php-general Digest 13 Feb 2009 13:35:38 -0000 Issue 5956
Topics (messages 288200 through 288214):
Re: Don't Forget to Punch the Clock, Shorty!
288200 by: Kyle Terry
288201 by: George Langley
Re: PHP OOP
288202 by: Virgilio Quilario
Re: How can an elephant count for nothing?
288203 by: Clancy
288206 by: Yeti
Re: Opinions needed
288204 by: Per Jessen
288211 by: Rene Veerman
288213 by: Al
Re: fork/spawnzombie question
288205 by: Per Jessen
Re: Extract result from a https remote server response
288207 by: m a r k u s
288208 by: m a r k u s
288209 by: Bruno Fajardo
288212 by: m a r k u s
[Fwd] How to make a secured login form
288210 by: Rene Veerman
288214 by: Virgilio Quilario
Administrivia:
To subscribe to the digest, e-mail:
php-general-digest-subscr...@lists.php.net
To unsubscribe from the digest, e-mail:
php-general-digest-unsubscr...@lists.php.net
To post to the list, e-mail:
php-gene...@lists.php.net
----------------------------------------------------------------------
--- Begin Message ---
On Thu, Feb 12, 2009 at 5:03 PM, Richard Whitney <phpmy...@gmail.com> wrote:
> On Thu, Feb 12, 2009 at 5:05 PM, Daevid Vincent <dae...@daevid.com> wrote:
>
> > On Thu, 2009-02-12 at 15:58 -0700, Richard Whitney wrote:
> >
> > Anyone care to try this out? Feedback welcome.
> > http://dftpcs.com
> >
> > Thanks
> >
> >
> > Also, given that this was formatted and sounded as vague as a spam email, I
> > simply dismissed it and moved on. Even the URL is very cryptic (although I
> > realize NOW that it's an acronym, at the time it looked random letters as
> > phishers use).
> >
> > I have no interest in registering and giving you my email, etc. just to try
> > a SaaS that i have ZERO idea how it works or what it does. There is no
> > description. No screenshots. no anything. Why not provide a 'test/test123'
> > account if you want people to try it out. Not to mention the time it would
> > take for me to populate your tool with data to be useful enough to evaluate.
> >
> > http://daevid.com
> >
>
>
> good idea Daevid!
> Thanks!
>
> http://dftpcs.com
> u: testing
> p: testing123
>
>
>
> --
> Richard Whitney
> phpmy...@gmail.com
> http://phpmydev.com
> 602-288-5340
> 310-943-6498
>
> "You come up with ideas, I come up with solutions."
>
Haha...Information management and timesheets... That's what I write for a
living.
--
Kyle Terry | www.kyleterry.com
Help kick start VOOM (Very Open Object Model) for a library of PHP classes.
http://www.voom.me | IRC EFNet #voom
--- End Message ---
--- Begin Message ---
On 12-Feb-09, at 8:55 PM, Kyle Terry wrote:
> On Thu, 2009-02-12 at 15:58 -0700, Richard Whitney wrote:
>> Anyone care to try this out? Feedback welcome.
>> http://dftpcs.com
>> Thanks
--------------
Hi there! The right panel is not always refreshing correctly in my
Mac Safari 3.2.1. Sometimes it is leaving lines through the various
elements, or not drawing them at all. This is occurring mostly when I
click a "Submit" or other button in the right panel, but also when I
click an item in the left panel. It does seem to be fine until after
I have added a new company to the list, and then it starts having
problems.
Don't know if it's something in your code, or just my machine acting up!
But may be worth testing somewhere else.
HTH.
George Langley
Multimedia Developer, Audio/Video Editor, Musician, Arranger, Composer
http://www.georgelangley.ca
--- End Message ---
--- Begin Message ---
Java is really awesome at OOP and it is great for teaching OOP or,
shall we say "illustrating OOP".
OOP is a programming technique in general without any bias towards any
programming language.
A good background in OOP concepts is essential in learning a language-specific
OOP implementation.
So don't worry about languages.
The important thing is, you know what OOP means.
Also you can't compare PHP to other programming languages.
PHP is new and mainly built for the web.
With its raw power, it is simply incomparable.
virgil
http://www.jampmark.com
--- End Message ---
--- Begin Message ---
On Thu, 12 Feb 2009 23:47:31 +0800, huixinc...@baidu.com (???) wrote:
>Jochem Maas wrote:
>> Clancy schreef:
>>
>>> While PHP has a lot of nice features, it also has some traps which I am
>>> forever falling into. One which I find particularly hard to understand is
>>> how mixed mode comparisons work.
.........
>> you can avoid auto-casting if needed, in a variety of ways:
>>
>> php -r '
>> $foo = "elephant";
>> if (!empty($foo))
>> echo "$foo found!\n";
>> if (strlen($foo))
>> echo "$foo found!\n";
>> if (is_string($foo) && strlen($foo))
>> echo "$foo found!\n";
>> if ($foo !== "")
>> echo "$foo found!\n";
>> if ($foo === "elephant")
>> echo "$foo found!\n";
>> '
>>
>> those last 2 show how to use 'type-checked' equality
>> testing.
>>
>because intval("elephant") == 0;
>intval will convert the string into an integer. Strings will most likely
>return 0, although this depends on the leftmost characters of the string.
This seems to be the nearest to the correct answer. In fact it appears that if
you compare a string with an integer the effective value of the string is the
value of the first character(s), if it/they are integers, or zero.
elephant == 0; true
an elephant == 0; true
1 elephant == 0; false
0 elephants == 0; true
a herd of elephants == 0; true
7 elephants == 7; true
9999 elephants == 9999; true
The next question is 'how is the order of conversion determined?' I thought it
might have converted the second element to the same type as the first element,
so I reversed the comparison, but I got exactly the same results, so perhaps it
converts from the more complex type to the simpler type.
Clearly the lesson to be learnt is not to compare disparate types, unless you
really have to.
One situation where this is unavoidable is if you are searching an arbitrary
set of strings for a given word. In this case it is essential to do the exact
comparison, or you will get erroneous results.
Thank you all for your suggestions.
--- End Message ---
--- Begin Message ---
I guess the main reason for PHP to behave like this is to make life
easier for many everyday situations.
EXAMPLE:
User input via GET or POST - usually string
You compare it to some value - int/string or whatever
So if a user posts '17' (string) and you compare it to 17 (int),
unless you are using ===, PHP won't complain.
--- End Message ---
--- Begin Message ---
Al wrote:
> I'm scripting a light-weight, low volume signup registry for a running
> club. Folks sign up to volunteer for events and the like. There will
> generally be a handful of signup registries at any one time. A typical
> registry will only contain 50 to 100 names. Each registry is only in
> existence for a month or so.
>
> I really don't see the advantage of using a real DB [e.g., mySQL,] for
> this. Don't need any special searching, etc.
You might as well just go with MySQL. It'll make it a lot easier both
to start with and in the long run.
--
Per Jessen, Zürich (-1.0°C)
--- End Message ---
--- Begin Message ---
Al wrote:
> I'm scripting a light-weight, low volume signup registry for a running
> club. Folks sign up to volunteer for events and the like. There will
> generally be a handful of signup registries at any one time. A typical
> registry will only contain 50 to 100 names. Each registry is only in
> existence for a month or so.
> I really don't see the advantage of using a real DB [e.g., mySQL,] for
> this. Don't need any special searching, etc.
> Am thinking of using a simple serialized array file for each registry;
> or, using Pear Cache_lite. Cache_lite has several nice functions I
> can take advantage of. In spite of its name, it can be configured to
> be permanent.
> I'd just go ahead and use Cache_lite; but, I'm always reluctant to use
> a Pear package for fear it may not be updated for future php
> releases, etc. I always aim to keep maintenance to a minimum.
> Anyone had experience with Cache_Lite? Anyone have an opinion on the
> alternatives or maybe another storage approach?
> Thanks, Al........
AdoDB + SQL = easier to maintain than a half dozen custom storage
interfaces..
imo.
--- End Message ---
--- Begin Message ---
Rene Veerman wrote:
> Al wrote:
>> I'm scripting a light-weight, low volume signup registry for a running
>> club. Folks sign up to volunteer for events and the like. There will
>> generally be a handful of signup registries at any one time. A typical
>> registry will only contain 50 to 100 names. Each registry is only in
>> existence for a month or so.
>> I really don't see the advantage of using a real DB [e.g., mySQL,] for
>> this. Don't need any special searching, etc.
>> Am thinking of using a simple serialized array file for each registry;
>> or, using Pear Cache_lite. Cache_lite has several nice functions I
>> can take advantage of. In spite of its name, it can be configured to
>> be permanent.
>> I'd just go ahead and use Cache_lite; but, I'm always reluctant to use
>> a Pear package for fear it may not be updated for future php
>> releases, etc. I always aim to keep maintenance to a minimum.
>> Anyone had experience with Cache_Lite? Anyone have an opinion on the
>> alternatives or maybe another storage approach?
>> Thanks, Al........
> AdoDB + SQL = easier to maintain than a half dozen custom storage
> interfaces..
> imo.
I don't really have any custom storage interfaces. To create a new signup
registry, we simply place a file in the topic directory [e.g.,
/10Krace/Volunteers.php] that contains one line of code that includes the
operational scripts.
require_once $_SERVER['DOCUMENT_ROOT'] . '/signups/commonReg.php';
commonReg.php takes care of everything and the signup's ID is simply
"/10Krace/Volunteers"
--- End Message ---
--- Begin Message ---
bruce wrote:
> Hi Nathan/Torok...
>
> Hey guys... got a bit of a question.
>
> I'm playing around with the php/fork/pcntl_exec functions and I've got
> a process that spawns off a bunch of child processes. Unfortunately,
> I'm getting to where I have 100's of zombie child processes that I can
> see from the linux/processTBL.
>
> I don't want to have my master loop do a waitpid() call, as it would
> block on the wait for one of the child processes to exit.
No, it wouldn't - just use WNOHANG:
pcntl_waitpid( -1, $status, WNOHANG );
/Per Jessen
--
Per Jessen, Zürich (-0.9°C)
--- End Message ---
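Per's WNOHANG answer placed in a complete master loop, as an added example rather than code from the thread. The worker bodies, their exit codes and the five-child count are made up for illustration; the reaping logic is the part that matters.

```php
<?php
// Added example, not code from the thread: a master loop that forks workers
// and reaps finished children with pcntl_waitpid(-1, $status, WNOHANG) so the
// loop never blocks and no zombies accumulate. Needs the pcntl extension
// (PHP CLI on Linux/Unix). The worker bodies are made up for illustration.

declare(strict_types=1);

/**
 * Reap every child that has already exited. Returns [pid => exit status].
 * With WNOHANG, pcntl_waitpid() returns 0 if children exist but none has
 * exited yet, -1 if there are no children left (or on error), and otherwise
 * the PID of one reaped child, so looping until <= 0 collects all finished
 * children without waiting for the rest.
 */
function reapFinishedChildren(array &$children): array
{
    $reaped = [];
    while (count($children) > 0) {
        $status = 0;
        $pid = pcntl_waitpid(-1, $status, WNOHANG);
        if ($pid <= 0) {
            break;
        }
        unset($children[$pid]);
        $reaped[$pid] = pcntl_wifexited($status) ? pcntl_wexitstatus($status) : -1;
    }
    return $reaped;
}

/** Fork one worker; returns its PID to the parent. */
function spawnWorker(int $n): int
{
    $pid = pcntl_fork();
    if ($pid === -1) {
        throw new RuntimeException('fork failed');
    }
    if ($pid === 0) {
        // child: pretend to work, then exit with a code the parent can read
        usleep(random_int(10000, 200000));
        exit($n % 3);
    }
    return $pid;
}

$children = [];
for ($i = 1; $i <= 5; $i++) {
    $pid = spawnWorker($i);
    $children[$pid] = $i;
}

// Master loop: do other work each pass and reap whatever has finished.
$results = [];
while (count($children) > 0) {
    $results += reapFinishedChildren($children);
    // ... the master's own work goes here; it is never blocked by waitpid() ...
    usleep(50000);
}
foreach ($results as $pid => $code) {
    echo "child $pid exited with status $code\n";
}
```

If the master never needs the children's exit status, `pcntl_signal(SIGCHLD, SIG_IGN)` before forking tells Linux to discard terminated children automatically, which also prevents zombies; the polling loop above is the choice when the status is wanted.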
--- Begin Message ---
Shawn McKenzie wrote:
> m a r k u s wrote:
>> Hi all,
>> Example :
>> https://www.moneybookers.com/app/email_check.pl?email=t...@toto.com&cust_id=123546&password=123
>> The MB server response displayed is : Illegal operation.
>> We would like to put the result below in a php variable and process it .
>> An idea ?
>> PS: The server is secured. The php functions like file(),
>> file_get_contents(), readfile(), fopen() has been tested.
>> Regards
>> --
>> m a r k u s
> Well, I don't know how you tested, but if fopen_wrappers are enabled in
> php.ini, then this:
> echo file_get_contents('https://www.moneybookers.com/app/email_check.pl?email=t...@toto.com&cust_id=123546&password=123');
> displays this:
> Illegal operation
> Seems to work for me.
The question is how to extract what is displayed to be processed by our script ?
--- End Message ---
--- Begin Message ---
Shawn McKenzie wrote:
> Shawn McKenzie wrote:
>> m a r k u s wrote:
>>> Hi all,
>>> Example :
>>> https://www.moneybookers.com/app/email_check.pl?email=t...@toto.com&cust_id=123546&password=123
>>> The MB server response displayed is : Illegal operation.
>>> We would like to put the result below in a php variable and process it .
>>> An idea ?
>>> PS: The server is secured. The php functions like file(),
>>> file_get_contents(), readfile(), fopen() has been tested.
>>> Regards
>>> --
>>> m a r k u s
> allow_url_fopen = On
We have no control of the MB remote server configuration.
--
m a r k u s
--- End Message ---
--- Begin Message ---
Assigning the return of file_get_contents to a variable?
Didn't get your point...
2009/2/13 m a r k u s <queribus2...@hotmail.com>
>
> Shawn McKenzie wrote:
>>
>> Shawn McKenzie wrote:
>>>
>>> m a r k u s wrote:
>>>>
>>>> Hi all,
>>>>
>>>> Example :
>>>> https://www.moneybookers.com/app/email_check.pl?email=t...@toto.com&cust_id=123546&password=123
>>>> The MB server response displayed is : Illegal operation.
>>>> We would like to put the result below in a php variable and process it .
>>>> An idea ?
>>>>
>>>> PS: The server is secured. The php functions like file(),
>>>> file_get_contents(), readfile(), fopen() has been tested.
>>>> Regards
>>>>
>>>> --
>>>>
>>>> m a r k u s
>
>
>> allow_url_fopen = On
>
>
> We have no control of the MB remote server configuration.
>
> --
> m a r k u s
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
--- End Message ---
--- Begin Message ---
Sorry all, I was testing in a Windows environment.
I feel like an idiot... :)
Thanks to all.
--
m a r k u s
Bruno Fajardo wrote:
> Assigning the return of file_get_contents to a variable?
> Didn't get your point...
> 2009/2/13 m a r k u s <queribus2...@hotmail.com>
>> Shawn McKenzie wrote:
>>> Shawn McKenzie wrote:
>>>> m a r k u s wrote:
>>>>> Hi all,
>>>>> Example :
>>>>> https://www.moneybookers.com/app/email_check.pl?email=t...@toto.com&cust_id=123546&password=123
>>>>> The MB server response displayed is : Illegal operation.
>>>>> We would like to put the result below in a php variable and process it .
>>>>> An idea ?
>>>>> PS: The server is secured. The php functions like file(), file_get_contents(),
>>>>> readfile(), fopen() has been tested.
>>>>> Regards
>>>>> --
>>>>> m a r k u s
>>> allow_url_fopen = On
>> We have no control of the MB remote server configuration.
>> --
>> m a r k u s
--- End Message ---
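The whole thread in one script, as an added example that is not code from any of the posters: it reads the HTTPS response into a variable with certificate verification left on, and it tells "the https:// wrapper is not available" (the Windows case just mentioned: openssl extension not loaded, or allow_url_fopen=Off) apart from "the request failed". The URL and the parameter values are the ones quoted in the thread, placeholders included; the `httpsGet()` function name and the status parsing are assumptions of this example.

```php
<?php
// Added example, not code from the thread: fetch an HTTPS URL into a PHP
// variable with peer verification, and report clearly when the https://
// stream wrapper itself is missing. Parameter values are the thread's
// placeholders, not real credentials.

declare(strict_types=1);

/**
 * Fetch $url over HTTPS. Returns ['status' => int, 'body' => string].
 * Throws RuntimeException when the wrapper is missing or the request fails.
 */
function httpsGet(string $url): array
{
    if (!in_array('https', stream_get_wrappers(), true)) {
        // On Windows builds the https:// wrapper exists only when the openssl
        // extension is loaded; allow_url_fopen must be On as well.
        throw new RuntimeException(
            'https:// wrapper unavailable: enable the openssl extension and set allow_url_fopen=On'
        );
    }
    $context = stream_context_create([
        'http' => [
            'method'        => 'GET',
            'timeout'       => 10,
            'ignore_errors' => true,   // keep the body on 4xx/5xx so the status can be inspected
        ],
        'ssl' => [
            'verify_peer'      => true, // reject untrusted or mismatched certificates
            'verify_peer_name' => true,
        ],
    ]);
    $body = @file_get_contents($url, false, $context);
    if ($body === false) {
        $err = error_get_last();
        throw new RuntimeException('request failed: ' . ($err['message'] ?? 'unknown error'));
    }
    // $http_response_header is populated in this scope by file_get_contents()
    $status = 0;
    if (isset($http_response_header[0])
        && preg_match('#^HTTP/\S+\s+(\d{3})#', $http_response_header[0], $m)) {
        $status = (int) $m[1];
    }
    return ['status' => $status, 'body' => $body];
}

// Build the query with http_build_query() so the values are URL-encoded.
// Caveat: this API carries the password in the query string, where proxies and
// web servers routinely log it; keep such calls server-to-server over TLS only.
$url = 'https://www.moneybookers.com/app/email_check.pl?' . http_build_query([
    'email'    => 't...@toto.com',   // placeholder values as posted in the thread
    'cust_id'  => '123546',
    'password' => '123',
]);

try {
    $response = httpsGet($url);
    $result   = trim($response['body']);          // e.g. "Illegal operation"
    if ($result === 'Illegal operation') {
        echo "HTTP {$response['status']}: MB rejected the request\n";
    } else {
        echo "HTTP {$response['status']}: {$result}\n";
    }
} catch (RuntimeException $e) {
    echo 'Error: ', $e->getMessage(), "\n";
}
```

`$result` now holds exactly what the browser displayed, ready for the script to branch on; the `=== false` check is what separates "the server answered with an error text" from "PHP could not make the request at all".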
--- Begin Message ---
Hi, I'm cross-posting this (from jquery-en js mailinglist) because it's
something that i think is relevant for this list too..
You can ignore the jQuery in it, since all the jquery calls can be
replaced with document.getElementById().
I have secured the login form for my CMS with a challenge-response thing
that encrypts both username and password with the
(login-attempts-counted) challenge (and; here's my problem: a system
hash) sent by the server (it would end up in your html as a hidden
inputs, or as part of a json transmission)..
Since then, i've found these libs that do even longer one-way-crypto:
http://mediabeez.ws/downloads/sha256.js-php.zip
The principles i'm about to explain stay the same.
*but i'd really like to know if my crypto can be improved*
So instead of the browser getting just a text-field for username and
password, you also send the "challenge" (and "system_hash") value.
That's a 100-character random string (include special characters!), then
sha256-ed (for prettiness mostly i think).
I really wonder if i can do without the systemhash..
------------------------------------ HTML --------------------------------
<form id="myForm">
<input type="hidden" id="system_hash" name="system_hash"
value="[SHA256 SORTA-MASTER-KEY__DUNNO-WHAT-TO-DO-WITH-THIS]"/>
<input type="hidden" id="challenge" name="challenge"
value="[SHA256RANDOMSTRINGFROMPHP]"/>
<table>
<tr><td>Login</td><td> </td><td><input id='login'
name='login'/></td></tr>
<tr><td>Password</td><td> </td><td><input id='pass'
name='pass'/></td></tr>
</table>
</form>
------------------------------------ JS ------------------------------------
$('#myForm').submit (function() {
var s = $('#system_hash')[0];
var c = $('#challenge')[0];
var l = $('#login')[0];
var p = $('#pass')[0];
l.value = sha256 (sha256 (l.value + s.value) + c.value);
p.value = sha256 (sha256 (p.value + s.value) + c.value);
//Here, submit the form using ajax routines in plain text, as both the login name and
//password are now one-way-encrypted.
//
//on the PHP end, authentication is done against a mysql table "users".
//
//in this table i have 3 relevant fields:
//user_login_name (for administrative and display purposes)
//user_login_name_hash (==sha256 (user_login_name + system_hash))
//user_password_hash (== passwords aint stored unencrypted in my cms, to prevent
//admin corruption and pw-theft by third parties; the password is encrypted by the
//browser in the "new-password-form" with the system hash before it's ever sent to
//the server. server Never knows about the cleartext password, ever.)
//
//when a login-attempt is evaluated, all the records in "users" table have to be
//traversed (which i admit can get slow on larger userbases... help!?! :)
//for each user in the users table, the loginhash and password hash are calculated;
// $uh = sha256 ($users->rec["user_login_name_hash"] . $challenge);
// $pwh = sha256 ($users->rec["user_password_hash"] . $challenge);
//and then,
// if they match the hash strings that were sent (both of them),
// if the number of login-attempts isn't exceeded,
// if the IP is still the same (as the one who first requested the html login form
// with new challenge value)
//then, maybe, i'll let 'm log in :)
return false; // the ajax submit above replaces the browser's own form submission
});
phicarre wrote:
How to secure this jquery+php+ajax login procedure ?
$('#myForm').submit( function()
{
$(this).ajaxSubmit( {
type:'POST', url:'login.php',
success: function(msg)
{
// **** login ok : how to call the welcome.php ***
},
error: function(request,iderror)
{
alert(iderror + " " + request);
}
});
return false;
});
<form id="myForm" action="" >
Name : <input type='text' name='login' size='15' />
<div>Password : <input type='password' name='passe' size='15' /></div>
<input type="submit" value="login" class="submit" />
</form>
Login.php check the parameters and reply by echo "ok" or echo "ko"
Logically if the answer is ok we must call a welcome.php module BUT,
if someone read the client code, he will see the name of the module
and can hack the server.
May I wrong ? how to secure this code ?
--- End Message ---
--- Begin Message ---
> I have secured the login form for my CMS with a challenge-response thing
> that encrypts both username and password with the
> (login-attempts-counted) challenge (and; here's my problem: a system
> hash) sent by the server (it would end up in your html as a hidden
> inputs, or as part of a json transmission)..
>
> Since then, i've found these libs that do even longer one-way-crypto:
> http://mediabeez.ws/downloads/sha256.js-php.zip
> The principles i'm about to explain stay the same.
>
> *but i'd really like to know if my crypto can be improved*
>
> So instead of the browser getting just a text-field for username and
> password, you also send the "challenge" (and "system_hash") value.
> That's a 100-character random string (include special characters!), then
> sha256-ed (for prettiness mostly i think).
>
> I really wonder if i can do without the systemhash..
>
> ------------------------------------ HTML --------------------------------
> <form id="myForm">
> <input type="hidden" id="system_hash" name="system_hash"
> value="[SHA256 SORTA-MASTER-KEY__DUNNO-WHAT-TO-DO-WITH-THIS]"/>
> <input type="hidden" id="challenge" name="challenge"
> value="[SHA256RANDOMSTRINGFROMPHP]"/>
> <table>
> <tr><td>Login</td><td> </td><td><input id='login'
> name='login'/></td></tr>
> <tr><td>Password</td><td> </td><td><input id='pass'
> name='pass'/></td></tr>
> </table>
> </form>
>
>
> ------------------------------------ JS ------------------------------------
>
> $('#myForm').submit (function() {
> var s = $('#system_hash')[0];
> var c = $('#challenge')[0];
> var l = $('#login')[0];
> var p = $('#pass')[0];
>
> l.value = sha256 (sha256 (l.value + s.value) + c.value);
> p.value = sha256 (sha256 (p.value + s.value) + c.value);
>
> //Here, submit the form using ajax routines in plain text, as both the login name and
> //password are now one-way-encrypted.
> //
> //on the PHP end, authentication is done against a mysql table "users".
> //
> //in this table i have 3 relevant fields:
> //user_login_name (for administrative and display purposes)
> //user_login_name_hash (==sha256 (user_login_name + system_hash))
> //user_password_hash (== passwords aint stored unencrypted in my cms, to prevent
> //admin corruption and pw-theft by third parties; the password is encrypted by the
> //browser in the "new-password-form" with the system hash before it's ever sent to
> //the server. server Never knows about the cleartext password, ever.)
> //
> //when a login-attempt is evaluated, all the records in "users" table have to be
> //traversed (which i admit can get slow on larger userbases... help!?! :)
> //for each user in the users table, the loginhash and password hash are calculated;
> // $uh = sha256 ($users->rec["user_login_name_hash"] . $challenge);
> // $pwh = sha256 ($users->rec["user_password_hash"] . $challenge);
> //and then,
> // if they match the hash strings that were sent (both of them),
> // if the number of login-attempts isn't exceeded,
> // if the IP is still the same (as the one who first requested the html login form
> // with new challenge value)
> //then, maybe, i'll let 'm log in :)
> return false; // the ajax submit above replaces the browser's own form submission
> });
>
>
>
>
> phicarre wrote:
>>
>> How to secure this jquery+php+ajax login procedure ?
>>
>> $('#myForm').submit( function()
>> {
>> $(this).ajaxSubmit( {
>> type:'POST', url:'login.php',
>> success: function(msg)
>> {
>> // **** login ok : how to call the welcome.php ***
>> },
>> error: function(request,iderror)
>> {
>> alert(iderror + " " + request);
>> }
>> });
>> return false;
>> });
>>
>>
>> <form id="myForm" action="" >
>>
>> Name : <input type='text' name='login' size='15' />
>> <div>Password : <input type='password' name='passe' size='15' /></div>
>>
>> <input type="submit" value="login" class="submit" />
>>
>> </form>
>>
>> Login.php check the parameters and reply by echo "ok" or echo "ko"
>>
>> Logically if the answer is ok we must call a welcome.php module BUT,
>> if someone read the client code, he will see the name of the module
>> and can hack the server.
>> May I wrong ? how to secure this code ?
>>
i think you should drop the IP address out of the equation because
when you're behind a firewall with rotating outgoing IP addresses, you
will never get authenticated.
also, traversing users table is a slow operation as you pointed out.
i guess you should look into two way encryption or use ssl which is
better and easier to implement.
virgil
http://www.jampmark.com
--- End Message ---
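Two properties of the quoted scheme are worth spelling out from a defender's side: the stored `user_password_hash` is exactly the value the browser combines with the challenge, so a copy of the users table is as good as the passwords themselves, and `system_hash` is delivered to every visitor in the login page, so it adds no secrecy. The reply's advice to use SSL sidesteps both. Below is what `login.php` (and the check `welcome.php` has to make itself) can look like along those lines, as an added example that is not code from either poster or from the CMS: the password travels over TLS and is verified server-side with `password_hash()`/`password_verify()` (PHP 5.5 and later, i.e. newer than this thread), users are looked up by name instead of traversing the table, failed attempts are counted, and there is no IP binding. The `$users` array, the function names and the demo accounts are constructed stand-ins for the "users" MySQL table and a real request.

```php
<?php
// Added example, not code from the thread: server-side login over TLS with a
// salted, slow password hash. $users is a constructed in-memory stand-in for
// the "users" MySQL table; $server/$post/$session stand in for $_SERVER,
// $_POST and $_SESSION so the logic can be exercised from the CLI.

declare(strict_types=1);

const MAX_FAILED_ATTEMPTS = 5;

/** Signup: only the password hash is stored; the salt lives inside the hash string. */
function registerUser(array &$users, string $login, string $password): void
{
    $users[$login] = [
        'password_hash'   => password_hash($password, PASSWORD_DEFAULT),
        'failed_attempts' => 0,
    ];
}

/** A real hash of a throwaway value, so unknown-user checks cost the same time. */
function dummyHash(): string
{
    static $hash = null;
    if ($hash === null) {
        $hash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }
    return $hash;
}

/** Verify one attempt; the caller learns only success or failure. */
function verifyLogin(array &$users, string $login, string $password): bool
{
    if (!isset($users[$login])) {
        password_verify($password, dummyHash());   // same cost as a real check
        return false;
    }
    $user = &$users[$login];
    if ($user['failed_attempts'] >= MAX_FAILED_ATTEMPTS) {
        return false;                              // locked; reset out of band
    }
    if (!password_verify($password, $user['password_hash'])) {
        $user['failed_attempts']++;
        return false;
    }
    $user['failed_attempts'] = 0;
    if (password_needs_rehash($user['password_hash'], PASSWORD_DEFAULT)) {
        $user['password_hash'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

/**
 * login.php handler: answers "ok" or "ko" like the script in the question and
 * records the identity in the session on success. Refuses credentials sent
 * over plain HTTP, since TLS is what keeps the password private in transit.
 */
function handleLogin(array &$users, array $server, array $post, array &$session): string
{
    $overTls  = !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
    $login    = (string) ($post['login'] ?? '');
    $password = (string) ($post['pass'] ?? '');
    if (!$overTls || $login === '' || $password === '') {
        return 'ko';
    }
    if (!verifyLogin($users, $login, $password)) {
        return 'ko';
    }
    // In a real request: session_regenerate_id(true) before storing the identity.
    $session['user'] = $login;
    return 'ok';
}

/** What welcome.php must do itself: its URL being visible is harmless if it checks the session. */
function isAuthenticated(array $session): bool
{
    return isset($session['user']) && $session['user'] !== '';
}

// Demo with constructed data.
$users = [];
$session = [];
registerUser($users, 'alice', 'correct horse battery staple');
$tls = ['HTTPS' => 'on'];
echo handleLogin($users, ['HTTPS' => 'off'], ['login' => 'alice', 'pass' => 'correct horse battery staple'], $session), "\n"; // ko: not over TLS
echo handleLogin($users, $tls, ['login' => 'alice', 'pass' => 'wrong'], $session), "\n";                                    // ko
echo handleLogin($users, $tls, ['login' => 'mallory', 'pass' => 'wrong'], $session), "\n";                                  // ko, same cost as a real user
echo handleLogin($users, $tls, ['login' => 'alice', 'pass' => 'correct horse battery staple'], $session), "\n";             // ok
var_dump(isAuthenticated($session));                                                                                      // bool(true)
```

The client side then needs no hashing at all: a plain POST of `login` and `pass` to `login.php` over HTTPS, and a redirect to `welcome.php` on "ok". Whether a visitor can read the name `welcome.php` in the page source does not matter, because that script decides on its own via `isAuthenticated()`; it never trusts that `login.php` said "ok" earlier.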