Re: [PHP] security and .htaccess

2006-12-02 Thread Richard Lynch
On Sat, December 2, 2006 3:35 pm, Alain Roger wrote:
> I'm working on an .htaccess file for improving security.
> Based on documentation from PHPSEC.org, we should be able to store the
> DB_USER login and DB_PASS password in some secret-stuff (for example)
> file, which should be located outside the web document root (for
> example in some /path_to_secret folder).

I think .htaccess *is* the file being included...

It might be possible to use Apache's . operator (I think it's . ) to
suck in yet another file, outside the web root, so that a change to
the rules about not serving up .ht* files would not matter to that
file to be included...

But you've strayed into the "this is an Apache question" realm pretty
heavily...
http://apache.org/ probably addresses this somewhere, one way or the
other, if you dig enough.

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] alternative method

2006-12-02 Thread Richard Lynch
The browser is not supposed to change that, unless you hard-link to
http:// somewhere in your application.

I don't guarantee no browser ever had a bug like that, but I never
heard of such a bug.

And there ain't no stopping a pesky user from taking the 's' out to
see what happens...  So you should be ready for that, and Do The Right
Thing, whatever that might be for your application.

On Sat, December 2, 2006 3:31 pm, Alain Roger wrote:
> Hi Richard,
>
> I already work on SSL also.
> Basically, if $_SERVER['HTTPS'] is not set to 'on', I redirect
> everything to the logon form window.
>
> I'm just scared about how SSL can be held between pages...
> For example:
>
> If on page index.php SSL is activated and the customer clicks on the
> submit button and is redirected to main.php, I will redirect him with
> https:// in the link, but does it keep SSL working?
> Will it not stop it for a while and restart it?
>
> Alain
>
> On 12/2/06, Richard Lynch <[EMAIL PROTECTED]> wrote:
>>
>> On Sat, December 2, 2006 10:29 am, Alain Roger wrote:
>> > Based on phpsec.org documentation it is written ("between the lines")
>> > that GET and POST methods are still used but they are not the most
>> > secure (except if we take care of that).
>> > So, I would like to know which other methods are more secure than
>> > those 2.
>>
>> In addendum to Larry's post:
>>
>> You should also consider requiring SSL for any sensitive data, to
>> protect it in its travels from their computer to your server.
>>
>> SSL is kind of like an armored truck on the information
>> super-highway.
>> It doesn't stop bank robbers (server hacks) or muggers (viruses on
>> your users' computers), but the data is safe in transit between the
>> two.
>>
>>
>>
>
>
> --
> Alain
> 
> Windows XP SP2
> PostgreSQL 8.1.4
> Apache 2.0.58
> PHP 5
>





Re: [PHP] Acceptably Converting a 24bit PNG to a JPEG?

2006-12-02 Thread Graham Anderson

Using imagecopyresampled did the trick :)

This will be great for my CSS files.
If all goes well, the below will be used to dynamically convert PNG
images to JPEGs for IE6 and below.
For some bizarre reason, you cannot use the background-position
property with PNGs for <= IE 6.
So, in my CSS, I'll dynamically convert the PNG to a JPG and replace
the transparency with a background color.


many thanks

In case anyone is interested, here is the code:

<?php
// Output type, source PNG and background colour come from the query string.
// The original passed $_GET["url"] straight to realpath(), which let a caller
// point the script at any PNG the web server could read; it is now limited
// to one image directory (IMAGE_DIR, assumed to sit beside this script).
define('IMAGE_DIR', realpath(dirname(__FILE__) . '/images'));

$type  = (isset($_GET["type"]) && $_GET["type"] === "gif") ? "gif" : "jpg";
// Colour must be exactly six hex digits, with or without a leading '#'. The
// original default "#ff" is not a valid value, so white is assumed here.
$color = (isset($_GET["color"]) && preg_match('/^#?[0-9a-fA-F]{6}$/', $_GET["color"]))
       ? $_GET["color"] : "ffffff";
$name  = isset($_GET["url"]) ? basename($_GET["url"]) : "blank.png";
$url   = realpath(IMAGE_DIR . DIRECTORY_SEPARATOR . $name);
if ($url === false
    || strpos($url, IMAGE_DIR . DIRECTORY_SEPARATOR) !== 0
    || strtolower(pathinfo($url, PATHINFO_EXTENSION)) !== "png") {
    header("HTTP/1.0 404 Not Found");
    exit;
}
list($sx, $sy) = getimagesize($url);

// Create a background image filled with the requested colour
$bg_image = imagecreatetruecolor($sx, $sy);
list($R, $G, $B) = HEX2RGB($color);
$mycolor = imagecolorallocate($bg_image, $R, $G, $B);
imagefill($bg_image, 0, 0, $mycolor);

// Load the PNG with its alpha channel intact
$image = imagecreatefrompng($url);
imagealphablending($image, true);
imagesavealpha($image, true);

// Composite the PNG onto the opaque background; this is where the alpha
// channel is blended away, which is what keeps the JPEG from garbling
imagecopyresampled($bg_image, $image, 0, 0, 0, 0, $sx, $sy, $sx, $sy);

// Send out as GIF or JPG, both from the flattened copy (the original sent
// the unflattened $image in the GIF case)
switch ($type) {
    case "jpg":
        header('Content-type: image/jpeg');
        imagejpeg($bg_image, null, 95);
        break;
    case "gif":
        header('Content-type: image/gif');
        imagegif($bg_image);
        break;
}

// Remove bg image and PNG from memory
imagedestroy($bg_image);
imagedestroy($image);

// "rrggbb" (optionally with a leading '#') to array(R, G, B); hexdec()
// replaces the hand-rolled digit table of the original
function HEX2RGB($color)
{
    $hex = ltrim($color, '#');
    return array(
        hexdec(substr($hex, 0, 2)),
        hexdec(substr($hex, 2, 2)),
        hexdec(substr($hex, 4, 2)),
    );
}
?>

On Dec 2, 2006, at 1:33 PM, Richard Lynch wrote:


I suspect that if you do an "imagecopyresampled" or somesuch into a
fresh NEW image, you'd get what you want.

Not saying you haven't found a bug ; Just suggesting a work-around.

On Fri, December 1, 2006 4:26 pm, Graham Anderson wrote:

Is there some trick to getting PHP GD to properly convert a 24bit PNG
[with alpha]  into a JPEG without garbling the image output?

The below will output the JPG image, but it appears that the alpha
channel from the original PNG is garbling the JPEG a bit.
To no avail, I tried setting imageAlphaBlending and imageSaveAlpha to
'false' and 'true'.
I also tried setting the JPEG quality to 90 and 100.

$image_output = "myimage.jpeg";
$image = imagecreatefrompng($original_24bit_png_image);

imageAlphaBlending($image, true);
imageSaveAlpha($image, true);

header("Content-type: image/jpeg");
imagejpeg($image,'',100);
imagedestroy($image);


many thanks in advance
g




Re: [PHP] alternative method

2006-12-02 Thread Bernhard Zwischenbrugger
Am Samstag, den 02.12.2006, 13:57 -0600 schrieb Larry Garfield:
> If you're talking about getting user data into a web script, then GET, POST, 
> and cookies are the only options.  All three are insecure, because they're 
> coming from the user.  The user is guilty until proven otherwise.  Sanitize 
> thy input.

There is also
http://www.php.net/manual/en/features.http-auth.php
which may be more secure than POST.
With client-side XSS, form data may be readable.
There is no access from JavaScript to HTTP auth parameters.

Bernhard

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Security and methods

2006-12-02 Thread Alain Roger

I personally chose the include method...

I was also scared that the dispatch method would only end up polluting a
single file...
On the other side, I like the idea of having a clear view of each PHP file, so
including a security.inc file (which has the switch...case function) was a
logical path for me.

Alain

On 12/2/06, Richard Lynch <[EMAIL PROTECTED]> wrote:


On Sat, December 2, 2006 9:47 am, Alain Roger wrote:
> After reading the documentation about security from phpsec.org, i see
> that 2
> "schools" exist (dispatch method or include method).
> I do not see any huge difference between them.
> I would like to know what is the most suitable method to centralize
> security
> in 1 single file.

They both work fine.

I found that the logic needed in the "dispatch" method to get what I
wanted to happen in a complex web application often ended up
"polluting" the single control file, so went for the "include" method.
But that was a long time ago when I was much younger...

I think it's more important that you understand what your goals are in
either method, and push yourself to follow your own guidelines.

Choose whichever one strikes your fancy.






--
Alain



Re: [PHP] problem with register globals on new server

2006-12-02 Thread Richard Lynch
On Sat, December 2, 2006 5:31 am, Tony Marston wrote:
> If your site administrator thinks that using an htaccess file is a
> security
> issue then he is very much mistaken.  The directives in an htaccess
> file DO
> NOT enable you to access any one else's data on a shared server. All
> they do
> is apply additional settings to your own site while leaving UNTOUCHED
> the
> settings being used by other sites.
>
> Most professional web hosting companies do not have an issue with
> htaccess
> files, so if yours does I would suggest switching to one with a more
> professional attitude.

I think it is quite possible for a sysAdmin to configure AllowOverride
and .htaccess in such a way that "too much" latitude is granted to
their clients to access each others' data...

And there is alleged to be a significant performance loss to
.htaccess, so a hurried sysAdmin may have over-simplified their
decision process...

At any rate, if you need .htaccess, and they don't want to provide it,
there are a few thousand webhosts that do.

I certainly wouldn't sign up with a host that didn't provide it, and
would move to one that did ASAP if I found myself using one that
didn't provide that.

Actually, I'd settle for a way to schedule a "push" of an approved
change into their httpd.conf (or include files thereof) for my site's
VirtualHost directive, but I suppose that's a lot to ask of a host...
:-)




Re: [PHP] How to be sure to use SSL

2006-12-02 Thread Alain Roger

Richard,

As I wrote you before, I've got the following suggestion to implement before
running the rest of my PHP code.

// isset() guard: on plain HTTP the variable is absent, and reading it raises a notice
if (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != 'on')
{
header('Location: https://www.mysite.com');
exit;
}
...

But I do not know if it's enough.

Alain


On 12/2/06, Richard Lynch <[EMAIL PROTECTED]> wrote:


On Sat, December 2, 2006 2:17 am, Alain Roger wrote:
> I would like to know how I can be sure to make the customer use SSL
> all the time.
> All the time in my PHP code, I write links as relative links, so
> without HTTPS.
>
> I was thinking of checking everything to see if the port is the SSL port
> (default: 443), but that does not mean the protocol is HTTPS.
> So, how do you ensure that the customer uses the SSL protocol all the time?

I was asking myself that same question last week, but I searched on
http://php.net for the answer.

Did you try that?

:-)






--
Alain



[PHP] security and .htaccess

2006-12-02 Thread Alain Roger

Hi,

I'm working on an .htaccess file for improving security.
Based on documentation from PHPSEC.org, we should be able to store the DB_USER
login and DB_PASS password in some secret-stuff (for example) file, which
should be located outside the web document root (for example in some
/path_to_secret folder).

Normally we should configure the httpd.conf file to include this secret-stuff
file, but in my case, I have a web host who does not allow me to modify
httpd.conf.
However, I should be able to set up an .htaccess file.

How can I set up/include this secret-stuff file in this .htaccess file
(without decreasing security)?

thanks a lot.

Alain

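One way to read such a file from PHP when httpd.conf is off limits, as an added example that is neither Alain's code nor the phpsec.org recipe. It assumes the credentials sit in /path_to_secret/db.ini (the folder named in the question) as DB_USER and DB_PASS ini keys, that the file is owned by the account PHP runs as, and that every page pulls this in before anything else (the "include method" discussed elsewhere in the thread):

```php
<?php
// Added example, not from the thread. Assumes /path_to_secret/db.ini holds
// lines `DB_USER = ...` and `DB_PASS = ...` and is owned by the account PHP
// runs as. The database name below is likewise an assumption.
//
// With no access to httpd.conf the file cannot be pulled in by the server
// configuration, so the script reads it directly and, before trusting it,
// checks that it really is outside the document root and not readable by
// the other accounts on the shared host.

function load_db_credentials($ini_path, $document_root)
{
    $real = realpath($ini_path);
    $root = realpath($document_root);
    if ($real === false || $root === false) {
        throw new RuntimeException('credentials file or document root not found');
    }
    // Refuse a file that lives anywhere under the web root: if the deny rule
    // protecting it is ever dropped, it is served as plain text.
    $root_prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strpos($real, $root_prefix) === 0) {
        throw new RuntimeException("$real is inside the document root");
    }
    // On a shared Unix host every other customer is "other"; refuse a file
    // they can read. (Skipped on Windows, where fileperms() carries no Unix
    // mode bits.)
    if (DIRECTORY_SEPARATOR === '/' && (fileperms($real) & 0004)) {
        throw new RuntimeException("$real is world-readable");
    }
    $values = parse_ini_file($real, false, INI_SCANNER_RAW);
    if ($values === false || !isset($values['DB_USER'], $values['DB_PASS'])) {
        throw new RuntimeException('DB_USER / DB_PASS missing from ' . $real);
    }
    return array('user' => $values['DB_USER'], 'pass' => $values['DB_PASS']);
}

// Quote a value for a libpq connection string; a password containing a
// space, quote or backslash would otherwise break the string.
function pg_conninfo_quote($value)
{
    return "'" . addcslashes($value, "'\\") . "'";
}

// At the top of each script (or of the security include): the path is a
// constant, never taken from request data.
$creds = load_db_credentials('/path_to_secret/db.ini', $_SERVER['DOCUMENT_ROOT']);
$db = pg_connect('host=localhost dbname=mydb'
                 . ' user=' . pg_conninfo_quote($creds['user'])
                 . ' password=' . pg_conninfo_quote($creds['pass']));
```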


Re: [PHP] Acceptably Converting a 24bit PNG to a JPEG?

2006-12-02 Thread Richard Lynch
I suspect that if you do an "imagecopyresampled" or somesuch into a
fresh NEW image, you'd get what you want.

Not saying you haven't found a bug ; Just suggesting a work-around.

On Fri, December 1, 2006 4:26 pm, Graham Anderson wrote:
> Is there some trick to getting PHP GD to properly convert a 24bit PNG
> [with alpha]  into a JPEG without garbling the image output?
>
> The below will output the JPG image, but it appears that the alpha
> channel from the original PNG is garbling the JPEG a bit.
> To no avail, I tried setting imageAlphaBlending and imageSaveAlpha to
> 'false' and 'true'.
> I also tried setting the JPEG quality to 90 and 100.
>
> $image_output = "myimage.jpeg";
> $image = imagecreatefrompng($original_24bit_png_image);
>
> imageAlphaBlending($image, true);
> imageSaveAlpha($image, true);
>
> header("Content-type: image/jpeg");
> imagejpeg($image,'',100);
> imagedestroy($image);
>
>
> many thanks in advance
> g
>
>
>





Re: [PHP] How to be sure to use SSL

2006-12-02 Thread Richard Lynch
On Sat, December 2, 2006 2:17 am, Alain Roger wrote:
> I would like to know how I can be sure to make the customer use SSL
> all the time.
> All the time in my PHP code, I write links as relative links, so
> without HTTPS.
>
> I was thinking of checking everything to see if the port is the SSL port
> (default: 443), but that does not mean the protocol is HTTPS.
> So, how do you ensure that the customer uses the SSL protocol all the time?

I was asking myself that same question last week, but I searched on
http://php.net for the answer.

Did you try that?

:-)




Re: [PHP] Security and methods

2006-12-02 Thread Richard Lynch
On Sat, December 2, 2006 9:47 am, Alain Roger wrote:
> After reading the documentation about security from phpsec.org, I see
> that 2 "schools" exist (dispatch method or include method).
> I do not see any huge difference between them.
> I would like to know what is the most suitable method to centralize
> security in 1 single file.

They both work fine.

I found that the logic needed in the "dispatch" method to get what I
wanted to happen in a complex web application often ended up
"polluting" the single control file, so went for the "include" method.
 But that was a long time ago when I was much younger...

I think it's more important that you understand what your goals are in
either method, and push yourself to follow your own guidelines.

Choose whichever one strikes your fancy.




Re: [PHP] alternative method

2006-12-02 Thread Richard Lynch
On Sat, December 2, 2006 10:29 am, Alain Roger wrote:
> Based on phpsec.org documentation it is written ("between the lines") that
> GET and POST methods are still used but they are not the most secure
> (except if we take care of that).
> So, I would like to know which other methods are more secure than
> those 2.

In addendum to Larry's post:

You should also consider requiring SSL for any sensitive data, to
protect it in its travels from their computer to your server.

SSL is kind of like an armored truck on the information super-highway.
 It doesn't stop bank robbers (server hacks) or muggers (viruses on
your users' computers), but the data is safe in transit between the
two.




Re: [PHP] alternative method

2006-12-02 Thread Larry Garfield
If you're talking about getting user data into a web script, then GET, POST, 
and cookies are the only options.  All three are insecure, because they're 
coming from the user.  The user is guilty until proven otherwise.  Sanitize 
thy input.

Sensitive data like username and password should never be sent by GET, because 
GET is bookmarkable while POST is not.  GET should be used only for lookup of 
data, POST for any modification of data.  I generally default to POST unless 
I specifically want something to be bookmarkable or copyable into an email to 
send to someone.

On Saturday 02 December 2006 10:29, Alain Roger wrote:
> Hi,
>
> Based on phpsec.org documentation it is written ("between the lines") that GET
> and POST methods are still used but they are not the most secure (except
> if we take care of that).
> So, I would like to know which other methods are more secure than those 2.
>
> thx.
> Alain
> 

-- 
Larry Garfield  AIM: LOLG42
[EMAIL PROTECTED]   ICQ: 6817012

"If nature has made any one thing less susceptible than all others of 
exclusive property, it is the action of the thinking power called an idea, 
which an individual may exclusively possess as long as he keeps it to 
himself; but the moment it is divulged, it forces itself into the possession 
of every one, and the receiver cannot dispossess himself of it."  -- Thomas 
Jefferson




Re: [PHP] How to be sure to use SSL

2006-12-02 Thread afan
my solution:
// isset() guard: on plain HTTP the variable is absent, and reading it raises a notice
if (!isset($_SERVER["HTTPS"]) || $_SERVER["HTTPS"] != 'on')
{
 header('Location: https://www.your_domain_here.com');
 exit;
}


-afan



> Hi,
>
> I would like to know how I can be sure to make the customer use SSL all
> the time.
> All the time in my PHP code, I write links as relative links, so without
> HTTPS.
>
> I was thinking of checking everything to see if the port is the SSL port
> (default: 443), but that does not mean the protocol is HTTPS.
> So, how do you ensure that the customer uses the SSL protocol all the time?
>
> thanks a lot,
>
> Alain
> 
>

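The check afan and Alain show, carried through with the points Richard raised (a user removing the 's', keeping SSL across pages that use relative links), as an added example rather than code from the thread. It assumes a single canonical host name (www.mysite.com, as in Alain's snippet) and that every page requires this file before producing any output:

```php
<?php
// Added example, not code from the thread. Assumes the site has one
// canonical host name (www.mysite.com, as in Alain's snippet) and that each
// page requires this file before any output, as in the "include method".

// Apache sets $_SERVER['HTTPS'] to 'on'; some IIS builds set it to 'off' and
// plain HTTP leaves it unset, so a bare `!= 'on'` raises a notice and is
// easy to get backwards. Normalise it in one place.
function request_is_https(array $server)
{
    return !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

// HTTPS URL of the *same* resource, or null when no redirect is needed.
// The thread's snippets send every plain-HTTP visitor to the site root and
// lose the page that was asked for; carrying REQUEST_URI over fixes that.
// The host is fixed rather than read from the Host header, so a forged
// header cannot turn this into a redirect to another domain.
function https_redirect_url(array $server, $canonical_host)
{
    if (request_is_https($server)) {
        return null;
    }
    $uri = isset($server['REQUEST_URI']) ? $server['REQUEST_URI'] : '/';
    // Accept only an absolute path (with optional query string); a scheme
    // or a leading '//' would make the target an open redirect.
    if ($uri === '' || $uri[0] !== '/' || substr($uri, 0, 2) === '//') {
        $uri = '/';
    }
    return 'https://' . $canonical_host . $uri;
}

function enforce_https($canonical_host)
{
    $target = https_redirect_url($_SERVER, $canonical_host);
    if ($target === null) {
        // Already on TLS: tell browsers to stay there for a year, so a user
        // who "takes the 's' out" of a link is upgraded before the request
        // leaves the machine (relative links then stay on https as well).
        header('Strict-Transport-Security: max-age=31536000');
        return;
    }
    // A form posted over plain HTTP already crossed the wire in the clear;
    // redirecting it would hide that, so refuse instead of replaying it.
    if (!in_array($_SERVER['REQUEST_METHOD'], array('GET', 'HEAD'), true)) {
        header('HTTP/1.1 403 Forbidden');
        header('Content-Type: text/plain');
        echo "This request must be made over HTTPS.\n";
        exit;
    }
    header('Location: ' . $target, true, 301);
    exit;
}

enforce_https('www.mysite.com');

// Only now start the session, with its cookie marked secure and httponly so
// the credential never rides on a plain-HTTP request even if a user forces one.
session_set_cookie_params(0, '/', '', true, true);
session_start();
```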



[PHP] alternative method

2006-12-02 Thread Alain Roger

Hi,

Based on phpsec.org documentation it is written ("between the lines") that GET
and POST methods are still used but they are not the most secure (except if
we take care of that).
So, I would like to know which other methods are more secure than those 2.

thx.
Alain



[PHP] Security and methods

2006-12-02 Thread Alain Roger

Hi,

After reading the documentation about security from phpsec.org, I see that 2
"schools" exist (dispatch method or include method).
I do not see any huge difference between them.
I would like to know what is the most suitable method to centralize security
in 1 single file.

thx.
Alain



Re: [PHP] problem with register globals on new server

2006-12-02 Thread Tony Marston

<[EMAIL PROTECTED]> wrote in message 
news:[EMAIL PROTECTED]
>> [EMAIL PROTECTED] wrote:
>>> hi,
>>> I had to move my osCommerce store to a new hosting company. The new server runs
>>> on php5/mysql5.
>>>
>>> got this error:
>>> FATAL ERROR: register_globals is disabled in php.ini, please enable it!
>>>
>>> since even on the old server globals were Off I was adding
>>> 
>>> php_value register_globals 1
>>> 
>>>
>>> Now, I tried with
>>>
>>> 
>>> php_value register_globals On
>>> 
>>>
>>> but it doesn't work.
>>
>> Maybe your host doesn't allow it to be changed through a htaccess..
>>
>> Is htaccess support enabled?
>>
>> Put garbage in the file (random chars) and if you get a 500 internal
>> server error, htaccess files work.. if you don't, that's the problem.
> Yup! That was the problem.
> Though, after I talked to the administrator, he is not happy to reconfigure
> Apache to allow .htaccess because of a security issue. Is this REALLY so big
> an issue?

If your site administrator thinks that using an htaccess file is a security 
issue then he is very much mistaken.  The directives in an htaccess file DO 
NOT enable you to access any one else's data on a shared server. All they do 
is apply additional settings to your own site while leaving UNTOUCHED the 
settings being used by other sites.

Most professional web hosting companies do not have an issue with htaccess 
files, so if yours does I would suggest switching to one with a more 
professional attitude.

-- 
Tony Marston
http://www.tonymarston.net
http://www.radicore.org 




[PHP] How to be sure to use SSL

2006-12-02 Thread Alain Roger

Hi,

I would like to know how I can be sure to make the customer use SSL all the
time.
All the time in my PHP code, I write links as relative links, so without
HTTPS.

I was thinking of checking everything to see if the port is the SSL port
(default: 443), but that does not mean the protocol is HTTPS.
So, how do you ensure that the customer uses the SSL protocol all the time?

thanks a lot,

Alain
