Posted by Vince Morgan on 03/19/07 09:43
"starman7" <starman7@hotmail.com> wrote in message
news:1174276558.004984.145320@l75g2000hse.googlegroups.com...
> On Mar 18, 8:42 pm, "Vince Morgan" <vin...@REMOVEoptusnet.com.au>
> wrote:
> > "Vince Morgan" <vin...@REMOVEoptusnet.com.au> wrote in message
> >
> > news:45fde317$0$4753$afc38c87@news.optusnet.com.au...
> >
> >
> >
> > > >if ( strpos($config_content, 'dbuser') && (substr($config_content, 0,
> > > >5) != '<?php' || substr($config_content, -2) != '?>') )
> > > {
> Thanks for the insight. The application works without that code block
> - so I'm guessing the config file gets loaded despite the reported
> problem.
>
Yep, you are correct. There is no "return" or "exit" so the script should
keep on running after the message.
> Here's my actual config file:
>
> <?php
>
> //
> // phpBB 2.x auto-generated config file
> // Do not change anything in this file!
> //
>
> $dbms = 'mysql4';
>
> $dbhost = '127.0.0.1';
> $dbname = '1234567';
> $dbuser = '12345678';
> $dbpasswd = '123456789';
>
> $table_prefix = 'phpbb_';
>
> define('PHPBB_INSTALLED', true);
>
> ?>
>
What is being checked in the "if" condition is of three parts.
First it checks for a substring "dbuser". The function "strpos()" returns
FALSE if the substring in question is not found, but it does exist in the
file apparently.
If it did not exist then the first condition "strpos($config_content,
'dbuser')" returning FALSE would cause the entire condition to return FALSE,
as the AND "&&" operator does not bother evaluating any further if the
first part is FALSE.
In the second part. If the first five chars of the file are not "<?php"
[minus the quotes] or, the last two chars are not "?>" then the entire
condition evaluates as TRUE. If the condition as a whole returns TRUE you
get the message.
It could be written as below, and still work.
if ( strpos($config_content, 'dbuser') AND (substr($config_content, 0, 5)
!= '<?php' OR substr($config_content, -2) != '?>') )
> any ideas why the code complains about it?
>
I think the problem is discovered in the second part of the condition.
That will evaluate as TRUE if the first 5 chars are not exactly "<?php", OR
if the last 2 chars are not exactly "?>".
A space in either part would cause the message to be output.
That is where I would be looking with regard to the above.
> i've tried even moving everything to one line, but always seem to get
> the error (unless i remove that block) - might this code be evaluated
> for some reason unintended by the author's warning?
Can't help you there.
> might removing
> this code decrease the app's security?
Don't know.
> i should mention the
> environment is selinux - which requires specific/enhanced
> permissions ... not sure if that's relevant given the above info ...
Nope, can't see that being the case.
If the first five chars are "<?php" and the last are "?>" including hidden
characters, I would be lost too.
If the var that the file was loaded into was empty the first part of the
condition would evaluate as FALSE and you wouldn't see the message.
I would be making absolutely certain that the file begins with "<?php" and
ends with "?>". No line break or spaces whatsoever either before the first
part, or after the last part.
I believe you have a hidden character, or a line break, or space after the
"?>"
HTH
Vince Morgan
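
The condition discussed in this post, as an added diagnostic that is not part of the original message or of phpBB: it splits the check into its parts and prints the offending bytes in hex, so a hidden character before "<?php" or after "?>" becomes visible. The helper name diagnose_config() and the sample strings are constructed for illustration.

```php
<?php
// Added diagnostic, not phpBB code. diagnose_config() is a hypothetical helper.

function diagnose_config(string $content): array
{
    $findings = [];

    // The same three sub-conditions as the check quoted in the thread.
    // "!== false" is used so a match at offset 0 would still count as found.
    $hasDbuser = strpos($content, 'dbuser') !== false;
    $badStart  = substr($content, 0, 5) != '<?php';
    $badEnd    = substr($content, -2) != '?>';

    // Report each failing side with the raw bytes, since whitespace,
    // line breaks and a byte order mark are invisible in most editors.
    if ($hasDbuser && $badStart) {
        $findings[] = 'start: first 5 bytes are hex ' . bin2hex(substr($content, 0, 5));
    }
    if ($hasDbuser && $badEnd) {
        $findings[] = 'end: last 4 bytes are hex ' . bin2hex(substr($content, -4));
    }
    return $findings;
}

// Constructed sample contents (not the poster's real file).
$body = "<?php\n\$dbuser = 'example';\n?>";
$samples = [
    'clean'            => $body,
    'trailing newline' => $body . "\n",
    'trailing CRLF'    => $body . "\r\n",
    'trailing space'   => $body . ' ',
    'UTF-8 BOM'        => "\xEF\xBB\xBF" . $body,
];

foreach ($samples as $label => $content) {
    $findings = diagnose_config($content);
    echo str_pad($label, 18), $findings ? implode('; ', $findings) : 'passes the check', "\n";
}
```

To inspect a real file, pass the result of file_get_contents() on the config path to diagnose_config(); hex 0a is a line feed, 0d0a a Windows line ending, 20 a space and efbbbf a UTF-8 byte order mark.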