php-general Digest 23 Feb 2009 06:14:20 -0000 Issue 5974
Topics (messages 288658 through 288662):
Securing web services
288658 by: Yannick Warnier
288659 by: Nathan Rixham
Re: Which file "Included" me?
288660 by: RottenEye
ldap_search filter with memberOf
288661 by: Zaitchik, Alan
need help on the BBcode extension: What's the syntax of the Object Oriented
Notation content_handling
288662 by: Zhang Qingcheng
----------------------------------------------------------------------
--- Begin Message ---
Hi there,
Another Web Service related question. Obviously, Google gives me enough
hints to find *many* documents on the topic (searching for "securing web
services"), but I am developing open-source soft and I'd like to secure
my web services to the maximum without forcing the user to use HTTPS/SSL
(the generation or buying of a certificate is not what our lambda users
can do).
Following the very nice table on page 32 of
http://csrc.nist.gov/publications/nistpubs/800-95/SP800-95.pdf
using a combination of XML Encryption and XML Signature would provide a
cover for almost all security risks related to providing web services.
This article:
http://webservices.xml.com/pub/a/ws/2003/01/15/ends.html
also goes away from the SSL method and *talks* about XML-DSIG and
WS-Security, but that's out of PHP context.
Finally, the following article talks about NuSOAP and the SetCredentials
method, which is probably the closest I can get to secure web services
using existing PHP code.
Would anybody out here have gotten further and be able to tell me how
they did it?
Thanks,
Yannick
--- End Message ---
--- Begin Message ---
Yannick Warnier wrote:
> Hi there,
> Another Web Service related question. Obviously, Google gives me enough
> hints to find *many* documents on the topic (searching for "securing web
> services"), but I am developing open-source soft and I'd like to secure
> my web services to the maximum without forcing the user to use HTTPS/SSL
> (the generation or buying of a certificate is not what our lambda users
> can do).
Yannick,
I'm hoping to save you some time here; Web Services are very poorly
implemented in PHP (and that sentence is the reason I'm emailing you
off-list).
Everything you need is catered for in SOAP and by using the WS-xxx
extensions which are commonplace in the Java and .net world (in fact
most languages) - thankfully those who are fortunate enough to know can
do this in PHP as well and consume all manner of web services, as well
as generate them.
You need WSO2 (oxygen) - specifically WSO2 WSF/PHP; it's the finest web
service library for all languages and has a massive community behind it.
http://wso2.org/projects/wsf/php
docs: http://wso2.org/project/wsf/php/2.0.0/docs/api.html
Honestly my friend, everything you need - I've been through the same
thing as you for months over many projects and this framework saved my life.
It also has very nice scripts for working with WSDL including an
automatic wsdl2php and a full WSDL generation API :)
Many Regards,
Nathan
PS: I have no affiliation :)
--- End Message ---
--- Begin Message ---
But we could use rawurlencode($_SERVER['PHP_SELF']), no?

João

Michael A. Peters wrote:
> Nisse Engström wrote:
>> On Wed, 18 Feb 2009 10:37:53 -0800, "Michael A. Peters" wrote:
>>
>>> http://www.gfx-depot.com/forum/-php-server-php-self-validation-t-1636.html
>>> explains a technique to validate the input as well (don't trust that
>>> is clean)
>>
>> Amazing! Not once did they mention htmlspecialchars().
>>
>> /Nisse
>
> htmlspecialchars causes problems if you are going to use the data with
> DOMDocument.
>
> I believe the point was to produce a proper $_SERVER['PHP_SELF'] - not a
> sanitized but still borked version.
--- End Message ---
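
Added example (not part of the thread above): a comparison of what each encoding discussed there does to a PHP_SELF value that carries extra path data. The request values and the helper names encodePath(), attrSafe() and isAbsolutePath() are constructed for this illustration.

```php
<?php
// Added example, not from the thread. The request values are constructed.

// Percent-encode each path segment but keep the "/" separators, so the
// result is still a usable URL path.
function encodePath(string $path): string
{
    return implode('/', array_map('rawurlencode', explode('/', $path)));
}

// True when the value cannot break out of a quoted HTML attribute.
function attrSafe(string $value): bool
{
    return strpbrk($value, '"\'<>') === false;
}

// True when the value still starts with "/" and so names the same script.
function isAbsolutePath(string $value): bool
{
    return strncmp($value, '/', 1) === 0;
}

// PHP_SELF is typically SCRIPT_NAME followed by PATH_INFO, and the extra
// path part is taken from the requested URL. Constructed request values:
$server = [
    'SCRIPT_NAME' => '/app/form.php',
    'PHP_SELF'    => '/app/form.php/"><b>x</b>',
];

$candidates = [
    'raw PHP_SELF'                  => $server['PHP_SELF'],
    // Encoding the whole string also turns every "/" into %2F.
    'rawurlencode(PHP_SELF)'        => rawurlencode($server['PHP_SELF']),
    'per-segment rawurlencode'      => encodePath($server['PHP_SELF']),
    'htmlspecialchars(PHP_SELF)'    =>
        htmlspecialchars($server['PHP_SELF'], ENT_QUOTES, 'UTF-8'),
    // SCRIPT_NAME carries no PATH_INFO; escape it for the attribute anyway.
    'htmlspecialchars(SCRIPT_NAME)' =>
        htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8'),
];

foreach ($candidates as $label => $value) {
    printf("%-30s attr-safe=%-3s path=%-3s %s\n", $label,
        attrSafe($value) ? 'yes' : 'NO',
        isAbsolutePath($value) ? 'yes' : 'NO',
        $value);
}
```
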
--- Begin Message ---
I am trying to construct a filter for ldap_search that tests the AD memberOf
attribute. The latter has possibly multiple values for a given user, and I want
something like (memberOf=*Student*) to get all and only the students. I realize
that the above does not work, that the memberOf attribute has some internal
structure that requires something more complicated, but I cannot seem to get it
working.
What I have done is use a very broad $filter, an $attribs that includes
"memberOf"-- and then loop through the results keeping only the students, thus:
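$sr = ldap_search($ldapconn, $dn, $filter, $attribs);
for ($entryid = ldap_first_entry($ldapconn, $sr);
     $entryid != false;
     $entryid = ldap_next_entry($ldapconn, $entryid)) {
    // Entries without a memberOf attribute return false: skip them
    $values = ldap_get_values($ldapconn, $entryid, 'memberof');
    if ($values === false) {
        continue;
    }
    // Join all memberOf values (group DNs) of this entry into one string
    $this_memberof = implode($values);
    // stripos() returns 0 for a match at offset 0, so compare with false
    if (stripos($this_memberof, 'student') !== false) {
        // do something, etc.
    }
}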
But this is wildly inefficient. How can I just create the filter I need for
ldap_search?
Thanks!
Alan
--- End Message ---
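
Added example (not part of the message above): one way to let the directory do the filtering. AD's memberOf holds complete group DNs, so the filter has to name the group's full DN; the value is escaped with ldap_escape() before it goes into the filter. The host, base DN, group names and the helpers memberOfFilter() and findGroupDn() are constructed placeholders; ext-ldap and PHP 5.6 or later are assumed.

```php
<?php
// Added example, not from the original message. Base DN and group names
// are constructed placeholders. Needs ext-ldap and PHP >= 5.6.

// memberOf holds complete distinguished names, so the filter must give the
// group's full DN; a substring pattern such as *Student* does not match.
function memberOfFilter(string $groupDn, bool $nested = false): string
{
    // Escape as a filter value: \ * ( ) and NUL become \5c \2a \28 \29 \00.
    $value = ldap_escape($groupDn, '', LDAP_ESCAPE_FILTER);
    // 1.2.840.113556.1.4.1941 is AD's LDAP_MATCHING_RULE_IN_CHAIN, which
    // also follows membership through nested groups.
    $attr = $nested ? 'memberOf:1.2.840.113556.1.4.1941:' : 'memberOf';
    return "(&(objectCategory=person)(objectClass=user)($attr=$value))";
}

// Resolve a group's DN from its common name (hypothetical helper).
function findGroupDn($conn, string $baseDn, string $groupCn): ?string
{
    $cn = ldap_escape($groupCn, '', LDAP_ESCAPE_FILTER);
    $sr = ldap_search($conn, $baseDn, "(&(objectCategory=group)(cn=$cn))", ['cn']);
    if ($sr === false) {
        return null;
    }
    $entry = ldap_first_entry($conn, $sr);
    if ($entry === false) {
        return null;
    }
    $dn = ldap_get_dn($conn, $entry);
    return $dn === false ? null : $dn;
}

// Offline demonstration on a constructed DN: no directory is contacted.
$groupDn = 'CN=Students (2009),OU=Groups,DC=example,DC=edu';
echo memberOfFilter($groupDn), "\n";        // direct members only
echo memberOfFilter($groupDn, true), "\n";  // including nested groups

// Against a live directory (after ldap_connect/ldap_bind) it would be:
//   $dn = findGroupDn($ldapconn, 'DC=example,DC=edu', 'Students (2009)');
//   $sr = ldap_search($ldapconn, 'DC=example,DC=edu',
//                     memberOfFilter($dn), ['cn', 'mail']);
```
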
--- Begin Message ---
Hi there,
I'm using the BBcode extension (version 1.0.2), and the manual (url: http://www.php.net/manual/en/function.bbcode-create.php)
says that "bbcode_initial_tags" accepts Object Oriented Notation on
content_handling, but I can't find any documentation on this notation or
syntax, so could anyone tell me how to use the Object Oriented Notation?
Regards,
Kinch
--- End Message ---