php-general Digest 22 Nov 2009 05:31:36 -0000 Issue 6454

Topics (messages 300009 through 300023):

Re: PHP sessions, AJAX, authentication and security.
        300009 by: Phpster
        300010 by: tedd
        300020 by: Nathan Rixham
        300021 by: Angus Mann

Re: CSS and variables
        300011 by: tedd

Re: Creating users and generating privileges for users
        300012 by: tedd
        300015 by: Phpster

Re: How to create a web application like igoogle?
        300013 by: Ali Asghar Toraby Parizy

Extracting a time zone from a latitude longitude
        300014 by: Haig Davis
        300016 by: Phpster
        300017 by: Stuart Dallas
        300018 by: Nathan Rixham
        300022 by: clancy_1.cybec.com.au

Re: Which query is more correct?
        300019 by: Nathan Rixham

Recognizing double clicks
        300023 by: Skip Evans

Administrivia:

To subscribe to the digest, e-mail:
        php-general-digest-subscr...@lists.php.net

To unsubscribe from the digest, e-mail:
        php-general-digest-unsubscr...@lists.php.net

To post to the list, e-mail:
        php-gene...@lists.php.net


----------------------------------------------------------------------
--- Begin Message ---
You could use a one-time token on each request.

Bastien

Sent from my iPod

On Nov 21, 2009, at 6:30 AM, "Angus Mann" <angusm...@pobox.com> wrote:

Hi all.

A question about PHP sessions and their interaction with AJAX.

I have a database containing sensitive information and users need to log in to my PHP script and be authenticated before they are granted access.

For one of the forms I would like to retrieve information using AJAX, and some of that information is sensitive also. The request from AJAX is handled by another, simpler PHP script.

It occurs to me that the AJAX handler could be used to bypass the user authentication and a crafted request sent directly to the AJAX handler to get information without authentication.

Can anyone offer some advice about how to piggy-back the session/authentication data that the user originally used to the AJAX so that only an authenticated user will get a valid response from the AJAX handler? I know I could embed authentication information into the web-page and send this with the AJAX request but I'm interested to know if there are other methods also.

I hope the explanation is clear.

Thanks in advance.

--- End Message ---
--- Begin Message ---
At 9:30 PM +1000 11/21/09, Angus Mann wrote:
Hi all.

A question about PHP sessions and their interaction with AJAX.

I have a database containing sensitive information and users need to log in to my PHP script and be authenticated before they are granted access.

For one of the forms I would like to retrieve information using AJAX, and some of that information is sensitive also. The request from AJAX is handled by another, simpler PHP script.

It occurs to me that the AJAX handler could be used to bypass the user authentication and a crafted request sent directly to the AJAX handler to get information without authentication.

Can anyone offer some advice about how to piggy-back the session/authentication data that the user originally used to the AJAX so that only an authenticated user will get a valid response from the AJAX handler? I know I could embed authentication information into the web-page and send this with the AJAX request but I'm interested to know if there are other methods also.

I hope the explanation is clear.

Thanks in advance.

Angus:

First, don't trust anything that comes from the client -- period.

Second, Ajax is just another way to send stuff to the server. When the data gets to the server then authenticate and set a session variable to indicate such. This is not rocket science, but if you don't do it right you'll leave a crater.

Cheers,

tedd

--
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com

--- End Message ---
--- Begin Message ---
Angus Mann wrote:
> Hi all.
> 
> A question about PHP sessions and their interaction with AJAX.
> 
> I have a database containing sensitive information and users need to log in 
> to my PHP script and be authenticated before they are granted access.
> 
> For one of the forms I would like to retrieve information using AJAX, and 
> some of that information is sensitive also. The request from AJAX is handled 
> by another, simpler PHP script.
> 
> It occurs to me that the AJAX handler could be used to bypass the user 
> authentication and a crafted request sent directly to the AJAX handler to get 
> information without authentication.
> 
> Can anyone offer some advice about how to piggy-back the 
> session/authentication data that the user originally used to the AJAX so that 
> only an authenticated user will get a valid response from the AJAX handler? I 
> know I could embed authentication information into the web-page and send this 
> with the AJAX request but I'm interested to know if there are other methods 
> also.
> 
> I hope the explanation is clear.
> 
> Thanks in advance. 

Same as everywhere else in your apps.. AJAX is no different in any way
at all, not even slightly. As far as PHP and the web server are concerned
it's just a plain old request, same as any other; thus..

<?php
session_start();                         // resume the session the login page created
if( empty($_SESSION['is_logged_in']) ) { // empty() also covers the flag never having been set
  exit();
}
// do stuff

--- End Message ---
--- Begin Message ---
Same as everywhere else in your apps.. AJAX is no different in any way
at all, not even slightly. As far as PHP and the web server are concerned
it's just a plain old request, same as any other; thus..

<?php
session_start();                         // resume the session the login page created
if( empty($_SESSION['is_logged_in']) ) { // empty() also covers the flag never having been set
  exit();
}
// do stuff



Thanks for that. Sometimes the solution is right there in front of you.
The bit of code below does the job nicely for me:

<?php
session_start();                      // resume the session the login script created
if(!isset($_SESSION['username'])){    // the login script sets this only after a successful login
    echo("Go Away.");
    exit();
}
// now work with sensitive data...


--- End Message ---
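Putting together Bastien's suggestion of a one-time token on each request (message 300009) and the session check Nathan and Angus settled on, as an added example that is not code from the thread. It assumes PHP 7.1 or later and a login script that sets $_SESSION['is_logged_in'] and $_SESSION['user_id']; TOKEN_KEY, lookup_record() and the two records it returns are hypothetical names and constructed data for the example.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread. Assumes the login script sets
// $_SESSION['is_logged_in'] and $_SESSION['user_id']; TOKEN_KEY and
// lookup_record() are hypothetical names chosen for this example.

const TOKEN_KEY = 'ajax_token';

/** Mint a fresh one-time token, remember it in the session, return it for the page to embed. */
function issue_token(array &$session): string
{
    $token = bin2hex(random_bytes(16));      // 128 bits from the CSPRNG
    $session[TOKEN_KEY] = $token;
    return $token;
}

/**
 * Gate one AJAX request. Takes the session and request as arrays so the
 * logic can be exercised without a web server. Returns [status, body].
 */
function handle_ajax(array &$session, array $request): array
{
    // 1. Authentication: nothing in the request is trusted; only the server-side session is.
    if (empty($session['is_logged_in'])) {
        return [401, ['error' => 'not logged in']];
    }

    // 2. One-time token: the page embedded it, the request must echo it back exactly once.
    $expected = (string)($session[TOKEN_KEY] ?? '');
    $given    = (string)($request['token'] ?? '');
    if ($expected === '' || !hash_equals($expected, $given)) {   // constant-time compare
        return [403, ['error' => 'missing, wrong or already used token']];
    }
    $next = issue_token($session);   // rotates the token, so a replay of this request fails

    // 3. Authorization on the data: the record must belong to the logged-in user.
    $id = filter_var($request['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        return [400, ['error' => 'bad id', 'token' => $next]];
    }
    $record = lookup_record((int)$session['user_id'], $id);
    if ($record === null) {
        return [404, ['error' => 'no such record', 'token' => $next]];
    }
    return [200, ['data' => $record, 'token' => $next]];
}

/** Stand-in for the real database query; rows are constructed for the example. */
function lookup_record(int $userId, int $recordId): ?array
{
    static $rows = [
        1 => ['id' => 1, 'owner' => 7, 'secret' => 'alpha'],
        2 => ['id' => 2, 'owner' => 9, 'secret' => 'bravo'],
    ];
    $row = $rows[$recordId] ?? null;
    return ($row !== null && $row['owner'] === $userId) ? $row : null;
}

if (PHP_SAPI === 'cli') {
    // Self-check with a simulated session, as the login form would have left it.
    $session = ['is_logged_in' => true, 'user_id' => 7];
    $token   = issue_token($session);
    $expect  = function (array $reply, int $status, string $what): void {
        if ($reply[0] !== $status) { fwrite(STDERR, "FAIL $what: got {$reply[0]}\n"); exit(1); }
    };
    $expect(handle_ajax($session, ['id' => 1, 'token' => $token]), 200, 'own record, fresh token');
    $expect(handle_ajax($session, ['id' => 1, 'token' => $token]), 403, 'same token replayed');
    $token = $session[TOKEN_KEY];
    $expect(handle_ajax($session, ['id' => 2, 'token' => $token]), 404, "another user's record");
    $anon = [];
    $expect(handle_ajax($anon, ['id' => 1, 'token' => $token]), 401, 'crafted request, no session');
    echo "all checks passed\n";
} else {
    // Web entry point: identical logic over the real session and request.
    session_start();
    [$status, $body] = handle_ajax($_SESSION, $_REQUEST);
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode($body);
}
```

Run from the command line it checks itself against a simulated session; placed behind the web server it is the AJAX handler. The session check is what stops a crafted request: $_SESSION lives on the server, and a request sent straight to the handler without the login cookie has no is_logged_in flag at all. The token adds two things the session alone does not give: a page-bound secret that a cross-site request cannot know, and a rotate-on-use rule that makes a captured request single-use. The token is always issued into the session and compared with hash_equals; it is never accepted from the client as proof of anything by itself.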
--- Begin Message ---
This might help:

http://sperling.com/examples/pcss/

Cheers,

tedd

--
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com

--- End Message ---
--- Begin Message ---
At 6:36 PM -0600 11/20/09, nitin reddy wrote:
Hey, can anyone help me in creating different users using MySQL for PHP and
assigning different privileges to them? Any sample code available?
--
PASULA NITIN REDDY
Graduate Student in Computer Science Department
University of Minnesota,Twin Cities
Minneapolis.

PASULA:

And where do you want us to send your homework?

Seriously, if you want help, please show us what you've done -- from there we can move on.

Cheers,

tedd
--
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com

--- End Message ---
--- Begin Message ---
Check out the GRANT command in SQL for your database.

Bastien

Sent from my iPod

On Nov 21, 2009, at 9:05 AM, tedd <tedd.sperl...@gmail.com> wrote:

At 6:36 PM -0600 11/20/09, nitin reddy wrote:
Hey, can anyone help me in creating different users using MySQL for PHP and
assigning different privileges to them? Any sample code available?
--
PASULA NITIN REDDY
Graduate Student in Computer Science Department
University of Minnesota,Twin Cities
Minneapolis.

PASULA:

And where do you want us to send your homework?

Seriously, if you want help, please show us what you've done -- from there we can move on.

Cheers,

tedd
--
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


--- End Message ---
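A worked version of Bastien's pointer to GRANT, as an added example that is not code from the thread: it provisions two least-privilege MySQL accounts from PHP, one for the web pages and one read-only for reporting, each tied to a host pattern so the credentials are useless from anywhere else. It needs a MySQL 5.7+ or 8.0 server and an administrative login read from environment variables; those variable names, the shop schema, the account names and the host patterns are assumptions for the example.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread. Provisions least-privilege MySQL
// accounts for a PHP application. Needs a MySQL 5.7+ or 8.0 server and an
// administrative login; the environment variable names, account names,
// schema name and host patterns below are assumptions for the example.

/** Privileges an application account may ever receive here: no ALL, no GRANT OPTION, no DDL. */
const ALLOWED_PRIVILEGES = ['SELECT', 'INSERT', 'UPDATE', 'DELETE', 'EXECUTE'];

/**
 * Build the CREATE USER and GRANT statements for one account. MySQL cannot
 * bind account names, schema names or privilege lists as parameters, so they
 * are whitelisted with regexes; the password is escaped by the live connection.
 */
function account_statements(mysqli $db, string $user, string $host, string $schema, array $privileges, string $password): array
{
    foreach ([$user, $schema] as $name) {
        if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $name)) {
            throw new InvalidArgumentException("refusing identifier: $name");
        }
    }
    if (!preg_match('/^[A-Za-z0-9_.%:-]{1,60}$/', $host)) {
        throw new InvalidArgumentException("refusing host pattern: $host");
    }
    foreach ($privileges as $priv) {
        if (!in_array($priv, ALLOWED_PRIVILEGES, true)) {
            throw new InvalidArgumentException("privilege not allowed for application accounts: $priv");
        }
    }
    $account = sprintf("'%s'@'%s'", $user, $host);
    $secret  = $db->real_escape_string($password);
    return [
        "CREATE USER IF NOT EXISTS $account IDENTIFIED BY '$secret'",
        sprintf('GRANT %s ON `%s`.* TO %s', implode(', ', $privileges), $schema, $account),
    ];
}

/** Create each account with a fresh random password; print the SQL instead when $dryRun is set. */
function provision(mysqli $db, array $accounts, bool $dryRun): void
{
    foreach ($accounts as [$user, $host, $schema, $privileges]) {
        $password = bin2hex(random_bytes(24));            // 192-bit random password
        foreach (account_statements($db, $user, $host, $schema, $privileges, $password) as $sql) {
            if ($dryRun) {
                echo preg_replace("/IDENTIFIED BY '.*'/", "IDENTIFIED BY '***'", $sql), ";\n";
            } else {
                $db->query($sql);                          // throws on error (MYSQLI_REPORT_STRICT below)
            }
        }
        if (!$dryRun) {
            fprintf(STDERR, "%s@%s password (put it in your secret store now): %s\n", $user, $host, $password);
        }
    }
}

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli(
    getenv('MYSQL_HOST') ?: '127.0.0.1',
    getenv('MYSQL_ADMIN_USER') ?: 'root',
    getenv('MYSQL_ADMIN_PASSWORD') ?: '',
    'mysql'
);

// user            host pattern (only the app / report servers)  schema  privileges
$accounts = [
    ['shop_web',    '10.0.1.%', 'shop', ['SELECT', 'INSERT', 'UPDATE', 'DELETE']],  // what the PHP pages need
    ['shop_report', '10.0.2.5', 'shop', ['SELECT']],                                // read-only reporting
];
provision($db, $accounts, in_array('--dry-run', $argv ?? [], true));
```

Run it with --dry-run first to see the statements. The point worth noticing is that the names in CREATE USER and GRANT cannot be prepared-statement parameters, so the regex whitelist is the only thing standing between a config value and the SQL; and that the PHP application itself should then connect as shop_web, never as the administrative account used here.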
--- Begin Message ---
Hi. Thanks for your reply. I learned PHP and I have created several web
applications before. But all I ever do is create PHP files with one HTML
form and some PHP tags that manipulate data and send it to a database or
another web page (or to itself). Now I'd like to try building web pages that
have several widgets, gadgets or anything. Therefore I want to make a web page like
a portal in which each segment works independently of the others, something like
the home page of Gmail or iGoogle. I examined HTML frames in a
project recently. But indeed it wasn't the thing I was looking for, because
the gadgets can be removed by the user, but HTML frames are static, absurd
things in a web page.
*In summary, I'm looking for a technology to build PHP pages with some
independent sections.*

On Fri, Nov 20, 2009 at 11:21 PM, Ashley Sheridan
<a...@ashleysheridan.co.uk>wrote:

>  On Fri, 2009-11-20 at 23:15 +0330, Ali Asghar Toraby Parizy wrote:
>
> Hi
> How can i create a web page that include some gadgets? what kind of
> technology do i have to use to creating web pages like igoogle and gmail?
> How can i create them by php?
>
>
> Wow!
>
> Well, first what is it you want to do? Make another iGoogle or Gmail, as
> they are both pretty different beasts. One is a page of 'gadgets' as you
> call them, the other is a web-based email application.
>
> I'm guessing from your post that PHP is new to you. First then, I guess you
> need to decide on where are you getting the gadget parts from? If you can
> find things online that you can embed as Flash apps or iframes, then you
> probably won't need PHP at all. If you are planning on building them
> yourself, then you really will need to learn PHP. There is no magic solution
> to this question I'm afraid, and the scope of it is pretty huge, so you need
> to think about the parts that make it up and tackle each one.
>
>
>   Thanks,
> Ash
> http://www.ashleysheridan.co.uk
>
>
>

--- End Message ---
--- Begin Message ---
Good Morning all,

Having a look at the time zone functions in PHP you can enter a time zone
city and get its lat/long. Does anybody know how you can run the function
in reverse (or know of a similar function), i.e. get the time zone city from
the geographic coordinates? Google Maps was a thought but the functions are
only for use in Google Maps, which rules out my use for them.

Have a great weekend.

Cheers

--- End Message ---
--- Begin Message ---
This is a simple math problem. Create an array with a start and end longitude for that timezone and run a compare from your lat/long co-ords to see where it falls.

Bastien

Sent from my iPod

On Nov 21, 2009, at 12:25 PM, Haig Davis <level...@gmail.com> wrote:

Good Morning all,

Having a look at the time zone functions in PHP you can enter a time zone city and get its lat/long. Does anybody know how you can run the function in reverse (or know of a similar function), i.e. get the time zone city from the geographic coordinates? Google Maps was a thought but the functions are only for use in Google Maps, which rules out my use for them.

Have a great weekend.

Cheers

--- End Message ---
--- Begin Message ---
On 21 Nov 2009, at 17:51, Phpster wrote:
> This is a simple math problem. Create an array with a start and end longitude 
> for that timezone and run a compare from your lat/long co-ords to see where 
> it falls.

It's not that simple because timezone boundaries don't run in straight lines 
from pole to pole.

I Googled and got this among several others...

http://stackoverflow.com/questions/41504/timezone-lookup-from-latitude-longitude

-Stuart

-- 
http://3ft9.com/


> On Nov 21, 2009, at 12:25 PM, Haig Davis <level...@gmail.com> wrote:
> 
>> Good Morning all,
>> 
>> Having a look at the time zone functions in PHP you can enter a time zone
>> city and get its lat/long. Does anybody know how you can run the function
>> in reverse (or know of a similar function), i.e. get the time zone city from
>> the geographic coordinates? Google Maps was a thought but the functions are
>> only for use in Google Maps, which rules out my use for them.
>> 
>> Have a great weekend.
>> 
>> Cheers
> 


--- End Message ---
--- Begin Message ---
Haig Davis wrote:
> Good Morning all,
> 
> Having a look at the time zone functions in PHP you can enter a time zone
> city and get it's lat long. Does anybody know how you can run the function
> in reverse (or know of a similar function) i.e. get the time zone city from
> the geographic coordinates. Google maps was a thought but the functions are
> only for use in google maps which rules out my use for them.
> 
> Have a great weekend.
> 
> Cheers
> 

http://www.geonames.org/export/web-services.html#timezone

--- End Message ---
--- Begin Message ---
On Sat, 21 Nov 2009 09:25:16 -0800, level...@gmail.com (Haig Davis) wrote:

>Good Morning all,
>
>Having a look at the time zone functions in PHP you can enter a time zone
>city and get its lat/long. Does anybody know how you can run the function
>in reverse (or know of a similar function), i.e. get the time zone city from
>the geographic coordinates? Google Maps was a thought but the functions are
>only for use in Google Maps, which rules out my use for them.

Don't know what you mean by "Time Zone City". IF the world were organised scientifically, the time zone for a given location would be given by

Time zone = GMT + (int)Long/15

But, as Stuart has pointed out, it isn't. Melbourne, Sydney, Brisbane, Port Moresby, Sakhalin & Okhosh are all on GMT +10, but treat summertime in at least two and probably three different ways. Also Okhosh, Tokyo, and Adelaide all have a longitude of approximately 140°, but are on GMT +10, +9, and +9.5.

If you really want to know the time zone for an arbitrary latitude and longitude, I doubt if you have any alternative to looking it up in an atlas.


--- End Message ---
--- Begin Message ---
Rick Pasotto wrote:
> On Fri, Nov 20, 2009 at 04:41:58PM -0600, LAMP wrote:
>> Hi,
>> I need to pull all records from the table Registrants they are NOT
>> in the table ToBeRecleared
>>
>> Registrants.Reg_ID is PK
>> ToBeRecleared.tbrc_Reg_ID is PK
>>
>> Which query is more correct?
>>
>> SELECT r.*
>> FROM registrants r
>> where r.reg_status=1 AND r.reg_id NOT IN (SELECT tbrc_reg_id FROM
>> toberecleared)
>>
>>
>> SELECT r.*
>> FROM registrants r
>> where r.reg_status=1 AND (SELECT count(*) FROM toberecleared where
>> tbrc_reg_id=r.reg_id) = 0
>>
>> I checked explain of both queries - but can't "read" them.  :-)
> 
> SELECT t1.*
> FROM registrants t1
> LEFT JOIN ToBeRecleared t2 on t1.reg_id = t2.tbrc_reg_id
> where t2.tbrc_reg_id is NULL
> 

^^^ what rick said; the left join with where null is the "correct" one

--- End Message ---
--- Begin Message ---
Hey all,

Every site I've ever stuck a credit card into said "only click once...". I just got this requirement from a client.

a. System should recognize a duplicated click, so the message in red "only click once" should be unnecessary.

Is this doable???

Has anyone on the list ever done this???
--
====================================
Skip Evans
PenguinSites.com, LLC
503 S Baldwin St, #1
Madison WI 53703
608.250.2720
http://penguinsites.com
------------------------------------
Those of you who believe in
telekinesis, raise my hand.
 -- Kurt Vonnegut

--- End Message ---
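How the server side of that requirement can work, as an added example that is not from the thread: every rendered form carries a one-time token, and the handler claims the token before it does anything else, so a second click with the same token is recognised and answered with the first click's receipt instead of being charged again. SubmissionStore, FakeGateway, the form_token field and the submissions at the bottom are hypothetical names and constructed data; PHP 7.4 or later is assumed.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread. SubmissionStore, FakeGateway and the
// form_token field name are hypothetical; the submissions below are constructed.

/**
 * Server-side state of every form token. An array here, so the example runs
 * offline; in production a table keyed by the token, where claim() is
 * "UPDATE ... SET state='processing' WHERE token=? AND state='pending'" and
 * counts as won only if exactly one row was affected, so two PHP workers
 * handling the two clicks cannot both proceed.
 */
final class SubmissionStore
{
    /** @var array<string, array{state: string, result: ?array}> */
    private array $rows = [];

    /** Mint a token when the form is rendered; it goes into a hidden field. */
    public function issue(): string
    {
        $token = bin2hex(random_bytes(16));
        $this->rows[$token] = ['state' => 'pending', 'result' => null];
        return $token;
    }

    /** Try to move the token from pending to processing; return the state it was in. */
    public function claim(string $token): string
    {
        $state = $this->rows[$token]['state'] ?? 'unknown';
        if ($state === 'pending') {
            $this->rows[$token]['state'] = 'processing';
        }
        return $state;
    }

    public function finish(string $token, array $result): void
    {
        $this->rows[$token] = ['state' => 'done', 'result' => $result];
    }

    public function result(string $token): ?array
    {
        return $this->rows[$token]['result'] ?? null;
    }
}

/** Stand-in for the card processor; counts how many charges really happen. */
final class FakeGateway
{
    public int $charges = 0;

    public function charge(int $cents): string
    {
        $this->charges++;
        return sprintf('receipt-%d-%d', $this->charges, $cents);
    }
}

/** Handle one POST of the payment form. Returns [HTTP status, body]. */
function handle_submit(SubmissionStore $store, FakeGateway $gateway, array $post): array
{
    $token = (string)($post['form_token'] ?? '');
    $cents = filter_var($post['amount_cents'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if (!preg_match('/^[0-9a-f]{32}$/', $token) || $cents === false) {
        return [400, ['error' => 'malformed submission']];   // validated before claiming, so no token is left stuck
    }
    switch ($store->claim($token)) {
        case 'pending':                      // first click: the only path that charges
            $receipt = $gateway->charge($cents);
            $result  = ['receipt' => $receipt, 'amount_cents' => $cents];
            $store->finish($token, $result);
            return [200, $result];
        case 'processing':                   // second click while the first is still running
            return [409, ['error' => 'your order is being processed, please wait']];
        case 'done':                         // second click after the first finished: same receipt, no new charge
            return [200, ['duplicate' => true] + ($store->result($token) ?? [])];
        default:                             // never issued: a forged or long-expired form
            return [400, ['error' => 'unknown or expired form token']];
    }
}

// Demo: one rendered form, clicked twice, then a forged token.
$store   = new SubmissionStore();
$gateway = new FakeGateway();
$token   = $store->issue();     // rendered as <input type="hidden" name="form_token" value="...">
$post    = ['form_token' => $token, 'amount_cents' => '1999'];

[$s1, $b1] = handle_submit($store, $gateway, $post);    // first click
[$s2, $b2] = handle_submit($store, $gateway, $post);    // second click, same form
[$s3, $b3] = handle_submit($store, $gateway, ['form_token' => str_repeat('0', 32), 'amount_cents' => '1999']);

printf("first: %d %s\nsecond: %d %s (duplicate=%s)\nforged: %d\ncharges made: %d\n",
    $s1, $b1['receipt'], $s2, $b2['receipt'], var_export($b2['duplicate'] ?? false, true), $s3, $gateway->charges);
```

The order of checks matters: the amount is validated before the token is claimed, so a malformed request never leaves a token stuck in processing. The array store only guards one process; two clicks are two concurrent PHP requests, so in production the claim has to be an atomic database update keyed by the token. Be aware that PHP's default files session handler locks the session file for the whole request, which serialises two requests from the same browser and can hide this race in testing; that protection disappears once sessions move to a shared store or session_write_close() is called early.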
