php-general Digest 31 May 2013 01:36:53 -0000 Issue 8253

2013-05-30 Thread php-general-digest-help

Topics (messages 321279 through 321284):

Re: limit access to php page
321279 by: tamouse mailing lists
321280 by: Jim Giner
321282 by: Tedd Sperling
321283 by: Paul M Foster

Re: need some regex help to strip out // comments but not http:// urls
321281 by: David Harkness

Looking for a good working PDO and/or mysqli database class to get started with 
OOP
321284 by: dealTek

Administrivia:

To subscribe to the digest, e-mail:
php-general-digest-subscr...@lists.php.net

To unsubscribe from the digest, e-mail:
php-general-digest-unsubscr...@lists.php.net

To post to the list, e-mail:
php-gene...@lists.php.net


Re: [PHP] limit access to php page

2013-05-30 Thread Camilo Sperberg
On 30 May 2013, at 05:05, Paul M Foster pa...@quillandmouse.com wrote:

 On Wed, May 29, 2013 at 08:51:47PM -0400, Tedd Sperling wrote:
 
 On May 29, 2013, at 7:11 PM, Tim Dunphy bluethu...@gmail.com wrote:
 
 Hello list,
 
 I've created an authentication page (index.php) that logs into an LDAP
 server, then points you to a second page that some folks are intended to
 use to request apache redirects from the sysadmin group (redirect.php).
 
 Everything works great so far, except if you pop the full URL of
 redirect.php into your browser you can hit the page regardless of the login
 process on index.php.
 
 How can I limit redirect.php so that it can only be reached once you login
 via the index page?
 
 Thank you!
 Tim
 
 -- 
 GPG me!!
 
 Try this:
 
 http://sperling.com/php/authorization/log-on.php
 
 I realize this is example code.
 
 My question is, in a real application where that $_SESSION['auth'] token
 would be used subsequently to gain entry to other pages, what would you
 use instead of the simple TRUE/FALSE value? It seems that someone (with
 far more knowledge of hacking than I have) could rather easily hack the
 session value to change its value. But then again, I pretty much suck
 when it comes to working out how you'd hack (crack) things.
 
 Paul
 
 -- 
 Paul M. Foster
 http://noferblatz.com
 http://quillandmouse.com
 
 -- 
 PHP General Mailing List (http://www.php.net/)
 To unsubscribe, visit: http://www.php.net/unsub.php

$_SESSION values are quite secure, as they are set on the server; only you can 
control what's inside them. What can be hacked is the authentication process 
or some script that sets session values. There is also a way of hijacking a 
session, but again: its values aren't changed by some PHP script, the session 
is being hijacked. Don't pass urls with the session id within them and you'll 
be safe. 

Greetings. 

Sent from my iPhone 6 Beta [Confidential use only]
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Re: need some regex help to strip out // comments but not http:// urls

2013-05-30 Thread Sebastian Krebs
2013/5/29 Matijn Woudt tijn...@gmail.com



 On Wed, May 29, 2013 at 10:51 PM, Sebastian Krebs krebs@gmail.comwrote:




 2013/5/29 Matijn Woudt tijn...@gmail.com

 On Wed, May 29, 2013 at 6:08 PM, Sean Greenslade zootboys...@gmail.com
 wrote:

  On Wed, May 29, 2013 at 9:57 AM, Jonesy gm...@jonz.net wrote:
   On Tue, 28 May 2013 14:17:06 -0700, Daevid Vincent wrote:
   I'm adding some minification to our cache.class.php and am running
 into
  an
   edge case that is causing me grief.
  
   I want to remove all comments of the // variety, HOWEVER I don't
 want to
   remove URLs...
  
   KISS.
  
   To make it simple, straight-forward, and understandable next year
 when I
   have to re-read what I've written:
  
   I'd change all :// to QqQ  -- or any unlikely text string.
  
   Then I'd do whatever needs to be done to the // occurrences.
  
   Finally, I'd change all QqQ back to ://.
  
   Jonesy
 
  Wow. This is just a spectacularly bad suggestion.
 
  First off, this task is probably a bit beyond the capabilities of a
  regex. Yes, you may be able to come up with something that works 99%
  of the time, but this is really a job for a parser of some sort. I'm
  sorry I don't have any suggestions on exactly where to go with that,
  however I'm sure Google can be of assistance. The main problem is that
  regex doesn't understand context. It just blindly finds patterns. A
  parser understands context, and can figure out which //'s are comments
  and which are something else. As a bonus, it can probably understand
  other forms of comments like /* */, which regex would completely die
  on.
 
 
 It is possible to write a whole parser as a single regex, being it
 terribly
 long and complex.


 No, it isn't.



 It's better if you throw some smart words on the screen if you want to
 convince someone. Just thinking about it, it makes sense as a true regular
 expression can only describe a regular language, and I think all the
 programming languages are not regular languages.
 But, We have PHP PCRE with extensions like Recursive patterns[1] and Back
 references[2], which can describe much more than just a regular language.
 And I do believe it would be able to handle it.
 Too bad it probably takes months to complete a regular expression like
 this.


Then you start as soon as possible, so that you do not realize that this is
wrong when it is too late. I am not going to start explaining this again,
because it becomes a waste of time. You call it smart words on the
screen, I call it advice.


 - Matijn

 [1] http://php.net/manual/en/regexp.reference.recursive.php
 [2] http://php.net/manual/en/regexp.reference.back-references.php




-- 
github.com/KingCrunch


[PHP] Include/Require limit?

2013-05-30 Thread Julian Wanke

Hi,

I use the pretty large Library PHP Image Workshop  
(http://phpimageworkshop.com/) at my project. It is about 75,5 KB.   
Everything works fine but if I try to include a 15 KB file with country  
codes, it fails.
With the other files I easily get over 100 KB inclusion size, so my  
question;

Is there a size limitation for include?

Best regards




Re: [PHP] Include/Require limit?

2013-05-30 Thread Julian Wanke

Hi,

it outputs a corrupt image (I think the function imagepng)

On 30.05.2013, 11:17, Alex Pojarsky divine.ra...@gmail.com wrote:

Hey.

Afaik - only in case if your PHP process instance exceeds allowed memory limit.
Other than this - explain how does it fail exactly. Any error messages? Erroneous behavior?
On Thu, May 30, 2013 at 12:49 PM, Julian Wanke billa...@gmx.at wrote:
Hi,

I use the pretty large Library PHP Image Workshop (http://phpimageworkshop.com/) at my project. It is about 75,5 KB. Everything works fine but if I try to include a 15 KB file with country codes, it fails.

With the other files I easily get over 100 KB inclusion size, so my question;
Is there a size limitation for include?

Best regards



-- Created with Opera's e-mail module: http://www.opera.com/mail/

[PHP] Re: Include/Require limit?

2013-05-30 Thread David Robley
Julian Wanke wrote:

 Hi,
 
 I use the pretty large Library PHP Image Workshop
 (http://phpimageworkshop.com/) at my project. It is about 75,5 KB.
 Everything works fine but if I try to include a 15 KB file with country
 codes, it fails.
 With the other files I easily get over 100 KB inclusion size, so my
 question;
 Is there a size limitation for include?
 
 Best regards


Do you get an error message? Try removing the header() in the image output 
and see what happens.

-- 
Cheers
David Robley

PARANOID:Paying MORE for Surge-Protectors than Computers




Re: [PHP] Re: limit access to php page

2013-05-30 Thread Jim Giner

On 5/29/2013 9:38 PM, tamouse mailing lists wrote:



Okay, first off, your application *has* to have some entry point that
*is* accessible to a browser; otherwise nothing will find it.



Once again - I was wrong in my suggestion as Ashley has pointed out so 
correctly.  Had to test it out this morning only to discover that I had 
never done quite that kind of Header redirect before.


So - the include method still works, as would the single script 
'controller' method.  Within a php script any file is accessible (within 
your domain at least) and may therefore be included and executed.  On 
the other hand, if you must have the target script in your 
web-accessible tree, simply establish some kind of security handler and 
add logic to your page(s) to check permissions before displaying 
anything.  This handler could be based upon session vars, cookies, db 
entries (my pref).  Once established it can be a universal addition to 
any and all of your appls.


My personal method is to create a db table containing an appl name, page 
name, and a non-unique security level (I use an integer).  Then have an 
admin screen for creating userids for an appl with multiple recs each 
containing a security level for that user for that appl. Then have a 
signon method that validates credentials and builds a session array 
containing all the user's security levels.  In every page that I want 
secured, I call a function with that script's internal pagename and appl 
name and confirm that the page's sec level is contained in the user's 
session array.  I also have a master level (99) that if present gives 
global access for myself as administrator.  There's a bit more to it, 
but that's my security method.




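Jim's handler as working code, added here as an illustration and not his own implementation: a page table carrying a security level, per-user levels per application, a sign-on that builds the session array, and a check at the top of every protected page. The table and column names, the function names and the sample users are assumptions, and an in-memory SQLite database via PDO stands in for the real one so the script runs on its own; in a web page $_SESSION replaces the $session array.

```php
<?php
// Added example, not Jim Giner's code. Names and sample data are assumptions.
declare(strict_types=1);

const MASTER_LEVEL = 99; // Jim's "master level": grants access to every page

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // (appl, page) -> required security level; levels need not be unique
    $db->exec('CREATE TABLE pages (appl TEXT, page TEXT, level INTEGER, PRIMARY KEY (appl, page))');
    $db->exec('CREATE TABLE users (userid TEXT PRIMARY KEY, pwhash TEXT)');
    // one record per (user, appl, level) the user holds
    $db->exec('CREATE TABLE user_levels (userid TEXT, appl TEXT, level INTEGER)');

    // Constructed sample data: a "redirects" application with three pages
    $db->exec("INSERT INTO pages VALUES ('redirects','index',1),('redirects','redirect',2),('redirects','admin',5)");
    $ins = $db->prepare('INSERT INTO users VALUES (?, ?)');
    $ins->execute(['tim',  password_hash('correct-horse', PASSWORD_DEFAULT)]);
    $ins->execute(['root', password_hash('battery-staple', PASSWORD_DEFAULT)]);
    $db->exec("INSERT INTO user_levels VALUES ('tim','redirects',1),('tim','redirects',2),('root','redirects',99)");
    return $db;
}

// Sign-on: validate credentials, then rebuild the session with the user's levels.
function sign_on(PDO $db, array &$session, string $userid, string $password): bool
{
    $st = $db->prepare('SELECT pwhash FROM users WHERE userid = ?');
    $st->execute([$userid]);
    $hash = $st->fetchColumn();
    if ($hash === false || !password_verify($password, $hash)) {
        return false;
    }
    // A real page would call session_regenerate_id(true) here, so that a session
    // id handed to the browser before log-on (fixation) never becomes privileged.
    $session = ['user' => $userid, 'levels' => []];
    $st = $db->prepare('SELECT appl, level FROM user_levels WHERE userid = ?');
    $st->execute([$userid]);
    foreach ($st->fetchAll(PDO::FETCH_ASSOC) as $r) {
        $session['levels'][$r['appl']][] = (int) $r['level'];
    }
    return true;
}

// The per-page check: allowed only if the page's level (or the master level)
// is among the levels the sign-on stored for that application.
function page_allowed(PDO $db, array $session, string $appl, string $page): bool
{
    $st = $db->prepare('SELECT level FROM pages WHERE appl = ? AND page = ?');
    $st->execute([$appl, $page]);
    $level = $st->fetchColumn();
    if ($level === false) {
        return false;                     // unregistered page: deny by default
    }
    $mine = $session['levels'][$appl] ?? [];
    return in_array(MASTER_LEVEL, $mine, true) || in_array((int) $level, $mine, true);
}

// What the top of a protected script would do; here it reports instead of exiting.
function guard(PDO $db, array $session, string $appl, string $page): string
{
    if (!page_allowed($db, $session, $appl, $page)) {
        // real page: http_response_code(403); exit;  (or redirect to the log-on page)
        return "$appl/$page: denied for " . ($session['user'] ?? 'anonymous');
    }
    return "$appl/$page: allowed for {$session['user']}";
}

$db = open_db();
$session = [];
echo guard($db, $session, 'redirects', 'redirect'), "\n";      // nobody signed on yet
var_dump(sign_on($db, $session, 'tim', 'wrong'));               // wrong password
var_dump(sign_on($db, $session, 'tim', 'correct-horse'));       // tim holds levels 1 and 2
echo guard($db, $session, 'redirects', 'redirect'), "\n";      // page level 2
echo guard($db, $session, 'redirects', 'admin'), "\n";         // page level 5
sign_on($db, $session, 'root', 'battery-staple');               // root holds the master level
echo guard($db, $session, 'redirects', 'admin'), "\n";
```

The deny-by-default branch for unregistered pages is the part worth keeping: a page that was never entered in the table is unreachable rather than open, so forgetting to register a new script fails closed.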



Re: [PHP] Re: limit access to php page

2013-05-30 Thread tamouse mailing lists
On May 30, 2013 8:10 AM, Jim Giner jim.gi...@albanyhandball.com wrote:

 On 5/29/2013 9:38 PM, tamouse mailing lists wrote:


 Okay, first off, your application *has* to have some entry point that
 *is* accessible to a browser; otherwise nothing will find it.


 Once again - I was wrong in my suggestion as Ashley has pointed out so
correctly.  Had to test it out this morning only to discover that I had
never done quite that kind of Header redirect before.

 So - the include method still works, as would the single script
'controller' method.  Within a php script any file is accessible (within
your domain at least) and may therefore be included and executed.

I want to throw in a caveat here, and that is the open_basedir directive,
which limits where you can include files from.

On the other hand, if you must have the target script in your
web-accessible tree, simply establish some kind of security handler and add
logic to your page(s) to check permissions before displaying anything.
 This handler could be based upon session vars, cookies, db entries (my
pref).  Once established it can be a universal addition to any and all of
your appls.

 My personal method is to create a db table containing an appl name, page
name, and a non-unique security level (I use an integer).  Then have an
admin screen for creating userids for an appl with multiple recs each
containing a security level for that user for that appl. Then have a signon
method that validates credentials and builds a session array containing all
the user's security levels.  In every page that I want secured, I call a
function with that script's internal pagename and appl name and confirm
that the page's sec level is contained in the user's session array.  I also
have a master level (99) that if present gives global access for myself as
administrator.  There's a bit more to it, but that's my security method.







Re: [PHP] Re: limit access to php page

2013-05-30 Thread Jim Giner

On 5/30/2013 10:22 AM, tamouse mailing lists wrote:


So - the include method still works, as would the single script

'controller' method.  Within a php script any file is accessible (within
your domain at least) and may therefore be included and executed.

I want to throw in a caveat here, and that is the open_basedir directive,
which limits where you can include files from.

Once again - an additional truth provided.  In my case, upon checking I 
see that setting was provided by my hoster and was set to null, so I was 
never aware of a possible restriction.





Re: [PHP] Re: need some regex help to strip out // comments but not http:// urls

2013-05-30 Thread David Harkness
On Wed, May 29, 2013 at 10:20 AM, Matijn Woudt tijn...@gmail.com wrote:

 It is possible to write a whole parser as a single regex, being it terribly
 long and complex.


While regular expressions are often used in the lexer--the part that scans
the input stream and breaks it up into meaningful tokens like

{ keyword: function }
{ operator: + }

and

{ identifier: $foo }

that form the building blocks of the language--they aren't combined into a
single expression. Instead, a lexer generator is used to build a state
machine that switches the active expressions to check based on the previous
tokens and context. Each expression recognizes a different type of token,
and many times these aren't even regular expressions.

The second stage--combining tokens based on the rules of the grammar--is
more complex and beyond the abilities of regular expressions. There are
plenty of books on the subject and tools [1] to build the pieces such as
Lex, Yacc, Flex, and Bison. Someone even asked this question on Stack
Overflow [2] a few years ago. And I'm sure if you look you can find someone
that did a masters thesis proving that regular expressions cannot handle a
context-free grammar. And finally I leave you with Jeff Atwood's article
about (not) parsing HTML with regex. [3]

Peace,
David

[1] http://dinosaur.compilertools.net/
[2]
http://stackoverflow.com/questions/3487089/are-regular-expressions-used-to-build-parsers
[3]
http://www.codinghorror.com/blog/2009/11/parsing-html-the-cthulhu-way.html
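An added example, not code from Sebastian, Matijn or David, of the "regex doesn't understand context" point applied to Daevid's original problem (drop // comments, keep http:// URLs): a hand-written scanner that tracks whether it is inside a string literal, a line comment or a block comment, so a // inside a string survives and a // in code does not. It is a fragment of a lexer for JavaScript- or PHP-like source, not a parser; it does not recognise regular-expression literals, which is exactly the extra context a real lexer would have to carry. The sample input is constructed.

```php
<?php
// Added example; a character-level state machine, not a regular expression.
declare(strict_types=1);

function strip_comments(string $src): string
{
    $out = '';
    $len = strlen($src);
    $i = 0;
    $state = 'code';        // code | dq (in "...") | sq (in '...') | line | block
    while ($i < $len) {
        $c = $src[$i];
        $n = $i + 1 < $len ? $src[$i + 1] : '';
        switch ($state) {
            case 'code':
                if ($c === '/' && $n === '/') { $state = 'line';  $i += 2; continue 2; }
                if ($c === '/' && $n === '*') { $state = 'block'; $i += 2; continue 2; }
                if ($c === '"') {
                    $state = 'dq';
                } elseif ($c === "'") {
                    $state = 'sq';
                }
                $out .= $c;
                break;
            case 'dq':
            case 'sq':
                // inside a string nothing is a comment; "http://" passes through untouched
                $out .= $c;
                if ($c === '\\' && $n !== '') {           // escaped character stays in the string
                    $out .= $n;
                    $i += 2;
                    continue 2;
                }
                if (($state === 'dq' && $c === '"') || ($state === 'sq' && $c === "'")) {
                    $state = 'code';
                }
                break;
            case 'line':
                if ($c === "\n") {                         // comment ends at end of line; keep the newline
                    $state = 'code';
                    $out .= $c;
                }
                break;
            case 'block':
                if ($c === '*' && $n === '/') { $state = 'code'; $i += 2; continue 2; }
                break;
        }
        $i++;
    }
    return $out;
}

// Constructed sample: a URL in a string, a // inside a string, a line comment and a block comment.
$sample = "var u = 'http://example.com/';  // trailing comment\n"
        . "var v = \"a // b\";\n"
        . "/* block\n   comment */ f(u);\n";
echo strip_comments($sample);
```

The switch on $state is the whole difference from a regex: each character is interpreted according to what came before it, which is what a single pattern matched against the whole file cannot express without the PCRE extensions Matijn mentions.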


Re: [PHP] limit access to php page

2013-05-30 Thread Tedd Sperling
On May 29, 2013, at 11:05 PM, Paul M Foster pa...@quillandmouse.com wrote:
 http://sperling.com/php/authorization/log-on.php
 
 I realize this is example code.
 
 My question is, in a real application where that $_SESSION['auth'] token
 would be used subsequently to gain entry to other pages, what would you
 use instead of the simple TRUE/FALSE value? It seems that someone (with
 far more knowledge of hacking than I have) could rather easily hack the
 session value to change its value. But then again, I pretty much suck
 when it comes to working out how you'd hack (crack) things.
 
 Paul

Paul:

While the above link may be example code, it is still sound for production.

Keep in mind that everything in security comes down to a true/false condition. 
Do you let the person in or not!

Certainly there are attacks on session ids and one must deal with that. But 
that's the level of security we have today.

I could go through all the things you need to consider in protecting your 
session id (e.g., not accessing your bank accounts while having coffee at 
Starbucks) but that would defeat the purpose of attending one of my classes on 
the subject. :-)

If you are very concerned about security, then jump to a https protocol for 
those transactions; change session ids frequently; monitor the user's local 
environmental changes; time the session, and do a bunch of other stuff that 
will make it more and more difficult for your user to use your service. But for 
*most things* using a session id will  keep things relatively safe.

Cheers,

tedd

_
tedd.sperl...@gmail.com
http://sperling.com

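The measures Tedd lists (HTTPS, frequent session id changes, watching the user's environment, timing the session), together with Camilo's point earlier in the thread about keeping the session id out of URLs, as an added example that is neither of their code. The timeout values, the fingerprint inputs and the function names are assumptions; the request data is constructed, and the session id rotation is injected as a callback (session_regenerate_id(true) in a real page) so the script runs from the command line without a web server.

```php
<?php
// Added example, not Tedd Sperling's or Camilo Sperberg's code.
declare(strict_types=1);

const IDLE_TIMEOUT = 15 * 60;  // seconds of inactivity before the session is dropped (assumed)
const ROTATE_EVERY = 5 * 60;   // seconds between session id changes (assumed)

// Call before session_start(). These are standard php.ini session settings.
function configure_session(): void
{
    ini_set('session.use_only_cookies', '1');  // Camilo: never carry the session id in a URL
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1');   // refuse ids the server never issued (fixation)
    ini_set('session.cookie_httponly', '1');   // not readable from JavaScript
    ini_set('session.cookie_secure', '1');     // Tedd: only over HTTPS
    ini_set('session.cookie_samesite', 'Lax');
}

// Coarse fingerprint of the client's environment; a change mid-session is
// treated as a hijack signal. The IP address can legitimately change (mobile,
// proxies), so a production check might leave it out; that trade-off is yours.
function client_fingerprint(array $server): string
{
    return hash('sha256', ($server['HTTP_USER_AGENT'] ?? '') . '|' . ($server['REMOTE_ADDR'] ?? ''));
}

// Run on every request after session_start(). Returns false when the session
// was invalidated and the user must log on again.
function check_session(array &$session, array $server, int $now, callable $rotate): bool
{
    $fp = client_fingerprint($server);
    if (!isset($session['fp'])) {
        // first request of this session: bind it to the client and start the clocks
        $session['fp'] = $fp;
        $session['last_seen'] = $now;
        $session['rotated_at'] = $now;
        return true;
    }
    $idle = $now - $session['last_seen'];
    if (!hash_equals($session['fp'], $fp) || $idle > IDLE_TIMEOUT) {
        $session = [];           // forget everything, including any 'auth' flag
        return false;
    }
    $session['last_seen'] = $now;
    if ($now - $session['rotated_at'] >= ROTATE_EVERY) {
        $rotate();               // same session data, new id: limits the life of a stolen id
        $session['rotated_at'] = $now;
    }
    return true;
}

// Constructed requests: the same browser several times, then the same session
// presented from a different client, then a return after a long pause.
$rotations = 0;
$rotate = function () use (&$rotations) { $rotations++; };
$browser = ['HTTP_USER_AGENT' => 'Mozilla/5.0 (constructed)', 'REMOTE_ADDR' => '192.0.2.10'];
$other   = ['HTTP_USER_AGENT' => 'curl/7.0 (constructed)',    'REMOTE_ADDR' => '198.51.100.7'];
$t = 1700000000;

$session = ['auth' => true];
check_session($session, $browser, $t, $rotate);                // binds the session
check_session($session, $browser, $t + 60, $rotate);           // ordinary follow-up request
check_session($session, $browser, $t + ROTATE_EVERY, $rotate); // old enough to rotate the id
echo "rotations: $rotations\n";
$ok = check_session($session, $other, $t + ROTATE_EVERY + 10, $rotate);
echo 'after environment change: ', $ok ? 'kept' : 'dropped',
     ', auth=', var_export($session['auth'] ?? null, true), "\n";

$session = ['auth' => true];
check_session($session, $browser, $t, $rotate);
$ok = check_session($session, $browser, $t + IDLE_TIMEOUT + 1, $rotate);
echo 'after idle timeout: ', $ok ? 'kept' : 'dropped', "\n";
```

Note that invalidation clears the whole array rather than just the 'auth' flag from Tedd's example: any other privilege stored at sign-on goes with it, so a later request cannot pick up stale rights.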



Re: [PHP] limit access to php page

2013-05-30 Thread Paul M Foster
On Thu, May 30, 2013 at 12:06:02PM -0400, Tedd Sperling wrote:

 On May 29, 2013, at 11:05 PM, Paul M Foster pa...@quillandmouse.com
 wrote:
  http://sperling.com/php/authorization/log-on.php
  
  I realize this is example code.
  
  My question is, in a real application where that $_SESSION['auth']
  token would be used subsequently to gain entry to other pages, what
  would you use instead of the simple TRUE/FALSE value? It seems that
  someone (with far more knowledge of hacking than I have) could
  rather easily hack the session value to change its value. But then
  again, I pretty much suck when it comes to working out how you'd
  hack (crack) things.
  
  Paul
 
 Paul:
 
 While the above link may be example code, it is still sound for
 production.
 
 Keep in mind that everything in security comes down to a true/false
 condition. Do you let the person in or not!
 
 Certainly there are attacks on session ids and one must deal with
 that. But that's the level of security we have today.
 
 I could go through all the things you need to consider in protecting
 your session id (e.g., not accessing your bank accounts while having
  coffee at Starbucks) but that would defeat the purpose of attending
 one of my classes on the subject. :-)

Yep, next time I'm up at the North Pole, I'll drop in and see you.
Meantime, the beach is heating up. Better go get some more ice for my
margaritas. [grin]

Paul

-- 
Paul M. Foster
http://noferblatz.com
http://quillandmouse.com




[PHP] Looking for a good working PDO and/or mysqli database class to get started with OOP

2013-05-30 Thread dealTek
Hi all, Thanks for your help...

I'm looking for a very good, pre made, working PDO and/or mysqli database class 
(in a wrapper) - to get started with, that has all the basic needs like UPDATE 
- INSERT - DELETE - QUERY etc. That would be very helpful. I'm also trying to 
learn OOP, and creating my own class to start out is over my head, so one that 
is recommended here would be a good start. 

There are many examples on the net - The problem is that commenters often have 
issues with the code, and as a beginner in this area - these issues are 
sometimes over my head and it would be best for me if someone could recommend a 
good working standard model to start.


Q: DOES ANYONE HAVE ANY OPINIONS ON THE ONES BELOW?

- - - - - MySQLi

https://github.com/ajillion/PHP-MySQLi-Database-Class

http://www.phpclasses.org/package/2359-PHP-MySQL-database-wrapper-using-MySQLi-extension.html

http://snipplr.com/view/22992/

Jeffrey Way...
http://forrst.com/posts/Mysqli_Database_Class-hxb

http://www.dotred.be/blog/database-classes-for-mysql-mysqli-and-mssql/

- - - - - PDO

Jeffrey Way - some issues here in comments
http://net.tutsplus.com/tutorials/php/php-database-access-are-you-doing-it-correctly/

http://www.phpclasses.org/package/7533-PHP-Access-SQL-databases-using-PDO.html

http://www.doctrine-project.org/projects/dbal.html

http://pear.php.net/package/MDB2


--
Thanks,
Dave - DealTek
deal...@gmail.com
[db-3]



Re: [PHP] Looking for a good working PDO and/or mysqli database class to get started with OOP

2013-05-30 Thread Stephen

On 13-05-30 09:36 PM, dealTek wrote:

Hi all, Thanks for your help...

I'm looking for a very good, pre made, working PDO and/or mysqli database class 
(in a wrapper) - to get started with, that has all the basic needs like UPDATE 
- INSERT - DELETE - QUERY etc. That would be very helpful. I'm also trying to 
learn OOP, and creating my own class to start out is over my head, so one that 
is recommended here would be a good start.

Hmmm.  PDO **IS** an OOP implementation. Why would you want to 
encapsulate it?


Accessing a database requires SQL with arguments dependent on YOUR 
database schema.


You have to do that work; there is no way around it.

--
Stephen


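An added example, not the OP's code and none of the linked classes, of what Stephen means: a thin helper over PDO can bind values with placeholders, but table and column identifiers cannot be bound, so the helper has to be told the schema and check every identifier against it before it reaches the query text. The class, its method names and the sample table are assumptions; an in-memory SQLite database makes it runnable as-is.

```php
<?php
// Added example, not from the thread. Names and the schema are assumptions.
declare(strict_types=1);

final class Table
{
    private PDO $db;
    private string $name;
    /** @var string[] quoted column identifiers taken from the schema */
    private array $columns;

    public function __construct(PDO $db, string $name, array $columns)
    {
        $this->db = $db;
        $this->name = self::ident($name);
        $this->columns = array_map(fn(string $c) => self::ident($c), $columns);
    }

    // Identifiers cannot be parameters: accept only plain names and quote them
    // as SQL identifiers, so nothing else can be spliced into the statement.
    private static function ident(string $id): string
    {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $id)) {
            throw new InvalidArgumentException("bad identifier: $id");
        }
        return '"' . $id . '"';
    }

    // Map the caller's column names to quoted identifiers known to exist.
    private function columnsOf(array $data): array
    {
        $cols = [];
        foreach (array_keys($data) as $name) {
            $col = self::ident((string) $name);
            if (!in_array($col, $this->columns, true)) {
                throw new InvalidArgumentException("unknown column: $name");
            }
            $cols[] = $col;
        }
        return $cols;
    }

    public function insert(array $data): int
    {
        $cols = $this->columnsOf($data);
        $sql = sprintf('INSERT INTO %s (%s) VALUES (%s)', $this->name,
            implode(', ', $cols), implode(', ', array_fill(0, count($cols), '?')));
        $this->db->prepare($sql)->execute(array_values($data));   // values always bound
        return (int) $this->db->lastInsertId();
    }

    public function update(int $id, array $data): int
    {
        $cols = $this->columnsOf($data);
        $set = implode(', ', array_map(fn(string $c) => "$c = ?", $cols));
        $st = $this->db->prepare("UPDATE {$this->name} SET $set WHERE \"id\" = ?");
        $st->execute(array_merge(array_values($data), [$id]));
        return $st->rowCount();
    }

    public function delete(int $id): int
    {
        $st = $this->db->prepare("DELETE FROM {$this->name} WHERE \"id\" = ?");
        $st->execute([$id]);
        return $st->rowCount();
    }

    public function findBy(string $column, $value): array
    {
        [$col] = $this->columnsOf([$column => $value]);
        $st = $this->db->prepare("SELECT * FROM {$this->name} WHERE $col = ?");
        $st->execute([$value]);
        return $st->fetchAll(PDO::FETCH_ASSOC);
    }
}

// Constructed schema and data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$users = new Table($db, 'users', ['id', 'name', 'email']);   // the schema knowledge Stephen mentions

$id = $users->insert(['name' => "O'Brien", 'email' => 'ob@example.com']);  // the quote is plain data
$users->update($id, ['email' => 'obrien@example.com']);
print_r($users->findBy('name', "O'Brien"));

try {
    $users->findBy('name = name OR 1', 'x');   // not a column name: refused before any SQL is built
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
$users->delete($id);
```

The column whitelist is the part a generic downloaded wrapper cannot supply for you, which is Stephen's point: the values side is solved by PDO's placeholders, the identifiers side is solved only by knowing your own tables.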



Re: [PHP] Looking for a good working PDO and/or mysqli database class to get started with OOP

2013-05-30 Thread tamouse mailing lists
On Thu, May 30, 2013 at 8:45 PM, Stephen stephe...@rogers.com wrote:
 On 13-05-30 09:36 PM, dealTek wrote:

 Hi all, Thanks for your help...

 I'm looking for a very good, pre made, working PDO and/or mysqli database
 class (in a wrapper) - to get started with, that has all the basic needs
 like UPDATE - INSERT - DELETE - QUERY etc. That would be very helpful. I'm
 also trying to learn OOP, and creating my own class to start out is over my
 head, so one that is recommended here would be a good start.

 Hmmm.  PDO **IS** an OOP implementation. Why would you want to
 encapsulate it?

 Accessing a database requires SQL with arguments dependent on YOUR database
 schema.

 You have to do that work; there is no way around it.

Sounds like the OP is asking for a pre-built CRUD interface that
adapts to his tables and their relationships. It's a fair question,
just one I don't have an answer to. There must be some kind of ORM for
PHP?




Re: [PHP] Looking for a good working PDO and/or mysqli database class to get started with OOP

2013-05-30 Thread Bastien


Bastien Koert

On 2013-05-30, at 10:30 PM, tamouse mailing lists tamouse.li...@gmail.com 
wrote:

 On Thu, May 30, 2013 at 8:45 PM, Stephen stephe...@rogers.com wrote:
 On 13-05-30 09:36 PM, dealTek wrote:
 
 Hi all, Thanks for your help...
 
 I'm looking for a very good, pre made, working PDO and/or mysqli database
 class (in a wrapper) - to get started with, that has all the basic needs
 like UPDATE - INSERT - DELETE - QUERY etc. That would be very helpful. I'm
 also trying to learn OOP, and creating my own class to start out is over my
 head, so one that is recommended here would be a good start.
 Hmmm.  PDO **IS** an OOP implementation. Why would you want to
 encapsulate it?
 
 Accessing a database requires SQL with arguments dependent on YOUR database
 schema.
 
 You have to do that work; there is no way around it.
 
 Sounds like the OP is asking for a pre-built CRUD interface that
 adapts to his tables and their relationships. It's a fair question,
 just one I don't have an answer to. There must be some kind of ORM for
 PHP?

Propel? Eloquent? Doctrine?

And others ...

Bastien