Re: [PHP] Credit Card encryption
On Sun, 2010-05-30 at 01:49 -0400, Paul M Foster wrote: > This question is for people who take and store credit card information > for customers. > > Credit card companies, in an attempt to lessen fraud, are tightening the > screws on merchants who take credit cards. One aspect of this is a > requirement to store credit card information from customers encrypted. > > So let's say you have a customer whose credit card you keep on file, > because they'll be charging other items with you. The credit card > companies would like you to store this information with strong > encryption, which in their mind is one-way encryption. > > Now let's say that the credit card number is part of the customer > record. When looking at the customer record, you see just the last four > digits of the card. But when editing the record or when printing out > reports of things which must be charged, you will see the whole number. > Assume the users of the system have logins and passwords. > > Now if you one-way encrypt the credit card numbers in the customer > records, then it seems to me that any time that field has to be accessed > (to edit the record or charge something to the card), you'd have to have > the user enter a specific "password" to unlock the encryption. This > would be quite in addition to their username and password. Moreover for > this to be as secure as the credit card companies would like it, > whatever "password" is used would need to be changed frequently, > particularly at any change of personnel. This means you'd have to > re-encrypt all the credit card numbers using the new "password" every > few months or when you fire someone who had access to the data. > > This seems like an excessively cumbersome solution. Is this seriously > the way it's done? Does anyone have a better solution? > > > Paul > > -- > Paul M. Foster > It's not just a matter of encrypting the credit card details. You also have to ensure the server meets specific security requirements, every last little bit of software has to be updated and patched. There are services that will check your server out for you (last one I used was McAffee Secure) I am certain that this is a legal requirement in order to allow you to process credit card details. You won't have to encrypt the password against the username of whoever has access to it. Just encrypt it the once, and use the DBMS side of things to manage access rights. Maybe use a couple of fields in the DB to store the credit card number in two versions, one that is two-way encrypted, the second that is one-way. You can set up your web system to only have access to the one-way version, meaning that the actual number can't be got by that user. The two-way encrypted version would be accessible only by a specific second DB user, the access details of which could change when personnel changes. Thanks, Ash http://www.ashleysheridan.co.uk
[PHP] Credit Card encryption
This question is for people who take and store credit card information for customers. Credit card companies, in an attempt to lessen fraud, are tightening the screws on merchants who take credit cards. One aspect of this is a requirement to store credit card information from customers encrypted. So let's say you have a customer whose credit card you keep on file, because they'll be charging other items with you. The credit card companies would like you to store this information with strong encryption, which in their mind is one-way encryption. Now let's say that the credit card number is part of the customer record. When looking at the customer record, you see just the last four digits of the card. But when editing the record or when printing out reports of things which must be charged, you will see the whole number. Assume the users of the system have logins and passwords. Now if you one-way encrypt the credit card numbers in the customer records, then it seems to me that any time that field has to be accessed (to edit the record or charge something to the card), you'd have to have the user enter a specific "password" to unlock the encryption. This would be quite in addition to their username and password. Moreover for this to be as secure as the credit card companies would like it, whatever "password" is used would need to be changed frequently, particularly at any change of personnel. This means you'd have to re-encrypt all the credit card numbers using the new "password" every few months or when you fire someone who had access to the data. This seems like an excessively cumbersome solution. Is this seriously the way it's done? Does anyone have a better solution? Paul -- Paul M. Foster -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] get classname without namespace
On Sun, May 30, 2010 at 1:50 AM, Tanel Tammik wrote:
> Hi,
>
> is there a way to get the called classname without the namespace?
>
> //PHP 5.3.x
> namespace some\where;
>
> abstract class ParentClass {
> public static function name() {
> return strtolower(get_called_class());
> }
>
> public static function get_name() {
> echo 'name: ' . static::name();
> }
> }
>
> class ChildClass extends ParentClass {
> }
>
> ChildClass::get_name();
> ?>
>
> the result i need: childclass
> the result i get: some\where\childclass
>
> also is it possible to get the name() into the static variable if only
> static method is called?
>
> Br
> Tanel
>
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
You need to extract that using strrpos and substr
$name = substr($fullname_with_namespace,
strrpos($fullname_with_namespace, '/'));
--
Nilesh Govindarajan
Facebook: nilesh.gr
Twitter: nileshgr
Website: www.itech7.com
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] get classname without namespace
Hi, is there a way to get the called classname without the namespace? the result i need: childclass the result i get: some\where\childclass also is it possible to get the name() into the static variable if only static method is called? Br Tanel -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Convert UTF-8 to PHP defines
On Sat, 29 May 2010 10:16:39 -0400, tedd wrote: > At 7:15 AM +0200 5/29/10, Nisse =?utf-8?Q?Engstr=C3=B6m?= wrote: >> >>No. There are no glyphs in Unicode. This is spelled out for >>you in chapter 2, figure 2-2. "Characters versus Glyphs". > Code points are simply unique numbers assigned to specific characters > in an approved char set. To better understand which character is > represented a representative Glyph is used -- what else would we use, Right. I should have phrased that differently. > a chicken? U+9e21 ? U+540D ? /Nisse -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] MVC logic
Hello, i'm trying to break this thing down for my self. i made little application for that. could someone please take a look and let me know if what i wrote resembles MVC inviroment or not. http://keevitaja.com/kool http://keevitaja.com/kool/kool.rar Idea is to create it from scratch for educational purpose! Br Tanel -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Select Values Didn't Get Passed in From Two Different Forms
> Date: Sat, 29 May 2010 11:50:50 -0400 > To: php-general@lists.php.net; aj...@alumni.iu.edu > From: tedd.sperl...@gmail.com > Subject: RE: [PHP] Select Values Didn't Get Passed in From Two Different > Forms > > At 7:31 PM -0400 5/28/10, Alice Wei wrote: > > > >Anything I want? > > > >Seriously, I do know how to pass a "non-dynamic" element from one > >page to another page, but when I started researching on how to > >utilize dynamic menus based on user input, I found Ajax, until this > >problem that I am running into hits me. > > > >Is there some way that I could generate dynamic select menus without > >using Ajax? Or, is that asking too much? > > > >Thanks for your help. > > > >Alice > > Alice: > > No offense, but considering what you posted when you started this > exchange, it did not appear that you knew how to use forms. But on > the other hand, I don't know what "non-dynamic" elements are. > > Now on to your problem -- you want to "generate dynamic select menu" > -- I'm not sure what those are either. I think you need to start > using the terminology used in html, controls, and such. You can't > just throw terms together hoping that the person at the other end > knows what you're talking about. > > In any event, here's something for you to consider: > > http://www.webbytedd.com/a/ajax-controls/ > > It shows how to use javascript to detect user's actions in input > elements (i.e., text, radio, checkboxes, etc.) and select elements. > From those routines, you should be able to construct whatever > "dynamic select menus" you want. All the code is there -- just review > it. > > It would be a trivial matter to add a Submit button to the form to > pass these values to the server via traditional means and thus the > Submit was omitted to show how Ajax Controls work. > > However, it is important to note that the example provided above is > not unobtrusive -- it is an early example of how all of this was > done. There are more appropriate ways to accomplish this, but they > require more abstraction, which would probably lead to more confusion > on your part -- no offense meant. > > I suggest you read "DOM Scripting" and "Advance DOM Scripting" both > published by Friends of ED. They are well worth the cost/effort to > read and would give you a better understanding of the processes > involved. > > Cheers, > > tedd > At the time of writing this, I got all the functionality I wanted, only that it takes 3 submits, which is 4 pages in total, which includes two dependent select menus based on user input by clicking on the radio button and some other static drop downs and text inputs. I am not sure if it is possible to cut it down two only two submits, I just went online and found this, http://www.w3schools.com/dhtml/tryit.asp?filename=trydhtml_event_onchange. If I could change this function to using the radio button, and process the other searching for the dependent drop downs using case statements with PHP , do you think this is a good idea? Anyway, I found this method is kind of ugly for the time being, but less daunting with what I was doing before. Thanks. Alice > --- > http://sperling.com http://ancientstones.com http://earthstones.com _ The New Busy think 9 to 5 is a cute idea. Combine multiple calendars with Hotmail. http://www.windowslive.com/campaign/thenewbusy?tile=multicalendar&ocid=PID28326::T:WLMTAGL:ON:WL:en-US:WM_HMP:042010_5
RE: [PHP] Select Values Didn't Get Passed in From Two Different Forms
At 7:31 PM -0400 5/28/10, Alice Wei wrote: Anything I want? Seriously, I do know how to pass a "non-dynamic" element from one page to another page, but when I started researching on how to utilize dynamic menus based on user input, I found Ajax, until this problem that I am running into hits me. Is there some way that I could generate dynamic select menus without using Ajax? Or, is that asking too much? Thanks for your help. Alice Alice: No offense, but considering what you posted when you started this exchange, it did not appear that you knew how to use forms. But on the other hand, I don't know what "non-dynamic" elements are. Now on to your problem -- you want to "generate dynamic select menu" -- I'm not sure what those are either. I think you need to start using the terminology used in html, controls, and such. You can't just throw terms together hoping that the person at the other end knows what you're talking about. In any event, here's something for you to consider: http://www.webbytedd.com/a/ajax-controls/ It shows how to use javascript to detect user's actions in input elements (i.e., text, radio, checkboxes, etc.) and select elements. From those routines, you should be able to construct whatever "dynamic select menus" you want. All the code is there -- just review it. It would be a trivial matter to add a Submit button to the form to pass these values to the server via traditional means and thus the Submit was omitted to show how Ajax Controls work. However, it is important to note that the example provided above is not unobtrusive -- it is an early example of how all of this was done. There are more appropriate ways to accomplish this, but they require more abstraction, which would probably lead to more confusion on your part -- no offense meant. I suggest you read "DOM Scripting" and "Advance DOM Scripting" both published by Friends of ED. They are well worth the cost/effort to read and would give you a better understanding of the processes involved. Cheers, tedd -- --- http://sperling.com http://ancientstones.com http://earthstones.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] File Downloads
At 4:41 PM -0500 5/28/10, Karl DeSaulniers wrote: On May 28, 2010, at 4:25 PM, tedd wrote: At 3:39 PM -0500 5/28/10, Karl DeSaulniers wrote: Hello, How can I go about restricting the number of downloads of a file on my server? For Eg: if I want a music track to only be able to be downloaded by 150 people and thats it.. ever, how can I go about doing this? Karl: Just have the download pass through a script that counts, such as found here: http://sperling.com/freeware.php When someone click the link, it activates a script that provides the download and saves a count. It would be trivial to stop the download at a specific number. Cheers, tedd Hey thanks Tedd. Quick question. Were you referring me to this link to download one of their demos or just to show that they count their downloads? EG: Binary-Tree v1.1 Downloads: 2806 Karl: What I was showing you was a working example of what you want. The link simply calls a script that: 1) provides the download for the user; 2) writes a count to a file. You also said: The users will have gone through a registration and login to get to the downloads. The files will be served from MySQL and output to HTML of Flash. This is for a small project of limited edition audio or pictures or scripts, etc. Hens, "I'd like" to limit each user in the allotted 150 to be able to download (whatever it is) only once. But up to 150 users can get in on it kind of thing. That's simply a two step problem. 1) filter the people who can access the link (only approved members); 2) then have the protected link be tied to a script that monitors the download count for that member. It should be easy enough to create a table for each member having their logon id, password, and download count for whatever item you want to restrict download. Cheers, tedd -- --- http://sperling.com http://ancientstones.com http://earthstones.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Convert UTF-8 to PHP defines
At 7:15 AM +0200 5/29/10, Nisse =?utf-8?Q?Engstr=C3=B6m?= wrote: No. There are no glyphs in Unicode. This is spelled out for you in chapter 2, figure 2-2. "Characters versus Glyphs". *blink* *blink* *blink* I read it, but that's not addressing the issue here -- that's something different. You are not understanding the difference between characters, fonts, glyphs, and code points. Here are some definitions taken directly from a Unicode Standard that might help: -- quote Character. The smallest component of written language that has semantic-value; refers to the abstract meaning and/or shape, rather than a specific shape (see also glyph), though in code tables some form of visual representation is essential for members understanding. Font. A collection of glyphs used for the visual depiction of character data. A font is often associated with a set of parameters (for example, size posture, weight, and serifness), which, when set to particular values, generates a collection of imaginable glyphs. Glyph. (1) An abstract for that represents one or more glyph images. (2) A synonym for "glyph image". In displaying Unicode character data, one or more glyphs may be selected to depict a particular character. These glyphs are selected by a rendering engine during composition and layout processing. -- unquote As such, you cannot claim "There are no glyphs in Unicode" for that is silly. Code points are simply unique numbers assigned to specific characters in an approved char set. To better understand which character is represented a representative Glyph is used -- what else would we use, a chicken? I may have been liberal in my use of the term "Glyph" in previous brief email, but "Glyph" in Unicode has a special meaning. The Glyph 'A' is 'A' regardless of if it is Helvetical or Times, bold or italic, 12pt or 24pt glyph. Likewise the Yin-Yang symbol is a Glyph that has a single code point regardless of if it is red and black or green and blue glyph. But the point is -- there is a unique code point (041 HEX) for the Latin 'A' Glyph and one unique code point (262F HEX) for the Miscellaneous Symbols Yin-Yang Glyph -- WITH -- a representative Glyph in the Unicode table defining each code point! So, when I say that just about every Glyph in the world has been provided a code point I am basically and technically correct -- excepting of course those glyphs that are not considered appropriate for inclusion or are variation glyphs of the representative Glyph that is already included -- understand? After all is said and done, what is Unicode all about? It is assigning a universal and unique code point system to Glyphs that are considered to be appropriate representative members of abstract written forms of communication. But of course those are Glyphs for what else could they be? Cheers, tedd -- --- http://sperling.com http://ancientstones.com http://earthstones.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] authentication issue...
On May 29, 2010, at 12:02 AM, Nathan Nobbe wrote:
On Fri, May 28, 2010 at 7:43 PM, Jason Pruim > wrote:
Hey Everyone,
So I'm sitting here on a friday night trying to figure out how in
the world I'm going to fix an issue that should probably be simple
to me but is escaping me at the moment
Take this authentication function:
$loginQuery = "SELECT * FROM {$cfgtableAuth} WHERE
userLogin='".$authUser."' AND userPass='".$md5pass."' LIMIT 0,1;";
$loginResult = mysql_query($loginQuery) or die("Wrong
data supplied or database error" .mysql_error());
$row1 = mysql_fetch_assoc($loginResult);
if($row1['access'] == "500"){
foreach (array_keys($_SESSION) as $key)
unset($_SESSION[$key]);
die('account disabled');
}
if(is_array($row1)){
$_SESSION['userInfo'] = array( "userLogin" =>
$row1['userName'], "loggedin" => TRUE, "userName" =>
$row1['userName'], "userPermission" => $row1['userPermission']);
error_log("User has logged in: ".
$row1['userLogin']);
}else{
//$_SESSION['userInfo'] =array("loggedin" =>
FALSE);
die('authentication failed');
}
return TRUE;
}
?>
Here is how I am displaying the login form:
CSS;
include("nav.php");
if ($_SESSION['userInfo']['loggedin'] == TRUE) {
MAIN PAGE DISPLAY HERE
}else{
//Display login info
echo <<
You must login to proceed!
User Name: name="txtUser">
Password: name="txtPass">
FORM;
if(isset($_POST['txtUser'])) {
$authUser = $_POST['txtUser'];
$authPass = $_POST['txtPass'];
$auth = authentication($authUser, $authPass, $cfgtableAuth);
}
}
?>
Now... the authentication actually works, and it logs me in
properly, but I have to click the login button twice Ideally I
should just do it once, so I'm wondering if anyone can spot my
grievous misstep here?
it looks to me like you need to move the authentication() call
if(isset($_POST['txtUser'])) {
$authUser = $_POST['txtUser'];
$authPass = $_POST['txtPass'];
$auth = authentication($authUser, $authPass, $cfgtableAuth);
}
above the check to see if the user has logged in, right after the
include("nav.php");
line. right now, when the user submits the form, your code is first
finding that the user isnt logged in, spitting out the 'please log
in' portion of the html then logging them in, so youre actually
already logged in when the form shows itself the second time!
Hey nathan,
You were close actually... :) If I moved just the $auth call it came
up and said that the auth failed... BUT if I moved that entire if
block to just below the include("nav.php"); line it works as it should!
Thanks for the pointer in the right direction! :)
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] authentication issue...
On Sat, 2010-05-29 at 07:40 -0400, Floyd Resler wrote:
> On May 28, 2010, at 9:43 PM, Jason Pruim wrote:
>
> > Hey Everyone,
> >
> > So I'm sitting here on a friday night trying to figure out how in
> > the world I'm going to fix an issue that should probably be simple
> > to me but is escaping me at the moment
> >
> > Take this authentication function:
> >
> > >
> > function authentication($authUser, $authPass, $cfgtableAuth){
> >
> > // Keep in mind, PASSWORD has meaning in MySQL
> > // Do your string sanitizing here
> > // (e.g. - $user = mysql_real_escape_string($_POST['user']);)
> > $authUser = mysql_real_escape_string($_POST['txtUser']);
> > $authPass = mysql_real_escape_string($_POST['txtPass']);
> > $md5pass = md5($authPass);
> >
> >$loginQuery = "SELECT * FROM {$cfgtableAuth} WHERE
> > userLogin='".$authUser."' AND userPass='".$md5pass."' LIMIT 0,1;";
> >
> >$loginResult = mysql_query($loginQuery) or die("Wrong
> > data supplied or database error" .mysql_error());
> > $row1 = mysql_fetch_assoc($loginResult);
> > if($row1['access'] == "500"){
> >foreach (array_keys($_SESSION) as $key)
> >unset($_SESSION[$key]);
> >
> > die('account disabled');
> > }
> >
> > if(is_array($row1)){
> >
> >$_SESSION['userInfo'] = array( "userLogin" =>
> > $row1['userName'], "loggedin" => TRUE, "userName" =>
> > $row1['userName'], "userPermission" => $row1['userPermission']);
> >
> >error_log("User has logged in: ".
> > $row1['userLogin']);
> >
> >}else{
> > //$_SESSION['userInfo'] =array("loggedin" => FALSE);
> > die('authentication failed');
> >
> > }
> > return TRUE;
> >
> > }
> >
> > ?>
> >
> > Here is how I am displaying the login form:
> >
> > > session_start();
> >
> > $link = dbconnect($server, $username, $password, $database);
> >
> > $page = $_GET['page'];
> >
> > echo << >
> >
> >
> > CSS;
> > include("nav.php");
> >
> > if ($_SESSION['userInfo']['loggedin'] == TRUE) {
> >
> > MAIN PAGE DISPLAY HERE
> >
> > }else{
> >
> > //Display login info
> > echo << >
> >
> >
> >You must login to proceed!
> > User Name: > name="txtUser">
> > Password: > name="txtPass">
> >
> >
> >
> >
> > FORM;
> >
> > if(isset($_POST['txtUser'])) {
> > $authUser = $_POST['txtUser'];
> > $authPass = $_POST['txtPass'];
> > $auth = authentication($authUser, $authPass, $cfgtableAuth);
> >
> > }
> >
> > }
> >
> > ?>
> >
> > Now... the authentication actually works, and it logs me in
> > properly, but I have to click the login button twice Ideally I
> > should just do it once, so I'm wondering if anyone can spot my
> > grievous misstep here?
> >
> > Thanks in advance for the help and pointers I am bound to receive
> > from this list! :)
> >
>
> Your problem kind of made me laugh. Not because you're having this
> problem but because the problem you're having that you want to correct
> is something a co-worker of mine did by design. She writes in FoxPro
> and on her login page you actually have to click the login button
> twice in order to log in! She did it that way because she has a
> profile button on the login page. Still, clicking on a login button
> twice is annoying! :)
>
> Take care,
> Floyd
>
>
The problem I often see in this area is where the login check is
performed in an include file, and then included in every page, including
the login page itself. Takes a little while sometimes to figure out why
it is stuck in an eternal loop!
Thanks,
Ash
http://www.ashleysheridan.co.uk
Re: [PHP] authentication issue...
On May 28, 2010, at 9:43 PM, Jason Pruim wrote:
Hey Everyone,
So I'm sitting here on a friday night trying to figure out how in
the world I'm going to fix an issue that should probably be simple
to me but is escaping me at the moment
Take this authentication function:
$loginQuery = "SELECT * FROM {$cfgtableAuth} WHERE
userLogin='".$authUser."' AND userPass='".$md5pass."' LIMIT 0,1;";
$loginResult = mysql_query($loginQuery) or die("Wrong
data supplied or database error" .mysql_error());
$row1 = mysql_fetch_assoc($loginResult);
if($row1['access'] == "500"){
foreach (array_keys($_SESSION) as $key)
unset($_SESSION[$key]);
die('account disabled');
}
if(is_array($row1)){
$_SESSION['userInfo'] = array( "userLogin" =>
$row1['userName'], "loggedin" => TRUE, "userName" =>
$row1['userName'], "userPermission" => $row1['userPermission']);
error_log("User has logged in: ".
$row1['userLogin']);
}else{
//$_SESSION['userInfo'] =array("loggedin" => FALSE);
die('authentication failed');
}
return TRUE;
}
?>
Here is how I am displaying the login form:
CSS;
include("nav.php");
if ($_SESSION['userInfo']['loggedin'] == TRUE) {
MAIN PAGE DISPLAY HERE
}else{
//Display login info
echo <<
You must login to proceed!
User Name:
Password:
FORM;
if(isset($_POST['txtUser'])) {
$authUser = $_POST['txtUser'];
$authPass = $_POST['txtPass'];
$auth = authentication($authUser, $authPass, $cfgtableAuth);
}
}
?>
Now... the authentication actually works, and it logs me in
properly, but I have to click the login button twice Ideally I
should just do it once, so I'm wondering if anyone can spot my
grievous misstep here?
Thanks in advance for the help and pointers I am bound to receive
from this list! :)
Your problem kind of made me laugh. Not because you're having this
problem but because the problem you're having that you want to correct
is something a co-worker of mine did by design. She writes in FoxPro
and on her login page you actually have to click the login button
twice in order to log in! She did it that way because she has a
profile button on the login page. Still, clicking on a login button
twice is annoying! :)
Take care,
Floyd
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
