php-general Digest 24 Aug 2010 13:08:45 -0000 Issue 6908
Topics (messages 307630 through 307636):
Re: strtotime()
307630 by: Ashley Sheridan
307631 by: Daniel Brown
307632 by: Rick Pasotto
307633 by: Daniel P. Brown
307634 by: Rick Pasotto
307635 by: Daniel Brown
Re: How safe is a .htaccess file?
307636 by: Jan G.B.
----------------------------------------------------------------------
--- Begin Message ---
On Mon, 2010-08-23 at 16:04 -0400, Rick Pasotto wrote:
> On my home machine running 5.3.2-2 in debian linux the commands:
>
> echo date('Y-m-d',strtotime('first day of this month')).'<br/>';
> echo date('Y-m-d',strtotime('last day of next month'));
>
> give the expected results.
>
> I just got setup with a hosting provider running 5.2.13 on BSD and both
> give '1969-12-31'.
>
> What could be causing this? The second command is straight from the
> manual and the first is clearly implied.
>
> So far everything else seems to work as expected.
>
> --
> "Economics is extremely useful as a form of employment for economists."
> -- John Kenneth Galbraith
> Rick Pasotto [email protected] http://www.niof.net
>
The example you quote as being straight from the manual page is actually
from the user-submitted code snippets, and I can't find the
documentation to support it. I can only assume that it's possibly an
experimental thing, or something that shouldn't work but by freak
coincidence does occasionally. Maybe use mktime() instead to get the
dates?
Thanks,
Ash
http://www.ashleysheridan.co.uk
--- End Message ---
--- Begin Message ---
On Mon, Aug 23, 2010 at 17:02, Ashley Sheridan <[email protected]>
wrote:
>
> The example you quote as being straight from the manual page is actually
> from the user-submitted code snippets, and I can't find the
> documentation to support it. I can only assume that it's possibly an
> experimental thing, or something that shouldn't work but by freak
> coincidence does occasionally. Maybe use mktime() instead to get the
> dates?
Relative date strings - specifically including those terms - are
in PHP5 >= 5.3.0 exclusively, for now. I don't believe there are any
plans to backport it to the 5.2 branch.
Rick, if you want to add this as a "Documentation Problem" to
http://bugs.php.net/, one of us will likely add it to the
documentation, as it probably should not only be noted, but also be in
an easy-to-find place (you know, such as right there on the
strtotime() manual entry).
--
</Daniel P. Brown>
UNADVERTISED DEDICATED SERVER SPECIALS
SAME-DAY SETUP
Just ask me what we're offering today!
[email protected] || [email protected]
http://www.parasane.net/ || http://www.pilotpig.net/
--- End Message ---
--- Begin Message ---
On Mon, Aug 23, 2010 at 05:57:28PM -0400, Daniel Brown wrote:
> On Mon, Aug 23, 2010 at 17:02, Ashley Sheridan <[email protected]>
> wrote:
> >
> > The example you quote as being straight from the manual page is actually
> > from the user-submitted code snippets, and I can't find the
> > documentation to support it. I can only assume that it's possibly an
> > experimental thing, or something that shouldn't work but by freak
> > coincidence does occasionally. Maybe use mktime() instead to get the
> > dates?
>
> Relative date strings - specifically including those terms - are
> in PHP5 >= 5.3.0 exclusively, for now. I don't believe there are any
> plans to backport it to the 5.2 branch.
>
> Rick, if you want to add this as a "Documentation Problem" to
> http://bugs.php.net/, one of us will likely add it to the
> documentation, as it probably should not only be noted, but also be in
> an easy-to-find place (you know, such as right there on the
> strtotime() manual entry).
After I sent my original post the one and only user comment on the
relative date strings man page was pointed out to me. So, it's there but
how many people make a habit of reading all the user comments?
Anyway, the following work:
// first day of this month
$t1 = strtotime(date('Y-m',strtotime('this month')));
// last day of next month
// get the first day of month after next and subtract one day
$t2 = strtotime(date('Y-m',$t1 + (86400 * 70)))-86400;
--
"I'm so optimistic I'd go after Moby Dick in a row boat and take the
tartar sauce with me." -- Zig Zigler
Rick Pasotto [email protected] http://www.niof.net
--- End Message ---
--- Begin Message ---
On Mon, Aug 23, 2010 at 22:27, Rick Pasotto <[email protected]> wrote:
>
> After I sent my original post the one and only user comment on the
> relative date strings man page was pointed out to me. So, it's there but
> how many people make a habit of reading all the user comments?
A few thousand per day, give or take.
I do remember seeing which page had the note, but I don't recall
which one. Can you send me the link so that I can pop that out and
put the info in the documentation?
--
</Daniel P. Brown>
--- End Message ---
--- Begin Message ---
On Mon, Aug 23, 2010 at 11:38:41PM -0400, Daniel P. Brown wrote:
> On Mon, Aug 23, 2010 at 22:27, Rick Pasotto <[email protected]> wrote:
> >
> > After I sent my original post the one and only user comment on the
> > relative date strings man page was pointed out to me. So, it's there but
> > how many people make a habit of reading all the user comments?
>
> A few thousand per day, give or take.
>
> I do remember seeing which page had the note, but I don't recall
> which one. Can you send me the link so that I can pop that out and
> put the info in the documentation?
http://us2.php.net/manual/en/datetime.formats.relative.php
--
"There are always three speeches, for every one you actually gave. The
one you practiced, the one you gave, and the one you wish you gave."
-- Dale Carnegie
Rick Pasotto [email protected] http://www.niof.net
--- End Message ---
--- Begin Message ---
On Tue, Aug 24, 2010 at 00:37, Rick Pasotto <[email protected]> wrote:
>
> http://us2.php.net/manual/en/datetime.formats.relative.php
Thank you, sir!
--
</Daniel P. Brown>
--- End Message ---
--- Begin Message ---
2010/8/19 Andre Polykanine <[email protected]>:
> Hello Nathan,
>
> Sorry, could you provide any links to read for a security noob?)
> Actually, I know that the md5 is decryptable (there are bases with
> words encrypted in md5), but I thought the SHA1 was secure...
> --
> With best regards from Ukraine,
> Andre
> ----- Original message -----
> From: Nathan Rixham <[email protected]>
> To: tedd <[email protected]>
> Date: Thursday, August 19, 2010, 12:03:12 PM
> Subject: [PHP] Re: How safe is a .htaccess file?
>
> tedd wrote:
>> Hi gang:
>>
>> The subject line says it all.
>>
>> How secure is a .htaccess file to store passwords and other sensitive
>> stuff?
>>
>> Can a .htaccess file be viewed remotely?
>
> Semi-safe,
>
> .htaccess is prevented from being served by configuration options (which
> come as default), however these can be overwritten so best to check by
> doing a GET on the resource URI.
>
> This doesn't prevent them from being exposed via other processes though,
> for instance a poorly coded 'download.php?path=/path/to/.htaccess' could
> still expose the file.
>
> Typically, it's obviously better to store only a hash of a password
> rather than the pass in plain text, choosing the strongest algorithm you
> can; password security is of course relative though, a sha-512 of
> 'password1' is far from secure.
>
> A good way to approach encryption for files is to openssl_seal them
> using a public key which is only available to your application - this
> doesn't negate insecure code, but it at least ensures the raw files are
> encrypted securely enough to negate any of these worries. (just keep
> your private key safe, preferably in a pkcs12 w/a strong 64char+ pass)
>
> Best,
>
> Nathan
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
Hi Nathan,
I'm not a crypto expert.. but I'll try to explain it:
The weakness of MD5 is mainly because MD5 collisions are possible.
That means, that different strings can have the same MD5-hash...
When you use "test" as a secret password, then no hashing algorithm at
all can be considered as "safe". The first two passwords a cracker will
try might be "1234" and "test".. No big deal.
Databases of MD5-hashes exist. And so can exist Databases of SHA-*
hashes. To get around these databases you can just "salt" your hash..
that way the Hash of the word "test" will not be the same as the hash
in the database without *your* salt. No matter if you use MD5 or
SHA256
$ echo -ne test | md5sum
098f6bcd4621d373cade4e832627b4f6 -
$ echo -ne test-mySecretSalt | md5sum
c62fb41567c476e36ba46e5b53ae6d59 -
Only the first string will be available in a hash-database.
So you see - as long as a cracker only gets your salted hashes
WITHOUT the used salt, it's pretty safe.. as long as you don't think
about ignore collisions!
Back to topic:
- as mentioned before the biggest risk in authentication via .ht*
files is that one can try to get these files via a bug in an
application.. (e.g. ?read_file=.htaccess%00)
- that's why you don't want to use plain text-passwords in .htaccess
files. Most used is the htdigest algorithm. Be sure to use a STRONG
password: long string with letters, numbers and more chars.
- if you're curious, get a copy of "John the Ripper password cracker"
and try to decode your passwords.. that's what the bad guys use once
they get your .htaccess file.
Regards
--- End Message ---
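The file-disclosure risk raised in the thread above (a download script handing out .htaccess through a path parameter) can be closed on the server side. This is an added example, not code from any poster; resolve_download() and the temporary directory layout are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. resolve_download() and the
// temporary directory layout below are assumptions made for illustration.

function resolve_download($root, $requested)
{
    // Reject NUL bytes explicitly (the "%00" case mentioned in the message).
    if (strpos($requested, "\0") !== false) {
        return false;
    }
    $rootReal = realpath($root);
    if ($rootReal === false) {
        return false;
    }
    // realpath() resolves "../" and symlinks and fails for missing files.
    $full = realpath($rootReal . DIRECTORY_SEPARATOR . $requested);
    if ($full === false || !is_file($full)) {
        return false;
    }
    // The resolved path must still be inside the download root.
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    // Never serve dotfiles (.htaccess, .htpasswd, ...) even inside the root.
    foreach (explode(DIRECTORY_SEPARATOR, substr($full, strlen($prefix))) as $part) {
        if ($part !== '' && $part[0] === '.') {
            return false;
        }
    }
    return $full;
}

// Constructed sample tree in the system temp directory.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dl_demo_' . uniqid();
$root = $base . DIRECTORY_SEPARATOR . 'files';
mkdir($root, 0700, true);
file_put_contents($root . DIRECTORY_SEPARATOR . 'report.txt', 'public');
file_put_contents($root . DIRECTORY_SEPARATOR . '.htaccess', 'constructed');
file_put_contents($base . DIRECTORY_SEPARATOR . 'secret.txt', 'outside root');

$cases = array('report.txt', '.htaccess', '../secret.txt', "report.txt\0.jpg", '/etc/passwd');
foreach ($cases as $case) {
    $ok = resolve_download($root, $case) !== false;
    printf("%-20s %s\n", addcslashes($case, "\0"), $ok ? 'served' : 'denied');
}
```

Only report.txt is served; the dotfile, the traversal, the NUL-byte name and the absolute path are all denied.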
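The salting discussion in the message above, carried one step further as an added example (not code from any poster): an unsalted hash, a single shared salt, and a random salt per password. The lookup table is constructed, and password_hash() is assumed to be available (PHP 5.5 or later).

```php
<?php
// Added example, not code from the thread. The lookup table is constructed;
// its single entry is the MD5 of "test" quoted in the message above.
$lookup = array('098f6bcd4621d373cade4e832627b4f6' => 'test');

// 1. Unsalted hash: a plain table lookup recovers the password.
$unsalted = md5('test');
$found = isset($lookup[$unsalted]) ? $lookup[$unsalted] : null;

// 2. One site-wide salt: the table no longer matches, but every user
//    with the same password still gets the same hash.
$siteSalt = '-mySecretSalt';
$alice = md5('test' . $siteSalt);
$bob   = md5('test' . $siteSalt);

// 3. password_hash(): a random salt per call and a deliberately slow
//    algorithm; the salt is stored inside the returned string.
$h1 = password_hash('test', PASSWORD_DEFAULT);
$h2 = password_hash('test', PASSWORD_DEFAULT);

printf("unsalted found in table:      %s\n", $found === null ? 'no' : "yes ($found)");
printf("site-salted found in table:   %s\n", isset($lookup[$alice]) ? 'yes' : 'no');
printf("site-salted, same for users:  %s\n", $alice === $bob ? 'yes' : 'no');
printf("password_hash, same twice:    %s\n", $h1 === $h2 ? 'yes' : 'no');
printf("password_verify on both:      %s\n",
    password_verify('test', $h1) && password_verify('test', $h2) ? 'ok' : 'fail');
printf("wrong password rejected:      %s\n",
    password_verify('1234', $h1) ? 'no' : 'yes');
```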