From: angek <ang...@ip...> - 2003-01-31 10:28:09
|
Hey James,

Just downloaded your changes and started testing. I've come across a couple of things:

1. finish.inc - line 35 still reads:
   <?php echo($ESPCONFIG['auto_handler']....
   should this now be:
   <?php echo($ESPCONFIG['autopub_url']......

2. When I test a survey I get 2 warnings from espresponse.inc:
   Warning: Variable passed to reset() is not an array or object .... on line 549
   Warning: Variable passed to each() is not an array or object ..... on line 557
   it seems that $result = mysql_query($sql) returns a result identifier therefore the "if ($result) {...." code is executed however the num_rows returned is 0.

more as soon as I start testing the save/resume functionality.

Kon

On Fri, 2003-01-31 at 15:26, James E. Flemer wrote:
> I renamed phpESP.ini to phpESP.ini.php. While I was at it,
> I cleaned up a bunch of stuff. I moved as much code out of
> the ini as possible, so it's mostly just variables now.
>
> I replaced TRUE/FALSE with true/false.
> I replaced DESLASH/XADDSLASHES with _stripslashes/_addslashes.
> I changed to require_once(), and removed a bunch of if-defined()'s.
>
> So now, phpESP can be installed anywhere. No moving or
> symlinking needed. All that needs to be edited for almost
> all cases is: $ESPCONFIG['base_url'], and database
> passwords. How is this done you ask? It is done with a
> trick horde and others use: dirname(__FILE__) and relative
> paths from there.
>
> -James
>
> -------------------------------------------------------
> This SF.NET email is sponsored by:
> SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
> http://www.vasoftware.com
> _______________________________________________
> phpESP-devel mailing list
> php...@li...
> https://lists.sourceforge.net/lists/listinfo/phpesp-devel
|
From: James E. F. <jf...@ac...> - 2003-01-31 04:26:59
|
I renamed phpESP.ini to phpESP.ini.php. While I was at it, I cleaned up a bunch of stuff. I moved as much code out of the ini as possible, so it's mostly just variables now.

I replaced TRUE/FALSE with true/false.
I replaced DESLASH/XADDSLASHES with _stripslashes/_addslashes.
I changed to require_once(), and removed a bunch of if-defined()'s.

So now, phpESP can be installed anywhere. No moving or symlinking needed. All that needs to be edited for almost all cases is: $ESPCONFIG['base_url'], and database passwords. How is this done you ask? It is done with a trick horde and others use: dirname(__FILE__) and relative paths from there.

-James
|
From: Moshe W. <wei...@te...> - 2003-01-30 01:44:23
|
attached are two patches which implement validation. some bugs have been ironed out of the function that i sent this morning. |
From: James E. F. <jf...@ac...> - 2003-01-29 17:23:14
|
Other stuff to do before 1.6:
- Rename phpESP.ini.
- Check when CSS <link ...> are/aren't shown.
- Documentation / FAQ update.

-James

On Wed, 29 Jan 2003, James E. Flemer wrote:
> The save/resume patches, as well as some other minor things
> and cleanup have been committed. (Or will be done shortly.)
> This may break a little bit of stuff:
> LDAP auth should be checked / updated.
> Translations will need some updating.
>
> Take a look at the code a little later this afternoon.
> Once this and the forking / crossanalysis patches are in,
> we should get ready for a v1.6 release. That means bug
> testing and documentation updates, and holding off on new
> features.
>
> -James
|
From: James E. F. <jf...@ac...> - 2003-01-29 17:06:02
|
The save/resume patches, as well as some other minor things and cleanup have been committed. (Or will be done shortly.) This may break a little bit of stuff:
LDAP auth should be checked / updated.
Translations will need some updating.

Take a look at the code a little later this afternoon. Once this and the forking / crossanalysis patches are in, we should get ready for a v1.6 release. That means bug testing and documentation updates, and holding off on new features.

-James
|
From: angek <ang...@ip...> - 2003-01-29 07:41:11
|
Hi Shane,

I agree that the scaled questions need updating not only to allow what you have suggested but to also allow for textual descriptions. Suffice to say that I have started writing the code.

In the meantime you might want to use a statement question type just before your scaled question describing the meaning of the 12345. This is the only option available to you at present.

Kon

On Wed, 2003-01-29 at 07:51, Shane Harsch wrote:
> Some survey design theories suggest that scaled questions should always be
> ordered from best answer to worst answer. Since we typically associate best
> with a higher numerical value, what is the likelihood of adding an ordering
> option to the scaled questions, allowing the designer to specify 5 as first
> and 1 as last, instead of the 12345 method used now?
>
> Thanks.
|
From: Moshe W. <wei...@te...> - 2003-01-29 04:28:17
|
I noticed that although the survey help file implies that we check for valid responses using the type/length/precision parameters, we don't. We just check that all required responses are present. If I'm wrong about this, I apologize.

So I decided to write some code to do validation. In my setup, the following function is called right in handler.php right after we check that all required questions are present. This is preliminary, but I wanted to get feedback from this group. Is this valuable? What should I change? Also, what is the intent of the length/precision params for the *numeric* question type.

I'll submit a patch soon - just want some opinions first.

-moshe

/* {{{ proto string response_validate(int survey_id, int section)
   Reads current form variables from HTTP_POST_VARS.
   Returns an empty string if all fields are valid, else returns
   a message string indicating which responses need to be changed. */
function response_validate($sid, $section) {
    global $HTTP_POST_VARS;

    $sql = "
    SELECT id, length, precise, content, type_id
    FROM question
    ". survey_select_section_sql($sid,$section) ."
    ORDER BY position";
    $result = mysql_query($sql);
    $invalid = array(); // array of invalid responses
    while(list($qid, $length, $precise, $content, $type_id) = mysql_fetch_row($result)) {
        switch ($type_id) {
            case 2: // textbox
                if (isset($HTTP_POST_VARS[$qid]) && strlen($HTTP_POST_VARS[$qid]) > $precise) {
                    $invalid[$qid] = "Response is too long: $content";
                }
                break;
            case 5: // checkboxes
                if (isset($HTTP_POST_VARS[$qid])) {
                    if (count($HTTP_POST_VARS[$qid]) > $precise) {
                        $invalid[$qid] = "Too many boxes checked: $content";
                    } else if (count($HTTP_POST_VARS[$qid]) < $length) {
                        $invalid[$qid] = "Too few boxes checked: $content";
                    }
                }
                break;
            case 9: // date
                // strtotime() reports an unparseable date as -1 (PHP 4) or
                // false (PHP 5.1+); the response is invalid only in that case.
                if (isset($HTTP_POST_VARS[$qid])) {
                    $ts = strtotime($HTTP_POST_VARS[$qid]);
                    if ($ts === false || $ts === -1) {
                        $invalid[$qid] = "Invalid date format. Use this format - <i>10 September 2000</i>: $content";
                    }
                }
                break;
            case 10: // numeric
                // not sure what the length/precision test is all about.
                if (isset($HTTP_POST_VARS[$qid]) && !is_numeric($HTTP_POST_VARS[$qid])) {
                    $invalid[$qid] = "Invalid number format: $content";
                }
                break;
        }
    }

    if(count($invalid)) { // we have some invalid responses
        $message = "<br />". _('The following responses are invalid:') ."<br>\n";
        while(list($qid,$content)=each($invalid)) {
            if($GLOBALS['ESPCONFIG']['DEBUG'])
                $message .= "<!-- ${qid} -->";
            $message .= "${content}<br>\n";
        }
        return($message);
    }
    return('');
}
|
From: Shane H. <sh...@at...> - 2003-01-28 20:51:48
|
Some survey design theories suggest that scaled questions should always be ordered from best answer to worst answer. Since we typically associate best with a higher numerical value, what is the likelihood of adding an ordering option to the scaled questions, allowing the designer to specify 5 as first and 1 as last, instead of the 12345 method used now? Thanks. |
From: Matthew G. <gr...@mu...> - 2003-01-28 00:40:06
|
If you can get shell access to your mysql DB, try the mysqldump command.

On Tue, Jan 28, 2003 at 01:10:08AM +0100, fl...@gm... wrote:
> phpESP question forking and Cross Analysis / Tabulation GUI
> hello all!
>
> well , just a little request if anybody has build a tool to backup or restore the phpesp db when you have a huge db-size.....
> now i get really problems when getting backups or trying to restore it!
>
> my db size is 10MB and i get more often a timeout when trying to backup or restore it by using PhpMyAdmin.
> any ideas when having no root rights?
>
> kind regards flobee

--
one of the friendly folks in the IT Lab.
--------------------------------------\
The IT Lab (http://www.itlab.musc.edu) \____________________
Probably the world's premier software development center.
Serving: Programming, Tools, Ice Cream, Seminars
|
From: <fl...@gm...> - 2003-01-28 00:10:40
|
phpESP question forking and Cross Analysis / Tabulation GUI
hello all!

well , just a little request if anybody has build a tool to backup or restore the phpesp db when you have a huge db-size.....
now i get really problems when getting backups or trying to restore it!

my db size is 10MB and i get more often a timeout when trying to backup or restore it by using PhpMyAdmin.
any ideas when having no root rights?

kind regards flobee
|
From: James E. F. <jf...@ac...> - 2003-01-24 20:31:21
|
---------- Forwarded message ----------
Date: Fri, 24 Jan 2003 13:00:37 -0700 (MST)
From: Iain O'Cain <ec...@in...>
To: jim...@us...
Subject: Small phpESP 1.5 fix

James,

Setting up phpESP for the first time -- by far the best PHP voting package I've come across! thanks! -- and had to make this one small fix. Since we aren't authenticating voters (more on that below), the vote success page was producing an error in espresponse.inc. I made this change at line 532 to work around it:

/* ADDED TO PREVENT "Warning: Undefined index: PHP_AUTH_USER" MESSAGE... */
isset($GLOBALS['HTTP_SERVER_VARS']['PHP_AUTH_USER']) &&

As for unauthenticated voters, I've been thinking it would be a step toward discouraging cheaters in an open vote like this if I add in an email confirmation step. I'll let you know if I can get to that in time.

Cheers,
Iain

--
Iain Ó Cain <ec...@in...> - IO10 - http://ec.intranet.org/
"We have no intention of shipping another bloated OS and shoving it down the throats of our users." -- Paul Maritz, Microsoft Vice President
|
From: Matthew G. <gr...@mu...> - 2003-01-23 15:37:49
|
Thanks. I've applied your changes in CVS.

On Wed, Jan 22, 2003 at 10:13:36PM -0500, Moshe Weitzman wrote:
> The attached patch to survey_render.inc adds a class="surveyPage"
> attribute to the FONT tags surrounding the page numbering text at top
> and bottom of multi-page surveys. this is the only text which is not
> easily accessible via CSS.

...snip

--
one of the friendly folks in the IT Lab.
--------------------------------------\
The IT Lab (http://www.itlab.musc.edu) \____________________
Probably the world's premier software development center.
Serving: Programming, Tools, Ice Cream, Seminars
|
From: Moshe W. <wei...@te...> - 2003-01-23 03:13:52
|
The attached patch to survey_render.inc adds a class="surveyPage" attribute to the FONT tags surrounding the page numbering text at top and bottom of multi-page surveys. this is the only text which is not easily accessible via CSS. Since this is my first patch to this project, please let me know if I've erred in technique or substance. |
From: Matthew G. <gr...@mu...> - 2003-01-21 15:38:13
|
Hmm... email shouldn't be required, but if any data is present in the email column it must be a valid email address. For example:

te...@te... is valid
test@test is not valid
test is not valid

On Tue, Jan 21, 2003 at 10:13:08AM -0500, Moshe Weitzman wrote:
> thanks james. this works well. for anyone who is confused, james
> suggests using the bulk upload functionality.
>
> would you accept a patch to the 'add respondent' web page which changes
> the group select box to multi-select instead of single? this would make
> this capability more obvious.
>
> fyi, my bulk respondent uploads would not work unless i included an
> email in each row. the docs don't state this as a required field. no big
> deal, since the error message is clear.
>
> James E. Flemer wrote:
>
> >Just enter the same username and password w/ multiple
> >groups.
> >-James
> >
> >On Tue, 21 Jan 2003, Moshe Weitzman wrote:
> >
> >>I am deploying a site for a doctor who intends to deploy many private
> >>surveys. it will be common for patients to complete several of these
> >>private surveys.
> >>
> >>the ui seems to enforce that a respondent may be a member of only 1
> >>group. furthermore, a respondent's group membership can never change.
> >>these are both undesirable IMO.
> >>
> >>is there a reason why this must be so. is there an interest in a patch
> >>which improves this situation? any implementation suggestions for such a
> >>patch are welcome ... i haven't looked at this closely enough yet, so
> >>please forgive me if i am missing something obvious.
> >>
> >>-moshe
>
> This SF.net email is sponsored by: Scholarships for Techies!
> Can't afford IT training? All 2003 ictp students receive scholarships.
> Get hands-on training in Microsoft, Cisco, Sun, Linux/UNIX, and more.
> www.ictp.com/training/sourceforge.asp

--
one of the friendly folks in the IT Lab.
--------------------------------------\
The IT Lab (http://www.itlab.musc.edu) \____________________
Probably the world's premier software development center.
Serving: Programming, Tools, Ice Cream, Seminars
|
From: Moshe W. <wei...@te...> - 2003-01-21 15:11:00
|
thanks james. this works well. for anyone who is confused, james suggests using the bulk upload functionality.

would you accept a patch to the 'add respondent' web page which changes the group select box to multi-select instead of single? this would make this capability more obvious.

fyi, my bulk respondent uploads would not work unless i included an email in each row. the docs don't state this as a required field. no big deal, since the error message is clear.

James E. Flemer wrote:

>Just enter the same username and password w/ multiple
>groups.
>-James
>
>On Tue, 21 Jan 2003, Moshe Weitzman wrote:
>
>>I am deploying a site for a doctor who intends to deploy many private
>>surveys. it will be common for patients to complete several of these
>>private surveys.
>>
>>the ui seems to enforce that a respondent may be a member of only 1
>>group. furthermore, a respondent's group membership can never change.
>>these are both undesirable IMO.
>>
>>is there a reason why this must be so. is there an interest in a patch
>>which improves this situation? any implementation suggestions for such a
>>patch are welcome ... i haven't looked at this closely enough yet, so
>>please forgive me if i am missing something obvious.
>>
>>-moshe
|
From: James E. F. <jf...@ac...> - 2003-01-21 14:44:04
|
Just enter the same username and password w/ multiple groups.

-James

On Tue, 21 Jan 2003, Moshe Weitzman wrote:
> I am deploying a site for a doctor who intends to deploy many private
> surveys. it will be common for patients to complete several of these
> private surveys.
>
> the ui seems to enforce that a respondent may be a member of only 1
> group. furthermore, a respondent's group membership can never change.
> these are both undesirable IMO.
>
> is there a reason why this must be so. is there an interest in a patch
> which improves this situation? any implementation suggestions for such a
> patch are welcome ... i haven't looked at this closely enough yet, so
> please forgive me if i am missing something obvious.
>
> -moshe
|
From: Moshe W. <wei...@te...> - 2003-01-21 06:45:13
|
I am deploying a site for a doctor who intends to deploy many private surveys. it will be common for patients to complete several of these private surveys.

the ui seems to enforce that a respondent may be a member of only 1 group. furthermore, a respondent's group membership can never change. these are both undesirable IMO.

is there a reason why this must be so. is there an interest in a patch which improves this situation? any implementation suggestions for such a patch are welcome ... i haven't looked at this closely enough yet, so please forgive me if i am missing something obvious.

-moshe
|
From: <fl...@gm...> - 2003-01-18 19:36:59
|
that access was allowed on my problem with my ISP! that's why i report to be changed

----- Original Message -----
From: "Moshe Weitzman" <wei...@te...>
To: <php...@li...>
Sent: Saturday, January 18, 2003 5:20 PM
Subject: Re: [phpesp-dev] insecure phpesp.ini

Another open source project I know (Drupal) keeps their ini file in the web accessible directory but blocks it via .htaccess rule. Here is the rule:

# Protect files and directories from prying eyes:
<Files ~ "(\.(conf|inc|module|pl|sh|sql|theme)|Entries|Repositories|Root|scripts|updates)$">
order deny,allow
deny from all
</Files>

Users of non apache web servers are warned of risks.

Christopher Zorn wrote:
> -1 for me. I think it should stay in a none web accessible directory.
>
> On Fri, Jan 17, 2003 at 04:31:54PM -0500, James E. Flemer wrote:
>
>>Initially my feeling was that phpESP should be installed
>>somewhere outside of the web accessible part of your
>>filesystem. This would ensure that phpESP.ini would not be
>>compromised. However it seems many people can not
>>understand how to do this, and many can not do so because
>>they have to deal with open_basedir restrictions from their
>>hosting service. In light of this, I am willing to change
>>the extension. The change would be to rename phpESP.ini to
>>phpESP.ini.php. I would like the developers to vote on
>>this (-1/0/+1).
>>
>>This also brings up an important point about mysql
>>security. If you are concerned about your database
>>passwords, then I suggest you read the mysql manual on
>>permissions. The mysql security model allows restricting
>>access based on IP addresses, username/password, database,
>>and actions. My mysql server uses phpesp with the default
>>password (phpesp), and it doesn't matter that I tell you
>>that because the restrictions on hostnames, databases, and
>>permissions on that account prevent anyone from doing
>>damage. Anyone administering a mysql server should RTFM.
>>
>>-James
>>
>>---------- Forwarded message ----------
>>Date: Fri, 17 Jan 2003 16:45:39 +0100
>>From: fl...@gm...
>>Subject: Re: [phpesp-dev] themes when embedding
>>
>>hi and happy new year!
>>
>>i have a really unnice message: my server let open port 8080 an with that
>>and misconfiguration all websurfer can look in my phpesp ini which is bloody
>>uncool!
>>so there is the need to change is to ext.php! i think... when php crashes
>>then it's the only point to have a chance to look in a php file otherwise
>>no!
>>is there any chance to do is or do i have to change it by myself?.......
>>(bad on upgrades)
>>
>>kind regards flobee
>>
>>-------------------------------------------------------
>>This SF.NET email is sponsored by: Thawte.com - A 128-bit supercerts will
>>allow you to extend the highest allowed 128 bit encryption to all your
>>clients even if they use browsers that are limited to 40 bit encryption.
>>Get a guide here:http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0030en
>>_______________________________________________
>>phpESP-devel mailing list
>>php...@li...
>>https://lists.sourceforge.net/lists/listinfo/phpesp-devel
|
From: James E. F. <jf...@ac...> - 2003-01-18 18:39:08
|
Consider a user who is using MajorHostingProvider, who gives them space like:
  /home/httpd/vhosts/example.com
Which has directories:
  /home/httpd/vhosts/example.com/httpdocs
  /home/httpd/vhosts/example.com/httpsdocs
Which are the doc-roots for the example.com virtual host. Now you stick a phpinfo() script in there and it reports open_basedir as:
  open_basedir = '/home/httpd/vhosts/example.com/httpdocs'

Thus all support files for any PHP script must be within a web accessible directory. The only option here is to either use '.htaccess' files or an extension such that the file is parsed by PHP. I dislike the .htaccess method, because it is possible that a (pedantic) httpd.conf will disallow changing options w/ .htaccess, and so a mysterious HTTP/500 error will show up. Many people have no idea where to look to find apache logs, so tracking down a 500 is difficult.

-James

s/MajorHostingProvider/rackspace.com/

On Sat, 18 Jan 2003, Christopher Zorn wrote:
> -1 for me. I think it should stay in a none web accessible directory.
>
> On Fri, Jan 17, 2003 at 04:31:54PM -0500, James E. Flemer wrote:
> > Initially my feeling was that phpESP should be installed
> > somewhere outside of the web accessible part of your
> > filesystem. This would ensure that phpESP.ini would not be
> > compromised. However it seems many people can not
> > understand how to do this, and many can not do so because
> > they have to deal with open_basedir restrictions from their
> > hosting service. In light of this, I am willing to change
> > the extension. The change would be to rename phpESP.ini to
> > phpESP.ini.php. I would like the developers to vote on
> > this (-1/0/+1).
> >
> > This also brings up an important point about mysql
> > security. If you are concerned about your database
> > passwords, then I suggest you read the mysql manual on
> > permissions. The mysql security model allows restricting
> > access based on IP addresses, username/password, database,
> > and actions. My mysql server uses phpesp with the default
> > password (phpesp), and it doesn't matter that I tell you
> > that because the restrictions on hostnames, databases, and
> > permissions on that account prevent anyone from doing
> > damage. Anyone administering a mysql server should RTFM.
> >
> > -James
> >
> > ---------- Forwarded message ----------
> > Date: Fri, 17 Jan 2003 16:45:39 +0100
> > From: fl...@gm...
> > Subject: Re: [phpesp-dev] themes when embedding
> >
> > hi and happy new year!
> >
> > i have a really unnice message: my server let open port 8080 an with that
> > and misconfiguration all websurfer can look in my phpesp ini which is bloody
> > uncool!
> > so there is the need to change is to ext.php! i think... when php crashes
> > then it's the only point to have a chance to look in a php file otherwise
> > no!
> > is there any chance to do is or do i have to change it by myself?.......
> > (bad on upgrades)
> >
> > kind regards flobee
|
From: Moshe W. <wei...@te...> - 2003-01-18 16:20:40
|
Another open source project I know (Drupal) keeps their ini file in the web accessible directory but blocks it via .htaccess rule. Here is the rule:

# Protect files and directories from prying eyes:
<Files ~ "(\.(conf|inc|module|pl|sh|sql|theme)|Entries|Repositories|Root|scripts|updates)$">
order deny,allow
deny from all
</Files>

Users of non apache web servers are warned of risks.

Christopher Zorn wrote:
> -1 for me. I think it should stay in a none web accessible directory.
>
> On Fri, Jan 17, 2003 at 04:31:54PM -0500, James E. Flemer wrote:
>
>>Initially my feeling was that phpESP should be installed
>>somewhere outside of the web accessible part of your
>>filesystem. This would ensure that phpESP.ini would not be
>>compromised. However it seems many people can not
>>understand how to do this, and many can not do so because
>>they have to deal with open_basedir restrictions from their
>>hosting service. In light of this, I am willing to change
>>the extension. The change would be to rename phpESP.ini to
>>phpESP.ini.php. I would like the developers to vote on
>>this (-1/0/+1).
>>
>>This also brings up an important point about mysql
>>security. If you are concerned about your database
>>passwords, then I suggest you read the mysql manual on
>>permissions. The mysql security model allows restricting
>>access based on IP addresses, username/password, database,
>>and actions. My mysql server uses phpesp with the default
>>password (phpesp), and it doesn't matter that I tell you
>>that because the restrictions on hostnames, databases, and
>>permissions on that account prevent anyone from doing
>>damage. Anyone administering a mysql server should RTFM.
>>
>>-James
>>
>>---------- Forwarded message ----------
>>Date: Fri, 17 Jan 2003 16:45:39 +0100
>>From: fl...@gm...
>>Subject: Re: [phpesp-dev] themes when embedding
>>
>>hi and happy new year!
>>
>>i have a really unnice message: my server let open port 8080 an with that
>>and misconfiguration all websurfer can look in my phpesp ini which is bloody
>>uncool!
>>so there is the need to change is to ext.php! i think... when php crashes
>>then it's the only point to have a chance to look in a php file otherwise
>>no!
>>is there any chance to do is or do i have to change it by myself?.......
>>(bad on upgrades)
>>
>>kind regards flobee
|
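The two options debated in this thread (the .htaccess rule quoted in the message above, and renaming the config file so it ends in .php) can be compared file by file. The following is an added example, not code from phpESP, Drupal or any poster; it assumes the web server hands only *.php files to the PHP interpreter, and the file names are the ones mentioned in this thread.

```php
<?php
// Added example; not phpESP or Drupal code.

// The <Files ~ "..."> expression from the quoted .htaccess rule, verbatim.
const DENY_RULE = '(\.(conf|inc|module|pl|sh|sql|theme)|Entries|Repositories|Root|scripts|updates)$';

// Assumption: the web server passes only *.php to the PHP interpreter.
// If PHP handling is broken or absent, 'executed' below becomes 'exposed'.
const PHP_HANDLED = '\.php$';

/**
 * What a direct HTTP request for $path yields:
 *   'executed' - run by PHP; a file holding only assignments prints nothing
 *   'denied'   - refused by the <Files> rule
 *   'exposed'  - returned as plain text, database password included
 */
function classify_request($path, $ruleActive)
{
    $name = basename($path); // <Files> is matched against the file name only
    if (preg_match('#' . PHP_HANDLED . '#', $name)) {
        return 'executed';
    }
    if ($ruleActive && preg_match('#' . DENY_RULE . '#', $name)) {
        return 'denied';
    }
    return 'exposed';
}

/** Names from $paths that would be served as text under the given setup. */
function exposed_files(array $paths, $ruleActive)
{
    $out = array();
    foreach ($paths as $p) {
        if (classify_request($p, $ruleActive) === 'exposed') {
            $out[] = $p;
        }
    }
    return $out;
}

// File names mentioned in this thread.
$files = array(
    'phpESP.ini',
    'phpESP.ini.php',
    'espresponse.inc',
    'finish.inc',
    'survey_render.inc',
    'handler.php',
);

foreach (array(false, true) as $rule) {
    printf("%s the .htaccess rule:\n", $rule ? 'With' : 'Without');
    foreach ($files as $f) {
        printf("  %-20s %s\n", $f, classify_request($f, $rule));
    }
}

// Files still readable even with the rule in place.
printf("Still exposed with the rule: %s\n", implode(', ', exposed_files($files, true)));
```

The quoted rule lists `inc` but not `ini`, so phpESP.ini stays readable unless `ini` is added to the alternation, while phpESP.ini.php is covered in both setups only as long as PHP is actually handling .php requests.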
From: randall e. <ra...@uc...> - 2003-01-18 16:19:15
|
> It was the UCSB branch that I downloaded and modified (had to remove all
> the non generic stuff and some other features that have already been
> implemented) and then patched to phpESP1.5RC3 so the code base won't be
> too different.
>
> I'll be updating this to phpESP1.6 beta during the week and making it
> available to both lists.
>
> So I guess we don't have to worry too much about the original ucsb
> import.

we here at ucsb have made heavy modifications to the ucsb branch.

http://open.survey.ucsb.edu/horde/chora/cvs.php/php_survey

i'm having our main developer writeup a list of the major changes and will get back to you shortly.

-randall

--
:// randall s. ehren :// voice 805.893.5632
:// systems administrator :// isber|survey|avss.ucsb.edu
:// institute for social, behavioral, and economic research
|
From: <fl...@gm...> - 2003-01-18 16:11:48
|
about the mysql password: it can be easily ripped! i've heard in a forum! (i don't know how..)
but: creating a simple password function with a 32 length string is more secure!
we already have a one way password check, just request on this with the extra function
md5($password * $extrastrings * $routines) would be more secure :-)
any way i don't have fort knox :-)

----- Original Message -----
From: "James E. Flemer" <jf...@ac...>
To: <php...@li...>
Sent: Friday, January 17, 2003 10:31 PM
Subject: [phpesp-dev] insecure phpesp.ini

Initially my feeling was that phpESP should be installed
somewhere outside of the web accessible part of your
filesystem. This would ensure that phpESP.ini would not be
compromised. However it seems many people can not
understand how to do this, and many can not do so because
they have to deal with open_basedir restrictions from their
hosting service. In light of this, I am willing to change
the extension. The change would be to rename phpESP.ini to
phpESP.ini.php. I would like the developers to vote on
this (-1/0/+1).

This also brings up an important point about mysql
security. If you are concerned about your database
passwords, then I suggest you read the mysql manual on
permissions. The mysql security model allows restricting
access based on IP addresses, username/password, database,
and actions. My mysql server uses phpesp with the default
password (phpesp), and it doesn't matter that I tell you
that because the restrictions on hostnames, databases, and
permissions on that account prevent anyone from doing
damage. Anyone administering a mysql server should RTFM.

-James

---------- Forwarded message ----------
Date: Fri, 17 Jan 2003 16:45:39 +0100
From: fl...@gm...
Subject: Re: [phpesp-dev] themes when embedding

hi and happy new year!

i have a really unnice message: my server left port 8080 open, and with that
and a misconfiguration all websurfers can look in my phpesp ini, which is bloody
uncool!
so there is the need to change it to ext.php! i think... when php crashes
then it's the only point to have a chance to look in a php file, otherwise
no!
is there any chance to do this or do i have to change it by myself?.......
(bad on upgrades)

kind regards flobee
From: Christopher Z. <zo...@mu...> - 2003-01-18 16:10:38
|
-1 for me. I think it should stay in a non web accessible directory.

On Fri, Jan 17, 2003 at 04:31:54PM -0500, James E. Flemer wrote:
> Initially my feeling was that phpESP should be installed
> somewhere outside of the web accessible part of your
> filesystem. This would ensure that phpESP.ini would not be
> compromised. However it seems many people can not
> understand how to do this, and many can not do so because
> they have to deal with open_basedir restrictions from their
> hosting service. In light of this, I am willing to change
> the extension. The change would be to rename phpESP.ini to
> phpESP.ini.php. I would like the developers to vote on
> this (-1/0/+1).
>
> This also brings up an important point about mysql
> security. If you are concerned about your database
> passwords, then I suggest you read the mysql manual on
> permissions. The mysql security model allows restricting
> access based on IP addresses, username/password, database,
> and actions. My mysql server uses phpesp with the default
> password (phpesp), and it doesn't matter that I tell you
> that because the restrictions on hostnames, databases, and
> permissions on that account prevent anyone from doing
> damage. Anyone administering a mysql server should RTFM.
>
> -James
>
> ---------- Forwarded message ----------
> Date: Fri, 17 Jan 2003 16:45:39 +0100
> From: fl...@gm...
> Subject: Re: [phpesp-dev] themes when embedding
>
> hi and happy new year!
>
> i have a really unnice message: my server left port 8080 open, and with that
> and a misconfiguration all websurfers can look in my phpesp ini, which is bloody
> uncool!
> so there is the need to change it to ext.php! i think... when php crashes
> then it's the only point to have a chance to look in a php file, otherwise
> no!
> is there any chance to do this or do i have to change it by myself?.......
> (bad on upgrades)
>
> kind regards flobee
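An added example (not part of the thread and not phpESP code) of auditing a webroot for the exposure debated above: it flags credential-bearing files the server would return verbatim, including a file renamed to `.php` whose settings sit outside a `<?php` block. The extension list, the `db_pass` key name and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumption: only these extensions run as PHP; other files are served verbatim.
EXECUTED_EXTS = {".php"}
# Heuristic for credential assignments, e.g. $ESPCONFIG['db_pass'] = 'x';
SECRET_RE = re.compile(r"pass\w*['\"]?\]?\s*=\s*['\"]?[^\s'\";]+", re.I)

def find_exposed_configs(webroot):
    """Return sorted (relative_path, reason) pairs for files that would leak."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "r", errors="replace") as fh:
                text = fh.read()
            match = SECRET_RE.search(text)
            if match is None:
                continue
            rel = os.path.relpath(path, webroot).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            open_tag = text.find("<?php")
            if ext not in EXECUTED_EXTS:
                findings.append((rel, "not executed, served as plain text"))
            elif open_tag == -1 or match.start() < open_tag:
                # A rename alone is not enough: PHP echoes text outside <?php.
                findings.append((rel, "secret outside <?php block"))
    return sorted(findings)

def build_demo_tree():
    """Create a constructed webroot; contents and the key name are made up."""
    root = tempfile.mkdtemp(prefix="webroot-")
    php_cfg = "<?php\n$ESPCONFIG['db_pass'] = 'phpesp';\n"
    samples = {
        "phpESP.ini": php_cfg,                     # layout before the rename
        "phpESP.ini.php": php_cfg,                 # after the proposed rename
        "old/settings.php": "db_pass = phpesp\n",  # renamed, but no PHP tag
        "index.php": "<?php echo 'survey';\n",     # no credentials
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for rel, reason in find_exposed_configs(build_demo_tree()):
        print(f"{rel}: {reason}")
```

Point `find_exposed_configs` at a real document root and set `EXECUTED_EXTS` to match the handlers the server actually has configured; an empty result does not cover the case where the PHP handler itself fails.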
From: angek <ang...@ip...> - 2003-01-18 11:12:51
|
and a +1 from me

Kon

On Sat, 2003-01-18 at 12:04, Matthew Gregg wrote:
> On Fri, Jan 17, 2003 at 04:31:54PM -0500, James E. Flemer wrote:
> +1 in favor of the rename
>
> ...snip
> > hosting service. In light of this, I am willing to change
> > the extension. The change would be to rename phpESP.ini to
> > phpESP.ini.php. I would like the developers to vote on
> > this (-1/0/+1).
From: angek <ang...@ip...> - 2003-01-18 10:46:03
|
Hey James,

It was the UCSB branch that I downloaded and modified (had to remove all
the non generic stuff and some other features that have already been
implemented) and then patched to phpESP1.5RC3 so the code base won't be
too different.

I'll be updating this to phpESP1.6 beta during the week and making it
available to both lists.

So I guess we don't have to worry too much about the original ucsb
import.

Kon

On Sat, 2003-01-18 at 14:48, James E. Flemer wrote:
> Hey what did we get with the ucsb import anyway? I never
> really got a chance to review any of it. If there is
> anything we want to pull back into the main branch, we
> should do it soon before the code base changes much.
>
> -James