Log from #php at freenode 2006-05-11
[06:40]<xracnm`>guys
[06:41]<xracnm`>anyone an expert in mail() ?
[06:41]<drscyns>What's you question?
[06:41]<drscyns>you?
[06:41]<drscyns>Arrr grammar
[06:41]<drscyns>*your
[06:41]<xracnm`>k, cause basically, i have apache + php + mysql running on my server
[06:41]<rjrunjnmy>NativePHP: Like I said before, I can see maybe javascript, and when you point that out it sounds like you should certainly do it for JS
[06:41]<xracnm`>and the server has internet access
[06:42]<xracnm`>now the workstations, they connect to the server http via the LAN
[06:42]<xracnm`>but they dont have internet access
[06:42]<zufn>what about stuff like onclick in a <p> tag?
[06:42]<drscyns>hacked`, What operating system is it using?
[06:42]<drscyns>The server
[06:42]<xracnm`>daskies, win2000
[06:42]<drscyns>Problem
[06:42]<xracnm`>no
[06:42]<drscyns>M$ doesn't do mial()
[06:42]<zufn>The most I'd do is just htmlspecialchars though...
[06:42]<drscyns>*mail()
[06:42]<xracnm`>daskies
[06:42]<xracnm`>so how can i do it
[06:42]<zufn>SMTP server
[06:43]<xracnm`>i dont want to set up an smtp server
[06:43]<drscyns>Or anything not using M$
[06:43]<zufn>Then you don't do it at all.
[06:43]<zufn>Actually, I lie.
[06:43]<xracnm`>i want to use my isp's smtp
[06:43]<zufn>I think you can enter an eternal smtp.
[06:43]<zufn>But I wouldn't recommend it. Check your php.ini configuration, happy days :)
[06:43]<xracnm`>zule, point is, will the workstations need internet access
[06:43]<nrvyvnphp>RogueJedi: It would be best to have a white list of tags you let users enter, and a white list of tag attributes and then strip out everything else. You may not want them to enter things like <html> or <body> tags, or style attributes on stuff
[06:43]<xracnm`>or will server send out email
[06:44]<zufn>Well, yea. Some kind, even if indirect.
[06:44]<[yvzn2rf_sfnnl]>mail() works on windows, php.net/mail
[06:44]<xracnm`>exactly
[06:44]<xracnm`>i dont know why people were misleading me
[06:44]<fumygnzm>What's an unexpected T_VARIABLE error mean?
[06:44]<zufn>Only if you have an SMTP server entered in your php.ini config though...
[06:44]<jddddd>hacked` Then do your own research and learn
[06:44]<mnzmzjjv>NativePHP: you still don't have to do that processing upon input.
[06:44]<zufn>That the variable wasn't expected.
[06:44]<drscyns>[itrebal_sleep], Not really
[06:45]<[yvzn2rf_sfnnl]>php.net/mail seems to think so
[06:45]<rjrunjnmy>deadroot: He's pointing out that if you are using some sort of DB viewer that doesn't strip it you could have problems
[06:45]<[yvzn2rf_sfnnl]>even some windows only params
[06:45]<zufn>Filtering HTML by hand is a nightmare. There are countless things you have to think about.
[06:45]<mnzmzjjv>then it is the DB viewer's fault
[06:45]<mnzmzjjv>you should file a bug report if the viewer broke
[06:46]<fumygnzm>lol, thanks Zule, guess I forgot to define it
[06:46]<rjrunjnmy>deadroot: I agree, if you get cracked by some exploit through a bad db viewer its your own fault
[06:46]<2r2j>But if you don't filter your data on input, especially data that gets executed - then you are leaving yourself open to someone running all kinds of nasty things on your computer ...
[06:46]<djjsnd>how can i limit max data sent in a form
[06:47]<2r2j>And it's better to be safe than sorry when it comes to what gets executed and what doesn't ... ?
[06:47]<zufn>Just out of curiosity, what kind of user input are we talking about? User input you want displayed as HTML in the end, or input you don't...
[06:47]<djjsnd>so like someone can't submit 50,000,000 text into a text box and hack the server
[06:47]<djjsnd>hehe
[06:47]<mjffxyrfyrr>Why does
[06:47]<mjffxyrfyrr>global $x;
[06:47]<mjffxyrfyrr>$x = "blah";
[06:47]<mjffxyrfyrr>function test(){ echo $x; }
[06:47]<mjffxyrfyrr>test();
[06:47]<mjffxyrfyrr>not work?
[06:47]<mnzmzjjv>okay, say you filter upon input. that avoids the bad DB viewer problem. what about the millions of other people who don't filter their input and uses the same bad DB viewer?
[06:47]<zufn>Because you need the global word in the function, read up about globals.
[06:48]<zufn>'cause my view is just that you're as well using htmlspecialchars when you put it in the database, rather than after. It saves processing time when reading it out and echoing it anyway. Call it once when storing saves calling it multiple times for every output
[06:48]<mnzmzjjv>the correct fix in that case is to fix the DB viewer
[06:48]<[yvzn2rf_sfnnl]>!tell dolphinling about pastebin
[06:48]<sgajgmv>moosey: look into using strlen or count > www.php.net/strlen , www.php.net/count
[06:49]<mnzmzjjv>Zule: if processing speed is important, then yes, preprocessing would save on postprocessing stuff
[06:49]<mjffxyrfyrr>[itrebal_sleep]: is 4 short lines too long to paste in here? sorry.
[06:49]<zufn>Well if you don't have any valid need to keep it raw, htmlspecialchars on it is viable. It really depends on the end need in my opinion
[06:49]<zufn>dolphinling: Read this -> http://uk2.php.net/global
[06:50]<[yvzn2rf_sfnnl]>alright, sleep for sure now
[06:50]<2r2j>Zule, agreed ...
[06:50]<mjffxyrfyrr>Zule: Oh, thanks! That explains it a lot better than the tutorial I was using.
[06:50]<2r2j>and prevents most CSS attacks at the same time ...
[06:51]<zufn>php.net is magical :)
[06:51]<sgajgmv>Indeed
[06:52]<zufn>But it just seems an odd debate :) If in the end you don't want whatever is in the database being outputted as html, and will be calling htmlspecialchars on it, you're as well doing that when you store it. If you do need the output as html, well, it's probably safe to assume you know the html is likely okay or your security is horrible so it's game over either way! :D
[06:52]<2r2j>... and what about a user executing remote shellcode ... escaping won't stop that ... I was just looking at a phpbb hack the other day that did that very thing ...
[06:53]<zufn>That's what learning about security is for \o/
[06:53]<rjrunjnmy>Zule: Exactly, not to mention how much simpler filtering output rather than input is for editing
[06:53]<jddddd>bullshit
[06:54]<jddddd>you'll get input usually once, you'll output thousands of times
[06:54]<zufn>Well I wouldn't exactly say "exactly" in response to me :P
[06:54]<rjrunjnmy>Jymmmm: So output filtering is slower, thats a given. Doesn't change the fact that you're writing the filter code either way.
[06:54]<zufn>As I said, if my output was going to not have raw html, I'd store it with htmlspecialchars.
[06:54]<jddddd>RogueJedi why waste resources like that?!
[06:55]<rjrunjnmy>Yet you still have to write something to show the user what they entered, not what your program turned it into
[06:55]<annlnz`>anyone ever use tinyhtml parser?
[06:55]<annlnz`>does it have stuff for nested tags
[06:55]<annlnz`>i just wrote a huge program to do it manually
[06:55]<jddddd>!+g8
[06:55]<lxl-2jv>Guideline #8) SQL Q's: #sql, #mysql or #postgresql. Apache Q's: #apache. Linux Q's: Either #yourdistro, #linuxhelp or #linpeople. HTML/CSS/JavaScript Q's: #web. Just because some other channel is 'dead' does NOT mean you can ask here.
[06:55]<rjrunjnmy>Well, I suppose you don't _have_ to
[06:55]<jddddd>!+g10
[06:55]<lxl-2jv>Guideline #10) We don't support script(s). We help you *write* PHP, not recommend or download and install/hack/modify/adapt/use pre-written scripts
[06:57]<zufn>I wonder if we'll get another release of php 4.4.x :(
[07:00]<fyvx>hey whats the word for when you're subscribed to a service and when the contract is over, it auto renews? (drunken mental lapse in brilliance)