php-general Digest 18 Aug 2011 09:31:46 -0000 Issue 7446
Topics (messages 314539 through 314554):
Re: (Kinda sorta) PHP related: recovering lost passwords
314539 by: Lester Caine
314541 by: Richard Quadling
314543 by: Bastien
314549 by: James Colannino
314551 by: James Colannino
Re: Newbie question. What is the best structure of a php-app?
314540 by: Dajka Tamás
314542 by: Richard Quadling
Why count() returns no error when string is given ?
314544 by: rsk82.live.com
314545 by: Florian Lemaitre
314546 by: Florian Lemaitre
314547 by: rsk82.live.com
314548 by: Florian Lemaitre
Secure vs httpOnly cookie flag: is one better?
314550 by: Jen Rasmussen
314552 by: Andrew Ballard
314553 by: Jen Rasmussen
TEST ONLY
314554 by: Anders Norrbring
Administrivia:
To subscribe to the digest, e-mail:
[email protected]
To unsubscribe from the digest, e-mail:
[email protected]
To post to the list, e-mail:
[email protected]
----------------------------------------------------------------------
--- Begin Message ---
James Colannino wrote:
> If it matches the unencrypted version stored in the
> database, you know you have the correct answer, and use it to decrypt
> the user's password and send it to the email the user has setup for
> their account.
All the good sites simply don't have that capability ...
Much safer rather than 'recovering' a password is to identify the user, and send
them a temporary password which they have to change when they log in. This way
nobody is allowed access to existing passwords ;)
--
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk//
Firebird - http://www.firebirdsql.org/index.php
--- End Message ---
--- Begin Message ---
On 16 August 2011 09:14, James Colannino <[email protected]> wrote:
> Hi everyone,
>
> I don't post all that often, so I hope my (mildly) off-topic question
> won't be too unwelcome... Keep in mind that I'm still pretty new when
> it comes to security, so what I propose may or may not sound incredibly
> dumb (you have been warned! :-P)
>
> I'm working on a project in PHP, a toy framework, and would really like
> to be able to send someone their password should they ever forget it.
> The only problem is that it's best not to store the actual password in
> the database, or at least to store it unencrypted.
>
> Security-wise, how would the following scenario work out for password
> retrieval:
>
> You ask the user to setup a "security question" when they create their
> account. You use the string value of the answer to the question as a
> cryptographic key, and encrypt the password with it. You also generate
> a random string of characters, and encrypt it with the same key. You
> store the encrypted password, along with both the encrypted and
> unencrypted versions of the randomly generated string, in the database.
>
> When the user goes to retrieve their password, they enter their security
> question. The randomly generated string is then decrypted using the
> answer as the key. If it matches the unencrypted version stored in the
> database, you know you have the correct answer, and use it to decrypt
> the user's password and send it to the email the user has setup for
> their account.
>
> James
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
Take a look at https://code.google.com/p/loginsystem-rd/
Whilst it is just a login system, the techniques here could be adapted
and probably learned from (if you are new to security).
--
Richard Quadling
Twitter : EE : Zend : PHPDoc
@RQuadling : e-e.com/M_248814.html : bit.ly/9O8vFY : bit.ly/lFnVea
--- End Message ---
--- Begin Message ---
On 2011-08-16, at 5:08 AM, Richard Quadling <[email protected]> wrote:
> Take a look at https://code.google.com/p/loginsystem-rd/
>
> Whilst it is just a login system, the techniques here could be adapted
> and probably learned from (if you are new to security).
Never never send emails with passwords. I have a number of clients who are
requesting that the user answer a security question and then it emails a link
with a defined lifespan which will allow them to change the password.
If they don't click the link in time, it expires and the process starts all
over again.
Bastien
--- End Message ---
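The reset flow Lester and Bastien describe (identify the user, send a link with a defined lifespan, never the password itself), as an added example that is not code from the thread. It assumes PHP 5.3+, a PDO handle `$db` and a hypothetical table `password_resets(user_id, token_hash, expires_at)`; only a hash of the token is stored, so a database leak does not yield working reset links.

```php
<?php
// Added example, not code from the thread. Assumes PHP 5.3+, a PDO handle $db
// and a hypothetical table password_resets(user_id, token_hash, expires_at).

function generate_token($bytes = 32) {
    // Cryptographic randomness; openssl_random_pseudo_bytes exists since 5.3.
    $raw = openssl_random_pseudo_bytes($bytes, $strong);
    if ($raw === false || !$strong) {
        throw new RuntimeException('no secure random source available');
    }
    return bin2hex($raw);
}

function hash_equals_compat($known, $given) {
    // Constant-time comparison; hash_equals() itself only arrived in 5.6.
    if (function_exists('hash_equals')) {
        return hash_equals($known, $given);
    }
    if (strlen($known) !== strlen($given)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($known); $i < $n; $i++) {
        $diff |= ord($known[$i]) ^ ord($given[$i]);
    }
    return $diff === 0;
}

function create_reset_link(PDO $db, $user_id, $base_url, $lifetime = 3600) {
    $token = generate_token();
    // One outstanding token per user: a new request replaces the old one.
    $db->prepare('DELETE FROM password_resets WHERE user_id = ?')
       ->execute(array($user_id));
    $db->prepare('INSERT INTO password_resets (user_id, token_hash, expires_at) VALUES (?, ?, ?)')
       ->execute(array($user_id, hash('sha256', $token), time() + $lifetime));
    // The raw token goes only into the e-mail; the database sees its hash.
    return $base_url . '?uid=' . (int)$user_id . '&token=' . $token;
}

function consume_reset_token(PDO $db, $user_id, $token) {
    $stmt = $db->prepare('SELECT token_hash, expires_at FROM password_resets WHERE user_id = ?');
    $stmt->execute(array($user_id));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row) {
        return false;
    }
    $expired = $row['expires_at'] < time();
    $valid = hash_equals_compat($row['token_hash'], hash('sha256', (string)$token));
    if ($expired || !$valid) {
        if ($expired) {
            // Expired links are cleaned up; the user starts the process again.
            $db->prepare('DELETE FROM password_resets WHERE user_id = ?')->execute(array($user_id));
        }
        return false;
    }
    // Single use: delete on success so the link cannot be replayed; the caller
    // then shows the "choose a new password" form.
    $db->prepare('DELETE FROM password_resets WHERE user_id = ?')->execute(array($user_id));
    return true;
}
```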
--- Begin Message ---
On 08/16/11 01:30, Lester Caine wrote:
> All the good sites simply don't have that capability ...
> Much safer rather than 'recovering' a password is to identify the user,
> and send them a temporary password which they have to change when they
> log in. This way nobody is allowed access existing passwords ;)
Good point. I think I'll go that route instead.
James
--- End Message ---
--- Begin Message ---
On 08/16/11 02:08, Richard Quadling wrote:
> Take a look at https://code.google.com/p/loginsystem-rd/
>
> Whilst it is just a login system, the techniques here could be adapted
> and probably learned from (if you are new to security).
Ah, that looks interesting. Thanks for the link!
James
--- End Message ---
--- Begin Message ---
Hi,
Surely there's a wiki/doc somewhere :)
But for the start:
1) plan what exactly you want to accomplish ( functionality )
2) complexity
- if simple, just throw it in one php ( like index.php )
- if more complex, you can separate the pages and/or use classes
3) based on 2), plan the structure ( I'm using mostly one entry point -
index.php - with classes, templates, files included, since I like things
separated )
Some things you should not forget:
- the whole webapp thing is event based ( client will do something - press a link -
and the server will react ) - the connection is not maintained all the time
- PHP is server side (harder to debug), you cannot do anything on client side (
just push what to display ) ( JS is client side )
- you can start the session whenever you want ( it's nearly the first line of
my app ), but you should control the access with variables, like if (
$_SESSION['uid'] ) or if ( $_SESSION['loggedin'] )
- most webservers interpret things between <?php ?> even if the file name ends
with .htm or .html
- for JS and connection related things FireBug for FireFox is a good idea ( you
can track what's submitted, etc )
What I'm liking:
- one entry point ( index.php )
- sub-pages are separate php/template pairs BUT are included from index.php (
after access verification, etc )
- nearly all the functions are put in separate classes ( like user.class.php
for user related things - login, logout, etc )
- using a template engine is not a very bad idea ( like Smarty ), you can
separate the real code from html, which makes debugging easier - at least for me
:)
BTW, take a look at some free stuff. You can always learn from others. There
are some good ideas in open CMS systems, like Joomla.
Cheers,
Tom
-----Original Message-----
From: Andreas [mailto:[email protected]]
Sent: Tuesday, August 16, 2011 12:39 AM
To: [email protected]
Subject: [PHP] Newbie question. What is the best structure of a php-app?
Hi,
I'm fairly new to PHP but not to programming as such. Currently I set up
XAMPP with xdebug, Netbeans and Eclipse to get a feeling.
I can write and run php-files but I am wondering how I should construct
a more complex application that runs over several pages between a login
and a logout.
How would I structure such an application so that it is possible to run
it in the debugger from the beginning?
E.g. as a simple example I may build an index.html that has a menu with
links to 3 php-files.
1) login.php
2) enter_data.php
3) list_data.php
as html-links within an ul-list.
The user should at first click on login where user/password gets entered
and a session starts.
Then the application comes back to index.html.
Now he might click 2) ...
Is it possible to run the whole application from the start on?
index.html is no php so xdebug won't process it and therefore the IDEs
may start index.html but can't show the stage where the page is just
waiting e.g. for a click on "login" and later branch for the other options.
Even if I write an index.php that shows the menu, eventually the script
just dumps the html that'll wait for the following clicks.
Those following steps are far more likely in need to be debugged.
Is it necessary to debug those subpages separately even though they
need prior steps like login.php that store some infos in a session or
cookie that later scripts need to rely on?
Can I somehow watch what is going on from the index.html on?
Until now I just found documentation that explains the php language.
That's good too but I'd need to get an idea about the "web-app-thinking"
that consists of just pages where the designer has to hope that the user
stays within the application flow instead of clicking unexpectedly on the
back-button or just jumping off to some other site if he likes to.
In contrast to this desktop-apps seem to be less demanding because I
know where a user can navigate from a certain stage within the app and I
could step from program start to stop with the debugger if I feel the
need to.
Is there a tutorial that explains how to build consistent web-apps
beyond the details of php language?
regards...
--- End Message ---
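The single-entry-point layout Tamás describes, with the access check done in index.php before a sub-page is included, as an added example (not code from the thread). It uses the three page names from Andreas's question; the `pages/` directory and `resolve_page()` are hypothetical. The page is chosen from an allowlist, never from the request string itself, so the `include` can only ever reach a known file.

```php
<?php
// Added example, not code from the thread. File names under pages/ and the
// resolve_page() helper are hypothetical; the session flags are the ones
// Tamás mentions ($_SESSION['loggedin'], $_SESSION['uid']).
session_start();

// Allowlist of sub-pages: request names map to files, with an auth flag.
$pages = array(
    'login'      => array('file' => 'pages/login.php',      'auth' => false),
    'logout'     => array('file' => 'pages/logout.php',     'auth' => true),
    'enter_data' => array('file' => 'pages/enter_data.php', 'auth' => true),
    'list_data'  => array('file' => 'pages/list_data.php',  'auth' => true),
);

function resolve_page(array $pages, $requested, $logged_in) {
    // Missing, non-string (e.g. ?page[]=x) or unknown names fall back to a
    // safe default rather than being used in a path.
    if (!is_string($requested) || !isset($pages[$requested])) {
        return $logged_in ? 'list_data' : 'login';
    }
    // Protected pages are only reachable once login.php has set the flag.
    if ($pages[$requested]['auth'] && !$logged_in) {
        return 'login';
    }
    return $requested;
}

$logged_in = !empty($_SESSION['loggedin']);
$page = resolve_page($pages, isset($_GET['page']) ? $_GET['page'] : null, $logged_in);

// pages/login.php, on a successful password check, should do:
//   session_regenerate_id(true);
//   $_SESSION['loggedin'] = true;
//   $_SESSION['uid'] = $user_id;
// and pages/logout.php should call session_destroy().

require dirname(__FILE__) . '/' . $pages[$page]['file'];
```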
--- Begin Message ---
On 16 August 2011 09:53, Dajka Tamás <[email protected]> wrote:
I like the Zend Framework layout where the class names and file names
are created according to a standard
(http://groups.google.com/group/php-standards/web/psr-0-final-proposal?pli=1)
And by putting the codebase outside of docroot (include_path is your
friend here), you allow the framework to be used on multiple sites on
the same server.
For me, the only things I have in my docroot are statics (css, js,
images, html) and index.php (though occasional one-shot utils will
exist there).
When I develop, I have 3 versions of the site (live, test and dev).
www.site.com, test.site.com and dev.site.com
I have separate SQL Server instances (I'm on Windows and mainly
develop for MS SQL Server - though Mongo and SQLite are now both
becoming an active part of my work).
Keeping everything separate in the three environments allows you to
play to your heart's content (dev), provide a testable app (test) and
a live site untouched by human hand (www).
I also use tools called SQL Compare and SQL Data Compare from
RedGate (they also have tools for mysql). These allow me to compare my
DB schemas and produce a changeset for the DB, both the schema and the
data.
So, when it comes to upgrading the DB, I compare dev to test and
upgrade test. I log the changeset into my version control system
allowing me to reuse the changeset on the live dbs.
If I need to make more changes to the DB, I issue a new changeset for
those changes. No need to amend the previous changeset.
Does this mean that sometimes I'm rolling back changes? Yes, but I'm
doing so in a controlled and reportable/repeatable manner. No
different to any other VCS.
I hope these points help.
Richard.
--
Richard Quadling
Twitter : EE : Zend : PHPDoc
@RQuadling : e-e.com/M_248814.html : bit.ly/9O8vFY : bit.ly/lFnVea
--- End Message ---
--- Begin Message ---
For example when I do:
strlen(array(1,2,3));
php shows: Warning: strlen() expects parameter 1 to be string, array
given in...
but when I do:
count('string');
It simply returns 1 like nothing happened. I would expect such
behavior if I write:
count((array)'string')
but otherwise such behavior is very misleading and inconsistent.
--- End Message ---
--- Begin Message ---
Le 16/08/2011 16:29, [email protected] a écrit :
manual : function.count.php
"Returns the number of elements in var. If var is not an array or an
object with implemented Countable interface
<http://www.php.net/manual/en/class.countable.php>, 1 will be
returned. There is one exception, if var is NULL, 0 will be returned."
--- End Message ---
--- Begin Message ---
Le 16/08/2011 16:32, Florian Lemaitre a écrit :
Oups...
"Returns the number of elements in var. If var is not an array or an
object with implemented Countable interface, 1 will be returned. There
is one exception, if var is NULL, 0 will be returned."
--- End Message ---
--- Begin Message ---
Hello Florian,
Tuesday, August 16, 2011, 4:32:39 PM, you wrote:
> manual : function.count.php
> "Returns the number of elements in var. If var is not an array or an
> object with implemented Countable interface
> <http://www.php.net/manual/en/class.countable.php>, 1 will be
> returned. There is one exception, if var is NULL, 0 will be returned."
Yes I know, but I wonder what is the master reason behind this line of
doing things?
The fact that something is documented shouldn't make it automatically
right. Are there scripts where people are putting strings into count
on purpose, not by accident? Does this behavior have some grand
purpose behind it, or is it just a historical accident from the early days
of php?
--
Best regards,
rsk82 mailto:[email protected]
--- End Message ---
--- Begin Message ---
Le 16/08/2011 16:50, [email protected] a écrit :
This question has already been discussed 8 days ago in this mailing list.
You can see the archive here:
http://www.mail-archive.com/[email protected]/msg267800.html
--- End Message ---
--- Begin Message ---
Thank you in advance for your input on my question here.
I am currently running PHP 5.1.6 and would prefer to set both the secure and
httpOnly flags for a session cookie; however, httpOnly is not added until PHP
5.2. I have found an elegant way to set it ( courtesy of:
http://www.youtube.com/watch?v=UW0UhYfs1es ) but I am unable to set both the
secure and the httpOnly flags. I realize the post is quite old, but doh!, so
is my version of PHP :)
My guess is that if forced to choose, I should opt for secure but would
prefer to do so with any opinions you may offer in mind.
Thanks!!
Jen
--- End Message ---
--- Begin Message ---
On Tue, Aug 16, 2011 at 1:01 PM, Jen Rasmussen <[email protected]> wrote:
> Thank you in advance for your input on my question here.
>
> I am currently running PHP 5.1.6 and would prefer to set both the secure and
> httpOnly flags for a session cookie; however, httpOnly is not added until PHP
> 5.2. I have found an elegant way to set it ( courtesy of:
> http://www.youtube.com/watch?v=UW0UhYfs1es ) but I am unable to set both the
> secure and the httpOnly flags. I realize the post is quite old, but doh!, so
> is my version of PHP :)
>
> My guess is that if forced to choose, I should opt for secure but would
> prefer to do so with any opinions you may offer in mind.
I don't see the relevance of the address you cited above, but if you
are referring to the workaround that I showed you last week --
http://marc.info/?l=php-general&m=131281548332245&w=2
-- you can easily extend the technique to set both flags.
header('Set-Cookie: cookie_name=value; secure; HttpOnly');
Andrew
--- End Message ---
--- Begin Message ---
Andrew,
Wow, copied and pasted in the wrong link ...no wonder it made no sense -
WHOOPS!!
The correct link is:
http://blog.mattmecham.com/2006/09/12/http-only-cookies-without-php-52/comment-page-1/#comment-14609
Below are the methods I WAS working with (similar to your recommendation last
week - thank you) and expanded with the blog post above recommendations.
@setcookie( $name, $value, $expires, $path, $domain . '; HttpOnly' ); // sets
http flag but not secure (not included)
@setcookie( $name, $value, $expires, $path, $domain, TRUE ); // sets secure but
not http (not included)
@setcookie( $name, $value, $expires, $path, $domain, TRUE . '; HttpOnly' ); //
sets secure but not http (included)
What I've landed on in case this helps anyone else is the following:
@setcookie( $name, $value, $expires, $path, $domain . 'secure; HttpOnly' ); //
this sets both http flag and secure
What made it work was using the word secure rather than a Boolean value and
putting it within the quotes along with HttpOnly.
Thanks!
Jen
--- End Message ---
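Andrew's approach of writing the `Set-Cookie` header directly, carried through for the PHP session cookie on a pre-5.2 PHP, as an added example that is not code from the thread. The function name is hypothetical; it assumes the session id is carried only by this cookie (so PHP's own cookie handling is turned off) and that the cookie is only ever sent over HTTPS, since a `secure` cookie sent over plain HTTP is simply dropped by the browser.

```php
<?php
// Added example, not code from the thread. set_cookie_secure_httponly() is a
// hypothetical helper; on PHP < 5.2 setcookie() has no httponly argument, so
// the header is written with header() and both attributes appended.

function set_cookie_secure_httponly($name, $value, $expires = 0, $path = '/', $domain = '') {
    // A "secure" cookie over plain HTTP is discarded by the browser and the
    // user silently loses the session, so refuse rather than fail quietly.
    if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
        return false;
    }
    // Encode like setcookie() does, so a ';' inside $value cannot smuggle
    // extra attributes into the header.
    $cookie = rawurlencode($name) . '=' . rawurlencode($value);
    if ($expires > 0) {
        $cookie .= '; expires=' . gmdate('D, d-M-Y H:i:s', $expires) . ' GMT';
    }
    if ($path !== '') {
        $cookie .= '; path=' . $path;
    }
    if ($domain !== '') {
        $cookie .= '; domain=' . $domain;
    }
    $cookie .= '; secure; HttpOnly';
    // replace=false keeps any other Set-Cookie headers already queued.
    header('Set-Cookie: ' . $cookie, false);
    return true;
}

// Using it for the PHP session cookie: stop PHP from sending its own cookie
// (which would lack HttpOnly) and resume the session from our cookie instead.
ini_set('session.use_cookies', 0);       // PHP neither sends nor reads the cookie
ini_set('session.use_only_cookies', 1);  // and never accepts an id from the URL
$sid = isset($_COOKIE[session_name()]) ? $_COOKIE[session_name()] : '';
if (preg_match('/^[A-Za-z0-9,-]{22,128}$/', $sid)) {
    session_id($sid);  // only well-formed ids are handed to the session module
}
session_start();
set_cookie_secure_httponly(session_name(), session_id());
// After session_regenerate_id() (e.g. on login) call the helper again so the
// browser receives the new id with the same two flags.
```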
--- Begin Message ---
Sorry, but I've had e-mail problems with lists, so this is just a test.
Please just disregard it.
--- End Message ---