Log from #php at freenode 2006-05-11
[02:07]<rrppygrvnm>richardlynch: that is specifically there only for the browser.
[02:07]<nvrd>caffinated: you mean that everything in manual is fresh?
[02:07]<rrppygrvnm>etam: generally, yes.
[02:07]<slragguvs>richardlynch, strange thing is using an ErrorDocument statement in the same .htaccess file works just fine
[02:07]<nvrd>caffinated: ok, thanks
[02:08]<zdzxzzmfdgzx>etam: User Contributed Notes often lag behind, however. They are VERY useful, but take care.
[02:08]<rjrunjnmy>spacenuts: Certain abilities can be disabled, such as RewriteEngine
[02:08]<slragguvs>RogueJedi, hmm better contact them, why I can't set register_globals manually
[02:09]<jddddd>AllowOverride NONE
[02:09]<zdzxzzmfdgzx>spacenuts: You are trying to turn on/off register_globals, no? Maybe it's really old PHP and you need: php_flag register_globals 0
[02:09]<slragguvs>strange however one needs an .htaccess file, on non .htaccess file compliant webservers, one is stuck with the server settings
[02:09]<rjrunjnmy>spacenuts: I would. You should also try what richardlynch just said first =)
[02:09]<slragguvs>strange they don't allow a local php.ini, one can use to overwrite some global settings
[02:09]<zdzxzzmfdgzx>I thought it was php_value since, errr, PHP 4? 4.1?
[02:09]<kdrrddffdddffd>Anyone remember a challenge a few years ago where programmers wrote the same script in different languages to see which was shortest or fastest?
[02:09]<drvvdaa>4.0.
[02:10]<zdzxzzmfdgzx>spacenuts: That's why they put it into .htaccess
[02:10]<nvrd>richardlynch: ok
[02:10]<slragguvs>richardlynch, already tried that, php version: 4.3.10
[02:10]<zdzxzzmfdgzx>spacenuts: Also php.ini gets loaded once, and only once, at Apache startup.
[02:10]<zdzxzzmfdgzx>spacenuts: php_value versus php_flag and "off" versus 0 for the value.
[02:11]<slragguvs>richardlynch, so either "php_value register_globals off" or "php_flag register_globals 0" should work?
[02:12]<zdzxzzmfdgzx>spacenuts: Also if they've turned register_globals on, and have .htaccess on, but won't let you change PHP stuff in .htaccess.... Find a new webhost. :-)
[02:12]<zzlzm>perhaps it's cgi
[02:12]<zdzxzzmfdgzx>spacenuts: I *think* the safest one in PHP 4.3.10 would be: php_value register_globals 0
[02:12]<slragguvs>richardlynch, so they can just block overwriting register_globals, nasty, cause turned off it is much more secure
[02:13]<slragguvs>richardlynch, 0 or off?
[02:13]<rrppygrvnm>spacenuts: register_globals is not insecure.
[02:13]<zdzxzzmfdgzx>spacenuts: MAYBE they just block php_value completely, so you can't re-configure PHP in bad ways as well as good.
[02:13]<zdzxzzmfdgzx>caffinated: register_globals is not insecure *IF* every script you write *OR* download and install is perfectly written... Hello? Are you in the real world?
[02:14]<rjrunjnmy>caffinated: It is if you're using a script by someone that doesn't know what the hell they're doing :-P
[02:14]<sxzzypp>Can someone tell me what PECL means?
[02:14]<xmlxjym>what you're saying is that crappy code is insecure
[02:14]<rrppygrvnm>RogueJedi: that's not register_globals being secure, that's the programmer
[02:14]<xmlxjym>turning register_globals off doesn't make your code safe.
[02:14]<zdzxzzmfdgzx>Shariff: http://pecl.php.net
[02:14]<slragguvs>caffinated, I read it can be hazardous when using crappy scripts
[02:14]<rrppygrvnm>richardlynch: I'm not sure I care for your tone, tread carefully.
[02:14]<mrfmgg>Column count doesn't match value count at row 1
[02:14]<mzzcz9q>Also, some PHP programmers decided that rather than upgrade their scripts, just to put code in to emulate register_globals
[02:14]<mrfmgg>uoss
[02:15]<mrfmgg>soz
[02:15]<slragguvs>caffinated, giving every person a gun isn't dangerous, but there might be some loony among them and that is where it gets dangerous
[02:15]<mzzcz9q>which introduces the same problems
[02:15]<xmlxjym>frankly I think 'downloading and installing' scripts is the dangerous bit
[02:15]<mzgmzya>i think i would like to turn off caching for html on my admin interface ... should this be done in php or apache?
[02:15]<mzgmzya>http caching that is
[02:15]<jddddd>And thus why EVERY gun mfg now includes a gun lock at no charge.
[02:15]<slragguvs>richardlynch, none of the php_value stuff works, better contact the owners, cause this sucks bigtime
[02:15]<mzgmzya>ie browser caching
[02:15]<zdzxzzmfdgzx>caffinated: I don't want to argue semantics with you. The reality is that there are a zillion scripts that have un-initialized variables, and way too many users installing them.
[02:15]<drvvdaa>spacenuts: Indeed, but it remains true that the gun wasn't the cause of the problem. If he didn't have a gun, he'd just use a pick axe.
[02:15]<jddddd>Same reason why php disabled register globals by default.
[02:16]<rrppygrvnm>spacenuts: there are lots of things you can do in php to shoot yourself in the foot even without register_globals enabled. security at the level you're talking about is the programmer's responsibility, not the language's.
[02:16]<zdzxzzmfdgzx>And why PHP 6 won't even give you a choice. You may as well get used to it now.
[02:16]<slragguvs>mattmcc, true indeed, but I for one want to not give the opportunity of getting a gun
[02:16]<drvvdaa>spacenuts: Here's a more fun example. We give drivers licenses to people pretty much universally.
[02:16]<drvvdaa>spacenuts: Now let's compare shooting deaths to drunk driving deaths.
[02:16]<jddddd>mattmcc I prefer a 8 'D' cell mag light
[02:16]<slragguvs>caffinated, I know, but it limits me in my programming when turned on
[02:16]<rrppygrvnm>richardlynch: I don't really care what you want to argue. if you make the statement that register_globals is insecure you are flat out wrong.
[02:17]<drvvdaa>Jymmmm: Damn. How do you carry that thing around, a shoulder strap?
[02:17]<zdzxzzmfdgzx>Anybody can make a mistake and mis-type a variable and not initialize it.
[02:17]<zdzxzzmfdgzx>caffinated: You did not, and will not, see me say that.
[02:17]<rjrunjnmy>spacenuts: It limits you? How? It doesn't _limit_ anything.
[02:17]<slragguvs>mattmcc, nice metaphor, haha better make a note of it somewhere ;)
[02:17]<jddddd>mattmcc: It fits PERFECTLY under the front seat of the car
[02:17]<zdzxzzmfdgzx>caffinated: You WILL see me say it register_globals should be turned OFF.
[02:17]<jddddd>mattmcc only LEGAL weapon of its kind that I know of.
[02:17]<rrppygrvnm>richardlynch: it really shouldn't matter if it's on or off.
[02:18]<slragguvs>RogueJedi, yes it does, I am not able to use a variable with the same name as a key in $_SESSION
[02:18]<zdzxzzmfdgzx>In a perfect world, it wouldn't matter one whit...
[02:18]<drvvdaa>Jymmmm: You've seen Lock, Stock, and Two Smoking Barrels, right?
[02:18]<rrppygrvnm>richardlynch: and it doesn't matter at all. security is on the programmer, not the language.
[02:18]<zpzzznff>gah what is wrong with the .net connector grr
[02:18]<slragguvs>mattmcc, good movie ;)
[02:18]<zpzzznff>the connection is null, how can it have something associated with that
[02:18]<zdzxzzmfdgzx>Security is on everybody. Apache devs, PHP devs, the programmers, the installers, the users. We all have to share responsibility, or we are doomed.
[02:18]<rrppygrvnm>richardlynch: languages should not go out of their way to protect a user from bad code. you're going to be able to write bad code no matter what they do in the language.
[02:19]<jddddd>mattmcc afraid not
[02:19]<slragguvs>caffinated, true that security is on the programmer, but a server can be configured as secure as possible, just in case some programmer makes a little slip somewhere
[02:19]<rjrunjnmy>spacenuts: All depends on the scope
[02:19]<zdzxzzmfdgzx>So we should all just write in Hex? Assembly? C? VBScript?
[02:19]<zdzxzzmfdgzx>Or, in this case, because sooner or later somebody WILL make that mistake.
[02:19]<rrppygrvnm>richardlynch: I think at this point you're pretty much just being stupid.
[02:19]<drvvdaa>Jymmmm: Ah. There's a reference in the movie to somebody being beaten to death with a large rubber dildo. Maybe not exactly the same class as a maglite, but worth an honorable mention at least.
[02:20]<slragguvs>RogueJedi, ah yes, using such a variable in an object does not mangle things, right?
[02:20]<rrppygrvnm>richardlynch: people do make mistakes in all those languages. and sometimes those mistakes lead to vulnerabilities. this does not mean we should implement all kinds of preventive measures in the language itself. it means that they should learn to write better software.
[02:20]<jddddd>mattmcc ROTF... Well, I have no use for such things, so I'll stick with the flashlight =)
[02:20]<xmlxjym>the thing is, saying 'register globals is insecure' is incorrect. because it *was possible to write secure php 4.0 code*.
[02:20]<zdzxzzmfdgzx>caffinated: If I am, so are the PHP Devs who are turning it OFF in PHP 6 and giving you no choice.
[02:21]<xmlxjym>saying 'tends to encourage insecure code', sure
[02:21]<xmlxjym>but 'is insecure' is a very different thing
[02:21]<jddddd>!+go
[02:21]<lxl-2jv>[GO] Gross Overgeneralization. Everything that we tell you in ##PHP is what we consider "best practices". Of course, only YOU know your own requirements, so you may feel you need to do something we told you not to. Just don't say we didn't warn you.
[02:21]<rrppygrvnm>richardlynch: that doesn't really matter to me. all that really matters to me is pointing out that there really isn't any problem with it being there. it's easy to deal with if you write good software.
[02:21]<dggg>slightly offtopic.. i need to get hosting for big files with like 1000 gb traffic a month... cheap of course ;) any hints?
[02:21]<slragguvs>just to stop all the flaming, I take back my statement "register_globals on" is insecure
[02:21]<zdzxzzmfdgzx>And never ever make a typo mistake.
[02:22]<pzrgac19>does it make sense to use stream_socket_pair with pcntl fork like the example on php website but with more than 1 child ?







