php-general Digest 7 Jan 2008 00:31:40 -0000 Issue 5220

2008-01-06 Thread php-general-digest-help


Topics (messages 266823 through 266827):

Re: How to secure Flash Video? [Solved?]
266823 by: Miles Thompson

Re: client time zone?
266824 by: Ólafur Waage
266827 by: jekillen

Re: First stupid post of the year. [SOLVED]
266825 by: tedd

Re: DOMDocument->getElementById() isn't working
266826 by: Colin Guthrie

Re: [PHP] client time zone?

2008-01-06 Thread Per Jessen
jekillen wrote:

> Hello;
> I am running a server that is using UTC and I want to be able to
> convert to clients' local time in some display presentations.
> Is this indicated by $_SERVER['REQUEST_TIME']?

Is there such a value at all?

> If not, is there a way to get the requesting host's
> time zone so I can offset the server's clock value correctly?

I think you'll need to use javascript.


/Per Jessen, Zürich

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] How to secure Flash Video? [Solved?]

2008-01-06 Thread Miles Thompson
Tedd,

As Casey noted, there's no totally secure methodology, but yours is close
enough - everything is wrapped in the Flash movie, so even if the movie is
sent on to someone else, that someone has to be approved.

We've been doing something similar for several years now, validating against
a database and when validation succeeds, issuing a key stored in the
database and as a Flash (ach, can't remember the name, but Flash's
equivalent of a cookie.)

As for people wanting total security - unplug everything and go split
wood. Most security breaches are internal, and usually all that's necessary
is to keep honest people from straying down the wrong path.

Cheers - Miles

On Jan 5, 2008 1:16 AM, tedd [EMAIL PROTECTED] wrote:

> Hi gang:
>
> Here's my logic, so what's wrong with it?
>
> My sole concern here is to protect a Video from being stolen and/or
> being viewed remotely while allowing approved users to view it.
>
> It is a fact that anything you present to a user is theirs. There's
> no stopping them from downloading a Video if they have permission to
> do so. In fact, that's exactly what they do when they view a Video --
> they can't view it in their browser unless their browser has it.
>
> Now, I have investigated several ways to protect videos and prevent
> caching. Some methods are very complex -- but complexity does not
> always guarantee security. Complexity is more likely to present
> problems in its application. Sometimes the simplest method is best.
>
> The simplest protection method I can think of can be done by using
> Flash Video Actionscript in concert with php/mysql.
>
> It's a simple matter to have the Video run the following prior to
> displaying:
>
> theXML.load("http://example.com/security.php")
>
> That's similar to a javascript onload function.
>
> Upon loading the Video, the Video will run the script security.php
> which in turn will check to see if an approved user is attempting to
> view the Video. This is done by simply checking a user-id session
> variable in the script that delivers the Video.
>
> If that session variable (user-id) is empty, then the security.php
> returns nothing.
>
> If that session is not empty, then the script will check the
> user-id against the database to see if the user has permission to
> view the Video. If the user does not have permission, then the
> security.php script returns nothing.
>
> If everything checks, then the security.php script will return a key
> and the Video will check that key against an internal key -- if a
> match is made, then the video plays.
>
> Now, please note that this will also prohibit the user, even after
> paying for the Video, from downloading the Video for future plays
> because the Video will always check for a key.
>
> Even if the user downloads the Video and takes the Video to a remote
> player, the Video will still try to run the security script seeking a
> key. If the security script is not there, then it fails.  Even if the
> user figures out that the Video requires a key, the user still has no
> way to determine what that internal key is.
>
> So, I think this will work. What say all of you? Where have I screwed up?
>
> And, please no one-liners that solve the entire mess and make me look
> like a fool.
>
> Cheers,
>
> tedd
>
> --
> ---
> http://sperling.com  http://ancientstones.com  http://earthstones.com
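
The three-step check that tedd describes for security.php, written out as an added example (it is not code from the thread). The table and column names, the key value and the in-memory SQLite database standing in for MySQL are assumptions made for the illustration.

```php
<?php
// Added illustration of the security.php flow described in the thread.
// Assumptions: video_access table, its columns, the key value and the
// SQLite stand-in for MySQL are all constructed for this example.

function issueVideoKey(PDO $db, array $session, int $videoId, string $key): string
{
    // Step 1: no user-id in the session, so return nothing.
    $userId = $session['user_id'] ?? null;
    if ($userId === null || $userId === '') {
        return '';
    }

    // Step 2: check the user against the database. The prepared statement
    // keeps the session value out of the SQL text.
    $stmt = $db->prepare(
        'SELECT 1 FROM video_access WHERE user_id = ? AND video_id = ?'
    );
    $stmt->execute([(int) $userId, $videoId]);
    if ($stmt->fetchColumn() === false) {
        return '';   // known user, but no permission for this video
    }

    // Step 3: everything checks, so return the key the movie compares
    // against its internal key.
    return $key;
}

// Constructed sample data: user 42 may view video 7.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE video_access (user_id INTEGER, video_id INTEGER)');
$db->exec('INSERT INTO video_access VALUES (42, 7)');

$key   = 'constructed-demo-key';
$cases = [
    'no session'   => [],
    'approved'     => ['user_id' => 42],
    'not approved' => ['user_id' => 43],
];
foreach ($cases as $label => $session) {
    $out = issueVideoKey($db, $session, 7, $key);
    printf("%-13s => %s\n", $label, $out === '' ? '(nothing)' : 'key returned');
}
```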




Re: [PHP] client time zone?

2008-01-06 Thread Ólafur Waage
To get the client's time offset you'll need to use javascript and
date.getTimezoneOffset()

But this idea has a problem. It is that you can never trust that the
client's time is actually correct. You can get the closest to it by
using the server time and offsetting that with the javascript offset
value. But you'll never know if the client has the wrong timezone and
you'll have to deal with timezones that don't have daylight savings
like for instance Iceland :)

- Ólafur Waage

2008/1/6, Per Jessen [EMAIL PROTECTED]:
> jekillen wrote:
>
>> Hello;
>> I am running a server that is using UTC and I want to be able to
>> convert to clients' local time in some display presentations.
>> Is this indicated by $_SERVER['REQUEST_TIME']?
>
> Is there such a value at all?
>
>> If not, is there a way to get the requesting host's
>> time zone so I can offset the server's clock value correctly?
>
> I think you'll need to use javascript.
>
>
> /Per Jessen, Zürich
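
The server-side half of the approach discussed above, as an added example that is not part of the original posts: the browser-reported offset is treated as untrusted input and only applied to the server's UTC clock after validation. The field name `tz_offset` and the sample timestamp are assumptions.

```php
<?php
// Added illustration. Assumption: the page submits the value of
// new Date().getTimezoneOffset() in a field called tz_offset.

function clientOffsetMinutes($raw): ?int
{
    // Accept only an optionally signed integer of at most three digits.
    if (!is_string($raw) || !preg_match('/^-?\d{1,3}$/', $raw)) {
        return null;
    }
    $minutes = (int) $raw;
    // Real zones span UTC-12:00 to UTC+14:00. getTimezoneOffset() has the
    // opposite sign, so plausible values lie between -840 and +720.
    if ($minutes < -840 || $minutes > 720) {
        return null;
    }
    return $minutes;
}

function displayTime(int $utcTimestamp, $rawOffset): string
{
    $offset = clientOffsetMinutes($rawOffset);
    if ($offset === null) {
        // Unusable client value: show the server's UTC time and label it.
        return gmdate('Y-m-d H:i', $utcTimestamp) . ' UTC';
    }
    // getTimezoneOffset() is UTC minus local time, hence the subtraction.
    return gmdate('Y-m-d H:i', $utcTimestamp - $offset * 60) . ' (local)';
}

// Constructed sample: noon UTC on 6 Jan 2008, with three submitted values.
$noonUtc = gmmktime(12, 0, 0, 1, 6, 2008);
$samples = [
    'Iceland (0)'      => '0',
    'Zurich (-60)'     => '-60',
    'tampered (99999)' => '99999',
];
foreach ($samples as $label => $raw) {
    printf("%-17s %s\n", $label, displayTime($noonUtc, $raw));
}
```

The validated offset is good enough for display, but as the thread notes it says nothing about whether the client's clock or zone setting is right.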



Re: [PHP] First stupid post of the year. [SOLVED]

2008-01-06 Thread tedd

At 11:04 PM +0100 1/5/08, Nisse Engström wrote:

> The page encoding is determined by the HTTP
> `Content-Type:´ header. Period. A meta element
> may provide hints to a browser if the HTTP header
> is missing (eg. when saving a page to disc). In the
> presence of a `Content-Type:´ header, the meta
> element should be completely ignored.

So, if one uses this --

<?php header('Content-Type: text/css; charset=UTF-8'); ?>

-- preceding everything else on a web page, and
also saves that page using UTF-8 encoding, then
it's certain that the page will be recognized as
UTF-8 across all modern browsers?

>> And lastly, what's the best encoding to set your
>> browser? I have clients who are all over the
>> place with special windoze characters that appear
>> like garbage in my browser.
>
> Set it to detect automatically, with a preference
> for cp1252 (or windows-1252) which covers a lot of
> western characters. cp1252 also has the nice property
> of being compatible with ISO-8859-1, except that it
> has some extra real characters where 8859-1 has control
> characters.

Interesting that my browser (Safari) doesn't even
offer that choice, at least under that name. It
does offer ISO Latin, Mac OS Roman, UTF-8, and 34
other language-specific text encodings -- but not
1252.

Besides, while I know that the majority of
Internet users are windows challenged, I can't
bring myself to follow -- I'll stick with UTF-8.
:-)

Side note: Hopefully some day soon, M$ will stop
treating the global user as a
second-class-citizen in using PUNYCODE instead of
displaying characters (code-points) as intended
by the IDNS. I think the homographic attack
concern is basically a red herring that could be
easily solved (if it was really a problem) by
simply color coding mixed charset urls. Would
work for me.

I find it interesting that Safari doesn't show
PUNYCODE and the majority of Apple's profits came
from other than US sources last year -- perhaps
this is a result of end-user sensitivity. It's
nice to know that when everything else fails,
money always seems to work. :-)

In any event, thanks again for your thoughts.

Cheers,

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com



[PHP] Re: DOMDocument->getElementById() isn't working

2008-01-06 Thread Colin Guthrie
Christoph Boget wrote:
> Getting the elements by tag name, while iterating through the list I see
> that one of the nodes has an id of 'custom'.  However, when I try to get the
> element directly using getElementById(), it doesn't return the node
> properly.  Am I doing something wrong?

A common problem. See here:
http://wiki.flux-cms.org/display/BLOG/GetElementById+Pitfalls

Probably easiest to use XPath. Otherwise you have to slightly modify
your HTML...

e.g. replace your getElementById with:
$xp = new DomXPath($oDOMDocument);
$oCustomNode = $xp->query("//*[@id = 'custom']")->item(0);

> Also, as an aside, one thing that I found odd is that count( $aLayoutNodes )
> shows as 1 even though more are found.  Huh?

That's because $aLayoutNodes is not an array. It is a DOMNodeList
object. That means it implements the Iterator interface which means it
works with foreach, but not with e.g. count(). Use $aLayoutNodes->length
to see how many nodes there are in the list (i.e. use that as a direct
replacement for count($aLayoutNodes))

(also if the a prefix is meant to identify the var as an array I'd
probably change it to the o prefix you seem to use for objects...)

Col
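
The pitfall and the XPath workaround from the reply above, as an added example that is not code from the thread. The markup, the ids and the `findById()` helper are constructed; the helper also restricts the id to safe characters because DOMXPath has no bound parameters.

```php
<?php
// Added illustration; the markup, ids and helper name are constructed.

function findById(DOMDocument $doc, string $id): ?DOMElement
{
    // The id is interpolated into the expression, so allow only characters
    // that cannot close the quoted string inside it.
    if (!preg_match('/^[A-Za-z][A-Za-z0-9_.:-]*$/', $id)) {
        return null;
    }
    $xp   = new DOMXPath($doc);
    $node = $xp->query("//*[@id = '$id']")->item(0);
    return $node instanceof DOMElement ? $node : null;
}

$doc = new DOMDocument();
$doc->loadXML('<layout><node id="custom"/><node id="other"/><node/></layout>');

// No DTD declares "id" as an ID attribute, so this lookup finds nothing.
echo 'getElementById found it: ',
    var_export($doc->getElementById('custom') !== null, true), "\n";

// The XPath lookup matches on the attribute's name and value instead.
$node = findById($doc, 'custom');
echo 'XPath lookup found it:   ', var_export($node !== null, true), "\n";

// A value that tries to break out of the quoted string is refused.
echo 'hostile id accepted:     ',
    var_export(findById($doc, "x' or '1'='1") !== null, true), "\n";

// DOMNodeList exposes its size through the length property.
$nodes = $doc->getElementsByTagName('node');
echo 'nodes in list:           ', $nodes->length, "\n";

// Declaring the attribute as an ID makes getElementById() work too.
if ($node !== null) {
    $node->setIdAttribute('id', true);
}
echo 'after setIdAttribute:    ',
    var_export($doc->getElementById('custom') !== null, true), "\n";
```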



Re: [PHP] client time zone?

2008-01-06 Thread jekillen


On Jan 6, 2008, at 8:04 AM, Ólafur Waage wrote:

> To get the client's time offset you'll need to use javascript and
> date.getTimezoneOffset()
>
> But this idea has a problem. It is that you can never trust that the
> client's time is actually correct. You can get the closest to it by
> using the server time and offsetting that with the javascript offset
> value. But you'll never know if the client has the wrong timezone and
> you'll have to deal with timezones that don't have daylight savings
> like for instance Iceland :)
>
> - Ólafur Waage
>
> 2008/1/6, Per Jessen [EMAIL PROTECTED]:

Thanks for the info.
I can live with this, I think. The javascript can give me
a good enough value for what is important. I am tracking
registered user use and can compare relative values to
see if there is a radical change, indicating that someone
may have managed to spoof a restricted connection.
That, in addition to the source of the requests can give
me an indication of problems. As far as the display is
concerned, I can have a help item that informs the user
that if the time displayed is not right for their location,
they may have their time zone set wrong, or in the case
you suggested, they may be in a time zone that does
not use daylight savings time, or some other difference.
Jeff K

>> jekillen wrote:
>>
>>> Hello;
>>> I am running a server that is using UTC and I want to be able to
>>> convert to clients' local time in some display presentations.
>>> Is this indicated by $_SERVER['REQUEST_TIME']?
>>
>> Is there such a value at all?
>>
>>> If not, is there a way to get the requesting host's
>>> time zone so I can offset the server's clock value correctly?
>>
>> I think you'll need to use javascript.
>>
>>
>> /Per Jessen, Zürich



[PHP] Re: website tree

2008-01-06 Thread Breno

Alain Roger wrote:

> Hi,
>
> let's imagine we have the following thing:
>
> www.mywebsite.com/company/index.php
> www.mywebsite.com/company/profile.php
> www.mywebsite.com/services/index.php
>
> how can I detect which address I am at?
>
> for example how to retrieve www.mywebsite.com/services or
> www.mywebsite.com/company

There are many methods like using the $_SERVER variable (auto generated)

$_SERVER['REQUEST_URI'] or $_SERVER['SCRIPT_NAME']

Try this and tell us :)

Breno



[PHP] Re: login and read ad email

2008-01-06 Thread Manuel Lemos
Hello,

on 01/05/2008 07:06 PM Yui Hiroaki said the following:
> HI!
>
> I try to login and read ad email in server.
> Does any one know how to do this?
> Below does not run correctly.
>
> Regards,
> Yui
>
> p.s
> I try to see pop3 email.
> I can not find the example!

As I mentioned before POP3 is more complex than that. You are just
authenticating. You need to list the messages in the mailbox and
retrieve them.

I suggest that you use this popular PHP POP3 client class.


It works so elegantly that you can even access messages in your mailbox
as if they were files, with a single line like this:

$message = file_get_contents('pop3://user:[EMAIL PROTECTED]/1');

This gets you the whole message with headers into the $message variable.

If you want to analyze the message to extract the relevant information,
you can use the MIME parser class and with just a few more lines it will
tell you if it is a text message, HTML message, extract any
attachments, etc.

http://www.phpclasses.org/mimeparser


-- 

Regards,
Manuel Lemos
