Re: [PHP] Session Problem
Brad Bonkoski wrote:
> How do you move from one page to the other? You have to pass the
> session along, I believe..
> Something like:
> $s = SID; // session constant
> page2.php?$s

You only need to pass the session identifier in the query string if you aren't using cookies. By default, sessions will be handled with cookies, so they work transparently.

I suspect, as others have suggested, that there is a path/permission problem and the session data is not getting saved.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Re: Securing user table with sha function
Haydar Tuna wrote:
> 1) If you protect your site from SQL Injection, you must replace all quote
> and blank character in your form data. (with string functions)

A better approach is data inspection. For example, if you know a field should only ever contain letters, you can use ctype_alpha() to confirm that. Since alpha characters would never create a script injection, you don't even need to do anything further with it. If you need to allow dangerous characters, use an appropriate escaping algorithm. I work with MySQL all the time, so I use the real_escape_string() method of the mysqli object when necessary.

The conceptual key to writing secure applications is understanding that ALL input is tainted (i.e. potentially dangerous). This includes the results of database queries. Your PHP application has no way to know the data coming out of the database is positively safe. Using inspection and escaping as appropriate, you transform tainted data into safe data. I will often do so this way:

$mysql = array();

if (isset($_POST['firstName']) && ctype_alpha($_POST['firstName']))
    $mysql['firstName'] = $_POST['firstName'];

if (isset($_POST['comments']))
    // $database holds a mysqli object
    $mysql['comments'] = $database->real_escape_string($_POST['comments']);

From this point onward in my application, all operations work with the values in the $mysql array, because I have either confirmed it as safe or escaped it appropriately.

> 3) if comparing passwords are true, then you must use session variables for
> username

You don't have to, but it's generally convenient to do so. You should be aware of session hijacking and place safeguards in the session data, such as checking IP and/or user agent.

> 4) if user forget his or her password, you can send email to the user when
> the user answer password protected question.

Kinda impossible if the password is hashed, isn't it? What a strange thought, though. I guess all those sites with password reminder functions have the password stored in plain text somewhere.
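An added example (not code from the list post) that carries the inspect-then-escape idea above through to the query: each POST field is checked against a whitelist rule, and the free-text values are handed to a parameterized INSERT as bound parameters rather than escaped with real_escape_string(), since binding can be shown without a live mysqli connection. The field names, rules and sample request are constructed.

```php
<?php
// Added example, not code from the original post: inspect POST fields against
// per-field whitelist rules, then hand the survivors to a parameterized INSERT.
// '?' placeholders stand in for the poster's real_escape_string() so this runs
// without a live mysqli connection. Field names and rules are constructed.
// Inspect one field; null means "rejected, do not use".
function inspectField(array $post, string $name, string $rule, int $maxLen = 255): ?string
{
    if (!isset($post[$name]) || !is_string($post[$name]) || strlen($post[$name]) > $maxLen) {
        return null;
    }
    $value = $post[$name];
    switch ($rule) {
        case 'alpha': return ctype_alpha($value) ? $value : null;
        case 'digit': return ctype_digit($value) ? $value : null;
        case 'email': return filter_var($value, FILTER_VALIDATE_EMAIL) !== false ? $value : null;
        case 'text':  return $value; // free text: safe only as a bound parameter
        default:      return null;   // unknown rule: fail closed
    }
}
// Apply a rule map to the request; returns [accepted values, rejected field names].
function inspectPost(array $post, array $rules): array
{
    $accepted = $rejected = [];
    foreach ($rules as $name => $rule) {
        $value = inspectField($post, $name, $rule);
        if ($value === null) { $rejected[] = $name; continue; }
        $accepted[$name] = $value;
    }
    return [$accepted, $rejected];
}
// Column names come from the trusted rule map; values travel as '?' parameters
// and are never concatenated into the SQL text.
function buildInsert(string $table, array $clean): array
{
    $cols = array_keys($clean);
    $sql = sprintf('INSERT INTO `%s` (`%s`) VALUES (%s)', $table,
        implode('`, `', $cols), implode(', ', array_fill(0, count($cols), '?')));
    return [$sql, array_values($clean)];
}
// Constructed request: firstName fails ctype_alpha() (a legitimate "O'Brien" would
// too, which is why free text belongs in a bound parameter, not a whitelist).
$post = ['firstName' => "Robert'--", 'age' => '42', 'email' => 'r@example.com',
         'comments' => "O'Reilly wrote \"hi\""];
[$clean, $bad] = inspectPost($post, ['firstName' => 'alpha', 'age' => 'digit',
                                      'email' => 'email', 'comments' => 'text']);
[$sql, $params] = buildInsert('users', $clean); // $params keeps the quotes intact for bind_param()
```

The rejected-field list is what the application would feed back to the user; the accepted values and SQL go to mysqli_stmt::prepare() and bind_param(), which send values separately from the statement text.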
[PHP] Re: Securing user table with sha function
Tim wrote:
> Now moving on into other aspects of security :P I was thinking of a way to
> secure my login inputs the best way possible. [...]

Maybe I'm missing something, but why not simply inspect and clean input to ensure that it's always properly escaped and safe to send to your database? It seems to me that's the most sensible way to address SQL injection. Hashing the data in your database has drawbacks, and anyway, do you want them to see even hashed data? I sure don't.
Re: [PHP] counting hyperlink clicks in php
Brad Bonkoski wrote:
> I think the best way to do this would be to set an onClick (Javascript)
> event handler for each of the links, and then use AJAX style stuff to
> send the information to PHP on the server side, then PHP can log the
> link that was clicked, and keep track of the most clicked links.

The only problem with this suggestion is the dependency on Javascript. This would not count clicks from browsers that don't support JS or from users who have disabled it in their browsers.
Re: [PHP] css in mail()
Sancar Saran wrote:
> $mail="
>
>
> Title
> ".$data."
>
>
> Html content
>
> ";

I stopped being a designer quite a long time ago, and I never learned how to compose HTML e-mail because I think it's a blight. I do, however, work with some talented designers, and they (and Google) tell me that the above is basically a terrible idea. Apparently e-mail clients do not support properly formed HTML very well. It is suggested not to use tags or a (most clients apparently strip the HTML header). The CSS should be inlined in the body, as wrong as that is in HTML/XHTML.
[PHP] Re: Change in 5.2.1 re. parsing of URL
Lewis Kapell wrote:
> http://www.mydomain.com/mypage.php/phonypage.pdf
>
> In this example there is a PHP script called mypage.php which serves
> up a PDF. Putting the extra text at the end of the URL makes it
> appear to the user's browser that the URL ends with '.pdf' rather
> than '.php'. We introduced this hack at my company because a few
> users were unable to view pages containing PDF or RTF content,
> presumably because of some combination of browser and/or firewall
> settings.

This is the proper way to handle this. If it doesn't work, the user's browser is misconfigured.
[PHP] Re: re another hand wringer
jekillen wrote:
> for($i = 0; $i < $flen; $i++) // now it works
> {
>     array_push($edata, $_POST["a_$z"]);
>     print $_POST["a_$z"].''; // prints all values.
>     $z++;
> };

I recommend you consider changing your loop to:

for ($i = 1; $i <= $flen; $i++) {
    array_push($edata, $_POST["a_$i"]);
    print $_POST["a_$i"] . "\n";
}

There is no need whatsoever for a $z variable. It's just a waste of memory (albeit a little bit of memory, but why?). :) You're already iterating a loop, why not use the loop counter for your index? It'll make the code more readable too.
[PHP] Re: WHERE problem
How about this instead, Mike?

"%s"-Omniversalism.com', $fortune[0] );
// some more code
?>

MySQL is implemented in random code, so it can probably perform this operation faster, and this code is much cleaner.

You may want to move away from mysql since it's essentially deprecated. I have switched to mysqli and prefer it.
Re: [PHP] Re: Change in 5.2.1 re. parsing of URL
Lewis Kapell wrote:
> We are already using the Content-type header (I should have mentioned
> that in my first message).

Hmmm. So you have a PHP script that sets the mimetype correctly and then outputs straight PDF data, but the user's browser does not accept it as a PDF because the extension of the script is PHP? I find that strange.

If you can't find a better solution (something weird is going on in my mind) maybe a work-around is mod_rewrite? You could link to the PHP script with a PDF extension and then rewrite it to the PHP extension behind the scenes.

> And to say that the user's browser is misconfigured is no solution,
> since we don't have the ability to reconfigure it. If all of our
> users were on a local network there would be no problem. But that's
> not our situation.

I agree it's not a solution, but client misconfiguration is difficult, often impossible, to solve with server-side scripting. If you could identify the misconfiguration, your site could offer a how-to document to instruct users how to configure their software correctly.
Re: [PHP] pictures stored in PostgreSQL DB
Alain Roger wrote:
> I know how to do that for 1 picture. But i want to display the pictures as
> thumbnail... so several pictures on the same PHP pages, with some texts.

Seems to me that Matt's suggestion is perfectly applicable. You could simply add tags as necessary, each with the call to the other script with the correct parameter.
[PHP] Re: Matching logins to an old htpasswd file
Ryan A wrote:
> Hey, I have an old htpasswd file with a lot of logins in this format:
>
> test:dGRkPurkuWmW2 (test:test) test1:dGlAW3zdxeAG2 (test1:test1)
>
> now I have a login form that takes a POST "user" and a POST "pw"...
> but if you look at my above first example login.. the username and
> pass are "test:test" but it gets encoded into "test:dGRkPurkuWmW2" so
> how do I try to match the data I get from the POST "pw" field when
> that will come in as normal text?

Hi, Ryan.

I did some research on this. As I recollected, the .htpasswd entries are saved using the hashing performed by PHP's crypt() function. The function requires a salt, which appears to be the string 'dG' in the .htpasswd data you provided. Here's some example code to use this.

<?php
// represents the entries read from the .htpasswd file
$htpasswordData = array('test' => 'dGRkPurkuWmW2', 'test1' => 'dGlAW3zdxeAG2');

// represents logins as they would be supplied by users
$logins = array(array('name' => 'test', 'password' => 'test'),
                array('name' => 'test1', 'password' => 'test1'));

foreach ($logins as $login) {
    if (isset($htpasswordData[$login['name']])) {
        // the first two characters of the stored hash are the salt
        $salt = substr($htpasswordData[$login['name']], 0, 2);
        $suppliedPasswordHash = crypt($login['password'], $salt);
        if ($suppliedPasswordHash === $htpasswordData[$login['name']]) {
            echo "User {$login['name']} logged in.";
        } else {
            echo "Wrong password. Access denied.";
        }
    } else {
        echo "No such user.";
    }
}
?>
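An added example (not code from the list post) that generalizes the reply above: the same salt-and-recompute check, but reading a whole .htpasswd file and dispatching on the hash format Apache's htpasswd tool wrote (traditional DES crypt as in the thread, {SHA}, and bcrypt), with a constant-time comparison. The two DES entries are the ones quoted in the thread; the {SHA} and bcrypt lines are constructed here, and the $apr1$ format is reported as unverifiable because PHP's crypt() does not implement it.

```php
<?php
// Added example, not code from the original post: verify a login against
// .htpasswd lines in the formats Apache's htpasswd tool writes. The DES-crypt
// entries are the ones quoted in the thread; the {SHA} and bcrypt entries are
// constructed. $apr1$ (Apache's MD5 variant) is not implemented by PHP's crypt().
// Parse "user:hash" lines into an array keyed by user name.
function parseHtpasswd(string $contents): array
{
    $users = [];
    foreach (preg_split('/\R/', $contents) as $line) {
        if ($line === '' || $line[0] === '#' || strpos($line, ':') === false) {
            continue;
        }
        [$user, $hash] = explode(':', $line, 2);
        $users[$user] = $hash;
    }
    return $users;
}
// Recompute the hash in the scheme the stored value uses, then compare in
// constant time. Unknown user, unknown scheme and wrong password all give false.
function checkHtpasswd(array $users, string $user, string $password): bool
{
    if (!isset($users[$user])) {
        return false;
    }
    $stored = $users[$user];
    if (strncmp($stored, '{SHA}', 5) === 0) {
        $candidate = '{SHA}' . base64_encode(sha1($password, true));
    } elseif (strncmp($stored, '$apr1$', 6) === 0) {
        return false;                                // scheme not available here
    } elseif ($stored[0] === '$') {
        $candidate = crypt($password, $stored);      // $2y$, $1$, $5$, $6$: hash carries its own salt
    } elseif (strlen($stored) === 13) {
        $candidate = crypt($password, substr($stored, 0, 2)); // traditional DES crypt, as in the thread
    } else {
        return false;
    }
    return hash_equals($stored, $candidate);
}
// Constructed file: the first two lines are the thread's own entries.
$file = "test:dGRkPurkuWmW2\n"
      . "test1:dGlAW3zdxeAG2\n"
      . "sha:{SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M=\n"                 // htpasswd -s, password "test"
      . "bc:" . password_hash('secret', PASSWORD_BCRYPT) . "\n";  // htpasswd -B
$users = parseHtpasswd($file);
var_dump(checkHtpasswd($users, 'test', 'test'), checkHtpasswd($users, 'sha', 'test'),   // right passwords
         checkHtpasswd($users, 'bc', 'secret'), checkHtpasswd($users, 'test1', 'wrong'), // right, wrong
         checkHtpasswd($users, 'nobody', 'x'));                                          // unknown user
```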