php-general Digest 31 Dec 2010 12:03:25 -0000 Issue 7109
Topics (messages 310403 through 310417):
Re: [PHP-DB] Re: [PHP] Regex for telephone numbers
310403 by: Daniel Brown
memory usage/release & GC
310404 by: Tommy Pham
310416 by: Peter Lind
Re: goto - My comments
310405 by: Ethan Rosenberg
Re: Do you trim() usernames and passwords?
310406 by: Tamara Temple
310407 by: Tamara Temple
310408 by: Mujtaba Arshad
310409 by: Joshua Kehn
310410 by: Joshua Kehn
310411 by: Tamara Temple
310413 by: Tamara Temple
310414 by: Tamara Temple
310415 by: Tamara Temple
310417 by: Nathan Rixham
Re: Regex for telephone numbers
310412 by: Tamara Temple
----------------------------------------------------------------------
--- Begin Message ---
On Thu, Dec 30, 2010 at 14:07, Ethan Rosenberg <[email protected]> wrote:
>
> Josh -
>
> I used \d{3}-\d{3}-\d{4}.
>
> It works beautifully!!
Just keep in mind that invalid numbers will also pass that check,
such as 000-000-0000 or 123-456-6789. That's why my example was a bit
more involved.
--
</Daniel P. Brown>
Network Infrastructure Manager
Documentation, Webmaster Teams
http://www.php.net/
--- End Message ---
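An added example, not taken from the thread (Daniel's own, more involved pattern is not included in this digest): a stricter check next to the loose pattern quoted above. It assumes North American Numbering Plan rules (area code and exchange begin with 2-9 and are not N11 service codes); the function name and sample inputs are constructed.

```php
<?php
// Added example, not code from the thread. The function name and the
// sample inputs are constructed for illustration.

/**
 * Validate a number written as NXX-NXX-XXXX.
 * Assumed NANP rules: area code and exchange start with 2-9,
 * and neither may be an N11 service code (211, 411, 911, ...).
 */
function isPlausibleNanpNumber(string $input): bool
{
    // \A and \z anchor to the true start and end of the string.
    // A plain "$" would also match just before a trailing "\n".
    if (!preg_match('/\A([2-9]\d{2})-([2-9]\d{2})-(\d{4})\z/', $input, $m)) {
        return false;
    }
    foreach ([$m[1], $m[2]] as $code) {
        if (substr($code, 1) === '11') {   // N11 codes are not assignable
            return false;
        }
    }
    return true;
}

$samples = [
    '212-555-0123',      // well-formed
    '000-000-0000',      // all zeros, from the message above
    '123-456-6789',      // area code starts with 1, from the message above
    '911-555-0123',      // N11 area code
    "212-555-0123\n",    // trailing newline
    'x212-555-0123999',  // number embedded in longer input
];

foreach ($samples as $s) {
    // The loose pattern exactly as quoted in the thread: unanchored.
    $loose  = preg_match('/\d{3}-\d{3}-\d{4}/', $s) === 1;
    $strict = isPlausibleNanpNumber($s);
    printf(
        "%-22s loose=%-4s strict=%s\n",
        json_encode($s),
        $loose ? 'pass' : 'fail',
        $strict ? 'pass' : 'fail'
    );
}
```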
--- Begin Message ---
Hi folks,
With the recent thread about password & security, I wrote a small quick
script to generate a random or all possible passwords based on certain
parameters for a brute force use. On a very long running execution for a
complex password in length with full use of the keys (94 characters),
including upper case, the script seems to consume more memory (shown in
Windows task manager) as time progresses. Below are snippets from the script
file that does the workload:
    while (!$this->isMax())
    {
        for ($b = 0; $b <= $this->pwdLength; $b++)
        {
            if ($this->counter[$b] < $this->max)
            {
                $this->pwd[$b] = $this->charList[$this->counter[$b]];
                $this->counter[$b]++;
                break;
            }
            else
            {
                $this->counter[$b] = 1;
                $this->pwd[$b] = $this->charList[0];
            }
        }
    }

    private function isMax()
    {
        for ($a = $this->pwdLength - 1; $a >= 0; $a--)
        {
            if ($this->counter[$a] < $this->max) return false;
        }
        return true;
    }
Could someone please tell me why the above code consumes additional memory
as time progresses for the execution of the while loop? Researching PHP GC on
Google didn't shed light on problem. Generating all possible combinations
for 20 length with 94 possibilities each, the script easily consumes more
than 1GB RAM in a few minutes. BTW, gc_enabled() reports on.
Thanks,
Tommy
--- End Message ---
--- Begin Message ---
On Dec 31, 2010 6:20 AM, "Tommy Pham" <[email protected]> wrote:
>
> Hi folks,
>
> With the recent thread about password & security, I wrote a small quick
> script to generate a random or all possible passwords based on certain
> parameters for a brute force use. On a very long running execution for a
> complex password in length with full use of the keys (94 characters),
> including upper case, the script seems to consume more memory (shown in
> Windows task manager) as time progresses. Below are snippets from the script
> file that does the workload:
>
> while (!$this->isMax())
> {
> for ($b = 0; $b <= $this->pwdLength; $b++)
> {
> if ($this->counter[$b] < $this->max)
> {
> $this->pwd[$b] =
> $this->charList[$this->counter[$b]];
> $this->counter[$b]++;
> break;
> }
> else
> {
> $this->counter[$b] = 1;
> $this->pwd[$b] = $this->charList[0];
> }
> }
> }
>
> private function isMax()
> {
> for ($a = $this->pwdLength-1; $a>=0; $a--)
> {
> if ($this->counter[$a] < $this->max) return false;
> }
> return true;
> }
>
> Could someone please tell me why the above code consumes additional memory
> as time progresses for the execution of the while loop? Researching PHP GC on
> Google didn't shed light on problem. Generating all possible combinations
> for 20 length with 94 possibilities each, the script easily consumes more
> than 1GB RAM in a few minutes. BTW, gc_enabled() reports on.
>
> Thanks,
> Tommy
>
>
Are you storing or throwing away the passwords? Also, lots of code is
missing from that post, no idea if you've got a memory leak in the rest of
the code.
Regards
Peter
--- End Message ---
--- Begin Message ---
At 02:38 PM 12/27/2010, Jim Lucas wrote:
On 12/27/2010 10:42 AM, Ethan Rosenberg wrote:
<snip>
>
> Now, here is the real puzzler....
>
> The purpose of this routine is to be able to have two (2) forms on one page, but
> not simultaneously. Additionally, I do not wish to call a separate program every
> time a new form is used. The assumption is that the second form depends on the
> entries in the first form. I realize this is not the case here.
>
> The age request and the kitten form both appear on the page together. How do I
> accomplish having them appear separately? If it requires JavaScript or jQuery,
> what is the code to be used?
>
> <snip>
>
>
The key is to look at the value of the submit button. This needs to be unique.
Change around your logic a little and you will have it.
<?php
if ( isset($_POST['submit']) && $_POST['submit'] === 'Submit' ) {
    // process form input
    // accept the field only if it is present and a plain string
    $dob = (isset($_POST['dob']) && is_string($_POST['dob'])) ? $_POST['dob'] : '';
    // split date value into components
    $dateArr = explode('/', $dob);
    // calculate timestamp corresponding to date value
    $dateTs = strtotime($dob);
    // calculate timestamp corresponding to 'today'
    $now = strtotime('today');
    // check that the value entered is in the correct format
    if ( sizeof($dateArr) != 3 ) {
        die('ERROR: Please enter a valid date of birth');
    }
    // check that the value entered is a valid date
    // (cast to int: checkdate() expects integers, not raw request strings)
    if ( $dateTs === false
        || !checkdate((int) $dateArr[0], (int) $dateArr[1], (int) $dateArr[2]) ) {
        die('ERROR: Please enter a valid date of birth');
    }
    // check that the date entered is earlier than 'today'
    if ( $dateTs >= $now ) {
        die('ERROR: Please enter a date of birth earlier than today');
    }
    // calculate difference between date of birth and today in days
    // convert to years
    // convert remaining days to months
    // print output
    $ageDays = floor(($now - $dateTs) / 86400);
    $ageYears = floor($ageDays / 365);
    $ageMonths = floor(($ageDays - ($ageYears * 365)) / 30);
    echo "You are approximately $ageYears years and $ageMonths months old.";
} else if ( isset($_POST['submit']) && $_POST['submit'] === 'Submit Kitten' ) {
    // escape user input before echoing it back into the HTML page
    $cat = (isset($_POST['cat']) && is_string($_POST['cat'])) ? $_POST['cat'] : '';
    $name_cat = htmlspecialchars($cat, ENT_QUOTES, 'UTF-8');
    echo "Your Kitten is $name_cat";
} else {
    // form not yet submitted
    // display form
echo <<<HTML
<form method="post" action="agecalc3.php">
Enter your date of birth, in mm/dd/yyyy format: <br />
<input type="text" name="dob" />
<input type="submit" name="submit" value="Submit" />
</form>
<br /><br />
<form method="post" action="agecalc3.php">
Enter your kitten's name: <br />
<input type="text" name="cat" />
<input type="submit" name="submit" value="Submit Kitten" />
</form>
HTML;
}
?>
Jim Lucas
Jim -
Thanks.
Would you please look at the code you wrote again. I must have
botched it, because both the age and kitten form still are on the
same page. The age page should appear, the data should be accepted
and then the kitten page should appear.
Ethan
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
--- End Message ---
--- Begin Message ---
On Dec 28, 2010, at 2:11 PM, Joshua Kehn wrote:
> Specifically:
>
>>> Dotan Cohen wrote:
>>>> I seem to have an issue with users who copy-paste their usernames and
>>>> passwords copying and pasting leading and trailing space characters.
>
> Users should not be copy-pasting passwords or usernames. Do not
> compromise a system to cater to bad [stupid, ignorant, you pick]
> users. If this is an issue then educate the users.

I'm sorry, but this is just bloody stupid. I keep my usernames and
randomly generated, very long passwords in a password keeper. If
you're not going to let me copy paste them into a web page, I'm just
not going to ever use your application. Copy/pasting is something that
happens on the *local* machine -- it never goes out to the net. By
forcing people to type in their user names and passwords you are going
to cause them to enter easily-remembered, and typically
easily-crackable combinations. What is the possible logic for disallowing
someone to paste in their usernames/passwords???
--- End Message ---
--- Begin Message ---
On Dec 28, 2010, at 10:28 PM, Joshua Kehn wrote:
> On Dec 28, 2010, at 6:28 PM, Paul M Foster wrote:
>
>> On Tue, Dec 28, 2010 at 03:11:56PM -0500, Joshua Kehn wrote:
>>
>>> Specifically:
>>>
>>>>> Dotan Cohen wrote:
>>>>>> I seem to have an issue with users who copy-paste their usernames and
>>>>>> passwords copying and pasting leading and trailing space characters.
>>>
>>> Users should not be copy-pasting passwords or usernames. Do not
>>> compromise a system to cater to bad [stupid, ignorant, you pick]
>>> users. If this is an issue then educate the users.
>>
>> Wrong. I use a program called pwgen to generate passwords for me, which
>> I cannot remember. I use another program I built to store them in an
>> encrypted file. When I have to supply a password which I've forgotten
>> (as usual), I fire up my password "vault", find the password, and paste
>> it wherever it's needed. Users would be wise to follow a scheme like
>> this, rather than using their dog's name or somesuch as their passwords.
>>
>> Paul
>>
>> --
>> Paul M. Foster
>> http://noferblatz.com
>
> What is "wrong?" That users should not be copy-pasting passwords or
> don't compromise the system?
>
> I agree that users should not use weak passwords, but not everyone
> goes everywhere with a vault. I am more than capable of memorizing
> 20 or so 16-32 character full set passwords.

20? child's play. How about 250+ randomly generated passwords and
username combinations?
--- End Message ---
--- Begin Message ---
Won't there also be a higher chance of getting your username/password
combination stolen if you are keylogged, if you are typing in your passwords
all day everyday? Obviously, the people on this list will say "I don't get
keylogged, cause I am that pro" but whatever, just don't force people to
enter passwords, no one appreciates it.
On Fri, Dec 31, 2010 at 1:26 AM, Tamara Temple <[email protected]> wrote:
>
> On Dec 28, 2010, at 2:11 PM, Joshua Kehn wrote:
>
> Specifically:
>>
>> Dotan Cohen wrote:
>>>>
>>>>> I seem to have an issue with users who copy-paste their usernames and
>>>>> passwords copying and pasting leading and trailing space characters.
>>>>>
>>>>
>> Users should not be copy-pasting passwords or usernames. Do not compromise
>> a system to cater to bad [stupid, ignorant, you pick] users. If this is an
>> issue then educate the users.
>>
>
> I'm sorry, but this is just bloody stupid. I keep my usernames and randomly
> generated, very long passwords in a password keeper. If you're not going to
> let me copy paste them into a web page, I'm just not going to ever use your
> application. Copy/pasting is something that happens on the *local* machine
> -- it never goes out to the net. By forcing people to type in their user
> names and passwords you are going to cause them to enter easily-remembered,
> and typically easily-crackable combinations. What is the possible logic for
> disallowing someone to paste in their usernames/passwords???
>
--
Mujtaba
--- End Message ---
--- Begin Message ---
On Dec 31, 2010, at 1:26 AM, Tamara Temple wrote:
>
> On Dec 28, 2010, at 2:11 PM, Joshua Kehn wrote:
>
>> Specifically:
>>
>>>> Dotan Cohen wrote:
>>>>> I seem to have an issue with users who copy-paste their usernames and
>>>>> passwords copying and pasting leading and trailing space characters.
>>
>> Users should not be copy-pasting passwords or usernames. Do not compromise a
>> system to cater to bad [stupid, ignorant, you pick] users. If this is an
>> issue then educate the users.
>
> I'm sorry, but this is just bloody stupid. I keep my usernames and randomly
> generated, very long passwords in a password keeper. If you're not going to
> let me copy paste them into a web page, I'm just not going to ever use your
> application. Copy/pasting is something that happens on the *local* machine --
> it never goes out to the net. By forcing people to type in their user names
> and passwords you are going to cause them to enter easily-remembered, and
> typically easily-crackable combinations. What is the possible logic for
> disallowing someone to paste in their usernames/passwords???
>
My point has been completely missed by you. I'm not saying don't allow copy
pasting usernames and passwords (though I think that this is a poor choice).
I'm saying don't automatically trim the passwords.
Regards,
-Josh
____________________________________
Joshua Kehn | [email protected]
http://joshuakehn.com
--- End Message ---
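An added example, not code from any poster in this thread: one way to act on the distinction drawn in the message above, normalising the username while hashing the password exactly as submitted. The function names and sample values are constructed; it uses PHP's built-in password_hash() and password_verify().

```php
<?php
// Added example, not code from the thread. Function names and sample
// values are constructed for illustration.

/** Strip ASCII and Unicode whitespace from both ends of a UTF-8 string. */
function stripEdgeWhitespace(string $raw): string
{
    // trim() only removes " \t\n\r\0\x0B". \p{Z} also covers U+00A0
    // (no-break space), which often comes along when copying from HTML mail.
    $clean = preg_replace('/\A[\p{Z}\s]+|[\p{Z}\s]+\z/u', '', $raw);
    if ($clean === null) {
        throw new InvalidArgumentException('input is not valid UTF-8');
    }
    return $clean;
}

/** Usernames are identifiers, so normalising them is safe and helpful. */
function normalizeUsername(string $raw): string
{
    return stripEdgeWhitespace($raw);
}

/** Passwords are secrets: hash exactly the bytes the user submitted. */
function registerPassword(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

/** Lets the UI warn about pasted edge whitespace without altering the secret. */
function hasEdgeWhitespace(string $password): bool
{
    return stripEdgeWhitespace($password) !== $password;
}

// Constructed walk-through.
$pasted = "\u{00A0}alice \n";     // username copied with stray whitespace
$secret = ' correct horse ';      // user deliberately chose edge spaces
$stored = registerPassword($secret);

$checks = [
    'trim() leaves NBSP on username'  => trim($pasted) !== 'alice',
    'normalised username is clean'    => normalizeUsername($pasted) === 'alice',
    'exact password verifies'         => password_verify($secret, $stored),
    'trimmed password still verifies' => password_verify(trim($secret), $stored),
    'edge whitespace can be flagged'  => hasEdgeWhitespace($secret),
];
foreach ($checks as $label => $result) {
    printf("%-34s %s\n", $label, var_export($result, true));
}
```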
--- Begin Message ---
On Dec 31, 2010, at 1:31 AM, Tamara Temple wrote:
>
> On Dec 28, 2010, at 10:28 PM, Joshua Kehn wrote:
>
>> On Dec 28, 2010, at 6:28 PM, Paul M Foster wrote:
>>
>>> On Tue, Dec 28, 2010 at 03:11:56PM -0500, Joshua Kehn wrote:
>>>
>>>> Specifically:
>>>>
>>>>>> Dotan Cohen wrote:
>>>>>>> I seem to have an issue with users who copy-paste their usernames and
>>>>>>> passwords copying and pasting leading and trailing space characters.
>>>>
>>>> Users should not be copy-pasting passwords or usernames. Do not compromise
>>>> a system to cater to bad [stupid, ignorant, you pick] users. If this is an
>>>> issue then educate the users.
>>>>
>>>
>>> Wrong. I use a program called pwgen to generate passwords for me, which
>>> I cannot remember. I use another program I built to store them in an
>>> encrypted file. When I have to supply a password which I've forgotten
>>> (as usual), I fire up my password "vault", find the password, and paste
>>> it wherever it's needed. Users would be wise to follow a scheme like
>>> this, rather than using their dog's name or somesuch as their passwords.
>>>
>>> Paul
>>>
>>> --
>>> Paul M. Foster
>>> http://noferblatz.com
>>>
>>
>> What is "wrong?" That users should not be copy-pasting passwords or don't
>> compromise the system?
>>
>> I agree that users should not use weak passwords, but not everyone goes
>> everywhere with a vault. I am more than capable of memorizing 20 or so 16-32
>> character full set passwords.
>
> 20? child's play. How about 250+ randomly generated passwords and username
> combinations?
Why do you randomly generate 250+ usernames and passwords??
Regards,
-Josh
____________________________________
Joshua Kehn | [email protected]
http://joshuakehn.com
--- End Message ---
--- Begin Message ---
On Dec 29, 2010, at 7:27 PM, Mujtaba Arshad wrote:
> craphound.com/images/xkcdwrongoninternet.jpg

Least you could do is give Randall the love, instead of Cory :)
http://xkcd.com/386/
--- End Message ---
--- Begin Message ---
On Dec 31, 2010, at 12:41 AM, Joshua Kehn wrote:
> On Dec 31, 2010, at 1:26 AM, Tamara Temple wrote:
>>
>> On Dec 28, 2010, at 2:11 PM, Joshua Kehn wrote:
>>
>>> Specifically:
>>>
>>>>> Dotan Cohen wrote:
>>>>>> I seem to have an issue with users who copy-paste their usernames and
>>>>>> passwords copying and pasting leading and trailing space characters.
>>>
>>> Users should not be copy-pasting passwords or usernames. Do not
>>> compromise a system to cater to bad [stupid, ignorant, you pick]
>>> users. If this is an issue then educate the users.
>>
>> I'm sorry, but this is just bloody stupid. I keep my usernames and
>> randomly generated, very long passwords in a password keeper. If
>> you're not going to let me copy paste them into a web page, I'm
>> just not going to ever use your application. Copy/pasting is
>> something that happens on the *local* machine -- it never goes out
>> to the net. By forcing people to type in their user names and
>> passwords you are going to cause them to enter easily-remembered,
>> and typically easily-crackable combinations. What is the possible
>> logic for disallowing someone to paste in their usernames/passwords???
>
> My point has been completely missed by you. I'm not saying don't
> allow copy pasting usernames and passwords (though I think that this
> is a poor choice). I'm saying don't automatically trim the passwords.

Sorry, I was misled by your use of the phrase "Users should not be
copy-pasting passwords or usernames" above. I'd love to hear what you
think is an alternative to identifying with web app that keeps track
of information about someone that is more secure.
--- End Message ---
--- Begin Message ---
On Dec 31, 2010, at 12:41 AM, Joshua Kehn wrote:
> On Dec 31, 2010, at 1:31 AM, Tamara Temple wrote:
>> 20? child's play. How about 250+ randomly generated passwords and
>> username combinations?
>
> Why do you randomly generate 250+ usernames and passwords??

I generate unique pairs for the various website, email account,
computer systems, and other things I've signed up for.
--- End Message ---
--- Begin Message ---
On Dec 31, 2010, at 12:37 AM, Mujtaba Arshad wrote:
> Won't there also be a higher chance of getting your username/password
> combination stolen if you are keylogged, if you are typing
> in your passwords all day everyday? Obviously, the people on this
> list will say "I don't get keylogged, cause I am that pro" but
> whatever, just don't force people to enter passwords, no one
> appreciates it.
>
> On Fri, Dec 31, 2010 at 1:26 AM, Tamara Temple <[email protected]> wrote:
>>
>> On Dec 28, 2010, at 2:11 PM, Joshua Kehn wrote:
>>
>>> Specifically:
>>>
>>>>> Dotan Cohen wrote:
>>>>>> I seem to have an issue with users who copy-paste their usernames and
>>>>>> passwords copying and pasting leading and trailing space characters.
>>>
>>> Users should not be copy-pasting passwords or usernames. Do not
>>> compromise a system to cater to bad [stupid, ignorant, you pick]
>>> users. If this is an issue then educate the users.
>>
>> I'm sorry, but this is just bloody stupid. I keep my usernames and
>> randomly generated, very long passwords in a password keeper. If
>> you're not going to let me copy paste them into a web page, I'm just
>> not going to ever use your application. Copy/pasting is something
>> that happens on the *local* machine -- it never goes out to the net.
>> By forcing people to type in their user names and passwords you are
>> going to cause them to enter easily-remembered, and typically
>> easily-crackable combinations. What is the possible logic for disallowing
>> someone to paste in their usernames/passwords???

This is an entirely different problem than not letting people copy/paste
their user/password info. I *never* said I do this every day.
--- End Message ---
--- Begin Message ---
Tamara Temple wrote:
> On Dec 28, 2010, at 2:11 PM, Joshua Kehn wrote:
>> Specifically:
>>
>>>> Dotan Cohen wrote:
>>>>> I seem to have an issue with users who copy-paste their usernames and
>>>>> passwords copying and pasting leading and trailing space characters.
>>
>> Users should not be copy-pasting passwords or usernames. Do not
>> compromise a system to cater to bad [stupid, ignorant, you pick]
>> users. If this is an issue then educate the users.
>
> I'm sorry, but this is just bloody stupid. I keep my usernames and
> randomly generated, very long passwords in a password keeper. If you're
> not going to let me copy paste them into a web page, I'm just not going
> to ever use your application. Copy/pasting is something that happens on
> the *local* machine -- it never goes out to the net. By forcing people
> to type in their user names and passwords you are going to cause them to
> enter easily-remembered, and typically easily-crackable combinations.
> What is the possible logic for disallowing someone to paste in their
> usernames/passwords???

Tamara, you're missing half the context, the whole point was don't send
username and password combos in plaintext via email to users (thus
forcing them to copy and paste from email) - this point was made but
then that context has been stripped from the above email, obviously
copy+pasting from a password keeper and such like is totally fine..
--- End Message ---
--- Begin Message ---
On Dec 29, 2010, at 6:12 PM, Ethan Rosenberg wrote:
> I would like to have a regex which would validate that a telephone
> number is in the format xxx-xxx-xxxx.

http://lmgtfy.com/?q=regex+to+validate+US+phone+numbers
--- End Message ---