FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » Nested PHP
Show: Today's Messages :: Polls :: Message Navigator
Switch to threaded view of this topic Create a new topic Submit Reply
Nested PHP [message #184821] Mon, 10 February 2014 20:24 Go to next message
adrian is currently offline  adrian
Messages: 27
Registered: December 2012
Karma: 0
Junior Member
I am using a php program to generate and download a webpage as an HTML
file, the HTML file draws its headers and navigation bar from another
HTML file using some embedded php with an "include" command.

The embedded php doesn't run when the file is downloaded, so the page
appears in the browser without its headers or navigation.

Is there a way of making the HTML file run the php or do I have to
tackle this from another angle?

--
~ Adrian Tuddenham ~
(Remove the ".invalid"s and add ".co.uk" to reply)
www.poppyrecords.co.uk
Re: Nested PHP [message #184822 is a reply to message #184821] Mon, 10 February 2014 20:56 Go to previous messageGo to next message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
Senior Member
On 2/10/2014 3:24 PM, Adrian Tuddenham wrote:
> I am using a php program to generate and download a webpage as an HTML
> file, the HTML file draws its headers and navigation bar from another
> HTML file using some embedded php with an "include" command.
>
> The embedded php doesn't run when the file is downloaded, so the page
> appears in the browser without its headers or navigation.
>
> Is there a way of making the HTML file run the php or do I have to
> tackle this from another angle?
>

The PHP code in your generated file is only executed when the file is
processed as a web page. This is done by the web server, based on the
file extension (default is .php; you do have that as the file extension,
right?).

Any other means of downloading the file (i.e. ftp) will not cause the
PHP code to be executed.

--
==================
Remove the "x" from my email address
Jerry Stuckle
jstucklex(at)attglobal(dot)net
==================
Re: Nested PHP [message #184823 is a reply to message #184822] Mon, 10 February 2014 21:44 Go to previous messageGo to next message
adrian is currently offline  adrian
Messages: 27
Registered: December 2012
Karma: 0
Junior Member
Jerry Stuckle <jstucklex(at)attglobal(dot)net> wrote:

> On 2/10/2014 3:24 PM, Adrian Tuddenham wrote:
>> I am using a php program to generate and download a webpage as an HTML
>> file, the HTML file draws its headers and navigation bar from another
>> HTML file using some embedded php with an "include" command.
>>
>> The embedded php doesn't run when the file is downloaded, so the page
>> appears in the browser without its headers or navigation.
>>
>> Is there a way of making the HTML file run the php or do I have to
>> tackle this from another angle?
>>
>
> The PHP code in your generated file is only executed when the file is
> processed as a web page. This is done by the web server, based on the
> file extension (default is .php; you do have that as the file extension,
> right?).

Yes - and the same code runs perfectly well with all its headers if the
file is sitting on the server and I call it up with a browser. It is
only if I 'create' it on the fly from a php program that it doesn't work
- the HTML runs but the php doesn't.

> Any other means of downloading the file (i.e. ftp) will not cause the
> PHP code to be executed.

I was using a browser to view it, but the source code was coming from a
php program, not directly from a file on the server.


--
~ Adrian Tuddenham ~
(Remove the ".invalid"s and add ".co.uk" to reply)
www.poppyrecords.co.uk
Re: Nested PHP [message #184824 is a reply to message #184823] Mon, 10 February 2014 21:51 Go to previous messageGo to next message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
Senior Member
On 2/10/2014 4:44 PM, Adrian Tuddenham wrote:
> Jerry Stuckle <jstucklex(at)attglobal(dot)net> wrote:
>
>> On 2/10/2014 3:24 PM, Adrian Tuddenham wrote:
>>> I am using a php program to generate and download a webpage as an HTML
>>> file, the HTML file draws its headers and navigation bar from another
>>> HTML file using some embedded php with an "include" command.
>>>
>>> The embedded php doesn't run when the file is downloaded, so the page
>>> appears in the browser without its headers or navigation.
>>>
>>> Is there a way of making the HTML file run the php or do I have to
>>> tackle this from another angle?
>>>
>>
>> The PHP code in your generated file is only executed when the file is
>> processed as a web page. This is done by the web server, based on the
>> file extension (default is .php; you do have that as the file extension,
>> right?).
>
> Yes - and the same code runs perfectly well with all its headers if the
> file is sitting on the server and I call it up with a browser. It is
> only if I 'create' it on the fly from a php program that it doesn't work
> - the HTML runs but the php doesn't.
>
>> Any other means of downloading the file (i.e. ftp) will not cause the
>> PHP code to be executed.
>
> I was using a browser to view it, but the source code was coming from a
> php program, not directly from a file on the server.
>
>

Anything output by a PHP program is sent directly to the client. It is
not processed (again) by the web server, so the php code you generate
will never be processed.

The browser will see exactly what you sent - nothing more, nothing less.

--
==================
Remove the "x" from my email address
Jerry Stuckle
jstucklex(at)attglobal(dot)net
==================
Re: Nested PHP [message #184825 is a reply to message #184823] Mon, 10 February 2014 22:09 Go to previous messageGo to next message
The Natural Philosoph is currently offline  The Natural Philosoph
Messages: 993
Registered: September 2010
Karma: 0
Senior Member
On 10/02/14 21:44, Adrian Tuddenham wrote:
> Jerry Stuckle <jstucklex(at)attglobal(dot)net> wrote:
>
>> On 2/10/2014 3:24 PM, Adrian Tuddenham wrote:
>>> I am using a php program to generate and download a webpage as an HTML
>>> file, the HTML file draws its headers and navigation bar from another
>>> HTML file using some embedded php with an "include" command.
>>>
>>> The embedded php doesn't run when the file is downloaded, so the page
>>> appears in the browser without its headers or navigation.
>>>
>>> Is there a way of making the HTML file run the php or do I have to
>>> tackle this from another angle?
>>>
>>
>> The PHP code in your generated file is only executed when the file is
>> processed as a web page. This is done by the web server, based on the
>> file extension (default is .php; you do have that as the file extension,
>> right?).
>
> Yes - and the same code runs perfectly well with all its headers if the
> file is sitting on the server and I call it up with a browser. It is
> only if I 'create' it on the fly from a php program that it doesn't work
> - the HTML runs but the php doesn't.
>
>> Any other means of downloading the file (i.e. ftp) will not cause the
>> PHP code to be executed.
>
> I was using a browser to view it, but the source code was coming from a
> php program, not directly from a file on the server.
>
>
I haven't a clue what you are talking about which may be a strong hint
that you havent a clue what you are doing...

Just provide an example of two files that 'don't work'


--
Ineptocracy

(in-ep-toc’-ra-cy) – a system of government where the least capable to
lead are elected by the least capable of producing, and where the
members of society least likely to sustain themselves or succeed, are
rewarded with goods and services paid for by the confiscated wealth of a
diminishing number of producers.
Re: Nested PHP [message #184826 is a reply to message #184823] Mon, 10 February 2014 22:23 Go to previous messageGo to next message
Christoph Michael Bec is currently offline  Christoph Michael Bec
Messages: 207
Registered: June 2013
Karma: 0
Senior Member
Adrian Tuddenham wrote:

> Jerry Stuckle <jstucklex(at)attglobal(dot)net> wrote:
>
>> On 2/10/2014 3:24 PM, Adrian Tuddenham wrote:
>>> I am using a php program to generate and download a webpage as an HTML
>>> file, the HTML file draws its headers and navigation bar from another
>>> HTML file using some embedded php with an "include" command.
>>>
>>> The embedded php doesn't run when the file is downloaded, so the page
>>> appears in the browser without its headers or navigation.
>>>
>>> Is there a way of making the HTML file run the php or do I have to
>>> tackle this from another angle?
>>>
>>
>> The PHP code in your generated file is only executed when the file is
>> processed as a web page. This is done by the web server, based on the
>> file extension (default is .php; you do have that as the file extension,
>> right?).
>
> Yes - and the same code runs perfectly well with all its headers if the
> file is sitting on the server and I call it up with a browser. It is
> only if I 'create' it on the fly from a php program that it doesn't work
> - the HTML runs but the php doesn't.

Why do you create PHP code on the fly?

--
Christoph M. Becker
Re: Nested PHP [message #184827 is a reply to message #184823] Mon, 10 February 2014 22:27 Go to previous messageGo to next message
Tim Streater is currently offline  Tim Streater
Messages: 328
Registered: September 2010
Karma: 0
Senior Member
In article <1lgvg1s.y70pl0agwbrgN%adrian(at)poppyrecords(dot)invalid(dot)invalid>,
Adrian Tuddenham <adrian(at)poppyrecords(dot)invalid(dot)invalid> wrote:

> Jerry Stuckle <jstucklex(at)attglobal(dot)net> wrote:
>
>> On 2/10/2014 3:24 PM, Adrian Tuddenham wrote:
>>> I am using a php program to generate and download a webpage as an HTML
>>> file, the HTML file draws its headers and navigation bar from another
>>> HTML file using some embedded php with an "include" command.
>>>
>>> The embedded php doesn't run when the file is downloaded, so the page
>>> appears in the browser without its headers or navigation.
>>>
>>> Is there a way of making the HTML file run the php or do I have to
>>> tackle this from another angle?
>>
>> The PHP code in your generated file is only executed when the file is
>> processed as a web page. This is done by the web server, based on the
>> file extension (default is .php; you do have that as the file extension,
>> right?).
>
> Yes - and the same code runs perfectly well with all its headers if the
> file is sitting on the server and I call it up with a browser. It is
> only if I 'create' it on the fly from a php program that it doesn't work
> - the HTML runs but the php doesn't.

Where is this PHP program that is doing this work "on the fly"? Where
is its input and what do you do with its output?

>> Any other means of downloading the file (i.e. ftp) will not cause the
>> PHP code to be executed.
>
> I was using a browser to view it, but the source code was coming from a
> php program, not directly from a file on the server.

It's unclear to me what your sequence is. If you have the file locally
and open it from within the browser no PHP will be executed. It's the
remote webserver, if so configured, that hands off the requested file
to PHP which runs any PHP code within the file. The result of that is
then sent to your browser.

--
"People don't buy Microsoft for quality, they buy it for compatibility
with what Bob in accounting bought last year. Trace it back - they buy
Microsoft because the IBM Selectric didn't suck much" - P Seebach, afc
Re: Nested PHP [message #184828 is a reply to message #184823] Mon, 10 February 2014 22:30 Go to previous messageGo to next message
Geoff Muldoon is currently offline  Geoff Muldoon
Messages: 19
Registered: July 2011
Karma: 0
Junior Member
adrian(at)poppyrecords(dot)invalid(dot)invalid says...

> I was using a browser to view it, but the source code was coming from
> a php program, not directly from a file on the server.

What "php program"? Do you mean just an engine-less editor? If your
"program" doesn't have an inbuilt PHP code parser then the include
statements won't work.

GM
Re: Nested PHP [message #184829 is a reply to message #184823] Mon, 10 February 2014 23:06 Go to previous messageGo to next message
Denis McMahon is currently offline  Denis McMahon
Messages: 634
Registered: September 2010
Karma: 0
Senior Member
On Mon, 10 Feb 2014 21:44:02 +0000, Adrian Tuddenham wrote:

> Jerry Stuckle <jstucklex(at)attglobal(dot)net> wrote:
>
>> On 2/10/2014 3:24 PM, Adrian Tuddenham wrote:
>>> I am using a php program to generate and download a webpage as an
>>> HTML file, the HTML file draws its headers and navigation bar from
>>> another HTML file using some embedded php with an "include" command.
>>>
>>> The embedded php doesn't run when the file is downloaded, so the page
>>> appears in the browser without its headers or navigation.
>>>
>>> Is there a way of making the HTML file run the php or do I have to
>>> tackle this from another angle?

>> The PHP code in your generated file is only executed when the file is
>> processed as a web page. This is done by the web server, based on the
>> file extension (default is .php; you do have that as the file
>> extension,
>> right?).

> Yes - and the same code runs perfectly well with all its headers if the
> file is sitting on the server and I call it up with a browser. It is
> only if I 'create' it on the fly from a php program that it doesn't work
> - the HTML runs but the php doesn't.

What happens is that php script is executed by a script processor in the
server, and the output of the php script is delivered by the server as
html.

>> Any other means of downloading the file (i.e. ftp) will not cause the
>> PHP code to be executed.

> I was using a browser to view it, but the source code was coming from a
> php program, not directly from a file on the server.

When you say "the source code was coming from a php program" do you mean
that you were viewing a php script with a web browser, or do you mean
that you were running a script through a php interpreter and viewing the
output?

Any php processing for web pages that is needed is generally carried out
in a process called from the main server process in the web server.
Normally when a .php file is requested, the webserver passes the file to
the php processor, and takes the output of the php processor and sends
that to the requesting client as html (unless another content type is
specified).

It's also possible for php to be embedded in html files, in which case
the same thing happens for html files.

I can't quite map your description of what you're doing and what you seem
to expect with my knowledge of how web servers work, this suggests that
either you're using the terminology in a way that I don't understand, or
possibly that your perception of what is happening is not what is
actually happening.

--
Denis McMahon, denismfmcmahon(at)gmail(dot)com
Re: Nested PHP [message #184830 is a reply to message #184829] Tue, 11 February 2014 01:46 Go to previous messageGo to next message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
Senior Member
On 2/10/2014 6:06 PM, Denis McMahon wrote:
> On Mon, 10 Feb 2014 21:44:02 +0000, Adrian Tuddenham wrote:
>
>> Jerry Stuckle <jstucklex(at)attglobal(dot)net> wrote:
>>
>>> On 2/10/2014 3:24 PM, Adrian Tuddenham wrote:
>>>> I am using a php program to generate and download a webpage as an
>>>> HTML file, the HTML file draws its headers and navigation bar from
>>>> another HTML file using some embedded php with an "include" command.
>>>>
>>>> The embedded php doesn't run when the file is downloaded, so the page
>>>> appears in the browser without its headers or navigation.
>>>>
>>>> Is there a way of making the HTML file run the php or do I have to
>>>> tackle this from another angle?
>
>>> The PHP code in your generated file is only executed when the file is
>>> processed as a web page. This is done by the web server, based on the
>>> file extension (default is .php; you do have that as the file
>>> extension,
>>> right?).
>
>> Yes - and the same code runs perfectly well with all its headers if the
>> file is sitting on the server and I call it up with a browser. It is
>> only if I 'create' it on the fly from a php program that it doesn't work
>> - the HTML runs but the php doesn't.
>
> What happens is that php script is executed by a script processor in the
> server, and the output of the php script is delivered by the server as
> html.
>
>>> Any other means of downloading the file (i.e. ftp) will not cause the
>>> PHP code to be executed.
>
>> I was using a browser to view it, but the source code was coming from a
>> php program, not directly from a file on the server.
>
> When you say "the source code was coming from a php program" do you mean
> that you were viewing a php script with a web browser, or do you mean
> that you were running a script through a php interpreter and viewing the
> output?
>
> Any php processing for web pages that is needed is generally carried out
> in a process called from the main server process in the web server.
> Normally when a .php file is requested, the webserver passes the file to
> the php processor, and takes the output of the php processor and sends
> that to the requesting client as html (unless another content type is
> specified).
>
> It's also possible for php to be embedded in html files, in which case
> the same thing happens for html files.
>
> I can't quite map your description of what you're doing and what you seem
> to expect with my knowledge of how web servers work, this suggests that
> either you're using the terminology in a way that I don't understand, or
> possibly that your perception of what is happening is not what is
> actually happening.
>

Denis,

From what I can gather, he's generating a page which contains PHP code
from another PHP script, and sending the generated page to the browser -
expecting the generated PHP code to be executed (which, of course, it
isn't).

--
==================
Remove the "x" from my email address
Jerry Stuckle
jstucklex(at)attglobal(dot)net
==================
Re: Nested PHP [message #184834 is a reply to message #184830] Tue, 11 February 2014 10:11 Go to previous messageGo to next message
adrian is currently offline  adrian
Messages: 27
Registered: December 2012
Karma: 0
Junior Member
Jerry Stuckle <jstucklex(at)attglobal(dot)net> wrote:

> On 2/10/2014 6:06 PM, Denis McMahon wrote:
>> On Mon, 10 Feb 2014 21:44:02 +0000, Adrian Tuddenham wrote:
>>
>>> Jerry Stuckle <jstucklex(at)attglobal(dot)net> wrote:
>>>
>>>> On 2/10/2014 3:24 PM, Adrian Tuddenham wrote:
>>>> > I am using a php program to generate and download a webpage as an
>>>> > HTML file, the HTML file draws its headers and navigation bar from
>>>> > another HTML file using some embedded php with an "include" command.
>>>> >
>>>> > The embedded php doesn't run when the file is downloaded, so the page
>>>> > appears in the browser without its headers or navigation.
>>>> >
>>>> > Is there a way of making the HTML file run the php or do I have to
>>>> > tackle this from another angle?
>>
>>>> The PHP code in your generated file is only executed when the file is
>>>> processed as a web page. This is done by the web server, based on the
>>>> file extension (default is .php; you do have that as the file
>>>> extension,
>>>> right?).
>>
>>> Yes - and the same code runs perfectly well with all its headers if the
>>> file is sitting on the server and I call it up with a browser. It is
>>> only if I 'create' it on the fly from a php program that it doesn't work
>>> - the HTML runs but the php doesn't.
>>
>> What happens is that php script is executed by a script processor in the
>> server, and the output of the php script is delivered by the server as
>> html.
>>
>>>> Any other means of downloading the file (i.e. ftp) will not cause the
>>>> PHP code to be executed.
>>
>>> I was using a browser to view it, but the source code was coming from a
>>> php program, not directly from a file on the server.
>>
>> When you say "the source code was coming from a php program" do you mean
>> that you were viewing a php script with a web browser, or do you mean
>> that you were running a script through a php interpreter and viewing the
>> output?
>>
>> Any php processing for web pages that is needed is generally carried out
>> in a process called from the main server process in the web server.
>> Normally when a .php file is requested, the webserver passes the file to
>> the php processor, and takes the output of the php processor and sends
>> that to the requesting client as html (unless another content type is
>> specified).
>>
>> It's also possible for php to be embedded in html files, in which case
>> the same thing happens for html files.
>>
>> I can't quite map your description of what you're doing and what you seem
>> to expect with my knowledge of how web servers work, this suggests that
>> either you're using the terminology in a way that I don't understand, or
>> possibly that your perception of what is happening is not what is
>> actually happening.
>>
>
> Denis,
>
> From what I can gather, he's generating a page which contains PHP code
> from another PHP script, and sending the generated page to the browser -
> expecting the generated PHP code to be executed (which, of course, it
> isn't).

That's right.

I'll try to elaborate and show some of the code, which might answer many
of the previous replies at the same time:

A typical webpage in this site uses embedded php to operate the hit
counter (PROCaddlog.php), pick up its headers (SCCSheaders.php) and pick
up its navigation table (SCCSnavtable.php).


~~~~~~~ Typical webpage ~~~~~~~~
<HTML>
<HEAD>
<TITLE>Picture Gallery</TITLE>
<meta name="KEYWORDS" content="Coal Canal, Somersetshire Coal Canal,
Somerset Coal Canal, locks, caissons, Kennet & Avon,Weldon, Robert
Weldon, Caisoon Lock, Inclined plane, Combe Hay, Bath, Wellow, Weldon,
William Smith, Tuckingmill Tramway, Dorset & Somerset Canal">
</HEAD>
<BODY BGCOLOR="#CCFFFF">
<CENTER><!--NOEDIT--><?php
include($_SERVER['DOCUMENT_ROOT'] . "/PHP/counters/PROCaddlog.php");
addlog("Gallery");
include("http://www.coalcanal.org/PHP/SCCSheaders.php");
include("http://www.coalcanal.org/PHP/SCCSnavtable.php");
?><!--/NOEDIT-->

<P><FONT COLOR="#996633"><B>GALLERY</B></FONT>

<P>&nbsp;

<P><A HREF="http://www.flickr.com/photos/114362147@N06/">Photostream
on Flickr</A>

<P><A HREF="gallery/gallery-old.htm">Old pictures of the canal</A>

<P>&nbsp;

<P>&nbsp;

<P><TABLE BORDER=0 CELLSPACING=0 CELLPADDING=5 WIDTH="100%">
<TR>
<TD>
<P><A HREF="index.htm">Return to home page</A>
</TD>
<TD>
<CENTER><A HREF="alphabetical.htm"><IMG SRC="images/Find.gif"
WIDTH=75 HEIGHT=26 BORDER=0 ALIGN=bottom></A></CENTER>
</TD>
<TD>
<P ALIGN=right><A HREF="#TOP">Return to top of this page</A>
</TD>
</TR>
</TABLE>
</CENTER>
</BODY>
</HTML>

~~~~~~~~~~ End of Typical Webpage ~~~~~~~

The resulting output can be seen at:
<http://www.coalcanal.org/gallery.php>

I am now trying to build some password-protected pages and downloads,
where a link to a page or PDF file calls up a page delivery program
which decodes an encryped file and generates the PDF or page source code
on-the-fly. The PDF-delivery program works fine, but when I use the
same code to deliver an HTML page, the php within the HTML appears as
text and fails to run.

~~~~~~~~~~ PDF Delivery Program ~~~~~~~~~~
<?php

$cookie1 = $_COOKIE["uservalid"];
stripslashes($cookie1);
setcookie ("uservalid", $cookie1 , time() + 900);
$cookie2 = strrev($cookie1);
$filename = $_GET["url"];
stripslashes($filename);
$text = "Empty string";

#Cookie check removed for security
#If ($cookie2~~~~~~~~~
{
### Read file ###

$filenamer = $filename . "r";
$fh = fopen($filenamer, 'r') or ("Downloader can't open
file $filenamer");
$text = fread($fh, filesize($filenamer));
fclose($fh);


### Decode file ###

# Decoding section removed for security#
}

### Send file or refer to Login page ###

#Cookie check removed for security
#If ($cookie2~~~~~~~~~
{
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment;
filename="'.basename($filename).'"');
header('Content-Length: ' . filesize($filenamer));
print $text;
}
else
{
print "
<HTML>
<HEAD>
</HEAD>
<BODY BGCOLOR='#FFFFFF'>
<CENTER><BR><BR>
<FORM ACTION=\"Login2.php\" METHOD=POST>
<P>Please <INPUT TYPE=submit NAME=Submit VALUE=\"Log in\">if you
want to download this file
<P> <A
HREF='http://www.coalcanal.org.uk/contactform1.php'>Contact the
webmaster</A> if you continue to have difficulties</CENTER>
</BODY>
</HTML>
";
}

?>

~~~~~~~~~~~~ End of PDF Delivery Program ~~~~~~~~~

As suggested by one of the replies, I am currently using a modification
of the above program to deliver webpages, whereby the 'include' is
processed by the delivery program (not by the HTML page) and the result
delivered to the HTML page at the appropriate point in the generated
source code.

I wondered if there was a command which I could embed instead of the
"print $text;", which would cause the resulting HTML to be processed
like a normal webpage, so that the php within it would also run?



--
~ Adrian Tuddenham ~
(Remove the ".invalid"s and add ".co.uk" to reply)
www.poppyrecords.co.uk
Re: Nested PHP [message #184835 is a reply to message #184834] Tue, 11 February 2014 11:17 Go to previous messageGo to next message
Tim Streater is currently offline  Tim Streater
Messages: 328
Registered: September 2010
Karma: 0
Senior Member
In article
<1lgwd91.6d77v31qehadcN%adrian(at)poppyrecords(dot)invalid(dot)invalid>, Adrian
Tuddenham <adrian(at)poppyrecords(dot)invalid(dot)invalid> wrote:

> Jerry Stuckle <jstucklex(at)attglobal(dot)net> wrote:

>> From what I can gather, he's generating a page which contains PHP code
>> from another PHP script, and sending the generated page to the browser -
>> expecting the generated PHP code to be executed (which, of course, it
>> isn't).
>
> That's right.
>
> I'll try to elaborate and show some of the code, which might answer many
> of the previous replies at the same time:
>
> A typical webpage in this site uses embedded php to operate the hit
> counter (PROCaddlog.php), pick up its headers (SCCSheaders.php) and pick
> up its navigation table (SCCSnavtable.php).

You should really put a doctype here:

<!DOCTYPE html>

> <HTML>

at the top of your html so that the browser doesn't operate in quirks
mode (q.v.).

> <HEAD>
> <TITLE>Picture Gallery</TITLE>
> <meta name="KEYWORDS" content="Coal Canal, Somersetshire Coal Canal,
> Somerset Coal Canal, locks, caissons, Kennet & Avon,Weldon, Robert
> Weldon, Caisoon Lock, Inclined plane, Combe Hay, Bath, Wellow, Weldon,
> William Smith, Tuckingmill Tramway, Dorset & Somerset Canal">
> </HEAD>
> <BODY BGCOLOR="#CCFFFF">
> <CENTER><!--NOEDIT--><?php
> include($_SERVER['DOCUMENT_ROOT'] . "/PHP/counters/PROCaddlog.php");
> addlog("Gallery");
> include("http://www.coalcanal.org/PHP/SCCSheaders.php");
> include("http://www.coalcanal.org/PHP/SCCSnavtable.php");
> ?><!--/NOEDIT-->
>
> <P><FONT COLOR="#996633"><B>GALLERY</B></FONT>
>
> <P>&nbsp;
>
> <P><A HREF="http://www.flickr.com/photos/114362147@N06/">Photostream
> on Flickr</A>
>
> <P><A HREF="gallery/gallery-old.htm">Old pictures of the canal</A>
>
> <P>&nbsp;
>
> <P>&nbsp;
>
> <P><TABLE BORDER=0 CELLSPACING=0 CELLPADDING=5 WIDTH="100%">
> <TR>
> <TD>
> <P><A HREF="index.htm">Return to home page</A>
> </TD>
> <TD>
> <CENTER><A HREF="alphabetical.htm"><IMG SRC="images/Find.gif"
> WIDTH=75 HEIGHT=26 BORDER=0 ALIGN=bottom></A></CENTER>
> </TD>
> <TD>
> <P ALIGN=right><A HREF="#TOP">Return to top of this page</A>
> </TD>
> </TR>
> </TABLE>
> </CENTER>
> </BODY>
> </HTML>
>
> ~~~~~~~~~~ End of Typical Webpage ~~~~~~~
>
> The resulting output can be seen at:
> <http://www.coalcanal.org/gallery.php>
>
> I am now trying to build some password-protected pages and downloads,
> where a link to a page or PDF file calls up a page delivery program
> which decodes an encryped file and generates the PDF or page source code
> on-the-fly. The PDF-delivery program works fine, but when I use the
> same code to deliver an HTML page, the php within the HTML appears as
> text and fails to run.
>
> ~~~~~~~~~~ PDF Delivery Program ~~~~~~~~~~
> <?php
>
> $cookie1 = $_COOKIE["uservalid"];
> stripslashes($cookie1);

This ...

> setcookie ("uservalid", $cookie1 , time() + 900);
> $cookie2 = strrev($cookie1);
> $filename = $_GET["url"];
> stripslashes($filename);

.... and this are surely no-ops as you don't assign the output of
stripslashes (q.v.) to anything.

> $text = "Empty string";
>
> #Cookie check removed for security
> #If ($cookie2~~~~~~~~~
> {
> ### Read file ###
>
> $filenamer = $filename . "r";
> $fh = fopen($filenamer, 'r') or ("Downloader can't open
> file $filenamer");
> $text = fread($fh, filesize($filenamer));
> fclose($fh);
>
>
> ### Decode file ###
>
> # Decoding section removed for security#
> }
>
> ### Send file or refer to Login page ###
>
> #Cookie check removed for security
> #If ($cookie2~~~~~~~~~
> {
> header('Content-Type: application/octet-stream');
> header('Content-Disposition: attachment;
> filename="'.basename($filename).'"');
> header('Content-Length: ' . filesize($filenamer));
> print $text;
> }
> else
> {
> print "
> <HTML>
> <HEAD>
> </HEAD>
> <BODY BGCOLOR='#FFFFFF'>
> <CENTER><BR><BR>
> <FORM ACTION=\"Login2.php\" METHOD=POST>
> <P>Please <INPUT TYPE=submit NAME=Submit VALUE=\"Log in\">if you
> want to download this file
> <P> <A
> HREF='http://www.coalcanal.org.uk/contactform1.php'>Contact the
> webmaster</A> if you continue to have difficulties</CENTER>
> </BODY>
> </HTML>
> ";
> }
>
> ?>
>
> ~~~~~~~~~~~~ End of PDF Delivery Program ~~~~~~~~~
>
> As suggested by one of the replies, I am currently using a modification
> of the above program to deliver webpages, whereby the 'include' is
> processed by the delivery program (not by the HTML page)

The include is *always* processed by PHP - see:

http://uk3.php.net/manual/en/function.include.php

> and the result delivered to the HTML page at the
> appropriate point in the generated source code.
>
> I wondered if there was a command which I could embed instead of the
> "print $text;", which would cause the resulting HTML to be processed
> like a normal webpage, so that the php within it would also run?

Well, include might do it, I suppose. On first reading of the include
ref I gave above, I assumed that include's argument had always to be a
specific file, but there seem to be some hints in the user examples
that imply you could do:

include $filenamer;

instead of

print $text;

but I've never tried this myself.

BTW I've read that google etc ignore <meta keywords...> these days but
that's another story.

--
"People don't buy Microsoft for quality, they buy it for compatibility
with what Bob in accounting bought last year. Trace it back - they buy
Microsoft because the IBM Selectric didn't suck much" - P Seebach, afc
Re: Nested PHP [message #184836 is a reply to message #184835] Tue, 11 February 2014 12:01 Go to previous messageGo to next message
adrian is currently offline  adrian
Messages: 27
Registered: December 2012
Karma: 0
Junior Member
Tim Streater <timstreater(at)greenbee(dot)net> wrote:

[...]
>> I wondered if there was a command which I could embed instead of the
>> "print $text;", which would cause the resulting HTML to be processed
>> like a normal webpage, so that the php within it would also run?
>
> Well, include might do it, I suppose. On first reading of the include
> ref I gave above, I assumed that include's argument had always to be a
> specific file, but there seem to be some hints in the user examples
> that imply you could do:
>
> include $filenamer;
>
> instead of
>
> print $text;
>
> but I've never tried this myself.

I had already tried it and it didn't work. :-(

--
~ Adrian Tuddenham ~
(Remove the ".invalid"s and add ".co.uk" to reply)
www.poppyrecords.co.uk
Re: Nested PHP [message #184837 is a reply to message #184823] Tue, 11 February 2014 12:12 Go to previous messageGo to next message
bill is currently offline  bill
Messages: 310
Registered: October 2010
Karma: 0
Senior Member
On 2/10/2014 4:44 PM, Adrian Tuddenham wrote:
> Jerry Stuckle <jstucklex(at)attglobal(dot)net> wrote:
>
>> On 2/10/2014 3:24 PM, Adrian Tuddenham wrote:
>>> I am using a php program to generate and download a webpage as an HTML
>>> file, the HTML file draws its headers and navigation bar from another
>>> HTML file using some embedded php with an "include" command.
>>>
>>> The embedded php doesn't run when the file is downloaded, so the page
>>> appears in the browser without its headers or navigation.
>>>
>>> Is there a way of making the HTML file run the php or do I have to
>>> tackle this from another angle?
>>>
>>
>> The PHP code in your generated file is only executed when the file is
>> processed as a web page. This is done by the web server, based on the
>> file extension (default is .php; you do have that as the file extension,
>> right?).
>
> Yes - and the same code runs perfectly well with all its headers if the
> file is sitting on the server and I call it up with a browser. It is
> only if I 'create' it on the fly from a php program that it doesn't work
> - the HTML runs but the php doesn't.
>
>> Any other means of downloading the file (i.e. ftp) will not cause the
>> PHP code to be executed.
>
> I was using a browser to view it, but the source code was coming from a
> php program, not directly from a file on the server.
>
>
perhaps you could include a code snippett that shows the
sequence, or perhaps a pseudo code example.
bill
Re: Nested PHP [message #184839 is a reply to message #184836] Tue, 11 February 2014 12:45 Go to previous messageGo to next message
Tim Streater is currently offline  Tim Streater
Messages: 328
Registered: September 2010
Karma: 0
Senior Member
In article
<1lgwk0i.o5j5ms19glf6kN%adrian(at)poppyrecords(dot)invalid(dot)invalid>, Adrian
Tuddenham <adrian(at)poppyrecords(dot)invalid(dot)invalid> wrote:

> Tim Streater <timstreater(at)greenbee(dot)net> wrote:
>
> [...]
>>> I wondered if there was a command which I could embed instead of the
>>> "print $text;", which would cause the resulting HTML to be processed
>>> like a normal webpage, so that the php within it would also run?
>>
>> Well, include might do it, I suppose. On first reading of the include
>> ref I gave above, I assumed that include's argument had always to be a
>> specific file, but there seem to be some hints in the user examples
>> that imply you could do:
>>
>> include $filenamer;
>>
>> instead of
>>
>> print $text;
>>
>> but I've never tried this myself.
>
> I had already tried it and it didn't work. :-(

Then either the file has to be in a specific place, or you can write
$text out to a /tmp file with a specific name and use that with the
include.

--
Tim

"That excessive bail ought not to be required, nor excessive fines imposed,
nor cruel and unusual punishments inflicted" -- Bill of Rights 1689
Re: Nested PHP [message #184841 is a reply to message #184839] Tue, 11 February 2014 12:55 Go to previous messageGo to next message
Christoph Michael Bec is currently offline  Christoph Michael Bec
Messages: 207
Registered: June 2013
Karma: 0
Senior Member
Tim Streater wrote:

> In article
> <1lgwk0i.o5j5ms19glf6kN%adrian(at)poppyrecords(dot)invalid(dot)invalid>, Adrian
> Tuddenham <adrian(at)poppyrecords(dot)invalid(dot)invalid> wrote:
>
>> Tim Streater <timstreater(at)greenbee(dot)net> wrote:
>>
>> [...]
>>>> I wondered if there was a command which I could embed instead of the
>>>> "print $text;", which would cause the resulting HTML to be processed
>>>> like a normal webpage, so that the php within it would also run?
>>>> Well, include might do it, I suppose. On first reading of the include
>>> ref I gave above, I assumed that include's argument had always to be a
>>> specific file, but there seem to be some hints in the user examples
>>> that imply you could do:
>>>> include $filenamer;
>>>> instead of
>>>> print $text;
>>>> but I've never tried this myself.
>>
>> I had already tried it and it didn't work. :-(
>
> Then either the file has to be in a specific place, or you can write
> $text out to a /tmp file with a specific name and use that with the
> include.

Or evaluate the generated PHP code with eval(). However, I suppose
there's a design mistake here. Generating and executing PHP code on the
fly doesn't seem to be reasonable (at least for most purposes).

--
Christoph M. Becker
Re: Nested PHP [message #184843 is a reply to message #184834] Tue, 11 February 2014 13:15 Go to previous messageGo to next message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
Senior Member
On 2/11/2014 5:11 AM, Adrian Tuddenham wrote:
> Jerry Stuckle <jstucklex(at)attglobal(dot)net> wrote:
>
>> On 2/10/2014 6:06 PM, Denis McMahon wrote:
>>> On Mon, 10 Feb 2014 21:44:02 +0000, Adrian Tuddenham wrote:
>>>
>>>> Jerry Stuckle <jstucklex(at)attglobal(dot)net> wrote:
>>>>
>>>> > On 2/10/2014 3:24 PM, Adrian Tuddenham wrote:
>>>> >> I am using a php program to generate and download a webpage as an
>>>> >> HTML file, the HTML file draws its headers and navigation bar from
>>>> >> another HTML file using some embedded php with an "include" command.
>>>> >>
>>>> >> The embedded php doesn't run when the file is downloaded, so the page
>>>> >> appears in the browser without its headers or navigation.
>>>> >>
>>>> >> Is there a way of making the HTML file run the php or do I have to
>>>> >> tackle this from another angle?
>>>
>>>> > The PHP code in your generated file is only executed when the file is
>>>> > processed as a web page. This is done by the web server, based on the
>>>> > file extension (default is .php; you do have that as the file
>>>> > extension,
>>>> > right?).
>>>
>>>> Yes - and the same code runs perfectly well with all its headers if the
>>>> file is sitting on the server and I call it up with a browser. It is
>>>> only if I 'create' it on the fly from a php program that it doesn't work
>>>> - the HTML runs but the php doesn't.
>>>
>>> What happens is that php script is executed by a script processor in the
>>> server, and the output of the php script is delivered by the server as
>>> html.
>>>
>>>> > Any other means of downloading the file (i.e. ftp) will not cause the
>>>> > PHP code to be executed.
>>>
>>>> I was using a browser to view it, but the source code was coming from a
>>>> php program, not directly from a file on the server.
>>>
>>> When you say "the source code was coming from a php program" do you mean
>>> that you were viewing a php script with a web browser, or do you mean
>>> that you were running a script through a php interpreter and viewing the
>>> output?
>>>
>>> Any php processing for web pages that is needed is generally carried out
>>> in a process called from the main server process in the web server.
>>> Normally when a .php file is requested, the webserver passes the file to
>>> the php processor, and takes the output of the php processor and sends
>>> that to the requesting client as html (unless another content type is
>>> specified).
>>>
>>> It's also possible for php to be embedded in html files, in which case
>>> the same thing happens for html files.
>>>
>>> I can't quite map your description of what you're doing and what you seem
>>> to expect with my knowledge of how web servers work, this suggests that
>>> either you're using the terminology in a way that I don't understand, or
>>> possibly that your perception of what is happening is not what is
>>> actually happening.
>>>
>>
>> Denis,
>>
>> From what I can gather, he's generating a page which contains PHP code
>> from another PHP script, and sending the generated page to the browser -
>> expecting the generated PHP code to be executed (which, of course, it
>> isn't).
>
> That's right.
>

Then no, anything generated by your code is NOT processed by the
interpreter. It is simply sent to the client.

> I'll try to elaborate and show some of the code, which might answer many
> of the previous replies at the same time:
>
> A typical webpage in this site uses embedded php to operate the hit
> counter (PROCaddlog.php), pick up its headers (SCCSheaders.php) and pick
> up its navigation table (SCCSnavtable.php).
>
>
> ~~~~~~~ Typical webpage ~~~~~~~~
> <HTML>
> <HEAD>
> <TITLE>Picture Gallery</TITLE>
> <meta name="KEYWORDS" content="Coal Canal, Somersetshire Coal Canal,
> Somerset Coal Canal, locks, caissons, Kennet & Avon,Weldon, Robert
> Weldon, Caisoon Lock, Inclined plane, Combe Hay, Bath, Wellow, Weldon,
> William Smith, Tuckingmill Tramway, Dorset & Somerset Canal">
> </HEAD>
> <BODY BGCOLOR="#CCFFFF">
> <CENTER><!--NOEDIT--><?php
> include($_SERVER['DOCUMENT_ROOT'] . "/PHP/counters/PROCaddlog.php");
> addlog("Gallery");
> include("http://www.coalcanal.org/PHP/SCCSheaders.php");
> include("http://www.coalcanal.org/PHP/SCCSnavtable.php");
> ?><!--/NOEDIT-->
>
> <P><FONT COLOR="#996633"><B>GALLERY</B></FONT>
>
> <P>&nbsp;
>
> <P><A HREF="http://www.flickr.com/photos/114362147@N06/">Photostream
> on Flickr</A>
>
> <P><A HREF="gallery/gallery-old.htm">Old pictures of the canal</A>
>
> <P>&nbsp;
>
> <P>&nbsp;
>
> <P><TABLE BORDER=0 CELLSPACING=0 CELLPADDING=5 WIDTH="100%">
> <TR>
> <TD>
> <P><A HREF="index.htm">Return to home page</A>
> </TD>
> <TD>
> <CENTER><A HREF="alphabetical.htm"><IMG SRC="images/Find.gif"
> WIDTH=75 HEIGHT=26 BORDER=0 ALIGN=bottom></A></CENTER>
> </TD>
> <TD>
> <P ALIGN=right><A HREF="#TOP">Return to top of this page</A>
> </TD>
> </TR>
> </TABLE>
> </CENTER>
> </BODY>
> </HTML>
>
> ~~~~~~~~~~ End of Typical Webpage ~~~~~~~
>
> The resulting output can be seen at:
> <http://www.coalcanal.org/gallery.php>
>

Is this supposed to be the page your code has generated? Or is this a
file on your site? The code here is being processed.

> I am now trying to build some password-protected pages and downloads,
> where a link to a page or PDF file calls up a page delivery program
> which decodes an encryped file and generates the PDF or page source code
> on-the-fly. The PDF-delivery program works fine, but when I use the
> same code to deliver an HTML page, the php within the HTML appears as
> text and fails to run.
>

It won't work.

> ~~~~~~~~~~ PDF Delivery Program ~~~~~~~~~~
> <?php
>
> $cookie1 = $_COOKIE["uservalid"];
> stripslashes($cookie1);
> setcookie ("uservalid", $cookie1 , time() + 900);
> $cookie2 = strrev($cookie1);
> $filename = $_GET["url"];
> stripslashes($filename);
> $text = "Empty string";
>
> #Cookie check removed for security
> #If ($cookie2~~~~~~~~~
> {
> ### Read file ###
>
> $filenamer = $filename . "r";
> $fh = fopen($filenamer, 'r') or ("Downloader can't open
> file $filenamer");
> $text = fread($fh, filesize($filenamer));
> fclose($fh);
>
>
> ### Decode file ###
>
> # Decoding section removed for security#
> }
>
> ### Send file or refer to Login page ###
>
> #Cookie check removed for security
> #If ($cookie2~~~~~~~~~
> {
> header('Content-Type: application/octet-stream');
> header('Content-Disposition: attachment;
> filename="'.basename($filename).'"');
> header('Content-Length: ' . filesize($filenamer));
> print $text;
> }
> else
> {
> print "
> <HTML>
> <HEAD>
> </HEAD>
> <BODY BGCOLOR='#FFFFFF'>
> <CENTER><BR><BR>
> <FORM ACTION=\"Login2.php\" METHOD=POST>
> <P>Please <INPUT TYPE=submit NAME=Submit VALUE=\"Log in\">if you
> want to download this file
> <P> <A
> HREF='http://www.coalcanal.org.uk/contactform1.php'>Contact the
> webmaster</A> if you continue to have difficulties</CENTER>
> </BODY>
> </HTML>
> ";
> }
>
> ?>
>
> ~~~~~~~~~~~~ End of PDF Delivery Program ~~~~~~~~~
>
> As suggested by one of the replies, I am currently using a modification
> of the above program to deliver webpages, whereby the 'include' is
> processed by the delivery program (not by the HTML page) and the result
> delivered to the HTML page at the appropriate point in the generated
> source code.
>
> I wondered if there was a command which I could embed instead of the
> "print $text;", which would cause the resulting HTML to be processed
> like a normal webpage, so that the php within it would also run?
>
>
>

You could use eval(), if your host allows it. But that is a huge
security risk. You're just asking to be hacked.

My main question here would be - what are you trying to accomplish by
having files encrypted on your server. Since the decryption code is
right in plain sight, encrypting the files adds no security. If they
can get to your raw files, they can get to your decryption code.

And in any case, the decrypted page (along with images, etc.) is
available at the browser just as soon as someone requests it.

I think your whole approach needs rethinking.

--
==================
Remove the "x" from my email address
Jerry Stuckle
jstucklex(at)attglobal(dot)net
==================
Re: Nested PHP [message #184846 is a reply to message #184841] Tue, 11 February 2014 13:29 Go to previous messageGo to next message
Denis McMahon is currently offline  Denis McMahon
Messages: 634
Registered: September 2010
Karma: 0
Senior Member
On Tue, 11 Feb 2014 13:55:57 +0100, Christoph Michael Becker wrote:

> Or evaluate the generated PHP code with eval(). However, I suppose
> there's a design mistake here. Generating and executing PHP code on the
> fly doesn't seem to be reasonable (at least for most purposes).

I'll second that. Instead of dynamically generating php code to generate
html and inserting the dynamically generated php code into your file, you
should refactor the script that produces the dynamic php to instead
generate the resultant html that the dynamically generated php is
expected to create, and arrange the code so that the html is just
inserted at the appropriate place

--
Denis McMahon, denismfmcmahon(at)gmail(dot)com
Re: Nested PHP [message #184847 is a reply to message #184824] Tue, 11 February 2014 14:14 Go to previous messageGo to next message
Peter H. Coffin is currently offline  Peter H. Coffin
Messages: 245
Registered: September 2010
Karma: 0
Senior Member
On Mon, 10 Feb 2014 16:51:37 -0500, Jerry Stuckle wrote:
> On 2/10/2014 4:44 PM, Adrian Tuddenham wrote:
>> I was using a browser to view it, but the source code was coming from a
>> php program, not directly from a file on the server.
>>
>>
>
> Anything output by a PHP program is sent directly to the client. It is
> not processed (again) by the web server, so the php code you generate
> will never be processed.
>
> The browser will see exactly what you sent - nothing more, nothing less.

Right.

Hmm... Might be worth trying writing to a temporary file, include()ing
it, then cleaning up at the end of the script. It's a LITTLE
complicated, but...

--
For every rational explanation there are an infinite number of
irrational explanations.
-- Staples' Observation
Re: Nested PHP [message #184848 is a reply to message #184847] Tue, 11 February 2014 14:27 Go to previous messageGo to next message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
Senior Member
On 2/11/2014 9:14 AM, Peter H. Coffin wrote:
> On Mon, 10 Feb 2014 16:51:37 -0500, Jerry Stuckle wrote:
>> On 2/10/2014 4:44 PM, Adrian Tuddenham wrote:
>>> I was using a browser to view it, but the source code was coming from a
>>> php program, not directly from a file on the server.
>>>
>>>
>>
>> Anything output by a PHP program is sent directly to the client. It is
>> not processed (again) by the web server, so the php code you generate
>> will never be processed.
>>
>> The browser will see exactly what you sent - nothing more, nothing less.
>
> Right.
>
> Hmm... Might be worth trying writing to a temporary file, include()ing
> it, then cleaning up at the end of the script. It's a LITTLE
> complicated, but...
>

And subject to all kinds of problems - such as concurrency with others
requesting the same page, getting rid of old copies, having to redirect
the browser to the temporary file, the user bookmarking the temporary
file... and probably several others.


--
==================
Remove the "x" from my email address
Jerry Stuckle
jstucklex(at)attglobal(dot)net
==================
Re: Nested PHP [message #184850 is a reply to message #184843] Tue, 11 February 2014 14:31 Go to previous messageGo to next message
adrian is currently offline  adrian
Messages: 27
Registered: December 2012
Karma: 0
Junior Member
Jerry Stuckle <jstucklex(at)attglobal(dot)net> wrote:

[...]
> My main question here would be - what are you trying to accomplish by
> having files encrypted on your server. Since the decryption code is
> right in plain sight, encrypting the files adds no security. If they
> can get to your raw files, they can get to your decryption code.

I'm not trying to produce a high-security system, just something which
deters the casual user from downloading PDFs that members of the group
have paid their membership fee to receive. I doubt if anyone wants to
go to all the trouble of decrypting a PDF file in order to avoid paying
£7.50

I am a bit worried by your statement that the decryption code is in
plain sight, how can that be protected better than it already is? The
filename in the GET of the link url is also encrypted (very crudely) so,
although it is in plain view, it wouldn't lead the hacker directly to
the encrypted PDF file.

>
> And in any case, the decrypted page (along with images, etc.) is
> available at the browser just as soon as someone requests it.

That 'someone' would have to be a member and they could equally well
send their password to a friend. There is a download log which should
alert me if something untoward is happening through the password system.


> I think your whole approach needs rethinking.

I agree it isn't suitable for a high security website, it is just making
the best of a "Topsy".


--
~ Adrian Tuddenham ~
(Remove the ".invalid"s and add ".co.uk" to reply)
www.poppyrecords.co.uk
Re: Nested PHP [message #184851 is a reply to message #184846] Tue, 11 February 2014 14:31 Go to previous messageGo to next message
adrian is currently offline  adrian
Messages: 27
Registered: December 2012
Karma: 0
Junior Member
Denis McMahon <denismfmcmahon(at)gmail(dot)com> wrote:

> On Tue, 11 Feb 2014 13:55:57 +0100, Christoph Michael Becker wrote:
>
>> Or evaluate the generated PHP code with eval(). However, I suppose
>> there's a design mistake here. Generating and executing PHP code on the
>> fly doesn't seem to be reasonable (at least for most purposes).
>
> I'll second that. Instead of dynamically generating php code to generate
> html and inserting the dynamically generated php code into your file, you
> should refactor the script that produces the dynamic php to instead
> generate the resultant html that the dynamically generated php is
> expected to create, and arrange the code so that the html is just
> inserted at the appropriate place

That's what I've decided to do. It just means that the protected pages
will have to have a different sort of 'include' command from the
unprotected ones.

--
~ Adrian Tuddenham ~
(Remove the ".invalid"s and add ".co.uk" to reply)
www.poppyrecords.co.uk
Re: Nested PHP [message #184852 is a reply to message #184834] Tue, 11 February 2014 14:41 Go to previous messageGo to next message
Ben Bacarisse is currently offline  Ben Bacarisse
Messages: 82
Registered: November 2013
Karma: 0
Member
adrian(at)poppyrecords(dot)invalid(dot)invalid (Adrian Tuddenham) writes:

> Jerry Stuckle <jstucklex(at)attglobal(dot)net> wrote:
<snip>
>> From what I can gather, he's generating a page which contains PHP code
>> from another PHP script, and sending the generated page to the browser -
>> expecting the generated PHP code to be executed (which, of course, it
>> isn't).
>
> That's right.

I'll second (third?, forth?) the question: what are trying to do that
has lead to this design? It seems all wrong.

The only time I saw anything like it, the author was unaware that
functions can be created by PHP functions (though how well this works
depends on the version of PHP that you have). It may be that your task
can be achieved with any special re-execution mechanism.

<snip>
--
Ben.
Re: Nested PHP [message #184853 is a reply to message #184850] Tue, 11 February 2014 15:10 Go to previous messageGo to next message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
Senior Member
On 2/11/2014 9:31 AM, Adrian Tuddenham wrote:
> Jerry Stuckle <jstucklex(at)attglobal(dot)net> wrote:
>
> [...]
>> My main question here would be - what are you trying to accomplish by
>> having files encrypted on your server. Since the decryption code is
>> right in plain sight, encrypting the files adds no security. If they
>> can get to your raw files, they can get to your decryption code.
>
> I'm not trying to produce a high-security system, just something which
> deters the casual user from downloading PDFs that members of the group
> have paid their membership fee to receive. I doubt if anyone wants to
> go to all the trouble of decrypting a PDF file in order to avoid paying
> £7.50
>

First of all, you don't need to go to all the trouble of encrypting a
pdf to make it unavailable to the casual user. Just place the file
outside of your document_root hierarchy and download it with PHP.

Second, it's still no security. Once someone has the pdf, they can make
and send all the copies they want.

> I am a bit worried by your statement that the decryption code is in
> plain sight, how can that be protected better than it already is? The
> filename in the GET of the link url is also encrypted (very crudely) so,
> although it is in plain view, it wouldn't lead the hacker directly to
> the encrypted PDF file.
>

That's correct. Anyone who can access your source files can see the
decryption code.

What you have is security by obfuscation - which is only the illusion of
security. And you're going to a whole lot of unnecessary work to get it.

>>
>> And in any case, the decrypted page (along with images, etc.) is
>> available at the browser just as soon as someone requests it.
>
> That 'someone' would have to be a member and they could equally well
> send their password to a friend. There is a download log which should
> alert me if something untoward is happening through the password system.
>

But if they send the file to their pals (or post it on another website),
you would never know.

>
>> I think your whole approach needs rethinking.
>
> I agree it isn't suitable for a high security website, it is just making
> the best of a "Topsy".
>
>

It's not even suitable for a low security website.

--
==================
Remove the "x" from my email address
Jerry Stuckle
jstucklex(at)attglobal(dot)net
==================
Re: Nested PHP [message #184854 is a reply to message #184850] Tue, 11 February 2014 15:26 Go to previous messageGo to next message
Ben Bacarisse is currently offline  Ben Bacarisse
Messages: 82
Registered: November 2013
Karma: 0
Member
adrian(at)poppyrecords(dot)invalid(dot)invalid (Adrian Tuddenham) writes:
<snip>
> I'm not trying to produce a high-security system, just something which
> deters the casual user from downloading PDFs that members of the group
> have paid their membership fee to receive. I doubt if anyone wants to
> go to all the trouble of decrypting a PDF file in order to avoid paying
> £7.50

I missed your explanation of what you were doing. It was a bit buried.
Sorry about that.

User must authenticate n some way, yes? Having done that, they can get
one or more documents that they have paid for? They get send the
documents "in the clear", yes?

If that's the application, I can't see how you got to where you are.
The documents can (usually) be put somewhere where PHP can see them, but
a browser can't. A simple bit of PHP checks the credentials and
delivers that document. I don't see any need for encrypting the PDFs or
generating PHP to be executed.

<snip>
--
Ben.
Re: Nested PHP [message #184855 is a reply to message #184852] Tue, 11 February 2014 15:31 Go to previous messageGo to next message
adrian is currently offline  adrian
Messages: 27
Registered: December 2012
Karma: 0
Junior Member
Ben Bacarisse <ben(dot)usenet(at)bsb(dot)me(dot)uk> wrote:

> adrian(at)poppyrecords(dot)invalid(dot)invalid (Adrian Tuddenham) writes:
>
>> Jerry Stuckle <jstucklex(at)attglobal(dot)net> wrote:
> <snip>
>>> From what I can gather, he's generating a page which contains PHP code
>>> from another PHP script, and sending the generated page to the browser -
>>> expecting the generated PHP code to be executed (which, of course, it
>>> isn't).
>>
>> That's right.
>
> I'll second (third?, forth?) the question: what are trying to do that
> has lead to this design? It seems all wrong.
>
> The only time I saw anything like it, the author was unaware that
> functions can be created by PHP functions (though how well this works
> depends on the version of PHP that you have). It may be that your task
> can be achieved with any special re-execution mechanism.

I think this is running on some version php 4.

I was not only unaware that functions could be created, but was
convinced by the results of several searches that they could not. I was
probably searching for the wrong thing (until you know the answer, it is
not obvious how to ask the right question), so could you please tell me
what I should be looking for?


--
~ Adrian Tuddenham ~
(Remove the ".invalid"s and add ".co.uk" to reply)
www.poppyrecords.co.uk
Re: Nested PHP [message #184856 is a reply to message #184853] Tue, 11 February 2014 15:31 Go to previous messageGo to next message
adrian is currently offline  adrian
Messages: 27
Registered: December 2012
Karma: 0
Junior Member
Jerry Stuckle <jstucklex(at)attglobal(dot)net> wrote:

> On 2/11/2014 9:31 AM, Adrian Tuddenham wrote:
>> Jerry Stuckle <jstucklex(at)attglobal(dot)net> wrote:
>>
>> [...]
>>> My main question here would be - what are you trying to accomplish by
>>> having files encrypted on your server. Since the decryption code is
>>> right in plain sight, encrypting the files adds no security. If they
>>> can get to your raw files, they can get to your decryption code.
>>
>> I'm not trying to produce a high-security system, just something which
>> deters the casual user from downloading PDFs that members of the group
>> have paid their membership fee to receive. I doubt if anyone wants to
>> go to all the trouble of decrypting a PDF file in order to avoid paying
>> £7.50
>>
>
> First of all, you don't need to go to all the trouble of encrypting a
> pdf to make it unavailable to the casual user. Just place the file
> outside of your document_root hierarchy and download it with PHP.

I have no access to the server outside my own directory.


> Second, it's still no security. Once someone has the pdf, they can make
> and send all the copies they want.

That is why I said it is only a deterrent. Members who receive the
printed copy can photocopy it and send it to their friends - or even
scan it in and distribute their own PDF of it.

>> I am a bit worried by your statement that the decryption code is in
>> plain sight,

> That's correct. Anyone who can access your source files can see the
> decryption code.

How would they get access the source files? I thought the server
blocked that sort of thing.

--
~ Adrian Tuddenham ~
(Remove the ".invalid"s and add ".co.uk" to reply)
www.poppyrecords.co.uk
Re: Nested PHP [message #184857 is a reply to message #184855] Tue, 11 February 2014 15:53 Go to previous messageGo to next message
Ben Bacarisse is currently offline  Ben Bacarisse
Messages: 82
Registered: November 2013
Karma: 0
Member
adrian(at)poppyrecords(dot)invalid(dot)invalid (Adrian Tuddenham) writes:

> Ben Bacarisse <ben(dot)usenet(at)bsb(dot)me(dot)uk> wrote:
<snip>
>> The only time I saw anything like it, the author was unaware that
>> functions can be created by PHP functions (though how well this works
>> depends on the version of PHP that you have). It may be that your task
>> can be achieved with any special re-execution mechanism.
>
> I think this is running on some version php 4.

That's quite old now.

> I was not only unaware that functions could be created, but was
> convinced by the results of several searches that they could not. I was
> probably searching for the wrong thing (until you know the answer, it is
> not obvious how to ask the right question), so could you please tell me
> what I should be looking for?

As it happens the main function is called create_function (PHP 4.0.1 and
newer). A more convenient and flexible kind -- anonymous functions, or
closures -- was introduced in PHP 5.3.

However, I've now seen an outline of what you want to do and it does not
seem to need this sort of thing.

--
Ben.
Re: Nested PHP [message #184858 is a reply to message #184856] Tue, 11 February 2014 16:24 Go to previous messageGo to next message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
Senior Member
On 2/11/2014 10:31 AM, Adrian Tuddenham wrote:
> Jerry Stuckle <jstucklex(at)attglobal(dot)net> wrote:
>
>> On 2/11/2014 9:31 AM, Adrian Tuddenham wrote:
>>> Jerry Stuckle <jstucklex(at)attglobal(dot)net> wrote:
>>>
>>> [...]
>>>> My main question here would be - what are you trying to accomplish by
>>>> having files encrypted on your server. Since the decryption code is
>>>> right in plain sight, encrypting the files adds no security. If they
>>>> can get to your raw files, they can get to your decryption code.
>>>
>>> I'm not trying to produce a high-security system, just something which
>>> deters the casual user from downloading PDFs that members of the group
>>> have paid their membership fee to receive. I doubt if anyone wants to
>>> go to all the trouble of decrypting a PDF file in order to avoid paying
>>> £7.50
>>>
>>
>> First of all, you don't need to go to all the trouble of encrypting a
>> pdf to make it unavailable to the casual user. Just place the file
>> outside of your document_root hierarchy and download it with PHP.
>
> I have no access to the server outside my own directory.
>

Then I would suggest you change hosting companies. Any decent hosting
company will give you access to one level below your web root directory.
I wouldn't host with one which does not.
>
>> Second, it's still no security. Once someone has the pdf, they can make
>> and send all the copies they want.
>
> That is why I said it is only a deterrent. Members who receive the
> printed copy can photocopy it and send it to their friends - or even
> scan it in and distribute their own PDF of it.
>

No, it's not even a deterrent. It's only the illusion of one.

>>> I am a bit worried by your statement that the decryption code is in
>>> plain sight,
>
>> That's correct. Anyone who can access your source files can see the
>> decryption code.
>
> How would they get access the source files? I thought the server
> blocked that sort of thing.
>

If everything is working correctly, and hackers don't get into the
server. But this also includes potentially other websites on the same
server, for instance, if the server isn't properly secured, as well as
anyone who has direct access to the server itself.

Personally, if your hosting company don't even give you access to a
directory below your document root, I wouldn't be trusting them to
properly secure the server, either (that doesn't necessarily mean they
DO secure the server if they give you this access - it's just more
LIKELY they know what they're doing).

--
==================
Remove the "x" from my email address
Jerry Stuckle
jstucklex(at)attglobal(dot)net
==================
Re: Nested PHP [message #184859 is a reply to message #184855] Tue, 11 February 2014 16:26 Go to previous messageGo to next message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
Senior Member
On 2/11/2014 10:31 AM, Adrian Tuddenham wrote:
> Ben Bacarisse <ben(dot)usenet(at)bsb(dot)me(dot)uk> wrote:
>
>> adrian(at)poppyrecords(dot)invalid(dot)invalid (Adrian Tuddenham) writes:
>>
>>> Jerry Stuckle <jstucklex(at)attglobal(dot)net> wrote:
>> <snip>
>>>> From what I can gather, he's generating a page which contains PHP code
>>>> from another PHP script, and sending the generated page to the browser -
>>>> expecting the generated PHP code to be executed (which, of course, it
>>>> isn't).
>>>
>>> That's right.
>>
>> I'll second (third?, forth?) the question: what are trying to do that
>> has lead to this design? It seems all wrong.
>>
>> The only time I saw anything like it, the author was unaware that
>> functions can be created by PHP functions (though how well this works
>> depends on the version of PHP that you have). It may be that your task
>> can be achieved with any special re-execution mechanism.
>
> I think this is running on some version php 4.
>

In that case I would *DEFINITELY* be looking for another hosting
company. PHP4 has been OOS for years now; not even security fixes are
being issued for it.

> I was not only unaware that functions could be created, but was
> convinced by the results of several searches that they could not. I was
> probably searching for the wrong thing (until you know the answer, it is
> not obvious how to ask the right question), so could you please tell me
> what I should be looking for?
>
>

Another hosting company.

PHP functions can be created on the fly - but they still won't be
executed the way you are trying to do things. They have to be executed
in your script.

--
==================
Remove the "x" from my email address
Jerry Stuckle
jstucklex(at)attglobal(dot)net
==================
Re: Nested PHP [message #184860 is a reply to message #184851] Tue, 11 February 2014 17:24 Go to previous messageGo to next message
Denis McMahon is currently offline  Denis McMahon
Messages: 634
Registered: September 2010
Karma: 0
Senior Member
On Tue, 11 Feb 2014 14:31:51 +0000, Adrian Tuddenham wrote:

> Denis McMahon <denismfmcmahon(at)gmail(dot)com> wrote:
>
>> On Tue, 11 Feb 2014 13:55:57 +0100, Christoph Michael Becker wrote:
>>
>>> Or evaluate the generated PHP code with eval(). However, I suppose
>>> there's a design mistake here. Generating and executing PHP code on
>>> the fly doesn't seem to be reasonable (at least for most purposes).
>>
>> I'll second that. Instead of dynamically generating php code to
>> generate html and inserting the dynamically generated php code into
>> your file, you should refactor the script that produces the dynamic php
>> to instead generate the resultant html that the dynamically generated
>> php is expected to create, and arrange the code so that the html is
>> just inserted at the appropriate place
>
> That's what I've decided to do. It just means that the protected pages
> will have to have a different sort of 'include' command from the
> unprotected ones.

If you want to protect the included files from being accessed directly,
move them outside of the webroot structure.

The web server can only "serve" files inside it's directory structure,
but a php include can access any file according to file system access
constraints, so you can even include a file from a directory on another
computer as long as you specify the pathname correctly.

I always put files that include things like database access usernames and
passwords outside of the webroot, that way no one can request
"db_passwords.php" and get the mysql password and user that php is using.

--
Denis McMahon, denismfmcmahon(at)gmail(dot)com
Re: Nested PHP [message #184862 is a reply to message #184848] Wed, 12 February 2014 00:41 Go to previous messageGo to next message
Peter H. Coffin is currently offline  Peter H. Coffin
Messages: 245
Registered: September 2010
Karma: 0
Senior Member
On Tue, 11 Feb 2014 09:27:54 -0500, Jerry Stuckle wrote:
> On 2/11/2014 9:14 AM, Peter H. Coffin wrote:
>> On Mon, 10 Feb 2014 16:51:37 -0500, Jerry Stuckle wrote:
>>> On 2/10/2014 4:44 PM, Adrian Tuddenham wrote:
>>>> I was using a browser to view it, but the source code was coming from a
>>>> php program, not directly from a file on the server.
>>>>
>>>>
>>>
>>> Anything output by a PHP program is sent directly to the client. It is
>>> not processed (again) by the web server, so the php code you generate
>>> will never be processed.
>>>
>>> The browser will see exactly what you sent - nothing more, nothing less.
>>
>> Right.
>>
>> Hmm... Might be worth trying writing to a temporary file, include()ing
>> it, then cleaning up at the end of the script. It's a LITTLE
>> complicated, but...
>>
>
> And subject to all kinds of problems - such as concurrency with others
> requesting the same page, getting rid of old copies, having to redirect
> the browser to the temporary file, the user bookmarking the temporary
> file... and probably several others.

I think those are surmountable, with proper planning. Generating a
guaranteed unique filename for the temporary file is essentially a
solved problem, for example.

The big question, though, is why can't this be solved WITHOUT the clunky
mechanism. It almost smells richard-ish...

--
The trouble with things that extend your lifespan is that they happen
at wrong end. I'd hate to be wearing Depends at 85 and thinking "I gave
up booze and cigarettes for three more years of this."
Re: Nested PHP [message #184863 is a reply to message #184862] Wed, 12 February 2014 01:03 Go to previous messageGo to next message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
Senior Member
On 2/11/2014 7:41 PM, Peter H. Coffin wrote:
> On Tue, 11 Feb 2014 09:27:54 -0500, Jerry Stuckle wrote:
>> On 2/11/2014 9:14 AM, Peter H. Coffin wrote:
>>> On Mon, 10 Feb 2014 16:51:37 -0500, Jerry Stuckle wrote:
>>>> On 2/10/2014 4:44 PM, Adrian Tuddenham wrote:
>>>> > I was using a browser to view it, but the source code was coming from a
>>>> > php program, not directly from a file on the server.
>>>> >
>>>> >
>>>>
>>>> Anything output by a PHP program is sent directly to the client. It is
>>>> not processed (again) by the web server, so the php code you generate
>>>> will never be processed.
>>>>
>>>> The browser will see exactly what you sent - nothing more, nothing less.
>>>
>>> Right.
>>>
>>> Hmm... Might be worth trying writing to a temporary file, include()ing
>>> it, then cleaning up at the end of the script. It's a LITTLE
>>> complicated, but...
>>>
>>
>> And subject to all kinds of problems - such as concurrency with others
>> requesting the same page, getting rid of old copies, having to redirect
>> the browser to the temporary file, the user bookmarking the temporary
>> file... and probably several others.
>
> I think those are surmountable, with proper planning. Generating a
> guaranteed unique filename for the temporary file is essentially a
> solved problem, for example.
>
> The big question, though, is why can't this be solved WITHOUT the clunky
> mechanism. It almost smells richard-ish...
>

That takes care of the concurrency problem - but that's all it takes
care of. When do you delete the file, for instance? Or what if the
user bookmarks the file?

But I also agree with you it sounds almost richard-ish.


--
==================
Remove the "x" from my email address
Jerry Stuckle
jstucklex(at)attglobal(dot)net
==================
Re: Nested PHP [message #184866 is a reply to message #184863] Wed, 12 February 2014 10:13 Go to previous messageGo to next message
adrian is currently offline  adrian
Messages: 27
Registered: December 2012
Karma: 0
Junior Member
Jerry Stuckle <jstucklex(at)attglobal(dot)net> wrote:

> On 2/11/2014 7:41 PM, Peter H. Coffin wrote:
>> On Tue, 11 Feb 2014 09:27:54 -0500, Jerry Stuckle wrote:
>>> On 2/11/2014 9:14 AM, Peter H. Coffin wrote:
>>>> On Mon, 10 Feb 2014 16:51:37 -0500, Jerry Stuckle wrote:
>>>> > On 2/10/2014 4:44 PM, Adrian Tuddenham wrote:
>>>> >> I was using a browser to view it, but the source code was coming from a
>>>> >> php program, not directly from a file on the server.
>>>> >>
>>>> >>
>>>> >
>>>> > Anything output by a PHP program is sent directly to the client. It is
>>>> > not processed (again) by the web server, so the php code you generate
>>>> > will never be processed.
>>>> >
>>>> > The browser will see exactly what you sent - nothing more, nothing less.
>>>>
>>>> Right.
>>>>
>>>> Hmm... Might be worth trying writing to a temporary file, include()ing
>>>> it, then cleaning up at the end of the script. It's a LITTLE
>>>> complicated, but...
>>>>
>>>
>>> And subject to all kinds of problems - such as concurrency with others
>>> requesting the same page, getting rid of old copies, having to redirect
>>> the browser to the temporary file, the user bookmarking the temporary
>>> file... and probably several others.
>>
>> I think those are surmountable, with proper planning. Generating a
>> guaranteed unique filename for the temporary file is essentially a
>> solved problem, for example.
>>
>> The big question, though, is why can't this be solved WITHOUT the clunky
>> mechanism. It almost smells richard-ish...
>>
>
> That takes care of the concurrency problem - but that's all it takes
> care of. When do you delete the file, for instance? Or what if the
> user bookmarks the file?

How do you delete the file? I have tried a few 'obvious' (obvious to
me, that is) methods, but they don't seem to work. I initially tried
going down the temporary file route, but my inability to find a way of
deleting the files was one reason why I abandoned it.


> But I also agree with you it sounds almost richard-ish.

Sorry if my beginner's questions sound like that, but I have started
trying to teach myself php from a position of almost complete ignorance,
especially in the way servers work. My previous experience of using a
'server', if you can call it that, was programming in AlgolW under
Multics on an ICL System 4 mainframe in the 1970s; what little
programming I have done since then has been on desktop machines.

There are plenty of references to php on the Web, but using them to
learn a programming language is like trying to learn to drive a car by
reading detailed descriptions of the clutch pedal, the brake pedal and
the accelerator pedal.

I feet I needed to read through a selection of easy-to-follow examples
of how real programmers solve real (straightforward) problems in the
world of php - but as these don't seem to be available in any sort of
collected form, I have turned to this group for guidance.


--
~ Adrian Tuddenham ~
(Remove the ".invalid"s and add ".co.uk" to reply)
www.poppyrecords.co.uk
Re: Nested PHP [message #184867 is a reply to message #184858] Wed, 12 February 2014 10:13 Go to previous messageGo to next message
adrian is currently offline  adrian
Messages: 27
Registered: December 2012
Karma: 0
Junior Member
Jerry Stuckle <jstucklex(at)attglobal(dot)net> wrote:

> On 2/11/2014 10:31 AM, Adrian Tuddenham wrote:
>> Jerry Stuckle <jstucklex(at)attglobal(dot)net> wrote:
>>
>>> On 2/11/2014 9:31 AM, Adrian Tuddenham wrote:
>>>> Jerry Stuckle <jstucklex(at)attglobal(dot)net> wrote:
>>>>
>>>> [...]
>>>> > My main question here would be - what are you trying to accomplish by
>>>> > having files encrypted on your server. Since the decryption code is
>>>> > right in plain sight, encrypting the files adds no security. If they
>>>> > can get to your raw files, they can get to your decryption code.
>>>>
>>>> I'm not trying to produce a high-security system, just something which
>>>> deters the casual user from downloading PDFs that members of the group
>>>> have paid their membership fee to receive. I doubt if anyone wants to
>>>> go to all the trouble of decrypting a PDF file in order to avoid paying
>>>> £7.50
>>>>
>>>
>>> First of all, you don't need to go to all the trouble of encrypting a
>>> pdf to make it unavailable to the casual user. Just place the file
>>> outside of your document_root hierarchy and download it with PHP.
>>
>> I have no access to the server outside my own directory.
>>
>
> Then I would suggest you change hosting companies. Any decent hosting
> company will give you access to one level below your web root directory.
> I wouldn't host with one which does not.

I may have unintentionally misled you because of my ignorance of server
terminology. I might be able to do what you suggest, but I have no idea
how to do it. I presume that raises questions outside the the scope of
a php newsgroup and is something I should folow up separately.


--
~ Adrian Tuddenham ~
(Remove the ".invalid"s and add ".co.uk" to reply)
www.poppyrecords.co.uk
Re: Nested PHP [message #184868 is a reply to message #184866] Wed, 12 February 2014 10:33 Go to previous messageGo to next message
Tim Streater is currently offline  Tim Streater
Messages: 328
Registered: September 2010
Karma: 0
Senior Member
In article <1lgy8o1.4vb3i3fbpwjqN%adrian(at)poppyrecords(dot)invalid(dot)invalid>,
Adrian Tuddenham <adrian(at)poppyrecords(dot)invalid(dot)invalid> wrote:

> Jerry Stuckle <jstucklex(at)attglobal(dot)net> wrote:
>
>> On 2/11/2014 7:41 PM, Peter H. Coffin wrote:
>>> On Tue, 11 Feb 2014 09:27:54 -0500, Jerry Stuckle wrote:
>>>> On 2/11/2014 9:14 AM, Peter H. Coffin wrote:
>>>> > On Mon, 10 Feb 2014 16:51:37 -0500, Jerry Stuckle wrote:
>>>> >> On 2/10/2014 4:44 PM, Adrian Tuddenham wrote:
>>>> >>> I was using a browser to view it, but the source code was coming from
>>>> >>> a
>>>> >>> php program, not directly from a file on the server.
>>>> >>>
>>>> >>>
>>>> >>
>>>> >> Anything output by a PHP program is sent directly to the client. It is
>>>> >> not processed (again) by the web server, so the php code you generate
>>>> >> will never be processed.
>>>> >>
>>>> >> The browser will see exactly what you sent - nothing more, nothing
>>>> >> less.
>>>> >
>>>> > Right.
>>>> >
>>>> > Hmm... Might be worth trying writing to a temporary file, include()ing
>>>> > it, then cleaning up at the end of the script. It's a LITTLE
>>>> > complicated, but...
>>>> >
>>>>
>>>> And subject to all kinds of problems - such as concurrency with others
>>>> requesting the same page, getting rid of old copies, having to redirect
>>>> the browser to the temporary file, the user bookmarking the temporary
>>>> file... and probably several others.
>>>
>>> I think those are surmountable, with proper planning. Generating a
>>> guaranteed unique filename for the temporary file is essentially a
>>> solved problem, for example.
>>>
>>> The big question, though, is why can't this be solved WITHOUT the clunky
>>> mechanism. It almost smells richard-ish...
>>>
>>
>> That takes care of the concurrency problem - but that's all it takes
>> care of. When do you delete the file, for instance? Or what if the
>> user bookmarks the file?
>
> How do you delete the file? I have tried a few 'obvious' (obvious to
> me, that is) methods, but they don't seem to work. I initially tried
> going down the temporary file route, but my inability to find a way of
> deleting the files was one reason why I abandoned it.

unlink ('/path/to/file');

> I felt I needed to read through a selection of easy-to-follow examples
> of how real programmers solve real (straightforward) problems in the
> world of php - but as these don't seem to be available in any sort of
> collected form, I have turned to this group for guidance.

Yes, in 2000 I was given a 20 minutes tutorial about PHP and webpages
by the chap doing the company's assets database; he then (having
resigned a little before) walked out the door and was not seen again.
Luckily for me I had 35 years of programming experience. That was my
intro to PHP, javascript, and how web servers work.

The best resource is the PHP web site; it's one reason I don't use
perl. PHP folks seem to do things in a straightforward way and don't
try to be smart-alecs.

See here for the docs:

<http://www.php.net/manual/en/>

You can find a simple example of how ajax can be used (how I use it in
my email client, f'rinstance) here:

<http://www.clothears.org.uk>

Anyway, keep coming back here with questions.

--
Tim

"That excessive bail ought not to be required, nor excessive fines imposed,
nor cruel and unusual punishments inflicted" -- Bill of Rights 1689
Re: Nested PHP [message #184869 is a reply to message #184866] Wed, 12 February 2014 11:30 Go to previous messageGo to next message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
Senior Member
On 2/12/2014 5:13 AM, Adrian Tuddenham wrote:
> Jerry Stuckle <jstucklex(at)attglobal(dot)net> wrote:
>
>> On 2/11/2014 7:41 PM, Peter H. Coffin wrote:
>>> On Tue, 11 Feb 2014 09:27:54 -0500, Jerry Stuckle wrote:
>>>> On 2/11/2014 9:14 AM, Peter H. Coffin wrote:
>>>> > On Mon, 10 Feb 2014 16:51:37 -0500, Jerry Stuckle wrote:
>>>> >> On 2/10/2014 4:44 PM, Adrian Tuddenham wrote:
>>>> >>> I was using a browser to view it, but the source code was coming from a
>>>> >>> php program, not directly from a file on the server.
>>>> >>>
>>>> >>>
>>>> >>
>>>> >> Anything output by a PHP program is sent directly to the client. It is
>>>> >> not processed (again) by the web server, so the php code you generate
>>>> >> will never be processed.
>>>> >>
>>>> >> The browser will see exactly what you sent - nothing more, nothing less.
>>>> >
>>>> > Right.
>>>> >
>>>> > Hmm... Might be worth trying writing to a temporary file, include()ing
>>>> > it, then cleaning up at the end of the script. It's a LITTLE
>>>> > complicated, but...
>>>> >
>>>>
>>>> And subject to all kinds of problems - such as concurrency with others
>>>> requesting the same page, getting rid of old copies, having to redirect
>>>> the browser to the temporary file, the user bookmarking the temporary
>>>> file... and probably several others.
>>>
>>> I think those are surmountable, with proper planning. Generating a
>>> guaranteed unique filename for the temporary file is essentially a
>>> solved problem, for example.
>>>
>>> The big question, though, is why can't this be solved WITHOUT the clunky
>>> mechanism. It almost smells richard-ish...
>>>
>>
>> That takes care of the concurrency problem - but that's all it takes
>> care of. When do you delete the file, for instance? Or what if the
>> user bookmarks the file?
>
> How do you delete the file? I have tried a few 'obvious' (obvious to
> me, that is) methods, but they don't seem to work. I initially tried
> going down the temporary file route, but my inability to find a way of
> deleting the files was one reason why I abandoned it.
>

Which is only one reason this is a bad way of doing it. But these were
questions to point out problems with this method.

BTW - to delete files, you use unlink(). See the documentation at
www.php.net - it's the best reference around.

>
>> But I also agree with you it sounds almost richard-ish.
>
> Sorry if my beginner's questions sound like that, but I have started
> trying to teach myself php from a position of almost complete ignorance,
> especially in the way servers work. My previous experience of using a
> 'server', if you can call it that, was programming in AlgolW under
> Multics on an ICL System 4 mainframe in the 1970s; what little
> programming I have done since then has been on desktop machines.
>
> There are plenty of references to php on the Web, but using them to
> learn a programming language is like trying to learn to drive a car by
> reading detailed descriptions of the clutch pedal, the brake pedal and
> the accelerator pedal.
>
> I feet I needed to read through a selection of easy-to-follow examples
> of how real programmers solve real (straightforward) problems in the
> world of php - but as these don't seem to be available in any sort of
> collected form, I have turned to this group for guidance.
>
>

Forget most of the web-based references. There's a lot more crap out
there than there is good stuff. The best reference is the doc at
www.php.net, as I said above. Other than that, I would highly suggest
you visit your local book store. At least books have been through an
editorial process, and in general are better. Sorry I don't have any
specific ones to suggest; it's been a while since I've looked.

Normally I also suggest your public library - but if it's like the one
we have, the books will be several years old and way out of date for PHP.

--
==================
Remove the "x" from my email address
Jerry Stuckle
jstucklex(at)attglobal(dot)net
==================
Re: Nested PHP [message #184870 is a reply to message #184867] Wed, 12 February 2014 11:33 Go to previous messageGo to next message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
Senior Member
On 2/12/2014 5:13 AM, Adrian Tuddenham wrote:
> Jerry Stuckle <jstucklex(at)attglobal(dot)net> wrote:
>
>> On 2/11/2014 10:31 AM, Adrian Tuddenham wrote:
>>> Jerry Stuckle <jstucklex(at)attglobal(dot)net> wrote:
>>>
>>>> On 2/11/2014 9:31 AM, Adrian Tuddenham wrote:
>>>> > Jerry Stuckle <jstucklex(at)attglobal(dot)net> wrote:
>>>> >
>>>> > [...]
>>>> >> My main question here would be - what are you trying to accomplish by
>>>> >> having files encrypted on your server. Since the decryption code is
>>>> >> right in plain sight, encrypting the files adds no security. If they
>>>> >> can get to your raw files, they can get to your decryption code.
>>>> >
>>>> > I'm not trying to produce a high-security system, just something which
>>>> > deters the casual user from downloading PDFs that members of the group
>>>> > have paid their membership fee to receive. I doubt if anyone wants to
>>>> > go to all the trouble of decrypting a PDF file in order to avoid paying
>>>> > £7.50
>>>> >
>>>>
>>>> First of all, you don't need to go to all the trouble of encrypting a
>>>> pdf to make it unavailable to the casual user. Just place the file
>>>> outside of your document_root hierarchy and download it with PHP.
>>>
>>> I have no access to the server outside my own directory.
>>>
>>
>> Then I would suggest you change hosting companies. Any decent hosting
>> company will give you access to one level below your web root directory.
>> I wouldn't host with one which does not.
>
> I may have unintentionally misled you because of my ignorance of server
> terminology. I might be able to do what you suggest, but I have no idea
> how to do it. I presume that raises questions outside the the scope of
> a php newsgroup and is something I should folow up separately.
>
>

Yes, it's out of the range of this newsgroup. However, it's an
important feature any time you need to control access to files.

And yes, there are some companies out there which don't allow access
outside of the document root. I would not host with any of these companies.


--
==================
Remove the "x" from my email address
Jerry Stuckle
jstucklex(at)attglobal(dot)net
==================
Re: Nested PHP [message #184872 is a reply to message #184866] Wed, 12 February 2014 12:14 Go to previous messageGo to next message
Stefan+Usenet is currently offline  Stefan+Usenet
Messages: 3
Registered: June 2013
Karma: 0
Junior Member
On Wed, 12 Feb 2014 11:13:04 Adrian Tuddenham wrote:
>>>> > Might be worth trying writing to a temporary file, include()ing
>>>> > it, then cleaning up at the end of the script. It's a LITTLE
>>>> > complicated, but...

>>>> And subject to all kinds of problems - such as concurrency with
>>>> others requesting the same page, getting rid of old copies, having
>>>> to redirect the browser to the temporary file, the user bookmarking
>>>> the temporary file... and probably several others.

> How do you delete the file? I have tried a few 'obvious' (obvious to
> me, that is) methods, but they don't seem to work. I initially tried
> going down the temporary file route, but my inability to find a way of
> deleting the files was one reason why I abandoned it.

If you do something like:

-----------------------------------------
<?php

$file = tempnam('/tmp/', 'tmp');
$handle = fopen($file, 'w');
fwrite(
$handle,
'<html><body><p><?php echo "hello world"; ?></p></body></html>'
);
fclose($handle);

include $file;

unlink($file);

?>
-----------------------------------------

....then this is quite safe (one could create a race condition by
guessing the temporary filename and opening it in another process,
but this cannot be done from the outside and is thus IMHO rather
neglectible) and does what it should do.

But:

>>> The big question, though, is why can't this be solved WITHOUT the
>>> clunky mechanism. It almost smells richard-ish...

That's the point. Even though the code above works, it is ugly and
very difficult to maintain. I would use it as a base for fun programs
and brainteasers ("read in the current program file, modify it, write
it out with a different name and include it" comes to my mind), but
definitely not for real world applications.

> Sorry if my beginner's questions sound like that, but I have started
> trying to teach myself php from a position of almost complete ignorance,
> especially in the way servers work. My previous experience of using a
> 'server', if you can call it that, was programming in AlgolW under
> Multics on an ICL System 4 mainframe in the 1970s; what little
> programming I have done since then has been on desktop machines.

No problem with that. It's just that most things *can* be done in a much
easier way nowadays and therefore *should* be done that way.

Bye,
Stefan

--
http://kontaktinser.at/ - die kostenlose Kontaktboerse fuer Oesterreich
Offizieller Erstbesucher(TM) von mmeike

Die letzte Steigerungsform von "super", oder warum Stefan so massgebend eifert!
(Sloganizer)
Re: Nested PHP [message #184873 is a reply to message #184869] Wed, 12 February 2014 12:52 Go to previous messageGo to previous message
adrian is currently offline  adrian
Messages: 27
Registered: December 2012
Karma: 0
Junior Member
Jerry Stuckle <jstucklex(at)attglobal(dot)net> wrote:

> On 2/12/2014 5:13 AM, Adrian Tuddenham wrote:
>> Jerry Stuckle <jstucklex(at)attglobal(dot)net> wrote:
>>
[...]
>> How do you delete the file? I have tried a few 'obvious' (obvious to
>> me, that is) methods, but they don't seem to work. I initially tried
>> going down the temporary file route, but my inability to find a way of
>> deleting the files was one reason why I abandoned it.
>>
>
> Which is only one reason this is a bad way of doing it. But these were
> questions to point out problems with this method.
>
> BTW - to delete files, you use unlink(). See the documentation at
> www.php.net - it's the best reference around.

I found that function and tried it, but the file didn't seem to go away
- its name was still visible even after I updated the file listings in
my ftp program. Eventually I deleted it manually by ftp.

Perhaps I got something wrong or I didn't wait long enough before
checking; I'll try again.
>
>>
>>> But I also agree with you it sounds almost richard-ish.
>>
>> Sorry if my beginner's questions sound like that, but I have started
>> trying to teach myself php from a position of almost complete ignorance,
>> especially in the way servers work. My previous experience of using a
>> 'server', if you can call it that, was programming in AlgolW under
>> Multics on an ICL System 4 mainframe in the 1970s; what little
>> programming I have done since then has been on desktop machines.
>>
>> There are plenty of references to php on the Web, but using them to
>> learn a programming language is like trying to learn to drive a car by
>> reading detailed descriptions of the clutch pedal, the brake pedal and
>> the accelerator pedal.
>>
>> I feet I needed to read through a selection of easy-to-follow examples
>> of how real programmers solve real (straightforward) problems in the
>> world of php - but as these don't seem to be available in any sort of
>> collected form, I have turned to this group for guidance.
>>
>>
>
> Forget most of the web-based references. There's a lot more crap out
> there than there is good stuff. The best reference is the doc at
> www.php.net, as I said above. Other than that, I would highly suggest
> you visit your local book store. At least books have been through an
> editorial process, and in general are better. Sorry I don't have any
> specific ones to suggest; it's been a while since I've looked.
>
> Normally I also suggest your public library - but if it's like the one
> we have, the books will be several years old and way out of date for PHP.

I have put a visit to the bookshop on my shopping list for this
afternoon.

[OT]
Sadly, not all books now go through a worthwhile editorial process.
There was a recent glaring example published by Focal Press of a book
relating to the history of analogue electronics (which is one of my
specialities) full of utter nonsense. You couldn't really say the
statements contained 'errors', they were just complete gobbledeygook
made up by an author with no knowledge of the subject whatsoever.


--
~ Adrian Tuddenham ~
(Remove the ".invalid"s and add ".co.uk" to reply)
www.poppyrecords.co.uk
Pages (2): [1  2    »]  Switch to threaded view of this topic Create a new topic Submit Reply
Previous Topic: Filling an array with random input doesn't quite work
Next Topic: string length
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Sun Nov 24 13:19:45 GMT 2024

Total time taken to generate the page: 0.03027 seconds