php-general Digest 16 Feb 2009 06:54:27 -0000 Issue 5961

Topics (messages 288282 through 288299):

Re: Simple Search Logic Issue...
        288282 by: revDAVE
        288284 by: revDAVE

<?php=
        288283 by: Richard Heyes

Reverse IP lookup
        288285 by: דניאל דנון
        288286 by: Richard Heyes
        288298 by: Andrew Ballard

Opinions Please, Describing PHP as Web Framework of C and C++
        288287 by: Sancar Saran

Re: for the security minded web developer - secure way to login?
        288288 by: German Geek
        288291 by: Colin Guthrie
        288293 by: Michael A. Peters

Re: Sorting times
        288289 by: German Geek
        288290 by: Mattias Thorslund
        288292 by: German Geek

Re: Sorting times (SOLVED before tedds crappy SOLVED)
        288294 by: Shawn McKenzie
        288295 by: Shawn McKenzie

Re: Sorting times (SOLVED)
        288296 by: Shawn McKenzie
        288297 by: Shawn McKenzie

Back to Basics - Re: [PHP]  Re: for the security minded web developer - secure way to login?
        288299 by: Rene Veerman

Administrivia:

To subscribe to the digest, e-mail:
        php-general-digest-subscr...@lists.php.net

To unsubscribe from the digest, e-mail:
        php-general-digest-unsubscr...@lists.php.net

To post to the list, e-mail:
        php-gene...@lists.php.net


----------------------------------------------------------------------
--- Begin Message ---
On 2/15/2009 3:32 AM, "David Robley" <robl...@aapt.net.au> wrote:

> 
> LIKE '%c%' will match a field containing 'c' anywhere
> 
> If you are using that syntax, I'd suggest echoing your query to make sure
> that it is as it should be; I'm wondering if you are actually enclosing
> string values in single quotes in your query?

Thanks David for your help....

The input form is basic like:

<input name="Message" type="text" value="">

Then dreamweaver cs3 created this

$mess_list1 = "-1";
if (isset($_GET['Message'])) {
  $mess_list1 = $_GET['Message'];
}

... But it doesn't look like it does what you say: actually enclosing
string values in quotes....

Maybe ?: 


$mess_list1 = '$_GET['Message']';
Not 
$mess_list1 = $_GET['Message'];
???

> 
> As for multiple selection criteria, you need to test whether the passed in
> value is set or not, and only include set values in the query.

Not sure - but isn't that what this code is doing ...???


$mess_list1 = "-1";
if (isset($_GET['Message'])) {
  $mess_list1 = $_GET['Message'];
}

> 
> OT: sprintf syntax is so hard to read :-)

I agree - especially for this newbie...

--
Thanks - RevDave
Cool @ hosting4days . com
[db-lists 09]




--- End Message ---
--- Begin Message ---
On 2/15/2009 3:32 AM, "David Robley" <robl...@aapt.net.au> wrote:

> If you are using that syntax, I'd suggest echoing your query to make sure
> that it is as it should be; I'm wondering if you are actually enclosing
> string values in single quotes in your query?


Another part of the dw cs3 code uses switch - that seems to do as you
mentioned...

if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "",
$theNotDefinedValue = "")
{
  $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;

  $theValue = function_exists("mysql_real_escape_string") ?
mysql_real_escape_string($theValue) : mysql_escape_string($theValue);


Here....

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;    
    etc.............



--
Thanks - RevDave
Cool @ hosting4days . com
[db-lists 09]




--- End Message ---
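As an added example (not code from the thread, from Dreamweaver or from RevDave's site), here is the same search written with PDO prepared statements: string values are bound rather than quoted into the SQL text, so the quoting question above does not arise, and each criterion is added to the WHERE clause only when the request actually supplies it. The `messages` table, its columns, the sample rows and the second criterion (`Sender`) are constructed for the example; the `-1` sentinel is the one Dreamweaver's generated code uses.

```php
<?php
// Added example, not code from the thread or from Dreamweaver. It builds the
// search discussed above (an optional LIKE '%c%' filter plus a second optional
// criterion) with PDO prepared statements, so values travel separately from the
// query text and are never quoted into it by hand.
// The `messages` table, its columns and the rows are constructed for this example.

function buildSearchQuery(array $params): array
{
    $where = [];
    $bind  = [];

    // Dreamweaver's generated code uses "-1" as its "not supplied" value; treat an
    // absent key, an empty string and that sentinel all as "no filter on this column".
    $supplied = static function (string $key) use ($params): bool {
        return isset($params[$key]) && $params[$key] !== '' && $params[$key] !== '-1';
    };

    if ($supplied('Message')) {
        // The wildcards belong in the bound value, not in the SQL text. Any % or _
        // the user typed is escaped so it matches literally; '!' is declared as the
        // escape character because that works the same on MySQL and SQLite.
        $where[]          = "Message LIKE :message ESCAPE '!'";
        $bind[':message'] = '%' . strtr($params['Message'], ['!' => '!!', '%' => '!%', '_' => '!_']) . '%';
    }
    if ($supplied('Sender')) {
        $where[]         = 'Sender = :sender';
        $bind[':sender'] = $params['Sender'];
    }

    $sql = 'SELECT id, Sender, Message FROM messages';
    if ($where !== []) {
        $sql .= ' WHERE ' . implode(' AND ', $where);
    }
    return [$sql . ' ORDER BY id', $bind];
}

function runSearch(PDO $pdo, array $params): array
{
    [$sql, $bind] = buildSearchQuery($params);
    $stmt = $pdo->prepare($sql);
    $stmt->execute($bind);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// In-memory SQLite so this runs offline; for MySQL change only the DSN and
// credentials (and set PDO::ATTR_EMULATE_PREPARES => false there so the server,
// not the driver, binds the parameters).
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, Sender TEXT, Message TEXT)');
$insert = $pdo->prepare('INSERT INTO messages (Sender, Message) VALUES (:s, :m)');
foreach ([
    ['dave',    'call me about the search logic'],
    ['david',   "LIKE '%c%' matches c anywhere"],
    ['mallory', "100%_sure' OR '1'='1"],
] as [$sender, $message]) {
    $insert->execute([':s' => $sender, ':m' => $message]);
}

// Only the Message filter (Sender left at the -1 sentinel): the rows containing a 'c'.
print_r(runSearch($pdo, ['Message' => 'c', 'Sender' => '-1']));
// Both filters set: David's row alone.
print_r(runSearch($pdo, ['Message' => 'c', 'Sender' => 'david']));
// Would-be injection text is just a value: it matches only the row that literally contains it.
print_r(runSearch($pdo, ['Message' => "' OR '1'='1"]));
// A % or _ typed by the user matches literally instead of acting as a wildcard.
print_r(runSearch($pdo, ['Message' => '100%_sure']));
```

The `GetSQLValueString()` approach quoted above escapes and wraps each value itself; with bound parameters that step disappears, and the `-1` test keeps unset criteria out of the query rather than matching the literal string "-1".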
--- Begin Message ---
Hi,

Does anyone know the status of <?php=, as opposed to <?= ? And if it's even
being implemented?

Thanks.

-- 
Richard Heyes

HTML5 Canvas graphing for Firefox, Chrome, Opera and Safari:
http://www.rgraph.org (Updated February 14th)

--- End Message ---
--- Begin Message ---
Hello,

Is there any way to get a list of sites that are on a specific IP?

I looked, but I couldn't find anything.

I tried to make some with dns_get_record and gethostbyaddr, but couldn't
make anything

Thanks

Daniel

--- End Message ---
--- Begin Message ---
> Is there any way to get a list of sites that are on a specific IP?

Not AFAIK. You can get the name associated with that IP address (IIRC),
but one IP could be serving multiple sites using virtual hosting.

-- 
Richard Heyes

HTML5 Canvas graphing for Firefox, Chrome, Opera and Safari:
http://www.rgraph.org (Updated February 14th)

--- End Message ---
--- Begin Message ---
On Sun, Feb 15, 2009 at 1:22 PM, דניאל דנון <danondan...@gmail.com> wrote:

> Hello,
>
> Is there any way to get a list of sites that are on a specific IP?
>
> I looked, But I couldn't find anything.
>
> I tried to make some with dns_get_record and gethostbyaddr, but couldn't
> make anything
>
> Thank
>
> Daniel
>

You mean like this one?

http://www.yougetsignal.com/tools/web-sites-on-web-server/

I don't know how reliable or up-to-date it is.


Andrew

--- End Message ---
--- Begin Message ---
Hello list.

Recently we had some serious discussion on local boards.

I prefer calling PHP as Web Framework of C and C++

If you have time for this fruitless discussion, please send your opinions.

Regards

Sancar

--- End Message ---
--- Begin Message ---
Hi All again,

What makes it so expensive to have a certificate? I mean, wouldn't it be
possible to setup a new authority that doesn't charge as much or nothing at
all? Wouldn't the major browsers be willing to support an authority that is
free or costs next to nothing? I pay about $200 a year for my virtual
server, so if I only issue 200 certificates and charge a dollar each I
wouldn't lose money. I have a v-server on the Internet and wouldn't mind
setting it up as a free authority or even one based on donations. Or is
there going to be so much traffic and processing that it wouldn't be able to
handle it? Cannot be that bad because it needs to compute the authentication
only periodically (once a year or so for each) and each time a user hits a
page it is only checked which would only be a couple of bytes traffic (per
domain?).

Please enlighten me why it is so expensive? Is it maybe just the hassle of
setting it up?

Regards,
Tim

Tim-Hinnerk Heuer

http://www.ihostnz.com
Fred Allen  - "California is a fine place to live - if you happen to be an
orange."

2009/2/16 Michael A. Peters <mpet...@mac.com>

> German Geek wrote:
>
>> OK, i hear about this self signed certificate. Whenever i signed anything
>> it
>> just came up with all these warnings in FF which confuses users and i
>> think
>> is not good at all. Can someone paste a link in here to a website with a
>> self signed cert please? Would like to see if there are any warnings etc.
>> Thanks.
>>
>
> There still are all the warnings.
>
> There are some cheap (and free) CA's that FireFox recognizes so it still is
> possible to use SSL and not have the firefox 3 warning hell, but things like
> linksys routers are still problematic.
>
> https://www.scientificlinux.org/
>
> Demonstrates the problem in FireFox 3.
> They use a self-signed cert.
>

--- End Message ---
--- Begin Message ---
'Twas brillig, and German Geek at 15/02/09 22:32 did gyre and gimble:
> Please enlighten me why it is so expensive? Is it maybe just the hassle of
> setting it up?

The whole thing is about trust. Getting a certificate is nothing if the system is not backed up by a trust system. If a CA was set up that gave out certificates willy nilly to all and sundry, then this element of trust is lost. For $1 you're not likely to be able to afford to do much in the way of vetting or confirmation that said person is who they say they are. If browsers trusted that CA and an unscrupulous individual manages to get a secure certificate for a domain they do not own, they could then use some form of DNS hijacking (e.g. via an open wireless network or similar) to perform some pretty convincing phishing scams.

So it's not just about the cert. It's the trust that goes with it.

Col

--

Colin Guthrie
gmane(at)colin.guthr.ie
http://colin.guthr.ie/

Day Job:
  Tribalogic Limited [http://www.tribalogic.net/]
Open Source:
  Mandriva Linux Contributor [http://www.mandriva.com/]
  PulseAudio Hacker [http://www.pulseaudio.org/]
  Trac Hacker [http://trac.edgewall.org/]


--- End Message ---
--- Begin Message ---
Colin Guthrie wrote:
> 'Twas brillig, and German Geek at 15/02/09 22:32 did gyre and gimble:
>> Please enlighten me why it is so expensive? Is it maybe just the hassle of
>> setting it up?
>
> The whole thing is about trust. Getting a certificate is nothing if the system is not backed up by a trust system. If a CA was set up that gave out certificates willy nilly to all and sundry, then this element of trust is lost.

Cheap CAs do exist. They have crappy web sites and send you all kinds of junk mail etc. if you use them - but they do exist.

I might end up just paying godaddy - I think they charge $12.00 / year, but since I already register through them, they already have my address etc.

But the problem I have with FF3 is that I shouldn't have to.
I don't need to prove to the user that I am really me, and I don't want to use a cert that some other organization has control over and can choose to revoke at any time. I just want the flipping password encrypted by SSL so that when Betty, who uses the same password for everything (it's amazing how many people do), logs onto my server while she has coffee at Starbucks, her uname/password isn't sniffed, giving Cracker Jack access to Betty's PayPal account.

If Cracker Jack wants to do a man in the middle attack - as long as Betty has already connected to me before, her browser will still inform her that the certificate doesn't match - whether or not I am self signed, so the man in the middle attack is really not the big deal FireFox makes it out to be.

What they should do is a simple notification telling the user they can't verify the website is who it claims to be, and a link for more info if the user wants more info.

But alas, that has nothing to do with PHP, so I apologize to the list.

Anyway, back on topic - if you want to encrypt login, use SSL.
You can self sign for free.
If you don't want the FireFox 3 issue, there are a few free and plenty of cheap certificate authorities that FireFox recognizes.
--- Begin Message ---
The easiest would probably be to use
http://nz.php.net/manual/en/function.strnatcmp.php . It would happen to sort
it the right way because am is before pm ;-).

You can of course make it more challenging by converting it into a timestamp
etc. That would be better if you want to sort by date as well etc. If you go
that way you should look at http://nz.php.net/manual/en/function.usort.php .

Regards,
Tim

Tim-Hinnerk Heuer

http://www.ihostnz.com
Alanis Morissette  - "We'll love you just the way you are if you're
perfect."

2009/2/15 Shawn McKenzie <nos...@mckenzies.net>

> Shawn McKenzie wrote:
> > tedd wrote:
> >> Hi gang:
> >>
> >> Anyone have/know a routine that will sort an array of times?
> >>
> >> For example, a function that would take an array like this:
> >>
> >> time[0] ~ '1:30pm'
> >> time[1] ~ '7:30am'
> >> time[2] ~ '12:30pm'
> >>
> >> and order it to:
> >>
> >> time[0] ~ '7:30am'
> >> time[1] ~ '12:30pm'
> >> time[2] ~ '1:30pm'
> >>
> >>
> >> Cheers,
> >>
> >> tedd
> >>
> >>
> >
> > Not tested:
> >
> > function time_sort($a, $b)
> > {
> >     if (strtotime($a) == strtotime($b)) {
> >         return 0;
> >     }
> >     return (strtotime($a) < strtotime($b)) ? -1 : 1;
> > }
> >
> > usort($time, "time_sort");
> >
> Well, I just thought, since the strtotime() uses the current timestamp
> to calculate the new timestamp, if you only give it a time then the
> returned timestamp is today's date with the new time you passed.  If you
> had a large array and the callback started at 23:59:59 then you could
> end up with some times from the date it started and some from the next
> day, which of course would not be sorted correctly with respect to times
> only.  So, this might be better (not tested):
>
>
> function time_sort($a, $b)
> {
>     // a static initialiser must be a constant expression, so set it on the first call
>     static $now = null;
>     if ($now === null) {
>         $now = time();
>     }
>
>     if (strtotime($a, $now) == strtotime($b, $now)) {
>         return 0;
>     }
>     return (strtotime($a, $now) < strtotime($b, $now)) ? -1 : 1;
> }
>
>
> --
> Thanks!
> -Shawn
> http://www.spidean.com
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

--- End Message ---
--- Begin Message ---
German Geek wrote:
> The easiest would probably be to use
> http://nz.php.net/manual/en/function.strnatcmp.php . It would happen to sort
> it the right way because am is before pm ;-).


Nope. Unfortunately 12 am (midnight) comes before 1 am, and 12 pm (noon) comes before 1 pm. Since you have to account for that, your solution won't be as elegant.

Cheers,

Mattias

--- End Message ---
--- Begin Message ---
Yes, you are right. Hadn't thought about that. But usort is probably better
than making your own sort function because it uses the quick sort algorithm
I believe, which is quite efficient. That was the other suggestion...

Tim-Hinnerk Heuer

http://www.ihostnz.com
Fred Allen  - "California is a fine place to live - if you happen to be an
orange."

2009/2/16 Mattias Thorslund <matt...@thorslund.us>

> German Geek wrote:
>
>> The easiest would probably be to use
>> http://nz.php.net/manual/en/function.strnatcmp.php . It would happen to
>> sort
>> it the right way because am is before pm ;-).
>>
>>
>
>
> Nope. Unfortunately 12 am (midnight) comes before 1 am, and 12 pm (noon)
> comes before 1 pm. Since you have to account for that, your solution won't be
> as elegant.
>
> Cheers,
>
> Mattias
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

--- End Message ---
--- Begin Message ---
Shawn McKenzie wrote:
> Shawn McKenzie wrote:
>> tedd wrote:
>>> Hi gang:
>>>
>>> Anyone have/know a routine that will sort an array of times?
>>>
>>> For example, a function that would take an array like this:
>>>
>>> time[0] ~ '1:30pm'
>>> time[1] ~ '7:30am'
>>> time[2] ~ '12:30pm'
>>>
>>> and order it to:
>>>
>>> time[0] ~ '7:30am'
>>> time[1] ~ '12:30pm'
>>> time[2] ~ '1:30pm'
>>>
>>>
>>> Cheers,
>>>
>>> tedd
>>>
>>>
>> Not tested:
>>
>> function time_sort($a, $b)
>> {
>>     if (strtotime($a) == strtotime($b)) {
>>         return 0;
>>     }
>>     return (strtotime($a) < strtotime($b)) ? -1 : 1;
>> }
>>
>> usort($time, "time_sort");
>>
> Well, I just thought, since the strtotime() uses the current timestamp
> to calculate the new timestamp, if you only give it a time then the
> returned timestamp is today's date with the new time you passed.  If you
> had a large array and the callback started at 23:59:59 then you could
> end up with some times from the date it started and some from the next
> day, which of course would not be sorted correctly with respect to times
> only.  So, this might be better (not tested):
> 
> 
> function time_sort($a, $b)
> {
>     // a static initialiser must be a constant expression, so set it on the first call
>     static $now = null;
>     if ($now === null) {
>         $now = time();
>     }
> 
>     if (strtotime($a, $now) == strtotime($b, $now)) {
>         return 0;
>     }
>     return (strtotime($a, $now) < strtotime($b, $now)) ? -1 : 1;
> }
> 
> 
Your best bet above.

-- 
Thanks!
-Shawn
http://www.spidean.com

--- End Message ---
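An added example, not code from any of the posters: it sorts tedd's kind of array by resolving every string against one fixed base timestamp, as Shawn's second version intends, and runs strnatcmp() beside it so the midnight/noon problem Mattias raises is visible. The sample array is constructed.

```php
<?php
// Added example (not from the thread): sort clock strings like '1:30pm' by
// resolving each one against a single fixed base timestamp, and show why a
// plain strnatcmp() sort is not a substitute.

date_default_timezone_set('UTC');

function timeSort(array $times): array
{
    // Resolve every string onto the same calendar day. Using one base avoids
    // the problem Shawn describes, where some values land on "today" and some
    // on "tomorrow" because time() moved past midnight during the sort.
    $base = strtotime('2009-02-16 00:00:00');  // any fixed day works
    $decorated = [];
    foreach ($times as $t) {
        $ts = strtotime($t, $base);
        if ($ts === false) {
            // strtotime() returns false for input it cannot parse; refuse it
            // rather than silently sorting garbage to the front.
            throw new InvalidArgumentException("not a time: '$t'");
        }
        $decorated[] = [$ts, $t];
    }
    // Sort once on the integer key, then drop the key.
    usort($decorated, static function (array $a, array $b): int {
        return $a[0] <=> $b[0];
    });
    return array_column($decorated, 1);
}

$times = ['1:30pm', '7:30am', '12:30pm', '12:15am', '11:59pm'];

$natural = $times;
usort($natural, 'strnatcmp');
echo 'strnatcmp: ', implode(', ', $natural), PHP_EOL;
echo 'timeSort:  ', implode(', ', timeSort($times)), PHP_EOL;
```

strnatcmp() compares the leading numbers, so 1:30pm sorts ahead of 7:30am and 12:15am lands after 11:59pm; the timestamp sort puts 12:15am first and 11:59pm last. Converting each string once and sorting on the integer key is the "loop twice" approach tedd describes; Shawn's comparator instead calls strtotime() inside every comparison.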
--- Begin Message ---
tedd wrote:
> At 9:31 PM -0600 2/14/09, Shawn McKenzie wrote:
>>
>> Yeah, if I had known that you wanted a function where you loop through
>> your array twice, that would have done it.  Bravo.
> 
> Shawn:
> 
> I don't see another way. You go through the array converting string to
> time (seconds), sort, and then convert back. You have to go through the
> array more than once.
> 
> Cheers,
> 
> tedd
> 
The "other way", is the most likely ultra-fast solution I posted.

-- 
Thanks!
-Shawn
http://www.spidean.com

--- End Message ---
--- Begin Message ---
Just for this case, where authentication of the server isn't an issue, and things like deployment cost are,

I'd like to propose that we on this list look again at securing login/pass through onewayHash functions, in an otherwise non-SSL environment.

I hate to be a critic of the community here, but isn't this insistence on SSL a bit eh... lazy?

Here's a starter for a onewayHash-based login crypto:

And I think that with a proper layout of authentication architecture, one can really secure a login system without having the administrative overhead of installing SSL everywhere, and the monetary cost of an SSL certificate for each domain.

I wish to code such a solution into a really-free library (so probably LGPL or GPL + MIT) over the next 2 to 5 months. This library would be a complete SQL, PHP & JavaScript package (jQuery "plugged in"), targeted at the novice programmer.

I'm halfway (or more?) there, I think.
For my own CMS, I have taken the following approach, which I'd like to hear your improvements on:

(For onewayHash() I have MD5 and SHA256 implementations in both JS and PHP.)

//// SQL:

create table users (
  user_id              integer,
  user_login_name      varchar(250),
  user_login_hash      varchar(250),
  user_password_hash   varchar(250),
  ....other fields....
  primary key (user_id)
);

create table preferences (
  pref_system_hash   varchar(250)
  ....
);

//// PHP (pseudo-code), on system installation:

  preferences.pref_system_hash = onewayHash ( randomStringLength(100) );

//// PHP, on user-create:

  users[user_id].user_login_hash    = onewayHash ( user_login_name + preferences.pref_system_hash );
  users[user_id].user_password_hash = onewayHash ( "someGooodPasswordNot" + preferences.pref_system_hash );

//// PHP, on request of a login form:

  challenge = makeNewChallenge ();
  // checks since when [browser IP] has last received a new challenge;
  // if < threshold: make a new challenge, else return the old challenge.
  // a challenge is a random string (+ special chars) pushed through the onewayHash function.

  html = '
     <form id="loginForm">
        <input type="hidden" id="sh" name="sh" value="preferences.pref_system_hash">
        <input type="hidden" id="ch" name="ch" value="challenge">
        <input id="plain_user" name="plain_user"/>
        <input id="plain_pass" name="plain_pass"/>
        <input type="hidden" id="user_hash" name="user_hash"/>
        <input type="hidden" id="pass_hash" name="pass_hash"/>
     </form>
  ';
  sendHTMLtoBrowser (html);

//// Javascript: on page with login form:

  jQuery('#loginForm').submit (function () {
     var sh = jQuery('#sh')[0]; // same for ch, plain_user, plain_pass, all the inputs in the html form.
     ....

     user_hash = onewayHash ( onewayHash ( plain_user.value + sh.value ) + challenge );
     // same for pass_hash basically

     plain_user.value = ''; // clear out the plain text fields so they don't get transmitted (same for plain_pass of course)

     jQuery.ajax ( /* submit login form through POST, handle results */ )
  }

//// PHP, on receiving the login form data:

  // walk through all the records in users table, for each, calculate:
  user_hash = onewayHash ( users[user_id].user_login_hash    + challenge );
  pass_hash = onewayHash ( users[user_id].user_password_hash + challenge );

  // if they match what was sent, then it's the user we're looking for with the right password,
  // so their $_SESSION['authenticated_user'] = updated.

////


If you have a completely alternative way of securing a non-SSL login form, I'd like to hear about it too.




Michael A. Peters wrote:
> Colin Guthrie wrote:
>> 'Twas brillig, and German Geek at 15/02/09 22:32 did gyre and gimble:
>>> Please enlighten me why it is so expensive? Is it maybe just the hassle of
>>> setting it up?
>>
>> The whole thing is about trust. Getting a certificate is nothing if the system is not backed up by a trust system. If a CA was set up that gave out certificates willy nilly to all and sundry, then this element of trust is lost.
>
> Cheap CAs do exist. They have crappy web sites and send you all kinds of junk mail etc. if you use them - but they do exist.
>
> I might end up just paying godaddy - I think they charge $12.00 / year, but since I already register through them, they already have my address etc.
>
> But the problem I have with FF3 is that I shouldn't have to.
> I don't need to prove to the user that I am really me, and I don't want to use a cert that some other organization has control over and can choose to revoke at any time. I just want the flipping password encrypted by SSL so that when Betty, who uses the same password for everything (it's amazing how many people do), logs onto my server while she has coffee at Starbucks, her uname/password isn't sniffed, giving Cracker Jack access to Betty's PayPal account.
>
> If Cracker Jack wants to do a man in the middle attack - as long as Betty has already connected to me before, her browser will still inform her that the certificate doesn't match - whether or not I am self signed, so the man in the middle attack is really not the big deal FireFox makes it out to be.
>
> What they should do is a simple notification telling the user they can't verify the website is who it claims to be, and a link for more info if the user wants more info.
>
> But alas, that has nothing to do with PHP, so I apologize to the list.
>
> Anyway, back on topic - if you want to encrypt login, use SSL.
> You can self sign for free.
> If you don't want the FireFox 3 issue, there are a few free and plenty of cheap certificate authorities that FireFox recognizes.



--- End Message ---
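The exchange described in the post above, as an added example that is not part of the original message or of Rene's library: both halves are implemented in PHP (the browser half is JavaScript in the post; the arithmetic is identical) with SHA-256 standing in for onewayHash, followed by two checks a reviewer would run against the design. The first confirms that a captured response is useless once the challenge changes. The second follows directly from the verification step in the post: the server recomputes onewayHash(stored_hash + challenge), so whoever holds the users row can produce a valid answer to any challenge without knowing the password. User names, passwords and the install secret are constructed; the per-IP challenge reuse logic from the post is left out.

```php
<?php
// Added example, not code from Rene's post or his CMS. It implements the
// exchange described above on both sides with SHA-256 as onewayHash, then
// exercises it. All names, users and passwords here are constructed.

declare(strict_types=1);

function onewayHash(string $s): string
{
    return hash('sha256', $s);
}

// On installation: preferences.pref_system_hash = onewayHash(randomStringLength(100))
function makeSystemHash(): string
{
    return onewayHash(bin2hex(random_bytes(50)));
}

// On user-create: store onewayHash(login + sh) and onewayHash(password + sh)
function createUser(array &$users, int $userId, string $login, string $password, string $systemHash): void
{
    $users[$userId] = [
        'user_login_name'    => $login,
        'user_login_hash'    => onewayHash($login . $systemHash),
        'user_password_hash' => onewayHash($password . $systemHash),
    ];
}

// On request of the login form: a random string pushed through onewayHash
function makeNewChallenge(): string
{
    return onewayHash(bin2hex(random_bytes(32)));
}

// Browser side (jQuery in the post): hash the plaintext with the system hash,
// hash that again with the challenge, and send only the results.
function clientResponse(string $login, string $password, string $systemHash, string $challenge): array
{
    return [
        'user_hash' => onewayHash(onewayHash($login . $systemHash) . $challenge),
        'pass_hash' => onewayHash(onewayHash($password . $systemHash) . $challenge),
    ];
}

// Server side on receiving the form: walk the users table and recompute.
// Returns the matching user_id, or null when nothing matches.
function serverVerify(array $users, string $challenge, array $response): ?int
{
    foreach ($users as $userId => $row) {
        $expectedUser = onewayHash($row['user_login_hash'] . $challenge);
        $expectedPass = onewayHash($row['user_password_hash'] . $challenge);
        if (hash_equals($expectedUser, $response['user_hash'])
            && hash_equals($expectedPass, $response['pass_hash'])) {
            return $userId;
        }
    }
    return null;
}

// What someone holding a copy of the users row (a database dump, a backup)
// can compute without ever learning the password: the stored hashes are
// exactly the inner values the browser would have produced.
function responseFromStoredRow(array $row, string $challenge): array
{
    return [
        'user_hash' => onewayHash($row['user_login_hash'] . $challenge),
        'pass_hash' => onewayHash($row['user_password_hash'] . $challenge),
    ];
}

function expect(bool $ok, string $what): void
{
    echo ($ok ? 'ok   ' : 'FAIL ') . $what . PHP_EOL;
}

$systemHash = makeSystemHash();
$users = [];
createUser($users, 1, 'betty', 'correct horse battery staple', $systemHash);
createUser($users, 2, 'jack', 'hunter2', $systemHash);

$challenge = makeNewChallenge();
$good = clientResponse('betty', 'correct horse battery staple', $systemHash, $challenge);
$bad  = clientResponse('betty', 'wrong password', $systemHash, $challenge);
expect(serverVerify($users, $challenge, $good) === 1, 'right password for the right challenge logs in');
expect(serverVerify($users, $challenge, $bad) === null, 'wrong password is rejected');

// A captured response is useless once the challenge has changed...
$nextChallenge = makeNewChallenge();
expect(serverVerify($users, $nextChallenge, $good) === null, 'replay against a fresh challenge fails');

// ...but the row itself is a password equivalent: no cracking needed.
expect(serverVerify($users, $nextChallenge, responseFromStoredRow($users[1], $nextChallenge)) === 1,
    'a copy of the stored users row answers any challenge');
```

hash_equals() is used for the comparisons so that the match does not leak through timing; it is not in the post, which compares with ==. The last check is the property to weigh against the SSL discussion above: the scheme keeps the plaintext password off the wire, and the stored values are still all an attacker needs to log in as that user.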
