Re: [PHP] how to not show login info in the url ...what am I looking for?
On Wed, Dec 10, 2008 at 10:03 AM, tedd wrote:
> At 9:52 PM + 12/9/08, Ashley Sheridan wrote:
>>>> Thanks guys and gals!
>>
>> You shouldn't be passing info like that over the URL; use sessions
>> instead.
>>
>> I saw a shopping cart system once that passed the price of items over
>> the URL, and when I found out and alerted them, we won the contract for
>> a rebuild and then got accused of hacking by their previous web guys
>> (who incidentally built the system!)
>>
>> Ash
>
> Ash:
>
> Even if you did hack the site, all that means is that site was hack-able and
> thus should have been fixed anyway.
>
> In my mind, hacking a site (without doing damage) is a good introduction to
> a client.
>
> Cheers,
>
> tedd
>
> --
> http://sperling.com http://ancientstones.com http://earthstones.com

*Ahem* You mean 'cracking'? :-P

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Is MD5 still considered safe for storing application user passwords?
On Tue, Dec 30, 2008 at 9:02 PM, Murray wrote:
> Hi All,
>
> I've been vaguely aware that more and more effort is going into proving that
> MD5 isn't secure anymore, but this article in particular -
> http://www.win.tue.nl/hashclash/rogue-ca/ - has me wondering if MD5 is still
> safe for storing hashed user passwords?
>
> I realise that article is talking about a very different use of an attack on
> MD5, but I'm curious if other developers are still using MD5, or if another
> hashing algorithm is considered better?
>
> Many thanks for any advice,
>
> M is for Murray
> http://www.ulblog.org

Yeah, it's been proven several years ago (1998 rings a bell for some reason,
but I'm not sure) that MD5 has some security vulnerabilities. If I recall
correctly, even SHA-1 has had some collision vulnerabilities. I personally use
salted SHA-512 hashes for storing my passwords.
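An added example, not code from the thread: the salted SHA-512 scheme the reply mentions, done through PHP's crypt() so the random salt and the work factor are stored with the hash, beside the later password_hash() API (bcrypt by default), which is the swapped-in route a new application would take today. It assumes PHP 7.0 or later; the sample password is constructed.

```php
<?php
// Added example (not from the thread). Assumes PHP >= 7.0 (random_bytes(),
// scalar type hints); the passwords below are constructed sample values.

// Salted, iterated SHA-512 via crypt(). The "$6$rounds=N$salt$" prefix selects
// SHA-512 crypt, so the random salt and the round count are stored in the
// hash itself and read back by crypt() at verification time.
function make_sha512_hash(string $password, int $rounds = 100000): string
{
    // 16 random bytes mapped into crypt()'s salt alphabet [./0-9A-Za-z]
    $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 16);
    $hash = crypt($password, '$6$rounds=' . $rounds . '$' . $salt . '$');
    if (strlen($hash) < 13) {          // crypt() returns "*0"/"*1" on failure
        throw new RuntimeException('crypt() failed');
    }
    return $hash;
}

function verify_sha512_hash(string $password, string $stored): bool
{
    // hash_equals() is constant-time, so a mismatch does not leak how many
    // leading bytes of the hash were right.
    return hash_equals($stored, crypt($password, $stored));
}

// The built-in password API (PHP >= 5.5): bcrypt by default, salt generated
// for you, and password_needs_rehash() lets you raise the cost later.
function make_password_hash(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT, ['cost' => 12]);
}

function verify_password_hash(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// Demo. Two users with the same password get different hashes under either
// scheme; with bare md5($password) they would not, and one precomputed
// table would cover every account at once.
$pw = 'correct horse battery staple';
$h1 = make_sha512_hash($pw);
$h2 = make_sha512_hash($pw);
printf("sha512crypt: %s\n", $h1);
printf("same password, different hash: %s\n", $h1 !== $h2 ? 'yes' : 'no');
printf("verify right/wrong: %d/%d\n",
    verify_sha512_hash($pw, $h1), verify_sha512_hash('not it', $h1));
$h3 = make_password_hash($pw);
printf("password_hash: %s\n", $h3);
printf("verify right/wrong: %d/%d\n",
    verify_password_hash($pw, $h3), verify_password_hash('not it', $h3));
```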
[PHP] PHP IRC Bot - Listening on a Socket
Hey,

I'm writing an IRC bot from scratch in PHP. I'd like to be able to announce
events, such as SVN commit notifications, through the bot. The only way to do
this that I can think of is to have the bot listen on a socket and have the
program (in this example, the SVN post-commit hook script) send some data over
the socket.

I know a bit about connecting via sockets in PHP, but not about listening on
sockets. What would be the best way to set up a non-blocking listening socket,
while being connected via IRC (and parsing input/output) simultaneously?

Or, does anyone have any suggestions on alternative ways to send data to the
IRC bot (other than sockets)? I could possibly have the external scripts store
data in a text file, then just have the PHP bot read and delete the data on a
timer.

Thank you for any and all help/suggestions,

~Steve
Re: [PHP] APC problem with PHP
On Tue, Feb 10, 2009 at 10:11 PM, Nathan Nobbe wrote:
> On Tue, Feb 10, 2009 at 5:53 PM, Jamie Krasnoo wrote:
>
>> Hmm, I'll try taking down the optimizer and seeing if it segfaults or
>> not. If that's what it is it's a crying shame that apc and
>> zend_optimizer can't get along.
>
> maybe give eaccelerator a shot, i believe they've got an optimizer in there.
> im not sure how it stacks up to zend's, but it will do both caching and
> optimization, afaik. also, you will find a not yet stable optimization
> extension hanging out in pecl for apc,
>
> http://pecl.php.net/package/optimizer
>
> -nathan

I'd recommend using X-Cache. I've had nothing but good experiences with it.
Re: [PHP] PHP AS an FTP server
On Tue, Feb 17, 2009 at 10:53 AM, Michael Kubler wrote:
> Hi,
> This is probably a bit stupid, but I've been having issues getting any of
> the good FTP servers running on my Ubuntu 6.06 (LTS) box.
> I've tried Pro-FTP, Pure-FTP, and briefly installed some others, but the
> versions available for my distro don't seem to support MySQL (or I'm simply
> doing something wrong).
>
> Anyway, I had the thought that the FTP server won't be used much, as I
> mainly use SSH, however I need to be able to give other people access, which
> is why I'm wondering if there are any PHP scripts that can be used AS an FTP
> server. That is, I'd set up Apache to accept on the standard FTP port(s), and
> get it to point everything to a PHP script, which I could then use to pull
> user/pass details, each of which would have their own directories, allowing
> each user to access a sym-link to their domain(s) log file, website
> directory, and anything else.
>
> Has someone already got a script that does this (at least accepting FTP
> connections), or is this a crazy idea that's just not possible?
> Should I just compile the latest version of some FTP server, and try and
> configure that to do what I want instead?
>
> Thanks.

Although possible, that's probably not a good idea for numerous reasons. I'd
strongly recommend using vsFTPd. I've used it for years and never had any
problem with it.

http://vsftpd.beasts.org
Re: [PHP] Which file "Included" me?
On Wed, Feb 18, 2009 at 1:16 PM, Ed Curtis wrote:
> Is there a function or variable that will tell me if a file has asked
> another file to include something, much the same as $_SERVER['HTTP_REFERER']
> works? I have a script that is included on every page of a site but also
> needs to include some javascript only if it's called from a certain URL.
>
> thanks,
>
> Ed

Maybe include_once() would help? Or require_once()?
Re: [PHP] Cookies/Sessions and how they work
On Mon, Mar 9, 2009 at 10:26 PM, Paul M Foster wrote:
> This is in two parts. First cookies. I'm a little unclear on how they
> work. From what I've read, cookies are stored by the browser. When a
> request for that cookie comes in from the server, the browser returns
> only the value, and no other data. One question: When the browser
> requests a page from a server, does it automatically search its cookies
> for that domain and send them along with the other requests? If that's
> not how it works, then how does it work?
>
> Second part is about sessions. According to the notes for the cookies
> page at php.net, it's considered bad practice to store user IDs and
> passwords in cookies. It's considered better practice to use PHP's
> native session-handling code to do this. But if a user has cookies
> turned on in the browser, then PHP will store the session information
> (possibly user ID and password) as a cookie. So what's the difference?
>
> The reference for the above is:
> http://us2.php.net/manual/en/features.cookies.php#36058
>
> Paul
>
> --
> Paul M. Foster

When a website sends the "Cookie:" in a HTTP header, the browser decides what
to do with it (or not to do). Generally, it saves the cookie name and contents
into a file. Although, various browsers handle cookies differently, and some
browsers ignore them completely (or have options to). Within the cookie data
are various things, such as the domain and expiration.

When you point the browser to a website, the browser checks all its cookies
and sees if the website matches the "domain" field in any of the cookies. If
so, it sends the name/content of the cookie/cookies to the site in an HTTP
header automatically.

A very useful tool in monitoring all this and viewing what your browser does
behind the scenes is the Firefox extension "Live HTTP Headers."
https://addons.mozilla.org/en-US/firefox/addon/3829

PHP sessions use cookies. When you call session_start() for the first time,
PHP randomly generates a unique hash ID for that session. It sends it to the
browser as a cookie with the name PHPSESSID (this is customizable in php.ini).
The server keeps a list of all the sessions on the HDD (and expires them when
needed, of course). When you store any variable into the $_SESSION superglobal
var, it stores the data ON THE SERVER - nothing is sent to the browser. The
browser only sends the session ID cookie, which tells the server "hey, get the
$_SESSION data for this session ID." So it's up to the browser to send the
session cookie each time, else all the $_SESSION data is lost.

Help clear it up for ya?
[PHP] Spawn-FCGI, PHP-FPM
Hey,

I'm looking into moving my site over to Nginx from apache. I've been reading up
on how FastCGI works with PHP, and I've found two main solutions: either use
spawn-fcgi or use php-fpm. However, it looks like there isn't any php-fpm code
for the current stable version of PHP.

Does anyone use php-fpm? Can you give me an intro to how it works? And is there
a patch for php 5.2.9?

Thanks for any help and suggestions.
[PHP] GeoIP Character Encoding
Hey,

I'm using the PECL GeoIP module on php 5.2.10. When I look up an IP address,
the geoip_record_by_name() function is giving me a string that contains
"special" characters, such as the following:

'Portugal, 09, Vila Real De Santo António'
'Norway, 08, Ålesund'
'Portugal, 04, Vila Nova De Famalicão'

(Note the ó, Å, and ã).

I'm using PostgreSQL as my database. The database's encoding is UTF8, and the
locale is C. When I try to insert the above strings into a VARCHAR column, I
get errors similar to the following:

ERROR: invalid byte sequence for encoding "UTF8": 0xf36e696f
ERROR: invalid byte sequence for encoding "UTF8": 0xc56c
ERROR: invalid byte sequence for encoding "UTF8": 0xe36f2c

Now, I believe I can solve the problem by changing the client_encoding of my
postgresql client (right now, it is set to UTF8). However, I'm trying to figure
out what encoding the GeoIP function is returning to me so that I can set the
client_encoding appropriately. Is it LATIN1? How can I figure it out? And can I
change it to UTF8?

Thank you for your time.
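An added example, not the poster's code: the rejected bytes in the Postgres errors (0xF3, 0xC5, 0xE3) are the ISO-8859-1 code points of ó, Å and ã, so the example assumes the GeoIP strings arrive as ISO-8859-1 and transcodes them to UTF-8 in PHP before the INSERT, checking first so an already-valid UTF-8 string is not double-encoded. It assumes the mbstring and iconv extensions are loaded; the sample strings are constructed from the ones in the message.

```php
<?php
// Added example (not from the thread). Assumption: the source encoding is
// ISO-8859-1 (Latin-1), which is what the reported bytes 0xF3/0xC5/0xE3
// decode to as ó/Å/ã. Requires the mbstring and iconv extensions.

// True when $s is well-formed UTF-8, which is exactly what a UTF8-encoded
// PostgreSQL database checks when the client_encoding is UTF8.
function is_valid_utf8(string $s): bool
{
    return mb_check_encoding($s, 'UTF-8');
}

// Transcode only when needed: converting a string that is already UTF-8
// would double-encode every multibyte character (ó would become Ã³).
function geoip_to_utf8(string $s, string $assumed_source = 'ISO-8859-1'): string
{
    if (is_valid_utf8($s)) {
        return $s;
    }
    $out = iconv($assumed_source, 'UTF-8', $s);
    if ($out === false) {
        throw new RuntimeException('cannot transcode from ' . $assumed_source);
    }
    return $out;
}

// Constructed sample input: the three place names as raw ISO-8859-1 bytes,
// i.e. the byte sequences PostgreSQL rejected in the message above.
$samples = [
    "Portugal, 09, Vila Real De Santo Ant\xF3nio",
    "Norway, 08, \xC5lesund",
    "Portugal, 04, Vila Nova De Famalic\xE3o",
];

foreach ($samples as $raw) {
    $utf8 = geoip_to_utf8($raw);
    printf("raw tail %s -> %s (valid UTF-8 before: %s, after: %s)\n",
        bin2hex(substr($raw, -4)),
        $utf8,
        is_valid_utf8($raw) ? 'yes' : 'no',
        is_valid_utf8($utf8) ? 'yes' : 'no');
}
```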
[PHP] Performance of while(true) loop
Hey list,

I have a php cli script that listens on a UDP socket and, when data is sent to
the socket, the script inserts it into a database. I'm using the real BSD
socket functions, not fsock.

The script runs socket_create(), then socket_bind(). Then it starts a
while(TRUE) loop. Within the loop, it runs socket_recvfrom(). I have it running
24/7 inside a screen window.

I'm curious as to the cpu/memory/etc usage of a while(true) loop. The `top`
command shows that the process is in the sbwait state (the OS is FreeBSD). I'm
contemplating adding a usleep or even a sleep inside the loop. Would this be
beneficial? I'm not too sure of how the internals of PHP work in terms of loops
and such.

Thanks.
Re: [PHP] Performance of while(true) loop
On Wed, Sep 9, 2009 at 10:39 PM, Eddie Drapkin wrote:
> On Wed, Sep 9, 2009 at 10:32 PM, APseudoUtopia wrote:
>> Hey list,
>>
>> I have a php cli script that listens on a UDP socket and, when data is
>> sent to the socket, the script inserts it into a database. I'm using
>> the real BSD socket functions, not fsock.
>>
>> The script runs socket_create(), then socket_bind(). Then it starts a
>> while(TRUE) loop. Within the loop, it runs socket_recvfrom(). I have
>> it running 24/7 inside a screen window.
>>
>> I'm curious as to the cpu/memory/etc usage of a while(true) loop. The
>> `top` command shows that the process is in the sbwait state (the OS is
>> FreeBSD). I'm contemplating adding a usleep or even a sleep inside the
>> loop. Would this be beneficial? I'm not too sure of how the internals
>> of PHP work in terms of loops and such.
>>
>> Thanks.
>
> Is your socket blocking? If so, what's the timeout?
>
> while(true) {
>
> //wait for socket timeout
>
> }
>
> is the same as:
>
> while(true) {
>
> //read nothing from socket and sleep
>
> }
>
> Without the usleep(), the loop is going to loop as fast as your CPU
> will let it - meaning 100% CPU usage, all the time, at least in linux,
> although I'm pretty sure BSD would behave the same.
>
> As far as I'm aware, sockets in PHP behave almost identically to the
> way that they behave in C. I had an asynchronous TCP server written
> with the socket_* functions and noticed that the while(true) loop used
> 100% of the CPU because of the nonblocking sockets in use, but a
> usleep() solved that quite easily. Using blocking sockets with
> socket_select and a sane timeout relieved the high CPU usage as well.

I believe it is blocking.

Here's my socket_recvfrom:

$Recv = socket_recvfrom($Socket, $Data, 512, MSG_WAITALL, $Name, $Port);

So I think the MSG_WAITALL is causing it to block until the incoming data
connection is closed (it never reaches the 512 byte mark before it echoes the
data).

Here's the full script, minus the debugging/error catching stuff:

$Socket = socket_create(AF_INET, SOCK_DGRAM, SOL_UDP);
$Bind = socket_bind($Socket, '127.0.0.1', 1223);
while(TRUE){
    $Recv = socket_recvfrom($Socket, $Data, 512, MSG_WAITALL, $Name, $Port);
    print_r($Data);
}

As soon as the message is sent on the socket, it displays it. There's no delay
until it builds up 512 bytes or anything.

Also, I was playing around with ps and it looks like it's using 0% CPU, so I
suppose it must be blocking.

In the case that it is blocking, would it still be wise to throw a usleep in
there just to be sure?

Thanks.
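An added example, not the poster's script: the same UDP listener rewritten around socket_select() with a timeout, the approach the reply above mentions. The blocking recvfrom only runs once select() reports the socket readable, so the loop neither spins at 100% CPU nor needs a usleep(), and each timeout is a slot for periodic work. The same select() loop over two sockets (an IRC connection plus a local listening socket) is the shape the IRC-bot question earlier in the archive asks about. The address 127.0.0.1:1223 and the 512-byte cap are from the thread; the 5-second timeout and the input check are assumptions.

```php
<?php
// Added example (not from the thread). Listens on 127.0.0.1:1223 like the
// poster's script, but waits in socket_select() with a 5 s timeout (assumed
// value) instead of calling socket_recvfrom() unconditionally.

$listen = socket_create(AF_INET, SOCK_DGRAM, SOL_UDP);
if ($listen === false || !socket_bind($listen, '127.0.0.1', 1223)) {
    fwrite(STDERR, 'socket error: ' . socket_strerror(socket_last_error()) . "\n");
    exit(1);
}

$idle_ticks = 0;
while (true) {
    $read   = [$listen];    // sockets to watch; add an IRC socket here for a bot
    $write  = null;
    $except = null;

    // Sleep in the kernel until a datagram arrives or 5 seconds pass.
    $ready = socket_select($read, $write, $except, 5);
    if ($ready === false) {
        $err = socket_last_error();
        if (defined('SOCKET_EINTR') && $err === SOCKET_EINTR) {
            continue;       // interrupted by a signal: harmless, go round again
        }
        fwrite(STDERR, 'select error: ' . socket_strerror($err) . "\n");
        break;
    }
    if ($ready === 0) {
        // Timeout with nothing to read: do housekeeping here (flush a
        // batch to the database, ping the IRC server, ...).
        $idle_ticks++;
        continue;
    }

    // One datagram per call. With flags 0 instead of MSG_WAITALL a datagram
    // longer than 512 bytes is simply truncated to the buffer size.
    $from = '';
    $port = 0;
    $data = '';
    $len = socket_recvfrom($listen, $data, 512, 0, $from, $port);
    if ($len === false) {
        fwrite(STDERR, 'recvfrom error: '
            . socket_strerror(socket_last_error($listen)) . "\n");
        continue;
    }

    // Anything on this host can send to 127.0.0.1:1223, so treat the payload
    // as untrusted input and validate it before it goes near a database
    // query (assumed policy: printable ASCII only).
    if (!preg_match('/^[\x20-\x7E]{1,512}$/', $data)) {
        fwrite(STDERR, "dropped non-printable datagram from $from:$port\n");
        continue;
    }
    printf("%s:%d sent %d bytes: %s\n", $from, $port, $len, $data);
}
```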
[PHP] OOP: __construct() and "extend"
Hey list,

I'm writing my own class which extends upon the Memcached class
(php.net/memcached). I'm a bit confused as to how the constructor works when
extending a class.

class caching extends Memcached {
    function __construct() {
        echo "Caching Class Construct!";
    }
}

For something like the above code, is the Memcached constructor called? Or do
I have to explicitly call it via parent::__construct() within the caching
class?

Thanks.
Re: [PHP] MySQL ID -- what happens when you run out of range?
On Mon, Jan 25, 2010 at 10:00 PM, Michael A. Peters wrote:
> Shawn McKenzie wrote:
>> Joseph Thayne wrote:
>>> That is incorrect. What will happen is as follows:
>>>
>>> 1. The value will be incremented by 1 causing the value to be greater
>>> than the maximum integer allowed.
>>> 2. MySQL will see this as a problem and "truncate" it to the closest
>>> value.
>>> 3. MySQL will then try and insert the new row with the updated id.
>>> 4. MySQL will find that the id already exists, and will return a
>>> duplicate ID error.
>>
>> 5. A tear is rendered in the space time continuum!
>
> 6. An alternate version of Dr. Rodney McKay from an alternate universe
> appears, and goes by "Rod".

7. Then you realize that MySQL handles certain things, such as the
aforementioned problem, very badly and does not comply to standards and isn't
even ACID compliant, so you then switch to PostgreSQL instead.
Re: [PHP] protecting pages with a login system
On Thu, Mar 18, 2010 at 11:42 AM, Ashley Sheridan wrote:
> On Thu, 2010-03-18 at 11:40 -0400, David Mehler wrote:
>
>> Hi,
>> I am wanting to protect some pages by requiring a user to log in to
>> access them. I'd prefer this be as simple as possible, and without
>> requiring a database.
>> So for example when a user goes to www.domain.com/example.php they'll
>> get a page prompting for their log in credentials, and only after
>> providing them will the page display. I'd prefer to avoid basic
>> authentication dialog boxes if possible.
>> Suggestions appreciated.
>> Thanks.
>> Dave.
>
> By basic authentication dialog boxes, do you mean the sort that come
> with password protection added through the use of an .htaccess file?
>
> If that's the case, then you're left with authenticating the same way
> you'd do it with a database, but using some sort of flat file storage.
> Ideally, this flat file would be kept out of your web root for
> protection.

Unless you want to have only one (or another very small number) login. You can
make a normal HTML form, then the code that processes the $_POST data can just
compare the username and password to the "correct" username and password to
log in. You could make the valid logins into an array and compare the $_POST
data to the array of valid logins.

Also, look into sessions.
http://us.php.net/manual/en/book.session.php
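An added example, not code from either thread: a database-free login that follows this reply (an HTML form, $_POST compared against a small set of valid logins kept in a flat file outside the web root) and the cookies/sessions explanation earlier in the archive (only the PHPSESSID cookie reaches the browser; the logged-in user name lives in $_SESSION on the server). It assumes PHP 7.3 or later for the array form of session_set_cookie_params(); the credential file path and its one-"name:hash"-per-line format are constructed for the example.

```php
<?php
// Added example (not from the thread). Assumes PHP >= 7.3. The credential
// file path and format are constructed: one "name:hash" line per account,
// hashes produced with password_hash(); plain passwords are never stored.
const USERS_FILE = '/etc/myapp/users.txt';   // assumed path, outside web root

function load_users(string $path): array
{
    $users = [];
    $lines = file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    foreach ($lines ?: [] as $line) {
        [$name, $hash] = explode(':', $line, 2) + [1 => ''];
        $users[$name] = $hash;
    }
    return $users;
}

function check_login(array $users, string $name, string $password): bool
{
    // Unknown user: still run password_verify() against a throwaway hash so
    // the response time does not reveal which user names exist.
    $hash = $users[$name] ?? password_hash('no such user', PASSWORD_DEFAULT);
    return password_verify($password, $hash) && isset($users[$name]);
}

// Cookie attributes must be set before session_start(): HttpOnly keeps page
// scripts from reading the session ID, Secure keeps it off plain HTTP, and
// SameSite=Lax stops most cross-site requests from carrying it.
session_set_cookie_params([
    'lifetime' => 0, 'path' => '/', 'secure' => true,
    'httponly' => true, 'samesite' => 'Lax',
]);
session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $name = (string) ($_POST['user'] ?? '');
    $pass = (string) ($_POST['pass'] ?? '');
    if (check_login(load_users(USERS_FILE), $name, $pass)) {
        session_regenerate_id(true);   // fresh ID on login: defeats session fixation
        $_SESSION['user'] = $name;     // server side only; the password is not kept
        header('Location: ' . $_SERVER['REQUEST_URI'], true, 303);
        exit;
    }
    $error = 'Invalid user name or password';
}

if (empty($_SESSION['user'])) {
    // Not logged in: show the form instead of the protected content.
    echo '<p>', htmlspecialchars($error ?? ''), '</p>';
    echo '<form method="post">',
         '<input name="user"> <input name="pass" type="password"> ',
         '<button>Log in</button></form>';
    exit;
}

echo 'Protected page for ', htmlspecialchars($_SESSION['user']);
```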
[PHP] Global Var Disappearing After Function
Hey list,

I have a very odd problem which has been driving me crazy for two days. I've
been trying to debug my code and gave up. I finally coded a very simple
representation of what the code does, and I get the same problem. However, I
still don't understand what's causing it.

The representational code:
http://pastie.org/private/fz3lgvsjopz3dhid8cf9a

As you can see, it's very simple. A variable is set, then a function is called
which modifies the variable in the global scope. However, the modifications
CANNOT BE SEEN after the function is called.

The output from the script is here:
http://pastie.org/private/29r5mrr1k7rtqmw7eyoja

As you can see, the modifications in do_test() cannot be seen after the
function is called.

What is causing this? And how can I fix it?

Thanks!
Re: [PHP] Global Var Disappearing After Function
On Mon, Mar 22, 2010 at 5:13 PM, Peter van der Does wrote:
> On Mon, 22 Mar 2010 16:58:33 -0400
> APseudoUtopia wrote:
>
>> Hey list,
>>
>> I have a very odd problem which has been driving me crazy for two
>> days. I've been trying to debug my code and gave up. I finally coded a
>> very simple representation of what the code does, and I get the same
>> problem. However, I still don't understand what's causing it.
>>
>> The representational code:
>> http://pastie.org/private/fz3lgvsjopz3dhid8cf9a
>>
>> As you can see, it's very simple. A variable is set, then a function
>> is called which modifies the variable in the global scope. However,
>> the modifications CANNOT BE SEEN after the function is called.
>>
>> The output from the script is here:
>> http://pastie.org/private/29r5mrr1k7rtqmw7eyoja
>>
>> As you can see, the modifications in do_test() cannot be seen after
>> the function is called.
>>
>> What is causing this? And how can I fix it?
>>
>> Thanks!
>
> From PHP.net:
>
> If a globalized variable is unset() inside of a function, only the
> local variable is destroyed. The variable in the calling environment
> will retain the same value as before unset() was called. [1]
>
> [1] http://php.net/manual/en/function.unset.php

Ah ha! I was looking on the php.net/global page for hints, but didn't see any.
I should've looked on the unset page. Thanks!
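An added example, not the poster's pastie (which is not reproduced in the archive): the unset() behaviour quoted from the manual, beside the two ways that do clear a global from inside a function. The variable and function names are constructed.

```php
<?php
// Added example (not from the thread). $config and the do_test_* names are
// constructed; the behaviour shown is the one the manual quote describes.

$config = ['debug' => true];

function do_test_unset(): void
{
    global $config;      // "global" binds a local name to the global variable
    unset($config);      // destroys only that local binding; the global survives
}

function do_test_assign(): void
{
    global $config;
    $config = null;      // writes through the binding, so the global changes
}

function do_test_globals(): void
{
    unset($GLOBALS['config']);   // removes the global entry itself
}

function global_config_state(): string
{
    return isset($GLOBALS['config']) ? 'set' : 'not set';
}

// After do_test_unset() the global is unchanged, which is the puzzle in the
// thread; the other two functions are the fixes.
do_test_unset();
echo 'after unset():            ', global_config_state(), "\n";
do_test_assign();
echo 'after assigning null:     ', global_config_state(), "\n";
$config = ['debug' => true];
do_test_globals();
echo "after unset(\$GLOBALS[..]): ", global_config_state(), "\n";
```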
Re: [PHP] File encryption under PHP
On Thu, Apr 1, 2010 at 3:47 PM, Paul M Foster wrote:
> Folks:
>
> If I wanted to encrypt a file in PHP and then write it out to disk
> (one-way encryption, requiring a password), what PHP built-ins might you
> recommend to encrypt the contents of the file before writing it out to
> disk?
>
> Paul

I use the MCrypt extension to encrypt strings (login hashes in cookies, other
such things). I don't see why you couldn't read the file into a string and
then use mcrypt. You'd have to play with it though. Like make sure performance
doesn't degrade massively for large files (rather than small strings), as well
as making sure everything is binary-safe.
Re: [PHP] File encryption under PHP
On Thu, Apr 1, 2010 at 4:05 PM, Ashley Sheridan wrote:
> On Thu, 2010-04-01 at 16:04 -0400, Paul M Foster wrote:
>
>> On Thu, Apr 01, 2010 at 08:45:53PM +0100, Ashley Sheridan wrote:
>>
>>> On Thu, 2010-04-01 at 15:47 -0400, Paul M Foster wrote:
>>>
>>> Folks:
>>>
>>> If I wanted to encrypt a file in PHP and then write it out to disk
>>> (one-way encryption, requiring a password), what PHP built-ins might
>>> you recommend to encrypt the contents of the file before writing it out
>>> to disk?
>>>
>>> Paul
>>>
>>> --
>>> Paul M. Foster
>>>
>>> I don't think you want one-way encryption, that would mean you can't
>>> unencrypt it!
>>
>> Then "one-way encryption" would be something no one would do. I must be
>> using the wrong term. What I mean is that it needs a password, which is
>> used to encrypt and decrypt the file.
>>
>>> What about the usual functions for encrypting strings in PHP? Couldn't you
>>> encrypt the file as a string and output that? Or did you want the file to
>>> request a password when it was opened? What about a password-protected
>>> compressed archive file?
>>
>> Well, when you say, "usual functions for encrypting strings in PHP",
>> what are my options there? And which are the best (most secure) methods?
>> It looks like mcrypt_*() will do the job, but there are 20-30
>> algorithms, and I have no idea which are the most secure. Or would
>> something else be better (than mcrypt_*())?
>>
>> Paul
>>
>> --
>> Paul M. Foster
>
> There's a good reason for one-way encryption. The crypt function in PHP
> is one-way, and the use case is to compare an entered password without
> the encrypted password ever being unencryptable.
>
> Thanks,
> Ash

Technically, "one-way encryption" is called hashing, as encryption by
definition is two-way.
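An added example, not the thread's code: the two-way, password-protected file encryption Paul describes, done with openssl_encrypt() in place of the mcrypt_*() functions discussed (mcrypt is no longer bundled with PHP). The key is derived from the password with PBKDF2 and the cipher is AES-256-GCM, so a wrong password or a tampered file fails the tag check instead of decrypting into garbage, and the whole file is read into a string as the earlier reply suggests. It assumes PHP 7.1 or later; the on-disk layout, the iteration count and the file names are constructed for the example.

```php
<?php
// Added example (not from the thread). Assumes PHP >= 7.1 (AEAD support in
// openssl_encrypt()). The "PBE1" container layout is constructed here.
const KDF_ITERATIONS = 200000;   // assumed work factor; raise as hardware allows

function encrypt_file(string $in, string $out, string $password): void
{
    $plain = file_get_contents($in);   // whole file as a binary-safe string
    if ($plain === false) { throw new RuntimeException("cannot read $in"); }
    $salt = random_bytes(16);          // per-file salt: same password, different key
    $iv   = random_bytes(12);          // 96-bit GCM nonce, never reused with one key
    $key  = hash_pbkdf2('sha256', $password, $salt, KDF_ITERATIONS, 32, true);
    $tag  = '';
    $ct   = openssl_encrypt($plain, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) { throw new RuntimeException(openssl_error_string()); }
    // Layout: magic(4) | salt(16) | iv(12) | tag(16) | ciphertext
    file_put_contents($out, 'PBE1' . $salt . $iv . $tag . $ct, LOCK_EX);
}

function decrypt_file(string $in, string $out, string $password): void
{
    $blob = file_get_contents($in);
    if ($blob === false || strlen($blob) < 48 || substr($blob, 0, 4) !== 'PBE1') {
        throw new RuntimeException("$in is not a PBE1 file");
    }
    $salt = substr($blob, 4, 16);
    $iv   = substr($blob, 20, 12);
    $tag  = substr($blob, 32, 16);
    $ct   = substr($blob, 48);
    $key  = hash_pbkdf2('sha256', $password, $salt, KDF_ITERATIONS, 32, true);
    $plain = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($plain === false) {
        // GCM tag mismatch: wrong password or modified ciphertext. Nothing is
        // written, so a corrupted file never replaces good data.
        throw new RuntimeException('decryption failed: bad password or corrupted file');
    }
    file_put_contents($out, $plain, LOCK_EX);
}

// Demo round trip on a constructed temp file; the NUL and 0xFF bytes check
// that the path is binary-safe, the concern raised in the earlier reply.
$src = tempnam(sys_get_temp_dir(), 'pbe');
file_put_contents($src, "secret\x00binary\xFFdata\n");
encrypt_file($src, "$src.enc", 'correct horse battery staple');
decrypt_file("$src.enc", "$src.dec", 'correct horse battery staple');
echo 'round trip intact: ',
    file_get_contents($src) === file_get_contents("$src.dec") ? 'yes' : 'no', "\n";
try {
    decrypt_file("$src.enc", "$src.bad", 'wrong password');
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```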
[PHP] PHP Image Host - Sending HTTP Headers Twice?
I have a php script which serves an image. It's very simple:

header('Content-Type: image/' . $ImageData['content_type']);
readfile($File);

When viewing the script with the Firefox extension LiveHTTPHeaders, it gives
the following output for a SINGLE request:

--
https://domain.tld/img.php?i=260

GET /img.php?i=260 HTTP/1.1
Host: domain.tld
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: UTF-8,*
Keep-Alive: 115
Connection: keep-alive
Cookie: session=blahblah
Cache-Control: max-age=0

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 10 May 2010 20:17:09 GMT
Content-Type: image/jpeg
Transfer-Encoding: chunked
Connection: keep-alive
--
https://domain.tld/img.php?i=260

GET /img.php?i=260 HTTP/1.1
Host: domain.tld
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: UTF-8,*
Keep-Alive: 115
Connection: keep-alive

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 10 May 2010 20:17:10 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Content-Encoding: gzip
--

As you can see, the browser is requesting the image twice, and PHP is sending
two different Content-Type headers. Why is this?
[PHP] Memcached as Session Handler
Hey list,

I run a website that integrates MemCache, MySQL, and PHP sessions very heavily.
I recently came across some documentation on the PHP site that informs me that
I can use MemCache as the session.save_handler, instead of files.

I know there would be no redundancy of the session data with this type of
setup, in the event that the MemCache daemon fails. However the website is run
on a single server and a single MemCache daemon, with a single IDE HDD.

I'm curious as to if anyone else uses MemCache as the session.save_handler?
What are the pros and cons of doing this? I figured it would help out with disk
I/O and overall performance because MemCache would be much faster than the IDE
drive, and I update/reference the $_SESSION data very often.

Thanks!