php-general Digest 15 Apr 2007 17:07:25 -0000 Issue 4736

Topics (messages 252959 through 252968):

Re: isset
        252959 by: Jochem Maas
        252968 by: afan.afan.net

secure login
        252960 by: Ross
        252961 by: Alain Roger
        252962 by: Stut
        252966 by: tedd

Re: WWE in Stamford, CT needs a kick ass PHP Developer!
        252963 by: tedd
        252964 by: Robert Cummings

Re: how to get var name and value from function?
        252965 by: Zoltán Németh

Re: preg_replace and regular expressions.
        252967 by: Buesching, Logan J

Administrivia:

To subscribe to the digest, e-mail:
        [EMAIL PROTECTED]

To unsubscribe from the digest, e-mail:
        [EMAIL PROTECTED]

To post to the list, e-mail:
        [EMAIL PROTECTED]


----------------------------------------------------------------------
--- Begin Message ---
Afan Pasalic wrote:
> 
> Jochem Maas wrote:
>> Richard Kurth wrote:
>>   
>>> What do you do when isset does not work? If I send data in a
>>> $_REQUEST['var'] like 
>>> if (isset($_REQUEST['var'])) {
>>> }
>>> But var has no data it still says it is set. Because $_REQUEST['var'] = ""
>>> and isset thinks "" is set
>>>     
>>
>> php -r ' $r = array("foo" => ""); 
>> var_dump(isset($r["foo"]),empty($r["foo"]));'
>>
>> so empty() should give you the result you're looking for  ...
>> some tips:
>>
>> 1. generally use $_GET or $_POST in preference to $_REQUEST
>> 2. be specific about your input validation, e.g.:
>>
>> if (isset($_GET['var']) && ($_GET['var'] == 'foo')) {
>>      echo "got it!";
>> }
>>   
> I always wondered about this. if $_GET['var'] == 'foo' is true, isn't
> automatically isset($_GET['var']) true too?
> I mean, isn't
> if ($_GET['var'] == 'foo')
> {
>     echo "got it!";
> }
> just enough?

it doesn't cover the situation where $_GET['var'] doesn't exist,
and using uninitialized var is not recommended.

of course it's your call whether you write/run code that spits out
E_NOTICEs all over the place due to usage of uninitialized vars.

> 
> -afan

--- End Message ---
--- Begin Message ---
> Afan Pasalic wrote:
>>
>> Jochem Maas wrote:
>>> Richard Kurth wrote:
>>>
>>>> What do you do when isset does not work? If I send data in a
>>>> $_REQUEST['var'] like
>>>> if (isset($_REQUEST['var'])) {
>>>> }
>>>> But var has no data it still says it is set. Because $_REQUEST['var']
>>>> = ""
>>>> and isset thinks "" is set
>>>>
>>>
>>> php -r ' $r = array("foo" => "");
>>> var_dump(isset($r["foo"]),empty($r["foo"]));'
>>>
>>> so empty() should give you the result you're looking for  ...
>>> some tips:
>>>
>>> 1. generally use $_GET or $_POST in preference to $_REQUEST
>>> 2. be specific about your input validation, e.g.:
>>>
>>> if (isset($_GET['var']) && ($_GET['var'] == 'foo')) {
>>>     echo "got it!";
>>> }
>>>
>> I always wondered about this. if $_GET['var'] == 'foo' is true, isn't
>> automatically isset($_GET['var']) true too?
>> I mean, isn't
>> if ($_GET['var'] == 'foo')
>> {
>>     echo "got it!";
>> }
>> just enough?
>
> it doesn't cover the situation where $_GET['var'] doesn't exist,
> and using uninitialized var is not recommended.
>
> of course it's your call whether you write/run code that spits out
> E_NOTICEs all over the place due to usage of uninitialized vars.
>

not quite sure. if $_GET['var'] doesn't exist it's DEFINITELY not equal to
'foo', right?

how I understand:
clause one: isset($_GET['var'])
clause two: ($_GET['var'] == 'foo')
if clause two is true, clause one MUST be true.
if clause one is true, clause two could be true or false.

means, if I look for solutions where ($_GET['var'] == 'foo') they will
automatically cover the isset($_GET['var']) part.
if ($_GET['var'] != 'foo') I really do not care about isset($_GET['var']) or
!isset($_GET['var']).

or I'm missing something here?

I have E_NOTICE turned off. :)

thanks.

-afan

>>
>> -afan
>
>

--- End Message ---
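The isset()/empty() behaviour discussed in the two messages above, as an added example that is not part of the thread. It runs the three checks over constructed stand-ins for $_GET, shows the guarded comparison Jochem suggested, and turns the notice (PHP 8: warning) that the unguarded `$_GET['var'] == 'foo'` raises on a missing key into a visible exception. It also covers one caveat the thread does not mention: empty() treats the string "0" as empty, so it is not a drop-in replacement for "the parameter was sent".

```php
<?php
// Added example, not from the thread: how isset(), empty() and
// array_key_exists() differ on request input, and why the isset() guard
// in front of the comparison matters. The $requests array is constructed.
declare(strict_types=1);

// Constructed stand-ins for $_GET in four different requests.
$requests = [
    'missing' => [],                // no var parameter at all
    'blank'   => ['var' => ''],     // ?var=
    'zero'    => ['var' => '0'],    // ?var=0  (empty() says true here)
    'foo'     => ['var' => 'foo'],  // ?var=foo
];

// Check one key three ways and return the verdicts.
function probe(array $get, string $key): array
{
    return [
        'exists' => array_key_exists($key, $get), // key present, even if null
        'isset'  => isset($get[$key]),            // present and not null
        'empty'  => empty($get[$key]),            // missing, null, '', '0', 0, ...
    ];
}

// Guarded comparison from the thread: the key is only read when it exists.
// Strict === avoids the loose-comparison surprises of == as well.
function isFoo(array $get): bool
{
    return isset($get['var']) && $get['var'] === 'foo';
}

foreach ($requests as $name => $get) {
    $p = probe($get, 'var');
    printf("%-8s exists=%d isset=%d empty=%d isFoo=%d\n",
        $name, $p['exists'], $p['isset'], $p['empty'], isFoo($get));
}

// The unguarded form: reading a missing key raises E_NOTICE ("Undefined
// index") on PHP 5/7 and E_WARNING ("Undefined array key") on PHP 8.
// Convert the diagnostic into an exception so it cannot be missed.
set_error_handler(function (int $errno, string $errstr): bool {
    throw new ErrorException($errstr, 0, $errno);
});
try {
    $get = $requests['missing'];
    if ($get['var'] == 'foo') {
        echo "got it!\n";
    }
} catch (ErrorException $e) {
    echo "unguarded read raised: ", $e->getMessage(), "\n";
}
restore_error_handler();
```

Afan is right that `$_GET['var'] == 'foo'` can only be true when the key is set; the guard is there for the false branch, where the missing key is still read and the notice is still emitted, whether or not E_NOTICE is displayed.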
--- Begin Message ---
I am creating a single user secure login based on this:

http://www.phpnoise.com/tutorials/26/1


Can anyone see any potential security issues with this method? Where should 
I store the password/username can I just have it located in the pagehead?


R. 

--- End Message ---
--- Begin Message ---
Hi Ross,

I previously worked on this theme and the general feeling / feedback from
the mailing list was the following one :

- access to your login window, via HTTPS (SSL)
- hash you password (inspired by :
http://phpsec.org/articles/2005/password-hashing.html)
- when user is authenticated, you can authorize him to go further, therefore
use a session and store in session array ONLY his login. (as he is already
identified).
all the webpages should be accessible in HTTPS (with first check on
$_SERVER["HTTPS"] != 'on')

HTH.

Alain

On 4/15/07, Ross <[EMAIL PROTECTED]> wrote:


I am creating a single user secure login based on this:

http://www.phpnoise.com/tutorials/26/1


Can anyone see any potential security issues with this method? Where
should
I store the password/username can I just have it located in the pagehead?


R.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




--
Alain
------------------------------------
Windows XP SP2
PostgreSQL 8.1.4
Apache 2.0.58
PHP 5

--- End Message ---
--- Begin Message ---
Ross wrote:
I am creating a single user secure login based on this:

http://www.phpnoise.com/tutorials/26/1

Can anyone see any potential security issues with this method? Where should I store the password/username can I just have it located in the pagehead?

I would be careful about using any code from that site. The code presented in that tutorial does not escape variables before putting them into SQL queries.

In addition it appears to be storing the MD5 of the password in a cookie. This leaves it open to offline dictionary attacks. The author falsely represents MD5 hashes as encryption. MD5 is not encryption, it's a checksum.

By all means use it as an example, but please be aware that it is not particularly secure and could open your site to attacks.

-Stut

--- End Message ---
--- Begin Message ---
I am creating a single user secure login based on this:

http://www.phpnoise.com/tutorials/26/1


Can anyone see any potential security issues with this method? Where should
I store the password/username can I just have it located in the pagehead?

R.

Ross:

Yes, as Stut pointed out, the example above is problematic.

What kind of secure log-in are you wanting?

[1] http://sperling.com/a/pw/index.php

[2] http://sperling.com/a/users/index.php

In [1] the password and user id are "test". The user id and password are stored in the header of the script, but they could be included in a PHP configuration script. I think that method is secure.

In [2] the password is emailed to you AND your user id and password are stored in MySQL.

Cheers,

tedd
--
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com

--- End Message ---
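A minimal login that addresses the points raised in this thread (Alain's HTTPS check, hashed password and login-only session; Stut's unescaped SQL and MD5-in-a-cookie), as an added example. It is not the tutorial's code and not from any of the replies; it assumes PHP 7.3 or later with pdo_sqlite, and the `users` table, its column names and the function names are invented for the demonstration.

```php
<?php
// Added example, not the tutorial's code and not from the thread. Assumes
// PHP >= 7.3 with pdo_sqlite; the users table and column names are invented.
declare(strict_types=1);

// Refuse to serve the login page over plain HTTP (the $_SERVER['HTTPS']
// check suggested above), redirecting to the HTTPS URL instead.
function requireHttps(): void
{
    if (($_SERVER['HTTPS'] ?? '') !== 'on') {
        header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], true, 302);
        exit;
    }
}

// Session cookie that is only sent over HTTPS and is invisible to script.
function startSecureSession(): void
{
    session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Strict']);
    session_start();
}

// The stored credential is a salted, slow hash (password_hash), never MD5
// and never the password itself. This string is what goes in a config
// file or the database, so the file can hold it without holding the password.
function makeStoredHash(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// Prepared statement: the user-supplied name is bound as a parameter, so it
// cannot change the SQL. Returns null for an unknown user.
function fetchHash(PDO $db, string $user): ?string
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['password_hash'];
}

function login(PDO $db, string $user, string $pass): bool
{
    $hash = fetchHash($db, $user);
    // Run a verify even for unknown users, so response time does not
    // reveal which usernames exist.
    $ok = password_verify($pass, $hash ?? makeStoredHash('dummy'));
    if ($hash === null || !$ok) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);     // fresh id once authenticated
    }
    $_SESSION = ['user' => $user];       // store only the login, nothing else
    return true;
}

// Constructed in-memory table so the demo runs offline from the CLI; in a
// web page, requireHttps() and startSecureSession() would run first.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['alice', makeStoredHash('correct horse battery staple')]);

var_dump(login($db, 'alice', 'correct horse battery staple'));
var_dump(login($db, 'alice', 'wrong password'));
var_dump(login($db, "alice' OR '1'='1", 'wrong password'));  // bound, so just an unknown name
```

Nothing derived from the password is ever put in a cookie: the session id is an opaque random token, and the server side of the session holds only the login name, which is what Alain describes.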
--- Begin Message ---
At 3:27 PM -0400 4/14/07, Robert Cummings wrote:

 > >Statistics are easy to find:
 > >
 > >     http://www.frontpagewebmaster.com/m-281187/tm.htm#281187
 >
 > Okay, so read them.

I did just before I posted the link :)

 > In the first post you'll find (from my old college CSUN) this:
 >
 > http://www.imtc.gatech.edu/csun/stats.html
 >
 > It states that 19.4 percent of the population is disabled -- that's
 > about twenty times the number you cited.

I just want to clarify a point, you previously said that less than 1% of the population is disabled and then to support your claim you provide a link that says something different. Instead, the link quotes a figure twenty times your estimation, so what is your claim? Is the percent of disabled one or twenty?

Cheers,

tedd

--
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com

--- End Message ---
--- Begin Message ---
On Sun, 2007-04-15 at 08:23 -0400, tedd wrote:
> At 3:27 PM -0400 4/14/07, Robert Cummings wrote:
> >
> >  > >Statistics are easy to find:
> >  > >
> >  > >     http://www.frontpagewebmaster.com/m-281187/tm.htm#281187
> >  >
> >  > Okay, so read them.
> >
> >I did just before I posted the link :)
> >
> >  > In the first post you'll find (from my old college CSUN) this:
> >  >
> >  > http://www.imtc.gatech.edu/csun/stats.html
> >  >
> >  > It states that 19.4 percent of the population is disabled -- that's
> >  > about twenty times the number you cited.
> 
> I just want to clarify a point, you previously said that less than 1% 
> of the population is disabled and then to support your claim you 
> provide a link that says something different. Instead, the link 
> quotes a figure twenty times your estimation, so what is your claim? 
> Is the percent of disabled one or twenty?

I didn't provide a link to support my claim, I provided a link to prove
how easy it was to find statistics. That my 1% statistic was wrong was
not surprising; however, your claim is not quite right either since the
value of 19.4% is a value for all disabilities, not just ones that
benefit from visual issues. The actual number of visual disabilities I
believe was around a third of the given number, so closer to 6.5%-- I
would increase that a bit for mental disabilities that may make
processing of information more difficult. That said, I live in Canada,
our disability numbers are around 12% versus the US 19.4%. So, there is
a marked difference between countries. So to set the record straight, I
wasn't claiming anything and neither of our statistics were correct :)

Cheers,
Rob.
-- 
.------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting  |
| a powerful, scalable system for accessing system services  |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for       |
| creating re-usable components quickly and easily.          |
`------------------------------------------------------------'

--- End Message ---
--- Begin Message ---
On Saturday, 2007-04-14 at 08:15, Afan Pasalic wrote:
> Tijnema ! wrote:
> > On 4/14/07, Afan Pasalic <[EMAIL PROTECTED]> wrote:
> >> hi,
> >> this one I can't figure out:
> >>
> >> I have to assign value of an array to variable named after key of the
> >> array several times in my project to , e.g. after I submit a form with
> >> personal info I have
> >> $_POST['name'] = 'john doe';
> >> $_POST['address'] = '123 main st.';
> >> $_POST['city'] = 'urbandale';
> >> $_POST['zip'] = '12345';
> >> $_POST['phone'] = '123-456-7980';
> >> etc.
> >>
> >> Then I assign value to the var name:
> >> foreach ($_POST as $key => $value)
> >> {
> >>    ${$key} = $value;
> >> }
> >> and then validate submitted.
> >
> > Are you sure you want to do this? You never know what a hacker inserts
> > to your POST data, so he could easily define variables inside your
> > script, especially when you're using more dangerous functions like
> > system().
> I do validation after this step. :)

you should validate before this step, not after. let's say you have an
important variable called $system_setting
then someone sends you a POST with 'system_setting' in it. then you're
writing that POST value to your important variable with that foreach
stuff, and trying to validate after it - but your system_setting value
is corrupted still!

greets
Zoltán Németh

> >
> >>
> >> Though, to avoid writing all over again the same lines (even it's only 3
> >> lines) I was thinking to create a function something like:
> >>
> >> function value2var($array, $print=0)
> >> {
> >>    foreach ($_POST as $key => $value)
> >
> > I think you should change above line to :
> >
> >    foreach ($array as $key => $value)
> yup! it's print error. I meant $array.
> >>    {
> >>        ${$key} = $value;
> >>        echo ($print ==1) ? $key.': '.$value.'<br>';     // to test
> >> results and seeing array variables and values
> >>    }
> >> }
> >>
> >> value2var($_POST, 1);
> >>
> >> but, I don't know how to get info from function back to script?!?!?
> >> :-(
> >
> > Uhm, it's not even possible when you don't know the keys i believe.
> after 2 hours of testing and research I realized this too, but want to
> be sure.
> :-(
> 
> thanks.
> 
> -afan
> 
> 
> >
> > Tijnema
> >>
> >> any help appreciated.
> >>
> >> -afan
> >
> 

--- End Message ---
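Zoltán's point in the message above, as an added example that is not part of the thread: the `${$key} = $value` loop lets whoever sends the form choose variable names, so a `system_setting` field overwrites the script's own `$system_setting` before any validation runs. The second function shows the alternative of copying only an allow-list of expected fields into an array, and the extract() call at the end answers Afan's question of how to get named variables back out of a function without that risk. The function names and the POST body are constructed for this example.

```php
<?php
// Added example, not from the thread: what the ${$key} = $value loop does
// to a variable the script already relies on, and an allow-list version that
// copies only expected fields. $system_setting and the field names follow
// the message above; the POST body is constructed.
declare(strict_types=1);

// The pattern from the thread, inside a function so it is easy to call.
function importEverything(array $input): array
{
    $system_setting = 'safe-default';   // internal value this scope relies on
    foreach ($input as $key => $value) {
        ${$key} = $value;               // a 'system_setting' key overwrites it
    }
    return ['system_setting' => $system_setting, 'name' => $name ?? null];
}

// Allow-list version: only the named fields are taken, into an array, so no
// client-chosen key ever becomes a variable name. Missing fields become null,
// and a field sent as an array (name[]=x) is rejected rather than cast.
function importAllowed(array $input, array $allowed): array
{
    $clean = [];
    foreach ($allowed as $field) {
        $clean[$field] = (isset($input[$field]) && is_string($input[$field]))
            ? trim($input[$field])
            : null;
    }
    return $clean;
}

// Constructed POST body: the expected fields plus one colliding extra key.
$post = [
    'name'           => 'john doe',
    'city'           => 'urbandale',
    'system_setting' => 'attacker-controlled',
];

print_r(importEverything($post));   // system_setting is no longer the default

$form = importAllowed($post, ['name', 'address', 'city', 'zip', 'phone']);
print_r($form);                     // only the five expected fields, as an array

// If plain variables are wanted back in the caller, return the array and
// extract() it with a prefix: $form_name, $form_city, ... The prefix means
// no existing variable can be clobbered, and the set of names is fixed.
extract($form, EXTR_PREFIX_ALL, 'form');
var_dump($form_name, $form_city);
```

Validation still has to happen on the values (length, format, character set); the allow-list only guarantees that the shape of the input is the one the script expects.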
--- Begin Message ---
In your regex, you have a greedy matcher, i.e. ".*" will match as much
as it can to satisfy its condition.  I believe you can do ".*?" and it
will work, as ".*?" will match as little as it can to be satisfied.

-Logan

-----Original Message-----
From: Travis Moore [mailto:[EMAIL PROTECTED] 
Sent: Sunday, April 15, 2007 12:22 AM
To: [EMAIL PROTECTED]
Subject: [PHP] preg_replace and regular expressions.

Okay, so what I have is a BB code type of thing for a CMS, in which I, for
obvious reasons, can't allow HTML.

Here's the snippet of my function:

********
function bbCode($str)
  {
   $db = new _Mysql;
   $strOld = $str;
   $strNew = $str;
   $getRegexs = $db->query("SELECT `regex`,`replace`,`search` FROM 
`_bb_codes`");
   while ($getRegex = mysql_fetch_assoc($getRegexs))
    {
     $search = base64_decode($getRegex['search']);
     $regex = base64_decode($getRegex['regex']);
     $replace = base64_decode($getRegex['replace']);
     if (preg_match($search,$strNew) == 1)
      {
       for ($i = 1; $i < 20; $i++)
        {
         $strNew = $strOld;
        $strNew = preg_replace($regex,$replace,$strNew);
         if ($strNew == $strOld)
          {
           break;
          }
         else
          {
           $strOld = $strNew;
          }
        }
      }
    }
   $return = $strNew;
   return $return;
  }
**********

But, for something like this:

[quote][quote]Quote #2[/quote]Quote #1[/quote]No quote.

I'll get:

<div class="quoteContainer">
[quote]Quote #2[/quote]Quote #1</div>
No quote.

Despite being in the loop.

Regex is: /\[quote\]((.*|\n)*)\[\/quote\]/
Replace is: <div class="messageQuote">$1</div>

Both are stored base64 encoded in a database.

Any help / suggestions much appreciated.


--- End Message ---
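The greedy `.*` and the lazy `.*?` Logan suggests, run side by side on the nested input from Travis's message, as an added example that is not the thread's code. It goes one step past the reply by adding an innermost-first pattern whose body may not contain a quote tag, which pairs each open tag with its own close tag in a single pass and nests correctly when repeated, and by escaping any real HTML in the input before the replacement markup is emitted. The function names and the `messageQuote` markup are this example's own.

```php
<?php
// Added example, not Travis's function and not from the thread: greedy,
// lazy and innermost-first forms of the [quote] pattern on the input from
// the message above. bbQuote() and onePass() are this example's names.
declare(strict_types=1);

$input = '[quote][quote]Quote #2[/quote]Quote #1[/quote]No quote.';
$replacement = '<div class="messageQuote">$1</div>';

// The /s modifier makes . match newlines, which is what the (.*|\n)* group
// in the message was doing by hand. A repeated group with .* inside can
// backtrack heavily on input that never matches, and preg_replace() then
// returns null once pcre.backtrack_limit is hit; the loop below checks for that.
$greedy    = '/\[quote\](.*)\[\/quote\]/s';                      // runs to the LAST [/quote]
$lazy      = '/\[quote\](.*?)\[\/quote\]/s';                     // stops at the FIRST [/quote]
$innermost = '/\[quote\]((?:(?!\[\/?quote\]).)*)\[\/quote\]/s';  // body holds no quote tag

// One replacement pass; null means the regex engine gave up.
function onePass(string $text, string $regex, string $replacement): ?string
{
    return preg_replace($regex, $replacement, $text);
}

// Repeat until nothing changes, bounded like the loop in the message above.
// Real HTML in the input is escaped first, so the only markup in the result
// is what the replacement emits.
function bbQuote(string $text, string $regex, string $replacement, int $maxPasses = 20): string
{
    $text = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    for ($i = 0; $i < $maxPasses; $i++) {
        $next = preg_replace($regex, $replacement, $text);
        if ($next === null || $next === $text) {
            break;                        // engine error, or nothing left to replace
        }
        $text = $next;
    }
    return $text;
}

echo "greedy, one pass:    ", onePass($input, $greedy, $replacement), "\n";
echo "lazy, one pass:      ", onePass($input, $lazy, $replacement), "\n";
echo "innermost, one pass: ", onePass($input, $innermost, $replacement), "\n";
echo "innermost, looped:   ", bbQuote($input, $innermost, $replacement), "\n";
echo "HTML in input:       ", bbQuote('[quote]<b>bold</b>[/quote]', $innermost, $replacement), "\n";
```

Run from the CLI, the first line shows the outer pair wrapped with the inner tags left raw, the second shows the outer open tag paired with the inner close tag, and the third shows only the inner pair converted; the looped innermost form is the one that ends with one div nested inside the other.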
