2009/8/27 Paul Gardiner <lists@xxxxxxxxxx>:
> Torben Wilson wrote:
>>
>> 2009/8/26 Paul Gardiner <lists@xxxxxxxxxx>:
>>>
>>> Paul Gardiner wrote:
>>>>
>>>> I want to write a simple indexing script to display a
>>>> directory full of photos as a gallery of thumbnails.
>>>> (There are various solutions out there for this, but
>>>> they're all a bit more complicated than I need).
>>>>
>>>> I've added a file in /etc/apache2/conf.d that
>>>> looks like this:
>>>>
>>>> Alias /photos /home/public/photos
>>>> <Directory "/home/public/photos">
>>>> AllowOverride None
>>>> Order allow,deny
>>>> Allow from all
>>>>
>>>> DirectoryIndex /cgi-bin/index.php
>>>> </Directory>
>>>>
>>>>
>>>> I use "Alias" so that I can leave the photos where they are
>>>> and not have to move them to DocumentRoot. I use "DirectoryIndex"
>>>> so that the script doesn't have to be in with the photos. My
>>>> problem is that the running script seems to have no way to
>>>> work out the photos are in /home/public/photos.
>>>>
>>>> $_SERVER[REQUEST_URI] is "/photos/", but I can't see how to
>>>> derive the server path from that, since $_SERVER[DOCUMENT_ROOT]
>>>> is "/srv/www/htdocs".
>>>>
>>>> $_SERVER[PHP_SELF] is "/cgi-bin/index.php", so no use either.
>>>>
>>>>
>>>> How can I do this? Is there a way to interrogate the alias,
>>>> or can I set a variable in the conf file that PHP can pick up?
>>>
>>> I've sussed it. If I use this apache2 conf file, where I
>>> tag the server path onto the end of the index url:
>>>
>>> Alias /photos /home/public/photos
>>> <Directory "/home/public/photos">
>>> AllowOverride None
>>> Order allow,deny
>>> Allow from all
>>>
>>> DirectoryIndex /cgi-bin/index.php/home/public/photos
>>> </Directory>
>>>
>>> then the script can pick up the path as $_SERVER[PATH_INFO]
>>>
>>> P.
>>
>> Hi Paul,
>>
>> Glad you got it working.
>
> Actually, since posting, I've given up on that method,
> partly because I realised that in doing so I was opening up
> a security hole and being close to allowing enumeration of
> any apache-readable directory on my server, via direct use
> of the url http://<host>/cgi-bin/index.php/<path>/. I've
> found a much better way (using SetEnv):
>
> Alias /photos /home/public/photos
> <Directory "/home/public/photos">
> AllowOverride None
> Order allow,deny
> Allow from all
>
> SetEnv GalleryPath /home/public/photos
> DirectoryIndex /cgi-bin/index.php
> </Directory>
>
> And then the script can pick up the path as $_SERVER['GalleryPath']
>
>> I would add one note: I don't know if this is
>> what your actual code contains or if it's just in your emails, but not
>> quoting string indices in arrays is a Bad Idea (TM). i.e. I'd
>> recommend avoiding the use of something like $_SERVER[PATH_INFO] and
>> instead use $_SERVER['PATH_INFO']. While the unquoted version will
>> work much of the time, it's untrustworthy. In this case, PHP sees the
>> label PATH_INFO and looks for a constant named PATH_INFO.
>
> Thanks for the advice. I've always been a little uncertain of that. I
> don't generally leave the quotes out, but I had been tending to, just
> for accessing $_SERVER (not sure why - some example code I must have
> read I think). Anyway, I'll put the quotes in.
>
> What about the case of including an array within a string, e.g.,
>
> $line = "<tr><td>$array['name']<td>$array['address']";

Hi Paul,

For that, you use curly braces inside strings:

$line = "<tr><td>{$array['name']}<td>{$array['address']}";

http://www.php.net/manual/en/language.types.string.php#language.types.string.parsing

Regards,

Torben

> I've read something about that not working with the quotes in place.
> Is that best avoided too?
>
> Cheers,
> Paul.
>
>

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
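
An added example, not part of the original thread or either poster's code: a sketch of an index script for the SetEnv configuration quoted above, which takes the directory only from server configuration and ignores PATH_INFO. The helper name `gallery_images` and the list of image extensions are assumptions; `GalleryPath` and `REQUEST_URI` are as used in the thread.

```php
<?php
// Added example (not from the thread): index script for the SetEnv setup.
// Assumes Apache's "SetEnv GalleryPath ..." arrives as $_SERVER['GalleryPath'].

// Hypothetical helper: sorted image file names directly inside $dir.
// $dir must come from server configuration, never from the request.
function gallery_images(string $dir): array
{
    $real = realpath($dir);            // resolves symlinks and ".." segments
    if ($real === false || !is_dir($real)) {
        return [];
    }
    $images = [];
    foreach (scandir($real) ?: [] as $name) {
        $path = $real . DIRECTORY_SEPARATOR . $name;
        // Regular files with an image extension only; skips ".", ".." and subdirs.
        if (is_file($path) && preg_match('/\.(jpe?g|png|gif)$/i', $name)) {
            $images[] = $name;
        }
    }
    sort($images);
    return $images;
}

// PATH_INFO is whatever follows the script name in the URL, so the client picks it.
// GalleryPath is set only inside the <Directory> block, so the client cannot.
$dir = $_SERVER['GalleryPath'] ?? null;
if ($dir === null) {
    // Requested directly as /cgi-bin/index.php[/<path>/]: nothing to list.
    http_response_code(404);
    exit;
}

// Base URL for links: the request path without a query string, e.g. "/photos/".
$base = strtok($_SERVER['REQUEST_URI'], '?');
foreach (gallery_images($dir) as $name) {
    // REQUEST_URI and file names are untrusted: URL-encode, then HTML-escape.
    $href = htmlspecialchars($base . rawurlencode($name), ENT_QUOTES, 'UTF-8');
    $text = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    echo "<a href=\"{$href}\">{$text}</a><br>\n";
}
```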