From: flobee <fl...@we...> - 2002-04-16 21:06:09
where is that: Patch for Auto-publishing ??

very interesting! i build up my own script for that but i have secure holes
because i needed to disable some things in handler prefix!

----- Original Message -----
From: <php...@li...>
To: <php...@li...>
Sent: Tuesday, April 16, 2002 9:53 PM
Subject: phpESP-devel digest, Vol 1 #25 - 8 msgs

Send phpESP-devel mailing list submissions to
php...@li...

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.sourceforge.net/lists/listinfo/phpesp-devel
or, via email, send a message with subject or body 'help' to
php...@li...

You can reach the person managing the list at
php...@li...

When replying, please edit your Subject line so it is more specific
than "Re: Contents of phpESP-devel digest..."

Today's Topics:

1. Re: Patch for Auto-publishing (Kon Angelopoulos)
2. Re: Patch for Auto-publishing (James E. Flemer)
3. french translaton (James E. Flemer)
4. Re: Patch for Auto-publishing (Matthew Gregg)
5. Re: Patch for Auto-publishing (James E. Flemer)
6. Re: Patch for Auto-publishing (Matthew Gregg)
7. Re: Patch for Auto-publishing (Matthew Gregg)
8. Re: Patch for Auto-publishing (James E. Flemer)

--__--__--

Message: 1
From: Kon Angelopoulos <ang...@ip...>
To: "James E. Flemer" <jf...@ac...>, Matthew Gregg <gr...@mu...>
Subject: Re: [phpesp-dev] Patch for Auto-publishing
Date: Tue, 16 Apr 2002 19:49:23 +1000
Cc: <php...@li...>
Organization: angek Productions

Hi Guys,

Just downloaded the latest version to have a look at Matthew's patch and was
looking at the code for handler.php

75 $action = $HTTP_SERVER_VARS['PHP_SELF'];
76 if (!empty($HTTP_SERVER_VARS['QUERY_STRING']))
77 $action .= "?" . $HTTP_SERVER_VARS['QUERY_STRING'];

should line 77 read $action = "?" .$HTTP_SERVER_VARS['QUERY_STRING']; instead?

otherwise couldn't we have the following scenario when, for example we test
surveys?

..../.../manage.php?where=test&sid=xx - then clicking the submit button would
generate:
../../manage.php?where=test?where=test&sid=xx

Regards

Kon

On Mon, 15 Apr 2002 05:05, James E. Flemer wrote:
> On Wed, 10 Apr 2002, Matthew Gregg wrote:
> > Attached is first run at a patch to allow publishing of surveys
> > without needing to manually create a php "include" file.
>
> I made a few slight changes, nothing effecting use, and
> committed this patch. Thanks.
>
> > Take a look in handler-prefix.php where the remote user id is found.
> > I commented the QUERY_STRING case because it would grab the
> > query string for survey selection every time. Can we live without
> > that case?
>
> I changed this so that survey.php removes "name=xxx" from
> the query string, so no mods to handler-prefix were needed.
>
> Thanks for the patch.
>
> -James
>
>
> _______________________________________________
> phpESP-devel mailing list
> php...@li...
> https://lists.sourceforge.net/lists/listinfo/phpesp-devel

--__--__--

Message: 2
Date: Tue, 16 Apr 2002 10:40:17 -0400 (EDT)
From: "James E. Flemer" <jf...@ac...>
Reply-To: "James E. Flemer" <jf...@ac...>
To: <php...@li...>
Subject: Re: [phpesp-dev] Patch for Auto-publishing

Well, I see the problem, but I fixed it in where/test.inc
instead. Now that the handler sanely treats the
QUERY_STRING, I removed the QS mangling code in test.inc,
that made it possible to embed the handler within the
management interface. Please check out the latest revision
of that file and see if your problems go away.

-James

On Tue, 16 Apr 2002, Kon Angelopoulos wrote:

> Hi Guys,
>
> Just downloaded the latest version to have a look at Matthew's patch and was
> looking at the code for handler.php
>
>
> 75 $action = $HTTP_SERVER_VARS['PHP_SELF'];
> 76 if (!empty($HTTP_SERVER_VARS['QUERY_STRING']))
> 77 $action .= "?" . $HTTP_SERVER_VARS['QUERY_STRING'];
>
> should line 77 read $action = "?" .$HTTP_SERVER_VARS['QUERY_STRING']; instead?
>
> otherwise couldn't we have the following scenario when, for example we test
> surveys?
>
> ..../.../manage.php?where=test&sid=xx - then clicking the submit button would
> generate:
> ../../manage.php?where=test?where=test&sid=xx
>
>
> Regards
>
>
> Kon

--__--__--

Message: 3
Date: Tue, 16 Apr 2002 11:00:32 -0400 (EDT)
From: "James E. Flemer" <jf...@ac...>
Reply-To: "James E. Flemer" <jf...@ac...>
To: <php...@li...>
Subject: [phpesp-dev] french translaton

Hey French Translation Team ...

Did you send me the translated messages.po file? If you
have, I've lost it in my mountain of email. I do have the
translated images though, and will probably get around to
adding code for choosing the right ones pretty soon. (I
have final exams coming up so my time might be limited.)

-James

--__--__--

Message: 4
Date: Tue, 16 Apr 2002 11:07:17 -0400
From: Matthew Gregg <gr...@mu...>
To: "James E. Flemer" <jf...@ac...>
Cc: php...@li...
Subject: Re: [phpesp-dev] Patch for Auto-publishing

The change to remove "name=xxx" from the query string brings up a
small problem.

The first time through a survey the referer is set correctly so that
the "return" link on the "thank you" page works correctly, however, if
you click that link to take the survey again, the "name=xxx" will be
dropped from the referer. So a second time through the survey the
"return" link fails.

On Sun, Apr 14, 2002 at 03:05:39PM -0400, James E. Flemer wrote:
> On Wed, 10 Apr 2002, Matthew Gregg wrote:
>
> > Attached is first run at a patch to allow publishing of surveys
> > without needing to manually create a php "include" file.
>
> I made a few slight changes, nothing effecting use, and
> committed this patch. Thanks.
>
> > Take a look in handler-prefix.php where the remote user id is found.
> > I commented the QUERY_STRING case because it would grab the
> > query string for survey selection every time. Can we live without
> > that case?
>
> I changed this so that survey.php removes "name=xxx" from
> the query string, so no mods to handler-prefix were needed.
>
> Thanks for the patch.
>
> -James
>

--
brought to you by, Matthew Gregg...
one of the friendly folks in the IT Lab.
--------------------------------------\
The IT Lab (http://www.itlab.musc.edu) \____________________
Probably the world's premier software development center.
Serving: Programming, Tools, Ice Cream, Seminars

--__--__--

Message: 5
Date: Tue, 16 Apr 2002 11:31:35 -0400 (EDT)
From: "James E. Flemer" <jf...@ac...>
Reply-To: "James E. Flemer" <jf...@ac...>
To: Matthew Gregg <gr...@mu...>
Cc: <php...@li...>
Subject: Re: [phpesp-dev] Patch for Auto-publishing

Well ... Ideally the "return" link is supposed to be to the
page _before_ the survey.

So you've got some index.html somewhere with
[a href="/survey.php?name=foo"] Take a Survey [/a]
Then the "return" link should take you back to
"index.html".

However if you type http://place.ext/survey.php?name=foo
into the url bar, then there is no referrer, so it sorta
goes back to itself.

What do you all think the policy should be?

Vote:
http://phpesp.sf.net/demo/test.php?sid=2944&userid=devel
Results:
http://phpesp.sf.net/demo/test.php?sid=2944&results=1

-James

On Tue, 16 Apr 2002, Matthew Gregg wrote:

> The change to remove "name=xxx" from the query string brings up a
> small problem.
>
> The first time through a survey the referer is set correctly so that
> the "return" link on the "thank you" page works correctly, however, if
> you click that link to take the survey again, the "name=xxx" will be
> dropped from the referer. So a second time through the survey the
> "return" link fails.

--__--__--

Message: 6
Date: Tue, 16 Apr 2002 11:46:14 -0400
From: Matthew Gregg <gr...@mu...>
To: "James E. Flemer" <jf...@ac...>
Cc: php...@li...
Subject: Re: [phpesp-dev] Patch for Auto-publishing

On Tue, Apr 16, 2002 at 11:31:35AM -0400, James E. Flemer wrote:
> Well ... Ideally the "return" link is supposed to be to the
> page _before_ the survey.

Oh duh, yeah that would make sense.

>
> So you've got some index.html somewhere with
> [a href="/survey.php?name=foo"] Take a Survey [/a]
> Then the "return" link should take you back to
> "index.html".
>
> However if you type http://place.ext/survey.php?name=foo
> into the url bar, then there is no referrer, so it sorta
> goes back to itself.
>
> What do you all think the policy should be?
>
> Vote:
> http://phpesp.sf.net/demo/test.php?sid=2944&userid=devel

Vote cast.

> Results:
> http://phpesp.sf.net/demo/test.php?sid=2944&results=1
>
> -James
>
>
> On Tue, 16 Apr 2002, Matthew Gregg wrote:
>
> > The change to remove "name=xxx" from the query string brings up a
> > small problem.
> >
> > The first time through a survey the referer is set correctly so that
> > the "return" link on the "thank you" page works correctly, however, if
> > you click that link to take the survey again, the "name=xxx" will be
> > dropped from the referer. So a second time through the survey the
> > "return" link fails.
>

--
brought to you by, Matthew Gregg...
one of the friendly folks in the IT Lab.
--------------------------------------\
The IT Lab (http://www.itlab.musc.edu) \____________________
Probably the world's premier software development center.
Serving: Programming, Tools, Ice Cream, Seminars

--__--__--

Message: 7
Date: Tue, 16 Apr 2002 12:01:55 -0400
From: Matthew Gregg <gr...@mu...>
To: "James E. Flemer" <jf...@ac...>
Cc: php...@li...
Subject: Re: [phpesp-dev] Patch for Auto-publishing

One other thing.
survey.php doesn't take into account private surveys.
I think it's a small change to do this, but larger than I felt safe committing to CVS myself :-) - $sql = "SELECT id,title FROM survey WHERE name = '$_name'"; + $sql = "SELECT id, title, public FROM survey WHERE name = '$_name'"; if ($result = mysql_query($sql)) { if (mysql_num_rows($result) > 0) - list($sid, $_title) = mysql_fetch_row($result); + list($sid, $_title, $public) = mysql_fetch_row($result); mysql_free_result($result); } } + if ($public == "N") { + include($ESPCONFIG['handler_prefix']); + } ?> On Sun, Apr 14, 2002 at 03:05:39PM -0400, James E. Flemer wrote: > On Wed, 10 Apr 2002, Matthew Gregg wrote: > > > Attached is first run at a patch to allow publishing of surveys > > without needing to manually create a php "include" file. > > I made a few slight changes, nothing effecting use, and > committed this patch. Thanks. > > > Take a look in handler-prefix.php where the remote user id is found. > > I commented the QUERY_STRING case because it would grab the > > query string for survey selection every time. Can we live without > > that case? > > I changed this so that survey.php removes "name=xxx" from > the query string, so no mods to handler-prefix were needed. > > Thanks for the patch. > > -James > -- brought to you by, Matthew Gregg... one of the friendly folks in the IT Lab. --------------------------------------\ The IT Lab (http://www.itlab.musc.edu) \____________________ Probably the world's premier software development center. Serving: Programming, Tools, Ice Cream, Seminars --__--__-- Message: 8 Date: Tue, 16 Apr 2002 12:55:44 -0400 (EDT) From: "James E. Flemer" <jf...@ac...> Reply-To: "James E. Flemer" <jf...@ac...> To: Matthew Gregg <gr...@mu...> Cc: <php...@li...> Subject: Re: [phpesp-dev] Patch for Auto-publishing Thanks for pointing that out. I just committed smaller patch doing the same thing. 
:-) There is no need to check public, since the handler prefix is included by the handler (if it hasn't already) anyway, so now we just include it explicitly above any content. if ($result = mysql_query($sql)) { if (mysql_num_rows($result) > 0) list($sid, $_title) = mysql_fetch_row($result); mysql_free_result($result); } } + include($ESPCONFIG['handler_prefix']); ?> Checkout new revision from cvs. -James On Tue, 16 Apr 2002, Matthew Gregg wrote: > One other thing. > survey.php doesn't take into account private surveys. > I think it's a small change to do this, but larger than I felt safe committing > to CVS myself :-) > > - $sql = "SELECT id,title FROM survey WHERE name = '$_name'"; > + $sql = "SELECT id, title, public FROM survey WHERE name = '$_name'"; > if ($result = mysql_query($sql)) { > if (mysql_num_rows($result) > 0) > - list($sid, $_title) = mysql_fetch_row($result); > + list($sid, $_title, $public) = mysql_fetch_row($result); > mysql_free_result($result); > } > } > + if ($public == "N") { > + include($ESPCONFIG['handler_prefix']); > + } > ?> --__--__-- _______________________________________________ phpESP-devel mailing list php...@li... https://lists.sourceforge.net/lists/listinfo/phpesp-devel End of phpESP-devel Digest |
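Review bot: In the survey.php hunk from Message 7, the added check if ($public == "N") reads $public even when it was never assigned. list($sid, $_title, $public) only runs when the query succeeds and returns a row, so for a failed query or an unknown survey name the comparison is false and the handler prefix is skipped. Initialise $public before the query and include the prefix unless the row explicitly marks the survey as public, so that the failure case lands on the protected side. The changed SELECT also places $_name directly inside the quoted string; the hunk does not show where $_name is escaped, so that should be confirmed before this line.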
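Review bot: In the committed survey.php hunk from Message 8, the added include($ESPCONFIG['handler_prefix']) only raises a warning when the file cannot be loaded, and the script then carries on to the content without the prefix having run. Since the message says the handler includes the same file "if it hasn't already", require_once would cover both cases: it stops the script if the prefix is missing and avoids loading it a second time. A short comment stating that the prefix must run before any output would document why the line sits at the end of this block.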
From: James E. F. <jf...@ac...> - 2002-04-16 22:34:50
On Tue, 16 Apr 2002, flobee wrote:

> where is that: Patch for Auto-publishing ??
>
> very interesting! i build up my own script for that but i have secure holes
> because i needed to disable some things in handler prefix!

You need to use the cvs version of phpESP. There are
instructions on sf.net on obtaining code from the cvs
server here:

http://sourceforge.net/cvs/?group_id=8956

for example you would say:

$ cvs -d:pserver:ano...@cv...:/cvsroot/phpesp login
<hit enter at password prompt>
$ cvs -d:pserver:ano...@cv...:/cvsroot/phpesp co phpesp

Look online for help on using CVS or look back in the
archives for the phpesp-general list for more help.

-James