Re: [PHP] Sensitive Information (like CC)

2001-04-23 Thread Aaron D. Turner

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Have the email be a "you've got an order" email that has a URL in it via which
they can then view the order over SSL.  That way you don't have to put all
the information in the email.  PGP is another option, but I find it beyond
the abilities of many winblows users.

- -- 
Aaron Turner [EMAIL PROTECTED]|synfin.net|linuxkb.org  URI:www.synfin.net
They that can give up essential liberty to obtain a little temporary safety 
deserve neither liberty nor safety. -- Benjamin Franklin

pub 1024D/F86EDAE6  Sig: 3167 CCD6 6081 0FFC B749  9A8F 8707 9817 F86E DAE6
All emails by me are PGP signed; a lack of a signature indicates a forgery.
I have retired my PGP 2.6.2 key: FBE1 CEED 57E4 AB80  596E 60BF 451B 20E8 

On Mon, 23 Apr 2001, Ashley M. Kirchner wrote:

 
> What's the best (secure?) way of transmitting sensitive information
> over email?  I'm helping some friends build an online order form.  They
> have a Thawte certificate and are already using it for the order form,
> but they would like the information to be emailed to them when an order
> is placed.  The problem is, the information contains everything, the
> person's name, address, credit card information.  Obviously I can't just
> email this over the ether, so how do people deal with this type of
> stuff?
> 
> The server is a unix machine, and they are using winblows to read
> email.
> 
> --
> H | Hi, I'm currently out of my mind.  Please leave a message.  BP!
>   |
>   ~
>   Ashley M. Kirchner mailto:[EMAIL PROTECTED]   .   303.442.6410 x130
>   Director of Internet Operations / SysAdmin. 800.441.3873 x130
>   Photo Craft Laboratories, Inc. .eFax 248.671.0909
>   http://www.pcraft.com  .3550 Arapahoe Ave, #6
>   .. .  .  . .Boulder, CO 80303, U.S.A.
 
 
 
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: Public key at: http://www.synfin.net/aturner/pgpkey.asc

iEYEARECAAYFAjrk9FwACgkQhweYF/hu2uaojACfQB0rb/s6fE2TJdc0JVIfgOAD
ZdkAn15Cly3vZ2cwUwOFZrmEt+T7ZP/G
=fORj
-----END PGP SIGNATURE-----
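The pattern Aaron describes, as an added example in modern PHP that is not part of the post: the notification mail carries only an opaque token, and the order itself is served over HTTPS to staff who are already logged in. The `$pdo` handle, the `orders` table and its columns, the `shop.example.com` host and the `order.php` page are all assumptions made for the example.

```php
<?php
// Added example (not from the mailing-list post).  The merchant is told that an
// order exists; the card data never enters the mail.  Assumed: a PDO handle,
// a table orders(id, token_hash, customer_name, address, card_last4), and that
// the store keeps only the last four card digits for display.

function makeOrderToken(): string {
    return bin2hex(random_bytes(32));           // 256-bit, unguessable
}

// Called once when an order is placed.
function notifyMerchant(PDO $pdo, int $orderId, string $merchantEmail): void {
    $token = makeOrderToken();
    // Store only a hash: reading the database does not yield a usable link.
    $stmt = $pdo->prepare('UPDATE orders SET token_hash = ? WHERE id = ?');
    $stmt->execute([hash('sha256', $token), $orderId]);

    $url  = 'https://shop.example.com/admin/order.php?t=' . $token;   // assumed host/page
    $body = "A new order has been placed.\nView it here: $url\n";
    mail($merchantEmail, 'New order received', $body);
}

// order.php: the page behind the link.  Returns the order row, or null when
// the request must be refused.  $server/$get are $_SERVER/$_GET in practice.
function serveOrder(PDO $pdo, array $server, array $get, bool $staffLoggedIn): ?array {
    if (empty($server['HTTPS']) || $server['HTTPS'] === 'off') {
        return null;                            // plaintext HTTP: refuse
    }
    if (!$staffLoggedIn) {
        return null;                            // the link alone is not a credential
    }
    $stmt = $pdo->prepare(
        'SELECT id, customer_name, address, card_last4 FROM orders WHERE token_hash = ?'
    );
    $stmt->execute([hash('sha256', (string)($get['t'] ?? ''))]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}
```

Requiring both the token and a staff login means a leaked or forwarded mail does not by itself expose the order; the HTTPS check is there because the link is the only place the token travels in clear.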



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]




[PHP] file upload temp file is and isn't there

2001-02-13 Thread Aaron D. Turner



Solaris 7
Apache 1.3.14
PHP 4.0.4p1

For the life of me I can't figure out what's going on.  I have:

<form enctype='multipart/form-data' action='/admin/upload.php' method='post'>
<input type=hidden name=MAX_FILE_SIZE value=5000>
<input type=hidden name=uploadingfile value=true>
Choose File: <input name=userfile size=69 type=file><P>
<input type=submit value='Send File'></form>

and I can try to upload a file, but then the HTTP_POST_FILES hash doesn't
get properly populated and no file is stored in the upload
directory.  Basically:


HTTP_POST_FILES["userfile"]
Array
 (
 [name] => 1323.txt
 [type] => text/plain
 [tmp_name] => none
 [size] => 0
 )
I've set my php.ini with: upload_tmp_dir  = /tmp 
and nothing gets put in there (I've verified that the dir has world r/w w/
suid).

Any ideas of how to debug this further?








Re: [PHP] file upload temp file is and isn't there

2001-02-13 Thread Aaron D. Turner



On Tue, 13 Feb 2001, Michael McGlothlin wrote:

> A lil clip from Devedge.. you need a VALUE="" field along w/ a NAME="" 
> maybe?

A VALUE= isn't required for TYPE=file (and adding it didn't solve my
problem). 
 
> This places an element on an HTML form that lets the user supply a file 
> as input. When the form is submitted, the content of the specified file 
> is sent to the server as the value portion of the name/value pair for 
> this input element. Netscape Navigator displays a "Browse" button next 
> to the file input element that lets users select a file from their 
> system to use as the value of the file input element. *Navigator 2.0*

Yep, and if you look at the HTTP_POST_FILES hash you'll see that the
browser/form properly sent the filename.  The problem is with the
temporary file that isn't created/stored.  More specifically,
HTTP_POST_FILES[userfile][tmp_name] is set to 'none' when it should be
something like /tmp/abc123 and the size is 0.








Re: [PHP] file upload temp file is and isn't there

2001-02-13 Thread Aaron D. Turner




On Tue, 13 Feb 2001, jason cox wrote:

> Aaron,
> 
> Are you processing the file on the page you're
> "posting" to? 

Yep.  A little more info this time.  Ok this makes no freaking sense to
me:

I can upload my /etc/passwd file
-rw-r--r--   1 root     root       998 Dec  9 01:44 /etc/passwd

I can't upload other random files in my home directory which I own/have
read access to.
-rw-rw-r--   1 aturner  aturner  84558 Jan  9 17:01 /home/aturner/1323.txt

> Could you send your processing code so
> we can have a look?  If you're still having problems,
> I can send you an example.

Sure:

<?PHP
require "security.inc";  # checks user cookie to see if they have access
include "connect.inc";   # connects to database

function is_an_uploaded_file($filename) {
    if (! $tmp_file = get_cfg_var('upload_tmp_dir')) {
        $tmp_file = dirname(tempnam('', ''));   # tempnam(); there is no tempname()
    }
    $tmp_file .= '/' . basename($filename);
    # User might have trailing / in php.ini
    return (ereg_replace('/+', '/', $tmp_file) == $filename);
}

function abortupload($message) {
  global $HTTP_POST_FILES;   # not visible inside a function without this
  echo "<H1 align=center>$message</H1>";
  unlink ($HTTP_POST_FILES[userfile][tmp_name]);
  phpinfo();
  echo "</BODY></HTML>";
  exit;
}
?>

<HTML>
 <HEAD>
  <TITLE>Sunnyvale Staging Server</TITLE>
 </HEAD>
<!-- Background white, links blue (unvisited), navy (visited), red (active) -->
 <BODY
  BGCOLOR="#FFFFFF"
  TEXT="#000000"
  LINK="#0000FF"
  VLINK="#000080"
  ALINK="#FF0000"
 >
<font size=-1>[ <a href="/">Main Index</a> ]</font>

<?PHP
if ($uploadingfile == "") {
# MAX_FILE_SIZE is in bytes (see the follow-up); <option> needs value=, not name=,
# or "Documentation" rather than "Docs" is what gets submitted
$line = "<form enctype='multipart/form-data' action='/admin/upload.php' method='post'>
<input type=hidden name=MAX_FILE_SIZE value=5000>
<input type=hidden name=uploadingfile value=true>
Choose upload location: <select name=directory>
<option value=Files>Files</option>
<option value=Docs>Documentation</option>
</select>\n<P>";
 echo $line;
 echo "Link Description: <input type=text name=description size=80 value=''><P>\n";
 echo "Detailed Description:<br><textarea wrap=soft name=info rows=5 
cols=80></textarea><P>\n";
 echo "<input type=hidden name=urltype value=file>";
 echo "Active: <select name=active><option value=y>Yes</option><option 
value=n>No</option><option value=s>Submitted</option></select><P>\n";

 $result = mysql_query("SELECT * FROM groups");
 $line = "<select name=urlgroup>";
 while ($row = mysql_fetch_array($result)) {
   $line .= "<option value=$row[groupID]>$row[groupname] ($row[page])</option>";
 }
 $line .= "</select><P>\n";
# echo "Group: $line";
 echo "<input type=hidden name=urlgroup value=1>";
 echo "Choose File: <input name=userfile size=69 type=file value=''><P>\n";
 echo "<input type=submit value='Send File'></form>";

} else {

$location = "";
# == rather than =: an assignment here is always true, so every upload went to Files
if ($HTTP_POST_VARS[directory] == "Files") {
$location = "/usr/local/apache1.3.14/htdocs/Files";
} elseif ($HTTP_POST_VARS[directory] == "Docs") {
$location = "/usr/local/apache1.3.14/htdocs/Docs";
} else {
abortupload ("Error!  Invalid Directory value: $HTTP_POST_VARS[directory]");
}

if ($description == "") {
abortupload("Error!  Please provide a description for this document");
} elseif ($info == "") {
abortupload("Error!  Please provide information for this document");
}

if ($uploadfile = is_an_uploaded_file($userfile)) {
# basename() keeps a client-supplied "../" out of the destination path
$uploadfile = $location . "/" . basename($HTTP_POST_FILES[userfile][name]);

# escape everything that is interpolated into SQL below
$q_login = mysql_escape_string($loginname);
$result = mysql_query("SELECT * FROM users WHERE LoginName = '$q_login' 
LIMIT 1");
$userrow = mysql_fetch_array($result);

$url = "/" . $HTTP_POST_VARS[directory] . "/" . 
basename($HTTP_POST_FILES[userfile][name]);
$mirror = 0;
$q_url = mysql_escape_string($url);
$result = mysql_query("SELECT * FROM urls WHERE url = '$q_url'");
if ($existing = mysql_fetch_array($result)) {
  if ($existing[owner] != $userrow[UserID]) {
abortupload("Error: Your user ID doesn't have permission to modify 
this file.");
  } 
} else {
$q_group  = mysql_escape_string($HTTP_POST_VARS[urlgroup]);
$q_desc   = mysql_escape_string($HTTP_POST_VARS[description]);
$q_info   = mysql_escape_string($HTTP_POST_VARS[info]);
$q_active = mysql_escape_string($HTTP_POST_VARS[active]);
$q_type   = mysql_escape_string($HTTP_POST_VARS[urltype]);
$result = mysql_query("INSERT INTO urls (owner, urlgroup, url, urldesc, info, 
active, mirror, urltype) VALUES ('$userrow[UserID]', '$q_group', 
'$q_url', '$q_desc', '$q_info', 
'$q_active', '$mirror', '$q_type')");
}

# copy only after the ownership check has passed (the original copied first,
# so a file could be overwritten before the check ran)
copy ($userfile, $uploadfile);
echo "<H1 align=center>File upload complete!</H1>";
} else {
  abortupload("Possible file upload attack: filename: " . 
$HTTP_POST_FILES["userfile"]["name"] . ".");
}

}

?>
</body>
</html>







Re: [PHP] file upload temp file is and isn't there

2001-02-13 Thread Aaron D. Turner



Ah, figured out the problem.  MAX_FILE_SIZE is in BYTES not
Kilobytes.  Any file > 5K was killed.

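The upload handler from the earlier message, and the MAX_FILE_SIZE lesson that closed the thread, as an added example in modern PHP rather than the poster's upload.php. A MAX_FILE_SIZE hidden field is only a hint to the browser, measured in bytes (the 5000 in the thread rejects anything over about 5 KB), so the server enforces its own byte limit and uses PHP's `is_uploaded_file()`/`move_uploaded_file()` in place of the hand-rolled check. The document root, the directory names and the form field names are assumptions.

```php
<?php
// Added example (not the poster's code).  Assumed: form fields "userfile" and
// "directory", and a document root of /var/www/htdocs with Files/ and Docs/ under it.

const UPLOAD_ROOT = '/var/www/htdocs';                      // assumed
const MAX_BYTES   = 5 * 1024 * 1024;                        // 5 MiB, the real limit, in bytes
const TARGET_DIRS = ['Files' => 'Files', 'Docs' => 'Docs']; // form value -> subdirectory

// Returns a short reason when the upload must be refused, or null when it passes.
function checkUpload(array $file, int $maxBytes = MAX_BYTES): ?string {
    if (!isset($file['error']) || is_array($file['error'])) {
        return 'malformed upload';
    }
    switch ($file['error']) {
        case UPLOAD_ERR_OK:        break;
        case UPLOAD_ERR_NO_FILE:   return 'no file sent';
        case UPLOAD_ERR_INI_SIZE:  return 'exceeds upload_max_filesize in php.ini';
        case UPLOAD_ERR_FORM_SIZE: return 'exceeds the form\'s MAX_FILE_SIZE (bytes, not KB)';
        default:                   return 'upload failed, code ' . $file['error'];
    }
    if ($file['size'] > $maxBytes) {
        return 'file too large';                 // server-side limit, not the browser hint
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return 'possible file upload attack';    // tmp_name was not created by PHP
    }
    return null;
}

// Maps the submitted directory value to a real path; anything off the whitelist is refused.
function resolveTargetDir(string $choice): ?string {
    if (!isset(TARGET_DIRS[$choice])) {
        return null;
    }
    return UPLOAD_ROOT . '/' . TARGET_DIRS[$choice];
}

// Keeps the client's base name only when it is plain ASCII; otherwise a random one.
function safeFileName(string $clientName): string {
    $base = basename($clientName);
    if (preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,63}\z/', $base) && strpos($base, '..') === false) {
        return $base;
    }
    return bin2hex(random_bytes(8)) . '.bin';
}

function handleUpload(array $files, array $post): string {
    $err = checkUpload($files['userfile'] ?? []);
    if ($err !== null) {
        return "Error: $err";
    }
    $dir = resolveTargetDir($post['directory'] ?? '');
    if ($dir === null) {
        return 'Error: invalid directory value';
    }
    $dest = $dir . '/' . safeFileName($files['userfile']['name']);
    // move_uploaded_file() itself refuses sources that did not arrive via HTTP POST.
    if (!move_uploaded_file($files['userfile']['tmp_name'], $dest)) {
        return 'Error: could not store file';
    }
    return "File upload complete: $dest";
}

if (PHP_SAPI !== 'cli') {
    echo htmlspecialchars(handleUpload($_FILES, $_POST));
}
```

The `error` element of `$_FILES` (PHP 4.2 and later) is what tells the two size limits apart: `UPLOAD_ERR_FORM_SIZE` is exactly the symptom in this thread, a file silently dropped because the form's byte count was read as kilobytes.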







Re: [PHP] Cookie with Netscape

2001-01-29 Thread Aaron D. Turner



On Mon, 29 Jan 2001, Eugene Yi (InfoSpace Inc) wrote:

> I set up a cookie using the following command and it works fine under IE but
> not in Netscape.  Am I doing something wrong?
> 
> setcookie("mycookie[1]",$domain,"","/","mydomain.com");

Should be:

setcookie("mycookie[1]", $domain, 0, "/", "mydomain.com");

the expire time is an integer, not a string.








RE: [PHP] Cookie with Netscape

2001-01-29 Thread Aaron D. Turner



That's because the cookie variable is not available to PHP until the next
page load.  It's a limitation of cookies/HTTP not PHP.

On Mon, 29 Jan 2001, Eugene Yi (InfoSpace Inc) wrote:

> Thank you for your feedback!  I tried it but it didn't make a difference.  I
> printed the var right after the set and it returns null.
> 
> setcookie("cbcookie1",$domain,0,"/","mydomain.com");
> $domain   = $HTTP_COOKIE_VARS["cbcookie1"];
> echo "domain($domain)<br>";
 
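Both points from this exchange, the integer expiry and the cookie not being readable until the next request, as an added example in modern PHP that is not code from the thread. The domain is the one quoted above and is assumed to match the host serving the page; the cookie name, value and helper names are made up for the example.

```php
<?php
// Added example (not from the thread).  $_COOKIE is populated from the incoming
// request headers, so a cookie set during this run is never in it; the helper
// stores the value locally as well so the current request can use it.

function setPref(string $name, string $value, int $ttlSeconds): bool {
    $expires = $ttlSeconds > 0 ? time() + $ttlSeconds : 0;   // integer; 0 = session cookie
    $ok = setcookie($name, $value, [
        'expires'  => $expires,
        'path'     => '/',
        'domain'   => 'mydomain.com',   // from the thread; assumed to match the serving host
        'secure'   => true,             // only sent back over HTTPS
        'httponly' => true,             // not readable from page script
        'samesite' => 'Lax',
    ]);
    if ($ok) {
        $_COOKIE[$name] = $value;       // visible to the rest of this request only
    }
    return $ok;
}

function currentPref(string $name, string $default = ''): string {
    return isset($_COOKIE[$name]) ? (string)$_COOKIE[$name] : $default;
}

// Set, then read through the same helper instead of expecting the browser to
// have sent it back already.  The value is a constructed sample.
setPref('cbcookie1', 'example.test', 3600);
echo 'domain(' . htmlspecialchars(currentPref('cbcookie1')) . ")<br>\n";
```

The options-array form of `setcookie()` needs PHP 7.3 or later; on older versions the positional form with an integer expiry, exactly as corrected above, is the one to use.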







[PHP] Using PHP as generic security wrapper for content

2001-01-29 Thread Aaron D. Turner



While this isn't really a PHP problem, I figured I can't be the first
person to ever have tried to solve this problem.  Basically I have a web
site with many kinds of content (static html, PHP, cgi's of various
flavors, etc) and I'm looking to create a way to do user authentication
and authorization against a DB for all this content.  While there are
various existing solutions to do this (like mod_auth_db), none of them
seemed to fit my requirements:

1) Support *my* MySQL database schema 
2) Light memory usage (ie, no modperl)
3) Support any kind of content (cgi, php, static html, etc)
4) Not require changes to existing content (ie, I don't want to do a 
require "security.php"; in all the php pages I want to secure).

The closest I've come so far is using mod_layout to allow my custom PHP
script to generate HTTP headers so that I can do the user authentication
myself.  This is actually working very well for most pages and is
completely content agnostic since it's sourced via the Apache server, not
the content.

The problem with this is that mod_layout's LayoutHTTPHeader option seems
to be eating any POST's that CGI's or PHP scripts use.  The mod_layout
list has been completely useless in trying to find the answer to this
issue.

So, does anyone have another viable solution to this problem?  Are there
any builtin PHP options to source a php script during the http header
generation process for any content (not just other PHP scripts)?  Are
there any other modules other than mod_layout that can do this?  I know I
can do this with mod_perl, but it's a lot more memory intensive than PHP
so I'd like to avoid it if possible.

Thanks.








[PHP] Using PHP to do centralized site authentication

2001-01-26 Thread Aaron D. Turner



I'm trying to do something in PHP4.0.4p1 that in the past I've done in
mod_perl, but appears to be more difficult.  Basically I have some PHP
code that does access checks against a DB to see if that user has access
to the requested URL.  I'm using mod_layout to call the PHP script so I
can wrap static html pages, CGI's, and not just PHP pages.

The issue is that for CGI's, I don't seem to be able to prevent the CGI
from actually executing and displaying content.  About the best I can do
is generate a 302 with a 0 second delay in the meta tags to send them to a
"Sorry buddy" page, but the CGI output is displayed briefly.

Does anyone know of a way to force the Apache process to abort further
processing?  exit and die just kill off the PHP processing engine, leaving
the CGI running.  I tried trigger_error, but that just displayed a nice
error message.

Anyone have any other ideas?  I've thought about generating a 302 in the
http-headers and using the Location: parameter to send them someplace else
(like how mod_rewrite does redirection) but I can't seem to get it to
work.

Thanks.

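The access check described in this message and the previous one (user and requested URL looked up against a database, any kind of content behind it), as an added example in modern PHP that is not the poster's mod_layout script. The rules table and group names are constructed stand-ins for the poster's MySQL schema, which neither message shows, and getting the check to run before the content handler (the poster's actual difficulty) is outside the snippet; what it shows is the decision and the redirect-before-output.

```php
<?php
// Added example (not the poster's code).  Decides from a rules table whether the
// current user may see the requested URL and, if not, redirects before any body
// is sent.  Rules and groups below are constructed.

// URL prefix (no trailing slash) => groups allowed.  Longest matching prefix wins.
const ACCESS_RULES = [
    '/'          => ['*'],               // public unless a longer rule says otherwise
    '/admin'     => ['admins'],
    '/admin/cgi' => ['admins', 'ops'],
    '/docs'      => ['staff', 'admins'],
];

// Reduces a request URI to a clean path: query string dropped, "." and ".."
// resolved, so /docs/../admin/ is judged by the /admin rule, not the /docs one.
function cleanPath(string $uri): string {
    $path = parse_url($uri, PHP_URL_PATH);
    $segments = [];
    foreach (explode('/', is_string($path) ? $path : '/') as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($segments);
            continue;
        }
        $segments[] = $seg;
    }
    return '/' . implode('/', $segments);
}

// True when $prefix equals $path or is a whole-segment ancestor of it
// (so /admin matches /admin/x but not /administrator).
function prefixMatches(string $path, string $prefix): bool {
    if ($prefix === '/') {
        return true;
    }
    return $path === $prefix || strncmp($path, $prefix . '/', strlen($prefix) + 1) === 0;
}

function isAuthorized(string $uri, array $userGroups, array $rules = ACCESS_RULES): bool {
    $path = cleanPath($uri);
    $best = null;
    foreach ($rules as $prefix => $allowed) {
        if (prefixMatches($path, $prefix) && ($best === null || strlen($prefix) > strlen($best))) {
            $best = $prefix;
        }
    }
    if ($best === null) {
        return false;                        // no rule at all: deny
    }
    $allowed = $rules[$best];
    return in_array('*', $allowed, true) || count(array_intersect($allowed, $userGroups)) > 0;
}

// Under a web server: redirect and stop before any content is emitted.  This only
// helps if it runs ahead of the handler that would produce the content.
function enforce(array $server, array $userGroups): void {
    if (!isAuthorized($server['REQUEST_URI'] ?? '/', $userGroups)) {
        header('Location: /denied.html', true, 302);
        exit;
    }
}

// Command-line self-check on constructed requests.
if (PHP_SAPI === 'cli') {
    var_dump(isAuthorized('/index.html', []));
    var_dump(isAuthorized('/admin/upload.php', ['staff']));
    var_dump(isAuthorized('/docs/../admin/x', ['staff']));
    var_dump(isAuthorized('/admin/cgi/report?x=1', ['ops']));
}
```

Longest-prefix matching with an explicit deny when nothing matches keeps the default closed; the path normalisation is what stops a `..` in the request from being judged by the wrong rule.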


