Re: [PHP-DB] password in md5 to connect to mysql instead of clear password
On Sunday 27 February 2005 20:53, Micah Stevens wrote:
> I think about as safe as you can get is by putting the connection data out
> of the served directory, somewhere that's not directly accessible, and
> concentrate on system integrity. (security wise)

A refinement of this technique is available on Unix boxes to which you have root access.

Create a simple program that can read data about passwords etc. from a file. Create a file that can be read by the program you've written with the 'secrets' you want to keep secure in it. Make this file owned and readable only by root. Set the program owned by root, executable by everyone and suid.

This will allow any user that can execute programs on the machine to obtain the password. Attackers who have just 'escaped' the web server root, say by taking advantage of a coding flaw, will not be able to read the password file. You can use groups to give finer grained access by making the program executable by a specific group only. However if an attacker has managed to obtain an account on your box they could probably just use a rootkit.

In practice I use a simple c program (for speed) to read the password file and a system call in my php script to call the c program. A PHP program could be used for reading the password file but will need to be executed by a shebang rather than as a parameter to php.

I can post further details if anyone is interested.

cheers Simon

--
~~ Simon Rees | [EMAIL PROTECTED] | ORA-03113: end-of-file on communication channel ~~

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DB] password in md5 to connect to mysql instead of clear password
On Monday 28 February 2005 18:44, Simon Rees wrote:
> On Sunday 27 February 2005 20:53, Micah Stevens wrote:
> > I think about as safe as you can get is by putting the connection data
> > out of the served directory, somewhere that's not directly accessible,
> > and concentrate on system integrity. (security wise)
>
> A refinement of this technique is available on Unix boxes to which you
> have root access.
>
> Create a simple program that can read data about passwords etc. from a
> file. Create a file that can be read by the program you've written with
> the 'secrets' you want to keep secure in it. Make this file owned and
> readable only by root. Set the program owned by root, executable by
> everyone and suid.

If you don't need the flexibility of the custom program and would rather make use of existing infrastructure:

http://marc.theaimsgroup.com/?l=php-general&m=110137778213700&w=2

--
Jason Wong - Gremlins Associates - www.gremlins.biz
Open Source Software Systems Integrators
* Web Design Hosting * Internet Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-db
--
New Year Resolution: Ignore top posted posts
RE: [PHP-DB] MySQLPHP decrypt(password)
Thank you Bastien

It works fine, but I do have a problem with login. MySQL does not allow the user to log in.

I did try to use sending email without using the change_password(), but it is sending a different password each time:

1. Why is it sending a different password for one user?
2. How could I get a user password without changing a user password?

kind regards
m

>From: "Bastien Koert" <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED], php-db@lists.php.net
>Subject: RE: [PHP-DB] MySQLPHP decrypt(password)
>Date: Fri, 25 Feb 2005 14:04:30 -0500
>
>You can't. It's an MD5 hash, not an encryption...I reset the password to a random one, and email it to the user, also flag the account to force them to change the password upon login...
>
>[code]
>function mail_password()
>{
>    global $err_msg;
>    //get the variables from the form
>    if ((isset($_POST['email']))&&(isset($_POST['lg_name']))){
>        $email = $_POST['email'];
>        $mid = $_POST['lg_name'];
>        $date_cookie = $_COOKIE['last_time'];
>    }else{
>        $err_msg = "<b>Please enter both your email address and your username. Thank you.</b>";
>        show_form();
>        die();
>    }//end if
>
>    //create the sql and run the query
>    //NOTE: $email and $mid are interpolated into the SQL as typed; escape them
>    //first (e.g. mysql_real_escape_string()) or use a parameterised query
>    $sql = "SELECT * FROM users WHERE user_email='$email' and user_name = '$mid'";
>
>    $result = connect($sql);
>
>    //check the query results
>    if (mysql_num_rows($result)!=1){
>        $err_msg = "<font color=red>No results found. Please re-enter your username and email address to try again.</font>";
>        show_form();
>
>    }else{
>
>        $row = mysql_fetch_array($result);
>        $email2 = $row['cust_email'];
>        $pass = $row['cust_pw'];
>
>        //call the change password function and pass it the information related to the record to create the temp password
>        $new_pass = change_password($mid, $pass);
>
>        $sendto = $email2;
>        $from = "WebMaster <[EMAIL PROTECTED]>";
>        $subject = "Forgotten Password";
>        $message = "Dear $email2,
>
>        Your password is $new_pass.
>
>        Regards,
>        Webmaster";
>        echo $message;
>
>        $headers = "MIME-Version: 1.0\n";
>        $headers .= "Content-type: text/plain; charset=iso-8859-1\n";
>        $headers .= "X-Priority: 3\n";
>        $headers .= "X-MSMail-Priority: Normal\n";
>        $headers .= "X-Mailer: php\n";
>        $headers .= "From: \"".$from."\" <".$from.">\n";
>
>        if (!mail($sendto, $subject, $message, $headers)){
>            echo "Mail failed to send";
>        }else{
>            header("location:confirm1.htm");
>        }//end if
>    }//end if
>}//end function
>
>//---
>// change password function
>//---
>function change_password($id, $password)
>{
>    //generate a random password
>    $pass = "";
>    $salt = "abchefghjkmnpqrstuvwxyz0123456789";
>    srand((double)microtime()*100);
>    $i = 0;
>    while ($i <= 7) {
>        $num = rand() % 33;
>        $tmp = substr($salt, $num, 1);
>        $pass = $pass . $tmp;
>        $i++;
>    }
>    //change the password in the db
>    $sql = "update cust_info set cust_pw ='".md5($pass)."', temp_pass = 1 where cust_lg = '$id' and cust_pw = '$password'";
>    $result = connect($sql);
>    if ($result){
>        return $pass;
>    }else{
>        //retry, and hand the retry's password back to the caller
>        return change_password($id, $password);
>    }
>}//end function
>[/code]
>
>
>bastien
>
>
> >From: "moses Woldeselassie" <[EMAIL PROTECTED]>
> >To: php-db@lists.php.net
> >Subject: [PHP-DB] MySQLPHP decrypt(password)
> >Date: Fri, 25 Feb 2005 10:20:55 +
> >
> >hi all
> >
> >I am using password() to crypt a user password online. but how do i decrypt a user password, when user forgot his/her password?
> >
> >
> >kind regards
> >m
Re: [PHP-DB] password in md5 to connect to mysql instead of clear password
On Monday 28 February 2005 10:52, Jason Wong wrote:
> If you don't need the flexibility of the custom program and would rather
> make use of existing infrastructure:
>
> http://marc.theaimsgroup.com/?l=php-general&m=110137778213700&w=2

You said in that post:

> Set default MySQL user and password in your virtual host container. Then
> connect to MySQL without specifying user and password.

Presumably the file which contains the virtual host directive is readable by the process the webserver is running as - if not how does this work? Therefore the technique you describe is no more secure than that described earlier of putting the passwords in a file outside the webserver root.

The technique I described keeps your passwords secret even if an attacker has read access to files they shouldn't. A similar strategy is used for the shadow password file on Unix boxes.

cheers Simon

--
~~ Simon Rees | [EMAIL PROTECTED] | ORA-03113: end-of-file on communication channel ~~
Re: [PHP-DB] password in md5 to connect to mysql instead of clear password
On Monday 28 February 2005 19:33, Simon Rees wrote:
> You said in that post:
>
> > Set default MySQL user and password in your virtual host container.
> > Then connect to MySQL without specifying user and password.
>
> Presumably the file which contains the virtual host directive is readable
> by the process the webserver is running as - if not how does this work?

When Apache starts up it does so as root and thus has the necessary privileges to read those files. After it has read all its config files it drops root privileges and assumes whichever user you have configured httpd to run as.

--
Jason Wong - Gremlins Associates - www.gremlins.biz
Re: [PHP-DB] Re: password in md5 to connect to mysql instead of clear password
Hi All,

Thanks for all the answers received :-)

I understand now that, if someone can read the md5 hash, he/she can connect. I will check later the certificate stuff.

What I will do for time being will be to:
- move the php connection file out of the web root
- change the privileges so that only root can read it
- pass the phpsec security guide to the php developers :-)

Simon, I read your post regarding the use of a C program and I would be interested in having some more details as we started thinking about implementing something similar.

Our idea is to 'obfuscate' the password in some way and then process the value to get back to the plain text password.

E.g. let's assume our password is 'cabernet'. We could e.g. encrypt the password in some way (using a two-way algorithm) so that the resulting output can't be directly used to connect to Oracle.

If F is the encryption function we compute:

F(cabernet) = tenrebac (in this case F is the reverse string function)

In order to perform the connection to Oracle, the php code would then apply the reverse function.

If someone 'steals' the connection file, he can't use the password unless he reverse engineers the code as well, to find out what the function F is. We could get an extra bit of security by encoding the reverse F function in a compiled C program.

This is not secure at all, since getting hold of the code gives the secret key as well, but it's (probably) the best we can do.

Thanks again for all the interesting answers :-)

Have a nice day all,

Gaël
Re: [PHP-DB] How to emulate phpMyadmin for editing with checkboxes
On Thu, 2005-02-24 at 13:57, Mahmoud Badreddine wrote:
> Thank you for your generous response. I am almost there, but not quite.
> I changed my checkbox statement to look like the following:
> <INPUT type=checkbox name=isSelected[] value=<?php $row['ID'] ?>>

try

    <?php print $row['id'] ?>

^ you're not doing anything with $row

Bret
[PHP-DB] Pear help
Hi There,

I'm trying to configure my OS X box to work with PEAR. Everything seems to be working (updating PEAR libraries, etc.) except when I run my test script I get the following error:

Fatal error: Cannot redeclare class db in /usr/lib/php/DB.php on line 271

Here is my test script:

    <?php
    require 'DB.php';
    if (class_exists('DB')) {
        print 'Ok';
    } else {
        print 'Nope';
    }
    ?>

I've included the path in my PHP.INI file and I still get this error. I've tested this script on another PEAR server and it works fine. Does anyone have any ideas? If this is the wrong list, my apologies. Any help would be greatly appreciated.

- Craig
Re: [PHP-DB] Pear help
Craig Hoffman wrote:
> Hi There,
> I'm trying to configure my OS X box to work with PEAR. Everything seems
> to be working (updating PEAR libraries, etc.) except when I run my test
> script I get the following error:
>
> Fatal error: Cannot redeclare class db in /usr/lib/php/DB.php on line 271
>
> Here is my test script:
>
>     <?php
>     require 'DB.php';
>     if (class_exists('DB')){
>         print 'Ok';
>     } else {
>         print 'Nope';
>     }
>     ?>
>
> I've included the path in my PHP.INI file and I still get this error.
> I've tested this script on another PEAR server and it works fine. Does
> anyone have any ideas? If this is wrong list, my apologies. Any help
> would be greatly appreciated.

Comment out the 'require' line - and run your test script. I expect you'll get the result Ok. If so, you have something somewhere that's already including DB.php.

Are you running this test script from within something, or do you actually include some 'common libraries' (your own custom, or some frameworks?). You may also try changing it to require_once, in case something is already require'ing it.

The error is clearly stating that there's already a class DB defined. It's defined somewhere.

Cheers,
--
- Martin Norland, Sys Admin / Database / Web Developer, International Outreach x3257
The opinion(s) contained within this email do not necessarily represent those of St. Jude Children's Research Hospital.
RE: [PHP-DB] MySQLPHP decrypt(password)
thank you.

I do have login and registration script, which work fine. the problem is with new password. I am using password() to register a user. I did change in the change_password() md5() into password(), it changes the user password. I could easily see it in mysql db. but a user could not login using the new password.

do i have to change the password() into md5() in the registration php script?

1. is there any way i could get the password without changing a user password from mysql.

kind regards
m

>From: "Bastien Koert" <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: RE: [PHP-DB] MySQLPHP decrypt(password)
>Date: Mon, 28 Feb 2005 09:31:20 -0500
>
>There needs to be a separate login page...The previous page was simply to change the password...
>
>here is my login function...
>
>//---
>// login function
>//---
>function login()
>{
>    global $err_msg;
>    $errors = array();
>
>    if ((empty ($_POST['lg_name']))&&(!eregi("[[:alnum:]]",$_POST['lg_name']))){
>        $errors[] = "<font color=red>You didn't enter a correct login name.</font>";}
>    if ((empty ($_POST['lg_pw']))&&(!eregi("[[:alnum:]]",$_POST['lg_pw']))){
>        $errors[] = "<font color=red>You didn't enter a password.</font>";}
>
>    if (count($errors) > 0) {
>
>        //loop over every collected error ($nerrors was never set)
>        for ($i = 0; $i < count($errors); $i++){
>            $err_msg .= $errors[$i]."<br />";
>        }
>        show_form();
>        exit();
>    }//end if
>
>    $lg_name = $_POST['lg_name'];
>    $lg_pw = $_POST['lg_pw'];
>
>    //NOTE: the form values are interpolated into the SQL as typed; escape them
>    //first (e.g. mysql_real_escape_string()) or use a parameterised query
>    $new_select = "select cust_lg, cust_pw, temp_pass from cust_info where cust_lg = '$lg_name' and cust_pw = '$lg_pw'";
>    $result = connect($new_select);
>    $num_result = mysql_num_rows ($result);
>
>    if ($num_result == 1) {
>
>        //if the temp_password value is set to 1 then have the user change the password.
>        $row = mysql_fetch_array($result);
>        if ($row['temp_pass']==1){
>            header("location:change_pass.php");
>            die();
>        }//end if
>
>        setcookie('last_time', date("Ymd-his"),time()+60*60*24*30,'/');
>        echo "here";
>        header("location:/login_unit/brokerpanel.htm");
>        exit();
>    }else{
>        $err_msg = "<font color=red>No match found! If you have forgotten your password, please click the link at the right.</font>";
>        show_form();
>        exit();
>    }
>}//end function
>
>?>
>
>bastien
Re: [PHP-DB] Pear help
Thanks for getting back to me... Comments below -

On Feb 28, 2005, at 10:49 AM, Martin Norland wrote:
> Craig Hoffman wrote:
> > Hi There,
> > I'm trying to configure my OS X box to work with PEAR. Everything seems
> > to be working (updating PEAR libraries, etc.) except when I run my test
> > script I get the following error:
> >
> > Fatal error: Cannot redeclare class db in /usr/lib/php/DB.php on line 271
> >
> > Here is my test script:
> >
> >     <?php
> >     require 'DB.php';
> >     if (class_exists('DB')){
> >         print 'Ok';
> >     } else {
> >         print 'Nope';
> >     }
> >     ?>
> >
> > I've included the path in my PHP.INI file and I still get this error.
> > I've tested this script on another PEAR server and it works fine. Does
> > anyone have any ideas? If this is wrong list, my apologies. Any help
> > would be greatly appreciated.
>
> Comment out the 'require' line - and run your test script. I expect
> you'll get the result Ok. If so, you have something somewhere that's
> already including DB.php.

If I comment out the //require it prints my else statement 'Nope'

> Are you running this test script from within something, or do you
> actually include some 'common libraries' (your own custom, or some
> frameworks?). You may also try changing it to require_once, in case
> something is already require'ing it.

I've tried require_once and it just gives me another error:

Ok
Fatal error: Class 'PEAR_Error' not found in /usr/lib/php/DB.php on line 728

> The error is clearly stating that there's already a class DB defined.
> It's defined somewhere.

I'm not sure if this is relevant, but I have used db.php (another file) in include statements to connect to mysql for a few websites.

> Cheers,
RE: [PHP-DB] MySQLPHP decrypt(password)
Password and MD5 return different values. They are not compatible. Since both are one way encryptions, you can not retrieve the original value

>From: moses Woldeselassie [EMAIL PROTECTED]
>To: [EMAIL PROTECTED], php-db@lists.php.net
>Subject: RE: [PHP-DB] MySQLPHP decrypt(password)
>Date: Mon, 28 Feb 2005 16:44:56 +
>
>thank you Bastien
>
>I do have a login and registration php script, which work fine. the problem is I am using password(passwd) to register the user, and i did change md5 into password() but how do i get the password that a user has registered in the first time?
>
>other problem:
>i did try to use the sending email using the following:
>
>select passwd from users where username=$mid and email = $email
>
>but it doesn't work. If i put * instead of passwd it works fine.
>
>select * from users where username=$mid and email=$email
>
>what is the problem?
>
>I didn't get it, a user should easily login using the new password, which was changed using change_password().
>
>kind regards
>m
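The registration, reset and login steps discussed in this thread, written so that all three agree on one hashing scheme, as an added example that is not code from any poster. It assumes PHP 7+ with the pdo_sqlite extension and uses password_hash()/password_verify() in place of MD5 or MySQL's PASSWORD(), with form values bound as query parameters; table and column names follow the thread, while the in-memory database, the user and the passwords are constructed.

```php
<?php
declare(strict_types=1);

// Constructed schema: names follow the thread (cust_info, cust_lg, cust_email,
// cust_pw, temp_pass); the in-memory SQLite database is an assumption so the
// example runs offline.
function open_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE cust_info (
        cust_lg    TEXT PRIMARY KEY,
        cust_email TEXT NOT NULL,
        cust_pw    TEXT NOT NULL,
        temp_pass  INTEGER NOT NULL DEFAULT 0)');
    return $db;
}

// Registration stores a salted one-way hash, never the password itself.
function register_user(PDO $db, string $login, string $email, string $plain): void
{
    $stmt = $db->prepare(
        'INSERT INTO cust_info (cust_lg, cust_email, cust_pw) VALUES (?, ?, ?)');
    $stmt->execute([$login, $email, password_hash($plain, PASSWORD_DEFAULT)]);
}

// Reset and change both go through here, so the stored value is always
// produced by the same function that login() verifies against.
function store_password(PDO $db, string $login, string $plain, int $temp): bool
{
    $stmt = $db->prepare(
        'UPDATE cust_info SET cust_pw = ?, temp_pass = ? WHERE cust_lg = ?');
    $stmt->execute([password_hash($plain, PASSWORD_DEFAULT), $temp, $login]);
    return $stmt->rowCount() === 1;
}

// Temporary password drawn from the operating system's CSPRNG.
function random_temp_password(int $length = 12): string
{
    $alphabet = 'abcdefghjkmnpqrstuvwxyz23456789';
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $out;
}

// Returns the temporary password to mail, or null when login name and
// e-mail address do not match exactly one account.
function reset_password(PDO $db, string $login, string $email): ?string
{
    $stmt = $db->prepare(
        'SELECT 1 FROM cust_info WHERE cust_lg = ? AND cust_email = ?');
    $stmt->execute([$login, $email]);
    if ($stmt->fetchColumn() === false) {
        return null;
    }
    $temp = random_temp_password();
    return store_password($db, $login, $temp, 1) ? $temp : null;
}

// Fetch the row by login name only, then compare in PHP: the hash is salted,
// so it cannot be matched inside the WHERE clause.
function login(PDO $db, string $login, string $plain): string
{
    $stmt = $db->prepare(
        'SELECT cust_pw, temp_pass FROM cust_info WHERE cust_lg = ?');
    $stmt->execute([$login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($plain, $row['cust_pw'])) {
        return 'denied';            // same answer for unknown user and bad password
    }
    return ((int) $row['temp_pass'] === 1) ? 'must_change' : 'ok';
}

// Constructed walk-through: register, log in, reset, forced change, log in.
$db = open_demo_db();
register_user($db, 'alice', 'alice@example.test', 'first-Password1');
var_dump(login($db, 'alice', 'first-Password1'));

$temp = reset_password($db, 'alice', 'alice@example.test');
var_dump(login($db, 'alice', 'first-Password1'));   // old password after reset
var_dump(login($db, 'alice', $temp));               // temporary password

store_password($db, 'alice', 'chosen-Password2', 0);
var_dump(login($db, 'alice', 'chosen-Password2'));

// A quote character in the login name is bound as data, not parsed as SQL.
var_dump(login($db, "x' OR '1'='1", 'anything'));
```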
Re: [PHP-DB] Pear help
Craig Hoffman wrote:
> Thanks for getting back to me... Comments below -
>
> On Feb 28, 2005, at 10:49 AM, Martin Norland wrote:
> > Craig Hoffman wrote:
> > > Hi There,
> > > I'm trying to configure my OS X box to work with PEAR. Everything
> > > seems to be working (updating PEAR libraries, etc.) except when I run
> > > my test script I get the following error:
> > >
> > > Fatal error: Cannot redeclare class db in /usr/lib/php/DB.php on line 271
> >
> > [snip]
> >
> > The error is clearly stating that there's already a class DB defined.
> > It's defined somewhere.
>
> I'm not sure if this relevant, but I have used db.php (another file) in
> an include statements to connect mysql for a few websites.

Try printing the results of get_declared_classes() and go from there. Maybe class names are case sensitive, I've never had to find out. In any case, as I said - it definitely has already seen a declaration of class db somewhere, the question is finding where that is and whether it's useful or not.

One last bit - is DB.php the class you're supposed to use in PEAR, or are you supposed to use something out of the DB directory within PEAR (or is that just the DB specific stuff which is handled by the parent)? I've been working too abstracted a level lately, can't recall :)

Cheers,
--
- Martin Norland, Sys Admin / Database / Web Developer, International Outreach x3257
Re: [PHP-DB] Re: password in md5 to connect to mysql instead of clear password
On Monday 28 February 2005 13:52, Gael Lams wrote:
> Simon, I read your post regarding the use of a C program and I would be
> interested in having some more details as we started thinking about
> implementing something similar.

Unfortunately I've misplaced the program I'd used in the past to do this. It was written by a colleague at a workplace we've now both left. As an exercise I've tried to re-implement it myself. The source code is inline at the end of this message. Note I'm still learning C so it may be worth getting someone more experienced to check it over before setting it suid and using it in a secure environment! - it does appear to work however.

It may be worth considering one of the many C libs already written for accessing config information as well...

> Our idea is to 'obfuscate' the password in some way and then process the
> value to get back to the plain text password.

I don't know that this would be much help - if someone can read the file the passwords are in it is likely they can read and copy the executable that reads that file. Running the executable themselves they will be able to figure out the obfuscation used... Still any obstacle is an obstacle!

> In order to perform the connection to Oracle, the php

I liked Jason's suggestion of setting the password in an apache config file that was only readable by root which has the same benefits as my suggestion but much simpler. I didn't realise you could do that. AFAICT the feature to set a default password, user etc doesn't seem to be available for Oracle connections. Although I'm going to investigate that further as I'm working with oracle at the moment.

cheers Simon

--- keyinfo.c:

    /*
     * keyinfo.c:
     *
     * Retrieve information from a config file.
     *
     * Reads a text file. Splits each line on the first whitespace. If the token
     * before the whitespace matches the program's argument everything after the
     * whitespace up until the end of line is returned. Processing of further lines
     * stops on the first match.
     * Lines starting # are ignored.
     *
     * $Id: keyinfo.c,v 1.3 2005/02/28 18:30:12 sr Exp $
     */

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    /* hard coded location of the file which contains secret information */
    #define SECRETS_FILE "/etc/keyinfo.conf"

    /* maximum length of lines in the secrets file */
    #define MAX_LINE_LENGTH 80

    int main ( int argc, char *argv[] )
    {
        FILE *in_fileh;
        char buffer[MAX_LINE_LENGTH + 1];
        char *sought_key;
        char *key, *value;
        char delimiter_chars[] = " \t";

        /* check a single parameter was passed */
        if ( argc != 2 ) {
            fprintf( stderr, "Required single command argument not supplied\n" );
            exit( 8 );
        } else {
            sought_key = argv[1];
        }

        /* open keyinfo.conf file */
        in_fileh = fopen( SECRETS_FILE, "r" );
        if ( in_fileh == NULL ) {
            fprintf( stderr, "Error: Unable to open file %s\n", SECRETS_FILE );
            exit( 8 );
        }

        /* read lines in file looking for key match */
        while ( fgets( buffer, sizeof( buffer ), in_fileh ) ) {
            /* skip lines that start with # */
            if ( buffer[0] == '#' ) {
                continue;
            }

            /* drop the line terminator, if there is one, before splitting */
            buffer[ strcspn( buffer, "\r\n" ) ] = '\0';

            /* blank lines yield no key; lines with no value are skipped */
            key = strtok( buffer, delimiter_chars );
            if ( key == NULL ) {
                continue;
            }
            value = strtok( NULL, "\n" );   /* the rest of the line */
            if ( value == NULL ) {
                continue;
            }
            /* skip any further whitespace between key and value */
            value += strspn( value, delimiter_chars );

            if ( strcmp( key, sought_key ) == 0 ) {
                /* print the value to stdout */
                printf( "%s", value );
                break;
            }
        }

        fclose( in_fileh );
        exit( 0 );
    }

--- /etc/keyinfo.conf:

    # database 1 password
    db1_pass 6dioqlFq
    # database 2
    db2_pass xx55usp

---

--
~~ Simon Rees | [EMAIL PROTECTED] | ORA-03113: end-of-file on communication channel ~~
[PHP-DB] PHP form processing
Is there a way to find out the IP address of the computer submitting a form --- other than through a cookie. Is there a header command or something like this?

Ron
Re: [PHP-DB] PHP form processing
Ron Piggott wrote:
> Is there a way to find out the IP address of the computer submitting a
> form --- other than through a cookie. Is there a header command or
> something like this? Ron

Response: rtfm / wrong list
Answer: for Apache, $_SERVER['REMOTE_ADDR'];

Cheers,
--
- Martin Norland, Sys Admin / Database / Web Developer, International Outreach x3257
[PHP-DB] onClick
Another question: Is there a way that I may set up an IF command with the onClick function so that my_web_page.php3 will not be displayed unless a web form was used to generate it?

Ron
[PHP-DB] Referring web page
I want to change my question --- Is there a way to check the referring web page --- IE where the link came from and what would that variable name be? I mean this in the same fashion that $_SERVER['REMOTE_ADDR'] gives you the IP address of the user.

Ron
RE: [PHP-DB] Referring web page
$_SERVER['HTTP_REFERER'] is what you want

bastien

>From: Ron Piggott [EMAIL PROTECTED]
>To: PHP DB php-db@lists.php.net
>Subject: [PHP-DB] Referring web page
>Date: Mon, 28 Feb 2005 22:30:32 -0500
>
>I want to change my question --- Is there a way to check the referring web page --- IE where the link came from and what would that variable name be? I mean this in the same fashion that $_SERVER['REMOTE_ADDR'] gives you the IP address of the user.
>
>Ron
[PHP-DB] changing output method
Hi forum

I have a simple problem as I'm new to php. How do I set the output type from table to columnar like below:

CompanyName :Data
Address :Data
City :Data
Zipcode :Data
...

Please help me know that loop. I tried very much but I was unable to find that out.
Re: [PHP-DB] changing output method
There's not enough information from your question to provide a good answer.. Where are you getting the data from? Is there more than one record available?

-Micah

On Monday 28 February 2005 11:05 pm, chintan wrote:
> Hi forum i have a simple problem as im new to php how do i set the output
> type from table to columner like below:
>
> CompanyName :Data
> Address :Data
> City :Data
> Zipcode :Data
> ...
>
> Please help me know that loop i tried very much but i was unable to find
> that out.