RE: [PHP] Anybody have a function to encode a string?

2002-03-19 Thread Drew Lopucki

Alexander,

This is a fairly condescending reply given that the license statement for
PGP is present on every download screen from which it is available.  Careful
not to hurt my feelings please :(  After all, I went to a lot of trouble
looking all these things up very carefully when I implemented my own PHP
script for encrypting an email message.

Anyway, I'm sure GnuPG is great too, but as with PGP it also is not part of
most standard distributions of Linux/Unix and as a result, may not be
present on a production server (where downloading and installing new
packages may not be an option.)  OpenSSL, on the other hand, is available on
virtually all systems since it is required for https servers.


-Original Message-
From: Alexander Skwar [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 19, 2002 2:52 PM
To: Drew Lopucki
Cc: Leif K-Brooks; [EMAIL PROTECTED]
Subject: Re: [PHP] Anybody have a function to encode a string?


»Drew Lopucki« said on 2002-03-19 at 10:25:02 -0500:
> Lots of people will tell you to use PGP.  However since PGP is not *free*,
> in that you cannot use it for commercial purposes without a license, I avoid
> it.  Also it has to be downloaded and installed as most systems do not

Well, use GnuPG.  Then you can use "PGP".  And what you stated above is
also plain wrong.  You might need some sort of license for the more
obscure uses (like VPN and thus), but for encryption, PGP is freely
available.  And lastly, even if you were willing to pay money, I would
not recommend PGP to anyone, as NA has stopped developing PGP and is
trying to sell it.  PGP is dead - long live GnuPG!

Alexander Skwar
--
How to quote:   http://learn.to/quote (german) http://quote.6x.to (english)
Homepage:   http://www.iso-top.de  | Jabber: [EMAIL PROTECTED]
   iso-top.de - The inexpensive way to get Linux distributions
   Uptime: 2 days 8 hours 43 minutes


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




RE: [PHP] sessions not so secure..solution?

2002-03-19 Thread Drew Lopucki

I can't answer your overall question but I can tell you that a 'resourceful'
hacker can also easily spoof an IP address, or so I'm told ;)

Why not just have the entire session encrypted.  The user could browse
around the catalog sessionless and as soon as a cart was necessary (wants to
put something in it) the https starts. (?)

Drew Lopucki
[EMAIL PROTECTED]

-Original Message-
From: Steve Clay [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 19, 2002 7:13 AM
To: PHP-GENERAL
Subject: [PHP] sessions not so secure..solution?


Hello,
  I'm building an e-commerce site which uses sessions to
hold my $cart object.  This works great but I've two worries:

1) When the user connects through our secure hostname, can I ensure
the browser will send the server the cookie (w/ SESSID)?  The user
will shop through domain.com and checkout via https:secure.domain.com.
(haven't got cert yet)

2) While the user shops the SESSID is thrown around insecurely (no big
deal, just a cart).  But when I move the user to a secure server to
get sensitive info a resourceful hacker could also go to the checkout
script using this SESSID and 'confirm' the real user's personal
details (kept in another registered session object).

If I can't keep the user's details in the old session, can I delete
the old session and copy the cart to a new session?  Should I do this
anytime the user goes back to the insecure site and returns to finish
checking out?

As an alternative, would there be any problems with keeping the IP of
the user in a session variable for further authentication?  I assume
I'd record the IP immediately upon checking in at the secure server
then enforcing this per request.  That way, worst case scenario the
hackers gets a SESSID and heads to checkout first, server restricts
real user from accessing (because of different IP).

This is my first time coding for a secure server and my first post
here as well..

Steve
--
[EMAIL PROTECTED] ** http://mrclay.org






RE: [PHP] Anybody have a function to encode a string?

2002-03-19 Thread Drew Lopucki

Lots of people will tell you to use PGP.  However since PGP is not *free*,
in that you cannot use it for commercial purposes without a license, I avoid
it.  Also it has to be downloaded and installed as most systems do not
include it because of its non-free open source status.

The best alternative I found is OpenSSL.  Yes it does key management,
creation, encryption, decryption and even SMIME EMAIL!  That's right you can
even send encrypted emails with it.  Try  'man smime' on a linux system for
the email portion.  Also, 'man rsautl' for just encryption and decryption of
an arbitrary string.


Hope I've been helpful,

Drew Lopucki
Mrdrew.com
[EMAIL PROTECTED]

-Original Message-
From: Leif K-Brooks [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 19, 2002 2:19 AM
To: [EMAIL PROTECTED]
Subject: [PHP] Anybody have a function to encode a string?


I need a function that encodes stuff, with a key.  It, of course, needs to
be decodable too.  Does anybody know/have a function like this?
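
An added example, not code from either poster: a keyed encode/decode pair of the kind asked for, built on OpenSSL as the reply recommends. It uses PHP's openssl extension with AES-256-GCM instead of the `rsautl` command named in the reply; the function names and the sample string are assumptions.

```php
<?php
// Added example (requires PHP 7.1+ with the openssl extension).
const CIPHER = 'aes-256-gcm';

function encode_with_key(string $plaintext, string $key): string {
    if (strlen($key) !== 32) {
        throw new InvalidArgumentException('key must be 32 random bytes');
    }
    $iv = random_bytes(12);   // fresh nonce per message; never reuse with the same key
    $tag = '';
    $ct = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // Output layout: 12-byte nonce, 16-byte auth tag, ciphertext; base64 for transport.
    return base64_encode($iv . $tag . $ct);
}

function decode_with_key(string $encoded, string $key): string {
    $raw = base64_decode($encoded, true);
    if ($raw === false || strlen($raw) < 28) {
        throw new RuntimeException('malformed input');
    }
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct  = substr($raw, 28);
    $pt = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($pt === false) {
        // GCM verifies the tag first: a wrong key or modified data yields no output.
        throw new RuntimeException('authentication failed: wrong key or tampered data');
    }
    return $pt;
}

// Constructed sample input.
$key   = random_bytes(32);   // store outside the web root, not in the script
$token = encode_with_key('constructed sample message', $key);
echo decode_with_key($token, $key), PHP_EOL;

// Flip one ciphertext bit: decoding must fail rather than return altered text.
$bad = base64_decode($token);
$bad[30] = $bad[30] ^ "\x01";
try {
    decode_with_key(base64_encode($bad), $key);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```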





RE: [PHP] How to get the IP of a visitor

2002-03-18 Thread Drew Lopucki

use .  you'll see all the variables in the http request
header.

-Original Message-
From: Ulrik Witschass [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 18, 2002 11:57 AM
To: [EMAIL PROTECTED]
Subject: [PHP] How to get the IP of a visitor


Hi, I am new to this list and to PHP, so please excuse any newbie questions
:)

What I need to know is how to get either the ISP or the IP of the visitor of
a page. I guess this is an environment variable, but I don't know which.
Any help is greatly appreciated :)

Thanx!

Ulrik

