From elharo at metalab.unc.edu  Sun Sep  2 08:02:42 2007
From: elharo at metalab.unc.edu (Elliotte Harold)
Date: Sun, 02 Sep 2007 08:02:42 -0400
Subject: [nycphp-talk] Minimal overhead
Message-ID: <46DAA662.6050404@metalab.unc.edu>

Suppose I don't want it to be so obvious that I'm using PHP on a site, 
Or that I just want the freedom to not always use PHP in a given 
document. Thus I decide to configure Apache to treat all .html files as 
PHP files.

How much overhead does this add for the common case when a file only 
contains static data, no PHP? Would I notice the hit?

-- 
Elliotte Rusty Harold  elharo at metalab.unc.edu
Java I/O 2nd Edition Just Published!
http://www.cafeaulait.org/books/javaio2/
http://www.amazon.com/exec/obidos/ISBN=0596527500/ref=nosim/cafeaulaitA/


From paul at devonianfarm.com  Sun Sep  2 08:55:15 2007
From: paul at devonianfarm.com (Paul Houle)
Date: Sun, 02 Sep 2007 08:55:15 -0400
Subject: [nycphp-talk] Minimal overhead
In-Reply-To: <46DAA662.6050404@metalab.unc.edu>
References: <46DAA662.6050404@metalab.unc.edu>
Message-ID: <46DAB2B3.4060504@devonianfarm.com>

Elliotte Harold wrote:
> Suppose I don't want it to be so obvious that I'm using PHP on a site, 
> Or that I just want the freedom to not always use PHP in a given 
> document. Thus I decide to configure Apache to treat all .html files 
> as PHP files.
>
> How much overhead does this add for the common case when a file only 
> contains static data, no PHP? Would I notice the hit?
>
    You should measure this yourself using tools such as ab 
(ApacheBench,  included with the Apache distribution)

     I benched out an Apache 2 installation on a somewhat beefy Linux 
machine about two years ago.  Apache could serve about 2000 hits/sec of 
plain HTML files and around 400 hits/sec of simple PHP files.

    About five years ago I developed a simple PHP system that put 
templating on existing HTML documents.  I clocked this at around 100 
hits/sec,  which is around 8 million a day.

    There is substantial overhead in processing PHP,  but most people 
won't notice it unless they have very high traffic sites or are in a 
very resource constrained environment.




From ramons at gmx.net  Sun Sep  2 09:25:41 2007
From: ramons at gmx.net (David Krings)
Date: Sun, 02 Sep 2007 09:25:41 -0400
Subject: [nycphp-talk] Minimal overhead
In-Reply-To: <46DAA662.6050404@metalab.unc.edu>
References: <46DAA662.6050404@metalab.unc.edu>
Message-ID: <46DAB9D5.90109@gmx.net>

Elliotte Harold wrote:
> Suppose I don't want it to be so obvious that I'm using PHP on a site, 
> Or that I just want the freedom to not always use PHP in a given 
> document. Thus I decide to configure Apache to treat all .html files as 
> PHP files.
> 
> How much overhead does this add for the common case when a file only 
> contains static data, no PHP? Would I notice the hit?
> 

As usual, it depends. All pages will be sent to the PHP interpreter 
which parses the file and decides that there is nothing to do and has 
the web server serve the static content. While there may be no 
noticeable difference when calling one page it may come into play when 
you get several thousand hits a minute.

What's so wrong with calling files .htm and .php and handle them 
differently? Although, I can ask the opposite question and come up with 
some good answers as well. I'd take a look as to how busy the site is 
and how much oomph your server box has. Or just try it out and see what 
happens.
I came across several instances where I crafted a page as static, but 
then wanted to add a header and then internationalization based on user 
preference. At that point there isn't a way around PHP. Chances are that 
you will use PHP at some point even for pages that are currently static.

David



From joshmccormack at travelersdiary.com  Sun Sep  2 11:14:54 2007
From: joshmccormack at travelersdiary.com (Josh McCormack)
Date: Sun, 2 Sep 2007 11:14:54 -0400
Subject: [nycphp-talk] Minimal overhead
In-Reply-To: <46DAB9D5.90109@gmx.net>
References: <46DAA662.6050404@metalab.unc.edu> <46DAB9D5.90109@gmx.net>
Message-ID: <e22ad7830709020814m3680705v80e8dfd49b801ec0@mail.gmail.com>

You could get around having to have all pages be php by running
through some sort of preprocessos that makes static pages for that
audience, day, hour, etc, and flags which files really need to be
dynamic. Sounds like a lot of work, though.

Josh



On 9/2/07, David Krings <ramons at gmx.net> wrote:
> Elliotte Harold wrote:
> > Suppose I don't want it to be so obvious that I'm using PHP on a site,
> > Or that I just want the freedom to not always use PHP in a given
> > document. Thus I decide to configure Apache to treat all .html files as
> > PHP files.
> >
> > How much overhead does this add for the common case when a file only
> > contains static data, no PHP? Would I notice the hit?
> >
>
> As usual, it depends. All pages will be sent to the PHP interpreter
> which parses the file and decides that there is nothing to do and has
> the web server serve the static content. While there may be no
> noticeable difference when calling one page it may come into play when
> you get several thousand hits a minute.
>
> What's so wrong with calling files .htm and .php and handle them
> differently? Although, I can ask the opposite question and come up with
> some good answers as well. I'd take a look as to how busy the site is
> and how much oomph your server box has. Or just try it out and see what
> happens.
> I came across several instances where I crafted a page as static, but
> then wanted to add a header and then internationalization based on user
> preference. At that point there isn't a way around PHP. Chances are that
> you will use PHP at some point even for pages that are currently static.
>
> David
>
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php
>


-- 
Josh McCormack
Owner, InteractiveQA
Web testing & development
http://www.interactiveqa.com
917.620.4902


From paul at devonianfarm.com  Sun Sep  2 13:02:31 2007
From: paul at devonianfarm.com (Paul Houle)
Date: Sun, 02 Sep 2007 13:02:31 -0400
Subject: [nycphp-talk] Minimal overhead
In-Reply-To: <e22ad7830709020814m3680705v80e8dfd49b801ec0@mail.gmail.com>
References: <46DAA662.6050404@metalab.unc.edu> <46DAB9D5.90109@gmx.net>
	<e22ad7830709020814m3680705v80e8dfd49b801ec0@mail.gmail.com>
Message-ID: <46DAECA7.7010705@devonianfarm.com>

Josh McCormack wrote:
> You could get around having to have all pages be php by running
> through some sort of preprocessos that makes static pages for that
> audience, day, hour, etc, and flags which files really need to be
> dynamic. Sounds like a lot of work, though.
>
> Josh
>   
    I'm currently building an ultralight publishing system to preserve 
an old database-backed site that got trashed a year or two ago.

    I don't have any intention of adding new articles,  so I don't need 
a live database.  I wrote a script that read rows from the database and 
wrote them into ".html" files that look like

<?php

$post_data=array(
    "SID" => "20070202304034",
    "TITLE" => "The title of this post"
    ...
);

    I'm just about to use "auto_prepend_file" configuration directive to 
run another PHP file that renders the page based on the contents of 
$post_data.

    I expect to get excellent performance this way,  but still have the 
flexibility of changing the way files are rendered without having to go 
back to the database.


From jakob.buchgraber at googlemail.com  Sun Sep  2 12:49:42 2007
From: jakob.buchgraber at googlemail.com (Jakob Buchgraber)
Date: Sun, 02 Sep 2007 18:49:42 +0200
Subject: [nycphp-talk] Minimal overhead
In-Reply-To: <46DAA662.6050404@metalab.unc.edu>
References: <46DAA662.6050404@metalab.unc.edu>
Message-ID: <46DAE9A6.5050500@gmail.com>

Elliotte Harold wrote:
> Suppose I don't want it to be so obvious that I'm using PHP on a site, 
> Or that I just want the freedom to not always use PHP in a given 
> document. Thus I decide to configure Apache to treat all .html files as 
> PHP files.
> 
> How much overhead does this add for the common case when a file only 
> contains static data, no PHP? Would I notice the hit?
> 

In case you mainly want to hide the use of php why not call your files 
.jsp or .aspx and sending fake headers or just remove the PHP headers 
and call your php files .htm and the normal files .html

Jakob
-- 
Sun Certified Programmer for the Java 2 Platform, Standard Edition 5.0


From pmjones88 at gmail.com  Sun Sep  2 14:00:24 2007
From: pmjones88 at gmail.com (Paul M Jones)
Date: Sun, 2 Sep 2007 13:00:24 -0500
Subject: [nycphp-talk] Minimal overhead
In-Reply-To: <46DAA662.6050404@metalab.unc.edu>
References: <46DAA662.6050404@metalab.unc.edu>
Message-ID: <3E727EC7-2A6C-4DEB-A77B-9614A0F0F05A@gmail.com>


On Sep 2, 2007, at 7:02 AM, Elliotte Harold wrote:

> Suppose I don't want it to be so obvious that I'm using PHP on a  
> site, Or that I just want the freedom to not always use PHP in a  
> given document. Thus I decide to configure Apache to treat  
> all .html files as PHP files.
>
> How much overhead does this add for the common case when a file  
> only contains static data, no PHP? Would I notice the hit?

Depends on the particular server, but:  merely invoking the PHP  
interpreter, you can expect it to cut your requests-per-second by 40  
to 60 percent.

Scroll down to the "Baseline" heading here for more info:

     http://paul-m-jones.com/blog/?p=238



--

Paul M. Jones  <http://paul-m-jones.com>

Solar: Simple Object Library and Application Repository
for PHP5.  <http://solarphp.com>

Join the Solar community wiki!  <http://solarphp.org>

Savant: The simple, elegant, and powerful solution for
templates in PHP.  <http://phpsavant.com>


From rolan at omnistep.com  Sun Sep  2 21:49:52 2007
From: rolan at omnistep.com (Rolan Yang)
Date: Sun, 02 Sep 2007 21:49:52 -0400
Subject: [nycphp-talk] Minimal overhead
In-Reply-To: <46DAA662.6050404@metalab.unc.edu>
References: <46DAA662.6050404@metalab.unc.edu>
Message-ID: <46DB6840.1050509@omnistep.com>

You might be able to create a modified XBitHack Apache module which, 
essentially checks to see if the a file has the "x" (execute) bit set 
under permissions. If so, then it parses the file, if not, then it 
displays as a regular html file. This is normally used for server side 
includes, but you could probably modify the script to execute it as a 
php file instead.

~Rolan

Elliotte Harold wrote:
> Suppose I don't want it to be so obvious that I'm using PHP on a site, 
> Or that I just want the freedom to not always use PHP in a given 
> document. Thus I decide to configure Apache to treat all .html files 
> as PHP files.
>
> How much overhead does this add for the common case when a file only 
> contains static data, no PHP? Would I notice the hit?
>


From mitch.pirtle at gmail.com  Mon Sep  3 13:56:45 2007
From: mitch.pirtle at gmail.com (Mitch Pirtle)
Date: Mon, 3 Sep 2007 19:56:45 +0200
Subject: [nycphp-talk] Framework poll
In-Reply-To: <46D48188.6000007@enobrev.com>
References: <C2F99261.7397%cliff@pinestream.com>
	<03fa01c7e9a7$ed94f140$651ba8c0@MobileZ>
	<b76252690708281253p50b4f21dsb35edcada298957a@mail.gmail.com>
	<46D48188.6000007@enobrev.com>
Message-ID: <330532b60709031056h3648aa50m711562e62fcb4168@mail.gmail.com>

On 8/28/07, Mark Armendariz <lists at enobrev.com> wrote:
> Brilliant!! And each will have separate implementations for each database
> (mysql, postgres, oracle, xml, couchdb, etc) and then each of those for each
> OS (linux, windows, palm, hacked wii, etc) and we'll name each
> framework/database/os implementation according to our favorite beers, which
> we'll pick according to our ruby-poll.

Ok then, when do we get started? I can setup pound as an application
proxy to randomly redirect each incoming request to a different
virtual host. I can write the log rotate and analysis stuff in python.
We even get to implement session handlers over and over! I mean, this
*is* what PHP developers like to do, right? hehe

-- Mitch


From maxarbos at yahoo.com  Mon Sep  3 14:24:32 2007
From: maxarbos at yahoo.com (Bill P.)
Date: Mon, 3 Sep 2007 11:24:32 -0700 (PDT)
Subject: [nycphp-talk] MSSql , IIS Encrypted Connection String
Message-ID: <27060.96537.qm@web90602.mail.mud.yahoo.com>

Hello,

I have a project that will be using IIS and mssql.
I need to use an encrypted conneciton string in my config/lib.php file. 

mssql has built in encryption connection ability, but within asp.

Everything will be written in php so does anyone have any suggestions on encrypting a connection string to connect to a mssql db?

thanks.
Bill


       
---------------------------------
Choose the right car based on your needs.  Check out Yahoo! Autos new Car Finder tool.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070903/779d73e2/attachment.html>

From tom at supertom.com  Tue Sep  4 00:17:14 2007
From: tom at supertom.com (Tom Melendez)
Date: Mon, 3 Sep 2007 21:17:14 -0700
Subject: [nycphp-talk] MSSql , IIS Encrypted Connection String
In-Reply-To: <27060.96537.qm@web90602.mail.mud.yahoo.com>
References: <27060.96537.qm@web90602.mail.mud.yahoo.com>
Message-ID: <117286890709032117s7bde7f61l49409afbdb5b581d@mail.gmail.com>

> I have a project that will be using IIS and mssql.
> I need to use an encrypted conneciton string in my config/lib.php file.
>
> mssql has built in encryption connection ability, but within asp.
>
> Everything will be written in php so does anyone have any suggestions on
> encrypting a connection string to connect to a mssql db?
>

Do you know any more about the encryption mechanism used by MSSQL and
ASP?  I would think it could be duplicated somehow.  Any docs
available on the subject?

Tom
http://www.liphp.org


From bz-gmort at beezifies.com  Tue Sep  4 08:35:38 2007
From: bz-gmort at beezifies.com (Gary Mort)
Date: Tue, 04 Sep 2007 08:35:38 -0400
Subject: [nycphp-talk] MSSql , IIS Encrypted Connection String
In-Reply-To: <27060.96537.qm@web90602.mail.mud.yahoo.com>
References: <27060.96537.qm@web90602.mail.mud.yahoo.com>
Message-ID: <46DD511A.2040709@beezifies.com>

Bill P. wrote:
> Hello,
>
> I have a project that will be using IIS and mssql.
> I need to use an encrypted conneciton string in my config/lib.php file.
>
> mssql has built in encryption connection ability, but within asp.
>
> Everything will be written in php so does anyone have any suggestions 
> on encrypting a connection string to connect to a mssql db?
>
What's the point of encrypting the data?
Reading through 
http://msdn2.microsoft.com/en-us/library/ms998280.aspx
and
http://msdn2.microsoft.com/en-us/library/ms998283.aspx, it is purely a 
local system server protection.

IE
You have web servers A. B. and C
You have MSSQL Server D and a database(MyDatabase)

A web application running on the WEB server wants to connect to the 
MSSQL server.
Using ASP,. some code somewhere says "Connect to MyDatabase, a MSSQL 
Database "

ASP will then search for a text file called web.conf, and it will grab 
the connection information stored there(the server it is on, the 
database name, yadda yadda).

Than it connects up to the server and does whatever you want it to do.

"Encrypted connection string" just means that the data stored in that 
text file is encrypted, using either an RSA mechanism or DPAPI - which 
to tell you the truth is completely beyond me.  I know there are 
different mechanisms for encryption.  I know in a general way how 
public/private key encryption works. And I know the longer the key 
length, in general, the more secure and the longer to process.  When I 
need to know more than that, I research what the industry stds are at 
that time, what is the best performance for a situation, and move on.  
Trying to understand the math behind it all would drive me bonkers. 

Using encrypted connection strings, the ASP program has an extra step. 
It accesses the text file, grabs the data, and then decrypts the data 
and uses it.  It doesn't actually send the data in an encrypted format 
to the server - the key to noticing this for me was that your ASP 
program can display the plaintext decoded info to you, so it's decoding 
it on the web server. 

So really, you get the same benefit by choosing any encryption scheme 
you like for PHP and encrypting the connection information file that 
your using.

The only reason I can see to use "encrypted connection strings" the 
Microsoft way is the method used in that RSA article(link above).

There, they suggest that for a server farm, what you would do is create 
the connection string file on the MSSQL server system(or on your own 
system, whatever.  The point is, you don't create it on servers A,B, and 
C).  Than you encrypt the file using RSA and transfer both the encrypted 
file AND the RSA private key needed to decrypt the file to servers 
A,B,and C.  Than by installing them under the appropriate user, web apps 
running under that user can decrypt the data.

If that is your goal, find a PHP RSA decryption routine, place the 
private key somewhere secure on your server, and use the key to decrypt 
the connection string file.  Than parse the file and shove the 
appropriate fields into your PHP connection.  If you want to use their 
method, they store the private key in the registry, so you can pull it 
out the same way.

Am I missing something here on how encrypted connection string works?  
(Besides the obvious that Microsoft went to great lengths to describe a 
fairly simple process in complex language such that it would appear to 
be a function exclusive to their API, instead of a fairly trivial 
implementation of standard config file encryption.  I mean, on first 
glance, I thought it was pretty cool, the concept being that you would 
provide the web servers with a connection string encrypted just for each 
server, and that server would send the encrypted data to the database 
server - thus it would not ever know what the true userid and password 
was and since the key is assigned to an ip address, a connection using 
the same config file from a different system would be rejected.  But no, 
it doesn't seem to be that, just a local config file encryption.)


From ken at secdat.com  Tue Sep  4 08:50:56 2007
From: ken at secdat.com (Kenneth Downs)
Date: Tue, 04 Sep 2007 08:50:56 -0400
Subject: [nycphp-talk] AJAX and State
Message-ID: <46DD54B0.5060803@secdat.com>

One thing that seems to have gone unsaid in the praise for Ajax is its 
ability to radically transform how we maintain state.

The web server session is our basic mechanism for storing information 
between requests.  But it gets clumsier and clumsier to try to maintain 
complex state across many page requests when you use a session.  
Ingenious minds have put their will to the problem and come up with 
workable systems, but all of them are complicated because of the nature 
of the problem.

That problem, stated here, is simply the problem of tracking what I'll 
call the "context" of a user's session.  Some elements of a session are 
fixed: the user id, the password, a few other things, but almost 
everything that we need to track is always changing.  A basic example: a 
list of search results.  Where do you store it?  When the user hits, 
"NEXT PAGE", how do you know what to do?  If you are using a session, 
what happens if he opens a new window and has two search results sets up 
for two different tables?

Ajax solves this problem neatly by letting you move all state [1] into 
the browser.  This makes sense from an architectural viewpoint because 
we are putting this context information close to where it is needed, the 
UI. 

I've been converting the basic Andromeda UI code over to a completely 
AJAX system [1], and have found my code radically simplified and far 
smoother, due almost entirely to the moving of all state information to 
the browser.  Hurray for Ajax!

[1] Here I'll use "state" to mean the changing context of user requests, 
and assume we are still using the session for User_id and password.

[2] Andromeda is used to make database applications for businesses, we 
don't care in this case about google following our links.


-- 
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com    www.andromeda-project.org
631-689-7200   Fax: 631-689-0527
cell: 631-379-0010



From jonbaer at jonbaer.com  Tue Sep  4 10:33:16 2007
From: jonbaer at jonbaer.com (Jon Baer)
Date: Tue, 4 Sep 2007 10:33:16 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To: <46DD54B0.5060803@secdat.com>
References: <46DD54B0.5060803@secdat.com>
Message-ID: <46DB80D6-790B-4260-A4B6-17F2E3BCCE64@jonbaer.com>

Personally ... I think even broader ideas like Dojo Offline (http:// 
dojotoolkit.org/offline) and Google Gears (http://gears.google.com/)  
takes it to an even further level which has not been tapped (yet).   
Now if only you can sneak it into a project ;-)

- Jon

On Sep 4, 2007, at 8:50 AM, Kenneth Downs wrote:

> One thing that seems to have gone unsaid in the praise for Ajax is  
> its ability to radically transform how we maintain state.
>
> The web server session is our basic mechanism for storing  
> information between requests.  But it gets clumsier and clumsier to  
> try to maintain complex state across many page requests when you  
> use a session.  Ingenious minds have put their will to the problem  
> and come up with workable systems, but all of them are complicated  
> because of the nature of the problem.
>
> That problem, stated here, is simply the problem of tracking what  
> I'll call the "context" of a user's session.  Some elements of a  
> session are fixed: the user id, the password, a few other things,  
> but almost everything that we need to track is always changing.  A  
> basic example: a list of search results.  Where do you store it?   
> When the user hits, "NEXT PAGE", how do you know what to do?  If  
> you are using a session, what happens if he opens a new window and  
> has two search results sets up for two different tables?
>
> Ajax solves this problem neatly by letting you move all state [1]  
> into the browser.  This makes sense from an architectural viewpoint  
> because we are putting this context information close to where it  
> is needed, the UI.
> I've been converting the basic Andromeda UI code over to a  
> completely AJAX system [1], and have found my code radically  
> simplified and far smoother, due almost entirely to the moving of  
> all state information to the browser.  Hurray for Ajax!
>
> [1] Here I'll use "state" to mean the changing context of user  
> requests, and assume we are still using the session for User_id and  
> password.
>
> [2] Andromeda is used to make database applications for businesses,  
> we don't care in this case about google following our links.
>
>
> -- 
> Kenneth Downs
> Secure Data Software, Inc.
> www.secdat.com    www.andromeda-project.org
> 631-689-7200   Fax: 631-689-0527
> cell: 631-379-0010
>
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php



From ken at secdat.com  Tue Sep  4 13:37:10 2007
From: ken at secdat.com (Kenneth Downs)
Date: Tue, 04 Sep 2007 13:37:10 -0400
Subject: [nycphp-talk] Finding event listeners?
Message-ID: <46DD97C6.8000805@secdat.com>

I cannot seem to figure out which javascript function I would use to 
determine the event listeners that have been added to an element. Can 
anybody steer me on this? Thanks...

-- 
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com    www.andromeda-project.org
631-689-7200   Fax: 631-689-0527
cell: 631-379-0010



From ken at secdat.com  Tue Sep  4 13:41:18 2007
From: ken at secdat.com (Kenneth Downs)
Date: Tue, 04 Sep 2007 13:41:18 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To: <46DB80D6-790B-4260-A4B6-17F2E3BCCE64@jonbaer.com>
References: <46DD54B0.5060803@secdat.com>
	<46DB80D6-790B-4260-A4B6-17F2E3BCCE64@jonbaer.com>
Message-ID: <46DD98BE.9020304@secdat.com>

I have not looked at Dojo yet, though they have been on "the list" for 
awhile.

The firefox extensions are now looking really exciting.  I am looking to 
download or write an extension that will let me ship photographs from a 
camera directly to the database, and also to intercept bar code scans 
and do some intelligent page routing.  Fun stuff.

Jon Baer wrote:
> Personally ... I think even broader ideas like Dojo Offline 
> (http://dojotoolkit.org/offline) and Google Gears 
> (http://gears.google.com/) takes it to an even further level which has 
> not been tapped (yet).  Now if only you can sneak it into a project ;-)
>
> - Jon
>
> On Sep 4, 2007, at 8:50 AM, Kenneth Downs wrote:
>
>> One thing that seems to have gone unsaid in the praise for Ajax is 
>> its ability to radically transform how we maintain state.
>>
>> The web server session is our basic mechanism for storing information 
>> between requests.  But it gets clumsier and clumsier to try to 
>> maintain complex state across many page requests when you use a 
>> session.  Ingenious minds have put their will to the problem and come 
>> up with workable systems, but all of them are complicated because of 
>> the nature of the problem.
>>
>> That problem, stated here, is simply the problem of tracking what 
>> I'll call the "context" of a user's session.  Some elements of a 
>> session are fixed: the user id, the password, a few other things, but 
>> almost everything that we need to track is always changing.  A basic 
>> example: a list of search results.  Where do you store it?  When the 
>> user hits, "NEXT PAGE", how do you know what to do?  If you are using 
>> a session, what happens if he opens a new window and has two search 
>> results sets up for two different tables?
>>
>> Ajax solves this problem neatly by letting you move all state [1] 
>> into the browser.  This makes sense from an architectural viewpoint 
>> because we are putting this context information close to where it is 
>> needed, the UI.
>> I've been converting the basic Andromeda UI code over to a completely 
>> AJAX system [1], and have found my code radically simplified and far 
>> smoother, due almost entirely to the moving of all state information 
>> to the browser.  Hurray for Ajax!
>>
>> [1] Here I'll use "state" to mean the changing context of user 
>> requests, and assume we are still using the session for User_id and 
>> password.
>>
>> [2] Andromeda is used to make database applications for businesses, 
>> we don't care in this case about google following our links.
>>
>>
>> --Kenneth Downs
>> Secure Data Software, Inc.
>> www.secdat.com    www.andromeda-project.org
>> 631-689-7200   Fax: 631-689-0527
>> cell: 631-379-0010
>>
>> _______________________________________________
>> New York PHP Community Talk Mailing List
>> http://lists.nyphp.org/mailman/listinfo/talk
>>
>> NYPHPCon 2006 Presentations Online
>> http://www.nyphpcon.com
>>
>> Show Your Participation in New York PHP
>> http://www.nyphp.org/show_participation.php
>
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php


-- 
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com    www.andromeda-project.org
631-689-7200   Fax: 631-689-0527
cell: 631-379-0010



From tedd at sperling.com  Tue Sep  4 20:00:41 2007
From: tedd at sperling.com (tedd)
Date: Tue, 4 Sep 2007 20:00:41 -0400
Subject: [nycphp-talk] Finding event listeners?
In-Reply-To: <46DD97C6.8000805@secdat.com>
References: <46DD97C6.8000805@secdat.com>
Message-ID: <p06240805c303a0922441@[192.168.1.109]>

At 1:37 PM -0400 9/4/07, Kenneth Downs wrote:
>I cannot seem to figure out which javascript function I would use to 
>determine the event listeners that have been added to an element. 
>Can anybody steer me on this? Thanks...
>
>--
>Kenneth Downs

Kenneth:

You probably should post this question to a javascript list, but a 
listener is triggered by an event.

I can think of 7 (may be more) and they all start with "on" (i.e., 
onBlur, onClick, onSubmit, onLoad, onChange, onMouseOut, onMouseOver) 
not counting onreadystatechange via ajax/ahah.

So, what triggers the event for the element?

Cheers,

tedd
-- 
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com


From jonbaer at jonbaer.com  Tue Sep  4 20:28:35 2007
From: jonbaer at jonbaer.com (Jon Baer)
Date: Tue, 4 Sep 2007 20:28:35 -0400
Subject: [nycphp-talk] Finding event listeners?
In-Reply-To: <p06240805c303a0922441@[192.168.1.109]>
References: <46DD97C6.8000805@secdat.com>
	<p06240805c303a0922441@[192.168.1.109]>
Message-ID: <3DE172F5-DD82-4A8A-9ECA-7FD04263CF72@jonbaer.com>

Actually a pretty good question ... I was under assumption that you  
could call Event.observers in Prototype and get back an array of  
element and handlers but after glimpsing through the API was not the  
case.  In fact since it's not a DOM-level call it seems that it would  
be pretty API independent.  It seems that they even removed that and  
implemented a stacked cache a while back ...

http://dev.rubyonrails.org/browser/spinoffs/prototype/trunk/src/event.js

Interesting that you can't get back an array of listeners for an  
element.

- Jon

On Sep 4, 2007, at 8:00 PM, tedd wrote:

> At 1:37 PM -0400 9/4/07, Kenneth Downs wrote:
>> I cannot seem to figure out which javascript function I would use  
>> to determine the event listeners that have been added to an  
>> element. Can anybody steer me on this? Thanks...
>>
>> --
>> Kenneth Downs
>
> Kenneth:
>
> You probably should post this question to a javascript list, but a  
> listener is triggered by an event.
>
> I can think of 7 (may be more) and they all start with "on" (i.e.,  
> onBlur, onClick, onSubmit, onLoad, onChange, onMouseOut,  
> onMouseOver) not counting onreadystatechange via ajax/ahah.
>
> So, what triggers the event for the element?
>
> Cheers,
>
> tedd
> -- 
> -------
> http://sperling.com  http://ancientstones.com  http://earthstones.com
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070904/8ad37acd/attachment.html>

From jcampbell1 at gmail.com  Tue Sep  4 20:35:33 2007
From: jcampbell1 at gmail.com (John Campbell)
Date: Tue, 4 Sep 2007 20:35:33 -0400
Subject: [nycphp-talk] Finding event listeners?
In-Reply-To: <46DD97C6.8000805@secdat.com>
References: <46DD97C6.8000805@secdat.com>
Message-ID: <8f0676b40709041735m2bb9936gaaa11747fc7212c0@mail.gmail.com>

> I cannot seem to figure out which javascript function I would use to
> determine the event listeners that have been added to an element. Can
> anybody steer me on this? Thanks...

It is not possible to get a listing using the W3C DOM methods.  You
will have to use a custom event manager if you want to be able to get
an array of references of the function objects.


From lists at silmail.com  Wed Sep  5 02:32:53 2007
From: lists at silmail.com (Jiju Thomas Mathew)
Date: Wed, 5 Sep 2007 12:02:53 +0530
Subject: [nycphp-talk] how did you learn php?
In-Reply-To: <98a958580708261850v3094dca8sbf5af23165d1bec7@mail.gmail.com>
References: <98a958580708261850v3094dca8sbf5af23165d1bec7@mail.gmail.com>
Message-ID: <6431a0f40709042332u2cac1502p9262dd6157579b4b@mail.gmail.com>

On 8/27/07, Anthony <speel3k at gmail.com> wrote:
>
> Hey, i'm kinda new around here and just tinkering around with php. My
> question to you guys is how did you learn? by reading or by taking apart
> scripts and adding your own style or what? I'm very curious.
>
>
Well It was real great to see all those replies. And could not resist to add
my own views.

I started doing php on a fury, to prove that php was better than jsp, no
flames, and I dont want to hurt anyone. At that time I just had experience
in perl cgi, and wanted to switch somehow, due to the hype php was getting.

My first project was a fully written community site just for the hero honda
cbz users, since we had a handful in our neighbourhood. Well it was real
tough, when starting with a personal project, but I myself being the project
owner, I could decide on what features and where to cut corners.  The
biggest lifesaver was the dynamic function reference at http://php.net,
which I had stated to rsync to my office once a week longback. And to admit
it, once done it was a piece of hell. From then on there was no turning
back.

Currently I am mostly doing code reviews, guiding new recruits and doing
R&D.

-- 
Jiju Thomas Mathew
Technology Officer, Saturn Systemwares Pvt Ltd
Gayathri, Technopark, Trivandrum,  Kerala, India
Mob: 91 94470 47989   Tel : +91 471 3255001
http://www.saturn.in
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070905/b6ecb00c/attachment.html>

From paulcheung at tiscali.co.uk  Wed Sep  5 06:26:02 2007
From: paulcheung at tiscali.co.uk (PaulCheung)
Date: Wed, 5 Sep 2007 11:26:02 +0100
Subject: [nycphp-talk] PHP REDIRECT
References: <20070701.215701.25801.0@webmail14.dca.untd.com>
	<b76252690707020905p6809390eq9b0b9d176774bb87@mail.gmail.com>
Message-ID: <000501c7efa7$28d0fbf0$0200a8c0@X9183>

Can anybody help? I am using "MAINMENU" built in HTML forms to get to get me 
to where I want to be (Add, Update or Print record) and of course, I cannot 
update or print a record that does not exist yet. Here is a snippet of the 
coding.
<?PHP session_start(); PHP?>
<HTML>
    HTML coding
    more HTML coding

<?PHP>
    PHP coding
    more PHP coding
.
$q="Select SQL_CALC_FOUND_ROWS * FROM test_table
WHERE customer = $customer ORDER BY invoices LIMIT $cps, $rpp";
.
    PHP coding
    more PHP coding
    more coding
.
if ($number_of_records == 0)
    {$link = "http://localhost/mainmenu.php";}

I have also tried
header('Location: http://localhost/mainmenu.php);
With this PHP gets really ticked-off giving me a long error message and 
points to a line which contains the following coding.
<script language="JavaScript" type="text/javascript"> As to why, I haven't a 
clue.

On invalid operation I want to exit (with all the usual user error messages) 
and return back to the mainmenu, For this test I am using 99999990 as the 
dummy customer

Paul







From ken at secdat.com  Wed Sep  5 06:38:56 2007
From: ken at secdat.com (Kenneth Downs)
Date: Wed, 05 Sep 2007 06:38:56 -0400
Subject: [nycphp-talk] Finding event listeners?
In-Reply-To: <8f0676b40709041735m2bb9936gaaa11747fc7212c0@mail.gmail.com>
References: <46DD97C6.8000805@secdat.com>
	<8f0676b40709041735m2bb9936gaaa11747fc7212c0@mail.gmail.com>
Message-ID: <46DE8740.20504@secdat.com>

John Campbell wrote:
>> I cannot seem to figure out which javascript function I would use to
>> determine the event listeners that have been added to an element. Can
>> anybody steer me on this? Thanks...
>>     
>
> It is not possible to get a listing using the W3C DOM methods.  You
> will have to use a custom event manager if you want to be able to get
> an array of references of the function objects.
>   

Urg.  I figured as much but was hoping I was wrong :(

FWIW, there was a principal stated in E.F. Codd's very first paper on 
his proposed relational theory that a system should allow, by inquiry, 
the ability to determine its complete state.  I guess we don't get that 
w/Javascript.

> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php
>   


-- 
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com    www.andromeda-project.org
631-689-7200   Fax: 631-689-0527
cell: 631-379-0010

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070905/f980387c/attachment.html>

From ramons at gmx.net  Wed Sep  5 06:50:36 2007
From: ramons at gmx.net (David Krings)
Date: Wed, 05 Sep 2007 06:50:36 -0400
Subject: [nycphp-talk] PHP REDIRECT
In-Reply-To: <000501c7efa7$28d0fbf0$0200a8c0@X9183>
References: <20070701.215701.25801.0@webmail14.dca.untd.com>	<b76252690707020905p6809390eq9b0b9d176774bb87@mail.gmail.com>
	<000501c7efa7$28d0fbf0$0200a8c0@X9183>
Message-ID: <46DE89FC.4090304@gmx.net>

PaulCheung wrote:
> With this PHP gets really ticked-off giving me a long error message and 
> points to a line which contains the following coding.
> <script language="JavaScript" type="text/javascript"> As to why, I 
> haven't a clue.

I always fared very well with the header redirects, but those only work 
if you haven't sent any body content yet. For those cases a simple a 
link should do the trick.
Since the error you get has seemingly nothing to do with the 
redirect/link, but some other non-PHP line of code I'd like to see what 
is before the quoted line. Do you use an echo to write that line? If 
yes, did you put the \ in front of all " that are to be printed out?
Oh, and what does the long error message state? Error messages are there 
for a reason and they sometimes are helpful (most often they are not as 
developers think that stupid users deserve crappy error messages and 
that their code never fails anyway).


David


From kenrbnsn at rbnsn.com  Wed Sep  5 07:26:34 2007
From: kenrbnsn at rbnsn.com (Ken Robinson)
Date: Wed, 05 Sep 2007 07:26:34 -0400
Subject: [nycphp-talk] Finding event listeners?
In-Reply-To: <46DE8740.20504@secdat.com>
References: <46DD97C6.8000805@secdat.com>
	<8f0676b40709041735m2bb9936gaaa11747fc7212c0@mail.gmail.com>
	<46DE8740.20504@secdat.com>
Message-ID: <mailman.15.1363003698.25290.talk@lists.nyphp.org>

At 06:38 AM 9/5/2007, Kenneth Downs wrote:
>John Campbell wrote:
>>>
>>>I cannot seem to figure out which javascript function I would use to
>>>determine the event listeners that have been added to an element. Can
>>>anybody steer me on this? Thanks...
>>>
>>
>>
>>It is not possible to get a listing using the W3C DOM methods.  You
>>will have to use a custom event manager if you want to be able to get
>>an array of references of the function objects.
>>
>
>Urg.  I figured as much but was hoping I was wrong :(

You might want to to take a look at the Yahoo User Interface Library 
(YUI) at <http://developer.yahoo.com/yui/>.  When using the Yahoo 
event functions, I believe you can get what you're looking for.

Ken 



From bz-gmort at beezifies.com  Wed Sep  5 07:47:47 2007
From: bz-gmort at beezifies.com (bz-gmort at beezifies.com)
Date: Wed, 05 Sep 2007 07:47:47 -0400
Subject: [nycphp-talk] Finding event listeners?
In-Reply-To: <46DD97C6.8000805@secdat.com>
References: <46DD97C6.8000805@secdat.com>
Message-ID: <46DE9763.4010606@beezifies.com>

Kenneth Downs wrote:
> I cannot seem to figure out which javascript function I would use to 
> determine the event listeners that have been added to an element. Can 
> anybody steer me on this? Thanks...
>


Apparently, none.

http://objectmix.com/javascript/116920-how-discover-if-attachevent-done-element-2.html

They also suggest if you use something like the yahoo UI library, or 
write your own, you can get listeners attached through the library, but 
not anything attached in another mechanism.  (IE if you are including 
some cool script you got from the web to do something, and it adds event 
listeners, they won't be tracked).

Note: I know enough Javascript to troubleshoot and fix scripts written 
by others, as well as review other people's code, but I don't actually 
know a lot of Javascript intimately.


From bz-gmort at beezifies.com  Wed Sep  5 07:52:51 2007
From: bz-gmort at beezifies.com (bz-gmort at beezifies.com)
Date: Wed, 05 Sep 2007 07:52:51 -0400
Subject: [nycphp-talk] Finding event listeners?
In-Reply-To: <46DE8740.20504@secdat.com>
References: <46DD97C6.8000805@secdat.com>	<8f0676b40709041735m2bb9936gaaa11747fc7212c0@mail.gmail.com>
	<46DE8740.20504@secdat.com>
Message-ID: <46DE9893.9090302@beezifies.com>

Kenneth Downs wrote:
>
> FWIW, there was a principal stated in E.F. Codd's very first paper on 
> his proposed relational theory that a system should allow, by inquiry, 
> the ability to determine its complete state.  I guess we don't get 
> that w/Javascript.
>
Small nit to pick.

Javascript isn't a system, it is a cross browser semi compatible 
language which allows you access to elements of the browser system.

As such, it gives you access to various elements of the browser.

If browsers don't allow access to their state by Javascript, it is 
hardly the fault of Javascript that it is not allowed.




From lists at zaunere.com  Wed Sep  5 07:53:07 2007
From: lists at zaunere.com (Hans Zaunere)
Date: Wed, 5 Sep 2007 07:53:07 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To: <46DD54B0.5060803@secdat.com>
References: <46DD54B0.5060803@secdat.com>
Message-ID: <07f701c7efb3$52f6a9f0$651ba8c0@MobileZ>


Hi,

Kenneth Downs wrote on Tuesday, September 04, 2007 8:51 AM:
> One thing that seems to have gone unsaid in the praise for Ajax is its
> ability to radically transform how we maintain state.
> 
> The web server session is our basic mechanism for storing information
> between requests.  But it gets clumsier and clumsier to try to
> maintain complex state across many page requests when you use a
> session. Ingenious minds have put their will to the problem and come
> up with workable systems, but all of them are complicated because of
> the nature of the problem.
> 
> That problem, stated here, is simply the problem of tracking what I'll
> call the "context" of a user's session.  Some elements of a session
> are fixed: the user id, the password, a few other things, but almost
> everything that we need to track is always changing.  A basic
> example: a list of search results.  Where do you store it?  When the
> user hits, "NEXT PAGE", how do you know what to do?  If you are using
> a session, what happens if he opens a new window and has two search
> results sets up for two different tables?

We've encountered similar problems, which are especially prevelant in a web
2.0 super-duper-magic type of site (ie, tabbed browsing, draggable modules,
etc).

> Ajax solves this problem neatly by letting you move all state [1] into
> the browser.  This makes sense from an architectural viewpoint because
> we are putting this context information close to where it is needed,
> the UI.

I'm not sure what you mean, though, by keeping state in the browser.  Here's
essentially what's work for me in the past:P

-- typical session ID is generated and the browser is cookied, just like
with any other site.  this sets a session for the entire browser - nothing
special here

-- the Javascript code is written to persist the browser's cookie, so it's
requests appear to the server just like any other regular browser request

-- the server is now getting hit with numerous requests - some are the
"whole browser" and some are simply partial requests (Ajax/JS requests).
These requests are typically out of the classic order that you'd expect a
browser to produce, since you can't always assume the timing of the user's
browser.

The Ajax requests hit a certain set of URLs, let's say /Ajax/, on the
server.  The server knows to handle these requests specially, which in
effect creates sub-sessions.  That is to say, for every complex set of Ajax
operations, the server is maintaining it's own sub-set of data.  For
instance, search results and the search criteria, which is attached strictly
to a single module or Ajax part of the page.

---
Hans Zaunere / President / New York PHP
    www.nyphp.org  /  www.nyphp.com




From bz-gmort at beezifies.com  Wed Sep  5 07:58:06 2007
From: bz-gmort at beezifies.com (bz-gmort at beezifies.com)
Date: Wed, 05 Sep 2007 07:58:06 -0400
Subject: [nycphp-talk] PHP REDIRECT
In-Reply-To: <000501c7efa7$28d0fbf0$0200a8c0@X9183>
References: <20070701.215701.25801.0@webmail14.dca.untd.com>	<b76252690707020905p6809390eq9b0b9d176774bb87@mail.gmail.com>
	<000501c7efa7$28d0fbf0$0200a8c0@X9183>
Message-ID: <46DE99CE.5060407@beezifies.com>

PaulCheung wrote:
> .
> if ($number_of_records == 0)
>    {$link = "http://localhost/mainmenu.php";}
>
> I have also tried
> header('Location: http://localhost/mainmenu.php);

For the first, I generally find it best to place an "echo $link" first 
to make sure it is being set to what I think it should be set to.  Than 
following that with replacing the echo with a meta-refresh and a 
countdown timer to see if that works, and do the the header call 
last(since header calls can get blown if you outputted any text before 
them, and it is easy when working on other peoples code to have:

<?php
some code ?>

<?php
some more code
?>

The blank space between the two blocks will kill your header call.

For the second, is that truly what you wrote?  Your missing the closing 
single quote on the line you posted here.




From lists at zaunere.com  Wed Sep  5 08:03:32 2007
From: lists at zaunere.com (Hans Zaunere)
Date: Wed, 5 Sep 2007 08:03:32 -0400
Subject: [nycphp-talk] FW: PHP statistics for August 2007
Message-ID: <07f801c7efb4$c7912b40$651ba8c0@MobileZ>


This just in...

> PHP adoption statistics for August 2007 are released.
> Here are the monthly highlight :
> 
>     * PHP 4 starting to decline!
>     * PHP 5 break its progression record : +1,5% to 22%
>     * August 2007, best month to compile PHP
> 
> PHP statistics for August 2007
>  
>
http://www.nexen.net/chiffres_cles/phpversion/17504-php_statistics_for_augus
t_2007.php
> PHP stats evolution for August 2007
>  
>
http://www.nexen.net/chiffres_cles/phpversion/17507-php_stats_evolution_for_
august_2007.php
> 
> All nexen.net articles in English :
>   http://www.nexen.net/the_english_speaking_nexen.net.php
> 




From danielc at analysisandsolutions.com  Wed Sep  5 08:19:05 2007
From: danielc at analysisandsolutions.com (Daniel Convissor)
Date: Wed, 5 Sep 2007 08:19:05 -0400
Subject: [nycphp-talk] PHP REDIRECT
In-Reply-To: <000501c7efa7$28d0fbf0$0200a8c0@X9183>
References: <20070701.215701.25801.0@webmail14.dca.untd.com>
	<b76252690707020905p6809390eq9b0b9d176774bb87@mail.gmail.com>
	<000501c7efa7$28d0fbf0$0200a8c0@X9183>
Message-ID: <20070905121905.GA14135@panix.com>

On Wed, Sep 05, 2007 at 11:26:02AM +0100, PaulCheung wrote:
> header('Location: http://localhost/mainmenu.php);
> With this PHP gets really ticked-off giving me a long error message and 
> points to a line which contains the following coding.
> <script language="JavaScript" type="text/javascript"> As to why, I haven't 
> a clue.

You're getting distracted by the end of the error message.  Read the first 
seven words of the warning again, CAREFULLY.  It's VERY explicit.  If you 
still don't get it, Google for those words.  This has been explained 
thousands of times.

--Dan

-- 
 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
            data intensive web and database programming
                http://www.AnalysisAndSolutions.com/
 4015 7th Ave #4, Brooklyn NY 11232  v: 718-854-0335 f: 718-854-0409


From bz-gmort at beezifies.com  Wed Sep  5 08:20:56 2007
From: bz-gmort at beezifies.com (bz-gmort at beezifies.com)
Date: Wed, 05 Sep 2007 08:20:56 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To: <07f701c7efb3$52f6a9f0$651ba8c0@MobileZ>
References: <46DD54B0.5060803@secdat.com>
	<07f701c7efb3$52f6a9f0$651ba8c0@MobileZ>
Message-ID: <46DE9F28.5060705@beezifies.com>

Hans Zaunere wrote:
> Ajax solves this problem neatly by letting you move all state [1] into
>> the browser.  This makes sense from an architectural viewpoint because
>> we are putting this context information close to where it is needed,
>> the UI.
>>     
>
> I'm not sure what you mean, though, by keeping state in the browser.  Here's
> essentially what's work for me in the past:P
>   


I read the above as, to take a simple example:

A user searches for all employee records in NYC. 
He browses to page 3 of that result set
Than he clicks on a record to edit it.
When he completes editing the record and clicks "save", he wants to be 
returned to page 3 of the result set, with a message across the top of 
the screen saying "Record XYZ updated successfully".

With sessions, you could store the search and page number he was on in 
the session, so when he clicks save he returns to the page he came from.

Problem:
A user searches for all employee records in NYC. 
He browses to page 3 of that result set
Than he clicks on a record to edit it.
He doesn't recall the exact phrase used that he wants to change some 
piece of data to to adopt a standard.
He opens a second tab/browser and searches for all employees in Baltimore.
He browses through to the fourth page and finds a record he used that on 
and opens it
He then switches back to the window where he is editing the record and 
copies the phrase from one window to the other.
He completes processing and clicks save.
He is returned to page 4 of the Baltimore search(his last viewed search 
page) and not the NY search


Ajax tracking state:
A user searches for all employee records in NYC
The search result is loaded in a hidden div which is then made visible 
via AJAX
He browses to page 3 of the search results
Then he clicks on a record to edit it
Using Ajax, the listing is now hidden and the record is loaded in a 
hidden div and then made visible
He doesn't recall the exact phrase...
....
(user now has 2 windows open, 1 with the NYC employee being edited, 1 
with the Baltimore employee being edited - yes this is stupid, he should 
be viewing not editing the Baltimore data, but such is the way of life)
He makes the change to the NYC employee and clicks save
using AJAX, the data is saved, the employee edit div data is set to 
"employee XYZ successfully update", while the employe list div is made 
visible.

So in this manner, using Ajax his path/state is saved in the browser 
window and he returns to precisely where he was.


The above being a stupid example that could have been easily tracked in 
other ways(a single line of data in each row specifying the search 
criteria, the page, and perhaps the result set data identifier).  But 
when you have 30 or 40 pieces of data to track and return to the user, 
it starts getting more complicated.

Of course, all this could have been done with sessions and setting an 
identifier for each browser window.  So I would not say this is 
something "extra" you get with Ajax.  What it rather does is make less 
work for the coder.  Using cookies, sessions, or passing variables 
through the forms you would have had to actively code for all that state 
information.  By keeping it all stored in the browser and not reloading 
the data, you don't have to track it at all.


OTOH it does have it's own price and problems.  All these nifty little 
ajax scripts maintaining data on a browser start to eat up memory.  
Browsers that weren't designed on the assumption of maintaining and 
adding more and more variables, instead they assumed each page 
navigation would discard all the old variables and create a new set will 
start leaking memory.  And after sitting on one of these cool sites for 
4-6 hours, your browser could start dragging the browser or system 
down.  In addition, since all these links ARE often links, you get 
someone like me who comes along and opens up windows in new tabs when he 
wants to work on something specific, and you can get a lot of 
unpredictable results if you were counting on the data in the browser to 
be there for context and I suddenly opened a new tab.

But hey, everything has a cost, right?


From paulcheung at tiscali.co.uk  Wed Sep  5 08:36:01 2007
From: paulcheung at tiscali.co.uk (PaulCheung)
Date: Wed, 5 Sep 2007 13:36:01 +0100
Subject: [nycphp-talk] PHP REDIRECT
References: <20070701.215701.25801.0@webmail14.dca.untd.com>	<b76252690707020905p6809390eq9b0b9d176774bb87@mail.gmail.com><000501c7efa7$28d0fbf0$0200a8c0@X9183>
	<46DE99CE.5060407@beezifies.com>
Message-ID: <002301c7efb9$51b568a0$0200a8c0@X9183>

Thanks David, Dan and bz

the missing quote was just a copying error. Using the header('location: 
http://localhost/mainmenu.php');

this is the value of $number_of_records  = 0
Warning: Cannot modify header information - headers already sent by (output 
started at C:\xampp\htdocs\etestform.php:4) in C:\xampp\htdocs\etestform.php 
on line 59

This is the error message the 4 at the end of 
C:\xampp\htdocs\etestform.php:4 - points to script line 4. which is
 <script language="JavaScript" type="text/javascript">

Line 59 is
57      if ($b == 0)
58        {echo 'this is the value of $number_of_records  = ' . 
$number_of_records;
59        header('location: http://localhost/mainmenu.php');}
60        else

Using PseudoCode - Is there anything in PHP that will simply just sayes the 
following

If  $number_of_records == 0
    goto http://www.localhost/mainmenu.php ??

Paul


----- Original Message ----- 
From: <bz-gmort at beezifies.com>
To: "NYPHP Talk" <talk at lists.nyphp.org>
Sent: Wednesday, September 05, 2007 12:58 PM
Subject: Re: [nycphp-talk] PHP REDIRECT


> PaulCheung wrote:
>> .
>> if ($number_of_records == 0)
>>    {$link = "http://localhost/mainmenu.php";}
>>
>> I have also tried
>> header('Location: http://localhost/mainmenu.php);
>
> For the first, I generally find it best to place an "echo $link" first to 
> make sure it is being set to what I think it should be set to.  Than 
> following that with replacing the echo with a meta-refresh and a countdown 
> timer to see if that works, and do the the header call last(since header 
> calls can get blown if you outputted any text before them, and it is easy 
> when working on other peoples code to have:
>
> <?php
> some code ?>
>
> <?php
> some more code
> ?>
>
> The blank space between the two blocks will kill your header call.
>
> For the second, is that truly what you wrote?  Your missing the closing 
> single quote on the line you posted here.
>
>
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php 


From tedd at sperling.com  Wed Sep  5 08:36:56 2007
From: tedd at sperling.com (tedd)
Date: Wed, 5 Sep 2007 08:36:56 -0400
Subject: [nycphp-talk] PHP REDIRECT
In-Reply-To: <000501c7efa7$28d0fbf0$0200a8c0@X9183>
References: <20070701.215701.25801.0@webmail14.dca.untd.com>
	<b76252690707020905p6809390eq9b0b9d176774bb87@mail.gmail.com>
	<000501c7efa7$28d0fbf0$0200a8c0@X9183>
Message-ID: <p06240805c3045233943d@[192.168.1.109]>

At 11:26 AM +0100 9/5/07, PaulCheung wrote:
>Can anybody help? I am using "MAINMENU" built in HTML forms to get 
>to get me to where I want to be (Add, Update or Print record) and of 
>course, I cannot update or print a record that does not exist yet. 
>Here is a snippet of the coding.
><?PHP session_start(); PHP?>
><HTML>
>    HTML coding
>    more HTML coding
>
><?PHP>
>    PHP coding
>    more PHP coding
>.
>$q="Select SQL_CALC_FOUND_ROWS * FROM test_table
>WHERE customer = $customer ORDER BY invoices LIMIT $cps, $rpp";
>.
>    PHP coding
>    more PHP coding
>    more coding
>.
>if ($number_of_records == 0)
>    {$link = "http://localhost/mainmenu.php";}
>
>I have also tried
>header('Location: http://localhost/mainmenu.php);

header('Location: http://localhost/mainmenu.php'); <-- missing '

Cheers,

tedd
-- 
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com


From lists at zaunere.com  Wed Sep  5 08:41:20 2007
From: lists at zaunere.com (Hans Zaunere)
Date: Wed, 5 Sep 2007 08:41:20 -0400
Subject: [nycphp-talk] PHP REDIRECT
In-Reply-To: <002301c7efb9$51b568a0$0200a8c0@X9183>
References: <20070701.215701.25801.0@webmail14.dca.untd.com>	<b76252690707020905p6809390eq9b0b9d176774bb87@mail.gmail.com><000501c7efa7$28d0fbf0$0200a8c0@X9183><46DE99CE.5060407@beezifies.com>
	<002301c7efb9$51b568a0$0200a8c0@X9183>
Message-ID: <081401c7efba$0fa49bb0$651ba8c0@MobileZ>



PaulCheung wrote on Wednesday, September 05, 2007 8:36 AM:
> Thanks David, Dan and bz
> 
> the missing quote was just a copying error. Using the
> header('location: http://localhost/mainmenu.php');
> 
> this is the value of $number_of_records  = 0
> Warning: Cannot modify header information - headers already sent by
> (output started at C:\xampp\htdocs\etestform.php:4) in
> C:\xampp\htdocs\etestform.php on line 59
> 
> This is the error message the 4 at the end of
> C:\xampp\htdocs\etestform.php:4 - points to script line 4. which is
>  <script language="JavaScript" type="text/javascript">
> 
> Line 59 is
> 57      if ($b == 0)
> 58        {echo 'this is the value of $number_of_records  = ' .
> $number_of_records;
> 59        header('location: http://localhost/mainmenu.php');}
> 60        else
> 
> Using PseudoCode - Is there anything in PHP that will simply just
> sayes the following
> 
> If  $number_of_records == 0
>     goto http://www.localhost/mainmenu.php ??

There is, and you're trying to do it.  But the error you're getting explains
what the problem.  You can't send content to the browser before you send the
headers (which cause the redirect).

At the very first line of your script, try adding:

ob_start();

The error message is not about the Javascript.  It's saying that you can't
send headers after you've already sent page content.  ob_start() adds output
buffering, so you might be able to get away with just adding the above line.
But you should read the comments in the php.net/header document page to
understand why it's working/not working.

H



From enrico.faifer at popso.it  Wed Sep  5 08:46:00 2007
From: enrico.faifer at popso.it (Enrico Faifer)
Date: Wed, 05 Sep 2007 14:46:00 +0200
Subject: [nycphp-talk] Zend_Db and Oracle Cursor
Message-ID: <46DEA508.9050200@popso.it>

An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070905/09776a1b/attachment.html>

From tedd at sperling.com  Wed Sep  5 08:55:50 2007
From: tedd at sperling.com (tedd)
Date: Wed, 5 Sep 2007 08:55:50 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To: <46DE9F28.5060705@beezifies.com>
References: <46DD54B0.5060803@secdat.com>
	<07f701c7efb3$52f6a9f0$651ba8c0@MobileZ>
	<46DE9F28.5060705@beezifies.com>
Message-ID: <p06240806c304566c9180@[192.168.1.109]>

At 8:20 AM -0400 9/5/07, bz-gmort at beezifies.com wrote:
>Hans Zaunere wrote:
>>Ajax solves this problem neatly by letting you move all state [1] into
>>>the browser.  This makes sense from an architectural viewpoint because
>>>we are putting this context information close to where it is needed,
>>>the UI.
>>>
>>
>>I'm not sure what you mean, though, by keeping state in the browser.  Here's
>>essentially what's work for me in the past:P
>>
>
>I read the above as, to take a simple example:

I read your "simple example" and see that you can do it w/wo ajax -- 
but I don't see the advantage in using ajax other than presentation.

Please correct me if I'm wrong, but isn't ajax (and ahah) only a 
means to communicate with the server without causing a refresh? Does 
ajax provide something beyond that?

Cheers,

tedd

-- 
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com


From paulcheung at tiscali.co.uk  Wed Sep  5 09:26:25 2007
From: paulcheung at tiscali.co.uk (PaulCheung)
Date: Wed, 5 Sep 2007 14:26:25 +0100
Subject: [nycphp-talk] PHP REDIRECT
References: <20070701.215701.25801.0@webmail14.dca.untd.com>	<b76252690707020905p6809390eq9b0b9d176774bb87@mail.gmail.com><000501c7efa7$28d0fbf0$0200a8c0@X9183><46DE99CE.5060407@beezifies.com><002301c7efb9$51b568a0$0200a8c0@X9183>
	<081401c7efba$0fa49bb0$651ba8c0@MobileZ>
Message-ID: <003501c7efc0$5bf79520$0200a8c0@X9183>

Thanks Hans and everybody else for the help, it is truely appreciated.

That certainly sorted that problem out and really fast too, I got away with 
just adding the line.

Paul
----- Original Message ----- 
From: "Hans Zaunere" <lists at zaunere.com>
To: "'NYPHP Talk'" <talk at lists.nyphp.org>
Sent: Wednesday, September 05, 2007 1:41 PM
Subject: RE: [nycphp-talk] PHP REDIRECT


>
>
> PaulCheung wrote on Wednesday, September 05, 2007 8:36 AM:
>> Thanks David, Dan and bz
>>
>> the missing quote was just a copying error. Using the
>> header('location: http://localhost/mainmenu.php');
>>
>> this is the value of $number_of_records  = 0
>> Warning: Cannot modify header information - headers already sent by
>> (output started at C:\xampp\htdocs\etestform.php:4) in
>> C:\xampp\htdocs\etestform.php on line 59
>>
>> This is the error message the 4 at the end of
>> C:\xampp\htdocs\etestform.php:4 - points to script line 4. which is
>>  <script language="JavaScript" type="text/javascript">
>>
>> Line 59 is
>> 57      if ($b == 0)
>> 58        {echo 'this is the value of $number_of_records  = ' .
>> $number_of_records;
>> 59        header('location: http://localhost/mainmenu.php');}
>> 60        else
>>
>> Using PseudoCode - Is there anything in PHP that will simply just
>> sayes the following
>>
>> If  $number_of_records == 0
>>     goto http://www.localhost/mainmenu.php ??
>
> There is, and you're trying to do it.  But the error you're getting 
> explains
> what the problem.  You can't send content to the browser before you send 
> the
> headers (which cause the redirect).
>
> At the very first line of your script, try adding:
>
> ob_start();
>
> The error message is not about the Javascript.  It's saying that you can't
> send headers after you've already sent page content.  ob_start() adds 
> output
> buffering, so you might be able to get away with just adding the above 
> line.
> But you should read the comments in the php.net/header document page to
> understand why it's working/not working.
>
> H
>
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php 


From ken at secdat.com  Wed Sep  5 09:31:49 2007
From: ken at secdat.com (Kenneth Downs)
Date: Wed, 05 Sep 2007 09:31:49 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To: <p06240806c304566c9180@[192.168.1.109]>
References: <46DD54B0.5060803@secdat.com>	<07f701c7efb3$52f6a9f0$651ba8c0@MobileZ>	<46DE9F28.5060705@beezifies.com>
	<p06240806c304566c9180@[192.168.1.109]>
Message-ID: <46DEAFC5.2090108@secdat.com>

tedd wrote:
> At 8:20 AM -0400 9/5/07, bz-gmort at beezifies.com wrote:
>> Hans Zaunere wrote:
>>> Ajax solves this problem neatly by letting you move all state [1] into
>>>> the browser.  This makes sense from an architectural viewpoint because
>>>> we are putting this context information close to where it is needed,
>>>> the UI.
>>>>
>>>
>>> I'm not sure what you mean, though, by keeping state in the 
>>> browser.  Here's
>>> essentially what's work for me in the past:P
>>>
>>
>> I read the above as, to take a simple example:
>
> I read your "simple example" and see that you can do it w/wo ajax -- 
> but I don't see the advantage in using ajax other than presentation.
>
> Please correct me if I'm wrong, but isn't ajax (and ahah) only a means 
> to communicate with the server without causing a refresh? Does ajax 
> provide something beyond that?

Yes, AJAX provides benefits beyond its simple ability to communicate w/o 
a refresh.

BZ's example is exactly what I've been coding the past week or so, and 
it is far simpler keeping track of things in the browser than on the 
server, particularly with tabbed browsing.

Here is a smaller example.  User has a form up to do a database insert 
-- such as create a new insurance company entry.  They have some 
duplicate information and their save will fail, but they don't know and 
they hit save.  What happens?

-> In non-ajax world, you submit the form.  The data is validated and a 
list of errors is generated.  You regenerate the HTML, populate the form 
with the original values, place the error notices, and send it back. 

-> In the ajax world you do an Ajax submit and get back a JSON object 
that contains an array listing the errors.  The response handler puts up 
a popup telling you there were errors, then it adds the errors next to 
the inputs that have problems and changes their css class to make them 
red (or whatever). 

    - no regenerating the form on the server
    - no re-assigning values (they were never changed)
    - no html processing AT ALL on server, just take the data and run 
the INSERT

Doing this requires that some state be stored in the browser as the 
properties of a global object.  That was the thrust of my original post, 
and bz fleshed out scenarios where it would be used.  Here I've tried to 
give a very specific example of how it changes your coding practices.


>
> Cheers,
>
> tedd
>


-- 
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com    www.andromeda-project.org
631-689-7200   Fax: 631-689-0527
cell: 631-379-0010



From lists at enobrev.com  Wed Sep  5 09:40:20 2007
From: lists at enobrev.com (Mark Armendariz)
Date: Wed, 05 Sep 2007 09:40:20 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To: <p06240806c304566c9180@[192.168.1.109]>
References: <46DD54B0.5060803@secdat.com>	<07f701c7efb3$52f6a9f0$651ba8c0@MobileZ>	<46DE9F28.5060705@beezifies.com>
	<p06240806c304566c9180@[192.168.1.109]>
Message-ID: <46DEB1C4.2010205@enobrev.com>

tedd wrote:
> At 8:20 AM -0400 9/5/07, bz-gmort at beezifies.com wrote:
>> Hans Zaunere wrote:
>>> Ajax solves this problem neatly by letting you move all state [1] into
>>>> the browser.  This makes sense from an architectural viewpoint because
>>>> we are putting this context information close to where it is needed,
>>>> the UI.
>>>>
>>>
>>> I'm not sure what you mean, though, by keeping state in the 
>>> browser.  Here's
>>> essentially what's work for me in the past:P
>>>
>>
>> I read the above as, to take a simple example:
>
> I read your "simple example" and see that you can do it w/wo ajax -- 
> but I don't see the advantage in using ajax other than presentation.
>
> Please correct me if I'm wrong, but isn't ajax (and ahah) only a means 
> to communicate with the server without causing a refresh? Does ajax 
> provide something beyond that?
That's exactly what's provided by XHR (what's usually referred to as 
ajax) - a means of mini-requests instead of full-page requests.  You 
still have to maintain a session id and everything when communicating 
with the server, but with a well thought out application, you can skip a 
lot of the back and forth between the server and hence keep a lot of the 
heavy lifting that involves simple client-side interaction on the client. 

Ideally we should be molding our requests around usability, which is 
what the ubiquity of XHR allows us to finally do.  When we build apps 
for the web, we tend to mold usability around server requests.  It might 
make sense to do so after writing web apps for a while, but to users who 
aren't as affiliated, waiting for 3 or 4 pages to load to fill out a 
form doesn't make very much sense.

For instance, your user wants to register at your site.  The user enters 
their username, password, address, personal information, etc and 
submit.  The username is already in use, so the entire form has to be 
reloaded, all the previously entered values have to be shown.  This is a 
large request on the server (check the db for a  username, revert to the 
last page with posted data, regenerate the template and fill the form 
values).  With an XHR capable form, as soon as you tab off of the 
username field, a smaller request is made to check the username, and the 
user knows immediately if they can continue.  No reloading of the page, 
minimal server request for the one thing needed instead of the whole 
thing.  Saves bandwidth, but far more importantly, saves the user's time 
and patience.

It mostly depends on what you're building.  There's generally not much 
use for XHR on a blog app, unless you're adding some bells and whistles 
that people can use (a poll that won't refresh the page and hence force 
the reader to lose their place, for instance).  But on a CMS app or 
other type of application that requires a good deal of communication 
with the server without having to reload an entire page, it can change 
the entire way you program.


From bz-gmort at beezifies.com  Wed Sep  5 09:47:43 2007
From: bz-gmort at beezifies.com (Gary Mort)
Date: Wed, 05 Sep 2007 09:47:43 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To: <p06240806c304566c9180@[192.168.1.109]>
References: <46DD54B0.5060803@secdat.com>
	<07f701c7efb3$52f6a9f0$651ba8c0@MobileZ>
	<46DE9F28.5060705@beezifies.com>
	<p06240806c304566c9180@[192.168.1.109]>
Message-ID: <46DEB37F.4090905@beezifies.com>

tedd wrote:
> At 8:20 AM -0400 9/5/07, bz-gmort at beezifies.com wrote:
>>
>> I read the above as, to take a simple example:
>
> I read your "simple example" and see that you can do it w/wo ajax -- 
> but I don't see the advantage in using ajax other than presentation.
>

To do it without Ajax requires you to explicitly create code to track 
each individual browser window as the user moves throughout the system 
so you can bring them back to where they started from.

Using Ajax, you didn't have to write a line of code since the state was 
maintained in the browser window itself.

So it was not having to code for the situation at all due to using Ajax.

Is that an advantage?  I don't see it as one, as using Ajax in that 
manner introduces other problems.  But it is a different way to code and 
based on your individual mindset, you might find it easier to think in 
terms of letting the browser maintain it's own tracking than in trying 
to track every variable yourself.

> Please correct me if I'm wrong, but isn't ajax (and ahah) only a means 
> to communicate with the server without causing a refresh? Does ajax 
> provide something beyond that? 

Ajax changes the way you program. 
Consider the following:
You have a form with 100 fields of information, 1 of which must be 
unique in your database.

A user enters all 100 pieces of data and than submits it(yes, this is 
poor form.  You should pace the data over multiple input screens so as 
not to overwhelm the user.  I however deal with the real world where 
real clients insist this is the way everyone wants to enter data and 
refuse alternate suggestions such as tabs.  *shrug*), you check for 
uniqueness and generate an error message, as well as having to make sure 
to preload every one of those 99 fields in the error form, as well as 
prompting for a new unique key.  Alternatively, you could prompt for 
that one piece of unique data, and than reserve it for that user and 
than prompt for the other 99.

Problems:
If checking after the user enters 100 different fields, they get very 
very irate to be asked to enter yet another piece of data.
If you reserve the field for them and they don't complete the 
registration, you also need to build a cleanup process or have phantom 
records hanging around.

With Ajax:
You can check that unique field at the moment they enter it, so they can 
pick one at the time.  And you can check that field when they try to 
submit it and keep them from submitting a non unique value(in case 
someone claimed it while they filled in the info).  You STILL need to 
perform the final submit check, but you reduce user irritation by 
minimizing attempts at loading bad data.

Also, the classic Ajax example.  Go the newegg.com and start searching 
for something.  It generates a drop down list dynamically of potential 
matches.  Without AJAX and with a database of thousands of keywords, you 
will need to perform fuzzy searches and deal with users mis-spelling 
keywords.

With Ajax, you can get correct keywords and don't need fuzzy searches.

Ajax allows you to move certain lookups from popup windows, which are 
annoying and frequently blocked, to the main window itself.

Imagine you want to select a user from a list of 1000 users.  An old way 
of doing it could be to list the letters of the Alphabet, and have 
clicking on them popup a window with just the users who have a lastname 
starting with that letter.  Than you select the user and the popup 
closes, using javascript to load the field.

With Ajax, instead you can do that sort of lookup in the browser itself.

All of this is due to being able to "communicate with the server without 
causing a browser refresh"  Basically, Ajax can turn traditional client 
lite/server heavy applications into client heavy/server lite applications. 

This is not always a good thing!  It is simply a thing.  Whether it is 
good or bad depends strongly on your users, your application, and your 
needs(I'm not a big Ajax advocate, heck I've only used it in a few apps.)



From bz-gmort at beezifies.com  Wed Sep  5 09:51:44 2007
From: bz-gmort at beezifies.com (bz-gmort at beezifies.com)
Date: Wed, 05 Sep 2007 09:51:44 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To: <46DEAFC5.2090108@secdat.com>
References: <46DD54B0.5060803@secdat.com>	<07f701c7efb3$52f6a9f0$651ba8c0@MobileZ>	<46DE9F28.5060705@beezifies.com>	<p06240806c304566c9180@[192.168.1.109]>
	<46DEAFC5.2090108@secdat.com>
Message-ID: <46DEB470.9010608@beezifies.com>

Kenneth Downs wrote:
>
> BZ's example is exactly what I've been coding the past week or so, and 
> it is far simpler keeping track 
^^^^^
I'll take this as a hint that I need to create a sigfile with my name 
and such in it.



From ken at secdat.com  Wed Sep  5 10:13:54 2007
From: ken at secdat.com (Kenneth Downs)
Date: Wed, 05 Sep 2007 10:13:54 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To: <46DEB470.9010608@beezifies.com>
References: <46DD54B0.5060803@secdat.com>	<07f701c7efb3$52f6a9f0$651ba8c0@MobileZ>	<46DE9F28.5060705@beezifies.com>	<p06240806c304566c9180@[192.168.1.109]>	<46DEAFC5.2090108@secdat.com>
	<46DEB470.9010608@beezifies.com>
Message-ID: <46DEB9A2.2050306@secdat.com>

bz-gmort at beezifies.com wrote:
> Kenneth Downs wrote:
>>
>> BZ's example is exactly what I've been coding the past week or so, 
>> and it is far simpler keeping track 
> ^^^^^
> I'll take this as a hint that I need to create a sigfile with my name 
> and such in it.

Unless you've got secrets to keep :)

>
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php


-- 
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com    www.andromeda-project.org
631-689-7200   Fax: 631-689-0527
cell: 631-379-0010



From ken at secdat.com  Wed Sep  5 10:22:33 2007
From: ken at secdat.com (Kenneth Downs)
Date: Wed, 05 Sep 2007 10:22:33 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To: <07f701c7efb3$52f6a9f0$651ba8c0@MobileZ>
References: <46DD54B0.5060803@secdat.com>
	<07f701c7efb3$52f6a9f0$651ba8c0@MobileZ>
Message-ID: <46DEBBA9.8010102@secdat.com>

Hans Zaunere wrote:
>   
>> Ajax solves this problem neatly by letting you move all state [1] into
>> the browser.  This makes sense from an architectural viewpoint because
>> we are putting this context information close to where it is needed,
>> the UI.
>>     
>
> I'm not sure what you mean, though, by keeping state in the browser.  
>   

For example, when a table maintenance form loads up (aka CRUD form), 
with simulated tabs, one for browse, one for detail editing.  There is a 
global object that looks something like this:

x4global.tabs=new Object();
x4global.tabs[x0] = new Object();
x4global.tabs[x0].tabType = 'browse';
x4global.tabs[x0].table_id = 'contacts';
x4global.tabs[x0].columns = 'ssn,first_name,last_name,phone'
x4global.tabs[x0].widgets = new Object();
x4global.tabs[x0].widgets[ssn] = 'x4w_ssn'
x4global.tabs[x0].widgets[ssn] = 'x4w_ssn'
x4global.tabs[x0].widgets[ssn] = 'x4w_ssn'
...
... and so on

This allows the browser to keep a small library of JS code that receives 
JSON back from the browser, then it looks at the response to see what it 
should do, and uses the x4global object to figure out where to put things.


-- 
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com    www.andromeda-project.org
631-689-7200   Fax: 631-689-0527
cell: 631-379-0010

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070905/be368a1e/attachment.html>

From maxarbos at yahoo.com  Wed Sep  5 11:05:49 2007
From: maxarbos at yahoo.com (Bill P.)
Date: Wed, 5 Sep 2007 08:05:49 -0700 (PDT)
Subject: [nycphp-talk] MSSql , IIS Encrypted Connection String
In-Reply-To: <46DD511A.2040709@beezifies.com>
Message-ID: <943547.98854.qm@web90611.mail.mud.yahoo.com>

Hi Gary,

I have been reading through these articles and it really does make it seems very secure, but the plainttext connection is still being sent over to the sql machine, as you stated, right?

I cannot seem to find any info on how to send an encrypted string to the db and have the db machine decrypt it properly before making the connection.

still a little unsure if i am missing something though.
Bill



Gary Mort <bz-gmort at beezifies.com> wrote: Bill P. wrote:
> Hello,
>
> I have a project that will be using IIS and mssql.
> I need to use an encrypted conneciton string in my config/lib.php file.
>
> mssql has built in encryption connection ability, but within asp.
>
> Everything will be written in php so does anyone have any suggestions 
> on encrypting a connection string to connect to a mssql db?
>
What's the point of encrypting the data?
Reading through 
http://msdn2.microsoft.com/en-us/library/ms998280.aspx
and
http://msdn2.microsoft.com/en-us/library/ms998283.aspx, it is purely a 
local system server protection.

IE
You have web servers A. B. and C
You have MSSQL Server D and a database(MyDatabase)

A web application running on the WEB server wants to connect to the 
MSSQL server.
Using ASP,. some code somewhere says "Connect to MyDatabase, a MSSQL 
Database "

ASP will then search for a text file called web.conf, and it will grab 
the connection information stored there(the server it is on, the 
database name, yadda yadda).

Than it connects up to the server and does whatever you want it to do.

"Encrypted connection string" just means that the data stored in that 
text file is encrypted, using either an RSA mechanism or DPAPI - which 
to tell you the truth is completely beyond me.  I know there are 
different mechanisms for encryption.  I know in a general way how 
public/private key encryption works. And I know the longer the key 
length, in general, the more secure and the longer to process.  When I 
need to know more than that, I research what the industry stds are at 
that time, what is the best performance for a situation, and move on.  
Trying to understand the math behind it all would drive me bonkers. 

Using encrypted connection strings, the ASP program has an extra step. 
It accesses the text file, grabs the data, and then decrypts the data 
and uses it.  It doesn't actually send the data in an encrypted format 
to the server - the key to noticing this for me was that your ASP 
program can display the plaintext decoded info to you, so it's decoding 
it on the web server. 

So really, you get the same benefit by choosing any encryption scheme 
you like for PHP and encrypting the connection information file that 
your using.

The only reason I can see to use "encrypted connection strings" the 
Microsoft way is the method used in that RSA article(link above).

There, they suggest that for a server farm, what you would do is create 
the connection string file on the MSSQL server system(or on your own 
system, whatever.  The point is, you don't create it on servers A,B, and 
C).  Than you encrypt the file using RSA and transfer both the encrypted 
file AND the RSA private key needed to decrypt the file to servers 
A,B,and C.  Than by installing them under the appropriate user, web apps 
running under that user can decrypt the data.

If that is your goal, find a PHP RSA decryption routine, place the 
private key somewhere secure on your server, and use the key to decrypt 
the connection string file.  Than parse the file and shove the 
appropriate fields into your PHP connection.  If you want to use their 
method, they store the private key in the registry, so you can pull it 
out the same way.

Am I missing something here on how encrypted connection string works?  
(Besides the obvious that Microsoft went to great lengths to describe a 
fairly simple process in complex language such that it would appear to 
be a function exclusive to their API, instead of a fairly trivial 
implementation of standard config file encryption.  I mean, on first 
glance, I thought it was pretty cool, the concept being that you would 
provide the web servers with a connection string encrypted just for each 
server, and that server would send the encrypted data to the database 
server - thus it would not ever know what the true userid and password 
was and since the key is assigned to an ip address, a connection using 
the same config file from a different system would be rejected.  But no, 
it doesn't seem to be that, just a local config file encryption.)
_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com

Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php


       
---------------------------------
Take the Internet to Go: Yahoo!Go puts the Internet in your pocket: mail, news, photos & more. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070905/94c12f06/attachment.html>

From tedd at sperling.com  Wed Sep  5 11:08:44 2007
From: tedd at sperling.com (tedd)
Date: Wed, 5 Sep 2007 11:08:44 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To: <46DEB1C4.2010205@enobrev.com>
References: <46DD54B0.5060803@secdat.com>
	<07f701c7efb3$52f6a9f0$651ba8c0@MobileZ>	<46DE9F28.5060705@beezifies.com>
	<p06240806c304566c9180@[192.168.1.109]> <46DEB1C4.2010205@enobrev.com>
Message-ID: <p0624080ac30472a72f59@[192.168.1.109]>

At 9:40 AM -0400 9/5/07, Mark Armendariz wrote:
>tedd wrote:
>>At 8:20 AM -0400 9/5/07, bz-gmort at beezifies.com wrote:
>>>Hans Zaunere wrote:
>>>>Ajax solves this problem neatly by letting you move all state [1] into
>>>>>the browser.  This makes sense from an architectural viewpoint because
>>>>>we are putting this context information close to where it is needed,
>>>>>the UI.
>>>>>
>>>>
>>>>I'm not sure what you mean, though, by keeping state in the 
>>>>browser.  Here's
>>>>essentially what's work for me in the past:P
>>>>
>>>
>>>I read the above as, to take a simple example:
>>
>>I read your "simple example" and see that you can do it w/wo ajax 
>>-- but I don't see the advantage in using ajax other than 
>>presentation.
>>
>>Please correct me if I'm wrong, but isn't ajax (and ahah) only a 
>>means to communicate with the server without causing a refresh? 
>>Does ajax provide something beyond that?
>That's exactly what's provided by XHR (what's usually referred to as 
>ajax) - a means of mini-requests instead of full-page requests.

Mark:

-snip- Thanks for the examples.

The examples you provided basically do only one thing -- they 
communicates with the server without a refresh -- nothing more.

I know all about filling in forms, checking if the user is registered 
or not, and numerous other aspects of how to use ajax to update web 
pages without refresh to enrich the user's experience. Been there, 
done that.

I also know how to use ajax to communicate with php to do stuff, like so:

http://webbytedd.com/b/timed-php/

So, I am familiar with ajax. But, everything I've seen thus far is 
simply using the get/post aspects of javascript to communicate with 
the server, nothing more.

Now, what I am asking is not how ajax communication with the server 
can be used, but rather is there anything beyond that which ajax can 
provide?

Another way of asking this question is, "Besides not triggering a 
refresh, what can ajax do that php can not?"

Note: I know that technically, ajax uses xml, but in the cases we've 
discussed thus far, I'm assuming that this has been limited to 
responseTEXT property and not to xml, correct?

Cheers,

tedd

-- 
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com


From tedd at sperling.com  Wed Sep  5 11:20:37 2007
From: tedd at sperling.com (tedd)
Date: Wed, 5 Sep 2007 11:20:37 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To: <46DEAFC5.2090108@secdat.com>
References: <46DD54B0.5060803@secdat.com>
	<07f701c7efb3$52f6a9f0$651ba8c0@MobileZ>	<46DE9F28.5060705@beezifies.com>
	<p06240806c304566c9180@[192.168.1.109]> <46DEAFC5.2090108@secdat.com>
Message-ID: <p0624080bc304774c4609@[192.168.1.109]>

At 9:31 AM -0400 9/5/07, Kenneth Downs wrote:
>tedd wrote:
>>At 8:20 AM -0400 9/5/07, bz-gmort at beezifies.com wrote:
>>>Hans Zaunere wrote:
>>>>Ajax solves this problem neatly by letting you move all state [1] into
>>>>>the browser.  This makes sense from an architectural viewpoint because
>>>>>we are putting this context information close to where it is needed,
>>>>>the UI.
>>>>>
>>>>
>>>>I'm not sure what you mean, though, by keeping state in the 
>>>>browser.  Here's
>>>>essentially what's work for me in the past:P
>>>>
>>>
>>>I read the above as, to take a simple example:
>>
>>I read your "simple example" and see that you can do it w/wo ajax 
>>-- but I don't see the advantage in using ajax other than 
>>presentation.
>>
>>Please correct me if I'm wrong, but isn't ajax (and ahah) only a 
>>means to communicate with the server without causing a refresh? 
>>Does ajax provide something beyond that?
>
>Yes, AJAX provides benefits beyond its simple ability to communicate 
>w/o a refresh.
>
>BZ's example is exactly what I've been coding the past week or so, 
>and it is far simpler keeping track of things in the browser than on 
>the server, particularly with tabbed browsing.
>
>Here is a smaller example.  User has a form up to do a database 
>insert -- such as create a new insurance company entry.  They have 
>some duplicate information and their save will fail, but they don't 
>know and they hit save.  What happens?
>
>-> In non-ajax world, you submit the form.  The data is validated 
>and a list of errors is generated.  You regenerate the HTML, 
>populate the form with the original values, place the error notices, 
>and send it back.
>-> In the ajax world you do an Ajax submit and get back a JSON 
>object that contains an array listing the errors.  The response 
>handler puts up a popup telling you there were errors, then it adds 
>the errors next to the inputs that have problems and changes their 
>css class to make them red (or whatever).
>    - no regenerating the form on the server
>    - no re-assigning values (they were never changed)
>    - no html processing AT ALL on server, just take the data and run 
>the INSERT
>
>Doing this requires that some state be stored in the browser as the 
>properties of a global object.  That was the thrust of my original 
>post, and bz fleshed out scenarios where it would be used.  Here 
>I've tried to give a very specific example of how it changes your 
>coding practices.
>

Yes, but I can do all of that via javascript without touching the 
server or using ajax.

Just keep the user entering data until the data is correct, then 
submit the form via ajax or as one normally would via a form submit.

So, I don't see the ajax advantage here.

Granted, I may be missing the point, are you saying that you can 
communicate data between two open windows on the client side?

Cheers,

tedd
-- 
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com


From bz-gmort at beezifies.com  Wed Sep  5 11:31:57 2007
From: bz-gmort at beezifies.com (Gary Mort)
Date: Wed, 05 Sep 2007 11:31:57 -0400
Subject: [nycphp-talk] MSSql , IIS Encrypted Connection String
In-Reply-To: <943547.98854.qm@web90611.mail.mud.yahoo.com>
References: <943547.98854.qm@web90611.mail.mud.yahoo.com>
Message-ID: <46DECBED.9010406@beezifies.com>

Bill P. wrote:
> Hi Gary,
>
> I have been reading through these articles and it really does make it 
> seems very secure, but the plainttext connection is still being sent 
> over to the sql machine, as you stated, right?
> I cannot seem to find any info on how to send an encrypted string to 
> the db and have the db machine decrypt it properly before making the 
> connection.

Erm, no, what I was saying is that according to the doc, that the 
encrypted connection string was being decrypted by the client before 
being used to connect.  Basically, whether or not the connection string 
is encrypted in the file is irrelevant to how it is used between 
systems. As for the connection itself, that occurs in whatever manner 
you connect.  I am not especially familiar with MSSQL to say how that is 
done.

I will note that the documentation included at least one "secure" 
mechanism.  Between windows machines, you can use NTLM security - which 
is Microsoft's preferred method of doing connections and encrypts the 
password before sending it(all Microsoft servers and clients seem to 
support NTLM.  I know that Internet Explorer connecting to an IIS server 
will default to trying an NTLM logon first).

If you want to encrypt the connection string, the simplest answer is to 
encrypt the who sessions.  IE set up a VPN between the web server and 
the database server and send all connections through the VPN.  Outside 
of that, you need to do some work into learning how the connection is 
actually done and what is involved.  For example, with making a DB2 
connection from a client to a server, you use a DB2 client installed on 
the client itself.  So PHP merely connects to the local DB2 client, 
passes it the connection info, and the client will connect to the server 
- and thus you can configure the db2 client to use encrypted 
connections, or encrypt the password.

Does MSSQL follow the same pattern?  Do you have mssql specific client 
code installed on the web server?




From dell at sala.ca  Wed Sep  5 11:33:20 2007
From: dell at sala.ca (Dell Sala)
Date: Wed, 5 Sep 2007 11:33:20 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To: <p0624080ac30472a72f59@[192.168.1.109]>
References: <46DD54B0.5060803@secdat.com>
	<07f701c7efb3$52f6a9f0$651ba8c0@MobileZ>	<46DE9F28.5060705@beezifies.com>
	<p06240806c304566c9180@[192.168.1.109]>
	<46DEB1C4.2010205@enobrev.com>
	<p0624080ac30472a72f59@[192.168.1.109]>
Message-ID: <DDB437A3-CE77-471F-8401-2845F72BDADC@sala.ca>

On Sep 5, 2007, at 11:08 AM, tedd wrote:

> Now, what I am asking is not how ajax communication with the server  
> can be used, but rather is there anything beyond that which ajax  
> can provide?
>
> Another way of asking this question is, "Besides not triggering a  
> refresh, what can ajax do that php can not?"

At the root of things, that IS all ajax provides -- a way to issue  
requests without having to refresh the entire browser window.  
However, this opens up all kinds of other possibilities when it comes  
to building a user interface. All of a sudden you can design things  
to behave much more like a networked desktop application instead of a  
series of isolated, stateless documents.

The basic pattern becomes
1) deploy an html/javascript application to the browser
2) the html/javascript application communicates with the server to  
get any information it needs to change it's own state

You get a very nice separation between business and presentation  
source code.

Here's my beef: ** JavaScript is painful **

I've found the amount of code I have to write has increased  
dramatically. I write a little less php, but TONS more javascript.  
And debugging javascript sucks... Browser compat. issues just kill  
the experience for me. And there are performance issues too.

Ajax is great because it has given us a new way to think about  
developing web apps. But I feel this model needs a better platform...  
Flex anyone?

-- Dell



From tedd at sperling.com  Wed Sep  5 11:51:52 2007
From: tedd at sperling.com (tedd)
Date: Wed, 5 Sep 2007 11:51:52 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To: <46DEB37F.4090905@beezifies.com>
References: <46DD54B0.5060803@secdat.com>
	<07f701c7efb3$52f6a9f0$651ba8c0@MobileZ>
	<46DE9F28.5060705@beezifies.com>
	<p06240806c304566c9180@[192.168.1.109]>
	<46DEB37F.4090905@beezifies.com>
Message-ID: <p0624080cc3047e98fbfa@[192.168.1.109]>

At 9:47 AM -0400 9/5/07, Gary Mort wrote:
>tedd wrote:
>>Please correct me if I'm wrong, but isn't ajax (and ahah) only a 
>>means to communicate with the server without causing a refresh? 
>>Does ajax provide something beyond that?
>
>Ajax changes the way you program. Consider the following:
>You have a form with 100 fields of information, 1 of which must be 
>unique in your database.
>
>-snip-
>
>With Ajax:
>You can check that unique field at the moment they enter it, so they 
>can pick one at the time.  And you can check that field when they 
>try to submit it and keep them from submitting a non unique value(in 
>case someone claimed it while they filled in the info).  You STILL 
>need to perform the final submit check, but you reduce user 
>irritation by minimizing attempts at loading bad data.

Yes, I can still do that with just javascript and notify the user of 
an incorrect entry immediately using onBlur. I do it all the time.

>Also, the classic Ajax example.  Go the newegg.com and start 
>searching for something.  It generates a drop down list dynamically 
>of potential matches.  Without AJAX and with a database of thousands 
>of keywords, you will need to perform fuzzy searches and deal with 
>users mis-spelling keywords.

Been there, done that and even have an example. But it is still 
nothing more than communication between client/server without a 
refresh.

>With Ajax, you can get correct keywords and don't need fuzzy searches.

I can get specific or fuzzy searches with Ajax, but it is still just 
communication.

>Ajax allows you to move certain lookups from popup windows, which 
>are annoying and frequently blocked, to the main window itself.

Okay, this is where I'm missing the point. Are you saying that you 
can have communication between windows on the client side? I would 
like to see that.

>Imagine you want to select a user from a list of 1000 users.  An old 
>way of doing it could be to list the letters of the Alphabet, and 
>have clicking on them popup a window with just the users who have a 
>lastname starting with that letter.  Than you select the user and 
>the popup closes, using javascript to load the field.
>
>With Ajax, instead you can do that sort of lookup in the browser itself.
>
>All of this is due to being able to "communicate with the server 
>without causing a browser refresh"  Basically, Ajax can turn 
>traditional client lite/server heavy applications into client 
>heavy/server lite applications.

Now, I'm back to square one (I guess I should have read everything 
before I started writing).

That's been my point -- ajax is only performing communication between 
the server and the client without a refresh. I've been asking, is 
that all there is?

Cheers,

tedd
-- 
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com


From dell at sala.ca  Wed Sep  5 11:52:06 2007
From: dell at sala.ca (Dell Sala)
Date: Wed, 5 Sep 2007 11:52:06 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To: <p0624080bc304774c4609@[192.168.1.109]>
References: <46DD54B0.5060803@secdat.com>
	<07f701c7efb3$52f6a9f0$651ba8c0@MobileZ>	<46DE9F28.5060705@beezifies.com>
	<p06240806c304566c9180@[192.168.1.109]>
	<46DEAFC5.2090108@secdat.com>
	<p0624080bc304774c4609@[192.168.1.109]>
Message-ID: <C138EF07-DD3E-42CD-8AF5-E5A8E76C2258@sala.ca>

On Sep 5, 2007, at 11:20 AM, tedd wrote:

> Just keep the user entering data until the data is correct, then  
> submit the form via ajax or as one normally would via a form submit.
>
> So, I don't see the ajax advantage here.

The problem with what you're describing is that all your form  
validation code (business logic) is deployed to the browser as  
javascript. For serious applications, the server cannot rely on the  
client to take care of things like validation, because they can  
easily be bypassed.

What ajax allows you to do is keep the heavy lifting business logic  
on the server (where it belongs), but have your web page change it's  
own state without having to ask the server to redraw an entire  
document every time it needs some new information, or a calculation  
performed.

For example: you could authenticate a user without having to refresh  
the page. There is no way to do that without asking the server to  
verify credentials. Ajax (or some other kind of remoting) is required  
if you want to avoid a page refresh.

-- Dell



From tedd at sperling.com  Wed Sep  5 12:04:23 2007
From: tedd at sperling.com (tedd)
Date: Wed, 5 Sep 2007 12:04:23 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To: <DDB437A3-CE77-471F-8401-2845F72BDADC@sala.ca>
References: <46DD54B0.5060803@secdat.com>
	<07f701c7efb3$52f6a9f0$651ba8c0@MobileZ>	<46DE9F28.5060705@beezifies.com>
	<p06240806c304566c9180@[192.168.1.109]>	<46DEB1C4.2010205@enobrev.com>
	<p0624080ac30472a72f59@[192.168.1.109]>
	<DDB437A3-CE77-471F-8401-2845F72BDADC@sala.ca>
Message-ID: <p0624080ec3048288e833@[192.168.1.109]>

At 11:33 AM -0400 9/5/07, Dell Sala wrote:
>On Sep 5, 2007, at 11:08 AM, tedd wrote:
>
>>Now, what I am asking is not how ajax communication with the server 
>>can be used, but rather is there anything beyond that which ajax 
>>can provide?
>>
>>Another way of asking this question is, "Besides not triggering a 
>>refresh, what can ajax do that php can not?"
>
>At the root of things, that IS all ajax provides


OK then, my confusion has been cleared.

 From many of the post here, I thought someone had discovered something new.

My only fault with ajax is that many people make it out to be 
something more complicated than what it actually is -- when in fact, 
it's pretty simple.

Sure it's application can get complicated as to what calls what and 
when, but when you distill what it does down to the basics, things 
become much simpler. I like simple.

Thanks everyone,

Cheers,

tedd
-- 
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com


From bz-gmort at beezifies.com  Wed Sep  5 12:07:22 2007
From: bz-gmort at beezifies.com (Gary Mort)
Date: Wed, 05 Sep 2007 12:07:22 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To: <p0624080ac30472a72f59@[192.168.1.109]>
References: <46DD54B0.5060803@secdat.com>	<07f701c7efb3$52f6a9f0$651ba8c0@MobileZ>	<46DE9F28.5060705@beezifies.com>	<p06240806c304566c9180@[192.168.1.109]>
	<46DEB1C4.2010205@enobrev.com>
	<p0624080ac30472a72f59@[192.168.1.109]>
Message-ID: <46DED43A.6040803@beezifies.com>

tedd wrote:
> Another way of asking this question is, "Besides not triggering a 
> refresh, what can ajax do that php can not?"
>

PHP cannot control the browser presentation, it can merely provide 
static information to the browser.
Javascript can control the browser presentation, and it can be generated 
by PHP
AJAX merely allows you to combine the functionality of javascript with 
the dynamic data access of PHP(or any other CGI script) in order to put 
the two together in a more dynamic fashion.  It has sparked some 
innovations in presenting and packaging data generated by CGI that than 
make the whole thing reusable(for example, frameworks which pull all the 
dynamic data down to the server and then allow one to work offline and 
then sync up to the server.  Of course, the curmudgeon in me would say 
"well, besides using a web browser, what can this do that a Lotus Notes 
client can't? " :-0 and the answer is it can be done without charging 
hundreds of dollars per user.)

I see web browser applications slowly approaching the full power of a 
Notes Application from over 5 years ago.  But they do it in a cross 
platform, affordable manner.  Still, with notes I knew precisely what 
functions would work on every system with a notes client plus had 
certain levels of security unavailable with a browser without a lot of 
work, so it has it's place in the corporate environment.



From tedd at sperling.com  Wed Sep  5 12:10:16 2007
From: tedd at sperling.com (tedd)
Date: Wed, 5 Sep 2007 12:10:16 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To: <C138EF07-DD3E-42CD-8AF5-E5A8E76C2258@sala.ca>
References: <46DD54B0.5060803@secdat.com>
	<07f701c7efb3$52f6a9f0$651ba8c0@MobileZ>	<46DE9F28.5060705@beezifies.com>
	<p06240806c304566c9180@[192.168.1.109]>	<46DEAFC5.2090108@secdat.com>
	<p0624080bc304774c4609@[192.168.1.109]>
	<C138EF07-DD3E-42CD-8AF5-E5A8E76C2258@sala.ca>
Message-ID: <p0624080fc30484314bcc@[192.168.1.109]>

At 11:52 AM -0400 9/5/07, Dell Sala wrote:
>On Sep 5, 2007, at 11:20 AM, tedd wrote:
>
>>Just keep the user entering data until the data is correct, then 
>>submit the form via ajax or as one normally would via a form submit.
>>
>>So, I don't see the ajax advantage here.
>
>The problem with what you're describing is that all your form 
>validation code (business logic) is deployed to the browser as 
>javascript. For serious applications, the server cannot rely on the 
>client to take care of things like validation, because they can 
>easily be bypassed.
>
>What ajax allows you to do is keep the heavy lifting business logic 
>on the server (where it belongs), but have your web page change it's 
>own state without having to ask the server to redraw an entire 
>document every time it needs some new information, or a calculation 
>performed.
>
>For example: you could authenticate a user without having to refresh 
>the page. There is no way to do that without asking the server to 
>verify credentials. Ajax (or some other kind of remoting) is 
>required if you want to avoid a page refresh.
>
>-- Dell

-- Dell:

Well of course, you never trust anything on the client side and it 
makes sense to do the user input checks client-side and then validate 
on server side, but that's not what we've (at at least me) have been 
discussing.

The only question I've asked here is what beyond communication 
without refresh does ajax provide and the only answer I've received 
is "nothing", which is what I expect.

Thanks for your time.

Cheers,

tedd



-- 
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com


From tedd at sperling.com  Wed Sep  5 12:50:26 2007
From: tedd at sperling.com (tedd)
Date: Wed, 5 Sep 2007 12:50:26 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To: <46DED43A.6040803@beezifies.com>
References: <46DD54B0.5060803@secdat.com>
	<07f701c7efb3$52f6a9f0$651ba8c0@MobileZ>	<46DE9F28.5060705@beezifies.com>
	<p06240806c304566c9180@[192.168.1.109]>	<46DEB1C4.2010205@enobrev.com>
	<p0624080ac30472a72f59@[192.168.1.109]>
	<46DED43A.6040803@beezifies.com>
Message-ID: <p06240812c30487400335@[192.168.1.109]>

At 12:07 PM -0400 9/5/07, Gary Mort wrote:
>tedd wrote:
>>Another way of asking this question is, "Besides not triggering a 
>>refresh, what can ajax do that php can not?"
>>
>
>PHP cannot control the browser presentation, it can merely provide 
>static information to the browser.

Ah yes, my question was somewhat lame. I know that php can't control 
client-side. But, that's not what I was asking.

>Javascript can control the browser presentation, and it can be 
>generated by PHP
>AJAX merely allows you to combine the functionality of javascript 
>with the dynamic data access of PHP(or any other CGI script) in 
>order to put the two together in a more dynamic fashion.  It has 
>sparked some innovations in presenting and packaging data generated 
>by CGI that than make the whole thing reusable(for example, 
>frameworks which pull all the dynamic data down to the server and 
>then allow one to work offline and then sync up to the server.

Yeah, like what I've seen in jQuery -- very exciting stuff. This impressed me:

http://webbytedd.com/a/move/


>Of course, the curmudgeon in me would say "well, besides using a web 
>browser, what can this do that a Lotus Notes client can't? " :-0 and 
>the answer is it can be done without charging hundreds of dollars 
>per user.)

Next year it will be cheaper.

>I see web browser applications slowly approaching the full power of 
>a Notes Application from over 5 years ago.  But they do it in a 
>cross platform, affordable manner.  Still, with notes I knew 
>precisely what functions would work on every system with a notes 
>client plus had certain levels of security unavailable with a 
>browser without a lot of work, so it has it's place in the corporate 
>environment.

And, perhaps the year after that those problems will be solved.

My slant, which is of no importance, is that web application 
developers have to be masters of several languages -- one won't do. 
At present, a good grasp of php, javascript, mysql, css, and ajax 
makes for good company in application development.

 From the perspective of 42 years of programming, to me all languages 
are converging anyway -- I don't see that much difference now and I 
expect that one day there will be only one.

Cheers,

tedd
-- 
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com


From bz-gmort at beezifies.com  Wed Sep  5 13:45:07 2007
From: bz-gmort at beezifies.com (bz-gmort at beezifies.com)
Date: Wed, 05 Sep 2007 13:45:07 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To: <p06240812c30487400335@[192.168.1.109]>
References: <46DD54B0.5060803@secdat.com>	<07f701c7efb3$52f6a9f0$651ba8c0@MobileZ>	<46DE9F28.5060705@beezifies.com>	<p06240806c304566c9180@[192.168.1.109]>	<46DEB1C4.2010205@enobrev.com>	<p0624080ac30472a72f59@[192.168.1.109]>	<46DED43A.6040803@beezifies.com>
	<p06240812c30487400335@[192.168.1.109]>
Message-ID: <46DEEB23.7000507@beezifies.com>

tedd wrote:
>
>
> My slant, which is of no importance, is that web application 
> developers have to be masters of several languages -- one won't do. At 
> present, a good grasp of php, javascript, mysql, css, and ajax makes 
> for good company in application development.
>

Hmm...has this ever not been the case?

I mean, with lotus notes I had to know:
Lotusscript, Notes Formula, Notes UI design, a little graphics editing, 
and SQL
Over the years, Java and Javascript got thrown into the mix as well.

Heck, before that with my very first job(writing user interfaces in an 
IBM IDE called PAS, then renamed as Visualizer, before dying) I had to know:
SQL, PAS, DB2 Query Manager, Rexx, the DB2 CLI, and C(for those 
functions that PAS just did not do and we had to write specialized 
interfaces for.  Like the barcode printer.  Oh was that a joy to work with!)


:-)


From jonbaer at jonbaer.com  Wed Sep  5 14:00:07 2007
From: jonbaer at jonbaer.com (Jon Baer)
Date: Wed, 5 Sep 2007 14:00:07 -0400
Subject: [nycphp-talk] Finding event listeners?
In-Reply-To: <46de9294.1d27360a.33b7.36a5SMTPIN_ADDED@mx.google.com>
References: <46DD97C6.8000805@secdat.com>
	<8f0676b40709041735m2bb9936gaaa11747fc7212c0@mail.gmail.com>
	<46DE8740.20504@secdat.com>
	<46de9294.1d27360a.33b7.36a5SMTPIN_ADDED@mx.google.com>
Message-ID: <7F638DF0-2AEA-49A3-B8DF-3DD96375F505@jonbaer.com>

Yep, it does ...

http://developer.yahoo.com/yui/docs/YAHOO.util.Event.html#getListeners

- Jon

On Sep 5, 2007, at 7:26 AM, Ken Robinson wrote:

> At 06:38 AM 9/5/2007, Kenneth Downs wrote:
>> John Campbell wrote:
>>>>
>>>> I cannot seem to figure out which javascript function I would  
>>>> use to
>>>> determine the event listeners that have been added to an  
>>>> element. Can
>>>> anybody steer me on this? Thanks...
>>>>
>>>
>>>
>>> It is not possible to get a listing using the W3C DOM methods.  You
>>> will have to use a custom event manager if you want to be able to  
>>> get
>>> an array of references of the function objects.
>>>
>>
>> Urg.  I figured as much but was hoping I was wrong :(
>
> You might want to to take a look at the Yahoo User Interface  
> Library (YUI) at <http://developer.yahoo.com/yui/>.  When using the  
> Yahoo event functions, I believe you can get what you're looking for.
>
> Ken
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070905/37329daf/attachment.html>

From ken at secdat.com  Wed Sep  5 14:41:54 2007
From: ken at secdat.com (Kenneth Downs)
Date: Wed, 05 Sep 2007 14:41:54 -0400
Subject: [nycphp-talk] Asynchronous downloads -- how?
Message-ID: <46DEF872.5060803@secdat.com>

Hi folks,

Let's say you have a link on a page, 
www.example.com/friendly-url/file.mp3, which is actually being handled 
by a PHP file that checks for subscription status and then sends the 
file.  It looks like a straight download to the user.  So far so good.

Now let's say the file is 50MB, so that a download will take several 
minutes.

When the user initiates the download, and then attempts to go to another 
page on the site, they cannot.  All access to the site is waiting until 
the download completes.

I would like the user to be able to continue to navigate while the 
download continues in the background.

The best I could come up with on Google suggests that it is the apache 
server that is limiting the number of requests it will serve to a given 
host.  Zend sells something that supposedly cures this for downloads, 
but they wont' give pricing on their site and they did not answer my 
inquiry.

Anybody know if an apache setting can be made to allow more connections 
to a domain from  a host?  At least two I figure, so that the download 
and page navigation can both be going on?

-- 
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com    www.andromeda-project.org
631-689-7200   Fax: 631-689-0527
cell: 631-379-0010



From nyphp at summit7solutions.com  Wed Sep  5 14:58:31 2007
From: nyphp at summit7solutions.com (Jeff Wilhelm - NYPHP)
Date: Wed, 5 Sep 2007 14:58:31 -0400
Subject: [nycphp-talk] Asynchronous downloads -- how?
In-Reply-To: <46DEF872.5060803@secdat.com>
References: <46DEF872.5060803@secdat.com>
Message-ID: <12cc01c7efee$c0a87970$327ba8c0@ERNIE>

The setting is part of the HTTP 1.0 settings set on the client. You can edit
the registry (as a user) and allow more than two simultaneous connections to
a site, but as the site operator you are more limited. The way most sites
(us included) get around this is by having the downloads come from
downloads.sitename.com whereas the content is server from www.sitename.com.
This way the downloads are coming from a different server, and normal
navigation can continue.


 

-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On
Behalf Of Kenneth Downs
Sent: Wednesday, September 05, 2007 2:42 PM
To: NYPHP Talk
Subject: [nycphp-talk] Asynchronous downloads -- how?

Hi folks,

Let's say you have a link on a page,
www.example.com/friendly-url/file.mp3, which is actually being handled by a
PHP file that checks for subscription status and then sends the file.  It
looks like a straight download to the user.  So far so good.

Now let's say the file is 50MB, so that a download will take several
minutes.

When the user initiates the download, and then attempts to go to another
page on the site, they cannot.  All access to the site is waiting until the
download completes.

I would like the user to be able to continue to navigate while the download
continues in the background.

The best I could come up with on Google suggests that it is the apache
server that is limiting the number of requests it will serve to a given
host.  Zend sells something that supposedly cures this for downloads, but
they wont' give pricing on their site and they did not answer my inquiry.

Anybody know if an apache setting can be made to allow more connections to a
domain from  a host?  At least two I figure, so that the download and page
navigation can both be going on?

--
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com    www.andromeda-project.org
631-689-7200   Fax: 631-689-0527
cell: 631-379-0010

_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com

Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php




From ken at secdat.com  Wed Sep  5 15:01:37 2007
From: ken at secdat.com (Kenneth Downs)
Date: Wed, 05 Sep 2007 15:01:37 -0400
Subject: [nycphp-talk] Asynchronous downloads -- how?
In-Reply-To: <12cc01c7efee$c0a87970$327ba8c0@ERNIE>
References: <46DEF872.5060803@secdat.com>
	<12cc01c7efee$c0a87970$327ba8c0@ERNIE>
Message-ID: <46DEFD11.7010001@secdat.com>

Jeff,

Can I ask you handle authentication?  If the download request goes to 
another host, isn't the user basically starting with no session?  Or are 
we so lucky that a session on www.sitename.com is valid on 
downloads.sitename.com?

Jeff Wilhelm - NYPHP wrote:
> The setting is part of the HTTP 1.0 settings set on the client. You can edit
> the registry (as a user) and allow more than two simultaneous connections to
> a site, but as the site operator you are more limited. The way most sites
> (us included) get around this is by having the downloads come from
> downloads.sitename.com whereas the content is server from www.sitename.com.
> This way the downloads are coming from a different server, and normal
> navigation can continue.
>
>
>  
>
> -----Original Message-----
> From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On
> Behalf Of Kenneth Downs
> Sent: Wednesday, September 05, 2007 2:42 PM
> To: NYPHP Talk
> Subject: [nycphp-talk] Asynchronous downloads -- how?
>
> Hi folks,
>
> Let's say you have a link on a page,
> www.example.com/friendly-url/file.mp3, which is actually being handled by a
> PHP file that checks for subscription status and then sends the file.  It
> looks like a straight download to the user.  So far so good.
>
> Now let's say the file is 50MB, so that a download will take several
> minutes.
>
> When the user initiates the download, and then attempts to go to another
> page on the site, they cannot.  All access to the site is waiting until the
> download completes.
>
> I would like the user to be able to continue to navigate while the download
> continues in the background.
>
> The best I could come up with on Google suggests that it is the apache
> server that is limiting the number of requests it will serve to a given
> host.  Zend sells something that supposedly cures this for downloads, but
> they wont' give pricing on their site and they did not answer my inquiry.
>
> Anybody know if an apache setting can be made to allow more connections to a
> domain from  a host?  At least two I figure, so that the download and page
> navigation can both be going on?
>
> --
> Kenneth Downs
> Secure Data Software, Inc.
> www.secdat.com    www.andromeda-project.org
> 631-689-7200   Fax: 631-689-0527
> cell: 631-379-0010
>
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php
>
>
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php
>   


-- 
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com    www.andromeda-project.org
631-689-7200   Fax: 631-689-0527
cell: 631-379-0010



From dcech at phpwerx.net  Wed Sep  5 15:47:31 2007
From: dcech at phpwerx.net (Dan Cech)
Date: Wed, 05 Sep 2007 15:47:31 -0400
Subject: [nycphp-talk] Asynchronous downloads -- how?
In-Reply-To: <46DEF872.5060803@secdat.com>
References: <46DEF872.5060803@secdat.com>
Message-ID: <46DF07D3.1090509@phpwerx.net>

Kenneth Downs wrote:
> Let's say you have a link on a page,
> www.example.com/friendly-url/file.mp3, which is actually being handled
> by a PHP file that checks for subscription status and then sends the
> file.  It looks like a straight download to the user.  So far so good.
> 
> Now let's say the file is 50MB, so that a download will take several
> minutes.
> 
> When the user initiates the download, and then attempts to go to another
> page on the site, they cannot.  All access to the site is waiting until
> the download completes.

This may be an over-simplification, but are you using
session_write_close() after the authentication phase is complete?

If the session is still active during the download, other requests with
the same session id will hang while php waits for your download script
to release the lock on the session file.

Calling session_write_close() will end the session and relinquish the
locks, allowing your other scripts to run.

Dan


From ken at secdat.com  Wed Sep  5 15:59:38 2007
From: ken at secdat.com (Kenneth Downs)
Date: Wed, 05 Sep 2007 15:59:38 -0400
Subject: [nycphp-talk] Asynchronous downloads -- how?
In-Reply-To: <46DF07D3.1090509@phpwerx.net>
References: <46DEF872.5060803@secdat.com> <46DF07D3.1090509@phpwerx.net>
Message-ID: <46DF0AAA.7070601@secdat.com>

Dan Cech wrote:
> Kenneth Downs wrote:
>   
>> Let's say you have a link on a page,
>> www.example.com/friendly-url/file.mp3, which is actually being handled
>> by a PHP file that checks for subscription status and then sends the
>> file.  It looks like a straight download to the user.  So far so good.
>>
>> Now let's say the file is 50MB, so that a download will take several
>> minutes.
>>
>> When the user initiates the download, and then attempts to go to another
>> page on the site, they cannot.  All access to the site is waiting until
>> the download completes.
>>     
>
> This may be an over-simplification, but are you using
> session_write_close() after the authentication phase is complete?
>   

Dan, I owe you a beer.  That was it.

> If the session is still active during the download, other requests with
> the same session id will hang while php waits for your download script
> to release the lock on the session file.
>
> Calling session_write_close() will end the session and relinquish the
> locks, allowing your other scripts to run.
>
> Dan
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php
>   


-- 
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com    www.andromeda-project.org
631-689-7200   Fax: 631-689-0527
cell: 631-379-0010

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070905/228b3392/attachment.html>

From ben at projectskyline.com  Wed Sep  5 18:30:11 2007
From: ben at projectskyline.com (Ben Sgro (ProjectSkyLine))
Date: Wed, 5 Sep 2007 18:30:11 -0400
Subject: [nycphp-talk] CAPTCHA; Fixed.
Message-ID: <02c701c7f00c$557986d0$6401a8c0@gamebox>

Hello again, 

So I fixed the CAPTCHA PEAR issue. Well, I didn't fix it, someone else did.
It was actually a PEAR bug that was causing my issue.
http://www.pear-forum.org/viewtopic.php?p=2730 (if you want to know)

- Ben

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070905/c5e6e451/attachment.html>

From ben at projectskyline.com  Wed Sep  5 18:58:28 2007
From: ben at projectskyline.com (Ben Sgro (ProjectSkyLine))
Date: Wed, 5 Sep 2007 18:58:28 -0400
Subject: [nycphp-talk] Two part question: Shopping carts & E-commerce
References: <C2FDF5E0.75BA%cliff@pinestream.com>
Message-ID: <02dc01c7f010$46c495e0$6401a8c0@gamebox>

Hello Again,

I didn't start on the jobs list, because this is a thread I had started on 
the PHP list
and want to continue (or hopefully end it).

I am looking for someone with E-commerce experiance to assist myself and my
company with our clients needs.

Please contact me offlist with some background information and best
time to speak. I am looking for someone to consult ASAP.

- Ben

----- Original Message ----- 
From: "Cliff Hirsch" <cliff at pinestream.com>
To: "NYPHP Talk" <talk at lists.nyphp.org>
Sent: Friday, August 31, 2007 4:44 PM
Subject: Re: [nycphp-talk] Two part question: Shopping carts & E-commerce


> On 8/31/07 2:22 PM, "John Campbell" <jcampbell1 at gmail.com> wrote:
>
>>> If you really want to get into the nitty-gritty, make sure you get a
>>> cost-plus account. Meaning full-transparency where you get the actually
>>> interchange rates plus the payment processor markup.
>>
>> Can you get this service on turnover ~$300k? A couple of years ago I
>> looked and couldn't find anything.
>
> Not sure. You can always say you're a startup and project millions :) A
> little chutzpah goes a long way.
>
>
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php 



From ramons at gmx.net  Wed Sep  5 19:16:22 2007
From: ramons at gmx.net (David Krings)
Date: Wed, 05 Sep 2007 19:16:22 -0400
Subject: [nycphp-talk] PHP REDIRECT
In-Reply-To: <002301c7efb9$51b568a0$0200a8c0@X9183>
References: <20070701.215701.25801.0@webmail14.dca.untd.com>	<b76252690707020905p6809390eq9b0b9d176774bb87@mail.gmail.com><000501c7efa7$28d0fbf0$0200a8c0@X9183>	<46DE99CE.5060407@beezifies.com>
	<002301c7efb9$51b568a0$0200a8c0@X9183>
Message-ID: <46DF38C6.6020509@gmx.net>

PaulCheung wrote:
> Thanks David, Dan and bz
> 
> the missing quote was just a copying error. Using the header('location: 
> http://localhost/mainmenu.php');
> 
> this is the value of $number_of_records  = 0
> Warning: Cannot modify header information - headers already sent by 
> (output started at C:\xampp\htdocs\etestform.php:4) in 
> C:\xampp\htdocs\etestform.php on line 59
> 
> This is the error message the 4 at the end of 
> C:\xampp\htdocs\etestform.php:4 - points to script line 4. which is
> <script language="JavaScript" type="text/javascript">
> 
> Line 59 is
> 57      if ($b == 0)
> 58        {echo 'this is the value of $number_of_records  = ' . 
> $number_of_records;
> 59        header('location: http://localhost/mainmenu.php');}
> 60        else
> 

That explains it. Line 58 echos something, which is body content and 
then you try to modify the header, which is long gone to the client. And 
even if that would work, PHP would echo the line and immediately tell 
the browser to go somewhere else. Nobody can read that fast. You need to 
craft line 59 into a regular hyperlink and have the user click on it.

The error message does tell you what went wrong. And it also tells you 
where the offending output started, exactly at line 4. OK, I can see how 
one could find line 4 to be the cuplrit and to some extent it is. It is 
the chicken and the egg problem, is the header redirect at the wrong 
place or the output?

 > Using PseudoCode - Is there anything in PHP that will simply just sayes
 > the following
 >
 > If  $number_of_records == 0
 >    goto http://www.localhost/mainmenu.php ??

That depends, if there is no output before that, then you can use a 
header redirect. If there is output you could write it to a buffer and 
once all is settled and no redirects could potentially take place you 
blurt out the buffer. Usually, that is not necessary, but I recall that 
I used it once and forgot why, but I remember that the alternatives 
weren't that satisfying.

Hope that helps,

	David


From smanes at magpie.com  Wed Sep  5 19:47:11 2007
From: smanes at magpie.com (Steve Manes)
Date: Wed, 05 Sep 2007 19:47:11 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To: <p0624080ac30472a72f59@[192.168.1.109]>
References: <46DD54B0.5060803@secdat.com>	<07f701c7efb3$52f6a9f0$651ba8c0@MobileZ>	<46DE9F28.5060705@beezifies.com>	<p06240806c304566c9180@[192.168.1.109]>
	<46DEB1C4.2010205@enobrev.com>
	<p0624080ac30472a72f59@[192.168.1.109]>
Message-ID: <46DF3FFF.30606@magpie.com>

tedd wrote:
> Now, what I am asking is not how ajax communication with the server can 
> be used, but rather is there anything beyond that which ajax can provide?
> 
> Another way of asking this question is, "Besides not triggering a 
> refresh, what can ajax do that php can not?"

You're right: nothing.  But just focusing on the get/post mechanics as a 
baseline for comparison is kinda reducing the question to, "is there 
anything client/server can do that client/server can't do?"

Ajax is just a tool.  My table saw cuts wood one way, my compound miter 
saw another, my radial arm saw another.  Technically, they can all do 
the same cuts.  It's just a lot nicer (and safer) to use a table saw to 
rip panels and an SCMS to crosscut long lumber.  And technically most of 
what they can do can be done with a manual carpenter's saw and a bottle 
of glucosomine.

Here's an example where Ajax is the better tool.  I'm building a medical 
application which has a desktop containing seven collapsible DIVs.  Each 
of those DIVs can also have at least two states: view and edit.  Some 
have three, with a result list (like a list of current insurance 
policies).  That's the way the client wanted it.

Necessarily, there are a lot of queries going on to populate all the 
DIVs on that page: patient demographic info, insurance info, guarantor 
info, family relations info, a list of historical referrals, 
appointments, patient transportation, etc.  So repopulating that page 
sucks the air out of the database.  If I correct a start date for an 
insurance policy do I really want to repopulate that entire desktop 
page?  Heck no.

The better solution is to submit just the form that matters and update 
just those DIVs where that update has data relevance.  Mostly it's two 
just queries instead of a dozen: put_foo and get_foo, with Ajax 
arbitrating which display elements get updated.


From tedd at sperling.com  Wed Sep  5 20:36:33 2007
From: tedd at sperling.com (tedd)
Date: Wed, 5 Sep 2007 20:36:33 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To: <46DF3FFF.30606@magpie.com>
References: <46DD54B0.5060803@secdat.com>
	<07f701c7efb3$52f6a9f0$651ba8c0@MobileZ>	<46DE9F28.5060705@beezifies.com>
	<p06240806c304566c9180@[192.168.1.109]>	<46DEB1C4.2010205@enobrev.com>
	<p0624080ac30472a72f59@[192.168.1.109]> <46DF3FFF.30606@magpie.com>
Message-ID: <p0624080bc304fb650a49@[192.168.1.102]>

At 7:47 PM -0400 9/5/07, Steve Manes wrote:
>tedd wrote:
>>Now, what I am asking is not how ajax communication with the server 
>>can be used, but rather is there anything beyond that which ajax 
>>can provide?
>>
>>Another way of asking this question is, "Besides not triggering a 
>>refresh, what can ajax do that php can not?"
>
>You're right: nothing.  But just focusing on the get/post mechanics 
>as a baseline for comparison is kinda reducing the question to, "is 
>there anything client/server can do that client/server can't do?"
>
>Ajax is just a tool.  My table saw cuts wood one way, my compound 
>miter saw another, my radial arm saw another.  Technically, they can 
>all do the same cuts.  It's just a lot nicer (and safer) to use a 
>table saw to rip panels and an SCMS to crosscut long lumber.  And 
>technically most of what they can do can be done with a manual 
>carpenter's saw and a bottle of glucosomine.
>
>Here's an example where Ajax is the better tool.  I'm building a 
>medical application which has a desktop containing seven collapsible 
>DIVs.  Each of those DIVs can also have at least two states: view 
>and edit.  Some have three, with a result list (like a list of 
>current insurance policies).  That's the way the client wanted it.
>
>Necessarily, there are a lot of queries going on to populate all the 
>DIVs on that page: patient demographic info, insurance info, 
>guarantor info, family relations info, a list of historical 
>referrals, appointments, patient transportation, etc.  So 
>repopulating that page sucks the air out of the database.  If I 
>correct a start date for an insurance policy do I really want to 
>repopulate that entire desktop page?  Heck no.
>
>The better solution is to submit just the form that matters and 
>update just those DIVs where that update has data relevance.  Mostly 
>it's two just queries instead of a dozen: put_foo and get_foo, with 
>Ajax arbitrating which display elements get updated.

Oh, I get the reasons for using it. No arguments from me.

The beginning of this thread led me to suspect that someone had found 
a way to move data from one browser window to another and I was 
focusing in on that, but that turned to be false.

Cheers,

tedd
-- 
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com


From jcampbell1 at gmail.com  Wed Sep  5 21:35:38 2007
From: jcampbell1 at gmail.com (John Campbell)
Date: Wed, 5 Sep 2007 21:35:38 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To: <p0624080bc304fb650a49@192.168.1.102>
References: <46DD54B0.5060803@secdat.com>
	<07f701c7efb3$52f6a9f0$651ba8c0@MobileZ>
	<46DE9F28.5060705@beezifies.com> <p06240806c304566c9180@192.168.1.109>
	<46DEB1C4.2010205@enobrev.com> <p0624080ac30472a72f59@192.168.1.109>
	<46DF3FFF.30606@magpie.com> <p0624080bc304fb650a49@192.168.1.102>
Message-ID: <8f0676b40709051835g64878c07w3c4d86899feab50a@mail.gmail.com>

> The beginning of this thread led me to suspect that someone had found
> a way to move data from one browser window to another and I was
> focusing in on that, but that turned to be false.

What makes you think you can't move stuff from one window to another?
It is completely possible so long as everything is on the same domain.
There are ways of doing it across domains, but it is *much* more
complicated.

http://dev.gypsymaps.com/test/moveit.html

Enjoy,

-John Campbell


From birgunjp0071 at yahoo.com  Thu Sep  6 06:33:46 2007
From: birgunjp0071 at yahoo.com (birgunj birgunj)
Date: Thu, 6 Sep 2007 03:33:46 -0700 (PDT)
Subject: [nycphp-talk] neeed help
In-Reply-To: <8f0676b40709051835g64878c07w3c4d86899feab50a@mail.gmail.com>
Message-ID: <180767.42490.qm@web59310.mail.re1.yahoo.com>

Dear All,
   
  i need help in the following thing.
   
  1. i am uploading ebooks on my website. i want to restrict user from downloading or printing the book.user should only read the document but cant not save or download or printing.
  how do we do  this ?
   
  2.if any book have four author.one author text box ,i display but i want to display more if neccessary by clicking add author more.
   
  or 
  how to add more choices by press CLTRL.
   
  please help me its very urgent. i am very tense about this.
   
  thanks to all in advance
   
  humayoo
  

 

       
---------------------------------
Pinpoint customers who are looking for what you sell. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070906/4b979f10/attachment.html>

From ken at secdat.com  Thu Sep  6 06:46:17 2007
From: ken at secdat.com (Kenneth Downs)
Date: Thu, 06 Sep 2007 06:46:17 -0400
Subject: [nycphp-talk] neeed help
In-Reply-To: <180767.42490.qm@web59310.mail.re1.yahoo.com>
References: <180767.42490.qm@web59310.mail.re1.yahoo.com>
Message-ID: <46DFDA79.50003@secdat.com>

birgunj birgunj wrote:
> Dear All,
>  
> i need help in the following thing.
>  
> 1. i am uploading ebooks on my website. i want to restrict user from 
> downloading or printing the book.user should only read the document 
> but cant not save or download or printing.
> how do we do  this ?

This is called "DRM", for "Digital Rights Management" or "Digital 
Restrictions Management", depending on your point of view.

The broad consensus is that it is not possible to do.  The big record 
labels have begun to abandon their efforts in this direction when it 
comes to music, it just doesn't work.

However, if you must try, why not research the basic methods of DRM.


-- 
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com    www.andromeda-project.org
631-689-7200   Fax: 631-689-0527
cell: 631-379-0010



From tim_lists at o2group.com  Thu Sep  6 06:55:37 2007
From: tim_lists at o2group.com (Tim Lieberman)
Date: Thu, 06 Sep 2007 04:55:37 -0600
Subject: [nycphp-talk] neeed help
In-Reply-To: <180767.42490.qm@web59310.mail.re1.yahoo.com>
References: <180767.42490.qm@web59310.mail.re1.yahoo.com>
Message-ID: <46DFDCA9.2080708@o2group.com>

birgunj birgunj wrote:
> Dear All,
>  
> i need help in the following thing.
>  
> 1. i am uploading ebooks on my website. i want to restrict user from 
> downloading or printing the book.user should only read the document 
> but cant not save or download or printing.
> how do we do  this ?
Impossible, really.  DRM just gets broken. 

If making it difficult is "good enough" -- you could look for a eBook 
system vendor that supports this in their viewer plug-in.  Acrobat might 
even have some features like this, but I really don't know. 

You must be aware that no matter what system you use, someone will 
probably break it, and there will be a hack available for anyone who's 
motivated to find and use.  So these systems are only useful if "make it 
somewhat harder to save/print" is good enough. 
>  
> 2.if any book have four author.one author text box ,i display but i 
> want to display more if neccessary by clicking add author more.
>  
> or
> how to add more choices by press CLTRL.
The best way is probably to use javascript to output new input tags that 
look like:
<input name="authors[]" .../>

and limit the number displayed to four.

Then on the server, loop over $_REQUEST['authors'] and do something with 
the data. Don't forget to repeat your limit of four on the server -- the 
javascript limit is just for nice user experience... you must validate 
the data on the server.
>  
> please help me its very urgent. i am very tense about this.
>  
> thanks to all in advance
>  
Good luck!




From ramons at gmx.net  Thu Sep  6 07:00:57 2007
From: ramons at gmx.net (David Krings)
Date: Thu, 06 Sep 2007 07:00:57 -0400
Subject: [nycphp-talk] neeed help
In-Reply-To: <180767.42490.qm@web59310.mail.re1.yahoo.com>
References: <180767.42490.qm@web59310.mail.re1.yahoo.com>
Message-ID: <46DFDDE9.4020908@gmx.net>

birgunj birgunj wrote:
> Dear All,
>  
> i need help in the following thing.
>  
> 1. i am uploading ebooks on my website. i want to restrict user from 
> downloading or printing the book.user should only read the document but 
> cant not save or download or printing.
> how do we do  this ?
>  
> 2.if any book have four author.one author text box ,i display but i want 
> to display more if neccessary by clicking add author more.
>  
> or
> how to add more choices by press CLTRL.
>  
> please help me its very urgent. i am very tense about this.
>  
> thanks to all in advance
>  
> humayoo

If you do not want anyone to download or print the ebook you may need to 
make it into a streaming video and even then it may not be that tricky 
(just because I don't know how doesn't mean it is impossible).
We had this discussion here some days ago and you are basically out of 
luck. In order for a user to read the ebook they have to download it to 
their PC to be displayed in a browser. This is how WWW works. And once 
it is displayed in the browser you may have some control over the 
context menu, but I doubt you can manage the browser's main menues. And 
that is where the Print command is located. Also, if the users have some 
clue as to how WWW works, they will locate the downloaded ebook in the 
browser cache folder. Although, there are some ways to force the browser 
  not to cache the page contents. But then, how do you implement the 
ebook in a page anyway? Do you have something that obfuscates the 
original location on the server? Otherwise the user just needs to look 
at the page source and go directly to the URL of the ebook - and then, 
voila, no code involved that could control caching.
I could go on and on, but you really try to solve a marketing or 
management problem by wildly throwing technology at it. That approach is 
destined to fail!
Here is my proposal that from my own experience works much better:
a) price your offering so that there is no point in breaking the law
b) have your offering to be of such a high quality in content and 
delivery that users do want to pay you
c) add some other form of authentication to your site so that one has to 
login first or do something special that will make it more difficult for 
non-registered users to get the content

And if a), b), and c) are not an option, don't put it on the web. Put a 
request form up and mail CDs that are fully DRM enabled and 
self-destruct upon first use. Talk to Microsoft about this, they are 
experts in this asanine behavior.

For number 2: get a book about HTML and PHP and create some forms with 
code that first asks for the number of authors and then provides a form 
that as sufficient author entry fields.
Or get a book about ECMAScript and do some of this more fancy stuff 
where you process the click of a "More..." button on the client side. I 
am sure there are some on this list who could help you, but since this 
is a PHP list and we do server side scripting you are in the wrong 
concert here.


David


From nyphp at summit7solutions.com  Thu Sep  6 08:56:49 2007
From: nyphp at summit7solutions.com (Jeff Wilhelm - NYPHP)
Date: Thu, 6 Sep 2007 08:56:49 -0400
Subject: [nycphp-talk] Asynchronous downloads -- how?
In-Reply-To: <46DEFD11.7010001@secdat.com>
References: <46DEF872.5060803@secdat.com><12cc01c7efee$c0a87970$327ba8c0@ERNIE>
	<46DEFD11.7010001@secdat.com>
Message-ID: <13bc01c7f085$64171760$327ba8c0@ERNIE>

Well you may not need sessions on the other host in the first place, if it's
basically just a repository of files for download. But if your application
requires it, you can certainly do sessions across subdomains. 

There are a number of resources on Google, here's one:

http://www.idealog.us/2006/09/php_session_coo.html




-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On
Behalf Of Kenneth Downs
Sent: Wednesday, September 05, 2007 3:02 PM
To: NYPHP Talk
Subject: Re: [nycphp-talk] Asynchronous downloads -- how?

Jeff,

Can I ask you handle authentication?  If the download request goes to
another host, isn't the user basically starting with no session?  Or are we
so lucky that a session on www.sitename.com is valid on
downloads.sitename.com?

Jeff Wilhelm - NYPHP wrote:
> The setting is part of the HTTP 1.0 settings set on the client. You 
> can edit the registry (as a user) and allow more than two simultaneous 
> connections to a site, but as the site operator you are more limited. 
> The way most sites (us included) get around this is by having the 
> downloads come from downloads.sitename.com whereas the content is server
from www.sitename.com.
> This way the downloads are coming from a different server, and normal 
> navigation can continue.
>
>
>  
>
> -----Original Message-----
> From: talk-bounces at lists.nyphp.org 
> [mailto:talk-bounces at lists.nyphp.org] On Behalf Of Kenneth Downs
> Sent: Wednesday, September 05, 2007 2:42 PM
> To: NYPHP Talk
> Subject: [nycphp-talk] Asynchronous downloads -- how?
>
> Hi folks,
>
> Let's say you have a link on a page,
> www.example.com/friendly-url/file.mp3, which is actually being handled 
> by a PHP file that checks for subscription status and then sends the 
> file.  It looks like a straight download to the user.  So far so good.
>
> Now let's say the file is 50MB, so that a download will take several 
> minutes.
>
> When the user initiates the download, and then attempts to go to 
> another page on the site, they cannot.  All access to the site is 
> waiting until the download completes.
>
> I would like the user to be able to continue to navigate while the 
> download continues in the background.
>
> The best I could come up with on Google suggests that it is the apache 
> server that is limiting the number of requests it will serve to a 
> given host.  Zend sells something that supposedly cures this for 
> downloads, but they wont' give pricing on their site and they did not
answer my inquiry.
>
> Anybody know if an apache setting can be made to allow more 
> connections to a domain from  a host?  At least two I figure, so that 
> the download and page navigation can both be going on?
>
> --
> Kenneth Downs
> Secure Data Software, Inc.
> www.secdat.com    www.andromeda-project.org
> 631-689-7200   Fax: 631-689-0527
> cell: 631-379-0010
>
> _______________________________________________
> New York PHP Community Talk Mailing List 
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP 
> http://www.nyphp.org/show_participation.php
>
>
> _______________________________________________
> New York PHP Community Talk Mailing List 
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP 
> http://www.nyphp.org/show_participation.php
>   


--
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com    www.andromeda-project.org
631-689-7200   Fax: 631-689-0527
cell: 631-379-0010

_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com

Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php




From paulcheung at tiscali.co.uk  Thu Sep  6 09:35:07 2007
From: paulcheung at tiscali.co.uk (PaulCheung)
Date: Thu, 6 Sep 2007 14:35:07 +0100
Subject: [nycphp-talk] neeed help
References: <180767.42490.qm@web59310.mail.re1.yahoo.com>
Message-ID: <002e01c7f08a$bdf8f0f0$0200a8c0@X9183>

Hi Humayoo,

Try Googling on "PHP Data Security" or "Data Security Software". I hope this is of some help. 
I am sorry if I cannot help with any coding as my PHP/MySQL is not good enough.

Paul

----- Original Message ----- 
  From: birgunj birgunj 
  To: NYPHP Talk 
  Sent: Thursday, September 06, 2007 11:33 AM
  Subject: [nycphp-talk] neeed help


  Dear All,

  i need help in the following thing.

  1. i am uploading ebooks on my website. i want to restrict user from downloading or printing the book.user should only read the document but cant not save or download or printing.
  how do we do  this ?

  2.if any book have four author.one author text box ,i display but i want to display more if neccessary by clicking add author more.

  or 
  how to add more choices by press CLTRL.

  please help me its very urgent. i am very tense about this.

  thanks to all in advance

  humayoo


   


------------------------------------------------------------------------------
  Pinpoint customers who are looking for what you sell. 


------------------------------------------------------------------------------


  _______________________________________________
  New York PHP Community Talk Mailing List
  http://lists.nyphp.org/mailman/listinfo/talk

  NYPHPCon 2006 Presentations Online
  http://www.nyphpcon.com

  Show Your Participation in New York PHP
  http://www.nyphp.org/show_participation.php
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070906/baba13df/attachment.html>

From tedd at sperling.com  Thu Sep  6 09:49:20 2007
From: tedd at sperling.com (tedd)
Date: Thu, 6 Sep 2007 09:49:20 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To: <8f0676b40709051835g64878c07w3c4d86899feab50a@mail.gmail.com>
References: <46DD54B0.5060803@secdat.com>
	<07f701c7efb3$52f6a9f0$651ba8c0@MobileZ>	<46DE9F28.5060705@beezifies.com>
	<p06240806c304566c9180@192.168.1.109>	<46DEB1C4.2010205@enobrev.com>
	<p0624080ac30472a72f59@192.168.1.109>	<46DF3FFF.30606@magpie.com>
	<p0624080bc304fb650a49@192.168.1.102>
	<8f0676b40709051835g64878c07w3c4d86899feab50a@mail.gmail.com>
Message-ID: <p06240805c305b3da12ad@[192.168.1.102]>

At 9:35 PM -0400 9/5/07, John Campbell wrote:
>  > The beginning of this thread led me to suspect that someone had found
>>  a way to move data from one browser window to another and I was
>>  focusing in on that, but that turned to be false.
>
>What makes you think you can't move stuff from one window to another?
>It is completely possible so long as everything is on the same domain.
>There are ways of doing it across domains, but it is *much* more
>complicated.
>
>http://dev.gypsymaps.com/test/moveit.html
>
>Enjoy,
>
>-John Campbell

-John:

I'm not talking about server-side to client-side sessions or cookies 
communication, but client-side one browser window communication to 
client-side another browser window (same client obviously).

For example, if you opened:

http://webbytedd.com/c/form-calc/

and started filling in the form. And then, you opened another browser 
window and went to the same url, how could you get your second window 
display all the data you entered in the first window?

If you know how, then I'm all ears.

Cheers,

tedd
-- 
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com


From ken at secdat.com  Thu Sep  6 10:05:18 2007
From: ken at secdat.com (Kenneth Downs)
Date: Thu, 06 Sep 2007 10:05:18 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To: <p06240805c305b3da12ad@[192.168.1.102]>
References: <46DD54B0.5060803@secdat.com>	<07f701c7efb3$52f6a9f0$651ba8c0@MobileZ>	<46DE9F28.5060705@beezifies.com>	<p06240806c304566c9180@192.168.1.109>	<46DEB1C4.2010205@enobrev.com>	<p0624080ac30472a72f59@192.168.1.109>	<46DF3FFF.30606@magpie.com>	<p0624080bc304fb650a49@192.168.1.102>	<8f0676b40709051835g64878c07w3c4d86899feab50a@mail.gmail.com>
	<p06240805c305b3da12ad@[192.168.1.102]>
Message-ID: <46E0091E.30503@secdat.com>

tedd wrote:
> At 9:35 PM -0400 9/5/07, John Campbell wrote:
>>  > The beginning of this thread led me to suspect that someone had found
>>>  a way to move data from one browser window to another and I was
>>>  focusing in on that, but that turned to be false.
>>
>> What makes you think you can't move stuff from one window to another?
>> It is completely possible so long as everything is on the same domain.
>> There are ways of doing it across domains, but it is *much* more
>> complicated.
>>
>

There is a deeper user interface design issue here.  Are you attempting 
to ensure that if multiple windows are opened to the same table row, 
that they will always hold the same information in real time?  So that 
if a user is editing in one, he will see the same information in the 
other as he types?

If so, you are probably working too hard, a better user interface 
concept is to trap a request for a duplicate view of the same 
information and give focus to the window/tab that is already holding 
it.  A user will understand and expect this, and it is far simpler to 
program.

This being said, the problem falls out like so:

IF WINDOWS ARE IN SAME SESSION, some mechanism must exist so that all 
open windows/tabs are identifiable as holding a certain state, so that 
you can give focus.  If all you do is give focus, you are now finished.  
If you want to keep the same information open in two windows, have fun, 
you've got quite a bit of programming to do, and you better hire another 
support person, you are going to get a lot of weird phone calls from the 
users.

IF THE WINDOWS ARE NOT IN THE SAME SESSION, you have a bigger problem, 
being of course there is no way to know what is going on.  The simplest 
case is to disallow multiple logins by a single user, then you prevent 
this case altogether.  If this is not an option, well...





-- 
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com    www.andromeda-project.org
631-689-7200   Fax: 631-689-0527
cell: 631-379-0010



From elharo at metalab.unc.edu  Fri Sep  7 06:10:22 2007
From: elharo at metalab.unc.edu (Elliotte Harold)
Date: Fri, 07 Sep 2007 06:10:22 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To: <46DD54B0.5060803@secdat.com>
References: <46DD54B0.5060803@secdat.com>
Message-ID: <46E1238E.5010307@metalab.unc.edu>

Kenneth Downs wrote:
> One thing that seems to have gone unsaid in the praise for Ajax is its 
> ability to radically transform how we maintain state.
> 
> The web server session is our basic mechanism for storing information 
> between requests.  But it gets clumsier and clumsier to try to maintain 
> complex state across many page requests when you use a session.  
> Ingenious minds have put their will to the problem and come up with 
> workable systems, but all of them are complicated because of the nature 
> of the problem.

There are no sessions, or at least there shouldn't be in well-designed 
Web applications. There's resource state (on the server) and there's 
application state (on the client). It sounds like you're in the process 
of reinventing REST. In particular you've noticed that keeping 
application state on the server is a royal pain that severely limits 
scalability.

However this has been known for a long time. Indeed one of the primary 
design principles of HTTP is that application state is not stored on the 
server but is transmitted with each request. This was true long before 
AJAX or even JavaScript. Usually the appropriate place to put such 
application state is in the URL, though sometimes what we initially 
think of as application state can be recast as resource state.


> That problem, stated here, is simply the problem of tracking what I'll 
> call the "context" of a user's session.  Some elements of a session are 
> fixed: the user id, the password, a few other things, but almost 
> everything that we need to track is always changing.  A basic example: a 
> list of search results.  Where do you store it?  When the user hits, 
> "NEXT PAGE", how do you know what to do?  If you are using a session, 
> what happens if he opens a new window and has two search results sets up 
> for two different tables?

Which is exactly why we don't use sessions for such applications. 
Instead the page of "next" search results is a URL like

http://www.google.com/search?q=Ken+Downs&hl=en&start=10&sa=N

That's an actual Google "Next" URL. It still works even though I've 
pasted it into an e-mail and sent it to you, thus breaking any notion of 
session.


> Ajax solves this problem neatly by letting you move all state [1] into 
> the browser.  This makes sense from an architectural viewpoint because 
> we are putting this context information close to where it is needed, the 
> UI.
> I've been converting the basic Andromeda UI code over to a completely 
> AJAX system [1], and have found my code radically simplified and far 
> smoother, due almost entirely to the moving of all state information to 
> the browser.  Hurray for Ajax!

Hurray for REST!  AJAX or no AJAX, this is the right way to design a web 
application. There's a really excellent book out now from O'Reilly 
called "RESTful Web Services" that covers this in detail.

> [1] Here I'll use "state" to mean the changing context of user requests, 
> and assume we are still using the session for User_id and password.

You still have a problem then, though perhaps your systems haven't yet 
grown big enough to have noticed it. But it will kill you when you need 
to scale beyond one server. The authentication info needs to be 
transmitted with each request also.



-- 
Elliotte Rusty Harold  elharo at metalab.unc.edu
Java I/O 2nd Edition Just Published!
http://www.cafeaulait.org/books/javaio2/
http://www.amazon.com/exec/obidos/ISBN=0596527500/ref=nosim/cafeaulaitA/


From elharo at metalab.unc.edu  Fri Sep  7 06:14:03 2007
From: elharo at metalab.unc.edu (Elliotte Harold)
Date: Fri, 07 Sep 2007 06:14:03 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To: <C138EF07-DD3E-42CD-8AF5-E5A8E76C2258@sala.ca>
References: <46DD54B0.5060803@secdat.com>	<07f701c7efb3$52f6a9f0$651ba8c0@MobileZ>	<46DE9F28.5060705@beezifies.com>	<p06240806c304566c9180@[192.168.1.109]>	<46DEAFC5.2090108@secdat.com>	<p0624080bc304774c4609@[192.168.1.109]>
	<C138EF07-DD3E-42CD-8AF5-E5A8E76C2258@sala.ca>
Message-ID: <46E1246B.1020407@metalab.unc.edu>

Dell Sala wrote:
=
> The problem with what you're describing is that all your form validation 
> code (business logic) is deployed to the browser as javascript. For 
> serious applications, the server cannot rely on the client to take care 
> of things like validation, because they can easily be bypassed.

Of course not, which is why you double validate: on the client to help 
the honest user and on the server to keep out the hackers. This is true 
whether we're using HTML forms + JavaScript, XForms, or Web Forms 2.0. 
Client side validation does not replace server side validation.

> What ajax allows you to do is keep the heavy lifting business logic on 
> the server (where it belongs), but have your web page change it's own 
> state without having to ask the server to redraw an entire document 
> every time it needs some new information, or a calculation performed.

Yes, though that's actually not what Ken was talking about. :-)

-- 
Elliotte Rusty Harold  elharo at metalab.unc.edu
Java I/O 2nd Edition Just Published!
http://www.cafeaulait.org/books/javaio2/
http://www.amazon.com/exec/obidos/ISBN=0596527500/ref=nosim/cafeaulaitA/


From elharo at metalab.unc.edu  Fri Sep  7 06:16:16 2007
From: elharo at metalab.unc.edu (Elliotte Harold)
Date: Fri, 07 Sep 2007 06:16:16 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To: <p0624080ec3048288e833@[192.168.1.109]>
References: <46DD54B0.5060803@secdat.com>	<07f701c7efb3$52f6a9f0$651ba8c0@MobileZ>	<46DE9F28.5060705@beezifies.com>	<p06240806c304566c9180@[192.168.1.109]>	<46DEB1C4.2010205@enobrev.com>	<p0624080ac30472a72f59@[192.168.1.109]>	<DDB437A3-CE77-471F-8401-2845F72BDADC@sala.ca>
	<p0624080ec3048288e833@[192.168.1.109]>
Message-ID: <46E124F0.7020309@metalab.unc.edu>

tedd wrote:

>  From many of the post here, I thought someone had discovered something 
> new.
> 

Discovering something truly new is rare. There's almost always someone 
who discovered it before you. Sometimes we don't believe them, though, 
until we discover it for ourselves.

Interestingly though what Ken rediscovered is not AJAX. It's one of the 
design principles of REST: all application state should be stored on the 
client and passed to the server with each request. That he discovered 
this in the context of AJAX is an implementation detail.

-- 
Elliotte Rusty Harold  elharo at metalab.unc.edu
Java I/O 2nd Edition Just Published!
http://www.cafeaulait.org/books/javaio2/
http://www.amazon.com/exec/obidos/ISBN=0596527500/ref=nosim/cafeaulaitA/


From ken at secdat.com  Fri Sep  7 06:49:27 2007
From: ken at secdat.com (Kenneth Downs)
Date: Fri, 07 Sep 2007 06:49:27 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To: <46E124F0.7020309@metalab.unc.edu>
References: <46DD54B0.5060803@secdat.com>	<07f701c7efb3$52f6a9f0$651ba8c0@MobileZ>	<46DE9F28.5060705@beezifies.com>	<p06240806c304566c9180@[192.168.1.109]>	<46DEB1C4.2010205@enobrev.com>	<p0624080ac30472a72f59@[192.168.1.109]>	<DDB437A3-CE77-471F-8401-2845F72BDADC@sala.ca>	<p0624080ec3048288e833@[192.168.1.109]>
	<46E124F0.7020309@metalab.unc.edu>
Message-ID: <46E12CB7.7050804@secdat.com>

Elliotte Harold wrote:
> tedd wrote:
>
>>  From many of the post here, I thought someone had discovered 
>> something new.
>>
>
> Discovering something truly new is rare. There's almost always someone 
> who discovered it before you. Sometimes we don't believe them, though, 
> until we discover it for ourselves.
>
> Interestingly though what Ken rediscovered is not AJAX. It's one of 
> the design principles of REST: all application state should be stored 
> on the client and passed to the server with each request. That he 
> discovered this in the context of AJAX is an implementation detail.
>

Actually the idea was that you don't have to pass the state to the 
server, it stays on the client.    But otherwise yes that is the idea.

-- 
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com    www.andromeda-project.org
631-689-7200   Fax: 631-689-0527
cell: 631-379-0010



From ken at secdat.com  Fri Sep  7 06:51:54 2007
From: ken at secdat.com (Kenneth Downs)
Date: Fri, 07 Sep 2007 06:51:54 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To: <46E1238E.5010307@metalab.unc.edu>
References: <46DD54B0.5060803@secdat.com> <46E1238E.5010307@metalab.unc.edu>
Message-ID: <46E12D4A.2010204@secdat.com>

Elliotte Harold wrote:
>
> Which is exactly why we don't use sessions for such applications. 
> Instead the page of "next" search results is a URL like
>
> http://www.google.com/search?q=Ken+Downs&hl=en&start=10&sa=N

Did you log into Google?


-- 
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com    www.andromeda-project.org
631-689-7200   Fax: 631-689-0527
cell: 631-379-0010



From elharo at metalab.unc.edu  Fri Sep  7 07:01:39 2007
From: elharo at metalab.unc.edu (Elliotte Harold)
Date: Fri, 07 Sep 2007 07:01:39 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To: <46E12D4A.2010204@secdat.com>
References: <46DD54B0.5060803@secdat.com> <46E1238E.5010307@metalab.unc.edu>
	<46E12D4A.2010204@secdat.com>
Message-ID: <46E12F93.4040700@metalab.unc.edu>

Kenneth Downs wrote:
> Elliotte Harold wrote:
>>
>> Which is exactly why we don't use sessions for such applications. 
>> Instead the page of "next" search results is a URL like
>>
>> http://www.google.com/search?q=Ken+Downs&hl=en&start=10&sa=N
> 
> Did you log into Google?
> 
> 


Checking the screen it looks I was logged in, but that doesn't change 
the URL here. Follow that URL and you get the same results I do.

-- 
Elliotte Rusty Harold  elharo at metalab.unc.edu
Java I/O 2nd Edition Just Published!
http://www.cafeaulait.org/books/javaio2/
http://www.amazon.com/exec/obidos/ISBN=0596527500/ref=nosim/cafeaulaitA/


From ramons at gmx.net  Fri Sep  7 07:04:09 2007
From: ramons at gmx.net (David Krings)
Date: Fri, 07 Sep 2007 07:04:09 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To: <46E1238E.5010307@metalab.unc.edu>
References: <46DD54B0.5060803@secdat.com> <46E1238E.5010307@metalab.unc.edu>
Message-ID: <46E13029.1030702@gmx.net>

Elliotte Harold wrote:
> Which is exactly why we don't use sessions for such applications. 
> Instead the page of "next" search results is a URL like
> 
> http://www.google.com/search?q=Ken+Downs&hl=en&start=10&sa=N
> 
> That's an actual Google "Next" URL. It still works even though I've 
> pasted it into an e-mail and sent it to you, thus breaking any notion of 
> session.

But isn't that the old GET that has so many limitations that many web 
app design guides basically tell you not to use it?
And it depends on what you transfer in clear text as URL parameters. A 
Google search is probably OK, but what if your application is about 
sensitive data? You then need to craft identifiers that are dropped 
after first use and never used again or some other untraceable 
obfuscating mechanism.

There was also the point made of scalability. As in this example, the 
search results are not stored anywhere, but get recreated each time a 
request is sent. That pushes the scalability issue from the web server 
to the database server, where it may or may not be handled more efficiently.

I do understand the limitation of sessions as well, which I wasn't 
really aware of before.

To sum it up: It sucks! One round of applause for the fat client who 
throws the strict client/server design principles out the window.


David


From ken at secdat.com  Fri Sep  7 07:14:56 2007
From: ken at secdat.com (Kenneth Downs)
Date: Fri, 07 Sep 2007 07:14:56 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To: <46E12F93.4040700@metalab.unc.edu>
References: <46DD54B0.5060803@secdat.com>
	<46E1238E.5010307@metalab.unc.edu>	<46E12D4A.2010204@secdat.com>
	<46E12F93.4040700@metalab.unc.edu>
Message-ID: <46E132B0.9010400@secdat.com>

Elliotte Harold wrote:
> Kenneth Downs wrote:
>> Elliotte Harold wrote:
>>>
>>> Which is exactly why we don't use sessions for such applications. 
>>> Instead the page of "next" search results is a URL like
>>>
>>> http://www.google.com/search?q=Ken+Downs&hl=en&start=10&sa=N
>>
>> Did you log into Google?
>>
>>
>
>
> Checking the screen it looks I was logged in, but that doesn't change 
> the URL here. Follow that URL and you get the same results I do.
>

Should I email you a link allowing you to log into my customer's 
application and view confidential medical information?


-- 
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com    www.andromeda-project.org
631-689-7200   Fax: 631-689-0527
cell: 631-379-0010



From elharo at metalab.unc.edu  Fri Sep  7 07:35:41 2007
From: elharo at metalab.unc.edu (Elliotte Harold)
Date: Fri, 07 Sep 2007 07:35:41 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To: <46E13029.1030702@gmx.net>
References: <46DD54B0.5060803@secdat.com> <46E1238E.5010307@metalab.unc.edu>
	<46E13029.1030702@gmx.net>
Message-ID: <46E1378D.4070006@metalab.unc.edu>

David Krings wrote:
>
> But isn't that the old GET that has so many limitations that many web 
> app design guides basically tell you not to use it?

I have no idea what you're talking about. GET is GET. There's no old GET 
and new GET that I've ever heard of.

It's certainly true that there are a lot of bad web app design guides 
out there. Most of them try to reinvent client server on the web. 
They're like a manual for plastic molding machines that pretends the 
molder is really just a funny kind of table saw and drill press. Follow 
their directions and you'll develop problematic, unscalable 
applications; and certainly lots of people do.

> And it depends on what you transfer in clear text as URL parameters. A 
> Google search is probably OK, but what if your application is about 
> sensitive data? You then need to craft identifiers that are dropped 
> after first use and never used again or some other untraceable 
> obfuscating mechanism.

No. You use HTTPS.

> There was also the point made of scalability. As in this example, the 
> search results are not stored anywhere, but get recreated each time a 
> request is sent. That pushes the scalability issue from the web server 
> to the database server, where it may or may not be handled more 
> efficiently.

In point of fact, Google uses probably millions (maybe hundreds of 
thousands but I expect millions) of servers. They need this massive 
horizontal scalability. To make that work you really need to not care 
which server processes any given request. Three subsequent requests can 
and usually do go to three different physical servers. The more session 
state you try to maintain the harder that is to handle.

By contrast, if you design apps so they don't need session state, then 
you can scale horizontally very easily and you need a lot fewer actual 
servers.


-- 
Elliotte Rusty Harold  elharo at metalab.unc.edu
Java I/O 2nd Edition Just Published!
http://www.cafeaulait.org/books/javaio2/
http://www.amazon.com/exec/obidos/ISBN=0596527500/ref=nosim/cafeaulaitA/


From elharo at metalab.unc.edu  Fri Sep  7 07:40:50 2007
From: elharo at metalab.unc.edu (Elliotte Harold)
Date: Fri, 07 Sep 2007 07:40:50 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To: <46E132B0.9010400@secdat.com>
References: <46DD54B0.5060803@secdat.com>	<46E1238E.5010307@metalab.unc.edu>	<46E12D4A.2010204@secdat.com>	<46E12F93.4040700@metalab.unc.edu>
	<46E132B0.9010400@secdat.com>
Message-ID: <46E138C2.3040307@metalab.unc.edu>

Kenneth Downs wrote:

> Should I email you a link allowing you to log into my customer's 
> application and view confidential medical information?
> 
> 

User authentication is (usually) separate from the URL. You can e-mail 
me such a link if you wish, but without the username and password I 
wouldn't get in.

Nonetheless, the username and password should be transmitted with each 
request (in the HTTP header, not the URL) so that it doesn't matter 
whether I've switched browsers, rebooted my machine, or told my office 
manager to login under my name on her PC.

The resource is identified by a URL and nothing but a URL. Whether I am 
allowed to load that URL is a separate issue.

This is one point a lot of otherwise RESTful services like Amazon's E3 
get wrong. My mailbox should have a URL like 
https://mail.google.com/mail/erharold and yours should have a URL like 
https://mail.google.com/mail/kdowns. Nonetheless, merely knowing the URL 
would not be sufficient to log either of us in to either mailbox.

-- 
Elliotte Rusty Harold  elharo at metalab.unc.edu
Java I/O 2nd Edition Just Published!
http://www.cafeaulait.org/books/javaio2/
http://www.amazon.com/exec/obidos/ISBN=0596527500/ref=nosim/cafeaulaitA/


From ken at secdat.com  Fri Sep  7 09:12:12 2007
From: ken at secdat.com (Kenneth Downs)
Date: Fri, 07 Sep 2007 09:12:12 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To: <46E138C2.3040307@metalab.unc.edu>
References: <46DD54B0.5060803@secdat.com>	<46E1238E.5010307@metalab.unc.edu>	<46E12D4A.2010204@secdat.com>	<46E12F93.4040700@metalab.unc.edu>	<46E132B0.9010400@secdat.com>
	<46E138C2.3040307@metalab.unc.edu>
Message-ID: <46E14E2C.2030506@secdat.com>

Elliotte Harold wrote:
> Kenneth Downs wrote:
>
>> Should I email you a link allowing you to log into my customer's 
>> application and view confidential medical information?
>>
>>
>
> Nonetheless, the username and password should be transmitted with each 
> request (in the HTTP header, not the URL) so that it doesn't matter 
> whether I've switched browsers, rebooted my machine, or told my office 
> manager to login under my name on her PC.

That can only be done if the password is stored on the browser between 
requests.  No thanks! 

At any rate, in principle I believe that sessions are a bad way to do 
things, they just have that bag-on-the-side feel.  The only permanent 
use of a session in Andromeda is to store user information, notably 
user_id and password.  I do this only because I am not aware of a secure 
session-less alternative.  Any ideas are welcome.



-- 
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com    www.andromeda-project.org
631-689-7200   Fax: 631-689-0527
cell: 631-379-0010



From henry at beewh.com  Fri Sep  7 09:54:23 2007
From: henry at beewh.com (Henry Ponce)
Date: Fri, 7 Sep 2007 10:54:23 -0300
Subject: [nycphp-talk] php authentication form
Message-ID: <c84496c60709070654m34c3acd7s5f2d24786ca8f966@mail.gmail.com>

Hi:

I have a form that currently checks if the username and password are correct
in mysql database. I need to know if it's possible to check this information
on apache server, using maybe $_SERVER['PHP_AUTH_USER'] and
$_SERVER['PHP_AUTH_PW'].
I know that this is set once the user enters his username and pass in popup
window.

There is currently a popup window that asks user to set his user and
password. I dont want this. I want to be able to validate login using
information that is stored in apache. Is this possible???

Henry
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070907/bbcd272c/attachment.html>

From tedd at sperling.com  Fri Sep  7 10:14:41 2007
From: tedd at sperling.com (tedd)
Date: Fri, 7 Sep 2007 10:14:41 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To: <46E124F0.7020309@metalab.unc.edu>
References: <46DD54B0.5060803@secdat.com>
	<07f701c7efb3$52f6a9f0$651ba8c0@MobileZ>	<46DE9F28.5060705@beezifies.com>
	<p06240806c304566c9180@[192.168.1.109]>	<46DEB1C4.2010205@enobrev.com>
	<p0624080ac30472a72f59@[192.168.1.109]>
	<DDB437A3-CE77-471F-8401-2845F72BDADC@sala.ca>
	<p0624080ec3048288e833@[192.168.1.109]>
	<46E124F0.7020309@metalab.unc.edu>
Message-ID: <p06240803c307013d2458@[192.168.1.101]>

At 6:16 AM -0400 9/7/07, Elliotte Harold wrote:
>tedd wrote:
>
>>  From many of the post here, I thought someone had discovered something new.
>
>Discovering something truly new is rare. There's almost always 
>someone who discovered it before you. Sometimes we don't believe 
>them, though, until we discover it for ourselves.

Let me restate that "discovered something new to me" -- which isn't 
that hard to do.

>There are no sessions, or at least there shouldn't be in 
>well-designed Web applications.

Ouch -- straight through the heart, and now you've got my head hurting too.

In all my "applications" I use sessions to pass significant variables 
around from page to page. Each page is doing something different for 
the user and it make sense to me to break the routines into different 
groups and string them together using sessions.

If the user opts out at any time, then no harm done. If I want the 
user to have a state to come back to, then I use cookies "on-the-fly" 
to store that on the user's machine. For example:

http://ancientstones.com

If a user is looking through the widgets and has a search criteria 
they like, it's saved on their machine as a cookie and when they 
return, it's still there.

However, if the data is "sensitive", then I require a log-in.  If the 
user leaves in the middle of a session, and I want to store the 
session for the user, then I use the session id and mysql to store 
data and state on the server and the sid in a cookie on the user's 
machine. When they return, I check session id's and require another 
log-in before presenting "sensitive" data and they're back where they 
were.

All pretty simple stuff.

If someone told me that I couldn't use sessions, then I'm not sure 
how I would handle "sensitive" data. For example, I'm currently 
working on a site that provides papers, articles, tapes, cds, 
conferences, seminars, and videos to it members. However, they must 
be currently paid-up members to access the goodies.

My solution is to simply require them to log-in and set a session 
auth variable to OK and turn them loose. Then they have access to all 
the goodies.

While what they ask for on the site is provided in the URL via a GET, 
and as such, they could bookmark it and/or send the URL to someone 
else -- but they can't get at the goodies without being logged-in 
(i.e.,  session auth variable set to OK).

Again, all pretty simple stuff.

This works for me -- but, how do you do this without using sessions?

Cheers,

tedd

-- 
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com


From bz-gmort at beezifies.com  Fri Sep  7 10:21:28 2007
From: bz-gmort at beezifies.com (bz-gmort at beezifies.com)
Date: Fri, 07 Sep 2007 10:21:28 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To: <46E14E2C.2030506@secdat.com>
References: <46DD54B0.5060803@secdat.com>	<46E1238E.5010307@metalab.unc.edu>	<46E12D4A.2010204@secdat.com>	<46E12F93.4040700@metalab.unc.edu>	<46E132B0.9010400@secdat.com>	<46E138C2.3040307@metalab.unc.edu>
	<46E14E2C.2030506@secdat.com>
Message-ID: <46E15E68.3070901@beezifies.com>

Kenneth Downs wrote:
> That can only be done if the password is stored on the browser between 
> requests.  No thanks!
> At any rate, in principle I believe that sessions are a bad way to do 
> things, they just have that bag-on-the-side feel.  The only permanent 
> use of a session in Andromeda is to store user information, notably 
> user_id and password.

Why do you need to store the password?

Once the user has authenticated, their authenticated.  You don't need to 
keep a password lying around past that point unless you want to make 
them re-authenticate each time they access some data.  And since your 
storing that information on the server, it's somewhat irrelevant to 
store it since your already trusting whatever other mechanisms you have 
between the user and the server.

Though I would point out that with browsers these days, that password is 
gonna be stored on the browser no matter what you do short of embedding 
a flash or java applet to process the logon.  They save so much 
information, the user might have to explicitly confirm saving the 
address, but it will be saved.



From ken at secdat.com  Fri Sep  7 10:41:13 2007
From: ken at secdat.com (Kenneth Downs)
Date: Fri, 07 Sep 2007 10:41:13 -0400
Subject: Sessions and Authentication (was: [nycphp-talk] AJAX and State)
In-Reply-To: <46E15E68.3070901@beezifies.com>
References: <46DD54B0.5060803@secdat.com>	<46E1238E.5010307@metalab.unc.edu>	<46E12D4A.2010204@secdat.com>	<46E12F93.4040700@metalab.unc.edu>	<46E132B0.9010400@secdat.com>	<46E138C2.3040307@metalab.unc.edu>	<46E14E2C.2030506@secdat.com>
	<46E15E68.3070901@beezifies.com>
Message-ID: <46E16309.1070006@secdat.com>

bz-gmort at beezifies.com wrote:
> Kenneth Downs wrote:
>> That can only be done if the password is stored on the browser 
>> between requests.  No thanks!
>> At any rate, in principle I believe that sessions are a bad way to do 
>> things, they just have that bag-on-the-side feel.  The only permanent 
>> use of a session in Andromeda is to store user information, notably 
>> user_id and password.
>
> Why do you need to store the password?
>
> Once the user has authenticated, their authenticated.  You don't need 
> to keep a password lying around past that point unless you want to 
> make them re-authenticate each time they access some data.  And since 
> your storing that information on the server, it's somewhat irrelevant 
> to store it since your already trusting whatever other mechanisms you 
> have between the user and the server.

Database access.  Each trip to the server requires that you make a 
connection to the server.

In the PHP+MySQL world it is taken as an article of faith that you 
connect to the database as a super-user or admin, and your application 
code handles security.  But not everybody thinks this way.

That approach has many problems in a large-table-count system, including 
but not limited to documentation of security policies, effectiveness, 
efficiency, and scalability.  Probably the the most significant problem 
is that you cannot provide your customer's IT departments with true 
access to the database, which is a requirement to get some jobs.

As part of an overall more secure architecture, we connect the user to 
the database with a real database account, the database server is in 
charge of security and the program code has nothing to do with it.  In 
fact, the program by itself has no ability to connect to the database 
unless given credentials by a user.  This solves many problems, but it 
does require us to keep track of the user's password once they've given 
it to us, so that we can connect to the database on each of their 
requests. 

Hence my only use of a session.

>
> Though I would point out that with browsers these days, that password 
> is gonna be stored on the browser no matter what you do short of 
> embedding a flash or java applet to process the logon.  They save so 
> much information, the user might have to explicitly confirm saving the 
> address, but it will be saved.

True, you cannot stop the various "wallet" mechanisms from storing it 
<Sigh>.  But at least I did not add yet another :/


-- 
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com    www.andromeda-project.org
631-689-7200   Fax: 631-689-0527
cell: 631-379-0010



From bz-gmort at beezifies.com  Fri Sep  7 11:14:10 2007
From: bz-gmort at beezifies.com (bz-gmort at beezifies.com)
Date: Fri, 07 Sep 2007 11:14:10 -0400
Subject: [nycphp-talk] Re: Sessions and Authentication
In-Reply-To: <46E16309.1070006@secdat.com>
References: <46DD54B0.5060803@secdat.com>	<46E1238E.5010307@metalab.unc.edu>	<46E12D4A.2010204@secdat.com>	<46E12F93.4040700@metalab.unc.edu>	<46E132B0.9010400@secdat.com>	<46E138C2.3040307@metalab.unc.edu>	<46E14E2C.2030506@secdat.com>	<46E15E68.3070901@beezifies.com>
	<46E16309.1070006@secdat.com>
Message-ID: <46E16AC2.9020008@beezifies.com>

Kenneth Downs wrote:
> bz-gmort at beezifies.com wrote:
>>
>> Why do you need to store the password?
>>
> <snip>
> Database access.  Each trip to the server requires that you make a 
> connection to the server.
>
> In the PHP+MySQL world it is taken as an article of faith that you 
> connect to the database as a super-user or admin, and your application 
> code handles security.  But not everybody thinks this way.

Thanks.  That was the only reason I could think of(not MySQL actually, 
but any external system you need the php script to authenticate too and 
want to manage security in that external system at a user level).

Though I would argue that is standard to use a single userid/password 
for all connections, not that it is the admin or super user.

I would be tempted towards using some sort of token generated 
authentication scheme instead, so instead of saving a userid and 
password in the session you save a token.  But I'm not quite sure to 
what levels MySQL has advanced DB wise, and not every third party app 
will support an alternate authentication mechanism.  And in the end, if 
it works, why bother?



From rmarscher at beaffinitive.com  Fri Sep  7 11:44:47 2007
From: rmarscher at beaffinitive.com (Rob Marscher)
Date: Fri, 7 Sep 2007 11:44:47 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To: <46E12F93.4040700@metalab.unc.edu>
References: <46DD54B0.5060803@secdat.com> <46E1238E.5010307@metalab.unc.edu>
	<46E12D4A.2010204@secdat.com> <46E12F93.4040700@metalab.unc.edu>
Message-ID: <7BAC4C6E-BDE7-45FF-BA7B-4C78DDE12536@beaffinitive.com>

On Sep 7, 2007, at 7:01 AM, Elliotte Harold wrote:
> Kenneth Downs wrote:
>> Elliotte Harold wrote:
>>> http://www.google.com/search?q=Ken+Downs&hl=en&start=10&sa=N
>> Did you log into Google?
> Checking the screen it looks I was logged in

So... how did Google know you were logged in?  Look at your cookies  
-- there's one from google.com called SID -- Session ID!

Google is using sessions to keep track of whether or not you are  
logged in.  I see authentication as the primary use for sessions.  I  
agree that sessions could be considered evil if you try to store too  
much in there and rely on them for parts of your application that  
could be stored elsewhere.  For authentication purposes, I don't see  
another alternative, unless what I consider "sessions" is different  
from your definition.

In terms of large scaling, you could have a federation of session  
servers using a hashing algorithm based on the session id to  
determine which sessions are stored on which server and have the rest  
of your app communicate with them to determine if the session is  
valid and get a user id and authentication credentials.  I do agree  
that they are difficult to scale because of high read and write  
concurrency.  I would imagine that all the huge apps use a memory  
cache for sessions and optionally write them to disk periodically or  
log them in some other way if they need to keep track of stats or  
it's critical that no one's session can be lost by a server reboot.

-Rob


From ramons at gmx.net  Fri Sep  7 12:52:18 2007
From: ramons at gmx.net (David Krings)
Date: Fri, 07 Sep 2007 12:52:18 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To: <46E1378D.4070006@metalab.unc.edu>
References: <46DD54B0.5060803@secdat.com>
	<46E1238E.5010307@metalab.unc.edu>	<46E13029.1030702@gmx.net>
	<46E1378D.4070006@metalab.unc.edu>
Message-ID: <46E181C2.1020501@gmx.net>

Elliotte Harold wrote:
> David Krings wrote:
>>
>> But isn't that the old GET that has so many limitations that many web 
>> app design guides basically tell you not to use it?
> 
> I have no idea what you're talking about. GET is GET. There's no old GET 
> and new GET that I've ever heard of.

Bad wording on my part. The talk went from states and sessions and 
whathavenot to the Google URL example, which is nothing more than 
passing form info via GET. It came across as this is a great new way of 
solving the discussed issue, which indeed it isn't as it is a plain GET 
mechanism that is around for ages.


> It's certainly true that there are a lot of bad web app design guides 
> out there. Most of them try to reinvent client server on the web.

Uhm, isn't browser and server the purest form of client server? The 
server doesn't to crap without the client constantly asking for it. 
There are ways to improve that with AJAX or server side scripting like 
PHP or a combination of both (which is needed when using databases as 
the client cannot connect to the db server directly).
I wouldn't necessarily call the design guides all bad, but they are for 
sure different.

> They're like a manual for plastic molding machines that pretends the 
> molder is really just a funny kind of table saw and drill press. Follow 
> their directions and you'll develop problematic, unscalable 
> applications; and certainly lots of people do.
Which begs the question if every app developed needs to be scalable. If 
there are at any given point in time no more than a few dozen clients 
connecting scalability isn't an issue. So it depends. For the low 
client, one site app I find sessions extremely useful.

> 
>> And it depends on what you transfer in clear text as URL parameters. A 
>> Google search is probably OK, but what if your application is about 
>> sensitive data? You then need to craft identifiers that are dropped 
>> after first use and never used again or some other untraceable 
>> obfuscating mechanism.
> 
> No. You use HTTPS.
Understood....bit with all that security discussion, it is funny that 
nobody focuses any effort on securing keyboards, mice, and monitors. 
Many tests have shown that you don't need a password cracker, but just 
some cheap equipment from Radioshack to record signals coming from input 
devices. That just as a side note.


> 
>> There was also the point made of scalability. As in this example, the 
>> search results are not stored anywhere, but get recreated each time a 
>> request is sent. That pushes the scalability issue from the web server 
>> to the database server, where it may or may not be handled more 
>> efficiently.
> 
> In point of fact, Google uses probably millions (maybe hundreds of 
> thousands but I expect millions) of servers. They need this massive 
> horizontal scalability. To make that work you really need to not care 
> which server processes any given request. Three subsequent requests can 
> and usually do go to three different physical servers. The more session 
> state you try to maintain the harder that is to handle.
> 
> By contrast, if you design apps so they don't need session state, then 
> you can scale horizontally very easily and you need a lot fewer actual 
> servers.

Understood as well...which is why Google and the likes drop sometimes 
massive cookies on the client side. That addresses the scalability 
issue, but is from a security standpoint somewhat questionable, which 
again in case of a Google search is likely a non-issue. This is why I 
routinely dump all cookies except for a few that I know I want to keep 
for convenience.

David


From rick at click-rick.net  Fri Sep  7 15:55:10 2007
From: rick at click-rick.net (Rick Retzko)
Date: Fri, 7 Sep 2007 15:55:10 -0400
Subject: [nycphp-talk] Emailing files from server
Message-ID: <00b301c7f189$00be6600$6600a8c0@adam>

Help please with setting up a function to email a specific file from a
specific directory located on my server to a customer.
 
Issue: My customer wants to have an xls file with specific info from their
website eMailed to him on demand.  I pulled a script from php.net, but I
can't seem to get it to grab the file.  The emailing works, but not the
attachment.
 
The key clip of the script is:
if($attachments!==false){
  for($i=0;$i<count($attachments);$i++){
   if(is_file($attachments[$i]["file"])){
    #File for Attachment
 
$file_name=substr($attachments[$i]["file"],(strrpos($attachments[$i]["file"]
,"/")+1));
    
    $handle=fopen($attachments[$i]["file"],'rb');
    $f_contents=fread($handle,filesize($attachments[$i]["file"]));
    $f_contents=chunk_split(base64_encode($f_contents));
    $f_type=filetype($attachments[$i]["file"]);
    fclose($handle);
    
    #Attachment
    $msg.="--".$mime_boundary.$eol;
    $msg.="Content-Type: ".$attachments[$i]["content-type"].";
name=\"".$file_name."\"".$eol;
    $msg.="Content-Transfer-Encoding: base64".$eol;
    $msg.="Content-Description: ".$file_name.$eol;
    $msg.="Content-Disposition: attachment;
filename=\"".$file_name."\"".$eol.$eol;
    $msg.=$f_contents.$eol.$eol;
   }
  }
 
where I've set up '$attachments' as:
$attachments = Array(  Array("file"=>"/students.xls",
"content_type"=>"application/x-msexcel "));
 
Thanks for any help you can offer!
 
Best Regards - 
 
Rick
============
MFR Holdings, LLC
rick at click-rick.net
201.755.4083
 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070907/7062437a/attachment.html>

From chsnyder at gmail.com  Fri Sep  7 16:43:42 2007
From: chsnyder at gmail.com (csnyder)
Date: Fri, 7 Sep 2007 16:43:42 -0400
Subject: [nycphp-talk] Asynchronous downloads -- how?
In-Reply-To: <46DF0AAA.7070601@secdat.com>
References: <46DEF872.5060803@secdat.com> <46DF07D3.1090509@phpwerx.net>
	<46DF0AAA.7070601@secdat.com>
Message-ID: <b76252690709071343n27853d15i45732eebb2ce129@mail.gmail.com>

On 9/5/07, Kenneth Downs <ken at secdat.com> wrote:
>
>   This may be an over-simplification, but
> are you using
> session_write_close() after the authentication phase is complete?
>
>
>  Dan, I owe you a beer.  That was it.


Wow. Every now and then, the high cost of a subscription to this list
is worth it.

Great call, Dan, I had no idea that session_write_close() even
existed, and I serve _everything_ via php. It was like getting the APC
speed-boost all over again!


-- 
Chris Snyder
http://chxo.com/


From bz-gmort at beezifies.com  Fri Sep  7 17:41:15 2007
From: bz-gmort at beezifies.com (Gary Mort)
Date: Fri, 07 Sep 2007 17:41:15 -0400
Subject: [nycphp-talk] Emailing files from server
In-Reply-To: <00b301c7f189$00be6600$6600a8c0@adam>
References: <00b301c7f189$00be6600$6600a8c0@adam>
Message-ID: <46E1C57B.8000209@beezifies.com>

Rick Retzko wrote:
> Help please with setting up a function to email a specific file from a 
> specific directory located on my server to a customer.
>  
> Issue: My customer wants to have an xls file with specific info from 
> their website eMailed to him on demand.  I pulled a script from 
> php.net, but I can't seem to get it to grab the file.  The emailing 
> works, but not the attachment.
>

I'm lazy and use HTMLMimeMail:
http://www.phpguru.org/static/mime.mail.html




From dcech at phpwerx.net  Fri Sep  7 19:50:42 2007
From: dcech at phpwerx.net (Dan Cech)
Date: Fri, 07 Sep 2007 19:50:42 -0400
Subject: [nycphp-talk] Asynchronous downloads -- how?
In-Reply-To: <b76252690709071343n27853d15i45732eebb2ce129@mail.gmail.com>
References: <46DEF872.5060803@secdat.com>
	<46DF07D3.1090509@phpwerx.net>	<46DF0AAA.7070601@secdat.com>
	<b76252690709071343n27853d15i45732eebb2ce129@mail.gmail.com>
Message-ID: <46E1E3D2.3070504@phpwerx.net>

csnyder wrote:
> On 9/5/07, Kenneth Downs <ken at secdat.com> wrote:
>>   This may be an over-simplification, but
>> are you using
>> session_write_close() after the authentication phase is complete?
>>
>>  Dan, I owe you a beer.  That was it.
> 
> Wow. Every now and then, the high cost of a subscription to this list
> is worth it.
> 
> Great call, Dan, I had no idea that session_write_close() even
> existed, and I serve _everything_ via php. It was like getting the APC
> speed-boost all over again!

Great to hear you both found it useful!

There are so many little snippets like that on this list, in fact I'm
pretty sure I first heard about it here.  I don't know of any php
resource other than the manual that I use more often than the list archives.

Dan



From dcech at phpwerx.net  Fri Sep  7 19:57:15 2007
From: dcech at phpwerx.net (Dan Cech)
Date: Fri, 07 Sep 2007 19:57:15 -0400
Subject: [nycphp-talk] Emailing files from server
In-Reply-To: <46E1C57B.8000209@beezifies.com>
References: <00b301c7f189$00be6600$6600a8c0@adam>
	<46E1C57B.8000209@beezifies.com>
Message-ID: <46E1E55B.6020704@phpwerx.net>

Gary Mort wrote:
> Rick Retzko wrote:
>> Help please with setting up a function to email a specific file from a
>> specific directory located on my server to a customer.
>>  
>> Issue: My customer wants to have an xls file with specific info from
>> their website eMailed to him on demand.  I pulled a script from
>> php.net, but I can't seem to get it to grab the file.  The emailing
>> works, but not the attachment.
>>
> 
> I'm lazy and use HTMLMimeMail:
> http://www.phpguru.org/static/mime.mail.html

I haven't heard of that one, but I've used PHPMailer [1] with great
success, and I hear SwiftMailer is excellent too (and actively
maintained unlike PHPMailer and HTMLMimeMail).

Not only do they build the email and take care of such niceties as
encoding, etc, you also get drop-in SMTP and a host of other goodies.

They're also LGPL licensed libraries, so you can use them in commercial
projects without worries.

Dan

[1] http://phpmailer.sourceforge.net/
[2] http://www.swiftmailer.org/


From ramons at gmx.net  Fri Sep  7 20:06:51 2007
From: ramons at gmx.net (David Krings)
Date: Fri, 07 Sep 2007 20:06:51 -0400
Subject: [nycphp-talk] Asynchronous downloads -- how?
In-Reply-To: <b76252690709071343n27853d15i45732eebb2ce129@mail.gmail.com>
References: <46DEF872.5060803@secdat.com>
	<46DF07D3.1090509@phpwerx.net>	<46DF0AAA.7070601@secdat.com>
	<b76252690709071343n27853d15i45732eebb2ce129@mail.gmail.com>
Message-ID: <46E1E79B.30409@gmx.net>

csnyder wrote:
> On 9/5/07, Kenneth Downs <ken at secdat.com> wrote:
>>   This may be an over-simplification, but
>> are you using
>> session_write_close() after the authentication phase is complete?
>>
>>
>>  Dan, I owe you a beer.  That was it.
> 
> 
> Wow. Every now and then, the high cost of a subscription to this list
> is worth it.
> 
> Great call, Dan, I had no idea that session_write_close() even
> existed, and I serve _everything_ via php. It was like getting the APC
> speed-boost all over again!
> 
> 

Based on what posts about writing to a session in PHP state it is highly 
recommended to execute a session_write_close() before a header redirect 
as it can be that the browser already got redirected before the server 
is done writing the session data. With session_write_close() that will 
be guaranteed before anything else happens.

But based on a different thread we shouldn't use sessions anyway, right?

David



From jcampbell1 at gmail.com  Fri Sep  7 20:10:57 2007
From: jcampbell1 at gmail.com (John Campbell)
Date: Fri, 7 Sep 2007 20:10:57 -0400
Subject: [nycphp-talk] Asynchronous downloads -- how?
In-Reply-To: <46E1E3D2.3070504@phpwerx.net>
References: <46DEF872.5060803@secdat.com> <46DF07D3.1090509@phpwerx.net>
	<46DF0AAA.7070601@secdat.com>
	<b76252690709071343n27853d15i45732eebb2ce129@mail.gmail.com>
	<46E1E3D2.3070504@phpwerx.net>
Message-ID: <8f0676b40709071710o767d668ew96f94f41b63c2a1c@mail.gmail.com>

> > Great call, Dan, I had no idea that session_write_close() even
> > existed, and I serve _everything_ via php. It was like getting the APC
> > speed-boost all over again!

+1 here.

I just changed a bunch of code from:
session_start();
to
session_start();
session_write_close();

It is a god send, as I occasionally do a Cartesian Join by accident
and the site would just stop working for a minute or so.  Now, I know
why and the problem is solved.  All this time I thought MySQL was
using up all of the servers resources.

- John Campbell


From urb at e-government.com  Fri Sep  7 22:11:22 2007
From: urb at e-government.com (Urb LeJeune)
Date: Fri, 07 Sep 2007 22:11:22 -0400
Subject: [nycphp-talk] Mouse Over Menu
In-Reply-To: <46E181C2.1020501@gmx.net>
References: <46DD54B0.5060803@secdat.com> <46E1238E.5010307@metalab.unc.edu>
	<46E13029.1030702@gmx.net> <46E1378D.4070006@metalab.unc.edu>
	<46E181C2.1020501@gmx.net>
Message-ID: <7.0.1.0.2.20070907220925.02af5e18@e-government.com>

I'm looking to do a mouse over menu. You run the mouse over a main item
and a submenu appears, if available. I would prefer a css implementation
although a Java Script application would be acceptable.

Does anyone have any experience with such an animal or willing to make
a suggestions.

Thanks

Urb

Dr. Urban A. LeJeune, President
E-Government.com
800-204-9545




From jonbaer at jonbaer.com  Fri Sep  7 22:14:18 2007
From: jonbaer at jonbaer.com (Jon Baer)
Date: Fri, 7 Sep 2007 22:14:18 -0400
Subject: [nycphp-talk] Mouse Over Menu
In-Reply-To: <7.0.1.0.2.20070907220925.02af5e18@e-government.com>
References: <46DD54B0.5060803@secdat.com> <46E1238E.5010307@metalab.unc.edu>
	<46E13029.1030702@gmx.net> <46E1378D.4070006@metalab.unc.edu>
	<46E181C2.1020501@gmx.net>
	<7.0.1.0.2.20070907220925.02af5e18@e-government.com>
Message-ID: <A0362B68-D416-412E-AD9C-8279D54C52A9@jonbaer.com>

Suckerfish ...

http://www.alistapart.com/articles/dropdowns/
http://www.htmldog.com/articles/suckerfish/dropdowns/

- Jon

On Sep 7, 2007, at 10:11 PM, Urb LeJeune wrote:

> I'm looking to do a mouse over menu. You run the mouse over a main  
> item
> and a submenu appears, if available. I would prefer a css  
> implementation
> although a Java Script application would be acceptable.
>
> Does anyone have any experience with such an animal or willing to make
> a suggestions.
>
> Thanks
>
> Urb
>
> Dr. Urban A. LeJeune, President
> E-Government.com
> 800-204-9545
>
>
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070907/41be6110/attachment.html>

From jsia18 at yahoo.com  Fri Sep  7 22:18:25 2007
From: jsia18 at yahoo.com (Jason Sia)
Date: Fri, 7 Sep 2007 19:18:25 -0700 (PDT)
Subject: [nycphp-talk] Mouse Over Menu
Message-ID: <113458.59791.qm@web37901.mail.mud.yahoo.com>

Hi,
  You could try the hover effect but for Internet Explorer you should add a behavior (download csshover.htc) to make hover work in IE .  You should use <li> for this.

----- Original Message ----
From: Urb LeJeune <urb at e-government.com>
To: NYPHP Talk <talk at lists.nyphp.org>
Sent: Saturday, September 8, 2007 10:11:22 AM
Subject: [nycphp-talk] Mouse Over Menu

I'm looking to do a mouse over menu. You run the mouse over a main item
and a submenu appears, if available. I would prefer a css implementation
although a Java Script application would be acceptable.

Does anyone have any experience with such an animal or willing to make
a suggestions.

Thanks

Urb

Dr. Urban A. LeJeune, President
E-Government.com
800-204-9545


_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com

Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php






Send instant messages to your online friends http://uk.messenger.yahoo.com 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070907/7cda1854/attachment.html>

From tedd at sperling.com  Fri Sep  7 23:00:13 2007
From: tedd at sperling.com (tedd)
Date: Fri, 7 Sep 2007 23:00:13 -0400
Subject: [nycphp-talk] Mouse Over Menu
In-Reply-To: <7.0.1.0.2.20070907220925.02af5e18@e-government.com>
References: <46DD54B0.5060803@secdat.com>
	<46E1238E.5010307@metalab.unc.edu>	<46E13029.1030702@gmx.net>
	<46E1378D.4070006@metalab.unc.edu>	<46E181C2.1020501@gmx.net>
	<7.0.1.0.2.20070907220925.02af5e18@e-government.com>
Message-ID: <p06240801c307be62ae76@[192.168.1.101]>

At 10:11 PM -0400 9/7/07, Urb LeJeune wrote:
>I'm looking to do a mouse over menu. You run the mouse over a main item
>and a submenu appears, if available. I would prefer a css implementation
>although a Java Script application would be acceptable.
>
>Does anyone have any experience with such an animal or willing to make
>a suggestions.
>
>Thanks
>
>Urb
>
>Dr. Urban A. LeJeune, President
>E-Government.com
>800-204-9545


Try these -- they are widely used and work great:

http://sperling.com/examples/menuh/

http://sperling.com/examples/menuv/

However, they do use a js routine to make it work for IE browsers 
else IE won't work.

You might review cssplay -- I've seen that they have a pure css menu 
there, but it uses a table -- if that matters to you -- and -- it's a 
bit more complicated and verbose. BUT, it works without js.

Cheers,

tedd
-- 
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com


From hart at saturn.med.nyu.edu  Sat Sep  8 00:22:07 2007
From: hart at saturn.med.nyu.edu (Joshua Hart)
Date: Sat, 08 Sep 2007 00:22:07 -0400
Subject: [nycphp-talk] Php 5.2.4 and Oracle instantclient
In-Reply-To: <67qvkr$1c64n@mail3.nyumc.org>
Message-ID: <C3079BAF.A114F%hart@saturn.med.nyu.edu>



Hi All!

Does anybody have some hints as to what might be causing a problem
(segfault) with Oracle's instantclient when used in conjunction with PHP
5.2.4 (both the CLI and a webserver -- apache 2.x).

If I run simple queries I get a result -- no problem. (select * from atable
where name='hart')  However if I do any more complicated query (select from
two tables via a join for example) I get a segmentation fault (again both
with the CLI and it segfaults the httpd process).

All programs are built from source (except instantclient which I downloaded
from oracle). I'm running on SLES10 on an ia64 platform.

The info PHP identifies as the system:

Linux ssaturn 2.6.16.21-0.8-default #1 SMP Mon Jul 3 18:25:39 UTC 2006 ia64

Oracle is instantclient ia64-10.2.0.3-20061230

oci8 version 1.2.3  revision 1.269.2.16.2.37

Here's my configure command for PHP:

'./configure' '--with-zlib' '--with-gd' '--with-jpeg' '--with-png'
'--with-libxml2=/usr/bin' '--with-mysql=/usr/local/mysql5120'
'--with-apxs2=/usr/local/apache2/bin/apxs' '--enable-ftp'
'--with-imap-ssl=/usr/include/ssl'
'--with-imap=/space/custom_builds/imap-stuff/' '--with-openssl' '--with-pam'
'--with-dom' '--with-iconv' '--with-mbstring=all' '--with-mbregex'
'--with-domsxlt' '--with-mcrypt' '--with-xml' '--with-mime-magic'
'--enable-exif' '--enable-uploadprogress' '--with-xmlrpc' '--with-gettext'
'--with-pgsql' '--with-oci8=instantclient,/usr/local/oracle'

Again, I can successfully login to the oracle database, and the simplest of
queries works. Anything "complicated" crashes the program.

I saw on php.net messages about memory exhaustion and segfaults.. Since I'm
using the most recent version of PHP I would not think that getting a
updated PECL package is going to do the trick.  I increased the amt of
memory a script can use (in php.ini) to 128Mb but no difference. Is there
somehwere else I should be changing a setting?

Not sure what else to try..

Thanks!

Joshua




From selyah1 at yahoo.com  Sat Sep  8 01:12:55 2007
From: selyah1 at yahoo.com (selyah)
Date: Fri, 7 Sep 2007 22:12:55 -0700 (PDT)
Subject: [nycphp-talk] Roll ove image
In-Reply-To: <A0362B68-D416-412E-AD9C-8279D54C52A9@jonbaer.com>
Message-ID: <580401.39354.qm@web30812.mail.mud.yahoo.com>

 Hello ;
I am in the process  of completing a  very complex php script and need to add a special effect using html.  The effect that i have to do is a simple roll over images and upon each roll over with the mouse the images increase in size and then return back to the original size.  The problem is that i am sure that this involves javascript and that is my weak point.
Therefore, i am asking anyone who can assist with a sample code or know of a link that would be helpful.
Thanks 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070907/fcc2fc2b/attachment.html>

From jsia18 at yahoo.com  Sat Sep  8 01:50:39 2007
From: jsia18 at yahoo.com (Jason Sia)
Date: Fri, 7 Sep 2007 22:50:39 -0700 (PDT)
Subject: [nycphp-talk] Roll ove image
Message-ID: <238877.68717.qm@web37914.mail.mud.yahoo.com>

Hi,
 You can create function like this:
  <script> 
    function Enlarge() //enlarge the image
   {
     document.getElementById('image').style.width=??;
     document.getElementById('image').style.height=??;
   }
   function Reduce()  //reduce the image
  {
    document.getElementById('image').style.width=??;
    document.getElementById('image').style.height=??;
  }
 </script>

 <html>
   <body>
      <img id='image' style='width:xx;height:xx;' src='' onmouseover="Enlarge();" onmouseout="Reduce();">
   </body>
</html>
  
Be sure to have an image with a good resolution so that it does not pixelize when you enlarge it

----- Original Message ----
From: selyah <selyah1 at yahoo.com>
To: NYPHP Talk <talk at lists.nyphp.org>
Sent: Saturday, September 8, 2007 1:12:55 PM
Subject: [nycphp-talk] Roll ove image

 Hello ;
I am in the process  of completing a  very complex php script and need to add a special effect using html.  The effect that i have to do is a simple roll over images and upon each roll over with the mouse the images increase in size and then return back to the original size.  The problem is that i am sure that this involves javascript and that is my weak point.
Therefore, i am asking anyone who can assist with a sample code or know of a link that would be helpful.
Thanks 





Send instant messages to your online friends http://uk.messenger.yahoo.com 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070907/b8238489/attachment.html>

From jonbaer at jonbaer.com  Sat Sep  8 09:04:55 2007
From: jonbaer at jonbaer.com (Jon Baer)
Date: Sat, 8 Sep 2007 09:04:55 -0400
Subject: [nycphp-talk] Roll ove image
In-Reply-To: <580401.39354.qm@web30812.mail.mud.yahoo.com>
References: <580401.39354.qm@web30812.mail.mud.yahoo.com>
Message-ID: <311ECA73-7DF4-4E90-86B6-92E03C87CD8D@jonbaer.com>

Probably the best way Ive seen it implemented (and easiest) would be  
to use the Fisheye plugin for jQuery ...

http://www.ndesign-studio.com/demo/css-dock-menu/css-dock.html

* Download link (jQuery): http://docs.jquery.com/ 
Downloading_jQuery#Current_Release
* Download link (Fisheye): http://interface.eyecon.ro/download

(Although the SVN copy of jQuery might have the latest version of  
this plugin - not 100% sure)

- Jon

On Sep 8, 2007, at 1:12 AM, selyah wrote:

>  Hello ;
> I am in the process  of completing a  very complex php script and  
> need to add a special effect using html.  The effect that i have to  
> do is a simple roll over images and upon each roll over with the  
> mouse the images increase in size and then return back to the  
> original size.  The problem is that i am sure that this involves  
> javascript and that is my weak point.
> Therefore, i am asking anyone who can assist with a sample code or  
> know of a link that would be helpful.
> Thanks
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070908/29b10f10/attachment.html>

From bz-gmort at beezifies.com  Sat Sep  8 09:19:05 2007
From: bz-gmort at beezifies.com (Gary Mort)
Date: Sat, 08 Sep 2007 09:19:05 -0400
Subject: [nycphp-talk] Emailing files from server
In-Reply-To: <46E1E55B.6020704@phpwerx.net>
References: <00b301c7f189$00be6600$6600a8c0@adam>	<46E1C57B.8000209@beezifies.com>
	<46E1E55B.6020704@phpwerx.net>
Message-ID: <46E2A149.9090408@beezifies.com>

Dan Cech wrote:
> I haven't heard of that one, but I've used PHPMailer [1] with great
> success, and I hear SwiftMailer is excellent too (and actively
> maintained unlike PHPMailer and HTMLMimeMail).
>   

I'm not too concerned about active maintenance, since the functions are 
pretty simple.  As I recall, I have only ever had to upgrade 
HTMLMimeMail once when I replaced sendmail with postfix on a server and 
discovered the old version of HTMLMimeMail had a bug in it(it was not 
formatting the headers with the correct carriage return codes.  The old 
sendmail processed it anyway, the new postfix dropped the mail as not 
being formatted properly.  Of course, I only discovered this when the 
client went to send out 800 emails a month later for a mailshot using a 
tool someone else wrote that I was unaware of.  That was a fun  couple 
hours of figuring out how the thing worked to track down the problem.)




From bz-gmort at beezifies.com  Sat Sep  8 09:28:54 2007
From: bz-gmort at beezifies.com (Gary Mort)
Date: Sat, 08 Sep 2007 09:28:54 -0400
Subject: [nycphp-talk] Emailing files from server
In-Reply-To: <46E1E55B.6020704@phpwerx.net>
References: <00b301c7f189$00be6600$6600a8c0@adam>	<46E1C57B.8000209@beezifies.com>
	<46E1E55B.6020704@phpwerx.net>
Message-ID: <46E2A396.2000300@beezifies.com>

Dan Cech wrote:
> Not only do they build the email and take care of such niceties as
> encoding, etc, you also get drop-in SMTP and a host of other goodies.
>
>   

Hmm, looking over the swift feature set(yeah, I replied before loading 
it..sorry not awake yet) swift looks fairly nice  - I'm in the middle of 
rewriting a number of email functions I'll give swift a try and see how 
it works.  HTMLMimeMailer will also use an SMTP host, and as I recall 
will handle pop3 logon before send functionality either easily or with a 
small hack(so you can keep all your programs on 1 host, but spread the 
email sending to seperate hosts by functionality - email list, 
transaction oriented, and normal correspondence - so idiots who sign up 
to your mailling list and then want off but won't click the unsub link 
won't lock out your transactional emails from AOL when they report you 
as spam).




From tedd at sperling.com  Sat Sep  8 11:53:08 2007
From: tedd at sperling.com (tedd)
Date: Sat, 8 Sep 2007 11:53:08 -0400
Subject: [nycphp-talk] Roll ove image
In-Reply-To: <580401.39354.qm@web30812.mail.mud.yahoo.com>
References: <580401.39354.qm@web30812.mail.mud.yahoo.com>
Message-ID: <p06240801c30874f5bead@[192.168.0.100]>

At 10:12 PM -0700 9/7/07, selyah wrote:
>  Hello ;
>I am in the process  of completing a  very complex php script and 
>need to add a special effect using html.  The effect that i have to 
>do is a simple roll over images and upon each roll over with the 
>mouse the images increase in size and then return back to the 
>original size.  The problem is that i am sure that this involves 
>javascript and that is my weak point.
>Therefore, i am asking anyone who can assist with a sample code or 
>know of a link that would be helpful.
>Thanks

selyah:

Here an example of an enlarging roll-over using only css with no javascript.

http://webbytedd.com/bb/replace-image2/

If that's what you want, everything's there.

Cheers,

tedd

-- 
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com


From ereyes at totalcreations.com  Sat Sep  8 12:04:35 2007
From: ereyes at totalcreations.com (Edgar Reyes)
Date: Sat, 08 Sep 2007 12:04:35 -0400
Subject: [nycphp-talk] Roll ove image
In-Reply-To: <p06240801c30874f5bead@[192.168.0.100]>
References: <580401.39354.qm@web30812.mail.mud.yahoo.com>
	<p06240801c30874f5bead@[192.168.0.100]>
Message-ID: <013e01c7f231$f3e467a0$6500a8c0@ERTop>

Here is a simple way to do a roll over effect for images;

<a href="#" onMouseOver='rollover.src="images/lagerimage.jpg"'
onMouseOut='rollover.src="images/smallimage.jpg"'>
<img src="images/smallimage.jpg" name="rollover" border="0"></a>

ER

-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On
Behalf Of tedd
Sent: Saturday, September 08, 2007 11:53 AM
To: NYPHP Talk
Subject: Re: [nycphp-talk] Roll ove image

At 10:12 PM -0700 9/7/07, selyah wrote:
>  Hello ;
>I am in the process  of completing a  very complex php script and 
>need to add a special effect using html.  The effect that i have to 
>do is a simple roll over images and upon each roll over with the 
>mouse the images increase in size and then return back to the 
>original size.  The problem is that i am sure that this involves 
>javascript and that is my weak point.
>Therefore, i am asking anyone who can assist with a sample code or 
>know of a link that would be helpful.
>Thanks

selyah:

Here an example of an enlarging roll-over using only css with no javascript.

http://webbytedd.com/bb/replace-image2/

If that's what you want, everything's there.

Cheers,

tedd

-- 
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com
_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com

Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php



From rick at click-rick.net  Sat Sep  8 13:01:04 2007
From: rick at click-rick.net (Rick Retzko)
Date: Sat, 8 Sep 2007 13:01:04 -0400
Subject: [nycphp-talk] Mouse Over Menu
In-Reply-To: <7.0.1.0.2.20070907220925.02af5e18@e-government.com>
References: <46DD54B0.5060803@secdat.com>
	<46E1238E.5010307@metalab.unc.edu><46E13029.1030702@gmx.net>
	<46E1378D.4070006@metalab.unc.edu><46E181C2.1020501@gmx.net>
	<7.0.1.0.2.20070907220925.02af5e18@e-government.com>
Message-ID: <00ee01c7f239$d8c9ccf0$6600a8c0@adam>

Hi - Take a look at 'Stylin' with CSS' (Charles Wyke-Smith), he devotes
about 20 pages to building exactly this without any javascript including the
hacks necessary for IE.  A bit tricky, but it works.  The book is very
functional if you're just getting past the basics. 

You can also download the script from his www.bbd.com/stylin site.


Best Regards - 
 
Rick
============
MFR Holdings, LLC
rick at click-rick.net
201.755.4083

-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On
Behalf Of Urb LeJeune
Sent: Friday, September 07, 2007 10:11 PM
To: NYPHP Talk
Subject: [nycphp-talk] Mouse Over Menu

I'm looking to do a mouse over menu. You run the mouse over a main item and
a submenu appears, if available. I would prefer a css implementation
although a Java Script application would be acceptable.

Does anyone have any experience with such an animal or willing to make a
suggestions.

Thanks

Urb

Dr. Urban A. LeJeune, President
E-Government.com
800-204-9545


_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com

Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php



From bz-gmort at beezifies.com  Sat Sep  8 13:06:26 2007
From: bz-gmort at beezifies.com (Gary Mort)
Date: Sat, 08 Sep 2007 13:06:26 -0400
Subject: [nycphp-talk] Books & magazines
Message-ID: <46E2D692.8020703@beezifies.com>

Just wondering what books and magazines people here particularly like 
for PHP programming.  Which are good for learning, and which are good 
for reference.


From rick at click-rick.net  Sat Sep  8 13:24:43 2007
From: rick at click-rick.net (Rick Retzko)
Date: Sat, 8 Sep 2007 13:24:43 -0400
Subject: [nycphp-talk] Books & magazines
In-Reply-To: <46E2D692.8020703@beezifies.com>
References: <46E2D692.8020703@beezifies.com>
Message-ID: <00ef01c7f23d$268f7090$6600a8c0@adam>

Hi Gary - Thanks for the previous response to my
email-attachment-from-server query.

Reference books I keep on my shelf:
PHP and MySQL For Dynamic Web Sites (Larry Ullman)
PHP and MySQL Web Development (Welling,Thomson) 
Php|architect's Guide to PHP Security (Alshanstsky)
Don't make me think! (Krug)
Stylin' with CSS (Wyke-Smith)
Bulletproof Web Design (Cederholm)
CSS Mastery (Budd, Moll,Collison)

Magazine: php|Architect


Best Regards - 
 
Rick
============
MFR Holdings, LLC
rick at click-rick.net
201.755.4083

-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On
Behalf Of Gary Mort
Sent: Saturday, September 08, 2007 1:06 PM
To: NYPHP Talk
Subject: [nycphp-talk] Books & magazines

Just wondering what books and magazines people here particularly like for
PHP programming.  Which are good for learning, and which are good for
reference.
_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com

Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php



From ben at projectskyline.com  Sat Sep  8 14:34:33 2007
From: ben at projectskyline.com (Ben Sgro (ProjectSkyLine))
Date: Sat, 8 Sep 2007 14:34:33 -0400
Subject: [nycphp-talk] Books & magazines
References: <46E2D692.8020703@beezifies.com>
	<00ef01c7f23d$268f7090$6600a8c0@adam>
Message-ID: <002701c7f246$e74dda20$6401a8c0@gamebox>

Hello Gary,

SOME books off my shelf:
R = reference
L = learning

Older:
Web Database Applications w/PHP & Mysql (ORLY) - R
PHP 4? ( ORLY) - L (lots of source code errors though!!!)
SQL for Dummies - R

Newer:
PHP 5 and MySQL E-Commerce (Apress) - haven't touched this one yet but came 
recommened
Ajax Design Pattersn (ORLY) - ok - R
Foundations of PEAR (APRESS) - good reference, ok example source - R
Pro PHP Security (APRESS) - great book, great source - LR
Pro CSS and HTML Design Pattersn (APRESS) - pretty good, decent source - LR
PHP 5 Objects, Patterns, Practice (Apress) - good - LR

Good reads:
The art of unix programming (Addison Wesley) - excellent read - LLLL
Best software writing & Joel on software - EXCELLENT reads - LL

Disliked:
Pro Javascript Techniques (Apress) - blah, had mistakes in source. - !L
Any and ALL Wrox books. Wrox sux. - !L || R

-= ]

- Ben

----- Original Message ----- 
From: "Rick Retzko" <rick at click-rick.net>
To: "'NYPHP Talk'" <talk at lists.nyphp.org>
Sent: Saturday, September 08, 2007 1:24 PM
Subject: RE: [nycphp-talk] Books & magazines


> Hi Gary - Thanks for the previous response to my
> email-attachment-from-server query.
>
> Reference books I keep on my shelf:
> PHP and MySQL For Dynamic Web Sites (Larry Ullman)
> PHP and MySQL Web Development (Welling,Thomson)
> Php|architect's Guide to PHP Security (Alshanstsky)
> Don't make me think! (Krug)
> Stylin' with CSS (Wyke-Smith)
> Bulletproof Web Design (Cederholm)
> CSS Mastery (Budd, Moll,Collison)
>
> Magazine: php|Architect
>
>
> Best Regards -
>
> Rick
> ============
> MFR Holdings, LLC
> rick at click-rick.net
> 201.755.4083
>
> -----Original Message-----
> From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] 
> On
> Behalf Of Gary Mort
> Sent: Saturday, September 08, 2007 1:06 PM
> To: NYPHP Talk
> Subject: [nycphp-talk] Books & magazines
>
> Just wondering what books and magazines people here particularly like for
> PHP programming.  Which are good for learning, and which are good for
> reference.
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php
>
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php 



From lists at zaunere.com  Sat Sep  8 16:16:21 2007
From: lists at zaunere.com (Hans Zaunere)
Date: Sat, 8 Sep 2007 16:16:21 -0400
Subject: [nycphp-talk] Php 5.2.4 and Oracle instantclient
In-Reply-To: <C3079BAF.A114F%hart@saturn.med.nyu.edu>
References: <67qvkr$1c64n@mail3.nyumc.org>
	<C3079BAF.A114F%hart@saturn.med.nyu.edu>
Message-ID: <097801c7f255$1f54edb0$640aa8c0@MobileZ>


Hi Joshua,

Joshua Hart wrote on Saturday, September 08, 2007 12:22 AM:
> Hi All!
> 
> Does anybody have some hints as to what might be causing a problem
> (segfault) with Oracle's instantclient when used in conjunction with
> PHP  5.2.4 (both the CLI and a webserver -- apache 2.x).
> 
> If I run simple queries I get a result -- no problem. (select * from
> atable where name='hart')  However if I do any more complicated query
> (select from two tables via a join for example) I get a segmentation
> fault (again both with the CLI and it segfaults the httpd process).
> 
> All programs are built from source (except instantclient which I
> downloaded from oracle). I'm running on SLES10 on an ia64 platform.
> 
> The info PHP identifies as the system:
> 
> Linux ssaturn 2.6.16.21-0.8-default #1 SMP Mon Jul 3 18:25:39 UTC
> 2006 ia64

And uname -a should report the same.  Does what it report make sense?

> Oracle is instantclient ia64-10.2.0.3-20061230
> 
> oci8 version 1.2.3  revision 1.269.2.16.2.37
> 
> Here's my configure command for PHP:
> 
> './configure' '--with-zlib' '--with-gd' '--with-jpeg' '--with-png'
> '--with-libxml2=/usr/bin' '--with-mysql=/usr/local/mysql5120'
> '--with-apxs2=/usr/local/apache2/bin/apxs' '--enable-ftp'
> '--with-imap-ssl=/usr/include/ssl'
> '--with-imap=/space/custom_builds/imap-stuff/' '--with-openssl'
> '--with-pam' '--with-dom' '--with-iconv' '--with-mbstring=all'
> '--with-mbregex' '--with-domsxlt' '--with-mcrypt' '--with-xml'
> '--with-mime-magic' '--enable-exif' '--enable-uploadprogress'
> '--with-xmlrpc' '--with-gettext' '--with-pgsql'
> '--with-oci8=instantclient,/usr/local/oracle' 

Hmm... since this is ia64, there is no lib64 anywhere right?  Make sure PHP
is linking against the right libs.  Sometimes lib64'ness isn't always
obvious.  Try adding --with-libdir=lib64 to the PHP ./configure, but I'm not
sure on this.

Another option would be to strip down the ./configure and add --disable-all.
Perhaps there are some conflicts with Oracle, lib64, etc.  Then start to add
extensions to see if you can isolate the problem.

> Again, I can successfully login to the oracle database, and the
> simplest of queries works. Anything "complicated" crashes the program.

If I understand correctly - if you login via the Oracle client directly (so
no PHP involved), it'll still segfault when there's a complicated query?

> I saw on php.net messages about memory exhaustion and segfaults..
> Since I'm using the most recent version of PHP I would not think that
> getting a updated PECL package is going to do the trick.  I increased
> the amt of memory a script can use (in php.ini) to 128Mb but no
> difference. Is there somehwere else I should be changing a setting?

Things should typically work right out of the box.  If there is a new
package available, though, it might make sense to try it - but have some bug
fixes.

H



From jonbaer at jonbaer.com  Sat Sep  8 21:57:30 2007
From: jonbaer at jonbaer.com (Jon Baer)
Date: Sat, 8 Sep 2007 21:57:30 -0400
Subject: [nycphp-talk] Books & magazines
In-Reply-To: <46E2D692.8020703@beezifies.com>
References: <46E2D692.8020703@beezifies.com>
Message-ID: <9CEFB170-CA95-4371-BF8C-DF47C149BBD5@jonbaer.com>

One of the best books Ive read(ing) in a while:

Beautiful Code
http://www.amazon.com/Beautiful-Code-Leading-Programmers-Practice/dp/ 
0596510047/ref=pd_bbs_sr_1/104-9638236-3966325? 
ie=UTF8&s=books&qid=1189302826&sr=8-1

There are a few chapters which are gems in general thinking.

- Jon

On Sep 8, 2007, at 1:06 PM, Gary Mort wrote:

> Just wondering what books and magazines people here particularly  
> like for PHP programming.  Which are good for learning, and which  
> are good for reference.
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070908/38eddc66/attachment.html>

From selyah1 at yahoo.com  Sat Sep  8 22:43:41 2007
From: selyah1 at yahoo.com (selyah)
Date: Sat, 8 Sep 2007 19:43:41 -0700 (PDT)
Subject: [nycphp-talk] Roll ove image
In-Reply-To: <238877.68717.qm@web37914.mail.mud.yahoo.com>
Message-ID: <390086.55950.qm@web30806.mail.mud.yahoo.com>

thank you

Jason Sia <jsia18 at yahoo.com> wrote: Hi,
 You can create function like this:
  <script> 
    function Enlarge() //enlarge the image
   {
     document.getElementById('image').style.width=??;
     document.getElementById('image').style.height=??;
   }
   function Reduce()  //reduce the image
  {
    document.getElementById('image').style.width=??;
    document.getElementById('image').style.height=??;
  }
 </script>

 <html>
   <body>
      <img id='image' style='width:xx;height:xx;' src='' onmouseover="Enlarge();"  onmouseout="Reduce();">
   </body>
</html>
  
Be sure to have an image with a good resolution so that it does not pixelize when you enlarge it

----- Original Message ----
From: selyah <selyah1 at yahoo.com>
To: NYPHP Talk <talk at lists.nyphp.org>
Sent: Saturday, September 8, 2007 1:12:55 PM
Subject: [nycphp-talk] Roll ove image

 Hello ;
I am in the process  of completing a  very complex php script and need to add a special effect using html.  The effect that i have to do is a simple roll over images and upon each roll over with the mouse the images increase in size and then return back to the original size.  The problem is that i am sure that this involves javascript and that is my weak point.
Therefore, i am asking anyone who can assist with a sample code or know of a  link that would be helpful.
Thanks 





Send instant messages to your online friends http://uk.messenger.yahoo.com _______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com

Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070908/e10427ed/attachment.html>

From selyah1 at yahoo.com  Sat Sep  8 22:46:35 2007
From: selyah1 at yahoo.com (selyah)
Date: Sat, 8 Sep 2007 19:46:35 -0700 (PDT)
Subject: [nycphp-talk] Roll ove image
In-Reply-To: <311ECA73-7DF4-4E90-86B6-92E03C87CD8D@jonbaer.com>
Message-ID: <371650.71961.qm@web30805.mail.mud.yahoo.com>

thank you

Jon Baer <jonbaer at jonbaer.com> wrote:  Probably the best way Ive seen it implemented (and easiest) would be to use the Fisheye plugin for jQuery ...


http://www.ndesign-studio.com/demo/css-dock-menu/css-dock.html


* Download link (jQuery): http://docs.jquery.com/Downloading_jQuery#Current_Release
 * Download link (Fisheye): http://interface.eyecon.ro/download


(Although the SVN copy of jQuery might have the latest version of this plugin - not 100% sure)


- Jon
  

On Sep 8, 2007, at 1:12 AM, selyah wrote:

 Hello ;
I am in the process  of completing a  very complex php script and need to add a special effect using html.  The effect that i have to do is a simple roll over images and upon each roll over with the mouse the images increase in size and then return back to the original size.  The problem is that i am sure that this involves javascript and that is my weak point.
Therefore, i am asking anyone who can assist with a sample code or know of a link that would be helpful.
Thanks 
_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk


NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com


Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php
 

_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com

Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070908/6fd5cd1c/attachment.html>

From jonbaer at jonbaer.com  Sat Sep  8 23:05:38 2007
From: jonbaer at jonbaer.com (Jon Baer)
Date: Sat, 8 Sep 2007 23:05:38 -0400
Subject: [nycphp-talk] CouchDB (PHP)
Message-ID: <BC728BB7-6E6C-423A-8BDB-E750ECDE1D83@jonbaer.com>

So has anyone here played around w/ CouchDB @ all?

http://blog.labnotes.org/2007/09/02/couchdb-thinking-beyond-the-rdbms/

http://couchdb.org/

PHP5 Client:
http://couchprojects.googlecode.com/svn/trunk/libraries/php/CouchDb/

Im getting the vibe that it would be akin to say SQLite BLOBs w/  
slick replication techniques, but have not seen it in action much,  
but the whole JSON in/out pipe is an interesting concept.  People are  
trying to kill RDBMS more and more everyday :-\

- Jon
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070908/27987b77/attachment.html>

From hart at saturn.med.nyu.edu  Sat Sep  8 23:08:44 2007
From: hart at saturn.med.nyu.edu (Joshua Hart)
Date: Sat, 08 Sep 2007 23:08:44 -0400
Subject: [nycphp-talk] Re: talk Digest, Vol 11, Issue 18
In-Reply-To: <67qvkr$1dr7a@mail3.nyumc.org>
Message-ID: <C308DBFC.A14F8%hart@saturn.med.nyu.edu>




On 9/8/07 10:45 PM, "talk-request at lists.nyphp.org"
<talk-request at lists.nyphp.org> wrote:

> 
>> Oracle is instantclient ia64-10.2.0.3-20061230
>> 
>> oci8 version 1.2.3  revision 1.269.2.16.2.37
>> 
>> Here's my configure command for PHP:
>> 
>> './configure' '--with-zlib' '--with-gd' '--with-jpeg' '--with-png'
>> '--with-libxml2=/usr/bin' '--with-mysql=/usr/local/mysql5120'
>> '--with-apxs2=/usr/local/apache2/bin/apxs' '--enable-ftp'
>> '--with-imap-ssl=/usr/include/ssl'
>> '--with-imap=/space/custom_builds/imap-stuff/' '--with-openssl'
>> '--with-pam' '--with-dom' '--with-iconv' '--with-mbstring=all'
>> '--with-mbregex' '--with-domsxlt' '--with-mcrypt' '--with-xml'
>> '--with-mime-magic' '--enable-exif' '--enable-uploadprogress'
>> '--with-xmlrpc' '--with-gettext' '--with-pgsql'
>> '--with-oci8=instantclient,/usr/local/oracle'
> 
> Hmm... since this is ia64, there is no lib64 anywhere right?  Make sure PHP
> is linking against the right libs.  Sometimes lib64'ness isn't always
> obvious.  Try adding --with-libdir=lib64 to the PHP ./configure, but I'm not
> sure on this.

Ldd on the cli for php gives:
ssaturn /usr/local# ldd /space/custom_builds/php-5.2.4/sapi/cli/php
        linux-gate.so.1 =>  (0xa000000000000000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x2000000000064000)
        libc-client.so =>
/space/custom_builds/imap-stuff//lib/libc-client.so (0x20000000000b4000)
        libpq.so.5 => /usr/local/pgsql/lib/libpq.so.5 (0x2000000000288000)
        librt.so.1 => /lib/librt.so.1 (0x20000000002dc000)
        libmysqlclient.so.15 =>
/usr/local/mysql5120/lib/libmysqlclient.so.15 (0x20000000002fc000)
        libmcrypt.so.4 => /usr/lib/libmcrypt.so.4 (0x2000000000528000)
        libltdl.so.3 => /usr/lib/libltdl.so.3 (0x2000000000588000)
        libdl.so.2 => /lib/libdl.so.2 (0x20000000005a8000)
        libpam.so.0 => /lib/libpam.so.0 (0x20000000005c0000)
        libpng.so.3 => /usr/lib/libpng.so.3 (0x20000000005e8000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x200000000066c000)
        libm.so.6.1 => /lib/libm.so.6.1 (0x20000000006a0000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x2000000000770000)
        libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0x20000000007ac000)
        libcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8
(0x200000000083c000)
        libclntsh.so.10.1 => /usr/local/oracle/libclntsh.so.10.1
(0x2000000000aa8000)
        libxml2.so.2 => /usr/lib/libxml2.so.2 (0x2000000002c90000)
        libc.so.6.1 => /lib/libc.so.6.1 (0x2000000002f40000)
        libimf.so.6 => /opt/intel/cc/9.1.037/lib/libimf.so.6
(0x2000000003190000)
        libirc.so => /opt/intel/cc/9.1.037/lib/libirc.so
(0x2000000003440000)
        libipr.so.6 => /usr/local/oracle/libipr.so.6 (0x2000000003470000)
        libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x2000000003484000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x20000000034a4000)
        /lib/ld-linux-ia64.so.2 (0x2000000000000000)
        libz.so.1 => /lib/libz.so.1 (0x20000000034dc000)
        libnnz10.so => /usr/local/oracle/libnnz10.so (0x2000000003510000)
        libunwind.so.7 => /lib/libunwind.so.7 (0x2000000003898000)




> Another option would be to strip down the ./configure and add --disable-all.
> Perhaps there are some conflicts with Oracle, lib64, etc.  Then start to add
> extensions to see if you can isolate the problem.
> 
>> Again, I can successfully login to the oracle database, and the
>> simplest of queries works. Anything "complicated" crashes the program.
> 
> If I understand correctly - if you login via the Oracle client directly (so
> no PHP involved), it'll still segfault when there's a complicated query?

No.. What I was trying to say is that I can login to oracle via a PHP
script.  I can even do my query if I limit the data which is returned by
oracle to less than 5 rows. As soon as I ask it to return 5 or more rows I
get a segfault.

In order to test the instantclient installatiton I installed the sqlplus
"add on" for instantclient and it is able to connect to oracle and return
all requested rows.

When I use gdb to run the cli for php I get:

gdb /space/custom_builds/php-5.2.4/sapi/cli/php
GNU gdb 6.4
Copyright 2005 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "ia64-suse-linux"...Using host libthread_db
library "/lib/libthread_db.so.1".

(gdb) run /www/htdocs/nonsecure/con.html
Starting program: /space/custom_builds/php-5.2.4/sapi/cli/php
/www/htdocs/nonsecure/con.html
[Thread debugging using libthread_db enabled]
[New Thread 2305843009273028592 (LWP 27213)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 2305843009273028592 (LWP 27213)]
0x40000000005f6ba0 in _zval_ptr_dtor (zval_ptr=0x607ffffffebdb7f0) at
/space/custom_builds/php-5.2.4/Zend/zend_execute_API.c:413
413             (*zval_ptr)->refcount--;
(gdb) where
#0  0x40000000005f6ba0 in _zval_ptr_dtor (zval_ptr=0x607ffffffebdb7f0) at
/space/custom_builds/php-5.2.4/Zend/zend_execute_API.c:413
#1  0x400000000068d700 in zend_do_fcall_common_helper_SPEC
(execute_data=0x607ffffffebdc370)
    at /space/custom_builds/php-5.2.4/Zend/zend_execute.h:155
#2  0x4000000000666a00 in execute (op_array=0x20000000039d4e40) at
/space/custom_builds/php-5.2.4/Zend/zend_vm_execute.h:92
#3  0x40000000006188e0 in zend_execute_scripts (type=8, retval=0x0,
file_count=3) at /space/custom_builds/php-5.2.4/Zend/zend.c:1134
#4  0x4000000000577bb0 in php_execute_script (primary_file=Cannot access
memory at address 0x10
) at /space/custom_builds/php-5.2.4/main/main.c:1982
#5  0x400000000076fa30 in main (argc=Cannot access memory at address 0x0
) at /space/custom_builds/php-5.2.4/sapi/cli/php_cli.c:1140
(gdb) 

>From the stacktrace above looks like something is overflowing its bounds...

I will try your suggested alternative option next and just build php with
oracle only to see if I get the same problem.

I also have started to download the full client from Oracle instead of the
instantclient to see if it makes any sort of difference.

Thanks,

Joshua




From codebowl at gmail.com  Sun Sep  9 00:56:31 2007
From: codebowl at gmail.com (Joseph Crawford)
Date: Sun, 9 Sep 2007 00:56:31 -0400
Subject: [nycphp-talk] Books & magazines
In-Reply-To: <9CEFB170-CA95-4371-BF8C-DF47C149BBD5@jonbaer.com>
References: <46E2D692.8020703@beezifies.com>
	<9CEFB170-CA95-4371-BF8C-DF47C149BBD5@jonbaer.com>
Message-ID: <8d9a42800709082156q4345a090w3272ad2416c02dcb@mail.gmail.com>

i had php|architect and loved it but there is also PHP Magazine which I
never subscribed to.

-- 
Joseph Crawford Jr.
Zend Certified Engineer
Codebowl Solutions, Inc.
http://www.codebowl.com/
Blog: http://www.josephcrawford.com/
1-802-671-2021
codebowl at gmail.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070909/0841e9ab/attachment.html>

From lists at zaunere.com  Sun Sep  9 11:56:04 2007
From: lists at zaunere.com (Hans Zaunere)
Date: Sun, 9 Sep 2007 11:56:04 -0400
Subject: [nycphp-talk] Re: talk Digest, Vol 11, Issue 18
In-Reply-To: <C308DBFC.A14F8%hart@saturn.med.nyu.edu>
References: <67qvkr$1dr7a@mail3.nyumc.org>
	<C308DBFC.A14F8%hart@saturn.med.nyu.edu>
Message-ID: <0d8e01c7f2f9$ed878a90$640aa8c0@MobileZ>



Joshua Hart wrote on Saturday, September 08, 2007 11:09 PM:
> On 9/8/07 10:45 PM, "talk-request at lists.nyphp.org"
> <talk-request at lists.nyphp.org> wrote:
> 
> > 
> > > Oracle is instantclient ia64-10.2.0.3-20061230
> > > 
> > > oci8 version 1.2.3  revision 1.269.2.16.2.37
> > > 
> > > Here's my configure command for PHP:
> > > 
> > > './configure' '--with-zlib' '--with-gd' '--with-jpeg' '--with-png'
> > > '--with-libxml2=/usr/bin' '--with-mysql=/usr/local/mysql5120'
> > > '--with-apxs2=/usr/local/apache2/bin/apxs' '--enable-ftp'
> > > '--with-imap-ssl=/usr/include/ssl'
> > > '--with-imap=/space/custom_builds/imap-stuff/' '--with-openssl'
> > > '--with-pam' '--with-dom' '--with-iconv' '--with-mbstring=all'
> > > '--with-mbregex' '--with-domsxlt' '--with-mcrypt' '--with-xml'
> > > '--with-mime-magic' '--enable-exif' '--enable-uploadprogress'
> > > '--with-xmlrpc' '--with-gettext' '--with-pgsql'
> > > '--with-oci8=instantclient,/usr/local/oracle'
> > 
> > Hmm... since this is ia64, there is no lib64 anywhere right?  Make
> > sure PHP is linking against the right libs.  Sometimes lib64'ness
> > isn't always obvious.  Try adding --with-libdir=lib64 to the PHP
> > ./configure, but I'm not sure on this.
> 
> Ldd on the cli for php gives:
> ssaturn /usr/local# ldd /space/custom_builds/php-5.2.4/sapi/cli/php
>         linux-gate.so.1 =>  (0xa000000000000000)
>         libcrypt.so.1 => /lib/libcrypt.so.1 (0x2000000000064000)
>         libc-client.so =>
> /space/custom_builds/imap-stuff//lib/libc-client.so
>         (0x20000000000b4000) libpq.so.5 =>
>         /usr/local/pgsql/lib/libpq.so.5 (0x2000000000288000)
>         librt.so.1 => /lib/librt.so.1 (0x20000000002dc000)
> libmysqlclient.so.15 => /usr/local/mysql5120/lib/libmysqlclient.so.15
>         (0x20000000002fc000) libmcrypt.so.4 =>
>         /usr/lib/libmcrypt.so.4 (0x2000000000528000) libltdl.so.3 =>
>         /usr/lib/libltdl.so.3 (0x2000000000588000) libdl.so.2 =>
>         /lib/libdl.so.2 (0x20000000005a8000) libpam.so.0 =>
>         /lib/libpam.so.0 (0x20000000005c0000) libpng.so.3 =>
>         /usr/lib/libpng.so.3 (0x20000000005e8000) libresolv.so.2 =>
>         /lib/libresolv.so.2 (0x200000000066c000) libm.so.6.1 =>
>         /lib/libm.so.6.1 (0x20000000006a0000) libnsl.so.1 =>
>         /lib/libnsl.so.1 (0x2000000000770000) libssl.so.0.9.8 =>
>         /usr/lib/libssl.so.0.9.8 (0x20000000007ac000)
> libcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0x200000000083c000)
>         libclntsh.so.10.1 => /usr/local/oracle/libclntsh.so.10.1
> (0x2000000000aa8000)
>         libxml2.so.2 => /usr/lib/libxml2.so.2 (0x2000000002c90000)
>         libc.so.6.1 => /lib/libc.so.6.1 (0x2000000002f40000)
>         libimf.so.6 => /opt/intel/cc/9.1.037/lib/libimf.so.6
> (0x2000000003190000)
>         libirc.so => /opt/intel/cc/9.1.037/lib/libirc.so
> (0x2000000003440000)
>         libipr.so.6 => /usr/local/oracle/libipr.so.6
>         (0x2000000003470000) libgcc_s.so.1 => /lib/libgcc_s.so.1
>         (0x2000000003484000) libpthread.so.0 => /lib/libpthread.so.0
>         (0x20000000034a4000) /lib/ld-linux-ia64.so.2
>         (0x2000000000000000) libz.so.1 => /lib/libz.so.1
>         (0x20000000034dc000) libnnz10.so =>
>         /usr/local/oracle/libnnz10.so (0x2000000003510000)
> libunwind.so.7 => /lib/libunwind.so.7 (0x2000000003898000) 
> 
> 
> 
> 
> > Another option would be to strip down the ./configure and add
> > --disable-all. Perhaps there are some conflicts with Oracle, lib64,
> > etc.  Then start to add extensions to see if you can isolate the
> > problem. 
> > 
> > > Again, I can successfully login to the oracle database, and the
> > > simplest of queries works. Anything "complicated" crashes the
> > > program. 
> > 
> > If I understand correctly - if you login via the Oracle client
> > directly (so no PHP involved), it'll still segfault when there's a
> > complicated query? 
> 
> No.. What I was trying to say is that I can login to oracle via a PHP
> script.  I can even do my query if I limit the data which is returned
> by oracle to less than 5 rows. As soon as I ask it to return 5 or
> more rows I get a segfault.
> 
> In order to test the instantclient installatiton I installed the
> sqlplus "add on" for instantclient and it is able to connect to
> oracle and return all requested rows.
> 
> When I use gdb to run the cli for php I get:
> 
> gdb /space/custom_builds/php-5.2.4/sapi/cli/php
> GNU gdb 6.4
> Copyright 2005 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and
> you are welcome to change it and/or distribute copies of it under
> certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB.  Type "show warranty" for
> details. This GDB was configured as "ia64-suse-linux"...Using host
> libthread_db library "/lib/libthread_db.so.1".
> 
> (gdb) run /www/htdocs/nonsecure/con.html
> Starting program: /space/custom_builds/php-5.2.4/sapi/cli/php
> /www/htdocs/nonsecure/con.html
> [Thread debugging using libthread_db enabled]
> [New Thread 2305843009273028592 (LWP 27213)]
> 
> Program received signal SIGSEGV, Segmentation fault.
> [Switching to Thread 2305843009273028592 (LWP 27213)]
> 0x40000000005f6ba0 in _zval_ptr_dtor (zval_ptr=0x607ffffffebdb7f0) at
> /space/custom_builds/php-5.2.4/Zend/zend_execute_API.c:413
> 413             (*zval_ptr)->refcount--;
> (gdb) where
> #0  0x40000000005f6ba0 in _zval_ptr_dtor
> (zval_ptr=0x607ffffffebdb7f0) at
> /space/custom_builds/php-5.2.4/Zend/zend_execute_API.c:413 #1 
> 0x400000000068d700 in zend_do_fcall_common_helper_SPEC
>     (execute_data=0x607ffffffebdc370) at
> /space/custom_builds/php-5.2.4/Zend/zend_execute.h:155 #2 
> 0x4000000000666a00 in execute (op_array=0x20000000039d4e40) at
> /space/custom_builds/php-5.2.4/Zend/zend_vm_execute.h:92 #3 
> 0x40000000006188e0 in zend_execute_scripts (type=8, retval=0x0,
> file_count=3) at /space/custom_builds/php-5.2.4/Zend/zend.c:1134 #4 
> 0x4000000000577bb0 in php_execute_script (primary_file=Cannot access
> memory at address 0x10 ) at
> /space/custom_builds/php-5.2.4/main/main.c:1982 #5 
> 0x400000000076fa30 in main (argc=Cannot access memory at address 0x0
> ) at /space/custom_builds/php-5.2.4/sapi/cli/php_cli.c:1140 (gdb)
> 
> > From the stacktrace above looks like something is overflowing its
> > bounds... 
> 
> I will try your suggested alternative option next and just build php
> with oracle only to see if I get the same problem.

Yeah - I'd almost bet that it looks like a bad pointer/int on 64bit which is
probably a bug in PHP/Zend.  Try doing a minimal configure which can also
help in reporting a bug.

> I also have started to download the full client from Oracle instead
> of the instantclient to see if it makes any sort of difference.

Would be interested to know if this makes a difference - I think there's
been some rumblings of problems with instantclient.

H



From chsnyder at gmail.com  Sun Sep  9 18:18:42 2007
From: chsnyder at gmail.com (csnyder)
Date: Sun, 9 Sep 2007 18:18:42 -0400
Subject: [nycphp-talk] CouchDB (PHP)
In-Reply-To: <BC728BB7-6E6C-423A-8BDB-E750ECDE1D83@jonbaer.com>
References: <BC728BB7-6E6C-423A-8BDB-E750ECDE1D83@jonbaer.com>
Message-ID: <b76252690709091518g25d71e6dxb4007830f8ba4e3e@mail.gmail.com>

On 9/8/07, Jon Baer <jonbaer at jonbaer.com> wrote:
> So has anyone here played around w/ CouchDB @ all?

That should make some heads spin.

> Im getting the vibe that it would be akin to say SQLite BLOBs w/ slick
> replication techniques, but have not seen it in action much, but the whole
> JSON in/out pipe is an interesting concept.  People are trying to kill RDBMS
> more and more everyday :-\

The cross-platform-ness of the CouchDB server implies that you might
replicate a shared database onto each workstation that accesses it.
What I don't see from the initial documentation and demos is a writeup
of how the bi-directional sync works, and whether it can be manually
triggered ("sync database now") from within an app.

Very cool, though. It seems like you could mix in some xml db
functionality, too, like creating a view of all of the links in a
collection of documents.

-- 
Chris Snyder
http://chxo.com/


From jakob.buchgraber at googlemail.com  Mon Sep 10 11:57:14 2007
From: jakob.buchgraber at googlemail.com (Jakob Buchgraber)
Date: Mon, 10 Sep 2007 17:57:14 +0200
Subject: [nycphp-talk] Check for absolute path (cross platform)
Message-ID: <46E5695A.1030302@gmail.com>

I wrote a function that searches for a file within the include_path.
Here it is:

function ppcIncludize ($path) {

     // check for absolute path
     if ($path[0] == "/" || $path[1] == ":") {
         if (file_exists ($path)) {
             return $path;
         }

         return false;
     }

     $includePath = get_include_path();

     foreach (explode (PATH_SEPARATOR, $includePath) as $directory) {
         $tmpPath = "$directory/$path";

         if (file_exists ($tmpPath)) {
             return $tmpPath;
         }
     }

     return false;
}

This function only makes sense if the parameter given is a relative path 
to a file or folder and as this is not always the case I first check if 
it's an absolute path. So for unix systems it's quite easy, just need to 
   check for / at the beginning, but on windows I am not sure as I don't 
use and have never developed under Windows. However as far as I know a 
absolute path starts with a drive letter e.g. C followed by a :. So I 
just check for the : . I am not a 100% sure if this works, so may 
anybody test it for me or at least tell me if I am write with my 
assumption about windows path names.

Thanks!

Jakob
-- 
Sun Certified Programmer for the Java 2 Platform, Standard Edition 5.0


From lists at enobrev.com  Mon Sep 10 13:05:03 2007
From: lists at enobrev.com (Mark Armendariz)
Date: Mon, 10 Sep 2007 13:05:03 -0400
Subject: [nycphp-talk] Check for absolute path (cross platform)
In-Reply-To: <46E5695A.1030302@gmail.com>
References: <46E5695A.1030302@gmail.com>
Message-ID: <46E5793F.5070308@enobrev.com>

Jakob Buchgraber wrote:
> I wrote a function that searches for a file within the include_path.
> Here it is:
>
>     // check for absolute path
>     if ($path[0] == "/" || $path[1] == ":") {
>         if (file_exists ($path)) {
>             return $path;
>         }
>
>         return false;
>     }

What about
if (str_replace('\\', '/', $path) == str_replace('\\','/', realpath($path)))

Mark


From danielc at analysisandsolutions.com  Tue Sep 11 10:20:16 2007
From: danielc at analysisandsolutions.com (Daniel Convissor)
Date: Tue, 11 Sep 2007 10:20:16 -0400
Subject: [nycphp-talk] Check for absolute path (cross platform)
In-Reply-To: <46E5695A.1030302@gmail.com>
References: <46E5695A.1030302@gmail.com>
Message-ID: <20070911142016.GA4600@panix.com>

Hi Jakob:

On Mon, Sep 10, 2007 at 05:57:14PM +0200, Jakob Buchgraber wrote:
> I wrote a function that searches for a file within the include_path.

Why?  PHP's include does all of this for you better and fasater.

--Dan

-- 
 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
            data intensive web and database programming
                http://www.AnalysisAndSolutions.com/
 4015 7th Ave #4, Brooklyn NY 11232  v: 718-854-0335 f: 718-854-0409


From jkelly at sussex.edu  Tue Sep 11 12:12:38 2007
From: jkelly at sussex.edu (jessica kelly)
Date: Tue, 11 Sep 2007 12:12:38 -0400
Subject: [nycphp-talk] WebServer Probs - OT?
Message-ID: <46E686360200008A0000F987@mail.sussex.edu>

Hi Everyone

I am having problems with a webserver and a xampp type setup. I need to find some free or near free monitoring tool to see the process (apache php mysql mailclient etc...) load on the server, any processes that may be tying up the server/cpu and anything else that may help point out the problem. It's a older Win box and I have access to a Linux box if I need to run it on Linux with a client on the win box.

I have looked at Nagios & Cacti but I'm not sure it does what I'm looking for or if there even close to what I need. I'm getting over whelmed with the choices that turn up in a search.

Does anyone have any recommendations as to what software may works.

Sincerely,

Jessica Kelly


From ajai at bitblit.net  Tue Sep 11 12:18:08 2007
From: ajai at bitblit.net (Ajai Khattri)
Date: Tue, 11 Sep 2007 12:18:08 -0400 (EDT)
Subject: [nycphp-talk] WebServer Probs - OT?
In-Reply-To: <46E686360200008A0000F987@mail.sussex.edu>
Message-ID: <Pine.LNX.4.44.0709111216370.17851-100000@bitblit.net>

On Tue, 11 Sep 2007, jessica kelly wrote:

> I have looked at Nagios & Cacti but I'm not sure it does what I'm 
> looking for or if there even close to what I need. I'm getting over 
> whelmed with the choices that turn up in a search.

A lot of people use Nagios for monitoring - which begs the question why do 
you think it doesn't do what you need?

Over here, we have deployed Zabbix for monitoring.


-- 
Aj.



From bz-gmort at beezifies.com  Tue Sep 11 13:07:56 2007
From: bz-gmort at beezifies.com (Gary Mort)
Date: Tue, 11 Sep 2007 13:07:56 -0400
Subject: [nycphp-talk] Microsoft Access
Message-ID: <46E6CB6C.8070906@beezifies.com>

I'm looking around for a way to access some microsoft access database 
info on linux(sorry, netbsd, but it should work mostly the same, right? :-))

So far, mdbtools looks the most promising: http://mdbtools.sourceforge.net/

I was wondering if anyone else had any promising steps?


From wfan at VillageVoice.com  Tue Sep 11 13:26:41 2007
From: wfan at VillageVoice.com (Fan, Wellington)
Date: Tue, 11 Sep 2007 13:26:41 -0400
Subject: [nycphp-talk] Apache bench (ab) [OT]
Message-ID: <4D2FAD9B00577645932AD7ED5FECA2450324A020@mail>

Hey all,

I was using ab for some very simple load testing.


$ ab -n100 http://192.168.34.6/hits.php

Generates 100 access log lines.



$ ab -n100 -c100 http://192.168.34.6/hits.php

Generates *roughly* 200...



Huh?

--
Wellington Fan
wfan at villagevoice.com


From rharding at mitechie.com  Tue Sep 11 13:37:24 2007
From: rharding at mitechie.com (Rick Harding)
Date: Tue, 11 Sep 2007 13:37:24 -0400
Subject: [nycphp-talk] Apache bench (ab) [OT]
In-Reply-To: <4D2FAD9B00577645932AD7ED5FECA2450324A020@mail>
References: <4D2FAD9B00577645932AD7ED5FECA2450324A020@mail>
Message-ID: <46E6D254.7000304@mitechie.com>

Fan, Wellington wrote:
> Hey all,
>
> I was using ab for some very simple load testing.
>
>
> $ ab -n100 http://192.168.34.6/hits.php
>
> Generates 100 access log lines.
>
>
>
> $ ab -n100 -c100 http://192.168.34.6/hits.php
>
> Generates *roughly* 200...
>
>
>
> Huh?
>   

Retries perhaps? i.e. you tried to run 100 concurrent requests, not all 
got served so they retried?

Rick


From lk613m at yahoo.com  Tue Sep 11 15:49:07 2007
From: lk613m at yahoo.com (LK)
Date: Tue, 11 Sep 2007 12:49:07 -0700 (PDT)
Subject: [nycphp-talk] ORM anyone?
Message-ID: <581333.49724.qm@web53305.mail.re2.yahoo.com>

Hello,
 
Please help me in overcoming a mental block about this wonderful thing called ORM. 
 
By reading some examples on using ORM, such as setting up Author/Books parent/child objects, I notice that each author and each book has to be individually assigned in the PHP script and saved. This is what I don't understand, 
 
1. if my database contains thousands of authors and 100's of thousands of books, I have to 1) create each new object 2) assign each field value to it and 3) save it, and do this for 100's of thousands of records? Somehow that just does not make sense, since the records are already in the database, why do I have to save(..) them again?
 
2. If I have an existing database with 100's of thousands of rows already populated, how does ORM know which record corresponds to which php object? In other words, how do I just start using existing mysql records as php objects?
 
3. If an existing database has many relations between tables, how do I form complex joins between them using ORM?
 
Thanks for your response
 
Leo


      ____________________________________________________________________________________
Shape Yahoo! in your own image.  Join our Network Research Panel today!   http://surveylink.yahoo.com/gmrs/yahoo_panel_invite.asp?a=7 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070911/55dde23f/attachment.html>

From chsnyder at gmail.com  Tue Sep 11 16:21:30 2007
From: chsnyder at gmail.com (csnyder)
Date: Tue, 11 Sep 2007 16:21:30 -0400
Subject: [nycphp-talk] ORM anyone?
In-Reply-To: <581333.49724.qm@web53305.mail.re2.yahoo.com>
References: <581333.49724.qm@web53305.mail.re2.yahoo.com>
Message-ID: <b76252690709111321u249c3a77xcefe609563b8000e@mail.gmail.com>

On 9/11/07, LK <lk613m at yahoo.com> wrote:

> Please help me in overcoming a mental block about this wonderful thing
> called ORM.

ORM is a concept, not a defined system. It may help to get your
questions answered if you say whether you are using an existing
framework or designing your own.

> 1. if my database contains thousands of authors and 100's of thousands of
> books, I have to 1) create each new object 2) assign each field value to it
> and 3) save it, and do this for 100's of thousands of records? Somehow that
> just does not make sense, since the records are already in the database, why
> do I have to save(..) them again?

You could think of it as exporting records from your existing database
into your new object model. It's a one-time operation across all of
your data.


> 2. If I have an existing database with 100's of thousands of rows already
> populated, how does ORM know which record corresponds to which php object?
> In other words, how do I just start using existing mysql records as php
> objects?

It doesn't. You create those relations as you build and store the new objects.


> 3. If an existing database has many relations between tables, how do I form
> complex joins between them using ORM?

Depends on the system.

If you have an existing database with complex relations, why are you
considering breaking it by migrating to something new?


-- 
Chris Snyder
http://chxo.com/


From ken at secdat.com  Tue Sep 11 16:27:37 2007
From: ken at secdat.com (Kenneth Downs)
Date: Tue, 11 Sep 2007 16:27:37 -0400
Subject: [nycphp-talk] ORM anyone?
In-Reply-To: <581333.49724.qm@web53305.mail.re2.yahoo.com>
References: <581333.49724.qm@web53305.mail.re2.yahoo.com>
Message-ID: <46E6FA39.7000608@secdat.com>

LK wrote:
> Hello,
>  
> Please help me in overcoming a mental block about this wonderful thing 
> called ORM.
>  
> By reading some examples on using ORM, such as setting up Author/Books 
> parent/child objects, I notice that each author and each book has to 
> be individually assigned in the PHP script and saved. This is what I 
> don't understand,
>  
> 1. if my database contains thousands of authors and 100's of thousands 
> of books, I have to 1) create each new object 2) assign each field 
> value to it and 3) save it, and do this for 100's of thousands of 
> records? Somehow that just does not make sense, since the records are 
> already in the database, why do I have to save(..) them again?

Are you asking if it is necessary to create code that reproduces each 
row in each table in the database?  If so, the answer is no, definitely not.

>  
> 2. If I have an existing database with 100's of thousands of rows 
> already populated, how does ORM know which record corresponds to which 
> php object? In other words, how do I just start using existing mysql 
> records as php objects?

Presumably the user has indicated which row they want, usually as a 
result of some search.  You then instantiate a new object and populate 
it with those rows.

>  
> 3. If an existing database has many relations between tables, how do I 
> form complex joins between them using ORM?

PHP is a record-oriented step-wise language.  It is good for writing 
programs with
loops and if-then and case and so forth.  It is not good at manipulating 
sets of table-based data.

For manipulating sets of table-based data we use SQL (at least I do).

As you may guess, I'm no fan of ORM.  The main reason is what I just 
said above.  OO code and table-based data are two very different beasts 
with very different natures.  ORM tries to make one look like the 
other.  Why would anybody want to do this?   Hell if I know.

That being said, there are plenty of "solutions" out there that try to 
get around this.  IMHO they are all Rube Goldberg machines.


>  
> Thanks for your response
>  
> Leo
>
> ------------------------------------------------------------------------
> Need a vacation? Get great deals to amazing places 
> <http://us.rd.yahoo.com/evt=48256/*http://travel.yahoo.com/;_ylc=X3oDMTFhN2hucjlpBF9TAzk3NDA3NTg5BHBvcwM1BHNlYwNncm91cHMEc2xrA2VtYWlsLW5jbQ-->on 
> Yahoo! Travel.
> ------------------------------------------------------------------------
>
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php


-- 
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com    www.andromeda-project.org
631-689-7200   Fax: 631-689-0527
cell: 631-379-0010

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070911/45c069aa/attachment.html>

From ajai at bitblit.net  Tue Sep 11 17:15:59 2007
From: ajai at bitblit.net (Ajai Khattri)
Date: Tue, 11 Sep 2007 17:15:59 -0400 (EDT)
Subject: [nycphp-talk] ORM anyone?
In-Reply-To: <46E6FA39.7000608@secdat.com>
Message-ID: <Pine.LNX.4.44.0709111709470.17851-100000@bitblit.net>

On Tue, 11 Sep 2007, Kenneth Downs wrote:

> As you may guess, I'm no fan of ORM.  The main reason is what I just 
> said above.  OO code and table-based data are two very different beasts 
> with very different natures.  ORM tries to make one look like the 
> other.  Why would anybody want to do this?

For a couple of reasons:

1) Dealing with SQL from an OOP programming language is not natural.

2) Conceptual relationships are easier to deal with via objects.

3) It gives you a layer of abstraction above the database to the
   degree that it doesn't matter what the underlying database
   actually is, you have a uniform interface always. Doesn't matter
   if you switch SQLlite to MySQL to Postgres - all looks the same.


-- 
Aj.



From ken at secdat.com  Tue Sep 11 19:07:04 2007
From: ken at secdat.com (Ken Downs)
Date: Tue, 11 Sep 2007 19:07:04 -0400
Subject: [nycphp-talk] ORM anyone?
In-Reply-To: <Pine.LNX.4.44.0709111709470.17851-100000@bitblit.net>
References: <Pine.LNX.4.44.0709111709470.17851-100000@bitblit.net>
Message-ID: <jo887s.2y2ig7@dhost2.secdat.com>

Ajai Khattri &lt;ajai at bitblit.net&gt; wrote:  &gt; On Tue, 11 Sep 2007,
Kenneth Downs wrote: &gt;  &gt; &gt; As you may guess, I'm no fan of ORM. 
The main reason is what I just  &gt; &gt; said above.  OO code and
table-based data are two very different beasts  &gt; &gt; with very different
natures.  ORM tries to make one look like the  &gt; &gt; other.  Why would
anybody want to do this? &gt;  &gt; For a couple of reasons: &gt;  &gt; 1)
Dealing with SQL from an OOP programming language is not natural.That's a
personal opinion, not a system requirement.Hey, that's fine.&nbsp; My opinion
is that generating SQL is natural and easy, a little easier than generating
HTML. &gt;  &gt; 2) Conceptual relationships are easier to deal with via
objects.What's a &quot;conceptual relationship?&quot;&nbsp; If you put your
data into tables, then the relationships between the tables are foreign
keys.&nbsp; That's easier to handle in set-based SQL, the language that was
designed to do it. &gt;  &gt; 3) It gives you a layer of abstraction above
the database to the &gt;    degree that it doesn't matter what the underlying
database &gt;    actually is, you have a uniform interface always. Doesn't
matter &gt;    if you switch SQLlite to MySQL to Postgres - all looks the
same. &gt;  Actually you don't need ORM for that, you just need a generalized
set of commands, like &quot;db_query&quot; instead of &quot;pg_query&quot; and
&quot;mysql_query&quot;.&nbsp;
_________________________________________________________
This mail sent using V-webmail - http://www.v-webmail.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070911/de10045d/attachment.html>

From ramons at gmx.net  Tue Sep 11 20:10:36 2007
From: ramons at gmx.net (David Krings)
Date: Tue, 11 Sep 2007 20:10:36 -0400
Subject: [nycphp-talk] Microsoft Access
In-Reply-To: <46E6CB6C.8070906@beezifies.com>
References: <46E6CB6C.8070906@beezifies.com>
Message-ID: <46E72E7C.7060501@gmx.net>

Gary Mort wrote:
> I'm looking around for a way to access some microsoft access database 
> info on linux(sorry, netbsd, but it should work mostly the same, right? 
> :-))
> 
> So far, mdbtools looks the most promising: http://mdbtools.sourceforge.net/
> 
> I was wondering if anyone else had any promising steps?

Doesn't PHP have a module to access Access dbs directly? No clue if that 
needs to have Access itself installed. You could see if you can hook 
something up through OOo.

Other than that, no idea.

David


From ajai at bitblit.net  Tue Sep 11 20:22:04 2007
From: ajai at bitblit.net (Ajai Khattri)
Date: Tue, 11 Sep 2007 20:22:04 -0400 (EDT)
Subject: [nycphp-talk] ORM anyone?
In-Reply-To: <jo887s.2y2ig7@dhost2.secdat.com>
Message-ID: <Pine.LNX.4.44.0709111947250.17851-100000@bitblit.net>


> On Tue, 11 Sep 2007, Kenneth Downs wrote:
>
> That's a personal opinion, not a system requirement.

We *can* agree that SQL is not PHP (or Ruby or Python).


> What's a "conceptual relationship?"  If you put your data into tables, 
> then the relationships between the tables are foreign keys.  That's easier 
> to handle in set-based SQL, the language that was designed to do it.

Noone writes apps in pure SQL :-)

One has to take off their OOP hat, replace with a SQL hat, and 
translate what you are trying to build into whatever tables / rows / 
columns / relations you can model in SQL. So if you're using an OOP 
language (and I do include PHP5 in that category) you have to do that 
mapping anyway (until we get object-based databases perhaps). In fact, 
most data structures need to be mapped (how do you store a tree in a 
relational database? You don't, at least not without some mapping 
process to SQL).


>Actually you don't need ORM for that, you just need a generalized set of 
> commands, like "db_query" instead of "pg_query" and "mysql_query". 

In other words, another layer of abstraction? Like ORM but not using 
objects? :-) For me, it comes down to a choice between dealing with mappings 
and all the database plumbing that that entails vs. letting an ORM layer 
manage all that so I can concentrate on business logic and application 
flow.

Of course, there's always a trade off, like most things - I just think 
writing say:

event = Event.find(1)
event.title = "New title"
event.save

more naturally expresses what Im doing than:

UPDATE events SET TITLE="New title" where id=1

Once you start defining and updating many-to-many relationships, the SQL 
becomes much more complex compared to writing code.

I know I won't convince you but I think it important for people to hear 
both sides and make up their own minds.



p.s. What the hell is v-webmail? Your email was unreplyable in Pine and 
WebMail. I had to manually copy and paste your comments...


-- 
Aj.



From ajai at bitblit.net  Tue Sep 11 20:24:50 2007
From: ajai at bitblit.net (Ajai Khattri)
Date: Tue, 11 Sep 2007 20:24:50 -0400 (EDT)
Subject: [nycphp-talk] Microsoft Access
In-Reply-To: <46E72E7C.7060501@gmx.net>
Message-ID: <Pine.LNX.4.44.0709112022340.17851-100000@bitblit.net>

On Tue, 11 Sep 2007, David Krings wrote:

> Gary Mort wrote:
> > I'm looking around for a way to access some microsoft access database 
> > info on linux(sorry, netbsd, but it should work mostly the same, right? 
> > :-))
> > 
> > So far, mdbtools looks the most promising: http://mdbtools.sourceforge.net/
> > 
> > I was wondering if anyone else had any promising steps?
> 
> Doesn't PHP have a module to access Access dbs directly? No clue if that 
> needs to have Access itself installed. You could see if you can hook 
> something up through OOo.


What about using ODBC to talk to Access?


-- 
Aj.



From bz-gmort at beezifies.com  Tue Sep 11 20:36:27 2007
From: bz-gmort at beezifies.com (Gary Mort)
Date: Tue, 11 Sep 2007 20:36:27 -0400
Subject: [nycphp-talk] Microsoft Access
In-Reply-To: <Pine.LNX.4.44.0709112022340.17851-100000@bitblit.net>
References: <Pine.LNX.4.44.0709112022340.17851-100000@bitblit.net>
Message-ID: <46E7348B.2030403@beezifies.com>

Ajai Khattri wrote:
> On Tue, 11 Sep 2007, David Krings wrote:
>
>   
>> Doesn't PHP have a module to access Access dbs directly? No clue if that 
>> needs to have Access itself installed. You could see if you can hook 
>> something up through OOo.
>>     
>
>
> What about using ODBC to talk to Access?
>
>
>   

Both methods seem to require running on windows so you have the windows 
drivers to access the access database.

I'd rather do all my processing on the netbsd platform.


From chsnyder at gmail.com  Tue Sep 11 23:04:23 2007
From: chsnyder at gmail.com (csnyder)
Date: Tue, 11 Sep 2007 23:04:23 -0400
Subject: [nycphp-talk] Microsoft Access
In-Reply-To: <46E7348B.2030403@beezifies.com>
References: <Pine.LNX.4.44.0709112022340.17851-100000@bitblit.net>
	<46E7348B.2030403@beezifies.com>
Message-ID: <b76252690709112004v3e906717n3ad98d5dc7dbd54c@mail.gmail.com>

On 9/11/07, Gary Mort <bz-gmort at beezifies.com> wrote:

> I'd rather do all my processing on the netbsd platform.

Are you sure you wouldn't rather export from Access to CSV and process that?

I can see the appeal of accessing the .mdb directly (via samba?) but
unless you need to do so in real time...

Well, another option might be to use MSDE or SQL Server as a backend,
but now I'm way out of my league.

-- 
Chris Snyder
http://chxo.com/


From rahmin at insite-out.com  Wed Sep 12 05:39:30 2007
From: rahmin at insite-out.com (Rahmin Pavlovic)
Date: Wed, 12 Sep 2007 05:39:30 -0400
Subject: [nycphp-talk] "net" as timestamp?
Message-ID: <C30D2C12.447A7%rahmin@insite-out.com>

Found a weird one today:

echo date("Y-m-d H:i:s T", time()) . "\n";
echo date("Y-m-d H:i:s T", strtotime('net surfing')) . "\n";
echo date("Y-m-d H:i:s T", strtotime('surfing net')) . "\n";

Echoes:

2007-09-12 05:29:41 EDT
2007-09-12 01:09:41 EDT
1969-12-31 19:00:00 EST

Why does "net" return 4hr + 20min ago, and why do I feel like I already
lived it?

More importantly, does anyone know a list of reserved date terms I can parse
out?




From anieshjoseph at gmail.com  Wed Sep 12 06:06:46 2007
From: anieshjoseph at gmail.com (Aniesh joseph)
Date: Wed, 12 Sep 2007 15:36:46 +0530
Subject: [nycphp-talk] Keep login on two sites simultaneously by just login
	in any of the two sites..
Message-ID: <1b3d2fde0709120306s798af328ne2c27eb626b71b4d@mail.gmail.com>

Hello,

Is it possible to share the session in two sites? I have two sites both of
them having same contents(login id & password) in the database.. So someone
login in siteA, possible to login in siteB automatically?

So a person login in siteA and opens the siteB(same browser or in a seperate
browser), Can I show that the person is logined in siteB also ?

Could someone help me?


Thanks & Regards,
Aniesh Joseph
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070912/5e29ba4f/attachment.html>

From rahmin at insite-out.com  Wed Sep 12 06:28:38 2007
From: rahmin at insite-out.com (Rahmin Pavlovic)
Date: Wed, 12 Sep 2007 06:28:38 -0400
Subject: [nycphp-talk] Keep login on two sites simultaneously by just
	login in any of the two sites..
In-Reply-To: <1b3d2fde0709120306s798af328ne2c27eb626b71b4d@mail.gmail.com>
Message-ID: <C30D3796.447C1%rahmin@insite-out.com>


Aniesh joseph wrote:

> Hello,
> 
> Is it possible to share the session in two sites? I have two sites both of
> them having same contents(login id & password) in the database.. So someone
> login in siteA, possible to login in siteB automatically?
> 

I like to keep a sort of "bridge" table for things like this.

Say, user logs into site A, and their session id -- or some hash of their
personal data -- gets stored in the bridge table with a timestamp (and user
id, or whatever else you want to link up to).

If you drive content from one site to another, you could append their
session id to the URL, and lookup that user on site B, within a given
timeframe (say, 30min since the bridge timestamp was inserted).

If the user/pass info is exactly the same on both sites, you could store a
hash of that in the bridge table (as opposed to the session).

If logins to site B are sensitive, you could include a counter in the bridge
table to only allow one concurrent login.




From ken at secdat.com  Wed Sep 12 07:28:45 2007
From: ken at secdat.com (Kenneth Downs)
Date: Wed, 12 Sep 2007 07:28:45 -0400
Subject: [nycphp-talk] ORM anyone?
In-Reply-To: <Pine.LNX.4.44.0709111947250.17851-100000@bitblit.net>
References: <Pine.LNX.4.44.0709111947250.17851-100000@bitblit.net>
Message-ID: <46E7CD6D.6060006@secdat.com>

Ajai Khattri wrote:
>> On Tue, 11 Sep 2007, Kenneth Downs wrote:
>>
>> That's a personal opinion, not a system requirement.
>>     
>
> We *can* agree that SQL is not PHP (or Ruby or Python).
>   

Sure.

>
>   
>> What's a "conceptual relationship?"  If you put your data into tables, 
>> then the relationships between the tables are foreign keys.  That's easier 
>> to handle in set-based SQL, the language that was designed to do it.
>>     
>
> Noone writes apps in pure SQL :-)
>
> One has to take off their OOP hat, replace with a SQL hat, and 
> translate what you are trying to build into whatever tables / rows / 
> columns / relations you can model in SQL. So if you're using an OOP 
> language (and I do include PHP5 in that category) you have to do that 
> mapping anyway (until we get object-based databases perhaps). In fact, 
> most data structures need to be mapped (how do you store a tree in a 
> relational database? You don't, at least not without some mapping 
> process to SQL).
>
>   

What I am saying is no, you don't have to do that mapping, not if you 
think of data in terms of tables and rows, which is after all what it 
is, and think of code in terms of functions and classes, which is, after 
all, what it is.

OOP is wonderful for organizing code.  I have always found it superb at 
organizing UI based code, but horrible for business rules.

But my central point is that code is so different from table-based data, 
it requires different "hats" as you say above, that trying to make one 
look like the other is ultimately counter-productive.  In particular, I 
find it a mistake to make an object for each table and then to try to 
extend the object model to handle things like foreign keys.

Consider an analogy.  Most PHP programmers must learn HTML, CSS, and 
Javascript to some level of competence in order to code in PHP.  This is 
considered necessary and good, and we encourage one another to learn to 
do that stuff right, the way it wants to be done.  But come the database 
and we all decide we can somehow avoid learning the principles of DB 
design and try to make it look like PHP code.  We accept the obligation 
to learn HTML, CSS and Javascript, and even a few things about HTTP 
headers and so forth, but we think it is optional to learn SQL and to 
treat the database as what it is.  That really puzzles me.  The only 
explanation I can come up with is people must be using really simple 
databases so that the inefficiencies at large table counts just never 
show up.

This is probably where we simply disagree, though I hope we've fleshed 
out the positions to the point of usefulness to somebody sitting on the 
fence.

>   
>> Actually you don't need ORM for that, you just need a generalized set of 
>> commands, like "db_query" instead of "pg_query" and "mysql_query". 
>>     
>
> In other words, another layer of abstraction? Like ORM but not using 
> objects? :-) For me, it comes down to a choice between dealing with mappings 
> and all the database plumbing that that entails vs. letting an ORM layer 
> manage all that so I can concentrate on business logic and application 
> flow.
>
> Of course, there's always a trade off, like most things - I just think 
> writing say:
>
> event = Event.find(1)
> event.title = "New title"
> event.save
>
> more naturally expresses what Im doing than:
>
> UPDATE events SET TITLE="New title" where id=1
>   

ORM is definitely not a generalized (or abstracted as we say incorrectly 
these days) database layer.  It is the attempt to cast database 
operations in object-oriented actions, using objects to implement 
validation, relationships, and other stuff.

Your example above, by contrast, is not really ORM, it is just an update 
routine implemented using OO code.  My own looks very similar but does 
not use OO code, because none is necessary:

$row = array();
$row['first_name'] = 'Arkady';
$row['last_name'] = 'Bogdanov';
sql_insert('sometable',$row);

...and you can do the same for the other three basic operations of 
delete, update, and select.  But your example and mine both stress what 
I said in the beginning, PHP is fine for row-by-row operations, that is 
what it is good at.

But when you need to start doing reporting or on-screen displays, and 
the query requires even one or two joins, your performance tanks unless 
you just break down and write the query:

SELECT blah,blah,blah
    FROM table 1
    JOIN table 2 on x = y
  WHERE filters,filters,filters

Then recurse through the results and spit out your HTML or generate your 
PDF or whatever.  Trying to treat the rows as objects in that case is 
taking a good idea where it was never meant to go.


> Once you start defining and updating many-to-many relationships, the SQL 
> becomes much more complex compared to writing code.
>   

Again, not my experience.  But that is probably because I implement the 
business logic on the database server, and I generate the code to do so 
out of a data dictionary.  I haven't manually coded that stuff for 3 
years and I hope I never have to again :)

> I know I won't convince you but I think it important for people to hear 
> both sides and make up their own minds.
>
>   

Yup, couldn't agree more.

It has been fun debating the topic.

-- 
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com    www.andromeda-project.org
631-689-7200   Fax: 631-689-0527
cell: 631-379-0010

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070912/b2f009a4/attachment.html>

From arzala at gmail.com  Wed Sep 12 07:39:37 2007
From: arzala at gmail.com (Anirudh Zala)
Date: Wed, 12 Sep 2007 17:09:37 +0530
Subject: [nycphp-talk] Keep login on two sites simultaneously by just login
	in any of the two sites..
In-Reply-To: <C30D3796.447C1%rahmin@insite-out.com>
References: <C30D3796.447C1%rahmin@insite-out.com>
Message-ID: <200709121709.37595.arzala@gmail.com>

On Wednesday 12 Sep 2007 15:58:38 Rahmin Pavlovic wrote:
> Aniesh joseph wrote:
> > Hello,
> >
> > Is it possible to share the session in two sites? I have two sites both
> > of them having same contents(login id & password) in the database.. So
> > someone login in siteA, possible to login in siteB automatically?
>
> I like to keep a sort of "bridge" table for things like this.
>
> Say, user logs into site A, and their session id -- or some hash of their
> personal data -- gets stored in the bridge table with a timestamp (and user
> id, or whatever else you want to link up to).
>
> If you drive content from one site to another, you could append their
> session id to the URL, and lookup that user on site B, within a given
> timeframe (say, 30min since the bridge timestamp was inserted).
>
> If the user/pass info is exactly the same on both sites, you could store a
> hash of that in the bridge table (as opposed to the session).
>
> If logins to site B are sensitive, you could include a counter in the
> bridge table to only allow one concurrent login.

If you are using session cookies (which is used on most of implementations) 
then you can share it among multiple sites if base domain is same. For 
example if siteA is http://www.example.com and siteB is 
http://subsite.example.com then you can read session cookies of 1 site from 
another (and vice versa, provided that you set cookies the way it is 
required) hence no need to store data into table or to pass any hash or 
string into URL.

Yahoo uses this technique because structure of it's services are like  
autos.yahoo.com, mail.yahoo.com etc. Hence they can share same cookies on all 
services as main domain (yahoo.com) is same.

This method can work only if you have 2 websites with above domain name 
pattern. But if you have 2 different domains then method shown by Rahmin is 
must.

>
>
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php




From chsnyder at gmail.com  Wed Sep 12 08:22:04 2007
From: chsnyder at gmail.com (csnyder)
Date: Wed, 12 Sep 2007 08:22:04 -0400
Subject: [nycphp-talk] "net" as timestamp?
In-Reply-To: <C30D2C12.447A7%rahmin@insite-out.com>
References: <C30D2C12.447A7%rahmin@insite-out.com>
Message-ID: <b76252690709120522n3afbcd61l296db3f3e217f5cd@mail.gmail.com>

On 9/12/07, Rahmin Pavlovic <rahmin at insite-out.com> wrote:
>
> Why does "net" return 4hr + 20min ago, and why do I feel like I already
> lived it?

Looks like an inside joke.

grep net ext/date/lib/*
timezonemap.h:  { "net",   0,   1200, "Europe/Amsterdam"              },

Some kind of "special" timezone for Amsterdam. Sigh.

-- 
Chris Snyder
http://chxo.com/


From chsnyder at gmail.com  Wed Sep 12 08:23:29 2007
From: chsnyder at gmail.com (csnyder)
Date: Wed, 12 Sep 2007 08:23:29 -0400
Subject: [nycphp-talk] "net" as timestamp?
In-Reply-To: <b76252690709120522n3afbcd61l296db3f3e217f5cd@mail.gmail.com>
References: <C30D2C12.447A7%rahmin@insite-out.com>
	<b76252690709120522n3afbcd61l296db3f3e217f5cd@mail.gmail.com>
Message-ID: <b76252690709120523p5b076f17h802cbac052a6e837@mail.gmail.com>

On 9/12/07, csnyder <chsnyder at gmail.com> wrote:

> Some kind of "special" timezone for Amsterdam. Sigh.

Actually, my bad pattern matching brain. It's a real timezone for
Netherlands. Seems like a bug if it's giving you the wrong time.

/shame

-- 
Chris Snyder
http://chxo.com/


From lists at zaunere.com  Wed Sep 12 10:13:15 2007
From: lists at zaunere.com (Hans Zaunere)
Date: Wed, 12 Sep 2007 10:13:15 -0400
Subject: [nycphp-talk] ReMIX 07 Free Passes
Message-ID: <007101c7f547$0f7111e0$651ba8c0@MobileZ>


Hello all,

We have free conference passes to Microsoft's ReMIX07 conference in Boston,
October 8-9.

"Multi-track sessions for designers and developers covering Silverlight,
AJAX, Virtual Earth, .Net 3.0/3.5, Expression and Visual Studio"

http://www.remix07boston.com/

Including, of course, a PHP talk "Partying with PHP (...and the Microsoft
Platform)"

RSVP Code:  RM07WDS

I'll look to be at the conference as well, so hope to see a few there.

---
Hans Zaunere / President / New York PHP
    www.nyphp.org  /  www.nyphp.com




From rahmin at insite-out.com  Wed Sep 12 12:16:29 2007
From: rahmin at insite-out.com (Rahmin Pavlovic)
Date: Wed, 12 Sep 2007 12:16:29 -0400
Subject: [nycphp-talk] "net" as timestamp?
In-Reply-To: <b76252690709120522n3afbcd61l296db3f3e217f5cd@mail.gmail.com>
Message-ID: <C30D891D.44864%rahmin@insite-out.com>


csnyder wrote:

> grep net ext/date/lib/*
> timezonemap.h:  { "net",   0,   1200, "Europe/Amsterdam"              },
> 

Sweet jelly--looks like there're a lot of those: http://tinyurl.com/yphczl

Would you happen to know of any parsers out there?  




From rmarscher at beaffinitive.com  Wed Sep 12 12:36:31 2007
From: rmarscher at beaffinitive.com (Rob Marscher)
Date: Wed, 12 Sep 2007 12:36:31 -0400
Subject: [nycphp-talk] ORM anyone?
In-Reply-To: <46E7CD6D.6060006@secdat.com>
References: <Pine.LNX.4.44.0709111947250.17851-100000@bitblit.net>
	<46E7CD6D.6060006@secdat.com>
Message-ID: <1B6E2849-5D5A-4220-85F0-E6ABC97BFA24@beaffinitive.com>

I think ORM definitely fits a lot of common models.  It can be great  
for rapid development which is why frameworks like Ruby on Rails and  
CakePHP have it build in.  You just define the fields and the  
relationships to other objects and the built in methods for saving  
the objects (which will maintain your foreign keys), retrieving an  
object (and their related objects), and get listings of objects work  
without any additional coding.

There are other cases where you might need tables that don't fit to  
an OOP model -- or you need custom sql to get the best optimized  
listings.  Even if you use ORM, you still need to understand the SQL  
layer underneath to really optimize your application.

I haven't used the open source php ORM solutions (Propel, CakePHP,  
etc) -- but I hear there are ways to configure/tune them to get  
better optimized sql under-the-covers.  That would be a presentation  
I'd like to see.  Anyone have experience with this?

-Rob



From jonbaer at jonbaer.com  Wed Sep 12 13:07:47 2007
From: jonbaer at jonbaer.com (Jon Baer)
Date: Wed, 12 Sep 2007 13:07:47 -0400
Subject: [nycphp-talk] ORM anyone?
In-Reply-To: <1B6E2849-5D5A-4220-85F0-E6ABC97BFA24@beaffinitive.com>
References: <Pine.LNX.4.44.0709111947250.17851-100000@bitblit.net>
	<46E7CD6D.6060006@secdat.com>
	<1B6E2849-5D5A-4220-85F0-E6ABC97BFA24@beaffinitive.com>
Message-ID: <13B80C7D-1210-4906-9959-08AB7BD4EB41@jonbaer.com>

(This might have already been mentioned, sorry lost some emails) ...

I think no matter what ORM framework you pick you always have to look  
@ its lazy + eager loading options (this is even before the  
optimization).  You can run into big problems if you don't consider  
the timing of data in your app, most ORM fanatics think its great  
that you get all that functionality and some praise caching as a  
solution but never realize they are working with stale child objects  
in the end and have to code workarounds themselves.

For the most part the agile benefit of using it in dev environment  
outweighs this issue but definitely something to review in a project.

- Jon

On Sep 12, 2007, at 12:36 PM, Rob Marscher wrote:

> I think ORM definitely fits a lot of common models.  It can be  
> great for rapid development which is why frameworks like Ruby on  
> Rails and CakePHP have it build in.  You just define the fields and  
> the relationships to other objects and the built in methods for  
> saving the objects (which will maintain your foreign keys),  
> retrieving an object (and their related objects), and get listings  
> of objects work without any additional coding.
>
> There are other cases where you might need tables that don't fit to  
> an OOP model -- or you need custom sql to get the best optimized  
> listings.  Even if you use ORM, you still need to understand the  
> SQL layer underneath to really optimize your application.
>
> I haven't used the open source php ORM solutions (Propel, CakePHP,  
> etc) -- but I hear there are ways to configure/tune them to get  
> better optimized sql under-the-covers.  That would be a  
> presentation I'd like to see.  Anyone have experience with this?
>
> -Rob
>
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php



From danielc at analysisandsolutions.com  Wed Sep 12 17:44:34 2007
From: danielc at analysisandsolutions.com (Daniel Convissor)
Date: Wed, 12 Sep 2007 17:44:34 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To: <46E138C2.3040307@metalab.unc.edu>
References: <46DD54B0.5060803@secdat.com> <46E1238E.5010307@metalab.unc.edu>
	<46E12D4A.2010204@secdat.com> <46E12F93.4040700@metalab.unc.edu>
	<46E132B0.9010400@secdat.com> <46E138C2.3040307@metalab.unc.edu>
Message-ID: <20070912214433.GA11305@panix.com>

On Fri, Sep 07, 2007 at 07:40:50AM -0400, Elliotte Harold wrote:
> 
> Nonetheless, the username and password should be transmitted with each 
> request (in the HTTP header, not the URL)

Are you saying the web browser should send the user name and password to 
the HTTP server on each request?  That's a lousy idea.


> so that it doesn't matter 
> whether I've switched browsers, rebooted my machine, or told my office 
> manager to login under my name on her PC.

How.

--Dan

-- 
 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
            data intensive web and database programming
                http://www.AnalysisAndSolutions.com/
 4015 7th Ave #4, Brooklyn NY 11232  v: 718-854-0335 f: 718-854-0409


From lists at enobrev.com  Wed Sep 12 23:18:26 2007
From: lists at enobrev.com (Mark Armendariz)
Date: Wed, 12 Sep 2007 23:18:26 -0400
Subject: [nycphp-talk] Books & magazines
In-Reply-To: <46E2D692.8020703@beezifies.com>
References: <46E2D692.8020703@beezifies.com>
Message-ID: <46E8AC02.1020100@enobrev.com>

Gary Mort wrote:
> Just wondering what books and magazines people here particularly like 
> for PHP programming.  Which are good for learning, and which are good 
> for reference.

I'm a Huge fan of Code Complete by Steve McConnell, which is an 
incredible gathering of best practices for programming in general 
(regardless of language).

I tend to resort to Jeffrey Friedl's Mastering Regular Expressions quite 
often as well.

I used to receive both PHP|Architect and PHP Magazine - both were very 
informative. 

Otherwise, anything by Charles Bukowski or Hunter S. Thompson.

Mark






From ajai at bitblit.net  Thu Sep 13 10:50:24 2007
From: ajai at bitblit.net (Ajai Khattri)
Date: Thu, 13 Sep 2007 10:50:24 -0400 (EDT)
Subject: [nycphp-talk] ORM anyone?
In-Reply-To: <46E7CD6D.6060006@secdat.com>
Message-ID: <Pine.LNX.4.44.0709131041050.17851-100000@bitblit.net>

On Wed, 12 Sep 2007, Kenneth Downs wrote:

> ... We accept the obligation 
> to learn HTML, CSS and Javascript, and even a few things about HTTP 
> headers and so forth, but we think it is optional to learn SQL and to 
> treat the database as what it is.  That really puzzles me.  The only 
> explanation I can come up with is people must be using really simple 
> databases so that the inefficiencies at large table counts just never 
> show up.

OR

I think what you're saying here kind of proves my point. HTML and CSS are 
easy to learn no matter if you're a programmer or not. And in the OOP 
world, JavaScript, Ruby, Python, C++, Java are all similar enough that 
most programmers will find the learning curve fairly shallow. Learning 
about database design, normalization and SQL is outside of both of those 
worlds.

Im not saying this is right or wrong, or that everything must be done 
with an ORM layer always, but you can see where the friction gets 
introduced. This is why, for example, migrations exist in Ruby on Rails.



-- 
Aj.



From david at davidmintz.org  Thu Sep 13 16:26:46 2007
From: david at davidmintz.org (David Mintz)
Date: Thu, 13 Sep 2007 16:26:46 -0400
Subject: [nycphp-talk] hats off to Matthew
Message-ID: <721f1cc50709131326o568a62e4r11dfc852f904e6c1@mail.gmail.com>

Kudos to Matthew Weier O'Phinney for traveling to New York City yesterday
and giving a fine presentation on ZF for nyphp.org in the back room of a
loud bar where the screen was too far away for the audience to read the
text. You made it look easy. Thanks also for answering question and question
after question on *@lists.zend.com lists as well as in noisy downtown New
York bars.

(-:

         David


-- 
David Mintz
http://davidmintz.org/

The subtle source is clear and bright
The tributary streams flow through the darkness
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070913/e9c4956c/attachment.html>

From danielc at analysisandsolutions.com  Thu Sep 13 18:15:07 2007
From: danielc at analysisandsolutions.com (Daniel Convissor)
Date: Thu, 13 Sep 2007 18:15:07 -0400
Subject: [nycphp-talk] php authentication form
In-Reply-To: <c84496c60709070654m34c3acd7s5f2d24786ca8f966@mail.gmail.com>
References: <c84496c60709070654m34c3acd7s5f2d24786ca8f966@mail.gmail.com>
Message-ID: <20070913221507.GA793@panix.com>

On Fri, Sep 07, 2007 at 10:54:23AM -0300, Henry Ponce wrote:
> 
> I have a form that currently checks if the username and password are correct
> in mysql database. I need to know if it's possible to check this information
> on apache server, using maybe $_SERVER['PHP_AUTH_USER'] and
> $_SERVER['PHP_AUTH_PW'].

A bit late, perhaps you already figured this out...  If you're using HTTP 
Basic authentication, yes.

I'm not sure you really want to do this.  The data gets cached in the 
browser.  Are you doing this via a TLS/SSL/https connection?  Otherwise 
your username/passwords are available to snoopers, etc.

--Dan

-- 
 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
            data intensive web and database programming
                http://www.AnalysisAndSolutions.com/
 4015 7th Ave #4, Brooklyn NY 11232  v: 718-854-0335 f: 718-854-0409


From cliff at pinestream.com  Thu Sep 13 18:27:51 2007
From: cliff at pinestream.com (Cliff Hirsch)
Date: Thu, 13 Sep 2007 18:27:51 -0400
Subject: [nycphp-talk] Class name conflict with Pear Pager
Message-ID: <C30F31A7.7C6E%cliff@pinestream.com>

Shana Tovah:

I have a class called Pager. Bad name. This conflicts with Pear Pager. It is
used in a zilion places so changing the name would be a pain. Not a big
deal, but a pain. To date, I have just been deleting or renaming the Pear
Pager class, but every time I ?refresh? PHP, the problem crops up again. Any
global suggestions on how to address class name conflicts with Pear?

Cliff
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070913/0abb2b01/attachment.html>

From rolan at omnistep.com  Thu Sep 13 18:40:52 2007
From: rolan at omnistep.com (Rolan Yang)
Date: Thu, 13 Sep 2007 18:40:52 -0400
Subject: [nycphp-talk] Class name conflict with Pear Pager
In-Reply-To: <C30F31A7.7C6E%cliff@pinestream.com>
References: <C30F31A7.7C6E%cliff@pinestream.com>
Message-ID: <46E9BC74.8000209@omnistep.com>

Cliff Hirsch wrote:
> Shana Tovah:
>
> I have a class called Pager. Bad name. This conflicts with Pear Pager. 
> It is used in a zilion places so changing the name would be a pain. 
> Not a big deal, but a pain. To date, I have just been deleting or 
> renaming the Pear Pager class, but every time I ?refresh? PHP, the 
> problem crops up again. Any global suggestions on how to address class 
> name conflicts with Pear?
>
> Cliff

If the summation of your "refresh" pains exceed the one-time pain in 
changing the name, try a perl global search and replace.
See the "perl -pi -e" examples at the bottom of 
http://www.oreilly.com/pub/h/73

~Rolan


From rolan at omnistep.com  Thu Sep 13 18:46:07 2007
From: rolan at omnistep.com (Rolan Yang)
Date: Thu, 13 Sep 2007 18:46:07 -0400
Subject: [nycphp-talk] Class name conflict with Pear Pager
In-Reply-To: <46E9BC74.8000209@omnistep.com>
References: <C30F31A7.7C6E%cliff@pinestream.com>
	<46E9BC74.8000209@omnistep.com>
Message-ID: <46E9BDAF.8090501@omnistep.com>

Rolan Yang wrote:
> Cliff Hirsch wrote:
>> Shana Tovah:
>>
>> I have a class called Pager. Bad name. This conflicts with Pear 
>> Pager. It is used in a zilion places so changing the name would be a 
>> pain. Not a big deal, but a pain. To date, I have just been deleting 
>> or renaming the Pear Pager class, but every time I ?refresh? PHP, the 
>> problem crops up again. Any global suggestions on how to address 
>> class name conflicts with Pear?
>>
>> Cliff
>
> If the summation of your "refresh" pains exceed the one-time pain in 
> changing the name, try a perl global search and replace.
> See the "perl -pi -e" examples at the bottom of 
> http://www.oreilly.com/pub/h/73
>
> ~Rolan
>
That was a bit confusing in english. Perhaps this code snippet will 
clarify things a bit:

if (array_sum($refreshPains) > $searchAndReplacePain) {
    readfile('http://www.oreilly.com/pub/h/73');
}


From danielc at analysisandsolutions.com  Thu Sep 13 21:04:56 2007
From: danielc at analysisandsolutions.com (Daniel Convissor)
Date: Thu, 13 Sep 2007 21:04:56 -0400
Subject: [nycphp-talk] Class name conflict with Pear Pager
In-Reply-To: <C30F31A7.7C6E%cliff@pinestream.com>
References: <C30F31A7.7C6E%cliff@pinestream.com>
Message-ID: <20070914010456.GA14287@panix.com>

On Thu, Sep 13, 2007 at 06:27:51PM -0400, Cliff Hirsch wrote:
> Shana Tovah:
> 
> I have a class called Pager. Bad name. This conflicts with Pear Pager. It is
> used in a zilion places so changing the name would be a pain. Not a big
> deal, but a pain. To date, I have just been deleting or renaming the Pear
> Pager class,

That's crazy.  Rename your class and be done with it.  It's such an easy 
fix.  One way:

* Either use grep or your favorite text editor to open all files that 
refer to either Pager class.  For example, using cygwin on windows:

grep -rlE 'new Pager|new YourFakePearPagerName' . | xargs -i ep {} &

(replacing ep at the end with the name of your editor)


* Search and replace in all files YourFakePearPagerName with 
XXXTempPgrName

* Search and replace in all files Pager with NewNameForYourPagerClass

* Finally search and replace XXXTempPgrName with Pager.

* Save all files.

It took me longer to write this email than it would have taken to solve 
the problem once and for all.

--Dan

-- 
 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
            data intensive web and database programming
                http://www.AnalysisAndSolutions.com/
 4015 7th Ave #4, Brooklyn NY 11232  v: 718-854-0335 f: 718-854-0409


From ken at secdat.com  Fri Sep 14 07:19:38 2007
From: ken at secdat.com (Kenneth Downs)
Date: Fri, 14 Sep 2007 07:19:38 -0400
Subject: [nycphp-talk] ORM anyone?
In-Reply-To: <Pine.LNX.4.44.0709131041050.17851-100000@bitblit.net>
References: <Pine.LNX.4.44.0709131041050.17851-100000@bitblit.net>
Message-ID: <46EA6E4A.9050504@secdat.com>

Ajai Khattri wrote:
> On Wed, 12 Sep 2007, Kenneth Downs wrote:
>
>   
>> ... We accept the obligation 
>> to learn HTML, CSS and Javascript, and even a few things about HTTP 
>> headers and so forth, but we think it is optional to learn SQL and to 
>> treat the database as what it is.  That really puzzles me.  The only 
>> explanation I can come up with is people must be using really simple 
>> databases so that the inefficiencies at large table counts just never 
>> show up.
>>     
>
> OR
>
> I think what you're saying here kind of proves my point. HTML and CSS are 
> easy to learn no matter if you're a programmer or not. And in the OOP 
> world, JavaScript, Ruby, Python, C++, Java are all similar enough that 
> most programmers will find the learning curve fairly shallow. Learning 
> about database design, normalization and SQL is outside of both of those 
> worlds.
>   

It seems we are saying the same thing on a crucial point: SQL/RDBMS is 
not OOP.

It comes down to our different responses to that reality.  Your response 
is, if I may characterize it, /to cast the unknown in terms of the 
known./  The goal of all ORM projects is to make tables look like 
objects so they can be manipulated in known terms.

This seems to make great sense and to be wise.  I used to do this myself 
and thought it was a great idea.  I have since found that it is 
counter-productive, at least for me and the programmers I've worked 
with.  I have found a far more productive approach to be to /use each 
tool as it works best./  With this approach I would not treat a table as 
an object because a table is not an object, or a class or an interface!

I think that is where we differ. 

> Im not saying this is right or wrong, or that everything must be done 
> with an ORM layer always, but you can see where the friction gets 
> introduced. This is why, for example, migrations exist in Ruby on Rails.
>   

Agreed insofar as there is much personal preference involved in these 
decisions. 



-- 
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com    www.andromeda-project.org
631-689-7200   Fax: 631-689-0527
cell: 631-379-0010

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070914/8fde84f3/attachment.html>

From paulcheung at tiscali.co.uk  Fri Sep 14 09:09:30 2007
From: paulcheung at tiscali.co.uk (PaulCheung)
Date: Fri, 14 Sep 2007 14:09:30 +0100
Subject: [nycphp-talk] Emailing from a PHP script
Message-ID: <004201c7f6d0$7cc0f780$0200a8c0@X9183>

Can anybody see what I am doing wrong??

I have set php.ini (as per the manual) to my email settings
======================================
[mail function]
; For Win32 only.
SMTP = smtp.tiscali.co.uk
smtp_port = 25

; For Win32 only.
sendmail_from = paulcheung at tiscali.co.uk
========================================================
I run the script and the following message appears

Warning: mail() [function.mail]: Failed to connect to mailserver at 
"localhost" port 25, verify your "SMTP" and "smtp_port" setting in php.ini 
or use ini_set() in C:\xampp\htdocs\tp_access.php on line 61
========================================================
script line 61   mail(to, subject, message, "From: 
paulcheung at tiscali.co.uk");

Following the textbook example it should work - why am I directed to 
localhost?? 


From nikola.mitic at gmail.com  Fri Sep 14 09:27:08 2007
From: nikola.mitic at gmail.com (Nikola Mitic)
Date: Fri, 14 Sep 2007 15:27:08 +0200
Subject: [nycphp-talk] Emailing from a PHP script
In-Reply-To: <004201c7f6d0$7cc0f780$0200a8c0@X9183>
References: <004201c7f6d0$7cc0f780$0200a8c0@X9183>
Message-ID: <6b1dc5090709140627td55d1dg76d7472abdc1992a@mail.gmail.com>

It looks OK.

Can you check that you changed php.ini file that your server is using?

you can see that with <? echo phpinfo(); ?>

Best,
Nikola Mitic
http://www.twospots.com

On 9/14/07, PaulCheung <paulcheung at tiscali.co.uk> wrote:
>
> Can anybody see what I am doing wrong??
>
> I have set php.ini (as per the manual) to my email settings
> ======================================
> [mail function]
> ; For Win32 only.
> SMTP = smtp.tiscali.co.uk
> smtp_port = 25
>
> ; For Win32 only.
> sendmail_from = paulcheung at tiscali.co.uk
> ========================================================
> I run the script and the following message appears
>
> Warning: mail() [function.mail]: Failed to connect to mailserver at
> "localhost" port 25, verify your "SMTP" and "smtp_port" setting in php.ini
> or use ini_set() in C:\xampp\htdocs\tp_access.php on line 61
> ========================================================
> script line 61   mail(to, subject, message, "From:
> paulcheung at tiscali.co.uk");
>
> Following the textbook example it should work - why am I directed to
> localhost??
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070914/c02db538/attachment.html>

From kenrbnsn at rbnsn.com  Fri Sep 14 09:32:07 2007
From: kenrbnsn at rbnsn.com (Ken Robinson)
Date: Fri, 14 Sep 2007 09:32:07 -0400
Subject: [nycphp-talk] Emailing from a PHP script
In-Reply-To: <004201c7f6d0$7cc0f780$0200a8c0@X9183>
References: <004201c7f6d0$7cc0f780$0200a8c0@X9183>
Message-ID: <mailman.16.1363003701.25290.talk@lists.nyphp.org>

At 09:09 AM 9/14/2007, PaulCheung wrote:
>Can anybody see what I am doing wrong??
>
>I have set php.ini (as per the manual) to my email settings
>======================================
>[mail function]
>; For Win32 only.
>SMTP = smtp.tiscali.co.uk
>smtp_port = 25
>
>; For Win32 only.
>sendmail_from = paulcheung at tiscali.co.uk
>========================================================
>I run the script and the following message appears

Did you restart your web server (Apache?) after making the changes to 
the PHP.INI file? This has to be done for the changes to take affect.

Ken 



From paulcheung at tiscali.co.uk  Fri Sep 14 09:42:36 2007
From: paulcheung at tiscali.co.uk (PaulCheung)
Date: Fri, 14 Sep 2007 14:42:36 +0100
Subject: [nycphp-talk] Emailing from a PHP script
References: <004201c7f6d0$7cc0f780$0200a8c0@X9183>
	<46E9B582004E7A82@mail-8-uk.mail.tiscali.sys> (added by
	postmaster@mail-8.uk.tiscali.com)
Message-ID: <001001c7f6d5$1cb4daf0$0200a8c0@X9183>

Yes I did that and the direction to localhost disappeared and I got the 
following message

Warning: mail() [function.mail]: "sendmail_from" not set in php.ini or 
custom "From:" header missing in C:\xampp\htdocs\tp_access.php on line 61

----- Original Message ----- 
From: "Ken Robinson" <kenrbnsn at rbnsn.com>
To: "NYPHP Talk" <talk at lists.nyphp.org>
Sent: Friday, September 14, 2007 2:32 PM
Subject: Re: [nycphp-talk] Emailing from a PHP script


> At 09:09 AM 9/14/2007, PaulCheung wrote:
>>Can anybody see what I am doing wrong??
>>
>>I have set php.ini (as per the manual) to my email settings
>>======================================
>>[mail function]
>>; For Win32 only.
>>SMTP = smtp.tiscali.co.uk
>>smtp_port = 25
>>
>>; For Win32 only.
>>sendmail_from = paulcheung at tiscali.co.uk
>>========================================================
>>I run the script and the following message appears
>
> Did you restart your web server (Apache?) after making the changes to the 
> PHP.INI file? This has to be done for the changes to take affect.
>
> Ken
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php 


From cliff at pinestream.com  Fri Sep 14 10:09:24 2007
From: cliff at pinestream.com (Cliff Hirsch)
Date: Fri, 14 Sep 2007 10:09:24 -0400
Subject: [nycphp-talk] Class name conflict with Pear Pager
In-Reply-To: <20070914010456.GA14287@panix.com>
Message-ID: <C3100E54.7CB8%cliff@pinestream.com>

On 9/13/07 9:04 PM, "Daniel Convissor" <danielc at analysisandsolutions.com>
wrote:

> On Thu, Sep 13, 2007 at 06:27:51PM -0400, Cliff Hirsch wrote:
>> I have a class called Pager. Bad name. This conflicts with Pear Pager. It is
>> used in a zilion places so changing the name would be a pain. Not a big
>> deal, but a pain. To date, I have just been deleting or renaming the Pear
>> Pager class,

readfile('http://www.oreilly.com/pub/h/73');

> * Either use grep or your favorite text editor to open all files that
> refer to either Pager class.  For example, using cygwin on windows:

Thanks Dan and Rolan: Sounds like I just need to stop being lazy and fix it
once and for all.

Cliff




From jsia18 at yahoo.com  Fri Sep 14 10:24:41 2007
From: jsia18 at yahoo.com (Jason Sia)
Date: Fri, 14 Sep 2007 07:24:41 -0700 (PDT)
Subject: [nycphp-talk] Emailing from a PHP script
Message-ID: <52054.93970.qm@web37901.mail.mud.yahoo.com>

you are just using XAMPP for windows right?

----- Original Message ----
From: Ken Robinson <kenrbnsn at rbnsn.com>
To: NYPHP Talk <talk at lists.nyphp.org>
Sent: Friday, September 14, 2007 9:32:07 PM
Subject: Re: [nycphp-talk] Emailing from a PHP script

At 09:09 AM 9/14/2007, PaulCheung wrote:
>Can anybody see what I am doing wrong??
>
>I have set php.ini (as per the manual) to my email settings
>======================================
>[mail function]
>; For Win32 only.
>SMTP = smtp.tiscali.co.uk
>smtp_port = 25
>
>; For Win32 only.
>sendmail_from = paulcheung at tiscali.co.uk
>========================================================
>I run the script and the following message appears

Did you restart your web server (Apache?) after making the changes to 
the PHP.INI file? This has to be done for the changes to take affect.

Ken 

_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com

Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php






Send instant messages to your online friends http://uk.messenger.yahoo.com 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070914/d7105dd7/attachment.html>

From paulcheung at tiscali.co.uk  Fri Sep 14 10:37:11 2007
From: paulcheung at tiscali.co.uk (PaulCheung)
Date: Fri, 14 Sep 2007 15:37:11 +0100
Subject: [nycphp-talk] Emailing from a PHP script
References: <52054.93970.qm@web37901.mail.mud.yahoo.com>
Message-ID: <001a01c7f6dc$bda98530$0200a8c0@X9183>

Yes, that is correct.
Has this anything to do with my problem?


  ----- Original Message ----- 
  From: Jason Sia 
  To: NYPHP Talk 
  Sent: Friday, September 14, 2007 3:24 PM
  Subject: Re: [nycphp-talk] Emailing from a PHP script


  you are just using XAMPP for windows right?


  ----- Original Message ----
  From: Ken Robinson <kenrbnsn at rbnsn.com>
  To: NYPHP Talk <talk at lists.nyphp.org>
  Sent: Friday, September 14, 2007 9:32:07 PM
  Subject: Re: [nycphp-talk] Emailing from a PHP script


  At 09:09 AM 9/14/2007, PaulCheung wrote:
  >Can anybody see what I am doing wrong??
  >
  >I have set php.ini (as per the manual) to my email settings
  >======================================
  >[mail function]
  >; For Win32 only.
  >SMTP = smtp.tiscali.co.uk
  >smtp_port = 25
  >
  >; For Win32 only.
  >sendmail_from = paulcheung at tiscali.co.uk
  >========================================================
  >I run the script and the following message appears

  Did you restart your web server (Apache?) after making the changes to 
  the PHP.INI file? This has to be done for the changes to take affect.

  Ken 

  _______________________________________________
  New York PHP Community Talk Mailing List
  http://lists.nyphp.org/mailman/listinfo/talk

  NYPHPCon 2006 Presentations Online
  http://www.nyphpcon.com

  Show Your Participation in New York PHP
  http://www.nyphp.org/show_participation.php




  Send instant messages to your online friends http://uk.messenger.yahoo.com 


------------------------------------------------------------------------------


  _______________________________________________
  New York PHP Community Talk Mailing List
  http://lists.nyphp.org/mailman/listinfo/talk

  NYPHPCon 2006 Presentations Online
  http://www.nyphpcon.com

  Show Your Participation in New York PHP
  http://www.nyphp.org/show_participation.php
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070914/b6fb34fa/attachment.html>

From jsia18 at yahoo.com  Fri Sep 14 11:00:23 2007
From: jsia18 at yahoo.com (Jason Sia)
Date: Fri, 14 Sep 2007 08:00:23 -0700 (PDT)
Subject: [nycphp-talk] Emailing from a PHP script
Message-ID: <206328.34768.qm@web37906.mail.mud.yahoo.com>

ok that will not really work 
you should use SMTP=localhost then download QK SMTP Server to make this work.

----- Original Message ----
From: PaulCheung <paulcheung at tiscali.co.uk>
To: NYPHP Talk <talk at lists.nyphp.org>
Sent: Friday, September 14, 2007 10:37:11 PM
Subject: Re: [nycphp-talk] Emailing from a PHP script



 
DIV {
MARGIN:0px;}



Yes, that is correct.

Has this anything to do with my 
problem?

 

 


  ----- Original Message ----- 

  From: 
  Jason Sia 

  To: NYPHP Talk 

  Sent: Friday, September 14, 2007 3:24 
  PM

  Subject: Re: [nycphp-talk] Emailing from a 
  PHP script

  


  
  you are 
  just using XAMPP for windows right?


  ----- 
  Original Message ----
From: Ken Robinson <kenrbnsn at rbnsn.com>
To: NYPHP Talk 
  <talk at lists.nyphp.org>
Sent: 
  Friday, September 14, 2007 9:32:07 PM
Subject: Re: [nycphp-talk] Emailing 
  from a PHP script


  At 09:09 AM 9/14/2007, PaulCheung wrote:
>Can anybody see what I am 
  doing wrong??
>
>I have set php.ini (as per the manual) to my 
  email settings
>======================================
>[mail 
  function]
>; For Win32 only.
>SMTP = 
  smtp.tiscali.co.uk
>smtp_port = 25
>
>; For Win32 
  only.
>sendmail_from = 
  paulcheung at tiscali.co.uk
>========================================================
>I 
  run the script and the following message appears

Did you restart your 
  web server (Apache?) after making the changes to 
the PHP.INI file? This 
  has to be done for the changes to take affect.

Ken 
  

_______________________________________________
New York PHP 
  Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

NYPHPCon 
  2006 Presentations Online
http://www.nyphpcon.com

Show Your Participation in 
  New York PHP
http://www.nyphp.org/show_participation.php






Send 
  instant messages to your online friends http://uk.messenger.yahoo.com 
  
  


  
_______________________________________________
New York PHP 
  Community Talk Mailing 
  List
http://lists.nyphp.org/mailman/listinfo/talk

NYPHPCon 2006 
  Presentations Online
http://www.nyphpcon.com

Show Your Participation 
  in New York 
PHP
http://www.nyphp.org/show_participation.php




Send instant messages to your online friends http://uk.messenger.yahoo.com 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070914/6918b974/attachment.html>

From paulcheung at tiscali.co.uk  Fri Sep 14 11:34:56 2007
From: paulcheung at tiscali.co.uk (PaulCheung)
Date: Fri, 14 Sep 2007 16:34:56 +0100
Subject: [nycphp-talk] Emailing from a PHP script
References: <206328.34768.qm@web37906.mail.mud.yahoo.com>
Message-ID: <001201c7f6e4$cdf04340$0200a8c0@X9183>

Thanks for the solution. I've tried it and it did not work for me
changed php.ini to reflect change rebooted my system. Don't really understand why it is necessary to download QK SMTP 
Has all my problems been something to do with XAMPP under windows??

Paul

  ----- Original Message ----- 
  From: Jason Sia 
  To: NYPHP Talk 
  Sent: Friday, September 14, 2007 4:00 PM
  Subject: Re: [nycphp-talk] Emailing from a PHP script


  ok that will not really work 
  you should use SMTP=localhost then download QK SMTP Server to make this work.


  ----- Original Message ----
  From: PaulCheung <paulcheung at tiscali.co.uk>
  To: NYPHP Talk <talk at lists.nyphp.org>
  Sent: Friday, September 14, 2007 10:37:11 PM
  Subject: Re: [nycphp-talk] Emailing from a PHP script


  Yes, that is correct.
  Has this anything to do with my problem?


    ----- Original Message ----- 
    From: Jason Sia 
    To: NYPHP Talk 
    Sent: Friday, September 14, 2007 3:24 PM
    Subject: Re: [nycphp-talk] Emailing from a PHP script


    you are just using XAMPP for windows right?


    ----- Original Message ----
    From: Ken Robinson <kenrbnsn at rbnsn.com>
    To: NYPHP Talk <talk at lists.nyphp.org>
    Sent: Friday, September 14, 2007 9:32:07 PM
    Subject: Re: [nycphp-talk] Emailing from a PHP script


    At 09:09 AM 9/14/2007, PaulCheung wrote:
    >Can anybody see what I am doing wrong??
    >
    >I have set php.ini (as per the manual) to my email settings
    >======================================
    >[mail function]
    >; For Win32 only.
    >SMTP = smtp.tiscali.co.uk
    >smtp_port = 25
    >
    >; For Win32 only.
    >sendmail_from = paulcheung at tiscali.co.uk
    >========================================================
    >I run the script and the following message appears

    Did you restart your web server (Apache?) after making the changes to 
    the PHP.INI file? This has to be done for the changes to take affect.

    Ken 

    _______________________________________________
    New York PHP Community Talk Mailing List
    http://lists.nyphp.org/mailman/listinfo/talk

    NYPHPCon 2006 Presentations Online
    http://www.nyphpcon.com

    Show Your Participation in New York PHP
    http://www.nyphp.org/show_participation.php




    Send instant messages to your online friends http://uk.messenger.yahoo.com 


    _______________________________________________
    New York PHP Community Talk Mailing List
    http://lists.nyphp.org/mailman/listinfo/talk

    NYPHPCon 2006 Presentations Online
    http://www.nyphpcon.com

    Show Your Participation in New York PHP
    http://www.nyphp.org/show_participation.php



  Send instant messages to your online friends http://uk.messenger.yahoo.com 


------------------------------------------------------------------------------


  _______________________________________________
  New York PHP Community Talk Mailing List
  http://lists.nyphp.org/mailman/listinfo/talk

  NYPHPCon 2006 Presentations Online
  http://www.nyphpcon.com

  Show Your Participation in New York PHP
  http://www.nyphp.org/show_participation.php
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070914/8b6b1708/attachment.html>

From jsia18 at yahoo.com  Fri Sep 14 11:36:56 2007
From: jsia18 at yahoo.com (Jason Sia)
Date: Fri, 14 Sep 2007 08:36:56 -0700 (PDT)
Subject: [nycphp-talk] Emailing from a PHP script
Message-ID: <831989.10288.qm@web37902.mail.mud.yahoo.com>

In order to send a mail you need SMTP QK SMTP acts as your SMTP server I use it for with WAMP instead of XAMPP.

----- Original Message ----
From: PaulCheung <paulcheung at tiscali.co.uk>
To: NYPHP Talk <talk at lists.nyphp.org>
Sent: Friday, September 14, 2007 11:34:56 PM
Subject: Re: [nycphp-talk] Emailing from a PHP script



 
DIV {
MARGIN:0px;}



Thanks for the solution. I've tried it and it did 
not work for me

changed php.ini to reflect change rebooted my 
system. Don't really understand why it is necessary to download QK SMTP 


Has all my problems been something to do 
with XAMPP under windows??

 

Paul

 


  ----- Original Message ----- 

  From: 
  Jason Sia 

  To: NYPHP Talk 

  Sent: Friday, September 14, 2007 4:00 
  PM

  Subject: Re: [nycphp-talk] Emailing from a 
  PHP script

  


  
  ok that 
  will not really work 
you should use SMTP=localhost then download QK SMTP 
  Server to make this work.


  ----- 
  Original Message ----
From: PaulCheung <paulcheung at tiscali.co.uk>
To: 
  NYPHP Talk <talk at lists.nyphp.org>
Sent: 
  Friday, September 14, 2007 10:37:11 PM
Subject: Re: [nycphp-talk] Emailing 
  from a PHP script


  DIV {
MARGIN:0px;}


  Yes, that is correct.

  Has this anything to do with my 
  problem?

   

   

  
    ----- 
    Original Message ----- 

    From: 
    Jason Sia 

    To: 
    NYPHP Talk 

    Sent: 
    Friday, September 14, 2007 3:24 PM

    Subject: 
    Re: [nycphp-talk] Emailing from a PHP script

    


    
    you 
    are just using XAMPP for windows right?


    ----- 
    Original Message ----
From: Ken Robinson <kenrbnsn at rbnsn.com>
To: NYPHP Talk <talk at lists.nyphp.org>
Sent: Friday, September 14, 
    2007 9:32:07 PM
Subject: Re: [nycphp-talk] Emailing from a PHP 
    script


    At 09:09 AM 9/14/2007, PaulCheung wrote:
>Can anybody see what I 
    am doing wrong??
>
>I have set php.ini (as per the manual) to my 
    email settings
>======================================
>[mail 
    function]
>; For Win32 only.
>SMTP = 
    smtp.tiscali.co.uk
>smtp_port = 25
>
>; For Win32 
    only.
>sendmail_from = 
    paulcheung at tiscali.co.uk
>========================================================
>I 
    run the script and the following message appears

Did you restart your 
    web server (Apache?) after making the changes to 
the PHP.INI file? This 
    has to be done for the changes to take affect.

Ken 
    

_______________________________________________
New York PHP 
    Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

NYPHPCon 
    2006 Presentations Online
http://www.nyphpcon.com

Show Your Participation in 
    New York PHP
http://www.nyphp.org/show_participation.php






Send 
    instant messages to your online friends http://uk.messenger.yahoo.com 
    

    
_______________________________________________
New York PHP 
    Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

NYPHPCon 
    2006 Presentations Online
http://www.nyphpcon.com

Show Your 
    Participation in New York PHP
http://www.nyphp.org/show_participation.php




Send 
  instant messages to your online friends http://uk.messenger.yahoo.com 
  
  


  
_______________________________________________
New York PHP 
  Community Talk Mailing 
  List
http://lists.nyphp.org/mailman/listinfo/talk

NYPHPCon 2006 
  Presentations Online
http://www.nyphpcon.com

Show Your Participation 
  in New York 
PHP
http://www.nyphp.org/show_participation.php




Send instant messages to your online friends http://uk.messenger.yahoo.com 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070914/28f58ff9/attachment.html>

From jonbaer at jonbaer.com  Fri Sep 14 13:51:41 2007
From: jonbaer at jonbaer.com (Jon Baer)
Date: Fri, 14 Sep 2007 13:51:41 -0400
Subject: [nycphp-talk] Emailing from a PHP script
In-Reply-To: <001201c7f6e4$cdf04340$0200a8c0@X9183>
References: <206328.34768.qm@web37906.mail.mud.yahoo.com>
	<001201c7f6e4$cdf04340$0200a8c0@X9183>
Message-ID: <D4270AF4-EAF6-4657-BFC4-D4C97D8C3A6F@jonbaer.com>

What does the register_globals and safe_mode settings your .ini file  
say?

- Jon

On Sep 14, 2007, at 11:34 AM, PaulCheung wrote:

> Thanks for the solution. I've tried it and it did not work for me
> changed php.ini to reflect change rebooted my system. Don't really  
> understand why it is necessary to download QK SMTP
> Has all my problems been something to do with XAMPP under windows??
>
> Paul


From ajai at bitblit.net  Fri Sep 14 13:57:14 2007
From: ajai at bitblit.net (Ajai Khattri)
Date: Fri, 14 Sep 2007 13:57:14 -0400 (EDT)
Subject: [nycphp-talk] Emailing from a PHP script
In-Reply-To: <001201c7f6e4$cdf04340$0200a8c0@X9183>
Message-ID: <Pine.LNX.4.44.0709141354250.3630-100000@bitblit.net>

On Fri, 14 Sep 2007, PaulCheung wrote:

> Thanks for the solution. I've tried it and it did not work for me
> changed php.ini to reflect change rebooted my system. Don't really understand why it is necessary to download QK SMTP 
> Has all my problems been something to do with XAMPP under windows??

Do you know how SMTP works? If you are trying to send through localhost, 
then PHP expects to be able to connect to port 25 on localhost and talk 
SMTP to it to send the email.

If you are using your ISPs mail server to send the email, then I would 
test from the command-line by telnetting to port 25 if your ISPs mail 
server and trying to send an email via SMTP.

If you can't connect to port 25 then I would check for things like 
firewall settings or whatever "security" suite you have running.


-- 
Aj.



From jsia18 at yahoo.com  Fri Sep 14 20:24:26 2007
From: jsia18 at yahoo.com (Jason Sia)
Date: Fri, 14 Sep 2007 17:24:26 -0700 (PDT)
Subject: [nycphp-talk] Emailing from a PHP script
Message-ID: <294758.26813.qm@web37907.mail.mud.yahoo.com>

Based on experience, a lot of ISPs are blocking external access to their SMTPs.  However, you could also try using your ISPs SMTP

----- Original Message ----
From: Ajai Khattri <ajai at bitblit.net>
To: NYPHP Talk <talk at lists.nyphp.org>
Sent: Saturday, September 15, 2007 1:57:14 AM
Subject: Re: [nycphp-talk] Emailing from a PHP script

On Fri, 14 Sep 2007, PaulCheung wrote:

> Thanks for the solution. I've tried it and it did not work for me
> changed php.ini to reflect change rebooted my system. Don't really understand why it is necessary to download QK SMTP 
> Has all my problems been something to do with XAMPP under windows??

Do you know how SMTP works? If you are trying to send through localhost, 
then PHP expects to be able to connect to port 25 on localhost and talk 
SMTP to it to send the email.

If you are using your ISPs mail server to send the email, then I would 
test from the command-line by telnetting to port 25 if your ISPs mail 
server and trying to send an email via SMTP.

If you can't connect to port 25 then I would check for things like 
firewall settings or whatever "security" suite you have running.


-- 
Aj.

_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com

Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php






Send instant messages to your online friends http://uk.messenger.yahoo.com 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070914/a76e2a6b/attachment.html>

From christinak at wll.com  Sat Sep 15 11:41:57 2007
From: christinak at wll.com (Christina Karlhoff)
Date: Sat, 15 Sep 2007 11:41:57 -0400
Subject: [nycphp-talk] PHP script needs some filter help
Message-ID: <EF0605FC343F204C9F5A8771CC09B22B4F45AF@pe2800.wlabs.local>

HI all,

I will preface with this:  I am not very experienced with php scripting.
I do know a bit of asp [classic], and have some skills in writing a web
app (done uisng asp classic and a little jscript).

The situation:  Our company's website host server only processes scripts
in php, python, cld fusion [not in asp - go figure].  Our website has
three seperate user information request forms on it; all were posted
using a php mail script.  One day, all of a sudden, we get 20-30 bogus
forms mail to us per day.  Annoying and alarming.  So i went searching
for some way to control it.  I managed to insert a php script with
captcha into each.  but, we are still getting bogus forms sent to us.
Not as many, but still annoying and no fun...email header injections i
take it?

So, i tried to follow along and use some php includes that i found
posted on nyphp.org.  After addiing some of the code and quite a few
iterations, I'd keep getting these parsing errors, and could never get
it to work.

Can any of you help me out?  Let me know....i don't know if i can attach
the script i have and send it to you all or not....let me know that too.


I would greatly appreciate it if anyone would be willing to have a quick
look-see at my script and assist me in getting some php filtering into
place.  I'd also have the privelage to get some real php understanding
under my belt.

Thanks so much!

Christina~

 

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070915/3e570f25/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Glacier Bkgrd.jpg
Type: image/jpeg
Size: 2743 bytes
Desc: Glacier Bkgrd.jpg
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070915/3e570f25/attachment.jpg>

From paul at devonianfarm.com  Sat Sep 15 12:50:05 2007
From: paul at devonianfarm.com (Paul Houle)
Date: Sat, 15 Sep 2007 12:50:05 -0400
Subject: [nycphp-talk] ORM vs SQL: the ultimate showdown
In-Reply-To: <46EA6E4A.9050504@secdat.com>
References: <Pine.LNX.4.44.0709131041050.17851-100000@bitblit.net>
	<46EA6E4A.9050504@secdat.com>
Message-ID: <46EC0D3D.3040600@devonianfarm.com>

    I think of ORM as a partial solution to the problems of building 
database-backed web apps.  People call database applications "CRUD" 
apps,  short for

Create
Recall
Update
Delete

    ORM is good for Create,  and for many cases of Update and Delete.  
It can be used to do Recall,  but can be disastrously slow for 
generating many kinds of reports.

    Just the other day I was working with a Java Servlet-based webapp.  
I entered a text string with a single quote,  which caused an error.  
The cause was code that would have looked like this in PHP:

$conn->Execute("INSERT INTO users (first_name,last_name,organization) 
VALUES ('$first_name','$last_name','$organization'");

    This would have been OK if they'd written something like

$first_name=addslashes($_POST["first_name"]);
$last_name=addslashes($_POST["last_name"]);
$organization=addslashes($_POST["organization"]);

    But they didn't.  Neither do most developers.  Now,  there are tools 
that help with this:  for instance,  some database API's will 
automatically quote things if you use placeholders.  This style of doing 
things has it's own problems:  let's say the user table has a lot of 
fields...

$conn->Execute("
    INSERT INTO users
       (first_name,last_name,organization,address1, ... 20 more fields 
..., birthday, favorite_color)
    VALUES
       (?,?,?,?,... 20 more question marks ...,?,?)
",array($first_name,$last_name,$organization,$address1,... 20 more 
fields...,$favorite_color,$birthday);

    Notice the error?  I didn't get the order of the fields quite right 
,  so the 'birthday' and 'favorite color' fields will get scrambled.  
Imagine how hard it would have been to have noticed the error in the 
middle of the field list!  I recently caught this one in a Cold Fusion 
application -- this kind of code gets hard to maintain.

    Enter ORM.  Syntax varies,  but this kind of insert is simple and 
maintainable with an ORM system:

$t=$db->users;
$r=$t->new_record();
$r->first_name=$_POST["first_name"];
$r->last_name=$_POST["last_name"];
$r->organization=$_POST["organization"];
...
$r->insert();
$user_id=$r->user_id;

    The ORM system takes care of quotes and bad data for you.  You're 
not likely to introduce bugs when you add and remove fields,  and 
they'll be transparent if you do.  If you want to make life really 
easy,  you might write a subroutine that uses the ORM's introspection 
capability,  so you can just write

populate_from_post($r,$_POST);

    that scans through the database fields,  and automatically assigns 
post variables down to fields.  Talk about zero maintainance!

-------

    ORM and other SQL-phobic approaches can also get you into big 
trouble.  I once inherited a PHP app,  using MS SQL server as the back 
end that had an administrative interface that listed all of the users in 
the system.  It worked just fine in testing,  but got REALLY slow when a 
few hundred users joined the system...  It could take more than 100 
seconds to produce the screen!

    The problem was that the system did between 10 and 20 queries to 
produce each output row.  It first did a query that retrieved a few 
hundred rows,  and then it did more queries to get all the details.  
Doing 5000 queries took a really long time.

    We changed the application to use prepared statements and found that 
the query took 10 seconds.  This was acceptable,  but still pretty bad.

    Although this system didn't use an ORM,  the general approach was 
that encouraged by most ORM systems -- I don't think any ORM system 
would have been smart enough to consolidate the multiple queries into a 
smaller number,  because the individual-row queries were implementing 
quite complicated business rules that involved counting rows with 
certain attributes,  preparing thresholds,  etc.

    An ORM system might or might not be smart enough to generate 
prepared statements.  The difference between a 'smart' and 'dumb' ORM 
would be a factor of 10 in performance in this case.

    Later on I wrote a 'pure SQL' query that calculated everything in 
one complex query.  It used a number of subselects...  I thought it was 
pretty straightforward,  but many people aren't comfortable with queries 
that are this complex.  It did the job in 0.1 seconds!!  That's a factor 
of 100x better than I got from running separate statements.

-----------------------

    Similar issues turn up with UPDATEs and DELETEs.  ORM is quite 
efficient if you only want to update one or two records at a time,  but 
imagine you want to update 100,000 rows.  (Turning off service for 
people who didn't pay their bills,  reset scores in an online game to 
zero, ...)  It can be thousands of times faster to do something like:

UPDATE user SET score=0;

than to write some loop that runs hundreds of thousands of queries.  
Once you add in the issues of concurrency and transactions,  the 'pure 
SQL' solution looks a lot better -- it's automatically protected by the 
transactional integrity of the database.  Probably 80% of people working 
with an ORM system will forget to put the whole thing in a transaction:  
so it won't be reliable.  The 20% of the people who do put it in a 
transaction will hold locks on the database for hundreds or thousands of 
times longer than they need to...  Which slows down the site for 
everybody else.

--------------------------

    The gold standard is use an ORM system that's tightly integrated 
with your framework when it's appropriate:  when you're manipulating a 
few rows at a time.  You'll get big gains in maintainability.  When 
you're updating 1000+ rows or generating complex reports,  you need 
different tools.  I've built a few systems that integrate data grid 
display on the client with a prebuilt set of data fields that can be 
incorporated into the query,  using subselects to 'join' data from other 
tables -- this gets the silver...  The gold medal would go to a system 
that uses the database metadata from an ORM system to help you build 
queries.  Hook this up to an AJAX data grid,  say the one from ext,  and 
you've got a rails killer...


From ben at projectskyline.com  Sat Sep 15 12:31:40 2007
From: ben at projectskyline.com (Ben Sgro (ProjectSkyLine))
Date: Sat, 15 Sep 2007 12:31:40 -0400
Subject: [nycphp-talk] ORM vs SQL: the ultimate showdown
References: <Pine.LNX.4.44.0709131041050.17851-100000@bitblit.net><46EA6E4A.9050504@secdat.com>
	<46EC0D3D.3040600@devonianfarm.com>
Message-ID: <00c501c7f7b5$e5598920$6401a8c0@gamebox>

Hello,

    INSERT INTO users
       (first_name,last_name,organization,address1, ... 20 more fields
..., birthday, favorite_color)
    VALUES
       (?,?,?,?,... 20 more question marks ...,?,?)
",array($first_name,$last_name,$organization,$address1,... 20 more
fields...,$favorite_color,$birthday);

Why not just do:

SET ...
first_name = $firstname,
last_name = $lastname, ...

Which is *basically* the same as what your saying ORM is useful for in this 
case...

- Ben

----- Original Message ----- 
From: "Paul Houle" <paul at devonianfarm.com>
To: "NYPHP Talk" <talk at lists.nyphp.org>
Sent: Saturday, September 15, 2007 12:50 PM
Subject: [nycphp-talk] ORM vs SQL: the ultimate showdown


>    I think of ORM as a partial solution to the problems of building 
> database-backed web apps.  People call database applications "CRUD" apps, 
> short for
>
> Create
> Recall
> Update
> Delete
>
>    ORM is good for Create,  and for many cases of Update and Delete.  It 
> can be used to do Recall,  but can be disastrously slow for generating 
> many kinds of reports.
>
>    Just the other day I was working with a Java Servlet-based webapp.  I 
> entered a text string with a single quote,  which caused an error.  The 
> cause was code that would have looked like this in PHP:
>
> $conn->Execute("INSERT INTO users (first_name,last_name,organization) 
> VALUES ('$first_name','$last_name','$organization'");
>
>    This would have been OK if they'd written something like
>
> $first_name=addslashes($_POST["first_name"]);
> $last_name=addslashes($_POST["last_name"]);
> $organization=addslashes($_POST["organization"]);
>
>    But they didn't.  Neither do most developers.  Now,  there are tools 
> that help with this:  for instance,  some database API's will 
> automatically quote things if you use placeholders.  This style of doing 
> things has it's own problems:  let's say the user table has a lot of 
> fields...
>
> $conn->Execute("
>    INSERT INTO users
>       (first_name,last_name,organization,address1, ... 20 more fields ..., 
> birthday, favorite_color)
>    VALUES
>       (?,?,?,?,... 20 more question marks ...,?,?)
> ",array($first_name,$last_name,$organization,$address1,... 20 more 
> fields...,$favorite_color,$birthday);
>
>    Notice the error?  I didn't get the order of the fields quite right , 
> so the 'birthday' and 'favorite color' fields will get scrambled.  Imagine 
> how hard it would have been to have noticed the error in the middle of the 
> field list!  I recently caught this one in a Cold Fusion application --  
> this kind of code gets hard to maintain.
>
>    Enter ORM.  Syntax varies,  but this kind of insert is simple and 
> maintainable with an ORM system:
>
> $t=$db->users;
> $r=$t->new_record();
> $r->first_name=$_POST["first_name"];
> $r->last_name=$_POST["last_name"];
> $r->organization=$_POST["organization"];
> ...
> $r->insert();
> $user_id=$r->user_id;
>
>    The ORM system takes care of quotes and bad data for you.  You're not 
> likely to introduce bugs when you add and remove fields,  and they'll be 
> transparent if you do.  If you want to make life really easy,  you might 
> write a subroutine that uses the ORM's introspection capability,  so you 
> can just write
>
> populate_from_post($r,$_POST);
>
>    that scans through the database fields,  and automatically assigns post 
> variables down to fields.  Talk about zero maintainance!
>
> -------
>
>    ORM and other SQL-phobic approaches can also get you into big trouble. 
> I once inherited a PHP app,  using MS SQL server as the back end that had 
> an administrative interface that listed all of the users in the system. 
> It worked just fine in testing,  but got REALLY slow when a few hundred 
> users joined the system...  It could take more than 100 seconds to produce 
> the screen!
>
>    The problem was that the system did between 10 and 20 queries to 
> produce each output row.  It first did a query that retrieved a few 
> hundred rows,  and then it did more queries to get all the details.  Doing 
> 5000 queries took a really long time.
>
>    We changed the application to use prepared statements and found that 
> the query took 10 seconds.  This was acceptable,  but still pretty bad.
>
>    Although this system didn't use an ORM,  the general approach was that 
> encouraged by most ORM systems -- I don't think any ORM system would have 
> been smart enough to consolidate the multiple queries into a smaller 
> number,  because the individual-row queries were implementing quite 
> complicated business rules that involved counting rows with certain 
> attributes,  preparing thresholds,  etc.
>
>    An ORM system might or might not be smart enough to generate prepared 
> statements.  The difference between a 'smart' and 'dumb' ORM would be a 
> factor of 10 in performance in this case.
>
>    Later on I wrote a 'pure SQL' query that calculated everything in one 
> complex query.  It used a number of subselects...  I thought it was pretty 
> straightforward,  but many people aren't comfortable with queries that are 
> this complex.  It did the job in 0.1 seconds!!  That's a factor of 100x 
> better than I got from running separate statements.
>
> -----------------------
>
>    Similar issues turn up with UPDATEs and DELETEs.  ORM is quite 
> efficient if you only want to update one or two records at a time,  but 
> imagine you want to update 100,000 rows.  (Turning off service for people 
> who didn't pay their bills,  reset scores in an online game to zero, ...) 
> It can be thousands of times faster to do something like:
>
> UPDATE user SET score=0;
>
> than to write some loop that runs hundreds of thousands of queries.  Once 
> you add in the issues of concurrency and transactions,  the 'pure SQL' 
> solution looks a lot better -- it's automatically protected by the 
> transactional integrity of the database.  Probably 80% of people working 
> with an ORM system will forget to put the whole thing in a transaction: 
> so it won't be reliable.  The 20% of the people who do put it in a 
> transaction will hold locks on the database for hundreds or thousands of 
> times longer than they need to...  Which slows down the site for everybody 
> else.
>
> --------------------------
>
>    The gold standard is use an ORM system that's tightly integrated with 
> your framework when it's appropriate:  when you're manipulating a few rows 
> at a time.  You'll get big gains in maintainability.  When you're updating 
> 1000+ rows or generating complex reports,  you need different tools.  I've 
> built a few systems that integrate data grid display on the client with a 
> prebuilt set of data fields that can be incorporated into the query, 
> using subselects to 'join' data from other tables -- this gets the 
> silver...  The gold medal would go to a system that uses the database 
> metadata from an ORM system to help you build queries.  Hook this up to an 
> AJAX data grid,  say the one from ext,  and you've got a rails killer...
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php 



From paul at devonianfarm.com  Sat Sep 15 13:14:11 2007
From: paul at devonianfarm.com (Paul Houle)
Date: Sat, 15 Sep 2007 13:14:11 -0400
Subject: [nycphp-talk] ORM vs SQL: the ultimate showdown
In-Reply-To: <00c501c7f7b5$e5598920$6401a8c0@gamebox>
References: <Pine.LNX.4.44.0709131041050.17851-100000@bitblit.net><46EA6E4A.9050504@secdat.com>	<46EC0D3D.3040600@devonianfarm.com>
	<00c501c7f7b5$e5598920$6401a8c0@gamebox>
Message-ID: <46EC12E3.7050902@devonianfarm.com>

Ben Sgro (ProjectSkyLine) wrote:
>
>
> Why not just do:
>
> SET ...
> first_name = $firstname,
> last_name = $lastname, ...
>
> Which is *basically* the same as what your saying ORM is useful for in 
> this case...
    That's a very nice syntax.  It's also mysql-specific.  I love 
mysql,  and it may be very sensible to build a mysql app that takes 
advantage of great features like this,  but many of us need to write 
apps for postgreSQL,  Oracle,  MS SQL and other databases that don't 
support this (superior) syntax.

    Another advantage of an ORM system is that it can use database 
metadata to validate data much better than addslashes() can.  For 
instance,  some databases will let you get away with

UPDATE TABLE SET an_integer_field='55';

    Other databases (for instance,  MS Access) won't,  and you need to write

UPDATE TABLE SET an_integer_field=55;

    If '55' comes from the outside,  you'll want to validate that it's 
an integer.  Do you want to write that code by hand every time?  Or 
would you like your ORM system to automatically detect the type based on 
database metadata,  and give you an intelligible  error message like : 
"776krashyourdatabase is not an integer" rather than "Invalid SQL Syntax 
(Code 7719290)."

    I find that I spent entirely too much time dealing with error 
conditions in my code,  and welcome anything that makes that work easier.


From ben at projectskyline.com  Sat Sep 15 12:56:23 2007
From: ben at projectskyline.com (Ben Sgro (ProjectSkyLine))
Date: Sat, 15 Sep 2007 12:56:23 -0400
Subject: [nycphp-talk] ORM vs SQL: the ultimate showdown
References: <Pine.LNX.4.44.0709131041050.17851-100000@bitblit.net><46EA6E4A.9050504@secdat.com>	<46EC0D3D.3040600@devonianfarm.com><00c501c7f7b5$e5598920$6401a8c0@gamebox>
	<46EC12E3.7050902@devonianfarm.com>
Message-ID: <00ec01c7f7b9$596d1540$6401a8c0@gamebox>

Hello,

Good point. I've only been writing code for MSSQL and MySQL, and currently 
only MySQL.

Anything that makes our job easier seems good to me!

- Ben
----- Original Message ----- 
From: "Paul Houle" <paul at devonianfarm.com>
To: "NYPHP Talk" <talk at lists.nyphp.org>
Sent: Saturday, September 15, 2007 1:14 PM
Subject: Re: [nycphp-talk] ORM vs SQL: the ultimate showdown


> Ben Sgro (ProjectSkyLine) wrote:
>>
>>
>> Why not just do:
>>
>> SET ...
>> first_name = $firstname,
>> last_name = $lastname, ...
>>
>> Which is *basically* the same as what your saying ORM is useful for in 
>> this case...
>    That's a very nice syntax.  It's also mysql-specific.  I love mysql, 
> and it may be very sensible to build a mysql app that takes advantage of 
> great features like this,  but many of us need to write apps for 
> postgreSQL,  Oracle,  MS SQL and other databases that don't support this 
> (superior) syntax.
>
>    Another advantage of an ORM system is that it can use database metadata 
> to validate data much better than addslashes() can.  For instance,  some 
> databases will let you get away with
>
> UPDATE TABLE SET an_integer_field='55';
>
>    Other databases (for instance,  MS Access) won't,  and you need to 
> write
>
> UPDATE TABLE SET an_integer_field=55;
>
>    If '55' comes from the outside,  you'll want to validate that it's an 
> integer.  Do you want to write that code by hand every time?  Or would you 
> like your ORM system to automatically detect the type based on database 
> metadata,  and give you an intelligible  error message like : 
> "776krashyourdatabase is not an integer" rather than "Invalid SQL Syntax 
> (Code 7719290)."
>
>    I find that I spent entirely too much time dealing with error 
> conditions in my code,  and welcome anything that makes that work easier.
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php 



From ken at secdat.com  Sat Sep 15 13:05:36 2007
From: ken at secdat.com (Kenneth Downs)
Date: Sat, 15 Sep 2007 13:05:36 -0400
Subject: What Does ORM Mean? Re: [nycphp-talk] ORM vs SQL: the ultimate showdown
In-Reply-To: <00c501c7f7b5$e5598920$6401a8c0@gamebox>
References: <Pine.LNX.4.44.0709131041050.17851-100000@bitblit.net><46EA6E4A.9050504@secdat.com>	<46EC0D3D.3040600@devonianfarm.com>
	<00c501c7f7b5$e5598920$6401a8c0@gamebox>
Message-ID: <46EC10E0.3020204@secdat.com>

ORM is normally meant to mean a comprehensive strategy for treating 
tables as objects, and to recast relational concepts in object oriented 
terms.

The examples in the past few posts just ain't ORM, there is no 
showdown.  The examples are necessary, clever, and intelligent examples 
of simple abstractions of the interface of PHP to a  SQL database.

They don't display ORM, so they can't be a showdown between ORM and SQL.

A better title might be "Manual coding vs library routines."

Ben Sgro (ProjectSkyLine) wrote:
> Hello,
>
>    INSERT INTO users
>       (first_name,last_name,organization,address1, ... 20 more fields
> ..., birthday, favorite_color)
>    VALUES
>       (?,?,?,?,... 20 more question marks ...,?,?)
> ",array($first_name,$last_name,$organization,$address1,... 20 more
> fields...,$favorite_color,$birthday);
>
> Why not just do:
>
> SET ...
> first_name = $firstname,
> last_name = $lastname, ...
>
> Which is *basically* the same as what your saying ORM is useful for in 
> this case...
>
> - Ben
>
> ----- Original Message ----- From: "Paul Houle" <paul at devonianfarm.com>
> To: "NYPHP Talk" <talk at lists.nyphp.org>
> Sent: Saturday, September 15, 2007 12:50 PM
> Subject: [nycphp-talk] ORM vs SQL: the ultimate showdown
>
>
>>    I think of ORM as a partial solution to the problems of building 
>> database-backed web apps.  People call database applications "CRUD" 
>> apps, short for
>>
>> Create
>> Recall
>> Update
>> Delete
>>
>>    ORM is good for Create,  and for many cases of Update and Delete.  
>> It can be used to do Recall,  but can be disastrously slow for 
>> generating many kinds of reports.
>>
>>    Just the other day I was working with a Java Servlet-based 
>> webapp.  I entered a text string with a single quote,  which caused 
>> an error.  The cause was code that would have looked like this in PHP:
>>
>> $conn->Execute("INSERT INTO users (first_name,last_name,organization) 
>> VALUES ('$first_name','$last_name','$organization'");
>>
>>    This would have been OK if they'd written something like
>>
>> $first_name=addslashes($_POST["first_name"]);
>> $last_name=addslashes($_POST["last_name"]);
>> $organization=addslashes($_POST["organization"]);
>>
>>    But they didn't.  Neither do most developers.  Now,  there are 
>> tools that help with this:  for instance,  some database API's will 
>> automatically quote things if you use placeholders.  This style of 
>> doing things has it's own problems:  let's say the user table has a 
>> lot of fields...
>>
>> $conn->Execute("
>>    INSERT INTO users
>>       (first_name,last_name,organization,address1, ... 20 more fields 
>> ..., birthday, favorite_color)
>>    VALUES
>>       (?,?,?,?,... 20 more question marks ...,?,?)
>> ",array($first_name,$last_name,$organization,$address1,... 20 more 
>> fields...,$favorite_color,$birthday);
>>
>>    Notice the error?  I didn't get the order of the fields quite 
>> right , so the 'birthday' and 'favorite color' fields will get 
>> scrambled.  Imagine how hard it would have been to have noticed the 
>> error in the middle of the field list!  I recently caught this one in 
>> a Cold Fusion application --  this kind of code gets hard to maintain.
>>
>>    Enter ORM.  Syntax varies,  but this kind of insert is simple and 
>> maintainable with an ORM system:
>>
>> $t=$db->users;
>> $r=$t->new_record();
>> $r->first_name=$_POST["first_name"];
>> $r->last_name=$_POST["last_name"];
>> $r->organization=$_POST["organization"];
>> ...
>> $r->insert();
>> $user_id=$r->user_id;
>>
>>    The ORM system takes care of quotes and bad data for you.  You're 
>> not likely to introduce bugs when you add and remove fields,  and 
>> they'll be transparent if you do.  If you want to make life really 
>> easy,  you might write a subroutine that uses the ORM's introspection 
>> capability,  so you can just write
>>
>> populate_from_post($r,$_POST);
>>
>>    that scans through the database fields,  and automatically assigns 
>> post variables down to fields.  Talk about zero maintainance!
>>
>> -------
>>
>>    ORM and other SQL-phobic approaches can also get you into big 
>> trouble. I once inherited a PHP app,  using MS SQL server as the back 
>> end that had an administrative interface that listed all of the users 
>> in the system. It worked just fine in testing,  but got REALLY slow 
>> when a few hundred users joined the system...  It could take more 
>> than 100 seconds to produce the screen!
>>
>>    The problem was that the system did between 10 and 20 queries to 
>> produce each output row.  It first did a query that retrieved a few 
>> hundred rows,  and then it did more queries to get all the details.  
>> Doing 5000 queries took a really long time.
>>
>>    We changed the application to use prepared statements and found 
>> that the query took 10 seconds.  This was acceptable,  but still 
>> pretty bad.
>>
>>    Although this system didn't use an ORM,  the general approach was 
>> that encouraged by most ORM systems -- I don't think any ORM system 
>> would have been smart enough to consolidate the multiple queries into 
>> a smaller number,  because the individual-row queries were 
>> implementing quite complicated business rules that involved counting 
>> rows with certain attributes,  preparing thresholds,  etc.
>>
>>    An ORM system might or might not be smart enough to generate 
>> prepared statements.  The difference between a 'smart' and 'dumb' ORM 
>> would be a factor of 10 in performance in this case.
>>
>>    Later on I wrote a 'pure SQL' query that calculated everything in 
>> one complex query.  It used a number of subselects...  I thought it 
>> was pretty straightforward,  but many people aren't comfortable with 
>> queries that are this complex.  It did the job in 0.1 seconds!!  
>> That's a factor of 100x better than I got from running separate 
>> statements.
>>
>> -----------------------
>>
>>    Similar issues turn up with UPDATEs and DELETEs.  ORM is quite 
>> efficient if you only want to update one or two records at a time,  
>> but imagine you want to update 100,000 rows.  (Turning off service 
>> for people who didn't pay their bills,  reset scores in an online 
>> game to zero, ...) It can be thousands of times faster to do 
>> something like:
>>
>> UPDATE user SET score=0;
>>
>> than to write some loop that runs hundreds of thousands of queries.  
>> Once you add in the issues of concurrency and transactions,  the 
>> 'pure SQL' solution looks a lot better -- it's automatically 
>> protected by the transactional integrity of the database.  Probably 
>> 80% of people working with an ORM system will forget to put the whole 
>> thing in a transaction: so it won't be reliable.  The 20% of the 
>> people who do put it in a transaction will hold locks on the database 
>> for hundreds or thousands of times longer than they need to...  Which 
>> slows down the site for everybody else.
>>
>> --------------------------
>>
>>    The gold standard is use an ORM system that's tightly integrated 
>> with your framework when it's appropriate:  when you're manipulating 
>> a few rows at a time.  You'll get big gains in maintainability.  When 
>> you're updating 1000+ rows or generating complex reports,  you need 
>> different tools.  I've built a few systems that integrate data grid 
>> display on the client with a prebuilt set of data fields that can be 
>> incorporated into the query, using subselects to 'join' data from 
>> other tables -- this gets the silver...  The gold medal would go to a 
>> system that uses the database metadata from an ORM system to help you 
>> build queries.  Hook this up to an AJAX data grid,  say the one from 
>> ext,  and you've got a rails killer...
>> _______________________________________________
>> New York PHP Community Talk Mailing List
>> http://lists.nyphp.org/mailman/listinfo/talk
>>
>> NYPHPCon 2006 Presentations Online
>> http://www.nyphpcon.com
>>
>> Show Your Participation in New York PHP
>> http://www.nyphp.org/show_participation.php 
>
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php


-- 
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com    www.andromeda-project.org
631-689-7200   Fax: 631-689-0527
cell: 631-379-0010



From ramons at gmx.net  Sat Sep 15 13:48:32 2007
From: ramons at gmx.net (David Krings)
Date: Sat, 15 Sep 2007 13:48:32 -0400
Subject: [nycphp-talk] ORM vs SQL: the ultimate showdown
In-Reply-To: <46EC0D3D.3040600@devonianfarm.com>
References: <Pine.LNX.4.44.0709131041050.17851-100000@bitblit.net>	<46EA6E4A.9050504@secdat.com>
	<46EC0D3D.3040600@devonianfarm.com>
Message-ID: <46EC1AF0.8040803@gmx.net>

Paul Houle wrote:
>    I think of ORM as a partial solution to the problems of building 
> database-backed web apps.  People call database applications "CRUD" 
> apps,  short for
I have no idea what ORM is, mainly because I didn't follow the past 
threads, but here is my take of the problem you describe.

  >    This would have been OK if they'd written something like
> 
> $first_name=addslashes($_POST["first_name"]);
> $last_name=addslashes($_POST["last_name"]);
> $organization=addslashes($_POST["organization"]);

Depending on the database used there are better means. In case of mysql 
using mysql_real_escape_string is the way better approach as I learned 
not too long ago. With addslashes you get the proper escaping, but upon 
retrieval you have to take the surplus slashes back out. When storing 
something that has slashes in the original information (windows file 
paths for example) how is the code supposed to know which slashes to 
take out? And all that although a slash won't break your SQL.

> 
>    But they didn't.  Neither do most developers.  Now,  there are tools 

That is because most developers are ignorant, unqualified, or arrogant 
or all three in regards to users some very basic level of quality and 
security.* I have seen apps where the developer went through the trouble 
to take out anything that might be offending to SQL or the rest of the 
code rather than to choose proper delimiters and proper escaping.
I often post opinions in a german online newspaper and they use a PHP 
script with MySQL. Of course, that script doesn't do any escaping and 
blurts out the whole SQL query upon failure. How easy will it be to drop 
some tables, add some, modify, add procedures....in short, that script 
is open to SQL injection at the first degree.

I recall that I did exactly the same when I started poking around in 
MySQL with PHP until I read about SQL injection and that addslashes is 
the way to go - until I tried to store file paths in my tables and all 
they stopped working upon retrieval. I then opted to go the ignorant and 
unqualified route by not escaping file paths and thus not needing to 
strip slashes. Until I came across a folder name with a single quote in 
it. Then I learned to do it the right way.

>    The ORM system takes care of quotes and bad data for you.

One of the lessons of professional software QA and hobbyist PHP 
development is "All input is evil!". I always distrust everything even 
when it comes from a db record that I just wrote a few seconds ago. In 
that sense I think it is a bit foolish to just forget about proper 
validation and have some system take care of it. That system is also 
just a bunch of lines of code. While I do see the benefits of 
simplifying db access and with that abstracting the db layer I still 
think that anything that comes in and goes out has to be fully verified 
to be good data. Don't expect that you get good data and don't expect 
that the other system will take care of bad data (from you or someone else).

This concludes today's lesson. Thank you students.

David

*Note: There are very many honorable exceptions and I know of several 
who take things like security, quality, and usability into consideration 
- after the lack of doing so bit them hard into their behinds.



From ramons at gmx.net  Sat Sep 15 13:51:07 2007
From: ramons at gmx.net (David Krings)
Date: Sat, 15 Sep 2007 13:51:07 -0400
Subject: [nycphp-talk] ORM vs SQL: the ultimate showdown
In-Reply-To: <46EC12E3.7050902@devonianfarm.com>
References: <Pine.LNX.4.44.0709131041050.17851-100000@bitblit.net><46EA6E4A.9050504@secdat.com>	<46EC0D3D.3040600@devonianfarm.com>	<00c501c7f7b5$e5598920$6401a8c0@gamebox>
	<46EC12E3.7050902@devonianfarm.com>
Message-ID: <46EC1B8B.7050109@gmx.net>

Paul Houle wrote:
>    Other databases (for instance,  MS Access) won't,  and you need to write
Since when is Access a database? It is a big piece of stinkin' garbage. ;)

David


From ben at projectskyline.com  Sat Sep 15 14:24:02 2007
From: ben at projectskyline.com (Ben Sgro (ProjectSkyLine))
Date: Sat, 15 Sep 2007 14:24:02 -0400
Subject: [nycphp-talk] Two part question: Shopping carts & E-commerce
References: <Pine.LNX.4.44.0708281044470.7063-100000@bitblit.net>	<46D43B08.60009@beezifies.com><70745236-EB98-4AC3-B754-4DC2A315323E@jonbaer.com>
	<46D47172.1000909@beezifies.com>
Message-ID: <016801c7f7c5$9820c190$6401a8c0@gamebox>

Hello,

After speaking with a lot of people, it seems OSCommerce and Authorize.net
are a good team.

However, after taking a look at CS-Cart, it does *look* nicer than 
OScommerce.

Does anyone have experiance with both of these carts?

- Ben



From lists at enobrev.com  Sat Sep 15 15:24:30 2007
From: lists at enobrev.com (Mark Armendariz)
Date: Sat, 15 Sep 2007 15:24:30 -0400
Subject: [nycphp-talk] ORM vs SQL: the ultimate showdown
In-Reply-To: <00c501c7f7b5$e5598920$6401a8c0@gamebox>
References: <Pine.LNX.4.44.0709131041050.17851-100000@bitblit.net><46EA6E4A.9050504@secdat.com>	<46EC0D3D.3040600@devonianfarm.com>
	<00c501c7f7b5$e5598920$6401a8c0@gamebox>
Message-ID: <46EC316E.6030203@enobrev.com>

I'm a huge fan of SQL, and I've been using it for over 10 years.  its a 
solid and reliable friend.  But it seems to be far too wordy and gets 
hairy to maintain, which is why we tend to look for ways to modularize 
it within our programming languages.  When using SQL, we're just working 
with strings.  mysql_query('SELECT * FROM customers') is as painful as 
using innerHTML in javascript.  In some instances, you just have to, but 
it 'feels right' to use the DOM, and the DOM allows so much more power 
from a javascript perspective.

This might seem completely ridiculous and tear the idea to shreds if you 
must, but I've been working on a library with it's own query language 
that creates both the SQL and the PHP Objects to reference everything 
returned.  Though I've been working on it for quite some time, it's 
still too early (read: messy) to offer it to the masses (I'm 
successfully using it in 4 of my current small to medium sized projects). 

Over the past 10 years, every time I try to keep all my queries in one 
place, whether it be with SQL or with some objects representing my 
Database Tables, i end up with a bunch of functions named getCustomers, 
getCustomer($id), getCustomersInNy, getCustomersInTristate, so instead I 
made a language that allows something like:

get customers
means
SELECT * FROM customers

get customers 425
means
SELECT * FROM customers WHERE customer_id = 425

get customer last_name d, first_name d, full_address where customer_id = 1-5
means
SELECT c.first_name, c.last_name, a.address_1, a.address_2, a.city, 
a.province, co.country_title FROM customers c LEFT JOIN addresses a on 
c.customer_id = a.customer_id LEFT JOIN c.countries ON a.country_id = 
c.country_id WHERE customer_id = 1 OR customer_id = 2 OR customer_id = 3 
OR customer_id = 4 OR customer_id = 5 ORDER BY c.last_name DESC 
c.first_name DESC

and
find mark in customers, addresses, countries
means
SELECT * FROM customers c LEFT JOIN addresses a on c.customer_id = 
a.customer_id FROM customers c LEFT JOIN addresses a on c.customer_id = 
a.customer_id LEFT JOIN c.countries ON a.country_id = c.country_id WHERE 
c.first_name LIKE '%mark%' OR c.last_name LIKE '%mark%' OR c.username 
LIKE '%mark%' OR a.address_1 LIKE '%mark%' OR a.address_2 LIKE '%mark%' 
OR a.city LIKE '%mark%' OR a.province LIKE '%mark%'
OR co.country_title LIKE '%mark%'
(all the string fields in all pertaining tables)

All the joins are dynamically generated, and those generations are 
cached, so it only needs to figure out the joins once.  All the queries 
are dynamically generated as well (obviously) and cached, but if a new 
field is added, the cache is cleared and all those selects are re-cached 
with the new fields (or removed fields removed from queries)

The return can be an array of results, an iterator or an object with 
access to the selected tables and fields (with values set and more 
detailed properties for formatting and manipulation).  The returned 
array can have the data formatted as well.

I haven't done the inserts and updates language yet, but all the fields 
have types (url, email, USPhone, textile, textileComment, alpha, 
alphaWithPunctuation, Integer, DateTime etc), so all the proper 
filtering and escaping is done automatically as is.  Even though the 
language doesn't have inserts and updates, I've been using the type 
objects for proper field handling and filtering (rather than 
add-slashing everything)

Anyways, to me this seems to be the way to go.  If we're dealing with 
strings anyways, we might as well keep those strings short and sweet and 
most importantly dynamic.  It should be portable (any database or any 
model, really) and simple.

The biggest argument I tend to hear is that restricting fields in php is 
silly, but I largely disagree.  By filtering inputted data, we're 
already typing these fields, and usually incorrectly.  Strict typing and 
a dynamic language fit together well as you are allowed the choice of 
either.

Ideally I'd be able to get this into an extension at some point, but I'm 
still getting things organized.  I'm currently in the process of 
rewriting the type classes to make the more modular / portable (if 
anyone has experience in the realm of creating a type system, please 
give me a shout off-list)

Anyways, that's my take on SQL and ORM.  Both - with an easily 
manipulated and portable meta language.

Mark Armendariz


From ken at secdat.com  Sat Sep 15 15:45:12 2007
From: ken at secdat.com (Kenneth Downs)
Date: Sat, 15 Sep 2007 15:45:12 -0400
Subject: [nycphp-talk] ORM vs SQL: the ultimate showdown
In-Reply-To: <46EC316E.6030203@enobrev.com>
References: <Pine.LNX.4.44.0709131041050.17851-100000@bitblit.net><46EA6E4A.9050504@secdat.com>	<46EC0D3D.3040600@devonianfarm.com>	<00c501c7f7b5$e5598920$6401a8c0@gamebox>
	<46EC316E.6030203@enobrev.com>
Message-ID: <46EC3648.8020508@secdat.com>

Mark, this all sounds very interesting.

Nothing will improve your code nearly as much as letting other people 
see it.

Get it on sourceforge!  Release early!  Release Often!

Mark Armendariz wrote:
> I'm a huge fan of SQL, and I've been using it for over 10 years.  its 
> a solid and reliable friend.  But it seems to be far too wordy and 
> gets hairy to maintain, which is why we tend to look for ways to 
> modularize it within our programming languages.  When using SQL, we're 
> just working with strings.  mysql_query('SELECT * FROM customers') is 
> as painful as using innerHTML in javascript.  In some instances, you 
> just have to, but it 'feels right' to use the DOM, and the DOM allows 
> so much more power from a javascript perspective.
>


-- 
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com    www.andromeda-project.org
631-689-7200   Fax: 631-689-0527
cell: 631-379-0010



From jcampbell1 at gmail.com  Sat Sep 15 22:30:05 2007
From: jcampbell1 at gmail.com (John Campbell)
Date: Sat, 15 Sep 2007 22:30:05 -0400
Subject: [nycphp-talk] PHP script needs some filter help
In-Reply-To: <EF0605FC343F204C9F5A8771CC09B22B4F45AF@pe2800.wlabs.local>
References: <EF0605FC343F204C9F5A8771CC09B22B4F45AF@pe2800.wlabs.local>
Message-ID: <8f0676b40709151930w136168cdxa90051ca5be3589e@mail.gmail.com>

> The situation:  Our company's website host server only processes scripts in
> php, python, cld fusion [not in asp - go figure].  Our website has three
> seperate user information request forms on it; all were posted using a php
> mail script.  One day, all of a sudden, we get 20-30 bogus forms mail to us
> per day.  Annoying and alarming.  So i went searching for some way to
> control it.  I managed to insert a php script with captcha into each.  but,
> we are still getting bogus forms sent to us.  Not as many, but still
> annoying and no fun...email header injections i take it?
>
> So, i tried to follow along and use some php includes that i found posted on
> nyphp.org.  After addiing some of the code and quite a few iterations, I'd
> keep getting these parsing errors, and could never get it to work.

Here is what I think is really happening, and a captcha isn't going to
do a damn thing.

Your script has a vulnerability that allows a spammer to use your
company's webserver to send out mass emailings.  You should fix the
header injection, and the spammer will quit within a week or so.
Technically, you are responsible for the spam, as it is being sent by
your server and your company's email will get blacklisted soon.

Don't allow user input into the header parameter of the mail()
function.  If you do, make sure and validate it (no newlines). Check
your mail logs as well.

Regards,
John Campbell


From brenttech at gmail.com  Sun Sep 16 01:39:16 2007
From: brenttech at gmail.com (Brent Baisley)
Date: Sun, 16 Sep 2007 01:39:16 -0400
Subject: [nycphp-talk] Emailing from a PHP script
In-Reply-To: <004201c7f6d0$7cc0f780$0200a8c0@X9183>
References: <004201c7f6d0$7cc0f780$0200a8c0@X9183>
Message-ID: <5CFF5FC7-705C-4BC6-A532-DA5D2DC8FE1B@gmail.com>

I think there are a few possible problems, the first is that you may  
be running windows. The mail() function really looks for sendmail  
installed under Unix, which is a pretty safe assumption since  
sendmail or postfix (which emulates sendmail) comes with just about  
all unix systems. But you need to have it configure in order for it  
to work, meaning your local machine has to be setup to be allowed to  
send email unauthenticated (i.e. an open relay). If your email server  
isn't set to "trust" the box you are on, you're not going to be able  
to send email.

I would recommend downloading either swiftmail or phpmailer (I prefer  
swiftmail), which will allow you to point your script at any mail  
server, login and send an email.

On Sep 14, 2007, at 9:09 AM, PaulCheung wrote:

> Can anybody see what I am doing wrong??
>
> I have set php.ini (as per the manual) to my email settings
> ======================================
> [mail function]
> ; For Win32 only.
> SMTP = smtp.tiscali.co.uk
> smtp_port = 25
>
> ; For Win32 only.
> sendmail_from = paulcheung at tiscali.co.uk
> ========================================================
> I run the script and the following message appears
>
> Warning: mail() [function.mail]: Failed to connect to mailserver at  
> "localhost" port 25, verify your "SMTP" and "smtp_port" setting in  
> php.ini or use ini_set() in C:\xampp\htdocs\tp_access.php on line 61
> ========================================================
> script line 61   mail(to, subject, message, "From:  
> paulcheung at tiscali.co.uk");
>
> Following the textbook example it should work - why am I directed  
> to localhost?? _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php



From bz-gmort at beezifies.com  Sun Sep 16 13:57:16 2007
From: bz-gmort at beezifies.com (Gary Mort)
Date: Sun, 16 Sep 2007 13:57:16 -0400
Subject: [nycphp-talk] ORM vs SQL: the ultimate showdown
In-Reply-To: <46EC316E.6030203@enobrev.com>
References: <Pine.LNX.4.44.0709131041050.17851-100000@bitblit.net><46EA6E4A.9050504@secdat.com>	<46EC0D3D.3040600@devonianfarm.com>	<00c501c7f7b5$e5598920$6401a8c0@gamebox>
	<46EC316E.6030203@enobrev.com>
Message-ID: <46ED6E7C.4010100@beezifies.com>

Mark Armendariz wrote:
> I'm a huge fan of SQL, and I've been using it for over 10 years.  its 
> a solid and reliable friend.  But it seems to be far too wordy and 
> gets hairy to maintain, which is why we tend to look for ways to 
> modularize it within our programming languages.

Personally, my feeling has generally been that since the "wordy" SQL is 
generally performing the tasks of a lot of different functions, it is no 
wordier than writing the code in PHP.  Nor is making objects necessarily 
less "work" than making functions.

I started with SQL on an SQL/DS system and then moved over to DB2 over 
15 years ago.

At the time, SQL was powerful, it was it's own virtual mini language if 
you took the time to craft your queries carefully, and in a client 
server app on the slow network of the day(an 16MB Token Ring network) it 
just made sense to do as much processing and filtering as possible on 
the server, rather than transmit lots of data across the network and tie 
up the client's memory and bandwidth in processing it.

Plus you got a lot of extra power in that processing of the data was the 
most CPU and memory intensive operation, it's a lot easier to add extra 
memory and upgrade the server than 50 clients.  And tuning queries and 
indexes is can make things run faster without having a heavy coding impact.


But back in those days we had a DB Admin, a Network admin, and a 
Programmer working together to determine the problems(and I was lucky 
enough to train in all 3 areas, plus the people I worked lacked many of 
the ego's I would later encounter.  If a problem will take the DB Admin 
a couple hours to tweak the indexes and tune them for the queries, a 
couple days for the network admin to update the parameters in the 
network window sizes to fetch the result sets more efficiently, or a 
week for the programmer to recode everything to meet the current 
limitations - we took the business decision of correcting it in the 
Database.  I was later to run into people who would insist that the 
"correct" solution was for someone else to fix it, no matter what the 
time involved.).

When I went to MySQL it was a massive shock to lose so much 
functionality that the DB2 had.  This was after years of looking at DB2 
compared to Oracle and always saying "if only we could store blobs in 
the database like Oracle..." etc.  But there was a good reason for this, 
MySQL was a lightweight database that eschewed many of these features in 
order to have the best performance it could.  Plus it seemed rather 
obvious that the developers of it had gotten burned by a few of those 
features in the past.

Over time, MySQL is still advancing, and has added many cool features of 
it's own.  It also traditionally runs in an environment  where you don't 
have a DBAdmin committed to just your applications.  You don't have a 
network admin, as the application passes through many networks and you 
can't force them to tune for your app.  So a lot of logic ends up 
getting pushed into the application.

But I'd not give up on SQL programming.


Heck, here is a simple benefit of SQL.

I had to export data for half a dozen different tables I inherited on 
different reports.  All I was doing was creating CSV files with a header.

The procedural way of creating the report would be to pull the data, 
than create the file and header, than export all the rows parsing them 
out , knowing which are strings and which are numbers so you can 
determine which should be given quotes for importing into excel and 
which should be placed without quotes.

The object way would be to create a master object, subclass it for each 
report, have a little createReport function unique to each one, etc.

The SQL way was to use the handy little "as" function to name each of 
the obtusely named columns, so pno could become "Part Number".  Also a 
little conversion to convert different application fine grained status 
codes into human readable summary codes(have 3 pending status codes for 
application logic is fine, but to the user they all mean the same thing 
- pending).  Use a little data type checking in the PHP to determine 
which column was text and which was numbers, and create the file.

If done purely with objects, you would need to create a new class for 
each report.  Procedures means making some small changes and a new copy 
of the program for each report.  With the bulk of the logic in the SQL,
to make a "new" report all that is required is changing 1 line of code - 
the SQL query.


Each tool has it's place for it's need.  For me, the two main factors 
tend to be:
Time: How much time will each one take.  It's all well and good to say 
"this is the best solution, and doing it any other way is lazy".  But 
when the question boils down to "you have 3 hours to do it" - you choose 
the solution that fits the time constraints.

Other coders: If most of the coders working on a project use 1 style of 
coding, I like to follow the same style.  And if there is a wealth of 
code out there that can adapted but it uses one style or another, I go 
with that style.  Of course, this means I'm now working on rewriting a 
number of apps, on my own time, to use object oriented design as the 
bulk of other code and modules I use are now using that design.  It 
makes for a jarring transition to go from one to the other, so I might 
as well learn now.


From bz-gmort at beezifies.com  Sun Sep 16 14:02:20 2007
From: bz-gmort at beezifies.com (Gary Mort)
Date: Sun, 16 Sep 2007 14:02:20 -0400
Subject: [nycphp-talk] PHP script needs some filter help
In-Reply-To: <EF0605FC343F204C9F5A8771CC09B22B4F45AF@pe2800.wlabs.local>
References: <EF0605FC343F204C9F5A8771CC09B22B4F45AF@pe2800.wlabs.local>
Message-ID: <46ED6FAC.8050308@beezifies.com>

Christina Karlhoff wrote:
>
> The situation:  Our company's website host server only processes 
> scripts in php, python, cld fusion [not in asp - go figure].  Our 
> website has three seperate user information request forms on it; all 
> were posted using a php mail script.  One day, all of a sudden, we get 
> 20-30 bogus forms mail to us per day.  Annoying and alarming.  So i 
> went searching for some way to control it.  I managed to insert a php 
> script with captcha into each.  but, we are still getting bogus forms 
> sent to us.  Not as many, but still annoying and no fun...email header 
> injections i take it?
>


Captcha prevents, to a degree, the automated use of your forms to send 
you email.

It won't prevent someone from manually using those forms to send you email.

Nor will it prevent someone from forging your email address and sending 
you spam.

So without know why the forms are bogus, it's somewhat hard to tell what 
the problem is.

As a first step, I'd make sure to code something so you track who 
submits an email through on a form(cookie plus ip address tracking along 
with placing a unique id for each email in the header) so you can 
compare the "spam" with your database and see where it is coming from.

Than attack the problem from that perspective.  If they all come from 
the same IP address range, add an extra captcha routine triggered just 
for them to confirm email.  Reject their address entirely.  Whatever.




From paul at devonianfarm.com  Sun Sep 16 14:38:38 2007
From: paul at devonianfarm.com (Paul Houle)
Date: Sun, 16 Sep 2007 14:38:38 -0400
Subject: [nycphp-talk] ORM vs SQL: the ultimate showdown
In-Reply-To: <46EC316E.6030203@enobrev.com>
References: <Pine.LNX.4.44.0709131041050.17851-100000@bitblit.net><46EA6E4A.9050504@secdat.com>	<46EC0D3D.3040600@devonianfarm.com>	<00c501c7f7b5$e5598920$6401a8c0@gamebox>
	<46EC316E.6030203@enobrev.com>
Message-ID: <46ED782E.3070303@devonianfarm.com>

Mark Armendariz wrote:
>
> This might seem completely ridiculous and tear the idea to shreds if 
> you must, but I've been working on a library with it's own query 
> language that creates both the SQL and the PHP Objects to reference 
> everything returned.  Though I've been working on it for quite some 
> time, it's still too early (read: messy) to offer it to the masses 
> (I'm successfully using it in 4 of my current small to medium sized 
> projects).
> Over the past 10 years, every time I try to keep all my queries in one 
> place, whether it be with SQL or with some objects representing my 
> Database Tables, i end up with a bunch of functions named 
> getCustomers, getCustomer($id), getCustomersInNy, 
> getCustomersInTristate, so instead I made a language that allows 
> something like:
>
    I'm really fascinated by ideas like this.

    Have you seen HQL,  the query language that comes with the 
(Java-based) Hibernate ORM system?

http://www.hibernate.org/hib_docs/reference/en/html/queryhql.html



From edwardpotter at gmail.com  Sun Sep 16 14:23:17 2007
From: edwardpotter at gmail.com (Edward Potter)
Date: Sun, 16 Sep 2007 14:23:17 -0400
Subject: [nycphp-talk] Two part question: Shopping carts & E-commerce
In-Reply-To: <016801c7f7c5$9820c190$6401a8c0@gamebox>
References: <Pine.LNX.4.44.0708281044470.7063-100000@bitblit.net>
	<46D43B08.60009@beezifies.com>
	<70745236-EB98-4AC3-B754-4DC2A315323E@jonbaer.com>
	<46D47172.1000909@beezifies.com>
	<016801c7f7c5$9820c190$6401a8c0@gamebox>
Message-ID: <c5949a380709161123o6da77c8ey6023c53221e83c78@mail.gmail.com>

To the best of my knowledge I may have put one of  the first "Shopping
Carts" on the Web, I think it was back in '95-96'. I used perl is
those days. They can get VERY complex, VERY, VERY  fast - I suggest
read all the above posts, twice!

How's this one : one client wanted anything sent to Canada to be
priced double or not sent at all, depending on the mood of his
girlfriend, but only DVD items that had a romantic title, all was set
back to normal in March,  then he had a new girlfriend that lived in
California, all the Cali customers got an extra 6% off, but only on
collectible videos, not DVDs. And the inventory was in the thousands,
how do you program for that?

Yipes!

good luck  :-)
ed

On 9/15/07, Ben Sgro (ProjectSkyLine) <ben at projectskyline.com> wrote:
> Hello,
>
> After speaking with a lot of people, it seems OSCommerce and Authorize.net
> are a good team.
>
> However, after taking a look at CS-Cart, it does *look* nicer than
> OScommerce.
>
> Does anyone have experiance with both of these carts?
>
> - Ben
>
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php
>


-- 
the Blog: http://www.utopiaparkway.com
the Karma: http://www.coderswithconscience.com
the Projects: http://flickr.com/photos/86842405 at N00/
the Store: http://astore.amazon.com/httpwwwutopic-20


From nikola.mitic at gmail.com  Sun Sep 16 16:24:01 2007
From: nikola.mitic at gmail.com (Nikola Mitic)
Date: Sun, 16 Sep 2007 22:24:01 +0200
Subject: [nycphp-talk] Two part question: Shopping carts & E-commerce
In-Reply-To: <c5949a380709161123o6da77c8ey6023c53221e83c78@mail.gmail.com>
References: <Pine.LNX.4.44.0708281044470.7063-100000@bitblit.net>
	<46D43B08.60009@beezifies.com>
	<70745236-EB98-4AC3-B754-4DC2A315323E@jonbaer.com>
	<46D47172.1000909@beezifies.com>
	<016801c7f7c5$9820c190$6401a8c0@gamebox>
	<c5949a380709161123o6da77c8ey6023c53221e83c78@mail.gmail.com>
Message-ID: <6b1dc5090709161324j1109f7ccq642fb4f815284d6f@mail.gmail.com>

just working on candles <http://www.candledelirium.com/> website with
Oscommerce SC and it is OK for basic use.

You can also check X-cart <http://www.x-cart.com/> that I was working 1 year
ago.

Things that are interesting in X-cart are:
- Manufacturers
- Wish lists
- News management
- Shipping methods
- Taxing system
- Edit ratings
- Gift certificates

You can also add modules like:
- UPS OnLine(r) Tools
- Users online
- G Anallytics
...

Best,
Nikola Mitic
http://www.twospots.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070916/81716dd8/attachment.html>

From cliff at pinestream.com  Sun Sep 16 17:25:06 2007
From: cliff at pinestream.com (Cliff Hirsch)
Date: Sun, 16 Sep 2007 17:25:06 -0400
Subject: [nycphp-talk] Book suggestions for web site management
Message-ID: <C3131772.7D62%cliff@pinestream.com>

So I have all the php, mysql and Javascript books. I even have a few books
on CSS and scale-out.

But does anyone have suggestions, whether books, web site, articles, etc.,
for what I need to do to keep a complex LAMP-based server humming? I have a
few Linux books and I?m sure my managed hosting provider will take care of
most everything, but it would still make interesting reading. And I need to
know what to ask them....

Cliff
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070916/b3787581/attachment.html>

From lk613m at yahoo.com  Sun Sep 16 18:10:25 2007
From: lk613m at yahoo.com (LK)
Date: Sun, 16 Sep 2007 15:10:25 -0700 (PDT)
Subject: [nycphp-talk] Book suggestions for web site management
Message-ID: <735295.34047.qm@web53304.mail.re2.yahoo.com>

I use http://safari.oreilly.com/ For a $40/month subscription you can read thousands of IT books online. The entire database is searcheable and does not take any shelf space. I highly recommend it.

-Leo

----- Original Message ----
From: Cliff Hirsch <cliff at pinestream.com>
To: NYPHP Talk <talk at lists.nyphp.org>
Sent: Sunday, September 16, 2007 5:25:06 PM
Subject: [nycphp-talk] Book suggestions for web site management

So I have all the php, mysql and Javascript books. I even have a few books on CSS and scale-out.

But does anyone have suggestions, whether books, web site, articles, etc., for what I need to do to keep a complex LAMP-based server humming? I have a few Linux books and I?m sure my managed hosting provider will take care of most everything, but it would still make interesting reading. And I need to know what to ask them....

Cliff


       
____________________________________________________________________________________
Looking for a deal? Find great prices on flights and hotels with Yahoo! FareChase.
http://farechase.yahoo.com/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070916/89be1df7/attachment.html>

From rmarscher at beaffinitive.com  Sun Sep 16 19:47:06 2007
From: rmarscher at beaffinitive.com (Rob Marscher)
Date: Sun, 16 Sep 2007 19:47:06 -0400
Subject: [nycphp-talk] ORM vs SQL: the ultimate showdown
In-Reply-To: <46EC316E.6030203@enobrev.com>
References: <Pine.LNX.4.44.0709131041050.17851-100000@bitblit.net><46EA6E4A.9050504@secdat.com>	<46EC0D3D.3040600@devonianfarm.com>
	<00c501c7f7b5$e5598920$6401a8c0@gamebox>
	<46EC316E.6030203@enobrev.com>
Message-ID: <4400D089-F617-45DD-ACC0-BCB7794732B1@beaffinitive.com>

On Sep 15, 2007, at 3:24 PM, Mark Armendariz wrote:
> Anyways, that's my take on SQL and ORM.  Both - with an easily  
> manipulated and portable meta language.
Sounds pretty cool.  Ever thought of analyzing the queries used  
within an application and automatically generate (or suggest)  
indexes?  Seems like your system might have self-analyzing  
capabilities to be able to do that.

-Rob


From lists at enobrev.com  Sun Sep 16 20:02:45 2007
From: lists at enobrev.com (Mark Armendariz)
Date: Sun, 16 Sep 2007 20:02:45 -0400
Subject: [nycphp-talk] ORM vs SQL: the ultimate showdown
In-Reply-To: <4400D089-F617-45DD-ACC0-BCB7794732B1@beaffinitive.com>
References: <Pine.LNX.4.44.0709131041050.17851-100000@bitblit.net><46EA6E4A.9050504@secdat.com>	<46EC0D3D.3040600@devonianfarm.com>	<00c501c7f7b5$e5598920$6401a8c0@gamebox>	<46EC316E.6030203@enobrev.com>
	<4400D089-F617-45DD-ACC0-BCB7794732B1@beaffinitive.com>
Message-ID: <46EDC425.2010805@enobrev.com>

Rob Marscher wrote:
> On Sep 15, 2007, at 3:24 PM, Mark Armendariz wrote:
>> Anyways, that's my take on SQL and ORM.  Both - with an easily 
>> manipulated and portable meta language.
> Sounds pretty cool.  Ever thought of analyzing the queries used within 
> an application and automatically generate (or suggest) indexes?  Seems 
> like your system might have self-analyzing capabilities to be able to 
> do that.
Working towards that as well.  Currently has some basic profiling 
capabilities for finding the real nasty queries (reminiscent to 
adodb's).   For the most part the multi-table queries tend to be pretty 
tight as long as the indexes are already set up.  I've been considering 
what it would take to parse an explain and make suggestions for some time.

The whole idea is something of a self-generating dao (or orm, i get the 
concepts and then I get them mixed up) that quietly caches itself out of 
existence over time, but sticks around for general maintenance when 
needed.  I'm glad to see some interest.  Good motivation to get this 
thing out in the world soon.

Mark


From lists at enobrev.com  Sun Sep 16 20:10:51 2007
From: lists at enobrev.com (Mark Armendariz)
Date: Sun, 16 Sep 2007 20:10:51 -0400
Subject: [nycphp-talk] ORM vs SQL: the ultimate showdown
In-Reply-To: <46ED782E.3070303@devonianfarm.com>
References: <Pine.LNX.4.44.0709131041050.17851-100000@bitblit.net><46EA6E4A.9050504@secdat.com>	<46EC0D3D.3040600@devonianfarm.com>	<00c501c7f7b5$e5598920$6401a8c0@gamebox>	<46EC316E.6030203@enobrev.com>
	<46ED782E.3070303@devonianfarm.com>
Message-ID: <46EDC60B.7090706@enobrev.com>

Paul Houle wrote:
> Mark Armendariz wrote:
>    I'm really fascinated by ideas like this.
>
>    Have you seen HQL,  the query language that comes with the 
> (Java-based) Hibernate ORM system?
>
> http://www.hibernate.org/hib_docs/reference/en/html/queryhql.html
This is interesting, Paul.  Thank you.  I've read about TQL and a couple 
others (tons of del.icio.us links) and hadn't run across HQL.  They seem 
to have quite a bit of inter-table relationship info in their queries 
which is what i really want to avoid, but otherwise, it's interesting to 
see how it's done.

Thanks!

Mark


From christinak at wll.com  Mon Sep 17 09:35:11 2007
From: christinak at wll.com (Christina Karlhoff)
Date: Mon, 17 Sep 2007 09:35:11 -0400
Subject: [nycphp-talk] PHP script needs some filter help
In-Reply-To: <2934ED1639B14D5E8FF6F5E75F0DE290@wlabs.local>
References: <EF0605FC343F204C9F5A8771CC09B22B4F45AF@pe2800.wlabs.local>
	<2934ED1639B14D5E8FF6F5E75F0DE290@wlabs.local>
Message-ID: <EF0605FC343F204C9F5A8771CC09B22B4F45DA@pe2800.wlabs.local>

Hi Gary,

Thanks, I appreciate your insight. 

At the moment, I'm afraid that I am not privvy to the correct
implementation of php code to track a user's submission... 

I am going to look into php classes, and at the very least get somebody
to design a custom php component for the company to use.


-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org]
On Behalf Of Gary Mort
Sent: Sunday, September 16, 2007 2:16 PM
To: NYPHP Talk
Subject: Re: [nycphp-talk] PHP script needs some filter help

Christina Karlhoff wrote:
>
> The situation:  Our company's website host server only processes 
> scripts in php, python, cld fusion [not in asp - go figure].  Our 
> website has three seperate user information request forms on it; all 
> were posted using a php mail script.  One day, all of a sudden, we get

> 20-30 bogus forms mail to us per day.  Annoying and alarming.  So i 
> went searching for some way to control it.  I managed to insert a php 
> script with captcha into each.  but, we are still getting bogus forms 
> sent to us.  Not as many, but still annoying and no fun...email header

> injections i take it?
>


Captcha prevents, to a degree, the automated use of your forms to send
you email.

It won't prevent someone from manually using those forms to send you
email.

Nor will it prevent someone from forging your email address and sending
you spam.

So without know why the forms are bogus, it's somewhat hard to tell what
the problem is.

As a first step, I'd make sure to code something so you track who
submits an email through on a form(cookie plus ip address tracking along
with placing a unique id for each email in the header) so you can
compare the "spam" with your database and see where it is coming from.

Than attack the problem from that perspective.  If they all come from
the same IP address range, add an extra captcha routine triggered just
for them to confirm email.  Reject their address entirely.  Whatever.


_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com

Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php




From tedd at sperling.com  Mon Sep 17 09:48:49 2007
From: tedd at sperling.com (tedd)
Date: Mon, 17 Sep 2007 09:48:49 -0400
Subject: [nycphp-talk] ORM vs SQL: the ultimate showdown
In-Reply-To: <46EDC425.2010805@enobrev.com>
References: <Pine.LNX.4.44.0709131041050.17851-100000@bitblit.net><46EA6E4A.9050504@se
	cdat.com>	<46EC0D3D.3040600@devonianfarm.com>
	<00c501c7f7b5$e5598920$6401a8c0@gamebox>	<46EC316E.6030203@enobrev.com>
	<4400D089-F617-45DD-ACC0-BCB7794732B1@beaffinitive.com>
	<46EDC425.2010805@enobrev.com>
Message-ID: <p06240802c314354a7b24@[192.168.1.101]>

At 8:02 PM -0400 9/16/07, Mark Armendariz wrote:
>Rob Marscher wrote:
>>On Sep 15, 2007, at 3:24 PM, Mark Armendariz wrote:
>>>Anyways, that's my take on SQL and ORM.  Both - with an easily 
>>>manipulated and portable meta language.
>>Sounds pretty cool.  Ever thought of analyzing the queries used 
>>within an application and automatically generate (or suggest) 
>>indexes?  Seems like your system might have self-analyzing 
>>capabilities to be able to do that.
>Working towards that as well.  Currently has some basic profiling 
>capabilities for finding the real nasty queries (reminiscent to 
>adodb's).   For the most part the multi-table queries tend to be 
>pretty tight as long as the indexes are already set up.  I've been 
>considering what it would take to parse an explain and make 
>suggestions for some time.
>
>The whole idea is something of a self-generating dao (or orm, i get 
>the concepts and then I get them mixed up) that quietly caches 
>itself out of existence over time, but sticks around for general 
>maintenance when needed.  I'm glad to see some interest.  Good 
>motivation to get this thing out in the world soon.
>
>Mark

In regard to self-analyzing, it would be nice to have the option to 
select what types of search methodologies the dB uses, such as splay.

Cheers,

tedd
-- 
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com


From bz-gmort at beezifies.com  Mon Sep 17 10:07:38 2007
From: bz-gmort at beezifies.com (Gary Mort)
Date: Mon, 17 Sep 2007 10:07:38 -0400
Subject: [nycphp-talk] PHP script needs some filter help
In-Reply-To: <EF0605FC343F204C9F5A8771CC09B22B4F45DA@pe2800.wlabs.local>
References: <EF0605FC343F204C9F5A8771CC09B22B4F45AF@pe2800.wlabs.local>	<2934ED1639B14D5E8FF6F5E75F0DE290@wlabs.local>
	<EF0605FC343F204C9F5A8771CC09B22B4F45DA@pe2800.wlabs.local>
Message-ID: <46EE8A2A.9090207@beezifies.com>

Christina Karlhoff wrote:
> Hi Gary,
>
> Thanks, I appreciate your insight. 
>
> At the moment, I'm afraid that I am not privvy to the correct
> implementation of php code to track a user's submission... 
>   

I make it up as I go along. :-)

You have a PHP form that sends an email.
So, at the very least, find where the mail is sent to the internal 
user(don't do this for the copy sent to the submitter, assuming you are 
sending a copy to the submitter which, if your getting spam, is a very 
very bad thing to do)
Assume that your message is stored in a text variable called $message.


$message .= " The submitters ip address was ";
$message .= $_SERVER[?REMOTE_ADDR?];
$message .= " and the secret code is YoLarry";


The point of this little bit of text is twofold:
1) It will tell you the ip address of the system that is submitting spam 
through your form.
2) The secret code is just a stupid little phrase to add so that the 
email came through your own form generator. As you may have someone who 
is spoofing the address the form generator uses but sending spam 
externally(ie your form may be fine and it may be something outside of 
PHP causing the problems).
Note: A better solution is to add those 2 items to the header, not the 
email body. Plus adding some extra tracking info, a cookie, the browser 
type, capabilities, etc. Basically, track your submissions and find out 
what, if any, is unique about the spam submissions that can be used to 
filter it.

What I would really do at that point is manually create the message id 
and store that in a database somewhere and do some reconcillation 
between the spam email and the emails generated by the form to ensure 
their the same.

Basically, the main point I'm making is that right now your getting 
spam. You think it comes from this form. Make SURE it comes from the 
form itself before you go spending time trying to figure out how to stop 
the form from sending spam. Also note that if you are getting spam, you 
may not be the target of the spam. If you allow someone to CC themselves 
on an email, what you may have is a spammer who is trying to send spam 
to other people(by claiming to be them and asking to be cc'd on the email).

This is a quick and dirty troubleshooting step, not a long term 
solution. A long term solution would be to build a more comprehensive 
tracking system for the emails, make sure it is as secure as possible, 
and take things step by step. (if you absolutely HAVE to allow everyone 
to send email to you through this form, you could send submitted emails 
through a spam filter and quarantine the spam on the server and just 
send the users a report every few hours "X new emails in Quarantine".)




From mitch.pirtle at gmail.com  Mon Sep 17 11:09:06 2007
From: mitch.pirtle at gmail.com (Mitch Pirtle)
Date: Mon, 17 Sep 2007 11:09:06 -0400
Subject: [nycphp-talk] Two part question: Shopping carts & E-commerce
In-Reply-To: <6b1dc5090709161324j1109f7ccq642fb4f815284d6f@mail.gmail.com>
References: <Pine.LNX.4.44.0708281044470.7063-100000@bitblit.net>
	<46D43B08.60009@beezifies.com>
	<70745236-EB98-4AC3-B754-4DC2A315323E@jonbaer.com>
	<46D47172.1000909@beezifies.com>
	<016801c7f7c5$9820c190$6401a8c0@gamebox>
	<c5949a380709161123o6da77c8ey6023c53221e83c78@mail.gmail.com>
	<6b1dc5090709161324j1109f7ccq642fb4f815284d6f@mail.gmail.com>
Message-ID: <330532b60709170809g53fa49eg86877780423957fa@mail.gmail.com>

I can't believe nobody's mentioned Magento yet:

http://www.magentocommerce.com/

That's the one I'm taking a very very close look at...

-- Mitch, impressed easily with all the pretty screens *blush*


From ben at projectskyline.com  Mon Sep 17 11:25:58 2007
From: ben at projectskyline.com (Ben Sgro (ProjectSkyLine))
Date: Mon, 17 Sep 2007 11:25:58 -0400
Subject: [nycphp-talk] Two part question: Shopping carts & E-commerce
References: <Pine.LNX.4.44.0708281044470.7063-100000@bitblit.net><46D43B08.60009@beezifies.com><70745236-EB98-4AC3-B754-4DC2A315323E@jonbaer.com><46D47172.1000909@beezifies.com><016801c7f7c5$9820c190$6401a8c0@gamebox><c5949a380709161123o6da77c8ey6023c53221e83c78@mail.gmail.com><6b1dc5090709161324j1109f7ccq642fb4f815284d6f@mail.gmail.com>
	<330532b60709170809g53fa49eg86877780423957fa@mail.gmail.com>
Message-ID: <00af01c7f93f$0ccd8580$6401a8c0@gamebox>

Hello Mitch, 

This product looks great.  A lot nicer than OSCommerce in terms of look.
Not sure it if functions better, since I've yet to use OSCommerce or any
cart for that matter.

I'm going to look at it in detail now ...

Thanks for mentioning this!

- Ben
----- Original Message ----- 
From: "Mitch Pirtle" <mitch.pirtle at gmail.com>
To: "NYPHP Talk" <talk at lists.nyphp.org>
Sent: Monday, September 17, 2007 11:09 AM
Subject: Re: [nycphp-talk] Two part question: Shopping carts & E-commerce


>I can't believe nobody's mentioned Magento yet:
> 
> http://www.magentocommerce.com/
> 
> That's the one I'm taking a very very close look at...
> 
> -- Mitch, impressed easily with all the pretty screens *blush*
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
> 
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
> 
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php


From bz-gmort at beezifies.com  Mon Sep 17 11:35:15 2007
From: bz-gmort at beezifies.com (Gary Mort)
Date: Mon, 17 Sep 2007 11:35:15 -0400
Subject: [nycphp-talk] Two part question: Shopping carts & E-commerce
In-Reply-To: <330532b60709170809g53fa49eg86877780423957fa@mail.gmail.com>
References: <Pine.LNX.4.44.0708281044470.7063-100000@bitblit.net>	<46D43B08.60009@beezifies.com>	<70745236-EB98-4AC3-B754-4DC2A315323E@jonbaer.com>	<46D47172.1000909@beezifies.com>	<016801c7f7c5$9820c190$6401a8c0@gamebox>	<c5949a380709161123o6da77c8ey6023c53221e83c78@mail.gmail.com>	<6b1dc5090709161324j1109f7ccq642fb4f815284d6f@mail.gmail.com>
	<330532b60709170809g53fa49eg86877780423957fa@mail.gmail.com>
Message-ID: <46EE9EB3.700@beezifies.com>

Mitch Pirtle wrote:
> I can't believe nobody's mentioned Magento yet:
>
> http://www.magentocommerce.com/
>   

Magento?  Ewww..

Now if they called it Magneto.....



From cliff at pinestream.com  Mon Sep 17 11:38:45 2007
From: cliff at pinestream.com (Cliff Hirsch)
Date: Mon, 17 Sep 2007 11:38:45 -0400
Subject: [nycphp-talk] Two part question: Shopping carts & E-commerce
In-Reply-To: <330532b60709170809g53fa49eg86877780423957fa@mail.gmail.com>
Message-ID: <C31417C5.7DD2%cliff@pinestream.com>

On 9/17/07 11:09 AM, "Mitch Pirtle" <mitch.pirtle at gmail.com> wrote:
> I can't believe nobody's mentioned Magento yet:
> 
> http://www.magentocommerce.com/
> 
> That's the one I'm taking a very very close look at...

Not production yet, last time I checked, but looks interesting.




From edwardpotter at gmail.com  Mon Sep 17 14:09:52 2007
From: edwardpotter at gmail.com (Edward Potter)
Date: Mon, 17 Sep 2007 14:09:52 -0400
Subject: [nycphp-talk] Two part question: Shopping carts & E-commerce
In-Reply-To: <C31417C5.7DD2%cliff@pinestream.com>
References: <330532b60709170809g53fa49eg86877780423957fa@mail.gmail.com>
	<C31417C5.7DD2%cliff@pinestream.com>
Message-ID: <c5949a380709171109s4c72fe1ayc08282723dec7e78@mail.gmail.com>

http://www.magentocommerce.com/

wow, looks VERY slick, have not yet looked at the source, but so far
looks very slick....  I think osCommerce has kinda of run it's life
span.  IMHO

On 9/17/07, Cliff Hirsch <cliff at pinestream.com> wrote:
> On 9/17/07 11:09 AM, "Mitch Pirtle" <mitch.pirtle at gmail.com> wrote:
> > I can't believe nobody's mentioned Magento yet:
> >
> > http://www.magentocommerce.com/
> >
> > That's the one I'm taking a very very close look at...
>
> Not production yet, last time I checked, but looks interesting.
>
>
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php
>


-- 
the Blog: http://www.utopiaparkway.com
the Karma: http://www.coderswithconscience.com
the Projects: http://flickr.com/photos/86842405 at N00/
the Store: http://astore.amazon.com/httpwwwutopic-20


From christinak at wll.com  Mon Sep 17 14:37:34 2007
From: christinak at wll.com (Christina Karlhoff)
Date: Mon, 17 Sep 2007 14:37:34 -0400
Subject: [nycphp-talk] PHP script needs some filter help
In-Reply-To: <090F13186BF5429EBCC8CCBBF85C7111@wlabs.local>
References: <EF0605FC343F204C9F5A8771CC09B22B4F45AF@pe2800.wlabs.local>	<2934ED1639B14D5E8FF6F5E75F0DE290@wlabs.local><EF0605FC343F204C9F5A8771CC09B22B4F45DA@pe2800.wlabs.local>
	<090F13186BF5429EBCC8CCBBF85C7111@wlabs.local>
Message-ID: <EF0605FC343F204C9F5A8771CC09B22B4F4602@pe2800.wlabs.local>

>>A better solution is to add those 2 items to the header, not the email
body. Plus adding some extra tracking info, a cookie, the browser type,
capabilities, etc. Basically, track your submissions and find out what,
if any, is unique about the spam submissions that can be used to filter
it.<<


Ok...so now I take what you provided below, and add its contents to the
header, like this?

$header = "Return-Path: ".$mailuser."\r\n";
	$header .= "From: form with captcha <".$mailuser.">\r\n"; 
	$header .= "Content-Type: text/plain;";
 	$header .= "message info: ".$message.";

Or... 

...do I define it as you provided below, and make it appear as part of
the mail message body like this?
	
	$mail_body = '
	
	The submitters ip address was '$_SERVER['REMOTE_ADDR'].'
	
	The User: '.$_POST[Company].' has sent a request for general
information.;
	
	The secret code is YoLarry' 



=\ Christina~
  
-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org]
On Behalf Of Gary Mort
Sent: Monday, September 17, 2007 10:45 AM
To: NYPHP Talk
Subject: Re: [nycphp-talk] PHP script needs some filter help

Christina Karlhoff wrote:
> Hi Gary,
>
> Thanks, I appreciate your insight. 
>
> At the moment, I'm afraid that I am not privvy to the correct 
> implementation of php code to track a user's submission...
>   

I make it up as I go along. :-)

You have a PHP form that sends an email.
So, at the very least, find where the mail is sent to the internal
user(don't do this for the copy sent to the submitter, assuming you are
sending a copy to the submitter which, if your getting spam, is a very
very bad thing to do) Assume that your message is stored in a text
variable called $message.


$message .= " The submitters ip address was "; $message .=
$_SERVER['REMOTE_ADDR']; $message .= " and the secret code is YoLarry";


The point of this little bit of text is twofold:
1) It will tell you the ip address of the system that is submitting spam
through your form.
2) The secret code is just a stupid little phrase to add so that the
email came through your own form generator. As you may have someone who
is spoofing the address the form generator uses but sending spam
externally(ie your form may be fine and it may be something outside of
PHP causing the problems).
Note: A better solution is to add those 2 items to the header, not the
email body. Plus adding some extra tracking info, a cookie, the browser
type, capabilities, etc. Basically, track your submissions and find out
what, if any, is unique about the spam submissions that can be used to
filter it.

What I would really do at that point is manually create the message id
and store that in a database somewhere and do some reconcillation
between the spam email and the emails generated by the form to ensure
their the same.

Basically, the main point I'm making is that right now your getting
spam. You think it comes from this form. Make SURE it comes from the
form itself before you go spending time trying to figure out how to stop
the form from sending spam. Also note that if you are getting spam, you
may not be the target of the spam. If you allow someone to CC themselves
on an email, what you may have is a spammer who is trying to send spam
to other people(by claiming to be them and asking to be cc'd on the
email).

This is a quick and dirty troubleshooting step, not a long term
solution. A long term solution would be to build a more comprehensive
tracking system for the emails, make sure it is as secure as possible,
and take things step by step. (if you absolutely HAVE to allow everyone
to send email to you through this form, you could send submitted emails
through a spam filter and quarantine the spam on the server and just
send the users a report every few hours "X new emails in Quarantine".)


_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com

Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php




From jonbaer at jonbaer.com  Mon Sep 17 17:38:13 2007
From: jonbaer at jonbaer.com (Jon Baer)
Date: Mon, 17 Sep 2007 17:38:13 -0400
Subject: [nycphp-talk] php|works 07 slides
Message-ID: <3BB27F05-89EB-40CD-A7B1-B16636033D79@jonbaer.com>

For those interested ... Paul Jones put up his 2 slides - excellent  
topics - @ his blog here:

http://paul-m-jones.com/blog/

* Framework and Application Benchmarking
* Organizing Your PHP Project

Was trying to locate a few others from the schedule w/o luck, anyone  
have a repository link?  Hearing it was a great conference.

Thanks.

- Jon

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070917/ba56420a/attachment.html>

From jonbaer at jonbaer.com  Mon Sep 17 17:42:10 2007
From: jonbaer at jonbaer.com (Jon Baer)
Date: Mon, 17 Sep 2007 17:42:10 -0400
Subject: [nycphp-talk] Re: php|works 07 slides
In-Reply-To: <3BB27F05-89EB-40CD-A7B1-B16636033D79@jonbaer.com>
References: <3BB27F05-89EB-40CD-A7B1-B16636033D79@jonbaer.com>
Message-ID: <62CCD347-2937-4548-95C5-23D5B66D9979@jonbaer.com>

Actually found the one I was looking for ...

http://sizzo.org/wp/talks/

* Facebook Performance Caching

Anyone know if there will be / was video?

- Jon

On Sep 17, 2007, at 5:38 PM, Jon Baer wrote:

> For those interested ... Paul Jones put up his 2 slides - excellent  
> topics - @ his blog here:
>
> http://paul-m-jones.com/blog/
>
> * Framework and Application Benchmarking
> * Organizing Your PHP Project
>
> Was trying to locate a few others from the schedule w/o luck,  
> anyone have a repository link?  Hearing it was a great conference.
>
> Thanks.
>
> - Jon
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070917/aba99751/attachment.html>

From pmjones88 at gmail.com  Mon Sep 17 17:47:11 2007
From: pmjones88 at gmail.com (Paul M Jones)
Date: Mon, 17 Sep 2007 16:47:11 -0500
Subject: [nycphp-talk] php|works 07 slides
In-Reply-To: <3BB27F05-89EB-40CD-A7B1-B16636033D79@jonbaer.com>
References: <3BB27F05-89EB-40CD-A7B1-B16636033D79@jonbaer.com>
Message-ID: <5D1AD2FF-E381-41DF-AF1D-466283E3FB57@gmail.com>

On Sep 17, 2007, at 4:38 PM, Jon Baer wrote:

> For those interested ... Paul Jones put up his 2 slides - excellent  
> topics - @ his blog here:
>
> http://paul-m-jones.com/blog/
>
> * Framework and Application Benchmarking
> * Organizing Your PHP Project
>
> Was trying to locate a few others from the schedule w/o luck,  
> anyone have a repository link?  Hearing it was a great conference.

Hey Jon -- it was a good conference, thanks for the compliments.

The slides from all the talks (well, all the slides that got turned  
in, anyway) are at this location:

   <http://works.phparch.com/c/p/works_live,slides>




--

Paul M. Jones  <http://paul-m-jones.com>

Solar: Simple Object Library and Application Repository
for PHP5.  <http://solarphp.com>

Join the Solar community wiki!  <http://solarphp.org>

Savant: The simple, elegant, and powerful solution for
templates in PHP.  <http://phpsavant.com>




From jonbaer at jonbaer.com  Mon Sep 17 17:52:59 2007
From: jonbaer at jonbaer.com (Jon Baer)
Date: Mon, 17 Sep 2007 17:52:59 -0400
Subject: [nycphp-talk] php|works 07 slides
In-Reply-To: <5D1AD2FF-E381-41DF-AF1D-466283E3FB57@gmail.com>
References: <3BB27F05-89EB-40CD-A7B1-B16636033D79@jonbaer.com>
	<5D1AD2FF-E381-41DF-AF1D-466283E3FB57@gmail.com>
Message-ID: <B34C930A-2F91-4576-81B3-F0618B65194C@jonbaer.com>

Nice, thanks Paul!

- Jon

On Sep 17, 2007, at 5:47 PM, Paul M Jones wrote:

> On Sep 17, 2007, at 4:38 PM, Jon Baer wrote:
>
>> For those interested ... Paul Jones put up his 2 slides -  
>> excellent topics - @ his blog here:
>>
>> http://paul-m-jones.com/blog/
>>
>> * Framework and Application Benchmarking
>> * Organizing Your PHP Project
>>
>> Was trying to locate a few others from the schedule w/o luck,  
>> anyone have a repository link?  Hearing it was a great conference.
>
> Hey Jon -- it was a good conference, thanks for the compliments.
>
> The slides from all the talks (well, all the slides that got turned  
> in, anyway) are at this location:
>
>   <http://works.phparch.com/c/p/works_live,slides>
>
>


From elharo at metalab.unc.edu  Wed Sep 19 05:41:21 2007
From: elharo at metalab.unc.edu (Elliotte Harold)
Date: Wed, 19 Sep 2007 05:41:21 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To: <46E14E2C.2030506@secdat.com>
References: <46DD54B0.5060803@secdat.com>	<46E1238E.5010307@metalab.unc.edu>	<46E12D4A.2010204@secdat.com>	<46E12F93.4040700@metalab.unc.edu>	<46E132B0.9010400@secdat.com>	<46E138C2.3040307@metalab.unc.edu>
	<46E14E2C.2030506@secdat.com>
Message-ID: <46F0EEC1.5030608@metalab.unc.edu>

Kenneth Downs wrote:

> That can only be done if the password is stored on the browser between 
> requests.  No thanks!

I don't know about your browser but mine (and those of most of the 
people I know) store lots of passwords pretty much all the time. I 
prefer to trust Firefox's encryption and security to my ability to 
remember umpteen different passwords.

> At any rate, in principle I believe that sessions are a bad way to do 
> things, they just have that bag-on-the-side feel.  The only permanent 
> use of a session in Andromeda is to store user information, notably 
> user_id and password.  I do this only because I am not aware of a secure 
> session-less alternative.  Any ideas are welcome.


The key idea is that all authentication data is transmitted with each 
request, not merely a session token. There may well be ways to make that 
authentication data something other than a username and password.

You may wish to explore what Amazon E3 does. They have some sort of 
unique private-key/public key encryption scheme that might suit you. 
Google GData also has some sort of strange, custom authentication scheme 
though I haven't explored it in detail.

-- 
Elliotte Rusty Harold  elharo at metalab.unc.edu
Java I/O 2nd Edition Just Published!
http://www.cafeaulait.org/books/javaio2/
http://www.amazon.com/exec/obidos/ISBN=0596527500/ref=nosim/cafeaulaitA/


From elharo at metalab.unc.edu  Wed Sep 19 05:43:43 2007
From: elharo at metalab.unc.edu (Elliotte Harold)
Date: Wed, 19 Sep 2007 05:43:43 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To: <p06240803c307013d2458@[192.168.1.101]>
References: <46DD54B0.5060803@secdat.com>
	<07f701c7efb3$52f6a9f0$651ba8c0@MobileZ>	<46DE9F28.5060705@beezifies.com>
	<p06240806c304566c9180@[192.168.1.109]>	<46DEB1C4.2010205@enobrev.com>
	<p0624080ac30472a72f59@[192.168.1.109]>
	<DDB437A3-CE77-471F-8401-2845F72BDADC@sala.ca>
	<p0624080ec3048288e833@[192.168.1.109]>
	<46E124F0.7020309@metalab.unc.edu>
	<p06240803c307013d2458@[192.168.1.101]>
Message-ID: <46F0EF4F.7040702@metalab.unc.edu>

tedd wrote:

> My solution is to simply require them to log-in and set a session auth 
> variable to OK and turn them loose. Then they have access to all the 
> goodies.
> 
> While what they ask for on the site is provided in the URL via a GET, 
> and as such, they could bookmark it and/or send the URL to someone else 
> -- but they can't get at the goodies without being logged-in (i.e.,  
> session auth variable set to OK).
> 
> Again, all pretty simple stuff.
> 
> This works for me -- but, how do you do this without using sessions?
> 

HTTP basic or digest authentication would do exactly this with less work 
on your part. There are other alternatives if that doesn't meet your 
needs, but HTTP authentication is by far the simplest approach.

-- 
Elliotte Rusty Harold  elharo at metalab.unc.edu
Java I/O 2nd Edition Just Published!
http://www.cafeaulait.org/books/javaio2/
http://www.amazon.com/exec/obidos/ISBN=0596527500/ref=nosim/cafeaulaitA/


From elharo at metalab.unc.edu  Wed Sep 19 05:48:25 2007
From: elharo at metalab.unc.edu (Elliotte Harold)
Date: Wed, 19 Sep 2007 05:48:25 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To: <20070912214433.GA11305@panix.com>
References: <46DD54B0.5060803@secdat.com>
	<46E1238E.5010307@metalab.unc.edu>	<46E12D4A.2010204@secdat.com>
	<46E12F93.4040700@metalab.unc.edu>	<46E132B0.9010400@secdat.com>
	<46E138C2.3040307@metalab.unc.edu>
	<20070912214433.GA11305@panix.com>
Message-ID: <46F0F069.3000206@metalab.unc.edu>

Daniel Convissor wrote:
> On Fri, Sep 07, 2007 at 07:40:50AM -0400, Elliotte Harold wrote:
>> Nonetheless, the username and password should be transmitted with each 
>> request (in the HTTP header, not the URL)
> 
> Are you saying the web browser should send the user name and password to 
> the HTTP server on each request?  That's a lousy idea.
> 

Yes I am, and it's not a lousy idea.  This follows directly from the 
core principles of HTTP.  HTTP Basic authentication does that. HTTP 
digest is a little more complex. And there are some other alternatives. 
However the fundamental principle is that full auth data must be sent 
with each request.

Breaking that rule is going to cost you big time when you need to scale 
an application. It very well may introduce single points of failure into 
your app. You can architect around those, but only at the cost of doing 
a lot more work with a lot more machines than you would have had to do 
if your app had followed the design of HTTP instead of working against it.

-- 
Elliotte Rusty Harold  elharo at metalab.unc.edu
Java I/O 2nd Edition Just Published!
http://www.cafeaulait.org/books/javaio2/
http://www.amazon.com/exec/obidos/ISBN=0596527500/ref=nosim/cafeaulaitA/


From ken at secdat.com  Wed Sep 19 06:56:37 2007
From: ken at secdat.com (Kenneth Downs)
Date: Wed, 19 Sep 2007 06:56:37 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To: <46F0F069.3000206@metalab.unc.edu>
References: <46DD54B0.5060803@secdat.com>	<46E1238E.5010307@metalab.unc.edu>	<46E12D4A.2010204@secdat.com>	<46E12F93.4040700@metalab.unc.edu>	<46E132B0.9010400@secdat.com>	<46E138C2.3040307@metalab.unc.edu>	<20070912214433.GA11305@panix.com>
	<46F0F069.3000206@metalab.unc.edu>
Message-ID: <46F10065.5030606@secdat.com>

Elliotte Harold wrote:
> Daniel Convissor wrote:
>> On Fri, Sep 07, 2007 at 07:40:50AM -0400, Elliotte Harold wrote:
>>> Nonetheless, the username and password should be transmitted with 
>>> each request (in the HTTP header, not the URL)
>>
>> Are you saying the web browser should send the user name and password 
>> to the HTTP server on each request?  That's a lousy idea.
>>
>
> Yes I am, and it's not a lousy idea.  This follows directly from the 
> core principles of HTTP.  HTTP Basic authentication does that. HTTP 
> digest is a little more complex. And there are some other 
> alternatives. However the fundamental principle is that full auth data 
> must be sent with each request.
>
> Breaking that rule is going to cost you big time when you need to 
> scale an application. It very well may introduce single points of 
> failure into your app. You can architect around those, but only at the 
> cost of doing a lot more work with a lot more machines than you would 
> have had to do if your app had followed the design of HTTP instead of 
> working against it.
>

It is actually very appealing from the overall design viewpoint.  Since 
Andromeda logs you in to db server with the credentials you supply 
(instead of something generic) then we have lost all need for state.

The itch though is in entrusting the uid/pw to the browser's memory, 
which is easily exploitable.  I simply cannot believe that that data is 
adequately protected on an IE/Windows machine.

But then on the third hand the browser is trapping passwords anyway with 
various wallet mechanisms that I cannot prevent, so what the heck, right?

Right now I'm considering the judgment call between those two ideas.

-- 
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com    www.andromeda-project.org
631-689-7200   Fax: 631-689-0527
cell: 631-379-0010



From ken at secdat.com  Wed Sep 19 06:58:41 2007
From: ken at secdat.com (Kenneth Downs)
Date: Wed, 19 Sep 2007 06:58:41 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To: <46F0EEC1.5030608@metalab.unc.edu>
References: <46DD54B0.5060803@secdat.com>	<46E1238E.5010307@metalab.unc.edu>	<46E12D4A.2010204@secdat.com>	<46E12F93.4040700@metalab.unc.edu>	<46E132B0.9010400@secdat.com>	<46E138C2.3040307@metalab.unc.edu>	<46E14E2C.2030506@secdat.com>
	<46F0EEC1.5030608@metalab.unc.edu>
Message-ID: <46F100E1.7090701@secdat.com>

Elliotte Harold wrote:
> Kenneth Downs wrote:
>
>> That can only be done if the password is stored on the browser 
>> between requests.  No thanks!
>
> I don't know about your browser but mine (and those of most of the 
> people I know) store lots of passwords pretty much all the time. I 
> prefer to trust Firefox's encryption and security to my ability to 
> remember umpteen different passwords.

Me too, except that my customers still run IE on Windows. 

>
>> At any rate, in principle I believe that sessions are a bad way to do 
>> things, they just have that bag-on-the-side feel.  The only permanent 
>> use of a session in Andromeda is to store user information, notably 
>> user_id and password.  I do this only because I am not aware of a 
>> secure session-less alternative.  Any ideas are welcome.
>
> You may wish to explore what Amazon E3 does. They have some sort of 
> unique private-key/public key encryption scheme that might suit you. 
> Google GData also has some sort of strange, custom authentication 
> scheme though I haven't explored it in detail.
>

You can issue them a key as well, and require that key.  That adds 
trouble to the login process, but does produce greater security.

-- 
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com    www.andromeda-project.org
631-689-7200   Fax: 631-689-0527
cell: 631-379-0010



From david at davidmintz.org  Wed Sep 19 16:34:59 2007
From: david at davidmintz.org (David Mintz)
Date: Wed, 19 Sep 2007 16:34:59 -0400
Subject: [nycphp-talk] what's up with array_diff()
Message-ID: <721f1cc50709191334q4faeaf4aya0fde47d69152f91@mail.gmail.com>

The description of array_diff at
http://www.php.net/manual/en/function.array-diff.php says it computes the
difference between the arrays you pass it, and returns that difference as an
array.

The behavior is that it finds and returns an array of elements that are
present in the first argument that are not present in the following
arguments, so the order in which you pass in your arrays is all-important.

I am trying to find out if two arrays are different from each other or not.
I can sort() and then compare with ==, but I thought this might be more
elegant.

Now I am looking at

       if (array_diff($one,$two) or array_diff($two,$one)) {
           /* do something */
       }

but I wonder if anyone can suggest a better way.

Thanks.

-- 
David Mintz
http://davidmintz.org/

The subtle source is clear and bright
The tributary streams flow through the darkness
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070919/c320d5c1/attachment.html>

From ramons at gmx.net  Wed Sep 19 18:47:18 2007
From: ramons at gmx.net (David Krings)
Date: Wed, 19 Sep 2007 18:47:18 -0400
Subject: [nycphp-talk] what's up with array_diff()
In-Reply-To: <721f1cc50709191334q4faeaf4aya0fde47d69152f91@mail.gmail.com>
References: <721f1cc50709191334q4faeaf4aya0fde47d69152f91@mail.gmail.com>
Message-ID: <46F1A6F6.9020007@gmx.net>

David Mintz wrote:
> Now I am looking at
> 
>        if (array_diff($one,$two) or array_diff($two,$one)) {
>            /* do something */
>        }
> 
> but I wonder if anyone can suggest a better way.
> 

I can only think of a worse way by looping through one array and seeing 
if the key/value pair exists in the other one. That might be OK for 
small arrays, but my assumption is that array_diff is way more 
optimized. I just wonder how if() will evaluate an array. Also, when the 
arrays are identical the return value is an empty array. Again, I am not 
sure if if() evaluates and empty array differently than an array with 
stuff in it. Also, comments on php.net indicate that when one array in 
fact is not array the return value of array_diff is NULL.
So, you probably need to run array_diff and then check the count of the 
resulting array. If it is anything else other than 0 the arrays are 
different. In theory, haven't tried that out.

Good luck!

David K.


From ikedrin at clinicaladvisors.com  Wed Sep 19 23:39:00 2007
From: ikedrin at clinicaladvisors.com (Ivan Kedrin)
Date: Wed, 19 Sep 2007 23:39:00 -0400
Subject: [nycphp-talk] what's up with array_diff()
In-Reply-To: <721f1cc50709191334q4faeaf4aya0fde47d69152f91@mail.gmail.com>
References: <721f1cc50709191334q4faeaf4aya0fde47d69152f91@mail.gmail.com>
Message-ID: <051e01c7fb37$c81b16a0$0b01a8c0@tokra>

take a look at http://us.php.net/operators.comparison for some suggestions:

 

function array_equal($a, $b) {
    return (is_array($a) && is_array($b) && array_diff($a, $b) ===
array_diff($b, $a));
}

 

function array_identical($a, $b) {
    return (is_array($a) && is_array($b) && array_diff_assoc($a, $b) ===
array_diff_assoc($b, $a));
}

 

alternatively, you could always serialize() and compare using == if your
definition of "equals" requires them to be identical in every respect
including order of the keys and if you don't care about overhead related to
serialization. there are probably also some shortcuts that could save some
cpu cycles but it depends on the type of data you got in your arrays, array
size, etc. 

 

-ivan kedrin

 

  _____  

From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On
Behalf Of David Mintz
Sent: Wednesday, September 19, 2007 4:35 PM
To: NYPHP Talk
Subject: [nycphp-talk] what's up with array_diff()

 


The description of array_diff at
http://www.php.net/manual/en/function.array-diff.php says it computes the
difference between the arrays you pass it, and returns that difference as an
array. 

The behavior is that it finds and returns an array of elements that are
present in the first argument that are not present in the following
arguments, so the order in which you pass in your arrays is all-important. 

I am trying to find out if two arrays are different from each other or not.
I can sort() and then compare with ==, but I thought this might be more
elegant.

Now I am looking at 

       if (array_diff($one,$two) or array_diff($two,$one)) { 
           /* do something */ 
       }

but I wonder if anyone can suggest a better way.

Thanks.

-- 
David Mintz
http://davidmintz.org/

The subtle source is clear and bright 
The tributary streams flow through the darkness 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070919/a9332886/attachment.html>

From david at davidmintz.org  Thu Sep 20 09:34:24 2007
From: david at davidmintz.org (David Mintz)
Date: Thu, 20 Sep 2007 09:34:24 -0400
Subject: [nycphp-talk] what's up with array_diff()
In-Reply-To: <051e01c7fb37$c81b16a0$0b01a8c0@tokra>
References: <721f1cc50709191334q4faeaf4aya0fde47d69152f91@mail.gmail.com>
	<051e01c7fb37$c81b16a0$0b01a8c0@tokra>
Message-ID: <721f1cc50709200634y7631d3d2ie4317453a4ad2f98@mail.gmail.com>

Interesting -- thank you gentlemen.

Actually this whole thing stems from the issue of inserting/deleting related
rows from an intersection table in a many-to-many scenario, and keeping the
view consistent with the model in an Ajaxy way. Maybe I will commence a new
thread.

On 9/19/07, Ivan Kedrin <ikedrin at clinicaladvisors.com> wrote:
>
>  take a look at http://us.php.net/operators.comparison for some
> suggestions:
>
>
>
> function array_equal($a, $b) {
>     return (is_array($a) && is_array($b) && array_diff($a, $b) ===
> array_diff($b, $a));
> }
>
>
>
> function array_identical($a, $b) {
>     return (is_array($a) && is_array($b) && array_diff_assoc($a, $b) ===
> array_diff_assoc($b, $a));
> }
>
>
>
> alternatively, you could always serialize() and compare using == if your
> definition of "equals" requires them to be identical in every respect
> including order of the keys and if you don't care about overhead related to
> serialization. there are probably also some shortcuts that could save some
> cpu cycles but it depends on the type of data you got in your arrays, array
> size, etc.
>
>
>
> -ivan kedrin
>
>
>  ------------------------------
>
> *From:* talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org]
> *On Behalf Of *David Mintz
> *Sent:* Wednesday, September 19, 2007 4:35 PM
> *To:* NYPHP Talk
> *Subject:* [nycphp-talk] what's up with array_diff()
>
>
>
>
> The description of array_diff at
> http://www.php.net/manual/en/function.array-diff.php says it computes the
> difference between the arrays you pass it, and returns that difference as an
> array.
>
> The behavior is that it finds and returns an array of elements that are
> present in the first argument that are not present in the following
> arguments, so the order in which you pass in your arrays is all-important.
>
> I am trying to find out if two arrays are different from each other or
> not. I can sort() and then compare with ==, but I thought this might be more
> elegant.
>
> Now I am looking at
>
>        if (array_diff($one,$two) or array_diff($two,$one)) {
>            /* do something */
>        }
>
> but I wonder if anyone can suggest a better way.
>
> Thanks.
>
> --
> David Mintz
> http://davidmintz.org/
>
> The subtle source is clear and bright
> The tributary streams flow through the darkness
>
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php
>



-- 
David Mintz
http://davidmintz.org/

The subtle source is clear and bright
The tributary streams flow through the darkness
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070920/a58c0c08/attachment.html>

From anangtt at hotmail.com  Thu Sep 20 12:57:06 2007
From: anangtt at hotmail.com (anan tette-tawia)
Date: Thu, 20 Sep 2007 12:57:06 -0400
Subject: [nycphp-talk] Craigslist Integration
Message-ID: <BLU115-W20E40A38BFAC0376950AD3A8BA0@phx.gbl>

Integration with Craigslist

Has anyone developed a system that integrated with Craigslist housing and apartments portal before.  My client is a real estate agent who wants to be able to upload new property info onto his site and then have it also posted on craigslist if he checks a particular button.

The problem is that i have been doing researching on finding any such API or document that explains how to achieve this type of integration with craigslist without much success.  I would greatly appreciate any assistance from this list.

thanx,

Anang
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070920/444cb6bd/attachment.html>

From dcech at phpwerx.net  Thu Sep 20 13:10:03 2007
From: dcech at phpwerx.net (Dan Cech)
Date: Thu, 20 Sep 2007 13:10:03 -0400
Subject: [nycphp-talk] Craigslist Integration
In-Reply-To: <BLU115-W20E40A38BFAC0376950AD3A8BA0@phx.gbl>
References: <BLU115-W20E40A38BFAC0376950AD3A8BA0@phx.gbl>
Message-ID: <46F2A96B.8030402@phpwerx.net>

anan tette-tawia wrote:
> Has anyone developed a system that integrated with Craigslist housing
> and apartments portal before.  My client is a real estate agent who
> wants to be able to upload new property info onto his site and then
> have it also posted on craigslist if he checks a particular button.
> 
> The problem is that i have been doing researching on finding any such
> API or document that explains how to achieve this type of integration
> with craigslist without much success.  I would greatly appreciate any
> assistance from this list.

I think you will find that there is no documentation because this kind
of thing is expressly forbidden by the Craigslist Terms of Use.

> y) use any form of automated device or computer program that enables the 
> submission of postings on craigslist without each posting being manually 
> entered by the author thereof (an "automated posting device"), including
> without limitation, the use of any such automated posting device to submit
> postings in bulk, or for automatic submission of postings at regular intervals.

http://www.craigslist.org/about/terms.of.use.html#conduct

Dan


From ben at projectskyline.com  Thu Sep 20 13:17:34 2007
From: ben at projectskyline.com (Ben Sgro (ProjectSkyLine))
Date: Thu, 20 Sep 2007 13:17:34 -0400
Subject: [nycphp-talk] Craigslist Integration
References: <BLU115-W20E40A38BFAC0376950AD3A8BA0@phx.gbl>
	<46F2A96B.8030402@phpwerx.net>
Message-ID: <01bf01c7fbaa$237c4fb0$6401a8c0@gamebox>

Hello,

There are some 3rd party apps you can purchase that do this.

I've written code in perl to do reply to postings based on certain "weights" 
with/in the post.

I've looked into the writing auto-post code, but its a bit more complicated 
w/the
CAPTCHAs and pop checking.

- Ben

----- Original Message ----- 
From: "Dan Cech" <dcech at phpwerx.net>
To: "NYPHP Talk" <talk at lists.nyphp.org>
Sent: Thursday, September 20, 2007 1:10 PM
Subject: Re: [nycphp-talk] Craigslist Integration


> anan tette-tawia wrote:
>> Has anyone developed a system that integrated with Craigslist housing
>> and apartments portal before.  My client is a real estate agent who
>> wants to be able to upload new property info onto his site and then
>> have it also posted on craigslist if he checks a particular button.
>>
>> The problem is that i have been doing researching on finding any such
>> API or document that explains how to achieve this type of integration
>> with craigslist without much success.  I would greatly appreciate any
>> assistance from this list.
>
> I think you will find that there is no documentation because this kind
> of thing is expressly forbidden by the Craigslist Terms of Use.
>
>> y) use any form of automated device or computer program that enables the
>> submission of postings on craigslist without each posting being manually
>> entered by the author thereof (an "automated posting device"), including
>> without limitation, the use of any such automated posting device to 
>> submit
>> postings in bulk, or for automatic submission of postings at regular 
>> intervals.
>
> http://www.craigslist.org/about/terms.of.use.html#conduct
>
> Dan
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php 



From tomsartain at gmail.com  Thu Sep 20 15:04:57 2007
From: tomsartain at gmail.com (Tom Sartain)
Date: Thu, 20 Sep 2007 15:04:57 -0400
Subject: [nycphp-talk] Craigslist Integration
In-Reply-To: <46F2A96B.8030402@phpwerx.net>
References: <BLU115-W20E40A38BFAC0376950AD3A8BA0@phx.gbl>
	<46F2A96B.8030402@phpwerx.net>
Message-ID: <20190d950709201204q6b07226vabd0c1c80181cf8f@mail.gmail.com>

Actually, it seems like the case could be made that this does not go against
their TOS (or at least, the segment you copied).

It seems that this would simply post on Craigslist whatever the user posted
on their own site.. and only by opt in. Seems like each posting would be
entered manually (albeit, in a non-Craigslist site), and each would be
submitted only once, so it's not like they would be submitted in bulk, or at
any interval. So just based off of the quote Dan gave, it doesn't seem to be
against their TOS.

As to the technical side of things, and the original question, you could use
the cURL library to send a POST over to the Craigslist form handler. If
you're using Firefox, you could use the excellent LiveHTTPHeaders extension
to see what variables are being posted when the form is submitted on
Craigslist, then work that in with the rest of your script using cURL.

Hope that made sense, and it should get you a step in the right direction.

On 9/20/07, Dan Cech <dcech at phpwerx.net> wrote:
>
>
> I think you will find that there is no documentation because this kind
> of thing is expressly forbidden by the Craigslist Terms of Use.
>
> > y) use any form of automated device or computer program that enables the
> > submission of postings on craigslist without each posting being manually
> > entered by the author thereof (an "automated posting device"), including
> > without limitation, the use of any such automated posting device to
> submit
> > postings in bulk, or for automatic submission of postings at regular
> intervals.
>
> http://www.craigslist.org/about/terms.of.use.html#conduct
>
> Dan
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070920/364fe0c6/attachment.html>

From ioplex at gmail.com  Fri Sep 21 11:27:05 2007
From: ioplex at gmail.com (Michael B Allen)
Date: Fri, 21 Sep 2007 11:27:05 -0400
Subject: [nycphp-talk] array_get_value?
Message-ID: <78c6bd860709210827h35f8c5a3w670947824b495de4@mail.gmail.com>

Hey,

I find myself doing a lot of:

  if (isset($data['foo']))
      // use $data['foo']

Is there an existing array function that gets the array value or
returns a default value like:

  function array_get_value($arr, $key, $def) {
      return array_key_exists($arr, $key) ? $arr[$key] : $def;
  }

?

Mike


From ken at secdat.com  Fri Sep 21 11:45:25 2007
From: ken at secdat.com (Kenneth Downs)
Date: Fri, 21 Sep 2007 11:45:25 -0400
Subject: [nycphp-talk] array_get_value?
In-Reply-To: <78c6bd860709210827h35f8c5a3w670947824b495de4@mail.gmail.com>
References: <78c6bd860709210827h35f8c5a3w670947824b495de4@mail.gmail.com>
Message-ID: <46F3E715.40700@secdat.com>

I wrote my own as one of my very first PHP library functions.  It's 
extremely useful for writing simple and clean code, like:

$state = ArrayValue($_POST,'state','NY');

Then you need one in javascript:

function getProperty(object,property,defvalue) {
    defvalue = defvalue==null ? '' : defvalue;
    if(object == null) return defvalue
    if(typeof(object[property])=='undefined') return defvalue;
    else return object[property];
}

Michael B Allen wrote:
> Hey,
>
> I find myself doing a lot of:
>
>   if (isset($data['foo']))
>       // use $data['foo']
>
> Is there an existing array function that gets the array value or
> returns a default value like:
>
>   function array_get_value($arr, $key, $def) {
>       return array_key_exists($arr, $key) ? $arr[$key] : $def;
>   }
>
> ?
>
> Mike
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php
>   


-- 
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com    www.andromeda-project.org
631-689-7200   Fax: 631-689-0527
cell: 631-379-0010



From ioplex at gmail.com  Fri Sep 21 13:14:50 2007
From: ioplex at gmail.com (Michael B Allen)
Date: Fri, 21 Sep 2007 13:14:50 -0400
Subject: [nycphp-talk] array_get_value?
In-Reply-To: <46F3E715.40700@secdat.com>
References: <78c6bd860709210827h35f8c5a3w670947824b495de4@mail.gmail.com>
	<46F3E715.40700@secdat.com>
Message-ID: <78c6bd860709211014r26bcff73q42e0d29db075297b@mail.gmail.com>

On 9/21/07, Kenneth Downs <ken at secdat.com> wrote:
>
> $state = ArrayValue($_POST,'state','NY');

Theres a mistake in your code. It should be:

  $state = ArrayValue($_POST,'state','NJ');

:-)

Mike


From bz-gmort at beezifies.com  Fri Sep 21 15:01:38 2007
From: bz-gmort at beezifies.com (Gary Mort)
Date: Fri, 21 Sep 2007 15:01:38 -0400
Subject: [nycphp-talk] Re: [joomla] Sphinx search
In-Reply-To: <330532b60709210919x509678eep1a42e409740e61a3@mail.gmail.com>
References: <46F3B50C.6030203@beezifies.com>
	<330532b60709210919x509678eep1a42e409740e61a3@mail.gmail.com>
Message-ID: <46F41512.3040006@beezifies.com>

Mitch Pirtle wrote:
> I'd love to see some sort of joomla<->sphinx integration, that one
> might be worth creating a project for on JoomlaCode. To be honest
> though I'm not sure how you would integrate the two, as they are quite
> separate and distinct beasts ;-) 
Well, I've been fixing some code that does searches of data in a Joomla 
component(AdsManager), which also comes with a really messy mambot to 
plug into the regular Joomla search.  The default searches are really 
really bad(price fields can be searched for EXACT price, not ranges).

So I started looking at how to make that advanced search mode a bit more 
friendly, when I ran across Sphinx and looking at it, it has every 
advanced search function I would want.  Since all you need from your 
search result is an id number and the component it is in, it seems to me 
Sphinx could be easily integrated with a server side search, so the 
server checks the Sphinx system based on the parms, and returns a bunch 
of data, than back to the Joomla MVC component to format the display of 
the data.

I have a good idea of how to integrate my component with Sphinx.  And I 
see how to do the Joomla content component.  The big problem I was 
looking at was how to make it painless to integrate everything else?  
Something that would take all the search Plugins installed for each 
component, and build out the Sphinx index(though worst case, I think 
that can be handled just by saying "hey, here is a neat tool if you want 
to write yet ANOTHER search module")

The only downside I saw with it was requiring a server to run the daemon 
on(yeah, I'm a shared hosting guy.  I just don't have the time to deal 
with the hassle of setting up, configuring, and securing a server these 
days.  Other than periodic refreshes on my MythTV/router I don't worry 
about it much.)

Still, it would be a fun project to work on, providing I can find 
someone who wants to handle the headache of maintaining a linux server. :-)




From paulcheung at tiscali.co.uk  Fri Sep 21 15:47:28 2007
From: paulcheung at tiscali.co.uk (PaulCheung)
Date: Fri, 21 Sep 2007 20:47:28 +0100
Subject: [nycphp-talk] MySQL Monitor  V PHP & MySQL 
Message-ID: <008001c7fc88$3e086d80$0200a8c0@X9183>

 I have researched, checked and tried everything I can think of and still 
cannot get it to work.

when using MySQL monitor  the following works
=================================

SELECT access_code FROM authorised_users WHEN
user_id  =  'Nancy' AND
user_password = 'qwerty' AND
account = '48572998';

Access_code is displayed = 11966552

When using PHP & MySQL ($userid='Nancy',  $user_password='qwerty', 
$account='48572998')
====================
<?PHP session_start(); ob_start(); PHP?>
<HTML><HEAD>
<!-- Global site tag (gtag.js) - Google Analytics -->
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-51353372-3"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());

  gtag('config', 'UA-51353372-3');
</script><TITLE>auth</TITLE><meta name="description" content="PHP jobs stackware web application support and development forums for Mongo LAMP MySQL SQL Windows IIS Linux." />
<meta name="author" content="Stackware Web Development - http://stackware.com" />
<meta name="verify-v1" content="zWMoPwMn/dolscLkjLXTpRqgr9K8bzlzL1vM9WTjpHc=" />
<meta name="msvalidate.01" content="F85F81C1D0BAB5C349E8395628845E27" />
<meta name="y_key" content="265502be3db4fb6e" />
</HEAD>
<FORM action="X.php" id="primary" method="post">
<BODY>
<?PHP
$userid   = $_POST['user'];
$password = $_POST['passcode'];
$account  = $_POST['account'];
$self     = $_SERVER['PHP_SELF'];
$referer  = $_SERVER['HTTP_REFERER'];
$access_code = $access_code - $access_code;

/* FOR TEST ONLY */
echo ("user id = " . $userid . "<br>");
echo ("password = " . $password .  "<br>");
echo ("account = " . $account . "<br>");
echo ("self = " . $self . "<br>");

/* VALIDATE FOR BLANK INPUT FIELD */
if( ( !$userid ) or ( !$password ) or (!$account) )
{ header( "Location:$referer" ); exit(); }
/*CONNECT TO MYSQL  */
$conn=@mysql_connect( "localhost", "paul", "enter" )
   or die( "Could not connect" );
/* CONNECT TO DATABASE */
$rs = @mysql_select_db( "test_db", $conn )
  or die( "Could not select database" );

$rs = @mysql_select_db( "test_db", $conn ) or die( "Could not select 
database" );

$sql = "SELECT access_code
        FROM authorised_users
        user_id = '$userid' AND
        user_password = '$password' AND
        account = '$account'";

$rs = mysql_query( $sql, $conn )  or die( "Could not execute query" );

$num = mysql_numrows( $rs );

if( $num != 0 )
{ $access_code = access_code;
   echo ("testcheckpoint - Welcome - your log-in succeeded!" . "<br>");
   echo ("testcheckpoint - accesscode = " . access_code . "<BR>");
   echo ('testcheckpoint - $accesscode = ' . $access_code . "<BR>"); }
else
{ echo (" test checkpoint statement 55 " . "<br>");
   header( "Location:$referer" );
   exit(); }

===========================================
this is what is returned from the test

user id = Nancy
password = qwerty
account = 48572998
self = /tp_orth.php
conn = Resource id #2
sql = SELECT access_code FROM authorised_users WHERE user_id = 'Nancy' AND 
user_password = 'qwerty' AND account = '48572998'
access = 0
Welcome - your log-in succeeded!
testcheckpoint - accesscode = access_code
testcheckpoint - $accesscode = access_code

I am trying to get the Access_code and cannot see what I am doing wrong

P








From kenneth at ylayali.net  Fri Sep 21 16:03:35 2007
From: kenneth at ylayali.net (Kenneth Dombrowski)
Date: Fri, 21 Sep 2007 16:03:35 -0400
Subject: [nycphp-talk] MySQL Monitor  V PHP & MySQL
In-Reply-To: <008001c7fc88$3e086d80$0200a8c0@X9183>
References: <008001c7fc88$3e086d80$0200a8c0@X9183>
Message-ID: <20070921200335.GO17734@ylayali.net>


Hi Paul, 

On 07-09-21 20:47 +0100, PaulCheung wrote:
> $access_code = $access_code - $access_code;

i don't understand what your intent is with the above line.. setting
$access_code to 0?  (it's not your problem, i am just curious) 

> $rs = mysql_query( $sql, $conn )  or die( "Could not execute query" );
> 
> $num = mysql_numrows( $rs );
> 
> if( $num != 0 )
> { $access_code = access_code;

the above line looks to me like $access_code is being assigned the value
of the undefined constant access_code, which php will assume is intended
to be the string 'access_code' 

i think you want $access_code = $rs['access_code'] 




From danielc at analysisandsolutions.com  Fri Sep 21 16:33:39 2007
From: danielc at analysisandsolutions.com (Daniel Convissor)
Date: Fri, 21 Sep 2007 16:33:39 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To: <46F0F069.3000206@metalab.unc.edu>
References: <46DD54B0.5060803@secdat.com> <46E1238E.5010307@metalab.unc.edu>
	<46E12D4A.2010204@secdat.com> <46E12F93.4040700@metalab.unc.edu>
	<46E132B0.9010400@secdat.com> <46E138C2.3040307@metalab.unc.edu>
	<20070912214433.GA11305@panix.com>
	<46F0F069.3000206@metalab.unc.edu>
Message-ID: <20070921203338.GA9970@panix.com>

Hi Elliotte:

On Wed, Sep 19, 2007 at 05:48:25AM -0400, Elliotte Harold wrote:
> 
> However the fundamental principle is that full auth data must be sent 
> with each request.
>
> Breaking that rule is going to cost you big time when you need to scale 
> an application.

Basic and Digest auth are slow when it comes to dealing with large user 
bases.  They also increase insecurity, particularly when working over 
non-encrypted connections.  Plus I don't like the idea of keeping 
authentication information in the browser.

Sure, session id's introduce security pitfalls such as session hijacking, 
but that seems less ominous to me than giving out your user name and 
password on each request.


> It very well may introduce single points of failure into 
> your app. You can architect around those, but only at the cost of doing 
> a lot more work with a lot more machines than you would have had to do 
> if your app had followed the design of HTTP instead of working against it.

How is using a session id cookie "working against" the design of HTTP?

--Dan

-- 
 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
            data intensive web and database programming
                http://www.AnalysisAndSolutions.com/
 4015 7th Ave #4, Brooklyn NY 11232  v: 718-854-0335 f: 718-854-0409


From bz-gmort at beezifies.com  Fri Sep 21 16:42:30 2007
From: bz-gmort at beezifies.com (Gary Mort)
Date: Fri, 21 Sep 2007 16:42:30 -0400
Subject: [nycphp-talk] Re: [joomla] Sphinx search
In-Reply-To: <46F41512.3040006@beezifies.com>
References: <46F3B50C.6030203@beezifies.com>	<330532b60709210919x509678eep1a42e409740e61a3@mail.gmail.com>
	<46F41512.3040006@beezifies.com>
Message-ID: <46F42CB6.9080209@beezifies.com>

Opps, wrong list.  Sorry.




From michael.southwell at nyphp.com  Fri Sep 21 19:41:29 2007
From: michael.southwell at nyphp.com (Michael Southwell)
Date: Fri, 21 Sep 2007 19:41:29 -0400
Subject: [nycphp-talk] MySQL Monitor  V PHP & MySQL
In-Reply-To: <008001c7fc88$3e086d80$0200a8c0@X9183>
References: <008001c7fc88$3e086d80$0200a8c0@X9183>
Message-ID: <20070921194129.hrl1k96k0s8kcs4g@webmail.nyphp.com>

Quoting PaulCheung <paulcheung at tiscali.co.uk>:

> I have researched, checked and tried everything I can think of and
> still cannot get it to work.

> SELECT access_code FROM authorised_users WHEN

I am not familiar with WHEN but that could be my own ignorance

> $rs = @mysql_select_db( "test_db", $conn )
>  or die( "Could not select database" );
>
> $rs = @mysql_select_db( "test_db", $conn ) or die( "Could not select
> database" );

This line is doubled but that is not your problem.

>
> $sql = "SELECT access_code
>        FROM authorised_users
>        user_id = '$userid' AND

This is the reason that you are getting different results:  you left  
out the WHEN that you had above (unless this is not an accurate  
representation of your code); whether WHEN is a legitimate keyword is  
a different issue.

-- 
Michael Southwell
Vice President, Education
NYPHP TRAINING http://nyphp.com/training/indepth


From elharo at metalab.unc.edu  Sat Sep 22 08:19:01 2007
From: elharo at metalab.unc.edu (Elliotte Harold)
Date: Sat, 22 Sep 2007 08:19:01 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To: <20070921203338.GA9970@panix.com>
References: <46DD54B0.5060803@secdat.com>
	<46E1238E.5010307@metalab.unc.edu>	<46E12D4A.2010204@secdat.com>
	<46E12F93.4040700@metalab.unc.edu>	<46E132B0.9010400@secdat.com>
	<46E138C2.3040307@metalab.unc.edu>	<20070912214433.GA11305@panix.com>	<46F0F069.3000206@metalab.unc.edu>
	<20070921203338.GA9970@panix.com>
Message-ID: <46F50835.3050505@metalab.unc.edu>

Daniel Convissor wrote:

> Basic and Digest auth are slow when it comes to dealing with large user 
> bases.  

I've seen no evidence of that whatsoever.

> They also increase insecurity, particularly when working over 
> non-encrypted connections.  

For basic I'd use encrypted connections only. Digest is fine in the 
"clear".

> Plus I don't like the idea of keeping 
> authentication information in the browser.

Tough. That's being done anyway.

> Sure, session id's introduce security pitfalls such as session hijacking, 
> but that seems less ominous to me than giving out your user name and 
> password on each request.

Only basic really gives out user name and password info one each 
request. Digest never passes the password at all. And there are other 
schemes.


>> It very well may introduce single points of failure into 
>> your app. You can architect around those, but only at the cost of doing 
>> a lot more work with a lot more machines than you would have had to do 
>> if your app had followed the design of HTTP instead of working against it.
> 
> How is using a session id cookie "working against" the design of HTTP?
> 

Because HTTP is explicitly designed to be stateless and sessionless. 
See, for example, Sam Ruby's RESTful Web Services.


-- 
Elliotte Rusty Harold  elharo at metalab.unc.edu
Java I/O 2nd Edition Just Published!
http://www.cafeaulait.org/books/javaio2/
http://www.amazon.com/exec/obidos/ISBN=0596527500/ref=nosim/cafeaulaitA/


From ken at secdat.com  Sat Sep 22 08:43:58 2007
From: ken at secdat.com (Kenneth Downs)
Date: Sat, 22 Sep 2007 08:43:58 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To: <46F50835.3050505@metalab.unc.edu>
References: <46DD54B0.5060803@secdat.com>	<46E1238E.5010307@metalab.unc.edu>	<46E12D4A.2010204@secdat.com>	<46E12F93.4040700@metalab.unc.edu>	<46E132B0.9010400@secdat.com>	<46E138C2.3040307@metalab.unc.edu>	<20070912214433.GA11305@panix.com>	<46F0F069.3000206@metalab.unc.edu>	<20070921203338.GA9970@panix.com>
	<46F50835.3050505@metalab.unc.edu>
Message-ID: <46F50E0E.2020302@secdat.com>

Elliotte Harold wrote:
>> Plus I don't like the idea of keeping authentication information in 
>> the browser.
>
> Tough. That's being done anyway.
>

True, but we need a better answer than that.

Can you explain what mechanisms are storing the passwords, and why no 
additional weakness has been introduced?

-- 
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com    www.andromeda-project.org
631-689-7200   Fax: 631-689-0527
cell: 631-379-0010



From ramons at gmx.net  Sat Sep 22 09:01:55 2007
From: ramons at gmx.net (David Krings)
Date: Sat, 22 Sep 2007 09:01:55 -0400
Subject: [nycphp-talk] MySQL Monitor  V PHP & MySQL
In-Reply-To: <20070921194129.hrl1k96k0s8kcs4g@webmail.nyphp.com>
References: <008001c7fc88$3e086d80$0200a8c0@X9183>
	<20070921194129.hrl1k96k0s8kcs4g@webmail.nyphp.com>
Message-ID: <46F51243.9090804@gmx.net>

Michael Southwell wrote:
> Quoting PaulCheung <paulcheung at tiscali.co.uk>:
> 
>> I have researched, checked and tried everything I can think of and
>> still cannot get it to work.
> 
>> SELECT access_code FROM authorised_users WHEN
> 
> I am not familiar with WHEN but that could be my own ignorance
> 
>> $rs = @mysql_select_db( "test_db", $conn )
>>  or die( "Could not select database" );
>>
>> $rs = @mysql_select_db( "test_db", $conn ) or die( "Could not select
>> database" );
> 
> This line is doubled but that is not your problem.
> 
>>
>> $sql = "SELECT access_code
>>        FROM authorised_users
>>        user_id = '$userid' AND
> 
> This is the reason that you are getting different results:  you left out 
> the WHEN that you had above (unless this is not an accurate 
> representation of your code); whether WHEN is a legitimate keyword is a 
> different issue.
> 

AFAIK that WHEN should be a WHERE. Also, the one ID is put in single 
quotes within the query. Better is sth like this if in case IDs are integers

$sql = "SELECT access_code FROM authorised_users WHERE user_id = 
".$userid." AND ....

Not that this is the reason for failure, but I found it somewhat 
difficult to follow the code as there are absolutely no comments. Add 
commentary, at least one comment per two lines of code. That helps to 
understand what you are doing and what the steps are, even for something 
basic like this.

David


From danielc at analysisandsolutions.com  Sat Sep 22 10:19:42 2007
From: danielc at analysisandsolutions.com (Daniel Convissor)
Date: Sat, 22 Sep 2007 10:19:42 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To: <46F50835.3050505@metalab.unc.edu>
References: <46DD54B0.5060803@secdat.com> <46E1238E.5010307@metalab.unc.edu>
	<46E12D4A.2010204@secdat.com> <46E12F93.4040700@metalab.unc.edu>
	<46E132B0.9010400@secdat.com> <46E138C2.3040307@metalab.unc.edu>
	<20070912214433.GA11305@panix.com>
	<46F0F069.3000206@metalab.unc.edu>
	<20070921203338.GA9970@panix.com>
	<46F50835.3050505@metalab.unc.edu>
Message-ID: <20070922141942.GA17164@panix.com>

Hi Elliotte:

On Sat, Sep 22, 2007 at 08:19:01AM -0400, Elliotte Harold wrote:
> 
> For basic I'd use encrypted connections only. Digest is fine in the 
> "clear".

No HTTP auth method is okay in the clear.  Digest sends an MD5 hash as 
the token.  While that doesn't tell me what your password is, unless I 
figure it out via a reverse lookup database, I can just forge my request 
headers to include the hash itself.


> >Plus I don't like the idea of keeping 
> >authentication information in the browser.
> 
> Tough. That's being done anyway.

Depends on what the user's settings are.


> >How is using a session id cookie "working against" the design of HTTP?
> 
> Because HTTP is explicitly designed to be stateless and sessionless. 
> See, for example, Sam Ruby's RESTful Web Services.

Passing your user name and password on each request is no different than 
passing a session ID on each request.  They both indicate who you are.

--Dan

-- 
 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
            data intensive web and database programming
                http://www.AnalysisAndSolutions.com/
 4015 7th Ave #4, Brooklyn NY 11232  v: 718-854-0335 f: 718-854-0409


From rick at click-rick.net  Sat Sep 22 10:57:20 2007
From: rick at click-rick.net (Rick Retzko)
Date: Sat, 22 Sep 2007 10:57:20 -0400
Subject: [nycphp-talk] MySQL Monitor  V PHP & MySQL 
In-Reply-To: <008001c7fc88$3e086d80$0200a8c0@X9183>
References: <008001c7fc88$3e086d80$0200a8c0@X9183>
Message-ID: <006201c7fd28$e1141f60$6600a8c0@adam>

Two errors that I can find:

1. You're missing the 'WHERE' key word in your SQL: $sql = "SELECT
access_code
        FROM authorised_users
        user_id = '$userid' AND
        user_password = '$password' AND
        account = '$account'"; 
	should be:
$sql = "SELECT access_code
        FROM authorised_users
        WHERE user_id = '$userid' AND
        user_password = '$password' AND
        account = '$account'";

2. Your mysql_num_rows is misspelled (Yours is mysql_numrows) making the
subsequent 'if' statement FALSE.

Hope this helps 

 
Rick

-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On
Behalf Of PaulCheung
Sent: Friday, September 21, 2007 3:47 PM
To: talk at lists.nyphp.org
Subject: [nycphp-talk] MySQL Monitor V PHP & MySQL 

 I have researched, checked and tried everything I can think of and still
cannot get it to work.

when using MySQL monitor  the following works
=================================

SELECT access_code FROM authorised_users WHEN user_id  =  'Nancy' AND
user_password = 'qwerty' AND account = '48572998';

Access_code is displayed = 11966552

When using PHP & MySQL ($userid='Nancy',  $user_password='qwerty',
$account='48572998')
====================
<?PHP session_start(); ob_start(); PHP?>
<HTML><HEAD>
<!-- Global site tag (gtag.js) - Google Analytics -->
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-51353372-3"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());

  gtag('config', 'UA-51353372-3');
</script><TITLE>auth</TITLE><meta name="description" content="PHP jobs stackware web application support and development forums for Mongo LAMP MySQL SQL Windows IIS Linux." />
<meta name="author" content="Stackware Web Development - http://stackware.com" />
<meta name="verify-v1" content="zWMoPwMn/dolscLkjLXTpRqgr9K8bzlzL1vM9WTjpHc=" />
<meta name="msvalidate.01" content="F85F81C1D0BAB5C349E8395628845E27" />
<meta name="y_key" content="265502be3db4fb6e" />
</HEAD>
<FORM action="X.php" id="primary" method="post"> <BODY> <?PHP
$userid   = $_POST['user'];
$password = $_POST['passcode'];
$account  = $_POST['account'];
$self     = $_SERVER['PHP_SELF'];
$referer  = $_SERVER['HTTP_REFERER'];
$access_code = $access_code - $access_code;

/* FOR TEST ONLY */
echo ("user id = " . $userid . "<br>");
echo ("password = " . $password .  "<br>"); echo ("account = " . $account .
"<br>"); echo ("self = " . $self . "<br>");

/* VALIDATE FOR BLANK INPUT FIELD */
if( ( !$userid ) or ( !$password ) or (!$account) ) { header(
"Location:$referer" ); exit(); } /*CONNECT TO MYSQL  */
$conn=@mysql_connect( "localhost", "paul", "enter" )
   or die( "Could not connect" );
/* CONNECT TO DATABASE */
$rs = @mysql_select_db( "test_db", $conn )
  or die( "Could not select database" );

$rs = @mysql_select_db( "test_db", $conn ) or die( "Could not select
database" );

$sql = "SELECT access_code
        FROM authorised_users
        user_id = '$userid' AND
        user_password = '$password' AND
        account = '$account'";

$rs = mysql_query( $sql, $conn )  or die( "Could not execute query" );

$num = mysql_numrows( $rs );

if( $num != 0 )
{ $access_code = access_code;
   echo ("testcheckpoint - Welcome - your log-in succeeded!" . "<br>");
   echo ("testcheckpoint - accesscode = " . access_code . "<BR>");
   echo ('testcheckpoint - $accesscode = ' . $access_code . "<BR>"); } else
{ echo (" test checkpoint statement 55 " . "<br>");
   header( "Location:$referer" );
   exit(); }

===========================================
this is what is returned from the test

user id = Nancy
password = qwerty
account = 48572998
self = /tp_orth.php
conn = Resource id #2
sql = SELECT access_code FROM authorised_users WHERE user_id = 'Nancy' AND
user_password = 'qwerty' AND account = '48572998'
access = 0
Welcome - your log-in succeeded!
testcheckpoint - accesscode = access_code testcheckpoint - $accesscode =
access_code

I am trying to get the Access_code and cannot see what I am doing wrong

P






_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com

Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php



From paulcheung at tiscali.co.uk  Sat Sep 22 11:49:46 2007
From: paulcheung at tiscali.co.uk (PaulCheung)
Date: Sat, 22 Sep 2007 16:49:46 +0100
Subject: [nycphp-talk] MySQL Monitor V PHP & MySQL
References: <008001c7fc88$3e086d80$0200a8c0@X9183>
	<7fb2405d0709211328y4f3d3536x881a83391bc2c274@mail.gmail.com>
Message-ID: <004101c7fd30$33470b60$0200a8c0@X9183>

Sorry everybody it was a typing error when assembling the email. The "WHEN" should have been "WHERE". I did use the "WHERE" when testing using MySQL Monitor and the statement  $sql = "SELECT access_code  FROM authorised_users  (WHERE ) user_id = '$userid' AND  user_password = '$password' AND  account = '$account'"; also had the missing WHERE in during testing but once again it was a typing error when assembling the email.

Sorry about that.



  ----- Original Message ----- 
  From: P. Ju (???) 
  To: NYPHP Talk ; paulcheung at tiscali.co.uk 
  Sent: Friday, September 21, 2007 9:28 PM
  Subject: Re: [nycphp-talk] MySQL Monitor V PHP & MySQL


  Err, actually ignore the previous. However, where's your WHERE ?

  $sql = "SELECT access_code
         FROM authorised_users
         user_id = '$userid' AND
         user_password = '$password' AND
         account = '$account'";


  You're missing a "WHERE"

  and in your MySQLMonitor statement, you typed WHEN. ??

  I don't use that tool, but is that valid?

  Patricia


  On 9/21/07, PaulCheung <paulcheung at tiscali.co.uk> wrote: 
    I have researched, checked and tried everything I can think of and still
    cannot get it to work.

    when using MySQL monitor  the following works
    =================================

    SELECT access_code FROM authorised_users WHEN 
    user_id  =  'Nancy' AND
    user_password = 'qwerty' AND
    account = '48572998';

    Access_code is displayed = 11966552

    When using PHP & MySQL ($userid='Nancy',  $user_password='qwerty', 
    $account='48572998')
    ====================
    <?PHP session_start(); ob_start(); PHP?>
    <HTML><HEAD>
<!-- Global site tag (gtag.js) - Google Analytics -->
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-51353372-3"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());

  gtag('config', 'UA-51353372-3');
</script><TITLE>auth</TITLE><meta name="description" content="PHP jobs stackware web application support and development forums for Mongo LAMP MySQL SQL Windows IIS Linux." />
<meta name="author" content="Stackware Web Development - http://stackware.com" />
<meta name="verify-v1" content="zWMoPwMn/dolscLkjLXTpRqgr9K8bzlzL1vM9WTjpHc=" />
<meta name="msvalidate.01" content="F85F81C1D0BAB5C349E8395628845E27" />
<meta name="y_key" content="265502be3db4fb6e" />
</HEAD>
    <FORM action="X.php" id="primary" method="post"> 
    <BODY>
    <?PHP
    $userid   = $_POST['user'];
    $password = $_POST['passcode'];
    $account  = $_POST['account'];
    $self     = $_SERVER['PHP_SELF'];
    $referer  = $_SERVER['HTTP_REFERER']; 
    $access_code = $access_code - $access_code;

    /* FOR TEST ONLY */
    echo ("user id = " . $userid . "<br>");
    echo ("password = " . $password .  "<br>");
    echo ("account = " . $account . "<br>"); 
    echo ("self = " . $self . "<br>");

    /* VALIDATE FOR BLANK INPUT FIELD */
    if( ( !$userid ) or ( !$password ) or (!$account) )
    { header( "Location:$referer" ); exit(); }
    /*CONNECT TO MYSQL  */
    $conn=@mysql_connect( "localhost", "paul", "enter" )
       or die( "Could not connect" );
    /* CONNECT TO DATABASE */
    $rs = @mysql_select_db( "test_db", $conn ) 
      or die( "Could not select database" );

    $rs = @mysql_select_db( "test_db", $conn ) or die( "Could not select
    database" );

    $sql = "SELECT access_code
            FROM authorised_users 
            user_id = '$userid' AND
            user_password = '$password' AND
            account = '$account'";

    $rs = mysql_query( $sql, $conn )  or die( "Could not execute query" ); 

    $num = mysql_numrows( $rs );

    if( $num != 0 )
    { $access_code = access_code;
       echo ("testcheckpoint - Welcome - your log-in succeeded!" . "<br>");
       echo ("testcheckpoint - accesscode = " . access_code . "<BR>"); 
       echo ('testcheckpoint - $accesscode = ' . $access_code . "<BR>"); }
    else
    { echo (" test checkpoint statement 55 " . "<br>");
       header( "Location:$referer" ); 
       exit(); }

    ===========================================
    this is what is returned from the test

    user id = Nancy
    password = qwerty
    account = 48572998
    self = /tp_orth.php
    conn = Resource id #2 
    sql = SELECT access_code FROM authorised_users WHERE user_id = 'Nancy' AND
    user_password = 'qwerty' AND account = '48572998'
    access = 0
    Welcome - your log-in succeeded!
    testcheckpoint - accesscode = access_code 
    testcheckpoint - $accesscode = access_code

    I am trying to get the Access_code and cannot see what I am doing wrong

    P






    _______________________________________________
    New York PHP Community Talk Mailing List 
    http://lists.nyphp.org/mailman/listinfo/talk

    NYPHPCon 2006 Presentations Online
    http://www.nyphpcon.com

    Show Your Participation in New York PHP
    http://www.nyphp.org/show_participation.php




  -- 
  Patricia Ju
  phj at pobox.com
  +1-646-717-3871

  success = f(perseverance) 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070922/e08a945e/attachment.html>

From paulcheung at tiscali.co.uk  Sat Sep 22 11:52:09 2007
From: paulcheung at tiscali.co.uk (PaulCheung)
Date: Sat, 22 Sep 2007 16:52:09 +0100
Subject: [nycphp-talk] MySQL Monitor  V PHP & MySQL
References: <008001c7fc88$3e086d80$0200a8c0@X9183>
	<20070921194129.hrl1k96k0s8kcs4g@webmail.nyphp.com>
Message-ID: <004701c7fd30$89444a00$0200a8c0@X9183>

Hello Michael,

Sorry,  I was trying to make the statement more readable by putting the
WHERE and AND at the end of the line rather than at the beginning and
unconsciously mixed in to the email COBOL, where its' SELECT statement does
use WHEN, my apologies. Here is the actual statement used which didn't work
and it still does not, for me at least.

$sql = "SELECT access_code
        FROM authorised_users
        WHERE user_id = '$userid'
        AND user_password = '$password'
        AND account = '$account'";

This is what I was expecting (from MySQL Monitor) and got

mysql> use test_db;
Database changed
mysql> select access_code from authorised_users where user_id = 'Nancy' and
use_password = 'qwerty' and account = '48572998';
+-------------+
| access_code |
+-------------+
| 11966552    |
+-------------+
1 row in set (0.00 sec)

This is what I got from (PHP MySQL)

sql = SELECT access_code FROM authorised_users WHERE user_id = 'Nancy' AND
user_password = 'qwerty' AND account = '48572998';
Welcome - your log-in succeeded!
accesscode = access_code
$accesscode = access_code

I was expecting '11966552'

Paul



----- Original Message ----- 
From: "Michael Southwell" <michael.southwell at nyphp.com>
To: <talk at lists.nyphp.org>
Sent: Saturday, September 22, 2007 12:41 AM
Subject: Re: [nycphp-talk] MySQL Monitor V PHP & MySQL


> Quoting PaulCheung <paulcheung at tiscali.co.uk>:
>
>> I have researched, checked and tried everything I can think of and
>> still cannot get it to work.
>
>> SELECT access_code FROM authorised_users WHEN
>
> I am not familiar with WHEN but that could be my own ignorance
>
>> $rs = @mysql_select_db( "test_db", $conn )
>>  or die( "Could not select database" );
>>
>> $rs = @mysql_select_db( "test_db", $conn ) or die( "Could not select
>> database" );
>
> This line is doubled but that is not your problem.
>
>>
>> $sql = "SELECT access_code
>>        FROM authorised_users
>>        user_id = '$userid' AND
>
> This is the reason that you are getting different results:  you left  out
> the WHEN that you had above (unless this is not an accurate
> representation of your code); whether WHEN is a legitimate keyword is  a
> different issue.
>
> -- 
> Michael Southwell
> Vice President, Education
> NYPHP TRAINING http://nyphp.com/training/indepth
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php


From paulcheung at tiscali.co.uk  Sat Sep 22 11:52:59 2007
From: paulcheung at tiscali.co.uk (PaulCheung)
Date: Sat, 22 Sep 2007 16:52:59 +0100
Subject: [nycphp-talk] MySQL Monitor  V PHP & MySQL
References: <008001c7fc88$3e086d80$0200a8c0@X9183>
	<20070921200335.GO17734@ylayali.net>
Message-ID: <004801c7fd30$a6981230$0200a8c0@X9183>

Hi Ken,

The $access_code = $access_code - $access_code; is just an prehistoric 
programming technique.

By the way the solution you proposed did not work; But the access_code is 
now blank I would be most grateful for any other suggestions.

ser id = Nancy
password = qwerty
account = 48572998
self = /tp_orth.php
conn = Resource id #2
sql = SELECT access_code FROM authorised_users WHERE user_id = 'Nancy' AND 
user_password = 'qwerty' AND account = '48572998'
Welcome - your log-in succeeded!
access_code =
$access_code =

Paul
----- Original Message ----- 
From: "Kenneth Dombrowski" <kenneth at ylayali.net>
To: <talk at lists.nyphp.org>
Sent: Friday, September 21, 2007 9:03 PM
Subject: Re: [nycphp-talk] MySQL Monitor V PHP & MySQL


>
> Hi Paul,
>
> On 07-09-21 20:47 +0100, PaulCheung wrote:
>> $access_code = $access_code - $access_code;
>
> i don't understand what your intent is with the above line.. setting
> $access_code to 0?  (it's not your problem, i am just curious)
>
>> $rs = mysql_query( $sql, $conn )  or die( "Could not execute query" );
>>
>> $num = mysql_numrows( $rs );
>>
>> if( $num != 0 )
>> { $access_code = access_code;
>
> the above line looks to me like $access_code is being assigned the value
> of the undefined constant access_code, which php will assume is intended
> to be the string 'access_code'
>
> i think you want $access_code = $rs['access_code']
>
>
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php 


From paulcheung at tiscali.co.uk  Sat Sep 22 12:20:46 2007
From: paulcheung at tiscali.co.uk (PaulCheung)
Date: Sat, 22 Sep 2007 17:20:46 +0100
Subject: [nycphp-talk] MySQL Monitor  V PHP & MySQL 
References: <008001c7fc88$3e086d80$0200a8c0@X9183>
	<006201c7fd28$e1141f60$6600a8c0@adam>
Message-ID: <004e01c7fd34$882102e0$0200a8c0@X9183>

Hi everybody

I have implemented all the suggested changes and still cannot get it to work 
maybe it is time to just hand over the code to see if anybody can see what I 
am doing wrong.

What I am trying to do is get the value of ACCESS_CODE

Paul

----- Original Message ----- 
From: "Rick Retzko" <rick at click-rick.net>
To: "'NYPHP Talk'" <talk at lists.nyphp.org>
Sent: Saturday, September 22, 2007 3:57 PM
Subject: RE: [nycphp-talk] MySQL Monitor V PHP & MySQL


> Two errors that I can find:
>
> 1. You're missing the 'WHERE' key word in your SQL: $sql = "SELECT
> access_code
>        FROM authorised_users
>        user_id = '$userid' AND
>        user_password = '$password' AND
>        account = '$account'";
> should be:
> $sql = "SELECT access_code
>        FROM authorised_users
>        WHERE user_id = '$userid' AND
>        user_password = '$password' AND
>        account = '$account'";
>
> 2. Your mysql_num_rows is misspelled (Yours is mysql_numrows) making the
> subsequent 'if' statement FALSE.
>
> Hope this helps
>
>
> Rick
>
> -----Original Message-----
> From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] 
> On
> Behalf Of PaulCheung
> Sent: Friday, September 21, 2007 3:47 PM
> To: talk at lists.nyphp.org
> Subject: [nycphp-talk] MySQL Monitor V PHP & MySQL
>
> I have researched, checked and tried everything I can think of and still
> cannot get it to work.
>
> when using MySQL monitor  the following works
> =================================
>
> SELECT access_code FROM authorised_users WHEN user_id  =  'Nancy' AND
> user_password = 'qwerty' AND account = '48572998';
>
> Access_code is displayed = 11966552
>
> When using PHP & MySQL ($userid='Nancy',  $user_password='qwerty',
> $account='48572998')
> ====================
> <?PHP session_start(); ob_start(); PHP?>
> <HTML><HEAD>
<!-- Global site tag (gtag.js) - Google Analytics -->
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-51353372-3"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());

  gtag('config', 'UA-51353372-3');
</script><TITLE>auth</TITLE><meta name="description" content="PHP jobs stackware web application support and development forums for Mongo LAMP MySQL SQL Windows IIS Linux." />
<meta name="author" content="Stackware Web Development - http://stackware.com" />
<meta name="verify-v1" content="zWMoPwMn/dolscLkjLXTpRqgr9K8bzlzL1vM9WTjpHc=" />
<meta name="msvalidate.01" content="F85F81C1D0BAB5C349E8395628845E27" />
<meta name="y_key" content="265502be3db4fb6e" />
</HEAD>
> <FORM action="X.php" id="primary" method="post"> <BODY> <?PHP
> $userid   = $_POST['user'];
> $password = $_POST['passcode'];
> $account  = $_POST['account'];
> $self     = $_SERVER['PHP_SELF'];
> $referer  = $_SERVER['HTTP_REFERER'];
> $access_code = $access_code - $access_code;
>
> /* FOR TEST ONLY */
> echo ("user id = " . $userid . "<br>");
> echo ("password = " . $password .  "<br>"); echo ("account = " . $account 
> .
> "<br>"); echo ("self = " . $self . "<br>");
>
> /* VALIDATE FOR BLANK INPUT FIELD */
> if( ( !$userid ) or ( !$password ) or (!$account) ) { header(
> "Location:$referer" ); exit(); } /*CONNECT TO MYSQL  */
> $conn=@mysql_connect( "localhost", "paul", "enter" )
>   or die( "Could not connect" );
> /* CONNECT TO DATABASE */
> $rs = @mysql_select_db( "test_db", $conn )
>  or die( "Could not select database" );
>
> $rs = @mysql_select_db( "test_db", $conn ) or die( "Could not select
> database" );
>
> $sql = "SELECT access_code
>        FROM authorised_users
>        user_id = '$userid' AND
>        user_password = '$password' AND
>        account = '$account'";
>
> $rs = mysql_query( $sql, $conn )  or die( "Could not execute query" );
>
> $num = mysql_numrows( $rs );
>
> if( $num != 0 )
> { $access_code = access_code;
>   echo ("testcheckpoint - Welcome - your log-in succeeded!" . "<br>");
>   echo ("testcheckpoint - accesscode = " . access_code . "<BR>");
>   echo ('testcheckpoint - $accesscode = ' . $access_code . "<BR>"); } else
> { echo (" test checkpoint statement 55 " . "<br>");
>   header( "Location:$referer" );
>   exit(); }
>
> ===========================================
> this is what is returned from the test
>
> user id = Nancy
> password = qwerty
> account = 48572998
> self = /tp_orth.php
> conn = Resource id #2
> sql = SELECT access_code FROM authorised_users WHERE user_id = 'Nancy' AND
> user_password = 'qwerty' AND account = '48572998'
> access = 0
> Welcome - your log-in succeeded!
> testcheckpoint - accesscode = access_code testcheckpoint - $accesscode =
> access_code
>
> I am trying to get the Access_code and cannot see what I am doing wrong
>
> P
>
>
>
>
>
>
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php
>
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php 
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: innerguard.txt
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070922/c0308653/attachment.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: orth.txt
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070922/c0308653/attachment-0001.txt>

From elharo at metalab.unc.edu  Sat Sep 22 12:23:21 2007
From: elharo at metalab.unc.edu (Elliotte Harold)
Date: Sat, 22 Sep 2007 12:23:21 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To: <46F50E0E.2020302@secdat.com>
References: <46DD54B0.5060803@secdat.com>	<46E1238E.5010307@metalab.unc.edu>	<46E12D4A.2010204@secdat.com>	<46E12F93.4040700@metalab.unc.edu>	<46E132B0.9010400@secdat.com>	<46E138C2.3040307@metalab.unc.edu>	<20070912214433.GA11305@panix.com>	<46F0F069.3000206@metalab.unc.edu>	<20070921203338.GA9970@panix.com>	<46F50835.3050505@metalab.unc.edu>
	<46F50E0E.2020302@secdat.com>
Message-ID: <46F54179.6040506@metalab.unc.edu>

Kenneth Downs wrote:

> True, but we need a better answer than that.
> 
> Can you explain what mechanisms are storing the passwords, and why no 
> additional weakness has been introduced?
> 

The issue here is really one of psychology and usability. A poorly 
usable authentication system will cause users to route around it, for 
example by always using the same password, by choosing easily remembered 
passwords, by writing them down on Post-it notes stuck to their 
monitors, or all of the above. The theoretical strength of 
authentication systems is irrelevant in the face of user 
counter-measures such as these.

Only systems that take users into account will be secure in the real 
world. Usability is not a sufficient condition for secure 
authentication, but it is a necessary one.

Given the wealth of passwords users are expected to remember in order to 
participate in the Web, the only plausibly usable system for managing 
client password lists that maintains some level of security is single 
sign-on. Server-based single sign-on systems have failed because no 
standard centralized repository has been established. Thus the only 
choice is to place this repository on the client. (I suspect that would 
still be the right answer even if one of the server based systems had 
succeeded, but the point is moot because none did.)

The vast majority of users will only accept such a system if it is 
actually easier to use than pen and paper. The only such system is the 
one that doesn't require the user to do any extra work. That means the 
browser itself (or a plug-in integrated into the browser) remembers the 
password.

EVERYTHING ELSE THAT HAS BEEN TRIED TO DATE HAS FAILED. NO EXCEPTIONS.

Now assuming you're willing to work under those constraints, you can 
make the browser repository a little stronger. You can use better 
encryption for the password store. You can make sure that the memory 
area in which the browser stores its passwords is promptly zeroed out 
after use. And you can play a few other tricks that don't affect the 
user experience. But that's about it.

A browser-based password store is the most secure authentication system 
devised to date. In practice, everything else that has been tried has 
been less secure. I suspect we're not going to improve on this state of 
affairs until we move away from usernames and passwords completely.

-- 
Elliotte Rusty Harold  elharo at metalab.unc.edu
Java I/O 2nd Edition Just Published!
http://www.cafeaulait.org/books/javaio2/
http://www.amazon.com/exec/obidos/ISBN=0596527500/ref=nosim/cafeaulaitA/


From danielc at analysisandsolutions.com  Sat Sep 22 12:54:44 2007
From: danielc at analysisandsolutions.com (Daniel Convissor)
Date: Sat, 22 Sep 2007 12:54:44 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To: <46F54179.6040506@metalab.unc.edu>
References: <46E12D4A.2010204@secdat.com> <46E12F93.4040700@metalab.unc.edu>
	<46E132B0.9010400@secdat.com> <46E138C2.3040307@metalab.unc.edu>
	<20070912214433.GA11305@panix.com>
	<46F0F069.3000206@metalab.unc.edu>
	<20070921203338.GA9970@panix.com>
	<46F50835.3050505@metalab.unc.edu> <46F50E0E.2020302@secdat.com>
	<46F54179.6040506@metalab.unc.edu>
Message-ID: <20070922165444.GA24751@panix.com>

On Sat, Sep 22, 2007 at 12:23:21PM -0400, Elliotte Harold wrote:
>
> Thus the only 
> choice is to place this repository on the client.
> ... snip ...
> That means the 
> browser itself (or a plug-in integrated into the browser) remembers the 
> password.
> 
> EVERYTHING ELSE THAT HAS BEEN TRIED TO DATE HAS FAILED. NO EXCEPTIONS.

Except having a password store on one's computer that's separate from the 
browser.  There are several pieces of software that do this.

My technique is to store password information in a GPG encrypted text 
file.  Of course, this isn't a technique the masses would be able to 
handle.


> A browser-based password store is the most secure authentication system 
> devised to date.

No, it's not.

We're really diverging from PHP here, so this is the last posting I'll 
make in this thread.

--Dan

-- 
 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
            data intensive web and database programming
                http://www.AnalysisAndSolutions.com/
 4015 7th Ave #4, Brooklyn NY 11232  v: 718-854-0335 f: 718-854-0409


From elharo at metalab.unc.edu  Sat Sep 22 13:09:32 2007
From: elharo at metalab.unc.edu (Elliotte Harold)
Date: Sat, 22 Sep 2007 13:09:32 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To: <20070922165444.GA24751@panix.com>
References: <46E12D4A.2010204@secdat.com>
	<46E12F93.4040700@metalab.unc.edu>	<46E132B0.9010400@secdat.com>
	<46E138C2.3040307@metalab.unc.edu>	<20070912214433.GA11305@panix.com>	<46F0F069.3000206@metalab.unc.edu>	<20070921203338.GA9970@panix.com>	<46F50835.3050505@metalab.unc.edu>
	<46F50E0E.2020302@secdat.com>	<46F54179.6040506@metalab.unc.edu>
	<20070922165444.GA24751@panix.com>
Message-ID: <46F54C4C.2010100@metalab.unc.edu>

Daniel Convissor wrote:

> Except having a password store on one's computer that's separate from the 
> browser.  There are several pieces of software that do this.

If that's integrated with the browser, sure. However if it's not, it's 
too complicated. Opening a separate app, typing in its password, then 
copying and pasting the username and password into the browser is too 
much trouble.

Even Bruce Schneier, inventor of PasswordSafe among other things, stores 
his passwords on a little piece of paper in his wallet!

http://www.theregister.co.uk/2005/07/19/password_schneier/

I reiterate: browser-based password stores are the most secure solution 
yet devised.

-- 
Elliotte Rusty Harold  elharo at metalab.unc.edu
Java I/O 2nd Edition Just Published!
http://www.cafeaulait.org/books/javaio2/
http://www.amazon.com/exec/obidos/ISBN=0596527500/ref=nosim/cafeaulaitA/


From rick at click-rick.net  Sat Sep 22 14:26:51 2007
From: rick at click-rick.net (Rick Retzko)
Date: Sat, 22 Sep 2007 14:26:51 -0400
Subject: [nycphp-talk] MySQL Monitor  V PHP & MySQL 
In-Reply-To: <004e01c7fd34$882102e0$0200a8c0@X9183>
References: <008001c7fc88$3e086d80$0200a8c0@X9183><006201c7fd28$e1141f60$6600a8c0@adam>
	<004e01c7fd34$882102e0$0200a8c0@X9183>
Message-ID: <000c01c7fd46$2684e490$6600a8c0@adam>

Paul - Maybe this is a typo as well, but "$access_code = access_code;" ?  

What are you trying to do here?  My recommendation is that you add an 'echo
"Access Code: $access_code";' before and after this line to confirm that
you're getting what you think you should be getting.


Best Regards - 
 
Rick
============


-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On
Behalf Of PaulCheung
Sent: Saturday, September 22, 2007 12:21 PM
To: NYPHP Talk
Subject: Re: [nycphp-talk] MySQL Monitor V PHP & MySQL 

Hi everybody

I have implemented all the suggested changes and still cannot get it to work
maybe it is time to just hand over the code to see if anybody can see what I
am doing wrong.

What I am trying to do is get the value of ACCESS_CODE

Paul

----- Original Message -----
From: "Rick Retzko" <rick at click-rick.net>
To: "'NYPHP Talk'" <talk at lists.nyphp.org>
Sent: Saturday, September 22, 2007 3:57 PM
Subject: RE: [nycphp-talk] MySQL Monitor V PHP & MySQL


> Two errors that I can find:
>
> 1. You're missing the 'WHERE' key word in your SQL: $sql = "SELECT
> access_code
>        FROM authorised_users
>        user_id = '$userid' AND
>        user_password = '$password' AND
>        account = '$account'";
> should be:
> $sql = "SELECT access_code
>        FROM authorised_users
>        WHERE user_id = '$userid' AND
>        user_password = '$password' AND
>        account = '$account'";
>
> 2. Your mysql_num_rows is misspelled (Yours is mysql_numrows) making the
> subsequent 'if' statement FALSE.
>
> Hope this helps
>
>
> Rick
>
> -----Original Message-----
> From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] 
> On
> Behalf Of PaulCheung
> Sent: Friday, September 21, 2007 3:47 PM
> To: talk at lists.nyphp.org
> Subject: [nycphp-talk] MySQL Monitor V PHP & MySQL
>
> I have researched, checked and tried everything I can think of and still
> cannot get it to work.
>
> when using MySQL monitor  the following works
> =================================
>
> SELECT access_code FROM authorised_users WHEN user_id  =  'Nancy' AND
> user_password = 'qwerty' AND account = '48572998';
>
> Access_code is displayed = 11966552
>
> When using PHP & MySQL ($userid='Nancy',  $user_password='qwerty',
> $account='48572998')
> ====================
> <?PHP session_start(); ob_start(); PHP?>
> <HTML><HEAD>
<!-- Global site tag (gtag.js) - Google Analytics -->
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-51353372-3"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());

  gtag('config', 'UA-51353372-3');
</script><TITLE>auth</TITLE><meta name="description" content="PHP jobs stackware web application support and development forums for Mongo LAMP MySQL SQL Windows IIS Linux." />
<meta name="author" content="Stackware Web Development - http://stackware.com" />
<meta name="verify-v1" content="zWMoPwMn/dolscLkjLXTpRqgr9K8bzlzL1vM9WTjpHc=" />
<meta name="msvalidate.01" content="F85F81C1D0BAB5C349E8395628845E27" />
<meta name="y_key" content="265502be3db4fb6e" />
</HEAD>
> <FORM action="X.php" id="primary" method="post"> <BODY> <?PHP
> $userid   = $_POST['user'];
> $password = $_POST['passcode'];
> $account  = $_POST['account'];
> $self     = $_SERVER['PHP_SELF'];
> $referer  = $_SERVER['HTTP_REFERER'];
> $access_code = $access_code - $access_code;
>
> /* FOR TEST ONLY */
> echo ("user id = " . $userid . "<br>");
> echo ("password = " . $password .  "<br>"); echo ("account = " . $account 
> .
> "<br>"); echo ("self = " . $self . "<br>");
>
> /* VALIDATE FOR BLANK INPUT FIELD */
> if( ( !$userid ) or ( !$password ) or (!$account) ) { header(
> "Location:$referer" ); exit(); } /*CONNECT TO MYSQL  */
> $conn=@mysql_connect( "localhost", "paul", "enter" )
>   or die( "Could not connect" );
> /* CONNECT TO DATABASE */
> $rs = @mysql_select_db( "test_db", $conn )
>  or die( "Could not select database" );
>
> $rs = @mysql_select_db( "test_db", $conn ) or die( "Could not select
> database" );
>
> $sql = "SELECT access_code
>        FROM authorised_users
>        user_id = '$userid' AND
>        user_password = '$password' AND
>        account = '$account'";
>
> $rs = mysql_query( $sql, $conn )  or die( "Could not execute query" );
>
> $num = mysql_numrows( $rs );
>
> if( $num != 0 )
> { $access_code = access_code;
>   echo ("testcheckpoint - Welcome - your log-in succeeded!" . "<br>");
>   echo ("testcheckpoint - accesscode = " . access_code . "<BR>");
>   echo ('testcheckpoint - $accesscode = ' . $access_code . "<BR>"); } else
> { echo (" test checkpoint statement 55 " . "<br>");
>   header( "Location:$referer" );
>   exit(); }
>
> ===========================================
> this is what is returned from the test
>
> user id = Nancy
> password = qwerty
> account = 48572998
> self = /tp_orth.php
> conn = Resource id #2
> sql = SELECT access_code FROM authorised_users WHERE user_id = 'Nancy' AND
> user_password = 'qwerty' AND account = '48572998'
> access = 0
> Welcome - your log-in succeeded!
> testcheckpoint - accesscode = access_code testcheckpoint - $accesscode =
> access_code
>
> I am trying to get the Access_code and cannot see what I am doing wrong
>
> P
>
>
>
>
>
>
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php
>
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php 



From ken at secdat.com  Sat Sep 22 14:26:29 2007
From: ken at secdat.com (Kenneth Downs)
Date: Sat, 22 Sep 2007 14:26:29 -0400
Subject: [nycphp-talk] AJAX and State
In-Reply-To: <46F54179.6040506@metalab.unc.edu>
References: <46DD54B0.5060803@secdat.com>	<46E1238E.5010307@metalab.unc.edu>	<46E12D4A.2010204@secdat.com>	<46E12F93.4040700@metalab.unc.edu>	<46E132B0.9010400@secdat.com>	<46E138C2.3040307@metalab.unc.edu>	<20070912214433.GA11305@panix.com>	<46F0F069.3000206@metalab.unc.edu>	<20070921203338.GA9970@panix.com>	<46F50835.3050505@metalab.unc.edu>	<46F50E0E.2020302@secdat.com>
	<46F54179.6040506@metalab.unc.edu>
Message-ID: <46F55E55.7060808@secdat.com>

Elliotte Harold wrote:
> Kenneth Downs wrote:
>
>> True, but we need a better answer than that.
>>
>> Can you explain what mechanisms are storing the passwords, and why no 
>> additional weakness has been introduced?
>>
>
> The issue here is really one of psychology and usability. A poorly 
> usable authentication system will cause users to route around it, for 
> example by always using the same password, by choosing easily 
> remembered passwords, by writing them down on Post-it notes stuck to 
> their monitors, or all of the above. The theoretical strength of 
> authentication systems is irrelevant in the face of user 
> counter-measures such as these.
>
>
<snip>

> A browser-based password store is the most secure authentication 
> system devised to date. In practice, everything else that has been 
> tried has been less secure. I suspect we're not going to improve on 
> this state of affairs until we move away from usernames and passwords 
> completely.
>

Well you've convinced me.

Technically there is nothing really to the issue of changing the PHP code.

However, this leaves the issue of what we are telling customers, if 
anything. 

The conversation we ought to have with the customer is all about what 
type of single sign-on the users are using.  But, methinks most 
programmers instead are having a conversation about their own efforts in 
handling passwords, which is misleading and irrelevant.

-- 
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com    www.andromeda-project.org
631-689-7200   Fax: 631-689-0527
cell: 631-379-0010



From lists at zaunere.com  Sat Sep 22 14:29:36 2007
From: lists at zaunere.com (Hans Zaunere)
Date: Sat, 22 Sep 2007 14:29:36 -0400
Subject: [nycphp-talk] Integration Strategies
Message-ID: <04d601c7fd46$87858100$671ba8c0@MobileZ>


Hello all,

A recent presentation suggestion was on the topic of integration.  For
instance, taking the best of breed CMS, calendar and shopping cart
application and getting them to cross-connect.  Namely, for user
authentication, authorization and management.

There is no single solution that I am aware of, but typical strategies
include the following:

-- custom code to glue these different items together, on a case-by-case
basis

-- starting out with a framework of sorts and using moodules built for it.
The framework then provides the integration.

So I'd like to begin a discussion on what others have done to address these
challenges.

Additionally, we can use the points raised for a future presentation.  I'd
like to set one meeting aside where 4-5 speakers provide 10-15 minute case
studies on solutions/strategies they've used as solutions to these
challenges.

---
Hans Zaunere / President / New York PHP
    www.nyphp.org  /  www.nyphp.com






From ramons at gmx.net  Sat Sep 22 15:06:31 2007
From: ramons at gmx.net (David Krings)
Date: Sat, 22 Sep 2007 15:06:31 -0400
Subject: [nycphp-talk] MySQL Monitor  V PHP & MySQL
In-Reply-To: <004701c7fd30$89444a00$0200a8c0@X9183>
References: <008001c7fc88$3e086d80$0200a8c0@X9183>	<20070921194129.hrl1k96k0s8kcs4g@webmail.nyphp.com>
	<004701c7fd30$89444a00$0200a8c0@X9183>
Message-ID: <46F567B7.2020000@gmx.net>

PaulCheung wrote:
> Hello Michael,
> 
> Sorry,  I was trying to make the statement more readable by putting the
> WHERE and AND at the end of the line rather than at the beginning and
> unconsciously mixed in to the email COBOL, where its' SELECT statement does
> use WHEN, my apologies. Here is the actual statement used which didn't work
> and it still does not, for me at least.

Aha, so, the code posted isn't a 1:1 copy of the code you try to run? I 
do not know COBOL, but the SELECT statement is SQL and it doesn't matter 
which programming language you use to send SQL to the db engine.

David



From urb at e-government.com  Sat Sep 22 17:06:00 2007
From: urb at e-government.com (Urb LeJeune)
Date: Sat, 22 Sep 2007 17:06:00 -0400
Subject: [nycphp-talk] MTA commands
In-Reply-To: <6C575279-D00B-4FA7-8110-244C91B41431@gmail.com>
References: <C2C8F8BB.6223%cliff@pinestream.com>
	<6C575279-D00B-4FA7-8110-244C91B41431@gmail.com>
Message-ID: <7.0.1.0.2.20070922170003.02b25808@e-government.com>

	Does anyone have any experience with MTA commands being
injected in a forms input fields which are exploited by spammers? In
case there was one bogus email address in the To: field and then
many multiple email address (coma separated) which all received the
same message.

	Although anti-spamming code would be great I'm also looking
for ideas or suggestions.

Urb
Urb

Dr. Urban A. LeJeune, President
E-Government.com
800-204-9545




From rolan at omnistep.com  Sat Sep 22 17:20:42 2007
From: rolan at omnistep.com (Rolan Yang)
Date: Sat, 22 Sep 2007 17:20:42 -0400
Subject: [nycphp-talk] MTA commands
In-Reply-To: <7.0.1.0.2.20070922170003.02b25808@e-government.com>
References: <C2C8F8BB.6223%cliff@pinestream.com>	<6C575279-D00B-4FA7-8110-244C91B41431@gmail.com>
	<7.0.1.0.2.20070922170003.02b25808@e-government.com>
Message-ID: <46F5872A.3090602@omnistep.com>

Urb LeJeune wrote:
>     Does anyone have any experience with MTA commands being
> injected in a forms input fields which are exploited by spammers? In
> case there was one bogus email address in the To: field and then
> many multiple email address (coma separated) which all received the
> same message.
>
>     Although anti-spamming code would be great I'm also looking
> for ideas or suggestions.
>
> Urb
> Urb
>
> Dr. Urban A. LeJeune, President
> E-Government.com
> 800-204-9545
>

We had a discussion on this a few years back.
Check out http://www.nyphp.org/phundamentals/email_header_injection.php


From preinheimer at gmail.com  Sat Sep 22 19:17:26 2007
From: preinheimer at gmail.com (Paul Reinheimer)
Date: Sat, 22 Sep 2007 19:17:26 -0400
Subject: [nycphp-talk] addslashes vs mysql_escape_string()
Message-ID: <6ec19ec70709221617k4a7fa326j8a5ec7f9a78afdf7@mail.gmail.com>

Hey List,

I was reading http://nyphp.org/phundamentals/storingretrieving.php, and i
was a bit unsure about some of the characters listed
as being escaped, and did some research. I think that we're listing a few
characters as being escaped on that page that
actually aren't escaped by the funciton.  I've posted what I found here
http://blog.preinheimer.com/index.php?/archives/247-addslashes-vs-mysql_escape_string.html

If I'm wrong, please let me know, but I couldn't find any reference to some
of those characters in the C source, or in my
own tests.

paul


-- 
Paul Reinheimer
Zend Certified Engineer
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070922/4695a614/attachment.html>

From ramons at gmx.net  Sat Sep 22 19:25:43 2007
From: ramons at gmx.net (David Krings)
Date: Sat, 22 Sep 2007 19:25:43 -0400
Subject: [nycphp-talk] MTA commands
In-Reply-To: <7.0.1.0.2.20070922170003.02b25808@e-government.com>
References: <C2C8F8BB.6223%cliff@pinestream.com>	<6C575279-D00B-4FA7-8110-244C91B41431@gmail.com>
	<7.0.1.0.2.20070922170003.02b25808@e-government.com>
Message-ID: <46F5A477.90908@gmx.net>

Urb LeJeune wrote:
> (coma separated)

Amazing that one letter can make such a difference. ;)

David


From lists at zaunere.com  Sat Sep 22 19:50:30 2007
From: lists at zaunere.com (Hans Zaunere)
Date: Sat, 22 Sep 2007 19:50:30 -0400
Subject: [nycphp-talk] addslashes vs mysql_escape_string()
In-Reply-To: <6ec19ec70709221617k4a7fa326j8a5ec7f9a78afdf7@mail.gmail.com>
References: <6ec19ec70709221617k4a7fa326j8a5ec7f9a78afdf7@mail.gmail.com>
Message-ID: <05d701c7fd73$5c3593f0$671ba8c0@MobileZ>


Hi Paul,

Paul Reinheimer wrote on Saturday, September 22, 2007 7:17 PM:
> Hey List,
> 
> I was reading http://nyphp.org/phundamentals/storingretrieving.php,
> and i was a bit unsure about some of the characters listed 
> as being escaped, and did some research. I think that we're listing a
> few characters as being escaped on that page that 
> actually aren't escaped by the funciton.  I've posted what I found
> here
>
http://blog.preinheimer.com/index.php?/archives/247-addslashes-vs-mysql_esca
pe_string.html
> 
> 
> If I'm wrong, please let me know, but I couldn't find any reference
> to some of those characters in the C source, or in my 
> own tests.

In the section of the article I think you're addressing, we talked about
what characters MySQL considers special in strings; that is, having special
meaning.  This includes the backspace and tab, per their documentation:

http://dev.mysql.com/doc/refman/5.0/en/string-syntax.html

They may or may not be escaped, but they do have special meaning to the
database which is why a database aware escape function should always be
used, vs a generic function like addslashes.

End of the day, it's not about what characters are actually escaped - it's
that the function you're using to escape is aware of the string's
destination.  Maybe this is where the confusion is.

---
Hans Zaunere / President / New York PHP
    www.nyphp.org  /  www.nyphp.com




From urb at e-government.com  Sun Sep 23 09:21:47 2007
From: urb at e-government.com (Urb LeJeune)
Date: Sun, 23 Sep 2007 09:21:47 -0400
Subject: [nycphp-talk] MTA commands
In-Reply-To: <46F5A477.90908@gmx.net>
References: <C2C8F8BB.6223%cliff@pinestream.com>
	<6C575279-D00B-4FA7-8110-244C91B41431@gmail.com>
	<7.0.1.0.2.20070922170003.02b25808@e-government.com>
	<46F5A477.90908@gmx.net>
Message-ID: <7.0.1.0.2.20070923092108.031608c8@e-government.com>


>>(coma separated)
>
>Amazing that one letter can make such a difference. ;)

         At my age the difference between a day-dreaming and a coma 
is quite small :-)



Urb

Dr. Urban A. LeJeune, President
E-Government.com
800-204-9545




From urb at e-government.com  Sun Sep 23 10:04:30 2007
From: urb at e-government.com (Urb LeJeune)
Date: Sun, 23 Sep 2007 10:04:30 -0400
Subject: [nycphp-talk] Header Injection
In-Reply-To: <46F5872A.3090602@omnistep.com>
References: <C2C8F8BB.6223%cliff@pinestream.com>
	<6C575279-D00B-4FA7-8110-244C91B41431@gmail.com>
	<7.0.1.0.2.20070922170003.02b25808@e-government.com>
	<46F5872A.3090602@omnistep.com>
Message-ID: <7.0.1.0.2.20070923095731.02b399e0@e-government.com>


>We had a discussion on this a few years back.
>Check out http://www.nyphp.org/phundamentals/email_header_injection.php

         This is a wonderful tutorial, thank you for pointing it out.

         I've made one little addition to the filtering after submit code.

$FormVariables = ($_POST) ? $_POST : $_GET;
foreach( $FormVariables as $value ){...stuff }

Since most forms use post and URL encoded variables are get this alleviates
the need to have two different functions.

Urb

Dr. Urban A. LeJeune, President
E-Government.com
800-204-9545
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070923/2d86c44d/attachment.html>

From ben at projectskyline.com  Sun Sep 23 23:54:53 2007
From: ben at projectskyline.com (Ben Sgro (ProjectSkyLine))
Date: Sun, 23 Sep 2007 23:54:53 -0400
Subject: [nycphp-talk] [OT] Authorize.net & banks.
Message-ID: <003401c7fe5e$aa16a460$6b01a8c0@c500>

Hello, 

Maybe I am missing someting, but I've looked on Authorize.net's website a lot,
used google, and can't seem to find the answer to:

Which banks work with authorize.net? Do all banks work w/the service?
Does anyone know where to find such info.

I attempted to call authorize.net twice and the wait both times was over 30m.

Thanks.

- Ben
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070923/cf57a7fa/attachment.html>

From mailinglists at caseysoftware.com  Sun Sep 23 12:10:36 2007
From: mailinglists at caseysoftware.com (Keith Casey)
Date: Sun, 23 Sep 2007 12:10:36 -0400
Subject: [nycphp-talk] [OT] Authorize.net & banks.
In-Reply-To: <003401c7fe5e$aa16a460$6b01a8c0@c500>
References: <003401c7fe5e$aa16a460$6b01a8c0@c500>
Message-ID: <fd219f0f0709230910p134237d1kf5cba06a1e84e5ec@mail.gmail.com>

On 9/23/07, Ben Sgro (ProjectSkyLine) <ben at projectskyline.com> wrote:
> Which banks work with authorize.net? Do all banks work w/the service?
> Does anyone know where to find such info.

I might be a bit off in the terminology, but there are three players
in the process.
*  First, there's your bank where you should have a Business Checking
account.  I used Wachovia when I set mine up in Jan 2005.  I think any
Business Checking account should work, but supposedly personal
accounts do not.
*  Then there's Authorize.net which is the payment gateway/processor
(incorrect term?).  Your customers put their CC info there.
*  Finally, between them is another bank which handles the transaction
between Authorize.net and your bank.  They do the deposits, etc.  I
did mine with Wells Fargo.

Shop around on rates - the discount rate is their cut.  Dating sites
will lose more (6+%) while established businesses are usually much
less (2-3%).  I got 2.19% when I did mine.  And carefully watch your
chargebacks.

kc

-- 
D. Keith Casey Jr.
CEO, CaseySoftware, LLC
http://CaseySoftware.com


From ben at projectskyline.com  Mon Sep 24 00:20:06 2007
From: ben at projectskyline.com (Ben Sgro (ProjectSkyLine))
Date: Mon, 24 Sep 2007 00:20:06 -0400
Subject: [nycphp-talk] [OT] Authorize.net & banks.
References: <003401c7fe5e$aa16a460$6b01a8c0@c500>
	<fd219f0f0709230910p134237d1kf5cba06a1e84e5ec@mail.gmail.com>
Message-ID: <003c01c7fe62$30215750$6b01a8c0@c500>

Hello Keith,

Good points. From the authorize.net online info, my understanding is
that:
http://www.authorize.net/support/csfaqs/#142133

#9 The Credit Card Interchange System passes the appropriate funds for the 
transaction to the Acquiring Bank.

I guess I'm not clear on who that is, and how to set that up. I know my 
client has a merchant
account with Soveirgn Bank. My client is a 35 year old business, so I'm sure 
they have
good rates.

So we want Authorize.net to transfer the funds to Soveirgn when the CC 
charge is completed.

Any further info?

- Ben


----- Original Message ----- 
From: "Keith Casey" <mailinglists at caseysoftware.com>
To: "NYPHP Talk" <talk at lists.nyphp.org>
Sent: Sunday, September 23, 2007 12:10 PM
Subject: Re: [nycphp-talk] [OT] Authorize.net & banks.


> On 9/23/07, Ben Sgro (ProjectSkyLine) <ben at projectskyline.com> wrote:
>> Which banks work with authorize.net? Do all banks work w/the service?
>> Does anyone know where to find such info.
>
> I might be a bit off in the terminology, but there are three players
> in the process.
> *  First, there's your bank where you should have a Business Checking
> account.  I used Wachovia when I set mine up in Jan 2005.  I think any
> Business Checking account should work, but supposedly personal
> accounts do not.
> *  Then there's Authorize.net which is the payment gateway/processor
> (incorrect term?).  Your customers put their CC info there.
> *  Finally, between them is another bank which handles the transaction
> between Authorize.net and your bank.  They do the deposits, etc.  I
> did mine with Wells Fargo.
>
> Shop around on rates - the discount rate is their cut.  Dating sites
> will lose more (6+%) while established businesses are usually much
> less (2-3%).  I got 2.19% when I did mine.  And carefully watch your
> chargebacks.
>
> kc
>
> -- 
> D. Keith Casey Jr.
> CEO, CaseySoftware, LLC
> http://CaseySoftware.com
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php 



From lists at zaunere.com  Sun Sep 23 12:40:11 2007
From: lists at zaunere.com (Hans Zaunere)
Date: Sun, 23 Sep 2007 12:40:11 -0400
Subject: [nycphp-talk] [OT] Authorize.net & banks.
In-Reply-To: <003c01c7fe62$30215750$6b01a8c0@c500>
References: <003401c7fe5e$aa16a460$6b01a8c0@c500><fd219f0f0709230910p134237d1kf5cba06a1e84e5ec@mail.gmail.com>
	<003c01c7fe62$30215750$6b01a8c0@c500>
Message-ID: <091a01c7fe00$68b66ef0$671ba8c0@MobileZ>



Ben Sgro (ProjectSkyLine) wrote on Monday, September 24, 2007 12:20 AM:
> Hello Keith,
> 
> Good points. From the authorize.net online info, my understanding is
> that:
> http://www.authorize.net/support/csfaqs/#142133
> 
> #9 The Credit Card Interchange System passes the appropriate funds
> for the transaction to the Acquiring Bank.
> 
> I guess I'm not clear on who that is, and how to set that up. I know
> my client has a merchant
> account with Soveirgn Bank. My client is a 35 year old business, so
> I'm sure they have
> good rates.
> 
> So we want Authorize.net to transfer the funds to Soveirgn when the CC
> charge is completed.

This is always a brilliantly confusing topic, but as I understand it...

-- you have a business checking account (let's say with Soveirgn)

-- you get a merchant account (with your bank like Soveirgn, or somewhere
else)

-- your merchant account generally picks the gateway (like authorize.net) to
use

There might be some more options, but typically the gateway (authorize.net)
doesn't do much with the money.  They just authorize the card and do the
capture.  If things are kosher, then they tell your merchant account to
initiate the transfer from the user's card to your merchant account.  Once
things settle at the end of the day, it gets transferred to your business
checking account.  Generally the best bet that I've seen is to talk to your
bank (the one where you can write checks from).  They typically will provide
merchant services, and generally have the better rates.  Going through
third-parties and smaller middleman can be troublesome.

I just had a meeting the other night with a couple guys who wrote their own
gateway (like authorize.net).  The number of middle-men was astonishing.
Someone like Authorize.net doesn't actually talk to the credit card
companies... they need to talk to another layer of networks.  It's not until
another apparent two to three layers of network, that finally the credit
card companies themselves get hit.  Mix in the different types of credit
cards, international banks, and the required support of course for standard
POS terminals, it's amazing it works quite frankly.

H



From cliff at pinestream.com  Sun Sep 23 14:51:59 2007
From: cliff at pinestream.com (Cliff Hirsch)
Date: Sun, 23 Sep 2007 14:51:59 -0400
Subject: [nycphp-talk] [OT] Authorize.net & banks.
In-Reply-To: <003c01c7fe62$30215750$6b01a8c0@c500>
Message-ID: <C31C2E0F.8279%cliff@pinestream.com>

> I guess I'm not clear on who that is, and how to set that up. I know my
> client has a merchant
> account with Soveirgn Bank. My client is a 35 year old business, so I'm sure
> they have
> good rates.
> 
> So we want Authorize.net to transfer the funds to Soveirgn when the CC
> charge is completed.

If Soverign also serves as the payment processor and issues your client a
merchant account #. Most brick and mortar banks will also serve as payment
processors with the usual higher than market rates that brick and mortar
banks usually have. There are lots or payments processors. If you google the
term, you will see a zillion listings. Understand that most if these are
ISOs -- yet another layer of complexity.

An ISO (independent service organization) is just a sales rep for a merchant
bank.

Easiest way is to either get a merchant # through the client's bank or
through the shopping cart provider you will be using. Just get it -- don't
worry about rates unless you have a very low margin biz. The quoted rate is
B.S. anyway. Ideally you want a cost+plus rate, meaning Interchange + the
processors markup (typically 25 cents) + the gateway fee, which is usually
5-10cents per transaction. But for symplicity, just get it and don't worry.




From mailinglists at caseysoftware.com  Sun Sep 23 15:15:59 2007
From: mailinglists at caseysoftware.com (Keith Casey)
Date: Sun, 23 Sep 2007 15:15:59 -0400
Subject: [nycphp-talk] [OT] Authorize.net & banks.
In-Reply-To: <C31C2E0F.8279%cliff@pinestream.com>
References: <003c01c7fe62$30215750$6b01a8c0@c500>
	<C31C2E0F.8279%cliff@pinestream.com>
Message-ID: <fd219f0f0709231215l79681e31tbbeef9a5ce9f3cef@mail.gmail.com>

On 9/23/07, Cliff Hirsch <cliff at pinestream.com> wrote:
> Easiest way is to either get a merchant # through the client's bank or
> through the shopping cart provider you will be using. Just get it -- don't
> worry about rates unless you have a very low margin biz. The quoted rate is
> B.S. anyway. Ideally you want a cost+plus rate, meaning Interchange + the
> processors markup (typically 25 cents) + the gateway fee, which is usually
> 5-10cents per transaction. But for symplicity, just get it and don't worry.

True... the more dangerous thing is the chargeback rate.  Some
processors, if you hit a certain % of chargebacks (in terms of dollar
amount), they usually have the right to cut you off immediately.  If
the company has a long history with the provider, the % will probably
be higher.  I seem to remember 5% as a common number...

A chargeback is when someone talks to their cc company and requests
the charge to be removed.  The cc company will immediately issue a
refund, the processor will immediately issue a refund, and your
account will be debited the amount.  I was working with a dating site
that got cutoff about 4 days before Christmas, it took them 2 weeks to
get back online.

kc

-- 
D. Keith Casey Jr.
CEO, CaseySoftware, LLC
http://CaseySoftware.com


From jay_nyphp2 at fastmail.fm  Sun Sep 23 21:25:25 2007
From: jay_nyphp2 at fastmail.fm (Jay Sheth)
Date: Sun, 23 Sep 2007 21:25:25 -0400
Subject: [nycphp-talk] next meeting
Message-ID: <1190597125.11226.1212184739@webmail.messagingengine.com>

Hi,

I've not been to the meetings in a while, and was just wondering if the
next meeting is on Sept 25th, or on October 23rd (like the website
says).

Thanks.

Regards,
- Jay


From lists at zaunere.com  Mon Sep 24 08:09:01 2007
From: lists at zaunere.com (Hans Zaunere)
Date: Mon, 24 Sep 2007 08:09:01 -0400
Subject: [nycphp-talk] next meeting
In-Reply-To: <1190597125.11226.1212184739@webmail.messagingengine.com>
References: <1190597125.11226.1212184739@webmail.messagingengine.com>
Message-ID: <0dd801c7fea3$b18fbca0$671ba8c0@MobileZ>


Hi Jay,

> I've not been to the meetings in a while, and was just wondering if
> the next meeting is on Sept 25th, or on October 23rd (like the website
> says).

Our next meeting will be Oct. 23rd at IBM.

We're also working on a holiday party (see http://www.nytchp.com for the
2004 event) on Dec. 13th.

H



From jay_nyphp2 at fastmail.fm  Mon Sep 24 12:11:26 2007
From: jay_nyphp2 at fastmail.fm (Jay Sheth)
Date: Mon, 24 Sep 2007 12:11:26 -0400
Subject: [nycphp-talk] next meeting
Message-ID: <1190650286.24270.1212304087@webmail.messagingengine.com>

Hi Hans,

thanks for the note. I will be there for the next meeting in October.
The holiday part is a great idea - I went to one several years ago.

Regards,
- Jay


From czech at npgroup.net  Mon Sep 24 16:52:19 2007
From: czech at npgroup.net (Pete Czech - New Possibilities Group, LLC)
Date: Mon, 24 Sep 2007 16:52:19 -0400
Subject: [nycphp-talk] [OT] Authorize.net & banks.
In-Reply-To: <003c01c7fe62$30215750$6b01a8c0@c500>
References: <003401c7fe5e$aa16a460$6b01a8c0@c500>	<fd219f0f0709230910p134237d1kf5cba06a1e84e5ec@mail.gmail.com>
	<003c01c7fe62$30215750$6b01a8c0@c500>
Message-ID: <46F82383.7090108@npgroup.net>

(long time lurker, occasional poster)

That is how it works.  I have an account with Authorize - they capture 
the transaction.  Then they send it to my merchant account, say, wells 
fargo, who in turn takes the money and transfers to my checking 
account.  Authorize just runs the authorization and then sends the money 
to the merchant account bank.  Kinda confusing but it works without 
hiccup.  Of course, the fees do add up.

When I signed up with wells fargo, i got authorize for free.  Maybe they 
still do this but this was years ago.

pjc

Ben Sgro (ProjectSkyLine) wrote:
> Hello Keith,
>
> Good points. From the authorize.net online info, my understanding is
> that:
> http://www.authorize.net/support/csfaqs/#142133
>
> #9 The Credit Card Interchange System passes the appropriate funds for 
> the transaction to the Acquiring Bank.
>
> I guess I'm not clear on who that is, and how to set that up. I know 
> my client has a merchant
> account with Soveirgn Bank. My client is a 35 year old business, so 
> I'm sure they have
> good rates.
>
> So we want Authorize.net to transfer the funds to Soveirgn when the CC 
> charge is completed.
>
> Any further info?
>
> - Ben
>
>
> ----- Original Message ----- From: "Keith Casey" 
> <mailinglists at caseysoftware.com>
> To: "NYPHP Talk" <talk at lists.nyphp.org>
> Sent: Sunday, September 23, 2007 12:10 PM
> Subject: Re: [nycphp-talk] [OT] Authorize.net & banks.
>
>
>> On 9/23/07, Ben Sgro (ProjectSkyLine) <ben at projectskyline.com> wrote:
>>> Which banks work with authorize.net? Do all banks work w/the service?
>>> Does anyone know where to find such info.
>>
>> I might be a bit off in the terminology, but there are three players
>> in the process.
>> *  First, there's your bank where you should have a Business Checking
>> account.  I used Wachovia when I set mine up in Jan 2005.  I think any
>> Business Checking account should work, but supposedly personal
>> accounts do not.
>> *  Then there's Authorize.net which is the payment gateway/processor
>> (incorrect term?).  Your customers put their CC info there.
>> *  Finally, between them is another bank which handles the transaction
>> between Authorize.net and your bank.  They do the deposits, etc.  I
>> did mine with Wells Fargo.
>>
>> Shop around on rates - the discount rate is their cut.  Dating sites
>> will lose more (6+%) while established businesses are usually much
>> less (2-3%).  I got 2.19% when I did mine.  And carefully watch your
>> chargebacks.
>>
>> kc
>>
>> -- 
>> D. Keith Casey Jr.
>> CEO, CaseySoftware, LLC
>> http://CaseySoftware.com
>> _______________________________________________
>> New York PHP Community Talk Mailing List
>> http://lists.nyphp.org/mailman/listinfo/talk
>>
>> NYPHPCon 2006 Presentations Online
>> http://www.nyphpcon.com
>>
>> Show Your Participation in New York PHP
>> http://www.nyphp.org/show_participation.php 
>
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php
>

-- 

Pete Czech
Lead Guru
New Possibilities Group, LLC
http://npgroup.net

973.931.8283
AIM: PJCzech



From ben at projectskyline.com  Mon Sep 24 17:39:17 2007
From: ben at projectskyline.com (Ben Sgro (ProjectSkyLine))
Date: Mon, 24 Sep 2007 17:39:17 -0400
Subject: [nycphp-talk] [OT] Authorize.net & banks.
References: <003401c7fe5e$aa16a460$6b01a8c0@c500>	<fd219f0f0709230910p134237d1kf5cba06a1e84e5ec@mail.gmail.com><003c01c7fe62$30215750$6b01a8c0@c500>
	<46F82383.7090108@npgroup.net>
Message-ID: <4a8e01c7fef3$5c95d5e0$6401a8c0@gamebox>

Hello Pete, 

Thanks, that's my understanding of it now.
I spoke to authorize.net this AM and they cleared it all up.

We are going to use them and wells fargo as our merchant service provider
and they can deposit the funds into my clients bank.

> Of course, the fees do add up.
Yeah, the fees are about $2.75 per $100.00.

- Ben

----- Original Message ----- 
From: "Pete Czech - New Possibilities Group, LLC" <czech at npgroup.net>
To: "NYPHP Talk" <talk at lists.nyphp.org>
Sent: Monday, September 24, 2007 4:52 PM
Subject: Re: [nycphp-talk] [OT] Authorize.net & banks.


> (long time lurker, occasional poster)
> 
> That is how it works.  I have an account with Authorize - they capture 
> the transaction.  Then they send it to my merchant account, say, wells 
> fargo, who in turn takes the money and transfers to my checking 
> account.  Authorize just runs the authorization and then sends the money 
> to the merchant account bank.  Kinda confusing but it works without 
> hiccup.  Of course, the fees do add up.
> 
> When I signed up with wells fargo, i got authorize for free.  Maybe they 
> still do this but this was years ago.
> 
> pjc
> 
> Ben Sgro (ProjectSkyLine) wrote:
>> Hello Keith,
>>
>> Good points. From the authorize.net online info, my understanding is
>> that:
>> http://www.authorize.net/support/csfaqs/#142133
>>
>> #9 The Credit Card Interchange System passes the appropriate funds for 
>> the transaction to the Acquiring Bank.
>>
>> I guess I'm not clear on who that is, and how to set that up. I know 
>> my client has a merchant
>> account with Soveirgn Bank. My client is a 35 year old business, so 
>> I'm sure they have
>> good rates.
>>
>> So we want Authorize.net to transfer the funds to Soveirgn when the CC 
>> charge is completed.
>>
>> Any further info?
>>
>> - Ben
>>
>>
>> ----- Original Message ----- From: "Keith Casey" 
>> <mailinglists at caseysoftware.com>
>> To: "NYPHP Talk" <talk at lists.nyphp.org>
>> Sent: Sunday, September 23, 2007 12:10 PM
>> Subject: Re: [nycphp-talk] [OT] Authorize.net & banks.
>>
>>
>>> On 9/23/07, Ben Sgro (ProjectSkyLine) <ben at projectskyline.com> wrote:
>>>> Which banks work with authorize.net? Do all banks work w/the service?
>>>> Does anyone know where to find such info.
>>>
>>> I might be a bit off in the terminology, but there are three players
>>> in the process.
>>> *  First, there's your bank where you should have a Business Checking
>>> account.  I used Wachovia when I set mine up in Jan 2005.  I think any
>>> Business Checking account should work, but supposedly personal
>>> accounts do not.
>>> *  Then there's Authorize.net which is the payment gateway/processor
>>> (incorrect term?).  Your customers put their CC info there.
>>> *  Finally, between them is another bank which handles the transaction
>>> between Authorize.net and your bank.  They do the deposits, etc.  I
>>> did mine with Wells Fargo.
>>>
>>> Shop around on rates - the discount rate is their cut.  Dating sites
>>> will lose more (6+%) while established businesses are usually much
>>> less (2-3%).  I got 2.19% when I did mine.  And carefully watch your
>>> chargebacks.
>>>
>>> kc
>>>
>>> -- 
>>> D. Keith Casey Jr.
>>> CEO, CaseySoftware, LLC
>>> http://CaseySoftware.com
>>> _______________________________________________
>>> New York PHP Community Talk Mailing List
>>> http://lists.nyphp.org/mailman/listinfo/talk
>>>
>>> NYPHPCon 2006 Presentations Online
>>> http://www.nyphpcon.com
>>>
>>> Show Your Participation in New York PHP
>>> http://www.nyphp.org/show_participation.php 
>>
>> _______________________________________________
>> New York PHP Community Talk Mailing List
>> http://lists.nyphp.org/mailman/listinfo/talk
>>
>> NYPHPCon 2006 Presentations Online
>> http://www.nyphpcon.com
>>
>> Show Your Participation in New York PHP
>> http://www.nyphp.org/show_participation.php
>>
> 
> -- 
> 
> Pete Czech
> Lead Guru
> New Possibilities Group, LLC
> http://npgroup.net
> 
> 973.931.8283
> AIM: PJCzech
> 
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
> 
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
> 
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php


From ben at projectskyline.com  Mon Sep 24 18:37:13 2007
From: ben at projectskyline.com (Ben Sgro (ProjectSkyLine))
Date: Mon, 24 Sep 2007 18:37:13 -0400
Subject: [nycphp-talk] [OT] PHP IDS & Web Application Security
Message-ID: <4aba01c7fefb$74b8e830$6401a8c0@gamebox>

Hello All, 

I thought some might find this interesting. A PHP based IDS for web apps.
I played around with it on the site and seems pretty cool.

FROM THE SITE:
PHPIDS (PHP-Intrusion Detection System) is a simple to use, well structured, fast and state-of-the-art security layer for your PHP based web application. The IDS neither strips, sanitizes nor filters any malicious input, it simply recognizes when an attacker tries to break your site and reacts in exactly the way you want it to. Based on a set of approved and heavily tested filter rules any attack is given a numerical impact rating which makes it easy to decide what kind of action should follow the hacking attempt. This could range from simple logging to sending out an emergency mail to the development team, displaying a warning message for the attacker or even ending the user's session.


The creators maintain a .xml with regex signatures used for detcting XSS, SQL, etc attacks.

I've seen one site in the wild that's using it to protect itself. It makes me wonder though, 
as more of these solutions emerge, will we see less security conscious coding?

http://php-ids.org/news/

- Ben

I recently finished a security audit and pen test for a client. I couldn't believe the problems they had.
They found a developer off CL and with his impressive portfolio decided to work with him. Now my
firm, 8 months later, is fixing all the developers mistakes. They had cookie based auth, file upload
exploits, xss, sql injection, ... you name it we could do it. Anyways, its just sad to see these types of
moonlight coders calling themselves developers and doing an awful jobs at writing software and leaving
their clients exposed.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070924/b6944708/attachment.html>

From arzala at gmail.com  Tue Sep 25 00:10:37 2007
From: arzala at gmail.com (Anirudh Zala)
Date: Tue, 25 Sep 2007 09:40:37 +0530
Subject: [nycphp-talk] Integration Strategies
In-Reply-To: <04d601c7fd46$87858100$671ba8c0@MobileZ>
References: <04d601c7fd46$87858100$671ba8c0@MobileZ>
Message-ID: <200709250940.38042.arzala@gmail.com>

On Saturday 22 Sep 2007 23:59:36 Hans Zaunere wrote:
> Hello all,
>
> A recent presentation suggestion was on the topic of integration.  For
> instance, taking the best of breed CMS, calendar and shopping cart
> application and getting them to cross-connect.  Namely, for user
> authentication, authorization and management.
>
> There is no single solution that I am aware of, but typical strategies
> include the following:
>
> -- custom code to glue these different items together, on a case-by-case
> basis
>
> -- starting out with a framework of sorts and using moodules built for it.
> The framework then provides the integration.

- Detailed study: Normally it requires to study each application to find out 
whether it behaves in different way when used without parent framework or 
not. Some application works best when they are part of parent 
application/framework but may not work as expected in custom environment.

- Changing code: Additionally it also requires to change the application 
itself. But changes depends upon requirements of integration and complexity 
of code of application.

- Security concern: Some sort of custom code to be designed to check whether 
there has occurred any kind of security holes due to integration of various 
application or not.

Thanks

Anirudh Zala

>
> So I'd like to begin a discussion on what others have done to address these
> challenges.
>
> Additionally, we can use the points raised for a future presentation.  I'd
> like to set one meeting aside where 4-5 speakers provide 10-15 minute case
> studies on solutions/strategies they've used as solutions to these
> challenges.
>
> ---
> Hans Zaunere / President / New York PHP
>     www.nyphp.org  /  www.nyphp.com
>
>
>
>
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php




From ioplex at gmail.com  Tue Sep 25 02:29:50 2007
From: ioplex at gmail.com (Michael B Allen)
Date: Tue, 25 Sep 2007 02:29:50 -0400
Subject: [nycphp-talk] Integration Strategies
In-Reply-To: <04d601c7fd46$87858100$671ba8c0@MobileZ>
References: <04d601c7fd46$87858100$671ba8c0@MobileZ>
Message-ID: <78c6bd860709242329q19520a51l8545c30dd577d266@mail.gmail.com>

On 9/22/07, Hans Zaunere <lists at zaunere.com> wrote:
>
> Hello all,
>
> A recent presentation suggestion was on the topic of integration.  For
> instance, taking the best of breed CMS, calendar and shopping cart
> application and getting them to cross-connect.  Namely, for user
> authentication, authorization and management.
>
> There is no single solution that I am aware of, but typical strategies
> include the following:
>
> -- custom code to glue these different items together, on a case-by-case
> basis
>
> -- starting out with a framework of sorts and using moodules built for it.
> The framework then provides the integration.

Hi Hans,

It really would be a boon if there were some kind of PHP standards
like Java's Servlet API and JAAS (minus the bloat). I fear that's the
only way you're going to get good realiable interop of components.

I've done SPNEGO auth plugins for MediaWiki, SugarCRM, and Joomla! 1.5
and they were all suprisingly different (in some cases it simply
wasn't possible - Joomla! 1.0 didn't have the necessary hooks). It
seems apps tend build auth around the idea of a username and password
but we're doing SSO which usually doesn't even have access to a
password.

Authorization is even harder. The application must use one method to
address and handle a resource being protected. We had page ACLs for
MediaWiki but we recently ripped it out because MW quite simply wasn't
designed to protect content by name or action. Users could access the
same content through a variety of different methods.

Mike


From mitch.pirtle at gmail.com  Tue Sep 25 11:51:46 2007
From: mitch.pirtle at gmail.com (Mitch Pirtle)
Date: Tue, 25 Sep 2007 11:51:46 -0400
Subject: [nycphp-talk] [OT] PHP IDS & Web Application Security
In-Reply-To: <4aba01c7fefb$74b8e830$6401a8c0@gamebox>
References: <4aba01c7fefb$74b8e830$6401a8c0@gamebox>
Message-ID: <330532b60709250851n39fb7ea1nef55c0c750de19bf@mail.gmail.com>

On 9/24/07, Ben Sgro (ProjectSkyLine) <ben at projectskyline.com> wrote:
>
> I recently finished a security audit and pen test for a client. I couldn't
> believe the problems they had.
> They found a developer off CL and with his impressive portfolio decided to
> work with him. Now my
> firm, 8 months later, is fixing all the developers mistakes. They had cookie
> based auth, file upload
> exploits, xss, sql injection, ... you name it we could do it. Anyways, its
> just sad to see these types of
> moonlight coders calling themselves developers and doing an awful jobs at
> writing software and leaving
> their clients exposed.

You know what? As long as the market for geeks remains hot like it is
now, there will be these parasites making us all look bad. Unfortunate
but true, and I distinctly remember observing this last time around in
the late 90s. Once the bubble burst and the economy went into the
toilet, all these folks went back to whatever it was they were doing
before jumping on the web developer bandwagon in disguise.

-- Mitch


From SHalter at ThorntonTomasetti.com  Tue Sep 25 11:43:06 2007
From: SHalter at ThorntonTomasetti.com (Halter, Shari)
Date: Tue, 25 Sep 2007 11:43:06 -0400
Subject: [nycphp-talk] Design Firm Recommendations
Message-ID: <20070925155326.15615BC8211@gatekeeper.thettgroup.com>

This may be slightly off php topic, but am wondering if anyone can provide a
recommendation.
 
Has anyone on the list worked for, or with, a design firm they can recommend
for overhaul of internal/external web presence for a 500+ person
international firm? 
 
Intuitive design (for internal) and engaging interface (external) is as
important as their experience with IA consulting and shepherding the project
through a CMS integration on the backend.
 


Shari L. Halter 
Web Programmer, Corporate Services 
Thornton Tomasetti 
51 Madison Avenue 
New York, NY  10010 
T 917.661.7800  F 917.661.7801   
D 917.661.7970   
SHalter at ThorntonTomasetti.com 


 

<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
The information in this email and any attachments may contain
confidential information that is intended solely for the
attention and use of the named addressee(s).  This message or
any part thereof must not be disclosed, copied, distributed or
retained by any person without authorization from the addressee.
If you are not the intended addressee, please notify the sender
immediately, and delete this message. 
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070925/8f807347/attachment.html>

From alexchan.1976 at gmail.com  Tue Sep 25 12:33:25 2007
From: alexchan.1976 at gmail.com (Alex C)
Date: Tue, 25 Sep 2007 12:33:25 -0400
Subject: [nycphp-talk] Design Firm Recommendations
In-Reply-To: <20070925155326.15615BC8211@gatekeeper.thettgroup.com>
References: <20070925155326.15615BC8211@gatekeeper.thettgroup.com>
Message-ID: <8f494f760709250933y25803544ta2677a1442f6a0a8@mail.gmail.com>

where i worked, we used pentagram . www.pentagram.com


alex

On 9/25/07, Halter, Shari <SHalter at thorntontomasetti.com> wrote:
>
>
>
> This may be slightly off php topic, but am wondering if anyone can provide a
> recommendation.
>
> Has anyone on the list worked for, or with, a design firm they can recommend
> for overhaul of internal/external web presence for a 500+ person
> international firm?
>
> Intuitive design (for internal) and engaging interface (external) is as
> important as their experience with IA consulting and shepherding the project
> through a CMS integration on the backend.
>
>
>
> Shari L. Halter
> Web Programmer, Corporate Services
> Thornton Tomasetti
> 51 Madison Avenue
> New York, NY  10010
> T 917.661.7800  F 917.661.7801
> D 917.661.7970
> SHalter at ThorntonTomasetti.com
>
>
>
>
> <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
>
> The information in this email and any attachments may contain
>
> confidential information that is intended solely for the
>
> attention and use of the named addressee(s). This message or
>
> any part thereof must not be disclosed, copied, distributed or
>
> retained by any person without authorization from the addressee.
>
> If you are not the intended addressee, please notify the sender
>
> immediately, and delete this message.
>
> <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php
>


From ken at secdat.com  Wed Sep 26 06:54:33 2007
From: ken at secdat.com (Kenneth Downs)
Date: Wed, 26 Sep 2007 06:54:33 -0400
Subject: [nycphp-talk] Not-so-subtle attack on PHP
Message-ID: <46FA3A69.6000109@secdat.com>

*From: http://www.eweek.com/article2/0,1759,2188714,00.asp

Q: How can sites protect themselves against SQL injection?
A: *The best defense is to design your database-backed Web site properly 
to make sure it always separates SQL code and user data. You basically 
have a choice between programming tools that are specifically designed 
to prevent you from making this kind of mistake and those that allow you 
to get into trouble if you're not careful. Roughly speaking, this 
corresponds to the difference between the newer Microsoft .Net tools and 
their older tools or open source frameworks like PHP.

-- 
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com    www.andromeda-project.org
631-689-7200   Fax: 631-689-0527
cell: 631-379-0010

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070926/814ee0ea/attachment.html>

From jmcgraw1 at gmail.com  Wed Sep 26 13:53:02 2007
From: jmcgraw1 at gmail.com (Jake McGraw)
Date: Wed, 26 Sep 2007 13:53:02 -0400
Subject: [nycphp-talk] Not-so-subtle attack on PHP
In-Reply-To: <46FA3A69.6000109@secdat.com>
References: <46FA3A69.6000109@secdat.com>
Message-ID: <e065b8610709261053u4f279b49wbb73099f9f0c71e4@mail.gmail.com>

Oh snap!

Personally, I like the flexibility PHP gives you in determining what
you can put in your queries and with PHP 5+, using the filter
functions and querying a MySQL DB with mysqli is a full proof method
of preventing SQL injection.

- jake

On 9/26/07, Kenneth Downs <ken at secdat.com> wrote:
>
>  From: http://www.eweek.com/article2/0,1759,2188714,00.asp
>
>  Q: How can sites protect themselves against SQL injection?
>  A: The best defense is to design your database-backed Web site properly to
> make sure it always separates SQL code and user data. You basically have a
> choice between programming tools that are specifically designed to prevent
> you from making this kind of mistake and those that allow you to get into
> trouble if you're not careful. Roughly speaking, this corresponds to the
> difference between the newer Microsoft .Net tools and their older tools or
> open source frameworks like PHP. --
> Kenneth Downs
> Secure Data Software, Inc.
> www.secdat.com www.andromeda-project.org
> 631-689-7200 Fax: 631-689-0527
> cell: 631-379-0010
>
>
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php
>


From SHalter at ThorntonTomasetti.com  Wed Sep 26 13:18:08 2007
From: SHalter at ThorntonTomasetti.com (Halter, Shari)
Date: Wed, 26 Sep 2007 13:18:08 -0400
Subject: [nycphp-talk] Design Firm Recommendations
Message-ID: <20070926172734.A7A1BBC8123@gatekeeper.thettgroup.com>

 
Thank you everyone for the design firm recommendations!
 
Much appreciated,
Shari


Shari L. Halter 
Web Programmer, Corporate Services 
Thornton Tomasetti 
51 Madison Avenue 
New York, NY  10010 
T 917.661.7800  F 917.661.7801   
D 917.661.7970   
SHalter at ThorntonTomasetti.com 


 

<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
The information in this email and any attachments may contain
confidential information that is intended solely for the
attention and use of the named addressee(s).  This message or
any part thereof must not be disclosed, copied, distributed or
retained by any person without authorization from the addressee.
If you are not the intended addressee, please notify the sender
immediately, and delete this message. 
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070926/53131152/attachment.html>

From chsnyder at gmail.com  Wed Sep 26 14:04:04 2007
From: chsnyder at gmail.com (csnyder)
Date: Wed, 26 Sep 2007 14:04:04 -0400
Subject: [nycphp-talk] Not-so-subtle attack on PHP
In-Reply-To: <46FA3A69.6000109@secdat.com>
References: <46FA3A69.6000109@secdat.com>
Message-ID: <b76252690709261104v181580cav15e866222872dde4@mail.gmail.com>

On 9/26/07, Kenneth Downs <ken at secdat.com> wrote:
>
>  From:
> http://www.eweek.com/article2/0,1759,2188714,00.asp
>
>  Q: How can sites protect themselves against SQL injection?
>  A:  You basically have a choice between programming tools that lock you
>  into proprietary architectures and those that allow you to incorporate new
>  open source libraries and tools as they become available.

There, fixed that for them.

If your PHP code isn't preventing SQL injection then use one of the
many extensions or libraries that prevents it... or write your own.

My personal favorite:
public function esc( $value ) {
  return mysql_real_escape_string( $value, $this->db );
}

-- 
Chris Snyder
http://chxo.com/


From ken at secdat.com  Wed Sep 26 14:10:30 2007
From: ken at secdat.com (Kenneth Downs)
Date: Wed, 26 Sep 2007 14:10:30 -0400
Subject: [nycphp-talk] Not-so-subtle attack on PHP
In-Reply-To: <e065b8610709261053u4f279b49wbb73099f9f0c71e4@mail.gmail.com>
References: <46FA3A69.6000109@secdat.com>
	<e065b8610709261053u4f279b49wbb73099f9f0c71e4@mail.gmail.com>
Message-ID: <46FAA096.2060106@secdat.com>

Jake McGraw wrote:
> Oh snap!
>
> Personally, I like the flexibility PHP gives you in determining what
> you can put in your queries and with PHP 5+, using the filter
> functions and querying a MySQL DB with mysqli is a full proof method
> of preventing SQL injection.
>
> - jake
>
>   

Me too.

Nobody ever notices this, but the name ought to give it away, "SQL 
Injection".  Not "PHP Injection".

The root cause of the SQL injection vulnerability lies in the use of the 
database, not the code that accesses it.

Applying security in the database renders you structurally immune from 
SQL injection.


-- 
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com    www.andromeda-project.org
631-689-7200   Fax: 631-689-0527
cell: 631-379-0010



From cliff at pinestream.com  Wed Sep 26 14:34:06 2007
From: cliff at pinestream.com (Cliff Hirsch)
Date: Wed, 26 Sep 2007 14:34:06 -0400
Subject: [nycphp-talk] Not-so-subtle attack on PHP
In-Reply-To: <e065b8610709261053u4f279b49wbb73099f9f0c71e4@mail.gmail.com>
Message-ID: <C3201E5E.844A%cliff@pinestream.com>

On 9/26/07 1:53 PM, "Jake McGraw" <jmcgraw1 at gmail.com> wrote:
> Oh snap!
> 
> Personally, I like the flexibility PHP gives you in determining what
> you can put in your queries and with PHP 5+, using the filter
> functions and querying a MySQL DB with mysqli is a full proof method
> of preventing SQL injection.

Filter functions? Not the new input filter functions? To trully prevent SQL
injection, you need to use eiher prepared statements or mysqlrealescape
function. And don't forget to put ' ' around the result, otherwise, it's
useless.




From cliff at pinestream.com  Wed Sep 26 14:36:25 2007
From: cliff at pinestream.com (Cliff Hirsch)
Date: Wed, 26 Sep 2007 14:36:25 -0400
Subject: [nycphp-talk] Not-so-subtle attack on PHP
In-Reply-To: <b76252690709261104v181580cav15e866222872dde4@mail.gmail.com>
Message-ID: <C3201EE9.844B%cliff@pinestream.com>

> My personal favorite:
> public function esc( $value ) {
>   return mysql_real_escape_string( $value, $this->db );
> }

I like: return "'".mysql_real_escape_string( $value, $this->db ),"'";

Otherwise, I might forget to quote the result, rendering the function
useless.




From codebowl at gmail.com  Wed Sep 26 07:04:48 2007
From: codebowl at gmail.com (Joseph Crawford)
Date: Wed, 26 Sep 2007 07:04:48 -0400
Subject: [nycphp-talk] Design Firm Recommendations
In-Reply-To: <8f494f760709250933y25803544ta2677a1442f6a0a8@mail.gmail.com>
References: <20070925155326.15615BC8211@gatekeeper.thettgroup.com>
	<8f494f760709250933y25803544ta2677a1442f6a0a8@mail.gmail.com>
Message-ID: <8d9a42800709260404r6f2cfe62g9a3cad6a68988107@mail.gmail.com>

www.jvmediadesign.com
I've worked with these guys for years now.


-- 
Joseph Crawford Jr.
Zend Certified Engineer
http://www.josephcrawford.com/
1-315-820-4244
codebowl at gmail.com


From ramons at gmx.net  Wed Sep 26 22:25:24 2007
From: ramons at gmx.net (David Krings)
Date: Wed, 26 Sep 2007 22:25:24 -0400
Subject: [nycphp-talk] Not-so-subtle attack on PHP
In-Reply-To: <46FA3A69.6000109@secdat.com>
References: <46FA3A69.6000109@secdat.com>
Message-ID: <46FB1494.6090705@gmx.net>

Kenneth Downs wrote:
> *From: http://www.eweek.com/article2/0,1759,2188714,00.asp
> 
> Q: How can sites protect themselves against SQL injection?
> A: *The best defense is to design your database-backed Web site properly 
> to make sure it always separates SQL code and user data. You basically 
> have a choice between programming tools that are specifically designed 
> to prevent you from making this kind of mistake and those that allow you 
> to get into trouble if you're not careful. Roughly speaking, this 
> corresponds to the difference between the newer Microsoft .Net tools and 
> their older tools or open source frameworks like PHP.
> 

Oh geez, it doesn't matter which prograimming / scripting language is 
used. You can make .NEt to be subceptible to SQL injections as easy, 
just don't escape user input. Who writes stuff like that?

David


From jcampbell1 at gmail.com  Wed Sep 26 22:46:43 2007
From: jcampbell1 at gmail.com (John Campbell)
Date: Wed, 26 Sep 2007 22:46:43 -0400
Subject: [nycphp-talk] Not-so-subtle attack on PHP
In-Reply-To: <b76252690709261104v181580cav15e866222872dde4@mail.gmail.com>
References: <46FA3A69.6000109@secdat.com>
	<b76252690709261104v181580cav15e866222872dde4@mail.gmail.com>
Message-ID: <8f0676b40709261946w641cf587u2a67a9dd7434d4d8@mail.gmail.com>

> My personal favorite:
> public function esc( $value ) {
>   return mysql_real_escape_string( $value, $this->db );
> }

If that is your personal favorite, you are justifying the the article.
All you have to do is forget to use single quotes once and your site
is vulnerable.  Step up and start using prepared queries.

On a similar subject:
If your solution is to "validate input" or "input filtering", you are
going about things all wrong.  Validating input is for the birds;
prepared sql and output escaping is the way to go.  I don't give a
shit if my user's use names like "<a href='javascript:blahblah'>" ,
just like my web email client doesn't filter it from this post.  I
default to escaping the html automatically when I send it to the view,
and all queries are prepared.  It makes coding much easier, and I
don't have to worry about forgetting to call esc() once.

When coders hear "don't trust user input" it foolishly gets translated
to "validate the user's input" and that is one of the primary problems
with php coders today.  I trust all user input and just escape it for
the db and display.  I occasionally validate the input, but that is
just to make sure the user didn't make a typo.

-John Campbell


From dcech at phpwerx.net  Wed Sep 26 23:12:37 2007
From: dcech at phpwerx.net (Dan Cech)
Date: Wed, 26 Sep 2007 23:12:37 -0400
Subject: [nycphp-talk] Not-so-subtle attack on PHP
In-Reply-To: <8f0676b40709261946w641cf587u2a67a9dd7434d4d8@mail.gmail.com>
References: <46FA3A69.6000109@secdat.com>	<b76252690709261104v181580cav15e866222872dde4@mail.gmail.com>
	<8f0676b40709261946w641cf587u2a67a9dd7434d4d8@mail.gmail.com>
Message-ID: <46FB1FA5.7060702@phpwerx.net>

John Campbell wrote:
> If your solution is to "validate input" or "input filtering", you are
> going about things all wrong.  Validating input is for the birds;
> prepared sql and output escaping is the way to go.  I don't give a
> shit if my user's use names like "<a href='javascript:blahblah'>" ,
> just like my web email client doesn't filter it from this post.  I
> default to escaping the html automatically when I send it to the view,
> and all queries are prepared.  It makes coding much easier, and I
> don't have to worry about forgetting to call esc() once.
> 
> When coders hear "don't trust user input" it foolishly gets translated
> to "validate the user's input" and that is one of the primary problems
> with php coders today.  I trust all user input and just escape it for
> the db and display.  I occasionally validate the input, but that is
> just to make sure the user didn't make a typo.

+1

Input filtering is for enforcing program/business logic, not for
'protecting' against 'bad data'.  So long as all the data you use is
appropriately escaped/encoded, the content of that data is irrelevant.

For the majority of php applications this means using prepared queries
(or proper sql escaping), html output escaping, url encoding and proper
email encoding (especially headers).

All of these are very easy to achieve, and when used in the correct
manner yield an application which is invulnerable to the attacks input
filtering is supposed to prevent.

Dan


From dell at sala.ca  Thu Sep 27 01:14:15 2007
From: dell at sala.ca (Dell Sala)
Date: Thu, 27 Sep 2007 01:14:15 -0400
Subject: [nycphp-talk] Not-so-subtle attack on PHP
In-Reply-To: <46FA3A69.6000109@secdat.com>
References: <46FA3A69.6000109@secdat.com>
Message-ID: <A3A1BB99-9742-4FF2-9790-F660A1E0888D@sala.ca>

I wouldn't call this an attack on PHP. It is a critique of a  
philosophy. From the same article:

> Q: Are you saying that sites built with open source tools like PHP  
> are more vulnerable to SQL injection attacks than sites built  
> with .Net?
>
> A: It's a question of mentality. Microsoft's mindset is to fix  
> things in such a way that the user doesn't have so much control and  
> is therefore less vulnerable. The open source tools like PHP have a  
> different philosophy. They assume that users know what they are  
> doing and want to be free of constraints, so these tools let users  
> do what they want but at their own risk. The open source tools  
> assume that developers these days are aware of the threat of SQL  
> injection and will do the right thing.

It's about different approaches to the balance between ease-of-use  
and flexibility.

The holy grail is a solution that provides both. Somewhere down the  
line there has to be code that generates the SQL. The real challenge  
is where that code goes. Does it happen inside a framework of some  
kind that takes care of all the escaping in a tested and reliable  
way, or do you generate the SQL higher up in your scripts adding the  
flexibility needed for complex joins and query optimization.

Ken Wrote:

> Applying security in the database renders you structurally immune  
> from SQL injection.

Can you elaborate on this? I'm always intrigued by your DB-centric  
slant.


-- Dell



From ramons at gmx.net  Thu Sep 27 06:40:26 2007
From: ramons at gmx.net (David Krings)
Date: Thu, 27 Sep 2007 06:40:26 -0400
Subject: [nycphp-talk] Not-so-subtle attack on PHP
In-Reply-To: <8f0676b40709261946w641cf587u2a67a9dd7434d4d8@mail.gmail.com>
References: <46FA3A69.6000109@secdat.com>	<b76252690709261104v181580cav15e866222872dde4@mail.gmail.com>
	<8f0676b40709261946w641cf587u2a67a9dd7434d4d8@mail.gmail.com>
Message-ID: <46FB889A.5050300@gmx.net>

John Campbell wrote:
> On a similar subject:
> If your solution is to "validate input" or "input filtering", you are
> going about things all wrong.  Validating input is for the birds;
> prepared sql and output escaping is the way to go.  I don't give a
> shit if my user's use names like "<a href='javascript:blahblah'>" ,
> just like my web email client doesn't filter it from this post.  I
> default to escaping the html automatically when I send it to the view,
> and all queries are prepared.  It makes coding much easier, and I
> don't have to worry about forgetting to call esc() once.
> 
> When coders hear "don't trust user input" it foolishly gets translated
> to "validate the user's input" and that is one of the primary problems
> with php coders today.  I trust all user input and just escape it for
> the db and display.  I occasionally validate the input, but that is
> just to make sure the user didn't make a typo.

That is what I still would call input validation. The validation is not 
about the sense of the input, but about it being valid for processing by 
the system. At leat you and I mean the same thing. When I say "all input 
is evil" then I mean that you need to check it for being fit for queries 
and display. So yes, if a user wants to be refered to by "<a 
href='javascript:blahblah'>" then I'd not stop them from it.

David


From ken at secdat.com  Thu Sep 27 07:21:37 2007
From: ken at secdat.com (Kenneth Downs)
Date: Thu, 27 Sep 2007 07:21:37 -0400
Subject: [nycphp-talk] Not-so-subtle attack on PHP
In-Reply-To: <A3A1BB99-9742-4FF2-9790-F660A1E0888D@sala.ca>
References: <46FA3A69.6000109@secdat.com>
	<A3A1BB99-9742-4FF2-9790-F660A1E0888D@sala.ca>
Message-ID: <46FB9241.3040404@secdat.com>

Dell Sala wrote:
> Ken Wrote:
>
>> Applying security in the database renders you structurally immune 
>> from SQL injection.
>
> Can you elaborate on this? I'm always intrigued by your DB-centric slant.
>

Sure.  The typical SQL injection example is where I put some command in 
on an email form:

EMAIL:  ken at secdat.com'; create user ken password 'backdoor';

In SQL Injection, the user accesses some table they are not supposed to 
access.  This can only be done if the application connects to the 
database as some generic user, where that generic user can do anything 
it wants.

To eliminate all possibility of SQL Injection, you must connect to the 
database with a user whose privileges in the database are limited.  The 
trick then is to work out who the users are and how their privileges are 
assigned.

Database security works basically by denying or granting access to 
tables.  The four fundamental functions of INSERT, UPDATE, DELETE and 
SELECT can be denied or granted to any user, group, or combination of 
users and groups.  An extremely important point here is that this is the 
simplest way to do security on a database app, because /every other 
method must resolve down to this method in the end./  So any method that 
begins with other ideas has more work to do.

So security becomes part of the database design process:

1) In the database, DENY ALL to all tables for all users.
2) Define different security groups, also known these days as *roles*.
3) GRANT select,update,insert,delete privileges to these different 
groups/roles as needs require.
4) Create actual users and assign them into appropriate groups.

If you want to go all the way, you actually create database users for 
every user of your system (that's what we do), and when they connect to 
the website we connect them to the database with their own credentials, 
this gives us a situation where:

1) SQL Injection does not let them do anything they can't do anyway, so 
at most it is a waste of the hacker's time
2) Our user interface design focuses on the idea that they should see 
everything they can do, and everything they can see they can do.  Again, 
SQL Injection only gives them a really crude way to do something that's 
probably on the menu!

Hope this helps get you started!

>
> -- Dell
>
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php


-- 
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com    www.andromeda-project.org
631-689-7200   Fax: 631-689-0527
cell: 631-379-0010

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070927/b4bc3287/attachment.html>

From johnzabroski at yahoo.com  Thu Sep 27 07:56:37 2007
From: johnzabroski at yahoo.com (John Zabroski)
Date: Thu, 27 Sep 2007 04:56:37 -0700 (PDT)
Subject: [nycphp-talk] Not-so-subtle attack on PHP
In-Reply-To: <46FB889A.5050300@gmx.net>
Message-ID: <343915.12072.qm@web60224.mail.yahoo.com>

If that is what you call input validation, then you'd be wrong.

SQL Injection is a subset of all attacks based off input vulnerability.  As an example, input validation can include calculating and effectively using string length to avoid a buffer overrun or truncation attack.  Come to that, the notion of SQL Injection is a subset of all SQL attacks.

As a general observation, input vulnerabilities are usually the most heinous when the human mind can't possibly fathom how something could go wrong.  Usually, this manifests itself in the form of a limit.  Strings have all sorts of limits, most of which are subtle.  Strings have beginnings and ends, they may have delimiters, they may have special terminating characters, etc.  Limits are where nasty bugs tend to cluster, mostly because the human mind doesn't work in such a way that when we add 1 to +32767 we think "overflow!"  Instead, we think 32768.  It doesn't matter how good of a programmer you are.  You have a Ph.D. from Carnegie Melon and still get tripped up by limits (see: http://googleresearch.blogspot.com/2006/06/extra-extra-read-all-about-it-nearly.html).

Also, validation does concern "sense of input" in many cases.  Echo the wrong thing back to an unsuspecting user and the consequences could be horrific.  Sending an e-mail out to the wrong user because you didn't validate the send-to address could be horrific, etc.

We should always say what we mean, and always question what we mean.  I can guarantee you I learned this the hard way.

David Krings <ramons at gmx.net> wrote: John Campbell wrote:
> On a similar subject:
> If your solution is to "validate input" or "input filtering", you are
> going about things all wrong.  Validating input is for the birds;
> prepared sql and output escaping is the way to go.  I don't give a
> shit if my user's use names like "" ,
> just like my web email client doesn't filter it from this post.  I
> default to escaping the html automatically when I send it to the view,
> and all queries are prepared.  It makes coding much easier, and I
> don't have to worry about forgetting to call esc() once.
> 
> When coders hear "don't trust user input" it foolishly gets translated
> to "validate the user's input" and that is one of the primary problems
> with php coders today.  I trust all user input and just escape it for
> the db and display.  I occasionally validate the input, but that is
> just to make sure the user didn't make a typo.

That is what I still would call input validation. The validation is not 
about the sense of the input, but about it being valid for processing by 
the system. At leat you and I mean the same thing. When I say "all input 
is evil" then I mean that you need to check it for being fit for queries 
and display. So yes, if a user wants to be refered to by "
href='javascript:blahblah'>" then I'd not stop them from it.

David
_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com

Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php


       
---------------------------------
 Check out  the hottest 2008 models today at Yahoo! Autos.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070927/cf80bcdc/attachment.html>

From jonbaer at jonbaer.com  Thu Sep 27 08:14:05 2007
From: jonbaer at jonbaer.com (Jon Baer)
Date: Thu, 27 Sep 2007 08:14:05 -0400
Subject: [nycphp-talk] SPL - Do you use?
Message-ID: <65430E89-BE46-43C4-818A-7CBB0523C3F1@jonbaer.com>

Do many here use the SPL library?

I could never really understand this "library", on one side part of  
the Java programming that I really felt to be a burden of added /  
bloated code was the idea of the "Iterator" (you always had to grab  
one) and that is pretty much what the SPL is (for PHP5), and part of  
the joy to PHP was the ease + use of a foreach loop and then Java  
took a step back and implemented the same foreach idea in current  
JVMs but I barely see it used in many projects.  I would guess that  
Java people coming to PHP would understand it's uses / design pattern  
better but the part of the Zend article I don't understand is ...

"This library of interfaces creates a standard API for certain kinds  
of built-in functionality, allowing your classes to interact with the  
PHP engine in a much more seamless manner."

Im just wondering if this means the use of saying "foreach($objects  
as $object)" or does refactoring w/ PHP5 Iterators also get you  
something else as well?

- Jon

References:
http://devzone.zend.com/article/2565-The-Standard-PHP-Library-SPL
http://us.php.net/spl
http://www.php.net/~helly/php/ext/spl/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070927/4eb719e4/attachment.html>

From scott at crisscott.com  Thu Sep 27 08:58:18 2007
From: scott at crisscott.com (Scott Mattocks)
Date: Thu, 27 Sep 2007 08:58:18 -0400
Subject: [nycphp-talk] SPL - Do you use?
In-Reply-To: <65430E89-BE46-43C4-818A-7CBB0523C3F1@jonbaer.com>
References: <65430E89-BE46-43C4-818A-7CBB0523C3F1@jonbaer.com>
Message-ID: <46FBA8EA.4050203@crisscott.com>

Jon Baer wrote:
> Do many here use the SPL library?
> 

I use the ArrayAccess interface all the time. It allows me to get some 
OOP benefits for data structures while still having the ease of use of 
an array.

For example, we opened up a SOAP interface for our system. Internally we 
had things working as arrays but in order to provider more structure for 
the web service, we needed to have objects. Instead of rewriting the 
whole code base, I just made a few new classes which implemented 
ArrayAccess, changed $thing = array(); to $thing = new 
ArrayLikeObject(); and left the rest of the code alone. The rest of the 
code still does things like $thing[$key] = $var; but the SOAP interface 
has the objects it needs. It saved us from a lot of extra work rewriting 
tons of code.

-- 
Scott Mattocks
Author: Pro PHP-GTK
http://www.crisscott.com


From chsnyder at gmail.com  Thu Sep 27 09:11:34 2007
From: chsnyder at gmail.com (csnyder)
Date: Thu, 27 Sep 2007 09:11:34 -0400
Subject: [nycphp-talk] Not-so-subtle attack on PHP
In-Reply-To: <8f0676b40709261946w641cf587u2a67a9dd7434d4d8@mail.gmail.com>
References: <46FA3A69.6000109@secdat.com>
	<b76252690709261104v181580cav15e866222872dde4@mail.gmail.com>
	<8f0676b40709261946w641cf587u2a67a9dd7434d4d8@mail.gmail.com>
Message-ID: <b76252690709270611i4098c212m9fcd0f71622b598f@mail.gmail.com>

On 9/26/07, John Campbell <jcampbell1 at gmail.com> wrote:
> > My personal favorite:
> > public function esc( $value ) {
> >   return mysql_real_escape_string( $value, $this->db );
> > }
>
> If that is your personal favorite, you are justifying the the article.
> All you have to do is forget to use single quotes once and your site
> is vulnerable.  Step up and start using prepared queries.

Hmm, yeah I probably should, now that everything is php5.

I need to create SQL snippets that get embedded in multiple and
modular queries, like  "obj.priority > 99 AND obj.title='Foo' "... is
there a way to "pre-prepare" that? Or will I need to pass an object
around with the statement "obj.priority > ? AND obj.title=?" and the
two values as properties?


-- 
Chris Snyder
http://chxo.com/


From dorgan at optonline.net  Thu Sep 27 09:44:11 2007
From: dorgan at optonline.net (Donald Organ)
Date: Thu, 27 Sep 2007 09:44:11 -0400
Subject: [nycphp-talk] Webservice Issue with .NET
Message-ID: <1190900651.6021.6.camel@dorgan-mobile2>

I am wondering if anyone else has had this issue before.

I have a webservice made using Services_Webservice(PEAR Package).  In
one method of my service I am returning a complex type, which is able to
be read just fine, but I had to add more properties to the object, and
now one of the properties is an array of complex types.  When invoking
the webservice from PHP i am able to see this properties and each object
in the array just fine, but when invoking this service from .NET it
seems that the property is null.

I am just wondering if anyone else has had any issues with this.

Thanks



From bz-gmort at beezifies.com  Thu Sep 27 09:46:21 2007
From: bz-gmort at beezifies.com (bz-gmort at beezifies.com)
Date: Thu, 27 Sep 2007 09:46:21 -0400
Subject: [nycphp-talk] Not-so-subtle attack on PHP
In-Reply-To: <343915.12072.qm@web60224.mail.yahoo.com>
References: <343915.12072.qm@web60224.mail.yahoo.com>
Message-ID: <46FBB42D.4080608@beezifies.com>

John Zabroski wrote:
> We should always say what we mean, and always question what we mean.  I 
> can guarantee you I learned this the hard way.

You got conned into sitting on a stupid egg too?


From tedd at sperling.com  Thu Sep 27 11:05:28 2007
From: tedd at sperling.com (tedd)
Date: Thu, 27 Sep 2007 11:05:28 -0400
Subject: [nycphp-talk] Not-so-subtle attack on PHP
In-Reply-To: <46FA3A69.6000109@secdat.com>
References: <46FA3A69.6000109@secdat.com>
Message-ID: <p06240806c32172c04a26@[192.168.1.100]>

At 6:54 AM -0400 9/26/07, Kenneth Downs wrote:
>From: 
><http://www.eweek.com/article2/0,1759,2188714,00.asp>http://www.eweek.com/article2/0,1759,2188714,00.asp
>
>Q: How can sites protect themselves against SQL injection?
>A: The best defense is to design your database-backed Web site 
>properly to make sure it always separates SQL code and user data. 
>You basically have a choice between programming tools that are 
>specifically designed to prevent you from making this kind of 
>mistake and those that allow you to get into trouble if you're not 
>careful. Roughly speaking, this corresponds to the difference 
>between the newer Microsoft .Net tools and their older tools or open 
>source frameworks like PHP.

But of course -- Microsoft has always been leading the pack in 
everything is does. The net is no exception, take a look at its IE 
browsers with respect to web standards and compliance issues -- they 
certainly define what's best for the rest of us, right? Wrong!

Seriously, M$ has one thing on it's mind and that is to control as 
much as possible -- and that control is solely for profit and not for 
the better good. If they can sell .Net tools as the "best" way to go, 
and you buy into it, then I have some swamp land for you to consider 
because in either case, you're wading into a quagmire.

Answers like that above, are just more M$ noise for profit.

Cheers,

tedd
-- 
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com


From mitch.pirtle at gmail.com  Thu Sep 27 11:32:32 2007
From: mitch.pirtle at gmail.com (Mitch Pirtle)
Date: Thu, 27 Sep 2007 11:32:32 -0400
Subject: [nycphp-talk] Not-so-subtle attack on PHP
In-Reply-To: <46FBB42D.4080608@beezifies.com>
References: <343915.12072.qm@web60224.mail.yahoo.com>
	<46FBB42D.4080608@beezifies.com>
Message-ID: <330532b60709270832q5bfbe5c1l82686a9cba61b6d5@mail.gmail.com>

On 9/27/07, bz-gmort at beezifies.com <bz-gmort at beezifies.com> wrote:
> John Zabroski wrote:
> > We should always say what we mean, and always question what we mean.  I
> > can guarantee you I learned this the hard way.
>
> You got conned into sitting on a stupid egg too?

I squished mine.

-- Mitch, sobbing uncontrollably in the corner


From dorgan at optonline.net  Thu Sep 27 14:30:32 2007
From: dorgan at optonline.net (Donald Organ)
Date: Thu, 27 Sep 2007 14:30:32 -0400
Subject: [nycphp-talk] Webservice Issue with .NET
In-Reply-To: <1190900651.6021.6.camel@dorgan-mobile2>
References: <1190900651.6021.6.camel@dorgan-mobile2>
Message-ID: <1190917832.16612.5.camel@dorgan-mobile2>

Wow no one has had any problems like this??

On Thu, 2007-09-27 at 09:44 -0400, Donald Organ wrote:
> I am wondering if anyone else has had this issue before.
> 
> I have a webservice made using Services_Webservice(PEAR Package).  In
> one method of my service I am returning a complex type, which is able to
> be read just fine, but I had to add more properties to the object, and
> now one of the properties is an array of complex types.  When invoking
> the webservice from PHP i am able to see this properties and each object
> in the array just fine, but when invoking this service from .NET it
> seems that the property is null.
> 
> I am just wondering if anyone else has had any issues with this.
> 
> Thanks
> 
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
> 
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
> 
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php



From ramons at gmx.net  Thu Sep 27 16:11:50 2007
From: ramons at gmx.net (David Krings)
Date: Thu, 27 Sep 2007 16:11:50 -0400
Subject: [nycphp-talk] Webservice Issue with .NET
In-Reply-To: <1190917832.16612.5.camel@dorgan-mobile2>
References: <1190900651.6021.6.camel@dorgan-mobile2>
	<1190917832.16612.5.camel@dorgan-mobile2>
Message-ID: <46FC0E86.7070302@gmx.net>

Donald Organ wrote:
> Wow no one has had any problems like this??
> 
Maybe no one else uses .NET?


From dorgan at optonline.net  Thu Sep 27 16:14:17 2007
From: dorgan at optonline.net (Donald Organ)
Date: Thu, 27 Sep 2007 16:14:17 -0400
Subject: [nycphp-talk] Webservice Issue (was Webserivce Issue with .NET	) no
	longer just .NET
In-Reply-To: <46FC0E86.7070302@gmx.net>
References: <1190900651.6021.6.camel@dorgan-mobile2>
	<1190917832.16612.5.camel@dorgan-mobile2> <46FC0E86.7070302@gmx.net>
Message-ID: <1190924057.16612.10.camel@dorgan-mobile2>

Ok well i belive its not longer just a .NET issue it seems the service
it self isnt returning a value for that property at all and i know its
being set because if i dump the object to the screen via php it appears
fine.

On Thu, 2007-09-27 at 16:11 -0400, David Krings wrote:
> Donald Organ wrote:
> > Wow no one has had any problems like this??
> > 
> Maybe no one else uses .NET?
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
> 
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
> 
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php



From cliff at pinestream.com  Thu Sep 27 16:25:24 2007
From: cliff at pinestream.com (Cliff Hirsch)
Date: Thu, 27 Sep 2007 16:25:24 -0400
Subject: [nycphp-talk] Apache document root location question 
Message-ID: <C32189F4.853F%cliff@pinestream.com>

I am bringing up a production server where the Apache document root is
currently: /srv/www/htdocs

Yet my application is in another directory and has its own public htdocs
directory. The php files in the public htdocs dir know that they are in a
subdir one level below the application directory, so I?d rather not move
those files to /srv/www/htdocs. This helps with includes, requires, etc when
it comes to finding files in the correct filepath.

Should I just make my application htdocs dir the new document root? Or
should I make a symbolic link, alias, redirect or virtual host (always get
confused about which to use since they seem to achieve the same thing)? Or I
guess I could move my entire application to /srv/www, which would keep the
hierarchy intact.

Thoughts? Want to get this right for production....

Cliff




From mitch.pirtle at gmail.com  Thu Sep 27 16:42:04 2007
From: mitch.pirtle at gmail.com (Mitch Pirtle)
Date: Thu, 27 Sep 2007 16:42:04 -0400
Subject: [nycphp-talk] Apache document root location question
In-Reply-To: <C32189F4.853F%cliff@pinestream.com>
References: <C32189F4.853F%cliff@pinestream.com>
Message-ID: <330532b60709271342i1b09a917r1e2b06e43319deba@mail.gmail.com>

On 9/27/07, Cliff Hirsch <cliff at pinestream.com> wrote:
>
> Should I just make my application htdocs dir the new document root? Or
> should I make a symbolic link, alias, redirect or virtual host (always get
> confused about which to use since they seem to achieve the same thing)? Or I
> guess I could move my entire application to /srv/www, which would keep the
> hierarchy intact.
>
> Thoughts? Want to get this right for production....

I'd just make that the docroot for that virtualhost. Symlinks always
seems to get phaclemped one way or another.

-- Mitch


From cliff at pinestream.com  Thu Sep 27 16:51:58 2007
From: cliff at pinestream.com (Cliff Hirsch)
Date: Thu, 27 Sep 2007 16:51:58 -0400
Subject: [nycphp-talk] Apache document root location question
In-Reply-To: <330532b60709271342i1b09a917r1e2b06e43319deba@mail.gmail.com>
Message-ID: <C321902E.854C%cliff@pinestream.com>

On 9/27/07 4:42 PM, "Mitch Pirtle" <mitch.pirtle at gmail.com> wrote:

> On 9/27/07, Cliff Hirsch <cliff at pinestream.com> wrote:
>> 
>> Should I just make my application htdocs dir the new document root? Or
>> should I make a symbolic link, alias, redirect or virtual host (always get
>> confused about which to use since they seem to achieve the same thing)? Or I
>> guess I could move my entire application to /srv/www, which would keep the
>> hierarchy intact.
>> 
>> Thoughts? Want to get this right for production....
> 
> I'd just make that the docroot for that virtualhost. Symlinks always
> seems to get phaclemped one way or another.
> 
> -- Mitch

I guess that would be the way to go, using IP-based virtual hosts so I  can
use SSL. Virtualhosts would give me flexibility in the future to have
subdomains, etc.

One though I had was to do this: Alias / /newfilepath But that effectively
kills the main document root. 




From ioplex at gmail.com  Thu Sep 27 20:52:28 2007
From: ioplex at gmail.com (Michael B Allen)
Date: Thu, 27 Sep 2007 20:52:28 -0400
Subject: [nycphp-talk] Digest Authentication w/ Login Form
Message-ID: <78c6bd860709271752l68ffc03bjd0e696116a97046e@mail.gmail.com>

Hi,

I think I already know the answer to this is a simple "no" but I
suppose it can't hurt to ask.

Is it possible to do digest authentication from a login form?

I'm curious as to why there isn't a special form element type like
"password" that doesn't compute a digest.

Otherwise, is there a reasonable Free / free JavaScript implementation
of MD5 and Base64?

Mike


From ioplex at gmail.com  Thu Sep 27 21:22:05 2007
From: ioplex at gmail.com (Michael B Allen)
Date: Thu, 27 Sep 2007 21:22:05 -0400
Subject: [nycphp-talk] Re: Digest Authentication w/ Login Form
In-Reply-To: <78c6bd860709271752l68ffc03bjd0e696116a97046e@mail.gmail.com>
References: <78c6bd860709271752l68ffc03bjd0e696116a97046e@mail.gmail.com>
Message-ID: <78c6bd860709271822k63d064b3m89d17078a02f7b21@mail.gmail.com>

On 9/27/07, Michael B Allen <ioplex at gmail.com> wrote:
> Is it possible to do digest authentication from a login form?

Of course I just figured out how to do this in record time. I also
just realized that, for reasons not worth going into I can't use this.
But for posterity here's the solution:

A BSD implementation of both MD5 and Bas64 is here:

  http://ecmanaut.googlecode.com/svn/trunk/lib/md5.js

Here's the client side:

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<script type="text/javascript" src="<?php echo $this->baseUrl;
?>/scripts/md5.js"></script>
<script type="text/javascript">
function digest() {
    realm = document.f.realm.value;
    username = document.f.username.value;
    password = document.f.password.value;
    text = realm + ":" + username + ":";
    hash = MD5.base64(text + password);
    document.f.password.value = MD5.base64(text + hash);
}
</script>
<title>Login</title>
</head>
<body>
<h1>Login</h1>
<form name="f" action="<?php echo $this->baseUrl; ?>/login/login" method="POST">
<table border="1">
<tr><td>Username:</td><td>
    <input type="hidden" name="realm" value="<?php echo
$this->escape($this->realm); ?>"/>
    <input type="text" name="username" value="<?php echo
$this->escape($this->username); ?>"/>
</td></tr>
<tr><td>Password:</td><td><input type="password" name="password"/></td></tr>
<tr><td></td><td><input type="submit" value="Login"
onClick="digest()"/></td></tr>
</table>
</form>
</body>
</html>

I haven't actually tried to validate the resulting hash but I'm pretty
confident it will work.

Mike


From 1j0lkq002 at sneakemail.com  Fri Sep 28 01:54:46 2007
From: 1j0lkq002 at sneakemail.com (inforequest)
Date: Thu, 27 Sep 2007 22:54:46 -0700
Subject: [nycphp-talk] [OT] PHP IDS & Web Application Security
In-Reply-To: <330532b60709250851n39fb7ea1nef55c0c750de19bf@mail.gmail.com>
References: <4aba01c7fefb$74b8e830$6401a8c0@gamebox>
	<330532b60709250851n39fb7ea1nef55c0c750de19bf@mail.gmail.com>
Message-ID: <22858-45554@sneakemail.com>

Mitch Pirtle mitch.pirtle-at-gmail.com |nyphp dev/internal group use| 
wrote:

>On 9/24/07, Ben Sgro (ProjectSkyLine) <ben at projectskyline.com> wrote:
>  
>
>>I recently finished a security audit and pen test for a client. I couldn't
>>believe the problems they had.
>>They found a developer off CL and with his impressive portfolio decided to
>>work with him. Now my
>>firm, 8 months later, is fixing all the developers mistakes. They had cookie
>>based auth, file upload
>>exploits, xss, sql injection, ... you name it we could do it. Anyways, its
>>just sad to see these types of
>>moonlight coders calling themselves developers and doing an awful jobs at
>>writing software and leaving
>>their clients exposed.
>>    
>>
>
>You know what? As long as the market for geeks remains hot like it is
>now, there will be these parasites making us all look bad. Unfortunate
>but true, and I distinctly remember observing this last time around in
>the late 90s. Once the bubble burst and the economy went into the
>toilet, all these folks went back to whatever it was they were doing
>before jumping on the web developer bandwagon in disguise.
>
>-- Mitch
>  
>
Wow Mitch, you just described the SEO field to a T.

-=john

-- 
-------------------------------------------------------------
Your web server traffic log file is the most important source of web business information available. Do you know where your logs are right now? Do you know who else has access to your log files? When they were last archived? Where those archives are? --John Andrews Competitive Webmaster and SEO Blogging at http://www.johnon.com



From elharo at metalab.unc.edu  Fri Sep 28 04:13:53 2007
From: elharo at metalab.unc.edu (Elliotte Harold)
Date: Fri, 28 Sep 2007 04:13:53 -0400
Subject: [nycphp-talk] Not-so-subtle attack on PHP
In-Reply-To: <46FB9241.3040404@secdat.com>
References: <46FA3A69.6000109@secdat.com>	<A3A1BB99-9742-4FF2-9790-F660A1E0888D@sala.ca>
	<46FB9241.3040404@secdat.com>
Message-ID: <46FCB7C1.8010205@metalab.unc.edu>

Kenneth Downs wrote:

> In SQL Injection, the user accesses some table they are not supposed to 
> access.  This can only be done if the application connects to the 
> database as some generic user, where that generic user can do anything 
> it wants.

Not always. Sometimes it's about accessing a row they're not supposed to 
access, or adding a WHERE clause they're not supposed to run, or a 
fucntion they're not supposed to be able to call. Table level security 
is not enough. For example, you may well have data from multiple users 
ion one table (you usually will in fact) but don't want Bob to be able 
to see Alice's data. If Bob can change "WHERE user = 'Bob'" to "WHERE 
user = 'Bob' or user = 'Alice'" your table level security has just been 
broken. :-(

There are also attacks that access columns the user isn't supposed to 
see. A credit card company may allow users to see their purchase 
history, for example, but not see the mercant ID numbers associated with 
each purchase.

Your scenario assumes users can see entire tables, and more often than 
not for random web surfers, that is not the security model we want.

-- 
Elliotte Rusty Harold  elharo at metalab.unc.edu
Java I/O 2nd Edition Just Published!
http://www.cafeaulait.org/books/javaio2/
http://www.amazon.com/exec/obidos/ISBN=0596527500/ref=nosim/cafeaulaitA/


From ken at secdat.com  Fri Sep 28 07:05:53 2007
From: ken at secdat.com (Kenneth Downs)
Date: Fri, 28 Sep 2007 07:05:53 -0400
Subject: [nycphp-talk] Not-so-subtle attack on PHP
In-Reply-To: <46FCB7C1.8010205@metalab.unc.edu>
References: <46FA3A69.6000109@secdat.com>	<A3A1BB99-9742-4FF2-9790-F660A1E0888D@sala.ca>	<46FB9241.3040404@secdat.com>
	<46FCB7C1.8010205@metalab.unc.edu>
Message-ID: <46FCE011.9040405@secdat.com>

Elliotte Harold wrote:
> Kenneth Downs wrote:
>
>> In SQL Injection, the user accesses some table they are not supposed 
>> to access.  This can only be done if the application connects to the 
>> database as some generic user, where that generic user can do 
>> anything it wants.
>
> Not always. Sometimes it's about accessing a row they're not supposed 
> to access, 

You are correct that row level and column level security are required to 
completely finish the picture (not something I was going to bring up in 
a first post).  I wasn't going to go that deep in a first exposition.  
In fact, the complete resolution down to cell-level security is in 
theory the final story.

Andromeda supports row-level and column-level security precisely for 
this reason.  I have one customer in particular for whom that is the 
most used feature.

But it remains true that the entire security model of a table-based 
system is security privileges on the tables (including rows and 
columns).  Everything else /resolves to this in the end/.  For this 
reason we also don't use or need any stored procedures, as they 
complicate the security picture without adding benefit.  By implementing 
security directly on tables and making use of triggers we have the 
tightest possible encapsulation of data and code.

Finally, you ain't never going to do better in code, because the 
possibilities for latent errors are too high.  By contrast, direct 
assignments to tables, being the /final action required anyway/, are the 
easiest to work out and assign, and the easiest to document and verify.  
Code-based solutions don't come close to providing the security you need.

-- 
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com    www.andromeda-project.org
631-689-7200   Fax: 631-689-0527
cell: 631-379-0010

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070928/ac963817/attachment.html>

From bz-gmort at beezifies.com  Fri Sep 28 07:14:36 2007
From: bz-gmort at beezifies.com (bz-gmort at beezifies.com)
Date: Fri, 28 Sep 2007 07:14:36 -0400
Subject: [nycphp-talk] Not-so-subtle attack on PHP
In-Reply-To: <46FB9241.3040404@secdat.com>
References: <46FA3A69.6000109@secdat.com>	<A3A1BB99-9742-4FF2-9790-F660A1E0888D@sala.ca>
	<46FB9241.3040404@secdat.com>
Message-ID: <46FCE21C.9040901@beezifies.com>

Kenneth Downs wrote:
> 1) SQL Injection does not let them do anything they can't do anyway, so 
> at most it is a waste of the hacker's time

Many things are a waste of the cracker's time, but they do them anyway. 
  So counting on the result not being worth the time of cracker is 
wishful thinking. :-)

> 2) Our user interface design focuses on the idea that they should see 
> everything they can do, and everything they can see they can do.  Again, 
> SQL Injection only gives them a really crude way to do something that's 
> probably on the menu!

Hmm, I think in terms of online stores and credits.  Sure, the person 
can purchase a credit and have the data in their user record updated, 
but it is so much cheaper to do an "update usertable set credits=10000 
where uid = 'me')

Or someone who doesn't like the clunky deletion interface for the rows 
of a table, and instead wants to do a "delete * from customer_Table"

I suppose one way to work around this is to only give a user access to 
tables they are allowed to have complete control over.  But then 
creating thousands of user tables and then joining them together for 
reporting would be tedious(though you could do the reverse, have 1 user 
table and create an individualized view for each user so the user only 
accesses their data through the view.  Does MySQL 5 allow you to perform 
updates through views?)




From ken at secdat.com  Fri Sep 28 08:03:21 2007
From: ken at secdat.com (Kenneth Downs)
Date: Fri, 28 Sep 2007 08:03:21 -0400
Subject: [nycphp-talk] Not-so-subtle attack on PHP
In-Reply-To: <46FCE21C.9040901@beezifies.com>
References: <46FA3A69.6000109@secdat.com>	<A3A1BB99-9742-4FF2-9790-F660A1E0888D@sala.ca>	<46FB9241.3040404@secdat.com>
	<46FCE21C.9040901@beezifies.com>
Message-ID: <46FCED89.9020001@secdat.com>


bz-gmort at beezifies.com wrote:
> Kenneth Downs wrote:
>> 1) SQL Injection does not let them do anything they can't do anyway, 
>> so at most it is a waste of the hacker's time
>
> Many things are a waste of the cracker's time, but they do them 
> anyway.  So counting on the result not being worth the time of cracker 
> is wishful thinking. :-)

The focus is on "...does not let them do anything they can't do 
anyway...."   If the hacker wants to test the SQL injection abilities, 
let them.  Let them have fun.  Let them learn.  The real question is, 
can they do harm?  And the answer is NO, not if they are connected to 
the database with an account that has limited security abilities.

>
>> 2) Our user interface design focuses on the idea that they should see 
>> everything they can do, and everything they can see they can do.  
>> Again, SQL Injection only gives them a really crude way to do 
>> something that's probably on the menu!
>
> Hmm, I think in terms of online stores and credits.  Sure, the person 
> can purchase a credit and have the data in their user record updated, 
> but it is so much cheaper to do an "update usertable set credits=10000 
> where uid = 'me')

See Rusty's comment and my reply on row-level and column-level security.


-- 
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com    www.andromeda-project.org
631-689-7200   Fax: 631-689-0527
cell: 631-379-0010



From bz-gmort at beezifies.com  Fri Sep 28 08:58:07 2007
From: bz-gmort at beezifies.com (bz-gmort at beezifies.com)
Date: Fri, 28 Sep 2007 08:58:07 -0400
Subject: [nycphp-talk] Not-so-subtle attack on PHP
In-Reply-To: <46FCED89.9020001@secdat.com>
References: <46FA3A69.6000109@secdat.com>	<A3A1BB99-9742-4FF2-9790-F660A1E0888D@sala.ca>	<46FB9241.3040404@secdat.com>	<46FCE21C.9040901@beezifies.com>
	<46FCED89.9020001@secdat.com>
Message-ID: <46FCFA5F.9010701@beezifies.com>

Kenneth Downs wrote:

> The focus is on "...does not let them do anything they can't do anyway...."   

>If the hacker wants to test the SQL injection abilities, let them.  
 >Let them have fun.  Let them learn.  The real question is, can they
 >do harm?  And the answer is NO, not if they are connected to the
 >database with an account that has limited security abilities.

Hmm, I would say tricking someone into wiping out all patient records by 
having them click a custom crafted link which uses their authority to 
wipe every record in the database(since they have delete authority) 
would be harm.


>> Hmm, I think in terms of online stores and credits.  Sure, the person 
>> can purchase a credit and have the data in their user record updated, 
>> but it is so much cheaper to do an "update usertable set credits=10000 
>> where uid = 'me')
> 
> See Rusty's comment and my reply on row-level and column-level security.
> 
> 

Looking over your project website, it seems your doing this with views, 
correct?

I also note your using Postgress as your DB Engine.  Is it possible to 
provide the same type of security through views in MySQL(to be honest, 
due to the large number of v4 servers out there, I haven't kept up with 
V5 in regards to views)

Row and column level security wouldn't help from an online store 
perspective.  You could establish a level of this security through 
triggers, for example in a credit based system, instead of updating 
credits directly, you could do inserts into a purchase table and that 
table has a trigger to update the credits based on the package purchased.

I'm not disputing that your model is a good model to follow where 
feasible(a database server where you can create user accounts for every 
user), and given unlimited funds of course it should always be 
implemented.  But even this method doesn't eliminate problems with SQL 
injection, it minimizes them(depending on the application design, this 
may or may not result in fairly comprehensive protection.)

I wonder how difficult it would be to design a functional application 
that would work both in the shared hosting/single db user model AND a 
dedicated server/multi user model, and would there even be a market for 
such an app(market defined as people who would use it in both modes)



From rmarscher at beaffinitive.com  Fri Sep 28 11:17:41 2007
From: rmarscher at beaffinitive.com (Rob Marscher)
Date: Fri, 28 Sep 2007 11:17:41 -0400
Subject: [nycphp-talk] SPL - Do you use?
In-Reply-To: <65430E89-BE46-43C4-818A-7CBB0523C3F1@jonbaer.com>
References: <65430E89-BE46-43C4-818A-7CBB0523C3F1@jonbaer.com>
Message-ID: <D8D27742-E0CC-476A-B78D-D0FA45255141@beaffinitive.com>

On Sep 27, 2007, at 8:14 AM, Jon Baer wrote:
> Do many here use the SPL library?
I know zend framework uses a bunch of it.  Zend_Registry, for  
example, extends from ArrayObject.  The DirectoryIterator seems kinda  
convenient.  I haven't gotten that into it yet though.

> I could never really understand this "library", on one side part of  
> the Java programming that I really felt to be a burden of added /  
> bloated code was the idea of the "Iterator" (you always had to grab  
> one) and that is pretty much what the SPL is (for PHP5), and part  
> of the joy to PHP was the ease + use of a foreach loop and then  
> Java took a step back and implemented the same foreach idea in  
> current JVMs but I barely see it used in many projects.  I would  
> guess that Java people coming to PHP would understand it's uses /  
> design pattern better but the part of the Zend article I don't  
> understand is ...
> "This library of interfaces creates a standard API for certain  
> kinds of built-in functionality, allowing your classes to interact  
> with the PHP engine in a much more seamless manner."
> Im just wondering if this means the use of saying "foreach($objects  
> as $object)" or does refactoring w/ PHP5 Iterators also get you  
> something else as well?

I think there are more built-in php functions that your objects can  
take advantage of... found this in the unit test code, for example:
<?php

$ar = array(0=>0, 1=>1);
$ar = new ArrayObject($ar);

var_dump($ar);

$ar[2] = 2;
var_dump($ar[2]);
var_dump($ar["3"] = 3);

var_dump(array_merge((array)$ar, array(4=>4, 5=>5)));
?>

On a side note, the initial reaction of a of mine friend to the zend  
framework was that it felt too much like java.  He's a former java  
developer, who switched to php, and now works in ruby as well).

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070928/1b30145d/attachment.html>

From ken at secdat.com  Fri Sep 28 12:42:11 2007
From: ken at secdat.com (Kenneth Downs)
Date: Fri, 28 Sep 2007 12:42:11 -0400
Subject: [nycphp-talk] Not-so-subtle attack on PHP
In-Reply-To: <46FCFA5F.9010701@beezifies.com>
References: <46FA3A69.6000109@secdat.com>	<A3A1BB99-9742-4FF2-9790-F660A1E0888D@sala.ca>	<46FB9241.3040404@secdat.com>	<46FCE21C.9040901@beezifies.com>	<46FCED89.9020001@secdat.com>
	<46FCFA5F.9010701@beezifies.com>
Message-ID: <46FD2EE3.3000802@secdat.com>

bz-gmort at beezifies.com wrote:
> Kenneth Downs wrote:
>
>> The focus is on "...does not let them do anything they can't do 
>> anyway...."   
>
>> If the hacker wants to test the SQL injection abilities, let them.  
> >Let them have fun.  Let them learn.  The real question is, can they
> >do harm?  And the answer is NO, not if they are connected to the
> >database with an account that has limited security abilities.
>
> Hmm, I would say tricking someone into wiping out all patient records 
> by having them click a custom crafted link which uses their authority 
> to wipe every record in the database(since they have delete authority) 
> would be harm.

....but of course we want to prevent session hijacking and forged urls 
no matter what the security mechanism, right? 

...and I assume your database has foreign keys and delete constraints 
that would prevent orphaning all of those customers' orders, right?

...and finally, who is it that is connecting with the ability to wipe 
every record in the database?

>
>
>>> Hmm, I think in terms of online stores and credits.  

The nature of the application does not determine the security model, 
anymore than it determines the language.  We don't use PHP for retail 
and Java for wholesale.  The nature of the app simply determines the 
security assignments made, just as it determines what actual PHP or Java 
we write.


>>
>
> Looking over your project website, it seems your doing this with 
> views, correct?

Column and row-level security, yes.

>
> I also note your using Postgress as your DB Engine.  Is it possible to 
> provide the same type of security through views in MySQL(to be honest, 
> due to the large number of v4 servers out there, I haven't kept up 
> with V5 in regards to views)

Prior to version 5, mySQL lacked so many basic database features that it 
was just not in the running.  That is why Andromeda uses Postgres (I 
certainly did not pick Postgres so I could enjoy opting out of what 
99.9% of the community is using, but it lets me deliver work to my 
customers).  With version 5 the non-MySQL world is looking at it and 
saying, "Hmmm, they're getting there, i'll be interested in looking at 
version 6 or 7."

>
> Row and column level security wouldn't help from an online store 
> perspective.

See comment above.  It's not about the kind of application. 

To give an analogy, lots of people don't think Javascript handles 
inheritance because there is no class.  Then they find out about 
prototypes and they say, "Oh, ok, there is a way to do everything, it's 
just different."  Now, whether or not its *better*, well I won't comment 
on that.

Same goes for database security. There is a way to do everything you can 
possibly want to do.  The stunning and obvious fact that I will keep 
repeating is, /it all comes down to table permission in the end 
anyway!/  Most people just don't think that way, so they can't see how 
to design in.  They think in terms of, "Who should be allowed to run 
this program that does these powerful and dangerous actions?"  I will 
claim that putting security directly into the database is better than 
any other way because it /does what is needed in the end with the least 
possible work./


> You could establish a level of this security through triggers, for 
> example in a credit based system, instead of updating credits 
> directly, you could do inserts into a purchase table and that table 
> has a trigger to update the credits based on the package purchased.

More or less, yes.  A public user is not allowed to write to the items 
availability table.  But he can insert a line into the orders table 
(which is always stamped with his user_id), and a trigger fires that 
decrements the availability. 

>
> I'm not disputing that your model is a good model to follow where 
> feasible(a database server where you can create user accounts for 
> every user), and given unlimited funds of course it should always be 
> implemented.  But even this method doesn't eliminate problems with SQL 
> injection, it minimizes them(depending on the application design, this 
> may or may not result in fairly comprehensive protection.)

You are making the classic "Javascript can't do OO because it doesn't 
have classes" mistake.  Andromeda systems costs less to develop, are 
more secure, and easier to document than any code-centric alternative, 
precisely because of the radical DRY (don't repeat yourself) element of 
our database design.  A single spec details table structure, 
calculations, and security, and the builder builds the database for me.

On a completely off-topic segue, the new UI that I showed off at LIPHP 
is really cool, I'll be making that public today or tomorrow, it really 
shows off the approach.



>
> I wonder how difficult it would be to design a functional application 
> that would work both in the shared hosting/single db user model AND a 
> dedicated server/multi user model, and would there even be a market 
> for such an app(market defined as people who would use it in both modes)

Actually an Andromeda node can host any number of applications, private 
business apps and public sites both (as SDS servers in fact do), with 
multiple instances of the same apps and multiple versions of the same 
apps all running simultaneously.  All database users are fully isolated 
into their individual apps.


-- 
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com    www.andromeda-project.org
631-689-7200   Fax: 631-689-0527
cell: 631-379-0010

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070928/f6ff80e3/attachment.html>

From bz-gmort at beezifies.com  Fri Sep 28 13:02:27 2007
From: bz-gmort at beezifies.com (bz-gmort at beezifies.com)
Date: Fri, 28 Sep 2007 13:02:27 -0400
Subject: [nycphp-talk] Not-so-subtle attack on PHP
In-Reply-To: <46FD2EE3.3000802@secdat.com>
References: <46FA3A69.6000109@secdat.com>	<A3A1BB99-9742-4FF2-9790-F660A1E0888D@sala.ca>	<46FB9241.3040404@secdat.com>	<46FCE21C.9040901@beezifies.com>	<46FCED89.9020001@secdat.com>	<46FCFA5F.9010701@beezifies.com>
	<46FD2EE3.3000802@secdat.com>
Message-ID: <46FD33A3.1020803@beezifies.com>

Kenneth Downs wrote:
> ....but of course we want to prevent session hijacking and forged urls no matter what the security mechanism, right?  

I'd also like to prevent users entering something in an input field 
because their "friend" tells them it's a good idea.

But since I can't control users.....

> bz-gmort at beezifies.com wrote:
>>
>> I wonder how difficult it would be to design a functional application 
>> that would work both in the shared hosting/single db user model AND a 
>> dedicated server/multi user model, and would there even be a market 
>> for such an app(market defined as people who would use it in both modes)
> 
> Actually an Andromeda node can host any number of applications, private 
> business apps and public sites both (as SDS servers in fact do), with 
> multiple instances of the same apps and multiple versions of the same 
> apps all running simultaneously.  All database users are fully isolated 
> into their individual apps.

I'm thinking more from the perspective that the Application would run on 
a GoDaddy host, it will run on a Dreamhost account, and it will run on a 
dedicated server.

Designed in such a way to devolve down to the single db user access 
rights when that is all that is available, but will scale up to the 
multi user access level when it's available.

It would mean a lot of redundant code at the application level to manage 
security when the user access is lacking.

It seems to me it's better to start with an app dedicated for the shared 
hosting environment and then upgrade to something like Andromeda when it 
is economically justified.  But it would be cool to be able to use the 
same app under different security models.


From jcampbell1 at gmail.com  Fri Sep 28 13:35:44 2007
From: jcampbell1 at gmail.com (John Campbell)
Date: Fri, 28 Sep 2007 13:35:44 -0400
Subject: [nycphp-talk] Not-so-subtle attack on PHP
In-Reply-To: <46FD2EE3.3000802@secdat.com>
References: <46FA3A69.6000109@secdat.com>
	<A3A1BB99-9742-4FF2-9790-F660A1E0888D@sala.ca>
	<46FB9241.3040404@secdat.com> <46FCE21C.9040901@beezifies.com>
	<46FCED89.9020001@secdat.com> <46FCFA5F.9010701@beezifies.com>
	<46FD2EE3.3000802@secdat.com>
Message-ID: <8f0676b40709281035v34a197fag828134700357737e@mail.gmail.com>

On 9/28/07, Kenneth Downs <ken at secdat.com> wrote:

>   I will claim that putting security
> directly into the database is better than any other way because it does what
> is needed in the end with the least possible work.

I must be missing something.  Take a simple social networking
scenario: A user can only see another user's complete profile if and
only if they are mutual friends.  Implementing that in the tables
would be a huge pain in the ass and incur a big performance penalty.
Is there some super easy way to implement this that I am missing?

My problem with implementing security in the database, is that it
forces a relationship between data elements and users, where as if you
implement the security layer between the application and the data then
you can write policies that are a function of the data itself.


-Cheers
John Campbell


From bz-gmort at beezifies.com  Fri Sep 28 13:57:11 2007
From: bz-gmort at beezifies.com (bz-gmort at beezifies.com)
Date: Fri, 28 Sep 2007 13:57:11 -0400
Subject: [nycphp-talk] Not-so-subtle attack on PHP
In-Reply-To: <8f0676b40709281035v34a197fag828134700357737e@mail.gmail.com>
References: <46FA3A69.6000109@secdat.com>	<A3A1BB99-9742-4FF2-9790-F660A1E0888D@sala.ca>	<46FB9241.3040404@secdat.com>
	<46FCE21C.9040901@beezifies.com>	<46FCED89.9020001@secdat.com>
	<46FCFA5F.9010701@beezifies.com>	<46FD2EE3.3000802@secdat.com>
	<8f0676b40709281035v34a197fag828134700357737e@mail.gmail.com>
Message-ID: <46FD4077.7040603@beezifies.com>

John Campbell wrote:
> On 9/28/07, Kenneth Downs <ken at secdat.com> wrote:
> 
>>   I will claim that putting security
>> directly into the database is better than any other way because it does what
>> is needed in the end with the least possible work.
> 
> I must be missing something.  Take a simple social networking
> scenario: A user can only see another user's complete profile if and
> only if they are mutual friends.  Implementing that in the tables
> would be a huge pain in the ass and incur a big performance penalty.
> Is there some super easy way to implement this that I am missing?


It would?

Think of the profile information as follows:
ProfileTable
Username, userid, fullname, address, emailaddress, bio, Recordid
FriendTable:
Recordid, friendid


So, in the classic sense, if someone loads a profile, you might do a 
join between friendtable and profiletable and add a where clause where 
the friendid equals your userid- if you get data from it you display it. 
  Otherwise, you would pull just the public information.


In a DB driven sense, you would have:
ProfileTable
Username, fullname, address, emailaddress, bio, Recordid
FriendTable:
Recordid, friendusername

PublicProfiles:
A select only view of ProfileTable having only:
username, fullname, bio

And then for each and every userid, you have created automatically a set 
of views:
Myusername.friendprofiles
select Username, fullname, address, emailaddress, bio from profiletable 
where recordid in (select recordid from friendtable where friendusername 
= 'myusername')

(and to extend it a bit, you would also have a view for update:
Myusername.myprofile
select Username, fullname, address, emailaddress, bio from profiletable 
where username = 'myusername')


Now from the application perspective, you have 2 queries:
First you do a select to the myusername.firendprofiles table and if you 
locate the user your looking for, display the full data.
Second, if no record is found, than check the publicprofiles table for data


The important point here is that the only view you have UPDATE authority 
to is myusername.myprofile, wheras you have select authority on 
myusername.friendprofiles and publicprofiles.  You have no direct access 
to the profiletable.


Now, assume for a moment that the user get's some SQL injected past the 
program.

In the first case, since all the queries are run against the 
profiletable, the user can then view the private informaiton of other 
users(and worse, can change it since they have edit authority to edit 
their own record!)

With the view level security, the only view they can update is 
myusername.myprofile - so they can only change their personal record. 
As for selecting data, they can only select from the 
myusername.friendsprofile and myusername.publicprofiles.

Since the only data in those views is the data they are allowed to see 
anyway, even if they manage an SQL injection they still can't view data 
they were not authorized to access.




From jcampbell1 at gmail.com  Fri Sep 28 14:49:56 2007
From: jcampbell1 at gmail.com (John Campbell)
Date: Fri, 28 Sep 2007 14:49:56 -0400
Subject: [nycphp-talk] Not-so-subtle attack on PHP
In-Reply-To: <46FD4077.7040603@beezifies.com>
References: <46FA3A69.6000109@secdat.com>
	<A3A1BB99-9742-4FF2-9790-F660A1E0888D@sala.ca>
	<46FB9241.3040404@secdat.com> <46FCE21C.9040901@beezifies.com>
	<46FCED89.9020001@secdat.com> <46FCFA5F.9010701@beezifies.com>
	<46FD2EE3.3000802@secdat.com>
	<8f0676b40709281035v34a197fag828134700357737e@mail.gmail.com>
	<46FD4077.7040603@beezifies.com>
Message-ID: <8f0676b40709281149q7bd50053ued2825fb976c2b7f@mail.gmail.com>

That makes sense to me, I have never considered using eleventy
thousand views.  Is managing all of those views a problem?  Do you
create the views on the fly, or are they "fixed" when you create the
new user account?  How do you alter the views?


From mitch.pirtle at gmail.com  Fri Sep 28 15:04:12 2007
From: mitch.pirtle at gmail.com (Mitch Pirtle)
Date: Fri, 28 Sep 2007 15:04:12 -0400
Subject: [nycphp-talk] Not-so-subtle attack on PHP
In-Reply-To: <8f0676b40709281149q7bd50053ued2825fb976c2b7f@mail.gmail.com>
References: <46FA3A69.6000109@secdat.com>
	<A3A1BB99-9742-4FF2-9790-F660A1E0888D@sala.ca>
	<46FB9241.3040404@secdat.com> <46FCE21C.9040901@beezifies.com>
	<46FCED89.9020001@secdat.com> <46FCFA5F.9010701@beezifies.com>
	<46FD2EE3.3000802@secdat.com>
	<8f0676b40709281035v34a197fag828134700357737e@mail.gmail.com>
	<46FD4077.7040603@beezifies.com>
	<8f0676b40709281149q7bd50053ued2825fb976c2b7f@mail.gmail.com>
Message-ID: <330532b60709281204m1b92afd8y6128a3fe39e06fc5@mail.gmail.com>

On 9/28/07, John Campbell <jcampbell1 at gmail.com> wrote:
> That makes sense to me, I have never considered using eleventy
> thousand views.  Is managing all of those views a problem?  Do you
> create the views on the fly, or are they "fixed" when you create the
> new user account?  How do you alter the views?

If you're using MySQL, then you bypass views and give as much RAM as
you can to the query cache ;-)

Alternately, you could use something like memcache and store the
fetched values as arrays (based on userid) and then set your
application to update the key in the cache whenever that userid is
updated (from the relationship perspective).

With that approach, you offload the work to memcache which is purely
memory resident, meaning very very low load on the server to provide
that information. Also, you can set the value of the userid's for one
userid as an array, making it even easier to answer the question: So
who am I friends with, and can see their personal profiles?

-- Mitch


From bz-gmort at beezifies.com  Fri Sep 28 15:12:44 2007
From: bz-gmort at beezifies.com (bz-gmort at beezifies.com)
Date: Fri, 28 Sep 2007 15:12:44 -0400
Subject: [nycphp-talk] Not-so-subtle attack on PHP
In-Reply-To: <8f0676b40709281149q7bd50053ued2825fb976c2b7f@mail.gmail.com>
References: <46FA3A69.6000109@secdat.com>	<A3A1BB99-9742-4FF2-9790-F660A1E0888D@sala.ca>	<46FB9241.3040404@secdat.com>
	<46FCE21C.9040901@beezifies.com>	<46FCED89.9020001@secdat.com>
	<46FCFA5F.9010701@beezifies.com>	<46FD2EE3.3000802@secdat.com>	<8f0676b40709281035v34a197fag828134700357737e@mail.gmail.com>	<46FD4077.7040603@beezifies.com>
	<8f0676b40709281149q7bd50053ued2825fb976c2b7f@mail.gmail.com>
Message-ID: <46FD522C.2030506@beezifies.com>

John Campbell wrote:
> That makes sense to me, I have never considered using eleventy
> thousand views.  Is managing all of those views a problem?  Do you
> create the views on the fly, or are they "fixed" when you create the
> new user account?  How do you alter the views?

Dunno, I would assume it depends on the system.

I would imagine maintenance isn't that big of a deal, just like you can 
alter a table, you can alter a view and since you can list out all the 
views, it would be simple to script all that sort of thing.

The last time I used views was over 10 years ago on DB2.  Then I moved 
to using light weight relational DB's like MySQL - which lacked the 
features of an enterprise database, but also lacked the high hardware 
requirements of one.  Now MySQL is slowly approaching the features of 
enterprise databases, but it's a different time.  Memory and CPU are a 
lot cheaper now than 10 years ago.

DB2 was interesting, as every table had an "owner" which defaulted to 
the user who created it, but did not have to be.  If you ran a query and 
just specified a table name, it assumed the userid running the query to 
be the owner.

So we could create a view for every user with just the table/view 
name(for example: friendsprofile) and it would automatically be treated 
as username.friendsprofile.

Whereas for the general tables we would assign a generic "owner"(you 
could also use different generic owners the way MySQL uses a prefix, so 
instead of having prefix1_table, prefix2_table, prefix3_table we would 
have prod.table, dev.table, test.table)





From danielc at analysisandsolutions.com  Fri Sep 28 15:59:40 2007
From: danielc at analysisandsolutions.com (Daniel Convissor)
Date: Fri, 28 Sep 2007 15:59:40 -0400
Subject: [nycphp-talk] Webservice Issue with .NET
In-Reply-To: <1190900651.6021.6.camel@dorgan-mobile2>
References: <1190900651.6021.6.camel@dorgan-mobile2>
Message-ID: <20070928195939.GA1230@panix.com>

Heya:

On Thu, Sep 27, 2007 at 09:44:11AM -0400, Donald Organ wrote:
> 
> I have a webservice made using Services_Webservice(PEAR Package).
...
> but when invoking this service from .NET it
> seems that the property is null.

I've run into issues using PEAR SOAP with .NET.  For example:
http://pear.php.net/bugs/bug.php?id=7064

--Dan

-- 
 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
            data intensive web and database programming
                http://www.AnalysisAndSolutions.com/
 4015 7th Ave #4, Brooklyn NY 11232  v: 718-854-0335 f: 718-854-0409


From ken at secdat.com  Fri Sep 28 16:18:44 2007
From: ken at secdat.com (Kenneth Downs)
Date: Fri, 28 Sep 2007 16:18:44 -0400
Subject: [nycphp-talk] Not-so-subtle attack on PHP
In-Reply-To: <8f0676b40709281149q7bd50053ued2825fb976c2b7f@mail.gmail.com>
References: <46FA3A69.6000109@secdat.com>	<A3A1BB99-9742-4FF2-9790-F660A1E0888D@sala.ca>	<46FB9241.3040404@secdat.com>
	<46FCE21C.9040901@beezifies.com>	<46FCED89.9020001@secdat.com>
	<46FCFA5F.9010701@beezifies.com>	<46FD2EE3.3000802@secdat.com>	<8f0676b40709281035v34a197fag828134700357737e@mail.gmail.com>	<46FD4077.7040603@beezifies.com>
	<8f0676b40709281149q7bd50053ued2825fb976c2b7f@mail.gmail.com>
Message-ID: <46FD61A4.1060207@secdat.com>

John Campbell wrote:
> That makes sense to me, I have never considered using eleventy
> thousand views.  Is managing all of those views a problem?  Do you
> create the views on the fly, or are they "fixed" when you create the
> new user account?  How do you alter the views?
>   

no no no no no no no.

If the server supports row-level security, all users access the table 
itself.  User A, with full powers, says:

SELECT * FROM examples

and sees:

COLUMN 1     |   COLUMN 2    |   USER_ID
-------------+---------------+--------------
Value xxxx   |  Value zzzz   |  Joe
abc-123      |  xyz-abc      |  Joe
tuscon       |  texas        |  Mary

When user Joe comes along, he issues exactly the same query, but he sees 
this:

COLUMN 1     |   COLUMN 2    |   USER_ID
-------------+---------------+--------------
Value xxxx   |  Value zzzz   |  Joe
abc-123      |  xyz-abc      |  Joe


The column-level is the same.  Let's say Joe was not allowed to see 
Column 2.  So joe says:

SELECT * FROM examples

he gets as his result:

COLUMN 1     |    USER_ID
-------------+--------------
Value xxxx   |    Joe
abc-123      |    Joe


You also need to know something about the concept of security roles or 
groups.  Joe is a member of a group, perhaps named "public", and the 
security assignment is made to the group, not to the user. 

The sad fact is that most servers do not support this directly, so you 
fake it out by creating one view per meaningful security definition.  In 
the most complicated Andromeda app a particular table has 4 different 
views for 200 users.  The framework then asks the server which view a 
particular user should use.  That particular view gives the effects 
described above.  If they try to user a different view they are denied 
access.//


> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php
>   


-- 
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com    www.andromeda-project.org
631-689-7200   Fax: 631-689-0527
cell: 631-379-0010

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070928/7bc50911/attachment.html>

From ken at secdat.com  Fri Sep 28 16:38:09 2007
From: ken at secdat.com (Kenneth Downs)
Date: Fri, 28 Sep 2007 16:38:09 -0400
Subject: [nycphp-talk] Not-so-subtle attack on PHP
In-Reply-To: <8f0676b40709281035v34a197fag828134700357737e@mail.gmail.com>
References: <46FA3A69.6000109@secdat.com>	<A3A1BB99-9742-4FF2-9790-F660A1E0888D@sala.ca>	<46FB9241.3040404@secdat.com>
	<46FCE21C.9040901@beezifies.com>	<46FCED89.9020001@secdat.com>
	<46FCFA5F.9010701@beezifies.com>	<46FD2EE3.3000802@secdat.com>
	<8f0676b40709281035v34a197fag828134700357737e@mail.gmail.com>
Message-ID: <46FD6631.8040904@secdat.com>

John Campbell wrote:
> On 9/28/07, Kenneth Downs <ken at secdat.com> wrote:
>
>   
>>   I will claim that putting security
>> directly into the database is better than any other way because it does what
>> is needed in the end with the least possible work.
>>     
>
> I must be missing something.  Take a simple social networking
> scenario: A user can only see another user's complete profile if and
> only if they are mutual friends.  Implementing that in the tables
> would be a huge pain in the ass and incur a big performance penalty.
> Is there some super easy way to implement this that I am missing?
>
>   

No matter how you do it, you have to define it first.  Your rules, in 
English, roughly, are:

1) A user can see his own profile
2) A user can see his friends' profiles

Translated into database terms:

1) A user can see row(s) in the profiles table where the user_id column 
matches his
2) A user can see row(s) in the profiles table if the user_id matches a 
cross-reference that lists him and the target user.

If you want public/private profiles you repeat the same process for 
defining column-by-column access. As I've said many times in this 
thread, it will all come down to database definitions in the end, so the 
real question is about the easiest way to implement the most reliable 
approach.

The Andromeda definition would be something like this:

table profiles:
    column user_id:
       primary_key: "Y"
       # Supergods can see any row, but....
       group supergods:
          permrow: "N"     
       # ...group "general" only sees rows where this
       #    column matches their user_id
       group general:
          permrow: "Y"
       # ...any member of the group friends can see
       #    a row here if they are on the left side
       #    of friends x-ref table
       group friends:
          permrow_table: friends

    column name:
    column address:
    column city:
    ....etc....
  
#  This is the cross-reference of friends
table friends:
    foreign_key profiles:
       suffix: _1  
    foreign_key profiles:
       suffix: _2
   

Now that its defined the question is what is the easiest way to 
implement it?  If the server can do it for you then you have no more 
work to do.  That's why I wrote Andromeda and that's what Andromeda does 
for me.   But I don't do social networking sites -- I wish I had 
something that simple!


-- 
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com    www.andromeda-project.org
631-689-7200   Fax: 631-689-0527
cell: 631-379-0010

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070928/82ab98d4/attachment.html>

From elharo at metalab.unc.edu  Fri Sep 28 18:49:53 2007
From: elharo at metalab.unc.edu (Elliotte Harold)
Date: Fri, 28 Sep 2007 18:49:53 -0400
Subject: [nycphp-talk] Not-so-subtle attack on PHP
In-Reply-To: <46FCED89.9020001@secdat.com>
References: <46FA3A69.6000109@secdat.com>	<A3A1BB99-9742-4FF2-9790-F660A1E0888D@sala.ca>	<46FB9241.3040404@secdat.com>	<46FCE21C.9040901@beezifies.com>
	<46FCED89.9020001@secdat.com>
Message-ID: <46FD8511.9060705@metalab.unc.edu>

Kenneth Downs wrote:
> 
>> Many things are a waste of the cracker's time, but they do them 
>> anyway.  So counting on the result not being worth the time of cracker 
>> is wishful thinking. :-)
> 

Even if one has full cell level security in the DB, I expect there are 
still denial of service injection attacks that  may not access any cells 
at all. I'll leave it to the SQL experts to devise the nastiest, 
exponential time problems they can express in SQL. Brownie points for 
doing it in pure SQL without any vendor extensions. :-)

-- 
Elliotte Rusty Harold  elharo at metalab.unc.edu
Java I/O 2nd Edition Just Published!
http://www.cafeaulait.org/books/javaio2/
http://www.amazon.com/exec/obidos/ISBN=0596527500/ref=nosim/cafeaulaitA/


From lists at silmail.com  Sat Sep 29 06:33:33 2007
From: lists at silmail.com (Jiju Thomas Mathew)
Date: Sat, 29 Sep 2007 16:03:33 +0530
Subject: [nycphp-talk] Not-so-subtle attack on PHP
In-Reply-To: <46FD8511.9060705@metalab.unc.edu>
References: <46FA3A69.6000109@secdat.com>
	<A3A1BB99-9742-4FF2-9790-F660A1E0888D@sala.ca>
	<46FB9241.3040404@secdat.com> <46FCE21C.9040901@beezifies.com>
	<46FCED89.9020001@secdat.com> <46FD8511.9060705@metalab.unc.edu>
Message-ID: <6431a0f40709290333p3f82a0b4r7877f54670221ff9@mail.gmail.com>

Would some of you comment on the following bit?

class sqlDb
{
    var $link;
    function sqlDb($dsn){
        $pdsn = parse_url($dsn);
        if($pdsn['scheme'] !== 'mysql')
            die("System is designed for MySQL only.. Please Correct the
dsn");
        $mysql_db = preg_replace("@^\/@",'',$pdsn['path']);

        $this->link =
mysql_connect($pdsn['host'],$pdsn['user'],$pdsn['pass']) or die("Could not
connect");
        mysql_select_db($mysql_db) or die ("Could not select database");
    }

    function error($query, $errno, $error) {
        echo $error . "<br>" . $query;
        mysql_query("rollback");
        return false;
    }

    /**
     * Sends a query to the database
     *
     * @param sqlquery $query
     * @return result-resource
     */

      function query($query) {
            $result = mysql_query($query, $this->link) or
$this->error($query, mysql_errno(), mysql_error());
            return $result;
      }

      /**
       * Perform a modification query on database
       *
       * @param string $table
       * @param object $data
       * @param string $action
       * @param string $parameters
       * @return data resource
       */
  function perform($table, $data, $action = 'insert', $parameters = '') {
    reset($data);
    if ($action == 'insert') {
      $query = 'INSERT INTO ' . $table . ' (' . join(', ',
array_keys($data)) . ') VALUES (';
      reset($data);
      foreach ($data as $value){
          if(eregi("^func:", $value)){
               $query .= substr($value,5) . ', ';
          }else {
            switch ((string)$value) {
              case 'now()':
                $query .= 'NOW(), ';
                break;
              case 'null':
                $query .= 'NULL, ';
                break;
              default:
                $query .= '\'' . $this->input($value) . '\', ';
                break;
            }
        }
      }
      $query = substr($query, 0, -2) . ')';
    } elseif ($action == 'update') {
      $query = 'UPDATE ' . $table . ' SET ';
      foreach ($data as $columns => $value) {
          if(eregi("^func:", $value)){
               $query .= $columns . substr($value,5) . ', ';
          }else {
            switch ((string)$value) {
              case 'now()':
                $query .= $columns . ' = NOW(), ';
                break;
              case 'null':
                $query .= $columns . ' = NULL, ';
                break;
              case '++':
                $query .= $columns .' = '.$columns.' + 1, ';
                break;
              default:
                $query .= $columns . ' = \'' . $this->input($value) . '\',
';
                break;
            }
        }
      }
      $query = substr($query, 0, -2);
      if($parameters !== '')
          $query .= ' WHERE ' . $parameters;
    }
        return $this->query($query);
  }

  function fetch_object($result){
    return mysql_fetch_object($result);
  }

  function fetch_array($result) {
    return mysql_fetch_array($result, MYSQL_ASSOC);
  }

  function fetch_row($result) {
    return mysql_fetch_row($result);
  }

  function num_rows($result) {
    return mysql_num_rows($result);
  }

  function data_seek($result, $row_number) {
    return mysql_data_seek($result, $row_number);
  }

  function insert_id() {
    return mysql_insert_id();
  }

  function affected_rows() {
    return mysql_affected_rows();
  }

  function free_result($result) {
    return mysql_free_result($result);
  }

  function fetch_fields($result) {
    return mysql_fetch_field($result);
  }

  function output($string) {
    return htmlspecialchars($string);
  }

  function input($string) {
    return addslashes($string);
  }

  function prepare_input($string) {
    if (is_string($string)) {
      return trim(stripslashes($string));
    } elseif (is_array($string)) {
      reset($string);
      while (list($key, $value) = each($string)) {
        $string[$key] = $this->prepare_input($value);
      }
      return $string;
    } else {
      return $string;
    }
  }
}
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070929/2be2653a/attachment.html>

From ramons at gmx.net  Sat Sep 29 07:39:56 2007
From: ramons at gmx.net (David Krings)
Date: Sat, 29 Sep 2007 07:39:56 -0400
Subject: [nycphp-talk] Not-so-subtle attack on PHP
In-Reply-To: <8f0676b40709281035v34a197fag828134700357737e@mail.gmail.com>
References: <46FA3A69.6000109@secdat.com>	<A3A1BB99-9742-4FF2-9790-F660A1E0888D@sala.ca>	<46FB9241.3040404@secdat.com>
	<46FCE21C.9040901@beezifies.com>	<46FCED89.9020001@secdat.com>
	<46FCFA5F.9010701@beezifies.com>	<46FD2EE3.3000802@secdat.com>
	<8f0676b40709281035v34a197fag828134700357737e@mail.gmail.com>
Message-ID: <46FE398C.4080502@gmx.net>

John Campbell wrote:
> On 9/28/07, Kenneth Downs <ken at secdat.com> wrote:
> 
>>   I will claim that putting security
>> directly into the database is better than any other way because it does what
>> is needed in the end with the least possible work.
> 
> I must be missing something.  Take a simple social networking
> scenario: A user can only see another user's complete profile if and
> only if they are mutual friends.  Implementing that in the tables
> would be a huge pain in the ass and incur a big performance penalty.
> Is there some super easy way to implement this that I am missing?
> 
> My problem with implementing security in the database, is that it
> forces a relationship between data elements and users, where as if you
> implement the security layer between the application and the data then
> you can write policies that are a function of the data itself.

And not only that, adding security to the database will basically put 
part of the business logic into the database, which makes it very 
difficult to abstract the db layer and be db platform independent. Not 
everyone runs MySQL or MSSQL or PostGres.
My experience is that the less you rely in logic on the db the better it 
is unless you are guranateed to have your pick in db platforms. That is 
why I do not get those who sell to unknown platform environments and jam 
pack MSSQL with stored procedures. Create a real server app - which, I 
know, has some disadvantages as well.

David



From ken at secdat.com  Sat Sep 29 09:28:01 2007
From: ken at secdat.com (Kenneth Downs)
Date: Sat, 29 Sep 2007 09:28:01 -0400
Subject: [nycphp-talk] Not-so-subtle attack on PHP
In-Reply-To: <46FD8511.9060705@metalab.unc.edu>
References: <46FA3A69.6000109@secdat.com>	<A3A1BB99-9742-4FF2-9790-F660A1E0888D@sala.ca>	<46FB9241.3040404@secdat.com>	<46FCE21C.9040901@beezifies.com>	<46FCED89.9020001@secdat.com>
	<46FD8511.9060705@metalab.unc.edu>
Message-ID: <46FE52E1.2060202@secdat.com>

Elliotte Harold wrote:
> Kenneth Downs wrote:
>>
>>> Many things are a waste of the cracker's time, but they do them 
>>> anyway.  So counting on the result not being worth the time of 
>>> cracker is wishful thinking. :-)
>>
>
> Even if one has full cell level security in the DB, I expect there are 
> still denial of service injection attacks that  may not access any 
> cells at all. I'll leave it to the SQL experts to devise the nastiest, 
> exponential time problems they can express in SQL. Brownie points for 
> doing it in pure SQL without any vendor extensions. :-)
>
Even with db security you have to escape the strings to save things like 
the name of our favorite publisher.

So the database has this row in it:

Name: Captian Cracker
Email:you at wont.ever.known
Company: O'Reilly
comments:  I will kill your system';drop database social_networking

And you say, 'hmmm, that's an interesting comment.'


-- 
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com    www.andromeda-project.org
631-689-7200   Fax: 631-689-0527
cell: 631-379-0010



From chsnyder at gmail.com  Sat Sep 29 16:39:11 2007
From: chsnyder at gmail.com (csnyder)
Date: Sat, 29 Sep 2007 16:39:11 -0400
Subject: [nycphp-talk] SPL - Do you use?
In-Reply-To: <D8D27742-E0CC-476A-B78D-D0FA45255141@beaffinitive.com>
References: <65430E89-BE46-43C4-818A-7CBB0523C3F1@jonbaer.com>
	<D8D27742-E0CC-476A-B78D-D0FA45255141@beaffinitive.com>
Message-ID: <b76252690709291339h3d839cday803bf4425f2991d7@mail.gmail.com>

On 9/28/07, Rob Marscher <rmarscher at beaffinitive.com> wrote:

> On a side note, the initial reaction of a of mine friend to the zend
> framework was that it felt too much like java.  He's a former java
> developer, who switched to php, and now works in ruby as well).
>

Interesting... one of the excellent benefits of all the frameworks
(backend and front-end/ajax) that have emerged over the past few years
is that developers are getting exposed to a lot of new patterns and
concepts by using them.

-- 
Chris Snyder
http://chxo.com/


From ioplex at gmail.com  Sat Sep 29 18:34:55 2007
From: ioplex at gmail.com (Michael B Allen)
Date: Sat, 29 Sep 2007 18:34:55 -0400
Subject: [nycphp-talk] SPL - Do you use?
In-Reply-To: <65430E89-BE46-43C4-818A-7CBB0523C3F1@jonbaer.com>
References: <65430E89-BE46-43C4-818A-7CBB0523C3F1@jonbaer.com>
Message-ID: <78c6bd860709291534j125faca7g909bbef93a6ef5a6@mail.gmail.com>

On 9/27/07, Jon Baer <jonbaer at jonbaer.com> wrote:
> Do many here use the SPL library?
>
> I could never really understand this "library", on one side part of the Java
> programming that I really felt to be a burden of added / bloated code was
> the idea of the "Iterator" (you always had to grab one) and that is pretty
> much what the SPL is (for PHP5), and part of the joy to PHP was the ease +
> use of a foreach loop and then Java took a step back and implemented the
> same foreach idea in current JVMs but I barely see it used in many projects.
>  I would guess that Java people coming to PHP would understand it's uses /
> design pattern better

I did Java for many years. Now I do mostly C. But at the moment I've
been digging around inside Zend Framework. So I think I can add a few
opinions about this topic.

Whenever the topic of OOP comes up I can't help but wonder if they're
just enthusiastic about just having read Design Patterns or if they
really understand that OOP is just a tool that has certain use
scenarios.

It seems that a lot of people think that if a language supports OOP
that they should always use it as if it were "better" than not using
OOP. That is false.

For example, I did a network protocol client in Java that was
basically a lot of encoding and decoding of binary blobs and
multiplexing I/O and so on. Because Java's libraries required OOP
(unlike C++ which is backward compatible with straight C) it was
actually harder to write networking code. Aside from occasionally
using inheritance to do simple things like represent similar packet
formats, Java just got in the way. In some cases libraries were so
bloated and overdesigned we simply couldn't use them (even though they
were specifically designed for doing network programming (e.g. nio and
concurrency packages)).

OOP provides one major benefit - polymorphism. If you don't need
polymorphism, you should not be using OOP. But in some cases
polymorphism can make your code very simple and yet highly extensible.
It *can* be extremely powerful.

I don't know anything about SPL but if it doesn't make any difference
to use foreach instead of an Iterator then obviously you should use
foreach. But if it is desirable to allow users to redefine how the
behavior of the iteration works, then an Iterator class may be
appropriate.

> but the part of the Zend article I don't understand is
> ...
>
>
> "This library of interfaces creates a standard API for certain kinds of
> built-in functionality, allowing your classes to interact with the PHP
> engine in a much more seamless manner."

One of the more powerful use cases for polymorphism (and thus OOP
capabilities of the language being used) are frameworks. Frameworks
are by definition supposed to be extensible so the benefits of using
OOP can far out weigh the overhead of using it.

Currently I am writing Zend_Auth_Adapter classes for Kerberos
authentication (SPNEGO for SSO and vanilla Kerberos for the login
form) and a Zend_Controller plugin. With the Zend_Controller plugin
users will be able to tweak their bootstrap file and add Kerberos SSO
and a Kerberos login form without modifying the underlying code.

As for Zend Framework itself, my first impression is that it's
actually pretty well thought out. I've done a number of auth plugins
for various PHP apps the trend is to over-abstract the authentication
process. I'm very pleased to say that ZF did not do this. The
Zend_Auth_Adapter interface has one method 'authenticate()' and avoids
the common mistake of trying to manage and automatically persist
credentials.

The other ZF component I have experience with is Zend_Controller and
again, despite my reservations about OOP, it is not over-designed.
Sure there's overhead in creating all of those objects and resolving
methods but you do get significant flexibility in return. And another
thing that should not be overlooked is that that flexibility ensures
that there will be a heathy community which provides the operator with
invaluable support.

I predict that Zend Framework will be quite popular.

Mike


From jonbaer at jonbaer.com  Sat Sep 29 19:29:15 2007
From: jonbaer at jonbaer.com (Jon Baer)
Date: Sat, 29 Sep 2007 19:29:15 -0400
Subject: [nycphp-talk] PHP 5.3 / Namespaces
Message-ID: <3E0069C7-A673-424E-868E-63AEFC007240@jonbaer.com>

So according to a few (kinda old) blogs, etc, in 5.3 we should be  
able to accomplish something like this (correct me if Im wrong, Ive  
only poked through latest php-src):

<?php
     import MyCoolLibrary as MCL;
     echo MCL::Version;
?>

Just curious, does importing again as MCL create a stack or does it  
throw an exception?  If it is stacked this would give you a mixin  
like capability wouldn't it?

Either way I'd think it was possible if this is true:

6) Calls to qualified functions are resolved at run-time. Call to
A::B::foo() first tries to call function foo() from namespace A::B, then
it tries to find class A::B (__autoload() it if necessary) and call its
static method foo()

- Jon
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070929/00e6d2a6/attachment.html>

From jonbaer at jonbaer.com  Sat Sep 29 19:34:51 2007
From: jonbaer at jonbaer.com (Jon Baer)
Date: Sat, 29 Sep 2007 19:34:51 -0400
Subject: [nycphp-talk] SPL - Do you use?
In-Reply-To: <78c6bd860709291534j125faca7g909bbef93a6ef5a6@mail.gmail.com>
References: <65430E89-BE46-43C4-818A-7CBB0523C3F1@jonbaer.com>
	<78c6bd860709291534j125faca7g909bbef93a6ef5a6@mail.gmail.com>
Message-ID: <AB72A2CD-B058-4AB5-8C97-751E0049C5BD@jonbaer.com>

Excellent feedback from everyone on SPL, thanks for taking time to  
post back.

- Jon

On Sep 29, 2007, at 6:34 PM, Michael B Allen wrote:

> On 9/27/07, Jon Baer <jonbaer at jonbaer.com> wrote:
>> Do many here use the SPL library?
>>
>> I could never really understand this "library", on one side part  
>> of the Java
>> programming that I really felt to be a burden of added / bloated  
>> code was
>> the idea of the "Iterator" (you always had to grab one) and that  
>> is pretty
>> much what the SPL is (for PHP5), and part of the joy to PHP was  
>> the ease +
>> use of a foreach loop and then Java took a step back and  
>> implemented the
>> same foreach idea in current JVMs but I barely see it used in many  
>> projects.
>>  I would guess that Java people coming to PHP would understand  
>> it's uses /
>> design pattern better
>
> I did Java for many years. Now I do mostly C. But at the moment I've
> been digging around inside Zend Framework. So I think I can add a few
> opinions about this topic.


From johnzabroski at yahoo.com  Sun Sep 30 22:50:07 2007
From: johnzabroski at yahoo.com (John Zabroski)
Date: Sun, 30 Sep 2007 19:50:07 -0700 (PDT)
Subject: [nycphp-talk] SPL - Do you use?
In-Reply-To: <78c6bd860709291534j125faca7g909bbef93a6ef5a6@mail.gmail.com>
Message-ID: <159033.76159.qm@web60221.mail.yahoo.com>

The benefit of object-orientation is message dispatch.  Objects are peers.  They define what to do, not how to do it.  Delegation of responsibilities is therefore way more dependable a concept than simply polymorphism.  If the notion of a network of inter-cooperating agents working together to accomplish a task resembles your task, then objects might make sense.

Polymorphism isn't why object-oriented frameworks are successful.  In general, frameworks are successful because the problem application domain was well understood before it was ever translated into code.  Frameworks tend to address a vertical line of business (some ill-defined problem application domain) or a horizontal line of business (i.e., security).  Frameworks are also successful because they usually glue together off-the-shelf software in interesting ways that rapidly solve problems.
  
  Also, if you want to make your code to be very simple, then just obey the first rule of programming: figure out what you want to say before you figure out how to say it.  Meaningful abstractions can never be crafted in the absence of a well-defined context.

Programming language concepts don't make programming simple.  Deep, penetrating knowledge of the problem application domain makes programming simpler.  Having a language that you can easily translate that knowledge into is also a boon, just as having off-the-shelf software that you can glue into your architecture is a boon.

Michael B Allen <ioplex at gmail.com> wrote:
 OOP provides one major benefit - polymorphism. If you don't need
polymorphism, you should not be using OOP. But in some cases
polymorphism can make your code very simple and yet highly extensible.
It *can* be extremely powerful.
       
---------------------------------
Fussy? Opinionated? Impossible to please? Perfect.  Join Yahoo!'s user panel and lay it on us.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20070930/b291d293/attachment.html>

From edwardpotter at gmail.com  Sun Sep 30 23:33:54 2007
From: edwardpotter at gmail.com (Edward Potter)
Date: Sun, 30 Sep 2007 23:33:54 -0400
Subject: [nycphp-talk] SPL - Do you use?
In-Reply-To: <159033.76159.qm@web60221.mail.yahoo.com>
References: <78c6bd860709291534j125faca7g909bbef93a6ef5a6@mail.gmail.com>
	<159033.76159.qm@web60221.mail.yahoo.com>
Message-ID: <c5949a380709302033i6dacd09bqb59f8d1b3feab8a2@mail.gmail.com>

When it get to this abstract level, just think of objects as cells &
functions as peptides carrying messages (variables) to hungry
mitochondria (http://en.wikipedia.org/wiki/Mitochondrion) waiting to
be fed to make those cells work for you. If you have all your code
working correctly, you'll be able to Interconnect them all and you'll
get a Paris Hilton - or something like that. :-)

Then take 2 Prozac, and re-boot . . .

ed  (works for me)

On 9/30/07, John Zabroski <johnzabroski at yahoo.com> wrote:
> The benefit of object-orientation is message dispatch.  Objects are peers.
> They define what to do, not how to do it.  Delegation of responsibilities is
> therefore way more dependable a concept than simply polymorphism.  If the
> notion of a network of inter-cooperating agents working together to
> accomplish a task resembles your task, then objects might make sense.
>
> Polymorphism isn't why object-oriented frameworks are successful.  In
> general, frameworks are successful because the problem application domain
> was well understood before it was ever translated into code.  Frameworks
> tend to address a vertical line of business (some ill-defined problem
> application domain) or a horizontal line of business (i.e., security).
> Frameworks are also successful because they usually glue together
> off-the-shelf software in interesting ways that rapidly solve problems.
>
>  Also, if you want to make your code to be very simple, then just obey the
> first rule of programming: figure out what you want to say before you figure
> out how to say it.  Meaningful abstractions can never be crafted in the
> absence of a well-defined context.
>
> Programming language concepts don't make programming simple.  Deep,
> penetrating knowledge of the problem application domain makes programming
> simpler.  Having a language that you can easily translate that knowledge
> into is also a boon, just as having off-the-shelf software that you can glue
> into your architecture is a boon.
>
>
> Michael B Allen <ioplex at gmail.com> wrote:
>  OOP provides one major benefit - polymorphism. If you don't need
> polymorphism, you should not be using OOP. But in some cases
> polymorphism can make your code very simple and yet highly extensible.
> It *can* be extremely powerful.
>
>  ________________________________
> Fussy? Opinionated? Impossible to please? Perfect. Join Yahoo!'s user panel
> and lay it on us.
>
>
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php
>


-- 
the Blog: http://www.utopiaparkway.com
the Karma: http://www.coderswithconscience.com
the Projects: http://flickr.com/photos/86842405 at N00/
the Store: http://astore.amazon.com/httpwwwutopic-20