php-general Digest 29 Jul 2013 16:50:06 -0000 Issue 8313
php-general Digest 29 Jul 2013 16:50:06 - Issue 8313 Topics (messages 321731 through 321739): Re: POST action 321731 by: Larry Garfield 321732 by: Jim Giner 321733 by: Ashley Sheridan 321734 by: Jim Giner 321735 by: Robert Cummings 321736 by: Robert Cummings 321737 by: Larry Garfield 321738 by: Paul M Foster 321739 by: Larry Garfield Administrivia: To subscribe to the digest, e-mail: php-general-digest-subscr...@lists.php.net To unsubscribe from the digest, e-mail: php-general-digest-unsubscr...@lists.php.net To post to the list, e-mail: php-gene...@lists.php.net -- ---BeginMessage--- On 07/28/2013 12:14 PM, iccsi wrote: form action=action.php method=post pYour name: input type=text name=name //p pYour age: input type=text name=age //p pinput type=submit //p /formIn the PHP tutorial manual, it says that we can have post action to the form itself just like above coding.I would like to know in the real projects, can we have action to the same PHP file, since that we only need have one filebut not 2 files foe POST request,Your help and information is great appreciated,regards,Iccsi, Real projects to all kinds of things. Which is best depends on who you ask. :-) I would argue that there's 3 good approaches, both of which are viable: 1) Define your form abstractly via an API, and have the API detect the presence of POST request and then process the form after it's built. That means you do submit back to the same URL. (Drupal 7 and earlier do this.) 2) Put 2 separate request handlers / controllers at the same path, one for GET and one for POST. So you submit back to the same URL but an entirely different piece of code responds to it. (This requires a good routing system that can differentiate between GET and POST.) 3) Every form is defined as its own object somewhere with a unique ID. All forms post to the same URL but include the form ID. Code at that URL looks up the form object by ID and maps the submitted data to it to know what to do with it. Note that in all 3 cases you're defining a form via an API of some kind. You are not writing form tags yourself. Don't do that. Ever. I promise you that you will have a security hole or six if you do. Use a good form handling API for building forms. That's what good Real projects do. There are a lot out there. Most fullstack frameworks or CMSes have one built in (I know Drupal and Code Ignighter do, although they're quite different), and there are reasonably stand-alone components available in both Symfony2 Components and Zend Framework. Please don't write your own. There are too many good ones (and even more bad ones, of course) already out there that have been security hardened. --Larry Garfield ---End Message--- ---BeginMessage--- On 7/28/2013 1:26 PM, Larry Garfield wrote: On 07/28/2013 12:14 PM, iccsi wrote: form action=action.php method=post pYour name: input type=text name=name //p pYour age: input type=text name=age //p pinput type=submit //p /formIn the PHP tutorial manual, it says that we can have post action to the form itself just like above coding.I would like to know in the real projects, can we have action to the same PHP file, since that we only need have one filebut not 2 files foe POST request,Your help and information is great appreciated,regards,Iccsi, Real projects to all kinds of things. Which is best depends on who you ask. :-) I would argue that there's 3 good approaches, both of which are viable: 1) Define your form abstractly via an API, and have the API detect the presence of POST request and then process the form after it's built. That means you do submit back to the same URL. (Drupal 7 and earlier do this.) 2) Put 2 separate request handlers / controllers at the same path, one for GET and one for POST. So you submit back to the same URL but an entirely different piece of code responds to it. (This requires a good routing system that can differentiate between GET and POST.) 3) Every form is defined as its own object somewhere with a unique ID. All forms post to the same URL but include the form ID. Code at that URL looks up the form object by ID and maps the submitted data to it to know what to do with it. Note that in all 3 cases you're defining a form via an API of some kind. You are not writing form tags yourself. Don't do that. Ever. I promise you that you will have a security hole or six if you do. Use a good form handling API for building forms. That's what good Real projects do. There are a lot out there. Most fullstack frameworks or CMSes have one built in (I know Drupal and Code Ignighter do, although they're quite different), and there are reasonably stand-alone components available in both Symfony2 Components and Zend Framework. Please don't write your own. There are too many
Re: [PHP] POST action
On 7/28/13 9:23 PM, Paul M Foster wrote: On Sun, Jul 28, 2013 at 08:46:06PM -0500, Larry Garfield wrote: On 07/28/2013 12:38 PM, Ashley Sheridan wrote: On Sun, 2013-07-28 at 13:37 -0400, Jim Giner wrote: Never write your own form? I'm guilty - oh, so guilty. What exactly is a 'security hardened' form? - All forms need a valid CSRF token to avoid CSRF attacks. This needs to be matched between the submitted form and server-maintained state. Do all of your forms have that? Every single one? (A GET lookup form like a search box doesn't need it, but anything with POST does, I'd argue.) Yes. I wrote a bless class just for this purpose, which I use on all form pages. - Do you have a select element? Do you have error handling for when someone submits a value for that wasn't one of the option elements? Yes, since I realize that what comes back to me may bear no resemblence to what I coded in HTML. Thus, I always check for allowed SELECT values. - Your text input field has a max length of 20. Does your code return an error when the user enters a string of 100 characters? Yes. Same answer. Putting a max length of 20 in the HTML works okay, but the user could still submit something much longer if they are attempting to hack the page. Thus I always check for max characters on the return. - Are you checking for weird edge-case-y character encoding issues? (Some versions of some browsers can be hacked by sending UTF-7 instead of UTF-8 for certain parts of the request. I don't fully understand that stuff myself, either.) No I don't check for this. - You have a number field (HTML5). Does your PHP code handle someone submitting a string anyway? I don't use HTML5 tags like this, since they are not universally supported. However, I check that numbers look like numbers on return and strings look like strings on return. PHP has built-in functions for this. All this is part of my validation class. - Are you checking all of those correctly every single time you write a form? Except as noted above. This is all home-grown, using native PHP functions designed to do these things, and classes I've written. I carefully examine each field when writing the POST-handling code with the idea in mind that no matter what the HTML says, the return value must conform to what *I* think it should be. No MVC framework written by others (though I do conform to MVC paradigm). Paul Then you're not writing your own form tags from the sound of it; you're writing your own Form API. Still an improvements. :-) Now, let's talk about form accessibility... --Larry Garfield -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] OpenLDAP password policy response
Hello,
I'm trying to pull the password policy response message from ldap_bind()
method: password is expiring, password expired etc.
While checking the packet content from OpenLDAP after ldap_bind()
request, with Wireshark, there is a control hooked to the ldap_bind()
response, were the message code and message text about password
expiration is, but I can't manage to parse that message from response.
I set the password policy request server control before the bind with
ldap_set_option().
Any workaround or what am I doing wrong?
pre
?php
$address = 'x.x.x.x';
$dn = 'eduPersonPrincipalName=ex@ex,ou=People,ou=Users,dc=exa,dc=com';
$password = 'secret';
if($link = ldap_connect($address))
{
ldap_set_option($link, LDAP_OPT_PROTOCOL_VERSION, 3);
$ppolicy_control = array(oid =
1.3.6.1.4.1.42.2.27.8.5.1,iscritical = true);
if(!ldap_set_option($link,LDAP_OPT_SERVER_CONTROLS,array($ppolicy_control)))
{
echo SERVER_CONTROLS not set\n;
}
if(ldap_bind($link, $dn, $password))
{
if($result = ldap_search($link, $dn, '(|(uid=ex))'))
{
$return = ldap_parse_result($link, $result, $errcode,
$matcheddn, $errormsg, $ldapreferrals);
var_dump($return);
var_dump($errcode);
var_dump($matcheddn);
var_dump($errormsg);
var_dump($ldapreferrals);
}
}
else
{
echo 'Not Bound';
}
}
ldap_unbind($link);
?
/pre
--
REGARDS,
Andrius Kulbis
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] POST action
On Mon, Jul 29, 2013 at 11:50:01AM -0500, Larry Garfield wrote: On 7/28/13 9:23 PM, Paul M Foster wrote: On Sun, Jul 28, 2013 at 08:46:06PM -0500, Larry Garfield wrote: [snip] Except as noted above. This is all home-grown, using native PHP functions designed to do these things, and classes I've written. I carefully examine each field when writing the POST-handling code with the idea in mind that no matter what the HTML says, the return value must conform to what *I* think it should be. No MVC framework written by others (though I do conform to MVC paradigm). Paul Then you're not writing your own form tags from the sound of it; you're writing your own Form API. Still an improvements. :-) No, I'm writing the form tags as well. I write the whole thing, soup to nuts. But as I'm writing the back end validation stuff, I realize that what I wrote in the HTML doesn't matter when it comes to hackers and script kiddies. So I use my bless and validation libraries to tackle form responses. That's the point I'm making. I understand what you're saying about using someone else's framework so you can make sure that tested code is being used to ensure against hacking attempts. But your pronouncement was so thunderous that I had to provide the exception. If you hang around here and read a book or two on security, you can write your own code that handles this stuff. Particularly if you have an example like CodeIgniter to use, to see how it's done. (There are times when I *don't* write the HTML. My wife the designer does. But I still go in and modify it to provide the validation bits which she can't do. She uses Dreamweaver, so a lot of the time, she doesn't even know what the raw HTML looks like.) Paul -- Paul M. Foster http://noferblatz.com http://quillandmouse.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
