php-general Digest 7 Aug 2010 02:22:49 -0000 Issue 6883

Topics (messages 307344 through 307359):

Protecting PHP scripts called via AJAX from evil
        307344 by: Marc Guay
        307345 by: Ashley Sheridan
        307346 by: Joshua Kehn
        307348 by: tedd
        307349 by: Marc Guay

Re: Quotes vs. Single Quote
        307347 by: tedd
        307353 by: Bill Guion
        307354 by: Richard Quadling

Re: PHP The Anthem
        307350 by: Joshua Kehn
        307351 by: tedd
        307352 by: Joshua Kehn

how do you upload to a 3rd-party remote server?
        307355 by: Govinda
        307356 by: shiplu
        307357 by: Govinda
        307358 by: Daniel P. Brown

question about compiling a portable web server for linux
        307359 by: lainme

Administrivia:

To subscribe to the digest, e-mail:
        [email protected]

To unsubscribe from the digest, e-mail:
        [email protected]

To post to the list, e-mail:
        [email protected]


----------------------------------------------------------------------
--- Begin Message ---
Hi folks,

I'm looking for a straightforward way to protect PHP files which are
called via AJAX from being called from outside my application.
Currently, someone could foreseeably open the console and watch the
javascript post variables to a public file (actions/delete_thing.php)
and then use this knowledge to trash the place.  I found this thread
at stackoverflow which seems to cover the issue I'm looking at, but
it's pretty intense and I figure there's an easier way but I'm not
sure how.

http://stackoverflow.com/questions/2486327/jquery-post-and-php-prevent-the-ability-to-use-script-outside-of-main-website

It seems unlikely that this is the method everyone uses, but maybe
not.  Advice is nice.
Marc

--- End Message ---
--- Begin Message ---
On Fri, 2010-08-06 at 09:41 -0400, Marc Guay wrote:

> Hi folks,
> 
> I'm looking for a straightforward way to protect PHP files which are
> called via AJAX from being called from outside my application.
> Currently, someone could foreseeably open the console and watch the
> javascript post variables to a public file (actions/delete_thing.php)
> and then use this knowledge to trash the place.  I found this thread
> at stackoverflow which seems to cover the issue I'm looking at, but
> it's pretty intense and I figure there's an easier way but I'm not
> sure how.
> 
> http://stackoverflow.com/questions/2486327/jquery-post-and-php-prevent-the-ability-to-use-script-outside-of-main-website
> 
> It seems unlikely that this is the method everyone uses, but maybe
> not.  Advice is nice.
> Marc
> 


I think the only sensible way to solve this is to pass a unique
authentication key with each request. Usually this is done with the
session id, which is checked on the server-side each time an action is
triggered. Sure, someone could look at the session id and copy it to a
script, but sessions usually expire after a certain amount of time if
they don't remain active. Even if someone did start up a script with a
valid session id and make repeated requests to your system, they should
only have the session id if they are a valid user of your system anyway,
so whether they do it via a browser or not shouldn't make much of a
difference.

If you're worried about someone logging in and using an automated
process to abuse your system, you could add a logging method to your PHP
code that tracks every action a user makes. This way, you can then have
checks in your code to look for suspicious activity and destroy a
session. Suspicious activity could be anything from lots of invalid
requests to a continuous stream of requests and requests made at too
regular an interval.

Thanks,
Ash
http://www.ashleysheridan.co.uk



--- End Message ---
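The activity-log checks Ash describes (a continuous stream of requests, many invalid requests, requests at too regular an interval), as an added example that is not code from his reply. The thresholds, the log-entry layout and the two sample logs are constructed here for illustration.

```php
<?php
// Added example, not code from the reply above: a check over a per-user
// action log to spot scripted use. Thresholds, the log layout and the two
// sample logs are constructed here for illustration.
declare(strict_types=1);

// Each entry: [unix time (float), action name, request was valid?]
// The log is assumed to be in chronological order.
function suspicious_activity(array $log, float $now, float $window = 60.0): array
{
    $reasons = [];
    $recent  = array_values(array_filter(
        $log,
        fn(array $e): bool => $now - $e[0] <= $window
    ));

    // A continuous stream of requests.
    if (count($recent) > 30) {
        $reasons[] = count($recent) . " requests in {$window}s";
    }

    // Lots of invalid requests (bad token, bad id, wrong method ...).
    $failed = count(array_filter($recent, fn(array $e): bool => !$e[2]));
    if ($failed >= 5) {
        $reasons[] = "$failed invalid requests in {$window}s";
    }

    // Requests at too regular an interval: a person does not click every
    // 2.000 seconds, a loop with sleep(2) does.
    if (count($recent) >= 6) {
        $gaps = [];
        for ($i = 1, $n = count($recent); $i < $n; $i++) {
            $gaps[] = $recent[$i][0] - $recent[$i - 1][0];
        }
        $mean = array_sum($gaps) / count($gaps);
        $sd   = sqrt(array_sum(array_map(fn(float $g): float => ($g - $mean) ** 2, $gaps)) / count($gaps));
        if ($mean > 0 && $sd / $mean < 0.05) {
            $reasons[] = sprintf('a request every %.2fs with almost no jitter', $mean);
        }
    }
    return $reasons;
}

// Constructed samples: a script firing delete_thing every two seconds,
// and a person who clicked three times in the last minute.
$now = 1281105600.0;
$bot = [];
for ($i = 0; $i < 10; $i++) {
    $bot[] = [$now - 20.0 + 2.0 * $i, 'delete_thing', true];
}
$human = [
    [$now - 50.3, 'delete_thing', true],
    [$now - 31.7, 'delete_thing', true],
    [$now - 4.1,  'delete_thing', false],
];

foreach (['bot' => $bot, 'human' => $human] as $who => $log) {
    $reasons = suspicious_activity($log, $now);
    if ($reasons) {
        // This is the point at which the reply above would destroy the
        // session: session_destroy();
        echo "$who: ", implode('; ', $reasons), "\n";
    } else {
        echo "$who: nothing suspicious\n";
    }
}
```

In a real deployment the log would come from the table the action scripts write to, keyed by user or session id, and the check would run inside each action script before the work is done. Keep the thresholds conservative: a user on a flaky connection retrying a form is not an attacker, and false positives here log people out.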
--- Begin Message ---
On Aug 6, 2010, at 9:41 AM, Marc Guay wrote:

> Hi folks,
> 
> I'm looking for a straightforward way to protect PHP files which are
> called via AJAX from being called from outside my application.
> Currently, someone could foreseeably open the console and watch the
> javascript post variables to a public file (actions/delete_thing.php)
> and then use this knowledge to trash the place.  I found this thread
> at stackoverflow which seems to cover the issue I'm looking at, but
> it's pretty intense and I figure there's an easier way but I'm not
> sure how.
> 
> http://stackoverflow.com/questions/2486327/jquery-post-and-php-prevent-the-ability-to-use-script-outside-of-main-website
> 
> It seems unlikely that this is the method everyone uses, but maybe
> not.  Advice is nice.
> Marc
> 
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
> 
Marc-

The best way (and what I currently use) is to add a nonce style value to the 
form with a random name and then also add that to the session.

session_start();
// Use a CSPRNG: sha1(microtime(true)) is guessable, and sha1(rand(0,10))
// can only ever produce eleven different names.
$nonce = bin2hex(random_bytes(16));
$name  = 'n' . bin2hex(random_bytes(8));

$_SESSION['nonce'] = array($name => $nonce);

?><input type="hidden" value="<?php echo htmlspecialchars($nonce, ENT_QUOTES, 'UTF-8'); ?>"
  name="<?php echo htmlspecialchars($name, ENT_QUOTES, 'UTF-8'); ?>" /><?php

Then in the processing code check the nonce value to ensure (a) it exists, and 
(b) it matches the current session.

You can also log all events in a table, filtering out users who make too many 
requests per minute / second / etc., depending on what you are using the AJAX 
bit for.

Thanks,

-Josh

--- End Message ---
--- Begin Message ---
At 9:41 AM -0400 8/6/10, Marc Guay wrote:
> Hi folks,
>
> I'm looking for a straightforward way to protect PHP files which are
> called via AJAX from being called from outside my application.
> Currently, someone could foreseeably open the console and watch the
> javascript post variables to a public file (actions/delete_thing.php)
> and then use this knowledge to trash the place.  I found this thread
> at stackoverflow which seems to cover the issue I'm looking at, but
> it's pretty intense and I figure there's an easier way but I'm not
> sure how.
>
> http://stackoverflow.com/questions/2486327/jquery-post-and-php-prevent-the-ability-to-use-script-outside-of-main-website
>
> It seems unlikely that this is the method everyone uses, but maybe
> not.  Advice is nice.
> Marc


Marc:

The logic should go like this.

Your initial PHP script [1] first generates a form that employs an AJAX script to trigger the slave PHP script [2], right?

If so, then have script [1] generate a unique token and place it in a SESSION, such as:

$token = bin2hex(random_bytes(16));
$_SESSION['token'] = $token;

Then have the PHP generated HTML form include a hidden input statement, such as:

<input type="hidden" name="token" value="<?php echo htmlspecialchars($token, ENT_QUOTES, 'UTF-8'); ?>">

Note, the "hidden" isn't providing any security -- it simply means that the value isn't printed to the browser window.

Then have the slave PHP script [2] check the value in $_SESSION['token'] against the value provided by the form. If the two match, then everything has been done via your server.

Cheers,

tedd

--
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com

--- End Message ---
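The token scheme in Josh's and tedd's replies above, carried through to the action script, as an added example that is not code from either post. The function names, the csrf_token key, the file name csrf.php and the 403 handling are this example's assumptions.

```php
<?php
// Added example (not from the list posts): one per-session CSRF token shared
// by every AJAX-called action script. start_session_once(),
// csrf_token_for_session(), csrf_hidden_input() and csrf_request_is_valid()
// are names chosen here; csrf.php is an assumed file name.
declare(strict_types=1);

function start_session_once(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Page side: give the session a token (once) and return it for embedding.
function csrf_token_for_session(): string
{
    start_session_once();
    // random_bytes() is a CSPRNG. sha1(microtime()) or sha1(rand()) are
    // guessable, and the whole scheme rests on the token being unguessable.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden input for the form; the JavaScript reads it and posts it along
// with the other fields. "hidden" hides nothing from an attacker, it only
// keeps the value off the rendered page.
function csrf_hidden_input(): string
{
    $t = htmlspecialchars(csrf_token_for_session(), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $t . '">';
}

// Action side: accept only a POST whose token matches the session's token.
function csrf_request_is_valid(array $post, string $method): bool
{
    start_session_once();
    if ($method !== 'POST' || empty($_SESSION['csrf_token'])) {
        return false;
    }
    $sent = $post['csrf_token'] ?? null;
    if (!is_string($sent)) {
        return false;
    }
    // Constant-time comparison. A plain == would leak timing and is also
    // subject to PHP's loose string/number coercion.
    return hash_equals($_SESSION['csrf_token'], $sent);
}

// actions/delete_thing.php would then begin:
//
//   require 'csrf.php';
//   if (!csrf_request_is_valid($_POST, $_SERVER['REQUEST_METHOD'])) {
//       http_response_code(403);
//       exit('invalid request');
//   }
//   // ...and still check that the logged-in user is allowed to delete $_POST['id'].
```

The JavaScript side sends the token with every call, for example `$.post('actions/delete_thing.php', {id: id, csrf_token: token})`. What this buys you is exactly what tedd describes: a page on some other site cannot make the victim's browser trigger delete_thing.php, because it cannot read the token. It does not stop a logged-in user, or anyone holding that user's session cookie, from scripting the same request with the token included, which is Ash's point; the per-user authorization check and the activity log remain necessary.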
--- Begin Message ---
Thanks everyone.

--- End Message ---
--- Begin Message ---
At 9:09 AM -0400 8/6/10, Andrew Ballard wrote:
> On Fri, Aug 6, 2010 at 8:31 AM, tedd <[email protected]> wrote:
>> While it may not be obvious, the statement:
>>
>>> <table border="1">
>>
>> is flawed (IMO).
>>
>> The "best" way to handle this is to define a class (or id) for the table in
>> a css file and then set the border (i.e., styling) to whatever you want. For
>> example, your HTML would look like:
>>
>> <table class="my_table">
>>
>> And your CSS would contain:
>>
>> .my_table
>>   {
>>   border: 1px solid black;
>>   }
>
>
> I more or less agree with you, but sometimes it's technically a little
> more difficult than that.
>
> -snip-
>
> As is often the case with CSS, that's a good bit more text to
> accomplish the same effect as an older, smaller attribute.  :-)
>
> Andrew

Andrew:

The problem you cite is well said and your point is well taken.

However, the main point I am making is to move this problem totally out of the HTML/PHP arena and place it where it belongs, which is inside CSS -- after all, it *is* a presentation problem.

IMO, it is *far* better to deal with browser compatibility problems from one CSS file than it is to sort through all your PHP files looking for the phrase <table border="1">. From my experience, when you have a problem, it is always better to give it a name and deal with it from one location.

As for "older, smaller attributes", they are only getting older and their importance lessens with time (I can relate.) :-)

Cheers,

tedd

--
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com

--- End Message ---
--- Begin Message ---
At 8:31 AM -0400 08/06/10, tedd wrote:

> Cheers,
>
> tedd
>
> PS: Considering that this is Friday, I have a grammar question for the group. I said above:
>
> "neither CSS, PHP, or any web language exist in a vacuum."
>
> Is the word "neither" appropriate in this sentence?
>
> Normally, two items can be compared by "neither" or "nor", but what about more than two items? Is it appropriate to use "neither" or "nor" for more than two items?

Somewhere along the line, probably in college (if it were before college, it would have been so long ago I would have forgotten it), a professor said to handle this sort of thing thusly:

neither A, nor B, nor C ....

A little more wordy, but completely unambiguous.

     -----===== Bill =====-----
--

Don't find fault. Find a remedy. - Henry Ford

--- End Message ---
--- Begin Message ---
On 6 August 2010 16:18, Bill Guion <[email protected]> wrote:
> At 8:31 AM -0400 08/06/10, tedd wrote:
>
>> Cheers,
>>
>> tedd
>>
>> PS: Considering that this is Friday, I have a grammar question for the
>> group. I said above:
>>
>> "neither CSS, PHP, or any web language exist in a vacuum."
>>
>> Is the word "neither" appropriate in this sentence?
>>
>> Normally, two items can be compared by "neither"  or "nor", but what about
>> more than two items? Is it appropriate to use "neither"  or "nor" for more
>> than two items?
>
> Somewhere along the line, probably in college (if it were before college, it
> would have been so long ago I would have forgotten it), a professor said to
> handle this sort of thing thusly:
>
> neither A, nor B, nor C ....
>
> A little more wordy, but completely unambiguous.

"neither CSS, PHP, nor any web language exist in a vacuum."

would probably do. All negatives, so little wiggle room really.

--- End Message ---
--- Begin Message ---
On Aug 6, 2010, at 7:27 AM, tedd wrote:

> At 4:57 PM -0700 8/5/10, Daevid Vincent wrote:
>> http://www.youtube.com/watch?v=S8zhmiS-1kw
>> 
>> http://shiflett.org/blog/2010/aug/php-anthem
>> 
>> ...some people have way too much time. ;-)
> 
> I agree. I don't have time to do nonsense and don't understand how people who 
> are successful can waste time like this. Besides IMO, this is another example 
> of hip-flop.
> 
> Cheers,
> 
> tedd
> 
> -- 
> -------
> http://sperling.com  http://ancientstones.com  http://earthstones.com
> 
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
> 


Is there something wrong with having a little fun? 

Regards,

-Josh
____________________________________
Joshua Kehn | [email protected]
http://joshuakehn.com


--- End Message ---
--- Begin Message ---
At 10:30 AM -0400 8/6/10, Joshua Kehn wrote:
> On Aug 6, 2010, at 7:27 AM, tedd wrote:
>
>
> Is there something wrong with having a little fun?
>
> Regards,
>
> -Josh

Yes, it's a waste of time -- humbug!

Cheers,

tedd

--
-------
http://sperling.com/

--- End Message ---
--- Begin Message ---
On Aug 6, 2010, at 11:12 AM, tedd wrote:

> At 10:30 AM -0400 8/6/10, Joshua Kehn wrote:
>> On Aug 6, 2010, at 7:27 AM, tedd wrote:
>> 
>> 
>> Is there something wrong with having a little fun?
>> 
>> Regards,
>> 
>> -Josh
> 
> Yes, it's a waste of time -- humbug!
> 
> Cheers,
> 
> tedd
> 
> -- 
> -------
> http://sperling.com/


Tedd-

I guess that quarters game was a complete waste of time as well? :)

Regards,

-Josh
____________________________________
Joshua Kehn | [email protected]
http://joshuakehn.com


--- End Message ---
--- Begin Message ---
Hi All

I am working on a page which will write out a file (using another server-side language) and then that file will get uploaded nightly to someone else's FTP directory, on a 3rd party remote server. As I start to contemplate that last part about auto-uploading to someone else's FTP directory, it escapes me what that code will need to look like...
I have some ideas, but I thought to just ask you first.

Can someone outline that pseudo code in PHP for me? .. so I can translate it to the language I am working with?
Or is this a shell operation?  (where I am even more green.)

------------
Govinda
[email protected]





--- End Message ---
--- Begin Message ---
You have to maintain a queue, if I understand it properly.

The PHP page puts a request on one end of the queue,
and a server-side cron job processes it from the other end.
The cron job uploads the file to the FTP server.

Now you can implement the queue using a database table, or you can just use a file.

Shiplu Mokadd.im
My talks, http://talk.cmyweb.net
Follow me, http://twitter.com/shiplu

--- End Message ---
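The cron half of the queue Shiplu describes, as an added example that is not his or Govinda's code: the page drops each finished file into an outbox directory, and this script, run nightly by cron, uploads everything in it and moves each file to a sent directory. The directory paths, the ini file and its keys, the *.csv pattern and the FTPS port are assumptions made for the example.

```php
<?php
// Added example, not Shiplu's or Govinda's code: the cron half of the queue
// described above. The page writes finished files into OUTBOX; this script,
// run nightly by cron, uploads each one over FTPS and moves it to SENT.
// Paths, the ini file layout and the file pattern are assumptions.
declare(strict_types=1);

const OUTBOX = '/var/app/outbox';
const SENT   = '/var/app/sent';

function upload_outbox(string $host, string $user, string $pass, string $remoteDir): array
{
    // ftp_ssl_connect() negotiates explicit FTPS; ftp_connect() would send
    // the password and the data in clear text across the Internet.
    $conn = ftp_ssl_connect($host, 21, 30);
    if ($conn === false) {
        throw new RuntimeException("cannot connect to $host");
    }
    if (!ftp_login($conn, $user, $pass)) {
        ftp_close($conn);
        throw new RuntimeException('FTP login failed');
    }
    ftp_pasv($conn, true); // passive mode gets through most firewalls

    $results = [];
    foreach (glob(OUTBOX . '/*.csv') ?: [] as $path) {
        $name = basename($path);
        // Upload under a temporary name and rename once complete, so the
        // other side never picks up a half-written file.
        $tmp = $remoteDir . '/.' . $name . '.part';
        $ok  = ftp_put($conn, $tmp, $path, FTP_BINARY)
            && ftp_rename($conn, $tmp, $remoteDir . '/' . $name);
        if ($ok) {
            rename($path, SENT . '/' . $name); // dequeue only after success
        }
        $results[$name] = $ok;
    }
    ftp_close($conn);
    return $results;
}

// Credentials live in an ini file owned by the cron user, mode 0600 and
// outside the web root, not in the script and not on the cron command line
// where `ps` would show them.
$cfg = parse_ini_file('/etc/app/ftp.ini');
if ($cfg === false) {
    fwrite(STDERR, "cannot read /etc/app/ftp.ini\n");
    exit(1);
}
foreach (upload_outbox($cfg['host'], $cfg['user'], $cfg['pass'], $cfg['dir']) as $name => $ok) {
    echo date('c'), ' ', $name, ' ', $ok ? 'uploaded' : 'FAILED', "\n";
}
```

A crontab line such as `15 2 * * * /usr/bin/php /var/app/upload_outbox.php >> /var/log/upload.log 2>&1` runs it nightly. On the page side, write the file to a temporary name inside OUTBOX and rename() it into place, so the cron job never sees a partially written file either. If the third party can offer SFTP instead of FTP, take it; if they only offer plain FTP, the password crosses the network unencrypted on every run.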
--- Begin Message ---
> You have to maintain a queue, if I understand it properly.
>
> The PHP page puts a request on one end of the queue,
> and a server-side cron job processes it from the other end.
> The cron job uploads the file to the FTP server.
>
> Now you can implement the queue using a database table, or you can just use a file.

Can you elaborate? This kind of thing is all new to me. I need to see some sample code to even start to get an idea.

Thanks for your (all) time,
-Govinda

--- End Message ---
--- Begin Message ---
On Fri, Aug 6, 2010 at 19:53, Govinda <[email protected]> wrote:
>
> can you elaborate?  This kind of thing is all new to me.  I need to see some
> sample code to even start to get an idea.

    Hopefully Tedd will notice this thread.  He's the man when it
comes to sample code.  While there may be nothing directly-related to
this (I don't know, I haven't looked), you may want to check
http://php1.net/ to see some of his other samples for other issues
that come up.

-- 
</Daniel P. Brown>
UNADVERTISED DEDICATED SERVER SPECIALS
SAME-DAY SETUP
Just ask me what we're offering today!
[email protected] || [email protected]
http://www.parasane.net/ || http://www.pilotpig.net/

--- End Message ---
--- Begin Message ---
Hi, I recently compiled a portable web server for linux, using
lighttpd and php.

But it seems that php can only run on machines with the same glibc version
it was compiled against.  How can I solve the problem?

--- End Message ---
