[PHP] PHP sessions, AJAX, authentication and security.

2009-11-21 Thread Angus Mann
Hi all.

A question about PHP sessions and their interaction with AJAX.

I have a database containing sensitive information and users need to log in to 
my PHP script and be authenticated before they are granted access.

For one of the forms I would like to retrieve information using AJAX, and some 
of that information is sensitive also. The request from AJAX is handled by 
another, simpler PHP script.

It occurs to me that the AJAX handler could be used to bypass the user 
authentication and a crafted request sent directly to the AJAX handler to get 
information without authentication.

Can anyone offer some advice about how to piggy-back the session/authentication 
data that the user originally used to the AJAX so that only an authenticated 
user will get a valid response from the AJAX handler? I know I could embed 
authentication information into the web-page and send this with the AJAX 
request but I'm interested to know if there are other methods also.

I hope the explanation is clear.

Thanks in advance. 

Re: [PHP] PHP sessions, AJAX, authentication and security.

2009-11-21 Thread Phpster

You could use a one time token on each request

Bastien

Sent from my iPod

On Nov 21, 2009, at 6:30 AM, Angus Mann angusm...@pobox.com wrote:


Hi all.

A question about PHP sessions and their interaction with AJAX.

I have a database containing sensitive information and users need to  
log in to my PHP script and be authenticated before they are granted  
access.


For one of the forms I would like to retrieve information using  
AJAX, and some of that information is sensitive also. The request  
from AJAX is handled by another, simpler PHP script.


It occurs to me that the AJAX handler could be used to bypass the  
user authentication and a crafted request sent directly to the AJAX  
handler to get information without authentication.


Can anyone offer some advice about how to piggy-back the session/ 
authentication data that the user originally used to the AJAX so  
that only an authenticated user will get a valid response from the  
AJAX handler? I know I could embed authentication information into  
the web-page and send this with the AJAX request but I'm interested  
to know if there are other methods also.


I hope the explanation is clear.

Thanks in advance.


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] PHP sessions, AJAX, authentication and security.

2009-11-21 Thread tedd

At 9:30 PM +1000 11/21/09, Angus Mann wrote:

Hi all.

A question about PHP sessions and their interaction with AJAX.

I have a database containing sensitive information and users need to 
log in to my PHP script and be authenticated before they are granted 
access.


For one of the forms I would like to retrieve information using 
AJAX, and some of that information is sensitive also. The request 
from AJAX is handled by another, simpler PHP script.


It occurs to me that the AJAX handler could be used to bypass the 
user authentication and a crafted request sent directly to the AJAX 
handler to get information without authentication.


Can anyone offer some advice about how to piggy-back the 
session/authentication data that the user originally used to the 
AJAX so that only an authenticated user will get a valid response 
from the AJAX handler? I know I could embed authentication 
information into the web-page and send this with the AJAX request 
but I'm interested to know if there are other methods also.


I hope the explanation is clear.

Thanks in advance.


Angus:

First, don't trust anything that comes from the client -- period.

Second, Ajax is just another way to send stuff to the server. When 
the data gets to the server then authenticate and set a session 
variable to indicate such. This is not rocket science, but if you 
don't do it right you'll leave a crater.


Cheers,

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: RES: [PHP] CSS and variables

2009-11-21 Thread tedd

This might help:

http://sperling.com/examples/pcss/

Cheers,

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] Creating users and generating privileges for users

2009-11-21 Thread tedd

At 6:36 PM -0600 11/20/09, nitin reddy wrote:

Hey, can anyone help me create different users using MySQL for PHP and
assign different privileges to them? Any sample code available?
--
PASULA NITIN REDDY
Graduate Student in Computer Science Department
University of Minnesota,Twin Cities
Minneapolis.


PASULA:

And where do you want us to send your homework?

Seriously, if you want help, please show us what you've done -- from 
there we can move on.


Cheers,

tedd
--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] How to create a web application like igoogle?

2009-11-21 Thread Ali Asghar Toraby Parizy
Hi. Thanks for your reply. I learned PHP and I have created several web
applications before. But all I ever do is create PHP files with one HTML
form and some PHP tags that manipulate data and send it to a database or
another web page (or to itself). Now I would like to try building web pages
that have several widgets, gadgets or anything like that. Therefore I want
to make a web page like a portal in which each segment works independently
of the others, something like the home page of Gmail or iGoogle. I examined
HTML frames in a project recently. But, indeed, it wasn't the thing I was
looking for, because the gadgets can be removed by the user, but HTML
frames are static, absurd things in a web page.
*In summary, I am looking for a technology to build PHP pages with some
independent sections.*

On Fri, Nov 20, 2009 at 11:21 PM, Ashley Sheridan
a...@ashleysheridan.co.uk wrote:

  On Fri, 2009-11-20 at 23:15 +0330, Ali Asghar Toraby Parizy wrote:

 Hi
 How can I create a web page that includes some gadgets? What kind of
 technology do I have to use to create web pages like iGoogle and Gmail?
 How can I create them with PHP?


 Wow!

 Well, first what is it you want to do? Make another iGoogle or Gmail, as
 they are both pretty different beasts. One is a page of 'gadgets' as you
 call them, the other is a web-based email application.

 I'm guessing from your post that PHP is new to you. First then, I guess you
 need to decide on where are you getting the gadget parts from? If you can
 find things online that you can embed as Flash apps or iframes, then you
 probably won't need PHP at all. If you are planning on building them
 yourself, then you really will need to learn PHP. There is no magic solution
 to this question I'm afraid, and the scope of it is pretty huge, so you need
 to think about the parts that make it up and tackle each one.


   Thanks,
 Ash
 http://www.ashleysheridan.co.uk





[PHP] Extracting a time zone from a latitude longitude

2009-11-21 Thread Haig Davis
Good Morning all,

Having a look at the time zone functions in PHP, you can enter a time zone
city and get its lat/long. Does anybody know how you can run the function
in reverse (or know of a similar function), i.e. get the time zone city from
the geographic coordinates? Google Maps was a thought, but the functions are
only for use in Google Maps, which rules out my use for them.

Have a great weekend.

Cheers


Re: [PHP] Creating users and generating privileges for users

2009-11-21 Thread Phpster

Check out the grant command in SQL for your database

Bastien

Sent from my iPod

On Nov 21, 2009, at 9:05 AM, tedd tedd.sperl...@gmail.com wrote:


At 6:36 PM -0600 11/20/09, nitin reddy wrote:
Hey, can anyone help me create different users using MySQL for PHP and
assign different privileges to them? Any sample code available?
--
PASULA NITIN REDDY
Graduate Student in Computer Science Department
University of Minnesota,Twin Cities
Minneapolis.


PASULA:

And where do you want us to send your homework?

Seriously, if you want help, please show us what you've done -- from  
there we can move on.


Cheers,

tedd
--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com







Re: [PHP] Extracting a time zone from a latitude longitude

2009-11-21 Thread Phpster
This is a simple math problem. Create an array with a start and end
longitude for that timezone and run a compare from your lat/long co-ords
to see where it falls.


Bastien

Sent from my iPod

On Nov 21, 2009, at 12:25 PM, Haig Davis level...@gmail.com wrote:


Good Morning all,

Having a look at the time zone functions in PHP, you can enter a time zone
city and get its lat/long. Does anybody know how you can run the function
in reverse (or know of a similar function), i.e. get the time zone city from
the geographic coordinates? Google Maps was a thought, but the functions are
only for use in Google Maps, which rules out my use for them.

Have a great weekend.

Cheers





Re: [PHP] Extracting a time zone from a latitude longitude

2009-11-21 Thread Stuart Dallas
On 21 Nov 2009, at 17:51, Phpster wrote:
 This is a simple math problem. Create an array with a start and end longitude
 for that timezone and run a compare from your lat/long co-ords to see where
 it falls.

It's not that simple, because timezone boundaries don't run in straight lines
from pole to pole.

I Googled and got this among several others...

http://stackoverflow.com/questions/41504/timezone-lookup-from-latitude-longitude

-Stuart

-- 
http://3ft9.com/


 On Nov 21, 2009, at 12:25 PM, Haig Davis level...@gmail.com wrote:
 
 Good Morning all,
 
 Having a look at the time zone functions in PHP, you can enter a time zone
 city and get its lat/long. Does anybody know how you can run the function
 in reverse (or know of a similar function), i.e. get the time zone city from
 the geographic coordinates? Google Maps was a thought, but the functions are
 only for use in Google Maps, which rules out my use for them.
 
 Have a great weekend.
 
 Cheers
 
 





[PHP] Re: Extracting a time zone from a latitude longitude

2009-11-21 Thread Nathan Rixham
Haig Davis wrote:
 Good Morning all,
 
 Having a look at the time zone functions in PHP, you can enter a time zone
 city and get its lat/long. Does anybody know how you can run the function
 in reverse (or know of a similar function), i.e. get the time zone city from
 the geographic coordinates? Google Maps was a thought, but the functions are
 only for use in Google Maps, which rules out my use for them.
 
 Have a great weekend.
 
 Cheers
 

http://www.geonames.org/export/web-services.html#timezone




Re: [PHP] Which query is more correct?

2009-11-21 Thread Nathan Rixham
Rick Pasotto wrote:
 On Fri, Nov 20, 2009 at 04:41:58PM -0600, LAMP wrote:
 Hi,
 I need to pull all records from the table Registrants they are NOT
 in the table ToBeRecleared

 Registrants.Reg_ID is PK
 ToBeRecleared.tbrc_Reg_ID is PK

 Which query is more correct?

 SELECT r.*
 FROM registrants r
 where r.reg_status=1 AND r.reg_id NOT IN (SELECT tbrc_reg_id FROM
 toberecleared)


 SELECT r.*
 FROM registrants r
 where r.reg_status=1 AND (SELECT count(*) FROM toberecleared where
 tbrc_reg_id=r.reg_id) = 0

 I checked the explain of both queries - but can't read them.  :-)
 
 SELECT t1.*
 FROM registrants t1
 LEFT JOIN ToBeRecleared t2 on t1.reg_id = t2.tbrc_reg_id
 where t2.tbrc_reg_id is NULL
 

^^^ what rick said; the left join with where null is the correct one




[PHP] Re: PHP sessions, AJAX, authentication and security.

2009-11-21 Thread Nathan Rixham
Angus Mann wrote:
 Hi all.
 
 A question about PHP sessions and their interaction with AJAX.
 
 I have a database containing sensitive information and users need to log in 
 to my PHP script and be authenticated before they are granted access.
 
 For one of the forms I would like to retrieve information using AJAX, and 
 some of that information is sensitive also. The request from AJAX is handled 
 by another, simpler PHP script.
 
 It occurs to me that the AJAX handler could be used to bypass the user 
 authentication and a crafted request sent directly to the AJAX handler to get 
 information without authentication.
 
 Can anyone offer some advice about how to piggy-back the 
 session/authentication data that the user originally used to the AJAX so that 
 only an authenticated user will get a valid response from the AJAX handler? I 
 know I could embed authentication information into the web-page and send this 
 with the AJAX request but I'm interested to know if there are other methods 
 also.
 
 I hope the explanation is clear.
 
 Thanks in advance. 

same as everywhere else in your apps.. ajax is no different in any way
at all, not even slightly. as far as PHP and web server is concerned
it's just a plain old request same as any other; thus..

<?php
session_start();                         // load the session the login page created
if( empty($_SESSION['is_logged_in']) ) { // empty() also covers a session that never logged in
  exit();
}
// do stuff




Re: [PHP] Re: PHP sessions, AJAX, authentication and security.

2009-11-21 Thread Angus Mann

same as everywhere else in your apps.. ajax is no different in any way
at all, not even slightly. as far as PHP and web server is concerned
it's just a plain old request same as any other; thus..

if( !$_SESSION['is_logged_in'] ) {
 exit();
}
// do stuff




Thanks for that. Sometimes the solution is right there in front of you.
The bit of code below does the job nicely for me:

<?php
session_start();
if(!isset($_SESSION['username'])){
echo("Go Away.");
exit();
}
// now work with sensitive data...


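As an added example (not code from the thread), here is one way to combine the session check Nathan and Angus settled on with the per-request token Bastien mentioned, in a single AJAX handler. The $_SESSION keys, the X-Ajax-Token header name and the function names are assumptions; the page that renders the form is assumed to put the value of issue_ajax_token() into its markup so the JavaScript can send it back with every request.

```php
<?php
// Added example, not from the thread: an AJAX endpoint that relies on the
// same PHP session the login created, plus a per-session token sent back
// in a request header. Key names, header name and function names are assumed.

session_start();

// Called by the page that rendered the form, after login succeeded; the page
// embeds the returned value so its JavaScript can send it with every request.
function issue_ajax_token(): string
{
    if (empty($_SESSION['ajax_token'])) {
        $_SESSION['ajax_token'] = bin2hex(random_bytes(16)); // PHP 7+
    }
    return $_SESSION['ajax_token'];
}

// True only for a logged-in session whose request carries the matching token.
// The session check is what blocks direct, unauthenticated requests; the token
// additionally stops another site from driving the endpoint through the
// victim's browser, because the browser attaches the session cookie on its own.
function ajax_request_is_authorised(array $session, array $server): bool
{
    if (empty($session['username']) || empty($session['ajax_token'])) {
        return false;
    }
    $sent = $server['HTTP_X_AJAX_TOKEN'] ?? ''; // request header X-Ajax-Token
    // hash_equals() compares in constant time, so timing cannot leak the token.
    return is_string($sent) && hash_equals($session['ajax_token'], $sent);
}

function deny(int $status, string $message): void
{
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode(['error' => $message]);
    exit();
}

if (!ajax_request_is_authorised($_SESSION, $_SERVER)) {
    deny(403, 'Go Away.');
}

// From here on the request is exactly as trusted as the logged-in page itself.
header('Content-Type: application/json');
header('Cache-Control: no-store'); // keep sensitive replies out of shared caches
echo json_encode(['record' => 'sensitive data for ' . $_SESSION['username']]);
```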



[PHP] Re: Extracting a time zone from a latitude longitude

2009-11-21 Thread clancy_1
On Sat, 21 Nov 2009 09:25:16 -0800, level...@gmail.com (Haig Davis) wrote:

Good Morning all,

Having a look at the time zone functions in PHP, you can enter a time zone
city and get its lat/long. Does anybody know how you can run the function
in reverse (or know of a similar function), i.e. get the time zone city from
the geographic coordinates? Google Maps was a thought, but the functions are
only for use in Google Maps, which rules out my use for them.

Don't know what you mean by Time Zone City. IF the world were organised
scientifically, the time zone for a given location would be given by

Time zone = GMT + (int)Long/15

But, as Stuart has pointed out, it isn't. Melbourne, Sydney, Brisbane, Port
Moresby, Sakhalin and Okhosh are all on GMT +10, but treat summertime in at
least two and probably three different ways. Also Okhosh, Tokyo, and Adelaide
all have a longitude of approximately 140°, but are on GMT +10, +9, and +9.5.

If you really want to know the time zone for an arbitrary latitude and
longitude, I doubt if you have any alternative to looking it up in an atlas.





[PHP] Recognizing double clicks

2009-11-21 Thread Skip Evans

Hey all,

Every site I've ever stuck a credit card into said “only click once”.
I just got this requirement from a client:


a. System should recognize a duplicated click, so the message
in red “only click once” should be unnecessary.


Is this doable???

Has anyone on the list ever done this???
--

Skip Evans
PenguinSites.com, LLC
503 S Baldwin St, #1
Madison WI 53703
608.250.2720
http://penguinsites.com

Those of you who believe in
telekinesis, raise my hand.
 -- Kurt Vonnegut




Re: [PHP] Recognizing double clicks

2009-11-21 Thread Skip Evans
It just dawned on me the button may be disabled right when 
it's clicked to prevent a double submit?


Is that doable?

Skip

Skip Evans wrote:

Hey all,

Every site I've ever stuck a credit card into said “only click once”.
I just got this requirement from a client:


a. System should recognize a duplicated click, so the message in red
“only click once” should be unnecessary.


Is this doable???

Has anyone on the list ever done this???


--

Skip Evans
PenguinSites.com, LLC
503 S Baldwin St, #1
Madison WI 53703
608.250.2720
http://penguinsites.com

Those of you who believe in
telekinesis, raise my hand.
 -- Kurt Vonnegut




Re: [PHP] Recognizing double clicks

2009-11-21 Thread Manuel Lemos
Hello,

on 11/22/2009 03:34 AM Skip Evans said the following:
 It just dawned on me the button may be disabled right when it's clicked
 to prevent a double submit?
 
 Is that doable?

This forms generation class can do exactly that. It generates Javascript
with form HTML that disables the form submit button while the form is
submitted. Then it enables the submit button again. If the user clicks
on the button again, an alert message appears asking whether the user
really wants to submit the form again.

http://www.phpclasses.org/formsgeneration

Here you can see a live example:

http://www.meta-language.net/forms-examples.html?example=test_form

-- 

Regards,
Manuel Lemos

Find and post PHP jobs
http://www.phpclasses.org/jobs/

PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/




Re: [PHP] Recognizing double clicks

2009-11-21 Thread Hans Åhlin
Write a function that generates a unique form id and one that checks if
it has already been submitted.
Store the data that the script sends after a submit has been done in the
session array, and if it is a re-submit just re-send the data.

2009/11/22 Skip Evans s...@bigskypenguin.com:
 Hey all,

 Every site I've ever stuck a credit card into said “only click once”. I
 just got this requirement from a client:

 a. System should recognize a duplicated click, so the message in red “only
 click once” should be unnecessary.

 Is this doable???

 Has anyone on the list ever done this???
 --
 
 Skip Evans
 PenguinSites.com, LLC
 503 S Baldwin St, #1
 Madison WI 53703
 608.250.2720
 http://penguinsites.com
 
 Those of you who believe in
 telekinesis, raise my hand.
  -- Kurt Vonnegut






-- 
MvH / Hans Åhlin
Tel: +46761488019
http//www.kronan-net.com/

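Hans's outline for Skip's double-click requirement, worked through as an added example (not code from the thread): the form carries a one-time id, the result of the first submit is stored in the session under that id, and a second click replays the stored result instead of processing the order again. The function names, the 'pending_forms' session key and the 'form_id' hidden-field name are assumptions, and the $charge closure is a constructed stand-in for whatever the real submit does.

```php
<?php
// Added example, not from the thread: server-side detection of a duplicated
// submit. Function names, the 'pending_forms' session key and the 'form_id'
// field name are assumptions.

session_start();

// Called while rendering the form; put the returned id in a hidden field.
function new_form_id(): string
{
    $id = bin2hex(random_bytes(16));        // PHP 7+
    $_SESSION['pending_forms'][$id] = null; // null = issued, not processed yet
    return $id;
}

// Runs $process once per form id; a re-submit gets the stored first result.
// With the default files session handler PHP serialises requests that share a
// session, so two near-simultaneous clicks are handled one after the other and
// the second one finds the stored result; other handlers may need their own lock.
function handle_submit(array $post, callable $process): array
{
    $id = $post['form_id'] ?? '';
    $forms = $_SESSION['pending_forms'] ?? [];
    if (!is_string($id) || !array_key_exists($id, $forms)) {
        return ['status' => 'rejected', 'reason' => 'unknown form id'];
    }
    if ($forms[$id] !== null) {
        return ['status' => 'duplicate', 'result' => $forms[$id]];
    }
    $result = $process($post);
    $_SESSION['pending_forms'][$id] = $result;
    return ['status' => 'processed', 'result' => $result];
}

// Constructed stand-in for the real work (for example charging the card).
$charge = function (array $post): array {
    return ['order' => 'ORDER-ID-PLACEHOLDER', 'amount' => $post['amount'] ?? '0'];
};

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    header('Content-Type: application/json');
    echo json_encode(handle_submit($_POST, $charge));
} else {
    $id = htmlspecialchars(new_form_id(), ENT_QUOTES, 'UTF-8');
    echo '<form method="post">'
       . '<input type="hidden" name="form_id" value="' . $id . '">'
       . '<input name="amount" value="10.00"> <button>Pay</button></form>';
}
```

Entries in 'pending_forms' live as long as the session does; a real deployment would prune ids older than the form's useful lifetime.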