php-general Digest 23 Nov 2006 06:27:32 -0000 Issue 4475

Topics (messages 245057 through 245077):

Re: Coding Standards Document
        245057 by: Børge Holen

Re: security question
        245058 by: Richard Lynch
        245070 by: Jon Anderson
        245073 by: Sumeet
        245074 by: Sumeet
        245075 by: Robert Cummings
        245076 by: Larry Garfield

Re: what settings I have to use in php 5.1.2?
        245059 by: Richard Lynch
        245063 by: Jochem Maas
        245066 by: afan.afan.net

Re: Encoding
        245060 by: Richard Lynch
        245071 by: Nuno Vaz Oliveira

Re: backing up a database
        245061 by: Richard Lynch

Re: problem using imagejpeg function all
        245062 by: Richard Lynch

Re: Little script that might help against some email-/webcrawlers
        245064 by: Jonesy

Re: Powered by?
        245065 by: Richard Lynch
        245069 by: Paul Novitski

Programmatic POST
        245067 by: Gabe
        245068 by: Brad Fuller
        245072 by: Manuel Lemos
        245077 by: Vincent DUPONT

Administrivia:

To subscribe to the digest, e-mail:
        [EMAIL PROTECTED]

To unsubscribe from the digest, e-mail:
        [EMAIL PROTECTED]

To post to the list, e-mail:
        [email protected]


----------------------------------------------------------------------
--- Begin Message ---
On Wednesday 22 November 2006 16:31, tedd wrote:
> At 7:14 PM -0500 11/21/06, Robert Cummings wrote:
> >On Tue, 2006-11-21 at 16:19 -0500, tedd wrote:
> >>  It seems that every time I ask a security question, I find that I'm
> >>  currently practicing the answers to avoid the pit-falls.
> >
> >Except that one time when his site got defaced... that was news ;) ;)
> >
> >Cheers,
> >Rob.
>
> Rob:
>
> Good point, but that was a problem my host had and not something that
> was my fault. It seems that everyone who hosted with that company had
> every file that even contained the word "index" replaced. I keep a
> redirect index in every folder, so I had well over 200 indexes to
> replace -- joy, joy.
>
> Since then, that host has not answered any of my emails, but I can't
> complain too much because I use very inexpensive hosts for my test
> sites.
>
> You see, I'm at the other end of the spectrum than you guys. You can
> afford high-priced host, but I can't -- you probably can't guess as
> to how cheap I can buy hosting -- it's unbelievable.

Everyone can set up a cheapass old Pentium to use as a test host.
These crappy hosting sites never put in any fine-crafted Unix tools nor any 
SSH support.
Anyway, point is: it's free.

>
> However, when it comes to providing a client with a host, that's a
> different matter and it's their cost, not mine -- for I can (and do)
> work with much less.
>
> Cheers,
>
> tedd
> --
> -------
> http://sperling.com  http://ancientstones.com  http://earthstones.com

-- 
---
Børge
Kennel Arivene 
http://www.arivene.net
---

--- End Message ---
--- Begin Message ---
On Wed, November 22, 2006 11:20 am, Alain Roger wrote:
> Now that i finished the client side of the web application i would
> like to improve the security of my administration side of this web
> application.
> My web hoster supports a shared SSL protocol, however i would like to
> do more than simply use the SSL...

I think the amazing thing is that you just used "simply" and "SSL" in
the same sentence... :-)

SSL is a VERY safe way to ensure that the data traveling from the
browser to the server, and data going back from server to browser, is
secure in transit.

SSL is pretty much the armored truck ploughing its way through the
Internet, shedding bullets like a duck sheds water.

> I've heard that cookies and sessions can be easily hacked...so what do
> you
> use to secure your web page.
> which methods ?

With SSL in place, you have reduced your vulnerabilities to,
essentially, the "endpoints" of the communication:
  who has access to the browser/client
  who has access to the webhost/server

The sentence "cookies can be easily hacked" is true in the sense that
anybody who can get ahold of your laptop/desktop can add cookie files.

Or, if they can run a virus on it, they can install any cookie files
they like, for any site.

There is very very very little you can do to secure the computers of
your users, even your admin users.  Probably your best bet is to
EDUCATE those users, as early and often as you can, about safe
computer practices.

You should also be very careful to use sensible things in your Cookies
-- Actually, with PHP, you should send JUST ONE cookie for your entire
site, and track everything else you need in your $_SESSION data.

Okay, if you've installed some "forum" software or something, maybe
integrating its authentication into your main login is a Bad Idea, so
you can have "extra" cookies for the forum.  Though most forum
software comes with its own whole new set of Security issues. :-(

The sessions getting hacked generally mostly boils down to the session
getting hijacked by a compromised client/browser (see above), or
somebody who already can login to the webhost/server -- at which point
the session itself is a tiny part of a much bigger problem, which is
the whole SERVER is compromised.

My best advice would be to use *ONE* session_start() in a single
include file, probably the same way you are doing your DB connection,
and let PHP experts worry about the mechanics of sending a "good"
cookie.

You may want to use http://php.net/session_set_cookie_params to require that
your SSL cookie ONLY go through SSL, though.

You then "only" need to focus on the parts of the process that you
scripted in PHP.

Your authentication, for example, should be simple and straightforward
enough that you can sit down and test it in an afternoon and be
absolutely certain that you can't manage to get "through" to anything
you shouldn't, without a valid username/password.

Other things to consider:
Educate users about what is or isn't a Good Password.
Attempt to steer users away from using Bad Passwords.

Read this site over and over until you internalize it:
http://phpsec.org/

And, just a general note, not directed at the question/post/Alain:

Security is not something one can just slap on to the site after one
finishes it -- It has to be a living breathing process that is in
symbiosis with the life-cycle of the project.

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

--- End Message ---
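The advice above (one session_start() in a single include, one cookie for the whole site, the cookie restricted to SSL via session_set_cookie_params) as an added example. This is not Richard's code or anything from the thread; it assumes the admin area lives under /admin/, is served over HTTPS, and that PHP is 5.2 or later for the httponly argument.

```php
<?php
// Added example (not Richard's code): one bootstrap include, required at the
// very top of every admin page before any output, that configures the single
// session cookie PHP sends and calls session_start() exactly once.
// Assumptions: the admin area lives under /admin/ and is served over HTTPS,
// and PHP >= 5.2 (the httponly argument of session_set_cookie_params).

// Refuse to work at all without SSL; otherwise the session cookie (and the
// login form) would cross the network in the clear.
if (empty($_SERVER['HTTPS']) || strtolower($_SERVER['HTTPS']) === 'off') {
    header('HTTP/1.1 403 Forbidden');
    exit('This area is only available over HTTPS.');
}

// The session id travels only in the cookie, never in URLs or request
// parameters, so it does not end up in logs, referrers or bookmarks.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');

// lifetime 0   : cookie lives until the browser closes
// path /admin/ : not sent to the public part of the site
// domain ''    : current host only
// secure true  : browser sends it over SSL only (the point made above)
// httponly true: not readable by JavaScript, limiting what an XSS bug can steal
session_set_cookie_params(0, '/admin/', '', true, true);

session_start();

// Called after the username/password check succeeds. A fresh id on login
// means a session id planted in the browser beforehand never becomes an
// authenticated one.
function login_user($user_id)
{
    session_regenerate_id(true);
    $_SESSION['user_id']    = (int) $user_id;
    $_SESSION['login_time'] = time();
}

// Every admin page calls this first; no user id in the session, no access.
function require_login()
{
    if (empty($_SESSION['user_id'])) {
        header('Location: /admin/login.php');
        exit;
    }
}
```

Each admin page starts with `require 'bootstrap.php'; require_login();` (hypothetical file name); the login page calls `login_user($id)` once the credentials check out. Because the cookie parameters are set in exactly one place, an afternoon of testing the login page really does cover the whole site's session handling.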
--- Begin Message ---
Alain Roger wrote:
> I've heard that cookies and sessions can be easily hacked...so what do you
> use to secure your web page.
> which methods ?

If you want to be secure, don't trust anything. Cookies are easily modified by a user, so never store anything sensitive in there without masking it well. Personally, I don't like $_SESSION either, 'cause it doesn't work across clustered servers by default, and isn't usually terribly secure on a shared web host.

I tend to use hashed data in the cookie for anything that needs to be semi-secure, and store everything sensitive in a database, one-way hashed wherever possible.

jon

--- End Message ---
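Jon's "hashed data in the cookie" as an added example (not Jon's code): the usual way to make a cookie readable by the user but not forgeable is a keyed hash (HMAC) over its contents with a secret only the server knows. The cookie carries just a user id and an expiry, the sensitive data stays in the database as he suggests. The secret below is a constructed placeholder; hash_hmac needs PHP 5.1.2 or later.

```php
<?php
// Added example, not Jon's code: a cookie value bound to a server-side secret
// with an HMAC, so the user can read it but cannot forge or alter it. The
// cookie carries only a user id and an expiry; anything sensitive stays in the
// database. Assumes PHP >= 5.1.2 (hash_hmac). The secret below is a
// constructed placeholder; in deployment load it from a file outside the
// web root and keep it out of version control.
define('COOKIE_SECRET', 'replace-me-with-32-random-bytes-from-/dev/urandom');

// Compare two strings without leaking, via timing, how many leading bytes
// matched (hash_equals() does this from PHP 5.6 onwards).
function constant_time_equals($a, $b)
{
    if (strlen($a) !== strlen($b)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($a); $i < $n; $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

// Produces "user_id|expires|hmac".
function sign_cookie_value($user_id, $expires)
{
    $payload = (int) $user_id . '|' . (int) $expires;
    return $payload . '|' . hash_hmac('sha256', $payload, COOKIE_SECRET);
}

// Returns the user id, or false if the value is malformed, tampered or expired.
function verify_cookie_value($value)
{
    $parts = explode('|', (string) $value);
    if (count($parts) !== 3) {
        return false;
    }
    list($user_id, $expires, $mac) = $parts;
    if (!ctype_digit($user_id) || !ctype_digit($expires)) {
        return false;
    }
    $expected = hash_hmac('sha256', $user_id . '|' . $expires, COOKIE_SECRET);
    if (!constant_time_equals($expected, $mac)) {
        return false;   // any change to user_id or expires breaks the MAC
    }
    if ((int) $expires < time()) {
        return false;   // the expiry is covered by the MAC, so it cannot be extended
    }
    return (int) $user_id;
}

// Issuing after a successful login, with the secure and httponly flags:
//   setcookie('auth', sign_cookie_value(42, time() + 3600), 0, '/', '', true, true);
// Reading on a later request:
//   $uid = isset($_COOKIE['auth']) ? verify_cookie_value($_COOKIE['auth']) : false;

// Self-check with constructed values: the genuine value verifies, the same
// value with the user id edited does not.
$good = sign_cookie_value(42, time() + 3600);
$bad  = '43' . substr($good, 2);
assert(verify_cookie_value($good) === 42);
assert(verify_cookie_value($bad) === false);
```

A plain unkeyed hash (md5 of the user id, say) would not do: anyone can compute it for any user id. The HMAC only works because the secret never leaves the server, which is also why it must not sit in a world-readable file on a shared host.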
--- Begin Message ---
dear richard,

yours was an amazing reply... simple and true ....and well written...

where did u learn all the stuff?... ;-)

anyway. is there a step by step process for checking if your site is secure?... i know you would say to get a hacker or something... but as a programmer, i would like to know (some) more info...

i use GET instead of POST for most of the forms... even in a shopping cart or admin panel... do u think that is risky?

one of the biggest threats is sql injections and now xml injections... but can u give some more info... like what commands do i need to use and what part of the website do i need to check?...

what is penetration and black box testing for a php website....?

is there any software for this kind of testing... some part of the process can be automated... like grabbing all the links or urls and purposely bombarding them with sql statements.

if i do the same from a professional, what should be an average cost for testing a website for security?...

also
> Security is not something one can just slap on to the site after one
> finishes it -- It has to be a living breathing process that is in
> symbiosis with the life-cycle of the project.
>

that is a beautiful statement...

thanks a lot...

sumeet


Richard Lynch wrote:
> On Wed, November 22, 2006 11:20 am, Alain Roger wrote:
>> Now that i finished the client side of the web application i would
>> like to improve the security of my administration side of this web
>> application.
>> My web hoster supports a shared SSL protocol, however i would like to
>> do more than simply use the SSL...
>
> I think the amazing thing is that you just used "simply" and "SSL" in
> the same sentence... :-)
>
> SSL is a VERY safe way to ensure that the data traveling from the
> browser to the server, and data going back from server to browser, is
> secure in transit.
>
> SSL is pretty much the armored truck ploughing its way through the
> Internet, shedding bullets like a duck sheds water.
>
>
> Security is not something one can just slap on to the site after one
> finishes it -- It has to be a living breathing process that is in
> symbiosis with the life-cycle of the project.



--
Thanking You

Sumeet Shroff
http://www.prateeksha.com
Web Designers and PHP / Mysql Ecommerce Development, Mumbai India

--- End Message ---
--- Begin Message ---
Western, Matthew wrote:
> > where did u learn all the stuff?... ;-)
> Maybe reading the manual?

thanks matthew,

maybe we should all refer to forum and google, and stop posting in this forum.... can u please start first...

thanks anyway...man....i needed some silly sarcastic comments to get past my day.

--
Thanking You

Sumeet Shroff
http://www.prateeksha.com
Web Designers and PHP / Mysql Ecommerce Development, Mumbai India

--- End Message ---
--- Begin Message ---
On Thu, 2006-11-23 at 09:56 +0530, Sumeet wrote:
> Western, Matthew wrote:
> >  
> >> where did u learn all the stuff?... ;-)
> > Maybe reading the manual?
> 
> thanks matthew,
> 
> maybe we should all refer to forum and google

Teach a man to fish...

Cheers,
Rob.
-- 
.------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting  |
| a powerful, scalable system for accessing system services  |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for       |
| creating re-usable components quickly and easily.          |
`------------------------------------------------------------'

--- End Message ---
--- Begin Message ---
On Wednesday 22 November 2006 22:38, Robert Cummings wrote:

> > maybe we should all refer to forum and google
>
> Teach a man to fish...

And you lose your monopoly on fisheries.

-- 
Larry Garfield                  AIM: LOLG42
[EMAIL PROTECTED]               ICQ: 6817012

"If nature has made any one thing less susceptible than all others of 
exclusive property, it is the action of the thinking power called an idea, 
which an individual may exclusively possess as long as he keeps it to 
himself; but the moment it is divulged, it forces itself into the possession 
of every one, and the receiver cannot dispossess himself of it."  -- Thomas 
Jefferson

--- End Message ---
--- Begin Message ---
On Wed, November 22, 2006 11:10 am, [EMAIL PROTECTED] wrote:
> the company I work for is moving our web server to another hosting company
> (dedicated server). we use php 5.1.2, apache 2.2, mysql 5.0.18, and I
> wonder what else I have to change in php.ini settings?
>
> register_globals is Off
> magic_quotes_gpc is Off
>
> what else do you recommend?

It depends on what the application does or doesn't do.

If it never ever sends out email, get rid of the sendmail stuff in
php.ini, so there's no chance of a silly mistake leading to sending
bulk email.

If you never need to use PHP to read content from a URL, turn off
allow_url_fopen.

Moving to a dedicated server is great for performance/features, but if
you're inexperienced as a sysadmin, you might want to consider hiring
a local sysadmin to help out.

And, of course, there are a TON of things you can (and I should) read
about sysadmin work, security, and more security.  Finding the time to
DO that, however, can be problematic.

I personally work very very very hard to be sure that I have to admin
a minimum number of boxes with very limited functionality, and foist
off any generalized sysadmin work to a shared host, for precisely the
reason that I *know* my limitations in being a sysadmin. :-)

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

--- End Message ---
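The php.ini settings discussed in this thread (register_globals, magic_quotes_gpc, allow_url_fopen, the sendmail side of things) can be verified on the new server rather than assumed. The script below is an added example, not from any of the posters; the list of settings and the reasons given are this example's own and should be adapted to what the application actually needs.

```php
<?php
// Added example, not from the thread: a script that checks the php.ini
// settings discussed above on the interpreter it runs under. The CLI and
// the Apache module can read different php.ini files, so run it through
// the web SAPI as well (in a page you delete afterwards).

// Normalise the strings ini_get() returns ("", "0", "Off", "1", "On", ...)
// to a boolean.
function ini_bool($name)
{
    $v = strtolower(trim((string) ini_get($name)));
    return !in_array($v, array('', '0', 'off', 'no', 'false', 'none'), true);
}

// Each entry: setting => array(expected value, reason). The list is this
// example's own choice.
$boolean_checks = array(
    'register_globals'         => array(false, 'request parameters overwrite script variables'),
    'magic_quotes_gpc'         => array(false, 'false sense of SQL-injection protection; escape per query instead'),
    'allow_url_fopen'          => array(false, 'fopen/include of remote URLs; leave off unless the app needs it'),
    'allow_url_include'        => array(false, 'remote file inclusion (setting exists from PHP 5.2)'),
    'display_errors'           => array(false, 'error messages leak paths and SQL to visitors'),
    'log_errors'               => array(true,  'keep the errors, just in the log rather than on screen'),
    'expose_php'               => array(false, 'X-Powered-By header advertises the exact PHP version'),
    'session.use_only_cookies' => array(true,  'no session ids in URLs'),
);

// Prints one line per setting and returns the names that are wrong.
function audit_ini(array $boolean_checks)
{
    $failures = array();
    foreach ($boolean_checks as $name => $spec) {
        list($expected, $reason) = $spec;
        $actual = ini_bool($name);
        $line = sprintf('%-28s %-3s', $name, $actual ? 'On' : 'Off');
        if ($actual === $expected) {
            echo "OK   $line\n";
        } else {
            echo "FAIL $line  should be " . ($expected ? 'On' : 'Off') . ": $reason\n";
            $failures[] = $name;
        }
    }
    // If the application never sends mail, disabling mail() removes the
    // chance of a buggy script being used to send bulk email.
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    if (!in_array('mail', $disabled, true)) {
        echo "NOTE disable_functions does not include mail; add it if the app never sends email\n";
    }
    return $failures;
}

$failures = audit_ini($boolean_checks);
exit(count($failures) === 0 ? 0 : 1);
```

A non-zero exit status makes the script usable from a deployment checklist or a cron job, so a later php.ini change that re-enables one of these settings is noticed rather than discovered after the fact.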
--- Begin Message ---
[EMAIL PROTECTED] wrote:
> hi!
> 
> the company I work for is moving our web server to another hosting company
> (dedicated server). we use php 5.1.2, apache 2.2, mysql 5.0.18, and I
> wonder what else I have to change in php.ini settings?
> 
> register_globals is Off
> magic_quotes_gpc is Off
> 
> what else do you recommend?

r2 turn off ALL the garbage disposers.

and have a look at php.ini-recommended (or whatever it's
called exactly)

> 
> thanks.
> 
> -afan
> 

--- End Message ---
--- Begin Message ---
> [EMAIL PROTECTED] wrote:
>> hi!
>>
>> the company I work for is moving our web server to another hosting company
>> (dedicated server). we use php 5.1.2, apache 2.2, mysql 5.0.18, and I
>> wonder what else I have to change in php.ini settings?
>>
>> register_globals is Off
>> magic_quotes_gpc is Off
>>
>> what else do you recommend?
>
> r2 turn off ALL the garbage disposers.
what do you mean?

> and have a look at php.ini-recommended (or whatever it's
> called exactly)


Thanks Jochem!

>
>>
>> thanks.
>>
>> -afan
>>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

--- End Message ---
--- Begin Message ---
On Wed, November 22, 2006 9:15 am, João Cândido de Souza Neto wrote:
> I am facing a trouble in my system in which i am not able to show
> ISO-8859-1
> encoding data. When i tried to use the follow meta tag it works in
> firefox
> but still not working in IE.
>
> <meta http-equiv="Content-Type" content="text/html;
> charset=ISO-8859-1">
>
> In firefox it shows: REMÉDIO PARA O GADO
>
> In IE it shows: REM?IOS PARA O GADO

IE looks at the META tag, which you have.
FF looks at the HTTP headers, which you probably do not have:
<?php
  //this should be your very first line:
  header("Content-type: text/html; charset=ISO-8859-1");
?>

It seems to me that you would want UTF-8 or some other charset, not
ISO-8859-1, to get the accent...

So IE is actually doing what you asked, and FF is "guessing" you
really wanted that accented E and using UTF-8, I think.

I'm NOT Unicode-savvy, really, but this is my best guess.

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

--- End Message ---
--- Begin Message ---
Hi

I'm working on a site and I'm using the same encoding you
use and everything displays ok both in Firefox 1.5/2.0
and IE 6.

The only difference is that I have the ISO in small letters
and the tag terminator like this:

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

I can display João, Mão, Mãe, õ, and everything else
(todos os acentos e caracteres portugueses)

So, I think that the problem is not in the code because I
only use the meta and never use the header...

Hope this helps...

(Se precisares de alguma coisa em Português diz...
Mas sou novato no PHP)

--- End Message ---
--- Begin Message ---
On Wed, November 22, 2006 3:53 am, Ross wrote:
> I have a database and it needs to get backed up on a daily basis. Is
> there a
> class that allows me to create a backup and then save it as a .sql or
> excel
> or both to a folder of her choice?

I personally would not involve PHP in this process, in general, as the
existing database backup software for almost any database will be more
efficient and have less overhead than piping any of it through PHP...

So just create a cron job in a shell to do:
mysqldump your_database > backup_path_here

Of course, if one has no shell access, you're kinda stuck using PHP to
run the http://php.net/exec to do that, and then some kind of hinky
way to pretend to run cron...  Finding a new webhost is my usual
solution to that :-)

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

--- End Message ---
--- Begin Message ---
On Tue, November 21, 2006 10:31 pm, Tom wrote:
>     I’m trying to use the imagejpeg function call in a php script and
> I
> can’t quite seem to get it working properly.

Can you clarify "working properly" into something a bit more concrete?

Right now, we're left guessing from the most likely scenario, that you
are seeing the:
yoya%#(*&H*([EMAIL PROTECTED]
on your screen, because you've commented out the "header" line to tell
the browser to expect an image, all the way up through "the aliens
attack and put me to sleep every time I reload" :-)

> Would I need to have T1Lib support in order for this it work?

No.

Only if you wanted to use the T1 font/string functions within GD would
you need the T1Lib support.

> As a quick example, here is some code I’ve been playing around with
> that I
> found somewhere.
>
> <?php
>  $image = imagecreate(200, 200);
>  $colorRed = imagecolorallocate($image, 255, 0, 0);
>  imagefill($image, 0, 0, $colorRed);

ImageFill might not do what you want with a new raw JPEG...

I mean, what color are all the pixels to start with?...

I would suggest that this is more suitable:
imagerectangle($image, 0, 0, 199, 199, $colorRed);

>  //send image
>  //header("Content-type: image/jpeg");

If you took this out for testing/debugging, that's great, but you have
to put it back in for the browser to know that it's a JPEG and not
HTML.

>  imagejpeg($image);

> Should make a red square.

What did it actually make?

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

--- End Message ---
--- Begin Message ---
On Mon, 20 Nov 2006 13:37:29 +0000, Brynjar Guðnason wrote:

> I saw a clever solution to this once.
>
> There was a line of names: name1, name2, name3 etc.
> And then at the end stood all these are at someurl.com.
>
> That is the best way, I think.

If they're all in the same domain, I guess.

See my .sig for another tactic -- which I also employ on web pages.

Jonesy
-- 
  Marvin L Jones    | jonz          | W3DHJ  | linux
   38.24N  104.55W  |  @ config.com | Jonesy |  OS/2
    *** Killfiling google posts: <http://jonz.net/ng.htm>

--- End Message ---
--- Begin Message ---
On Tue, November 21, 2006 6:21 pm, Robert Cummings wrote:
> Personally, if the customer pays me money to make a site, I don't put
> dirty little ego fluffers on their pages... I put them in the HTML
> comments or meta tags *heheh*.

Frequently, by the time the Customer and the Designer have finished
destroying a perfectly good site with a lot of cruft that makes zero
sense, I don't even WANT my name on the damn thing.
:-)

I think it would be appropriate to negotiate for reasonable
attribution before you build the site, but not to slap it in there at
the end, nor ask for it upon delivery.

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

--- End Message ---
--- Begin Message ---
At 11/21/2006 03:02 PM, pub wrote:
> Is it appropriate to ask your client to add "Powered by your company"
> to the sites you design and maintain?
> And when you see "Powered by" does it mean designed by or maintained
> by or both?


'Powered by' sounds like an engine or a fuel, so I imagine it to mean that the site utilizes or is driven by a software package you wrote or runs on hardware you manage, both on an ongoing basis. For me it strongly implies that the agency credited for powering the site is not the one that designed or created it; otherwise they'd say so.

'Designed by' implies to me just graphic design. Since I'm primarily a programmer, most of my work is either implementing another agency's graphic design or, when my partner and I do all the work, both design and implementation. If this is a credit on page footers, brevity is golden.

I generally just say 'Website by' and allow that ambiguity to fill the available space. It works by itself and also in conjunction with a separate 'Design by' credit.

Regards,
Paul
--- End Message ---
--- Begin Message ---
I'm looking to write a function that will receive the contents of a web form, do some data manipulation, then pass on the manipulated data to another URL via POST. Is there a built-in function in PHP that I can use to send the data to another URL via POST without a user having to click submit on a form?
--- End Message ---
--- Begin Message ---
> -----Original Message-----
> From: Gabe [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, November 22, 2006 3:08 PM
> To: [email protected]
> Subject: [PHP] Programmatic POST
> 
> I'm looking to write a function that will receive the contents of a web
> form, do some data manipulation, then pass on the manipulated data to
> another URL via POST.  Is there a built-in function in PHP that I can
> use to send the data to another URL via POST without a user having to
> click submit on a form?

Yep.  There are several.

I prefer to use cURL.

http://www.php.net/curl

-B

--- End Message ---
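The cURL approach Brad points to, as an added example (not Brad's code or anything from php.net): receive the form, keep only the fields you expect, adjust them, and POST the result on. The destination URL https://example.com/receive.php and the allowed-field list are placeholders; the assumption is that the destination speaks HTTPS so the forwarded data is protected in transit.

```php
<?php
// Added example, not Brad's code: forwarding a filtered form submission to
// another URL with cURL. The destination URL and the field names are
// placeholders for this example.

function forward_post($url, array $form, array $allowed_fields)
{
    // Only forward the fields we expect; anything else the client put in
    // $_POST is dropped, so it cannot smuggle extra parameters to the
    // destination through our server.
    $data = array();
    foreach ($allowed_fields as $field) {
        if (isset($form[$field])) {
            $data[$field] = (string) $form[$field];
        }
    }

    // The "data manipulation" step; here just normalising an address.
    if (isset($data['email'])) {
        $data['email'] = strtolower(trim($data['email']));
    }

    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_POST, true);
    // http_build_query() sends application/x-www-form-urlencoded. Passing
    // the array itself would make cURL send multipart/form-data and, on
    // PHP before 5.5, treat a value beginning with '@' as a file to upload.
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data));
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    // Do not follow redirects: a redirect could re-send the POST body to a
    // host we never intended to talk to.
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
    curl_setopt($ch, CURLOPT_TIMEOUT, 15);
    // Verify the destination's certificate and hostname, otherwise the
    // "SSL" in the URL guarantees nothing.
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);

    $body   = curl_exec($ch);
    $error  = curl_error($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    if ($body === false) {
        return array('ok' => false, 'error' => $error);
    }
    return array(
        'ok'     => $status >= 200 && $status < 300,
        'status' => $status,
        'body'   => $body,
    );
}

// Usage: forward only name and email from the submitted form.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $result = forward_post('https://example.com/receive.php', $_POST, array('name', 'email'));
    if (!$result['ok']) {
        error_log('forward_post failed: ' . (isset($result['error']) ? $result['error'] : 'HTTP ' . $result['status']));
    }
}
```

The allow-list is the part worth keeping even if the rest changes: the function forwards what the application decided to forward, not whatever the browser sent, and the response body from the destination is returned to the caller rather than echoed straight back to the user.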
--- Begin Message ---
Hello,

on 11/22/2006 06:07 PM Gabe said the following:
> I'm looking to write a function that will receive the contents of a web
> form, do some data manipulation, then pass on the manipulated data to
> another URL via POST.  Is there a built-in function in PHP that I can
> use to send the data to another URL via POST without a user having to
> click submit on a form?

You may want to use this HTTP client class. It can emulate form
submission via HTTP POST, and if necessary it can collect cookies,
handle redirection, access SSL pages, etc...

http://www.phpclasses.org/httpclient


-- 

Regards,
Manuel Lemos

Metastorage - Data object relational mapping layer generator
http://www.metastorage.net/

PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/

--- End Message ---
--- Begin Message ---
in PHP5, you could have a look at objects HTTPRequest and HTTPResponse.
I never used them yet, though...

vincent

-----Original Message-----
From: Brad Fuller [mailto:[EMAIL PROTECTED]
Sent: Wed 22/11/2006 21:25
To: [email protected]
Subject: RE: [PHP] Programmatic POST
 
> -----Original Message-----
> From: Gabe [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, November 22, 2006 3:08 PM
> To: [email protected]
> Subject: [PHP] Programmatic POST
> 
> I'm looking to write a function that will receive the contents of a web
> form, do some data manipulation, then pass on the manipulated data to
> another URL via POST.  Is there a built-in function in PHP that I can
> use to send the data to another URL via POST without a user having to
> click submit on a form?

Yep.  There are several.

I prefer to use cURL.

http://www.php.net/curl

-B


--- End Message ---