Network: freenode, Channel: #php
Log from #php at freenode 2006-07-20
[21:22]<sggsgy>All of the above highly hypothetical btw *cough*
[21:23]<tml>I *WANT* them to, if they find it useful to do so.
[21:23]<zxnzvnz>yeah, nothing wrong - but it can be confusing to some people
[21:23]<jufyzg|wjzc>TML, good examples of that are google and dictionary.com
[21:23]<drvvdaa>Right. Virtually by definition, if you're using a query string, the user changing it shouldn't matter.
[21:23]<jufyzg|wjzc>mIRC aliases: /g { b http://www.google.com/search?hl=en&q= $+ $replace($1-, $chr(32), $chr(37) $+ 20) }
[21:23]<tml>cheater: So where's the security concern?
[21:23]<jufyzg|wjzc>And /d { b http://dictionary.reference.com/search?q= $+ $1- }
[21:23]<wjlllrws>Julian|Work: *blink*
[21:23]<zxnzvnz>i hack dictionary.com's request 20 times every day, Julian|Work :) it's always in my history
[21:23]<drvvdaa>So the query string says ?article=5 and they change it to article 6. If that's a bad thing, you're probably missing an authentication step.
[21:23]<jufyzg|wjzc>Wolfpaws: *reblink* -- what?
[21:23]<tml>SunRayCafe: You as well? Where's the security concern if all GET requests are idempotent.
[21:24]<zxnzvnz>TML: there's always security concern with session tokens displaying in semi-public places as well
[21:24]<jufyzg|wjzc>/d idempotent
[21:24]<sggsgy>mattmcc: Yes, of course.. And people does the sites, and people do miss authentication steps
[21:24]<tml>cheater: I never suggested putting the session token as part of the query string.
[21:24]<sggsgy>Which would be less 'exploitable' if they used POST
[21:24]<sugrrdcrpn>about the "I want them to change it", I agree. Use GET. That's what it's good for. If you DON'T want joe-user to change it, use POST. That's all I meant by "security concern" in the first place.
[21:25]<wjlllrws>sensei: ...
[21:25]<zxnzvnz>TML: don't get so stressed up. i'm just casually talking about the benefits of showing stuff versus hiding stuff
[21:25]<sggsgy>Wolfpaws: What?
[21:25]<wjlllrws>POST can be exploitable as well as GET
[21:25]<tml>cheater: Show everything you safely can. As I've said...oh, three times in the past hour.
[21:25]<drvvdaa>sensei: Nothing except the programmer's incompetence has been exploited in that scenario.
[21:25]<txudrgg>SunRayCafe: hmm.. post you say..
[21:25]<sggsgy>Wolfpaws: Yeah, of course.. read further up, I said that the risk spontaneous 'exploatation' is higher with get in some cases
[21:26]<tml>And don't call GET a "security concern" because it propagates the myth that POST is somehow "more secure"
[21:26]<tml>It's not.
[21:26]<zxnzvnz>TML: chill out, you don't need to prove anything to me
[21:26]<sggsgy>mattmcc: As opposed to when?
[21:26]<tml>sensei: spontaneous exploatation is good.
[21:26]<tml>(sic)
[21:26]<fgog>hello
[21:26]<fgog>anyone using suphp with chroot?
[21:26]<ajyf_>Hi, I have a problem with a php script that I wrote on a linux system and now moved to a SunOS box... My script is supposed to get a request from the user agent with some http_post vars and generate a file using fopen(). The file is created, but it isn't getting written to.... I haven't changed anything from when it was working correctly other than the operating system
[21:26]<mwvp>what is wrong with this :
[21:26]<tml>cheater: I need to prove something to anyone who was listening to your side and might walk away thinking POST is "more secure than GET".
[21:26]<mwvp>UPDATE Untitled2_empty SET lat = 35.48777, long = -93.548492 WHERE field33 = '27' You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'long = -93.548492 WHERE field33 = '27'' at line 1
[21:26]<txudrgg>SunRayCafe: echo '<a href="delete.php?id='.$row['id'].'">X</a>';
[21:26]<sugrrdcrpn>TML: I read over the RFC on HTTP 1.1, and I'm missing the idempotent portion in the GET section (9.3)... Do you have more specific information on that?
[21:27]<txudrgg>SunRayCafe: i'm not sure if i'm looking at this the right way
[21:27]<zxnzvnz>TML: if it is, it's barely so at all, and on very few occasions.
[21:27]<zxnzvnz>but i never said otherwise
[21:27]<sggsgy>exploitation* :)
[21:27]<tml>SunRayCafe: 9.1.2 Idempotent Methods: Methods can also have the property of "idempotence" in that (aside from error or expiration issues) the side-effects of N > 0 identical requests is the same as for a single request. The methods GET, HEAD, PUT and DELETE share this property.
[21:27]<mwvp>UPDATE Untitled2_empty SET lat = 35.48777, long = -93.548492 WHERE field33 = '27' You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'long = -93.548492 WHERE field33 = '27'' at line 1
[21:27]<mwvp>oppps
[21:28]<arajabat>coil_: try change the permissions
[21:28]<sugrrdcrpn>Thumann: please don't take most any of what we've been saying for the past 200 or so lines as recommendation for your application :) Give me just a moment...
[21:28]<tml>cheater: You were arguing on the side of those who were, and muddling the issue, at the very least.
[21:28]<sugrrdcrpn>TML: thanks
[21:28]<ajyf_>basically, the client sends a request for query.php?mac='blah' .... the script creates a file named 'blah'.cfg with the results of a mysql query and streams the file to the client.... the problem is the file is empty
[21:28]<rjfmsvnrf>i want to make a database but i never made one before
[21:28]<malnzn>but yea
[21:28]<jufyzg|wjzc>TML, came out to about .28s of overhead from the DB.
[21:28]<malnzn>what is wrong with my query... it has to do with the - :O
[21:28]<tml>Julian|Work: That's .28s of overhead that serves no purpose.
[21:28]<jufyzg|wjzc>I'll let them compare that to whatever perceived overhead they're seeing in the filesystem.
[21:28]<gsvggsgg>anyone?
[21:28]<tml>Julian|Work: But I've already argued that.
[21:28]<jufyzg|wjzc>TML, I agree with you-- but they may know something I don't.
[21:29]<txudrgg>SunRayCafe: haha.. well.. you're talking on all kinds of security related matters.. i'm fine with any of them.. as long as they're secure.. but the process itself.. i've got no idea on how to code ;>
[21:29]<ajyf_>ARAJABAT, you mean the fopen() mode or permissions on the file in the directory? the file doesn't exist until the request is made, so i can't really change the perms ahead of time
[21:29]<fusxuyrr>okay, let's try again
[21:29]<jufyzg|wjzc>TML, that also includes the time to stream the file back out as well.
[21:29]<txudrgg>SunRayCafe: and my eyes hurt if i look at this channel too long at a time.. so much text...
[21:29]<fusxuyrr>how do i make php tell windows to execute a program?
[21:29]<fusxuyrr>which is NOT part nor communicates with the executing script
[21:29]<tml>Thumann: None of it had anything to do with security. At all. Anyone who tells you otherwise is either ignorant of HTTP, or defines "security" in a way that makes no sense to the rest of the worl.
[21:29]<ajyf_>basically, i will unlink() the file first, then recreate it
[21:29]<tml>s/.$/d./
[21:30]<zzzzdwjd2zv>there's a function for setting variables from php.ini within a script on the fly, right?
[21:30]<tml>angrywombat: You mean setting configuration options at the script level?
[21:30]<rjfmsvnrf>i'm using php and mysql and i would like to make a database of all the ips and hostnames that visit my site. how would i do it?
[21:31]<arajabat>coil_: you can use this http://www.php.net/chmod
[21:31]<zzzzdwjd2zv>TML: yes
[21:31]<tml>coldsteal: php.net/mysql
[21:31]<tml>angrywombat: php.net/ini-set
[21:31]<rjfmsvnrf>okay
[21:31]<zzzzdwjd2zv>aha I knew it.. thanks
[21:31]<scggg>Is anyone running PHP with Apache on Win XP? There are just no folder permissions on Windows!! move_uploaded_file will not work, because of a permission error...and it doesn't matter where I put the tmp folder! What can I do?
[21:31]<ajyf_>thanks ARAJABAT ill give that a shot
[21:31]<wjlllrws>skeen: oh, yes they are
[21:32]<||aw>skeen: xp home?
[21:32]<fusxuyrr>how do i make php tell windows to execute a program?
[21:32]<fusxuyrr>which is NOT part nor communicates with the executing script
[21:32]<||aw>skeen: you can use a command prompt and the "cacls" command to set permissions
[21:32]<tml>!tell Fushuing about repeat
[21:32]<fusxuyrr>i thought someone might have missed it :)
[21:32]<rjfmsvnrf>fushuing why do you need to do that?
[21:32]<||aw>Fushuing: exec() ?
[21:32]<scggg>XP home.
[21:32]<fusxuyrr>||cw: we've discussed that already
[21:32]<fusxuyrr>the problem is that PHP will hang
[21:33]<fusxuyrr>i don't want PHP to interact with the executed program
[21:33]<sggsgy>Am I the only one picking up some bad vibes from this channel at the moment? There's less helping and more self reassurance and ego boosting imho.. or am I wrong? Sure people are being helped, but in a.. yeah weird way :)
[21:33]<fusxuyrr>i want PHP to just START it and do nothing else
[21:33]<||aw>Fushuing: no one says it has to interact
[21:33]<fgog>anyone using suphp with chroot and the mysql module ?