  1. E-passport test takes flight

    Date: 01/13/06 (Security)    Keywords: security

    Passengers will test biometric passports in airports worldwide under a Department of Homeland Security test.

    Source: http://news.zdnet.com/2100-1009_22-6027090.html

  2. $_REQUEST, $_POST, $_GET

    Date: 01/17/06 (PHP Community)    Keywords: security

    Greetings.

    I've been using $_REQUEST for a few years now instead of $_GET or $_POST. I have yet to find any sort of decent reasoning as to why we should be using one or the other.

    Are there any potential security benefits or risks with using $_REQUEST instead?

    Source: http://www.livejournal.com/community/php/396705.html

  3. Oracle fixes pile of bugs

    Date: 01/18/06 (Security)    Keywords: software, database, security

    Scheduled batch of patches plugs a large number of security holes in many products, including its database and app server software.

    Source: http://news.zdnet.com/2100-1009_22-6027847.html

  4. Windows Wi-Fi patch could be long time coming

    Date: 01/18/06 (Security)    Keywords: security, microsoft

    Microsoft confirms a Wi-Fi security flaw in Windows XP, but the wait for a fix may be as long as 18 months.

    Source: http://news.zdnet.com/2100-1009_22-6028275.html

  5. MSN Video/Video conferencing through a firewall without upnp support

    Date: 10/10/05 (IT Professionals)    Keywords: security, microsoft

    Hi,

    As you may know, MSN requires UPnP for video chat/voice chat to happen. I'm currently using BorderWare; almost all (heck, maybe all) EAL4+ certified firewalls do not support UPnP because it's a security loophole.

    However, the alternative is to open the entire UDP 5004-65535 range, according to Microsoft's documentation...

    Does anyone have any suggestions?

    Either an alternative video conferencing tool or a solution to the firewall problem?

    Source: http://community.livejournal.com/itprofessionals/25519.html

  6. File upload control issues with ASP.NET (playing with fire)

    Date: 01/03/06 (C Sharp)    Keywords: html, asp, security, web

    Heya all, I'm working on a web-based application (using ASP.NET and C# on .NET 1.1.4322, supporting only IE6 for Windows) that allows for file uploads. It seems to be universally agreed that the file upload control is as ugly as they come, so I want to set its style to "display: none;" and interact only with the standard file upload dialog (which can be summoned by firing the click() method of the control, which is exposed under IE6 but not recent versions of Mozilla).

    Attempting programmatic access of a file upload control is generally playing with fire, and this time is apparently no exception. Once I call the click() method, it seems, the page is no longer able to post back. When I attempt to submit the form, the value of the file upload control is cleared and the page just sits there. However, if I make the file upload control visible and manually click its "Browse..." button, the page posts back correctly.

    For those of you familiar with Gmail's attachment upload interface, this is very close to the effect I am trying to achieve, but something about ASP.NET is apparently interfering (perhaps for my own protection) with the process. Has anybody experienced similar behavior under the same platform, and if so, can you explain the behavior or point to a KB article or security documentation that might be enlightening? Thanks greatly for your time. Toy code can be found after the cut.



    Codeahead:

    <%@ Page language="c#" Codebehind="Foo.aspx.cs" AutoEventWireup="false" Inherits="FooApp.Foo" %>
    
    
    
    
    

    Postback info:
    Codebehind:
    
    using System;
    using System.Collections;
    using System.ComponentModel;
    using System.Data;
    using System.Drawing;
    using System.Web;
    using System.Web.SessionState;
    using System.Web.UI;
    using System.Web.UI.WebControls;
    using System.Web.UI.HtmlControls;
    
    namespace FooApp
    {
    	public class Foo : System.Web.UI.Page
    	{
    		protected HtmlInputFile f;
    		protected HtmlGenericControl s;
    
    		private void Page_Load(object sender, System.EventArgs e)
    		{
    			if (this.IsPostBack)
    			{
    				s.InnerText = String.Format("{0} file(s) posted", Request.Files.Count);
    				if (1 == Request.Files.Count) { s.InnerText += String.Format(", content length: {0}", Request.Files[0].ContentLength); }
    			}
    		}
    
    		override protected void OnInit(EventArgs e)
    		{
    			InitializeComponent();
    			base.OnInit(e);
    		}
    	
    		private void InitializeComponent()
    		{    
    			this.Load += new System.EventHandler(this.Page_Load);
    		}
    	}
    }
    
    

    Source: http://community.livejournal.com/csharp/45787.html

  7. Long posty

    Date: 12/27/05 (C Sharp)    Keywords: security, microsoft

    This is a long post about one problem I have with Microsoft Report Viewer reports for .NET 2.0. Please don't skip it :)

    ok, I have a simple windows form with report viewer control placed on it. The datasource for my reports is an object described in a class. Most of the fields are pretty simple like:

    public string ObjectOperationType
      {
       get
       {
        return ent.Offer.OfferType.ToString();
       }
      }

    where "ent" is a business object the application uses.

    Some fields, though, are a bit more complex and return List<> of things, like:

    public List<CloseLocations> ObjectCloseLocations()
      {
       // One entry per available item, flagged true when the item is selected on the entity.
       List<CloseLocations> items = new List<CloseLocations>();
       foreach (DirectoryEntry de in ent.Attributes[31].AvailableItemsList)
       {
        if (((ListDirectoryEntries)ent.Attributes[31]).Contains(de))
        {
         items.Add(new CloseLocations(de.Term, true));
        }
        else
        {
         items.Add(new CloseLocations(de.Term, false));
        }
       }
       return items;
      }

    The CloseLocations type is a class with two public fields (Key and Value) that are filled by my method and then passed into the report as a list and the report will show the list in a table quite happily.

    It all works fine, as long as you don't have to include the ListsTypes() on your reports.

    Originally, the code to get the proper BindingSource running looked like this:


    ViewObject MyData = new ViewObject(vid, HidePD);
    this.ViewObjectBindingSource.DataSource = MyData;
    this.comfortAndSecurityBindingSource.DataSource = MyData.ObjectComfortAndSecurity();
    this.closeLocationsBindingSource.DataSource = MyData.ObjectCloseLocations();
    this.propPhotoBindingSource.DataSource = MyData.PropertyImages();
    reportViewer1.RefreshReport();

    Now, when I pass List to my primary BindingSource, the other binding sources have to be List<> or List types.

    I tried this:

    List<ViewObject> myData = new List<ViewObject>();
    // ... fill the list ...
    List> comfort = new List>();
    foreach (ViewObject vo in myData)
    {
        comfort.Add(vo.Comfort());
    }
    this.comfortAndSecurityBindingSource.DataSource = comfort;

    The problem now is that the comfort List<> is not "bound" to its parent object that shall be getting data from it. How can I fix this?

    Has anyone dealt with this?

    Source: http://community.livejournal.com/csharp/44980.html

  8. Safe Browsing...

    Date: 09/27/05 (Opera Browser)    Keywords: security

    Opera 8.x
    Advisories: 8
    Highest Criticality: Moderate
    Impact: Spoofing, Cross Site Scripting, Security Bypass.
    Status: 100% patched

    Firefox 1.x
    Advisories: 24
    Highest Criticality: Extreme
    Impact: System access, DoS, Privilege escalation, Exposure sensitive info, Exposure system info, Manipulation of data, Spoofing, Cross Site Scripting, Security bypass, Hijacking.
    Status: 83% patched

    Internet Explorer 6.x
    Advisories: 86
    Highest Criticality: Extreme
    Impact: System access, DoS, Exposure sensitive info, Exposure system info, Manipulation of data, Spoofing, Cross Site Scripting, Security bypass, Hijacking.
    Status: 56% patched

    Source: http://community.livejournal.com/opera_browser/44591.html

  9. obfuscation and encoding

    Date: 10/29/05 (PHP Development)    Keywords: php, security, web

    i have a case where i'm trying to provide some unsubscribe functionality via a link to a website in an email. i need to encode some information in the url, specifically a user id and a list so i know who they are and which list they are unsubscribing to. Security is of course important, I don't want anyone to be able to just submit with random user ids and lists so i need to encode it with some sort of obfuscation, but also with a checksum or something that would prevent tampering or at least let me know.

    Anyone have any experience with this or ideas? ideally, i'd like to use something readily available in PHP (and also perl if possible since the encrypting part will happen in perl, but presumably i could port easily enough). maybe like generate a url string, such as "user_id=x&list=y", base64 encode it (which also shrinks it and is a plus) and then add a crc byte on the end? then my url would be http://www.example.com/file.php?hash="gobbledygook"

    does anyone know of something in PHP that would do this? if not any suggestions for rolling your own (like algorithms, i don't need actual code probably unless you either have it, know of it on a free site, or really feel like writing it ;-) ) maybe using compression utils with a password? that would i think require recompiling php or using external programs which is doable, but not as desirable. plus if someone guessed the password, they could decrypt, but i suppose that is true for any algorithm that's one way. perhaps using ssl or pgp somehow? having 2 keys, then no one could decrypt it without the private key? that might be overkill. or mhash for hashing, but then might that be easy to crack and can it be computed in perl?

    xposted to php

    Source: http://community.livejournal.com/php_dev/61842.html
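
    One way to build the tamper-evident link asked about above, as an added example that is not part of the original post: sign the payload with a keyed HMAC instead of appending a CRC, which anyone can recompute. It assumes PHP 7 or later; UNSUB_KEY, the function names and the sample user id and list name are constructed for illustration.

```php
<?php
// Added example, not code from the original post.
// UNSUB_KEY is a constructed placeholder: in practice load a random secret of
// at least 32 bytes from server-side configuration and never send it to clients.
const UNSUB_KEY = 'constructed-demo-key-replace-with-random-secret';

// URL-safe base64 without padding, so the token needs no extra URL escaping.
function b64url_encode(string $raw): string
{
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

// Inverse of b64url_encode(); returns false on malformed input.
function b64url_decode(string $text)
{
    $padded = $text . str_repeat('=', (4 - strlen($text) % 4) % 4);
    return base64_decode(strtr($padded, '-_', '+/'), true);
}

// Build "<payload>.<tag>": the payload is readable by anyone who decodes it,
// but the tag can only be produced by a holder of $key.
function make_unsub_token(int $userId, string $list, string $key): string
{
    // Explicit '&' separator so the signed string does not depend on php.ini.
    $payload = http_build_query(['user_id' => $userId, 'list' => $list], '', '&');
    $tag = hash_hmac('sha256', $payload, $key, true); // raw 32-byte HMAC-SHA256
    return b64url_encode($payload) . '.' . b64url_encode($tag);
}

// Returns ['user_id' => int, 'list' => string] for a valid token, null otherwise.
function verify_unsub_token(string $token, string $key): ?array
{
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    $payload = b64url_decode($parts[0]);
    $tag = b64url_decode($parts[1]);
    if ($payload === false || $tag === false) {
        return null;
    }

    // Recompute the tag and compare in constant time BEFORE parsing the
    // payload, so unauthenticated input never reaches parse_str().
    $expected = hash_hmac('sha256', $payload, $key, true);
    if (!hash_equals($expected, $tag)) {
        return null;
    }

    parse_str($payload, $fields);
    if (!isset($fields['user_id'], $fields['list'])
        || !is_string($fields['user_id']) || !is_string($fields['list'])
        || !ctype_digit($fields['user_id'])) {
        return null;
    }
    return ['user_id' => (int) $fields['user_id'], 'list' => $fields['list']];
}

// --- Demonstration with constructed sample values ---
$token = make_unsub_token(4211, 'weekly-news', UNSUB_KEY);
echo 'http://www.example.com/file.php?hash=' . $token, "\n";

// Untouched token: verification returns the original fields.
var_dump(verify_unsub_token($token, UNSUB_KEY));

// Payload swapped to another user id while reusing the old tag: the recomputed
// HMAC no longer matches, so the request is rejected.
list(, $oldTag) = explode('.', $token);
$forged = b64url_encode('user_id=4212&list=weekly-news') . '.' . $oldTag;
var_dump(verify_unsub_token($forged, UNSUB_KEY));

// Token signed with a different key (someone guessing the secret wrongly):
// also rejected.
$wrongKey = make_unsub_token(4211, 'weekly-news', 'some-other-key');
var_dump(verify_unsub_token($wrongKey, UNSUB_KEY));
```

    The payload is only encoded, not encrypted, so the HMAC gives integrity rather than secrecy. On the Perl side, hmac_sha256 from Digest::SHA computes the same tag over the same payload string.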

  10. The PHP/mySQL issue

    Date: 06/07/05 (PHP Development)    Keywords: php, mysql, software, html, xml, database, asp, sql, security, web, apache

    Here's what I have
    Apache 1.3.33
    PHP 5.0.4
    MySQL 4.1.12a
    Operating System: Windows 98

    The error that I got when I tried using mysql_connect() on a php page:

    Fatal error: Call to undefined function mysql_connect()

    Things that I have done so far:
    Apache, mySQL, and PHP are in directories on the C drive, named accordingly

    in php.ini, this is what I changed (change in italics)
    doc_root = "C:\Apache\htdocs"
    extension_dir "C:\php\ext"

    Removed the ";" in front of extension = php_mysql.dll (Is there supposed to be quotation marks on this line?)

    Saved a copy of php.ini (after these changes) in the C:\Windows directory
    Saved copies of c:\php\libmysql.dll & c:\php\ext\php_mysql.dll to the C:\Windows directory


    --------------
    What else am I missing?


    PHP Version 5.0.4

    System Windows 9x JESSICA 4.10
    Build Date Mar 31 2005 02:44:34
    Configure Command cscript /nologo configure.js "--enable-snapshot-build" "--with-gd=shared"
    Server API Apache
    Virtual Directory Support enabled
    Configuration File (php.ini) Path no value
    PHP API 20031224
    PHP Extension 20041030
    Zend Extension 220040412
    Debug Build no
    Thread Safety enabled
    IPv6 Support enabled
    Registered PHP Streams php, file, http, ftp, compress.zlib
    Registered Stream Socket Transports tcp, udp

    This program makes use of the Zend Scripting Language Engine:
    Zend Engine v2.0.4-dev, Copyright (c) 1998-2004 Zend Technologies



    --------------------------------------------------------------------------------

    PHP Credits

    --------------------------------------------------------------------------------

    Configuration
    PHP Core
    Directive Local Value Master Value
    allow_call_time_pass_reference On On
    allow_url_fopen On On
    always_populate_raw_post_data Off Off
    arg_separator.input & &
    arg_separator.output & &
    asp_tags Off Off
    auto_append_file no value no value
    auto_globals_jit On On
    auto_prepend_file no value no value
    browscap no value no value
    default_charset no value no value
    default_mimetype text/html text/html
    define_syslog_variables Off Off
    disable_classes no value no value
    disable_functions no value no value
    display_errors On On
    display_startup_errors Off Off
    doc_root no value no value
    docref_ext no value no value
    docref_root no value no value
    enable_dl On On
    error_append_string no value no value
    error_log no value no value
    error_prepend_string no value no value
    error_reporting no value no value
    expose_php On On
    extension_dir C:\php5 C:\php5
    file_uploads On On
    highlight.bg #FFFFFF #FFFFFF
    highlight.comment #FF8000 #FF8000
    highlight.default #0000BB #0000BB
    highlight.html #000000 #000000
    highlight.keyword #007700 #007700
    highlight.string #DD0000 #DD0000
    html_errors On On
    ignore_repeated_errors Off Off
    ignore_repeated_source Off Off
    ignore_user_abort Off Off
    implicit_flush Off Off
    include_path .;C:\php5\pear .;C:\php5\pear
    log_errors Off Off
    log_errors_max_len 1024 1024
    magic_quotes_gpc On On
    magic_quotes_runtime Off Off
    magic_quotes_sybase Off Off
    mail.force_extra_parameters no value no value
    max_execution_time 30 30
    max_input_time -1 -1
    open_basedir no value no value
    output_buffering 0 0
    output_handler no value no value
    post_max_size 8M 8M
    precision 14 14
    register_argc_argv On On
    register_globals Off Off
    register_long_arrays On On
    report_memleaks On On
    report_zend_debug On On
    safe_mode Off Off
    safe_mode_exec_dir no value no value
    safe_mode_gid Off Off
    safe_mode_include_dir no value no value
    sendmail_from no value no value
    sendmail_path no value no value
    serialize_precision 100 100
    short_open_tag On On
    SMTP localhost localhost
    smtp_port 25 25
    sql.safe_mode Off Off
    track_errors Off Off
    unserialize_callback_func no value no value
    upload_max_filesize 2M 2M
    upload_tmp_dir no value no value
    user_dir no value no value
    variables_order EGPCS EGPCS
    xmlrpc_error_number 0 0
    xmlrpc_errors Off Off
    y2k_compliance On On
    zend.ze1_compatibility_mode Off Off


    apache
    Apache for Windows 95/NT

    Apache Version Apache/1.3.33 (Win32) PHP/5.0.4
    Apache Release 10329100
    Apache API Version 19990320
    Hostname:Port localhost:80
    Timeouts Connection: 300 - Keep-Alive: 15

    Directive Local Value Master Value
    child_terminate 0 0
    engine 1 1
    last_modified 0 0
    xbithack 0 0


    Apache Environment
    Variable Value
    COMSPEC C:\WINDOWS\COMMAND.COM
    DOCUMENT_ROOT c:/apache/htdocs
    HTTP________________ ----- -------
    HTTP_ACCEPT image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
    HTTP_ACCEPT_LANGUAGE en-us
    HTTP_CONNECTION Keep-Alive
    HTTP_HOST localhost
    HTTP_USER_AGENT Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)
    PATH C:\WINDOWS;c:\windows;c:\windows\COMMAND
    PHPRC C:/php
    REMOTE_ADDR 127.0.0.1
    REMOTE_PORT 2477
    SCRIPT_FILENAME c:/apache/htdocs/phptest.php
    SERVER_ADDR 127.0.0.1
    SERVER_ADMIN jessica.karels@gmail.com
    SERVER_NAME localhost
    SERVER_PORT 80
    SERVER_SIGNATURE

    Apache/1.3.33 Server at localhost Port 80

    SERVER_SOFTWARE Apache/1.3.33 (Win32) PHP/5.0.4
    WINDIR C:\WINDOWS
    GATEWAY_INTERFACE CGI/1.1
    SERVER_PROTOCOL HTTP/1.1
    REQUEST_METHOD GET
    QUERY_STRING no value
    REQUEST_URI /phptest.php
    SCRIPT_NAME /phptest.php


    HTTP Headers Information
    HTTP Request Headers
    HTTP Request GET /phptest.php HTTP/1.1
    --------------- ----- -------
    Accept image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
    Accept-Language en-us
    Connection Keep-Alive
    Host localhost
    User-Agent Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)
    HTTP Response Headers
    X-Powered-By PHP/5.0.4
    Keep-Alive timeout=15, max=100
    Connection Keep-Alive
    Transfer-Encoding chunked
    Content-Type text/html


    bcmath
    BCMath support enabled


    calendar
    Calendar support enabled


    com_dotnet
    COM support enabled
    DCOM support disabled
    .Net support enabled

    Directive Local Value Master Value
    com.allow_dcom 0 0
    com.autoregister_casesensitive 1 1
    com.autoregister_typelib 0 0
    com.autoregister_verbose 0 0
    com.code_page no value no value
    com.typelib_file no value no value


    ctype
    ctype functions enabled


    dom
    DOM/XML enabled
    DOM/XML API Version 20031129
    libxml Version 2.6.11
    HTML Support enabled
    XPath Support enabled
    XPointer Support enabled
    Schema Support enabled
    RelaxNG Support enabled


    ftp
    FTP support enabled


    iconv
    iconv support enabled
    iconv implementation "libiconv"
    iconv library version 1.9

    Directive Local Value Master Value
    iconv.input_encoding ISO-8859-1 ISO-8859-1
    iconv.internal_encoding ISO-8859-1 ISO-8859-1
    iconv.output_encoding ISO-8859-1 ISO-8859-1


    libxml
    libXML support active
    libXML Version 2.6.11
    libXML streams enabled


    odbc
    ODBC Support enabled
    Active Persistent Links 0
    Active Links 0
    ODBC library Win32

    Directive Local Value Master Value
    odbc.allow_persistent On On
    odbc.check_persistent On On
    odbc.default_db no value no value
    odbc.default_pw no value no value
    odbc.default_user no value no value
    odbc.defaultbinmode return as is return as is
    odbc.defaultlrl return up to 4096 bytes return up to 4096 bytes
    odbc.max_links Unlimited Unlimited
    odbc.max_persistent Unlimited Unlimited


    pcre
    PCRE (Perl Compatible Regular Expressions) Support enabled
    PCRE Library Version 4.5 01-December-2003


    session
    Session Support enabled
    Registered save handlers files user sqlite
    Registered serializer handlers php php_binary wddx

    Directive Local Value Master Value
    session.auto_start Off Off
    session.bug_compat_42 On On
    session.bug_compat_warn On On
    session.cache_expire 180 180
    session.cache_limiter nocache nocache
    session.cookie_domain no value no value
    session.cookie_lifetime 0 0
    session.cookie_path / /
    session.cookie_secure Off Off
    session.entropy_file no value no value
    session.entropy_length 0 0
    session.gc_divisor 100 100
    session.gc_maxlifetime 1440 1440
    session.gc_probability 1 1
    session.hash_bits_per_character 4 4
    session.hash_function 0 0
    session.name PHPSESSID PHPSESSID
    session.referer_check no value no value
    session.save_handler files files
    session.save_path no value no value
    session.serialize_handler php php
    session.use_cookies On On
    session.use_only_cookies Off Off
    session.use_trans_sid 0 0


    SimpleXML
    Simplexml support enabled
    Revision $Revision: 1.139.2.4 $
    Schema support enabled


    SPL
    SPL support enabled
    Interfaces RecursiveIterator, SeekableIterator
    Classes ArrayObject, ArrayIterator, CachingIterator, CachingRecursiveIterator, DirectoryIterator, FilterIterator, LimitIterator, ParentIterator, RecursiveDirectoryIterator, RecursiveIteratorIterator, SimpleXMLIterator


    SQLite
    SQLite support enabled
    PECL Module version 2.0-dev $Id: sqlite.c,v 1.146.2.3 2004/09/26 01:41:40 wez Exp $
    SQLite Library 2.8.14
    SQLite Encoding iso8859

    Directive Local Value Master Value
    sqlite.assoc_case 0 0


    standard
    Regex Library Bundled library enabled
    Dynamic Library Support enabled
    Internal Sendmail Support for Windows enabled

    Directive Local Value Master Value
    assert.active 1 1
    assert.bail 0 0
    assert.callback no value no value
    assert.quiet_eval 0 0
    assert.warning 1 1
    auto_detect_line_endings 0 0
    date.default_latitude 31.7667 31.7667
    date.default_longitude 35.2333 35.2333
    date.sunrise_zenith 90.83 90.83
    date.sunset_zenith 90.83 90.83
    default_socket_timeout 60 60
    safe_mode_allowed_env_vars PHP_ PHP_
    safe_mode_protected_env_vars LD_LIBRARY_PATH LD_LIBRARY_PATH
    url_rewriter.tags a=href,area=href,frame=src,form=,fieldset= a=href,area=href,frame=src,form=,fieldset=
    user_agent no value no value


    tokenizer
    Tokenizer Support enabled


    wddx
    WDDX Support enabled
    WDDX Session Serializer enabled


    xml
    XML Support active
    XML Namespace Support active
    libxml2 Version 2.6.11


    zlib
    ZLib Support enabled
    Compiled Version 1.1.4
    Linked Version 1.1.4

    Directive Local Value Master Value
    zlib.output_compression Off Off
    zlib.output_compression_level -1 -1
    zlib.output_handler no value no value


    Additional Modules
    Module Name


    Environment
    Variable Value
    TMP c:\windows\TEMP
    TEMP C:\windows\TEMP
    PROMPT $p$g
    winbootdir C:\WINDOWS
    PATH C:\WINDOWS;c:\windows;c:\windows\COMMAND
    COMSPEC C:\WINDOWS\COMMAND.COM
    windir C:\WINDOWS


    PHP Variables
    Variable Value
    _SERVER["COMSPEC"] C:\WINDOWS\COMMAND.COM
    _SERVER["DOCUMENT_ROOT"] c:/apache/htdocs
    _SERVER["HTTP________________"] ----- -------
    _SERVER["HTTP_ACCEPT"] image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
    _SERVER["HTTP_ACCEPT_LANGUAGE"] en-us
    _SERVER["HTTP_CONNECTION"] Keep-Alive
    _SERVER["HTTP_HOST"] localhost
    _SERVER["HTTP_USER_AGENT"] Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)
    _SERVER["PATH"] C:\WINDOWS;c:\windows;c:\windows\COMMAND
    _SERVER["PHPRC"] C:/php
    _SERVER["REMOTE_ADDR"] 127.0.0.1
    _SERVER["REMOTE_PORT"] 2477
    _SERVER["SCRIPT_FILENAME"] c:/apache/htdocs/phptest.php
    _SERVER["SERVER_ADDR"] 127.0.0.1
    _SERVER["SERVER_ADMIN"] jessica.karels@gmail.com
    _SERVER["SERVER_NAME"] localhost
    _SERVER["SERVER_PORT"] 80
    _SERVER["SERVER_SIGNATURE"]
    Apache/1.3.33 Server at localhost Port 80

    _SERVER["SERVER_SOFTWARE"] Apache/1.3.33 (Win32) PHP/5.0.4
    _SERVER["WINDIR"] C:\WINDOWS
    _SERVER["GATEWAY_INTERFACE"] CGI/1.1
    _SERVER["SERVER_PROTOCOL"] HTTP/1.1
    _SERVER["REQUEST_METHOD"] GET
    _SERVER["QUERY_STRING"] no value
    _SERVER["REQUEST_URI"] /phptest.php
    _SERVER["SCRIPT_NAME"] /phptest.php
    _SERVER["PATH_TRANSLATED"] c:/apache/htdocs/phptest.php
    _SERVER["PHP_SELF"] /phptest.php
    _SERVER["argv"] Array
    (
    )

    _SERVER["argc"] 0
    _ENV["TMP"] c:\windows\TEMP
    _ENV["TEMP"] C:\windows\TEMP
    _ENV["PROMPT"] $p$g
    _ENV["winbootdir"] C:\WINDOWS
    _ENV["PATH"] C:\WINDOWS;c:\windows;c:\windows\COMMAND
    _ENV["COMSPEC"] C:\WINDOWS\COMMAND.COM
    _ENV["windir"] C:\WINDOWS




    [PHP]

    ;;;;;;;;;;;;;;;;;;;
    ; About php.ini ;
    ;;;;;;;;;;;;;;;;;;;
    ; This file controls many aspects of PHP's behavior. In order for PHP to
    ; read it, it must be named 'php.ini'. PHP looks for it in the current
    ; working directory, in the path designated by the environment variable
    ; PHPRC, and in the path that was defined in compile time (in that order).
    ; Under Windows, the compile-time path is the Windows directory. The
    ; path in which the php.ini file is looked for can be overridden using
    ; the -c argument in command line mode.
    ;
    ; The syntax of the file is extremely simple. Whitespace and Lines
    ; beginning with a semicolon are silently ignored (as you probably guessed).
    ; Section headers (e.g. [Foo]) are also silently ignored, even though
    ; they might mean something in the future.
    ;
    ; Directives are specified using the following syntax:
    ; directive = value
    ; Directive names are *case sensitive* - foo=bar is different from FOO=bar.
    ;
    ; The value can be a string, a number, a PHP constant (e.g. E_ALL or M_PI), one
    ; of the INI constants (On, Off, True, False, Yes, No and None) or an expression
    ; (e.g. E_ALL & ~E_NOTICE), or a quoted string ("foo").
    ;
    ; Expressions in the INI file are limited to bitwise operators and parentheses:
    ; | bitwise OR
    ; & bitwise AND
    ; ~ bitwise NOT
    ; ! boolean NOT
    ;
    ; Boolean flags can be turned on using the values 1, On, True or Yes.
    ; They can be turned off using the values 0, Off, False or No.
    ;
    ; An empty string can be denoted by simply not writing anything after the equal
    ; sign, or by using the None keyword:
    ;
    ; foo = ; sets foo to an empty string
    ; foo = none ; sets foo to an empty string
    ; foo = "none" ; sets foo to the string 'none'
    ;
    ; If you use constants in your value, and these constants belong to a
    ; dynamically loaded extension (either a PHP extension or a Zend extension),
    ; you may only use these constants *after* the line that loads the extension.
    ;
    ;
    ;;;;;;;;;;;;;;;;;;;
    ; About this file ;
    ;;;;;;;;;;;;;;;;;;;
    ; This is the recommended, PHP 5-style version of the php.ini-dist file. It
    ; sets some non standard settings, that make PHP more efficient, more secure,
    ; and encourage cleaner coding.
    ;
    ; The price is that with these settings, PHP may be incompatible with some
    ; applications, and sometimes, more difficult to develop with. Using this
    ; file is warmly recommended for production sites. As all of the changes from
    ; the standard settings are thoroughly documented, you can go over each one,
    ; and decide whether you want to use it or not.
    ;
    ; For general information about the php.ini file, please consult the php.ini-dist
    ; file, included in your PHP distribution.
    ;
    ; This file is different from the php.ini-dist file in the fact that it features
    ; different values for several directives, in order to improve performance, while
    ; possibly breaking compatibility with the standard out-of-the-box behavior of
    ; PHP. Please make sure you read what's different, and modify your scripts
    ; accordingly, if you decide to use this file instead.
    ;
    ; - register_globals = Off [Security, Performance]
    ; Global variables are no longer registered for input data (POST, GET, cookies,
    ; environment and other server variables). Instead of using $foo, you must use
    ; you can use $_REQUEST["foo"] (includes any variable that arrives through the
    ; request, namely, POST, GET and cookie variables), or use one of the specific
    ; $_GET["foo"], $_POST["foo"], $_COOKIE["foo"] or $_FILES["foo"], depending
    ; on where the input originates. Also, you can look at the
    ; import_request_variables() function.
    ; Note that register_globals is going to be depracated (i.e., turned off by
    ; default) in the next version of PHP, because it often leads to security bugs.
    ; Read http://php.net/manual/en/security.registerglobals.php for further
    ; information.
    ; - register_long_arrays = Off [Performance]
    ; Disables registration of the older (and deprecated) long predefined array
    ; variables ($HTTP_*_VARS). Instead, use the superglobals that were
    ; introduced in PHP 4.1.0
    ; - display_errors = Off [Security]
    ; With this directive set to off, errors that occur during the execution of
    ; scripts will no longer be displayed as a part of the script output, and thus,
    ; will no longer be exposed to remote users. With some errors, the error message
    ; content may expose information about your script, web server, or database
    ; server that may be exploitable for hacking. Production sites should have this
    ; directive set to off.
    ; - log_errors = On [Security]
    ; This directive complements the above one. Any errors that occur during the
    ; execution of your script will be logged (typically, to your server's error log,
    ; but can be configured in several ways). Along with setting display_errors to off,
    ; this setup gives you the ability to fully understand what may have gone wrong,
    ; without exposing any sensitive information to remote users.
    ; - output_buffering = 4096 [Performance]
    ; Set a 4KB output buffer. Enabling output buffering typically results in less
    ; writes, and sometimes less packets sent on the wire, which can often lead to
    ; better performance. The gain this directive actually yields greatly depends
    ; on which Web server you're working with, and what kind of scripts you're using.
    ; - register_argc_argv = Off [Performance]
    ; Disables registration of the somewhat redundant $argv and $argc global
    ; variables.
    ; - magic_quotes_gpc = Off [Performance]
    ; Input data is no longer escaped with slashes so that it can be sent into
    ; SQL databases without further manipulation. Instead, you should use the
    ; function addslashes() on each input element you wish to send to a database.
    ; - variables_order = "GPCS" [Performance]
    ; The environment variables are not hashed into the $_ENV. To access
    ; environment variables, you can use getenv() instead.
    ; - error_reporting = E_ALL [Code Cleanliness, Security(?)]
    ; By default, PHP surpresses errors of type E_NOTICE. These error messages
    ; are emitted for non-critical errors, but that could be a symptom of a bigger
    ; problem. Most notably, this will cause error messages about the use
    ; of uninitialized variables to be displayed.
    ; - allow_call_time_pass_reference = Off [Code cleanliness]
    ; It's not possible to decide to force a variable to be passed by reference
    ; when calling a function. The PHP 4 style to do this is by making the
    ; function require the relevant argument by reference.


    ;;;;;;;;;;;;;;;;;;;;
    ; Language Options ;
    ;;;;;;;;;;;;;;;;;;;;

    ; Enable the PHP scripting language engine under Apache.
    engine = On

    ; Enable compatibility mode with Zend Engine 1 (PHP 4.x)
    zend.ze1_compatibility_mode = Off

    ; Allow the <? tag. Otherwise, only <?php and <script> tags are recognized.
    ; NOTE: Using short tags should be avoided when developing applications or
    ; libraries that are meant for redistribution, or deployment on PHP
    ; servers which are not under your control, because short tags may not
    ; be supported on the target server. For portable, redistributable code,
    ; be sure not to use short tags.
    short_open_tag = On

    ; Allow ASP-style <% %> tags.
    asp_tags = Off

    ; The number of significant digits displayed in floating point numbers.
    precision = 14

    ; Enforce year 2000 compliance (will cause problems with non-compliant browsers)
    y2k_compliance = On

    ; Output buffering allows you to send header lines (including cookies) even
    ; after you send body content, at the price of slowing PHP's output layer a
    ; bit. You can enable output buffering during runtime by calling the output
    ; buffering functions. You can also enable output buffering for all files by
    ; setting this directive to On. If you wish to limit the size of the buffer
    ; to a certain size - you can use a maximum number of bytes instead of 'On', as
    ; a value for this directive (e.g., output_buffering=4096).
    output_buffering = 4096

    ; You can redirect all of the output of your scripts to a function. For
    ; example, if you set output_handler to "mb_output_handler", character
    ; encoding will be transparently converted to the specified encoding.
    ; Setting any output handler automatically turns on output buffering.
    ; Note: People who wrote portable scripts should not depend on this ini
    ; directive. Instead, explicitly set the output handler using ob_start().
    ; Using this ini directive may cause problems unless you know what script
    ; is doing.
    ; Note: You cannot use both "mb_output_handler" with "ob_iconv_handler"
    ; and you cannot use both "ob_gzhandler" and "zlib.output_compression".
    ; Note: output_handler must be empty if this is set 'On' !!!!
    ; Instead you must use zlib.output_handler.
    ;output_handler =

    ; Transparent output compression using the zlib library
    ; Valid values for this option are 'off', 'on', or a specific buffer size
    ; to be used for compression (default is 4KB)
    ; Note: Resulting chunk size may vary due to nature of compression. PHP
    ; outputs chunks that are few hundreds bytes each as a result of
    ; compression. If you prefer a larger chunk size for better
    ; performance, enable output_buffering in addition.
    ; Note: You need to use zlib.output_handler instead of the standard
    ; output_handler, or otherwise the output will be corrupted.
    zlib.output_compression = Off

    ; You cannot specify additional output handlers if zlib.output_compression
    ; is activated here. This setting does the same as output_handler but in
    ; a different order.
    ;zlib.output_handler =

    ; Implicit flush tells PHP to tell the output layer to flush itself
    ; automatically after every output block. This is equivalent to calling the
    ; PHP function flush() after each and every call to print() or echo() and each
    ; and every HTML block. Turning this option on has serious performance
    ; implications and is generally recommended for debugging purposes only.
    implicit_flush = Off

    ; The unserialize callback function will be called (with the undefined class'
    ; name as parameter), if the unserializer finds an undefined class
    ; which should be instantiated.
    ; A warning appears if the specified function is not defined, or if the
    ; function doesn't include/implement the missing class.
    ; So only set this entry, if you really want to implement such a
    ; callback-function.
    unserialize_callback_func=

    ; When floats & doubles are serialized store serialize_precision significant
    ; digits after the floating point. The default value ensures that when floats
    ; are decoded with unserialize, the data will remain the same.
    serialize_precision = 100

    ; Whether to enable the ability to force arguments to be passed by reference
    ; at function call time. This method is deprecated and is likely to be
    ; unsupported in future versions of PHP/Zend. The encouraged method of
    ; specifying which arguments should be passed by reference is in the function
    ; declaration. You're encouraged to try and turn this option Off and make
    ; sure your scripts work properly with it in order to ensure they will work
    ; with future versions of the language (you will receive a warning each time
    ; you use this feature, and the argument will be passed by value instead of by
    ; reference).
    allow_call_time_pass_reference = Off

    ;
    ; Safe Mode
    ;
    safe_mode = Off

    ; By default, Safe Mode does a UID compare check when
    ; opening files. If you want to relax this to a GID compare,
    ; then turn on safe_mode_gid.
    safe_mode_gid = Off

    ; When safe_mode is on, UID/GID checks are bypassed when
    ; including files from this directory and its subdirectories.
    ; (directory must also be in include_path or full path must
    ; be used when including)
    safe_mode_include_dir =

    ; When safe_mode is on, only executables located in the safe_mode_exec_dir
    ; will be allowed to be executed via the exec family of functions.
    safe_mode_exec_dir =

    ; Setting certain environment variables may be a potential security breach.
    ; This directive contains a comma-delimited list of prefixes. In Safe Mode,
    ; the user may only alter environment variables whose names begin with the
    ; prefixes supplied here. By default, users will only be able to set
    ; environment variables that begin with PHP_ (e.g. PHP_FOO=BAR).
    ;
    ; Note: If this directive is empty, PHP will let the user modify ANY
    ; environment variable!
    safe_mode_allowed_env_vars = PHP_

    ; This directive contains a comma-delimited list of environment variables that
    ; the end user won't be able to change using putenv(). These variables will be
    ; protected even if safe_mode_allowed_env_vars is set to allow to change them.
    safe_mode_protected_env_vars = LD_LIBRARY_PATH

    ; open_basedir, if set, limits all file operations to the defined directory
    ; and below. This directive makes most sense if used in a per-directory
    ; or per-virtualhost web server configuration file. This directive is
    ; *NOT* affected by whether Safe Mode is turned On or Off.
    ;open_basedir =

    ; This directive allows you to disable certain functions for security reasons.
    ; It receives a comma-delimited list of function names. This directive is
    ; *NOT* affected by whether Safe Mode is turned On or Off.
    disable_functions =

    ; This directive allows you to disable certain classes for security reasons.
    ; It receives a comma-delimited list of class names. This directive is
    ; *NOT* affected by whether Safe Mode is turned On or Off.
    disable_classes =

    ; Colors for Syntax Highlighting mode. Anything that's acceptable in
    ; <span style="color: ???????"> would work.
    ;highlight.string = #DD0000
    ;highlight.comment = #FF9900
    ;highlight.keyword = #007700
    ;highlight.bg = #FFFFFF
    ;highlight.default = #0000BB
    ;highlight.html = #000000


    ;
    ; Misc
    ;
    ; Decides whether PHP may expose the fact that it is installed on the server
    ; (e.g. by adding its signature to the Web server header). It is no security
    ; threat in any way, but it makes it possible to determine whether you use PHP
    ; on your server or not.
    expose_php = On


    ;;;;;;;;;;;;;;;;;;;
    ; Resource Limits ;
    ;;;;;;;;;;;;;;;;;;;

    max_execution_time = 30 ; Maximum execution time of each script, in seconds
    max_input_time = 60 ; Maximum amount of time each script may spend parsing request data
    memory_limit = 8M ; Maximum amount of memory a script may consume (8MB)


    ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
    ; Error handling and logging ;
    ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

    ; error_reporting is a bit-field. Or each number up to get desired error
    ; reporting level
    ; E_ALL - All errors and warnings (doesn't include E_STRICT)
    ; E_ERROR - fatal run-time errors
    ; E_WARNING - run-time warnings (non-fatal errors)
    ; E_PARSE - compile-time parse errors
    ; E_NOTICE - run-time notices (these are warnings which often result
    ; from a bug in your code, but it's possible that it was
    ; intentional (e.g., using an uninitialized variable and
    ; relying on the fact it's automatically initialized to an
    ; empty string)
    ; E_STRICT - run-time notices, enable to have PHP suggest changes
    ; to your code which will ensure the best interoperability
    ; and forward compatibility of your code
    ; E_CORE_ERROR - fatal errors that occur during PHP's initial startup
    ; E_CORE_WARNING - warnings (non-fatal errors) that occur during PHP's
    ; initial startup
    ; E_COMPILE_ERROR - fatal compile-time errors
    ; E_COMPILE_WARNING - compile-time warnings (non-fatal errors)
    ; E_USER_ERROR - user-generated error message
    ; E_USER_WARNING - user-generated warning message
    ; E_USER_NOTICE - user-generated notice message
    ;
    ; Examples:
    ;
    ; - Show all errors, except for notices and coding standards warnings
    ;
    ;error_reporting = E_ALL & ~E_NOTICE & ~E_STRICT
    ;
    ; - Show all errors, except for notices
    ;
    ;error_reporting = E_ALL & ~E_NOTICE
    ;
    ; - Show only errors
    ;
    ;error_reporting = E_COMPILE_ERROR|E_ERROR|E_CORE_ERROR
    ;
    ; - Show all errors
    ;
    error_reporting = E_ALL

    ; Print out errors (as a part of the output). For production web sites,
    ; you're strongly encouraged to turn this feature off, and use error logging
    ; instead (see below). Keeping display_errors enabled on a production web site
    ; may reveal security information to end users, such as file paths on your Web
    ; server, your database schema or other information.
    display_errors = On

    ; Even when display_errors is on, errors that occur during PHP's startup
    ; sequence are not displayed. It's strongly recommended to keep
    ; display_startup_errors off, except for when debugging.
    display_startup_errors = Off

    ; Log errors into a log file (server-specific log, stderr, or error_log (below))
    ; As stated above, you're strongly advised to use error logging in place of
    ; error displaying on production web sites.
    log_errors = On

    ; Set maximum length of log_errors. In error_log information about the source is
    ; added. The default is 1024 and 0 allows to not apply any maximum length at all.
    log_errors_max_len = 1024

    ; Do not log repeated messages. Repeated errors must occur in same file on same
    ; line until ignore_repeated_source is set true.
    ignore_repeated_errors = Off

    ; Ignore source of message when ignoring repeated messages. When this setting
    ; is On you will not log errors with repeated messages from different files or
    ; sourcelines.
    ignore_repeated_source = Off

    ; If this parameter is set to Off, then memory leaks will not be shown (on
    ; stdout or in the log). This has only effect in a debug compile, and if
    ; error reporting includes E_WARNING in the allowed list
    report_memleaks = On

    ; Store the last error/warning message in $php_errormsg (boolean).
    track_errors = Off

    ; Disable the inclusion of HTML tags in error messages.
    ; Note: Never use this feature for production boxes.
    ;html_errors = Off

    ; If html_errors is set On PHP produces clickable error messages that direct
    ; to a page describing the error or function causing the error in detail.
    ; You can download a copy of the PHP manual from http://www.php.net/docs.php
    ; and change docref_root to the base URL of your local copy including the
    ; leading '/'. You must also specify the file extension being used including
    ; the dot.
    ; Note: Never use this feature for production boxes.
    ;docref_root = "/phpmanual/"
    ;docref_ext = .html

    ; String to output before an error message.
    ;error_prepend_string = "<font color=ff0000>"

    ; String to output after an error message.
    ;error_append_string = "</font>"

    ; Log errors to specified file.
    ;error_log = filename

    ; Log errors to syslog (Event Log on NT, not valid in Windows 95).
    ;error_log = syslog


    ;;;;;;;;;;;;;;;;;
    ; Data Handling ;
    ;;;;;;;;;;;;;;;;;
    ;
    ; Note - track_vars is ALWAYS enabled as of PHP 4.0.3

    ; The separator used in PHP generated URLs to separate arguments.
    ; Default is "&".
    ;arg_separator.output = "&"

    ; List of separator(s) used by PHP to parse input URLs into variables.
    ; Default is "&".
    ; NOTE: Every character in this directive is considered as separator!
    ;arg_separator.input = ";&"

    ; This directive describes the order in which PHP registers GET, POST, Cookie,
    ; Environment and Built-in variables (G, P, C, E & S respectively, often
    ; referred to as EGPCS or GPC). Registration is done from left to right, newer
    ; values override older values.
    variables_order = "GPCS"

    ; Whether or not to register the EGPCS variables as global variables. You may
    ; want to turn this off if you don't want to clutter your scripts' global scope
    ; with user data. This makes most sense when coupled with track_vars - in which
    ; case you can access all of the GPC variables through the $HTTP_*_VARS[],
    ; variables.
    ;
    ; You should do your best to write your scripts so that they do not require
    ; register_globals to be on; Using form variables as globals can easily lead
    ; to possible security problems, if the code is not very well thought of.
    register_globals = Off

    ; Whether or not to register the old-style input arrays, HTTP_GET_VARS
    ; and friends. If you're not using them, it's recommended to turn them off,
    ; for performance reasons.
    register_long_arrays = Off

    ; This directive tells PHP whether to declare the argv&argc variables (that
    ; would contain the GET information). If you don't use these variables, you
    ; should turn it off for increased performance.
    register_argc_argv = Off

    ; Maximum size of POST data that PHP will accept.
    post_max_size = 8M

    ; Magic quotes
    ;

    ; Magic quotes for incoming GET/POST/Cookie data.
    magic_quotes_gpc = Off

    ; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
    magic_quotes_runtime = Off

    ; Use Sybase-style magic quotes (escape ' with '' instead of \').
    magic_quotes_sybase = Off

    ; Automatically add files before or after any PHP document.
    auto_prepend_file =
    auto_append_file =

    ; As of 4.0b4, PHP always outputs a character encoding by default in
    ; the Content-type: header. To disable sending of the charset, simply
    ; set it to be empty.
    ;
    ; PHP's built-in default is text/html
    default_mimetype = "text/html"
    ;default_charset = "iso-8859-1"

    ; Always populate the $HTTP_RAW_POST_DATA variable.
    ;always_populate_raw_post_data = On


    ;;;;;;;;;;;;;;;;;;;;;;;;;
    ; Paths and Directories ;
    ;;;;;;;;;;;;;;;;;;;;;;;;;

    ; UNIX: "/path1:/path2"
    ;include_path = ".:/php/includes"
    ;
    ; Windows: "\path1;\path2"
    ;include_path = ".;c:\php\includes"

    ; The root of the PHP pages, used only if nonempty.
    ; if PHP was not compiled with FORCE_REDIRECT, you SHOULD set doc_root
    ; if you are running php as a CGI under any web server (other than IIS)
    ; see documentation for security issues. The alternate is to use the
    ; cgi.force_redirect configuration below
    doc_root = "C:\Apache\htdocs\"

    ; The directory under which PHP opens the script using /~username used only
    ; if nonempty.
    user_dir =

    ; Directory in which the loadable extensions (modules) reside.
    extension_dir = "C:\php\ext\"

    ; Whether or not to enable the dl() function. The dl() function does NOT work
    ; properly in multithreaded servers, such as IIS or Zeus, and is automatically
    ; disabled on them.
    enable_dl = On

    ; cgi.force_redirect is necessary to provide security running PHP as a CGI under
    ; most web servers. Left undefined, PHP turns this on by default. You can
    ; turn it off here AT YOUR OWN RISK
    ; **You CAN safely turn this off for IIS, in fact, you MUST.**
    ; cgi.force_redirect = 1

    ; if cgi.nph is enabled it will force cgi to always send Status: 200 with
    ; every request.
    ; cgi.nph = 1

    ; if cgi.force_redirect is turned on, and you are not running under Apache or Netscape
    ; (iPlanet) web servers, you MAY need to set an environment variable name that PHP
    ; will look for to know it is OK to continue execution. Setting this variable MAY
    ; cause security issues, KNOW WHAT YOU ARE DOING FIRST.
    ; cgi.redirect_status_env = ;

    ; FastCGI under IIS (on WINNT based OS) supports the ability to impersonate
    ; security tokens of the calling client. This allows IIS to define the
    ; security context that the request runs under. mod_fastcgi under Apache
    ; does not currently support this feature (03/17/2002)
    ; Set to 1 if running under IIS. Default is zero.
    ; fastcgi.impersonate = 1;

    ; cgi.rfc2616_headers configuration option tells PHP what type of headers to
    ; use when sending HTTP response code. If it's set 0 PHP sends Status: header that
    ; is supported by Apache. When this option is set to 1 PHP will send
    ; RFC2616 compliant header.
    ; Default is zero.
    ;cgi.rfc2616_headers = 0


    ;;;;;;;;;;;;;;;;
    ; File Uploads ;
    ;;;;;;;;;;;;;;;;

    ; Whether to allow HTTP file uploads.
    file_uploads = On

    ; Temporary directory for HTTP uploaded files (will use system default if not
    ; specified).
    ;upload_tmp_dir =

    ; Maximum allowed size for uploaded files.
    upload_max_filesize = 2M


    ;;;;;;;;;;;;;;;;;;
    ; Fopen wrappers ;
    ;;;;;;;;;;;;;;;;;;

    ; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
    allow_url_fopen = On

    ; Define the anonymous ftp password (your email address)
    ;from="john@doe.com"

    ; Define the User-Agent string
    ; user_agent="PHP"

    ; Default timeout for socket based streams (seconds)
    default_socket_timeout = 60

    ; If your scripts have to deal with files from Macintosh systems,
    ; or you are running on a Mac and need to deal with files from
    ; unix or win32 systems, setting this flag will cause PHP to
    ; automatically detect the EOL character in those files so that
    ; fgets() and file() will work regardless of the source of the file.
    ; auto_detect_line_endings = Off


    ;;;;;;;;;;;;;;;;;;;;;;
    ; Dynamic Extensions ;
    ;;;;;;;;;;;;;;;;;;;;;;
    ;
    ; If you wish to have an extension loaded automatically, use the following
    ; syntax:
    ;
    ; extension=modulename.extension
    ;
    ; For example, on Windows:
    ;
    ; extension=msql.dll
    ;
    ; ... or under UNIX:
    ;
    ; extension=msql.so
    ;
    ; Note that it should be the name of the module only; no directory information
    ; needs to go here. Specify the location of the extension with the
    ; extension_dir directive above.


    ;Windows Extensions
    ;Note that ODBC support is built in, so no dll is needed for it.
    ;

    ;extension=php_bz2.dll
    ;extension=php_cpdf.dll
    ;extension=php_curl.dll
    ;extension=php_dba.dll
    ;extension=php_dbase.dll
    ;extension=php_dbx.dll
    ;extension=php_exif.dll
    ;extension=php_fdf.dll
    ;extension=php_filepro.dll
    ;extension=php_gd2.dll
    ;extension=php_gettext.dll
    ;extension=php_ifx.dll
    ;extension=php_iisfunc.dll
    ;extension=php_imap.dll
    ;extension=php_interbase.dll
    ;extension=php_java.dll
    ;extension=php_ldap.dll
    ;extension=php_mbstring.dll
    ;extension=php_mcrypt.dll
    ;extension=php_mhash.dll
    ;extension=php_mime_magic.dll
    ;extension=php_ming.dll
    ;extension=php_mssql.dll
    ;extension=php_msql.dll
    extension=php_mysql.dll
    ;extension=php_oci8.dll
    ;extension=php_openssl.dll
    ;extension=php_oracle.dll
    ;extension=php_pdf.dll
    ;extension=php_pgsql.dll
    ;extension=php_shmop.dll
    ;extension=php_snmp.dll
    ;extension=php_sockets.dll
    ;extension=php_sybase_ct.dll
    ;extension=php_tidy.dll
    ;extension=php_w32api.dll
    ;extension=php_xmlrpc.dll
    ;extension=php_xsl.dll
    ;extension=php_yaz.dll
    ;extension=php_zip.dll


    ;;;;;;;;;;;;;;;;;;;
    ; Module Settings ;
    ;;;;;;;;;;;;;;;;;;;

    [Syslog]
    ; Whether or not to define the various syslog variables (e.g. $LOG_PID,
    ; $LOG_CRON, etc.). Turning it off is a good idea performance-wise. In
    ; runtime, you can define these variables by calling define_syslog_variables().
    define_syslog_variables = Off

    [mail function]
    ; For Win32 only.
    SMTP = localhost
    smtp_port = 25

    ; For Win32 only.
    ;sendmail_from = me@example.com

    ; For Unix only. You may supply arguments as well (default: "sendmail -t -i").
    ;sendmail_path =

    ; Force the addition of the specified parameters to be passed as extra parameters
    ; to the sendmail binary. These parameters will always replace the value of
    ; the 5th parameter to mail(), even in safe mode.
    ;mail.force_extra_parameters =

    [SQL]
    sql.safe_mode = Off

    [ODBC]
    ;odbc.default_db = Not yet implemented
    ;odbc.default_user = Not yet implemented
    ;odbc.default_pw = Not yet implemented

    ; Allow or prevent persistent links.
    odbc.allow_persistent = On

    ; Check that a connection is still valid before reuse.
    odbc.check_persistent = On

    ; Maximum number of persistent links. -1 means no limit.
    odbc.max_persistent = -1

    ; Maximum number of links (persistent + non-persistent). -1 means no limit.
    odbc.max_links = -1

    ; Handling of LONG fields. Returns number of bytes to variables. 0 means
    ; passthru.
    odbc.defaultlrl = 4096

    ; Handling of binary data. 0 means passthru, 1 return as is, 2 convert to char.
    ; See the documentation on odbc_binmode and odbc_longreadlen for an explanation
    ; of uodbc.defaultlrl and uodbc.defaultbinmode
    odbc.defaultbinmode = 1

    [MySQL]
    ; Allow or prevent persistent links.
    mysql.allow_persistent = On

    ; Maximum number of persistent links. -1 means no limit.
    mysql.max_persistent = -1

    ; Maximum number of links (persistent + non-persistent). -1 means no limit.
    mysql.max_links = -1

    ; Default port number for mysql_connect(). If unset, mysql_connect() will use
    ; the $MYSQL_TCP_PORT or the mysql-tcp entry in /etc/services or the
    ; compile-time value defined MYSQL_PORT (in that order). Win32 will only look
    ; at MYSQL_PORT.
    mysql.default_port =

    ; Default socket name for local MySQL connects. If empty, uses the built-in
    ; MySQL defaults.
    mysql.default_socket =

    ; Default host for mysql_connect() (doesn't apply in safe mode).
    mysql.default_host =

    ; Default user for mysql_connect() (doesn't apply in safe mode).
    mysql.default_user =

    ; Default password for mysql_connect() (doesn't apply in safe mode).
    ; Note that this is generally a *bad* idea to store passwords in this file.
    ; *Any* user with PHP access can run 'echo get_cfg_var("mysql.default_password")
    ; and reveal this password! And of course, any users with read access to this
    ; file will be able to reveal the password as well.
    mysql.default_password =

    ; Maximum time (in seconds) for connect timeout. -1 means no limit
    mysql.connect_timeout = 60

    ; Trace mode. When trace_mode is active (=On), warnings for table/index scans and
    ; SQL-Errors will be displayed.
    mysql.trace_mode = Off

    [MySQLI]

    ; Maximum number of links. -1 means no limit.
    mysqli.max_links = -1

    ; Default port number for mysqli_connect(). If unset, mysqli_connect() will use
    ; the $MYSQL_TCP_PORT or the mysql-tcp entry in /etc/services or the
    ; compile-time value defined MYSQL_PORT (in that order). Win32 will only look
    ; at MYSQL_PORT.
    mysqli.default_port = 3306

    ; Default socket name for local MySQL connects. If empty, uses the built-in
    ; MySQL defaults.
    mysqli.default_socket =

    ; Default host for mysql_connect() (doesn't apply in safe mode).
    mysqli.default_host =

    ; Default user for mysql_connect() (doesn't apply in safe mode).
    mysqli.default_user =

    ; Default password for mysqli_connect() (doesn't apply in safe mode).
    ; Note that this is generally a *bad* idea to store passwords in this file.
    ; *Any* user with PHP access can run 'echo get_cfg_var("mysqli.default_password")
    ; and reveal this password! And of course, any users with read access to this
    ; file will be able to reveal the password as well.
    mysqli.default_password =

    ; Allow or prevent reconnect
    mysqli.reconnect = Off

    [mSQL]
    ; Allow or prevent persistent links.
    msql.allow_persistent = On

    ; Maximum number of persistent links. -1 means no limit.
    msql.max_persistent = -1

    ; Maximum number of links (persistent+non persistent). -1 means no limit.
    msql.max_links = -1

    [PostgresSQL]
    ; Allow or prevent persistent links.
    pgsql.allow_persistent = On

    ; Detect broken persistent links always with pg_pconnect().
    ; Auto reset feature requires a little overheads.
    pgsql.auto_reset_persistent = Off

    ; Maximum number of persistent links. -1 means no limit.
    pgsql.max_persistent = -1

    ; Maximum number of links (persistent+non persistent). -1 means no limit.
    pgsql.max_links = -1

    ; Ignore PostgreSQL backend Notice messages or not.
    ; Notice message logging requires a little overhead.
    pgsql.ignore_notice = 0

    ; Log PostgreSQL backend Notice messages or not.
    ; Unless pgsql.ignore_notice=0, module cannot log notice message.
    pgsql.log_notice = 0

    [Sybase]
    ; Allow or prevent persistent links.
    sybase.allow_persistent = On

    ; Maximum number of persistent links. -1 means no limit.
    sybase.max_persistent = -1

    ; Maximum number of links (persistent + non-persistent). -1 means no limit.
    sybase.max_links = -1

    ;sybase.interface_file = "/usr/sybase/interfaces"

    ; Minimum error severity to display.
    sybase.min_error_severity = 10

    ; Minimum message severity to display.
    sybase.min_message_severity = 10

    ; Compatibility mode with old versions of PHP 3.0.
    ; If on, this will cause PHP to automatically assign types to results according
    ; to their Sybase type, instead of treating them all as strings. This
    ; compatibility mode will probably not stay around forever, so try applying
    ; whatever necessary changes to your code, and turn it off.
    sybase.compatability_mode = Off

    [Sybase-CT]
    ; Allow or prevent persistent links.
    sybct.allow_persistent = On

    ; Maximum number of persistent links. -1 means no limit.
    sybct.max_persistent = -1

    ; Maximum number of links (persistent + non-persistent). -1 means no limit.
    sybct.max_links = -1

    ; Minimum server message severity to display.
    sybct.min_server_severity = 10

    ; Minimum client message severity to display.
    sybct.min_client_severity = 10

    [dbx]
    ; returned column names can be converted for compatibility reasons
    ; possible values for dbx.colnames_case are
    ; "unchanged" (default, if not set)
    ; "lowercase"
    ; "uppercase"
    ; the recommended default is either upper- or lowercase, but
    ; unchanged is currently set for backwards compatibility
    dbx.colnames_case = "lowercase"

    [bcmath]
    ; Number of decimal digits for all bcmath functions.
    bcmath.scale = 0

    [browscap]
    ;browscap = extra/browscap.ini

    [Informix]
    ; Default host for ifx_connect() (doesn't apply in safe mode).
    ifx.default_host =

    ; Default user for ifx_connect() (doesn't apply in safe mode).
    ifx.default_user =

    ; Default password for ifx_connect() (doesn't apply in safe mode).
    ifx.default_password =

    ; Allow or prevent persistent links.
    ifx.allow_persistent = On

    ; Maximum number of persistent links. -1 means no limit.
    ifx.max_persistent = -1

    ; Maximum number of links (persistent + non-persistent). -1 means no limit.
    ifx.max_links = -1

    ; If on, select statements return the contents of a text blob instead of its id.
    ifx.textasvarchar = 0

    ; If on, select statements return the contents of a byte blob instead of its id.
    ifx.byteasvarchar = 0

    ; Trailing blanks are stripped from fixed-length char columns. May help the
    ; life of Informix SE users.
    ifx.charasvarchar = 0

    ; If on, the contents of text and byte blobs are dumped to a file instead of
    ; keeping them in memory.
    ifx.blobinfile = 0

    ; NULL's are returned as empty strings, unless this is set to 1. In that case,
    ; NULL's are returned as string 'NULL'.
    ifx.nullformat = 0

    [Session]
    ; Handler used to store/retrieve data.
    session.save_handler = files

    ; Argument passed to save_handler. In the case of files, this is the path
    ; where data files are stored. Note: Windows users have to change this
    ; variable in order to use PHP's session functions.
    ;
    ; As of PHP 4.0.1, you can define the path as:
    ;
    ; session.save_path = "N;/path"
    ;
    ; where N is an integer. Instead of storing all the session files in
    ; /path, what this will do is use subdirectories N-levels deep, and
    ; store the session data in those directories. This is useful if you
    ; or your OS have problems with lots of files in one directory, and is
    ; a more efficient layout for servers that handle lots of sessions.
    ;
    ; NOTE 1: PHP will not create this directory structure automatically.
    ; You can use the script in the ext/session dir for that purpose.
    ; NOTE 2: See the section on garbage collection below if you choose to
    ; use subdirectories for session storage
    ;
    ; The file storage module creates files using mode 600 by default.
    ; You can change that by using
    ;
    ; session.save_path = "N;MODE;/path"
    ;
    ; where MODE is the octal representation of the mode. Note that this
    ; does not overwrite the process's umask.
    ;session.save_path = "/tmp"

    ; Whether to use cookies.
    session.use_cookies = 1

    ; This option enables administrators to make their users invulnerable to
    ; attacks which involve passing session ids in URLs; defaults to 0.
    ; session.use_only_cookies = 1

    ; Name of the session (used as cookie name).
    session.name = PHPSESSID

    ; Initialize session on request startup.
    session.auto_start = 0

    ; Lifetime in seconds of cookie or, if 0, until browser is restarted.
    session.cookie_lifetime = 0

    ; The path for which the cookie is valid.
    session.cookie_path = /

    ; The domain for which the cookie is valid.
    session.cookie_domain =

    ; Handler used to serialize data. php is the standard serializer of PHP.
    session.serialize_handler = php

    ; Define the probability that the 'garbage collection' process is started
    ; on every session initialization.
    ; The probability is calculated by using gc_probability/gc_divisor,
    ; e.g. 1/100 means there is a 1% chance that the GC process starts
    ; on each request.

    session.gc_probability = 1
    session.gc_divisor = 1000

    ; After this number of seconds, stored data will be seen as 'garbage' and
    ; cleaned up by the garbage collection process.
    session.gc_maxlifetime = 1440

    ; NOTE: If you are using the subdirectory option for storing session files
    ; (see session.save_path above), then garbage collection does *not*
    ; happen automatically. You will need to do your own garbage
    ; collection through a shell script, cron entry, or some other method.
    ; For example, the following script is the equivalent of
    ; setting session.gc_maxlifetime to 1440 (1440 seconds = 24 minutes):
    ; cd /path/to/sessions; find -cmin +24 | xargs rm

    ; PHP 4.2 and less have an undocumented feature/bug that allows you
    ; to initialize a session variable in the global scope, albeit register_globals
    ; is disabled. PHP 4.3 and later will warn you, if this feature is used.
    ; You can disable the feature and the warning separately. At this time,
    ; the warning is only displayed, if bug_compat_42 is enabled.

    session.bug_compat_42 = 0
    session.bug_compat_warn = 1

    ; Check HTTP Referer to invalidate externally stored URLs containing ids.
    ; HTTP_REFERER has to contain this substring for the session to be
    ; considered as valid.
    session.referer_check =

    ; How many bytes to read from the file.
    session.entropy_length = 0

    ; Specified here to create the session id.
    session.entropy_file =

    ;session.entropy_length = 16

    ;session.entropy_file = /dev/urandom

    ; Set to {nocache,private,public,} to determine HTTP caching aspects
    ; or leave this empty to avoid sending anti-caching headers.
    session.cache_limiter = nocache

    ; Document expires after n minutes.
    session.cache_expire = 180

    ; trans sid support is disabled by default.
    ; Use of trans sid may risk your users' security.
    ; Use this option with caution.
    ; - A user may send a URL that contains an active session ID
    ; to another person via email/irc/etc.
    ; - A URL that contains an active session ID may be stored
    ; on a publicly accessible computer.
    ; - A user may access your site with the same session ID
    ; always using a URL stored in the browser's history or bookmarks.
    session.use_trans_sid = 0

    ; Select a hash function
    ; 0: MD5 (128 bits)
    ; 1: SHA-1 (160 bits)
    session.hash_function = 0

    ; Define how many bits are stored in each character when converting
    ; the binary hash data to something readable.
    ;
    ; 4 bits: 0-9, a-f
    ; 5 bits: 0-9, a-v
    ; 6 bits: 0-9, a-z, A-Z, "-", ","
    session.hash_bits_per_character = 5

    ; The URL rewriter will look for URLs in a defined set of HTML tags.
    ; form/fieldset are special; if you include them here, the rewriter will
    ; add a hidden field with the info which is otherwise appended
    ; to URLs. If you want XHTML conformity, remove the form entry.
    ; Note that all valid entries require a "=", even if no value follows.
    url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"

    [MSSQL]
    ; Allow or prevent persistent links.
    mssql.allow_persistent = On

    ; Maximum number of persistent links. -1 means no limit.
    mssql.max_persistent = -1

    ; Maximum number of links (persistent+non persistent). -1 means no limit.
    mssql.max_links = -1

    ; Minimum error severity to display.
    mssql.min_error_severity = 10

    ; Minimum message severity to display.
    mssql.min_message_severity = 10

    ; Compatibility mode with old versions of PHP 3.0.
    mssql.compatability_mode = Off

    ; Connect timeout
    ;mssql.connect_timeout = 5

    ; Query timeout
    ;mssql.timeout = 60

    ; Valid range 0 - 2147483647. Default = 4096.
    ;mssql.textlimit = 4096

    ; Valid range 0 - 2147483647. Default = 4096.
    ;mssql.textsize = 4096

    ; Limits the number of records in each batch. 0 = all records in one batch.
    ;mssql.batchsize = 0

    ; Specify how datetime and datetim4 columns are returned
    ; On => Returns data converted to SQL server settings
    ; Off => Returns values as YYYY-MM-DD hh:mm:ss
    ;mssql.datetimeconvert = On

    ; Use NT authentication when connecting to the server
    mssql.secure_connection = Off

    ; Specify max number of processes. Default = 25
    ;mssql.max_procs = 25

    [Assertion]
    ; Assert(expr); active by default.
    ;assert.active = On

    ; Issue a PHP warning for each failed assertion.
    ;assert.warning = On

    ; Don't bail out by default.
    ;assert.bail = Off

    ; User-function to be called if an assertion fails.
    ;assert.callback = 0

    ; Eval the expression with current error_reporting(). Set to true if you want
    ; error_reporting(0) around the eval().
    ;assert.quiet_eval = 0

    [Ingres II]
    ; Allow or prevent persistent links.
    ingres.allow_persistent = On

    ; Maximum number of persistent links. -1 means no limit.
    ingres.max_persistent = -1

    ; Maximum number of links, including persistents. -1 means no limit.
    ingres.max_links = -1

    ; Default database (format: [node_id::]dbname[/srv_class]).
    ingres.default_database =

    ; Default user.
    ingres.default_user =

    ; Default password.
    ingres.default_password =

    [Verisign Payflow Pro]
    ; Default Payflow Pro server.
    pfpro.defaulthost = "test-payflow.verisign.com"

    ; Default port to connect to.
    pfpro.defaultport = 443

    ; Default timeout in seconds.
    pfpro.defaulttimeout = 30

    ; Default proxy IP address (if required).
    ;pfpro.proxyaddress =

    ; Default proxy port.
    ;pfpro.proxyport =

    ; Default proxy logon.
    ;pfpro.proxylogon =

    ; Default proxy password.
    ;pfpro.proxypassword =

    [com]
    ; path to a file containing GUIDs, IIDs or filenames of files with TypeLibs
    ;com.typelib_file =
    ; allow Distributed-COM calls
    ;com.allow_dcom = true
    ; autoregister constants of a component's typelib on com_load()
    ;com.autoregister_typelib = true
    ; register constants casesensitive
    ;com.autoregister_casesensitive = false
    ; show warnings on duplicate constant registrations
    ;com.autoregister_verbose = true

    [mbstring]
    ; language for internal character representation.
    ;mbstring.language = Japanese

    ; internal/script encoding.
    ; Some encoding cannot work as internal encoding.
    ; (e.g. SJIS, BIG5, ISO-2022-*)
    ;mbstring.internal_encoding = EUC-JP

    ; http input encoding.
    ;mbstring.http_input = auto

    ; http output encoding. mb_output_handler must be
    ; registered as output buffer to function
    ;mbstring.http_output = SJIS

    ; enable automatic encoding translation according to
    ; mbstring.internal_encoding setting. Input chars are
    ; converted to internal encoding by setting this to On.
    ; Note: Do _not_ use automatic encoding translation for
    ; portable libs/applications.
    ;mbstring.encoding_translation = Off

    ; automatic encoding detection order.
    ; auto means
    ;mbstring.detect_order = auto

    ; substitute_character used when character cannot be converted
    ; one from another
    ;mbstring.substitute_character = none;

    ; overload(replace) single byte functions by mbstring functions.
    ; mail(), ereg(), etc are overloaded by mb_send_mail(), mb_ereg(),
    ; etc. Possible values are 0,1,2,4 or combination of them.
    ; For example, 7 for overload everything.
    ; 0: No overload
    ; 1: Overload mail() function
    ; 2: Overload str*() functions
    ; 4: Overload ereg*() functions
    ;mbstring.func_overload = 0

    [FrontBase]
    ;fbsql.allow_persistent = On
    ;fbsql.autocommit = On
    ;fbsql.default_database =
    ;fbsql.default_database_password =
    ;fbsql.default_host =
    ;fbsql.default_password =
    ;fbsql.default_user = "_SYSTEM"
    ;fbsql.generate_warnings = Off
    ;fbsql.max_connections = 128
    ;fbsql.max_links = 128
    ;fbsql.max_persistent = -1
    ;fbsql.max_results = 128
    ;fbsql.batchSize = 1000

    [exif]
    ; Exif UNICODE user comments are handled as UCS-2BE/UCS-2LE and JIS as JIS.
    ; With mbstring support this will automatically be converted into the encoding
    ; given by corresponding encode setting. When empty mbstring.internal_encoding
    ; is used. For the decode settings you can distinguish between motorola and
    ; intel byte order. A decode setting cannot be empty.
    ;exif.encode_unicode = ISO-8859-15
    ;exif.decode_unicode_motorola = UCS-2BE
    ;exif.decode_unicode_intel = UCS-2LE
    ;exif.encode_jis =
    ;exif.decode_jis_motorola = JIS

    Source: http://community.livejournal.com/php_dev/58220.html

  11. This thing ROCKS!

    Date: 11/18/05 (SQL Server)    Keywords: database, sql, security, google

    http://www.sqledit.com/dg/


    Yesterday after lunch, I got one of those famous, hurried "critical" requests to export some data to a vendor for an important project. Someone from our Stock Administration team insisted on meeting with me to give me a USB drive to get the database image. Apparently, they needed someone to import the data on our system, then export it in a format requested by the vendor in order to test and configure a new offering for us.

    I was already irritated that yet another team had failed to document and obtain resources for their data requirements, therefore making an emergency for me that very important people would hear about if I didn't follow through. I did what I always do, I said I'd look at it and see what could be done. Oh man...you know what I saw? This dude had been walking around all over the place with this little flash drive in his pocket with stock administration data for EVERYONE IN OUR COMPANY. This data included Social Security Numbers, Birthdays, Names, Addresses, Salaries, and Stock Options. AND he wanted me to just send it off to some company to play around with. I was pretty mad, especially when he had his manager call me to complain.

    I explained that this was in violation of our SOX commitments and that the data would have to be at the very least cleansed before it was sent out. I also mentioned that I didn't particularly want my SSN sent to parts unknown for a proof-of-concept project. After that I found a kind way of mentioning that carrying around sensitive data in an unsecure format is grounds for termination. Then his manager called the CIO. All the better, at least the CIO understands INFORMATION and the protection thereof!

    I didn't have a clue how to cleanse data, but it had to get done fast, so I did a Google search for tools, and I found this little gem. The DTM Data Generator contained a robust set of tools for analyzing the SQL tables field by field, while retaining the referential integrity. It's very versatile. I'm definitely going to use this again. I think I might finally generate those mean sets of data for our QA team to test against. This tool rocks.

    Source: http://community.livejournal.com/sqlserver/37213.html

  12. help!! annoying security prompts

    Date: 01/06/06 (Computer Help)    Keywords: html, security, ebay

    I run: windows 98 SE, IE 6.0

    For some reason, just today, when I log into sites, I can't STAY logged in, and I get annoying security certificate prompts every time I go to ebay and gmail ..

    I can't access the 'standard' view of gmail, and the 'html' version of gmail won't let me delete messages.

    I looked in my internet options >> advanced tab, and 'warn about invalid site certificates' is UNCHECKED, (I never had it checked in the first place, nor did I change any security settings to make it this way, so I have no idea what is going on.)

    I cleared ALL cookies, my cache, my temp internet files, ran hijackthis, and spybot, and nothing showed any problems or fixed anything.

    wtf is going on?

    Thanks a lot for your help.

    Source: http://community.livejournal.com/computer_help/561595.html

  13. Secure Online storage - read/write access for set user group

    Date: 06/22/05 (Software)    Keywords: php, mysql, sql, security, web, linux, yahoo

    I have a group of users (100 or so) that need read/write access to a document (excel) of sensitive information. Since they are all over the place, they requested a web application to be able to access from anywhere whenever they need to modify or look at this document. I'm trying to figure out what is the best way to provide a secure way to only allow these specific users to access this document.
    Ideas have included:

    Plone - complex, looking for simplicity
    phpBB - requires me to set up a MySQL Linux box somewhere, which might be possible
    Yahoo groups - not very secure but basically what I want

    Any other ideas? Security of this information is the biggest priority. I currently have both Linux/Windows available to host.

    Source: http://community.livejournal.com/software/54525.html

  14. paypal/ebay scam

    Date: 01/13/06 (Computer Geeks)    Keywords: asp, security, ebay

    So here is the deal. I was selling this laptop on ebay. Retails about $850. So I get an email in ebay from this guy saying he needs it right away and it's for his son, blah blah blah. I will pay you $4,000 if you can ship it to me right away and if we can do the transaction through western union. So here are the emails. Just be careful, I am very security minded and almost fell for it. If it wasn't for my distrust in most things, I wouldn't have called western union and found out it was fake.


    From: "ade taiwo"

    To: lordsaibat

    Date: 11 Jan 2006, 05:55:09 AM
    Subject: Congratulations Your Payment Is In Progress !!!


    --------------------------------------------------------------------------------

    Dear Seller,

    This is to inform you that your payment has been made and is currently under
    processing, I am very sure you are in receipt of the notification of my payment
    from Western Union.

    Anyway, I want the package to be shipped out as soon as you received the
    approval of your money order from Western Union so that my Son can be able
    meet up with the need for this package .

    Kindly get back to me with the shipment tracking number immediately you
    shipped my package.

    I WANT THIS PACKAGE TO BE SHIPPED AS SOON AS THE PAYMENT APPROVED FROM Western
    Union AND SHIPPED IT THROUGH Global Express mail 3-5days USPS POST ONLY PLS.

    I will be looking forward to hearing from you soonest because the Package is
    urgently needed.

    Regards,
    Ade

    --
    _______________________________________________
    Get your free email from http://fastermail.com


    From: "Western Union Transfer"

    To: lordsaibat@gawab.com

    Date: 11 Jan 2006, 05:54:36 AM
    Subject: MONEY ORDER PENDING (7650980937)***DO NOT REPLY***


    --------------------------------------------------------------------------------

    ==========================================================================================================
    ==========================================================================================================
    THIS IS AN AUTOMATED MESSAGE, PLEASE DO NOT REPLY
    ==========================================================================================================
    ==========================================================================================================
    *AUCTION PAYMENT NOTIFICATION*

    Western Union ® Order Number: 7650980937

    Dear Tobias Mccurry,

    This is to notify you that Western Union® Accounts Payments has
    received an order placed by Mr.Ade Tawio, of your auction item to
    have a Western Union® branded Money OrderSM sent to you as
    payment for the auction item. The order is currently being processed.

    The details of the transaction are stated below:
    ----------------------------------------------------------------------------------------------------
    *AUCTION DETAILS*
    AUCTION SITE : Ebay Inc.
    AUCTION ITEM : HP PAVILION Laptop
    ----------------------------------------------------------------------------------------------------
    *FINANCIAL DETAILS*
    ----------------------------------------
    AUCTION AMOUNT : $ 3,800.00
    SHIPPING AMOUNT : $ 200.00
    ----------------------------------------
    TOTAL : $ 4,000.00
    ----------------------------------------
    Once the order is processed successfully, you will receive another
    email from Western Union ® informing you that the money order has been
    approved.The Money OrderSM will be delivered to the address below,
    Please verify that the name and address (As entered by the buyer)are
    correct:
    -------------------------------------------------------------------------------------------------------
    NAME : Tobias Mccurry
    ADDRESS : 7101 C Mcnickle
    CITY : TAFB
    STATE : Ok
    POST CODE : 73145
    COUNTRY : USA
    EMAIL : lordsaibat@gawab.com
    -------------------------------------------------------------------------------------------------------
    Seller Should Not ship until you recieve another email
    informing you that your money order has been APPROVED, also seller
    must ship the item upon receipt of the confirmation email that your
    money order has been APPROVED in other not to delay your money
    order from being shipped to the designated address provided by the
    buyer.

    Seller must ship the item to the buyer when the money order has been
    approved and send the tracking number to our agent email
    address:(helpdesks@consultant.com) DO NOT forget to include
    Order number,your full name and address.
    --------------------------------------------------------------------------------------------------------
    PLEASE NOTE: This is only a notification informing you that the
    buyer Has made payment to Western Union®, The payment is currently being
    processed and is regarded as PENDING as it is still subject to APPROVAL
    after being successfully processed.Western Union® hereby advises
    you NOT to ship the item until you have received another message from
    Western Union® stating that, the order has been APPROVED.Please
    exercise some patience as the process usually approved within 1 to 24 hours.
    --------------------------------------------------------------------------------------------------------
    Thank you for using Western Union® Accounts Payments. We look
    forward to serving your online auction payment needs better in the
    future.

    Western Union Team,
    Accounts Payments.

    =============================================================================================================
    THIS IS AN AUTOMATED MESSAGE, PLEASE DO NOT REPLY
    =============================================================================================================


    From: "Western Union Transfer"

    To: lordsaibat@gawab.com

    Date: 11 Jan 2006, 01:09:31 PM
    Subject: MONEY ORDER HAS BEEN APPROVED***(7650980937)***DO NOT REPLY


    --------------------------------------------------------------------------------

    ==========================================================================================================
    ==========================================================================================================
    THIS IS AN AUTOMATED MESSAGE, PLEASE DO NOT REPLY
    ==========================================================================================================
    ==========================================================================================================
    *AUCTION PAYMENT NOTIFICATION*

    Western Union® Order Number: 7650980937


    Dear Tobias Mccurry,


    Congratulations! The order placed by Mr.Ade Tawio, of your auction
    item to have a Western Union Accounts® branded Money OrderSM
    sent to you as payment for the item has been successfully processed
    and has consequently been APPROVED. The financial details of the
    transaction are stated below:
    ---------------------------------------------------------------------------------------
    *FINANCIAL DETAILS*
    ----------------------------------------
    AUCTION AMOUNT : $ 3,800.00
    SHIPPING AMOUNT : $ 200.00
    ----------------------------------------
    TOTAL : $ 4,000.00
    ----------------------------------------
    --------------------------------------------------------------------
    ***PLEASE NOTE***
    The Money OrderSM will be delivered to the address below, Please verify
    if the name and address (As entered by the buyer)are correct:
    -----------------------------------------------------------------------------------------------------------------------------
    NAME : Tobias Mccurry
    ADDRESS : 7101 C Mcnickle
    CITY : TAFB
    STATE : Ok
    POST CODE : 73145
    COUNTRY : USA
    EMAIL : lordsaibat@gawab.com
    -----------------------------------------------------------------------------------------------------------------------------
    ***ATTENTION**
    The order has been APPROVED, you CAN NOW ship the Item to the buyer
    shipping address. You are expected to make the shipment within 48 hours
    of receiving this Payment Approval Notification.
    This is the buyer shipping information:
    -----------------------------------------------------------------------------------------------------------------------------
    Name : Mr. Ade Tawio
    Address : 40 queen cinema street
    City : IBADAN
    State : OYO STATE
    Zip : 20001
    Country : NIGERIA
    -----------------------------------------------------------------------------------------------------------------------------
    If the buyer has requested that the item be sent to any address other
    than the one provided above, please ship the item OUT and notify us
    immediately. Go to http://www.Westernunion.com
    Be sure to include the Western Union Accounts Payments order number and the
    change of address the buyer has requested. Also, include the change of
    address as the subject of your mail.
    -----------------------------------------------------------------------------------------------------------------------------
    ***PLEASE NOTE***
    The Money OrderSM will NOT be dispatched until shipment has been
    verified. This measure is taken in order to protect both seller and
    buyer interests and to reduce the occurrence of fraudulent activities.
    -----------------------------------------------------------------------------------------------------------------------------
    *SHIPMENT VERIFICATION*
    You can have the shipment confirmed/verified in any of the following
    ways:

    1. Shipment should be made to the buyer and the TRACKING NUMBER of the
    shipment should be sent to our agent email address :
    helpdesks@consultant.com
    Once the verification of shipment is confirmed, you will be notified
    and your money order will be shipped out to your designated address
    immediately.

    2. Your money order will be delayed until you send the SHIPMENT
    TRACKING NUMBER of the item been shipped to our agent as a Confirmation.

    3. Your money order will be shipped out immediately you send the
    shipment notification to our agent.
    PLEASE ON NO ACCOUNT MUST YOU ALLOW THE BUYER GAIN ACCESS TO THIS MAIL.

    Thanks for using Western Union. Looking forward to serve your
    future Online needs.

    Western Union Team,
    Accounts Payments.

    =============================================================================================================
    THIS IS AN AUTOMATED MESSAGE, PLEASE DO NOT REPLY
    =============================================================================================================

    Source: http://community.livejournal.com/computergeeks/859697.html

  15. PHP shell access question

    Date: 01/19/06 (PHP Community)    Keywords: php, mysql, sql, security

    Hello all,

    I am working on a project to create highly customizable live CDs mainly for my personal use and for friends to try different OSs. At the moment I have several shell scripts that I am looking at converting over to PHP if possible. The bulk of it I know can be ported easily enough, but I have never attempted to call other programs besides MySQL in PHP, so I am not quite sure if it is feasible. The server will be located all in-house with no outside access until I can be sure of the security implications involved in the procedure and lower the risks. Can I access other programs through PHP, specifically can I run "/usr/local/bin/mkisofs -b boot/cdboot -no-emul-boot -c boot/boot.catalog -r -l -L -V LiveCD -o $LIVEISODIR/LiveCD.iso ." and get the intended result? Any thoughts would be appreciated.

    Source: http://community.livejournal.com/php/398676.html

  16. $_REQUEST, $_POST, $_GET

    Date: 01/17/06 (PHP Community)    Keywords: security

    Greetings.

    I've been using $_REQUEST for a few years now instead of $_GET or $_POST. I have yet to find any sort of decent reasoning as to why we should be using one or the other.

    Are there any potential security benefits or risks with using $_REQUEST instead?

    Source: http://community.livejournal.com/php/396705.html

  17. php frameworks and such

    Date: 01/09/06 (PHP Community)    Keywords: cms, php, html, database, security, web

    Hey all,

    I know there's been a couple posts about this recently, so if I'm asking redundant questions, sorry.

    A friend of mine has come up with a pretty novel idea for a MySpace-ish site, but for a specific niche market (kind of like those CatSpace and DogSpaces that exist) - users will have profiles, photos, a blog, message boards, send friend requests, yadda yadda yadda, you've seen it all before. I'm going to be developing the initial setup myself (since we have no money), and this is a somewhat long term project that I'll be picking at casually for a little while.

    Right now I'm trying to figure out if I should give this a go coding from scratch, or use an existing CMS type solution (like Mambo, Joomla, Drupal, etc). I'd really like to code it myself, as I think it could be a fun project to work on. I'm a pretty solid PHP programmer, but as I have a feeling that this idea could jump in popularity pretty quick, I really want to make sure I keep this thing as efficient as possible for a large user base. For instance, I don't want to go making another MySpace which I think runs horribly as a web app compared to even LiveJournal.

    Currently I use PEAR's DB_DataObject for my database interactions and I've just gotten into Smarty for templating, though I'm sure I'm not using either to their fullest potential. I saw mention of a couple of development environments and frameworks in someone's recent post looking for a visual studio-esque PHP environment - http://www.livejournal.com/community/php/388602.html but I've never used any of these.

    I'm not really concerned here with using a "rapid development" framework - I don't mind coding, I like it - but what I'm really concerned with is stability, efficiency and security - I know of course that these also rely heavily on how well I code, and using a good coding environment or framework won't do the coding for me, but there have to be some tools/frameworks/etc out there that pros are using that I just haven't moved onto yet, and I wanted to see what you guys (and gals) are using on some of your bigger projects.


    - I know this comes up a bunch, but does anyone else think it would be handy at all for us as a community to maybe organize some of the more useful threads and frequently asked (and answered) questions in the php community at a separate location? Doing just a search on the community doesn't necessarily give you anything about the quality of the responses, and it may even be nice to be able to 'browse' solutions/posts by categories or something; maybe we could have some sort of quality ranking on posts, or some way to identify posts that contain questions that get asked all the time. I don't think this would be too tricky to put together, and I'd be willing to work on it, but I don't know if anyone would even use it?

    Source: http://community.livejournal.com/php/392457.html

  18. most images, thumbnails, placeholders not loading

    Date: 01/11/06 (Mozilla)    Keywords: java, security, web

    After switching to FF 1.5, I am facing these annoying problems.

    1) Most times when I load web pages, most placeholders like image links, thumbs, even smaller icons etc. simply don't load. All are blank. Reloading doesn't really help much; still many places are blank. It's a big annoyance seeing blanks even after successive reloads.
    When only the image resource is loaded, that single thing loads perfectly.
    Bloody flash objects and ads all load; images and thumbnails don't.

    2) Not a big annoyance, but still some pages fail, giving the error message
    'unable load could not connect'.. When I reload it the problem is solved. It's an annoyance at times to keep reloading.

    Regarding the first problem: I use a laptop, and on it all pages load perfectly with IE. Also both IE and FF work perfectly on a desktop (same connection). So it should not be a problem with the connection.

    Also I tried as another user, another profile, a completely new profile, all these with no extensions; the same problem persists there also. So it's not because of extensions either.

    Info: options->contents-> all image settings are correct with no filters. JavaScript and Java enabled.

    I run Windows XP (with all latest security).

    Can anybody help? It's a big, big nuisance.

    Thanks in advance

    Cross-posted to firefoxusers

    Source: http://community.livejournal.com/mozilla/347293.html

  19. Is it just me ...

    Date: 12/10/05 (Mozilla)    Keywords: java, security

    .. or has anyone else who upgraded to Firefox 1.5 last week found it buggy and bloated?

    It crashes every once in a while (not related to the recent security hole) and Java 5.0 is really bad. I installed it and it makes my computer unresponsive, requiring a reboot sometimes. Firefox will make my computer unresponsive to a ctrl+alt+del for 2-3 minutes until it's closed if I leave my computer on all night. Normally when a process in Windows 2000 is using 100% of the CPU it should at least remain responsive.


    I hope some bug fixes come soon. It's that or my registry is corrupt perhaps? Anyone else have the same problems?

    Source: http://community.livejournal.com/mozilla/341918.html

  20. New Firefox/Mozilla Security Vulnerability

    Date: 12/08/05 (Mozilla)    Keywords: browser, asp, java, security, virus, linux

    News of a new security vulnerability has been posted for Firefox 1.5 (my own testing confirms it also affects Firefox 1.0.7, Mozilla 1.7.12, and Camino 1.0b1) that allows for Denial of Service or potentially arbitrary code execution. It has to do with a buffer overflow in the parsing of history.dat, which stores browser history.

    Basically, if you visit a malicious site using this vulnerability, the next time you try to start Firefox it will run the malicious code, which could be as minor as causing Firefox not to work (such as the Proof of Concept) or as serious as executing arbitrary code (i.e. it could install a virus or other malware). Fortunately, there is a simple workaround: just set Firefox to keep browser history for 0 (zero) days, essentially setting it not to keep history, and then restart Firefox to make the change take effect. Note that disabling JavaScript DOES NOT mitigate this vulnerability; only disabling browser history does, since that prevents the creation of history.dat. Also note that the malicious code would run each time you attempt to start Firefox, until you delete history.dat from your profile folder.

    I don't believe Mozilla has announced anything about this yet, but proof of concept code is available, and I confirmed with my own testing that it works as I described on both Mac OS X and Windows, using both Firefox 1.5 and Firefox 1.0.7, meaning that all versions are probably affected (or at least all recent versions).

    Here are the steps to mitigate this vulnerability until a patch is released (for Firefox 1.5):

    1. Open Firefox Options (Tools->Options on Windows) or Preferences (Edit->Preferences on Linux, Firefox->Preferences on Mac OS X).
    2. Choose "Privacy" from the top button bar, and choose the "History" tab.
    3. Set "Remember visited pages for the last ____ days." to 0 (zero).
    4. On Windows, click OK to close the Options window. On Linux or Mac, simply close the Preferences window.
    5. Restart Firefox to make sure the setting takes effect.

    The same steps apply to Firefox 1.0.x, it's just that the options/preferences window is different. Basically, for step 2 the "Privacy" button is on the left side button bar, and history is the top section on that pane.

    More details for the technically minded...

    X-posted to mozilla

    Update 1: My own testing confirms that other Mozilla-based browsers are affected by this vulnerability as well, including Mozilla Suite and Camino. I've also confirmed that this can be exploited without JavaScript (which I already suspected), and it has the same effect as the original PoC. All users of Gecko-based browsers should disable browser history.

    Also, Secunia has released an advisory on the issue, but they only mention the DoS aspect, not the possibility of code execution that the original researchers claim is possible. While I can't confirm myself whether or not that is true, it is still certainly a nuisance to have Firefox become unusable, so you should all still protect yourselves.

    Update 2: Mozilla has released a statement, claiming that the flaw only causes Firefox and Mozilla to hang for a long time when starting, but that they eventually do start. They also say that they don't think code execution is possible, since the original researchers present no proof of it other than claiming it's possible. Though they don't state it, it doesn't sound like they're planning to release a patch anytime soon...

    Also, testing confirms that this affects Linux, though depending on the distribution it seems to affect it differently. For example, on Gentoo using the twm window manager, accessing the test case caused the window manager to completely lock up, and then after restarting Firefox wouldn't work. On Fedora Core 4, however, after restarting Gnome (which locked up for me similarly to twm) Firefox did seem to keep working normally. Perhaps the fact that the window managers are locking up is a sign that they can't handle extremely long window titles...

    Source: http://community.livejournal.com/mozilla/341566.html
