There was an exploit for mambo some time ago, sql injection i believe, perhaps several others also, so mambo is a likely culprit.
One cannot say it was PHP directly that got the machine compromised. It was an exploit in a script written in PHP.
A box isn't going to get compromised if PHP was installed alone on the box without any scripts (at least it's very very unlikely).
Is C the direct cause of your box being owned when there is an exploit in, say, proftpd for example?
I mean, I could also say...
"yeah, you'd have to be mad to run sendmail on a box you don't want to get owned"
"yeah, you'd have to be mad to run proftpd on a box you don't want to get owned"
"yeah, you'd have to be mad to run bind on a box you don't want to get owned"
"yeah, you'd have to be mad to run a linux kernel on a box you don't want to get owned"
These applications have all had their problems in the past, maybe some still have problems, but overall
they get fixed when new exploits/bugs are discovered.
I'm not quite sure why, but a lot of people/webmasters/admins do not check for updates to the 3rd party php scripts
they have installed, they just install them once and leave them running... Then they wonder why their box was compromised
due to them running out of date software.
You wouldn't leave your windows machine unpatched and never check for updates, would you?
Variables are untyped, so if you do $a + $b, it's not clear what the result might be.
There is a section of the manual which describes the behaviour to expect when types are mixed.
See... Type juggling
You should always be developing with error_reporting(E_ALL|E_STRICT);
This would throw a Notice warning about the use of an undeclared variable when the code tries to access it.
Error reporting should more than likely be disabled for your production environment however.
(E_STRICT is PHP5, E_ALL on its own will still generate the Notice)
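An added example (editor's code, not from the post above) of what loose comparison does once types are juggled, which is where the manual section matters in practice: two distinct strings compare equal under == because both parse as the number zero, while === and hash_equals() keep them apart. The values are constructed; the code assumes PHP 5.6 or later for hash_equals(), and uses E_ALL alone because E_STRICT was folded into E_ALL in PHP 5.4.

```php
<?php
// Added example, not code from the post. Loose (==) versus strict (===) comparison
// under PHP type juggling, and the comparison to use for secrets.
// Assumes PHP >= 5.6 (hash_equals). On PHP 5.3 use error_reporting(E_ALL | E_STRICT).
error_reporting(E_ALL);

// Loose comparison: two numeric strings are compared as numbers, so "0e1" and "0e2"
// are both read as 0.0 and compare equal.
function loose_equal($a, $b)
{
    return $a == $b;
}

// Strict comparison: same type and same value required.
function strict_equal($a, $b)
{
    return $a === $b;
}

// For tokens and hash digests: strict, constant-time comparison. hash_equals()
// refuses non-strings, so the is_string() guard keeps a malformed request
// (e.g. token[]=x arriving as an array) from raising a warning instead of failing.
function token_matches($expected, $supplied)
{
    return is_string($supplied) && hash_equals($expected, $supplied);
}

// Arithmetic juggles as well: "10" + "5" is int(15), "1.5" + 1 is float(2.5).
function add_mixed($a, $b)
{
    return $a + $b;
}

// Constructed test values. "0e1" and "0e2" stand in for any two hex digests that
// start with "0e" followed only by digits, a known pitfall when md5()/sha1()
// output is compared with ==.
$cases = array(
    array('loose  "0e1" == "0e2"',    loose_equal('0e1', '0e2')),
    array('strict "0e1" === "0e2"',   strict_equal('0e1', '0e2')),
    array('token  "0e1" vs "0e2"',    token_matches('0e1', '0e2')),
    array('loose  "1e3" == "1000"',   loose_equal('1e3', '1000')),
    array('strict "1e3" === "1000"',  strict_equal('1e3', '1000')),
);
foreach ($cases as $c) {
    printf("%-26s %s\n", $c[0], var_export($c[1], true));
}
var_dump(add_mixed('10', '5'), add_mixed('1.5', 1));

// With E_ALL on, reading a variable that was never assigned produces a notice
// (PHP 5/7) or a warning (PHP 8) rather than silently evaluating to null.
echo $never_assigned;
```

The practical rule this illustrates: anything that came from the request or from a hash function gets compared with === or hash_equals(), never with ==.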
Some time ago in the 70s the CIA ran a program to test ESP and related parapsychology
and its usefulness in the intelligence field.
I believe they tested both telekinesis and remote viewing, under great scrutiny.
I don't know what they concluded for telekinesis but in their remote viewing experiments
they came to the conclusion that it was a real and somewhat provable phenomenon but could not be used
for intelligence purposes as it was not always accurate enough and there was too much wrong info
amongst the accurate info.
Shortly after, the project was dropped.
Read this report for more info.
Report
or search for:
'Parapsychology in Intelligence: A Personal Review and Conclusions'
On a related note, I did an experiment with 'mind reading' over the internet,
where I had a webpage which asked people to look at a picture in the bottom right
and then think of a number between 0 and 9 and enter it into a text field in the
top left of the page.
The webpage had already predicted the number they would enter before they submitted it.
The results were that over 50% of the time, the number was predicted correctly.
Which is far far better than the ~10% one would get if guessing.
Of course, what the page didn't mention was that in the middle, between
the text box and the picture were large numbers of the predicted number in a very light
grey color that was nearly impossible to see against the white background without
looking very closely.
So mind reading... not quite... but quite an interesting subliminal suggestion experiment.
The bittorrent client BitComet has been doing this for a long time now.
Simply what it does is share lists of peers between clients for matching infohashes...
It doesn't necessarily decentralize it or remove the need for a tracker, as you need to get at least one IP from a member of the swarm (who has a compatible client).
It can help to get new peers if a tracker fails half way through, but you still need the initial peers' IPs from a tracker or similar.
You are not quite right. The tracker does not need the .torrent, nor does it need to know anything about the contents of a torrent.
All the tracker does is keep a list of IPs that are associated with an infohash.
The links provided are very slow... here are normal ones.
Scott Berkun
basic principles of web browser design
del.icio.us integration
unified tool
Open Text Summarizer
your problem is probably that you haven't correctly forwarded ports from your router. or it just happens to be a slow torrent.
i regularly get >600k/s with bittorrent, fastest being 2MB/s,
but not having forwarded ports limits the speed quite a bit.
performance i agree, loose typing isn't as fast.
bugs i would disagree with however,
rarely in an application i develop are bugs a result of the language being loosely typed.
loosely typed code i often find 'cleaner' than strongly typed code, you can do things in a lot less code.
for example: on my website, i have a bunch of 'modules' (consider them to be different pages), each module is a class ModuleName, and has a render method to draw the page. now i can do things like this:
    $module = strtolower($_GET['module']);
    // anchored with ^ and $ so the whole name must be alphanumeric; an unanchored
    // pattern passes any input that merely contains one letter or digit.
    // preg_match() rather than ereg(), which was removed in PHP 7.
    if(!preg_match('/^[a-zA-Z0-9]+$/', $module))
        die("noshoes");
    include("modules/mod{$module}.php");
    $mod = new $module;
    if(method_exists($mod, 'Render'))
        $mod->Render();
now if doing this in a strongly typed way, i wouldn't be able to instantiate an object based on a variable class name. which would lead to similar code.
    if(module == 'home')
        mod = new Home;
    elseif(module == 'about')
        mod = new About;
    elseif(module == 'download')
        mod = new Download;
etc. (doesn't look too big, but if i had 10 pages it starts to add up)
if i want to add a new page to the site, i can simply drop in a file into the modules directory, with the strongly typed way, i would have to add a new elseif statement too.
i believe loose typing (especially in php context) adds a LOT of flexibility in programming
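An added example (editor's code, not the post's own) of the same drop-a-file dispatch with the request-supplied name checked against the files that actually exist before it reaches include() or new: the allow-list is built from the modules directory rather than from the request, the pattern is anchored, autoloading is kept out of class_exists(), and the loaded class must implement an interface before Render() is called. It assumes the post's layout (modules/modNAME.php defining class NAME with a Render() method) and writes one constructed module into a temporary directory so it runs stand-alone.

```php
<?php
// Added example, not the post's code. Dispatch to a page module named by the request,
// accepting only names that correspond to a file present in the modules directory.
// Assumed layout (from the post): modules/modNAME.php declares class NAME with Render().

interface PageModule
{
    public function Render();
}

// Allow-list from the directory listing: "home" => "<dir>/modhome.php", and so on.
function allowed_modules($dir)
{
    $names = array();
    $paths = glob($dir . '/mod*.php');
    if ($paths === false) {
        return $names;
    }
    foreach ($paths as $path) {
        $name = substr(basename($path, '.php'), 3);   // strip the "mod" prefix
        $names[$name] = $path;
    }
    return $names;
}

// Returns an instance of the requested module, or null when the request is not acceptable.
function dispatch($requested, $dir)
{
    $module = strtolower((string) $requested);
    // Anchored: the whole string must be alphanumeric. Without ^ and $ any input
    // containing a single letter or digit ("../../etc/passwd") would pass.
    if (!preg_match('/^[a-z0-9]+$/', $module)) {
        return null;
    }
    $allowed = allowed_modules($dir);
    if (!isset($allowed[$module])) {
        return null;
    }
    require_once $allowed[$module];
    // Only a class that file declared is acceptable; autoloading is disabled so the
    // request cannot reach an unrelated class that happens to share the name.
    if (!class_exists($module, false)) {
        return null;
    }
    $mod = new $module();
    return ($mod instanceof PageModule) ? $mod : null;
}

// Stand-alone demo: a temporary modules directory holding one constructed module.
$dir = sys_get_temp_dir() . '/modules_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/modhome.php',
    "<?php\nclass home implements PageModule { public function Render() { echo \"home page\\n\"; } }\n");

foreach (array('home', 'HOME', '../../etc/passwd', 'about', 'home;ls') as $req) {
    $mod = dispatch($req, $dir);
    printf("%-20s -> %s\n", $req, $mod === null ? 'rejected (noshoes)' : 'ok: ' . get_class($mod));
    if ($mod !== null) {
        $mod->Render();
    }
}
unlink($dir . '/modhome.php');
rmdir($dir);
```

The point of building the allow-list from the filesystem is that "drop a file in" still works, but the request can only name something that is already a module; the regex alone would still let a request name any class already loaded in the process.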
you mustn't have seen Turck mmCache
when a php script is first run after a change it is kept (cached) in its bytecode form, thus eliminating compile time for subsequent requests.
true there is no JIT in php, but for a web application the bottlenecks will most likely be elsewhere.
And of course, if the best performance is required, intensive bits of the application can be offloaded into a C extension.
scripting languages (as in, compiled at runtime) do have advantages over compiled languages.
if i'm out of the office and i get a call saying something is broken, if i'm somewhere with internet access then i can ftp/ssh into the server, make a quick fix and all is well until i can fix it properly.
with compiled languages, i need access to ide/compiler/etc and that's not too practical from most places.
admittedly, debugging php code can be quite a pain, although with zend studio it can be done quite effectively.
why would you want to throw away the benefits of loose typing?
there are things i can do in php that i just simply couldn't (with ease) in strongly typed languages.
loose typing also cuts down development time dramatically.
similarly with OOP, there are some things that OOP can't do well, things that work much better in procedural coding.
i personally develop in a mix of OOP and non-OOP code. often i find myself writing a lot more code doing it the OOP way, so i'll do it procedurally.
OOP to me seems a bit of a con.
it's not the all-singing-all-dancing-best-thing-in-the-world-ever that some people make it out to be. i don't have anything against OOP itself, more the way that people promote it and claim it brings great "benefits" which in reality don't provide any additional benefits over doing it procedurally.
OOP seems to lose a lot of power and flexibility when coding, too.
i'm not quite sure where you're getting this from.
i've been using php5 since the first beta and afaik it has never required overloaded child methods to require the same number of arguments as the parent class.
    <?php
    error_reporting(E_ALL|E_STRICT);
    class SomeParent
    {
        function __construct($var1, $var2)
        {
            echo "Parent: $var1, $var2\n";
        }
    }
    class SomeChild extends SomeParent
    {
        function __construct($var1, $var2, $var3)
        {
            echo "Child: $var1, $var2, $var3\n";
        }
    }
    $x = new SomeParent(1,2);
    $y = new SomeChild(3,4,5);
    $z = new SomeParent(6,7,8);   // the extra argument is ignored
    /* outputs:
    Parent: 1, 2
    Child: 3, 4, 5
    Parent: 6, 7
    */
    ?>
as for sqlite as session handler, it is not the default, nor has it ever been the default.
there was a patch to ALLOW it to be used as a session handler, by setting session.save_handler = sqlite in php.ini
but if we look at the php.inis in the php5 distribution:
[solidox@server150 php-5.0.0]$ cat php.ini-*|grep "session.save_handler"
session.save_handler = files
session.save_handler = files
both dist and recommended use flat files as the default session handler.
here in the uk we've been getting spam through our mobiles for a long time now, many years.
there has also been chain mail too.
this is partly the reason IE got its dominance in the first place, by supporting proprietary crap they added that nothing else supported.
there are still many high profile sites (banking sites are a big offender) that simply won't work on anything other than IE, mainly because they've used IE-only features that other browsers don't support.
If i visit a site with firefox (my primary browser) and it needs IE then i'll either switch to IE or leave the site never to return (depending on importance).
If an IE-using lamer visits a site and it tells them they require [otherbrowser], they're unlikely to go and get [otherbrowser], install it, then visit the site. They'll just leave the site and not come back.
oh no, only Intel are made in America.
AMD are made in third world countries using child labour in sweatshops.
at least according to this Adequacy.org
not quite, mysql (dunno about other dbs) will return unescaped strings.
take the string "hel'lo"
with magic quotes it'll be "hel\'lo"
then read it back, it will come back as "hel'lo"
so, assuming you addslashes/mysql_escape_string first:
insert addslashes("hel\'lo") ["hel\\\'lo"]
(stored internally and read back as "hel\'lo")
read stripslashes("hel\'lo") ["hel'lo"]
first case:
    mysql> SELECT 'hel\'lo';
    +--------+
    | hel'lo |
    +--------+
    1 row in set (0.00 sec)
second: do addslashes first.
    mysql> SELECT 'hel\\\'lo';
    +---------+
    | hel\'lo |
    +---------+
    1 row in set (0.00 sec)
do stripslashes on the result.
and we end up with "hel'lo".
so there we go
providing you addslashes before entering and stripslashes after reading from db then it'll be fine whether it's on or off.
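An added example, editor's code rather than the poster's, of the approach that makes the magic-quotes question moot: undo magic quotes once at the edge (only on PHP versions where they still exist), then hand the raw value to a parameterized query so the driver escapes it exactly once and the row holds what was typed. It also simulates the addslashes/stripslashes pair with magic quotes off, where a value containing a backslash does not survive the read side. It assumes pdo_sqlite is available and uses an in-memory database so it runs offline; the sample strings are constructed.

```php
<?php
// Added example, not from the post. Escape once, at the database boundary, via a
// bound parameter; compare with an addslashes()/stripslashes() pair on a value
// that contains backslashes. Assumes pdo_sqlite; the sample strings are constructed.

function unescape_legacy_input($value)
{
    // With magic_quotes_gpc=On (PHP < 5.4) request data arrives pre-escaped; undo
    // that here, once, so everything downstream sees what the user typed.
    // On PHP >= 5.4 magic quotes are gone and this is a no-op.
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Store a value through a bound parameter and read it back unchanged.
function round_trip(PDO $db, $value)
{
    $db->exec('DELETE FROM t');
    $stmt = $db->prepare('INSERT INTO t (v) VALUES (:v)');
    $stmt->execute(array(':v' => $value));   // the driver quotes it, exactly once
    return $db->query('SELECT v FROM t')->fetchColumn();
}

// The post's pair with magic quotes OFF, simulated without a database: addslashes()
// on the way in is consumed by the server, so the raw string is what gets stored;
// stripslashes() on the way out is then applied to a string that was never escaped.
function legacy_pair_magic_quotes_off($raw)
{
    $stored = $raw;                 // addslashes($raw) -> server unescapes -> $raw
    return stripslashes($stored);   // read side of the pair
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE t (v TEXT)');

$samples = array("hel'lo", 'C:\\temp\\new', "a\\'b");
foreach ($samples as $raw) {
    $bound  = round_trip($db, unescape_legacy_input($raw));
    $legacy = legacy_pair_magic_quotes_off($raw);
    printf("%-12s bound: %-12s %-8s legacy pair: %-12s %s\n",
        $raw,
        $bound,  $bound  === $raw ? 'intact' : 'ALTERED',
        $legacy, $legacy === $raw ? 'intact' : 'ALTERED');
}
```

With a bound parameter there is nothing to strip on the way out, so a Windows path or a literal backslash in the data comes back as stored; the legacy pair only looks correct for inputs that happen to contain no backslashes of their own.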
gaming isn't the only thing you do on a computer that requires a high spec.
music production is one other, you want as much cpu speed as you can get, plenty of ram and preferably fast hard drives.
3d rendering, again requires lots of cpu/ram
image manipulation, yep.
compiling large programs, it helps.
the last 3 listed don't strictly NEED fast speeds, they will just take longer doing it.
music production is realtime however and needs as much as you can throw at it. (my xp2200+ is still doing it fine tho)
i do agree tho, most people who just use their comp for browsing/IM/email/WP won't need an ultra-super-duper-0day computer, but for some reason they buy them anyways. all those wasted clockcycles that could go to much better use in my possession.
in my personal experience, ATI cards have always been much much sharper than nvidia equivalents at 2d rendering.
GNER trains aren't electric.
they don't have a means to connect to the limited amounts of overhead electric wires and the tracks aren't electric either.
nice idea tho
IIRC the lethal caffeine dose is 10g orally and 3.2g intravenously.
a cup of coffee contains ~80-120mg of caffeine, so 100 cups of coffee could well kill you...
if you drank them all simultaneously.
one after another... you'll just feel REALLY shit.
Re:Sys Admin stuff with PHP? Really? on PHP 5 RC 1 released
i got a few php scripts on a cronjob to do database backups and such things.
i also use it for quick admin type hackie scripts.
personally i reckon it's far superior to bash/perl/etc for shell scripting
Where's the semantic analysis? Where's the intelligence in the software? How come we can block 99.997% of email spam - but not 5% of google spam.
well, the theory goes that google implemented Latent Semantic Indexing around the start of december with its florida update.
the problem was that it arsed the search results and created many pages of irrelevant mung. very few people (webmasters) were happy with the update, nor were the searchers.
so a few weeks ago google removed it (or lessened its importance) and things are starting to get back to normal.
intelligent software obviously doesn't necessarily give better results.
(disclaimer: the above isn't proven fact as google hasn't said anything about it, but it seems to be the case based on the facts available)
this (PageRank) is how google used to work and google rated the popularity (and thus its position) of a site based very heavily on how many incoming links it has.
nowadays tho, this is a fairly minor factor in positioning.
it's still used by googlebot deciding what stuff should get spidered and how deeply.