drtravix
Members
Posts: 15
-
Issue fixed, thanks for the help!
-
I'm trying to get PHP mail to work... it was working, but somewhere over the last month or so it stopped. I've compiled a test script to check things out:

================
<?php
// mail() returns true if the message was accepted for delivery
$mail = mail("removed@gmail.com", "test subject", "test body", "From: test<test@removed.com>");
if(!$mail){
    echo '<font color="red">failed</font>';
} else {
    echo '<font color="#00FF00">success</font>';
}
?>
================

When I run this script, it produces "success". However, the mail never arrives. I contacted TCH support and they said the following error (below) was occurring, and to use the forums for more info. A search of the forums on keywords from the error produced no results.

2008-01-07 12:16:46 xxxxx-0008WR-Hq <= nobody@serverxx.tchmachines.com U=nobody P=local S=<removed>
2008-01-07 12:16:46 xxxxx-0008WR-Hq ** xxxxxxxxx@gmail.com R=checkspam2: Gid 99 is not permitted to relay mail, or has directly called /usr/sbin/exim instead of /usr/sbin/sendmail.

Any idea how I can change the script to work? Thanks.
-
I'm writing a script which handles receiving order information from an eCommerce provider and keeping it in a database, which can then be queried for information from both customers and employees. However, I would like to restrict the customer script from being able to query some information, such as e-mail addresses (which should only be accessible to employees). This is mainly because I would need to store the mysql password in the php script for the "customer" interface, so "just in case" someone is able to either make the script do something weird or read the password from the script, their access to customer data would be very limited. The staff passwords would never be stored in the scripts, as they would be required to input a password each time to ensure security. That said, I am wondering if it's possible for me to set fine-tuned permissions for mySQL access, like only allowing a user account to do SELECT on a specific table or field. I didn't see how to do this via the mySQL management interface... The only other option I can see would be to separate out the data into different databases, and only allow the account that is being used by the "customer interface" to access a database with non-critical customer data. Thanks for any info...
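
One way to get the per-table and per-column restriction asked about above, as an added example that is not part of the original post: MySQL privileges can be granted at table or column level. The database `shop`, the `orders` table and its columns, both account names and the password placeholders are assumptions made for illustration.

```sql
-- Constructed schema for illustration: database, table, columns and account
-- names are assumptions, not taken from the post.
CREATE DATABASE IF NOT EXISTS shop;
CREATE TABLE IF NOT EXISTS shop.orders (
    order_id INT UNSIGNED NOT NULL PRIMARY KEY,
    status   VARCHAR(32)  NOT NULL,
    name     VARCHAR(128) NOT NULL,
    email    VARCHAR(255) NOT NULL
);

-- Weak setting (shown for contrast, left commented out): the account whose
-- password is stored in the customer-facing script can read and modify
-- every column of every table in the database.
-- GRANT ALL PRIVILEGES ON shop.* TO 'customer_web'@'localhost';

-- Restricted setting: the customer-facing account may only read the two
-- columns needed to verify an order number. No privilege is granted on
-- name or email, and none to write.
CREATE USER 'customer_web'@'localhost' IDENTIFIED BY 'REPLACE_WITH_GENERATED_PASSWORD';
GRANT SELECT (order_id, status) ON shop.orders TO 'customer_web'@'localhost';

-- Staff account: full row access to the table. Its password is typed in by
-- the employee at login and never written into a script.
CREATE USER 'staff'@'localhost' IDENTIFIED BY 'REPLACE_WITH_STAFF_PASSWORD';
GRANT SELECT, INSERT, UPDATE, DELETE ON shop.orders TO 'staff'@'localhost';

-- Verify what the customer-facing account actually holds.
SHOW GRANTS FOR 'customer_web'@'localhost';

-- Expected behaviour when connected as customer_web:
--   SELECT order_id, status FROM shop.orders WHERE order_id = 1001;  -- allowed
--   SELECT email FROM shop.orders WHERE order_id = 1001;             -- denied
--   SELECT * FROM shop.orders;                                       -- denied (covers ungranted columns)
--   UPDATE shop.orders SET status = 'x' WHERE order_id = 1001;       -- denied
```

With this in place, a password read out of the customer script exposes order numbers and status only, without splitting the data across separate databases.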
-
Never mind, figured the above question out.
-
I've looked at PHP, and it does seem to be quite like C. Does anyone know how to do a regex which allows me to find tags like <ORDER>......</ORDER> but *not* if they include another <ORDER> tag within them? For example, there may be one or more <ORDER>...</ORDER> tags in a string, and the way I have it searching now is:

$num_matches = preg_match_all("/<OrderLines>(.*)<\/OrderLines>/",$raw_post,$matches);

But, this appears to find the broadest match, and hence returns 1 all the time even if two of these tags exist. I'm guessing I need something in the place of (.*) which will exclude the string "<OrderLines>" in any matching, but I'm not sure how to do that. Any suggestions? Thanks!
-
>>It might help to know more about what you are doing. This might narrow down the issues that you could encounter.

My eCommerce provider posts XML data to my web server. For purposes of the example, let's say it provides fields as follows: ORDER table contains fields SECRET, NAME, EMAIL, and ORDERID. Then, we have a DETAIL table which specifies each SKU that they ordered, with fields of SKU, DESCRIPTION and QTY. The SECRET field is intended to be used to verify the poster (i.e., basically a password). Then, upon receiving and verifying the information, I want to post it to a mySQL database. I am encoding both a username and password into the SECRET field, so that I don't have to locally store the mySQL database password in the script.
-
>>Personally I'm wondering why you think C code is more secure than perl? Is it the uncompiled/text thing that bothers you?

Thanks for the reply. Actually, I am referring to handling potentially invalid requests. For example, if a user is able to locate the "non-advertised" URL for this posting script, and then they start posting invalid data in hopes of exploiting the system and inserting their own orders... I feel that I am able to handle those situations and detect those attempts much better in C. It comes down to the fact that I don't feel that I have enough experience in Perl to fully ensure that I am not allowing some vulnerability in the code for an attacker to exploit (i.e., overflows, and anything else that Perl may need checked). In C I can account for most every possibility. And, of course, when a script deals with inserting order information to a database, it is extremely important that these vulnerabilities don't exist.
-
Hi All, I'm a long-time C coder and really enjoy the power and control that you have over input data and strings in C. I've recently started into the CGI/perl stuff, and since it's a bit new I don't feel completely comfortable with the string parsing, storage, etc. that it offers. In particular, I am writing a script which takes POST data and puts it into a customer database of orders. Obviously this needs to be secure. My question is: Is there a way, on the TCH servers, for me to receive the POST data via a CGI script, pass that off to a C program (which I am more comfortable writing secure code for) where I can process, verify and prepare the data, and then either have the C code write the appropriate data to a mySQL database, or have the C program call a CGI program which can do the actual inserting? Thanks for any suggestions!
-
I have customer data that I want to keep in a mySQL database, but also worry about a script (such as a forum script) having a flaw which could potentially let a hacker get access to those DBs (either directly, or through being able to view files or scripts which contain the password). The best solution I've been able to think up is to store the customer database on a separate server hosted by TCH. The only problem is that customers need to verify their order number to gain access to a customer area of the site - which means that some data from the database needs to be on the "public" server. This would probably require some automated way to "sync" a table of the database across two servers. Another option would be to have two separate databases - one with "private" information (like full customer detail) and the other "public" (well, at least accessible) data which the script can access and verify against. Then, whenever an employee makes a change to the customer data, or inserts/removes a customer in the "private" database, do the same thing for the "public" database. This could potentially have synchronization issues since it would be possible to modify each database independently. Do any database experts have suggestions on the best way to implement this type of thing? Thanks!
-
Currently, at least on server 48, awstats does not resolve IPs to hostnames (which is required for the country report, plus others). Can this be enabled? Or, is there a reason that it isn't? Thanks.
-
Using the mailing list software installed at TCH, is it possible to have users subscribe by sending an e-mail to some address, with "subscribe" in the subject line or something similar? This would let me, ideally, put a box on my main site where users can type their e-mail address, and I can formmail it over to the address for the mailing list. The idea is to make it as simple as possible for the user to sign up. Thanks for any ideas!
-
Solved. I just started to get the e-mails... it appears that it takes an hour or two to work its way through sendmail for some reason. Seems to work halfway decent.
-
Oh, I also tried to create a file that contains:

===================
To: addr@****
From: addr2@****
Subject: My subject here

Here is test data
===================

And then running:

/usr/sbin/sendmail -t < testfile

It doesn't give any error, but I also don't receive the e-mail.
-
I've worked out a shell script which collects various information, parses it a bit with grep and a few other standard commands, and spits out a file called 'error.log' which, if it contains anything, needs to be e-mailed to an address of my choosing along with the unparsed file. Both files are plain text, and don't need to be actually attached to the message - they just need to be printed in the body. I've played around with sendmail a bit, tried piping in my file with the 'proper' header, but can't quite get it to shoot the e-mail off. Does anyone know a good way to do this, or even better have a small code snippet to show how to do this? I know it's fairly simple, I'm probably just missing something small. Thanks for any help.
