php-general Digest 3 Dec 2006 00:02:25 -0000 Issue 4493

Topics (messages 245446 through 245459):

Security and methods
        245446 by: Alain Roger
        245451 by: Richard Lynch
        245457 by: Alain Roger

alternative method
        245447 by: Alain Roger
        245449 by: Larry Garfield
        245450 by: Richard Lynch
        245458 by: Bernhard Zwischenbrugger

Re: How to be sure to use SSL
        245448 by: afan.afan.net
        245452 by: Richard Lynch
        245455 by: Alain Roger

Re: Acceptably Converting a 24bit PNG to a JPEG?
        245453 by: Richard Lynch
        245459 by: Graham Anderson

security and .htaccess
        245454 by: Alain Roger

Re: problem with register globals on new server
        245456 by: Richard Lynch

Administrivia:

To subscribe to the digest, e-mail:
        [EMAIL PROTECTED]

To unsubscribe from the digest, e-mail:
        [EMAIL PROTECTED]

To post to the list, e-mail:
        php-general@lists.php.net


----------------------------------------------------------------------
--- Begin Message ---
Hi,

After reading the documentation about security from phpsec.org, I see that 2
"schools" exist (dispatch method or include method).
I do not see any huge difference between them.
I would like to know what is the most suitable method to centralize security
in 1 single file.

thx.
Alain
------------------------------------
Windows XP SP2
PostgreSQL 8.1.4
Apache 2.0.58
PHP 5

--- End Message ---
--- Begin Message ---
On Sat, December 2, 2006 9:47 am, Alain Roger wrote:
> After reading the documentation about security from phpsec.org, I see
> that 2
> "schools" exist (dispatch method or include method).
> I do not see any huge difference between them.
> I would like to know what is the most suitable method to centralize
> security
> in 1 single file.

They both work fine.

I found that the logic needed in the "dispatch" method to get what I
wanted to happen in a complex web application often ended up
"polluting" the single control file, so I went for the "include" method.
But that was a long time ago when I was much younger...

I think it's more important that you understand what your goals are in
either method, and push yourself to follow your own guidelines.

Choose whichever one strikes your fancy.

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

--- End Message ---
--- Begin Message ---
I personally chose the include method...

I was also scared that the dispatch method would only end up polluting a
single file...
On the other side, I like the idea of having a clear view of each PHP file, so
including a security.inc file (which has the switch ... case function) was a
logical path for me.

Alain

On 12/2/06, Richard Lynch <[EMAIL PROTECTED]> wrote:

On Sat, December 2, 2006 9:47 am, Alain Roger wrote:
> After reading the documentation about security from phpsec.org, I see
> that 2
> "schools" exist (dispatch method or include method).
> I do not see any huge difference between them.
> I would like to know what is the most suitable method to centralize
> security
> in 1 single file.

They both work fine.

I found that the logic needed in the "dispatch" method to get what I
wanted to happen in a complex web application often ended up
"polluting" the single control file, so I went for the "include" method.
But that was a long time ago when I was much younger...

I think it's more important that you understand what your goals are in
either method, and push yourself to follow your own guidelines.

Choose whichever one strikes your fancy.

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?




--
Alain
------------------------------------
Windows XP SP2
PostgreSQL 8.1.4
Apache 2.0.58
PHP 5

--- End Message ---
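The two layouts the thread compares, side by side, as an added example (not code from the thread or from phpsec.org). File names, the session layout and the page table are assumed; it needs PHP 7+ for the `??` operator.

```php
<?php
// Added example: the two ways of centralizing security in one file.
// security.inc.php holds the checks; either every page requires it
// (include method) or one front controller runs it and then loads the
// page (dispatch method). Session keys and file names are assumed.

// ---- security.inc.php: the checks every request must pass ---------------
function security_checks()
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Authentication: the login page is assumed to set $_SESSION['user_id']
    if (empty($_SESSION['user_id'])) {
        header('Location: /login.php', true, 302);
        exit;
    }
    // CSRF: every state-changing request must carry the per-session token
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        $sent = $_POST['csrf_token'] ?? '';
        if (!hash_equals($_SESSION['csrf_token'] ?? '', $sent)) {
            http_response_code(403);
            exit('Invalid request token');
        }
    }
}

// ---- Include method -------------------------------------------------------
// Every page script is its own URL (/account.php, /orders.php, ...) and
// opens with the same line:
//     require __DIR__ . '/security.inc.php';
// where security.inc.php defines security_checks() and ends by calling it.
// Each file is readable on its own; the risk is a page that forgets the
// require and runs unprotected, so the deploy step should check for it:
//     grep -L "security.inc.php" *.php     (lists files without the line)

// ---- Dispatch method ------------------------------------------------------
// One front controller (index.php?page=...) runs the checks and then hands
// off to the page. The page name goes through a fixed table, so the request
// never chooses a file path directly.
$pages = [
    'home'    => 'pages/home.php',
    'account' => 'pages/account.php',
];

function dispatch(array $pages)
{
    security_checks();
    $page = $_GET['page'] ?? 'home';
    if (!isset($pages[$page])) {
        http_response_code(404);
        exit('Unknown page');
    }
    require __DIR__ . '/' . $pages[$page];
}

dispatch($pages);
```

The checks themselves are identical in both styles; the difference is only who calls them. The table lookup in dispatch() is what keeps the "single control file" from turning into `include($_GET['page'])`, which is the usual way a front controller goes wrong.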
--- Begin Message ---
Hi,

Based on phpsec.org documentation, it is written ("between the lines") that GET
and POST methods are still used but they are not the most secure (except if
we take care of that).
So, I would like to know which other methods are more secure than those 2.

thx.
Alain
------------------------------------
Windows XP SP2
PostgreSQL 8.1.4
Apache 2.0.58
PHP 5

--- End Message ---
--- Begin Message ---
If you're talking about getting user data into a web script, then GET, POST, 
and cookies are the only options.  All three are insecure, because they're 
coming from the user.  The user is guilty until proven otherwise.  Sanitize 
thy input.

Sensitive data like username and password should never be sent by GET, because 
GET is bookmarkable while POST is not.  GET should be used only for lookup of 
data, POST for any modification of data.  I generally default to POST unless 
I specifically want something to be bookmarkable or copyable into an email to 
send to someone.

On Saturday 02 December 2006 10:29, Alain Roger wrote:
> Hi,
>
> Based on phpsec.org documentation, it is written ("between the lines") that GET
> and POST methods are still used but they are not the most secure (except
> if we take care of that).
> So, I would like to know which other methods are more secure than those 2.
>
> thx.
> Alain
> ------------------------------------
> Windows XP SP2
> PostgreSQL 8.1.4
> Apache 2.0.58
> PHP 5

-- 
Larry Garfield                  AIM: LOLG42
[EMAIL PROTECTED]               ICQ: 6817012

"If nature has made any one thing less susceptible than all others of 
exclusive property, it is the action of the thinking power called an idea, 
which an individual may exclusively possess as long as he keeps it to 
himself; but the moment it is divulged, it forces itself into the possession 
of every one, and the receiver cannot dispossess himself of it."  -- Thomas 
Jefferson

--- End Message ---
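Larry's three rules (validate everything from the client, GET for lookup, POST for modification) in working form, as an added example that is not code from the thread. The table and column names, the `$db` PDO connection and the session key are assumed.

```php
<?php
// Added example: handling the three input channels (GET, POST, cookies).
// Nothing from $_GET, $_POST or $_COOKIE is used before it is validated;
// lookups answer GET, modifications only POST. Table/column names assumed.

// Lookup by GET: bookmarkable, repeatable, changes nothing.
function lookup_id(array $get)
{
    $id = filter_var($get['id'] ?? '', FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        exit('id must be a positive integer');
    }
    return $id;
}

// Modification by POST only: a GET carrying the same parameters is refused,
// so the change cannot be triggered by a pasted link or an <img src=...>.
function update_email(PDO $db, $user_id)
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        header('Allow: POST');
        exit;
    }
    $email = filter_var($_POST['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        http_response_code(400);
        exit('Invalid e-mail address');
    }
    // Validated or not, input reaches SQL only as a bound parameter
    $stmt = $db->prepare('UPDATE users SET email = :email WHERE id = :id');
    $stmt->execute([':email' => $email, ':id' => (int) $user_id]);
}

// Cookies come from the client too: a preference cookie is matched against
// the values we expect, never used as-is.
function theme_from_cookie(array $cookie)
{
    $theme = $cookie['theme'] ?? 'light';
    return in_array($theme, ['light', 'dark'], true) ? $theme : 'light';
}

// Output side: whatever is echoed back is escaped for the HTML context
function show($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Usage in a page (assumed: $db is a PDO connection, session already started):
//   $id = lookup_id($_GET);                          // GET  /profile.php?id=42
//   update_email($db, $_SESSION['user_id']);         // POST /profile.php
//   echo '<body class="', show(theme_from_cookie($_COOKIE)), '">';
```

The method check in update_email() is the concrete form of "GET for lookup, POST for modification": it is enforced by the server, not left to whichever form happens to submit.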
--- Begin Message ---
On Sat, December 2, 2006 10:29 am, Alain Roger wrote:
> Based on phpsec.org documentation, it is written ("between the lines") that
> GET
> and POST methods are still used but they are not the most secure
> (except if
> we take care of that).
> So, I would like to know which other methods are more secure than
> those 2.

In addendum to Larry's post:

You should also consider requiring SSL for any sensitive data, to
protect it in its travels from their computer to your server.

SSL is kind of like an armored truck on the information super-highway.
It doesn't stop bank robbers (server hacks) or muggers (viruses on
your users' computers), but the data is safe in transit between the
two.

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

--- End Message ---
--- Begin Message ---
Am Samstag, den 02.12.2006, 13:57 -0600 schrieb Larry Garfield:
> If you're talking about getting user data into a web script, then GET, POST, 
> and cookies are the only options.  All three are insecure, because they're 
> coming from the user.  The user is guilty until proven otherwise.  Sanitize 
> thy input.

There is also
http://www.php.net/manual/en/features.http-auth.php
which may be more secure than POST.
With client-side XSS, form data can maybe be read.
There is no access from JavaScript to HTTP auth parameters.

Bernhard

--- End Message ---
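The mechanism Bernhard points at, as an added example (not code from the thread or from the manual page). The browser sends the credentials in the `Authorization` header on every request and PHP exposes them as `$_SERVER['PHP_AUTH_USER']` and `PHP_AUTH_PW`; script running in the page never sees them, unlike the fields of a login form. The user table is constructed for the example, and `password_hash()`/`password_verify()` need PHP 5.5+.

```php
<?php
// Added example: HTTP Basic authentication in PHP. The demo account and its
// hash are constructed at runtime so no real credential is hard-coded.
$users = [
    'alice' => password_hash('correct horse battery', PASSWORD_DEFAULT),
];

function require_basic_auth(array $users, $realm = 'Members')
{
    // A hash to verify against when the username is unknown, so the
    // response time does not reveal which usernames exist
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }

    $user = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
    $pass = isset($_SERVER['PHP_AUTH_PW'])   ? $_SERVER['PHP_AUTH_PW']   : '';

    $known = isset($users[$user]);
    $ok    = password_verify($pass, $known ? $users[$user] : $dummy) && $known;
    if (!$ok) {
        // Challenge: the browser prompts and resends with the header set
        header('WWW-Authenticate: Basic realm="' . $realm . '"');
        http_response_code(401);
        exit('Authentication required');
    }
    return $user;
}

$who = require_basic_auth($users);
echo 'Hello, ', htmlspecialchars($who, ENT_QUOTES, 'UTF-8');
```

Two caveats that go with the advantage Bernhard names: Basic sends the password base64-encoded (not encrypted) with every request, so it is only acceptable over SSL; and the browser keeps resending it until the window is closed, so there is no server-side logout. It keeps the credential itself out of reach of injected script, but script running as the logged-in user can still make requests as that user.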
--- Begin Message ---
my solution:
// $_SERVER['HTTPS'] is absent on plain HTTP under Apache and 'off' under IIS,
// so test for both rather than comparing a possibly unset index to 'on'
if(empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] == 'off')
{
 header('Location: https://www.your_domain_here.com');
 exit;
}


-afan



> Hi,
>
> I would like to know how I can be sure to make customers use SSL all
> the
> time.
> All the time in my PHP code, I write links as relative links, so without
> HTTPS.
>
> I was thinking to check everything if the port is the SSL port (default :
> 443), but it does not mean that protocol is HTTPS.
> So, how do you ensure that customer uses SSL protocol all the time ?
>
> thanks a lot,
>
> Alain
> ------------------------------------
> Windows XP SP2
> PostgreSQL 8.1.4
> Apache 2.0.58
> PHP 5
>

--- End Message ---
--- Begin Message ---
On Sat, December 2, 2006 2:17 am, Alain Roger wrote:
> I would like to know how I can be sure to make customers use SSL
> all the
> time.
> All the time in my PHP code, I write links as relative links, so
> without
> HTTPS.
>
> I was thinking to check everything if the port is the SSL port
> (default :
> 443), but it does not mean that protocol is HTTPS.
> So, how do you ensure that customer uses SSL protocol all the time ?

I was asking myself that same question last week, but I searched on
http://php.net for the answer.

Did you try that?

:-)

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

--- End Message ---
--- Begin Message ---
Richard,

as I wrote you before, I've got the following suggestion to implement before
running the rest of my PHP code.

// $_SERVER['HTTPS'] is not set at all on plain HTTP (and is 'off' on IIS),
// so the test must cover the unset case, not just compare to 'on'
if(empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] == 'off')
{
header('Location: https://www.mysite.com');
exit;
}
...

but I do not know if it's enough.

Alain


On 12/2/06, Richard Lynch <[EMAIL PROTECTED]> wrote:

On Sat, December 2, 2006 2:17 am, Alain Roger wrote:
> I would like to know how I can be sure to make customers use SSL
> all the
> time.
> All the time in my PHP code, I write links as relative links, so
> without
> HTTPS.
>
> I was thinking to check everything if the port is the SSL port
> (default :
> 443), but it does not mean that protocol is HTTPS.
> So, how do you ensure that customer uses SSL protocol all the time ?

I was asking myself that same question last week, but I searched on
http://php.net for the answer.

Did you try that?

:-)

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?




--
Alain
------------------------------------
Windows XP SP2
PostgreSQL 8.1.4
Apache 2.0.58
PHP 5

--- End Message ---
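On "is it enough": the check only tells you that *this* script ran over SSL, so it has to execute on every page, which is why it belongs in the one security file every page includes. Below is a fuller version, as an added example that is not code from the thread. The host name is assumed and deliberately hard-coded rather than taken from the `Host` header, which the client controls.

```php
<?php
// Added example: a "require SSL" check for the central security include.
// SITE_HOST is assumed; PHP 5.4+ for http_response_code(), 7+ for ??.
const SITE_HOST = 'www.mysite.com';

function request_is_https(array $server, $trusted_proxy = false)
{
    // Apache sets HTTPS=on for SSL requests and leaves it unset otherwise;
    // IIS sets it to "off". Checking the port alone is not the same thing,
    // as the original question notes.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    // Behind a load balancer that terminates SSL, Apache itself only sees
    // HTTP. Trust the forwarded header only when you control that proxy,
    // because any client can send it.
    if ($trusted_proxy
        && strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https') {
        return true;
    }
    return false;
}

function require_https(array $server)
{
    if (request_is_https($server)) {
        // Browser remembers to use HTTPS for this host for a year (HSTS),
        // so a typed-in http:// link or a relative link never goes plain
        header('Strict-Transport-Security: max-age=31536000');
        return;
    }
    // A POST that arrived over HTTP has already leaked its body, and a
    // redirect would drop it anyway: refuse rather than redirect.
    if (($server['REQUEST_METHOD'] ?? 'GET') !== 'GET') {
        http_response_code(403);
        exit('This resource requires HTTPS');
    }
    // Keep the requested path so the user lands on the same page
    $path = $server['REQUEST_URI'] ?? '/';
    header('Location: https://' . SITE_HOST . $path, true, 301);
    exit;
}

// Session cookie flags: never sent over plain HTTP, not readable by script.
// Must be set before session_start() in every entry point.
ini_set('session.cookie_secure', '1');
ini_set('session.cookie_httponly', '1');

require_https($_SERVER);
```

The cookie flags matter as much as the redirect: without `session.cookie_secure`, one plain-HTTP request to any page sends the session ID in the clear even though the page itself then redirects to HTTPS.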
--- Begin Message ---
I suspect that if you do an "imagecopyresampled" or somesuch into a
fresh NEW image, you'd get what you want.

Not saying you haven't found a bug; just suggesting a work-around.

On Fri, December 1, 2006 4:26 pm, Graham Anderson wrote:
> Is there some trick to getting PHP GD to properly convert a 24bit PNG
> [with alpha]  into a JPEG without garbling the image output?
>
> The below will output the jpg image, but it appears that the alpha
> channel from the original png  is garbling the jpeg a bit
> To no avail, I tried setting imageAlphaBlending and imageSaveAlpha to
> 'false' and 'true'
> I also tried setting the jpeg quality to 90 and 100.
>
> $image_output = "myimage.jpeg";
> $image = imagecreatefrompng($original_24bit_png_image);
>
> imageAlphaBlending($image, true);
> imageSaveAlpha($image, true);
>
> header("Content-type: image/jpeg");
> imagejpeg($image,'',100);
> imagedestroy($image);
>
>
> many thanks in advance
> g
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>


-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

--- End Message ---
--- Begin Message ---
using imagecopyresampled did the trick :)

This will be great for my css files.
If all goes well, the below will be used to dynamically convert PNG images to JPEGs for IE6 and below. For some bizarre reason, you cannot use the background-position property with PNGs for <= IE6. So, in my CSS, I'll dynamically convert the PNG to a JPG and replace the transparency with a background color.

many thanks

in case anyone is interested, here is the code

<?php

// Output format: only the two values the switch below handles
$type = (isset($_GET["type"]) && $_GET["type"] === "gif") ? "gif" : "jpg";

// Background colour as 6 hex digits, with or without a leading '#'
$color = isset($_GET["color"]) ? $_GET["color"] : "#ffffff";
if (!preg_match('/^#?[0-9a-fA-F]{6}$/', $color)) {
    $color = "#ffffff";
}

// Image name: basename only, resolved inside a fixed directory, so "../"
// or an absolute path in the query string cannot read files outside it
// (realpath() on the raw $_GET value would accept any readable path)
$image_dir = realpath(dirname(__FILE__) . "/images");
$name      = isset($_GET["url"]) ? basename($_GET["url"]) : "blank.png";
$url       = realpath($image_dir . "/" . $name);
if ($url === false
    || strpos($url, $image_dir . DIRECTORY_SEPARATOR) !== 0
    || strtolower(pathinfo($url, PATHINFO_EXTENSION)) !== "png") {
    header("HTTP/1.0 404 Not Found");
    exit;
}

list($sx, $sy) = getimagesize($url);

// Create a bg image from the color and image size variables
$bg_image = imagecreatetruecolor($sx, $sy);
list($R, $G, $B) = HEX2RGB($color);
$mycolor = imagecolorallocate($bg_image, $R, $G, $B);
imagefill($bg_image, 0, 0, $mycolor);

// Create the PNG image from the $url variable
$image = imagecreatefrompng($url);
imagealphablending($image, true);
imagesavealpha($image, true);

// Resample the merging of the background image and the original PNG file
// (blending happens on $bg_image, which is the destination here)
imagecopyresampled($bg_image, $image, 0, 0, 0, 0, $sx, $sy, $sx, $sy);

// Send out as GIF or JPG; both come from the flattened $bg_image
switch ($type) {
case "jpg":
    header('Content-type: image/jpeg');
    imagejpeg($bg_image, null, 95);   // null filename = write to output
    break;
case "gif":
    header('Content-type: image/gif');
    imagegif($bg_image);
    break;
}

// Remove bg image and PNG from memory
imagedestroy($bg_image);
imagedestroy($image);

// "#rrggbb" or "rrggbb" -> array(r, g, b); hexdec() does the digit lookup,
// and stripping the '#' first keeps it from being treated as digit 0
function HEX2RGB($color)
{
    $hex = ltrim($color, '#');
    return array(
        hexdec(substr($hex, 0, 2)),
        hexdec(substr($hex, 2, 2)),
        hexdec(substr($hex, 4, 2)),
    );
}

?>

On Dec 2, 2006, at 1:33 PM, Richard Lynch wrote:

I suspect that if you do an "imagecopyresampled" or somesuch into a
fresh NEW image, you'd get what you want.

Not saying you haven't found a bug; just suggesting a work-around.

On Fri, December 1, 2006 4:26 pm, Graham Anderson wrote:
Is there some trick to getting PHP GD to properly convert a 24bit PNG
[with alpha]  into a JPEG without garbling the image output?

The below will output the jpg image, but it appears that the alpha
channel from the original png  is garbling the jpeg a bit
To no avail, I tried setting imageAlphaBlending and imageSaveAlpha to
'false' and 'true'
I also tried setting the jpeg quality to 90 and 100.

$image_output = "myimage.jpeg";
$image = imagecreatefrompng($original_24bit_png_image);

imageAlphaBlending($image, true);
imageSaveAlpha($image, true);

header("Content-type: image/jpeg");
imagejpeg($image,'',100);
imagedestroy($image);


many thanks in advance
g

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

--- End Message ---
--- Begin Message ---
Hi,

I'm working on an .htaccess file for improving security.
Based on documentation from PHPSEC.org, we should be able to store the DB_USER
login and DB_PASS password in some secret-stuff (for example) file, which
should be located outside the web document root (for example in some
/path_to_secret folder).

Normally we should configure the httpd.conf file to include this secret-stuff
file, but in my case, I have a web host who does not allow me to modify
httpd.conf.
However, I should be able to set up an .htaccess file.

How can I set up/include this secret-stuff file in this .htaccess file
(without decreasing security)?

thanks a lot.

Alain
------------------------------------
Windows XP SP2
PostgreSQL 8.1.4
Apache 2.0.58
PHP 5

--- End Message ---
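One way to do this without touching httpd.conf, as an added example that is not code from the thread or from phpsec.org. The PHP file below (call it db_bootstrap.php) lives outside the document root next to the credentials file and is pulled into every page either by a `php_value auto_prepend_file` line in .htaccess or by a `require` in the central security include. All paths, the config layout and the DSN are assumed.

```php
<?php
// Added example: /path_to_secret/db_bootstrap.php (outside the web root).
// It loads the credentials from /path_to_secret/db.conf.php, which should
// be chmod 0640 and owned by the account PHP runs as, and contains only:
//   <?php return array('dsn'  => 'pgsql:host=localhost;dbname=app',
//                      'user' => 'DB_USER', 'pass' => 'DB_PASS');
//
// Pulling it in from .htaccess (needs the host to allow AllowOverride
// Options or All, since php_value is a per-directory PHP setting):
//   php_value auto_prepend_file /path_to_secret/db_bootstrap.php
// If php_value is not allowed, the central security include does the same:
//   require '/path_to_secret/db_bootstrap.php';

function load_db_config($path)
{
    $real = realpath($path);
    if ($real === false) {
        throw new RuntimeException("DB config not found: $path");
    }
    // Refuse a config other accounts on a shared host can read
    if (fileperms($real) & 0004) {
        throw new RuntimeException("$real is world-readable; chmod 0640 it");
    }
    // Refuse a config inside the web tree: a PHP misconfiguration would
    // serve it as plain text
    $docroot = isset($_SERVER['DOCUMENT_ROOT'])
        ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
    if ($docroot !== false
        && strpos($real, $docroot . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException("$real is inside the document root");
    }
    $cfg = require $real;
    foreach (array('dsn', 'user', 'pass') as $key) {
        if (!is_array($cfg) || empty($cfg[$key])) {
            throw new RuntimeException("DB config is missing '$key'");
        }
    }
    return $cfg;
}

// Hand pages the connection, not the credentials: after this line no
// variable holding DB_PASS is left for a var_dump() or error page to print.
$cfg = load_db_config(dirname(__FILE__) . '/db.conf.php');
$db  = new PDO($cfg['dsn'], $cfg['user'], $cfg['pass'],
               array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
unset($cfg);
```

Two checks worth keeping even if the rest is simplified: the permission test, because on a shared host "outside the document root" does not stop another account's PHP from reading a world-readable file, and `display_errors = Off` in production, so a failed connection does not print the exception (and its stack trace arguments) to the visitor.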
--- Begin Message ---
On Sat, December 2, 2006 5:31 am, Tony Marston wrote:
> If your site administrator thinks that using an htaccess file is a
> security
> issue then he is very much mistaken.  The directives in an htaccess
> file DO
> NOT enable you to access any one else's data on a shared server. All
> they do
> is apply additional settings to your own site while leaving UNTOUCHED
> the
> settings being used by other sites.
>
> Most professional web hosting companies do not have an issue with
> htaccess
> files, so if yours does I would suggest switching to one with a more
> professional attitude.

I think it is quite possible for a sysAdmin to configure AllowOverride
and .htaccess in such a way that "too much" latitude is granted to
their clients to access each others' data...

And there is alleged to be a significant performance loss to
.htaccess, so a hurried sysAdmin may have over-simplified their
decision process...

At any rate, if you need .htaccess, and they don't want to provide it,
there are a few thousand webhosts that do.

I certainly wouldn't sign up with a host that didn't provide it, and
would move to one that did ASAP if I found myself using one that
didn't provide that.

Actually, I'd settle for a way to schedule a "push" of an approved
change into their httpd.conf (or include files thereof) for my site's
VirtualHost directive, but I suppose that's a lot to ask of a host...
:-)

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

--- End Message ---
