| [PHP-DEV] Session security |
|
 |
Index ‹ php-dev
|
- Previous
- 1
- #33997 [Asn]: Returned: Bug #16069 - ICONV transliteration failure ID: 33997
Updated by: email***@***.com
Reported By: RVaughn at pheedo dot com
Status: Assigned
Bug Type: ICONV related
Operating System: *
PHP Version: 5CVS, 4CVS (2005-08-30)
Assigned To: derick
New Comment:
Jani, I tried your patch and it does not fix the bug, at least on my
system.
Previous Comments:
------------------------------------------------------------------------
[2005-08-08 00:10:15] email***@***.com
Assigning to Derick who's comment about my patch was "It's funny" and
other comment about the iconv code "this is a mess"
:)
------------------------------------------------------------------------
[2005-08-07 23:47:31] RVaughn at pheedo dot com
The patch Sniper referred to:
http://www.php.net/~jani/patches/bug33997.patch
Does fix the bug properly and completely, we've tested it thoroughly,
so I won't close this bug but I do think you can roll that patch
forward into 4.4.1 as a fix and close this once that's done?
Please let me know if there's anything else I can provide? Do you
really need the .out and .exp if I can assure you the patch fixes the
bug? Or do you want to see the results from the patched install?
Thanks, Rob
------------------------------------------------------------------------
[2005-08-07 14:42:23] email***@***.com
Please provide a location where we can download your failed test's .out
and .exp file.
------------------------------------------------------------------------
[2005-08-05 22:15:08] email***@***.com
Well, the patch is not approved/applied to CVS yet so keep this report
open. We'll close this once the bug is really fixed.
------------------------------------------------------------------------
[2005-08-05 01:18:33] RVaughn at pheedo dot com
Works perfectly! Hopefully this patch can be rolled into PHP 4.4.1?
This one can be closed, that was the fix. Thanks much! Cheers!
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/33997
--
Edit this bug report at http://bugs.php.net/?id=33997&edit=1
- 2
- #26045 [Opn->Asn]: Mono extension fails to compile ID: 26045
Updated by: email***@***.com
Reported By: kris dot hofmans at pandora dot be
-Status: Open
+Status: Assigned
Bug Type: Compile Failure
Operating System: Linux 2.4.21
PHP Version: 5CVS-2003-10-30 (dev)
-Assigned To:
+Assigned To: sterling
New Comment:
Assigned to the author of this extension.
Previous Comments:
------------------------------------------------------------------------
[2003-10-30 19:11:06] kris dot hofmans at pandora dot be
Description:
------------
/home/blacky/builds/php-5.0.0b2/ext/mono/php_mono.c: In function
`method_get':
/home/blacky/builds/php-5.0.0b2/ext/mono/php_mono.c:667: structure has
no member
named `arg_types'
/home/blacky/builds/php-5.0.0b2/ext/mono/php_mono.c: At top level:
/home/blacky/builds/php-5.0.0b2/ext/mono/php_mono.c:740: warning:
initialization
from incompatible pointer type
/home/blacky/builds/php-5.0.0b2/ext/mono/php_mono.c:742: warning:
initialization
from incompatible pointer type
/home/blacky/builds/php-5.0.0b2/ext/mono/php_mono.c:745: warning:
initialization
from incompatible pointer type
/home/blacky/builds/php-5.0.0b2/ext/mono/php_mono.c:746: warning:
initialization
from incompatible pointer type
/home/blacky/builds/php-5.0.0b2/ext/mono/php_mono.c:748: warning:
initialization
from incompatible pointer type
/home/blacky/builds/php-5.0.0b2/ext/mono/php_mono.c:749: warning:
initialization
from incompatible pointer type
/home/blacky/builds/php-5.0.0b2/ext/mono/php_mono.c:750: warning:
initialization
from incompatible pointer type
/home/blacky/builds/php-5.0.0b2/ext/mono/php_mono.c:751: warning:
initialization
from incompatible pointer type
/home/blacky/builds/php-5.0.0b2/ext/mono/php_mono.c:753: warning:
initialization
from incompatible pointer type
/home/blacky/builds/php-5.0.0b2/ext/mono/php_mono.c:755: warning:
initialization
from incompatible pointer type
/home/blacky/builds/php-5.0.0b2/ext/mono/php_mono.c: In function
`zm_startup_mon
o':
/home/blacky/builds/php-5.0.0b2/ext/mono/php_mono.c:1041: structure has
no membe
r named `arg_types'
/home/blacky/builds/php-5.0.0b2/ext/mono/php_mono.c:1054: structure has
no membe
r named `arg_types'
make: *** [ext/mono/php_mono.lo] Error 1
make: *** Waiting for unfinished jobs....
Expected result:
----------------
I hope the mono extension will be fixed since the last working version
I saw was PHP5-B1 and it got broken soon after that.
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=26045&edit=1
- 2
- [PHP-DEV] Allow functions in namespaces?Right now, my patch is complete as respects classes inside namespaces,
simple import, namespace imports, etc. I just made a few changes locally to
see how feasible it was to allow functions inside namespaces, and it was
actually very simple. Like classes, the functions internally are prefixed
with the namespace name and a colon, e.g.:
<?php
namespace test_ns
{
function test_func
{
echo "hello!\n";
}
}
test_func(); // generates an error, 'test_func' does not exist
test_ns:test_func(); // prints "hello!"
?>
I haven't done anything with functions as regards imports, and I think it
would be difficult/useless to do so. Simple imports might be easy, but what
about namespace imports? There is no such concept as __autoload for
functions, so namespace imports for functions would be discarded. Also, if
you import foo:bar, you don't know if this is a function or a class. The
former syntax of "import function/class foo from bar" would need to be
used, and this syntax was very ugly IMHO.
So, I ask, would it be useful to have functions inside namespaces and only
use it as above? Imports would only work for classes, and the only change
would be that you can reference functions with a colon (of course, just
like classes, you cannot declare a function name with a colon, only
reference it).
Let me know what you guys think. My Beta 2 patch is working great as it is,
and I suspect the majority of the users who want namespaces is to simply
group/organize their classes anyways.
Regards,
Jessie Hernandez
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
- 5
- #42600 [Com]: Invalid access to memory location. ID: 42600
Comment by: stijn dot peeters at gmail dot com
Reported By: php at littlekp dot ddo dot jp
Status: No Feedback
Bug Type: EXIF related
Operating System: Windows Series
PHP Version: 5.2.4
New Comment:
same problem here.
when activated the exif extension
php gives an error: Invalid access to memory location.
when the session.save path is qouted to disable it, php works once
again.
Previous Comments:
------------------------------------------------------------------------
[2007-09-18 01:00:00] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
------------------------------------------------------------------------
[2007-09-10 09:44:43] email***@***.com
Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php for *NIX and
http://bugs.php.net/bugs-generating-backtrace-win32.php for Win32
Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.
------------------------------------------------------------------------
[2007-09-09 11:09:13] php at littlekp dot ddo dot jp
I havent tried as I preferred to use ISAPI rather than CGI (php.exe).
CGI seems unsafe in IIS and hard to configurate.
------------------------------------------------------------------------
[2007-09-09 10:08:29] email***@***.com
Does this happen if you don't use ISAPI but use the FastCGI instead
(which is the preferred SAPI to use with IIS anyway..) ?
------------------------------------------------------------------------
[2007-09-09 06:01:18] php at littlekp dot ddo dot jp
ISAPI is being used with IIS 6.0 in Windows Server 2003 STD
Slow computer P3-733 is used with 512MB PC133 RAM
Only phpinfo() is running.
Page is viewed in any computer with IE 6.
Until now, this only happened when turning php_exif.dll on in PHP EXT.
Thanks!!
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/42600
--
Edit this bug report at http://bugs.php.net/?id=42600&edit=1
- 5
- #39402 [Bgs->Csd]: Not able to access the desired cookie ID: 39402
User updated by: pradeep_elixir at yahoo dot com
Reported By: pradeep_elixir at yahoo dot com
-Status: Bogus
+Status: Closed
Bug Type: *General Issues
Operating System: LINUX
PHP Version: 4.4.4
New Comment:
It is not related with php rather it is an issue of some privecy
policies related to the browser.
Previous Comments:
------------------------------------------------------------------------
[2006-11-07 14:13:19] email***@***.com
This is a browser issue, not a bug in PHP.
------------------------------------------------------------------------
[2006-11-06 15:29:25] pradeep_elixir at yahoo dot com
Description:
------------
I tried to access cookie from a php file using javascript tag:
<script language="javascript" >
source = "http://mysite.com/accesscookie.php"
document.write('\<\script language="javascript" src="' + source
+'"\>\<\/SCRIPT\>');
</script>
The php script could not read the cookie stored for the damain
mysite.com
Browser is Internet explorer 6.0
When I tred the same url directly in the browser it was able to read
the cookie.
The problem i am facing for the Internet explorer while it is working
fine in Mozila Firefox 1.5.0.7
Reproduce code:
---------------
I tried to access cookie from a php file using javascript tag:
<script language="javascript" >
source = "http://mysite.com/accesscookie.php"
document.write('\<\script language="javascript" src="' + source
+'"\>\<\/SCRIPT\>');
</script>
The php script could not read the cookie stored for the damain
mysite.com
Browser is Internet explorer 6.0
When I tred the same url directly in the browser it was able to read
the cookie.
The problem i am facing for the Internet explorer while it is working
fine in Mozila Firefox 1.5.0.7
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=39402&edit=1
- 8
- [PHP-DEV] type hints and default valuesHi,
As default values for type-hinted parameters are now pointless, should
we still allow them ?
--
Ard
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
- 10
- [PHP-DEV] Re: [PHP-CVS] cvs: php-src /ext/dio dio.cIlia Alshanetsky wrote:
> iliaa Thu Sep 2 23:35:22 2004 EDT
>
> Modified files:
> /php-src/ext/dio dio.c
> Log:
> Adjusted input check.
>
>
>
> http://cvs.php.net/diff.php/php-src/ext/dio/dio.c?r1=1.36&r2=1.37&ty=u
> Index: php-src/ext/dio/dio.c
> diff -u php-src/ext/dio/dio.c:1.36 php-src/ext/dio/dio.c:1.37
> --- php-src/ext/dio/dio.c:1.36 Mon Aug 30 18:21:09 2004
> +++ php-src/ext/dio/dio.c Thu Sep 2 23:35:22 2004
> @@ -249,8 +249,8 @@
> return;
> }
>
> - if (trunc_len <= 0 || trunc_len > data_len) {
> - php_error_docref(NULL TSRMLS_CC, E_WARNING, "length must be greater then zero and less then the length of specified string.");
> + if (trunc_len < 0 || trunc_len > data_len) {
> + php_error_docref(NULL TSRMLS_CC, E_WARNING, "length must be greater or equal to zero and less then the length of the specified string.");
> RETURN_FALSE;
> }
Typo, it's "less than".
Dave
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
- 11
- #42603 [Opn->Bgs]: Followup Comment for bug #42596 ID: 42603
Updated by: email***@***.com
Reported By: randy at rcs-comp dot com
-Status: Open
+Status: Bogus
Bug Type: Session related
Operating System: Linux
PHP Version: 5.2.4
New Comment:
I'm bogusing this and reopening the first one. :)
(this is undocumented feature, apart from the note in php.ini-* files)
Previous Comments:
------------------------------------------------------------------------
[2007-09-09 17:48:49] randy at rcs-comp dot com
Description:
------------
The bug #42596 was classified as bogus but its not. I couldn't post a
comment on that thread, so here is my followup:
Are you kidding me! From the php.ini file:
; The file storage module creates files using mode 600 by default.
; You can change that by using
;
; session.save_path = "N;MODE;/path"
;
; where MODE is the octal representation of the mode. Note that this
; does not overwrite the process's umask.
;session.save_path = "/tmp"
I realize its not in the documentation, but it should be.
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=42603&edit=1
- 12
- #34266 [Fbk->Opn]: Apache 2.0.50 crashes from time to time ID: 34266
User updated by: email***@***.com
-Summary: Apache 2.0.50 craches from time to time
Reported By: email***@***.com
-Status: Feedback
+Status: Open
Bug Type: Reproducible crash
Operating System: W2K SP4
PHP Version: 4.4.0
New Comment:
Ok, read that. What info do you need and how can I get it?
In other words - how can I find where crash happens?
Framework is not a simple .php script - you cannot just incrementally
comment it to get a 10-20 line working example.
I can send you a 500k 7zipped sources to test on another W2K.
Previous Comments:
------------------------------------------------------------------------
[2005-08-26 09:23:30] email***@***.com
Not enough information was provided for us to be able
to handle this bug. Please re-read the instructions at
http://bugs.php.net/how-to-report.php
If you can provide more information, feel free to add it
to this bug and change the status back to "Open".
Thank you for your interest in PHP.
------------------------------------------------------------------------
[2005-08-26 09:17:42] email***@***.com
Description:
------------
I'm testing binarycloud framework at the moment. From time to time on
some pages Apache crashes. I can't provide a simple script, because
framework is rather big and I unable to trace where the error comes
from.
There are instructions how to get debug info for GDB under *nix on this
site, but no instructions how to get it on windows platform. Perhaps I
could dig more if such information will be available. For now I've got
this from WinDBG and Dr.Watson (second is available at
http://rapidshare.de/files/4379016/drwtsn32.log.html)
Reproduce code:
---------------
Loading Dump File [G:\Documents and Settings\All
Users\Documents\DrWatson\user.dmp]
User Dump File: Only application data is available
Windows 2000 Version 2195 UP Free x86 compatible
Product: WinNt
System Uptime: not available
Process Uptime: not available
Symbol search path is: *** Invalid *** : Verify _NT_SYMBOL_PATH
setting
Executable search path is:
.........................................................................
(5c0.270): Access violation - code c0000005 (!!! second chance !!!)
eax=0000006c ebx=0000003d ecx=023f76a8 edx=00000000 esi=00002c28
edi=0198b768
eip=008f5774 esp=018afbd4 ebp=000024f8 iopl=0 nv up ei ng nz na
po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
efl=00000287
*** WARNING: Unable to verify checksum for php4ts.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols
for php4ts.dll -
php4ts!shutdown_memory_manager+64:
008f5774 8910 mov [eax],edx
ds:0023:0000006c=????????
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=34266&edit=1
- 15
- #35582 [NEW]: Socket Timeout on SOAP request causes program terminationFrom: s dot strampelli at isinet dot it
Operating system: Windows
PHP version: 5.1.1
PHP Bug Type: SOAP related
Bug description: Socket Timeout on SOAP request causes program termination
Description:
------------
If a soap request timeout waiting http header, the program terminate
abnormally.
I think the bug is the call of efree without checking if http_headers is
not null in ext/soap/php_http.c , function http_connect about line 182:
if (!get_http_headers(stream, &http_headers, &http_header_size
TSRMLS_CC) || http_headers == NULL) {
php_stream_close(stream);
stream = NULL;
}
efree(http_headers);
Reproduce code:
---------------
$dati = "test";
$client = new SoapClient($wsdl);
$res = $client->test($dati);
If the execution time of test method is more than default_socket_timeout
seconds, the php interpret terminate with a dr watson stack trace.
Expected result:
----------------
A SoapException would be thrown ?
Certainly, the PHP script could be expected to continue rather than die.
Actual result:
--------------
PHP interpret (php.exe) dies with a dr watson stack trace.
--
Edit bug report at http://bugs.php.net/?id=35582&edit=1
--
Try a CVS snapshot (PHP 4.4): http://bugs.php.net/fix.php?id=35582&r=trysnapshot44
Try a CVS snapshot (PHP 5.1): http://bugs.php.net/fix.php?id=35582&r=trysnapshot51
Try a CVS snapshot (PHP 6.0): http://bugs.php.net/fix.php?id=35582&r=trysnapshot60
Fixed in CVS: http://bugs.php.net/fix.php?id=35582&r=fixedcvs
Fixed in release: http://bugs.php.net/fix.php?id=35582&r=alreadyfixed
Need backtrace: http://bugs.php.net/fix.php?id=35582&r=needtrace
Need Reproduce Script: http://bugs.php.net/fix.php?id=35582&r=needscript
Try newer version: http://bugs.php.net/fix.php?id=35582&r=oldversion
Not developer issue: http://bugs.php.net/fix.php?id=35582&r=support
Expected behavior: http://bugs.php.net/fix.php?id=35582&r=notwrong
Not enough info: http://bugs.php.net/fix.php?id=35582&r=notenoughinfo
Submitted twice: http://bugs.php.net/fix.php?id=35582&r=submittedtwice
register_globals: http://bugs.php.net/fix.php?id=35582&r=globals
PHP 3 support discontinued: http://bugs.php.net/fix.php?id=35582&r=php3
Daylight Savings: http://bugs.php.net/fix.php?id=35582&r=dst
IIS Stability: http://bugs.php.net/fix.php?id=35582&r=isapi
Install GNU Sed: http://bugs.php.net/fix.php?id=35582&r=gnused
Floating point limitations: http://bugs.php.net/fix.php?id=35582&r=float
No Zend Extensions: http://bugs.php.net/fix.php?id=35582&r=nozend
MySQL Configuration Error: http://bugs.php.net/fix.php?id=35582&r=mysqlcfg
- 15
- #32598 [Fbk->NoF]: pspell, custom dictionary isn't being passed as mod_php, fine on CLI ID: 32598
Updated by: email***@***.com
Reported By: drew at iws dot co dot nz
-Status: Feedback
+Status: No Feedback
Bug Type: Pspell related
Operating System: Debian Woody
PHP Version: 4.3.11
New Comment:
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
Previous Comments:
------------------------------------------------------------------------
[2005-04-07 00:28:51] email***@***.com
Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php
Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.
------------------------------------------------------------------------
[2005-04-05 23:48:26] drew at iws dot co dot nz
Description:
------------
pspell is not passing the custom dictionary or it is being munched up
and gobbled through the API call.
I have tested it via a script with CLI php, which works fine , but via
apahce it disregards the custom dictionary variable
YES, I have checked permissions, but the filename for the custom
dictionary isn't being passed, so permissions aren't even the issue in
this case.
Reproduce code:
---------------
http://webhost2.inspire.net.nz/~drew/testpspell.phps
Expected result:
----------------
I expected the custom dictionary to be created and filled with custom
entries.
Actual result:
--------------
Errors in error_log:
-----------------------------------------
[Wed Apr 6 09:35:36 2005] [notice] child pid 3051 exit signal
Segmentation fault (11)
Can't create
Can't create
[Wed Apr 6 09:35:44 2005] [notice] child pid 3031 exit signal
Segmentation fault (11)
[Wed Apr 6 09:36:21 2005] [notice] child pid 2987 exit signal
Segmentation fault (11)
Can't create
Can't create
[Wed Apr 6 09:36:26 2005] [notice] child pid 30088 exit signal
Segmentation fault (11)
[Wed Apr 6 09:37:01 2005] [notice] child pid 3083 exit signal
Segmentation fault (11)
Can't create
Can't create
[Wed Apr 6 09:37:05 2005] [notice] child pid 3082 exit signal
Segmentation fault (11)
[Wed Apr 6 09:40:10 2005] [notice] child pid 30115 exit signal
Segmentation fault (11)
Can't create
Can't create
[Wed Apr 6 09:40:14 2005] [notice] child pid 3078 exit signal
Segmentation fault (11)
-----------------------------------------
Error should be:
Can't create /home/drew/dictionary/custom
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=32598&edit=1
- 15
- #43307 [Opn->Fbk]: compiled php CLI does not show interactive prompt ID: 43307
Updated by: email***@***.com
Reported By: keith at karsites dot net
-Status: Open
+Status: Feedback
-Bug Type: Output Control
+Bug Type: *General Issues
Operating System: Fedora 8
PHP Version: 5.2.5
New Comment:
Those urls don't work. What was the configure line you used?
(I tested and php -a works just fine for me)
Previous Comments:
------------------------------------------------------------------------
[2007-11-15 21:10:09] keith at karsites dot net
New URL for the same bug report:
http://www.karsites.net/bug-reports-php/php-5.2.5-bug-43307.tar.gz
------------------------------------------------------------------------
[2007-11-15 21:05:13] keith at karsites dot net
Description:
------------
$ php -a does not show a command prompt
Reproduce code:
---------------
Here is a url to a tar.gz file containing the php executable, my
config.nice file, a screenshoot of what php -a does (or doesn't do), and
the full output from php -i saved to a text file.
http://www.karsites.net/bug-reports-php/php-5.2.5-bug.tar.gz
Expected result:
----------------
I expect php -a to output a command prompt so I can use php
interactively in a shell.
Actual result:
--------------
Please see the screenshot in the .png file inside the
php-5.2.5-bug.tar.gz file
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=43307&edit=1
- 15
- #43831 [NEW]: $this gets mangled when extending PDO with persistent connectionFrom: mjs at beebo dot org
Operating system: OS X/Linux
PHP version: 5.2.5
PHP Bug Type: PDO related
Bug description: $this gets mangled when extending PDO with persistent connection
Description:
------------
The class of $this changes after the instantiation of a class which
extends PDO, and which specifies PDO::ATTR_PERSISTENT attribute.
Reproduce code:
---------------
class Foo extends PDO {
function __construct($dsn) {
parent::__construct($dsn, null, null, array(PDO::ATTR_PERSISTENT =>
true));
}
}
class Baz extends PDO {
function __construct($dsn) {
parent::__construct($dsn, null, null, array(PDO::ATTR_PERSISTENT =>
true));
}
}
class Bar extends Baz {
function quux() {
echo get_class($this), "\n";
$foo = new Foo("sqlite::memory:");
echo get_class($this), "\n";
}
}
$bar = new Bar("sqlite::memory:");
$bar->quux();
Expected result:
----------------
Bar
Bar
i.e. get_class($this) returns the same value each time
Actual result:
--------------
Bar
Foo
i.e. $this gets mangled
--
Edit bug report at http://bugs.php.net/?id=43831&edit=1
--
Try a CVS snapshot (PHP 4.4): http://bugs.php.net/fix.php?id=43831&r=trysnapshot44
Try a CVS snapshot (PHP 5.2): http://bugs.php.net/fix.php?id=43831&r=trysnapshot52
Try a CVS snapshot (PHP 5.3): http://bugs.php.net/fix.php?id=43831&r=trysnapshot53
Try a CVS snapshot (PHP 6.0): http://bugs.php.net/fix.php?id=43831&r=trysnapshot60
Fixed in CVS: http://bugs.php.net/fix.php?id=43831&r=fixedcvs
Fixed in release: http://bugs.php.net/fix.php?id=43831&r=alreadyfixed
Need backtrace: http://bugs.php.net/fix.php?id=43831&r=needtrace
Need Reproduce Script: http://bugs.php.net/fix.php?id=43831&r=needscript
Try newer version: http://bugs.php.net/fix.php?id=43831&r=oldversion
Not developer issue: http://bugs.php.net/fix.php?id=43831&r=support
Expected behavior: http://bugs.php.net/fix.php?id=43831&r=notwrong
Not enough info: http://bugs.php.net/fix.php?id=43831&r=notenoughinfo
Submitted twice: http://bugs.php.net/fix.php?id=43831&r=submittedtwice
register_globals: http://bugs.php.net/fix.php?id=43831&r=globals
PHP 3 support discontinued: http://bugs.php.net/fix.php?id=43831&r=php3
Daylight Savings: http://bugs.php.net/fix.php?id=43831&r=dst
IIS Stability: http://bugs.php.net/fix.php?id=43831&r=isapi
Install GNU Sed: http://bugs.php.net/fix.php?id=43831&r=gnused
Floating point limitations: http://bugs.php.net/fix.php?id=43831&r=float
No Zend Extensions: http://bugs.php.net/fix.php?id=43831&r=nozend
MySQL Configuration Error: http://bugs.php.net/fix.php?id=43831&r=mysqlcfg
- 16
- #38178 [Com]: Problem with parameter detection in queries (HY093) ID: 38178
Comment by: bugs at mytrashmail dot com
Reported By: gerald at copix dot org
Status: No Feedback
Bug Type: PDO related
Operating System: Windows
PHP Version: 5.1.4
Assigned To: wez
New Comment:
Problem verified on SunOS 5.8 using PHP 5.1.2 und MySQL 4.1.5-gamma for
prepared select queries to be executed. Used Driver: MySQL for PDO in
the original version for PHP 5.1.2.
Workaround: Last char in query must be semicolon.
Greetings.
Previous Comments:
------------------------------------------------------------------------
[2006-08-09 01:00:01] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
------------------------------------------------------------------------
[2006-08-01 14:07:27] email***@***.com
What database driver are you using?
------------------------------------------------------------------------
[2006-07-21 16:08:00] gerald at copix dot org
Description:
------------
Using PDO, a simple insert query does not work with "prepare / execute"
but works fine using "exec"
This exact query does work correctly if I remove the text '\r\n' at its
end.
The query is :
'INSERT INTO myTable VALUES (\'xml:lang="fr" lang="fr">\r\n\')'
It may be related to the following bugs :
#36923 & #37646
Reproduce code:
---------------
//FOLLOWING DOES NOT WORK
$stmt = $pdo->prepare ('INSERT INTO myTable VALUES (\'xml:lang="fr"
lang="fr">\r\n\')');
if (! $stmt->execute ()){
print_r ($stmt->errorInfo ());//contains Array ( [0] => HY093 )
}
//FOLLOWING CODE IS OK (using exec)
if (! $pdo->exec ('INSERT INTO myTable VALUES (\'xml:lang="fr"
lang="fr">\r\n\')')){
print_r ($pdo->errorInfo ());
}
//FOLLOWING CODE IS OK (removed \r\n at the end of the query)
$stmt = $pdo->prepare ('INSERT INTO myTable VALUES (\'xml:lang="fr"
lang="fr">\')');
$stmt->execute ();//OK
Expected result:
----------------
PDO should insert the value 'xml:lang="fr" lang="fr">\r\n' in the
myTable table, wish is
CREATE TABLE `myTable` (
`test` VARCHAR( 255 ) NOT NULL
)
Actual result:
--------------
Warning: PDOStatement::execute() [function.PDOStatement-execute]:
SQLSTATE[HY093]: Invalid parameter number: no parameters were bound in
C:\Program Files\wamp\www\test_3\www\index.php on line 40
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=38178&edit=1
- 16
- #29071 [NEW]: CLI returns an extra carriage return after exits.From: nathan at nightsys dot net
Operating system: Linux 2.4.26 (Gentoo)
PHP version: 5.0.0RC3
PHP Bug Type: Output Control
Bug description: CLI returns an extra carriage return after exits.
Description:
------------
CLI executable returns an extra carriage return after exit, example
below.
Linux nathan1 2.4.26-gentoo-r4 #1 SMP Fri Jul 9 12:42:20 EST 2004 i686
Intel(R) Pentium(R) 4 CPU 2.00GHz GenuineIntel GNU/Linux
Dont know if the kernel upgrade (from 2.4.25) could have affected this.
Reproduce code:
---------------
/usr/local/php/bin/php -v
Expected result:
----------------
nathan@nathan1 nathan $ /usr/local/php/bin/php -v
PHP 5.0.0RC3 (cli) (built: Jul 1 2004 14:52:38)
Copyright (c) 1997-2004 The PHP Group
Zend Engine v2.0.0RC3, Copyright (c) 1998-2004 Zend Technologies
nathan@nathan1 nathan $
Actual result:
--------------
nathan@nathan1 nathan $ /usr/local/php/bin/php -v
PHP 5.0.0RC3 (cli) (built: Jul 1 2004 14:52:38)
Copyright (c) 1997-2004 The PHP Group
Zend Engine v2.0.0RC3, Copyright (c) 1998-2004 Zend Technologies
nathan@nathan1 nathan $
nathan@nathan1 nathan $
--
Edit bug report at http://bugs.php.net/?id=29071&edit=1
--
Try a CVS snapshot (php4): http://bugs.php.net/fix.php?id=29071&r=trysnapshot4
Try a CVS snapshot (php5): http://bugs.php.net/fix.php?id=29071&r=trysnapshot5
Fixed in CVS: http://bugs.php.net/fix.php?id=29071&r=fixedcvs
Fixed in release: http://bugs.php.net/fix.php?id=29071&r=alreadyfixed
Need backtrace: http://bugs.php.net/fix.php?id=29071&r=needtrace
Need Reproduce Script: http://bugs.php.net/fix.php?id=29071&r=needscript
Try newer version: http://bugs.php.net/fix.php?id=29071&r=oldversion
Not developer issue: http://bugs.php.net/fix.php?id=29071&r=support
Expected behavior: http://bugs.php.net/fix.php?id=29071&r=notwrong
Not enough info: http://bugs.php.net/fix.php?id=29071&r=notenoughinfo
Submitted twice: http://bugs.php.net/fix.php?id=29071&r=submittedtwice
register_globals: http://bugs.php.net/fix.php?id=29071&r=globals
PHP 3 support discontinued: http://bugs.php.net/fix.php?id=29071&r=php3
Daylight Savings: http://bugs.php.net/fix.php?id=29071&r=dst
IIS Stability: http://bugs.php.net/fix.php?id=29071&r=isapi
Install GNU Sed: http://bugs.php.net/fix.php?id=29071&r=gnused
Floating point limitations: http://bugs.php.net/fix.php?id=29071&r=float
|
| Author |
Message |
stuttle
|
 Posted: 2007-5-30 1:09:45 |
Top |
php-dev, [PHP-DEV] Session security
Hi all,
Just wanted to get your opinion on a discussion currently going on on
the general list.
Why does the PHP session extension not use something like the user agent
to validate that a session ID has not been hijacked? Or is this
something that just hasn't been implemented yet?
-Stut
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
|
| |
|
| |
|
antony
|
| Posted: 2007-5-30 1:17:00 |
Top |
php-dev >> [PHP-DEV] Session security
On 29.05.2007 21:04, Stut wrote:
> Hi all,
>
> Just wanted to get your opinion on a discussion currently going on on
> the general list.
>
> Why does the PHP session extension not use something like the user agent
> to validate that a session ID has not been hijacked? Or is this
> something that just hasn't been implemented yet?
Please elaborate.
--
Wbr,
Antony Dovgal
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
|
| |
|
| |
|
rasmus
|
| Posted: 2007-5-30 1:19:00 |
Top |
php-dev >> [PHP-DEV] Session security
Stut wrote:
> Hi all,
>
> Just wanted to get your opinion on a discussion currently going on on
> the general list.
>
> Why does the PHP session extension not use something like the user agent
> to validate that a session ID has not been hijacked? Or is this
> something that just hasn't been implemented yet?
The user agent is trivial to spoof. If you are going to hijack
someone's session, it is very easy to also hijack their user agent
string, so I don't see how that solves anything.
-Rasmus
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
|
| |
|
| |
|
mikespook
|
| Posted: 2007-5-30 1:55:00 |
Top |
php-dev >> [PHP-DEV] Session security
Stut 鍐欓亾:
> Hi all,
>
> Just wanted to get your opinion on a discussion currently going on on
> the general list.
>
> Why does the PHP session extension not use something like the user
> agent to validate that a session ID has not been hijacked? Or is this
> something that just hasn't been implemented yet?
>
> -Stut
>
Some http proxy may modify the user agent~
If there are some http proxy in a cluster, and one of them do some
different on user agent, there must be a trouble.
And, the other way, to aganst the attacker getting the real user agent,
we could do something like: md5(user agent + secrete key) . then if the
attacker get the string of md5, it is no use to forge the real user agent.
Any way, this should be done in the script layer, not in the session
mechanism. you need more security, do it in script, needn't, do nothing~~
Xing
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
|
| |
|
| |
|
robert
|
| Posted: 2007-5-30 2:10:00 |
Top |
php-dev >> [PHP-DEV] Session security
On Tue, 2007-05-29 at 10:16 -0700, Rasmus Lerdorf wrote:
> Stut wrote:
> > Hi all,
> >
> > Just wanted to get your opinion on a discussion currently going on on
> > the general list.
> >
> > Why does the PHP session extension not use something like the user agent
> > to validate that a session ID has not been hijacked? Or is this
> > something that just hasn't been implemented yet?
>
> The user agent is trivial to spoof. If you are going to hijack
> someone's session, it is very easy to also hijack their user agent
> string, so I don't see how that solves anything.
I agree mostly, but in the case of idiots that post a URL to a site that
includes a PHPSESSID in the URL it would provide a teency bit more
protection from casual hijacking :)
I agree more with Xing Xing's responde though, in that it belongs in the
script layer.
Cheers,
Rob.
--
.------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting |
| a powerful, scalable system for accessing system services |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for |
| creating re-usable components quickly and easily. |
`------------------------------------------------------------'
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
|
| |
|
| |
|
rasmus
|
| Posted: 2007-5-30 2:17:00 |
Top |
php-dev >> [PHP-DEV] Session security
Robert Cummings wrote:
> On Tue, 2007-05-29 at 10:16 -0700, Rasmus Lerdorf wrote:
>> Stut wrote:
>>> Hi all,
>>>
>>> Just wanted to get your opinion on a discussion currently going on on
>>> the general list.
>>>
>>> Why does the PHP session extension not use something like the user agent
>>> to validate that a session ID has not been hijacked? Or is this
>>> something that just hasn't been implemented yet?
>> The user agent is trivial to spoof. If you are going to hijack
>> someone's session, it is very easy to also hijack their user agent
>> string, so I don't see how that solves anything.
>
> I agree mostly, but in the case of idiots that post a URL to a site that
> includes a PHPSESSID in the URL it would provide a teency bit more
> protection from casual hijacking :)
>
> I agree more with Xing Xing's responde though, in that it belongs in the
> script layer.
Well, obviously you need an authentication layer separate from the
session layer. If people are using the session extension as if it was
an authentication layer, then they are amazingly misguided. The
solution to that is not the session code, but better documentation.
-Rasmus
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
|
| |
|
| |
|
robert
|
| Posted: 2007-5-30 2:37:00 |
Top |
php-dev >> [PHP-DEV] Session security
On Tue, 2007-05-29 at 11:14 -0700, Rasmus Lerdorf wrote:
> Robert Cummings wrote:
> > On Tue, 2007-05-29 at 10:16 -0700, Rasmus Lerdorf wrote:
> >> Stut wrote:
> >>> Hi all,
> >>>
> >>> Just wanted to get your opinion on a discussion currently going on on
> >>> the general list.
> >>>
> >>> Why does the PHP session extension not use something like the user agent
> >>> to validate that a session ID has not been hijacked? Or is this
> >>> something that just hasn't been implemented yet?
> >> The user agent is trivial to spoof. If you are going to hijack
> >> someone's session, it is very easy to also hijack their user agent
> >> string, so I don't see how that solves anything.
> >
> > I agree mostly, but in the case of idiots that post a URL to a site that
> > includes a PHPSESSID in the URL it would provide a teency bit more
> > protection from casual hijacking :)
> >
> > I agree more with Xing Xing's responde though, in that it belongs in the
> > script layer.
>
> Well, obviously you need an authentication layer separate from the
> session layer. If people are using the session extension as if it was
> an authentication layer, then they are amazingly misguided. The
> solution to that is not the session code, but better documentation.
Well the two are quite related. Not that the session is responsible for
authentication, but once authenticated the session data (stored server
side I hope) usually indicates whether a user has already performed
authentication for the current temporary session -- otherwise you'd need
to log back in on every request. As such, a URL posted in the wild
containing a PHPSESSID is vulnerable to hijacking for the lifespan of
the temporary session. Better documentation won't help the completely
ignorant masses of end users :)
Cheers,
Rob.
--
.------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting |
| a powerful, scalable system for accessing system services |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for |
| creating re-usable components quickly and easily. |
`------------------------------------------------------------'
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
|
| |
|
| |
|
rasmus
|
| Posted: 2007-5-30 3:22:00 |
Top |
php-dev >> [PHP-DEV] Session security
Robert Cummings wrote:
> On Tue, 2007-05-29 at 11:14 -0700, Rasmus Lerdorf wrote:
>> Robert Cummings wrote:
>>> On Tue, 2007-05-29 at 10:16 -0700, Rasmus Lerdorf wrote:
>>>> Stut wrote:
>>>>> Hi all,
>>>>>
>>>>> Just wanted to get your opinion on a discussion currently going on on
>>>>> the general list.
>>>>>
>>>>> Why does the PHP session extension not use something like the user agent
>>>>> to validate that a session ID has not been hijacked? Or is this
>>>>> something that just hasn't been implemented yet?
>>>> The user agent is trivial to spoof. If you are going to hijack
>>>> someone's session, it is very easy to also hijack their user agent
>>>> string, so I don't see how that solves anything.
>>> I agree mostly, but in the case of idiots that post a URL to a site that
>>> includes a PHPSESSID in the URL it would provide a teency bit more
>>> protection from casual hijacking :)
>>>
>>> I agree more with Xing Xing's responde though, in that it belongs in the
>>> script layer.
>> Well, obviously you need an authentication layer separate from the
>> session layer. If people are using the session extension as if it was
>> an authentication layer, then they are amazingly misguided. The
>> solution to that is not the session code, but better documentation.
>
> Well the two are quite related. Not that the session is responsible for
> authentication, but once authenticated the session data (stored server
> side I hope) usually indicates whether a user has already performed
> authentication for the current temporary session -- otherwise you'd need
> to log back in on every request. As such, a URL posted in the wild
> containing a PHPSESSID is vulnerable to hijacking for the lifespan of
> the temporary session. Better documentation won't help the completely
> ignorant masses of end users :)
You really want a separate and distinct signed authentication cookie
that has nothing to do with the session. The stored session should
indicate which logged in user the session belongs to, but it should
never ever be used as the sole authentication cookie. That's what I
meant by a separate authentication layer.
-Rasmus
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
|
| |
|
| |
|
stuttle
|
| Posted: 2007-5-30 3:28:00 |
Top |
php-dev >> [PHP-DEV] Session security
Rasmus Lerdorf wrote:
> You really want a separate and distinct signed authentication cookie
> that has nothing to do with the session. The stored session should
> indicate which logged in user the session belongs to, but it should
> never ever be used as the sole authentication cookie. That's what I
> meant by a separate authentication layer.
Thanks to everyone for their responses.
The issue is not about how a user is initially validated, it's about how
you prevent the session ID from being used on a different machine while
it's still active on the server. AFAICT using a signed authentication
cookie will not do this since it's still coming from the client and can
therefore be copied.
The basic question is... is there any way to validate that a session ID
coming from the client is coming from the same client?
I don't believe there is since, as Xing pointed out, anything that comes
from the client can a) be faked, and b) may change from request to
request. This includes the user agent and IP address.
However, I'd like clarification on that just in case there's a reliable
way to make sessions more secure. Oh, and also to validate the argument
I'm making on PHP-General, but that's really a secondary goal ;)
Cheers.
-Stut
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
|
| |
|
| |
|
stas
|
| Posted: 2007-5-30 3:34:00 |
Top |
php-dev >> [PHP-DEV] Session security
>> You really want a separate and distinct signed authentication cookie
>> that has nothing to do with the session. The stored session should
>> indicate which logged in user the session belongs to, but it should
>> never ever be used as the sole authentication cookie. That's what I
>> meant by a separate authentication layer.
Could you explain why? If you can steal session cookie, you definitely
could steal any other cookie too. So stealing-wise, nothing is gained by
using separate cookie. Signing would help you to know the cookie is from
you, but I don't see how it's going to help you to know the cookie
belongs to whoever is attempting to use it. Could you elaborate?
--
Stanislav Malyshev, Zend Products Engineer
email***@***.com http://www.zend.com/
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
|
| |
|
| |
|
stas
|
| Posted: 2007-5-30 3:41:00 |
Top |
php-dev >> [PHP-DEV] Session security
> The basic question is... is there any way to validate that a session ID
> coming from the client is coming from the same client?
I'm afraid since there's no way (well, except for described below :) to
uniquely and securely identify the clients I don't see how you could do
that. You could use client certificates as a secure client
identification, and then probably you could verify that current client
presented the same valid certificate as before, but that doesn't really
belong to sessions - it's external to sessions. Not sure how well PHP
support for client certificates is, in any case unless you have a lot of
control over your users they probably won't like to install any
certificates.
Also, if you use SSL (which you probably do if you care about security),
as I see it most frequent way to steal the cookie is to control user's
browser. If the hostile code gained control over the user's browser,
it's essentially the same client, so you couldn't distinguish it from
the legitimate code. You could of course tryng to counter replay attacks
(which are only part of the possible attacks) by matching IPs and other
auxiliary data but if you don't have secure ID for the client there
would be cases when it could be still not enough.
--
Stanislav Malyshev, Zend Products Engineer
email***@***.com http://www.zend.com/
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
|
| |
|
| |
|
jacques
|
| Posted: 2007-5-30 3:49:00 |
Top |
php-dev >> [PHP-DEV] Session security
--Apple-Mail-3-297288992
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;
charset=US-ASCII;
delsp=yes;
format=flowed
On 29 May 2007, at 7:16 PM, Rasmus Lerdorf wrote:
> Stut wrote:
>> Hi all,
>>
>> Just wanted to get your opinion on a discussion currently going on on
>> the general list.
>>
>> Why does the PHP session extension not use something like the user
>> agent
>> to validate that a session ID has not been hijacked? Or is this
>> something that just hasn't been implemented yet?
>
> The user agent is trivial to spoof. If you are going to hijack
> someone's session, it is very easy to also hijack their user agent
> string, so I don't see how that solves anything.
>
I think he's trying to figure out how to do something similar to using a
'browser fingerprint' as part of his session. One thing I noticed with
doing creating and checking a 'browser fingerprint' a few years back
was depending on what you were doing / using it would change things
between requests.
With web requests, a lot of things are easy to spoof from the client
side.
Locking a session to an IP address has it uses provided the user does
not make their requests from various IP addresses like the AOL proxy
farms used to do afaik.
If you are really paranoid, use SSL and regenerate the session
identifier
on the first request from the user. That way it's not known. It's
generally
advised to regenerate the session identifier on privilege change.
There is no real way of detecting if a session has been hijacked
given for
example for .za users we tend to be transparently proxied for
requests to
international sites, so forcing locking a session to a IP will lock
that session
to an ISP's netcache.
Something along the lines of:
if (!isset($_SESSION['initiated'])) {
session_regenerate_id();
$_SESSION['initiated'] = true;
}
When you change privilege do something along the lines of
session_regenerate_id(true);
Which will delete the previous session and keep the current session
information.
YMMV.
Regards
--jm
> -Rasmus
#include <std/disclaimer.h>
--Apple-Mail-3-297288992--
|
| |
|
| |
|
rasmus
|
| Posted: 2007-5-30 3:57:00 |
Top |
php-dev >> [PHP-DEV] Session security
Stanislav Malyshev wrote:
>>> You really want a separate and distinct signed authentication cookie
>>> that has nothing to do with the session. The stored session should
>>> indicate which logged in user the session belongs to, but it should
>>> never ever be used as the sole authentication cookie. That's what I
>>> meant by a separate authentication layer.
>
> Could you explain why? If you can steal session cookie, you definitely
> could steal any other cookie too. So stealing-wise, nothing is gained by
> using separate cookie. Signing would help you to know the cookie is from
> you, but I don't see how it's going to help you to know the cookie
> belongs to whoever is attempting to use it. Could you elaborate?
The session store is just a session store. It is not a
login/authentication mechanism and thus doesn't have any of the
protections you might want to add to that. Therefore a separate
authentication cookie is needed that can separate the two concepts
completely. This also allows you to have different timeouts on the two.
For example, many sites let you stay logged in for weeks, but for any
critical operation they have a much shorter timeout so they ask you to
re-enter your credentials in order to perform that critical action.
Also, any pages that have some sort of user action, typically a form,
will have a crumb in it which is a small signed bit of data which is
usually in a hidden field. This helps prevent cross site request
forgeries by making each form specific to the logged in user.
But yes, there isn't any standard approach to prevent cookie theft. It
is up to the application to come up with a set of checks and
restrictions that best meet the specific needs of that app.
-Rasmus
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
|
| |
|
| |
|
stas
|
| Posted: 2007-5-30 4:03:00 |
Top |
php-dev >> [PHP-DEV] Session security
> The session store is just a session store. It is not a
> login/authentication mechanism and thus doesn't have any of the
> protections you might want to add to that. Therefore a separate
> authentication cookie is needed that can separate the two concepts
I don't see how it's "therefore". Yes, session is just a storage. But
how you derive from it that authentication information can not be stored
in this storage and how the separate cookie is helping you in any way
make it more secure?
> completely. This also allows you to have different timeouts on the two.
That's a very specific case which doesn't really concern security but
site policies. You could also expire values inside session, there are
numerous wrappers doing it AFAIK, and even if you don't use such wrapper
there's nothing hard in storing timestamp inside the session and
expiring auth once the timestamp goes old.
> For example, many sites let you stay logged in for weeks, but for any
> critical operation they have a much shorter timeout so they ask you to
> re-enter your credentials in order to perform that critical action.
That doesn't mean it should be implemented using separate cookie.
> Also, any pages that have some sort of user action, typically a form,
> will have a crumb in it which is a small signed bit of data which is
> usually in a hidden field. This helps prevent cross site request
> forgeries by making each form specific to the logged in user.
That's nice but again is not related to cookies or sessions. This can be
done without having separate auth cookie.
--
Stanislav Malyshev, Zend Products Engineer
email***@***.com http://www.zend.com/
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
|
| |
|
| |
|
rasmus
|
| Posted: 2007-5-30 4:10:00 |
Top |
php-dev >> [PHP-DEV] Session security
Stanislav Malyshev wrote:
>> The session store is just a session store. It is not a
>> login/authentication mechanism and thus doesn't have any of the
>> protections you might want to add to that. Therefore a separate
>> authentication cookie is needed that can separate the two concepts
>
> I don't see how it's "therefore". Yes, session is just a storage. But
> how you derive from it that authentication information can not be stored
> in this storage and how the separate cookie is helping you in any way
> make it more secure?
Because you don't have full control over the session cookie since it is
generated by PHP. For an authentication cookie you want to layer other
application-specific checks on top of it.
-Rasmus
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
|
| |
|
| |
|
stuttle
|
| Posted: 2007-5-30 4:14:00 |
Top |
php-dev >> [PHP-DEV] Session security
Rasmus Lerdorf wrote:
> Stanislav Malyshev wrote:
>>> The session store is just a session store. It is not a
>>> login/authentication mechanism and thus doesn't have any of the
>>> protections you might want to add to that. Therefore a separate
>>> authentication cookie is needed that can separate the two concepts
>> I don't see how it's "therefore". Yes, session is just a storage. But
>> how you derive from it that authentication information can not be stored
>> in this storage and how the separate cookie is helping you in any way
>> make it more secure?
>
> Because you don't have full control over the session cookie since it is
> generated by PHP. For an authentication cookie you want to layer other
> application-specific checks on top of it.
I'm still unclear on how you validate that the authentication cookie
came from the same client machine as the one the application first sent
it to, which was the core of my question.
The answer seems to be that you can't do it reliably.
-Stut
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
|
| |
|
| |
|
stas
|
| Posted: 2007-5-30 4:19:00 |
Top |
php-dev >> [PHP-DEV] Session security
> Because you don't have full control over the session cookie since it is
> generated by PHP. For an authentication cookie you want to layer other
> application-specific checks on top of it.
Could you give an example of such checks?
--
Stanislav Malyshev, Zend Products Engineer
email***@***.com http://www.zend.com/
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
|
| |
|
| |
|
robert
|
| Posted: 2007-5-30 4:20:00 |
Top |
php-dev >> [PHP-DEV] Session security
On Tue, 2007-05-29 at 21:11 +0100, Stut wrote:
> Rasmus Lerdorf wrote:
> > Stanislav Malyshev wrote:
> >>> The session store is just a session store. It is not a
> >>> login/authentication mechanism and thus doesn't have any of the
> >>> protections you might want to add to that. Therefore a separate
> >>> authentication cookie is needed that can separate the two concepts
> >> I don't see how it's "therefore". Yes, session is just a storage. But
> >> how you derive from it that authentication information can not be stored
> >> in this storage and how the separate cookie is helping you in any way
> >> make it more secure?
> >
> > Because you don't have full control over the session cookie since it is
> > generated by PHP. For an authentication cookie you want to layer other
> > application-specific checks on top of it.
>
> I'm still unclear on how you validate that the authentication cookie
> came from the same client machine as the one the application first sent
> it to, which was the core of my question.
>
> The answer seems to be that you can't do it reliably.
You don't have any cookie if the user has cookies disabled. So either
you use a policy that enforces the user to enable cookies or you fall
back on trans sid in which case, all bets are off since all you have is
the PHPSESSID stuck in the URL or form POST.
Cheers,
Rob.
--
.------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting |
| a powerful, scalable system for accessing system services |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for |
| creating re-usable components quickly and easily. |
`------------------------------------------------------------'
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
|
| |
|
| |
|
stas
|
| Posted: 2007-5-30 4:21:00 |
Top |
php-dev >> [PHP-DEV] Session security
> I'm still unclear on how you validate that the authentication cookie
> came from the same client machine as the one the application first sent
> it to, which was the core of my question.
>
> The answer seems to be that you can't do it reliably.
As far as I understand, no, you can't, unless you have secure external
means to establish client identity (like client certificate).
--
Stanislav Malyshev, Zend Products Engineer
email***@***.com http://www.zend.com/
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
|
| |
|
| |
|
rasmus
|
| Posted: 2007-5-30 4:21:00 |
Top |
php-dev >> [PHP-DEV] Session security
Stut wrote:
> Rasmus Lerdorf wrote:
>> Stanislav Malyshev wrote:
>>>> The session store is just a session store. It is not a
>>>> login/authentication mechanism and thus doesn't have any of the
>>>> protections you might want to add to that. Therefore a separate
>>>> authentication cookie is needed that can separate the two concepts
>>> I don't see how it's "therefore". Yes, session is just a storage. But
>>> how you derive from it that authentication information can not be stored
>>> in this storage and how the separate cookie is helping you in any way
>>> make it more secure?
>>
>> Because you don't have full control over the session cookie since it is
>> generated by PHP. For an authentication cookie you want to layer other
>> application-specific checks on top of it.
>
> I'm still unclear on how you validate that the authentication cookie
> came from the same client machine as the one the application first sent
> it to, which was the core of my question.
>
> The answer seems to be that you can't do it reliably.
Correct, which is why it needs to be up to the application. You may
deem it appropriate to do it based on ip because your user base aren't
likely to be coming from AOL or other dynamic connections, or you may
find it useful to tie it to the user agent, or some other mechanism
entirely. Like an RSA token plugin thing, for example. But at the
general level that can't really be hardcoded into PHP since the right
answer will be different for everyone.
-Rasmus
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
|
| |
|
| |
|
| |
|
Index ‹ php-dev |
- Next
- 1
- #32089 [Opn]: Crash during Make with Oracle Instant Client Support ID: 32089
User updated by: andrew dot nagy at villanova dot edu
Reported By: andrew dot nagy at villanova dot edu
Status: Open
Bug Type: OCI8 related
Operating System: Fedora Core 3
PHP Version: 4CVS-2005-02-23 (stable)
New Comment:
Here is the path structure:
]$ ll /usr/lib/oracle/10.1.0.3/client/lib/
total 89576
-r--r--r-- 1 root root 1461081 Dec 2 15:03 classes12.jar
-r--r--r-- 1 root root 1353 Dec 2 15:03 glogin.sql
lrwxrwxrwx 1 root root 17 Feb 21 20:06 libclntsh.so ->
libclntsh.so.10.1
-rwxr-xr-x 1 root root 13495923 Dec 2 15:03 libclntsh.so.10.1
-r-xr-xr-x 1 root root 28400 Dec 2 15:03 libheteroxa10.so
-r-xr-xr-x 1 root root 2121849 Dec 2 15:03 libnnz10.so
lrwxrwxrwx 1 root root 15 Feb 21 20:06 libocci.so ->
libocci.so.10.1
-rwxr-xr-x 1 root root 913575 Dec 2 15:03 libocci.so.10.1
-rwxr-xr-x 1 root root 66159152 Dec 2 15:03 libociei.so
-rwxr-xr-x 1 root root 96517 Dec 2 15:03 libocijdbc10.so
-rwxr-xr-x 1 root root 760686 Dec 2 15:03 libsqlplus.so
-r--r--r-- 1 root root 54032 Dec 2 15:03 ocrs12.jar
-r--r--r-- 1 root root 1397543 Dec 2 15:03 ojdbc14.jar
-r--r--r-- 1 root root 5018319 Dec 2 15:03 orai18n.jar
Could the symbolic link becausing this error?
Previous Comments:
------------------------------------------------------------------------
[2005-02-24 21:38:26] andrew dot nagy at villanova dot edu
Here is the statement from the make process:
/usr/bin/ld: warning: libnnz10.so, needed by
/usr/lib/oracle/10.1.0.3/client/lib/libclntsh.so, not found (try using
-rpath or -rpath-link)
And then followed by a bunch of statements such as the following:
/usr/lib/oracle/10.1.0.3/client/lib/libclntsh.so: undefined reference
to `nzos_ServiceWriteQueue'
Am I doing something wrong with this? It seems as if these errors
should be checked for in the configuration process right?
------------------------------------------------------------------------
[2005-02-24 21:24:07] email***@***.com
We can't wait to see..
------------------------------------------------------------------------
[2005-02-23 23:36:23] andrew dot nagy at villanova dot edu
Description:
------------
I am running FC3 and am trying to compile PHP4 from snaps with Oracle
Instant Client support. I installed all 4 rpms from Oracle's site and
the ./configure runs fine. However during the make process it crashes
right around the Oracle section.
[root@localhost php4-STABLE-200502230130]# grep -in 'oracle' config.log
|more
616:configure:60531: checking for Oracle (OCI8) support using
ORACLE_HOME installation
617:configure:60577: checking for Oracle (OCI8) support using Oracle
Instant Client
618:configure:62528: checking Oracle Instant Client directory
619:configure:62540: checking Oracle Instant Client SDK header
directory
620:configure:62696: checking Oracle Instant Client version
633:configure:64631: checking for Oracle-ORACLE support
695:configure:82132: gcc -o conftest -g -O2 -L/usr/lib
-Wl,-rpath,/usr/kerberos/lib -L/usr/kerberos/lib
-Wl,-rpath,/usr/lib/oracle/10.1.0.3/client/lib -L/u
sr/lib/oracle/10.1.0.3/client/lib conftest.c -lcrypt -lpcre -lgmp
-ldb-4.2 -ldb-4.2 -lbz2 -lz -lresolv -lm -ldl -lnsl -lgssapi_krb5
-lkrb5 -lk5crypto -lcom_
err -lssl -lcrypto -lgssapi_krb5 -lkrb5 -lcom_err -lk5crypto -lresolv
-ldl -lz -lclntsh -lcrypt 1>&5
I will post the results from the make process later.
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=32089&edit=1
- 2
- #27828 [Opn->Ver]: sybase_free_result() crashes ID: 27828
Updated by: email***@***.com
Reported By: deanb at gbtn dot net
-Status: Open
+Status: Verified
Bug Type: Sybase-ct (ctlib) related
Operating System: *
PHP Version: 4CVS, 5CVS (2004-04-02)
Previous Comments:
------------------------------------------------------------------------
[2004-04-13 09:41:41] r dot vanicek at seznam dot cz
It worked fine in PHP 4.3.4 and PHP 4.3.5RC2, but PHP 4.3.5 (final) is
broken, and PHP 4.3.6RC3 is broken too. When sybase_free_result is
called, there is segmentation fault (my system is Debian GNU/Linux
woody, Apache 1.3.26).
------------------------------------------------------------------------
[2004-04-07 10:46:37] hager at transgene dot fr
Hello,
same bug with PHP5.0.0-RC1 and the latest PHP5 snapshot
PHP5-200404071230 : sybase_free_result() crashes. Should I open a new
bug report for PHP 5 ?
------------------------------------------------------------------------
[2004-04-02 13:20:29] deanb at gbtn dot net
Nope, same crash with php4-STABLE-200404021630.
------------------------------------------------------------------------
[2004-04-02 06:12:19] email***@***.com
Please try using this CVS snapshot:
http://snaps.php.net/php4-STABLE-latest.tar.gz
For Windows:
http://snaps.php.net/win32/php4-win32-STABLE-latest.zip
------------------------------------------------------------------------
[2004-04-02 04:21:50] tvoigt at informatik dot tu-cottbus dot de
Hi there!
The bug ist reproducible here on Debian Woody + apache-1.3.29/php >=
4.3.4RC3, too.
It was most probably introduced while fixing
http://bugs.php.net/bug.php?id=26407: sybase_free_result() works
properly up to php-4.3.4RC2, but not with a patched 4.3.4RC2 to solve
bug #26407 (that patch then made it into 4.3.4RC3).
Well, I'm sorry for not testing sybase_free_result() afterwards, never
used it before...
Best regards,
Thomas
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/27828
--
Edit this bug report at http://bugs.php.net/?id=27828&edit=1
- 3
- #32455 [Opn->Fbk]: wrong setting property to unseted value ID: 32455
Updated by: email***@***.com
Reported By: becicka at aarongroup dot cz
-Status: Open
+Status: Feedback
Bug Type: SOAP related
PHP Version: 5.0.3
New Comment:
Please try using this CVS snapshot:
http://snaps.php.net/php5-latest.tar.gz
For Windows:
http://snaps.php.net/win32/php5-win32-latest.zip
Previous Comments:
------------------------------------------------------------------------
[2005-03-25 15:17:10] becicka at aarongroup dot cz
Description:
------------
When I set a object property to unseted variable and than I call a SOAP
function with this paramater, I get message
Fatal error: SOAP-ERROR: Encoding: object hasn't 'name' property .
Reproduce code:
---------------
class Passenger {
var $name;
}
$wsdl =& new SoapClient(WSDL_LOCATION, array("trace" => 1, 'exceptions'
=> 0));
$p = new Passenger;
/* if ($xyz === null) $xyz = null; //if here is this row, it's works
fine otherwise calling SOAP function failed */
$p->name = $xyz; //$xyz is not set!!!
$wsdl->setPassenger($p); //call SOAP function failed
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=32455&edit=1
- 4
- #34939 [Fbk->Opn]: Undefined reference make failed ID: 34939
User updated by: marcel dot bariou at brasnah dot com
Reported By: marcel dot bariou at brasnah dot com
-Status: Feedback
+Status: Open
Bug Type: PDO related
Operating System: LINUX RH ES3
PHP Version: 5.1.0RC3
Assigned To: wez
New Comment:
Yes, I add ----enable-pdo=shared (last line of ./configure as you can
see..)
Previous Comments:
------------------------------------------------------------------------
[2005-10-21 16:51:45] email***@***.com
Did you --enable-pdo ?
------------------------------------------------------------------------
[2005-10-21 14:16:01] email***@***.com
Wez, take a look at it please.
------------------------------------------------------------------------
[2005-10-21 06:20:54] marcel dot bariou at brasnah dot com
Description:
------------
I start with this configure directive :
./configure --prefix=/etc/httpd --with-apxs2=/usr/sbin/apxs
--with-config-file-path=/etc/httpd/conf --with-mysql=/usr/local/mysql
--enable-bc-math --enable-calendar --with-curl=/usr --enable-exif
--with-gettext --with-gmp --enable-id3
--with-java=/usr/local/java=/usr/local/j2sdk --with-mcrypt=/usr/local
--with-mhash=/usr/local --enable-overload --enable-pcntl
--with-regex=PHP --enable-soap --enable-sockets --with-tidy=/usr/local
--enable-wddx --with-xsl=/usr/local --enable-xslt --with-xslt-sablot
--with-expat-dir=/usr --enable-php-streams --enable-memory-limit
--enable-cli --enable-posix --enable-pcre --enable-sysvmsg
--enable-sysvsem --enable-sysvshm --enable-shmop --with-pear
--with-xmlrpc --with-zlib=/usr --with-iconv --with-iconv-dir=/usr/local
--with-pdo-mysql=/usr/local/mysql --enable-pdo=shared
Make message => :
ext/pdo_mysql/.libs/pdo_mysql.o(.text+0x13): In function
`zm_startup_pdo_mysql':
/usr/local/xtra_targz/php5-200510202030/ext/pdo_mysql/pdo_mysql.c:78:
undefined reference to `php_pdo_declare_long_constant'
ext/pdo_mysql/.libs/pdo_mysql.o(.text+0x34): In function
`zm_shutdown_pdo_mysql':
/usr/local/xtra_targz/php5-200510202030/ext/pdo_mysql/pdo_mysql.c:88:
undefined reference to `php_pdo_unregister_driver'
ext/pdo_mysql/.libs/pdo_mysql.o(.text+0x23): In function
`zm_startup_pdo_mysql':
/usr/local/xtra_targz/php5-200510202030/ext/pdo_mysql/pdo_mysql.c:80:
undefined reference to `php_pdo_register_driver'
ext/pdo_mysql/.libs/mysql_driver.o(.text+0x197): In function
`_pdo_mysql_error':
/usr/local/xtra_targz/php5-200510202030/ext/pdo_mysql/mysql_driver.c:100:
undefined reference to `php_pdo_get_exception'
ext/pdo_mysql/.libs/mysql_driver.o(.text+0x378): In function
`mysql_handle_preparer':
/usr/local/xtra_targz/php5-200510202030/ext/pdo_mysql/mysql_driver.c:169:
undefined reference to `pdo_parse_params'
ext/pdo_mysql/.libs/mysql_driver.o(.text+0x57a): In function
`pdo_mysql_last_insert_id':
/usr/local/xtra_targz/php5-200510202030/ext/pdo_mysql/mysql_driver.c:250:
undefined reference to `php_pdo_int64_to_str'
ext/pdo_mysql/.libs/mysql_driver.o(.text+0x84e): In function
`pdo_mysql_handle_factory':
/usr/local/xtra_targz/php5-200510202030/ext/pdo_mysql/mysql_driver.c:403:
undefined reference to `php_pdo_parse_data_source'
ext/pdo_mysql/.libs/mysql_statement.o(.text+0x835): In function
`pdo_mysql_stmt_param_hook':
/usr/local/xtra_targz/php5-200510202030/ext/pdo_mysql/mysql_statement.c:332:
undefined reference to `pdo_raise_impl_error'
ext/pdo_sqlite/.libs/pdo_sqlite.o(.text+0x1c): In function
`zm_shutdown_pdo_sqlite':
/usr/local/xtra_targz/php5-200510202030/ext/pdo_sqlite/pdo_sqlite.c:87:
undefined reference to `php_pdo_unregister_driver'
ext/pdo_sqlite/.libs/pdo_sqlite.o(.text+0xc): In function
`zm_startup_pdo_sqlite':
/usr/local/xtra_targz/php5-200510202030/ext/pdo_sqlite/pdo_sqlite.c:80:
undefined reference to `php_pdo_register_driver'
ext/pdo_sqlite/.libs/sqlite_driver.o(.text+0xa5): In function
`_pdo_sqlite_error':
/usr/local/xtra_targz/php5-200510202030/ext/pdo_sqlite/sqlite_driver.c:78:
undefined reference to `php_pdo_get_exception'
ext/pdo_sqlite/.libs/sqlite_driver.o(.text+0x37e): In function
`pdo_sqlite_last_insert_id':
/usr/local/xtra_targz/php5-200510202030/ext/pdo_sqlite/sqlite_driver.c:197:
undefined reference to `php_pdo_int64_to_str'
ext/pdo_sqlite/.libs/sqlite_driver.o(.text+0xb62): In function
`zif_SQLite_sqliteCreateFunction':
/usr/local/xtra_targz/php5-200510202030/ext/pdo_sqlite/sqlite_driver.c:471:
undefined reference to `pdo_raise_impl_error'
ext/pdo_sqlite/.libs/sqlite_driver.o(.text+0xcd6): In function
`zif_SQLite_sqliteCreateAggregate':
/usr/local/xtra_targz/php5-200510202030/ext/pdo_sqlite/sqlite_driver.c:543:
undefined reference to `pdo_raise_impl_error'
ext/pdo_sqlite/.libs/sqlite_driver.o(.text+0x1077): In function
`pdo_sqlite_handle_factory':
/usr/local/xtra_targz/php5-200510202030/ext/pdo_sqlite/sqlite_driver.c:697:
undefined reference to `php_pdo_get_exception'
ext/pdo_sqlite/.libs/sqlite_statement.o(.text+0x2d6): In function
`pdo_sqlite_stmt_param_hook':
/usr/local/xtra_targz/php5-200510202030/ext/pdo_sqlite/sqlite_statement.c:116:
undefined reference to `pdo_raise_impl_error'
ext/sqlite/.libs/sqlite.o(.text+0x172f): In function
`zm_startup_sqlite':
/usr/local/xtra_targz/php5-200510202030/ext/sqlite/sqlite.c:1100:
undefined reference to `php_pdo_register_driver'
ext/sqlite/.libs/sqlite.o(.text+0x175e): In function
`zm_shutdown_sqlite':
/usr/local/xtra_targz/php5-200510202030/ext/sqlite/sqlite.c:1113:
undefined reference to `php_pdo_unregister_driver'
ext/sqlite/.libs/pdo_sqlite2.o(.text+0x4df): In function
`_pdo_sqlite2_error':
/usr/local/xtra_targz/php5-200510202030/ext/sqlite/pdo_sqlite2.c:291:
undefined reference to `php_pdo_get_exception'
ext/sqlite/.libs/pdo_sqlite2.o(.text+0x73f): In function
`pdo_sqlite2_last_insert_id':
/usr/local/xtra_targz/php5-200510202030/ext/sqlite/pdo_sqlite2.c:373:
undefined reference to `php_pdo_int64_to_str'
ext/sqlite/.libs/pdo_sqlite2.o(.text+0xbfc): In function
`pdo_sqlite2_handle_factory':
/usr/local/xtra_targz/php5-200510202030/ext/sqlite/pdo_sqlite2.c:579:
undefined reference to `php_pdo_get_exception'
collect2: ld returned 1 exit status
make: *** [sapi/cli/php] Erreur 1
Thanks for your help
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=34939&edit=1
- 5
- #26278 [Opn->Bgs]: Can not user integer variable in $_SESSION ID: 26278
Updated by: email***@***.com
Reported By: glumtail at yahoo dot com
-Status: Open
+Status: Bogus
Bug Type: Session related
Operating System: FreeBSD
PHP Version: 4.3.2
New Comment:
Of course you can't.
RTFM (http://www.php.net/session):
"The keys in the $_SESSION associative array are subject to the same
limitations as regular variable names in PHP, i.e. they cannot start
with a number and must start with a letter or underscore. For more
details see the section on variables in this manual."
Previous Comments:
------------------------------------------------------------------------
[2003-11-16 20:01:32] glumtail at yahoo dot com
Description:
------------
I found it can not save integer variable in session.
e.g:
$_SESSION['TEST'] = 'SOMETHING' // OK
$_SESSION[1] = 'SOMETHING' // ERROR
My environment: FreeBSD + PHP 4.3.2
I think it must be a BIG bug.
Reproduce code:
---------------
<?php
session_start();
print_r($_SESSION); // always can not print $_SESSION[1]
$_SESSION[1] = 'TEST';
$_SESSION['TEST'] = 'MY TEST';
print_r($_SESSION);
?>
Expected result:
----------------
Result (after refresh):
Array ( )
Array ( [1] => TEST [TEST] => MY TEST )
The correct result should be:
Array ( [1] => TEST [TEST] => MY TEST )
Array ( [1] => TEST [TEST] => MY TEST )
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=26278&edit=1
- 6
- #42040 [Ana->Bgs]: cURL cookiejar resets default timezone to GMT ID: 42040
Updated by: email***@***.com
Reported By: lkc at pobox dot sk
-Status: Analyzed
+Status: Bogus
Bug Type: cURL related
Operating System: Windows
PHP Version: 5.2.3
New Comment:
I agree with Derick - I had the priorities confused when I was looking
at src, but this makes perfect sense.
Passing the bug on to the libcurl team and 'bogusifying' this report -
it's a bug, Jim, but not as we know it.
Previous Comments:
------------------------------------------------------------------------
[2007-07-22 17:39:06] email***@***.com
It's affecting it because the TZ env var takes priority over the
date.timezone ini setting as can be read here:
http://no.php.net/manual/en/function.date-default-timezone-get.php
I'd say this is a curl bug, it should unset the env var when it's done
with it.
------------------------------------------------------------------------
[2007-07-22 17:07:13] email***@***.com
I can reproduce this under Windows XP. (It appears to be a Windows-only
bug.)
Further info: The only way to reproduce this is if the timezone is set
via the date.timezone setting in php.ini. The bug does NOT occur when
the TZ env var is set via put_env(), nor when
date_default_timezone_set() is called from the script. The workaround is
to do either of those things before calling
curl_setopt(CURLOPT_COOKIEJAR);.
Somehow DATEG(timezone) is being unset and the TZ env var populated
with 'GMT', regardless of the timezone on the client.
The TZ env var is populated during libcurl configuration (tzset() is
called after putenv('TZ=whatever')). That's the only place in the entire
libcurl source it's used, given that the libcurl shipped with PHP
doesn't have IDNA support. Neither tzset() nor putenv() is called in
ext/curl.
At runtime, the TZ env var is only populated when CURLOPT_COOKIEJAR is
set (not for CURLOPT_COOKIESESSION). I've no idea why, much less why
setting TZ should interfere with PHP's global datetime values.
------------------------------------------------------------------------
[2007-07-19 04:26:50] lkc at pobox dot sk
Description:
------------
Using cURL with COOKIEJAR option resets timezone setting to GMT.
This only occurs if:
1. The default timezone is set using date.timezone in php.ini, NOT
through date_default_timezone_set().
2. The cookie file contains timestamp(s).
Reproduce code:
---------------
echo date_default_timezone_get(), "\n";
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_COOKIEJAR, "cookie.txt");
curl_setopt($ch, CURLOPT_URL, "http://www.google.com");
$f = curl_exec($ch);
curl_close($ch);
echo date_default_timezone_get(), "\n";
Expected result:
----------------
Show identical timezones.
Actual result:
--------------
Second timezone is always GMT.
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=42040&edit=1
- 7
- #26614 [Asn->Bgs]: linebreaks in CDATA sections ignored in line count ID: 26614
Updated by: email***@***.com
Reported By: email***@***.com
-Status: Assigned
+Status: Bogus
Bug Type: XML related
Operating System: *
PHP Version: 5CVS-2004-03-15
Assigned To: sterling
New Comment:
libxml bugs belong elsewhere..
Previous Comments:
------------------------------------------------------------------------
[2004-03-31 12:19:07] email***@***.com
line numbering is fixed with libxml cvs. will be released in 2.6.9.
column and byte position still an issue
------------------------------------------------------------------------
[2004-03-29 00:46:52] email***@***.com
further investigation shows that not only the line number count
is broken with CDATA but also column number and byte position
produced with libxml2 are in no way consistent with expat results
-> regression test updated
------------------------------------------------------------------------
[2003-12-13 11:04:06] email***@***.com
regression test added: ext/xml/test/bug26614.phpt
------------------------------------------------------------------------
[2003-12-13 09:11:38] email***@***.com
Description:
------------
xml_get_current_line_number() results differ between PHP 4 (expat) and
PHP 5 (libxml2) as libxml2 seems to skip over CDATA sections when
counting source lines
Reproduce code:
---------------
<?php
$xml ='<?xml version="1.0"?>
<data>
<![CDATA[
multi
line
CDATA
block
]]>
</data>';
function startElement($parser, $name, $attrs) {
echo "<$name> at line ".xml_get_current_line_number($parser)."\n";
}
function endElement($parser, $name) {
echo "</$name> at line
".xml_get_current_line_number($parser)."\n";
}
$xml_parser = xml_parser_create();
xml_set_element_handler($xml_parser, "startElement", "endElement");
xml_parse($xml_parser, file_get_contents("test.xml", true));
xml_parser_free($xml_parser);
?>
Expected result:
----------------
<DATA> at line 2
</DATA> at line 9
Actual result:
--------------
<DATA> at line 2
</DATA> at line 4
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=26614&edit=1
- 8
- #37951 [Opn->Fbk]: Segfaul when using certain curl_setopt option ID: 37951
Updated by: email***@***.com
Reported By: headhunter at c-plusplus dot de
-Status: Open
+Status: Feedback
Bug Type: cURL related
Operating System: SLES 10.0 - 64 Bit
PHP Version: 5.1.4
New Comment:
Please try using this CVS snapshot:
http://snaps.php.net/php5.2-latest.tar.gz
For Windows:
http://snaps.php.net/win32/php5.2-win32-latest.zip
Previous Comments:
------------------------------------------------------------------------
[2006-06-28 18:14:47] headhunter at c-plusplus dot de
Description:
------------
Hello,
I have found a bug which crashes PHP when using
CURLOPT_FOLLOWLOCATION.
This happens on certain adresses only, the one specified in the example
later gives a crash.
Example line:
curl_setopt ($curl_handle, CURLOPT_FOLLOWLOCATION, 1); // <<< CRASH
HERE
I don't know my configure line exactly. Anyway, I compiled PHP by hand
with--curl and --with-mysql and --with-cli. Rest is as untouched.
Unique to my systems where the problems I had getting mysql5 working.
It seems there is a bug in the configure Script of PHP which makes it
ignore the 64bit Libraries of mysql. I had to copy /usr/lib64/mysql to
/usr/lib/mysql to make compiling work.
The problem is indenpendant from the php.ini, I tried different one.
The default configuration also produces the crash.
Reproduce code:
---------------
<?php
$curl_handle = curl_init();
$timeout = 10;
curl_setopt ($curl_handle,CURLOPT_URL, 'www.vipnet.at');
curl_setopt ($curl_handle, CURLOPT_FOLLOWLOCATION, 1); // <<< CRASH
HERE
$buffer = curl_exec ($curl_handle);
print_r ($buffer);
?>
Expected result:
----------------
jojo@suse10064lamp:~> php bug.php
*** glibc detected *** free(): invalid pointer: 0x00002aaaab7dcb00 ***
Aborted
Actual result:
--------------
jojo@suse10064lamp:~> strace php bug.php
[ snip ]
open("/dev/tty", O_RDWR|O_NONBLOCK|O_NOCTTY) = 4
writev(4, [{"*** glibc detected *** ", 23}, {"free(): invalid pointer",
23}, {": 0x", 4}, {"00002aaaab7dcb00", 16}, {" ***\n", 5}], 5*** glibc
detected *** free(): invalid pointer: 0x00002aaaab7dcb00 ***
) = 71
rt_sigprocmask(SIG_UNBLOCK, [ABRT], NULL, 8) = 0
tgkill(12461, 12461, SIGABRT) = 0
--- SIGABRT (Aborted) @ 0 (0) ---
+++ killed by SIGABRT +++
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=37951&edit=1
- 9
- #25285 [NEW]: Unable to get IDispatch interface to ado but ACL's all correct and it's randomFrom: bodgadle at yahoo dot co dot uk
Operating system: Windows 2000
PHP version: 4.3.3
PHP Bug Type: COM related
Bug description: Unable to get IDispatch interface to ado but ACL's all correct and it's random
Description:
------------
Just upgraded to 4.3.3 last night and noticing some errors in my php log
file. Now this is not related to ACL's on the machine as that has been
setup correctly, there are no errors in the windows event viewer either.
And even weirder is that the code works fine for a few hours and then just
suddenly i get the above errors everytime i try to access our database
using ADO. A full restart of apache fixes it but until that's done our
site doesnt show any data.
The exact error is
[28-Aug-2003 02:51:00] PHP Warning: (null)(): Unable to obtain IDispatch
interface for CLSID {00000514-0000-0010-8000-00AA006D2EA4}: CoInitialize
has not been called. in E:\www\reports\monitoring.php on line 4
Here's 2 examples of code it happens a lot in
$query = "SET NOCOUNT ON;DELETE T_ARTICLE_LINKS WHERE
AL_ID=".$linkID.";SELECT @@ROWCOUNT AS ROWS";
$result = 0;
$conn = new
COM("ADODB.Connection");$conn->CommandTimeout=0;$conn->ConnectionTimeout=0;
@$conn->Open($_ENV["OUR_CONN"]);
if ($conn->state == 1) {
$rs = $conn->Execute($query);
$rows=$rs->Fields[0]->Value;$rs->Close();$rs->Release();$rs=null;unset($rs);
$conn->Close();
$conn->Release();$conn=null;unset($conn);
}
return $rows;
and here's an example using a stored procedure
$conn = new
COM("ADODB.Connection");$conn->CommandTimeout=0;$conn->ConnectionTimeout=0;
@$conn->Open($_ENV["NUSONLINE_CONN"]);
if ($type != '') {
$t_id = ($typeID != '') ? $typeID : 0;
$cmd = new COM("ADODB.Command");
$cmd->ActiveConnection = $conn;
$cmd->CommandType = 4;
$cmd->CommandText = "proc_POSTER_TYPES";
$cmd->Parameters->Append($cmd->CreateParameter("@RETURN_VALUE", 3, 4,
0, ($RETURN_VALUE=0)));
$cmd->Parameters->Append($cmd->CreateParameter("@typeid", 131, 3, 0,
$t_id));
$cmd->Parameters->Append($cmd->CreateParameter("@name", 200, 1, 1,
stripslashes($typeName)));
$cmd->Parameters->Append($cmd->CreateParameter("@successflag", 131, 3,
0, $successflag));
$cmd->Parameters["@typeid"]->Precision = 18;
$cmd->Parameters["@successflag"]->Precision = 18;
$cmd->Execute();
$typeid = $cmd->Parameters["@typeid"]->Value;
$successflag = $cmd->Parameters["@successflag"]->Value;
$conn->Close();
$cmd->Release();$cmd=null;unset($cmd);
$conn->Release();$conn=null;unset($conn);
}
again the errors arent to do with the SQL/SP's used as they happen on the
creation of the COM object.
--
Edit bug report at http://bugs.php.net/?id=25285&edit=1
--
Try a CVS snapshot (php4): http://bugs.php.net/fix.php?id=25285&r=trysnapshot4
Try a CVS snapshot (php5): http://bugs.php.net/fix.php?id=25285&r=trysnapshot5
Fixed in CVS: http://bugs.php.net/fix.php?id=25285&r=fixedcvs
Fixed in release: http://bugs.php.net/fix.php?id=25285&r=alreadyfixed
Need backtrace: http://bugs.php.net/fix.php?id=25285&r=needtrace
Try newer version: http://bugs.php.net/fix.php?id=25285&r=oldversion
Not developer issue: http://bugs.php.net/fix.php?id=25285&r=support
Expected behavior: http://bugs.php.net/fix.php?id=25285&r=notwrong
Not enough info: http://bugs.php.net/fix.php?id=25285&r=notenoughinfo
Submitted twice: http://bugs.php.net/fix.php?id=25285&r=submittedtwice
register_globals: http://bugs.php.net/fix.php?id=25285&r=globals
PHP 3 support discontinued: http://bugs.php.net/fix.php?id=25285&r=php3
Daylight Savings: http://bugs.php.net/fix.php?id=25285&r=dst
IIS Stability: http://bugs.php.net/fix.php?id=25285&r=isapi
Install GNU Sed: http://bugs.php.net/fix.php?id=25285&r=gnused
- 10
- #27052 [Fbk->Opn]: rand() returns easily predictable numbers ID: 27052
User updated by: webmaster at armondc dot com
Reported By: webmaster at armondc dot com
-Status: Feedback
+Status: Open
Bug Type: Math related
Operating System: Windows 2000 Professional
-PHP Version: 4.3.4
+PHP Version: 4.3.5RC2-dev
New Comment:
I tried it on 4.3.5RC2-dev, and it's still relativly the same. The
pattern is slightly different, but is still as predictable as before.
Previous Comments:
------------------------------------------------------------------------
[2004-01-26 19:04:34] email***@***.com
Please try using this CVS snapshot:
http://snaps.php.net/php4-STABLE-latest.tar.gz
For Windows:
http://snaps.php.net/win32/php4-win32-STABLE-latest.zip
Some rand() related bugs have already been fixed..
------------------------------------------------------------------------
[2004-01-26 15:56:22] webmaster at armondc dot com
On the "actual result" its not as easily spotted without wrapping.
This should give a better picture:
]F[LIBGHU^SDAZ_`MVK\YRWXENCTQJOP]F[LIBGHU^SDAZ_`MVK\YRWXENCTQJOP]F
[LIBGHU^SDAZ_`MVK\YRWXENCTQJOP]F[LIBGHU^SDAZ_`MVK\YRWXENCTQJOP]F
[LIBGHU^SDAZ_`MVK\YRWXENCTQJOP]F[LIBGHU^SDAZ_`MVK\YRWXENCTQJOP]F
[LIBGHU^SDAZ_`MVK\YRWXENCTQJOP]F[LIBGHU^SDAZ_`MVK\YRWXENCTQJOP]F
[LIBGHU^SDAZ_`MVK\YRWXENCTQJOP]F[LIBGHU^SDAZ_`MVK\YRWXENCTQJOP]F
[LIBGHU^SDAZ_`MVK\YRWXENCTQJOP]F[LIBGHU^SDAZ_`MVK\YRWXENCTQJOP]F
[LIBGHU^SDAZ_`MVK\YRWXENCTQJOP]F[LIBGHU^SDAZ_`MVK\YRWXENCTQJOP]F
[LIBGHU^SDAZ_`MVK\YRWXENCTQJOP]F[LIBGHU^SDAZ_`MVK\
------------------------------------------------------------------------
[2004-01-26 15:53:26] webmaster at armondc dot com
Description:
------------
I'm not sure if this is a very major problem, or even a bug, but here
goes:
It seems rand() on Windows is very predictable.
I've tried it on 2 Windows Systems, and they were both predictable. It
showed a breif unpredictable segment, then followed by the same string
of characters over and over, and finally a few more unpredictable
characters.
I tried this on a FreeBSD 5.2 System, and it was unpreditable enough.
Seems to be a windows-only problem.
I also noticed bug#11108 - It seems similar, but the submitter was
using his own seeds, and I am using without.
Reproduce code:
---------------
<?php
// This will reproduce the problem
// on windows
for($x = 0; $x < 500; $x++) {
echo chr((rand()%32)+65);
}
// This is a quick-fix, but
// goes agaist the documentation's
// 'no need for srand()'
for($x = 0; $x < 500; $x++) {
srand(hexdec(substr(md5(microtime()), 0, 8)));
echo chr((rand()%32)+65);
}
?>
Expected result:
----------------
Something a bit random like:
HEOSITFS[ZYH_EVIVVXSLCWRHHC_]_L^PIBTC\TXPBWQLCM^VZSU`UHOG[\VF[KCDGFZM^Q\IG^KAIYPIYBSBIMGHXIBMPHLY\OAZMYAZPJ_`D`F\X\QXR[GP]DQLRHMYIOERBMEKBDJMJPN]J\\KPES^EGRKKO^S[`XL\SSHQXOYQU_JDMM`ZEUEOQOYMHJPYDTRRU_URHYJGXRQYDYADD]OBVUGC^GGSXPRJJAOAKRAYYN^Q\`XFQJNOWQKAJBFONFXNDZFFIMYRL`ROH^]IM_MINJI\MJJAVG`]_B_EAV`C\O_\DHCHLX_NIO`U^KMJF\`K]VZDOZ_FAWCZC_IQK^[NTPZCC]XEFZ[`\AG[PV^XLPRYVAS]ZPH`^WAXYAZYGK_M_QK`F]PRMP^BBPTRV^KV_VDOLFIM]WQNHVF^DYWGGSGLJ_ZMODG[Z_AAXBYD^FS\MITLZESC`DXLH]NWNIVWZZMVMSXFQMG[O[W[YSPVMTQLHD
Actual result:
--------------
An easily spotted pattern:
]F[LIBGHU^SDAZ_`MVK\YRWXENCTQJOP]F[LIBGHU^SDAZ_`MVK\YRWXENCTQJOP]F[LIBGHU^SDAZ_`MVK\YRWXENCTQJOP]F[LIBGHU^SDAZ_`MVK\YRWXENCTQJOP]F[LIBGHU^SDAZ_`MVK\YRWXENCTQJOP]F[LIBGHU^SDAZ_`MVK\YRWXENCTQJOP]F[LIBGHU^SDAZ_`MVK\YRWXENCTQJOP]F[LIBGHU^SDAZ_`MVK\YRWXENCTQJOP]F[LIBGHU^SDAZ_`MVK\YRWXENCTQJOP]F[LIBGHU^SDAZ_`MVK\YRWXENCTQJOP]F[LIBGHU^SDAZ_`MVK\YRWXENCTQJOP]F[LIBGHU^SDAZ_`MVK\YRWXENCTQJOP]F[LIBGHU^SDAZ_`MVK\YRWXENCTQJOP]F[LIBGHU^SDAZ_`MVK\YRWXENCTQJOP]F[LIBGHU^SDAZ_`MVK\YRWXENCTQJOP]F[LIBGHU^SDAZ_`MVK\
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=27052&edit=1
- 11
- [PHP-DEV] last Tidy api changesHello all,
I'm currently documenting the Tidy extension and I've noted that John has
changed the API in PHP 5.
He changed all is_xxx to isXxx. This makes Tidy 1 and 2 (PHP 4 and 5)
complitely imcompatible.
I don't see any advantages in changing the API. And I prefer the is_xxx
form....
Is it possible to revert this change, please?
(http://cvs.php.net/diff.php/php-src/ext/tidy/tidy.c?r1=1.35&r2=1.36)
Thanks,
Nuno
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
- 12
- #30868 [NEW]: PHP Fails to compile when mbstring is enabledFrom: touv at ouvaton dot org
Operating system: HP-UX 11
PHP version: 5.0.2
PHP Bug Type: Compile Failure
Bug description: PHP Fails to compile when mbstring is enabled
Description:
------------
% export CC=cc
% export CFLAGS="-O +DS2.0 +DA2.0W"
% ./configure --with-libxml-dir=/usr/local/libs/libxml2-2.6.9-64
--enable-mbstring
(...)
% make
(...)
cc -DNOT_RUBY -DHAVE_CONFIG_H -Iext/mbstring/
-I/tmp/php-5.0.2/ext/mbstring/ -DPHP_ATOM_INC -I/tmp/php-5.0.2/include
-I/tmp/php-5.0.2/main -I/tmp/php-5.0.2 -I/tmp/php-5.0.2/Zend
-I/usr/local/libs/libxml2-2.6.9-64/include/libxml2
-I/usr/local/libs/libiconv-1.9.1-64/include
-I/tmp/php-5.0.2/ext/mbstring/oniguruma
-I/tmp/php-5.0.2/ext/mbstring/libmbfl
-I/tmp/php-5.0.2/ext/mbstring/libmbfl/mbfl -I/usr/include
-I/usr/include/X11 -I/usr/contrib/include -I/usr/contrib/include/X11
-I/usr/local/libs/zlib-1.1.4-64/include
-I/usr/local/libs/libxml2-2.6.9-64/include -I/tmp/php-5.0.2/TSRM -w -O
+DS2.0 +DA2.0W -c /tmp/php-5.0.2/ext/mbstring/php_mbregex.c -o
ext/mbstring/php_mbregex.o && echo > ext/mbstring/php_mbregex.lo
cc: "/tmp/php-5.0.2/ext/mbstring/php_mbregex.c", line 488: error 1649:
Illegal integer-pointer combination for <.
cc: "/tmp/php-5.0.2/ext/mbstring/php_mbregex.c", line 488: error 1563:
Expression in if must be scalar.
*** Error exit code 1
--
Edit bug report at http://bugs.php.net/?id=30868&edit=1
--
Try a CVS snapshot (php4): http://bugs.php.net/fix.php?id=30868&r=trysnapshot4
Try a CVS snapshot (php5.0): http://bugs.php.net/fix.php?id=30868&r=trysnapshot50
Try a CVS snapshot (php5.1): http://bugs.php.net/fix.php?id=30868&r=trysnapshot51
Fixed in CVS: http://bugs.php.net/fix.php?id=30868&r=fixedcvs
Fixed in release: http://bugs.php.net/fix.php?id=30868&r=alreadyfixed
Need backtrace: http://bugs.php.net/fix.php?id=30868&r=needtrace
Need Reproduce Script: http://bugs.php.net/fix.php?id=30868&r=needscript
Try newer version: http://bugs.php.net/fix.php?id=30868&r=oldversion
Not developer issue: http://bugs.php.net/fix.php?id=30868&r=support
Expected behavior: http://bugs.php.net/fix.php?id=30868&r=notwrong
Not enough info: http://bugs.php.net/fix.php?id=30868&r=notenoughinfo
Submitted twice: http://bugs.php.net/fix.php?id=30868&r=submittedtwice
register_globals: http://bugs.php.net/fix.php?id=30868&r=globals
PHP 3 support discontinued: http://bugs.php.net/fix.php?id=30868&r=php3
Daylight Savings: http://bugs.php.net/fix.php?id=30868&r=dst
IIS Stability: http://bugs.php.net/fix.php?id=30868&r=isapi
Install GNU Sed: http://bugs.php.net/fix.php?id=30868&r=gnused
Floating point limitations: http://bugs.php.net/fix.php?id=30868&r=float
MySQL Configuration Error: http://bugs.php.net/fix.php?id=30868&r=mysqlcfg
- 13
- #32633 [Opn]: Warning message from imagecreatefromjpeg not suppressed when using @ ID: 32633
Updated by: email***@***.com
Reported By: anders at apt dot no
Status: Open
Bug Type: GD related
Operating System: Windows 2003 Advanced Server
PHP Version: 4.3.11
New Comment:
It *is* a broken image - the GIMP says so too.
Previous Comments:
------------------------------------------------------------------------
[2005-04-08 10:42:35] anders at apt dot no
Description:
------------
I'm trying import a JPEG image
(http://kunde.apt.no/aso/imagecreatefromjpeg/demo.jpg) to a resource
using imagecreatefromjpeg. This function fails and even though I use @
infront of the function, it still generates an error warning 'Corrupt
JPEG data: 203 extraneous bytes before marker 0xd9'. The image works
fine in every other program I've tested it with.
Some guy has found his own workaround:
http://www-personal.umd.umich.edu/~dennismv/corruptjpeg.html
Reproduce code:
---------------
if ($im =
@imagecreatefromjpeg('http://kunde.apt.no/aso/imagecreatefromjpeg/demo.jpg'))
{
echo 'Valid JPEG file';
imagedestroy($im);
} else {
echo 'Not a valid JPEG file';
}
Expected result:
----------------
I expect the code to output 'Not a valid JPEG file', since the JPEG
contains errors, and nothing else (since I've suppressed error messages
with the @)
Actual result:
--------------
Not a valid JPEG fileCorrupt JPEG data: 203 extraneous bytes before
marker 0xd9
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=32633&edit=1
- 14
- #32455 [NoF->Opn]: wrong setting property to unseted value ID: 32455
User updated by: becicka at aarongroup dot cz
Reported By: becicka at aarongroup dot cz
-Status: No Feedback
+Status: Open
Bug Type: SOAP related
PHP Version: 5CVS-2005-03-31
Assigned To: dmitry
New Comment:
I'm sorry to response too late. I send You requested email.
Previous Comments:
------------------------------------------------------------------------
[2005-04-28 01:00:04] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
------------------------------------------------------------------------
[2005-04-20 16:28:06] email***@***.com
I need to look into WSDL file to understand the bug.
Can you email it to me.
------------------------------------------------------------------------
[2005-04-03 18:25:11] email***@***.com
Assigning to the maintainer.
------------------------------------------------------------------------
[2005-04-01 10:58:10] becicka at aarongroup dot cz
I try this (http://snaps.php.net/php5-latest.tar.gz) and there are the
same situation.
------------------------------------------------------------------------
[2005-03-25 23:34:17] email***@***.com
Please try using this CVS snapshot:
http://snaps.php.net/php5-latest.tar.gz
For Windows:
http://snaps.php.net/win32/php5-win32-latest.zip
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/32455
--
Edit this bug report at http://bugs.php.net/?id=32455&edit=1
- 15
- #35039 [Opn->Bgs]: strftime weird math ID: 35039
Updated by: email***@***.com
Reported By: arcivanov at mail dot ru
-Status: Open
+Status: Bogus
Bug Type: Date/time related
Operating System: Slackware 10.1 (kern v2.6.14)
PHP Version: 5.0.5
New Comment:
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php
Please read the documentation, %G is the ISO year, and if you use it
together with the ISO week modifier (%V) then you'll see that jan 01
falls in the last week of the previous year.
Previous Comments:
------------------------------------------------------------------------
[2005-10-31 19:41:18] arcivanov at mail dot ru
Description:
------------
strftime always displays Jan of year X as Jan of year X-1 when using
'%B, %G' format for some years
Reproduce code:
---------------
function print_time($curr_time)
{
echo ("Time according to date:\t\t" . date("Y-m-d H:i:s",
$curr_time) . "\n");
echo ("Time according to strftime:\t" . strftime('%B, %G',
$curr_time) . "\n");
}
$curr_time = strtotime("2006-01-01 00:00:01");print_time ($curr_time);
$curr_time = strtotime("2005-01-01 00:00:01");print_time ($curr_time);
$curr_time = strtotime("2004-01-01 00:00:01");print_time ($curr_time);
$curr_time = strtotime("2003-01-01 00:00:01");print_time ($curr_time);
$curr_time = strtotime("2002-01-01 00:00:01");print_time ($curr_time);
$curr_time = strtotime("2001-01-01 00:00:01");print_time ($curr_time);
$curr_time = strtotime("2000-01-01 00:00:01");print_time ($curr_time);
$curr_time = strtotime("1999-01-01 00:00:01");print_time ($curr_time);
Expected result:
----------------
Time according to date: 2006-01-01 00:00:01
Time according to strftime: January, 2006
Time according to date: 2005-01-01 00:00:01
Time according to strftime: January, 2005
Time according to date: 2004-01-01 00:00:01
Time according to strftime: January, 2004
Time according to date: 2003-01-01 00:00:01
Time according to strftime: January, 2003
Time according to date: 2002-01-01 00:00:01
Time according to strftime: January, 2002
Time according to date: 2001-01-01 00:00:01
Time according to strftime: January, 2001
Time according to date: 2000-01-01 00:00:01
Time according to strftime: January, 2000
Time according to date: 1999-01-01 00:00:01
Time according to strftime: January, 1999
Actual result:
--------------
Time according to date: 2006-01-01 00:00:01
Time according to strftime: January, 2005
Time according to date: 2005-01-01 00:00:01
Time according to strftime: January, 2004
Time according to date: 2004-01-01 00:00:01
Time according to strftime: January, 2004
Time according to date: 2003-01-01 00:00:01
Time according to strftime: January, 2003
Time according to date: 2002-01-01 00:00:01
Time according to strftime: January, 2002
Time according to date: 2001-01-01 00:00:01
Time according to strftime: January, 2001
Time according to date: 2000-01-01 00:00:01
Time according to strftime: January, 1999
Time according to date: 1999-01-01 00:00:01
Time according to strftime: January, 1998
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=35039&edit=1
|
|
|
