[PHP] mid-level PHP/MySQL people in Los Angeles?

2002-09-17 Thread PHP freak

I'm looking for 1 or 2 people with good PHP/MySQL experience in the Los Angeles area.

I have a few steady projects that pay $20/hr.
(All of them 100% PHP/MySQL.  All of them fun/non-corporate music-based sites.)

If interested, please email my personal address:  "[EMAIL PROTECTED]"
Include your contact info & any sites/projects you've worked on.

Thanks!


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




Re: [PHP] Better standards in PHP-coding

2002-04-20 Thread PHP freak


Change "terrible" to "readable" and I agree completely!

A carriage return and tab is the same size as two space-bar spaces, but is MUCH easier to read.

It's when you're going through someone ELSE's code that you start to appreciate things being all clearly spaced out with all nested things in their own indent.




> that whole wasting of lines:
> 
> if(exp)
> {
>   yabba
> }
> else
> {
>   yadda
> }
> 
> is terrible..





Re: [PHP] sessions not so secure..solution?

2002-03-19 Thread PHP freak

I came to the PHP list today with the same question/problem.

My cart doesn't require cookies.  If the user doesn't have them it just puts the SESSID in the URL.  (Good ol PHP!)

BUT - it's actually happening often that someone linking to our store
from their own website is including the long SESSID in the URL
that links to us, so that everyone who follows that link from
that website is getting the same shopping cart!

What to do?  Not sure yet.  

I've seen that Amazon does this:

Here's a shopping cart I just made in a browser with no cookies:
http://www.amazon.com/exec/obidos/shopping-basket/ref=top_nav_sb_music/102-7862797-5184911

You can cut-n-paste that into a DIFFERENT browser with no cookies, and my cart items come up.
(I think the 102-7862797-5184911 is my SESSID in this case.)

I can go SSH into a remote server on the other side of the world, and type:
lynx http://www.amazon.com/exec/obidos/shopping-basket/ref=top_nav_sb_music/102-7862797-5184911

Tell it to never allow cookies, and yes my cart STILL comes up.

... so they're not doing it by IP address.

BUT - if I now take that URL that I've pasted in many cookie-less browsers, and put it in a browser WITH cookies, it says my cart is empty.

IDEA:
Maybe it's comparing the SESSID in the URL with the cookie, and if they match
(rather - if they don't conflict) - then it's OK.

I just was able to log all the way into my existing account at Amazon
AND complete an order all without cookies.

It did ask for my password 2 different times, though.

Ah - I dunno.  IF I WERE YOU, I'd approach it like http://my.yahoo.com

At Yahoo, they have one level of authentication that lets you just see
your basic "my.yahoo" page.  Even if I haven't been there in months,
it knows it's me.  Let's assume it's a 1-year cookie.

THEN - if I actually want to check my email, I need to enter the password
every few hours.

So make one cookie/SESSID last forever that only shows cart items.
(As you say - no big deal, just a cart.)

Then make another cookie/SESSID that only lasts a few hours, for that login stuff.

That 2nd one could perhaps be concerned with IP address & whatnot.

I dunno... keep me in the loop.  Let me know what you decide.
And vice-versa.  


On Tue, Mar 19, 2002 at 07:13:00AM -0500, Steve Clay wrote:
> Hello,
>   I'm building an e-commerce site which uses sessions to
> hold my $cart object.  This works great but I've two worries:
> 
> 1) When the user connects through our secure hostname, can I ensure
> the browser will send the server the cookie (w/ SESSID)?  The user
> will shop through domain.com and checkout via https:secure.domain.com.
> (haven't got cert yet)
> 
> 2) While the user shops the SESSID is thrown around insecurely (no big
> deal, just a cart).  But when I move the user to a secure server to
> get sensitive info a resourceful hacker could also go to the checkout
> script using this SESSID and 'confirm' the real user's personal
> details (kept in another registered session object).
> 
> If I can't keep the user's details in the old session, can I delete
> the old session and copy the cart to a new session?  Should I do this
> anytime the user goes back to the insecure site and returns to finish
> checking out?
> 
> As an alternative, would there be any problems with keeping the IP of
> the user in a session variable for further authentication?  I assume
> I'd record the IP immediately upon checking in at the secure server
> then enforcing this per request.  That way, worst case scenario the
> hacker gets a SESSID and heads to checkout first, server restricts
> real user from accessing (because of different IP).
> 
> This is my first time coding for a secure server and my first post
> here as well..
> 
> Steve
> -- 
> [EMAIL PROTECTED] ** http://mrclay.org

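
Added example, not part of the thread or written by either poster: one way to apply the two ideas discussed above (keep the session ID out of URLs, and issue a fresh ID before sensitive steps while keeping the cart) in current PHP. It assumes PHP 7.3 or later and a site served entirely over HTTPS; the function names and the 'auth_until' session key are hypothetical.

```php
<?php
// Added example. Function names and the 'auth_until' key are hypothetical.

// Start the session with the ID carried only in a cookie. An ID that never
// appears in a URL cannot be shared through a pasted or published link.
function start_cart_session(): void
{
    ini_set('session.use_only_cookies', '1'); // never accept an ID from the URL
    ini_set('session.use_trans_sid', '0');    // never rewrite links to carry the ID
    ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,    // assumption: the whole site is HTTPS
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call when the visitor moves from browsing to checkout. The old ID is
// destroyed; $_SESSION (including the cart) is kept under the new ID, and
// any earlier login is cleared so a password is required again.
function enter_checkout(): void
{
    session_regenerate_id(true);
    $_SESSION['auth_until'] = 0;
}

// Call after the password has been verified. The login tier expires on its
// own after $ttl seconds, while the cart data stays in the session.
function mark_authenticated(int $ttl = 7200): void
{
    session_regenerate_id(true);
    $_SESSION['auth_until'] = time() + $ttl;
}

// Gate for pages that show or confirm personal details.
function is_authenticated(): bool
{
    return ($_SESSION['auth_until'] ?? 0) > time();
}
```

The cart tier and the login tier share one session here; only the 'auth_until' timestamp decides whether personal details may be shown.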




[PHP] two different MySQL connections without always select_db?

2002-03-08 Thread PHP freak

How would you keep two different MySQL connections to two different MySQL databases 
(on two different MySQL servers) up and available with two different pointers (id), 
and not need to always do "select_db()" to switch between them?

I thought that if I did this:

--- php: -
$aaa_link = mysql_pconnect("localhost", "u", "p");
mysql_select_db("apples", $aaa_link);

$zzz_link = mysql_pconnect("remotehost", "u", "p");
mysql_select_db("zebras", $zzz_link);
--

... that I'd be able to access both pretty easily. Like this:

--- php: -
$aaa_result = mysql_query("select * from apples", $aaa_link);
$orchard = mysql_fetch_assoc($aaa_result);

$zzz_result = mysql_query("select * from zebras", $zzz_link);
$zoo = mysql_fetch_assoc($zzz_result);

$aaa_result = mysql_query("update apples set something='" . $zoo['zebrafur'] . "'", 
$aaa_link);
--

But it seems to tell me that $zzz_result is not a valid resource - unless I do the select_db thing in between the two commands.

Is there anyone doing this successfully?  Back-n-forth between two databases?

Thanks for any help.







Re: [PHP] how long will REGISTERED GLOBALS be around?

2001-12-30 Thread PHP freak

For what it's worth - casting my vote - I would vote that the PHP/Zend people keep 
REGISTER_GLOBALS as an option for one main reason:

NEWBIES!

Think of how nice it is for the total newbies to be able to have this first tutorial:




what is your name?





Think of how many PHP-CURIOUS people it'd turn off if you could ONLY do it with 
$_REQUEST["myname"]

Hell - I *still* have to go to the php.net announcement page to remember the syntax of 
the new type.  It doesn't come naturally.  Nothing like $variablename.

I think the EASE of the form example, above, is what got me into PHP in the first place.


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]




[PHP] how long will REGISTERED GLOBALS be around?

2001-12-30 Thread PHP freak

About PHP 4.1

What I can't tell from the PHP announcement is how long they plan to keep 
register_globals around.

In ONE place it says something like "We have no plans to discontinue 
register_globals", but in another place it says it might be
discontinued or devalued soon.

It'd be a REAL drag to have to go audit everything I've ever written in PHP to change 
all my global variables.
(Especially since I'd been so careful about security while writing them.)

Anyone know what the internal PHP/Zend plans are for it?

