php-general Digest 16 Feb 2009 06:54:27 -0000 Issue 5961
Topics (messages 288282 through 288299):

Re: Simple Search Logic Issue...
        288282 by: revDAVE
        288284 by: revDAVE

<?php=
        288283 by: Richard Heyes

Reverse IP lookup
        288285 by: דניאל דנון
        288286 by: Richard Heyes
        288298 by: Andrew Ballard

Opinions Please, Describing PHP as Web Framework of C and C++
        288287 by: Sancar Saran

Re: for the security minded web developer - secure way to login?
        288288 by: German Geek
        288291 by: Colin Guthrie
        288293 by: Michael A. Peters

Re: Sorting times
        288289 by: German Geek
        288290 by: Mattias Thorslund
        288292 by: German Geek

Re: Sorting times (SOLVED before tedds crappy SOLVED)
        288294 by: Shawn McKenzie
        288295 by: Shawn McKenzie

Re: Sorting times (SOLVED)
        288296 by: Shawn McKenzie
        288297 by: Shawn McKenzie

Back to Basics - Re: [PHP] Re: for the security minded web developer - secure way to login?
        288299 by: Rene Veerman

Administrivia:

To subscribe to the digest, e-mail:
        php-general-digest-subscr...@lists.php.net

To unsubscribe from the digest, e-mail:
        php-general-digest-unsubscr...@lists.php.net

To post to the list, e-mail:
        php-gene...@lists.php.net

--
[PHP] Re: Simple Search Logic Issue...
revDAVE wrote:

> Newbie question...
>
> I have a search page with multi lines of search criteria:
>
> Name
> Topic
> Message
> Etc...
>
> I'm hoping to get results based on what criteria I type - but I'm not getting what I expect. I think it's just getting results where in addition to getting search criteria I type - ALSO none of the search fields can be blank (not what I hoped) ...
>
> Like I type just 'c' in the name field and it shows 3 records (other search fields filled up) ... But I have many more records with name containing 'c'
>
> Goal: to search for what I type in whatever search fields and not worry about whether others are blank or not - like:
>
> Name contains 'c'
> Charles
> Chuck
> Chuck
> Chas
>
> Or Name contains 'c' and topic contains 'test1'
> Maybe just charles fits this criteria
>
> --
>
> I made a simple results page, ... More code here ... ( DW CS3 )
>
> $name_list1 = -1;
> if (isset($_GET['Name'])) {
>   $name_list1 = $_GET['Name'];
> }
> $top_list1 = -1;
> if (isset($_GET['Topic'])) {
>   $top_list1 = $_GET['Topic'];
> }
> $mess_list1 = -1;
> if (isset($_GET['Message'])) {
>   $mess_list1 = $_GET['Message'];
> }
> mysql_select_db($database_test1, $test1);
> $query_list1 = sprintf("SELECT * FROM mytable WHERE Name LIKE %s and Message LIKE %s and Topic LIKE %s ORDER BY mytable.id desc",
>   GetSQLValueString("%" . $name_list1 . "%", "text"),
>   GetSQLValueString("%" . $mess_list1 . "%", "text"),
>   GetSQLValueString("%" . $top_list1 . "%", "text"));

You do understand how LIKE works? You need to use wildcard characters if you want to match other than the exact string you pass to it. For example

LIKE 'c' will only match a field that contains just 'c'
LIKE '%c' will match a field starting with 'c' and containing any number of characters
LIKE '%c%' will match a field containing 'c' anywhere

If you are using that syntax, I'd suggest echoing your query to make sure that it is as it should be; I'm wondering if you are actually enclosing string values in single quotes in your query?

As for multiple selection criteria, you need to test whether the passed in value is set or not, and only include set values in the query.

OT: sprintf syntax is so hard to read :-)

Cheers

--
David Robley

Make like a banana and split.
Today is Sweetmorn, the 46th day of Chaos in the YOLD 3175.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] for the security minded web developer - secure way to login?
OK, I hear about this self signed certificate. Whenever I signed anything it just came up with all these warnings in FF which confuses users and I think is not good at all. Can someone paste a link in here to a website with a self signed cert please? Would like to see if there are any warnings etc.

Thanks.

Tim

Tim-Hinnerk Heuer
http://www.ihostnz.com

Jay London - My father would take me to the playground, and put me on mood swings.

2009/2/15 Michael A. Peters mpet...@mac.com

> Sudheer wrote:
>> Michael A. Peters wrote:
>>> Sites (like mine) that don't want to pay a certificate authority can use a self-signed cert. Even Red Hat does for some of their stuff (IE I believe their bugzilla server)
>>
>> Firefox scares its users when they encounter a website with self signed certificate. If your website users aren't worried about the warning Firefox throws at them, self signed cert works well.
>
> Yeah it does, hopefully they fix it.
>
> What scares me is allowing sites I have no reason to trust as non malicious and have no reason to trust as properly secured against XSS injection to load scripts that execute on my machine.
>
> People who use Firefox may be scared by the absurd warning FireFox 3 uses (something I've complained about to them) - other than informing users of the issue and hoping some read it, not much I can do about that.
>
> Hopefully FireFox will fix the issue and do something like what opera does (accept the cert for session if you just click OK, accept it permanently if you click the security tab and check a box first).
Re: [PHP] Sorting times (SOLVED)
At 9:31 PM -0600 2/14/09, Shawn McKenzie wrote:
> Yeah, if I had known that you wanted a function where you loop through your array twice, that would have done it. Bravo.

Shawn:

I don't see another way. You go through the array converting string to time (seconds), sort, and then convert back. You have to go through the array more than once.

Cheers,

tedd

--
---
http://sperling.com
http://ancientstones.com
http://earthstones.com
Re: [PHP] Google Apps AuthSub = missing $_GET element
Do you have magic quotes on?

Also, try a print_r($_SERVER); or even a var_dump($_GET); See what's actually in the arrays.

Michael Kubler
Grey Phoenix Productions
http://www.greyphoenix.biz

John Corry wrote:
> I am completely baffled by this.
>
> I have a PHP script that is using Cameron Hinkle's LightweightPicasaAPIv3 to authenticate with the Google Picasa service using the AuthSub method.
>
> Basically, if we're not authenticated, redirect to the google authsub URL:
> (https://www.google.com/accounts/AuthSubRequest?next=http%3A%2F%2Ftwozerowest.com%2Fsnowdog%2520gallery%2Fadmin.php&scope=http%3A%2F%2Fpicasaweb.google.com%2Fdata%2Ffeed%2Fapi&session=1)
>
> This page requests that the user either grant access or deny access. Grant access takes us to the URL specified (my authentication script) with a ?token=x added to the end of the URL.
>
> This all works. We get back to my URL with ?token=x appended to the URL.
>
> That's when it starts getting weirder than anything I've seen in PHP:
>
> My debugging output confirms that:
>
> 1. $_SERVER['request_method'] = GET
> 2. strlen($_GET['token']) = 0
> 3. $_GET - array()...but it's empty!
> 4. $_REQUEST[] contains no 'token' element
> 5. echo($_GET['token']) prints the value of ?token= from the URL
>
> So WTF?
Re: [PHP] for the security minded web developer - secure way to login?
German Geek wrote:
> OK, I hear about this self signed certificate. Whenever I signed anything it just came up with all these warnings in FF which confuses users and I think is not good at all. Can someone paste a link in here to a website with a self signed cert please? Would like to see if there are any warnings etc.
>
> Thanks.

There still are all the warnings.

There are some cheap (and free) CA's that FireFox recognizes so it still is possible to use SSL and not have the firefox 3 warning hell, but things like linksys routers are still problematic.

https://www.scientificlinux.org/

Demonstrates the problem in FireFox 3. They use a self-signed cert.
Re: [PHP] Re: Simple Search Logic Issue...
On 2/15/2009 3:32 AM, David Robley robl...@aapt.net.au wrote:

> LIKE '%c%' will match a field containing 'c' anywhere
>
> If you are using that syntax, I'd suggest echoing your query to make sure that it is as it should be; I'm wondering if you are actually enclosing string values in single quotes in your query?

Thanks David for your help

The input form is basic like:

<input name="Message" type="text" value="">

Then dreamweaver cs3 created this

$mess_list1 = -1;
if (isset($_GET['Message'])) {
  $mess_list1 = $_GET['Message'];
}

...

But it doesn't look like it does what you say : actually enclosing string values in quotes

Maybe ?:

$mess_list1 = '$_GET['Message']';

Not

$mess_list1 = $_GET['Message'];

???

> As for multiple selection criteria, you need to test whether the passed in value is set or not, and only include set values in the query.

Not sure - but isn't that what this code is doing ...???

$mess_list1 = -1;
if (isset($_GET['Message'])) {
  $mess_list1 = $_GET['Message'];
}

> OT: sprintf syntax is so hard to read :-)

I agree - especially for this newbie...

--
Thanks - RevDave
Cool @ hosting4days . com
[db-lists 09]
[PHP] <?php=
Hi,

Does anyone know the status of <?php=, as opposed to <?= ? And if it's even being implemented?

Thanks.

--
Richard Heyes
HTML5 Canvas graphing for Firefox, Chrome, Opera and Safari:
http://www.rgraph.org
(Updated February 14th)
Re: [PHP] Re: Simple Search Logic Issue...
On 2/15/2009 3:32 AM, David Robley robl...@aapt.net.au wrote:

> If you are using that syntax, I'd suggest echoing your query to make sure that it is as it should be; I'm wondering if you are actually enclosing string values in single quotes in your query?

Another part of the dw cs3 code uses switch - that seems to do as you mentioned...

if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
{
  $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;

  $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

Here

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;

etc.

--
Thanks - RevDave
Cool @ hosting4days . com
[db-lists 09]
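David Robley's advice to include only the criteria that were actually set, applied to the search query from this thread, as an added example that is neither the Dreamweaver-generated code nor a fix to GetSQLValueString: it uses a PDO prepared statement, escapes LIKE wildcards typed by the user, and leaves blank fields out of the WHERE clause. build_search_query, like_literal and run_search are this example's own names; the PDO connection is assumed to exist, and the table and column names come from the thread.

```php
<?php
// Added example, not the Dreamweaver-generated code from the thread.
// Builds the WHERE clause only from the search fields the user actually filled in,
// using a PDO prepared statement instead of sprintf() + GetSQLValueString().
// Table and column names (mytable, id, Name, Topic, Message) come from the thread;
// the PDO connection is assumed to exist already.

// Form field => column. Only columns in this map can ever reach the SQL text.
const SEARCH_COLUMNS = ['Name' => 'Name', 'Topic' => 'Topic', 'Message' => 'Message'];

// Escape LIKE metacharacters so a typed '%' or '_' is matched literally
// (MySQL's default LIKE escape character is backslash).
function like_literal(string $s): string
{
    return strtr($s, ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']);
}

// Returns [$sql, $params]. A field that is unset or blank is left out of the
// WHERE clause entirely rather than sent as LIKE '%%', which would still drop
// every row where that column is NULL.
function build_search_query(array $get): array
{
    $where  = [];
    $params = [];
    foreach (SEARCH_COLUMNS as $field => $column) {
        $value = isset($get[$field]) ? trim((string) $get[$field]) : '';
        if ($value === '') {
            continue;
        }
        $where[]           = "`$column` LIKE :$field";
        $params[":$field"] = '%' . like_literal($value) . '%';
    }
    $sql = 'SELECT * FROM mytable';
    if ($where !== []) {
        $sql .= ' WHERE ' . implode(' AND ', $where);
    }
    $sql .= ' ORDER BY id DESC';
    return [$sql, $params];
}

// Runs the search and returns the matching rows.
function run_search(PDO $db, array $get): array
{
    [$sql, $params] = build_search_query($get);
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Self-check on the thread's case: only Name typed as 'c', the other two boxes blank.
[$sql, $params] = build_search_query(['Name' => 'c', 'Topic' => '', 'Message' => '']);
if ($sql !== 'SELECT * FROM mytable WHERE `Name` LIKE :Name ORDER BY id DESC'
    || $params !== [':Name' => '%c%']) {
    throw new RuntimeException('unexpected query');
}
// A typed wildcard is searched for literally: '50%' becomes the pattern '%50\%%'.
[, $params] = build_search_query(['Message' => '50%']);
if ($params[':Message'] !== '%50\\%%') {
    throw new RuntimeException('unexpected escaping');
}
```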
[PHP] Reverse IP lookup
Hello,

Is there anyway to get a list of sites that are on a specific IP?
I looked, But I couldn't find anything.
I tried to make some with dns_get_record and gethostbyaddr, but couldn't make anything

Thanks,
Daniel
Re: [PHP] Reverse IP lookup
> Is there anyway to get a list of sites that are on a specific IP?

Not AFAIK. You can get the name associated with that IP address (IIRC), but one IP could be serving multiple sites using virtual hosting.

--
Richard Heyes
HTML5 Canvas graphing for Firefox, Chrome, Opera and Safari:
http://www.rgraph.org
(Updated February 14th)
[PHP] Opinions Please, Describing PHP as Web Framework of C and C++
Hello list.

Recently we had some serious discussion on local boards.

I prefer calling PHP as Web Framework of C and C++

if you had a time for this fruitless discussion. Please send your opinions.

Regards

Sancar
Re: [PHP] for the security minded web developer - secure way to login?
Hi All again,

What makes it so expensive to have a certificate? I mean, wouldn't it be possible to setup a new authority that doesn't charge as much or nothing at all? Wouldn't the major browsers be willing to support an authority that is free or costs next to nothing? I pay about $200 a year for my virtual server, so if I only issue 200 certificates and charge a dollar each I wouldn't lose money. I have a v-server on the Internet and wouldn't mind setting it up as a free authority or even one based on donations. Or is there going to be so much traffic and processing that it wouldn't be able to handle it? Cannot be that bad because it needs to compute the authentication only periodically (once a year or so for each) and each time a user hits a page it is only checked which would only be a couple of bytes traffic (per domain?).

Please enlighten me why it is so expensive? Is it maybe just the hassle of setting it up?

Regards,

Tim

Tim-Hinnerk Heuer
http://www.ihostnz.com

Fred Allen - California is a fine place to live - if you happen to be an orange.

2009/2/16 Michael A. Peters mpet...@mac.com

> German Geek wrote:
>> OK, I hear about this self signed certificate. Whenever I signed anything it just came up with all these warnings in FF which confuses users and I think is not good at all. Can someone paste a link in here to a website with a self signed cert please? Would like to see if there are any warnings etc.
>>
>> Thanks.
>
> There still are all the warnings.
>
> There are some cheap (and free) CA's that FireFox recognizes so it still is possible to use SSL and not have the firefox 3 warning hell, but things like linksys routers are still problematic.
>
> https://www.scientificlinux.org/
>
> Demonstrates the problem in FireFox 3. They use a self-signed cert.
Re: [PHP] Re: Sorting times
The easiest would probably be to use http://nz.php.net/manual/en/function.strnatcmp.php . It would happen to sort it the right way because am is before pm ;-).

You can of course make it more challenging by converting it into a timestamp etc. That would be better if you want to sort by date as well etc. If you go that way you should look at http://nz.php.net/manual/en/function.usort.php .

Regards,

Tim

Tim-Hinnerk Heuer
http://www.ihostnz.com

Alanis Morissette - We'll love you just the way you are if you're perfect.

2009/2/15 Shawn McKenzie nos...@mckenzies.net

> Shawn McKenzie wrote:
>> tedd wrote:
>>> Hi gang:
>>>
>>> Anyone have/know a routine that will sort an array of times?
>>>
>>> For example, a function that would take an array like this:
>>>
>>> time[0] ~ '1:30pm'
>>> time[1] ~ '7:30am'
>>> time[2] ~ '12:30pm'
>>>
>>> and order it to:
>>>
>>> time[0] ~ '7:30am'
>>> time[1] ~ '12:30pm'
>>> time[2] ~ '1:30pm'
>>>
>>> Cheers,
>>>
>>> tedd
>>
>> Not tested:
>>
>> function time_sort($a, $b) {
>>   if (strtotime($a) == strtotime($b)) {
>>     return 0;
>>   }
>>   return (strtotime($a) < strtotime($b)) ? -1 : 1;
>> }
>>
>> usort($time, 'time_sort');
>
> Well, I just thought, since the strtotime() uses the current timestamp to calculate the new timestamp, if you only give it a time then the returned timestamp is today's date with the new time you passed. If you had a large array and the callback started at 23:59:59 then you could end up with some times from the date it started and some from the next day, which of course would not be sorted correctly with respect to times only. So, this might be better (not tested):
>
> function time_sort($a, $b) {
>   // fix the reference date once; time() is not a valid static initializer before PHP 8.3
>   static $now = null;
>   if ($now === null) {
>     $now = time();
>   }
>   if (strtotime($a, $now) == strtotime($b, $now)) {
>     return 0;
>   }
>   return (strtotime($a, $now) < strtotime($b, $now)) ? -1 : 1;
> }
>
> --
> Thanks!
> -Shawn
> http://www.spidean.com
Re: [PHP] Re: Sorting times
German Geek wrote:
> The easiest would probably be to use http://nz.php.net/manual/en/function.strnatcmp.php . It would happen to sort it the right way because am is before pm ;-).

Nope. Unfortunately 12 am (midnight) comes before 1 am, and 12 pm (noon) comes before 1 pm. Since you have to account for that, your solution won't be as elegant.

Cheers,

Mattias
[PHP] Re: for the security minded web developer - secure way to login?
'Twas brillig, and German Geek at 15/02/09 22:32 did gyre and gimble:
> Please enlighten me why it is so expensive? Is it maybe just the hassle of setting it up?

The whole thing is about trust. Getting a certificate is nothing if the system is not backed up by a trust system. If a CA was setup that gave out certificates willy nilly to all and sundry, then this element of trust is lost.

For $1 you're not likely to be able to afford to do much in the way of vetting or confirmation that said person is who they say they are. If browsers trusted that CA and an unscrupulous individual manages to get a secure certificate for a domain they do not own they could then use some form of DNS hijacking (e.g. via an open wireless network or similar) to perform some pretty convincing phishing scams.

So it's not just about the cert. It's the trust that goes with it.

Col

--
Colin Guthrie
gmane(at)colin.guthr.ie
http://colin.guthr.ie/

Day Job:
  Tribalogic Limited [http://www.tribalogic.net/]
Open Source:
  Mandriva Linux Contributor [http://www.mandriva.com/]
  PulseAudio Hacker [http://www.pulseaudio.org/]
  Trac Hacker [http://trac.edgewall.org/]
Re: [PHP] Re: Sorting times
Yes, you are right. Hadn't thought about that. But usort is probably better than making your own sort function because it uses the quick sort algorithm I believe which is quite efficient. That was the other suggestion...

Tim-Hinnerk Heuer
http://www.ihostnz.com

Fred Allen - California is a fine place to live - if you happen to be an orange.

2009/2/16 Mattias Thorslund matt...@thorslund.us

> German Geek wrote:
>> The easiest would probably be to use http://nz.php.net/manual/en/function.strnatcmp.php . It would happen to sort it the right way because am is before pm ;-).
>
> Nope. Unfortunately 12 am (midnight) comes before 1 am, and 12 pm (noon) comes before 1 pm. Since you have to account for that, your solution won't be as elegant.
>
> Cheers,
>
> Mattias
Re: [PHP] Re: for the security minded web developer - secure way to login?
Colin Guthrie wrote:
> 'Twas brillig, and German Geek at 15/02/09 22:32 did gyre and gimble:
>> Please enlighten me why it is so expensive? Is it maybe just the hassle of setting it up?
>
> The whole thing is about trust. Getting a certificate is nothing if the system is not backed up by a trust system. If a CA was setup that gave out certificates willy nilly to all and sundry, then this element of trust is lost.

Cheap CA's do exist. They have crappy web sites and send you all kinds of junk mail etc. if you use them - but they do exist.

I might end up just paying godaddy - I think they charge $12.00 / year, but since I already register through them, they already have my address etc.

But the problem I have with FF3 is that I shouldn't have to. I don't need to prove to the user that I am really me, and I don't want to use a cert that some other organization has control over and can choose to revoke at any time.

I just want the flipping password encrypted by SSL so that when Betty who uses the same password for everything (it's amazing how many people do) logs onto my server while she has coffee at Starbucks, her uname/password isn't sniffed giving Cracker Jack access to Betty's PayPal account.

If Cracker Jack wants to do a man in the middle attack - as long as Betty has already connected to me before, her browser will still inform her that the certificate doesn't match - whether or not I am self signed, so the man in the middle attack is really not the big deal FireFox makes it out to be.

What they should do is a simple notification telling the user they can't verify the website is who it claims to be, and a link for more info if the user wants more info.

But alas, that has nothing to do with php, so I apologize to the list.

Anyway, back on topic - if you want to encrypt login, use SSL. You can self sign for free. If you don't want the FireFox 3 issue, there are a few free and plenty of cheap certificate authorities that FireFox recognizes.
[PHP] Re: Sorting times (SOLVED before tedds crappy SOLVED)
Shawn McKenzie wrote:
> Shawn McKenzie wrote:
>> tedd wrote:
>>> Hi gang:
>>>
>>> Anyone have/know a routine that will sort an array of times?
>>>
>>> For example, a function that would take an array like this:
>>>
>>> time[0] ~ '1:30pm'
>>> time[1] ~ '7:30am'
>>> time[2] ~ '12:30pm'
>>>
>>> and order it to:
>>>
>>> time[0] ~ '7:30am'
>>> time[1] ~ '12:30pm'
>>> time[2] ~ '1:30pm'
>>>
>>> Cheers,
>>>
>>> tedd
>>
>> Not tested:
>>
>> function time_sort($a, $b) {
>>   if (strtotime($a) == strtotime($b)) {
>>     return 0;
>>   }
>>   return (strtotime($a) < strtotime($b)) ? -1 : 1;
>> }
>>
>> usort($time, 'time_sort');
>
> Well, I just thought, since the strtotime() uses the current timestamp to calculate the new timestamp, if you only give it a time then the returned timestamp is today's date with the new time you passed. If you had a large array and the callback started at 23:59:59 then you could end up with some times from the date it started and some from the next day, which of course would not be sorted correctly with respect to times only. So, this might be better (not tested):
>
> function time_sort($a, $b) {
>   // fix the reference date once; time() is not a valid static initializer before PHP 8.3
>   static $now = null;
>   if ($now === null) {
>     $now = time();
>   }
>   if (strtotime($a, $now) == strtotime($b, $now)) {
>     return 0;
>   }
>   return (strtotime($a, $now) < strtotime($b, $now)) ? -1 : 1;
> }

Your best bet above.

--
Thanks!
-Shawn
http://www.spidean.com
Re: [PHP] Sorting times (SOLVED)
tedd wrote:
> At 9:31 PM -0600 2/14/09, Shawn McKenzie wrote:
>> Yeah, if I had known that you wanted a function where you loop through your array twice, that would have done it. Bravo.
>
> Shawn:
>
> I don't see another way. You go through the array converting string to time (seconds), sort, and then convert back. You have to go through the array more than once.
>
> Cheers,
>
> tedd

The other way, is the most likely ultra-fast solution I posted.

--
Thanks!
-Shawn
http://www.spidean.com
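The approach tedd describes (convert each string to a number once, sort, convert back) together with the 12 am / 12 pm point Mattias raised, as an added example that is not code from the thread: minutes_since_midnight and sort_times are this example's own names, and it parses the "h:mm am/pm" form used in tedd's array directly instead of calling strtotime(), so the result does not depend on today's date.

```php
<?php
// Added example, not code from the thread. Each "h:mm am/pm" string is converted
// to minutes after midnight exactly once, the list is sorted on that key, and the
// original strings are mapped back (decorate-sort-undecorate). Noon and midnight
// are handled explicitly, which is what a plain natural-order string sort gets wrong.

// Returns minutes since midnight, or null if the string is not "h:mm am|pm".
function minutes_since_midnight(string $t): ?int
{
    if (!preg_match('/^\s*(\d{1,2}):(\d{2})\s*([ap])\.?m\.?\s*$/i', $t, $m)) {
        return null;
    }
    $hour = (int) $m[1];
    $min  = (int) $m[2];
    if ($hour < 1 || $hour > 12 || $min > 59) {
        return null;
    }
    $hour %= 12;                       // 12 am -> 0, 12 pm -> 0 (12 is added back just below)
    if (strtolower($m[3]) === 'p') {
        $hour += 12;                   // 1 pm -> 13, 12 pm -> 12
    }
    return $hour * 60 + $min;
}

// Sorts a list of time strings chronologically. Unparseable entries are kept and
// placed last, in their original order, rather than silently dropped.
function sort_times(array $times): array
{
    $keyed = [];
    foreach (array_values($times) as $i => $t) {
        $k = minutes_since_midnight($t);
        // decorate: [sort key, original position, original string]; the position keeps ties stable
        $keyed[] = [$k ?? PHP_INT_MAX, $i, $t];
    }
    usort($keyed, fn(array $a, array $b) => [$a[0], $a[1]] <=> [$b[0], $b[1]]);
    return array_column($keyed, 2);   // undecorate
}

// tedd's input from the thread.
$time = ['1:30pm', '7:30am', '12:30pm'];
if (sort_times($time) !== ['7:30am', '12:30pm', '1:30pm']) {
    throw new RuntimeException('unexpected order');
}
// The midnight/noon cases Mattias raised: 12:15am sorts before 1:00am, 12:15pm before 1:00pm.
$edge = sort_times(['1:00am', '12:15pm', '12:15am', '1:00pm']);
if ($edge !== ['12:15am', '1:00am', '12:15pm', '1:00pm']) {
    throw new RuntimeException('unexpected order');
}
```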
Re: [PHP] Reverse IP lookup
On Sun, Feb 15, 2009 at 1:22 PM, דניאל דנון danondan...@gmail.com wrote:
> Hello,
>
> Is there anyway to get a list of sites that are on a specific IP?
> I looked, But I couldn't find anything.
> I tried to make some with dns_get_record and gethostbyaddr, but couldn't make anything
>
> Thanks,
> Daniel

You mean like this one?

http://www.yougetsignal.com/tools/web-sites-on-web-server/

I don't know how reliable or up-to-date it is.

Andrew
[PHP] Back to Basics - Re: [PHP] Re: for the security minded web developer - secure way to login?
Just for this case, where authentication of the server isn't an issue, and things like deployment cost are, I'd like to propose that we on this list look again at securing login/pass through onewayHash functions, in an otherwise non-ssl environment.

I hate to be a critic of the community here, but isn't this insistence on SSL a bit eh... lazy?

Here's a starter for a onewayHash-based login crypto, and I think that with a proper layout of authentication architecture, one can really secure a login system without having the administrative overhead of installing SSL everywhere, and the monetary cost for a SSL certificate for each domain.

I wish to code such a solution into a really-free library (so probably LGPL or GPL + MIT) over the next 2 to 5 months. This library would be a complete SQL, PHP & javascript package (jQuery plugged in), targeted for the novice programmer. I'm halfway (or more?) there, I think.

For my own CMS, I have taken the following approach, which I'd like to hear your improvements on:

(For onewayHash() I have MD5 and SHA256 implementations in both JS and PHP..)

SQL:

  create table users (
    user_id integer,
    user_login_name varchar(250),
    user_login_hash varchar(250),
    user_password_hash varchar(250),
    -- other fields
    primary key (user_id)
  );

  create table preferences (
    pref_system_hash varchar(250)
  );

PHP (pseudo-code), on system installation:

  preferences.pref_system_hash = onewayHash( randomStringLength(100) );

PHP, on user-create:

  users[user_id].user_login_hash    = onewayHash( user_login_name + preferences.pref_system_hash );
  users[user_id].user_password_hash = onewayHash( someGooodPasswordNot + preferences.pref_system_hash );

PHP, on request of a login form:

  challenge = makeNewChallenge();
  // checks since when [browser IP] has last received a new challenge;
  // if > threshold: make a new challenge, else return old challenge.
  // a challenge is a random string (+ special chars) pushed through the onewayHash function.

  html = '
    <form id="loginForm">
      <input type="hidden" id="sh" name="sh" value="preferences.pref_system_hash">
      <input type="hidden" id="ch" name="ch" value="challenge">
      <input id="plain_user" name="plain_user"/>
      <input id="plain_pass" name="plain_pass"/>
      <input type="hidden" id="user_hash" name="user_hash"/>
      <input type="hidden" id="pass_hash" name="pass_hash"/>
    </form>
  ';
  sendHTMLtoBrowser(html);

Javascript, on page with login form:

  jQuery('#loginForm').submit(function () {
    var sh = jQuery('#sh')[0];
    // same for ch, plain_user, plain_pass, all the inputs in the html form.
    user_hash = onewayHash( onewayHash( plain_user.value + sh.value ) + challenge );
    // same for pass_hash basically
    plain_user.value = ''; // clear out the plain text fields so they don't get transmitted (same for plain_pass of course)
    jQuery.ajax( /* submit login form through POST, handle results */ );
  });

PHP, on receiving the login form data:

  // walk through all the records in users table, for each, calculate:
  user_hash = onewayHash( users[user_id].user_login_hash + challenge );
  pass_hash = onewayHash( users[user_id].user_password_hash + challenge );
  // if they match what was sent, then it's the user we're looking for with the right password,
  // so their $_SESSION['authenticated_user'] = updated.

If you have a completely alternative way of securing a non-ssl login form, I'd like to hear about it too.

Michael A. Peters wrote:
> Colin Guthrie wrote:
>> 'Twas brillig, and German Geek at 15/02/09 22:32 did gyre and gimble:
>>> Please enlighten me why it is so expensive? Is it maybe just the hassle of setting it up?
>>
>> The whole thing is about trust. Getting a certificate is nothing if the system is not backed up by a trust system. If a CA was setup that gave out certificates willy nilly to all and sundry, then this element of trust is lost.
>
> Cheap CA's do exist. They have crappy web sites and send you all kinds of junk mail etc. if you use them - but they do exist.
>
> I might end up just paying godaddy - I think they charge $12.00 / year, but since I already register through them, they already have my address etc.
>
> But the problem I have with FF3 is that I shouldn't have to. I don't need to prove to the user that I am really me, and I don't want to use a cert that some other organization has control over and can choose to revoke at any time.
>
> I just want the flipping password encrypted by SSL so that when Betty who uses the same password for everything (it's amazing how many people do) logs onto my server while she has coffee at Starbucks, her uname/password isn't sniffed giving Cracker Jack access to Betty's PayPal account.
>
> If Cracker Jack wants to do a man in the middle attack - as long as Betty has already connected to me before, her browser will still inform her that
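One concrete, runnable instance of the challenge-response scheme Rene sketches above, as an added example rather than code from his library: sha256 stands in for onewayHash, the users table and preferences row are plain PHP arrays, the function names (install_system_hash, create_user, make_challenge, client_response, verify_login) are this example's own, and it assumes a fresh challenge on every login request rather than the per-IP reuse window he describes.

```php
<?php
// Added example, not Rene's library code: a runnable instance of the scheme above.
// sha256 stands in for onewayHash; the users table and preferences row are plain
// arrays; a fresh challenge is issued per login request (assumption).

function onewayHash(string $s): string
{
    return hash('sha256', $s);
}

// On system installation: preferences.pref_system_hash = onewayHash(random string).
function install_system_hash(): string
{
    return onewayHash(bin2hex(random_bytes(50)));
}

// On user-create: store login and password hashes, each salted with the system hash.
function create_user(array &$users, int $user_id, string $login, string $password, string $sh): void
{
    $users[$user_id] = [
        'user_login_hash'    => onewayHash($login . $sh),
        'user_password_hash' => onewayHash($password . $sh),
    ];
}

// On request of a login form: a random string pushed through onewayHash.
function make_challenge(): string
{
    return onewayHash(bin2hex(random_bytes(32)));
}

// What the browser-side JavaScript computes from a plain field before clearing it:
// onewayHash( onewayHash( plain + sh ) + challenge ).
function client_response(string $plain, string $sh, string $ch): string
{
    return onewayHash(onewayHash($plain . $sh) . $ch);
}

// On receiving the form: walk the users table, recompute both values for this
// challenge and compare. Returns the matching user_id, or null.
function verify_login(array $users, string $ch, string $user_hash, string $pass_hash): ?int
{
    foreach ($users as $user_id => $row) {
        $expect_user = onewayHash($row['user_login_hash'] . $ch);
        $expect_pass = onewayHash($row['user_password_hash'] . $ch);
        // hash_equals() compares in constant time; evaluate both before branching.
        $ok_user = hash_equals($expect_user, $user_hash);
        $ok_pass = hash_equals($expect_pass, $pass_hash);
        if ($ok_user && $ok_pass) {
            return $user_id;
        }
    }
    return null;
}

// Walk-through with constructed data.
$sh    = install_system_hash();
$users = [];
create_user($users, 7, 'betty', 'correct horse battery staple', $sh);

$ch        = make_challenge();
$user_hash = client_response('betty', $sh, $ch);
$pass_hash = client_response('correct horse battery staple', $sh, $ch);
if (verify_login($users, $ch, $user_hash, $pass_hash) !== 7) {
    throw new RuntimeException('valid login rejected');
}
// A wrong password fails for the same challenge.
if (verify_login($users, $ch, $user_hash, client_response('guess', $sh, $ch)) !== null) {
    throw new RuntimeException('bad password accepted');
}
// The pair is bound to $ch: once the server issues a new challenge it no longer verifies,
// which is what keeps a value copied off the wire from being reused later.
if (verify_login($users, make_challenge(), $user_hash, $pass_hash) !== null) {
    throw new RuntimeException('response accepted under a different challenge');
}
// Visible from verify_login(): the two stored hashes are all that is needed to answer
// any challenge, so the users table must be protected like plaintext credentials.
```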
Re: [PHP] Opinions Please, Describing PHP as Web Framework of C and C++
Sancar Saran wrote:
> Hello list.
>
> Recently we had some serious discussion on local boards.
>
> I prefer calling PHP as Web Framework of C and C++

PHP is a scripting language with syntactical roots in C.

/Per

--
Per Jessen, Zürich (-3.5°C)
[PHP] Apache odd behavior
I'm submitting a url like this:

http://mysite.com/index.php/alfa/bravo/charlie/delta

The index.php calls has code to decode the url segments (alfa/bravo/charlie/delta). It determines that the controller is alfa, the method is bravo, and converts charlie and delta to $_GET['charlie'] = 'delta'. It verifies that the controller and method exist, and calls the controller and method.

This works fine. The right controller gets called and the right method, and the GET parameter looks like it should. The method sets some variables and then calls a render() function to render the page, which is in the doc root of the site.

The page does get rendered, but without the stylesheet, and none of the graphics show up. Why? Because, according to the logs, Apache appears to be looking for the images and everything else in the directory index.php/alfa/bravo/charlie/delta, which of course doesn't exist.

No, I don't have an .htaccess file with RewriteEngine on. Apache figures out that index.php is the file to look for in the original URL, but can't figure out that everything else is relative to that file, not the entire URL.

This method is in use in at least one other MVC framework. What am I doing wrong?

Paul

--
Paul M. Foster
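As an added example that is not Paul's framework code: the script below shows why relative links break under /index.php/alfa/bravo/charlie/delta and emits a path-only <base href> derived from $_SERVER['SCRIPT_NAME'], so that the browser resolves them against the directory holding index.php. base_path, base_tag and route_segments are this example's own names, and the $_SERVER array is constructed rather than taken from a live request.

```php
<?php
// Added example (not Paul's framework code). For a request to
// /index.php/alfa/bravo/charlie/delta Apache runs /index.php and puts
// "/alfa/bravo/charlie/delta" in PATH_INFO. The browser, however, resolves a
// relative "css/site.css" against /index.php/alfa/bravo/charlie/, which is why
// the stylesheet and images are not found. A <base href> computed from
// SCRIPT_NAME (or absolute "/css/site.css" paths) makes them resolve correctly.

// URL path of the directory that contains the front controller, with a
// trailing slash: "/" for /index.php, "/app/" for /app/index.php.
function base_path(string $script_name): string
{
    $dir = str_replace('\\', '/', dirname($script_name));
    return rtrim($dir, '/') . '/';
}

// The <base> tag for <head>; path-only, so no host name is needed.
function base_tag(array $server): string
{
    $href = base_path($server['SCRIPT_NAME'] ?? '/index.php');
    return '<base href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">';
}

// The routed segments the front controller dispatches on: [controller, method, name, value].
function route_segments(array $server): array
{
    $info = $server['PATH_INFO'] ?? '';
    return array_values(array_filter(explode('/', $info), 'strlen'));
}

// Constructed $_SERVER values, as Apache would populate them for the URL in the question.
$server = [
    'SCRIPT_NAME' => '/index.php',
    'PATH_INFO'   => '/alfa/bravo/charlie/delta',
];

if (base_tag($server) !== '<base href="/">') {
    throw new RuntimeException('unexpected base tag');
}
if (route_segments($server) !== ['alfa', 'bravo', 'charlie', 'delta']) {
    throw new RuntimeException('unexpected segments');
}
// Same front controller installed one directory down.
if (base_tag(['SCRIPT_NAME' => '/app/index.php']) !== '<base href="/app/">') {
    throw new RuntimeException('unexpected base tag');
}
```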