phplib-users Mailing List for PHPLIB (Page 8)
Brought to you by:
nhruby,
richardarcher
From: Frank B. <fb...@sy...> - 2004-11-04 21:38:48
I've been using phplib 7.4 for some time now. I recently upgraded PHP from 4.0.4 to 4.3.8 and now I get the following entries in my Apache log for every element in my forms:

[Thu Nov 4 16:30:39 2004] [error] PHP Notice: Undefined index: hidden in /var/www/php/class/phplib-7.4/oohforms.inc on line 252
[Thu Nov 4 16:30:39 2004] [error] PHP Notice: Undefined index: name in /var/www/php/class/phplib-7.4/oohforms.inc on line 71
[Thu Nov 4 16:30:39 2004] [error] PHP Notice: Undefined index: name in /var/www/php/class/phplib-7.4/oohforms.inc on line 74
[Thu Nov 4 16:30:39 2004] [error] PHP Notice: Undefined index: value in /var/www/php/class/phplib-7.4/oohforms.inc on line 71
[Thu Nov 4 16:30:39 2004] [error] PHP Notice: Undefined index: value in /var/www/php/class/phplib-7.4/oohforms.inc on line 74
[Thu Nov 4 16:30:39 2004] [error] PHP Notice: Undefined property: isfile in /var/www/php/class/phplib-7.4/oohforms.inc on line 268
From: Layne W. <la...@dr...> - 2004-10-18 02:33:58
Quoth Robert Van Overmeiren:
> I have a secure https site running on Java Tomcat and I want to be able
> to access an application built on PHP and PHPlib. I'm thinking I can
> have a link that submits a form with the username/password as hidden
> inputs. I've added the 'auth_preauth()' function (posted to phpbuilder
> in 2000) to my extension of the 'Auth' class:
...
> If I hard code in the username and password, I get authenticated and
> go straight in. If I use a GET request method in the form, I can get
> in, but then the password is in the URL. I can't get my form data
> into the variables via POST Method - which is what I want to use. The
> posting to phpbuilder doesn't say you need to do anything to get the
> data into variables.
...
> I can echo back form data ($_POST['username']) up to point of the
> 'release_token()' function. After that the data is gone and I can't get
> it back.

You are losing the POST when PHPLIB creates your session cookie. Cookies historically are (or were) not available on the page that created them, so the workaround was to create the cookie and instantly cause the browser to load the same page again through a header redirect. PHPLIB's Session class does not anticipate your problem of posting before the session has been created.

I see two options:

1. From your Java site, link to an invisible 1x1 gif from the PHPLIB site - this will create the session transparently, allowing the later POST to go through and authenticate within the PHPLIB session. This method will not work for users who turn off images and/or set their browser to only download images from the site they are visiting.

2. Rewrite the PHPLIB session creation routine to look for incoming POST on pages without a valid session. If POST is found, then instead of the header redirect create an HTML page with a form containing the POST data with <body onLoad="yourformname.submit();"> to complete the creation of the session cookie. This method will not work for non-JavaScript browsers, but should work in many situations.

3. Optionally, combine both methods to catch as many people as you can.

-- 
Layne Weathers
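Layne's option 2 in working form, added here as an example; it is not PHPLIB code and not something Layne posted. It assumes the session cookie header has already been sent for the current response, and the allow-list of field names, the form name and the `needs_repost()` helper are this example's own. The security-relevant detail is that every reflected field name and value is HTML-escaped, because the POST body is attacker-controlled input being written back into a page, and only known fields are carried across.

```php
<?php
// Added example (not PHPLIB code): instead of a 302 to self, emit an
// auto-submitting form carrying the incoming POST so that the browser
// re-POSTs once the freshly set session cookie is in place.

// Only these field names survive the round trip (assumed for this example).
$REPOST_ALLOWED = array('username', 'password', 'do_preauth');

function needs_repost($cookie_name)
{
    // A POST arriving with no session cookie is exactly the case that
    // PHPLIB's release_token() would otherwise answer with a redirect.
    return $_SERVER['REQUEST_METHOD'] === 'POST' && !isset($_COOKIE[$cookie_name]);
}

function build_repost_form(array $post, $action, array $allowed)
{
    $esc = function ($s) { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); };

    $html  = "<!DOCTYPE html>\n<html><head><title>Continuing...</title></head>\n";
    $html .= "<body onload=\"document.forms['repost'].submit();\">\n";
    $html .= '<form name="repost" method="post" action="' . $esc($action) . "\">\n";
    foreach ($allowed as $name) {
        if (!isset($post[$name]) || !is_string($post[$name])) {
            continue;                       // missing or array-valued: drop it
        }
        // Escape both the name and the value: the value is request data
        // being reflected into HTML and must not break out of the attribute.
        $html .= '<input type="hidden" name="' . $esc($name)
               . '" value="' . $esc($post[$name]) . "\">\n";
    }
    // Fallback for browsers without JavaScript (Layne's caveat above).
    $html .= "<noscript><input type=\"submit\" value=\"Continue\"></noscript>\n";
    $html .= "</form></body></html>\n";
    return $html;
}

// Usage from a Session::release_token()-style hook (cookie name assumed):
if (needs_repost('PHPLIB_SID')) {
    header('Cache-Control: no-store');      // the page carries a password
    echo build_repost_form($_POST, $_SERVER['REQUEST_URI'], $REPOST_ALLOWED);
    exit;
}
```

Because the page embeds the user's password, it must only ever be served over HTTPS and with caching disabled, as the usage block does; the hidden-field approach is otherwise the same trade-off Layne describes.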
From: Nathaniel P. <np...@te...> - 2004-10-13 22:51:40
Robert Van Overmeiren wrote:
> My (PHP 4.3.3) setup has register_globals = On.
>
> My form does have a 'do_preauth' input (with value set to 'do_preauth'),
> but I can't echo that value from within 'auth_preauth()' either.
>
> I did try to pull the form data directly from the $_POST array:
>
>     $do_preauth = $_POST['do_preauth'];
>     $username = $_POST['username'];
>     $password = $_POST['password'];
>
> ...but there's nothing there.
>
> If I change the form to method="GET", and use:
>
>     $do_preauth = $_GET['do_preauth'];
>     $username = $_GET['username'];
>     $password = $_GET['password'];
>
> ...auth_preauth() works, but then I wind up with passwords in the
> location field.

Makes sense, since even if it redirects, it will append the session id to the existing query string.

> The test form is nothing special:
>
>     <form action="https://secure.uniteddrugs.com/members/index.html"
>           enctype="multipart/form-data" method="POST">
>       <input type="text" name="username" size="12">
>       <input type="password" name="password" size="12">
>       <input type="hidden" name="do_preauth" value="do_preauth">
>       <input type="submit" value="submit" name="submit" value="Login">
>     </form>
>
> In practice, the inputs would be the hidden type (values populated from
> the Tomcat JDBCRealm), and a link would execute a javascript function to
> submit the form.
>
> My setup uses prepend.php3, so I guess that means I'm using
> PHP3-compatible sessions.

You might try switching to using prepend.php if you can (you'll need to port any modifications made to local.inc over to local4.inc). It might help clear up the problem, though I can't say for sure. I'd do this as more of a last resort, if the other things I mention below don't work for you.

> In 'release_token()', I noticed the code that redirects to itself and
> appends the session ID. It's right around there that I lose the form
> data. I also noticed that if I echo '$_SERVER['REQUEST_METHOD']', it's
> always 'GET' - even if my form does a 'POST'. Your info got me thinking
> so I tested and the method comes back as 'POST' both before and after
> the redirect - so I still don't know where and why that gets flipped
> around, but by the time I echo it back in 'auth_preauth()', the request
> method is 'GET'.

If you can narrow it down to a specific line in session.inc where POST becomes GET, that would be helpful... You might also try physically commenting out the whole block in release_token() starting with 'if ($this->mode == "get")'

> I noticed 'variables_order' in php.ini (Newer overwrite older). Maybe
> when the process flips from POST to GET, they get overwritten?

I'd assume that $_POST just doesn't get populated when it switches from POST to GET. After all, if the request is a 'GET', then there shouldn't be any posted data to worry about, so PHP would ignore it. If you can run something to sniff the headers being sent back and forth between the client and the server, it might help shed some light on what's going on. I personally use the Proxomitron for sniffing headers (among other things): http://www.proxomitron.info

> The session mode is already set to 'cookie'.
> There was nothing for fallback mode, but I set it '= false', just to try
> - no improvement.
> I noticed the loop that does the redirect seems to be for primary mode
> 'GET', so I don't see why the block executes at all.

Make sure you are setting the mode in the subclass of Session that is in local.inc and /not/ in session.inc. The values in local.inc will override the ones in session.inc. If I remember correctly, PHPlib is packaged with Example_Session's mode set to 'cookie' with the fallback mode set to 'get'.

> Tomcat/JSP and apache/PHP are on the same server, domain, and protocol -
> just different ports, so I guess having Tomcat set a PHP-like cookie is
> a possibility. This would be a browser memory cookie and not the kind
> stored in a text file, wouldn't it?

Either one should work, but session cookies (those stored in memory) are probably all you need. I'm not sure if differing ports would cause a problem with cookies or not.

> The info is helpful, but I still don't see why the POST data isn't
> there.
>
> -----Original Message-----
> From: Nathaniel Price [mailto:np...@te...]
> Sent: Wednesday, October 13, 2004 1:45 PM
> To: Robert Van Overmeiren; php...@li...
> Subject: Re: [Phplib-users] Form POST data not making it into
> auth_preauth()
>
> Robert Van Overmeiren wrote:
>
>> Hello,
>>
>> I have a secure https site running on Java Tomcat and I want to be able
>> to access an application built on PHP and PHPlib. I'm thinking I can
>> have a link that submits a form with the username/password as hidden
>> inputs. I've added the 'auth_preauth()' function (posted to phpbuilder
>> in 2000) to my extension of the 'Auth' class:
>>
>> function auth_preauth() {
>>   global $do_preauth, $username, $password;
>>   $uid = false;
>>   if (isset($do_preauth)) {
>>     $this->db->query(sprintf("select user_id, perms ".
>>                              " from %s ".
>>                              " where username = '%s' ".
>>                              " and password = '%s'",
>>                              $this->database_table,
>>                              addslashes($username),
>>                              addslashes($password)));
>>     while($this->db->next_record()) {
>>       $uid = $this->db->f("user_id");
>>       $this->auth["perm"] = $this->db->f("perms");
>>       $this->auth["uname"] = $username;
>>     }
>>   }
>>   return $uid;
>> }
>>
>> The function is very similar to the 'auth_validatelogin()' function,
>> but is called earlier in the whole process - before 'auth_loginform()'.
>> It is supposed to allow someone to use their own login form, and to
>> bypass the default form.
>>
>> If I hard code in the username and password, I get authenticated and
>> go straight in. If I use a GET request method in the form, I can get
>> in, but then the password is in the URL.
>> I can't get my form data into the variables via POST Method - which is
>> what I want to use.
>> The posting to phpbuilder doesn't say you need to do anything to get
>> the data into variables.
>
> Well, looking at your code, my guess would be that register_globals are
> off in your setup, and that instead of auth_preauth() getting your form
> data from $_POST like it should, it is trying to get it from the global
> variable space. PHPlib was originally coded around the assumption that
> register_globals was on; it's only relatively recently (around 2003, I
> think?) that the register_globals issue was fixed to work whether or not
> PHP ran with register_globals off.
>
> I'd suggest replacing this line:
>
>     global $do_preauth, $username, $password;
>
> with something that looks like this:
>
>     //In addition to supplying a username and password, the form must have
>     //an element named 'do_preauth' which is set to something that evaluates
>     //to TRUE in PHP, in order for the preauth function to work.
>     $do_preauth = $_POST['do_preauth'];
>     $username = $_POST['username'];
>     $password = $_POST['password'];
>
> However, I can't be sure that this is the problem... It might be helpful
> if you post some sample code of the form you're submitting from as well
> as a stripped down version of the code you are using on your page. If
> you have customized other parts of PHPlib (aside from setting the
> database parameters), that might be useful to know as well. Also, are
> you using PHP3 or PHP4 sessions (i.e. are you using prepend.php or
> prepend.php3 to include PHPlib)? From your quoted start() code below, it
> seems like you're using PHPlib's PHP3-compatible sessions.
>
> Finally, one thing that has helped me understand PHPlib's auth system
> much better is this explanation here:
> http://www.drostan.org/Application/webdev/uod/auth_phplib.php
>
> At its core, the auth_preauth function is nothing special... all it
> needs to do to do its job is somehow return a PHPlib userid instead of
> false.
>
>> I've been dissecting the phplib files and find that 'page_open()' calls
>> a 'start()' function from the 'Session' class, then a 'start()' function
>> from the 'Auth' class (and another from the 'User' class). The Session
>> 'start()' function makes a series of function calls itself:
>>
>> function start($sid = "") {
>>   $this->set_container();
>>   $this->set_tokenname();
>>   $this->put_headers();
>>   $this->release_token($sid);
>>   $this->get_id($sid);
>>   $this->thaw();
>>   $this->gc();
>> }
>>
>> I can echo back form data ($_POST['username']) up to point of the
>> 'release_token()' function. After that the data is gone and I can't get
>> it back.
>
> release_token() includes code that will cause a redirect (specifically,
> it sends a 302: Moved Temporarily header and redirects to itself,
> appending a session id to the URL) if $sess->mode is set to 'get' or
> $sess->fallback_mode is set to 'get' and it doesn't detect that a
> session cookie is set. Since the script tries to detect the cookie
> before it gets set (that occurs in get_id()) when you first enter a page
> without an existing session cookie set on your browser, it will /always/
> redirect, even if your browser supports cookies. This is probably what
> is causing you to lose your $_POST data.
>
> You can work around this by setting $sess->mode to 'cookie' and
> $sess->fallback_mode to null or false, as this will keep the code from
> triggering a redirect. Unless you have a very good reason for supporting
> browsers where the user has turned cookies off (or even more rarely, one
> that doesn't support cookies), this should be an adequate solution.
>
> There may be a better solution that will support 'get' mode, but I can't
> think of one off the top of my head. You'd have to store your post data
> in the session somewhere after the call to get_id() in release_token()
> or something, and then have some corresponding mechanism for digging it
> back out again. If you can switch to using PHP4-style sessions for
> PHPlib, you might be able to do that more easily, as you could then
> store the $_POST data in a PHP4 session natively, bypassing most of
> PHPlib's session handling.
>
>> What do I have to do to get the form data into the 'auth_preauth()'
>> function?
>>
>> Of course, if you can suggest other ways to pass credentials between
>> Tomcat container managed security and phplib, I'd be interested.
>
> The main problem is that it depends on credentials set at the client
> end. So, basically, unless your Tomcat app can set a cookie that can
> later be read by PHP and both your Tomcat app and PHP app are accessed
> through the same domain name and protocol (i.e. both are accessed
> through HTTPS), you're out of luck. PHP would also need to have access
> to the same data store that you use to keep track of the session in
> Tomcat.

-- 
___________________________
Nathaniel Price
http://www.tesserportal.net
Webmaster
From: Nathaniel P. <np...@te...> - 2004-10-13 20:45:46
Robert Van Overmeiren wrote:
> Hello,
>
> I have a secure https site running on Java Tomcat and I want to be able
> to access an application built on PHP and PHPlib. I'm thinking I can
> have a link that submits a form with the username/password as hidden
> inputs. I've added the 'auth_preauth()' function (posted to phpbuilder
> in 2000) to my extension of the 'Auth' class:
>
> function auth_preauth() {
>   global $do_preauth, $username, $password;
>   $uid = false;
>   if (isset($do_preauth)) {
>     $this->db->query(sprintf("select user_id, perms ".
>                              " from %s ".
>                              " where username = '%s' ".
>                              " and password = '%s'",
>                              $this->database_table,
>                              addslashes($username),
>                              addslashes($password)));
>     while($this->db->next_record()) {
>       $uid = $this->db->f("user_id");
>       $this->auth["perm"] = $this->db->f("perms");
>       $this->auth["uname"] = $username;
>     }
>   }
>   return $uid;
> }
>
> The function is very similar to the 'auth_validatelogin()' function, but
> is called earlier in the whole process - before 'auth_loginform()'. It
> is supposed to allow someone to use their own login form, and to bypass
> the default form.
>
> If I hard code in the username and password, I get authenticated and go
> straight in.
> If I use a GET request method in the form, I can get in, but then the
> password is in the URL.
> I can't get my form data into the variables via POST Method - which is
> what I want to use.
> The posting to phpbuilder doesn't say you need to do anything to get the
> data into variables.

Well, looking at your code, my guess would be that register_globals are off in your setup, and that instead of auth_preauth() getting your form data from $_POST like it should, it is trying to get it from the global variable space. PHPlib was originally coded around the assumption that register_globals was on; it's only relatively recently (around 2003, I think?) that the register_globals issue was fixed to work whether or not PHP ran with register_globals off.

I'd suggest replacing this line:

    global $do_preauth, $username, $password;

with something that looks like this:

    //In addition to supplying a username and password, the form must have an element
    //named 'do_preauth' which is set to something that evaluates to TRUE in PHP, in order
    //for the preauth function to work.
    $do_preauth = $_POST['do_preauth'];
    $username = $_POST['username'];
    $password = $_POST['password'];

However, I can't be sure that this is the problem... It might be helpful if you post some sample code of the form you're submitting from as well as a stripped down version of the code you are using on your page. If you have customized other parts of PHPlib (aside from setting the database parameters), that might be useful to know as well. Also, are you using PHP3 or PHP4 sessions (i.e. are you using prepend.php or prepend.php3 to include PHPlib)? From your quoted start() code below, it seems like you're using PHPlib's PHP3-compatible sessions.

Finally, one thing that has helped me understand PHPlib's auth system much better is this explanation here: http://www.drostan.org/Application/webdev/uod/auth_phplib.php

At its core, the auth_preauth function is nothing special... all it needs to do to do its job is somehow return a PHPlib userid instead of false.

> I've been dissecting the phplib files and find that 'page_open()' calls
> a 'start()' function from the 'Session' class, then a 'start()' function
> from the 'Auth' class (and another from the 'User' class). The Session
> 'start()' function makes a series of function calls itself:
>
> function start($sid = "") {
>   $this->set_container();
>   $this->set_tokenname();
>   $this->put_headers();
>   $this->release_token($sid);
>   $this->get_id($sid);
>   $this->thaw();
>   $this->gc();
> }
>
> I can echo back form data ($_POST['username']) up to point of the
> 'release_token()' function. After that the data is gone and I can't get
> it back.

release_token() includes code that will cause a redirect (specifically, it sends a 302: Moved Temporarily header and redirects to itself, appending a session id to the URL) if $sess->mode is set to 'get' or $sess->fallback_mode is set to 'get' and it doesn't detect that a session cookie is set. Since the script tries to detect the cookie before it gets set (that occurs in get_id()) when you first enter a page without an existing session cookie set on your browser, it will /always/ redirect, even if your browser supports cookies. This is probably what is causing you to lose your $_POST data.

You can work around this by setting $sess->mode to 'cookie' and $sess->fallback_mode to null or false, as this will keep the code from triggering a redirect. Unless you have a very good reason for supporting browsers where the user has turned cookies off (or even more rarely, one that doesn't support cookies), this should be an adequate solution.

There may be a better solution that will support 'get' mode, but I can't think of one off the top of my head. You'd have to store your post data in the session somewhere after the call to get_id() in release_token() or something, and then have some corresponding mechanism for digging it back out again. If you can switch to using PHP4-style sessions for PHPlib, you might be able to do that more easily, as you could then store the $_POST data in a PHP4 session natively, bypassing most of PHPlib's session handling.

> What do I have to do to get the form data into the 'auth_preauth()'
> function?
>
> Of course, if you can suggest other ways to pass credentials between
> Tomcat container managed security and phplib, I'd be interested.

The main problem is that it depends on credentials set at the client end. So, basically, unless your Tomcat app can set a cookie that can later be read by PHP and both your Tomcat app and PHP app are accessed through the same domain name and protocol (i.e. both are accessed through HTTPS), you're out of luck. PHP would also need to have access to the same data store that you use to keep track of the session in Tomcat.

Hope that helps.

-- 
___________________________
Nathaniel Price
http://www.tesserportal.net
Webmaster
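Nathaniel's "store your post data in the session somewhere ... and then have some corresponding mechanism for digging it back out again", carried through with PHP4-style native sessions as an added example (not PHPLIB code and not something Nathaniel posted). It stashes the POST before the self-redirect and restores it exactly once on the following GET; the key name, the time-to-live and the path check are this example's assumptions. The path check and the one-shot unset are what stop a stale or replayed stash from being injected into a different page later in the session.

```php
<?php
// Added example (not PHPLIB code): server-side stash-and-replay of a POST
// across the session-creating redirect, using PHP's native session.

define('STASH_KEY', '_pending_post');   // name assumed for this example
define('STASH_TTL', 60);                // seconds the stash stays valid

function stash_post_and_redirect(array $post, $location)
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION[STASH_KEY] = array(
        'data'    => $post,
        'expires' => time() + STASH_TTL,
        // Bind the stash to the page it was posted to, so it cannot be
        // replayed into some other script later in the same session.
        'path'    => parse_url($location, PHP_URL_PATH),
    );
    // Note: the plaintext credentials now rest in the session store for
    // the duration of the redirect; keep that store local and protected.
    session_write_close();                  // flush before the 302 goes out
    header('Location: ' . $location, true, 302);
    exit;
}

function restore_stashed_post()
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if ($_SERVER['REQUEST_METHOD'] !== 'GET' || !isset($_SESSION[STASH_KEY])) {
        return false;
    }
    $stash = $_SESSION[STASH_KEY];
    unset($_SESSION[STASH_KEY]);            // one-time use, whatever happens next

    $here = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
    if ($stash['expires'] < time() || $stash['path'] !== $here) {
        return false;                       // stale, or aimed at another page
    }
    // Make the request look like the original POST to everything downstream,
    // including an auth_preauth() that reads $_POST.
    $_POST = $stash['data'];
    $_SERVER['REQUEST_METHOD'] = 'POST';
    return true;
}

// Usage at the top of the page, before page_open()-style setup:
// if ($_SERVER['REQUEST_METHOD'] === 'POST' && !isset($_COOKIE[session_name()])) {
//     stash_post_and_redirect($_POST, $_SERVER['REQUEST_URI']);
// }
// restore_stashed_post();
```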
From: Robert V. O. <van...@un...> - 2004-10-13 19:38:32
Hello,

I have a secure https site running on Java Tomcat and I want to be able to access an application built on PHP and PHPlib. I'm thinking I can have a link that submits a form with the username/password as hidden inputs. I've added the 'auth_preauth()' function (posted to phpbuilder in 2000) to my extension of the 'Auth' class:

    function auth_preauth() {
      global $do_preauth, $username, $password;
      $uid = false;
      if (isset($do_preauth)) {
        $this->db->query(sprintf("select user_id, perms ".
                                 " from %s ".
                                 " where username = '%s' ".
                                 " and password = '%s'",
                                 $this->database_table,
                                 addslashes($username),
                                 addslashes($password)));
        while($this->db->next_record()) {
          $uid = $this->db->f("user_id");
          $this->auth["perm"] = $this->db->f("perms");
          $this->auth["uname"] = $username;
        }
      }
      return $uid;
    }

The function is very similar to the 'auth_validatelogin()' function, but is called earlier in the whole process - before 'auth_loginform()'. It is supposed to allow someone to use their own login form, and to bypass the default form.

If I hard code in the username and password, I get authenticated and go straight in.
If I use a GET request method in the form, I can get in, but then the password is in the URL.
I can't get my form data into the variables via POST Method - which is what I want to use.
The posting to phpbuilder doesn't say you need to do anything to get the data into variables.

I've been dissecting the phplib files and find that 'page_open()' calls a 'start()' function from the 'Session' class, then a 'start()' function from the 'Auth' class (and another from the 'User' class). The Session 'start()' function makes a series of function calls itself:

    function start($sid = "") {
      $this->set_container();
      $this->set_tokenname();
      $this->put_headers();
      $this->release_token($sid);
      $this->get_id($sid);
      $this->thaw();
      $this->gc();
    }

I can echo back form data ($_POST['username']) up to point of the 'release_token()' function. After that the data is gone and I can't get it back.

What do I have to do to get the form data into the 'auth_preauth()' function?

Of course, if you can suggest other ways to pass credentials between Tomcat container managed security and phplib, I'd be interested.

Thx,
Bob Van
From: Joe S. <jo...@be...> - 2004-10-07 13:16:57
On Thu, Oct 07, 2004 at 02:01:39PM +0200, Alexander Meis wrote:
> Hi...
>
> is the phplib running with php5?

I've been doing development using php5 and phplib. Most of the time without having compatibility mode on just fine. Nothing in production yet though.

Joe

> Thanks
>
> Alex
From: Alexander M. <am...@si...> - 2004-10-07 12:01:32
Hi...

is the phplib running with php5?

Thanks

Alex
From: Clark F. <cl...@th...> - 2004-09-22 15:20:23
Hi Alex,

My guess is that modifying the session_id() methods in session4.inc isn't helping because the session id is determined by PHP's built-in session handling. I would take a look at http://us4.php.net/manual/en/ref.session.php which lists all the session settings and functions--maybe you could set the session.name to be different for the different machines, or use a different entropy source or a different hash algorithm. There's also the uniqid function which you might be able to use in some way.

Hope that helps.

Clark

On Tue, 21 Sep 2004, Alexander Meis wrote:
> Hi....
>
> i have 2 webservers running with a cookie based load balancer in front.
> the session of each server is saved in their file systems. if one of the
> servers goes down i have the problem that some sessions are overlapping
> and in this way the security is poor.
> a way to fix this is the session on nfs or in the db but it generates up
> to 30 mbits of network load.
> my idea at this point is to set a prefix to every session id. the prefix
> should be special to every server. example server1adbassdfas vs.
> server2abfadfasdn as session ids.
>
> i tried to modify the session_id() commands in session4.inc but the
> session id is always generated by php with no prefix even if i comment
> the lines out.
>
> can someone tell me how to set a session id with prefix for every server?
> the setting can also be done in the php.ini
> it does not have to be in the phplib.
>
> Thanks for helping.
>
> Greetings
>
> Alex
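Alex's per-server prefix, done where Clark points (PHP's built-in session handling rather than session4.inc), as an added example that is not PHPLIB code and not what Clark or Alex posted. It uses a save handler whose `create_sid()` PHP calls every time it mints an id, so session_start(), session_regenerate_id() and strict-mode regeneration all produce prefixed ids; a cookie carrying another server's id is dropped before session_start() so PHP never adopts a client-supplied name. It assumes PHP 7+ (random_bytes, return types) and the prefix coming from an environment variable; the class and function names are this example's own.

```php
<?php
// Added example (not PHPLIB code): host-specific session id prefix via a
// native session save handler, so ids from two servers cannot collide or
// be confused with each other after a failover.

class PrefixedSessionHandler extends SessionHandler
{
    private $prefix;

    public function __construct($prefix)
    {
        $this->prefix = $prefix;
    }

    // PHP calls this whenever it needs a fresh id: session_start() with
    // no usable cookie, session_regenerate_id(), and strict-mode rejection
    // of an unknown id. 128 bits of CSPRNG output behind the prefix.
    public function create_sid(): string
    {
        return $this->prefix . bin2hex(random_bytes(16));
    }

    // True only for ids in exactly the format this host produces.
    public function isLocalId($id)
    {
        return is_string($id)
            && preg_match('/^' . preg_quote($this->prefix, '/') . '[0-9a-f]{32}$/', $id) === 1;
    }
}

function start_prefixed_session($prefix)
{
    $handler = new PrefixedSessionHandler($prefix);
    session_set_save_handler($handler, true);

    // PHP reads the incoming id from $_COOKIE. A foreign or malformed id
    // is removed here, so session_start() mints a new prefixed id instead
    // of creating a session under a name the client chose (fixation).
    $name = session_name();
    if (isset($_COOKIE[$name]) && !$handler->isLocalId($_COOKIE[$name])) {
        unset($_COOKIE[$name]);
    }
    return session_start();
}

// Usage (prefix from the environment, e.g. SESSION_PREFIX=server1; the
// variable name is assumed for this example):
start_prefixed_session(getenv('SESSION_PREFIX') ?: 'server1');
// After a successful login, session_regenerate_id(true) still yields a
// prefixed id, because it goes through create_sid() above.
```

The prefix only stops the two servers from stepping on each other's ids; it does not replicate sessions, so a user who is failed over still has to log in again on the other node. That is the same trade-off Alex describes against the NFS or database store.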
From: Frank B. <fb...@sy...> - 2004-09-21 15:35:14
At 04:54 PM 9/20/04, Mike Green wrote:
> I have a site which I set up over four years ago using PHPLib's Object
> Oriented Forms (OOForms). I have updated the PHPLib files which this site
> uses since then, but I haven't changed the code which uses the OOForms,
> including the regexes they use. Perhaps should have, but have not.
>
> Many, many folk have used the forms on this site for subscriptions during
> the time they have been in place. Yesterday, however, a user returned to
> renew his subscription and received an error message from OOForms saying
> that he had entered an invalid email address. It is, however, the same
> email address he used when he subscribed a year earlier, saved in our
> database and placed in the form for him to confirm. It was accepted by
> OOForms and the regex it uses when he originally subscribed. And when I
> tested today, with my browser (Opera) and OS (Linux), OOForms had no
> objections to his email address.
>
> It would seem, therefore, that the problem could be with some way that the
> browser he is now using handles the data in the form. He reports that he
> is using MS Internet Explorer v.6.0.2800 on MS XP Professional. Are any of
> you aware of something new in an IE "fix" which could cause such a result?

You didn't provide either the regex or sample data. Also, 6.0.2800 is an incomplete version number for IE. I have access to IE 6.0.2800.1106.xpsp2.030422.1633 on XP Pro, but do not know what you want tested.
From: Alexander M. <am...@si...> - 2004-09-21 14:59:34
Hi....

i have 2 webservers running with a cookie based load balancer in front. the session of each server is saved in their file systems. if one of the servers goes down i have the problem that some sessions are overlapping and in this way the security is poor.
a way to fix this is the session on nfs or in the db but it generates up to 30 mbits of network load.
my idea at this point is to set a prefix to every session id. the prefix should be special to every server. example server1adbassdfas vs. server2abfadfasdn as session ids.

i tried to modify the session_id() commands in session4.inc but the session id is always generated by php with no prefix even if i comment the lines out.

can someone tell me how to set a session id with prefix for every server? the setting can also be done in the php.ini, it does not have to be in the phplib.

Thanks for helping.

Greetings

Alex
From: Mike G. <mik...@sa...> - 2004-09-20 20:54:37
Hi!

I have a site which I set up over four years ago using PHPLib's Object Oriented Forms (OOForms). I have updated the PHPLib files which this site uses since then, but I haven't changed the code which uses the OOForms, including the regexes they use. Perhaps should have, but have not.

Many, many folk have used the forms on this site for subscriptions during the time they have been in place. Yesterday, however, a user returned to renew his subscription and received an error message from OOForms saying that he had entered an invalid email address. It is, however, the same email address he used when he subscribed a year earlier, saved in our database and placed in the form for him to confirm. It was accepted by OOForms and the regex it uses when he originally subscribed. And when I tested today, with my browser (Opera) and OS (Linux), OOForms had no objections to his email address.

It would seem, therefore, that the problem could be with some way that the browser he is now using handles the data in the form. He reports that he is using MS Internet Explorer v.6.0.2800 on MS XP Professional. Are any of you aware of something new in an IE "fix" which could cause such a result?

TIA!

Cheers!
Mike Green
From: Nathaniel P. <np...@te...> - 2004-09-16 00:09:19
Shiloh Madsen wrote:
> Ok, I'm going slightly mad here. I'm about as green as you can be with
> linux (running fedora 2 if it matters) and I spent the majority of the
> day trying to install phplib. I thought it was working as I tried that
> snippet of code:
>
>     <?php
>     $db = new DB_Example;
>     print "It works without error messages.<br>\n";
>     ?>
>
> and it returned the line that it was supposed to.
>
> Now I've been working with Wiley's Secure PHP Development and it makes
> heavy use of templates. I cannot for the life of me figure out what I'm
> doing wrong here. As far as I can tell the template functionality
> seems to not be working. I went back to basics and input the phplib
> code snippet for templates:
>
>     <?php
>     $t = new Template;
>
>     $t->set_var("a", "defined as hugo");
>     $t->set_var("b", "the value of a is {a}");
>
>     print $t->subst("b");
>     ?>
>
> but this bit of code simply brought up a blank screen for me. Given
> that the db code worked without having to specify any certain include
> I would think that should mean I should have full access to the phplib
> functionality. Is there some further configuration that I have to do
> to get all this up and running?

Most likely. The PHPlib Template library is not part of the core PHPlib functionality, so it must be included. If you use it extensively, you'll want to put a line like this in your prepend.php file:

    require($_PHPLIB["libdir"] . "template.inc");

If you don't use it so often, you can also include template.inc manually on the pages that require it.

Hope that helps.

Incidentally, I'd think you'd get errors on the second test... What error reporting level do you have PHP configured at?

-- 
___________________________
Nathaniel Price
http://www.tesserportal.net
Webmaster
From: Shiloh M. <shi...@ns...> - 2004-09-15 23:55:10
Ok, I'm going slightly mad here. I'm about as green as you can be with linux (running fedora 2 if it matters) and I spent the majority of the day trying to install phplib. I thought it was working as I tried that snippet of code:

    <?php
    $db = new DB_Example;
    print "It works without error messages.<br>\n";
    ?>

and it returned the line that it was supposed to.

Now I've been working with Wiley's Secure PHP Development and it makes heavy use of templates. I cannot for the life of me figure out what I'm doing wrong here. As far as I can tell the template functionality seems to not be working. I went back to basics and input the phplib code snippet for templates:

    <?php
    $t = new Template;

    $t->set_var("a", "defined as hugo");
    $t->set_var("b", "the value of a is {a}");

    print $t->subst("b");
    ?>

but this bit of code simply brought up a blank screen for me. Given that the db code worked without having to specify any certain include I would think that should mean I should have full access to the phplib functionality. Is there some further configuration that I have to do to get all this up and running?

Shiloh
From: Layne W. <la...@dr...> - 2004-09-03 17:43:35
Quoth Frank Bax:
> I just installed some PEAR components and noticed that _prepend was
> created in /var/www/pear/lib - a directory that also happens to be
> in php.ini. I can think of a couple of ways to resolve having two
> _prepend.php files (one for pear, one for phplib), but I'm wondering
> what might be a recommended way to resolve this?

Quite easy - don't use auto-prepend.

I have found it very advantageous to have customizable prepends. I don't always want to be bound by my default prepend environment on every script (sometimes I don't want or need any prepend at all) and I've never understood why people would want a prepend file that is used for multiple projects - at that level it can't do much and so I'd still need a manually prepended file for my project-specific setup.

In a similar vein, I don't use the include_path. I know exactly which library file I want to include - making the server find all of the files I need at run time hundreds of thousands of times each day is inefficient. Because I am a lazy programmer and don't want to type paths, and because having absolute paths in code is bad for portability between workstation/test server/production servers, I set constants in my prepend that contain the full path to each library. For instance,

    define("I", "/var/www/project_z/includes/");
    define("PL", "/var/www/php-lib-stable/php/");
    ...
    include_once I."some.inc";
    include_once PL."template.inc";

Ok, I'm climbing down off my soapbox now.

--
Layne Weathers
From: Frank B. <fb...@sy...> - 2004-09-03 17:13:12
I just installed some PEAR components and noticed that _prepend was created in /var/www/pear/lib - a directory that also happens to be in php.ini. I can think of a couple of ways to resolve having two _prepend.php files (one for pear, one for phplib), but I'm wondering what might be a recommended way to resolve this?
From: Nathaniel P. <np...@te...> - 2004-07-05 15:13:01
Herouth Maoz wrote:
> I have a captcha system, wherein a php-generated image generates a number and
> displays it, and the user has to respond with the same number.
>
> If he does, a sensitive operation is performed, which we want to avoid being
> performed several times in a row.
>
> We find that if the user clicks the submit button on the form several times in
> a row, it creates several connections, all of which check the number and do
> the operation. Since the page does not reload between these submissions, the
> number does not get replaced.
>
> I thought I'd unregister the number directly after I verify that it's the
> right one, so that the next connection made will not reach the sensitive
> part, because its comparison will fail.
>
> However, since the data is only saved in the session at the end, when I do the
> page_close(), this is not working. I'd like to be able to control when the
> session is saved, so that only the first connection will be able to access
> that number.
>
> Any ideas?

If you are using PHP3-style sessions with PHPlib you might try putting the page_close() directly after unregistering the session variable. That will save the session almost immediately after the operation is performed, which may reduce, but won't necessarily prevent, what you describe. If you need to manipulate the session after the page_close() you're probably out of luck, though. I'm not sure that you can do two page_open() and page_close() calls on a page.

However, this would probably not work with PHP4 sessions, since those are saved at the end of page execution unless the php function session_write_close() is called.

Personally, I wouldn't recommend this approach. Another, more foolproof method would be to create a "lockfile" - basically just a dummy file. You'd check for that file when the script runs, and if it isn't there yet, create it, then do your stuff. Other instances of the script will see this lockfile, and can exit out, so they don't get executed. Then, once the original script has processed, have it delete the lockfile.

Note that with this approach you can use whatever you want that will be visible to other instances of the script to do the locking: a file, a record in a database table, shared memory... whatever works best for your situation.

A couple of caveats with the lockfile approach: if the user presses the stop button in the browser PHP may (depending on how it's configured) stop execution of the script, leaving the lockfile there unless something is put into place to clean up old lockfiles. (I can't find the configuration directive on PHP.net though... perhaps someone knows what I'm talking about?) Also, if the user hits reload or the submit button again, their browser will be expecting output from one of these other instances instead of the original one, so you'll want to display an error message of some sort with a link that will go to wherever they were supposed to have gone. To help avoid problems you may want to include instructions that they should click submit only once, but of course you won't want to rely on that alone.

Hope that helps...

--
___________________________
Nathaniel Price
http://www.tesserportal.net
Webmaster
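The lockfile approach from the reply above, written out as an added example (it is not Nathaniel's or PHPlib's code). Two details matter for it to actually close the race the thread describes: the lock is created with `fopen()` mode `'x'`, which maps to O_CREAT|O_EXCL, so creating the file is itself the atomic "check and claim" (a `file_exists()` test followed by a separate create would reopen the same window), and the lock is keyed on the session id plus the captcha number and deliberately left in place on success, because a request that loaded the session before `page_close()` saved it still carries the old number. The directive Nathaniel could not find is `ignore_user_abort`. Assumed names: `$sess` is the PHPlib session object with its `id` property, `$captcha_number` is the session-registered number, `do_sensitive_operation()` returns true on success, and `result.php` is the page to send a repeated click to.

```php
<?php
// Added example, not Nathaniel's or PHPlib's code. Runs the sensitive
// operation at most once per issued captcha number even when the browser
// sends the same form several times at once. The lock is a file created with
// fopen() mode 'x' (O_CREAT|O_EXCL): creation is the atomic "check and claim",
// whereas file_exists() followed by a separate create would reopen the race.
// Assumptions: page_open() has run, $sess is the PHPlib session object with
// its $sess->id, $captcha_number is the session-registered number, and
// do_sensitive_operation() returns true on success.

define('LOCK_DIR', '/tmp');            // assumed writable by the web server user
define('LOCK_STALE_SECONDS', 300);     // far longer than the operation can take

function lock_path($key) {
    // Hash the key so the session id never appears in a file name.
    return LOCK_DIR . '/captcha-op-' . sha1($key) . '.lock';
}

function acquire_once_lock($key) {
    $path = lock_path($key);
    // A lock left behind by an aborted request (stop button, crash) would block
    // the user for ever; treat one older than LOCK_STALE_SECONDS as abandoned.
    if (file_exists($path) && (time() - (int) @filemtime($path)) > LOCK_STALE_SECONDS) {
        @unlink($path);
    }
    $fh = @fopen($path, 'x');   // fails, without truncating, if the file exists
    if ($fh === false) {
        return false;           // another instance already claimed this key
    }
    fwrite($fh, getmypid() . ' ' . time());
    fclose($fh);
    return true;
}

function release_once_lock($key) {
    @unlink(lock_path($key));
}

// Keep executing after the browser disconnects (stop button), so the request
// either finishes or releases its lock: this is the ignore_user_abort setting.
ignore_user_abort(true);

$answer = isset($_POST['answer']) ? (string) $_POST['answer'] : '';

if ($answer === '' || $answer !== (string) $captcha_number) {
    echo "Wrong number.";
} else {
    // Key on session id + number: a fresh captcha gets a fresh lock. The lock
    // is left in place on success, since a request that loaded the session
    // before page_close() saved it still carries the old number; the surviving
    // lock, not the session, is what stops it. Stale cleanup removes it later.
    $key = $sess->id . ':' . $captcha_number;
    if (!acquire_once_lock($key)) {
        // A second click arrived while (or after) the first request ran.
        echo 'Your request has already been processed. ',
             '<a href="result.php">Continue</a>';     // result.php is assumed
    } elseif (do_sensitive_operation()) {
        $sess->unregister('captcha_number');  // PHPlib: drop the number from the session
        page_close();                         // save the session now, as suggested above
    } else {
        release_once_lock($key);              // operation failed: allow a retry
        echo "The operation could not be completed; please try again.";
    }
}
```

The stale-lock cleanup is best effort: if two requests both decide a lock is stale, the second `unlink()` can remove a lock the first has just created, so keep `LOCK_STALE_SECONDS` far above the longest the operation can take. Nathaniel's other suggestion, a database row, gives the same guarantee when the key column carries a unique constraint and the INSERT is the claim step.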
From: Gaetano G. <giu...@se...> - 2004-07-05 14:47:10
I dunno about security implications, but avoidance of double-form-submittal is usually done via JavaScript, e.g. before posting data to the server set a cookie or some other variable on the client...

> -----Original Message-----
> From: php...@li... [mailto:php...@li...] On behalf of Herouth Maoz
> Sent: Monday 5 July 2004 16:33
> To: php...@li...
> Subject: [Phplib-users] Is there a way to save sessions between page open and close?
>
> I have a captcha system, wherein a php-generated image generates a number and
> displays it, and the user has to respond with the same number.
>
> If he does, a sensitive operation is performed, which we want to avoid being
> performed several times in a row.
>
> We find that if the user clicks the submit button on the form several times in
> a row, it creates several connections, all of which check the number and do
> the operation. Since the page does not reload between these submissions, the
> number does not get replaced.
>
> I thought I'd unregister the number directly after I verify that it's the
> right one, so that the next connection made will not reach the sensitive
> part, because its comparison will fail.
>
> However, since the data is only saved in the session at the end, when I do the
> page_close(), this is not working. I'd like to be able to control when the
> session is saved, so that only the first connection will be able to access
> that number.
>
> Any ideas?
>
> Herouth
From: Herouth M. <he...@ti...> - 2004-07-05 14:33:22
I have a captcha system, wherein a php-generated image generates a number and displays it, and the user has to respond with the same number.

If he does, a sensitive operation is performed, which we want to avoid being performed several times in a row.

We find that if the user clicks the submit button on the form several times in a row, it creates several connections, all of which check the number and do the operation. Since the page does not reload between these submissions, the number does not get replaced.

I thought I'd unregister the number directly after I verify that it's the right one, so that the next connection made will not reach the sensitive part, because its comparison will fail.

However, since the data is only saved in the session at the end, when I do the page_close(), this is not working. I'd like to be able to control when the session is saved, so that only the first connection will be able to access that number.

Any ideas?

Herouth
From: Layne W. <la...@dr...> - 2004-07-02 01:10:09
> Finally I had a suggestion that IE6 doesn't like server names with
> underscores in them. Our servers are all named along the lines of
> edm_bfhxx_fp002, so I changed the web server to have a virtual host
> named edm-bfhxx-fp002 and BINGO everything sprung to life. So it
> appears that IE 6 will not accept sessions, cookies etc. from a server
> that has underscores in its name.

Unless the rules have been modified in the last couple of months, underscores have never been valid characters for a domain name.

Layne Weathers
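The rule Layne refers to, as an added check (not code from the thread): host names are made of labels of letters, digits and hyphens, 1 to 63 characters each, not starting or ending with a hyphen, 253 characters in total (RFC 952/1123). The function below applies those rules, and the constructed sample list includes the two names from Paul's message, so it flags `edm_bfhxx_fp002` and accepts `edm-bfhxx-fp002`. Running it against the server's own name is a cheap way to catch the cookie problem before a browser does.

```php
<?php
// Added example, not from the list thread: check a host name against the
// RFC 952/1123 label rules (letters, digits and hyphens, no leading or
// trailing hyphen, 1-63 chars per label, 253 total). IE 6, as Paul found,
// refuses cookies for a host whose name breaks them.
function is_valid_hostname($host) {
    $host = rtrim($host, '.');                 // tolerate a trailing root dot
    if ($host === '' || strlen($host) > 253) {
        return false;
    }
    foreach (explode('.', $host) as $label) {
        if (!preg_match('/^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$/', $label)) {
            return false;
        }
    }
    return true;
}

// Constructed sample names; the first two are the ones from Paul's message.
$samples = array('edm_bfhxx_fp002', 'edm-bfhxx-fp002', 'www.example.com',
                 '-bad.example.com', 'ok.example.com.');
foreach ($samples as $name) {
    printf("%-20s %s\n", $name, is_valid_hostname($name) ? 'valid' : 'INVALID');
}

// On the server itself, check the name clients actually see. With Apache this
// is $_SERVER['SERVER_NAME'] (ServerName, or the Host header depending on
// UseCanonicalName).
if (isset($_SERVER['SERVER_NAME']) && !is_valid_hostname($_SERVER['SERVER_NAME'])) {
    printf("WARNING: this server's name %s is not a valid host name\n",
           $_SERVER['SERVER_NAME']);
}
```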
From: marko <mk...@mc...> - 2004-07-01 06:51:35
Hi Paul,

> The second suggestion I got was from someone who suggested that when he
> set the session_cache_limiter ("private"), it solved all his problems
> with IE6. Again this may help someone but it didn't fix the problem
> for me.

Good hint, haven't tested that. But I'll keep it in mind for the future.

> Finally I had a suggestion that IE6 doesn't like server names with
> underscores in them. Our servers are all named along the lines

That sounds quite typical... ;) OK, good to know. So the underscore thing was your problem then... Funny.

> Hopefully one of the above will also fix your problem, Marko.

As I said, my problems with IE6 had been fixed since I used PHP 4.3.7! 4.3.1 had been mainly the reason! The quirks concerning downloading of php files (instead of executing them when accessing the server with FireFox) vanished, miraculously. So, eventually, after half a year, this problem is solved. Good to know that I can shift my re-coding of my phplib-based app further into the future! :)

Greetings,
Marko
From: <pau...@mo...> - 2004-06-30 16:38:23
Dear All

I've finally managed to figure this out. Not sure if it'll help anybody else but here goes:

The first suggestion that was made was to implement a compact privacy policy. This didn't work but may help in some cases, I guess.

The second suggestion I got was from someone who suggested that when he set the session_cache_limiter ("private"), it solved all his problems with IE6. Again this may help someone but it didn't fix the problem for me.

Finally I had a suggestion that IE6 doesn't like server names with underscores in them. Our servers are all named along the lines of edm_bfhxx_fp002, so I changed the web server to have a virtual host named edm-bfhxx-fp002 and BINGO everything sprung to life. So it appears that IE 6 will not accept sessions, cookies etc. from a server that has underscores in its name. Nice of them to let us know eh!!

Hopefully one of the above will also fix your problem, Marko.

Thanks for all your help.

Paul
From: marko <mk...@mc...> - 2004-06-30 14:13:01
Hi Layne,

> AddHandler application/x-httpd-php .php

Well, actually I have this setting in my httpd.ini in a slightly different form:

    <IfModule mod_php4.c>
        AddType application/x-httpd-php .php
        AddType application/x-httpd-php .php4
        AddType application/x-httpd-php-source .phps
    </IfModule>

I don't really know what happened, since for some reason my Firefox works fine again. Looks like that was some caching issue or something. Don't know what happened. IE6 worked fine from the beginning.

Also I checked the changelog of the successor of my old PHP 4.3.1 and there is a lot of stuff concerning cookies and sessions mentioned. Looks like 4.3.1 still contained quite a few quirks.

Marko
From: Layne W. <la...@dr...> - 2004-06-30 12:29:00
Quoth marko:
> I still have the problem with my apache that it sometimes offers php files
> for download instead of just executing them. Haven't understood yet why
> this happens. But except for this inconvenience phplib is working again
> on IE and new Mozilla based browsers!!!

This is because the file extension you are using in these cases is not mapped to a MIME type. Edit httpd.conf and look for a line like this:

    AddHandler application/x-httpd-php .php

Add the extension(s) you are using like this:

    AddHandler application/x-httpd-php .php .phtml

You can always put this in a .htaccess file to limit the setting to the directory (and all sub-directories) in which you place it.

Layne Weathers
From: marko <mk...@mc...> - 2004-06-30 09:19:36
Hi Paul,

I installed the latest php 4.3.7. Although I had/have some difficulties getting Apache properly running with PHP and my SuSE 8.2, I made it work for my FireFox and IE6! Obviously there was a problem with PHP version 4.3.1, which I had installed before, which caused that for some reason cookies couldn't be created on the client side.

I still have the problem with my apache that it sometimes offers php files for download instead of just executing them. Haven't understood yet why this happens. But except for this inconvenience phplib is working again on IE and new Mozilla based browsers!!!

Greetings,
Marko
From: marko <mk...@mc...> - 2004-06-22 15:56:23
Hi Paul,

I'd advise you to do another test NOT using IE6! Could you install the latest Mozilla FireFox 0.9 and do the same test? I see there the same strange behaviour as in IE6. There needs to be an entry for the session id in the file "cookies.txt" in the user profile of FF, like:

    --- cookies.txt ---
    server.xyz FALSE / FALSE 2129183350 Exp_Session ac8b618aad4210aa2cd442d82c89b44b
    -------------------

If this entry doesn't exist, FireFox would show the strange behaviour also seen in IE6. The 5th entry means lifetime until year 2137 and the last needs to be a valid phplib session id. The strange thing is that this lifetime never changes if you open and close the application. This is different for phpmyadmin! So, why is phplib unable to create such a cookie in case it still doesn't exist?

Questions....

Marko