[PHP] Securing Use of PHP site
Hello all,

I have recently built a site using PHP. I was a little loose with GET and POST methods because I was using it for personal/private use. Now I am thinking of going public and allowing different companies to use the site. I want to secure and hide as much data as possible to guard against user abuse.

I have several instances where I use the GET method to pass IDs. I can use a POST, but even that is visible in the source. How does one allow for processing but never really let the user see the actual ID? Do I use a HASH for IDs? Do I need to get more familiar with SESSION VARS?

I am doing some experimenting. Any words of wisdom or resources would be helpful.

Thanks!

Don Wieland
D W D a t a C o n c e p t s ~ d...@dwdataconcepts.com
Direct Line - (949) 336-4828
Integrated data solutions to fit your business needs.

Need assistance in dialing in your FileMaker solution? Check out our Developer Support Plan at:
http://www.dwdataconcepts.com/DevSup.html

Appointment 1.0v9 - Powerful Appointment Scheduling for FileMaker Pro 9 or higher
http://www.appointment10.com
For a quick overview - http://www.appointment10.com/Appt10_Promo/Overview.html
Re: [PHP] Securing Use of PHP site
On Nov 17, 2010, at 6:51 AM, Don Wieland <d...@dwdataconcepts.com> wrote:

> Hello all, I have recently built a site using PHP. I was a little loose with GET and POST methods because I was using it for personal/private use. Now I am thinking of going public and allowing different companies to use the site. I want to secure and hide as much data as possible to guard against user abuse.
>
> I have several instances where I use the GET method to pass IDs. I can use a POST, but even that is visible in the source. How does one allow for processing but never really let the user see the actual ID? Do I use a HASH for IDs? Do I need to get more familiar with SESSION VARS?
>
> I am doing some experimenting. Any words of wisdom or resources would be helpful.
>
> Thanks!
>
> Don Wieland
> [...]

A hash is useful, but I think you are on the right track with session vars.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] database design in a survey/poll system
I plan to design a small survey/poll system similar to polldaddy (http://polldaddy.com/). And I have some confusion in designing the database for the multiple/single choice questions.

Of course, it is possible to use one table to store the question title and another table to store the choice items (one record for each choice item). My main concern is whether we can place the choices together in the same table (and in one ) with the question title. I guess it can be faster to read from one table than reading from two tables. And my idea is to use a delimiter to separate the choices. And the handling of the choices is done in the PHP script. But what delimiter should be used?

Can anyone help? Thanks!
Re: [PHP] Securing Use of PHP site
On Wed, Nov 17, 2010 at 8:21 AM, Nicholas Kell <n...@monkeyknight.com> wrote:

> On Nov 17, 2010, at 6:51 AM, Don Wieland <d...@dwdataconcepts.com> wrote:
>
> > Hello all, I have recently built a site using PHP. [...] I have several instances where I use the GET method to pass IDs. I can use a POST, but even that is visible in the source. How does one allow for processing but never really let the user see the actual ID? Do I use a HASH for IDs? Do I need to get more familiar with SESSION VARS?
> > [...]
>
> A hash is useful, but I think you are on the right track with session vars.

I use both. Hashes to id the record, and session vars to hold the user permission sets.

--
Bastien

Cat, the other other white meat
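A worked example of the pattern Bastien describes, added here as an illustration and not code from anyone in the thread: the only identifier the browser ever sees is a random per-session token, the token-to-record map and the user's identity live in $_SESSION, and ownership is re-checked on the server before a record is returned. The $records array, the session layout, the field names and the report() helper are all constructed for the demo; it assumes PHP 7 or later for random_bytes().

```php
<?php
// Added example (not from the mailing-list thread): authorising access to a
// record on the server instead of trusting an ID that arrived in the request.
declare(strict_types=1);

// Constructed in-memory data store: record id => owner user id + payload.
$records = [
    101 => ['owner' => 7, 'company' => 'Acme',   'notes' => 'private to user 7'],
    102 => ['owner' => 9, 'company' => 'Globex', 'notes' => 'private to user 9'],
];

// Loose pattern from the question: whatever id the client sends is fetched.
// Changing ?id=101 to ?id=102 returns another company's row.
function fetch_insecure(array $records, array $get): ?array
{
    $id = (int) ($get['id'] ?? 0);
    return $records[$id] ?? null;
}

// Hardened pattern: hand out an opaque token and remember which real id it
// stands for in the session. The real id never appears in a URL or form.
function token_for(int $realId, array &$session): string
{
    $token = bin2hex(random_bytes(16));      // 128 random bits, URL-safe hex
    $session['id_map'][$token] = $realId;
    return $token;
}

// Resolve the token through the session, then enforce ownership using the
// user id stored at login. Permissions come from the session, not the request.
function fetch_secure(array $records, array $get, array $session): ?array
{
    $token = $get['t'] ?? '';
    if (!is_string($token) || !isset($session['user_id'], $session['id_map'][$token])) {
        return null;                         // not logged in, or unknown token
    }
    $realId = $session['id_map'][$token];
    $row = $records[$realId] ?? null;
    if ($row === null || $row['owner'] !== $session['user_id']) {
        return null;                         // exists, but not this user's record
    }
    return $row;
}

function report(string $label, bool $granted): void
{
    echo str_pad($label, 36), $granted ? "record returned\n" : "denied\n";
}

// Demo: a session for user 7, with tokens minted for both records so we can
// show that holding a token is not enough; ownership still decides.
$session = ['user_id' => 7, 'id_map' => []];
$t101 = token_for(101, $session);
$t102 = token_for(102, $session);

report('insecure, ?id=102 as user 7',     fetch_insecure($records, ['id' => '102']) !== null);
report('secure, token for own record',    fetch_secure($records, ['t' => $t101], $session) !== null);
report("secure, token for user 9's row",  fetch_secure($records, ['t' => $t102], $session) !== null);
report('secure, unknown token',           fetch_secure($records, ['t' => 'bogus'], $session) !== null);
```

One caveat on the "hash for IDs" idea from the question: a hash of a small sequential integer (md5($id) and the like) is deterministic, so it only relabels the ID rather than hiding it. The random token above is meaningless outside the session that minted it, and the ownership check in fetch_secure() is what actually keeps one company's records from another even if a token is copied from a URL.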
Re: [PHP] Updating a GET variable
> A bit late in the thread. However, IMO, I don't think session is necessary, unless you intend to save it for later use, during that same visit from the user. If it's just a 1 time request, you can just use (example) $_GET['lang']=en,de,fr,... Then just split up individual languages, process the request of each supported language, and place each relevant localization in its own tab panel, div (non js), etc...

Hi Tommy,

I read this at least 5 times and still don't quite get your meaning, but I'm curious enough to ask: Could you repeat in other words or give a short example?

Marc
Re: [PHP] database design in a survey/poll system
On Wed, Nov 17, 2010 at 8:42 AM, 肖晗 <xiaohan2...@gmail.com> wrote:

> I plan to design a small survey/poll system similar to polldaddy (http://polldaddy.com/). And I have some confusion in designing the database for the multiple/single choice questions.
>
> Of course, it is possible to use one table to store the question title and another table to store the choice items (one record for each choice item). My main concern is whether we can place the choices together in the same table (and in one ) with the question title. I guess it can be faster to read from one table than reading from two tables. And my idea is to use a delimiter to separate the choices. And the handling of the choices is done in the PHP script. But what delimiter should be used?
>
> Can anyone help? Thanks!

When you denormalize like this, it's important to make sure that you don't need to perform more complex queries on the items (sorting, max, min, etc.), as most DBs will outperform PHP for this type of work even if it does require one or more table relationships.

That said, when the query needs are simple enough to merit this type of approach, I tend to JSON-encode the data (http://php.net/manual/en/function.json-encode.php), leaving a simple JSON-decode operation (http://www.php.net/manual/en/function.json-decode.php) to get the queried data back into PHP form.

Adam

--
Nephtali: PHP web framework that functions beautifully
http://nephtaliproject.com
RE: [PHP] Updating a GET variable
> -----Original Message-----
> From: Marc Guay [mailto:marc.g...@gmail.com]
> Sent: Wednesday, November 17, 2010 6:30 AM
> To: PHP General
> Subject: Re: [PHP] Updating a GET variable
>
> > A bit late in the thread. However, IMO, I don't think session is necessary, unless you intend to save it for later use, during that same visit from the user. If it's just a 1 time request, you can just use (example) $_GET['lang']=en,de,fr,... Then just split up individual languages, process the request of each supported language, and place each relevant localization in its own tab panel, div (non js), etc...
>
> Hi Tommy,
>
> I read this at least 5 times and still don't quite get your meaning, but I'm curious enough to ask: Could you repeat in other words or give a short example?
>
> Marc

Marc,

Nathan previously mentioned: what if instead of a language-specific request, you have a request for multiple languages? I don't know if that's part of your web app feature/service or not, but you don't need a session to process that request unless you need the results for something else. This example is based on using a URL query parameter to permit the users to change/select the languages. I don't know how your app is designed, but you can process it via $_POST also.

    // the request was e.g. ?lang=en,de,fr
    $languages = $_GET['lang'];
    $langArray = explode(',', $languages); // you can use another separator such as - or _

Then you can process each of the languages:

    foreach ($langArray as $lang) {
        process_request_func($lang);
    }

    <div id='lang_en'>results of process_request_func() for language en</div>
    <div id='lang_de'>results of process_request_func() for language de</div>
    <div id='lang_fr'>results of process_request_func() for language fr</div>

Or if you have jQuery UI or something similar, use tabs for each of those HTML contents where each language goes in its own tab. If you need to save the results for later use, then you'll need the session.

Regards,
Tommy
Re: [PHP] Updating a GET variable
> Nathan previously mentioned: what if instead of a language-specific request, you have a request for multiple languages.

I get it now, multiple _simultaneous_ languages.

Cheers,
Marc
Re: [PHP] database design in a survey/poll system
On Nov 17, 2010, at 7:42 AM, 肖晗 wrote:

> I plan to design a small survey/poll system similar to polldaddy (http://polldaddy.com/). And I have some confusion in designing the database for the multiple/single choice questions. Of course, it is possible to use one table to store the question title and another table to store the choice items (one record for each choice item).

As you have a many-to-one relationship of answers to questions, two tables would be necessary in a normalized database.

> My main concern is whether we can place the choices together in the same table (and in one ) with the question title. I guess it can be faster to read from one table than reading from two tables.

It is possible, but really, why bother? It's not a very time-consuming function whether you join two tables or read from one and end up parsing the results. String parsing can be expensive, too.

> And my idea is to use a delimiter to separate the choices. And the handling of the choices is done in the PHP script. But what delimiter should be used?

You can easily choose any character and just make sure your responses never include that character, or escape it somehow (eg. via \ ).

> Can anyone help? Thanks!

I really don't think you gain much, if anything, by having a single table in this instance. The retrieval is trivial for the SQL engine, vs. creating parsing code in PHP which may be trouble-prone or convoluted.
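The two layouts discussed in this thread (the normalized question/choice tables from the reply above, and Adam's JSON-encoded column from the earlier reply), built side by side in an in-memory SQLite database through PDO. This is an added example, not code from the thread or from polldaddy; the table and column names are assumptions, the sample question is constructed, and it assumes the pdo_sqlite extension is available. One choice label deliberately contains commas and a pipe to show why a hand-rolled delimiter needs the escaping the reply mentions, while JSON and a second table do not.

```php
<?php
// Added example (not from the mailing-list thread): normalized tables versus a
// JSON column for poll choices, with bound parameters throughout.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Layout 1: normalized. One row per choice, linked to its question.
$db->exec('CREATE TABLE question (id INTEGER PRIMARY KEY, title TEXT NOT NULL)');
$db->exec('CREATE TABLE choice (
    id INTEGER PRIMARY KEY,
    question_id INTEGER NOT NULL REFERENCES question(id),
    position INTEGER NOT NULL,
    label TEXT NOT NULL)');

// Layout 2: denormalized. Choices stored next to the title as a JSON array.
$db->exec('CREATE TABLE question_json (
    id INTEGER PRIMARY KEY, title TEXT NOT NULL, choices TEXT NOT NULL)');

// Constructed sample question. The third label contains the characters people
// usually pick as delimiters.
$title   = 'Which PHP version do you deploy?';
$choices = ['5.2', '5.3', 'Other: 4.x, 6-dev | trunk'];

// Always bind values; never interpolate user-supplied text into SQL.
$db->prepare('INSERT INTO question (id, title) VALUES (1, ?)')->execute([$title]);
$ins = $db->prepare('INSERT INTO choice (question_id, position, label) VALUES (1, ?, ?)');
foreach ($choices as $i => $label) {
    $ins->execute([$i, $label]);
}
$db->prepare('INSERT INTO question_json (id, title, choices) VALUES (1, ?, ?)')
   ->execute([$title, json_encode($choices)]);

// Reading layout 1: one joined query; the database does the ordering.
function load_normalized(PDO $db, int $qid): array
{
    $st = $db->prepare('SELECT q.title, c.label FROM question q
                        JOIN choice c ON c.question_id = q.id
                        WHERE q.id = ? ORDER BY c.position');
    $st->execute([$qid]);
    $rows = $st->fetchAll(PDO::FETCH_ASSOC);
    return ['title' => $rows[0]['title'] ?? null,
            'choices' => array_column($rows, 'label')];
}

// Reading layout 2: one row, then json_decode(). No delimiter escaping is
// needed because JSON already quotes and escapes each string. A column that
// does not decode to an array is treated as corrupt rather than silently empty.
function load_json(PDO $db, int $qid): array
{
    $st = $db->prepare('SELECT title, choices FROM question_json WHERE id = ?');
    $st->execute([$qid]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        throw new RuntimeException('no question ' . $qid);
    }
    $decoded = json_decode($row['choices'], true);
    if (!is_array($decoded)) {
        throw new RuntimeException('corrupt choices column for question ' . $qid);
    }
    return ['title' => $row['title'], 'choices' => $decoded];
}

// The naive delimiter approach: joining and splitting on a comma turns the
// three labels into five pieces once a label itself contains a comma.
function load_delimited(array $choices, string $delim = ','): array
{
    return explode($delim, implode($delim, $choices));
}

print_r(load_normalized($db, 1));
print_r(load_json($db, 1));
print_r(load_delimited($choices));
```

If the single-table layout is chosen, the json_decode() result should still be validated (as load_json() does) before it is trusted, since a malformed column would otherwise reach the rest of the script as null.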
Re: [PHP] DOMDocument/DOMElement problem
On 16 November 2010 21:30, Adam Richardson <simples...@gmail.com> wrote:

> Hmmm... Nothing really stands out to me, but as my wife would attest, I'm often less than observant. I would probably try sifting through fixes/upgrades in the change logs for possible conflicts and/or changes in behavior. Nothing jumped out at me after a quick glance.
>
> Sorry,
> Adam

Thanks for having a look. As far as I can tell, the main problem was related to the encoding of the input data - and as such, the problem was as likely to be in libxml as in PHP. I haven't seen any updates to the DOM* extensions that would explain the change in behaviour and really find it weird - but, at least I found a solution to the problems :)

Quick note, in case anyone has similar problems: make sure that the data you feed into DOMDocument is UTF-8 encoded.

Regards
Peter

--
<hype>
WWW: plphp.dk / plind.dk
LinkedIn: plind
BeWelcome/Couchsurfing: Fake51
Twitter: kafe15
</hype>
Re: [PHP] DOMDocument/DOMElement problem
On Wed, Nov 17, 2010 at 10:27 AM, Peter Lind <peter.e.l...@gmail.com> wrote:

> Quick note, in case anyone has similar problems: make sure that the data you feed into DOMDocument is UTF-8 encoded.

I can attest to this as well. I just fixed a bug in our sitemap-building code that was producing some items with empty titles for Google News. It turned out they had smart quotes from Word in them because the title field wasn't being passed through the filter. Once I filtered and converted to UTF-8, all is well again.

The strange thing is that we just upgraded to PHP 5.3, and I can't believe no one had accidentally pasted in a smart quote before the upgrade. We're running 5.3.3 in fact, and I wouldn't be surprised if something changed in DOMElement.

David
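An added example of the fix Peter and David describe, not code from either of them: check whether a string is valid UTF-8 before handing it to DOMDocument, convert it from Windows-1252 when it is not, and build elements with text nodes so that quotes and ampersands are escaped instead of parsed. The sample title bytes are constructed to mimic Word's curly quotes in a Windows-1252 page; the sitemap-like element names are assumptions, and it assumes the mbstring and dom extensions are loaded.

```php
<?php
// Added example (not from the mailing-list thread): normalise input to UTF-8
// before it reaches DOMDocument.
declare(strict_types=1);

// Constructed Windows-1252 bytes: curly quotes (0x93 / 0x94) around "Google".
// 0x93 is not a valid UTF-8 lead byte, so this string fails UTF-8 validation.
$rawTitle = "\x93Google\x94 news";

// Return a UTF-8 string. The check comes first so that text that is already
// UTF-8 is left alone; converting it again would mangle it.
function to_utf8(string $s, string $fallback = 'Windows-1252'): string
{
    if (mb_check_encoding($s, 'UTF-8')) {
        return $s;
    }
    return mb_convert_encoding($s, 'UTF-8', $fallback);
}

// Build a small sitemap-style document. createTextNode() escapes the text;
// passing the text as the second argument of createElement() would not.
function build_doc(array $titles): DOMDocument
{
    $doc = new DOMDocument('1.0', 'UTF-8');
    $doc->formatOutput = true;
    $root = $doc->appendChild($doc->createElement('urlset'));
    foreach ($titles as $t) {
        $url  = $root->appendChild($doc->createElement('url'));
        $node = $doc->createElement('title');
        $node->appendChild($doc->createTextNode(to_utf8($t)));
        $url->appendChild($node);
    }
    return $doc;
}

// Three inputs: invalid bytes that need conversion, a plain string with an
// ampersand that must be escaped, and text that is already valid UTF-8.
$doc = build_doc([
    $rawTitle,
    'Plain & simple',
    "already UTF-8: \u{201C}ok\u{201D}",
]);
echo $doc->saveXML();
```

The Windows-1252 fallback is a guess that suits text pasted from Word on Windows; if the data can come from other sources, record the source encoding alongside the data rather than guessing, because mb_convert_encoding() will happily "convert" from the wrong encoding without complaint.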
RE: [PHP] Updating a GET variable
> -----Original Message-----
> From: Marc Guay [mailto:marc.g...@gmail.com]
> Sent: Wednesday, November 17, 2010 8:59 AM
> To: PHP General
> Subject: Re: [PHP] Updating a GET variable
>
> > Nathan previously mentioned: what if instead of a language-specific request, you have a request for multiple languages.
>
> I get it now, multiple _simultaneous_ languages.
>
> Cheers,
> Marc

Also FYI, if you do support multiple languages, don't depend entirely on $_SERVER['HTTP_ACCEPT_LANGUAGE']. I know many folks who are fluent in more than one language but clueless on technology, specifically configuring their system and browser on how to read/write those languages. As for myself, I don't configure the web browser because of privacy issues ;)

Regards,
Tommy
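An added example, not Tommy's code, that puts the two points of this thread together: a comma-separated lang query parameter split as Tommy shows, but only accepted against a fixed allowlist (the value is attacker-controlled input, and it ends up in an element id), with a parsed Accept-Language header used as a fallback rather than the authority, for the reason Tommy gives. The $supported list, the sample request data and the render_section() helper are assumptions for the demo; it uses arrow functions, so PHP 7.4 or later.

```php
<?php
// Added example (not from the mailing-list thread): allowlisted multi-language
// selection from ?lang=, with Accept-Language as a fallback hint.
declare(strict_types=1);

$supported = ['en', 'de', 'fr'];

// "fr, EN,<script>,de,en" -> ['fr', 'en', 'de']: trimmed, lower-cased,
// de-duplicated, and restricted to $supported. Anything else is dropped.
function requested_languages(string $param, array $supported): array
{
    $out = [];
    foreach (explode(',', $param) as $code) {
        $code = strtolower(trim($code));
        if (in_array($code, $supported, true) && !in_array($code, $out, true)) {
            $out[] = $code;
        }
    }
    return $out;
}

// Accept-Language: "de-DE,de;q=0.9,en;q=0.5". Keep the primary subtag of each
// entry, order by q (higher first, header order for ties), allowlist it.
function accept_languages(string $header, array $supported): array
{
    $ranked = [];
    foreach (explode(',', $header) as $i => $entry) {
        $parts = explode(';', trim($entry));
        $tag   = strtolower(trim($parts[0]));
        $q     = 1.0;
        foreach (array_slice($parts, 1) as $p) {
            if (preg_match('/^\s*q=([0-9.]+)/i', $p, $m)) {
                $q = (float) $m[1];
            }
        }
        $primary = explode('-', $tag)[0];
        if ($primary !== '' && in_array($primary, $supported, true)) {
            $ranked[] = ['lang' => $primary, 'q' => $q, 'i' => $i];
        }
    }
    usort($ranked, fn($a, $b) => $b['q'] <=> $a['q'] ?: $a['i'] <=> $b['i']);
    return array_values(array_unique(array_column($ranked, 'lang')));
}

// Query parameter wins when it yields something usable; otherwise the header;
// otherwise a hard default. The is_string() check rejects ?lang[]=... arrays.
function choose_languages(array $get, array $server, array $supported): array
{
    if (isset($get['lang']) && is_string($get['lang'])) {
        $langs = requested_languages($get['lang'], $supported);
        if ($langs !== []) {
            return $langs;
        }
    }
    $langs = accept_languages($server['HTTP_ACCEPT_LANGUAGE'] ?? '', $supported);
    return $langs !== [] ? $langs : [$supported[0]];
}

// Hypothetical renderer: one block per language. The id is built only from
// allowlisted codes, and the content is escaped before it reaches HTML.
function render_section(string $lang, string $text): string
{
    return sprintf("<div id=\"lang_%s\">%s</div>\n",
        $lang, htmlspecialchars($text, ENT_QUOTES, 'UTF-8'));
}

// Demo with constructed request data instead of the real superglobals.
$get    = ['lang' => 'fr, EN,<script>,de,en'];
$server = ['HTTP_ACCEPT_LANGUAGE' => 'de-DE,de;q=0.9,en;q=0.5'];
foreach (choose_languages($get, $server, $supported) as $lang) {
    echo render_section($lang, "Localised content for $lang");
}
echo "--- without ?lang=, the header decides the order ---\n";
foreach (choose_languages([], $server, $supported) as $lang) {
    echo render_section($lang, "Localised content for $lang");
}
```

Splitting on a separator other than a comma, as Tommy suggests, only changes the explode() call; the allowlist is what keeps unexpected values out of the element ids and out of whatever process_request_func() does with the code.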
Re: [PHP] Stripslashes
Adam Richardson <simples...@gmail.com> wrote in message news:aanlktin_9_tfe9q+dc2hoynsavccoyuecudkqd919...@mail.gmail.com...

> On Tue, Nov 16, 2010 at 10:10 PM, Gary <gp...@paulgdesigns.com> wrote:
>
> > I was doing a test of stripslashes on a $_POST, when I received the email, all of the slashes were still in the data posted. I used:
> >
> >     $fname = stripslashes($_POST['fname']);
> >
> > I input G\\a//r\y\\, and was expecting, according to the manual, G\a//r*y\ but got the original spelling.
>
> In this case, you should get the original, if I'm understanding correctly. Think of it like a basic math problem:
>
> Step 1: Happens automatically when you submit the form and PHP receives the form variables
>     input + slashes = slashed_input
>
> Step 2: This happens when you call stripslashes.
>     slashed_input - slashes = input
>
> The goal of stripslashes is that it will undo what happened automatically using magic_quotes_gpc (which essentially calls addslashes on the GPC vars behind the scenes) so you'll end up with the original input.
>
> So, working through your example:
>
> 1. You inputted into a form G\\a//r\y\\ and submitted the form.
> 2. PHP received G\\a//r\y\\ and added slashes (Ga//r\\y).
> 3. You called stripslashes (G\\a//r\y\\).
>
> > I added:
> >
> >     echo stripslashes($fname);
> >
> > and did get the expected result on the page, but not in the email from the $_POST.
>
> Here, you called stripslashes on something already stripped once, so you now have a new value (G\a//ry\).
>
> > I also tried
> >
> >     $fname = (stripslashes($_POST['fname']));
>
> This would be no different than your attempt without enclosing parentheses.
>
> Now, let me just say that I detest magic_quotes, and it's best to run with them disabled so you don't even have to worry about this kind of issue (they've been deprecated). But, perhaps you were just trying to learn about some piece of legacy code.
>
> Hope the explanation helps, Gary.
>
> Adam
>
> --
> Nephtali: PHP web framework that functions beautifully
> http://nephtaliproject.com

Adam

Thanks for your reply.

So if I disable magic_quotes, and I assume I can do that in a script, then stripslashes would work as the manual said it would, meaning G\\a//r\y\\ becomes G\a//r'y\

I also assume that until PHP 6 is out and/or I upgrade to it, I will have to deal with magic_quotes?

Thank you for your help.

Gary
Re: [PHP] Stripslashes
> Adam
>
> Thanks for your reply.
>
> So if I disable magic_quotes, and I assume I can do that in a script, then stripslashes would work as the manual said it would, meaning G\\a//r\y\\ becomes G\a//r'y\
>
> I also assume that until PHP 6 is out and/or I upgrade to it, I will have to deal with magic_quotes?
>
> Thank you for your help.
>
> Gary

You can disable magic quotes with php.ini or htaccess, or toss in the example #2 code on this page if you don't have access to php.ini (each of these examples is listed within the page below):

http://php.net/manual/en/security.magicquotes.disabling.php

Additionally, it doesn't look like you'll have to wait long before you can stop worrying about magic quotes (actually, several distros ship with them turned off):

http://www.pubbs.net/201011/php/27311-php-dev-magic-quotes-in-trunk.html

Keep coding,

Adam

--
Nephtali: PHP web framework that functions beautifully
http://nephtaliproject.com
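An added example for this thread, not code from Adam, Gary or the PHP manual: it reproduces Gary's round trip with addslashes()/stripslashes() so the "original spelling" result is visible, undoes magic_quotes_gpc on a request array only when the option is actually on (the same idea as the manual's recursive example, written independently here), and then stores the value with a bound parameter, which is the replacement for the escaping that magic quotes was trying to do. Gary's input string is reconstructed from his message; the person table and the in-memory SQLite database are assumptions for the demo, and it assumes pdo_sqlite is available.

```php
<?php
// Added example (not from the mailing-list thread): magic_quotes_gpc round
// trip, a guarded strip routine, and a bound parameter instead of escaping.
declare(strict_types=1);

// Gary's input as typed into the form (single-quoted: '\\' is one backslash),
// i.e. the eleven characters G\\a//r\y\\ .
$typed = 'G\\\\a//r\\y\\\\';

// What magic_quotes_gpc would do on arrival, and what stripslashes() gives
// back: the round trip returns the original, which is what Gary observed.
$arrived  = addslashes($typed);
$restored = stripslashes($arrived);
echo "typed:    $typed\narrived:  $arrived\nrestored: $restored\n";
echo 'round trip intact: ', ($restored === $typed ? 'yes' : 'no'), "\n";

// Undo magic quotes on a request array, recursively, only if the option is on.
// get_magic_quotes_gpc() is deprecated in PHP 7.4 and gone in PHP 8, so the
// function_exists() guard keeps this safe to run on any version.
function strip_magic_quotes(array $data): array
{
    $on = function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
    if (!$on) {
        return $data;
    }
    $strip = function ($v) use (&$strip) {
        return is_array($v) ? array_map($strip, $v) : stripslashes((string) $v);
    };
    return array_map($strip, $data);
}

// With or without magic quotes, user text goes into SQL as a bound parameter;
// no addslashes()/stripslashes() bookkeeping is involved.
function store_name(PDO $db, string $fname): string
{
    $db->prepare('INSERT INTO person (fname) VALUES (?)')->execute([$fname]);
    $st = $db->prepare('SELECT fname FROM person WHERE fname = ?');
    $st->execute([$fname]);
    return (string) $st->fetchColumn();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE person (id INTEGER PRIMARY KEY, fname TEXT NOT NULL)');

// Simulated $_POST: run through the guard exactly once, then bind.
$post   = strip_magic_quotes(['fname' => $typed]);
$stored = store_name($db, $post['fname']);
echo 'stored and read back unchanged: ', ($stored === $typed ? 'yes' : 'no'), "\n";
```

The point of the guard is the one Adam makes: stripslashes() must run once, and only when magic quotes added the slashes. Calling it unconditionally on a server where magic quotes are off (or on PHP 5.4 and later, where they are gone) silently eats backslashes the user actually typed.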