sg

Saturday, December 03, 2005

[Gmail-Lounge] Re: php questions


On 12/3/05, Allen Day <so.orange@gmail.com> wrote:
>
> Kass Lloyd <kasslloyd@gmail.com> wrote:
>
> >On 12/2/05, Allen Day <so.orange@gmail.com> wrote:
> >> Indeed, I've done this to make it possible to use a dynamically generated
> >> image on phpbb message boards so my signature can be a random quote file.
> >> (http://theprawn.com/imagiine/)
> >> example: http://theprawn.com/imagiine/src/blimpsig.png
> >
> >Ya, but some forums flip a nut on dynamic images.. ;-)
>
> Yeah, like phpbb -- that one, really, can't be detected short of someone
> pointing a finger and saying it. Software proof ;)

The admins, not the software; dynamic images can be used to exploit
things like cross-site scripting bugs.

> >> Actually, if you can do the following item you can probably do this. All
> >> you need is to be running apache and have the ability to use .htaccess --
> >> nearly every web host I've used over the years (though it's been the same
> >> one since '01 so people may have changed policy) haven't limited this.
> >
> >*MOST* do not allow you to modify those kinds of settings in the
> >.htaccess file. I would say all do, but you may find some ineptly run
> >web host somewhere that would, like you apparently did. ;-)
>
> Free hosts, I can see this--but you're saying most hosts you pay money for
> don't give you these basic options these days? Man, the Internet sucks
> these days. As for my web host, by no means is it ineptly run. They
> understand that serious web developers need serious power. .htaccess is
> pretty basic stuff that should be available to paying folk. I'm going to
> go out on a limb and assume that your "most do" bit is referring to free
> hosts and plans for hosting without your own domain name.

They give you .htaccess, but they DO NOT let you change apache
variables like what files execute as scripts.

> >> >2. mod_rewrite, not many web servers enable this, because it can be
> >> >abusive to some degree. If it is enabled you can easily make
> >> >http://whatever.com/file.js point to http://whatever.com/file.php.
> >>
> >> With a little regex knowledge, mod_rewrite is a great way to make the urls
> >> for scripts that rely heavily on _get variables more "readable"
> >> (protempore.org is where I've used it the most)
> >
> >mod_rewrite is nice, but definitely not all web hosts allow it.
>
> Once again, I think [hope] we're simply dealing with whether or not you're
> using your own domain here -- at any rate, it's good stuff.

Most web hosts don't enable this either, and it definitely can't be
enabled in a .htaccess, no web host in their right mind would allow
clients to enable apache mods on the fly, that would be stupid. This
again can be used to facilitate cross-site scripting exploits, since
you mask scripts to look like innocent images.

> >> >Maybe you've all moved onto other things, I donno... confusing. I hate
> >> >regex.
> >>
> >> I learned php just because I loved regex so much . . . but I'm a
> >> text-parsing fiend. :-)
> >
> >Regex is for.. I donno.. not humans.
>
> Regex is beautiful. I can't tell you how many man hours it has saved me
> doing text cleanup, database populating, and so on.

It's still not for humans.
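
Added example, not part of the original thread: a check a forum operator could run on a remote signature image, since the thread's point is that a URL ending in `.png` says nothing about what the server behind it returns. The function names, paths and response bodies are constructed for illustration.

```python
import os

# Leading "magic" bytes of the image formats a forum would normally accept.
MAGIC = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/jpeg": (b"\xff\xd8\xff",),
}
EXT_TO_TYPE = {".png": "image/png", ".gif": "image/gif",
               ".jpg": "image/jpeg", ".jpeg": "image/jpeg"}


def sniff(body):
    """Return the image type implied by the first bytes, or None."""
    for mime, signatures in MAGIC.items():
        if any(body.startswith(sig) for sig in signatures):
            return mime
    return None


def check_image_response(url_path, content_type, body):
    """Return reasons to reject the response; an empty list means the
    extension, the declared Content-Type and the body all agree."""
    problems = []
    ext = os.path.splitext(url_path.split("?", 1)[0])[1].lower()
    expected = EXT_TO_TYPE.get(ext)
    declared = content_type.split(";", 1)[0].strip().lower()
    actual = sniff(body)
    if expected is None:
        problems.append("extension is not an accepted image type")
    if declared not in MAGIC:
        problems.append("Content-Type is not an accepted image type")
    if actual is None:
        problems.append("body does not start with an image signature")
    elif not (expected == declared == actual):
        problems.append("extension, Content-Type and body disagree")
    return problems


# Constructed responses: a real PNG, a rewritten URL serving markup,
# and a GIF served under a .png name.
SAMPLES = [
    ("/sig/quote.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
    ("/sig/quote.png", "text/html", b"<html>not an image</html>"),
    ("/sig/quote.png?x=1", "image/png", b"GIF89a" + b"\x00" * 8),
]

if __name__ == "__main__":
    for path, ctype, body in SAMPLES:
        print(path, ctype, check_image_response(path, ctype, body) or "ok")
```

A script that returns a genuine PNG, like the random-quote signature described above, passes this check. Because a dynamic URL can answer differently on every request, the result only describes the response that was inspected.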
