[PHP] Question regarding passwords/security
Not sure how to ask this question...

I've always eschewed consulting a database on page loads to determine if a user is logged in, primarily because of latency issues. For example, you could store a nonce like the session ID in a table for a user when they log in. Then each time they arrive at a page which needs certain permissions to access, you'd check the table for the nonce and compare it to the actual session ID or whatever to determine that they're properly logged in. This seems reasonable but suffers from the lag on the database link's query-and-response lag time. So I've always preferred some solution where something is dragged along in a session cookie instead. Maybe something like the hash of user login, email and user name, which wouldn't be there unless you'd put it there on login. But this latter scheme just seems inherently less secure than consulting the table.

Is there any consensus or overwhelming argument one way or the other?

Paul

--
Paul M. Foster
http://noferblatz.com
http://quillandmouse.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Online Form Creation
On Dec 21, 2011, at 2:14 AM, Tedd Sperling wrote:
> I don't see a problem here.
>
> 1. Figure out how to create a HTML form (Investigate HTML tables).
> 2. Then write a PHP that will scrub the data and submit it to MySQL.
>
> The length and layout of the forms are of no significance.
>
> This is basic html/php -- try creating something and submit your work for our review. If you want us to write the code for you, please look elsewhere.

Tedd,

I appreciate your reply to my post. In no way do I expect anyone to code for me. If that were the case I would hire someone. I have posted to this list numerous times and, if I am not mistaken, the list is designed to ask for suggestions, which I did. Being rude does not help anyone.

I understand how to program radio buttons in a form that record 'instances' of a response. I just was not sure how to set up a similar matrix to allow the user to enter a numerical value.

I will follow your suggestion and submit my work.

Best,

Christopher

-Original Message-
From: Tedd Sperling [mailto:tedd.sperl...@gmail.com]
Sent: Wednesday, December 21, 2011 12:05 PM
To: PHP-General List
Cc: Christopher Lee
Subject: Re: [PHP] Online Form Creation

On Dec 21, 2011, at 2:14 AM, Christopher Lee wrote:
> Hello All,
>
> I have two forms (see attached) that I would like to recreate and enable the user to complete the form online. The data would be collected in a MySQL DB.
>
> http://ucensys.com/activities.pdf
>
> http://ucensys.com/guidelines.pdf
>
> You will see that the forms are in a matrix format. I am having trouble figuring out the best way to create the form and ensure the data is collected properly in the DB. Any suggestions would be greatly appreciated.
>
> Best,
>
> Christopher

I don't see a problem here.

1. Figure out how to create a HTML form (Investigate HTML tables).
2. Then write a PHP that will scrub the data and submit it to MySQL.

The length and layout of the forms are of no significance.

This is basic html/php -- try creating something and submit your work for our review. If you want us to write the code for you, please look elsewhere.

Cheers,

tedd

_
t...@sperling.com
http://sperling.com

This message is for the designated recipient only and may contain privileged, proprietary, or otherwise private information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the email by you is prohibited.
Re: [PHP] Online Form Creation
On 12/22/2011 8:22 AM, Christopher Lee wrote:
> On Dec 21, 2011, at 2:14 AM, Tedd Sperling wrote:
>
>> I don't see a problem here.
>>
>> 1. Figure out how to create a HTML form (Investigate HTML tables).
>> 2. Then write a PHP that will scrub the data and submit it to MySQL.
>>
>> The length and layout of the forms are of no significance.
>>
>> This is basic html/php -- try creating something and submit your work for our review. If you want us to write the code for you, please look elsewhere.
>
> Tedd,
>
> I appreciate your reply to my post. In no way do I expect anyone to code for me. If that were the case I would hire someone. I have posted to this list numerous times and, if I am not mistaken, the list is designed to ask for suggestions, which I did. Being rude does not help anyone.

He wasn't being rude. He was informing you of what to expect. Honestly, with how your two emails read, it seemed as though you were asking for examples of how to write the basic structure of the HTML and processing script. We like to see someone submit code that attempts to complete the task that they are looking to accomplish when they are asking for help.

> I understand how to program radio buttons in a form that record 'instances' of a response.

If you understand how to program radio buttons, then you should know how to include an field and in your code as well.

> I just was not sure how to set-up a similar matrix to allow the user to enter a numerical value.

matrix = table ??

Wrap the table in a form and add the radio and text fields as needed. Throwing in a needed textarea here and there would be helpful as well.

> I will follow your suggestion and submit my work.
>
> Best,
>
> Christopher

--
Jim Lucas
http://www.cmsws.com/
http://www.cmsws.com/examples/
http://www.bendsource.com/
Re: [PHP] Online Form Creation
> I understand how to program radio buttons in a form that record 'instances' of a response. I just was not sure how to set-up a similar matrix to allow the user to enter a numerical value.

Christopher,

Maybe Tedd was a little curt, but the language you used just made it seem like you had not done enough HTML work to really be able to sort out the difference between HTML problems (missing pieces in your understanding), and PHP problems.

HTML forms are totally independent of what you DO with the data that gets submitted when the user clicks the form's submit button. HTML lets you lay out the form to look however you want (you can use HTML's ... to achieve the visual layout you want). PHP is needed to HANDLE the data (receive it from the submitting form and save it to a db).

When you say, "You will see that the forms are in a matrix format", and, "...[you] are not sure how to set-up a similar matrix..." it sounds like an HTML problem. If you do need help with HTML layout, then practice, Google, and consulting an HTML list will be your best bet.

Now, if you need help with writing the PHP that handles the data, then great! This is the right place to ask! But we need to see code you attempted, in order to know your level of understanding, and so be able to guide better.

> I will follow your suggestion and submit my work.

-Govinda
RE: [PHP] Online Form Creation
> Now, if you need help with writing the PHP that handles the data, then great! This is the right place to ask! But we need to see code you attempted, in order to know your level of understanding, and so be able to guide better.

Hi Govinda,

I appreciate all the great comments/suggestions from everyone. I probably could have worded my initial email a little better. Thank you to Tedd as well.

Best,

Christopher
[PHP] Relative includes and include_path
Hi all,

On the include_path php.net says:

"Using a . in the include path allows for relative includes as it means the current directory. However, it is more efficient to explicitly use include './file' than having PHP always check the current directory for every include."
(http://www.php.net/manual/en/ini.core.php#ini.include-path)

While this does not state that starting every include with "./" is equivalent to having an include_path that is ".", it does suggest exactly that. However, I tried this in the field, and came to a different conclusion. (I included my experiment below.)

Is the idea that those two are equivalent wrong? Am I doing something wrong? Is something strange going on? Can anyone clear this issue up for me?

Thanks,
Jasper

---
The experiment:

On a machine where the include_path is ".", I had the following file structure:

- A.php
- B.php
- C.php
- file.php
- sub/includeA.php
- sub/includeB.php
- sub/includeC.php

The content of the files: A.php B.php C.php file.php includeA.php includeB.php includeC.php

Now if you visit A.php or B.php the file will be included successfully. Obviously, C.php fails to include anything. includeA.php works all the same, but includeB.php can't find file.php. includeC.php, on the other hand, finds it just fine.

This would suggest that include_path being "." means you can include from the path of the current file, while starting your include with "./" means you start looking from the current path.
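An added example, not Jasper's code, that reproduces the difference he describes from the command line: it builds a throwaway tree, then includes three files while the working directory is deliberately not the directory those files live in. The three include statements (a bare name, an explicit "./" path, and a __DIR__-anchored path) are assumptions about what his includeA/B/C.php contained; everything else is built and removed by the script itself.

```php
<?php
// Added example (not from the original post). With include_path set to ".",
// a bare file name is searched in the include_path (the working directory) and
// then falls back to the including file's own directory; a "./" path skips the
// include_path entirely and is resolved against the working directory only.
declare(strict_types=1);

function build_tree(): string
{
    // Constructed layout: <tmp>/sub/{file.php,includeA.php,includeB.php,includeC.php}
    $root = sys_get_temp_dir() . '/incpath_' . bin2hex(random_bytes(4));
    mkdir("$root/sub", 0700, true);
    file_put_contents("$root/sub/file.php", "<?php return 'file.php found';\n");
    // A: bare name -> include_path, then the including file's directory (assumed content)
    file_put_contents("$root/sub/includeA.php", "<?php \$r = include 'file.php'; return \$r;\n");
    // B: "./" path -> current working directory only, include_path ignored (assumed content)
    file_put_contents("$root/sub/includeB.php", "<?php \$r = include './file.php'; return \$r;\n");
    // C: __DIR__ -> anchored to the including file, independent of CWD (assumed content)
    file_put_contents("$root/sub/includeC.php", "<?php \$r = include __DIR__ . '/file.php'; return \$r;\n");
    return $root;
}

function try_include(string $path): string
{
    $result = @include $path;   // a missing file produces a warning (silenced) and false
    return $result === false ? 'FAILED' : (string) $result;
}

function run_experiment(): array
{
    $root = build_tree();
    set_include_path('.');
    chdir(sys_get_temp_dir());  // CWD deliberately differs from $root/sub

    $out = [];
    foreach (['includeA', 'includeB', 'includeC'] as $name) {
        $out[$name] = try_include("$root/sub/$name.php");
    }

    // clean up the constructed tree
    foreach (glob("$root/sub/*.php") as $f) {
        unlink($f);
    }
    rmdir("$root/sub");
    rmdir($root);
    return $out;
}

foreach (run_experiment() as $name => $result) {
    printf("%-10s %s\n", $name, $result);
}
```

Run it with `php include_experiment.php`: includeA and includeC report the file as found, includeB reports FAILED, which is the same split Jasper saw. The practical takeaway for an application is the third style: an include anchored to __DIR__ gives the same result regardless of include_path or the working directory the SAPI happens to use.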
[PHP] Re: Question regarding passwords/security
On 12/22/2011 10:05 AM, Paul M Foster wrote:
> Not sure how to ask this question...
>
> I've always eschewed consulting a database on page loads to determine if a user is logged in, primarily because of latency issues. For example, you could store a nonce like the session ID in a table for a user when they log in. Then each time they arrive at a page which needs certain permissions to access, you'd check the table for the nonce and compare it to the actual session ID or whatever to determine that they're properly logged in. This seems reasonable but suffers from the lag on the database link's query-and-response lag time. So I've always preferred some solution where something is dragged along in a session cookie instead. Maybe something like the hash of user login, email and user name, which wouldn't be there unless you'd put it there on login. But this latter scheme just seems inherently less secure than consulting the table.
>
> Is there any consensus or overwhelming argument one way or the other?
>
> Paul

Why not just use Sessions, that's what the function is for. http://php.net/manual/en/features.sessions.php There is a good example on this page.

I'm also big on using the session buffer to maintain the current states for visitors. e.g., one I'm working on now. Obviously, most are binary switches. Makes condition logic simple.

[confirmedRestrictedUser] =>
[idPassed] =>
[loggedIn] =>
[newRegRecordMode] =>
[pendingRestrictedUser] =>
[recordToken] =>
[regModeLoggedIn] =>
[regUserEditMode] =>
[restrictedMode] => 1
[secrCodePassed] =>
[securityPassed] =>
[sessionStart] => Thu, 22 Dec 2011 12:49:54 -0500
[userType] => restricted
Re: [PHP] Online Form Creation
On Dec 22, 2011, at 11:22 AM, Christopher Lee wrote:
> Tedd,
>
> I appreciate your reply to my post. In no way do I expect anyone to code for me. If that were the case I would hire someone. I have posted to this list numerous times and, if I am not mistaken, the list is designed to ask for suggestions, which I did. Being rude does not help anyone.
>
> I understand how to program radio buttons in a form that record 'instances' of a response. I just was not sure how to set-up a similar matrix to allow the user to enter a numerical value.
>
> I will follow your suggestion and submit my work.
>
> Best,
>
> Christopher

Christopher:

My apologies if you took my comments as being rude. The point here is that if you want advice, then we need to see what is causing you problems. Giving us an outline of what you want isn't giving us anything other than "This is what I want" -- with an implied "Do it".

My advice, the first step will be to create a form with elements like these:

http://rebel.lcc.edu/sperlt/citw229/examples/postform/index.php
http://rebel.lcc.edu/sperlt/citw229/examples/stickyradio/
http://rebel.lcc.edu/sperlt/citw229/examples/stickycheckbox/
http://rebel.lcc.edu/sperlt/citw229/examples/stickymultselect/

and then get it to work for you. If it fails, present it, and we'll comment.

Cheers,

tedd

PS: Everything you need for this first step is provided above. The next step will be cleaning the data and placing it into the database.

_
t...@sperling.com
http://sperling.com
RE: [PHP] Online Form Creation
> My apologies if you took my comments as being rude. The point here is that if you want advice, then we need to see what is causing you problems. Giving us an outline of what you want isn't giving us anything other than "This is what I want" -- with an implied "Do it".

Hi Tedd,

I apologize as well Tedd. Reading back over my email it was not worded the best. I appreciate the assistance and promise to be more thorough when posting. This is part of the growing pains for me as a newbie.

Best,

Chris
Re: [PHP] Re: Question regarding passwords/security
On Thu, Dec 22, 2011 at 12:55:41PM -0500, Al wrote:
> Why not just use Sessions, that's what the function is for. http://php.net/manual/en/features.sessions.php There is a good example on this page.
>
> I'm also big on using the session buffer to maintain the current states for visitors. e.g., one I'm working on now. Obviously, most are binary switches. Makes condition logic simple.
>
> [confirmedRestrictedUser] =>
> [idPassed] =>
> [loggedIn] =>
> [newRegRecordMode] =>
> [pendingRestrictedUser] =>
> [recordToken] =>
> [regModeLoggedIn] =>
> [regUserEditMode] =>
> [restrictedMode] => 1
> [secrCodePassed] =>
> [securityPassed] =>
> [sessionStart] => Thu, 22 Dec 2011 12:49:54 -0500
> [userType] => restricted

I have concerns that the items in a session buffer can be copied and used to spoof legitimate logins. This is harder to do when the info is held in a database.

Paul

--
Paul M. Foster
http://noferblatz.com
http://quillandmouse.com
Re: [PHP] Re: Question regarding passwords/security
On 22 Dec 2011, at 19:34, Paul M Foster wrote:
> I have concerns that the items in a session buffer can be copied and used to spoof legitimate logins. This is harder to do when the info is held in a database.

Storing stuff in a database is no more secure, it simply requires one single extra step... finding the DB credentials in the source code.

Given that the only way a user could read session data (assuming you're using the default session handler, i.e. file-based) is if they have access to those files. If they do have access to those files they almost certainly also have access to your source code (since the web user must be able to read both), especially if you're using a shared host.

If you're using a dedicated server then you should address the reason you're worried about people having access to session files first.

-Stuart

--
Stuart Dallas
3ft9 Ltd
http://3ft9.com/
Re: [PHP] Re: Question regarding passwords/security
On 12/22/2011 2:54 PM, Stuart Dallas wrote:
> On 22 Dec 2011, at 19:34, Paul M Foster wrote:
>> I have concerns that the items in a session buffer can be copied and used to spoof legitimate logins. This is harder to do when the info is held in a database.
>
> Storing stuff in a database is no more secure, it simply requires one single extra step... finding the DB credentials in the source code.
>
> Given that the only way a user could read session data (assuming you're using the default session handler, i.e. file-based) is if they have access to those files. If they do have access to those files they almost certainly also have access to your source code (since the web user must be able to read both), especially if you're using a shared host.
>
> If you're using a dedicated server then you should address the reason you're worried about people having access to session files first.
>
> -Stuart

Sessions are faster, one step to read the session array.

Encode a token e.g., MD5 the timestamp, and save it in the session buffer. Gets pretty secure.

If you're on a shared host with poor security, bad folks can do anything on your site.
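An added example, not code from anyone in this thread, showing one way to put together what Paul, Al and Stuart are discussing: the session file holds only a user id and a random per-login token (the fast path, no database round-trip on ordinary pages), and a database lookup of that token is reserved for sensitive pages so that a session someone has copied can be revoked server-side. Assumed, not from the thread: a `login_tokens` table with `user_id` and `token_hash` columns, a PDO connection `$db`, an 8-hour maximum session age, and that the password check itself happens elsewhere.

```php
<?php
// Added example (not from the mailing-list thread). Session-backed login state with
// an optional database revocation check. Assumed schema: login_tokens(user_id, token_hash).
declare(strict_types=1);

// Cookie hardening; assumes the site is served over HTTPS only.
session_set_cookie_params([
    'secure'   => true,   // cookie is only sent over TLS
    'httponly' => true,   // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();

const SESSION_MAX_AGE = 8 * 3600;   // assumption: force a fresh login after 8 hours

/**
 * Call only after the password check has succeeded; $userId comes from your user table.
 * Returns the raw token so the caller can store hash('sha256', $token) in login_tokens.
 */
function establish_login(int $userId): string
{
    // Fresh session id at the privilege change, so an id issued before login is not reused.
    session_regenerate_id(true);
    $token = bin2hex(random_bytes(32));   // CSPRNG output, not derived from anything predictable
    $_SESSION = [
        'user_id'    => $userId,
        'token'      => $token,
        'started_at' => time(),
    ];
    return $token;
}

/** Fast path: reads only the server-side session, no database access. */
function is_logged_in(): bool
{
    if (!isset($_SESSION['user_id'], $_SESSION['token'], $_SESSION['started_at'])) {
        return false;
    }
    if (time() - (int) $_SESSION['started_at'] > SESSION_MAX_AGE) {
        logout();
        return false;
    }
    return true;
}

/**
 * Slow path for sensitive pages: the session is accepted only if a row with the
 * hashed token still exists, so deleting the row revokes a copied session.
 */
function is_logged_in_and_not_revoked(PDO $db): bool
{
    if (!is_logged_in()) {
        return false;
    }
    $stmt = $db->prepare('SELECT token_hash FROM login_tokens WHERE user_id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $expected = hash('sha256', $_SESSION['token']);
    foreach ($stmt->fetchAll(PDO::FETCH_COLUMN) as $stored) {
        if (hash_equals($stored, $expected)) {   // constant-time comparison
            return true;
        }
    }
    logout();
    return false;
}

/** Clears the session data, the session cookie and the server-side session file. */
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage on a protected page (assumed: $db is a PDO connection created elsewhere):
// if (!is_logged_in()) { header('Location: /login.php'); exit; }
// On an account-settings or payment page use is_logged_in_and_not_revoked($db) instead.
```

The split addresses both sides of the thread: Al's point that reading the session array is the cheap check holds for ordinary pages, and Paul's worry about copied session contents is handled by the revocation row, which lets an operator invalidate a specific login without touching the session store. Stuart's caveat still applies: if the web user can read the session files it can usually read the source and the database credentials too, so the revocation check narrows the window of a stolen session rather than protecting against a compromised host.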