Re: [PHP] keeping credit card info in session
[EMAIL PROTECTED] wrote:
> Thanks a lot everyone. These are great replies. I guess I should have explained a bit more about what I'm doing. First of all, this is not my site, it's for a client of mine. Second, I did suggest using a PayPal API or a paid site to take care of this, but my client said no. She has a credit card processing account and how she works with it right now is that interested users email her, she calls them, gets their credit card info and charges their card manually without the card present. So, this is not really my problem, it's what she's been doing before and wants to continue doing. All she asked me to do is that as part of the form that people send their requests through, now she wants their credit card info as well, so that she doesn't have to call them.

Then *SHE* has to obey the rules laid down by the provider of that service. She may well be breaking the rules if she does not take the card number over the phone. The second you ask for a credit card number electronically you need *ALL* of the security you can get. I have seen a number of cases of sites that did not follow the rules, and within minutes of a transaction being completed the card number is being used on the other side of the world. (My next door neighbour got stung after using the British Airways site - one you would have expected to be secure.)

> And the reason I'm keeping cc info in the session for a few steps is to take them to the confirmation page, and then the receipt page. And afterwards, I want to keep it in there until the client logs in to the admin page and sees new requests, charges them and then deletes them for ever. So now I've got two different responses: some people say do it, but use encryption/decryption methods, and some people say don't do it. But if I don't do it, that means I tell my client that I can't do it and I lose the job.

Some jobs you do walk away from. One has to know when it is worth all the time you are going to pump into solving a problem that you will not actually get paid for. If YOU are setting up the security for using Credit Cards, *YOU* may well be held liable when it gets cracked. So it is safer to pass the risk to the card companies where possible and use an existing security system where someone else takes the blame.

Starting point - what does it say in the agreement that your client currently has with her credit card account?

--
Lester Caine - G8HFL
Contact - http://home.lsces.co.uk/lsces/wiki/?page=contact
L.S.Caine Electronic Services - http://home.lsces.co.uk
MEDW - http://home.lsces.co.uk/ModelEngineersDigitalWorkshop/
Treasurer - Firebird Foundation Inc. - http://www.firebirdsql.org/index.php

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] foreach question
Quoting Lori Lay <[EMAIL PROTECTED]>: > [EMAIL PROTECTED] wrote: > > Sorry this is the full script... > > > > whois.php > > > > > > > > > > > > Enter Domain Names (one per line) > > > style="font-size:13;font-family:Arial,Verdana;"> > > Gotcha! A textarea does not produce an array. Even though the user > should be separating the lines with a line break, this turns into one > long string with line breaks in it, not separate array elements. You > will have to do this manually. Actually, you could probably use nl2br > to insert BR's before the line breaks (it doesn't replace them, but > that's usually good enough). > > Lori much better, it all makes sense now. This is what I would do: "; } ?> Siavash > > > > > > > > Whois Results: > > > > > > > foreach( $_POST as $key ) { > >echo "$key"; > > } > > ?> > > > > > > > > > > - Original Message - From: "Lori Lay" <[EMAIL PROTECTED]> > > To: <[EMAIL PROTECTED]> > > Cc: > > Sent: Monday, April 09, 2007 5:20 AM > > Subject: Re: [PHP] foreach question > > > > > >> [EMAIL PROTECTED] wrote: > >>> "both examples do the same thing.." > >>> > >>> no, ex1 only has 1 > >>> > >>> so outputs like.. > >>> item1item2item3item4item5 > >>> > >>> Where as I want this.. > >>> > >>> item1 > >>> item2 > >>> item3 > >>> item4 > >>> item5 > >>> > >>> ie a line break after every item. > >>> > >> Silly question, perhaps, but are you sure $_POST is an array (with 5 > >> elements)? What you have written should produce a break after each > >> item if POST is a 5 element array. However if POST is a single > >> element with the five items concatenated together, then they would be > >> printed the way you have it listed above... > >> > >> It might be better to post the full script to the list. > >> > >> Lori > >>> > >>> - Original Message - From: "Sebe" <[EMAIL PROTECTED]> > >>> To: <[EMAIL PROTECTED]> > >>> Cc: > >>> Sent: Monday, April 09, 2007 1:22 AM > >>> Subject: Re: [PHP] foreach question > >>> > >>> > [EMAIL PROTECTED] wrote: > > I have .. 
> > > > foreach( $_POST as $key ) {echo "$key"; > > } > > > > and that gives me > > > > item1 > > item2 > > item3 > > item4 > > item5 > > > > how do I write it to give me > > > > item1 > > item2 > > item3 > > item4 > > item5 > > > > Thanks > > > both examples do the same thing.. > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > > > > >>> > >> > >> -- > >> PHP General Mailing List (http://www.php.net/) > >> To unsubscribe, visit: http://www.php.net/unsub.php > >> > >> > >> > > > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] foreach question
[EMAIL PROTECTED] wrote:
> Sorry this is the full script...
>
> whois.php
>
> Enter Domain Names (one per line)
> style="font-size:13;font-family:Arial,Verdana;">

Gotcha! A textarea does not produce an array. Even though the user should be separating the lines with a line break, this turns into one long string with line breaks in it, not separate array elements. You will have to do this manually. Actually, you could probably use nl2br to insert BR's before the line breaks (it doesn't replace them, but that's usually good enough).

Lori

> Whois Results:
>
> "; } ?>
>
> - Original Message -
> From: "Lori Lay" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Cc:
> Sent: Monday, April 09, 2007 5:20 AM
> Subject: Re: [PHP] foreach question
>
>> [EMAIL PROTECTED] wrote:
>>> "both examples do the same thing.."
>>>
>>> no, ex1 only has 1
>>>
>>> so outputs like..
>>> item1item2item3item4item5
>>>
>>> Where as I want this..
>>>
>>> item1
>>> item2
>>> item3
>>> item4
>>> item5
>>>
>>> ie a line break after every item.
>>
>> Silly question, perhaps, but are you sure $_POST is an array (with 5 elements)? What you have written should produce a break after each item if POST is a 5 element array. However if POST is a single element with the five items concatenated together, then they would be printed the way you have it listed above...
>>
>> It might be better to post the full script to the list.
>>
>> Lori
>>
>>> - Original Message -
>>> From: "Sebe" <[EMAIL PROTECTED]>
>>> To: <[EMAIL PROTECTED]>
>>> Cc:
>>> Sent: Monday, April 09, 2007 1:22 AM
>>> Subject: Re: [PHP] foreach question
>>>
>>>> [EMAIL PROTECTED] wrote:
>>>>> I have ..
>>>>>
>>>>> foreach( $_POST as $key ) {echo "$key"; }
>>>>>
>>>>> and that gives me
>>>>>
>>>>> item1
>>>>> item2
>>>>> item3
>>>>> item4
>>>>> item5
>>>>>
>>>>> how do I write it to give me
>>>>>
>>>>> item1
>>>>> item2
>>>>> item3
>>>>> item4
>>>>> item5
>>>>>
>>>>> Thanks
>>>>
>>>> both examples do the same thing..
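Lori's point about the textarea, as an added example that is not part of the original thread: the field arrives as one string, so it is split on line breaks before looping, each line is checked against a hostname pattern before it would be handed to a whois lookup, and everything echoed back is escaped. The field name `domains`, the function names and the 50-line limit are assumptions; the original whois.php markup did not survive in the archive.

```php
<?php
// Added example, not code from the thread. The form field name "domains"
// is an assumption standing in for the textarea in the lost whois.php form.

/**
 * Split raw textarea input into syntactically valid domain names.
 * Returns [valid[], rejected[]].
 */
function parse_domain_lines(string $raw, int $maxLines = 50): array
{
    // A textarea is submitted as ONE string; browsers normally send CRLF
    // line endings, but accept LF and bare CR as well.
    $lines = preg_split('/\r\n|\r|\n/', $raw);
    $valid = [];
    $rejected = [];

    foreach (array_slice($lines, 0, $maxLines) as $line) {
        $line = strtolower(trim($line));
        if ($line === '') {
            continue; // skip blank lines
        }
        // Allow-list: letters, digits and hyphens per label, at least two
        // labels, 253 characters at most. Anything else (spaces, quotes,
        // semicolons, tags) is rejected rather than "cleaned up".
        $ok = strlen($line) <= 253
            && preg_match(
                '/^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/D',
                $line
            ) === 1;

        if ($ok) {
            $valid[] = $line;
        } else {
            $rejected[] = $line;
        }
    }

    return [array_values(array_unique($valid)), $rejected];
}

/** One item per output line; htmlspecialchars() keeps input from becoming markup. */
function render_lines(array $items): string
{
    $out = '';
    foreach ($items as $item) {
        $out .= htmlspecialchars($item, ENT_QUOTES, 'UTF-8') . "<br>\n";
    }
    return $out;
}

// Constructed sample input standing in for $_POST['domains'].
$raw = "example.com\r\nExample.ORG\r\n\r\n"
     . "<script>alert(1)</script>\r\nexample.net; id\r\n";

[$valid, $rejected] = parse_domain_lines($raw);

echo "Accepted:<br>\n", render_lines($valid);
echo "Rejected:<br>\n", render_lines($rejected);
```

With the constructed input, the two well-formed names are accepted and the two lines carrying markup or shell metacharacters land in the rejected list, escaped when displayed.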
Re: [PHP] foreach question
Sorry this is the full script... whois.php Enter Domain Names (one per line) style="font-size:13;font-family:Arial,Verdana;"> Whois Results: "; } ?> - Original Message - From: "Lori Lay" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Cc: Sent: Monday, April 09, 2007 5:20 AM Subject: Re: [PHP] foreach question [EMAIL PROTECTED] wrote: "both examples do the same thing.." no, ex1 only has 1 so outputs like.. item1item2item3item4item5 Where as I want this.. item1 item2 item3 item4 item5 ie a line break after every item. Silly question, perhaps, but are you sure $_POST is an array (with 5 elements)? What you have written should produce a break after each item if POST is a 5 element array. However if POST is a single element with the five items concatenated together, then they would be printed the way you have it listed above... It might be better to post the full script to the list. Lori - Original Message - From: "Sebe" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Cc: Sent: Monday, April 09, 2007 1:22 AM Subject: Re: [PHP] foreach question [EMAIL PROTECTED] wrote: I have .. foreach( $_POST as $key ) {echo "$key"; } and that gives me item1 item2 item3 item4 item5 how do I write it to give me item1 item2 item3 item4 item5 Thanks both examples do the same thing.. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] foreach question
[EMAIL PROTECTED] wrote: "both examples do the same thing.." no, ex1 only has 1 so outputs like.. item1item2item3item4item5 Where as I want this.. item1 item2 item3 item4 item5 ie a line break after every item. Silly question, perhaps, but are you sure $_POST is an array (with 5 elements)? What you have written should produce a break after each item if POST is a 5 element array. However if POST is a single element with the five items concatenated together, then they would be printed the way you have it listed above... It might be better to post the full script to the list. Lori - Original Message - From: "Sebe" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Cc: Sent: Monday, April 09, 2007 1:22 AM Subject: Re: [PHP] foreach question [EMAIL PROTECTED] wrote: I have .. foreach( $_POST as $key ) {echo "$key"; } and that gives me item1 item2 item3 item4 item5 how do I write it to give me item1 item2 item3 item4 item5 Thanks both examples do the same thing.. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] keeping credit card info in session
Thanks a lot everyone. These are great replies. I guess I should have explained a bit more about what I'm doing. First of all, this is not my site, it's for a client of mine. Second, I did suggest using a PayPal API or a paid site to take care of this, but my client said no. She has a credit card processing account and how she works with it right now is that interested users email her, she calls them, gets their credit card info and charges their card manually without the card present. So, this is not really my problem, it's what she's been doing before and wants to continue doing. All she asked me to do is that as part of the form that people send their requests through, now she wants their credit card info as well, so that she doesn't have to call them.

And the reason I'm keeping cc info in the session for a few steps is to take them to the confirmation page, and then the receipt page. And afterwards, I want to keep it in there until the client logs in to the admin page and sees new requests, charges them and then deletes them for ever. So now I've got two different responses: some people say do it, but use encryption/decryption methods, and some people say don't do it. But if I don't do it, that means I tell my client that I can't do it and I lose the job.

Thanks again,
Siavash

Quoting Travis Doherty <[EMAIL PROTECTED]>:

> Jochem Maas wrote:
>
> >unless you are a payment gateway or a bank don't touch credit card numbers.
> >there are plenty of threads in the archive of this list that give good reasons
> >not to e.g. being sued out of existence.
>
> 100% agreed. Never touch credit card numbers. You can't just take credit card numbers and manually process them in 'card not present' transactions (or MOTO in more archaic terms.) You need a merchant account that allows for this -- usually at a higher discount rate. Check the merchant agreement.
>
> Your client should get an account like this, or better yet, provide you with the instructions on how to integrate his site with the payment providers so that you never have to worry about credit cards.
>
> As an additional note... Maybe your SSL cert secures the numbers from the client to the server, and just maybe your PHP scripts have no security flaws in them, but you must remember the server itself and everything else outside of PHP. What if someone found a flaw in the FTP server for example, or the mail server even, and used that to get the CC info. I would hate to be explaining to a list of 1000 clients that I was responsible for their card numbers being stolen.
>
> Travis Doherty
Re: [PHP] foreach question
Your code is fine and it should work. but in any case, try: foreach ($_POST as $key){ echo $key . ''; } Also, what php version, and what browser are you using? good luck, Siavash > [EMAIL PROTECTED] wrote: > > "both examples do the same thing.." > > > > no, ex1 only has 1 > > > > so outputs like.. > > item1item2item3item4item5 > > > > Where as I want this.. > > > > item1 > > item2 > > item3 > > item4 > > item5 > > > > ie a line break after every item. > > > > hmm, if you're getting 5 results from the loop each should already have > a > so i dont understand what is wrong but the code it's set to put out a > line break after each item. maybe i'm blind but the code is fine (with > the exception that i don't use double quotes). > > > > - Original Message - From: "Sebe" <[EMAIL PROTECTED]> > > To: <[EMAIL PROTECTED]> > > Cc: > > Sent: Monday, April 09, 2007 1:22 AM > > Subject: Re: [PHP] foreach question > > > > > >> [EMAIL PROTECTED] wrote: > >>> I have .. > >>> > >>> foreach( $_POST as $key ) {echo "$key"; > >>> } > >>> > >>> and that gives me > >>> > >>> item1 > >>> item2 > >>> item3 > >>> item4 > >>> item5 > >>> > >>> how do I write it to give me > >>> > >>> item1 > >>> item2 > >>> item3 > >>> item4 > >>> item5 > >>> > >>> Thanks > >>> > >> both examples do the same thing.. > >> > >> -- > >> PHP General Mailing List (http://www.php.net/) > >> To unsubscribe, visit: http://www.php.net/unsub.php > >> > >> > >> > > > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] MD5 & bot Question
At 4:38 AM -0700 4/8/07, benifactor wrote:
> hmm, why don't you md5 more than once..

I read somewhere that MD5'ing anything more than once does not increase security.

Cheers,

tedd

--
---
http://sperling.com http://ancientstones.com http://earthstones.com
Re: [PHP] MD5 & bot Question
At 6:46 PM +0200 4/8/07, Jochem Maas wrote:
> just a few random thoughts on how to make it even more painful to crack.
>
> random colored borders, random border width, slight changes in width/height, random pixel noise or varying colors, animated gifs (where does the arrow stop), animated gifs (where does the red/pink/blue/green arrow point to), make the letters random with regard to character and position [and make the letters generated images themselves] that way knowing where the arrow is pointing is only half the solution.
>
> or maybe rather take this technique and combine it with std captcha such that you output an image with a stack of [freaky] letters in it and one of them has an arrow pointing at it.
>
> yadda yadda. in theory it's all crackable - but somewhere along the line the problem becomes too hard to make it worth the effort to try (unless you're securing Fort Knox or something)

My attempt here was only to show that an MD5 solution could become so vast that there would be no point in pursuing that avenue.

As for other ways to crack this, of course there ARE other easier ways.

Cheers,

tedd

--
---
http://sperling.com http://ancientstones.com http://earthstones.com
Re: [PHP] MD5 & bot Question
At 6:33 PM +0200 4/8/07, Tijnema ! wrote:
> On 4/8/07, tedd <[EMAIL PROTECTED]> wrote:
>> Remember, I could also use a jpeg file and have millions of colors to choose from. Unless there is something here that I don't understand (which very well could be), I can't see how anyone, without massive computer resources, could break that.
>>
>> Am I wrong?
>
> Maybe... What about OCR programs? They can read letters from images; if you could transform that into a program that could read arrows instead of characters, then you probably could crack it, also if you store random pixels in it. And that doesn't use massive computer resources :)

Yes, I was excluding that -- I was dealing only with MD5 solutions.

Of course, OCR-like programs can decipher and interpret an arrow. It would not be too hard to find the center of the square and then determine in which one of eight zones the majority of contrasting pixels were.

I did similar stuff many years ago detecting movement by comparing frames to see what areas in a frame were changing and then direct stepping motors to control the camera. Neat stuff.

Cheers,

tedd

--
---
http://sperling.com http://ancientstones.com http://earthstones.com
[PHP] Re: session in forum
http://www.sitepoint.com/article/users-php-sessions-mysql

--
itoctopus - http://www.itoctopus.com

"uni uni" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> I'm trying to make a forum for my school assignment, it's done and works well, but I want to make a session where it is read-only for unregistered users, and the registered user can automatically post new topics or comment on the other topics without filling in the name and email form cuz their name and email will be taken from the database as they have logged in.
>
> anyone can help me please?
Re: [PHP] foreach question
[EMAIL PROTECTED] wrote: "both examples do the same thing.." no, ex1 only has 1 so outputs like.. item1item2item3item4item5 Where as I want this.. item1 item2 item3 item4 item5 ie a line break after every item. hmm, if you're getting 5 results from the loop each should already have a so i dont understand what is wrong but the code it's set to put out a line break after each item. maybe i'm blind but the code is fine (with the exception that i don't use double quotes). - Original Message - From: "Sebe" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Cc: Sent: Monday, April 09, 2007 1:22 AM Subject: Re: [PHP] foreach question [EMAIL PROTECTED] wrote: I have .. foreach( $_POST as $key ) {echo "$key"; } and that gives me item1 item2 item3 item4 item5 how do I write it to give me item1 item2 item3 item4 item5 Thanks both examples do the same thing.. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] foreach question
"both examples do the same thing.." no, ex1 only has 1 so outputs like.. item1item2item3item4item5 Where as I want this.. item1 item2 item3 item4 item5 ie a line break after every item. - Original Message - From: "Sebe" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Cc: Sent: Monday, April 09, 2007 1:22 AM Subject: Re: [PHP] foreach question [EMAIL PROTECTED] wrote: I have .. foreach( $_POST as $key ) {echo "$key"; } and that gives me item1 item2 item3 item4 item5 how do I write it to give me item1 item2 item3 item4 item5 Thanks both examples do the same thing.. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] session in forum
I'm trying to make a forum for my school assignment, it's done and works well, but I want to make a session where it is read-only for unregistered users, and the registered user can automatically post new topics or comment on the other topics without filling in the name and email form cuz their name and email will be taken from the database as they have logged in.

anyone can help me please?
Re: [PHP] foreach question
[EMAIL PROTECTED] wrote:
> I have ..
>
> foreach( $_POST as $key ) {echo "$key"; }
>
> and that gives me
>
> item1
> item2
> item3
> item4
> item5
>
> how do I write it to give me
>
> item1
> item2
> item3
> item4
> item5
>
> Thanks

both examples do the same thing..
[PHP] foreach question
I have ..

foreach( $_POST as $key ) { echo "$key"; }

and that gives me

item1
item2
item3
item4
item5

how do I write it to give me

item1
item2
item3
item4
item5

Thanks
Re: [PHP] keeping credit card info in session
Jochem Maas wrote:

>unless you are a payment gateway or a bank don't touch credit card numbers.
>there are plenty of threads in the archive of this list that give good reasons
>not to e.g. being sued out of existence.

100% agreed. Never touch credit card numbers. You can't just take credit card numbers and manually process them in 'card not present' transactions (or MOTO in more archaic terms.) You need a merchant account that allows for this -- usually at a higher discount rate. Check the merchant agreement.

Your client should get an account like this, or better yet, provide you with the instructions on how to integrate his site with the payment providers so that you never have to worry about credit cards.

As an additional note... Maybe your SSL cert secures the numbers from the client to the server, and just maybe your PHP scripts have no security flaws in them, but you must remember the server itself and everything else outside of PHP. What if someone found a flaw in the FTP server for example, or the mail server even, and used that to get the CC info. I would hate to be explaining to a list of 1000 clients that I was responsible for their card numbers being stolen.

Travis Doherty
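Travis's point about the server itself, as an added example that is not part of the thread: TLS covers the connection only, while PHP's default file session handler writes `$_SESSION` to the save path unencrypted, so anything that can read that directory can read the number. The session keys `cc_number`, `cc_exp`, `cc_display` and the helper names are assumptions; run it from the PHP CLI.

```php
<?php
// Added example, not code from the thread. Uses PHP's default "files"
// session handler; the card number is the widely published 4111... test value.

ini_set('session.use_cookies', '0');   // CLI run: there is no cookie to send
ini_set('session.cache_limiter', '');  // CLI run: no cache headers either
ini_set('session.save_handler', 'files');

// Private scratch directory so the demo never touches real session files.
$dir = sys_get_temp_dir() . '/sess_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
session_save_path($dir);

/** Store $data in a fresh session, close it, and return the raw bytes on disk. */
function session_bytes_on_disk(string $dir, array $data): string
{
    session_id(bin2hex(random_bytes(16)));
    session_start();
    $_SESSION = $data;
    $file = $dir . '/sess_' . session_id();
    session_write_close();              // flushes $_SESSION to the save path
    $bytes = file_get_contents($file);
    unlink($file);
    return $bytes;
}

/** Keep only what a confirmation or receipt page needs to display. */
function mask_pan(string $pan): string
{
    $digits = preg_replace('/\D/', '', $pan);
    return str_repeat('*', max(0, strlen($digits) - 4)) . substr($digits, -4);
}

$pan = '4111111111111111'; // constructed test number, not a real card

// 1) What the original post describes: the full number held in the session.
$full = session_bytes_on_disk($dir, ['cc_number' => $pan, 'cc_exp' => '12/09']);

// 2) Only a masked value kept for the confirmation and receipt pages.
$masked = session_bytes_on_disk($dir, ['cc_display' => mask_pan($pan)]);

rmdir($dir);

// Output is deferred until all session calls are done.
echo "full number in session : $full\n";
echo 'PAN readable on disk?  : ', (strpos($full, $pan) !== false ? 'yes' : 'no'), "\n";
echo "masked value in session: $masked\n";
echo 'PAN readable on disk?  : ', (strpos($masked, $pan) !== false ? 'yes' : 'no'), "\n";
```

The first session file contains the full number in PHP's plain serialized form; the second contains only the masked string, which is all the confirmation and receipt pages described in the thread need.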
Re: [PHP] Design Dilemma - Database Data Abstraction
2007/4/8, Paul Novitski <[EMAIL PROTECTED]>:

> At 4/7/2007 09:49 AM, Martin Alterisio wrote:
> >The solution I presented is to access, and act upon, a database as if they
> >were PHP arrays, meaning that a table is presented as an array of records.
>
> This implies to me that you'll read a series of tables into arrays, modify the arrays, then update or recreate the database tables from the arrays. I can't really see how this can work for multiple users because as soon as a second user reads and starts modifying the data there will be obvious discontinuities between the two data snapshots, and updating the tables from one user will eradicate changes made by others. Is this a single-user application you're working on?

First of all, thanks for replying, I really appreciate it. Second, I'm sorry, in my wild search for help I made the mistake of making assumptions that would only lead to problems of communication. I forgot to mention the base idea for the implementation. Actually no real arrays are made, just objects that look and function like normal arrays through the SPL interfaces ArrayAccess, Countable, Iterator and IteratorAggregate.

Answering your question: no, this will be used in a multi-user environment. Basically all "array" operations will be translated to the corresponding DB operation. No caching. No postponing operations. Except for the record object, which I think I will implement so that field updates are done on object destruction, but I'm still thinking about this.

> >I could index by the order as they are presented by the DB:
> >
> >$DB['users'][0] is the first user from the query "SELECT * FROM users"
> >$DB['users'][1] is the second user from the query "SELECT * FROM users"
> >etc..
> >
> >But this have many cons. First, without a deterministic order, the array can
> >change its logic order on the whim of the DB, nobody assures that the order
> >will be kept after a modification is made to the data, and this can be
> >confusing and error prone:
> >
> >$name1 = $DB['users'][3]['name'];
> >$name2 = $DB['users'][5]['name'];
> >$DB['users'][3]['name'] = $name2;
> >$DB['users'][5]['name'] = $name1;
> >
> >The last sentence may not be writing to the adequate record.
>
> Hmm. I don't see why this wouldn't work -- you're not changing the keys (3 & 5) required to point to those unique records. I can see a problem if $name1 and $name2 were themselves the keys, but you're not doing that in this example.

Well, it could not work if those operations are translated on the spot to the corresponding DB action.

> If that were the problem, though, you could simply mandate a rule that you can never change the key of an array element that represents a data record, so that the record sequence remains what it was originally. However, making your program logic depend on the record sequence as it was read from the database seems quite iffy anyway [especially in a multi-user system]; I'd just use the data table's primary key as the array key and leave it at that. Random access rocks!
>
> From what you write, it almost seems as though you're assuming that these statements:
>
> >$DB['users'][3]['name'] = $name2;
> >$DB['users'][5]['name'] = $name1;
>
> actually modify the database records they represent. If so, what system are you using? I just don't see this happening using simple PHP and MySQL. When you read a data record into a PHP array [with, for example, mysql_fetch_array()] that array is just a static copy of the data and doesn't possess any dynamic updating power over the database. Or are you using an I/O class that you're not showing in your example code that executes a modifying query each time an "array element" is changed?

That's actually what will happen. Using the SPL is actually possible. Sorry, my mistake for not explaining it thoroughly.

> >Another possible indexation could be by the value of the PK, but this also
> >have some problems. First, it can be confusing if the PK is an autonumeric
> >int, as this might be seen as a numeric indexation.
>
> You can prefix an autonumber field with alphabetic characters to force it away from numeric indexing:
>
>     $sKey = str_pad($aDataRecord['recno'], $iPadLength, 'pk_00', STR_PAD_LEFT);
>     $aArray[$sKey] = $aDataRecord;
>
> e.g., recno 12345 becomes array key 'pk_012345'
>
> Using str_pad(...LEFT) ensures that the array keys will be in the same sequence as the data records even though the autonumber values will be composed of differing numbers of digits. You just have to choose a pad length that equals the longest series of digits your database will generate for an autonumber field.

But suppose $user holds the info of a user record:

    $DB['users'][$user['id']]

I would like that to point to the same user. Still, I'll think this over thoroughly. Thanks

> >Second, not all tables
> >have only one field as PK (I can ask that all tables have at least a PK, but
> >I can't ask that the PK is made of only one field).
>
> You can construct a single array key from multiple databas
Re: [PHP] keeping credit card info in session
On Sunday 08 April 2007 18:54, Jochem Maas wrote:
> > So... What about PayPal or another similar service?? =]
>
> well:
>
> a, you're not PayPal or F2B.
> b, they are both payment providers.

Sorry... I didn't understand! =x

[]s

--
Davi Vidal
[EMAIL PROTECTED]
[EMAIL PROTECTED]
--
Now with fortune:
"/*
 * Should be panic but... (Why are BSD people panic obsessed ??)
 */
linux-2.0.38/net/ipv4/ip_fw.c"
Re: [PHP] keeping credit card info in session
Davi wrote:
> On Sunday 08 April 2007 18:37, Jochem Maas wrote:
>> unless you are a payment gateway or a bank don't touch credit card numbers.
>> there are plenty of threads in the archive of this list that give good
>> reasons not to e.g. being sued out of existence.
>>
>> get a payment provider and let them handle the transaction automatically,
>> the site admin could be given a system whereby he/she can fire off email to
>> customers that give them a url to (and instruct them to) complete a
>> payment at your chosen payment provider if a manual check needs to occur
>> before a payment is initiated.
>>
>> storing CC numbers on your machine is rather like walking around carrying
>> hot coals ... sooner or later you will be burned.
>
> So... What about PayPal or another similar service?? =]

well:

a, you're not PayPal or F2B.
b, they are both payment providers.

> Here, in Brazil, I'm using PayPal [1] and F2B [2].
>
> It's better than assuming the risks... =]
>
> []s
>
> [1] - www.paypal.com
> [2] - www.f2b.com.br
Re: [PHP] keeping credit card info in session
On Sunday 08 April 2007 18:37, Jochem Maas wrote:
> unless you are a payment gateway or a bank don't touch credit card numbers.
> there are plenty of threads in the archive of this list that give good
> reasons not to e.g. being sued out of existence.
>
> get a payment provider and let them handle the transaction automatically,
> the site admin could be given a system whereby he/she can fire off email to
> customers that give them a url to (and instruct them to) complete a
> payment at your chosen payment provider if a manual check needs to occur
> before a payment is initiated.
>
> storing CC numbers on your machine is rather like walking around carrying
> hot coals ... sooner or later you will be burned.

So... What about PayPal or another similar service?? =]

Here, in Brazil, I'm using PayPal [1] and F2B [2].

It's better than assuming the risks... =]

[]s

[1] - www.paypal.com
[2] - www.f2b.com.br

--
Davi Vidal
[EMAIL PROTECTED]
[EMAIL PROTECTED]
--
Now with fortune:
"FORTUNE'S RANDOM QUOTES FROM MATCH GAME 75, NO. 1:
Gene Rayburn: We'd like to close with a thought for the day, friends --- something ...
Someone: (interrupting) Uh-oh
Gene Rayburn: ...pithy, full of wisdom --- and we call on the Poet Laureate, Lipsy Russell
Lipsy Russell: The young people are very different today, and there is one sure way to know: Kids to use to ask where they came from, now they'll tell you where you can go.
All: (laughter)"
Re: [PHP] keeping credit card info in session
Notice the URL starts with 'usa'. In other countries you do have to go by the local laws. - Original Message - From: "Dan Harrington" <[EMAIL PROTECTED]> To: "'Satyam'" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; Sent: Sunday, April 08, 2007 11:32 PM Subject: RE: [PHP] keeping credit card info in session Its not the country rules to worry about, it is Visa and MasterCard who will come down hard on you with $$ penalties if you don't maintain cardholder security correctly. http://usa.visa.com/merchants/risk_management/cisp.html?ep=v_sym_cisp Dan -- Dan Harrington NXGEN Payment Services 112 12th Ave. S. Nampa, ID 83651 208-498-1666 (voice) 208-498-1667 (fax) [EMAIL PROTECTED] -Original Message- From: Satyam [mailto:[EMAIL PROTECTED] Sent: Sunday, April 08, 2007 3:25 PM To: [EMAIL PROTECTED]; php-general@lists.php.net Subject: Re: [PHP] keeping credit card info in session Check the local legislation regarding keeping such sensitive information. Many countries do have strict requirements for handling credit card info. Your bank might help you find what the rules are. Satyam - Original Message - From: <[EMAIL PROTECTED]> To: Sent: Sunday, April 08, 2007 8:26 PM Subject: [PHP] keeping credit card info in session Hi All, I've got quite a bit or php experience, but I've never had to deal with credit card info before. Now for a property rental site, I'm adding a way for users to be able to fill out a form which also has some credit card info in it. After they submit the form, there are a couple of more steps and to pass credit card info to the last page, I'm storing all the info in my session. Now, I did go and bought an SSL certificate, so the booking section of the site is on SSL (https). I'm just wondering if this is secure enough. as far as I know, SSL means connection to server is secured, so session variables should be secured too. no? 
Also after I get credit card info, I'm storing them in a mysql table until an admin would log in to the site, see new reservations, charge them manually and contact the customer, and then that entry will be removed from my database for ever. Is this ok? or is it a really bad idea? originally the plan was to send an email to the admin with credit card info, but then I realized that emails are very unsecure. so I decided to keep the info on the SSL section of the site. just because I'm dealing with credit cards, I'm so afraid of doing anything now. Any suggestions? or perhaps any links to how to make it all more secure? Thanks a lot in advance, Siavash
Re: [PHP] keeping credit card info in session
unless you are a payment gateway or a bank don't touch credit card numbers. there are plenty of threads in the archive of this list that give good reasons not to e.g. being sued out of existence. get a payment provider and let them handle the transaction automatically, the site admin could be given a system whereby he/she can fire off email to customers that give them a url to (and instruct them to) complete a payment at your choose payment provider if a manual check needs to occur before a payment is initiated. storing CC numbers on your machine is rather like walking around carrying hot coals ... sooner or later you will be burned. [EMAIL PROTECTED] wrote: > Hi All, > > I've got quite a bit or php experience, but I've never had to deal with > credit > card info before. Now for a property rental site, I'm adding a way for users > to > be able to fill out a form which also has some credit card info in it. > > After they submit the form, there are a couple of more steps and to pass > credit > card info to the last page, I'm storing all the info in my session. Now, I > did > go and bought an SSL certificate, so the booking section of the site is on > SSL > (https). I'm just wondering if this is secure enough. as far as I know, SSL > means connection to server is secured, so session variables should be secured > too. no? > > Also after I get credit card info, I'm storing them in a mysql table until an > admin would log in to the site, see new reservations, charge them manually > and > contact the customer, and then that entry will be removed from my database > for > ever. Is this ok? or is it a really bad idea? originally the plan was to send > an email to the admin with credit card info, but then I realized that emails > are very unsecure. so I decided to keep the info on the SSL section of the > site. > > just because I'm dealing with credit cards, I'm so afraid of doing anything > now. Any suggestions? or perhaps any links to how to make it all more secure? 
> > Thanks a lot in advance, > Siavash > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] keeping credit card info in session
Its not the country rules to worry about, it is Visa and MasterCard who will come down hard on you with $$ penalties if you don't maintain cardholder security correctly. http://usa.visa.com/merchants/risk_management/cisp.html?ep=v_sym_cisp Dan -- Dan Harrington NXGEN Payment Services 112 12th Ave. S. Nampa, ID 83651 208-498-1666 (voice) 208-498-1667 (fax) [EMAIL PROTECTED] -Original Message- From: Satyam [mailto:[EMAIL PROTECTED] Sent: Sunday, April 08, 2007 3:25 PM To: [EMAIL PROTECTED]; php-general@lists.php.net Subject: Re: [PHP] keeping credit card info in session Check the local legislation regarding keeping such sensitive information. Many countries do have strict requirements for handling credit card info. Your bank might help you find what the rules are. Satyam - Original Message - From: <[EMAIL PROTECTED]> To: Sent: Sunday, April 08, 2007 8:26 PM Subject: [PHP] keeping credit card info in session > > Hi All, > > I've got quite a bit or php experience, but I've never had to deal with > credit > card info before. Now for a property rental site, I'm adding a way for > users to > be able to fill out a form which also has some credit card info in it. > > After they submit the form, there are a couple of more steps and to pass > credit > card info to the last page, I'm storing all the info in my session. Now, I > did > go and bought an SSL certificate, so the booking section of the site is on > SSL > (https). I'm just wondering if this is secure enough. as far as I know, > SSL > means connection to server is secured, so session variables should be > secured > too. no? > > Also after I get credit card info, I'm storing them in a mysql table until > an > admin would log in to the site, see new reservations, charge them manually > and > contact the customer, and then that entry will be removed from my database > for > ever. Is this ok? or is it a really bad idea? 
originally the plan was to > send > an email to the admin with credit card info, but then I realized that > emails > are very unsecure. so I decided to keep the info on the SSL section of the > site. > > just because I'm dealing with credit cards, I'm so afraid of doing > anything > now. Any suggestions? or perhaps any links to how to make it all more > secure? > > Thanks a lot in advance, > Siavash > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > > > > -- > No virus found in this incoming message. > Checked by AVG Free Edition. > Version: 7.5.446 / Virus Database: 269.0.0/751 - Release Date: 07/04/2007 > 22:57 > > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] keeping credit card info in session
Check the local legislation regarding keeping such sensitive information. Many countries do have strict requirements for handling credit card info. Your bank might help you find what the rules are.

Satyam

----- Original Message -----
From: <[EMAIL PROTECTED]>
To:
Sent: Sunday, April 08, 2007 8:26 PM
Subject: [PHP] keeping credit card info in session

Hi All,

I've got quite a bit of php experience, but I've never had to deal with credit card info before. Now for a property rental site, I'm adding a way for users to be able to fill out a form which also has some credit card info in it.

After they submit the form, there are a couple of more steps and to pass credit card info to the last page, I'm storing all the info in my session. Now, I did go and buy an SSL certificate, so the booking section of the site is on SSL (https). I'm just wondering if this is secure enough. as far as I know, SSL means connection to server is secured, so session variables should be secured too. no?

Also after I get credit card info, I'm storing them in a mysql table until an admin would log in to the site, see new reservations, charge them manually and contact the customer, and then that entry will be removed from my database for ever. Is this ok? or is it a really bad idea? originally the plan was to send an email to the admin with credit card info, but then I realized that emails are very unsecure. so I decided to keep the info on the SSL section of the site.

just because I'm dealing with credit cards, I'm so afraid of doing anything now. Any suggestions? or perhaps any links to how to make it all more secure?

Thanks a lot in advance,
Siavash
[PHP] Re: keeping credit card info in session
Usually paying should be the last step, so you might probably want to review your workflow. Anyways, if you're storing the credit card in the database, then why are you also storing it in the session, you can just query the database for the credit card based on the session id (so you should also store the session id in that table). Since you're storing the credit card in the database, then you should encrypt the credit card (there are plenty of encryption/decrypting algorithms on the internet for PHP). Other than that, I think everything is fine, and your system should work smoothly. -- itoctopus - http://www.itoctopus.com <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] > > Hi All, > > I've got quite a bit or php experience, but I've never had to deal with credit > card info before. Now for a property rental site, I'm adding a way for users to > be able to fill out a form which also has some credit card info in it. > > After they submit the form, there are a couple of more steps and to pass credit > card info to the last page, I'm storing all the info in my session. Now, I did > go and bought an SSL certificate, so the booking section of the site is on SSL > (https). I'm just wondering if this is secure enough. as far as I know, SSL > means connection to server is secured, so session variables should be secured > too. no? > > Also after I get credit card info, I'm storing them in a mysql table until an > admin would log in to the site, see new reservations, charge them manually and > contact the customer, and then that entry will be removed from my database for > ever. Is this ok? or is it a really bad idea? originally the plan was to send > an email to the admin with credit card info, but then I realized that emails > are very unsecure. so I decided to keep the info on the SSL section of the site. > > just because I'm dealing with credit cards, I'm so afraid of doing anything > now. Any suggestions? 
or perhaps any links to how to make it all more secure? > > Thanks a lot in advance, > Siavash -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
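An added sketch (not code from the thread) of what "encrypt the credit card" and "query the database from the session" can look like with PHP's sodium extension: the table row holds only ciphertext, the session holds only a random reference and the last four digits, and the key lives outside the database. The class name, the `$rows` array standing in for the MySQL table, and the use of a random reference instead of the session id as the lookup key are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. CardVault, its methods and the
// $rows array (a stand-in for the MySQL table) are hypothetical names.
// Requires the sodium extension (bundled with PHP since 7.2).
final class CardVault
{
    private string $key;

    /** Stand-in for the table; public only so the demo can tamper with it. */
    public array $rows = [];

    public function __construct(string $key)
    {
        if (strlen($key) !== SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_KEYBYTES) {
            throw new InvalidArgumentException('wrong key length');
        }
        $this->key = $key;
    }

    /** Encrypts and stores the number; returns the only data meant for $_SESSION. */
    public function store(string $pan): array
    {
        $pan = (string) preg_replace('/[\s-]+/', '', $pan);
        if (!preg_match('/\A\d{12,19}\z/', $pan)) {
            throw new InvalidArgumentException('not a card number');
        }
        $ref   = bin2hex(random_bytes(16)); // random lookup key, unrelated to the session id
        $nonce = random_bytes(SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES);
        // The row reference is authenticated as associated data, so a
        // ciphertext copied into another row fails to decrypt.
        $box = sodium_crypto_aead_xchacha20poly1305_ietf_encrypt($pan, $ref, $nonce, $this->key);
        $this->rows[$ref] = ['nonce' => $nonce, 'box' => $box];

        return ['card_ref' => $ref, 'card_last4' => substr($pan, -4)];
    }

    /** Admin side: decrypt one row for the manual charge. */
    public function reveal(string $ref): string
    {
        if (!isset($this->rows[$ref])) {
            throw new RuntimeException('no such row');
        }
        $row = $this->rows[$ref];
        $pan = sodium_crypto_aead_xchacha20poly1305_ietf_decrypt($row['box'], $ref, $row['nonce'], $this->key);
        if ($pan === false) {
            throw new RuntimeException('row was altered or key is wrong');
        }
        return $pan;
    }

    /** Remove the row once the charge has been made. */
    public function delete(string $ref): void
    {
        unset($this->rows[$ref]);
    }
}

function throwsOn(callable $fn): bool
{
    try {
        $fn();
    } catch (RuntimeException $e) {
        return true;
    }
    return false;
}

// Constructed demo. In a deployment the key is loaded from outside the
// database and the web root; here it is generated per run.
$vault   = new CardVault(sodium_crypto_aead_xchacha20poly1305_ietf_keygen());
$testPan = '4111111111111111'; // widely used test number, not a real card
$session = $vault->store('4111 1111 1111 1111');
$ref     = $session['card_ref'];

$checks = [
    'session holds no full number' => strpos(serialize($session), $testPan) === false,
    'table holds no full number'   => strpos(serialize($vault->rows), $testPan) === false,
    'admin can decrypt'            => $vault->reveal($ref) === $testPan,
];

$vault->rows['other-row'] = $vault->rows[$ref]; // ciphertext moved to another row
$checks['moved ciphertext rejected'] = throwsOn(fn () => $vault->reveal('other-row'));

$vault->delete($ref);
$checks['deleted row is gone'] = throwsOn(fn () => $vault->reveal($ref));

foreach ($checks as $name => $ok) {
    echo ($ok ? 'ok   ' : 'FAIL ') . $name . PHP_EOL;
}
```

Anyone who can read both the key and the table can still decrypt every row, so where the key is kept and who can reach it decide how much this protects.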
Re: [PHP] which CMS are you using and why?
Fernando Cosso wrote: Well that's the question. I have to start a new project and I have to decide the CMS. I have thought mambo will do, but looking at the documentation, it disappointed me a little. I need a documentation with examples of the objects, functions and all that stuff. The project has to be mature (That why I like mambo). The cms has to be flexible, with a very large community. bitweaver www.bitweaver.org -- Lester Caine - G8HFL - Contact - http://home.lsces.co.uk/lsces/wiki/?page=contact L.S.Caine Electronic Services - http://home.lsces.co.uk MEDW - http://home.lsces.co.uk/ModelEngineersDigitalWorkshop/ Treasurer - Firebird Foundation Inc. - http://www.firebirdsql.org/index.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] keeping credit card info in session
On Sunday 08 April 2007 15:26, [EMAIL PROTECTED] wrote:
> Hi All,
>
> I've got quite a bit of php experience, but I've never had to deal with
> credit card info before. Now for a property rental site, I'm adding a way
> for users to be able to fill out a form which also has some credit card
> info in it.
>
> After they submit the form, there are a couple of more steps and to pass
> credit card info to the last page, I'm storing all the info in my session.
> Now, I did go and buy an SSL certificate, so the booking section of the
> site is on SSL (https). I'm just wondering if this is secure enough. as far
> as I know, SSL means connection to server is secured, so session variables
> should be secured too. no?
>
> Also after I get credit card info, I'm storing them in a mysql table until
> an admin would log in to the site, see new reservations, charge them
> manually and contact the customer, and then that entry will be removed from
> my database for ever. Is this ok? or is it a really bad idea? originally
> the plan was to send an email to the admin with credit card info, but then
> I realized that emails are very unsecure. so I decided to keep the info on
> the SSL section of the site.
>
> just because I'm dealing with credit cards, I'm so afraid of doing anything
> now. Any suggestions? or perhaps any links to how to make it all more
> secure?
>
> Thanks a lot in advance,
> Siavash

Just one thing: how about encrypting the DB data with base64 or anything else? Some PGP key... Whatever... JMO...

BTW, I liked your solution (store in DB)... I would use it...

[]s

--
Davi Vidal
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[PHP] keeping credit card info in session
Hi All,

I've got quite a bit of php experience, but I've never had to deal with credit card info before. Now for a property rental site, I'm adding a way for users to be able to fill out a form which also has some credit card info in it.

After they submit the form, there are a couple of more steps and to pass credit card info to the last page, I'm storing all the info in my session. Now, I did go and buy an SSL certificate, so the booking section of the site is on SSL (https). I'm just wondering if this is secure enough. as far as I know, SSL means connection to server is secured, so session variables should be secured too. no?

Also after I get credit card info, I'm storing them in a mysql table until an admin would log in to the site, see new reservations, charge them manually and contact the customer, and then that entry will be removed from my database for ever. Is this ok? or is it a really bad idea? originally the plan was to send an email to the admin with credit card info, but then I realized that emails are very unsecure. so I decided to keep the info on the SSL section of the site.

just because I'm dealing with credit cards, I'm so afraid of doing anything now. Any suggestions? or perhaps any links to how to make it all more secure?

Thanks a lot in advance,
Siavash
Re: [PHP] MD5 & bot Question
just a few random thought on how to make it even more painful to crack. random colored borders, random border width, slight changes in width/height, random pixel noise or varying colors, animated gifs (where does the arrow stop), animated gifs (where does the red/pink/blue/green arrow point to), make the letters random with regard to character and position [and make the letters generated images them selves] that way know where the arrow is pointing is only half the solution. or may rather take this technique and combine it with std captcha such that you output an image with a stack of [freaky] letters in it and one of them has an arrow pointing at it. yadda yadda. in theory it's all crackable - but somewhere along the line the problem becomes too hard to make it worth the effort to try (unless your securing Fort Knox or something) Tijnema ! wrote: > On 4/8/07, tedd <[EMAIL PROTECTED]> wrote: >> At 9:42 AM +0200 4/8/07, Tijnema ! wrote: >> >You can't stop me :) >> > >> >http://86.86.80.41/dev/debug/tedd.php >> > >> >It's cracked again :) >> > >> >and of course i show you the code: >> > >> >http://86.86.80.41/dev/debug/tedd.txt >> > >> >Waiting for your next try :P >> > >> >> Tijnema: >> >> I might not be able to stop you, but I am sure I can wear you out. >> >> Here's my latest: >> >> http://sperling.com/a/arrows/ >> >> But before you spend too much time tying to figure it out, which with >> a HEX editor you should be able to easily discover -- this is what I >> did. >> >> 1. All my arrow GIF files range in size from about 500 bytes to 1.1 >> KB (it's not important to the solution, just a matter of range); >> >> 2. Between DEC 64 (HEX 40) to DEC 109 (HEX 6C) in the header exist >> all zeros. They don't provide any information regarding this image; >> >> 3. I simply used this area to store a single HEX number ranging from >> 0 to 255 DEC (HEX 0-255); >> >> 4. This gave me 11,475 different combinations for each GIF by >> changing a single bye in the header. 
If I used two bytes in the >> header, then the combinations would square. If I used all available >> space, then the possible combinations would be 11,475 to the 255 >> power (if my math is right) for each GIF. >> >> True, you could: >> >> 1. Record every MD5 of every combination for every GIF (8 x >> 11,475^255 different combinations) and then use those to crack this; >> >> 2. OR, simply zero out the area from DEC 64 to DEC 109 and use that. >> >> Either case would break my code. > > Since you're already telling how to break, i'm not gonna break it > anymore :) > Btw, also you should be able to convert it to JPEG/PNG/BMP/TIFF and > then convert it back to GIF. That should clean up the header :) > >> >> However, I am positive if I generated the image "on the fly" OR >> merged the image with a single randomized placement pixel I could >> generate an image that would be easily recognized by a human but not >> resolved by a MD5 solution. >> >> Remember, I could also use a jpeg file and have millions of colors to >> chose from. Unless, there is something here that I don't understand >> (which very well could be), I can't see how anyone, without massive >> computer resources, could break that. >> >> Am I wrong? > > Maybe... What about OCR programs? they can read letters from images, > if you could transfrom that to an program that could read arrows > instead of characters. then you probably could crack it, also if you > store random pixels in it. And that doesn't use massive computer > resources :) > > That's why i wanted to go for movies, because they are a lot harder to > process, but still they are processable by a bot, and so it could be > cracked > > I don't think any of us will ever find a code that's not crackable, > but the amount of time needed to crack needs to be as high as > possible, so that crackers will stay away because it takes way too > much time, and maybe also too much computer resources. 
But while doing > this, it should never disturb the normal user from using your site. > > >> >> Cheers, >> >> tedd >> >> PS: I love these types of discussions > > Me too :) >> -- >> --- >> http://sperling.com http://ancientstones.com http://earthstones.com >> > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] which CMS are you using and why?
I have just upgraded to Drupal 5 and so far am very impressed - D5 comes bundled with the jquery library and I have found drupal to be very powerful with a wide and supportive community.
Re: [PHP] MD5 & bot Question
On 4/8/07, tedd <[EMAIL PROTECTED]> wrote: At 9:42 AM +0200 4/8/07, Tijnema ! wrote: >You can't stop me :) > >http://86.86.80.41/dev/debug/tedd.php > >It's cracked again :) > >and of course i show you the code: > >http://86.86.80.41/dev/debug/tedd.txt > >Waiting for your next try :P > Tijnema: I might not be able to stop you, but I am sure I can wear you out. Here's my latest: http://sperling.com/a/arrows/ But before you spend too much time tying to figure it out, which with a HEX editor you should be able to easily discover -- this is what I did. 1. All my arrow GIF files range in size from about 500 bytes to 1.1 KB (it's not important to the solution, just a matter of range); 2. Between DEC 64 (HEX 40) to DEC 109 (HEX 6C) in the header exist all zeros. They don't provide any information regarding this image; 3. I simply used this area to store a single HEX number ranging from 0 to 255 DEC (HEX 0-255); 4. This gave me 11,475 different combinations for each GIF by changing a single bye in the header. If I used two bytes in the header, then the combinations would square. If I used all available space, then the possible combinations would be 11,475 to the 255 power (if my math is right) for each GIF. True, you could: 1. Record every MD5 of every combination for every GIF (8 x 11,475^255 different combinations) and then use those to crack this; 2. OR, simply zero out the area from DEC 64 to DEC 109 and use that. Either case would break my code. Since you're already telling how to break, i'm not gonna break it anymore :) Btw, also you should be able to convert it to JPEG/PNG/BMP/TIFF and then convert it back to GIF. That should clean up the header :) However, I am positive if I generated the image "on the fly" OR merged the image with a single randomized placement pixel I could generate an image that would be easily recognized by a human but not resolved by a MD5 solution. Remember, I could also use a jpeg file and have millions of colors to chose from. 
Unless, there is something here that I don't understand (which very well could be), I can't see how anyone, without massive computer resources, could break that. Am I wrong? Maybe... What about OCR programs? they can read letters from images, if you could transfrom that to an program that could read arrows instead of characters. then you probably could crack it, also if you store random pixels in it. And that doesn't use massive computer resources :) That's why i wanted to go for movies, because they are a lot harder to process, but still they are processable by a bot, and so it could be cracked I don't think any of us will ever find a code that's not crackable, but the amount of time needed to crack needs to be as high as possible, so that crackers will stay away because it takes way too much time, and maybe also too much computer resources. But while doing this, it should never disturb the normal user from using your site. Cheers, tedd PS: I love these types of discussions Me too :) -- --- http://sperling.com http://ancientstones.com http://earthstones.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] MD5 & bot Question
At 12:38 AM +0100 4/8/07, Stut wrote:
>tedd wrote:
>>Okay, I think I figured out a fix -- try it again. :-)
>>
>>http://sperling.com/a/arrows/
>
>A little knowledge is a dangerous thing. Give up now, while you're still sane.
>
>Think about what you're trying to do. You're trying to do something different on the client every time, but without letting that client know something is different. It really really really can't be done. Something needs to be visually different, therefore something in what the client gets needs to be different. Do you see why it's not possible now?
>
>-Stut

-Stut:

With all due respect, I figure that you've probably forgotten more about php than I know, but sometimes people have to find out for themselves. That's what I'm doing.

However, in the past I have gone up against conventional theory and changed it. I don't think this is one of those times, but who knows? Perhaps you know better, but I don't know yet.

The way I figure it, in an image I have 72 dots per square inch -- so, in one square inch that's 5,184 places for me to store a 24 bit key. To me, that's a lot of places to hide my Easter egg -- is that not enough?

Cheers,

tedd
--
http://sperling.com http://ancientstones.com http://earthstones.com
Re: [PHP] MD5 & bot Question
At 9:42 AM +0200 4/8/07, Tijnema ! wrote:
>You can't stop me :)
>
>http://86.86.80.41/dev/debug/tedd.php
>
>It's cracked again :)
>
>and of course i show you the code:
>
>http://86.86.80.41/dev/debug/tedd.txt
>
>Waiting for your next try :P

Tijnema:

I might not be able to stop you, but I am sure I can wear you out.

Here's my latest:

http://sperling.com/a/arrows/

But before you spend too much time trying to figure it out, which with a HEX editor you should be able to easily discover -- this is what I did.

1. All my arrow GIF files range in size from about 500 bytes to 1.1 KB (it's not important to the solution, just a matter of range);

2. Between DEC 64 (HEX 40) to DEC 109 (HEX 6C) in the header exist all zeros. They don't provide any information regarding this image;

3. I simply used this area to store a single HEX number ranging from 0 to 255 DEC (HEX 0-255);

4. This gave me 11,475 different combinations for each GIF by changing a single byte in the header. If I used two bytes in the header, then the combinations would square. If I used all available space, then the possible combinations would be 11,475 to the 255 power (if my math is right) for each GIF.

True, you could:

1. Record every MD5 of every combination for every GIF (8 x 11,475^255 different combinations) and then use those to crack this;

2. OR, simply zero out the area from DEC 64 to DEC 109 and use that.

Either case would break my code.

However, I am positive if I generated the image "on the fly" OR merged the image with a single randomized placement pixel I could generate an image that would be easily recognized by a human but not resolved by a MD5 solution.

Remember, I could also use a jpeg file and have millions of colors to choose from. Unless, there is something here that I don't understand (which very well could be), I can't see how anyone, without massive computer resources, could break that.

Am I wrong?

Cheers,

tedd

PS: I love these types of discussions
--
http://sperling.com http://ancientstones.com http://earthstones.com
[PHP] Re: which CMS are you using and why?
Mambo/Joomla, they're both great. Wordpress is also excellent, though I'm not sure it would fit your needs. -- itoctopus - http://www.itoctopus.com ""Fernando Cosso"" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] > Well that's the question. > I have to start a new project and I have to decide the CMS. > I have thought mambo will do, but looking at the documentation, it > disappointed me a little. > I need a documentation with examples of the objects, functions and all that > stuff. The project has to be mature (That why I like mambo). The cms has to > be flexible, with a very large community. > Thanks in advance for your comments > Best regards > > -- > [EMAIL PROTECTED] > http://www.fernandocosso.com.ar > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Re: PHP textbook suggestions?
Chris Lott wrote: I will be teaching, so a book that a student can-- before the class-- work through and understand is good-- doesn't have to be a traditional textbook! But it shouldn't be a reference manual either. If you're looking for an up-to-date beginner's book that advocates (what I consider to be) good practice, you might want to consider my "PHP Solutions" (http://foundationphp.com/phpsolutions/). It takes a practical approach, is based on PHP 5, but also offers PHP alternatives if PHP 5 isn't available. It has received good reviews on Amazon. If you are considering it for adoption as a textbook, my publisher (friends of ED) supplies textbook review copies: http://www.friendsofed.com/contact.html#academic -- David Powers -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Re: PHP4 vs PHP5
Fernando Cosso wrote:
> I'm sure Mambo is ready for php5.

I personally prefer Joomla! which is a fork of Mambo from about a year or so ago. You may be happy with Mambo but I'd take a look at Joomla too as it may fit your needs better. It seems that the majority of community support is for Joomla and Mambo seems to have suffered as a result (the whole split/fork happened due to politics and license decisions and the formation of a for-profit Mambo Foundation which seemed to go against the spirit of the overall community).

Just letting you know in case you've not found it out yourself yet!

Cheers
Col.
[PHP] Re: which CMS are you using and why?
Fernando Cosso wrote: > Well that's the question. > I have to start a new project and I have to decide the CMS. > I have thought mambo will do, but looking at the documentation, it > disappointed me a little. > I need a documentation with examples of the objects, functions and all that > stuff. The project has to be mature (That why I like mambo). The cms has to > be flexible, with a very large community. > Thanks in advance for your comments > Best regards > I use Joomla a lot. It is basically Mambo but more community led. Version 1.5 which is on the horizon (in beta just now) will solve a lot of the "problems" when working with older Joomlas/Mambo e.g. plugins, documentation etc. Other people I know really like Drupal too but I've not really gone down that route myself so cannot comment. Col -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] which CMS are you using and why?
Fernando Cosso wrote:
> Well that's the question.
> I have to start a new project and I have to decide the CMS.
> I have thought mambo will do, but looking at the documentation, it
> disappointed me a little.
> I need a documentation with examples of the objects, functions and all that
> stuff. The project has to be mature (That why I like mambo). The cms has to
> be flexible, with a very large community.
> Thanks in advance for your comments
> Best regards

Hiya..

Take a look at e107, I've been using it for quite some projects, and it's very flexible and has good support for multiple languages as well. Find it on http://e107.org

--
Anders Norrbring
Norrbring Consulting
Re: [PHP] spl DirectoryIterator
Matthew Dellar wrote:
> I have a problem,
>
> I need to turn an iterator into an array, but when I do, some methods I
> need to use stop working.

why do you need to turn it into an array? maybe there is an alternative?

my first reaction would be that if you really need an array then you'll probably be required to write your own conversion function, e.g.

function myI2A(DirectoryIterator $i)
{
    $a = array();
    foreach ($i as $el) {
        $a[] = array(
            'file' => $el->getFileName(),
            'path' => $el->getPath(),
            // etc
        );
    }
    return $a;
}

>
> Take a look at the following example:
>
> $dir = 'c:/';
> $files = new DirectoryIterator($dir);
> //$files = iterator_to_array($files);
> foreach ($files as $file) {

$file is, AFAIC tell, a reference to the DirectoryIterator object ... the methods $file exposes are methods of the DirectoryIterator object that return values in the context of the current position in the iterator.

this thinking is based on the following docs:

http://www.php.net/~helly/php/ext/spl/classDirectoryIterator.html

and the stub-docs at php.net.

>     echo "{$file->getFileName()}";//works
>     echo "{$file->getPath()}";//works
> }
>
> It works as expected. However, when the iterator is turned into an array:
>
> $dir = 'c:/';
> $files = new DirectoryIterator($dir);
> $files = iterator_to_array($files);

given what I said above (and assuming it is correct) this would explain why you're getting back an array of DirectoryIterator objects. my guess is that iterator_to_array() can't currently handle all kinds of iterator (especially more exotic implementations)

> foreach ($files as $file) {
>     echo "{$file->getFileName()}"; //does not work
>     echo "{$file->getPath()}";//works
> }
>
> It stops working. Can someone please help me, as a have tried and failed
> to find the cause of the problem.
>
Re: [PHP] MD5 & bot Question
but most people have different ones :) you could also use a random position :) fooeee.

Robert Cummings wrote:

On Sun, 2007-04-08 at 05:41 -0700, benifactor wrote:

indeed. i was just throwing out the idea of ever changing values.

Except IP addresses aren't ever changing ;)

Cheers,
Rob.
Re: [PHP] MD5 & bot Question
On Sun, 2007-04-08 at 05:41 -0700, benifactor wrote:
> indeed. i was just throwing out the idea of ever changing values.

Except IP addresses aren't ever changing ;)

Cheers,
Rob.
--
InterJinn Application Framework - http://www.interjinn.com
An application and templating framework for PHP. Boasting a powerful, scalable system for accessing system services such as forms, properties, sessions, and caches. InterJinn also provides an extremely flexible architecture for creating re-usable components quickly and easily.
Re: [PHP] MD5 & bot Question
indeed. i was just throwing out the idea of ever changing values.

Robert Cummings wrote:

On Sun, 2007-04-08 at 04:38 -0700, benifactor wrote:

hmm, why don't you md5 more than once..

for example, use a condition that will change with every visitor. like the third num in $_SERVER['REMOTE_ADDR']; or something of the sort. then make a loop..

say the third num in my ip address is 5

the person that visits after me would get my value, and say you were right before me and yours was a 7

the md5 check for me would look like

md5(md5(md5(md5(md5(md5(md5($value)))))));

and for the person right after me

md5(md5(md5(md5(md5($value)))));

this way for each visitor, a piece of the puzzle is changed. just an idea, and have no idea if it would even work for what you're doing...

Ugh, don't do that... it's no more differentiated than doing the following which is cleaner:

md5( $_SERVER['REMOTE_ADDR'].$value );

The above uses the IP address as a salt. But better yet, since the above is still prone to abuse by the same server making repeat attempts, create a multi-salt system...

$salt1 = 'YoUR SeKreT SaLT';
$salt2 = time();
$salt3 = uniqid();

$md5 = md5( $salt1.'__'.$salt2.'__'.$salt3.'__'.$value );

Then in your form you include the value of $salt2, $salt3, and $md5. In this way only those who know the secret salt can rebuild the md5 to check validity. Presumably you won't allow the same md5 to be used twice. The time is tracked so that you can limit validity of the salt for a period of time. So if the time on your server is more than 20 minutes ahead of the time for the submission, you can feel free to delete entries in your database since the time has expired. This allows you to not need to track all md5s ever generated. Only the last X minutes of md5s.

If you implement this, Tijnema won't be able to break it.

Cheers,
Rob.
Re: [PHP] MD5 & bot Question
On Sun, 2007-04-08 at 04:38 -0700, benifactor wrote:
> hmm, why don't you md5 more than once..
>
> for example, use a condition that will change with every visitor. like
> the third num in $_SERVER['REMOTE_ADDR']; or something of the sort.
> then make a loop..
>
> say the third num in my ip address is 5
>
> the person that visits after me would get my value, and say you were
> right before me and yours was a 7
>
> the md5 check for me would look like
>
> md5(md5(md5(md5(md5(md5(md5($value)))))));
>
> and for the person right after me
>
> md5(md5(md5(md5(md5($value)))));
>
> this way for each visitor, a piece of the puzzle is changed. just an
> idea, and have no idea if it would even work for what you're doing...

Ugh, don't do that... it's no more differentiated than doing the following which is cleaner:

md5( $_SERVER['REMOTE_ADDR'].$value );

The above uses the IP address as a salt. But better yet, since the above is still prone to abuse by the same server making repeat attempts, create a multi-salt system...

$salt1 = 'YoUR SeKreT SaLT';
$salt2 = time();
$salt3 = uniqid();

$md5 = md5( $salt1.'__'.$salt2.'__'.$salt3.'__'.$value );

Then in your form you include the value of $salt2, $salt3, and $md5. In this way only those who know the secret salt can rebuild the md5 to check validity. Presumably you won't allow the same md5 to be used twice. The time is tracked so that you can limit validity of the salt for a period of time. So if the time on your server is more than 20 minutes ahead of the time for the submission, you can feel free to delete entries in your database since the time has expired. This allows you to not need to track all md5s ever generated. Only the last X minutes of md5s.

If you implement this, Tijnema won't be able to break it.

Cheers,
Rob.
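Rob's token scheme from the message above (secret salt, timestamp, unique id, single use, 20-minute window), written out as an added example that is not code from the thread. It substitutes hash_hmac() with SHA-256 for the md5() concatenation and random_bytes() for uniqid(); SECRET, LIFETIME, the function names and the array standing in for the database table of spent tokens are assumptions.

```php
<?php
// Added example, not code from the thread. SECRET, LIFETIME, the function
// names and the array used as the spent-token store are assumptions.
const SECRET   = 'replace-with-a-long-random-server-side-secret'; // $salt1
const LIFETIME = 1200; // seconds; the 20 minutes mentioned in the post

// Build the hidden form fields for $value, the answer the form expects.
function issueToken(string $value, ?int $now = null): array
{
    $time = $now ?? time();            // $salt2
    $uniq = bin2hex(random_bytes(16)); // $salt3, from the CSPRNG
    $mac  = hash_hmac('sha256', $time . '__' . $uniq . '__' . $value, SECRET);
    return ['time' => $time, 'uniq' => $uniq, 'mac' => $mac];
}

// Check a submission. $used maps mac => issue time for tokens already spent.
function verifyToken(array $form, string $answer, array &$used, ?int $now = null): string
{
    $now = $now ?? time();
    // Expired tokens are rejected below, so spent ones older than LIFETIME
    // can be forgotten: only the last LIFETIME seconds are ever tracked.
    $used = array_filter($used, fn($t) => $now - $t <= LIFETIME);

    $time = (int) ($form['time'] ?? 0);
    $uniq = (string) ($form['uniq'] ?? '');
    $mac  = (string) ($form['mac'] ?? '');
    if ($time > $now || $now - $time > LIFETIME) {
        return 'expired';
    }
    $expected = hash_hmac('sha256', $time . '__' . $uniq . '__' . $answer, SECRET);
    if (!hash_equals($expected, $mac)) { // constant-time comparison
        return 'invalid';                // wrong answer or altered fields
    }
    if (isset($used[$mac])) {
        return 'replayed';
    }
    $used[$mac] = $time;
    return 'ok';
}

// Constructed walk-through with a fixed clock ($t0 is an arbitrary timestamp).
$used = [];
$t0   = 1176000000;
$form = issueToken('left', $t0);
echo verifyToken($form, 'left', $used, $t0 + 60), "\n";           // first submission
echo verifyToken($form, 'left', $used, $t0 + 120), "\n";          // same fields again
echo verifyToken($form, 'right', $used, $t0 + 180), "\n";         // wrong answer
echo verifyToken($form, 'left', $used, $t0 + LIFETIME + 1), "\n"; // after the window
```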
Re: [PHP] MD5 & bot Question
hmm, why don't you md5 more than once..

for example, use a condition that will change with every visitor. like the third num in $_SERVER['REMOTE_ADDR']; or something of the sort. then make a loop..

say the third num in my ip address is 5

the person that visits after me would get my value, and say you were right before me and yours was a 7

the md5 check for me would look like

md5(md5(md5(md5(md5(md5(md5($value)))))));

and for the person right after me

md5(md5(md5(md5(md5($value)))));

this way for each visitor, a piece of the puzzle is changed. just an idea, and have no idea if it would even work for what you're doing...

Tijnema ! wrote:

On 4/8/07, Tijnema ! <[EMAIL PROTECTED]> wrote:

On 4/8/07, tedd <[EMAIL PROTECTED]> wrote:
> >>Well, I cracked it for you :)
> >>
> >>http://86.86.80.41/dev/debug/tedd.php
> >>
> >>At the bottom it shows you the MD5 code of your arrow image, and it
> >>shows you which way it points to :)
> >>
> >>If you're interested in the code:
> >>
> >>http://86.86.80.41/dev/debug/tedd.txt
> >>
> >>Tijnema
>
> Tijnema:
>
> Okay, I think I figured out a fix -- try it again. :-)
>
> http://sperling.com/a/arrows/
>
> A little knowledge is a dangerous thing.
>
> Cheers,
>
> tedd

Looks interesting. It generates a different MD5 each time
I'll take a deeper look at it today, and hope to find a way to crack it :)

Tijnema

You can't stop me :)

http://86.86.80.41/dev/debug/tedd.php

It's cracked again :)

and of course i show you the code:

http://86.86.80.41/dev/debug/tedd.txt

Waiting for your next try :P

Tijnema
Re: [PHP] Re: spl DirectoryIterator
On 4/8/07, itoctopus <[EMAIL PROTECTED]> wrote:

After some testing and reading, I think this function is still experimental. Anyone else has some thoughts on this?

I agree with you, this function seems not working correctly. From what i see of my testing is that this makes an array, with some iterators inside it. But all these iterators are the same iterator i started with. Meaning i get an array of all duplicate iterators. This is not what it should do i think, but there's no documentation on the function, so i can't compare with the "expected output".

Tijnema

--
itoctopus - http://www.itoctopus.com

"Matthew Dellar" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> I have a problem,
>
> I need to turn an iterator into an array, but when I do, some methods I
> need to use stop working.
>
> Take a look at the following example:
>
> $dir = 'c:/';
> $files = new DirectoryIterator($dir);
> //$files = iterator_to_array($files);
> foreach ($files as $file) {
> echo "{$file->getFileName()}";//works
> echo "{$file->getPath()}";//works
> }
>
> It works as expected. However, when the iterator is turned into an array:
>
> $dir = 'c:/';
> $files = new DirectoryIterator($dir);
> $files = iterator_to_array($files);
> foreach ($files as $file) {
> echo "{$file->getFileName()}"; //does not work
> echo "{$file->getPath()}";//works
> }
>
> It stops working. Can someone please help me, as I have tried and failed
> to find the cause of the problem.
Re: [PHP] MD5 & bot Question
On 4/8/07, Tijnema ! <[EMAIL PROTECTED]> wrote:

On 4/8/07, tedd <[EMAIL PROTECTED]> wrote:
> >>Well, I cracked it for you :)
> >>
> >>http://86.86.80.41/dev/debug/tedd.php
> >>
> >>At the bottom it shows you the MD5 code of your arrow image, and it
> >>shows you which way it points to :)
> >>
> >>If you're interested in the code:
> >>
> >>http://86.86.80.41/dev/debug/tedd.txt
> >>
> >>Tijnema
>
> Tijnema:
>
> Okay, I think I figured out a fix -- try it again. :-)
>
> http://sperling.com/a/arrows/
>
> A little knowledge is a dangerous thing.
>
> Cheers,
>
> tedd

Looks interesting. It generates a different MD5 each time
I'll take a deeper look at it today, and hope to find a way to crack it :)

Tijnema

You can't stop me :)

http://86.86.80.41/dev/debug/tedd.php

It's cracked again :)

and of course i show you the code:

http://86.86.80.41/dev/debug/tedd.txt

Waiting for your next try :P

Tijnema
Re: [PHP] MD5 & bot Question
On 4/8/07, tedd <[EMAIL PROTECTED]> wrote:
>>Well, I cracked it for you :)
>>
>>http://86.86.80.41/dev/debug/tedd.php
>>
>>At the bottom it shows you the MD5 code of your arrow image, and it
>>shows you which way it points to :)
>>
>>If you're interested in the code:
>>
>>http://86.86.80.41/dev/debug/tedd.txt
>>
>>Tijnema

Tijnema:

Okay, I think I figured out a fix -- try it again. :-)

http://sperling.com/a/arrows/

A little knowledge is a dangerous thing.

Cheers,

tedd

Looks interesting. It generates a different MD5 each time
I'll take a deeper look at it today, and hope to find a way to crack it :)

Tijnema

--
---
http://sperling.com http://ancientstones.com http://earthstones.com