[PHP] for the security minded web developer - secure way to login?

2009-02-14 Thread German Geek
Hi All,

A few months ago it came to my mind that it might be possible to make a
non-https session (reasonably) secure by at least not letting people login
that shouldn't because they might have sniffed the password from a user.
Please let me know if you can find a loop hole in this process. I think it
would be interesting for anybody on this list (or anybody really) who has a
bit of knowledge and appreciation about security:

Assumptions:

The session variables are stored on the web server and not transferred to
the client at all.
The client has Javascript enabled.
We have a secure hash function, say sha1.
We can generate truly random numbers/strings with PHP which cannot be
guessed; call it salt.
A session cannot be stolen.
... add more if needed. :-)

So, we could on the server generate a random salt value and send that to the
client along with the login form.
On the client, when the user submits the form, we take the entered password
value (with Javascript), hash it with our sha1 function, concatenate it with
the salt and compute the hash value of the password together with the salt
(again). All this in Javascript or whatever runs on the client.

We then send this hash value, call it h(h(p) + s) (hash(hash(password) +
salt)), to the server. It's useless for the sniffer, because the same value
will never be sent twice, unless of course the user (password) and the salt
are the same (or there is a collision, but we assumed it's a secure hash
function).
We could make sure that a user doesn't get sent the same salt twice by
storing them in the database when used and checking against them when it is
generated.
On the server we could do the same process with the stored hash of the
password (assuming the hash of the password is stored), otherwise it becomes
necessary to also send the actual salt of the password along with the login
form and this would become even a little more complex.

So, if h(p) is stored, we would simply compute h(h(p) + s) where s is the
salt that was sent and stored in a session variable.

Assuming we don't use a salt to store the password hash, this seems quite
secure to me, don't you think? I mean, of course someone can still steal the
session but it becomes a lot harder to figure out the password by sniffing.

What do you think?

If everybody agrees this is worth implementing, I might give it a go and
make a library.

Sorry this is not directly PHP related, but since I like this list, I
thought I would share it with you.

Regards,
Tim

Tim-Hinnerk Heuer

http://www.ihostnz.com
Joan Rivers  - "Never floss with a stranger."
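
Added example, not part of the original post and not the poster's code: the h(h(p) + s) exchange described above, written in JavaScript (Node.js) with the browser and server sides in one file. The function names, the in-memory user and session stores, and the sample password are assumptions made for illustration.

```javascript
// Added example: the h(h(p) + s) exchange from the post, with a single-use salt.
// All function and variable names are hypothetical; sample data is constructed.
const crypto = require('node:crypto');

const sha1 = (text) =>
  crypto.createHash('sha1').update(text, 'utf8').digest('hex');

// Server-side user table. As the post assumes, only h(p) is stored.
// Note: h(p) alone is enough to compute a valid response, so this column
// needs the same protection a plaintext password would.
const users = new Map([
  ['alice', { passwordHash: sha1('correct horse battery') }], // constructed
]);

// Stand-in for server-side session storage: session id -> pending salt.
const pendingSalts = new Map();

// Server: create a fresh random salt and remember it in the session.
// 160 random bits make an accidental repeat negligible, so no table of
// used salts is needed as long as each salt is consumed on first use.
function issueChallenge(sessionId) {
  const salt = crypto.randomBytes(20).toString('hex');
  pendingSalts.set(sessionId, salt);
  return salt; // sent to the browser along with the login form
}

// Client: what the page's JavaScript computes before submitting the form.
function clientResponse(password, salt) {
  return sha1(sha1(password) + salt);
}

// Server: check the submitted value against h(stored h(p) + s).
function verifyLogin(sessionId, username, response) {
  const salt = pendingSalts.get(sessionId);
  // Consume the salt on every attempt, successful or not, so a sniffed
  // response can never be submitted a second time.
  pendingSalts.delete(sessionId);
  if (salt === undefined) return false;

  const user = users.get(username);
  // Unknown users are checked against a dummy hash so both paths do the
  // same amount of work.
  const stored = user ? user.passwordHash : sha1('');
  const expected = Buffer.from(sha1(stored + salt), 'hex');
  const given = Buffer.from(String(response), 'hex');
  if (given.length !== expected.length) return false;

  // Constant-time comparison of the two digests.
  const match = crypto.timingSafeEqual(given, expected);
  return match && user !== undefined;
}

// Walk through one good login, a replay, and a stale response.
function demo() {
  const sid = 'session-1'; // constructed session id
  const salt1 = issueChallenge(sid);
  const sniffed = clientResponse('correct horse battery', salt1);

  const firstLogin = verifyLogin(sid, 'alice', sniffed);
  const replaySameSalt = verifyLogin(sid, 'alice', sniffed);

  const salt2 = issueChallenge(sid);
  const replayNewSalt = verifyLogin(sid, 'alice', sniffed);

  const salt3 = issueChallenge(sid);
  const wrongPassword =
    verifyLogin(sid, 'alice', clientResponse('guess', salt3));

  return { firstLogin, replaySameSalt, replayNewSalt, wrongPassword,
           saltsDiffer: salt1 !== salt2 };
}

console.log(demo());
```

This covers only the password in transit: the login form, the salt and the session cookie still travel unprotected when the page is served without SSL.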


Re: [PHP] [Fwd] How to make a secured login form

2009-02-14 Thread German Geek
Have a look at my post called "for the security minded web developer -
secure way to login?". It seems like a similar idea with less overhead.

Regards,
Tim

Tim-Hinnerk Heuer

http://www.ihostnz.com
Joan Rivers  - "Never floss with a stranger."

2009/2/14 Virgilio Quilario 

> > I have secured the login form for my CMS with a challenge-response thing
> > that encrypts both username and password with the
> > (login-attempts-counted) challenge (and; here's my problem: a system
> > hash) sent by the server (it would end up in your html as a hidden
> > inputs, or as part of a json transmission)..
> >
> > Since then, i've found these libs that do even longer one-way-crypto:
> > http://mediabeez.ws/downloads/sha256.js-php.zip
> > The principles i'm about to explain stay the same.
> >
> > *but i'd really like to know if my crypto can be improved*
> >
> > So instead of the browser getting just a text-field for username and
> > password, you also send the "challenge" (and "system_hash") value.
> > That's a 100-character random string (include special characters!), then
> > sha256-ed (for prettiness mostly i think).
> >
> > I really wonder if i can do without the systemhash..
> >
> >  HTML
> 
> > 
> >> value="[SHA256 SORTA-MASTER-KEY__DUNNO-WHAT-TO-DO-WITH-THIS]"/>
> >> value="[SHA256RANDOMSTRINGFROMPHP]"/>
> >   
> >   Login  > name='login'/>
> >   Password  > name='pass'/>
> >   
> > 
> >
> >
> >  JS
> 
> >
> >   $('#myform').submit (function() {
> >   var s = $('#system_hash')[0];
> >   var c = $('#challenge')[0];
> >   var l = $('#login')[0];
> >   var p = $('#pass')[0];
> >
> >   l.value = sha256 (sha256 (l.value + s.value) + c.value);
> >   p.value = sha256 (sha256 (p.value + s.value) + c.value);
> >
> >   //Here, submit the form using ajax routines in plain text,
> > as both the login name and
> >   //password are now one-way-encrypted.
> >   //
> >   //on the PHP end, authentication is done against a mysql
> > table "users".
> >   //
> >   //in this table i have 3 relevant fields:
> >   //user_login_name (for administrative and display purposes)
> >   //user_login_name_hash (==sha256 (user_login_name +
> > system_hash))
> >   //user_password_hash (== passwords aint stored unencrypted
> > in my cms, to prevent admin corruption and pw-theft by third parties;
> > the password is encrypted by the browser in the "new-password-form" with
> > the system hash before it's ever sent to the server. server Never knows
> > about the cleartext password, ever.)
> >   //
> >   //when a login-attempt is evaluated, all the records in
> > "users" table have to be traversed (which i admit can get slow on larger
> > userbases... help!?! :)
> >   //for each user in the users table, the loginhash and
> > password hash are calculated;
> >   //$uh = sha256 ($users->rec["user_login_name_hash"] .
> > $challenge);
> >   //$pwh = sha256 ($users->rec["user_password_hash"] .
> > $challenge);
> >   //and then,
> >   //if they match the hash strings that were sent (both of
> > them),
> >   //if the number of login-attempts isn't exceeded,
> >   //if the IP is still the same (as the one who first
> > requested the html login form with new challenge value)
> >   //then, maybe, i'll let 'm log in :)
> >   });
> >
> >
> >
> >
> > phicarre wrote:
> >>
> >> How to secure this jquery+php+ajax login procedure ?
> >>
> >> $('#myform').submit( function()
> >> {
> >>     $(this).ajaxSubmit( {
> >>         type:'POST', url:'login.php',
> >>         success: function(msg)
> >>         {
> >>             // login ok : how to call the welcome.php ***
> >>         },
> >>         error: function(request,iderror)
> >>         {
> >>             alert(iderror + " " + request);
> >>         }
> >>     });
> >>     return false;
> >> })
> >>
> >>
> >> 
> >>
> >>Name : 
> >>Password :  >>
> >>>
> >>> 
> >>>
> >>
> >>
> >>
> >> 
> >>
> >> Login.php check the parameters and reply by echo "ok" or echo "ko"
> >>
> >> Logically if the answer is ok we must call a welcome.php module BUT,
> >> if someone read the client code, he will see the name of the module
> >> and can hack the server.
> >> Am I wrong? How to secure this code?
> >>
>
> i think you should drop the IP address out of the equation because
> when you're behind a firewall with rotating outgoing IP addresses, you
> will never get authenticated.
>
> also, traversing users table is a slow operation as you pointed out.
>
> i guess you should look into two way encryption or use ssl which is
> better and easier to implement.

Re: [PHP] Execute EXE with variables

2009-02-14 Thread German Geek
Hi,

I've had a lot of problems with shell_exec too. Mostly it was permissions or
environment variables not being set. I don't know if there is a way to set
environment variables in the php.ini but if not you can set them with
shell_exec as well, at least on unix it works. You can simply concatenate
the commands necessary with a colon (;) in between. Maybe you can have
multiple shell_exec commands and it stays in the same env. Not sure about
this though. Please someone enlighten us on this...

Hope some of this helped.

Regards,
Tim

Tim-Hinnerk Heuer

http://www.ihostnz.com
Jay London  - "My father would take me to the playground, and put me on mood
swings."

2009/2/14 Dan Shirah 

> >
> >  Use the system() command, and enclose both your command and its
> > parameters in a pair of single quotes, as:
> >
> > system('mycmd -a alfa -b bravo');
> >
> > Paul
> > --
> > Paul M. Foster
> >
>
> Using both exec() and system() I am getting the error: Unable to fork
>


Re: [PHP] list all constitute group of array ?

2009-02-14 Thread German Geek
Do you want exactly that list or simply all the possible combinations?

If you want all possible combinations, search for a permute or permutation
function in php...

Does sound like homework lol. :-)

Regards,
Tim

Tim-Hinnerk Heuer

http://www.ihostnz.com
Alanis Morissette  - "We'll love you just the way you are if you're
perfect."

2009/2/14 LKSunny 

>  $a = array("a", "b", "c", "d");
>
> /*
> how to list:
> abcd
> abc
> ab
> ac
> ad
> bcd
> bc
> bd
> cd
> a
> b
> c
> d
>
> who have idea ? thank you very much !!
> */
> ?>
>
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>


Re: [PHP] Execute EXE with variables

2009-02-14 Thread Ashley Sheridan
On Sun, 2009-02-15 at 00:16 +1300, German Geek wrote:
> Hi,
> 
> I've had a lot of problems with shell_exec too. Mostly it was permissions or
> environment variables not being set. I don't know if there is a way to set
> environment variables in the php.ini but if not you can set them with
> shell_exec as well, at least on unix it works. You can simply concatenate
> the commands necessary with a colon (;) in between. Maybe you can have
> multiple shell_exec commands and it stays in the same env. Not sure about
> this though. Please someone enlighten us on this...
> 
> Hope some of this helped.
> 
> Regards,
> Tim
> 
> Tim-Hinnerk Heuer
> 
> http://www.ihostnz.com
> Jay London  - "My father would take me to the playground, and put me on mood
> swings."
> 
> 2009/2/14 Dan Shirah 
> 
> > >
> > >  Use the system() command, and enclose both your command and its
> > > parameters in a pair of single quotes, as:
> > >
> > > system('mycmd -a alfa -b bravo');
> > >
> > > Paul
> > > --
> > > Paul M. Foster
> > >
> >
> > Using both exec() and system() I am getting the error: Unable to fork
> >
I use the exec() function regularly and have no troubles passing more
than one argument to it. Admittedly, I've not tried this on a Windows
system, just a Linux one, and I was using exec() to call a Bash script,
which should behave like an exe I guess.


Ash
www.ashleysheridan.co.uk





Re: [PHP] for the security minded web developer - secure way to login?

2009-02-14 Thread Michael A. Peters

German Geek wrote:

> What do you think?

I think just use a flippin' ssl server and be done with it.

When I go to a website that requires me to let them execute JavaScript I 
rarely go back.


You can use SSL for the login and only the login - I know that it means 
either using a self signed cert or paying big bucks, for anything with 
e-commerce you want to pay big bucks for a cert, there is no other 
option. For anything not e-commerce, using a self signed cert seems a 
lot more secure to me than having the browser grab some salt off your 
server, use javascript to encrypt the pass, and then sending it back.


Public / Private key is the way to go, and self signed cert still gives 
you that, the only issue is the user gets a warning the first time they 
connect to the server - and have to manually accept your cert.


You may make the password a little more difficult to sniff by sending 
some salt to the client and using js to make a password hash, but the 
bottom line is a user has no reason to trust a login is secure if you 
don't use SSL and every reason not to trust that it is secure, so use 
SSL if you want to provide secure login and don't cripple your site by 
having the audacity to require users to allow you to execute code on 
their machine in order to use your website. It will drive some users away.


Not exactly what you asked, but it is my opinion.




Re: [PHP] for the security minded web developer - secure way to login?

2009-02-14 Thread Per Jessen
Michael A. Peters wrote:

> German Geek wrote:
> 
>  > What do you think?
> 
> I think just use a flippin' ssl server and be done with it.
> 

That was my thought too. 

> You can use SSL for the login and only the login - I know that it
> means either using a self signed cert or paying big bucks, for
> anything with e-commerce you want to pay big bucks for a cert, there
> is no other option. 

http://www.cacert.org/


/Per

-- 
Per Jessen, Zürich (0.2°C)





Re: [PHP] for the security minded web developer - secure way to login?

2009-02-14 Thread Dotan Cohen
> I think just use a flippin' ssl server and be done with it.
>

++$i

> When I go to a website that requires me to let them execute JavaScript I
> rarely go back.
>

Many people do this, I hope that the OP realizes this.

> You can use SSL for the login and only the login - I know that it means
> either using a self signed cert or paying big bucks, for anything with
> e-commerce you want to pay big bucks for a cert, there is no other option.
> For anything not e-commerce, using a self signed cert seems a lot more
> secure to me than having the browser grab some salt off your server, use
> javascript to encrypt the pass, and then sending it back.
>

Have you seen the fit Firefox 3 makes for self-signed certs? So far as
the end user is concerned, the site is inaccessible.

-- 
Dotan Cohen

http://what-is-what.com
http://gibberish.co.il

א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת
ا-ب-ت-ث-ج-ح-خ-د-ذ-ر-ز-س-ش-ص-ض-ط-ظ-ع-غ-ف-ق-ك-ل-م-ن-ه‍-و-ي
А-Б-В-Г-Д-Е-Ё-Ж-З-И-Й-К-Л-М-Н-О-П-Р-С-Т-У-Ф-Х-Ц-Ч-Ш-Щ-Ъ-Ы-Ь-Э-Ю-Я
а-б-в-г-д-е-ё-ж-з-и-й-к-л-м-н-о-п-р-с-т-у-ф-х-ц-ч-ш-щ-ъ-ы-ь-э-ю-я
ä-ö-ü-ß-Ä-Ö-Ü


Re: [PHP] for the security minded web developer - secure way to login?

2009-02-14 Thread Michael A. Peters

Dotan Cohen wrote:

> Have you seen the fit Firefox 3 makes for self-signed certs? So far as
> the end user is concerned, the site is inaccessible.



Yes I have.
That's why on my site I have an instruction page - and a demonstration 
of how Opera does it, which is just as secure and less of a PITA, and a 
suggestion that users go ahead and try Opera - something I never did 
before FF messed up the self signed SSL process.


The FF3 really bugged me -

1) The purpose of SSL is to provide public/private key encryption.
2) The purpose of signing is so that they know you are really you on 
future visits.
3) The purpose of certificate authorities is so that they know you are 
you on the first visit.


Many web sites benefit from the first two without needing the complexity 
of the third, a concept FireFox seems to have lost.


I don't need the paperwork hassle etc. for the few sites I run - I just 
need a way for a user to authenticate so I can give 'em a session 
cookie, no sensitive data is ever collected. Ah well.





Re: [PHP] for the security minded web developer - secure way to login?

2009-02-14 Thread German Geek
Hi gang,

Was just thinking of a cheap solution for sites that don't require absolute
security. A SSL cert cost about $150 a year. Sites like facebook could use
this... Of course it's not for banks etc.

You could degrade gracefully when javascript is turned off to just sending
the form and checking the password normally if the first test fails which
would happen anyway wouldn't it? ...

Mainly this was just meant to be a proof of concept. An alternative to SSL
for those who have more time than $$ and not quite so high a security
requirement.

Of course SSL is better! Duh! Just wanted to give you guys something to
think about. The password would not be given away like this would it? It
just makes it a little more difficult for script kiddies. They would have to
have a keylogger running or steal the session. :P

Regards,
Tim

Tim-Hinnerk Heuer

http://www.ihostnz.com
Mike Ditka  - "If God had wanted man to play soccer, he wouldn't have given
us arms."

2009/2/15 Michael A. Peters 

> Dotan Cohen wrote:
>
>
>> Have you seen the fit Firefox 3 makes for self-signed certs? So far as
>> the end user is concerned, the site is inaccessible.
>>
>>
> Yes I have.
> That's why on my site I have an instruction page - and a demonstration of
> how Opera does it, which is just as secure and less of a PITA, and a
> suggestion that users go ahead and try Opera - something I never did before
> FF messed up the self signed SSL process.
>
> The FF3 really bugged me -
>
> 1) The purpose of SSL is to provide public/private key encryption.
> 2) The purpose of signing is so that they know you are really you on future
> visits.
> 3) The purpose of certificate authorities is so that they know you are you
> on the first visit.
>
> Many web sites benefit from the first two without needing the complexity of
> the third, a concept FireFox seems to have lost.
>
> I don't need the paperwork hassle etc. for the few sites I run - I just
> need a way for a user to authenticate so I can give 'em a session cookie, no
> sensitive data is ever collected. Ah well.
>
>
>
>


[PHP] Heredoc inside eval?

2009-02-14 Thread Michael

I have a html template with php variables. I then run it through eval().
All that works fine. Problem is that when I add simple html attributes 
or javascript calls I need to use single or double quotes. And this is 
where eval throws an error. So I then used htmlspecialchars to mask all 
the non-php code and then decode after eval. Then I remembered the 
heredoc syntax which allows both single and double quotes. So I wrote 
this line:


eval("\$html=<

Re: [PHP] for the security minded web developer - secure way to login?


German Geek wrote:

> Hi gang,
>
> Was just thinking of a cheap solution for sites that don't require absolute
> security. A SSL cert cost about $150 a year. Sites like facebook could use
> this...


Sites (like mine) that don't want to pay a certificate authority can use 
a self-signed cert. Even Red Hat does for some of their stuff (IE I 
believe their bugzilla server)





[PHP] Google Apps AuthSub = missing $_GET element


I am completely baffled by this.

I have a PHP script  that is using Cameron Hinkle's  
LightweightPicasaAPIv3 to authenticate with the Google Picasa service  
using the AuthSub method.


Basically, if we're not authenticated, redirect to the google authsub  
URL:
(https://www.google.com/accounts/AuthSubRequest?next=http%3A%2F%2Ftwozerowest.com%2Fsnowdog%2520gallery%2Fadmin.php&scope=http%3A%2F%2Fpicasaweb.google.com%2Fdata%2Ffeed%2Fapi&session=1 
)


This page requests that the user either grant access or deny access.

Grant access takes us to the URL specified (my authentication script)  
with a ?token=x added to the end of the URL.


This all works. We get back to my URL with ?token=x appended to  
the URL.


That's when it starts getting weirder than anything I've seen in PHP:
My debugging output confirms that:
1. $_SERVER['request_method'] = GET
2. strlen($_GET['token']) = 0
3. $_GET - array()...but it's empty!
4. $_REQUEST[] contains no 'token' element
5. echo($_GET['token']) prints the value of ?token= from the URL

So WTF?

My code:

Note the comments inside/around the try/catch statement inside the if  
block.


WTF? This evaluates to false...or seems to anyway. Code that is inside
its if{} statement does not execute.

if(strlen($_GET['token']) > 0)

But then, other code that IS in its if{} statement DOES execute...and
the $_GET['token'] that has a 0 strlen in the if() statement now echoes
as a 16 character string!


WTF!!???

if(strlen($_GET['token']) > 0) {
    // evaluates ???...
    $firephp->info('got a token: ' . $_GET['token']); #this doesn't happen
    echo ('echo $_GET[\'token\'] output: ' . $_GET['token']); #this doesn't happen

    // try to authenticate with it

    # this try/catch block DOES NOT happen!
    try{
        $token = $pic->authorizeWithAuthSub($_GET['token']);
        $firephp->info('running authorizeWithAuthSub() with token: ' . $_GET['token']);

        if($pic->isAuthenticated()){
            $firephp->info('there we go...authenticated!');
            $firephp->info('token :' . $pic->getAuthToken());
            echo 'inside try/catch :' . $_GET['token']; #this echo statement inside the try/catch DOES happen...WTF!?
        }
    } catch (Picasa_Exception_FailedAuthorizationException $e){
        $firephp->log($e, 'error');
    }
} else {
    $pic->redirectToLoginPage('http://twozerowest.com/snowdog%20gallery/admin.php', 1);
}

Anyone have ANY idea what's going on?

John Corry
email: jco...@gmail.com



Re: [PHP] Heredoc inside eval?

For instance you have:


The simplest way to eval() it is to use:
eval("?>" . $string_of_html_and_php . "
On Sat, Feb 14, 2009 at 3:58 PM, Michael  wrote:

> I have a html template with php variables. I then run it through eval().
> All that works fine. Problem is that when I add simple html attributes or
> javascript calls I need to use single or double quotes. And this is where
> eval throws an error. So I then used htmlspecialchars to mask all the
> non-php code and then decode after eval. Then I remembered the heredoc
> syntax which allows both single and double quotes. So I wrote this line:
>
>eval("\$html=<<
> But eval keeps giving me a parse error:
>
>Parse error: syntax error, unexpected $end in index.php(33) :
>eval()'d code on line 13
>
> I have tried using \r\n instead which returns error at line 11.
> If I wrap the variable in {} as it should results in line 11 also.
> If I insert a space after the 'hds' I get a T_SL error.
> I have tried to make a wrapper heredoc variable for $html but that didn't
> have any effect.
>
> I am running out of ideas...
>
>
>


Re: [PHP] Heredoc inside eval?


Sorry for not including a code example of the template.


..
{$content}

This template I read into a variable using file_get_contents() so I 
don't think escaping php will work but I will have to test this.


Your suggestion for the heredoc problem is simple, yet I didn't think of 
it :D


Thanks for help, I'll post back when I have tested it.

For others who come across this situation, the way I solved it was to 
simply use the addslashes()/stripslashes() functions as they only target 
double quotes by default. Should be (much?) less cpu intensive than 
using htmlspecialchars() as most of the html template would be altered.





Re: [PHP] Heredoc inside eval?

I haven't figured from your sayings if my solutions worked? I haven't tested
them so I thought you would check them out ;)

Nitsan

On Sat, Feb 14, 2009 at 6:59 PM, Michael N. Madsen  wrote:

> Sorry for not including a code example of the template.
>
> 
> ..
>{$content}
>
> This template I read into a variable using file_get_contents() so I don't
> think escaping php will work but I will have to test this.
>
> Your suggestion for the heredoc problem is simple, yet I didn't think of it
> :D
>
> Thanks for help, I'll post back when I have tested it.
>
> For others who come across this situation, the way I solved it was to
> simply use the addslashes()/stripslashes() functions as they only target
> double quotes by default. Should be (much?) less cpu intensive than using
> htmlspecialchars() as most of the html template would be altered.
>
>
>
>


Re: [PHP] Heredoc inside eval?


Hehe ok..

First problem was that eval() was giving error because there was 
double-quotes in the template.


Second problem an attempt to fix problem 1 by wrapping the template in a 
heredoc syntax.


Problem 1 I solved as described with add/strip-slashes().

Out of curiosity I will test your suggestions to see if they would have 
worked and this I will post back on :)





Re: [PHP] for the security minded web developer - secure way to login?


Michael A. Peters wrote:

> German Geek wrote:
>
>> Hi gang,
>>
>> Was just thinking of a cheap solution for sites that don't require
>> absolute security. A SSL cert cost about $150 a year. Sites like facebook
>> could use this...
>
> Sites (like mine) that don't want to pay a certificate authority can
> use a self-signed cert. Even Red Hat does for some of their stuff (IE
> I believe their bugzilla server)


Firefox scares its users when they encounter a website with self signed 
certificate. If your website users aren't worried about the warning 
Firefox throws at them, self signed cert works well.



--

With warm regards,
Sudheer. S
Business: http://binaryvibes.co.in, Tech stuff: http://techchorus.net, 
Personal: http://sudheer.net





Re: [PHP] for the security minded web developer - secure way to login?





> Firefox scares its users when they encounter a website with self
> signed certificate. If your website users aren't worried about the
> warning Firefox throws at them, self signed cert works well.




I just realized Dotan Cohen already mentioned this.



--

With warm regards,
Sudheer. S
Business: http://binaryvibes.co.in, Tech stuff: http://techchorus.net, 
Personal: http://sudheer.net





Re: [PHP] for the security minded web developer - secure way to login?


Sudheer wrote:

> Michael A. Peters wrote:
>
>> Sites (like mine) that don't want to pay a certificate authority can
>> use a self-signed cert. Even Red Hat does for some of their stuff (IE
>> I believe their bugzilla server)
>
> Firefox scares its users when they encounter a website with self signed
> certificate. If your website users aren't worried about the warning
> Firefox throws at them, self signed cert works well.





Yeah it does, hopefully they fix it.
What scares me is allowing sites I have no reason to trust as non 
malicious and have no reason to trust as properly secured against XSS 
injection to load scripts that execute on my machine.


People who use Firefox may be scared by the absurd warning FireFox 3 
uses (something I've complained about to them) - other than informing 
users of the issue and hoping some read it, not much I can do about 
that. Hopefully FireFox will fix the issue and do something like what 
opera does (accept the cert for session if you just click OK, accept it 
permanently if you click the security tab and check a box first).





[PHP] Sorting times


Hi gang:

Anyone have/know a routine that will sort an array of times?

For example, a function that would take an array like this:

time[0] ~ '1:30pm'
time[1] ~ '7:30am'
time[2] ~ '12:30pm'

and order it to:

time[0] ~ '7:30am'
time[1] ~ '12:30pm'
time[2] ~ '1:30pm'


Cheers,

tedd


--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




Re: [PHP] Sorting times

1. convert the string representation of times to timestamps using strtotime()
2. sort the timestamps
3. display the timestamps as strings using date('format', timestamp)

Would that work?

John Corry
email: jco...@gmail.com




On Feb 14, 2009, at 4:07 PM, tedd wrote:


> Hi gang:
>
> Anyone have/know a routine that will sort an array of times?
>
> For example, a function that would take an array like this:
>
> time[0] ~ '1:30pm'
> time[1] ~ '7:30am'
> time[2] ~ '12:30pm'
>
> and order it to:
>
> time[0] ~ '7:30am'
> time[1] ~ '12:30pm'
> time[2] ~ '1:30pm'
>
>
> Cheers,
>
> tedd
>
>
> --
> ---
> http://sperling.com  http://ancientstones.com  http://earthstones.com








[PHP] Re: Sorting times

tedd wrote:
> Hi gang:
> 
> Anyone have/know a routine that will sort an array of times?
> 
> For example, a function that would take an array like this:
> 
> time[0] ~ '1:30pm'
> time[1] ~ '7:30am'
> time[2] ~ '12:30pm'
> 
> and order it to:
> 
> time[0] ~ '7:30am'
> time[1] ~ '12:30pm'
> time[2] ~ '1:30pm'
> 
> 
> Cheers,
> 
> tedd
> 
> 

Not tested:

function time_sort($a, $b)
{
    // Compare the two time strings as timestamps
    if (strtotime($a) == strtotime($b)) {
        return 0;
    }
    return (strtotime($a) < strtotime($b)) ? -1 : 1;
}

usort($time, "time_sort");

-- 
Thanks!
-Shawn
http://www.spidean.com




Re: [PHP] Sorting times

John Corry wrote:
> 1. convert the string representation of times to timestamps using
> strtotime()
> 2. sort the timestamps
> 3. display the timestamps as strings using date('format', timestamp)
> 
> Would that work?
> 
> John Corry
> email: jco...@gmail.com
> 
> 
> 
> 
> On Feb 14, 2009, at 4:07 PM, tedd wrote:
> 
>> Hi gang:
>>
>> Anyone have/know a routine that will sort an array of times?
>>
>> For example, a function that would take an array like this:
>>
>> time[0] ~ '1:30pm'
>> time[1] ~ '7:30am'
>> time[2] ~ '12:30pm'
>>
>> and order it to:
>>
>> time[0] ~ '7:30am'
>> time[1] ~ '12:30pm'
>> time[2] ~ '1:30pm'
>>
>>
>> Cheers,
>>
>> tedd
>>
>>
>> -- 
>> ---
>> http://sperling.com  http://ancientstones.com  http://earthstones.com
>>
>>
> 

Yes, I would probably store and manipulate times as a timestamp and then
format them for printing, but then there would always be a date
associated with the timestamp as well (whether you need it or not).  So
you could store them in 24hr time format and sort those and then format
to display in the 12 hour format.

-- 
Thanks!
-Shawn
http://www.spidean.com




[PHP] Re: Sorting times

Shawn McKenzie wrote:
> tedd wrote:
>> Hi gang:
>>
>> Anyone have/know a routine that will sort an array of times?
>>
>> For example, a function that would take an array like this:
>>
>> time[0] ~ '1:30pm'
>> time[1] ~ '7:30am'
>> time[2] ~ '12:30pm'
>>
>> and order it to:
>>
>> time[0] ~ '7:30am'
>> time[1] ~ '12:30pm'
>> time[2] ~ '1:30pm'
>>
>>
>> Cheers,
>>
>> tedd
>>
>>
> 
> Not tested:
> 
> function time_sort($a, $b)
> {
>     // Compare the two time strings as timestamps
>     if (strtotime($a) == strtotime($b)) {
>         return 0;
>     }
>     return (strtotime($a) < strtotime($b)) ? -1 : 1;
> }
>
> usort($time, "time_sort");
> 
Well, I just thought, since the strtotime() uses the current timestamp
to calculate the new timestamp, if you only give it a time then the
returned timestamp is today's date with the new time you passed.  If you
had a large array and the callback started at 23:59:59 then you could
end up with some times from the date it started and some from the next
day, which of course would not be sorted correctly with respect to times
only.  So, this might be better (not tested):


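function time_sort($a, $b)
{
    // Static initialisers must be constant, so set the base time on first call
    static $now = null;
    if ($now === null) {
        $now = time();
    }

    if (strtotime($a, $now) == strtotime($b, $now)) {
        return 0;
    }
    return (strtotime($a, $now) < strtotime($b, $now)) ? -1 : 1;
}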


-- 
Thanks!
-Shawn
http://www.spidean.com




Re: [PHP] Sorting times (SOLVED)


At 4:15 PM -0500 2/14/09, John Corry wrote:

1. convert the string representation of times to timestamps using strtotime()
2. sort the timestamps
3. display the timestamps as strings using date('format', timestamp)

Would that work?

John Corry
email: jco...@gmail.com



John:

Bingo -- that worked!

Thanks.

tedd

---

Here's the code.




--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com




[PHP] Simple Search Logic Issue...

Newbie question...


I have a search page with multi lines of search criteria:

Name
Topic
Message
Etc...

I'm hoping to get results based on what criteria I type - but I'm not
getting what I expect. I think it's just getting results where in addition
to getting search criteria I type - ALSO none of the search fields can be
blank (not what I hoped) ...

Like I type just 'c' in the name field and it shows 3 records (other search
fields filled up) ... But I have many more records with name containing 'c'

Goal: to search for what I type in whatever search fields and not worry
about whether others are blank or not - like:

Name contains 'c'

Charles
Chuck
Chuck
Chas

Or 

Name contains 'c' and topic contains 'test1'

Maybe just charles fits this criteria

--


I made a simple results page,

... More code here ... ( DW CS3 )

$name_list1 = "-1";
if (isset($_GET['Name'])) {
  $name_list1 = $_GET['Name'];
}
$top_list1 = "-1";
if (isset($_GET['Topic'])) {
  $top_list1 = $_GET['Topic'];
}
$mess_list1 = "-1";
if (isset($_GET['Message'])) {
  $mess_list1 = $_GET['Message'];
}
mysql_select_db($database_test1, $test1);
$query_list1 = sprintf("SELECT * FROM mytable WHERE Name LIKE %s and Message
LIKE %s and Topic LIKE %s ORDER BY mytable.id desc", GetSQLValueString("%" .
$name_list1 . "%", "text"),GetSQLValueString("%" . $mess_list1 . "%",
"text"),GetSQLValueString("%" . $top_list1 . "%", "text"));

--
Thanks - RevDave
Cool @ hosting4days . com
[db-lists 09]
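
One way to get the behaviour described in the question above, as an added example that is not part of the original post: add a LIKE term only for the criteria that were actually filled in, and pass every value as a bound parameter. A blank field otherwise becomes `LIKE '%%'`, which never matches a NULL column; that the missing rows hold NULL there is an assumption. The function name build_search, the PDO/SQLite setup and the sample rows are constructed for the example.

```php
<?php
// Added example, not from the original post. Table and column names follow
// the post; the PDO/SQLite setup and the sample rows are constructed.

// Build the WHERE clause from only the criteria the user filled in.
// $allowed maps request field => column name, so no user-supplied
// identifier ever reaches the SQL text; values travel as bound parameters.
function build_search(array $input, array $allowed): array
{
    $where = [];
    $params = [];
    foreach ($allowed as $field => $column) {
        $raw = $input[$field] ?? '';
        $value = is_string($raw) ? trim($raw) : '';   // ignore Name[]=... arrays
        if ($value === '') {
            continue;                                 // blank: no constraint
        }
        // Escape LIKE metacharacters so '%' and '_' match literally.
        $literal = strtr($value, ['!' => '!!', '%' => '!%', '_' => '!_']);
        $where[] = "$column LIKE ? ESCAPE '!'";
        $params[] = '%' . $literal . '%';
    }
    $sql = 'SELECT * FROM mytable'
         . ($where ? ' WHERE ' . implode(' AND ', $where) : '')
         . ' ORDER BY id DESC';
    return [$sql, $params];
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE mytable
            (id INTEGER PRIMARY KEY, Name TEXT, Topic TEXT, Message TEXT)');
$insert = $pdo->prepare('INSERT INTO mytable (Name, Topic, Message) VALUES (?, ?, ?)');
$rows = [['Charles', 'test1', 'hello'], ['Chuck', null, null],
         ['Chas', '', 'x'], ['Bob', 'test1', null]];
foreach ($rows as $row) {
    $insert->execute($row);
}

$allowed = ['Name' => 'Name', 'Topic' => 'Topic', 'Message' => 'Message'];
$requests = [['Name' => 'c', 'Topic' => '', 'Message' => ''],  // blank fields sent
             ['Name' => 'c', 'Topic' => 'test1'],              // two criteria
             ['Name' => '%']];                                 // wildcard typed as data
foreach ($requests as $get) {
    [$sql, $params] = build_search($get, $allowed);
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    echo $sql, ' => ', implode(', ', $stmt->fetchAll(PDO::FETCH_COLUMN, 1)), "\n";
}
```

The `!` escape character is used instead of a backslash so the same `ESCAPE` clause parses identically on MySQL and SQLite.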







[PHP] Re: list all constitute group of array ?

On Sat, 14 Feb 2009 07:41:28 +0800, a...@pc86.com ("LKSunny") wrote:

><?php
>$a = array("a", "b", "c", "d");
>
>/*
>how to list:
>abcd
>abc
>ab
>ac
>ad
>bcd
>bc
>bd
>cd
>a
>b
>c
>d
>
>who have idea ? thank you very much !!
>*/
>?>
>

If you are talking about arrays of strings, use my function larec (list
array recursively). This has proved to be one of the most useful things I
have ever written.  The first parameter is the name of the array (or
subsection of an array) you wish to list, and the second parameter is the
arbitrary name used for the array in the listing.  (It would be quite easy
to modify the procedure to use the actual name of the array, but I wrote it
this way, and it is quite handy to be able to use different names if you are
listing different sections of the same array.) It will work with an array of
almost any complexity. I have seen it choof out (almost instantly!) several
thousand lines.
'.$line.' = '.$array.'';
}
}
?>
This is a sample of part of a listing. The call for this would have been
'larec($wkg_data[$entry], 'Entry');'

Entry['phone']['ph_o'] = 9978 4749
Entry['phone']['ph_h'] = 
Entry['phone']['ph_m'] = 
Entry['phone']['ph_f'] = 9978 4516
Entry['phone']['ph_a'] = 02
Entry['phone']['ph_e'] = 
Entry['phone']['ph_w'] = 
Entry['phone']['ph_b'] = 

Entry['bursary']['CY']['b_name'] = Cybec Scholarship
Entry['bursary']['CY']['b_status'] = 
Entry['bursary']['EB']['b_name'] = Evan Burge Scholarship
Entry['bursary']['EB']['b_status'] = 
Entry['bursary']['MAP']['b_name'] = Cybec MAP Scholarship
Entry['bursary']['MAP']['b_status'] = 





Re: [PHP] Sorting times (SOLVED)

tedd wrote:
> At 4:15 PM -0500 2/14/09, John Corry wrote:
>> 1. convert the string representation of times to timestamps using
>> strtotime()
>> 2. sort the timestamps
>> 3. display the timestamps as strings using date('format', timestamp)
>>
>> Would that work?
>>
>> John Corry
>> email: jco...@gmail.com
> 
> 
> John:
> 
> Bingo -- that worked!
> 
> Thanks.
> 
> tedd
> 
> ---
> 
> Here's the code.
> 
> <?php
> // == returns a time array sorted
> 
> function sortTime($in_times)
> {
>     $time = array();
>     foreach ($in_times as $t)
>     {
>         $time[] = strtotime($t);
>     }
> 
>     sort($time);
> 
>     $sort_time = array();
>     foreach ($time as $t)
>     {
>         $sort_time[] = date('g:ia', $t);
>     }
>     return $sort_time;
> }
> ?>
> 
> 
Yeah, if I had known that you wanted a function where you loop through
your array twice, that would have done it.  Bravo.



-- 
Thanks!
-Shawn
http://www.spidean.com
