From: James E. F. <jf...@ac...> - 2002-03-31 00:44:20

When doing any GUI design please keep these points in mind. I do want phpESP to have a nice "look-and-feel" but at the same time I want it to be usable by as many people as possible. I use lynx from time to time myself...

-James

---------- Forwarded message ----------
Date: Mon, 22 Oct 2001 16:16:16 -0500
From: Matt Campbell <ma...@fr...>
To: jf...@ac...
Subject: Great job on phpESP!

Hello,

I work for InHouse Radio Networks, Inc., and we're working on a product called the Freedom Box which gives blind and other disabled people access to the Internet through speech synthesis and speech recognition. We're going to run a market survey to find out about our potential customers, and I was put in charge of setting it up. I was going to write my own custom PHP scripts to do it, but thought I'd first look to see if a PHP survey package was already available. I found phpESP (1.2beta3), and decided to check it out. I've got it up and running, and the president of the company is very pleased with it. Great job, and thanks for making this package available for free!

A few suggestions:

1. Include alt attributes for all your images, especially the form buttons for the tabs on the survey creation/editing pages. This way people using text-only browsers such as Lynx, as well as blind people using screen readers, can tell what these images are.

2. Use drop-down menus instead of radio buttons whenever possible (e.g. on the page for creating or editing a survey question). The president of this company that I'm working for is blind himself, and he says that drop-down menus are much easier to use with his screen reader than radio buttons are. Besides, drop-down menus take up less space on the page.

3. When rendering a survey question with "!other" as the last choice, it would be best if phpESP displayed "other" or "Other" without the exclamation mark. Also would it be possible to include an "Other" choice and an accompanying text field for questions where the choices are presented in a drop-down menu? That way we don't have to use radio buttons at all.

I've implemented #1 and #2 in our local copy, and will work on #3 soon.

Thanks,

--
Matt Campbell
Programmer and System Administrator
InHouse Radio Networks, Inc.
http://www.freedombox.cc/

From: James E. F. <jf...@ac...> - 2002-03-31 00:36:18

Yes, though I don't like renaming files (CVS doesn't handle it gracefully). I also really think that it is best for the package to be installed outside of a public directory. It is certainly an option to rename files, and perhaps it will happen soon.

-James

On Sat, 30 Mar 2002, Lou Spironello wrote:

> Yup. This a very serious security breach.
>
> All files which contain php code should have the php
> extension unless one has explicitly defined those
> excluded extensions in web server configuration files.
>
> That's in one of my other messages or
> it could have been posted to a feature request I made today.
>
> All php related scripts should have a "PHP" extension,
> which means all .inc or .ini must be renamed to either
> *.inc.php *.ini.php or just *.php.
>
>
> Lou.
>
> ----- Original Message -----
> From: "Matthew Gregg" <gr...@mu...>
> To: <php...@li...>
> Sent: Saturday, March 30, 2002 2:57 PM
> Subject: [phpesp-dev] Rename phpESP.ini?
>
>
> > While thinking about installation scripts....
> > I must have overlooked something, but why not rename phpESP.ini to
> > something like config.php?
> >
> > If someone mistakenly installs it in a web accessible directory,
> > the web server will attempt to execute it instead of plastering sensitive
> > information to the browser.
> >
> > I tried it, seems to work. It gives you a nice blank page if you
> > access
> > http://yourhost.com/phpESP/admin/config.php
> >
> > Can't be this easy.

From: Lou S. <lr...@at...> - 2002-03-31 00:21:17

Cool. Love those colours (Canadian spelling!). I'm wondering if the menu items under the main headings will have the same colour palette as the main heading? :-)

I wish I had that sense of colour matching and design. :-(( I guess I'm in the same boat as James on this one.

I don't know if your next mock-up will contain this, but I still think there should be a Survey Deployment section (i.e. which contains the Changing of status (or publishing the survey) and the Change of Access).

I was also thinking that Survey Administration might be changed to Survey Creation so then we have

    Survey Creation
    Survey Deployment
    Survey Results

and then the

    Admin
    Utilities
    Help

That would balance the display with 3 x 3 with one at the bottom (i.e. the contact stuff).

I was just wondering about the order of the menu items in the Account Admin section. That is, I was thinking that they should be in order of usage and I don't know what the order should be. Any ideas?

I noticed the version number! :-)) (I guess the reason I'm kinda sensitive about that one is that if users are having difficulty they can quickly find the version number of the package. Moreover, it also saves time for developers when trying to track down bugs).

Regarding the version number, I also think that the version should be placed somewhere at the bottom of each survey generated (in small font of course).

Thank you.
Lou.

----- Original Message -----
From: "Kon Angelopoulos" <ang...@ip...>
To: "James E. Flemer" <jf...@ac...>; "Lou Spironello" <lr...@at...>
Cc: <php...@li...>
Sent: Saturday, March 30, 2002 7:44 PM
Subject: Re: [phpesp-dev] new phpESP GUI

> Thanks for the suggestions Lou, I'll keep them in mind for the final design.
> In the mean time I've implemented some of your suggestions to the GUI I posted
> yesterday and have attached a revised version.
>
> Do they suit ?
>
> Kon
>
> On Sun, 31 Mar 2002 02:45, James E. Flemer wrote:
> > Looks cool. I can't wait to see the rest.
> > -James
> >
> >
> > _______________________________________________
> > phpESP-devel mailing list
> > php...@li...
> > https://lists.sourceforge.net/lists/listinfo/phpesp-devel
>

From: Lou S. <lr...@at...> - 2002-03-30 23:55:02

No complaints about the GUI just another suggestion regarding old interface and the combo boxes for the yes/no options in the Designer Account page. I think they should be changed to checkboxes.

I was also thinking it would be good to have combo boxes for the Day, Month, and Years.

Lou

P.S. I like the colours and the graphics of the new interface.

----- Original Message -----
From: "Kon Angelopoulos" <ang...@ip...>
To: <php...@li...>
Sent: Saturday, March 30, 2002 2:17 AM
Subject: [phpesp-dev] new phpESP GUI

> Guys,
>
> I've attached one of the new GUIs I designed for phpESP.
> Your thoughts, ideas please ......
>
> Over the next couple of days I'll also post the other 2 designs I've
> created for your comments.
>
> Kon

From: Kon A. <ang...@ip...> - 2002-03-30 23:47:57

Thanks for the suggestions Lou, I'll keep them in mind for the final design. In the mean time I've implemented some of your suggestions to the GUI I posted yesterday and have attached a revised version.

Do they suit ?

Kon

On Sun, 31 Mar 2002 02:45, James E. Flemer wrote:
> Looks cool. I can't wait to see the rest.
> -James
>
>
> _______________________________________________
> phpESP-devel mailing list
> php...@li...
> https://lists.sourceforge.net/lists/listinfo/phpesp-devel

From: Matthew G. <gr...@mu...> - 2002-03-30 22:36:29

Yeah. Survey Name is already forced to be unique and I think it's sufficiently random. I will proceed with the "auto_template" using that as the "key".

On Sat, Mar 30, 2002 at 02:42:31PM -0500, James E. Flemer wrote:
> On Sat, 30 Mar 2002, Matthew Gregg wrote:
> >
> > A thought here:
> > Instead of sequential why not increment SID by a larger increment and/or
> > perhaps add some randomness.
> > It would be harder for "Joe User" to try other surveys.
> >
> > Of course this would add some complexity since we couldn't use mysql's
> > auto_increment.
>
> Well, I think the complexity would be excessive just to
> "hide" the SID, but it made me think of a better solution.
> Rather than having the "auto-template" (as I will call it)
> use the SID as the key we could have it use the survey
> "name" (or even "title"). So the auto-template would look
> more like this:
>
>     ...
>     $sid = -1;
>     $_name = XADDSLASHES($_REQUEST['name']);
>     if ($result = mysql_query(
>             "SELECT id FROM survey WHERE name = '$_name'"))
>     {
>         if (mysql_num_rows($result) > 0)
>             $sid = mysql_result($result, 0, 0);
>         mysql_free_result($result);
>     }
>     ...
>
> This would still make "name" publicly visible, but guessing
> a name is much "harder" than {in,de}crementing the SID.
>
> Or perhaps the auto-template could range check the SID, or
> use some other verification.
>
> -James
>

--
brought to you by, Matthew Gregg...
one of the friendly folks in the IT Lab.
--------------------------------------\
The IT Lab (http://www.itlab.musc.edu) \____________________
Probably the world's premier software development center.
Serving: Programming, Tools, Ice Cream, Seminars

From: Kon A. <ang...@ip...> - 2002-03-30 21:43:50

James,

I'm using the latest version - checked out from devel cvs yesterday.

Kon

On Sun, 31 Mar 2002 02:26, James E. Flemer wrote:
> What version of PHP do you have? I used $_REQUEST[] in the
> updates for download/export. That is available only in
> PHP4.1.0 or later. If you have an older version I would
> suggest upgrading (security holes), though if you cannot,
> then replace $_REQUEST[] with $GLOBALS['HTTP_GET_VARS'][].
>
> -James
>
> On Sat, 30 Mar 2002, Kon Angelopoulos wrote:
> > OK,
> >
> > I've made the correction (updated my CVS copy) but still get an "Invalid
> > survey ID" error whenever I try to download any survey results.
> >
> > Any ideas ????
> > Kon

From: Lou S. <lr...@at...> - 2002-03-30 20:49:03

Yup. This a very serious security breach.

All files which contain php code should have the php extension unless one has explicitly defined those excluded extensions in web server configuration files.

That's in one of my other messages or it could have been posted to a feature request I made today.

All php related scripts should have a "PHP" extension, which means all .inc or .ini must be renamed to either *.inc.php *.ini.php or just *.php.

Lou.

----- Original Message -----
From: "Matthew Gregg" <gr...@mu...>
To: <php...@li...>
Sent: Saturday, March 30, 2002 2:57 PM
Subject: [phpesp-dev] Rename phpESP.ini?

> While thinking about installation scripts....
> I must have overlooked something, but why not rename phpESP.ini to
> something like config.php?
>
> If someone mistakenly installs it in a web accessible directory,
> the web server will attempt to execute it instead of plastering sensitive
> information to the browser.
>
> I tried it, seems to work. It gives you a nice blank page if you
> access
> http://yourhost.com/phpESP/admin/config.php
>
> Can't be this easy.
>
> --
> brought to you by, Matthew Gregg...
> one of the friendly folks in the IT Lab.
> --------------------------------------\
> The IT Lab (http://www.itlab.musc.edu) \____________________
> Probably the world's premier software development center.
> Serving: Programming, Tools, Ice Cream, Seminars
>
>
> _______________________________________________
> phpESP-devel mailing list
> php...@li...
> https://lists.sourceforge.net/lists/listinfo/phpesp-devel
>

From: Matthew G. <gr...@mu...> - 2002-03-30 19:57:47

While thinking about installation scripts....
I must have overlooked something, but why not rename phpESP.ini to something like config.php?

If someone mistakenly installs it in a web accessible directory, the web server will attempt to execute it instead of plastering sensitive information to the browser.

I tried it, seems to work. It gives you a nice blank page if you access
http://yourhost.com/phpESP/admin/config.php

Can't be this easy.

--
brought to you by, Matthew Gregg...
one of the friendly folks in the IT Lab.
--------------------------------------\
The IT Lab (http://www.itlab.musc.edu) \____________________
Probably the world's premier software development center.
Serving: Programming, Tools, Ice Cream, Seminars

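
The exposure discussed in this thread (a phpESP.ini or .inc file served as plain text because the package sits under the document root) can be caught by an install-time audit. The following is an added example, not phpESP code or anything posted to the list; it assumes PHP 7.1+, and the function names, the `$phpExtensions` parameter and the directory layout are hypothetical.

```php
<?php
// Added example (not phpESP code): install-time audit for the exposure
// discussed in this thread. Assumes PHP 7.1+; all names are hypothetical.

/** Resolve $path and report whether it lies inside $docRoot. */
function is_under_docroot(string $path, string $docRoot): bool
{
    $realPath = realpath($path);
    $realRoot = realpath($docRoot);
    if ($realPath === false || $realRoot === false) {
        return true; // cannot resolve: fail closed and treat as exposed
    }
    $prefix = rtrim($realRoot, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($realPath . DIRECTORY_SEPARATOR, $prefix, strlen($prefix)) === 0;
}

/**
 * List .ini/.inc files under $installDir that the web server would send
 * as plain text: they sit inside the document root and their extension is
 * not one the server hands to PHP. $phpExtensions describes the server
 * configuration and is an assumption supplied by the installer.
 */
function find_exposed_files(string $installDir, string $docRoot, array $phpExtensions = ['php']): array
{
    $exposed = [];
    $walker = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($installDir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($walker as $file) {
        $ext = strtolower($file->getExtension());
        if (!$file->isFile() || !in_array($ext, ['ini', 'inc'], true)) {
            continue; // only the config/include file types named in the thread
        }
        if (in_array($ext, $phpExtensions, true)) {
            continue; // server is configured to execute this extension
        }
        if (is_under_docroot($file->getPathname(), $docRoot)) {
            $exposed[] = $file->getPathname();
        }
    }
    sort($exposed);
    return $exposed;
}

// --- Demo on a constructed directory tree (sample data, created in tmp) ---
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'espdemo_' . bin2hex(random_bytes(4));
$layout = [
    'public_html/phpESP/admin/phpESP.ini',      // inside docroot, served as text
    'public_html/phpESP/admin/config.php',      // inside docroot, executed by PHP
    'public_html/phpESP/admin/include/lib.inc', // inside docroot, served as text
    'lib/php/contrib/phpESP/admin/phpESP.ini',  // outside docroot
];
foreach ($layout as $rel) {
    $full = $base . DIRECTORY_SEPARATOR . $rel;
    if (!is_dir(dirname($full))) {
        mkdir(dirname($full), 0700, true);
    }
    file_put_contents($full, "<?php \$db_pass = 'constructed-sample'; ?>\n");
}

$docRoot = $base . DIRECTORY_SEPARATOR . 'public_html';
foreach (find_exposed_files($base, $docRoot) as $path) {
    echo 'EXPOSED: ', substr($path, strlen($base) + 1), PHP_EOL;
}

// Remove the constructed tree again.
$cleanup = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($base, FilesystemIterator::SKIP_DOTS),
    RecursiveIteratorIterator::CHILD_FIRST
);
foreach ($cleanup as $item) {
    $item->isDir() ? rmdir($item->getPathname()) : unlink($item->getPathname());
}
rmdir($base);
```

Passing `['php', 'inc']` as `$phpExtensions` models a server that has been told to execute `.inc` files, the exception mentioned in the thread.
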
From: James E. F. <jf...@ac...> - 2002-03-30 19:42:36

On Sat, 30 Mar 2002, Matthew Gregg wrote:
>
> A thought here:
> Instead of sequential why not increment SID by a larger increment and/or
> perhaps add some randomness.
> It would be harder for "Joe User" to try other surveys.
>
> Of course this would add some complexity since we couldn't use mysql's
> auto_increment.

Well, I think the complexity would be excessive just to "hide" the SID, but it made me think of a better solution. Rather than having the "auto-template" (as I will call it) use the SID as the key we could have it use the survey "name" (or even "title"). So the auto-template would look more like this:

    ...
    $sid = -1;
    $_name = XADDSLASHES($_REQUEST['name']);
    if ($result = mysql_query(
            "SELECT id FROM survey WHERE name = '$_name'"))
    {
        if (mysql_num_rows($result) > 0)
            $sid = mysql_result($result, 0, 0);
        mysql_free_result($result);
    }
    ...

This would still make "name" publicly visible, but guessing a name is much "harder" than {in,de}crementing the SID.

Or perhaps the auto-template could range check the SID, or use some other verification.

-James

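
The name-keyed lookup sketched in the message above, written with a bound parameter, together with the random-key idea from the quoted suggestion. This is an added example, not phpESP code or anything posted to the list; it assumes PHP 7+ with the pdo_sqlite extension, and the table layout, the `public_key` column and the function names are hypothetical.

```php
<?php
// Added example, not phpESP code. Assumes PHP 7+ with the pdo_sqlite
// extension; the table layout and function names are hypothetical.

/** In-memory database so the example runs offline. */
function open_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE survey (
        id         INTEGER PRIMARY KEY AUTOINCREMENT,
        name       TEXT NOT NULL UNIQUE,
        public_key TEXT NOT NULL UNIQUE)');
    return $db;
}

/** Insert a survey; the sequential id stays internal, the key is public. */
function create_survey(PDO $db, string $name): string
{
    $key = bin2hex(random_bytes(16)); // 128 random bits, hex encoded
    $stmt = $db->prepare('INSERT INTO survey (name, public_key) VALUES (?, ?)');
    $stmt->execute([$name, $key]);
    return $key;
}

/** Name-keyed lookup; returns -1 when no survey matches. */
function sid_by_name(PDO $db, string $name): int
{
    // The name travels as a bound parameter, so quotes in it are data only.
    $stmt = $db->prepare('SELECT id FROM survey WHERE name = ?');
    $stmt->execute([$name]);
    $id = $stmt->fetchColumn();
    return $id === false ? -1 : (int) $id;
}

/** Random-key lookup; returns -1 for malformed or unknown keys. */
function sid_by_public_key(PDO $db, string $key): int
{
    if (!preg_match('/\A[0-9a-f]{32}\z/', $key)) {
        return -1; // reject anything that is not a well-formed key
    }
    $stmt = $db->prepare('SELECT id FROM survey WHERE public_key = ?');
    $stmt->execute([$key]);
    $id = $stmt->fetchColumn();
    return $id === false ? -1 : (int) $id;
}

// --- Demo with constructed sample rows ---
$db  = open_demo_db();
$key = create_survey($db, 'staff-feedback-2002');
create_survey($db, "O'Brien lab intake"); // name containing a quote

var_dump(sid_by_name($db, 'staff-feedback-2002'));
var_dump(sid_by_name($db, "O'Brien lab intake"));
var_dump(sid_by_name($db, 'no-such-survey'));
var_dump(sid_by_public_key($db, $key));
var_dump(sid_by_public_key($db, str_repeat('0', 32)));
```
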
From: Matthew G. <gr...@mu...> - 2002-03-30 19:25:17

On Thu, Mar 28, 2002 at 02:54:14PM -0500, James E. Flemer wrote:
> On Thu, 28 Mar 2002, Matthew Gregg wrote:
>
> > I need a way for users to publish their surveys that doesn't require
> > the user or the administrator to create a php include.
> > It can be very simple to start with, but I could see adding a user
> > definable CSS as an easy addition, before we make the transition into
> > XML/XLT.
> >
> > I understand the risks of accepting "tainted" user input.
> > So what's wrong with this:
> > <?php $sid=intval($id); include("/blah/public/handler.php");?>
> >
> > $id has been "un-tainted" with intval.
>
> That is fine. The only issue is of course that people (web
> users) can try different id's -- that is not necessarily a
> problem, I just wanted to keep the SID hidden from the
> user.

A thought here:
Instead of sequential why not increment SID by a larger increment and/or perhaps add some randomness.
It would be harder for "Joe User" to try other surveys.

Of course this would add some complexity since we couldn't use mysql's auto_increment.

--
brought to you by, Matthew Gregg...
one of the friendly folks in the IT Lab.
--------------------------------------\
The IT Lab (http://www.itlab.musc.edu) \____________________
Probably the world's premier software development center.
Serving: Programming, Tools, Ice Cream, Seminars

From: Lou S. <lr...@at...> - 2002-03-30 19:02:30
|
Cool! Just a few ideas(as always. :-) ): Change the order of the display of main headings so that they follow the logical path of a survey construction/adminitration(i.e. Creation/Build Add Edit Copy Delete Test Send/Distribute Set survey access privliges Set survey status Results/Reports view results from survey view survey report Administration User Add/Edit/Delete/Copy Group Add/Edit/Delete/Copy Admin Add/Edit/Delete/Copy Password Utilities Import Export Purge Merge Help User Guide Administration Guide Link to Bugs document Link to Credits Document Link to License Link to Todo Contact Us Link to Bugs reporting database for phpESP at SF Link to user newsgroup lists for phpESP at SF I have a concern for the wording of the two phrases "View Results from a Survey" and "View a Survey Report". I find that those phrases don't immediately convey the meaning of the menu item. I haven't thought of an alternative yet. :-( Version number of phpESP should be displayed at top of page. phpESP website URL might be included at the bottom of the page or through clicking from the phpESP image at the top of the page. Thank you Lou. ----- Original Message ----- From: "Kon Angelopoulos" <ang...@ip...> To: Sent: Saturday, March 30, 2002 2:17 AM Subject: [phpesp-dev] new phpESP GUI > Guys, > > I've attached one of the new GUIs I designed for phpESP. > Your thoughts, ideas please ...... > > Over the next couple of days I'll also post the other 2 designs I've > created for your comments. > > Kon |
From: Lou S. <lr...@at...> - 2002-03-30 17:19:12
|
Sorry for this. This was supposed to go to the devel list. ----- Original Message ----- From: "Lou Spironello" <lr...@at...> To: "James E. Flemer" <jf...@ac...> Sent: Saturday, March 30, 2002 10:50 AM Subject: Re: [phpesp-dev] ideas, wishlist. etc > I thought I would get this out today because it's been sitting in > my drafts folder for a while. Sorry. :-( > > ----- Original Message ----- > From: "James E. Flemer" <jf...@ac...> > To: <php...@li...> > Sent: Sunday, March 24, 2002 2:28 PM > Subject: Re: [phpesp-dev] ideas, wishlist. etc > > Anyone who is seriously interested in contributing should > > get themselves a sourceforge account, and letting me know > > their user name. > My sourceforge user name is spiro. > Sign me up! > > Probably the best way to handle task > > assignment and such is through the "Feature Request" part of > > SourceForge, that way hopefully people will not duplicate > > the efforts of others. > Sounds good to me. > > > I have commented (below) on a few of the items you brought > > up. I'd like to see other users opinions on them as well. > > Then perhaps we can try to assign some of them among those > > willing to contribute. > > > > -James > > > > On Sun, 24 Mar 2002, Lou Spironello wrote: > > > > > I'm please you started this development list. > > > I've been using phpESP for a while and like it. > > > > > > I would like to contribute my time to some development things. > > > > > > I'm wondering if anyone is working on an install script for phpESP > > > and if not I would be willing to work on one. > > > > > > Just a few ideas: > > > install script for phpESP > > > RPMs, SRPMS, deb, zip, formats for phpESP > > > standardize the config directory so users won't have to > > > modify the source files (i.e. references to the include > files) > > > > This is a good idea, but isn't possible. The location of > > the files must not be pre-determined. 
Many people use > > hosting companies, and have very little control over the > > actual web server they are running phpESP on. As of version > > 1.3 (or maybe earlier) I have suggested that the package > > get installed in /usr/local/lib/php/contrib, since > > /usr/local/lib/php is typically where PEAR and such gets > > installed. Installing in lib requires root access to the > > webserver, however. So the option must exist to install in > > a user directory. Unfortunately, many people install the > > *whole* package in their "public_html" directory -- this > > leads to problems because then the config file (phpESP.ini) > > is accessible to the world via the web server, hence the > > database passwords are also available. > Hmmm. See install script issue below. :-) > > > The best solution to this is something you have already > > suggested -- an install script. The install script, if > > written, must check to make sure the user will not install > > the phpESP.ini in a publicly accessible directory, and must > > modify all necessary paths depending on the install > > location. This should be a fairly trivial operation. In > > addition, I would like (tho not necessary) for the install > > script to handle the database creation and initialization, > > and on checking the user permissions (mysql user). > Sounds good to me. > > > > add a stock set of surveys and questionnaires > I still this this is a good idea considering that it would reduce the > amount of time individuals would have to spend creating surveys, and it > would also allow others to make duplicates from them. > > > > import/export feature which handles XML and other formats > > > use XML and XSLT to generate the HTML pages for reports etc. > > > > I am very glad you mentioned XML. I would actually like to > > move a large portion of data out of mysql and into XML. I > > would like the backend format for the surveys to be XML. > Ssounds good. 
> > > With a well written DTD (or schema), the XML based survey > > format would be much more flexible. It would still be > > simple enough to allow a similar web interface to design > > basic surveys, but would also allow advanced users to work > > directly with the XML to create a more customized layout. > Yes. > > > Also, by using XSLT, we add the possibility of themes and > > even more flexibility. > Yup. > > > > ability to copy portions of surveys from other surveys > > > change the main maintenance menu to functional areas > > > Survey construction > > > add, edit. delete, copy > > > Survey administration > > > test, activate, close > > > Survey reports > > > view, print, etc > > > Survey authentication > > > user creation, editing, deletion, copying (i.e. > > > duplicate user > > > privileges) > > > Survey utilities > > > export (mySQL, XML, CSV, etc), import(mySQL, XML, > CSV, > > > etc) > > > > The whole interface needs to be redone. I am not a > > designer, and clearly the GUI I designed sucks. Hopefully > > there is someone who will have the time to rework the > > interface. > Looks like Kon is working on this one! > > > > interfaces to other content management systems > > > phpNuke, PostNuke, phpgroupware, ezPublish, etc. > > > > I would like to see an interface to PostNuke first. Note > > that there are license differences between most of those > > CMS and phpESP, so phpESP cannot be distributed with them, > > but I can certainly work with them. > Didn't have an intention that you change the license for phpESP, just > the issue of providing a number of hooks, etc so that it would make > integration with other packages a little easier. > > > > Ability to specify a page to include the generated PHP code > > > (i.e. maybe include comment in the HTML/PHP page with a > > > begin/end > > > comment such that phpESP could auto insert the php code > > > directly > > > into the HTML/PHP page > > > e.g. > > > HTML/PHP file. 
> > > > > > <!-- phpESP v1.4 Survey Start --> > > > Section to include the generated PHP > code > > > <!-- phpESP v1.4 Survey End --> > > > > > > Possibility to manage "pages with the php generated survey > code" > > > > I don't quite follow this. I am assuming you mean removing > > the step where the user inserts the PHP code into their > > HTML template file. > Yes and also to provide a user interface to manage the insertion of > the php code along with any or all of the template files the user uses. > > > Naturally that would be ideal, but > > probably not possible security wise (since the web server > > executes without user privileges). > > > > > Display phpESP version on Maintenance Page > > > > It is in the "title" tag of the page. :-) > Yes, I understand. However, I believe it should also be placed on the > page itself. > > Thank you. > Lou. > > > > > > > > _______________________________________________ > > phpESP-devel mailing list > > php...@li... > > https://lists.sourceforge.net/lists/listinfo/phpesp-devel > > > > > > > |
From: James E. F. <jf...@ac...> - 2002-03-30 15:45:36

Looks cool. I can't wait to see the rest.

-James

From: James E. F. <jf...@ac...> - 2002-03-30 15:26:13

What version of PHP do you have? I used $_REQUEST[] in the updates for download/export. That is available only in PHP4.1.0 or later. If you have an older version I would suggest upgrading (security holes), though if you cannot, then replace $_REQUEST[] with $GLOBALS['HTTP_GET_VARS'][].

-James

On Sat, 30 Mar 2002, Kon Angelopoulos wrote:
> OK,
>
> I've made the correction (updated my CVS copy) but still get an "Invalid
> survey ID" error whenever I try to download any survey results.
>
> Any ideas ????
> Kon

From: Kon A. <ang...@ip...> - 2002-03-30 07:20:42

Guys,

I've attached one of the new GUIs I designed for phpESP.
Your thoughts, ideas please ......

Over the next couple of days I'll also post the other 2 designs I've created for your comments.

Kon

From: Kon A. <ang...@ip...> - 2002-03-30 06:31:09
|
OK, I've made the correction (updated my CVS copy) but still get an "Invalid survey ID" error whenever I try to download any survey results. Any ideas ???? Kon On Fri, 29 Mar 2002 01:53, James E. Flemer wrote: > On Thu, 28 Mar 2002, Matthew Gregg wrote: > > Fix for this on line 38 in phpESP.ini: > > - unset $tmp_lang; > > + unset($tmp_lang); > > > > With that fix in place I don't have the "Invalid survey ID" problem. > > Fixed in CVS. > -James > > > _______________________________________________ > phpESP-devel mailing list > php...@li... > https://lists.sourceforge.net/lists/listinfo/phpesp-devel |
From: James E. F. <jf...@ac...> - 2002-03-29 15:15:06

Committed patch. The content-type is now "text/comma-separated-values".

-James

On Fri, 29 Mar 2002, Kon Angelopoulos wrote:
> Totally agree.....
> and it seems that text/comma-separated-values will be it
>
> Kon
>
> On Fri, 29 Mar 2002 01:33, Matthew Gregg wrote:
> > Yeah! Great idea to use ESP for stuff like this.
> >
> >
> > --On Thursday, March 28, 2002 12:14:53 AM -0500 "James E. Flemer"
> >
> > <jf...@ac...> wrote:
> > >> http://phpesp.sf.net/demo/test.php?sid=2574&userid=devel
> > >
> > > Results:
> > > http://phpesp.sf.net/demo/test.php?sid=2574&results=1
> > >
> > >
> > >
> > > _______________________________________________
> > > phpESP-devel mailing list
> > > php...@li...
> > > https://lists.sourceforge.net/lists/listinfo/phpesp-devel
> >
> > ----
> >
> > one of the friendly folks in the IT Lab.
> > --------------------------------------\
> > The IT Lab (http://www.itlab.musc.edu) \____________________
> > Probably the world's premier software development center.
> > Serving: Programming, Tools, Ice Cream, Seminars
> >
> > _______________________________________________
> > phpESP-devel mailing list
> > php...@li...
> > https://lists.sourceforge.net/lists/listinfo/phpesp-devel
>
> _______________________________________________
> phpESP-devel mailing list
> php...@li...
> https://lists.sourceforge.net/lists/listinfo/phpesp-devel
>

From: Kon A. <ang...@ip...> - 2002-03-28 22:07:26

Totally agree.....
and it seems that text/comma-separated-values will be it

Kon

On Fri, 29 Mar 2002 01:33, Matthew Gregg wrote:
> Yeah! Great idea to use ESP for stuff like this.
>
>
> --On Thursday, March 28, 2002 12:14:53 AM -0500 "James E. Flemer"
>
> <jf...@ac...> wrote:
> >> http://phpesp.sf.net/demo/test.php?sid=2574&userid=devel
> >
> > Results:
> > http://phpesp.sf.net/demo/test.php?sid=2574&results=1
> >
> >
> >
> > _______________________________________________
> > phpESP-devel mailing list
> > php...@li...
> > https://lists.sourceforge.net/lists/listinfo/phpesp-devel
>
> ----
>
> one of the friendly folks in the IT Lab.
> --------------------------------------\
> The IT Lab (http://www.itlab.musc.edu) \____________________
> Probably the world's premier software development center.
> Serving: Programming, Tools, Ice Cream, Seminars
>
> _______________________________________________
> phpESP-devel mailing list
> php...@li...
> https://lists.sourceforge.net/lists/listinfo/phpesp-devel

From: James E. F. <jf...@ac...> - 2002-03-28 19:54:20

On Thu, 28 Mar 2002, Matthew Gregg wrote:

> I need a way for users to publish their surveys that doesn't require
> the user or the administrator to create a php include.
> It can be very simple to start with, but I could see adding a user
> definable CSS as an easy addition, before we make the transition into
> XML/XLT.
>
> I understand the risks of accepting "tainted" user input.
> So what's wrong with this:
> <?php $sid=intval($id); include("/blah/public/handler.php");?>
>
> $id has been "un-tainted" with intval.

That is fine. The only issue is of course that people (web users) can try different id's -- that is not necessarily a problem, I just wanted to keep the SID hidden from the user. But as you may have noticed, I handled the "test.php" on the demo site the way you suggested above. In fact here is the actual code:

    <?php
        $my_sid = $HTTP_GET_VARS['sid'];
        unset ($HTTP_GET_VARS['sid']);
        $sid = intval($my_sid);

        $my_res = $HTTP_GET_VARS['results'];
        unset ($HTTP_GET_VARS['results']);
        $results = $my_res;

        echo ("<tt>sid = $sid</tt><hr>\n");
        include('handler.php');
        echo ("<hr>\n");
        if (isset($errmsg))
            echo $errmsg;
    ?>

Note that the handler will give a "Security violation" if either $HTTP_GET_VARS['sid'] or $HTTP_GET_VARS['results'] is set.

-James

From: Matthew G. <gr...@mu...> - 2002-03-28 19:26:16

I need a way for users to publish their surveys that doesn't require the user or the administrator to create a php include.
It can be very simple to start with, but I could see adding a user definable CSS as an easy addition, before we make the transition into XML/XLT.

I understand the risks of accepting "tainted" user input.
So what's wrong with this:

    <?php $sid=intval($id); include("/blah/public/handler.php");?>

$id has been "un-tainted" with intval.

--
brought to you by, Matthew Gregg...
one of the friendly folks in the IT Lab.
--------------------------------------\
The IT Lab (http://www.itlab.musc.edu) \____________________
Probably the world's premier software development center.
Serving: Programming, Tools, Ice Cream, Seminars

From: James E. F. <jf...@ac...> - 2002-03-28 14:53:07
|
On Thu, 28 Mar 2002, Matthew Gregg wrote: > Fix for this on line 38 in phpESP.ini: > - unset $tmp_lang; > + unset($tmp_lang); > > With that fix in place I don't have the "Invalid survey ID" problem. Fixed in CVS. -James |
From: Matthew G. <gr...@mu...> - 2002-03-28 14:33:55

Yeah! Great idea to use ESP for stuff like this.

--On Thursday, March 28, 2002 12:14:53 AM -0500 "James E. Flemer" <jf...@ac...> wrote:

>> http://phpesp.sf.net/demo/test.php?sid=2574&userid=devel
>
> Results:
> http://phpesp.sf.net/demo/test.php?sid=2574&results=1
>
>
>
> _______________________________________________
> phpESP-devel mailing list
> php...@li...
> https://lists.sourceforge.net/lists/listinfo/phpesp-devel
>

----

one of the friendly folks in the IT Lab.
--------------------------------------\
The IT Lab (http://www.itlab.musc.edu) \____________________
Probably the world's premier software development center.
Serving: Programming, Tools, Ice Cream, Seminars

From: Matthew G. <gr...@mu...> - 2002-03-28 14:32:29
|
Fix for this on line 38 in phpESP.ini: - unset $tmp_lang; + unset($tmp_lang); With that fix in place I don't have the "Invalid survey ID" problem. --On Thursday, March 28, 2002 09:44:50 PM +1100 Kon Angelopoulos <ang...@ip...> wrote: > Hi James, > > Just after you made the changes to fix the global variable conflict on > $tmp (phpESP.ini v1.24) I downloaded the latest devel CVS and tested. > > I get the following error when trying to log into the management > interface: Parse error, expecting `'('' in /../../../../admin/phpESP.ini > on line 38 Fatal error: Call to underfined function: esp_where() in > /../../../../admin/manage.php on line 83. > > I just commented out line 38 ( unset $tmp_lang; ) so that I can keep > testing and found another bug: > > When trying to download a file I keep getting the following error: > [ Invalid survey ID. ] > > I put in an echo statement in download.inc to see what is returned from: > $sid = intval($_REQUEST['sid']); and it always returns 0. > > > Kon > > _______________________________________________ > phpESP-devel mailing list > php...@li... > https://lists.sourceforge.net/lists/listinfo/phpesp-devel > ---- one of the friendly folks in the IT Lab. --------------------------------------\ The IT Lab (http://www.itlab.musc.edu) \____________________ Probably the world's premier software development center. Serving: Programming, Tools, Ice Cream, Seminars |
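
Review bot: The `unset($tmp_lang);` replacement on line 38 of phpESP.ini clears the parse error, but the "Invalid survey ID" symptom in the quoted report is traced there to `intval($_REQUEST['sid'])` returning 0 in download.inc, which this change does not touch. Before treating that symptom as fixed, confirm it on the reporter's setup as well, since elsewhere in the thread `$_REQUEST` is said to be available only in PHP 4.1.0 or later.
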
From: Kon A. <ang...@ip...> - 2002-03-28 10:47:20

Hi James,

Just after you made the changes to fix the global variable conflict on $tmp (phpESP.ini v1.24) I downloaded the latest devel CVS and tested.

I get the following error when trying to log into the management interface:

    Parse error, expecting `'('' in /../../../../admin/phpESP.ini on line 38
    Fatal error: Call to underfined function: esp_where() in /../../../../admin/manage.php on line 83.

I just commented out line 38 ( unset $tmp_lang; ) so that I can keep testing and found another bug:

When trying to download a file I keep getting the following error:

    [ Invalid survey ID. ]

I put in an echo statement in download.inc to see what is returned from:

    $sid = intval($_REQUEST['sid']);

and it always returns 0.

Kon
