php-general Digest 14 Jun 2008 15:32:48 -0000 Issue 5514

Topics (messages 275382 through 275394):

Re: Capture homepage screenshot
        275382 by: Manuel Lemos

Re: why are passwords stored encrypted in databases even when the data they 
protect is stored in the same database?
        275383 by: Dietrich Bollmann
        275384 by: Usamah M. Ali

Re: Memory cache problem
        275385 by: Nathan Nobbe

Developing a recursive command parser
        275386 by: Straps

Re: PHP connection to external application
        275387 by: hce
        275390 by: Per Jessen

Can I do in Drupal
        275388 by: mukesh yadav
        275391 by: Bastien Koert
        275392 by: Daniel Brown
        275394 by: Robert Cummings

PHP time out for socket_recvfrom or socket_read block call
        275389 by: hce

Re: Kindla 0T, but here goes...
        275393 by: Daniel Brown


----------------------------------------------------------------------
--- Begin Message ---
Hello,

on 06/13/2008 02:46 PM Shiplu said the following:
> Hello,
> How can I capture a homepage screenshot of a webpage by php?
> 
> I know a way.
> I'll run an executable written in C/C++. When it is called to process a
> screen shot, it will just load the webpage in firefox and capture the image.
> It'll send the image path to php. The executable will be running.
> The problem with this solution is, I have to run X, Firefox in my web
> server, which doesn't look efficient for a server.
> 
> I wanna know, is there any other way to achieve this? without creating a
> screen shot server.

If you run PHP on Windows, you can use this PHP class that was just
released and does exactly what you need. I think it could be adapted to
work with Firefox too.

http://www.phpclasses.org/win-screenshot

-- 

Regards,
Manuel Lemos

PHP professionals looking for PHP jobs
http://www.phpclasses.org/professionals/

PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/

--- End Message ---
--- Begin Message ---
On Fri, 2008-06-13 at 14:20 +0200, M. Sokolewicz wrote:
> Considering you're already jailing access by linking a specific url to a 
> specific password you're making the impact of a hacked password pretty 
> small. Which is a good thing :)
> I would recommend, if you go this way, to add an expiry date to the 
> url/password combo. So for example you can only use that url/password 
> combo for 3 days before it expires, after that, you need a new combo. 
> Doing it this way (with server-generated passwords) you make sure that 
> _if_ it were ever to fall into hands-it-should-not-be-in, it won't be 
> there for long.
> 
> - Tul
> 
> P.S. in other words, sounds fine to me :)

Thank you again!

...so finally I can get to work :)

Best wishes, Dietrich


On Fri, 2008-06-13 at 14:20 +0200, M. Sokolewicz wrote:
> Dietrich Bollmann wrote:
> > Hi tul, 
> > 
> > So this was a very long and informative answer :)
> > Thank you very much!
> > 
> > On Fri, 2008-06-13 at 12:02 +0200, M. Sokolewicz wrote:
> >> [...] However, people usually write code which may (and will most 
> >> of the time) contain exploitable sections which might give a malicious 
> >> user the ability to get a dump of the database. A password dump is 
> >> always interesting, since it gives a LOT of information. People usually 
> >> don't use 1 password per login, but rather have a "standard password" 
> >> for most things.
> > 
> > So if the user is allowed to change his password, it should be encrypted
> > always as there are chances that the same password is used at some other
> > place?  That makes a lot of sense to me :)
> > 
> > If all passwords are generated by the system on the other hand and the
> > user is not allowed to change his password, if further all the protected
> > data is in the same database as the password, there would be no need for
> > encrypting the passwords following your argumentation?
> > 
> > But if some information is stored outside the database - in my case
> > (simple file server) for example, the database only contains the file
> > meta-data while the files themselves are stored in some data directory
> > on the server - some malicious user who would have broken into the
> > database could get hold of the files if the passwords are stored
> > unencrypted;  if some encryption scheme would have been used on the
> > other hand the data found in the database wouldn't be of any use at all?
> > 
> > And if the password should be recoverable some encryption with a key
> > stored somewhere else would force the hacker to break into two systems,
> > the database itself and the system which is used to store the key.
> > 
> > That makes sense also.  I didn't think about the fact that database and
> > a directory on the server are two different things which would have to
> > be hacked separately.  So I am happy about writing my mail and getting
> > such a nice answer before implementing some stupid password logic
> > myself :)
> > 
> >> Now, if it were unprotected, the person getting the information can 
> >> instantly log in as that user, or if he wants might even take over that 
> >> person's identity in other places (rare, but it happens). If it were 
> >> protected by encryption of some kind then it would first need to be 
> >> decrypted to be usable (unless there is a design flaw which makes this 
> >> unnecessary as has been the case in a few messageboards a few years ago).
> >> Now, you can either encrypt or hash your passwords. Hashes are one-way, 
> >> encryption two-way. If the malicious user gets hold of a hash: he'll 
> >> still not have anything useful in his hands. He might make a reverse 
> >> lookup table and figure out the password from that (though there's an 
> >> infinite number of possible inputs for each single [hash] output), but 
> >> add a salt and don't put that in the database and the user has a low 
> >> chance of ever finding out what it was. But, just as the malicious user 
> >> can't figure out what the password was, neither can you: so goodbye 
> >> lost-password feature. Instead you'd have to regenerate a new password 
> >> and send that over, or do some other fancy magic which doesn't involve 
> >> sending the current password as-is, since you don't know it either.
> >> If you were to use encryption there, you could always decrypt it. If you 
> >> have the key. Storing the key separately from the encrypted password 
> >> would make this quite safe. encrypted_string = (data + key), if you know 
> >> neither the data nor the key, things get very tough. Because you know 
> >> the key, you can figure out the password and make a forgot-password 
> >> feature easily which sends out the actual password.
> >> But, because your key is publicly available (if your page has to use it, 
> >> then it's automatically publicly available, maybe not easily, but a 
> >> malicious user which managed to get hold of a full password table, could 
> >> just as well get hold of the key for the encryption)!
> >> Putting in neither, so just keeping the passwords in their plain form is 
> >> safe. As long as no one _ever_ sees them. Guarantee that and you won't 
> >> have to bother with hashing/encrypting. If you can't guarantee it, build 
> >> in some extra safety in the form of hashing and/or encrypting.
> >>
> >> hope that explains it all a bit,
> >> - tul
> > 
> > Yes.  A bit.  I am actually impressed.  But I better read some more
> > redundant book about intelligent malicious users as I still feel like
> > not understanding everything of what you said completely.
> > 
> > ...any nice book recommendation for naive people like me :?
> > 
> > So how about the following solution to my simple file-server problem:
> > 
> > I generate a new url for every user who is allowed to download a file
> > and a private password for every new url.  Using this approach, the same
> > file will be downloaded by different users via different urls and
> > passwords.  The password for an url is stored in the database encrypted
> > and sent over to the user unencrypted per email.  Of course this makes
> > some more logic and tables necessary - and a new row for every user also
> > - but who cares :)  What do you think?
> > 
> > Thanks for your interesting explanation!
> > Dietrich
> Considering you're already jailing access by linking a specific url to a 
> specific password you're making the impact of a hacked password pretty 
> small. Which is a good thing :)
> I would recommend, if you go this way, to add an expiry date to the 
> url/password combo. So for example you can only use that url/password 
> combo for 3 days before it expires, after that, you need a new combo. 
> Doing it this way (with server-generated passwords) you make sure that 
> _if_ it were ever to fall into hands-it-should-not-be-in, it won't be 
> there for long.
> 
> - Tul
> 
> P.S. in other words, sounds fine to me :)
> 
> 


--- End Message ---
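
The scheme the thread settles on (one url/password combo per user, a server-generated password stored only as a hash, a secret kept outside the database, and a 3-day expiry) can be sketched as follows. This is an added example, not code from the original messages; the function names, the row layout and the `$pepper` parameter are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

const LINK_TTL_SECONDS = 3 * 24 * 3600; // the 3-day expiry suggested in the thread

// Assumption: $pepper is a secret kept outside the database (environment or key
// file), in the spirit of "add a salt and don't put that in the database".
function pepperPassword(string $password, string $pepper): string
{
    // Hex HMAC output keeps the bcrypt input short and free of NUL bytes.
    return hash_hmac('sha256', $password, $pepper);
}

/** Create one url/password combo. Only 'row' is stored; 'password' is e-mailed. */
function issueDownloadLink(int $fileId, string $pepper, int $now): array
{
    $password = bin2hex(random_bytes(9));
    $row = [
        'url_token'     => bin2hex(random_bytes(16)), // part of the per-user URL
        'file_id'       => $fileId,
        'password_hash' => password_hash(pepperPassword($password, $pepper), PASSWORD_DEFAULT),
        'expires_at'    => $now + LINK_TTL_SECONDS,
    ];
    return ['row' => $row, 'password' => $password];
}

/** Return the file id if the combo is valid and unexpired, otherwise null. */
function checkDownloadLink(?array $row, string $password, string $pepper, int $now): ?int
{
    if ($row === null || $now >= $row['expires_at']) {
        return null; // unknown URL or expired combo
    }
    $ok = password_verify(pepperPassword($password, $pepper), $row['password_hash']);
    return $ok ? $row['file_id'] : null;
}

// Constructed demo: $row stands in for the stored database row.
$pepper = 'constructed-demo-pepper';
$now    = 1213455600; // constructed timestamp
$issued = issueDownloadLink(42, $pepper, $now);
$row    = $issued['row'];

var_dump(checkDownloadLink($row, $issued['password'], $pepper, $now + 3600));      // valid combo
var_dump(checkDownloadLink($row, 'wrong-password', $pepper, $now + 3600));         // wrong password
var_dump(checkDownloadLink($row, $issued['password'], $pepper, $now + 4 * 86400)); // after expiry
var_dump(checkDownloadLink($row, $issued['password'], 'not-the-pepper', $now + 3600)); // wrong pepper
```

Because the stored value is a one-way hash, a lost password is handled by issuing a new combo rather than by recovering the old one, as the quoted explanation notes.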
--- Begin Message ---
Taking into mind that email addresses extracted out of hacked
databases are one of the main spam industry seeders, I always wonder
why web application developers don't consider encrypting emails the
same way they consider encrypting passwords! Once a hacker has full
access to a database, an encrypted password becomes like locking the
door while keeping the window open!

Say a user has an account in some discussion forum, that uses an open
source, or visible-source software. She has about 5000 posts in which
she has expressed her personal opinions on just about many things. Now
what a hacker has to do is to dump the database into a local server
running the same software, and begin analyzing the data, creating
well-crafted lists of "potential customers" for which he's going to
deliver very well-targeted mailing newsletters!

Regards,
Usamah

--- End Message ---
--- Begin Message ---
On Fri, Jun 13, 2008 at 8:02 PM, tedd <[EMAIL PROTECTED]> wrote:

> At 11:47 PM +0100 6/13/08, Stut wrote:
>
>> On 13 Jun 2008, at 23:20, R B wrote:
>>
>>> I search in both caches, and the video appears in the memory cache.
>>>
>>
>> Sorry, but that doesn't answer the question of why you/he doesn't want it
>> to be cached. If he's trying to protect the videos from being copied then
>> you're going to need to make it clear to him that you can't stop that from
>> happening without DRM which is a whole other kettle of fish and usually not
>> worth it.
>>
>> Aside from that I'm not aware of anything else you can do to stop clients
>> caching your content. At the end of the day you have no reliable control
>> over what happens after the data leaves the server.
>>
>> -Stut
>>
>
> Caching is one thing, but viewing the video is another -- unless I am
> mistaken.
>
> While it's true that you have no control over the video file once it leaves
> the server, however, what the file does in a foreign environment is
> something else.
>
> Typically, DRM schemes are needed when someone wants to protect digital
> media from being copied to play in standard players. But, if you want to
> restrict playing a video to just your site, then that's another matter.
>
> One can place actionscript in the video that will stop it from playing if
> certain conditions are not met. For example, you can have a file that exists
> in your site, but nowhere else. If the video is downloaded and an attempt
> is made to play it, then the video simply looks for the companion file and
> if it's not there, then it won't play.
>
> Is this not true?


are you asking a rhetorical question here tedd?  i thought you implemented
something like that w/ help of the list some months back.

-nathan

--- End Message ---
--- Begin Message ---
Hi all, I'm trying to develop an application able to interpret
commands loaded from a database or any other source similar to this

$strParam = 'title=%SESSION(sessionvar)'
or a more complicated
$strParam = 'title=%SESSION(sessionvar_%COOKIE(mycookievar))'

What I need is to find any special command starting with a
configurable special char (% in this case), get the text inside it and
elaborate it...

The final result could be a simple string like these
$strParam = 'title=My Session Title'
and
$strParam = 'title=My Session and Koookie Value'

I'm starting to work on it, do you know if there is a way to
accomplish this using PCRE or if there is something just developed?

Thanks, Straps

--- End Message ---
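
One way to handle the nested commands from the question above is a small recursive parser, using PCRE only to recognise the start of a command. This is an added example, not code from the original post; `expandCommands`, `parseUntil`, the `$sources` array standing in for `$_SESSION` and `$_COOKIE`, and the restriction to upper-case command names are assumptions.

```php
<?php
declare(strict_types=1);

// Expand %NAME(arg) commands; arg may itself contain commands. $sources maps a
// command name to a key/value store (hypothetical stand-ins for $_SESSION and
// $_COOKIE). Assumption: command names are upper-case letters only.
function expandCommands(string $input, array $sources, string $marker = '%'): string
{
    $pos = 0;
    return parseUntil($input, $pos, $sources, $marker, false);
}

function parseUntil(string $s, int &$pos, array $sources, string $marker, bool $inArg): string
{
    $out = '';
    $pattern = '/\G' . preg_quote($marker, '/') . '([A-Z]+)\(/';
    while ($pos < strlen($s)) {
        if ($inArg && $s[$pos] === ')') {
            $pos++; // consume the parenthesis that closes this argument
            return $out;
        }
        if (preg_match($pattern, $s, $m, 0, $pos)) {
            $pos += strlen($m[0]);
            $arg = parseUntil($s, $pos, $sources, $marker, true); // inner commands first
            if (!isset($sources[$m[1]])) {
                throw new InvalidArgumentException("Unknown command: {$m[1]}");
            }
            // The looked-up value is appended as literal text and never re-scanned.
            $out .= (string) ($sources[$m[1]][$arg] ?? '');
            continue;
        }
        $out .= $s[$pos++];
    }
    if ($inArg) {
        throw new InvalidArgumentException('Unterminated command argument');
    }
    return $out;
}

// Constructed sample data.
$sources = [
    'SESSION' => [
        'sessionvar'        => 'My Session Title',
        'sessionvar_kookie' => 'My Session and Koookie Value',
    ],
    'COOKIE' => ['mycookievar' => 'kookie', 'untrusted' => '%SESSION(sessionvar)'],
];
echo expandCommands('title=%SESSION(sessionvar)', $sources), "\n";
echo expandCommands('title=%SESSION(sessionvar_%COOKIE(mycookievar))', $sources), "\n";
echo expandCommands('title=%COOKIE(untrusted)', $sources), "\n";
```

The third call uses a cookie value that itself contains command syntax; because resolved values are never parsed again, client-supplied data cannot trigger further lookups.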
--- Begin Message ---
On 6/13/08, Per Jessen <[EMAIL PROTECTED]> wrote:
> hce wrote:
>
>  > I am not certain if the msg_send / msg_receive in PHP can talk to the
>  > external C program msg_send  / msg_receive as PHP and external C
>  > program are in different processes, different memory spaces.
>
>
> System V message queues are intended for just that; IPC = Inter Process
>  Communication.
>
>
>  > (a) A simple way is if for every PHP request, it opens socket, sends a
>  > request and gets a response from the C server then closes the socket.
>  > It should work, but I am not sure:
>  >    (i) if the open / close socket per request will cause delays and
>  > performance issues.
>
>
> They will cause both delays and performance issues.  But whether these
>  will matter for your use is a different question.  The process you've
>  described (open,get,close) is no different to sending an email or
>  getting a web-page.  People send a lot of email and serve a lot of
>  webpages without major performance issues :-)
>
>
>  > (ii) What is the maximum number concurrent requests in a PHP web
>  > application?
>
>
> That's up to your webserver - if it's big enough, you can serve a lot of
>  concurrent requests.
>
>
>  > Will the maximum socket number  / or port number (up to 2^16) be a
>  > bottleneck for large number of concurrent requests (hundred
>  > and thousands)?
>
>
> Probably not.
>
>
>  > (b) If for all PHP requests share only one socket to connect to the
>  > external C server, I am not sure if the PHP is able to do multiplex
>  > responses for each request as the PHP is stateless.
>
>
> "PHP is stateless" ??  PHP is a scripting language, not a protocol.
>  Besides, it would take quite a bit of work to make your thousands of
>  concurrent PHP requests share a single socket.

Sorry for not being clear here. I was saying PHP web application is
stateless, not the PHP. You are right, it would take more effort to
share a single socket. It is not an option.

Anyway, thanks for all your responses and suggestions. It was a good
suggestion to use SOAP and Web services, but we have a very small
latency requirement. I am already worried about the delay in the
lower level of socket; there will be even more processing delays from
using SOAP and Web services. I'll keep an eye on that option if our
processing delay requirement can be altered.

Thank you.

Kind Regards,

Jim

--- End Message ---
--- Begin Message ---
hce wrote:

> Anyway, thanks for all your responses and suggestions. It was good
> suggestion to use SOAP and  Web services, but we have very small
> latency requirement, I have already worried about the delay in the
> lower level of socket, it will be even more processing delays for
> using SOAP and Web services. 

Agree - it's only extra overhead.

Jim, if I were you, I'd go for the socket-communication, i.e. TCP.  That
setup is being used for all kinds of stuff - unless your latency
requirements are extreme, I think TCP will be fine. 


/Per Jessen, Zürich


--- End Message ---
--- Begin Message ---
Hi,
 I'm new to PHP and I have been assigned a job in PHP. I need to develop a
site where an admin can handle a site like a CMS, e.g. updating a site
without any tech guy.
Is it possible using Drupal? If yes then can you please suggest how to go..

thank you

--- End Message ---
--- Begin Message ---
On Sat, Jun 14, 2008 at 5:57 AM, mukesh yadav <[EMAIL PROTECTED]> wrote:

> Hi,
>  I'm new to PHP and I have been assigned a job in PHP. I need to develop a
> site where an admin can handle a site like a CMS, e.g. updating a site
> without any tech guy.
> Is it possible using Drupal? If yes then can you please suggest how to go..
>
> thank you
>

yes, download drupal and install it

-- 

Bastien

Cat, the other other white meat

--- End Message ---
--- Begin Message ---
On Sat, Jun 14, 2008 at 5:57 AM, mukesh yadav <[EMAIL PROTECTED]> wrote:
> Hi,
>  I'm new to PHP and I have been assigned a job in PHP. I need to develop a
> site where an admin can handle a site like a CMS, e.g. updating a site
> without any tech guy.
> Is it possible using Drupal? If yes then can you please suggest how to go..


    http://www.catb.org/esr/jargon/html/S/STFW.html


-- 
</Daniel P. Brown>
Dedicated Servers - Intel 2.4GHz w/2TB bandwidth/mo. starting at just
$59.99/mo. with no contract!
Dedicated servers, VPS, and hosting from $2.50/mo.

--- End Message ---
--- Begin Message ---
On Sat, 2008-06-14 at 10:35 -0400, Daniel Brown wrote:
> On Sat, Jun 14, 2008 at 5:57 AM, mukesh yadav <[EMAIL PROTECTED]> wrote:
> > Hi,
> >  I'm new to PHP and I have been assigned a job in PHP. I need to develop a
> > site where an admin can handle a site like a CMS, e.g. updating a site
> > without any tech guy.
> > Is it possible using Drupal? If yes then can you please suggest how to go..
> 
> 
>     http://www.catb.org/esr/jargon/html/S/STFW.html

*lol* Whoever did that webpage needs to STFW about character encodings.

Cheers,
Rob.
-- 
http://www.interjinn.com
Application and Templating Framework for PHP


--- End Message ---
--- Begin Message ---
Hi,

How can I use a timeout mechanism in PHP when calling socket_recvfrom or
socket_read (in blocking mode)?

I know the non-blocking system call can be used, but I need to use a
blocking system call; the blocking socket_recvfrom or socket_read should
either return with a failure or be canceled when a timeout occurs.

Thank you.

Kind Regards,

Jim

--- End Message ---
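
A blocking receive with a timeout, as asked about above, can be had by setting `SO_RCVTIMEO` on the socket so that a stalled peer cannot hold the PHP process indefinitely. This is an added example, not code from the original post; the wrapper name `recvFromWithTimeout` and the loopback demo are assumptions, and it requires the sockets extension.

```php
<?php
declare(strict_types=1);

/**
 * Blocking receive that gives up after $seconds (must be > 0; a zero timeout
 * means "wait forever"). Returns the datagram, or null on timeout.
 */
function recvFromWithTimeout($sock, int $maxLen, float $seconds): ?string
{
    $sec  = (int) floor($seconds);
    $usec = min(999999, (int) round(($seconds - $sec) * 1000000));
    // SO_RCVTIMEO bounds each blocking read; the socket stays in blocking mode.
    if (!socket_set_option($sock, SOL_SOCKET, SO_RCVTIMEO, ['sec' => $sec, 'usec' => $usec])) {
        throw new RuntimeException(socket_strerror(socket_last_error($sock)));
    }
    $buf = '';
    $from = '';
    $port = 0;
    if (@socket_recvfrom($sock, $buf, $maxLen, 0, $from, $port) !== false) {
        return $buf;
    }
    $err = socket_last_error($sock);
    socket_clear_error($sock);
    // An expired timer surfaces as EAGAIN/EWOULDBLOCK on Linux, ETIMEDOUT on Windows.
    foreach (['SOCKET_EAGAIN', 'SOCKET_EWOULDBLOCK', 'SOCKET_ETIMEDOUT'] as $name) {
        if (defined($name) && constant($name) === $err) {
            return null;
        }
    }
    throw new RuntimeException(socket_strerror($err));
}

// Constructed demo: a UDP socket on loopback that nobody writes to at first.
$sock = socket_create(AF_INET, SOCK_DGRAM, SOL_UDP);
socket_bind($sock, '127.0.0.1', 0);
socket_getsockname($sock, $addr, $port);

$start = microtime(true);
var_dump(recvFromWithTimeout($sock, 512, 0.5)); // no data queued: gives up after the timeout
printf("waited %.2f s\n", microtime(true) - $start);

socket_sendto($sock, 'ping', 4, 0, $addr, $port);
var_dump(recvFromWithTimeout($sock, 512, 0.5)); // a datagram is queued: returns at once
socket_close($sock);
```

The same socket option also bounds `socket_read` on a connected socket.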
--- Begin Message ---
On Fri, Jun 13, 2008 at 7:58 PM, Ryan S <[EMAIL PROTECTED]> wrote:
> Hey guys!
>
> Thanks for replying!
>
> Can't find any midi flash player... looks like it has to be mp3, in which case 
> can anybody recommend a place for open licensed mp3s for songs like "happy 
> birthday" etc
> maybe just instrumental stuff?

    You can install stuff to convert MIDI files to MP3's.  FFMPEG is
the most popular, but doesn't do it directly.  You'd have to first use
something like Timidity to convert MIDI to PCM Waveform, and then the
resulting .wav to MP3 with FFMPEG.

    Doing that would allow you to convert files on the fly, without
having to find a specific format each time you need a media file.

-- 
</Daniel P. Brown>
Dedicated Servers - Intel 2.4GHz w/2TB bandwidth/mo. starting at just
$59.99/mo. with no contract!
Dedicated servers, VPS, and hosting from $2.50/mo.

--- End Message ---
