From: randall e. <ra...@uc...> - 2002-04-17 20:42:34
i just downloaded and checked out your phpESP - very slick. we're currently looking at developing a php/sql based application to build web surveys with and to save time i think we're gonna be using phpESP as our starting point.

currently we use commercial windows software to build our web based surveys, and there are some features that we'll be needing to implement (question/answer 'piping', answer based 'skips') and whatnot; as well as using adodb for the database abstraction layer.

our project is starting off just at UCSB with hopes of becoming a joint development from all the UC campuses. in doing so we're also planning on hosting the cvs repository for our project locally (but will be made available publicly.) we already have an extensive set of tools for managing mass-mailing of users for surveys that require authentication and data extraction (mostly done in perl::dbi.) we'd love to have a single package to handle all the steps needed to run a web based survey, so our plans are to extend phpESP to handle the following:

o admin users database containing login, password, and ACL info for survey creators and data extraction users
o web based tool to create survey
  - surveys must be able to 'pipe' answers (i.e. build a new question based on the answer to a previous one)
  - 'skips' - jump over certain questions based on answers to prior questions
o initial import of users (from a csv file, containing at least a login, cleartext password, and a survey name)
o mass-mailing of users, sending their cleartext password (optional) in the email and then encrypting it on the fly
o mass-mailing a 'reminder' or 'preminder' notice to users who are about to, or who haven't taken the survey yet
o web based tool for survey-admins to extract real-time responses
o web based tool for survey-admins to display real-time results

our current mix of tools provides all of the above except for the web based tool to create surveys (which is where phpESP fits into the mix).

http://open.survey.ucsb.edu/ - ignore the phpESP imported already, it was merely a test.

- randall s. ehren :// 805.893.5632
systems administrator :// isber|survey|avss.ucsb.edu
institute for social, behavioral, and economic research
From: Matthew G. <gr...@mu...> - 2002-04-17 22:27:13
Are you planning to fork or contribute these changes back? If you plan to contribute, keeping your tree in sync. with the main devel tree could be troublesome. We should also nail down a clear roadmap for implementing your enhancements along with other possible/in progress changes, xml/xlt being a "biggie" and the new UI that should be somewhere near finished.

Just my humble thoughts :-)

On Wed, Apr 17, 2002 at 01:42:29PM -0700, randall ehren wrote:
> i just downloaded and checked out your phpESP - very slick. we're currently
> looking at developing a php/sql based application to build web surveys with
> and to save time i think we're gonna be using phpESP as our starting point.
> [...]

-- 
brought to you by,
Matthew Gregg... one of the friendly folks in the IT Lab.

--------------------------------------\
The IT Lab (http://www.itlab.musc.edu) \____________________
Probably the world's premier software development center.
Serving: Programming, Tools, Ice Cream, Seminars
From: randall e. <ra...@uc...> - 2002-04-21 01:13:39
> Are you planning to fork or contribute these changes back?

our current thought is to have our own cvs tree, as we don't want to have any external dependencies.

> If you plan to contribute, keeping your tree in sync. with the main
> devel tree could be troublesome. We should also nail down a clear roadmap
> for implementing your enhancements along with other possible/in
> progress changes, xml/xlt being a "biggie" and the new UI that should
> be somewhere near finished.

do you have a plan outline anywhere? we're currently laying one out and i'll have it posted on the site once it's finalized.

as far as the new UI, is that currently being developed or just being thought out?

-randall
From: Kon A. <ang...@ip...> - 2002-04-21 03:06:37
Guys,

I've already posted 2 new designs and am finishing off the 3rd (I've been delayed slightly... having to finish off a project at work first). Once that is done I'll be sending the sample html pages to James so they can be put up and tested.

The pages you will see are only of the management interface page as I'm currently working on providing template files so that a user can choose whichever style they like and apply it to the entire site.

The second process, which I've just started planning, is to also allow users to format their surveys using a number of predefined styles.

Kon

On Sun, 21 Apr 2002 11:13, randall ehren wrote:
> as far as the new UI, is that currently being developed or just being
> thought out?
From: Matthew G. <gr...@mu...> - 2002-04-21 19:00:39
On Sun, Apr 21, 2002 at 01:06:27PM +1000, Kon Angelopoulos wrote:
> and tested. The pages you will see are only of the management interface page
> as I'm currently working on providing template files so that a user can
> choose whichever style they like and apply it to the entire site.
> The second process, which I've just started planning, is to also allow users
> to format their surveys using a number of predefined styles.

I was thinking about adding user definable/selectable styles for surveys only, not the phpESP system itself.

Are you using CSS to accomplish this? I think it would be nifty if the user could specify a URL to his own style sheet as well as selecting predefined styles.
From: Kon A. <an...@cp...> - 2002-04-22 03:57:15
I am using CSS. I don't know about allowing users to specify a URL to their own style sheets but I was going to create templates which the user could modify to include their own look and feel for the surveys they create.

Kon

On Mon, 22 Apr 2002 05:00, Matthew Gregg wrote:
> I was thinking about adding user definable/selectable styles for
> surveys only, not the phpESP system itself.
>
> Are you using CSS to accomplish this?
> I think it would be nifty if the user could specify a URL to his own
> style sheet as well as selecting predefined styles.
From: randall e. <ra...@uc...> - 2002-06-17 18:42:37
hi,

i have a few questions about the filestructure & setup of phpESP...

1) is there any reasoning to have the config file be a .ini instead of say a .php so that there is no concern about it getting parsed as cleartext?

2) has anyone thought about using a global to define the filesystem locations? seems like it would require much less editing to use something like the horde.org's setup:

    define('PHPESP_BASE', dirname(__FILE__));
    $locale_path = PHPESP_BASE . "/locale/";
    $include_path = PHPESP_BASE . "/include/";
    ...

3) any thoughts on importing adodb (http://php.weblogs.com/ADODB) so multiple databases could be used as the backend storage?

thanks,

-randall
From: Matthew G. <gr...@mu...> - 2002-06-18 00:52:01
On Mon, Jun 17, 2002 at 11:42:24AM -0700, randall ehren wrote:
> 1) is there any reasoning to have the config file be a .ini instead of say a
> .php so that there is no concern about it getting parsed as cleartext?

This has been mentioned before and it's something I would like to see happen.

> 2) has anyone thought about using a global to define the filesystem
> locations? seems like it would require much less editing to use something like
> the horde.org's setup:
>
> define('PHPESP_BASE', dirname(__FILE__));
> $locale_path = PHPESP_BASE . "/locale/";
> $include_path = PHPESP_BASE . "/include/";
> ...

Also talked about before. If it can be implemented without limiting installation flexibility, which I think it can be, it should probably also be done.

> 3) any thoughts on importing adodb (http://php.weblogs.com/ADODB) so multiple
> databases could be used as the backend storage?

Another good one. I would lean towards PEAR (http://pear.php.net) instead of ADODB myself. Anyone have any thoughts pro/con on PEAR, ADODB, etc...?
From: randall e. <ra...@uc...> - 2002-06-18 02:12:04
> This has been mentioned before and it's something I would like to see happen.

probably should be edited directly in the CVSROOT so that the file maintains its history.

> > $locale_path = PHPESP_BASE . "/locale/";
> > $include_path = PHPESP_BASE . "/include/";
> > ...
>
> Also talked about before. If it can be implemented without limiting
> installation flexibility, which I think it can be, it should probably
> also be done.

i'll test this out tomorrow and if it works, i'll submit a patch.

> Another good one. I would lean towards PEAR(http://pear.php.net)
> instead of ADODB myself. Anyone have any thoughts pro/con on PEAR,
> ADODB, etc...?

here's a benchmark showing direct mysql, adodb, phplib & PEAR:
http://phplens.com/lens/adodb/

another point of interest is the 'gallery' developers' notes on PEAR vs. adodb:
http://marc.theaimsgroup.com/?l=gallery-devel&m=101946544502824&w=2

and:
http://phpwiki.sourceforge.net/phpwiki/PhpDatabaseAccessLibraries
From: randall e. <ra...@uc...> - 2002-06-18 04:08:08
Attachments:
phpESP.ini.patch
> > > $locale_path = PHPESP_BASE . "/locale/";
> > > $include_path = PHPESP_BASE . "/include/";
> > > ...
> > Also talked about before. If it can be implemented without limiting
> > installation flexibility, which I think it can be, it should probably
> > also be done.
>
> i'll test this out tomorrow and if it works, i'll submit a patch.

worked just fine. patch is attached.

    cp phpESP.ini.patch /path/to/phpESP/
    cd /path/to/phpESP/
    patch < phpESP.ini.patch

also, for /public/*.php files -

randall@web[/www/phpesp/public]% diff survey.php.dist survey.php
3c3
< require('/usr/local/lib/php/contrib/phpESP/admin/phpESP.ini');
---
> require("../admin/phpESP.ini");

doesn't that seem better?

-randall
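Review bot: The replacement at line 3 of public/survey.php, `require("../admin/phpESP.ini");`, only resolves if admin/ is a sibling of public/, which means the whole tree, the credential-bearing phpESP.ini included, has to sit under the web root where it can be fetched with a plain GET; the absolute path it removes pointed outside the document root on purpose. A path starting with ../ is also resolved by PHP against the process's current working directory (include_path is ignored for such paths), which happens to be the script's directory under a typical mod_php setup but is not guaranteed, so the line can break when the same script is reached another way. The PHPESP_BASE constant built from dirname(__FILE__) proposed earlier in this thread gives a location-independent path without forcing the config into htdocs; otherwise keep an absolute path to a directory outside the document root.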
From: James E. F. <jf...@ac...> - 2002-06-18 13:12:43
On Mon, 17 Jun 2002, randall ehren wrote:
> also, for /public/*.php files -
>
> randall@web[/www/phpesp/public]% diff survey.php.dist survey.php
> 3c3
> < require('/usr/local/lib/php/contrib/phpESP/admin/phpESP.ini');
> ---
> > require("../admin/phpESP.ini");
>
> doesn't that seem better?

No it does not.

I have tried to make phpESP as secure as possible. I don't want phpESP to open up holes to your system, and you probably don't either. One of the best ways to protect php scripts is to place them in a location that is not accessible from the web. What I mean is, the main body of any complicated php script should be *outside* of your "htdocs" (or whatever) directory. That way you can ensure that entry into the script is through a limited number of points, and you only have to do security/sanity checks there.

For this reason, I suggest installing phpESP in /usr/local/lib/php/contrib/phpESP, which is most certainly outside of htdocs. Then you only copy the few known entry points (public/handler*, admin/manage.php) to some location in your htdocs. Because of this, it is impossible to use relative pathnames in the public/* and manage.php files.

Does everyone understand this? The naive user does this:

    cd /usr/local/www/htdocs
    tar -zxf ~/phpESP-1.4.tar.gz
    vi phpESP-1.4/admin/phpESP.ini
    mozilla http://mysite.com/phpESP-1.4/admin/manage.php

Wow, that was easy huh? But what about when someone notices they are using phpESP, looks at the source and says humm:

    mozilla http://mysite.com/phpESP-1.4/admin/phpESP.ini
    mysql -h mysite.com -u phpESP -p phpESP
    > DELETE FROM survey;
    > ...

Several people have unzipped their fly with phpESP.ini already. I've checked personally, every time someone asks a question and posts some URL to the list or to me with "phpESP/admin" in the URL I warn them they are exposing themselves. (Are you Randall? It sure looks like it to me: randall@web[/www/phpesp/public])

One step that has been mentioned is changing phpESP.ini to something .php so that if it is accessible via a URL it will get executed by PHP and be a harmless blank page. This is treating the *symptoms* not the *problem*. I don't want to promote bad security practices. I will not apply your patch, unless it addresses these issues.

Sorry to rant, but there seem to be very few PHP coders who jack about security.

-James
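As an added example (not code from phpESP, from the attached patch, or from anyone in this thread), here is the layout check James describes, written as a POSIX shell audit. It also answers the earlier question about .ini versus .php: served_as() shows that a config file under the docroot is returned verbatim unless PHP happens to execute it, while under_docroot() shows that installing the code outside htdocs makes that question moot. The host name mysite.com, the phpESP-1.4 directory name and the [mysql] keys written into the sample phpESP.ini are constructed for the demo; the real file's contents are not shown in the thread.

```shell
#!/bin/sh
# Added example: an audit for the install layout James describes above. It is
# not code from phpESP, from the attached patch, or from anyone in this thread.
# The rule it encodes: phpESP.ini holds the MySQL credentials, so it must not
# resolve to a path under the web document root; only the entry points
# (public/handler*, admin/manage.php) belong there. Constructed for the demo:
# the host name mysite.com, the phpESP-1.4 directory name, and the [mysql] keys
# written into the sample phpESP.ini (the real file's keys are not shown here).

# canon FILE: canonical absolute path of an existing file (no realpath needed).
canon() {
  [ -e "$1" ] || return 1
  ( cd "$(dirname "$1")" 2>/dev/null && printf '%s/%s\n' "$(pwd -P)" "$(basename "$1")" )
}

# under_docroot DOCROOT FILE: exit 0 if FILE resolves inside DOCROOT,
# i.e. a plain GET can reach it.
under_docroot() {
  root=$(cd "$1" 2>/dev/null && pwd -P) || return 1
  f=$(canon "$2") || return 1
  case "$f" in
    "$root"/*) return 0 ;;
    *)         return 1 ;;
  esac
}

# served_as FILE: what a mod_php web server does with a GET for a file under
# the docroot. *.php is executed (the "harmless blank page" from the thread);
# everything else, phpESP.ini included, is returned byte for byte.
served_as() {
  case "$1" in
    *.php) echo executed ;;
    *)     echo raw ;;
  esac
}

# audit DOCROOT INSTALL_DIR: report where admin/phpESP.ini ends up and what
# else sits in the docroot. Exit 1 when the config is fetchable over HTTP.
audit() {
  docroot=$1; ini=$2/admin/phpESP.ini; rc=0
  if under_docroot "$docroot" "$ini"; then
    top=$(cd "$docroot" && pwd -P); full=$(canon "$ini"); rel=${full#"$top"/}
    echo "EXPOSED: http://mysite.com/$rel would be served $(served_as "$ini")"
    rc=1
  else
    echo "ok: $ini is outside the document root"
  fi
  # The only *.php under the docroot should be the copied entry points ...
  find "$docroot" -type f -name '*.php' | sed 's/^/entry point: /'
  # ... and no non-PHP file there should carry a credential at all.
  find "$docroot" -type f ! -name '*.php' -exec grep -il password {} \; \
    | sed 's/^/credential file in docroot: /'
  return "$rc"
}

# make_sample_layout BASE: the two installs the thread contrasts, under BASE.
make_sample_layout() {
  base=$1
  # 1. Naive: tarball unpacked straight into htdocs, config and all.
  mkdir -p "$base/htdocs/phpESP-1.4/admin"
  printf '[mysql]\nhost=localhost\nuser=phpESP\npassword=s3cret\n' \
    > "$base/htdocs/phpESP-1.4/admin/phpESP.ini"
  : > "$base/htdocs/phpESP-1.4/admin/manage.php"
  # 2. Recommended: code and config outside htdocs, only manage.php copied in.
  mkdir -p "$base/usr/local/lib/php/contrib/phpESP/admin" "$base/htdocs/survey"
  printf '[mysql]\nhost=localhost\nuser=phpESP\npassword=s3cret\n' \
    > "$base/usr/local/lib/php/contrib/phpESP/admin/phpESP.ini"
  : > "$base/htdocs/survey/manage.php"
}

# Demo run (guarded so a failing audit does not abort the script under sh -e).
demo=$(mktemp -d)
make_sample_layout "$demo"
for install in "$demo/htdocs/phpESP-1.4" "$demo/usr/local/lib/php/contrib/phpESP"; do
  if audit "$demo/htdocs" "$install"; then echo "-> safe"; else echo "-> fix before going live"; fi
done
rm -rf "$demo"
```

Run it with a real docroot and install prefix (`audit /usr/local/www/htdocs /usr/local/lib/php/contrib/phpESP`) after unpacking; a non-zero exit means the credentials are one URL away. Renaming the file to .php would only flip the served_as() verdict, which is exactly the symptom-level fix the message above argues against.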