php_guy

Hello all, I am trying to make a document repository for my a group of people on my website. The problem is, I only want people with "membership" (i.e. that enter a correct user/pwd) to be able to get access to this page and download the files. Normally in PHP we can use Sessions to create a login process -- that is not the problem. The problem is that if someone knows the direct link to the file, they can send it to a friend (who is not a member) and they can download the file without being able to log in. For example, let's say an authenticated user John logs in and copies the link location of a particular MS-Word file. This link will allow anyone to download the file. How can I prevent that? Thanks

Hey guys, I've been trying a lot of things, and finally got it to work.... I'll try and remember what I did in case anyone runs into this in the future: First, I'm running debian so it was recommended to use exim instead of sendmail explicitly... So I did apt-get install exim4-base. I think this must have replaced the symbolic link for /usr/sbin/sendmail to exim after I did this. Anyway, I tried to run my PHP page agian. No luck Then I tried to run sendmail directly from the command line and I got the error: "Mailing to remote domains not supported " So I googled that error and found someone else had a similar problem here: http://himerus.com/blog/himerus/mailing-remote-domains-not-supported-debian-lenny I had to run: dpkg-reconfigure exim4-config and choose "internet site; mail is sent and received directly using SMTP". I took the defaults for the other settings. This is also explained here: http://www.electrictoolbox.com/changing-exim4-settings-debian-5-lenny/ Whew! What an epic journey and I hope this is solved... I will continue to test

Well, I just read that Perl's Mail function (at least the one that I used) does not use sendmail Does Mail::Sendmail need a command-line sendmail? No. It communicates directly with any local or remote SMTP server using only Perl sockets. This was actually it's primary "raison d'être". Source: http://alma.ch/perl/Mail-Sendmail-FAQ.html That explains why it works on Perl. I mean, I could always use PHP's PEAR or another Mail api thta does not use sendmail, but I would rather try to get sendmail to work... At this point, it seems to be a problem with sendmail, since sendmail at the command line does not work. Has anyone run into this before?

I'm not sure if you're familiar with Perl... But this perl code -- on the same machine -- takes about a second to send.... compared to the PHP code and sendmail command line which take forever #!/usr/bin/perl -T #!/usr/bin/perl -Tw use strict; use CGI; use Mail::Sendmail; my %mail = ( To => "me\@domain.com", From => "The Perl Agent <perl\@domain.com>", Subject => "Perl Mail", Message => "Just the message body", smtp => 'mail.isp.com', 'Content-Type' => 'text/html; charset=iso-8859-1' ); sendmail(%mail); # or die $Mail::Sendmail::error; print "Content-type: text/html\n\n"; print "<html><body>"; print "OK. Log says:\n", $Mail::Sendmail::log; print "</body></html>"; Presumably they use the same method to send mail, no?

I just tried sendmail alone on the command line: sendmail -v me@domain.com < test.mail Where test.mail is Subject: test mail Some test And it still takes long... maybe the problem is with my sendmail itself?

Hi Ken Here's my code ini_set("SMTP", "mail.isp.com"); $to = "myaddress@domain.com"; $subject = "PHP Sendmail Example"; $headers = "From: The Root Monster <bigbadroot@domain.com>\r\n" . "Reply-To: bigbadroot@domain.com\r\n" . "Content-type: text/html; charset=iso-8859-1\r\n"; $body = "This is a sample message -- Why does it take so long"; if( mail($to,$subject,$body,$headers) ) echo "success!"; else echo "nope! nope!"; I WAS able to get things working by doing apt-get install sendmail-bin apt-get install sendmail ... But the mail takes so LONG to send! Normally it takes a second tops, but this is taking close to a minute. When I say, "takes long to send" i mean the actual php page takes almost a minute to respond (the task bar says "Waiting for domain....") and the output ("success!") is not printed for about a minute. Any idea what it could be that's taking so long?

FYI I've tried changing the sendmail configuration the following as well, to no avail sendmail_path = "/usr/sbin/sendmail -t" sendmail_path = "/usr/sbin/sendmail -t -i" Same result, the code returns true, but I don't receive any email. I've tried different email addresses to see if it's a problem with my particular one (which, like I said, it shouldn't, I've used Perl to send an email fine on the same machine)

Hello all, I am trying to get PHP's mail() function to work, but it's not. I'm just using a basic mail() example that I've used on other servers -- it works fine. I've tried... 1) Setting the SMTP to the correct SMTP server in PHP ini file and using ini_set() 2) The port is correctly set to 25 3) I've set the sendmail path in PHP.INI to ; For Unix only. You may supply arguments as well (default: "sendmail -t -i"). ; http://php.net/sendmail-path sendmail_path = /usr/sbin/sendmail -t The mail() function returns true, however it's not working! I know it's not something with my machine blocking ports because I can use Perl and it works fine Any ideas?

I have the following 1. php page that stores sessions. press submit and... 2. ...goes to perl/cgi page to interface with an api only available in perl, then auto redirects via HTTP headers to... 3. ... a php page where depending on the result a field is added to database then emailed, etc... then... 4.... redirects to main page so really all the user sees is page 1 -> hits submit -> ends up on page 4 via redirects Is there a problem with using redirects? Could the user intervene and prevent these redirects? Thanks

I am using a sloppy 3rd party API that doesn't return error codes, just error messages. See below $err = $object->getErrorMessage(); if( strlen($err) > 0 ) { header("Location: step1.php?err=$err"); } As you can see this is sloppy because anyone can just modify the address bar of step1.php and inject their own error message, or javascript or their own HTML buttons, etc. As a work around, I thought maybe I could use POST instead of GET... At least then the "err" variable would be hidden for the most part Any ideas how I can work around this? Thanks!

Hello all, I've recently upgraded some php binaries on my machine (as well as other files from my distro), and now my PHP files are downloading, rather than being parsed by Apache Here is the output of php -v juptier:/home# php -v PHP Deprecated: Comments starting with '#' are deprecated in /etc/php5/cli/conf.d/mysql.ini on line 1 in Unknown on line 0 PHP Deprecated: Comments starting with '#' are deprecated in /etc/php5/cli/conf.d/mysqli.ini on line 1 in Unknown on line 0 PHP Deprecated: Comments starting with '#' are deprecated in /etc/php5/cli/conf.d/pdo_mysql.ini on line 1 in Unknown on line 0 PHP Deprecated: Comments starting with '#' are deprecated in /etc/php5/cli/conf.d/pspell.ini on line 1 in Unknown on line 0 PHP Deprecated: Comments starting with '#' are deprecated in /etc/php5/cli/conf.d/xmlrpc.ini on line 1 in Unknown on line 0 PHP Deprecated: Comments starting with '#' are deprecated in /etc/php5/cli/conf.d/xsl.ini on line 1 in Unknown on line 0 PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib/php5/20090626+lfs/mysql.so' - /usr/lib/php5/20090626+lfs/mysql.so: cannot open shared object file: No such file or directory in Unknown on line 0 PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib/php5/20090626+lfs/mysqli.so' - /usr/lib/php5/20090626+lfs/mysqli.so: cannot open shared object file: No such file or directory in Unknown on line 0 PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib/php5/20090626+lfs/pdo_mysql.so' - /usr/lib/php5/20090626+lfs/pdo_mysql.so: cannot open shared object file: No such file or directory in Unknown on line 0 PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib/php5/20090626+lfs/pspell.so' - /usr/lib/php5/20090626+lfs/pspell.so: cannot open shared object file: No such file or directory in Unknown on line 0 PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib/php5/20090626+lfs/xmlrpc.so' - /usr/lib/php5/20090626+lfs/xmlrpc.so: cannot open shared object file: No such file or directory in Unknown on line 0 PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib/php5/20090626+lfs/xsl.so' - /usr/lib/php5/20090626+lfs/xsl.so: cannot open shared object file: No such file or directory in Unknown on line 0 PHP 5.3.5-0.dotdeb.1 with Suhosin-Patch (cli) (built: Jan 11 2011 10:40:15) Copyright (c) 1997-2009 The PHP Group Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies with Suhosin v0.9.32.1, Copyright (c) 2007-2010, by SektionEins GmbH juptier:/home# Any idea how to fix this? Thanks

Makes perfect sense Thanks a bunch!

Ahhhhh I KNEW there was a cleaner way than just hidden fields How secure are sessions? And would it just be a matter of doing: $_SESSION['myfield'] = myvalue? Besides the user clicking the close button of the browser, when are session variables destroyed? Thanks

I have an ordering process that consists of 3 pages: 1) Page1: Enter name/address 2) Page2: Based on address, determine availability of products, and let user choose which products, how many, etc. 3) Page3: Enter credit card info to send to the processor What is the best way to store information fro page 1 to page 2, then from page 2 to page 3? I thought about just using hidden fields. Is this OK? Is there another preferred way? Thanks!

Ahhhh that makes sense, and sounds very thorough. So basically program your PHP as if there is no Javascript -- but optionally include the javascript anyway, as a means to reduce server hits for something as simple as a missing field (but don't rely solely on this) Is that sort of the rationale? Thanks

Let's say I have a form with 5 fields to fill out Is it better practice to use Javascript to ensure that all fields are non-empty, a certain length, contain certain characters, etc. Or should the back end PHP side of things handle this, then return an error code to be printed out, etc Thanks!

Awesome, thanks! So is it OK to send via HTTP POST? Or is there another preferred way?

Thanks for the quick replies guys So how about this. I move the purchase page (just an HTML page) on the second server, such that when the submit button is pressed, then it submits to the CGI script that resides on the same server. In this case, I do not have to get two SSL certificates, and all processing is localized on one machine Would this work? Keeping in mind that the data would be sent to the CGI script via POST. Is this okay, so long as I have SSL? Thanks! Now, keep in mind that i'm submitting data from

I have two sites on two different servers server1: has the purchase page where it asks for credit card numbers etc. server2: has the CGI files to send payment data directly into the payment processor. I cannot put the CGI files on server1 due to security restrictions, etc. My question is: How can I securely transmit the credit card data from server1 to server2? Thanks!

When sending data via $_POST for example, I've seen the data get filtered with both mysql_real_escape_string or htmlspecialchars When should you use one or the other?

Hello all, I have this at the top of my page to ensure that only logged in users can see the content if(!isset($_SESSION['myusername'])){ header("Location:login.php"); exit; } else { $username = $_SESSION['myusername']; } This, of course is checked in the login form against a database and only stored in $_SESSION once it's verified... Now, my question is -- how secure is this? For example, could someone have $_SESSION['myusername'] set from another webpage, then navigate to mine and be able to see the protected content?

Hello all, I have a website where I do not want the Javascript to be viewable by the client right-clicking and choosing "View source". I am using specific Google Maps API so it has to be Javascript, there is unfortunately no server side equivalent. Is there a way for me to have a skeleton webpage that sends the data to a severside page -- where the javascript is processed -- then returned somehow back to the client? Forget for a second that I'm using Google Maps, but just looking at it from a higher level view: Is it possible to have a webpage where I submit data -> goes to the server where it's processed using javascript -> then returns HTML to the client? Thanks!!

Hello all, I'm using sessions to store a username/password For example, I have the following at the top of all my source files: <?php session_start(); if(!isset($_SESSION['myusername'])){ header("Location:login.php"); exit; } else { $username = $_SESSION['myusername']; $permissionLevel = $_SESSION['mypermissionlevel']; } ?> Now, I'd like to add a "Remember Me" checkbox so they can store their login info (securely!) so they don't have to log in all the time.... How do I do this? Thanks

Hey all, I'm fairly new to Linux and am trying to run PHP + Apache2 on here... I open my browser, and go to localhost/index.html and I get to a page that says, "It Works!" But I can't find this file! Where is the default web server directory for apache2 on Linux? Thanks

Hi, sorry I missed that about the exit; statement. I added that in. How is my code deemed reasonably secure when using $_SESSION??