php-general Digest 22 Nov 2009 05:31:36 -0000 Issue 6454
Topics (messages 300009 through 300023):
Re: PHP sessions, AJAX, authentication and security.
300009 by: Phpster
300010 by: tedd
300020 by: Nathan Rixham
300021 by: Angus Mann
Re: CSS and variables
300011 by: tedd
Re: Creating users and generating privileges for users
300012 by: tedd
300015 by: Phpster
Re: How to create a web application like igoogle?
300013 by: Ali Asghar Toraby Parizy
Extracting a time zone from a latitude longitude
300014 by: Haig Davis
300016 by: Phpster
300017 by: Stuart Dallas
300018 by: Nathan Rixham
300022 by: clancy_1.cybec.com.au
Re: Which query is more correct?
300019 by: Nathan Rixham
Recognizing double clicks
300023 by: Skip Evans
Administrivia:
To subscribe to the digest, e-mail:
php-general-digest-subscr...@lists.php.net
To unsubscribe from the digest, e-mail:
php-general-digest-unsubscr...@lists.php.net
To post to the list, e-mail:
php-gene...@lists.php.net
----------------------------------------------------------------------
--- Begin Message ---
You could use a one time token on each request
Bastien
Sent from my iPod
On Nov 21, 2009, at 6:30 AM, "Angus Mann" <angusm...@pobox.com> wrote:
Hi all.
A question about PHP sessions and their interaction with AJAX.
I have a database containing sensitive information and users need to
log in to my PHP script and be authenticated before they are granted
access.
For one of the forms I would like to retrieve information using
AJAX, and some of that information is sensitive also. The request
from AJAX is handled by another, simpler PHP script.
It occurs to me that the AJAX handler could be used to bypass the
user authentication and a crafted request sent directly to the AJAX
handler to get information without authentication.
Can anyone offer some advice about how to piggy-back the session/
authentication data that the user originally used to the AJAX so
that only an authenticated user will get a valid response from the
AJAX handler? I know I could embed authentication information into
the web-page and send this with the AJAX request but I'm interested
to know if there are other methods also.
I hope the explanation is clear.
Thanks in advance.
--- End Message ---
--- Begin Message ---
At 9:30 PM +1000 11/21/09, Angus Mann wrote:
Hi all.
A question about PHP sessions and their interaction with AJAX.
I have a database containing sensitive information and users need to
log in to my PHP script and be authenticated before they are granted
access.
For one of the forms I would like to retrieve information using
AJAX, and some of that information is sensitive also. The request
from AJAX is handled by another, simpler PHP script.
It occurs to me that the AJAX handler could be used to bypass the
user authentication and a crafted request sent directly to the AJAX
handler to get information without authentication.
Can anyone offer some advice about how to piggy-back the
session/authentication data that the user originally used to the
AJAX so that only an authenticated user will get a valid response
from the AJAX handler? I know I could embed authentication
information into the web-page and send this with the AJAX request
but I'm interested to know if there are other methods also.
I hope the explanation is clear.
Thanks in advance.
Angus:
First, don't trust anything that comes from the client -- period.
Second, Ajax is just another way to send stuff to the server. When
the data gets to the server then authenticate and set a session
variable to indicate such. This is not rocket science, but if you
don't do it right you'll leave a crater.
Cheers,
tedd
--
-------
http://sperling.com http://ancientstones.com http://earthstones.com
--- End Message ---
--- Begin Message ---
Angus Mann wrote:
> Hi all.
>
> A question about PHP sessions and their interaction with AJAX.
>
> I have a database containing sensitive information and users need to log in
> to my PHP script and be authenticated before they are granted access.
>
> For one of the forms I would like to retrieve information using AJAX, and
> some of that information is sensitive also. The request from AJAX is handled
> by another, simpler PHP script.
>
> It occurs to me that the AJAX handler could be used to bypass the user
> authentication and a crafted request sent directly to the AJAX handler to get
> information without authentication.
>
> Can anyone offer some advice about how to piggy-back the
> session/authentication data that the user originally used to the AJAX so that
> only an authenticated user will get a valid response from the AJAX handler? I
> know I could embed authentication information into the web-page and send this
> with the AJAX request but I'm interested to know if there are other methods
> also.
>
> I hope the explanation is clear.
>
> Thanks in advance.
same as everywhere else in your apps.. ajax is no different in any way
at all, not even slightly. as far as PHP and web server is concerned
it's just a plain old request same as any other; thus..
if( !$_SESSION['is_logged_in'] ) {
exit();
}
// do stuff
--- End Message ---
--- Begin Message ---
same as everywhere else in your apps.. ajax is no different in any way
at all, not even slightly. as far as PHP and web server is concerned
it's just a plain old request same as any other; thus..
if( !$_SESSION['is_logged_in'] ) {
exit();
}
// do stuff
Thanks for that. Sometimes the solution is right there in front of you.
The bit of code below does the job nicely for me :
session_start();
if(!isset($_SESSION['username'])){
echo("Go Away.");
exit();
}
// now work with sensitive data...
--- End Message ---
--- Begin Message ---
This might help:
http://sperling.com/examples/pcss/
Cheers,
tedd
--
-------
http://sperling.com http://ancientstones.com http://earthstones.com
--- End Message ---
--- Begin Message ---
At 6:36 PM -0600 11/20/09, nitin reddy wrote:
Hey can one help me in creating different users using mysql for php and
assigning different privileges for them ..any sample code available?
--
PASULA NITIN REDDY
Graduate Student in Computer Science Department
University of Minnesota,Twin Cities
Minneapolis.
PASULA:
And where do you want us to send your homework?
Seriously, if you want help, please show us what you've done -- from
there we can move on.
Cheers,
tedd
--
-------
http://sperling.com http://ancientstones.com http://earthstones.com
--- End Message ---
--- Begin Message ---
Check out the grant command in SQL for your database
Bastien
Sent from my iPod
On Nov 21, 2009, at 9:05 AM, tedd <tedd.sperl...@gmail.com> wrote:
At 6:36 PM -0600 11/20/09, nitin reddy wrote:
Hey can one help me in creating different users using mysql for php
and
assigning different privileges for them ..any sample code available?
--
PASULA NITIN REDDY
Graduate Student in Computer Science Department
University of Minnesota,Twin Cities
Minneapolis.
PASULA:
And where do you want us to send your homework?
Seriously, if you want help, please show us what you've done -- from
there we can move on.
Cheers,
tedd
--
-------
http://sperling.com http://ancientstones.com http://earthstones.com
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
--- End Message ---
--- Begin Message ---
Hi. thanks for your reply. I learned php and I have created several web
application before. But all i ever do, is creating php files with one html
form an some php tags that manipulate data and sends it to a database or
another web page (or to itself). Now i like try building a web pages that
have several widgets, gadgets or anything. Therefore i make a web page like
a portal that each segments work independently of each other, something like
home page of gmail or in igoogle or anything. I examined HTML frames in a
project, recently. But, indeed it wasn't a thing that i looking for. Because
the gadgets can have been removed by user, but HTML frames are static absurd
things in web page.
*In summary, I looking for a technology to build php pages with some
independent sections.*
On Fri, Nov 20, 2009 at 11:21 PM, Ashley Sheridan
<a...@ashleysheridan.co.uk>wrote:
> On Fri, 2009-11-20 at 23:15 +0330, Ali Asghar Toraby Parizy wrote:
>
> Hi
> How can i create a web page that include some gadgets? what kind of
> technology do i have to use to creating web pages like igoogle and gmail?
> How can i create them by php?
>
>
> Wow!
>
> Well, first what is it you want to do? Make another iGoogle or Gmail, as
> they are both pretty different beasts. One is a page of 'gadgets' as you
> call them, the other is a web-based email application.
>
> I'm guessing from your post that PHP is new to you. First then, I guess you
> need to decide on where are you getting the gadget parts from? If you can
> find things online that you can embed as Flash apps or iframes, then you
> probably won't need PHP at all. If you are planning on building them
> yourself, then you really will need to learn PHP. There is no magic solution
> to this question I'm afraid, and the scope of it is pretty huge, so you need
> to think about the parts that make it up and tackle each one.
>
>
> Thanks,
> Ash
> http://www.ashleysheridan.co.uk
>
>
>
--- End Message ---
--- Begin Message ---
Good Morning all,
Having a look at the time zone functions in PHP you can enter a time zone
city and get it's lat long. Does anybody know how you can run the function
in reverse (or know of a similar function) i.e. get the time zone city from
the geographic coordinates. Google maps was a thought but the functions are
only for use in google maps which rules out my use for them.
Have a great weekend.
Cheers
--- End Message ---
--- Begin Message ---
This is a simple math problem. Create am array with a start and end
longitude for that timezone and run a comapre from your lay/long co-
ords to see where it falls.
Bastien
Sent from my iPod
On Nov 21, 2009, at 12:25 PM, Haig Davis <level...@gmail.com> wrote:
Good Morning all,
Having a look at the time zone functions in PHP you can enter a time
zone
city and get it's lat long. Does anybody know how you can run the
function
in reverse (or know of a similar function) i.e. get the time zone
city from
the geographic coordinates. Google maps was a thought but the
functions are
only for use in google maps which rules out my use for them.
Have a great weekend.
Cheers
--- End Message ---
--- Begin Message ---
On 21 Nov 2009, at 17:51, Phpster wrote:
> This is a simple math problem. Create am array with a start and end longitude
> for that timezone and run a comapre from your lay/long co-ords to see where
> it falls.
It's not that simple because timezones boundaries don't run in straight lines
from pole to pole.
I Googled and got this among several others...
http://stackoverflow.com/questions/41504/timezone-lookup-from-latitude-longitude
-Stuart
--
http://3ft9.com/
> On Nov 21, 2009, at 12:25 PM, Haig Davis <level...@gmail.com> wrote:
>
>> Good Morning all,
>>
>> Having a look at the time zone functions in PHP you can enter a time zone
>> city and get it's lat long. Does anybody know how you can run the function
>> in reverse (or know of a similar function) i.e. get the time zone city from
>> the geographic coordinates. Google maps was a thought but the functions are
>> only for use in google maps which rules out my use for them.
>>
>> Have a great weekend.
>>
>> Cheers
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
--- End Message ---
--- Begin Message ---
Haig Davis wrote:
> Good Morning all,
>
> Having a look at the time zone functions in PHP you can enter a time zone
> city and get it's lat long. Does anybody know how you can run the function
> in reverse (or know of a similar function) i.e. get the time zone city from
> the geographic coordinates. Google maps was a thought but the functions are
> only for use in google maps which rules out my use for them.
>
> Have a great weekend.
>
> Cheers
>
http://www.geonames.org/export/web-services.html#timezone
--- End Message ---
--- Begin Message ---
On Sat, 21 Nov 2009 09:25:16 -0800, level...@gmail.com (Haig Davis) wrote:
>Good Morning all,
>
>Having a look at the time zone functions in PHP you can enter a time zone
>city and get it's lat long. Does anybody know how you can run the function
>in reverse (or know of a similar function) i.e. get the time zone city from
>the geographic coordinates. Google maps was a thought but the functions are
>only for use in google maps which rules out my use for them.
Don't know what you mean by "Time Zone City". IF the world were organised
scientifically
the time zone for a given location would be given by
Time zone = GMT + (int)Long/15
But, as Stuart has pointed out, it isn't. Melbourne, Sydney, Brisbane, Port
Moresby,
Sakhalin & Okhosh are all on GMT +10, but treat summertime in at least two and
probably
three different ways. Also Okhosh, Tokyo, and Adelaide all have a longitude of
approximately 140°, but are on GMT +10, +9, and +9.5.
If you really want to know the time zone for an arbitrary latitude and
longitude, I doubt
if you have any alternative to looking it up in an atlas.
--- End Message ---
--- Begin Message ---
Rick Pasotto wrote:
> On Fri, Nov 20, 2009 at 04:41:58PM -0600, LAMP wrote:
>> Hi,
>> I need to pull all records from the table Registrants they are NOT
>> in the table ToBeRecleared
>>
>> Registrants.Reg_ID is PK
>> ToBeRecleared.tbrc_Reg_ID is PK
>>
>> Which query is more correct?
>>
>> SELECT r.*
>> FROM registrants r
>> where r.reg_status=1 AND r.reg_id NOT IN (SELECT tbrc_reg_id FROM
>> toberecleared)
>>
>>
>> SELECT r.*
>> FROM registrants r
>> where r.reg_status=1 AND (SELECT count(*) FROM toberecleared where
>> tbrc_reg_id=r.reg_id) = 0
>>
>> I checked explain of bot queries - but can't "read" them. :-)
>
> SELECT t1.*
> FROM registrants t1
> LEFT JOIN ToBeRecleared t2 on t1.reg_id = t2.tbrc_reg_id
> where t2.tbrc_reg_id is NULL
>
^^^ what rick said; the left join with where null is the "correct" one
--- End Message ---
--- Begin Message ---
Hey all,
Every site I've ever stuck a credit card into said "only click
once...". I just this requirement from a client.
a.System should recognize a duplicated click, so the message
in red “only click once” should be unnecessary.
Is this doable???
Has anyone on the list ever done this???
--
====================================
Skip Evans
PenguinSites.com, LLC
503 S Baldwin St, #1
Madison WI 53703
608.250.2720
http://penguinsites.com
------------------------------------
Those of you who believe in
telekinesis, raise my hand.
-- Kurt Vonnegut
--- End Message ---
