php-general Digest 28 Aug 2006 16:02:00 -0000 Issue 4317
Topics (messages 241152 through 241158):
Re: S: function to remove & break URLs
241152 by: Paul Scott
241154 by: RalfGesellensetter
Re: Comparing strings... need advice. :)
241153 by: Stut
241155 by: Micky Hulse
241156 by: David Tulloh
241157 by: Ivo F.A.C. Fokkema
getting there- just need to output the data
241158 by: Ross
Administrivia:
To subscribe to the digest, e-mail:
[EMAIL PROTECTED]
To unsubscribe from the digest, e-mail:
[EMAIL PROTECTED]
To post to the list, e-mail:
[email protected]
----------------------------------------------------------------------
--- Begin Message ---
On Sun, 2006-08-27 at 20:31 -0400, Jon Anderson wrote:
> In reference to the detection part; In my case, 95%+ of the spam entries
> have links that contain one of about 5 words (casino, pharm, drug,
> stock, or invest), so I could eliminate most spam by automatically
> trashing all entries that contain a link with one of those key words. I
> don't know if you're lucky enough to have spammers as predictable as
> mine, so that may not be an effective solution for anyone but me.
>
I wrote a mailing list application (GNU Mailman style) in PHP and wrote
an excellent spam filter into it - not one spam mail yet...
Basically, I had the users sign up through a web interface, and then
fill in their details during registration. The users in my users table
are assigned a unique userId, which I then reference through the mailing
list module. Basically what happens is:
1. Mail comes in through a POP3 account
2. The messages are downloaded and MIME messages decoded.
3. Message "From" headers are checked for a valid email address
4. The email address is looked up in the users table
5. The userId in the users table is compared to the userId in the
mailing list subscribers table
6. If the email addresses from both match, and the userId is the same,
the mail is inserted into the mail table, with a ref to the
attachment(s) if any
7. A cron picks it up and emails the new mail to all subscribers.
Basically, in order to get a mail through, you need to be a valid user,
and subscribe to a list, otherwise you are treated as spam and
discarded.
--Paul
All Email originating from UWC is covered by disclaimer
http://www.uwc.ac.za/portal/uwc2006/content/mail_disclaimer/index.htm
--- End Message ---
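An added example, not Paul's code, of the sender check in steps 3 to 6 above: take the address out of the decoded From header, validate it, and accept the mail only if that address belongs to a user whose userId is subscribed to the list. The table and column names (users.userId, users.email, subscribers.listId, subscribers.userId) are assumptions, and the in-memory SQLite database and the sample headers are constructed here so the script runs stand-alone; in the application the same prepared statement would run against the real tables. The From header is whatever the sending side put there, so this keeps out untargeted spam but not someone who forges a subscriber's address.

```php
<?php
// Added example (not the mailing list application's own code).
// Schema and sample data below are constructed for the demonstration.

function senderAddress(string $fromHeader): ?string
{
    // Accept "Display Name <addr>" or a bare address. Only the bracketed
    // part counts, so "bob@example.org <alice@example.org>" is alice's mail.
    $addr = $fromHeader;
    if (preg_match('/<([^<>]+)>\s*$/', $fromHeader, $m)) {
        $addr = $m[1];
    }
    $addr = trim($addr);
    if (filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
        return null; // step 3: not a valid email address
    }
    return strtolower($addr);
}

function senderMaySubmit(PDO $pdo, string $fromHeader, int $listId): ?int
{
    $addr = senderAddress($fromHeader);
    if ($addr === null) {
        return null;
    }
    // Steps 4 and 5 in one query: the address must belong to a user and
    // that user's id must appear in the subscribers table for this list.
    $stmt = $pdo->prepare(
        'SELECT u.userId FROM users u
           JOIN subscribers s ON s.userId = u.userId
          WHERE lower(u.email) = ? AND s.listId = ?'
    );
    $stmt->execute([$addr, $listId]);
    $userId = $stmt->fetchColumn();
    return $userId === false ? null : (int) $userId; // null means: treat as spam
}

// --- constructed data: two users, only user 1 subscribed to list 10 ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (userId INTEGER PRIMARY KEY, email TEXT UNIQUE)');
$pdo->exec('CREATE TABLE subscribers (listId INTEGER, userId INTEGER)');
$pdo->exec("INSERT INTO users VALUES (1, 'alice@example.org'), (2, 'bob@example.org')");
$pdo->exec('INSERT INTO subscribers VALUES (10, 1)');

$samples = [
    'Alice <alice@example.org>',               // user 1, subscribed
    'ALICE@Example.org',                       // same user, different case
    'bob@example.org',                         // user 2, not subscribed
    'Mallory <mallory@example.org>',           // unknown address
    'bob@example.org <alice@example.org>',     // display name ignored
    'Alice <alice@example.org',                // malformed header
];
foreach ($samples as $from) {
    $uid = senderMaySubmit($pdo, $from, 10);
    printf("%-40s %s\n", $from, $uid === null ? 'discard' : "accept (userId $uid)");
}
```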
--- Begin Message ---
Dear Jon,
cheers for your lines ...
On Monday 28 August 2006 02:31, Jon Anderson wrote:
> Guestbook spam (and comment spam) is something I'd like to try to
> eliminate altogether myself. I don't think there are any
> one-size-fits all solutions out there yet for detection/elimination.
> I'd personally like to hear any effective solutions people have found
> in PHP to combat this stuff.
My approach here is to make a fuzzy decision whether an entry is shown by
default or needs a further check by me before being published.
>
> In reference to the detection part; In my case, 95%+ of the spam
> entries have links that contain one of about 5 words (casino, pharm,
> drug, stock, or invest), so I could eliminate most spam by
> automatically trashing all entries that contain a link with one of
> those key words. I don't know if you're lucky enough to have spammers
> as predictable as mine, so that may not be an effective solution for
> anyone but me.
Okay, these words also occur very often - but not exclusively - so I could
regard occurrences of those words as a criterion.
>
> In terms of destroying URLs, what happens when a real guest wants to
> put a URL in their entry? Seems to me that you might be
> overshooting...
Well, my application is not exactly a Guestbook, and the field in
question is not meant to display any URLs. There is a separate field to
state an URL that is not displayed by default.
>
> You might be better off finding some way of preventing the data from
> even entering the system, for example, a captcha type system. They
> have accessibility problems, but I've read about solutions that use
> simple JavaScript to automatically enter the captcha code into the
> correct field and hide the captcha and the field so that the whole
> process is transparent to the user (including users with screen
> readers), whereas if JS is disabled, the captcha is shown and the
> code must be entered. This is based on the assumption that current
> spam robots don't incorporate a JavaScript execution engine. Not
> sure how effective it is, but it's an interesting idea.
You are speaking of those skewed letters one has to retype before the
action is taken? I'd like to see some code for it - however in my case
I have the impression that it is real persons who enter the spam. Can
I, by the way, collect the IP of the visitor in a PHP form? You might
have realized: I am an absolute beginner with PHP.
>
> Anyone want to share some spam-fighting success stories?
Yes, please ;)
Regards
Ralf
--- End Message ---
--- Begin Message ---
Micky Hulse wrote:
> I am looking for the most secure/efficient way to compare these two
> strings:
>
> /folder1/folder2/folder3/folder4/
> /folder1/folder2/folder3/folder4/file.php
>
> Basically I am trying to setup as many security features as possible for
> a simplistic (home-grown/hand-coded) CMS...
>
> This appears to work:
>
> $haystack = '/folder1/folder2/folder3/folder4/someFileName.php';
> $needle = '/folder1/folder2/folder3/folder4/';
> if(substr_count($haystack, $needle) === 1) echo "yea";
>
> Before making changes to "someFileName.php" I want to make sure it is
> within the allowed path ($needle).
First of all make sure you are sending both strings through realpath
(http://php.net/realpath) to remove any symbolic links and relative
references. Then you can compare the two strings. The way you're doing
it will work but it's probably not very efficient. This is what I use...
$valid = (strcmp($needle, substr($haystack, 0, strlen($needle))) == 0);
-Stut
--- End Message ---
--- Begin Message ---
Stut wrote:
> First of all make sure you are sending both strings through realpath
> (http://php.net/realpath) to remove any symbolic links and relative
> references. Then you can compare the two strings. The way you're doing
> it will work but it's probably not very efficient. This is what I use...
> $valid = (strcmp($needle, substr($haystack, 0, strlen($needle))) == 0);
Awesome! Thanks for the info. Reading up on realpath right now. I
appreciate the tips/example code. :)
Have a great day/night.
Cheers,
Micky
--- End Message ---
--- Begin Message ---
Micky Hulse wrote:
> Hi,
>
> I am looking for the most secure/efficient way to compare these two
> strings:
>
> /folder1/folder2/folder3/folder4/
> /folder1/folder2/folder3/folder4/file.php
>
> Basically I am trying to setup as many security features as possible for
> a simplistic (home-grown/hand-coded) CMS...
>
> This appears to work:
>
> $haystack = '/folder1/folder2/folder3/folder4/someFileName.php';
> $needle = '/folder1/folder2/folder3/folder4/';
> if(substr_count($haystack, $needle) === 1) echo "yea";
>
> Before making changes to "someFileName.php" I want to make sure it is
> within the allowed path ($needle).
>
> I would appreciate any advice. Even RTFM is cool. :D
>
Using your technique I would try an attack like:
'/etc/passwd;/folder1/folder2/folder3/folder4/' or
'/folder1/folder2/folder3/folder4/../../../../etc/passwd'
or some other variant depending on how you then use the file.
I'm a big fan of lists of allowed files; typically I use aliases too.
$allow_files = array('page' => '/folder/.../filename.php').
This list can be automatically generated and used by mod_rewrite to
boost speed.
By using a fixed list of files like this it's impossible to be attacked
on your filename.
Assuming you don't want to go that strong and want to allow your users
to set the filename you have to try and lock down the path. By not
allowing them to change the path you can hold them in the directory you set.
Check for any / characters and reject or strip them out.
Use '/folder1/folder2/.../'.$file.
It's vital if you do this that you don't allow any way to upload files
into the directory you execute from.
If you want to allow them to set the path or part of the path then the
check gets far more complicated. You have to catch .. and // patterns,
ensuring that you don't combine to form a // and catch cases like
'.\./'. If you need to have multiple directories I would strongly
suggest using dynamically generated fixed lists.
David
--- End Message ---
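An added example, not David's code, of the two approaches in his message: a fixed list of allowed files keyed by alias, where the request never carries a filename at all, and a fixed directory where a user-supplied name is accepted only if it is a plain file name. The directory, the page names and the inputs are hypothetical and constructed for the demonstration.

```php
<?php
// Added example (not David's code). Directory and page names are hypothetical.

const CONTENT_DIR = '/folder1/folder2/folder3/folder4/';

// 1. Fixed list of allowed files: the request carries a key such as
//    ?page=about, never a path, so there is no filename to attack.
const ALLOWED_PAGES = [
    'home'    => CONTENT_DIR . 'home.php',
    'about'   => CONTENT_DIR . 'about.php',
    'contact' => CONTENT_DIR . 'contact.php',
];

function pageFromAlias(string $alias): ?string
{
    // Lookup by key only; an unknown alias yields null, not a guessed path.
    return ALLOWED_PAGES[$alias] ?? null;
}

// 2. User-supplied file name inside a fixed directory: reject anything that
//    is not a plain name rather than stripping characters out. Stripping "/"
//    alone is not enough: "../" becomes ".." and CONTENT_DIR . ".." is the
//    parent directory.
function pageFromFilename(string $file): ?string
{
    // Letters, digits, "_" and "-" plus the .php extension: no separators,
    // no other dots, no NUL byte, no newline (\z, not $, anchors at the very end).
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.php\z/', $file)) {
        return null;
    }
    return CONTENT_DIR . $file;
}

// --- constructed inputs ---
foreach (['home', 'admin', '../home', 'home.php'] as $alias) {
    printf("alias %-14s => %s\n", var_export($alias, true), pageFromAlias($alias) ?? 'rejected');
}
$names = ['page.php', '../page.php', 'sub/page.php', '..', ".\\./page.php", "page.php\0.txt", "page.php\n"];
foreach ($names as $name) {
    printf("file  %-22s => %s\n", var_export($name, true), pageFromFilename($name) ?? 'rejected');
}
```

Both functions return null for anything they do not accept; the caller should treat null as "not found" and never fall back to the raw input.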
--- Begin Message ---
On Mon, 28 Aug 2006 09:47:02 +0100, Stut wrote:
> Micky Hulse wrote:
>> I am looking for the most secure/efficient way to compare these two
>> strings:
>>
>> /folder1/folder2/folder3/folder4/
>> /folder1/folder2/folder3/folder4/file.php
>>
>> Basically I am trying to setup as many security features as possible for
>> a simplistic (home-grown/hand-coded) CMS...
>>
>> This appears to work:
>>
>> $haystack = '/folder1/folder2/folder3/folder4/someFileName.php';
>> $needle = '/folder1/folder2/folder3/folder4/';
>> if(substr_count($haystack, $needle) === 1) echo "yea";
>>
>> Before making changes to "someFileName.php" I want to make sure it is
>> within the allowed path ($needle).
>
> First of all make sure you are sending both strings through realpath
> (http://php.net/realpath) to remove any symbolic links and relative
> references. Then you can compare the two strings. The way you're doing
> it will work but it's probably not very efficient. This is what I use...
>
> $valid = (strcmp($needle, substr($haystack, 0, strlen($needle))) == 0);
>
Personally, this seems simpler to me:
$valid = (dirname($haystack) == $needle);
But the way the above folders are presented, it should become
$valid = (dirname($haystack) == rtrim($needle, '/'));
less simple already... Possibly, this is not the best solution for some
reason I don't know. If so, I would like to know :)
Ivo
--- End Message ---
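An added example, not code from Micky, Stut, David or Ivo, of the containment check the last four messages discuss, with the points each of them raises handled: substr_count() finds the needle anywhere, so '/etc/passwd;/folder1/.../' passes it, as David notes; Stut's prefix comparison is right, but realpath() strips the trailing slash, so after it the needle is '/folder1/folder2/folder3/folder4' and '/folder1/folder2/folder3/folder4evil/x.php' would also pass unless the separator is put back; realpath() returns false for a path that does not exist yet, which matters when the CMS is about to create a file; and Ivo's dirname() test only accepts direct children of the directory, where this check accepts any depth below it. The directory layout is created in a temporary directory here so the script runs stand-alone; the names are constructed for the demonstration.

```php
<?php
// Added example (not code from the thread). Returns the resolved path if
// $candidate is inside $base, null otherwise.

function resolveWithinBase(string $base, string $candidate): ?string
{
    if (strpos($candidate, "\0") !== false) {
        return null; // an embedded NUL would truncate the path in C-level calls
    }
    $realBase = realpath($base);
    if ($realBase === false) {
        return null; // the base directory must exist
    }
    // realpath() strips trailing slashes ("/a/b/" -> "/a/b"); put the
    // separator back so "/a/b-evil/x" is not a prefix match for "/a/b".
    $prefix = rtrim($realBase, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    $real = realpath($candidate); // resolves symlinks, "." and ".."
    if ($real === false) {
        // Target does not exist yet (a file about to be created): resolve the
        // parent directory instead and require a plain file name on the end.
        $name = basename($candidate);
        if ($name === '' || $name === '.' || $name === '..') {
            return null;
        }
        $parent = realpath(dirname($candidate));
        if ($parent === false) {
            return null;
        }
        $real = rtrim($parent, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR . $name;
    }
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// --- constructed layout: $tmp/folder1/folder2/ is the allowed directory ---
$tmp  = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pathcheck_' . bin2hex(random_bytes(4));
$base = "$tmp/folder1/folder2/";
mkdir("{$base}sub", 0700, true);
mkdir("$tmp/folder1/folder2evil", 0700, true);
foreach (["{$base}page.php", "{$base}sub/page.php", "$tmp/folder1/folder2evil/page.php", "$tmp/secret.txt"] as $f) {
    file_put_contents($f, '');
}
$linked = @symlink("$tmp/secret.txt", "{$base}link.php"); // false where symlinks are unavailable

$cases = [
    "{$base}page.php"                     => true,
    "{$base}sub/page.php"                 => true,  // deeper than a direct child
    "{$base}new.php"                      => true,  // not on disk yet
    "{$base}../folder2evil/page.php"      => false, // ".." traversal
    "{$base}../../secret.txt"             => false,
    "{$base}sub/../../secret.txt"         => false, // traversal to a file that does not exist
    "$tmp/folder1/folder2evil/page.php"   => false, // prefix collision without the separator
    "/etc/passwd;{$base}"                 => false, // substr_count() would find the needle in this
];
if ($linked) {
    $cases["{$base}link.php"] = false; // symlink inside the base pointing outside it
}
foreach ($cases as $path => $expected) {
    $ok = resolveWithinBase($base, $path) !== null;
    printf("%-6s %s\n", $ok === $expected ? 'ok' : 'FAIL', $path);
}

// --- remove the temporary directory again ---
$it = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($tmp, FilesystemIterator::SKIP_DOTS),
    RecursiveIteratorIterator::CHILD_FIRST
);
foreach ($it as $item) {
    if ($item->isDir() && !$item->isLink()) {
        rmdir($item->getPathname());
    } else {
        unlink($item->getPathname());
    }
}
rmdir($tmp);
```

The base directory itself is deliberately not accepted (its resolved form lacks the trailing separator); a CMS editing files should never be handed the directory as the target.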
--- Begin Message ---
I have retrieved the unique gallery and all the data from the row. I now
need to output the data ($row['bin_data']) as a jpg.
<?php
include("includes/config.php"); // provides $host, $user, $password, $dbname

// PDO with exceptions instead of the removed mysql_* functions and @-suppressed errors
$pdo = new PDO("mysql:host=$host;dbname=$dbname;charset=utf8mb4", $user, $password,
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

$galleries = $pdo->query("SELECT DISTINCT gallery FROM thumbnails");
// the gallery id comes from the database, but bind it rather than interpolating it
$first = $pdo->prepare("SELECT * FROM thumbnails WHERE gallery = ? LIMIT 1");

foreach ($galleries as $g) {
    $gallery_id = $g['gallery'];
    $first->execute([$gallery_id]);
    while ($row = $first->fetch(PDO::FETCH_ASSOC)) {
        $id = $row['id'];
        echo $id;
        //i want to output the jpeg here
    }
}
--- End Message ---
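An added example, not Ross's code, of the step his comment marks: serving $row['bin_data'] from a separate script (say image.php, referenced from the gallery page as <img src="image.php?id=...">) rather than printing it in the middle of the HTML. The id is validated and bound, the blob is checked for the JPEG start-of-image marker before it is sent, and the headers stop a browser from sniffing a blob that is not an image as HTML. The table and column names follow the thread; the in-memory SQLite database and the two sample rows are constructed here so the script runs stand-alone, and on the real site $pdo would be the MySQL connection from config.php.

```php
<?php
// Added example (not Ross's code). Sample database constructed below.

function loadImage(PDO $pdo, string $rawId): ?array
{
    // Accept only a positive integer id and bind it; never interpolate it into SQL.
    if (!preg_match('/\A[1-9][0-9]{0,9}\z/', $rawId)) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT bin_data FROM thumbnails WHERE id = ?');
    $stmt->execute([(int) $rawId]);
    $data = $stmt->fetchColumn();
    if ($data === false || $data === null) {
        return null; // no such row
    }
    $data = (string) $data;
    // Serve only what really is a JPEG (SOI marker FF D8 FF). A blob that
    // turned out to be HTML or SVG would otherwise run under this site's origin.
    if (strncmp($data, "\xFF\xD8\xFF", 3) !== 0) {
        return null;
    }
    return [
        'headers' => [
            'Content-Type: image/jpeg',
            'Content-Length: ' . strlen($data),
            'X-Content-Type-Options: nosniff',
            'Content-Disposition: inline; filename="' . (int) $rawId . '.jpg"',
        ],
        'body' => $data,
    ];
}

function sendImage(?array $image): void
{
    if ($image === null) {
        http_response_code(404);
        header('Content-Type: text/plain');
        echo "Not found\n";
        return;
    }
    foreach ($image['headers'] as $h) {
        header($h);
    }
    echo $image['body'];
}

// --- constructed sample data: one JPEG-looking blob, one that is not an image ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE thumbnails (id INTEGER PRIMARY KEY, gallery TEXT, bin_data BLOB)');
$ins = $pdo->prepare('INSERT INTO thumbnails (gallery, bin_data) VALUES (?, ?)');
$ins->bindValue(1, 'summer');
$ins->bindValue(2, "\xFF\xD8\xFF\xE0" . str_repeat("\0", 12), PDO::PARAM_LOB);
$ins->execute();
$ins->bindValue(1, 'summer');
$ins->bindValue(2, '<script>alert(1)</script>', PDO::PARAM_LOB);
$ins->execute();

if (PHP_SAPI === 'cli') {
    // Stand-alone run: show what each request would get.
    foreach (['1', '2', '3', '1 OR 1=1'] as $id) {
        $img = loadImage($pdo, $id);
        printf("id=%-10s %s\n", $id, $img === null ? '404' : 'image/jpeg, ' . strlen($img['body']) . ' bytes');
    }
} else {
    // Web request: image.php?id=N
    sendImage(loadImage($pdo, $_GET['id'] ?? ''));
}
```

The gallery page then only needs the id from its own query and can emit <img src="image.php?id=..."> for each row; the bytes never pass through the HTML output.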