Beginner's trouble with substr [message #179454]
Mon, 29 October 2012 17:20
C
What am I doing wrong in this? The substr part does not seem to get processed properly.
<?php
global $host;
$host=@gethostbyaddr($REMOTE_ADDR);
if ($HTTP_SERVER_VARS["HTTP_X_FORWARDED_FOR"] != "")
{$realhost = @gethostbyaddr($HTTP_SERVER_VARS["HTTP_X_FORWARDED_FOR"]);}
$referer = $HTTP_REFERER;
if (substr($host, -3) == ".xy") {exit;} //
if (substr($host, 6) == "abcd29") {exit;} //
if (substr($referer, -4) == ".xyz") {exit;} //
if ($found == 1) {include 'simple.html';} else {include 'home.html';}
?>

Re: Beginner's trouble with substr [message #179455 is a reply to message #179454]
Mon, 29 October 2012 17:34
Salvatore
On 2012-10-29, wrong(dot)address(dot)1(at)gmail(dot)com <wrong(dot)address(dot)1(at)gmail(dot)com> wrote:
>
> What am I doing wrong in this? The substr part does not seem to get processed properly.
>
> <?php
>
> global $host;
> $host=@gethostbyaddr($REMOTE_ADDR);
> if ($HTTP_SERVER_VARS["HTTP_X_FORWARDED_FOR"] != "")
> {$realhost = @gethostbyaddr($HTTP_SERVER_VARS["HTTP_X_FORWARDED_FOR"]);}
> $referer = $HTTP_REFERER;
>
> if (substr($host, -3) == ".xy") {exit;} //
> if (substr($host, 6) == "abcd29") {exit;} //
> if (substr($referer, -4) == ".xyz") {exit;} //
>
> if ($found == 1) {include 'simple.html';} else {include 'home.html';}
>
> ?>
The first thing I see wrong is that the variable "$found" is not
declared.
What are you trying to achieve?
--
Blah blah bleh...
GCS/CM d(-)@>-- s+:- !a C++$ UBL++++$ L+$ W+++$ w M++ Y++ b++

Re: Beginner's trouble with substr [message #179456 is a reply to message #179455]
Mon, 29 October 2012 17:40
C
On 29 Oct, 19:34, Salvatore <s...@yojimbo.hack.invalid> wrote:
> On 2012-10-29, wrong.addres...@gmail.com <wrong.addres...@gmail.com> wrote:
>
>> What am I doing wrong in this? The substr part does not seem to get processed properly.
>
>> <?php
>
>> global $host;
>> $host=@gethostbyaddr($REMOTE_ADDR);
>> if ($HTTP_SERVER_VARS["HTTP_X_FORWARDED_FOR"] != "")
>> {$realhost = @gethostbyaddr($HTTP_SERVER_VARS["HTTP_X_FORWARDED_FOR"]);}
>> $referer = $HTTP_REFERER;
>
>> if (substr($host, -3) == ".xy") {exit;} //
>> if (substr($host, 6) == "abcd29") {exit;} //
>> if (substr($referer, -4) == ".xyz") {exit;} //
>
>> if ($found == 1) {include 'simple.html';} else {include 'home.html';}
>
>> ?>
>
> The first thing I see wrong is that the variable "$found" is not
> declared.
>
> What are you trying to achieve?
>
> --
> Blah blah bleh...
> GCS/CM d(-)@>-- s+:- !a C++$ UBL++++$ L+$ W+++$ w M++ Y++ b++
I took that code out which defines $found. The code is trying to avoid
some nasty visitors.

Re: Beginner's trouble with substr [message #179457 is a reply to message #179456]
Mon, 29 October 2012 19:46
Salvatore
On 2012-10-29, C <wrong(dot)address(dot)1(at)gmail(dot)com> wrote:
> I took that code out which defines $found. The code is trying to avoid
> some nasty visitors.
Ah, okay. I tried all the substr() calls and they appear to work properly.
However, the second substr() call is taking the last six characters off
the end of the string "$host", and not the first six characters as I
imagine you are trying to do.
Here's some sample code I put together to test this:
<?php
$host = 'a1b2c3d4e5f6';
$sub = substr($host, 6);
print "$sub\n";
?>
The above code results in the string "d4e5f6" being printed out, and not
"a1b2c3" as you may expect. If you want only the first six characters,
set the second parameter to 0 (zero) and the third parameter to 6.
--
Blah blah bleh...
GCS/CM d(-)@>-- s+:- !a C++$ UBL++++$ L+$ W+++$ w M++ Y++ b++

Re: Beginner's trouble with substr [message #179458 is a reply to message #179454]
Mon, 29 October 2012 20:44
Doug Miller
wrong(dot)address(dot)1(at)gmail(dot)com wrote in news:c67eb83e-13d8-4263-b723-a10744fcd444@googlegroups.com:
>
> What am I doing wrong in this? The substr part does not seem to get processed properly.
That is because you are not using it properly.
http://us3.php.net/manual/en/function.substr.php
The second parameter is the starting position, not (as you appear to believe) the length;
length is the *third* parameter.
>
> <?php
>
> global $host;
> $host=@gethostbyaddr($REMOTE_ADDR);
> if ($HTTP_SERVER_VARS["HTTP_X_FORWARDED_FOR"] != "")
> {$realhost = @gethostbyaddr($HTTP_SERVER_VARS["HTTP_X_FORWARDED_FOR"]);}
> $referer = $HTTP_REFERER;
>
> if (substr($host, -3) == ".xy") {exit;} //
> if (substr($host, 6) == "abcd29") {exit;} //
> if (substr($referer, -4) == ".xyz") {exit;} //
>
> if ($found == 1) {include 'simple.html';} else {include 'home.html';}
>
> ?>

Re: Beginner's trouble with substr [message #179459 is a reply to message #179456]
Mon, 29 October 2012 22:47
Denis McMahon
On Mon, 29 Oct 2012 10:40:31 -0700, C wrote:
> On 29 Oct, 19:34, Salvatore <s...@yojimbo.hack.invalid> wrote:
>> On 2012-10-29, wrong.addres...@gmail.com <wrong.addres...@gmail.com>
>> wrote:
>>
>>> What am I doing wrong in this? The substr part does not seem to get
>>> processed properly.
>>
>>> <?php
>>
>>> global $host;
>>> $host=@gethostbyaddr($REMOTE_ADDR);
>>> if ($HTTP_SERVER_VARS["HTTP_X_FORWARDED_FOR"] != "")
>>> {$realhost =
>>> @gethostbyaddr($HTTP_SERVER_VARS["HTTP_X_FORWARDED_FOR"]);}
>>> $referer = $HTTP_REFERER;
>>
>>> if (substr($host, -3) == ".xy") {exit;} //
>>> if (substr($host, 6) == "abcd29") {exit;} //
>>> if (substr($referer, -4) == ".xyz") {exit;} //
>>
>>> if ($found == 1) {include 'simple.html';} else {include 'home.html';}
>>
>>> ?>
>>
>> The first thing I see wrong is that the variable "$found" is not
>> declared.
>>
>> What are you trying to achieve?
>>
>> --
>> Blah blah bleh...
>> GCS/CM d(-)@>-- s+:- !a C++$ UBL++++$ L+$ W+++$ w M++ Y++ b++
>
> I took that code out which defines $found. The code is trying to avoid
> some nasty visitors.
If you know who your "nasty visitors" are, is it not possible (and maybe
better) to block them in the server config? eg for apache2:
# Stop these bastards accessing any php files
<Files ~ "\.php$">
SetEnvIf Remote_Host ^abcd29 bastard
Order allow,deny
Allow from all
Deny from .xy
Deny from .xyz
Deny from env=bastard
</Files>
Rgds
Denis McMahon

Re: Beginner's trouble with substr [message #179460 is a reply to message #179456]
Mon, 29 October 2012 23:17
Denis McMahon
On Mon, 29 Oct 2012 10:40:31 -0700, C wrote:
> On 29 Oct, 19:34, Salvatore <s...@yojimbo.hack.invalid> wrote:
>> On 2012-10-29, wrong.addres...@gmail.com <wrong.addres...@gmail.com>
>> wrote:
>>
>>> What am I doing wrong in this? The substr part does not seem to get
>>> processed properly.
>>
>>> <?php
>>
>>> global $host;
>>> $host=@gethostbyaddr($REMOTE_ADDR);
>>> if ($HTTP_SERVER_VARS["HTTP_X_FORWARDED_FOR"] != "")
>>> {$realhost =
>>> @gethostbyaddr($HTTP_SERVER_VARS["HTTP_X_FORWARDED_FOR"]);}
>>> $referer = $HTTP_REFERER;
/** NEED TO CHECK $host and $referer HERE **/
>>> if (substr($host, -3) == ".xy") {exit;} //
>>> if (substr($host, 6) == "abcd29") {exit;} //
>>> if (substr($referer, -4) == ".xyz") {exit;} //
>>
>>> if ($found == 1) {include 'simple.html';} else {include 'home.html';}
>>
>>> ?>
>>
>> The first thing I see wrong is that the variable "$found" is not
>> declared.
>>
>> What are you trying to achieve?
> I took that code out which defines $found. The code is trying to avoid
> some nasty visitors.
Read http://php.net/manual/en/function.substr.php
I think this line:
if (substr($host, 6) == "abcd29") {exit;} //
perhaps should be this:
if (substr($host, 0, 6) == "abcd29") {exit;} //
unless you actually want to match on 12 character long strings ending
with "abcd29"
substr( string, -n ) // reads the characters from -n to end of string
substr( string, n ) // reads the characters from n to end of string
If you want the first n characters, you want substr( string, 0, n )
Also, why do you use: $REMOTE_ADDR,
$HTTP_SERVER_VARS["HTTP_X_FORWARDED_FOR"] and $HTTP_REFERER instead of
$_SERVER['REMOTE_HOST'], $_SERVER['HTTP_X_FORWARDED_FOR'] and
$_SERVER['HTTP_REFERER']
In addition, relying on HTTP_X_FORWARDED_FOR and HTTP_REFERER is
unreliable, as these fields can be spoofed anyway!
Are you relying on register_globals? Are register_globals enabled (they
won't be if you have competent server admins)?
Have you made *any* tests (at the point I marked the quoted code with
"/** NEED TO CHECK $host and $referer HERE **/") to check that the string
$host or $referrer you're checking is actually what you think it is?
How do you know the gethostbyaddr($REMOTE_ADDR) and
gethostbyaddr($HTTP_SERVER_VARS["HTTP_X_FORWARDED_FOR"]) calls are not failing (which
would indicate you were incorrectly assuming register_globals)? You have
the calls set to fail silently, which means that they could be delivering
the binary value FALSE and you don't even know it.
Also see my other comments about using the web server to do this without
letting the "nasty visitors" near the php!
Rgds
Denis McMahon
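
Added example, not part of the post above or of the thread: the points raised there put together in PHP. It reads the peer address from $_SERVER-style input, treats a failed reverse lookup as "no hostname" instead of matching on it, ignores X-Forwarded-For and Referer for the decision, and uses the corrected prefix and suffix comparisons. The function names, the injectable lookup and the PTR table are constructed for illustration; the patterns .xy and abcd29 are the ones from the original question.

```php
<?php
// Added example; helper names and the PTR table below are constructed.

/** Reverse-resolve $ip; null when the address is malformed or has no PTR name. */
function resolve_host(string $ip, ?callable $lookup = null): ?string
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return null;                 // gethostbyaddr() would return false here
    }
    $name = ($lookup ?? 'gethostbyaddr')($ip);
    if ($name === false || $name === $ip) {
        return null;                 // on lookup failure the IP comes back unchanged
    }
    return strtolower(rtrim($name, '.'));
}

function has_prefix(string $s, string $prefix): bool
{
    return substr($s, 0, strlen($prefix)) === $prefix;   // start 0, length n
}

function has_suffix(string $s, string $suffix): bool
{
    return substr($s, -strlen($suffix)) === $suffix;     // negative start, to end
}

/** Decide on the socket peer only; X-Forwarded-For and Referer are client-supplied. */
function is_blocked(array $server, ?callable $lookup = null): bool
{
    $host = resolve_host($server['REMOTE_ADDR'] ?? '', $lookup);
    if ($host === null) {
        return false;                // nothing to match on: a policy choice, made explicit
    }
    return has_suffix($host, '.xy') || has_prefix($host, 'abcd29');
}

// Constructed PTR table standing in for DNS so the demo runs offline.
$ptr  = ['192.0.2.10' => 'abcd29.example.net', '192.0.2.11' => 'dsl-7.isp.xy'];
$fake = fn(string $ip) => $ptr[$ip] ?? $ip;

foreach (['192.0.2.10', '192.0.2.11', '192.0.2.12', 'not-an-ip'] as $ip) {
    $request = ['REMOTE_ADDR' => $ip, 'HTTP_X_FORWARDED_FOR' => '192.0.2.11'];
    printf("%-12s %s\n", $ip, is_blocked($request, $fake) ? 'blocked' : 'allowed');
}
```

The third and fourth requests carry an X-Forwarded-For value that would match a blocked host, and it has no effect on the result because only REMOTE_ADDR is consulted.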

Re: Beginner's trouble with substr [message #179461 is a reply to message #179457]
Tue, 30 October 2012 05:18
C
On 29 Oct, 21:46, Salvatore <s...@yojimbo.hack.invalid> wrote:
> On 2012-10-29, C <wrong.addres...@gmail.com> wrote:
>
>> I took that code out which defines $found. The code is trying to avoid
>> some nasty visitors.
>
> Ah, okay. I tried all the substr() calls and they appear to work properly.
> However, the second substr() call is taking the last six characters off
> the end of the string "$host", and not the first six characters as I
> imagine you are trying to do.
Yes, that is my mistake. Thanks.
>
> Here's some sample code I put together to test this:
>
> <?php
> $host = 'a1b2c3d4e5f6';
> $sub = substr($host, 6);
> print "$sub\n";
> ?>
>
> The above code results in the string "d4e5f6" being printed out, and not
> "a1b2c3" as you may expect. If you want only the first six characters,
> set the second parameter to 0 (zero) and the third parameter to 6.
>
> --
> Blah blah bleh...
> GCS/CM d(-)@>-- s+:- !a C++$ UBL++++$ L+$ W+++$ w M++ Y++ b++

Re: Beginner's trouble with substr [message #179462 is a reply to message #179458]
Tue, 30 October 2012 05:19
C
On 29 Oct, 22:44, Doug Miller <doug_at_milmac_dot_...@example.com> wrote:
> wrong.addres...@gmail.com wrote in news:c67eb83e-13d8-4263-b723-a10744fcd444@googlegroups.com:
>
>> What am I doing wrong in this? The substr part does not seem to get processed properly.
>
> That is because you are not using it properly. http://us3.php.net/manual/en/function.substr.php
>
> The second parameter is the starting position, not (as you appear to believe) the length;
> length is the *third* parameter.
>
Yes, that is what I did wrong. Thanks.
>
>
>> <?php
>
>> global $host;
>> $host=@gethostbyaddr($REMOTE_ADDR);
>> if ($HTTP_SERVER_VARS["HTTP_X_FORWARDED_FOR"] != "")
>> {$realhost = @gethostbyaddr($HTTP_SERVER_VARS["HTTP_X_FORWARDED_FOR"]);}
>> $referer = $HTTP_REFERER;
>
>> if (substr($host, -3) == ".xy") {exit;} //
>> if (substr($host, 6) == "abcd29") {exit;} //
>> if (substr($referer, -4) == ".xyz") {exit;} //
>
>> if ($found == 1) {include 'simple.html';} else {include 'home.html';}
>
>> ?>

Re: Beginner's trouble with substr [message #179463 is a reply to message #179459]
Tue, 30 October 2012 05:21
C
On 30 Oct, 00:47, Denis McMahon <denismfmcma...@gmail.com> wrote:
> On Mon, 29 Oct 2012 10:40:31 -0700, C wrote:
>> On 29 Oct, 19:34, Salvatore <s...@yojimbo.hack.invalid> wrote:
>>> On 2012-10-29, wrong.addres...@gmail.com <wrong.addres...@gmail.com>
>>> wrote:
>
>>>> What am I doing wrong in this? The substr part does not seem to get
>>>> processed properly.
>
>>>> <?php
>
>>>> global $host;
>>>> $host=@gethostbyaddr($REMOTE_ADDR);
>>>> if ($HTTP_SERVER_VARS["HTTP_X_FORWARDED_FOR"] != "")
>>>> {$realhost =
>>>> @gethostbyaddr($HTTP_SERVER_VARS["HTTP_X_FORWARDED_FOR"]);}
>>>> $referer = $HTTP_REFERER;
>
>>>> if (substr($host, -3) == ".xy") {exit;} //
>>>> if (substr($host, 6) == "abcd29") {exit;} //
>>>> if (substr($referer, -4) == ".xyz") {exit;} //
>
>>>> if ($found == 1) {include 'simple.html';} else {include 'home.html';}
>
>>>> ?>
>
>>> The first thing I see wrong is that the variable "$found" is not
>>> declared.
>
>>> What are you trying to achieve?
>
>>> --
>>> Blah blah bleh...
>>> GCS/CM d(-)@>-- s+:- !a C++$ UBL++++$ L+$ W+++$ w M++ Y++ b++
>
>> I took that code out which defines $found. The code is trying to avoid
>> some nasty visitors.
>
> If you know who your "nasty visitors" are, is it not possible (and maybe
> better) to block them in the server config? eg for apache2:
This is new to me. I can look up how to do this.
>
> # Stop these bastards accessing any php files
> <Files ~ "\.php$">
> SetEnvIf Remote_Host ^abcd29 bastard
> Order allow,deny
> Allow from all
> Deny from .xy
> Deny from .xyz
> Deny from env = bastard
> </Files>
>
> Rgds
>
> Denis McMahon

Re: Beginner's trouble with substr [message #179464 is a reply to message #179460]
Tue, 30 October 2012 05:30
C
On 30 Oct, 01:17, Denis McMahon <denismfmcma...@gmail.com> wrote:
> On Mon, 29 Oct 2012 10:40:31 -0700, C wrote:
>> On 29 Oct, 19:34, Salvatore <s...@yojimbo.hack.invalid> wrote:
>>> On 2012-10-29, wrong.addres...@gmail.com <wrong.addres...@gmail.com>
>>> wrote:
>
>>>> What am I doing wrong in this? The substr part does not seem to get
>>>> processed properly.
>
>>>> <?php
>
>>>> global $host;
>>>> $host=@gethostbyaddr($REMOTE_ADDR);
>>>> if ($HTTP_SERVER_VARS["HTTP_X_FORWARDED_FOR"] != "")
>>>> {$realhost =
>>>> @gethostbyaddr($HTTP_SERVER_VARS["HTTP_X_FORWARDED_FOR"]);}
>>>> $referer = $HTTP_REFERER;
>
> /** NEED TO CHECK $host and $referer HERE **/
>
>>>> if (substr($host, -3) == ".xy") {exit;} //
>>>> if (substr($host, 6) == "abcd29") {exit;} //
>>>> if (substr($referer, -4) == ".xyz") {exit;} //
>
>>>> if ($found == 1) {include 'simple.html';} else {include 'home.html';}
>
>>>> ?>
>
>>> The first thing I see wrong is that the variable "$found" is not
>>> declared.
>
>>> What are you trying to achieve?
>> I took that code out which defines $found. The code is trying to avoid
>> some nasty visitors.
>
> Read http://php.net/manual/en/function.substr.php
>
> I think this line:
>
> if (substr($host, 6) == "abcd29") {exit;} //
>
> perhaps should be this:
>
> if (substr($host, 0, 6) == "abcd29") {exit;} //
>
> unless you actually want to match on 12 character long strings ending
> with "abcd29"
>
> substr( string, -n ) // reads the characters from -n to end of string
> substr( string, n ) // reads the characters from n to end of string
>
> If you want the first n characters, you want substr( string, 0, n )
Yes, this is clear to me now. Thanks.
>
> Also, why do you use: $REMOTE_ADDR,
> $HTTP_SERVER_VARS["HTTP_X_FORWARDED_FOR"] and $HTTP_REFERER instead of
> $_SERVER['REMOTE_HOST'], $_SERVER['HTTP_X_FORWARDED_FOR'] and
> $_SERVER['HTTP_REFERER']
What is the difference?
>
> In addition, relying on HTTP_X_FORWARDED_FOR and HTTP_REFERER is
> unreliable, as these fields can be spoofed anyway!
I can use $_SERVER[***], but why are they more reliable?
>
> Are you relying on register_globals? Are register_globals enabled (they
> won't be if you have competent server admins)?
I have no idea. I am only recording some of these variables in a file.
I am not "relying" on them to do anything serious with them in the
code.
>
> Have you made *any* tests (at the point I marked the quoted code with
> "/** NEED TO CHECK $host and $referer HERE **/") to check that the string
> $host or $referrer you're checking is actually what you think it is?
Yes, they seem to be working all right. The referer is often fake and
I am intending to use that also to keep out undesirable people. They
seem to fake it in certain ways.
>
> How do you know the gethostbyaddr($REMOTE_ADDR) and
> gethostbyaddr($HTTP_SERVER_VARS["HTTP_X_FORWARDED_FOR"]) calls are not failing (which
> would indicate you were incorrectly assuming register_globals)? You have
> the calls set to fail silently, which means that they could be delivering
> the binary value FALSE and you don't even know it.
That is correct. Sometimes I get only the IP numeric address, and
sometimes the hostname.
>
> Also see my other comments about using the web server to do this without
> letting the "nasty visitors" near the php!
Yes. Thanks for all this.
>
> Rgds
>
> Denis McMahon