Re: [PHP] Passwords?
On Sun, 06 Mar 2005 11:34:39, rory walsh [EMAIL PROTECTED] wrote:

> I want to create a simple as possible password script, how secure is it to have the password actually appear in the script? I only need one password so I thought that this would be more straightforward than having a file which contains the password. I am not using any database.
>
> Actually this leads me to another question, is there any way people can view your script without having access to your server, that is?
>
> Cheers, Rory.

If the password is stored in between the <?php and ?> tags, then it shouldn't get sent to the browser unless you specifically send it there.

However, there are sometimes security problems in web servers, which would mean that attackers were able to see the source of your script, and therefore the password. For example: files called .php might get processed properly, but if the attacker requests filename.PHP, it might just send him the file in plain text.

Best thing is to use 'include' or 'require' to get the password from another file which doesn't sit on a part of the filesystem that's accessible over the web. Or, you could password-protect the script you're including with .htpasswd / .htaccess protection.

-- 
AdamT
Justify my text? I'm sorry, but it has no excuse.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] On Topic - Theoretical Concents of Anti-password trading/sharing solutions
Just saw this on /. and thought it might be of interest in this thread:

http://www.zdnet.com.au/news/security/0,261744,39183346,00.htm
http://www.caida.org/outreach/papers/2005/fingerprinting/

> We introduce the area of remote physical device fingerprinting, or fingerprinting a physical device, as opposed to an operating system or class of devices, remotely, and without the fingerprinted device's known cooperation. We accomplish this goal by exploiting small, microscopic deviations in device hardware: clock skews. Our techniques do not require any modification to the fingerprinted devices. Our techniques report consistent measurements when the measurer is thousands of miles, multiple hops, and tens of milliseconds away from the fingerprinted device, and when the fingerprinted device is connected to the Internet from different locations and via different access technologies.

It's overkill, of course, but you can never have too much overkill.

-- 
AdamT
Re: [PHP] Spam and this list
On Tue, 01 Mar 2005 11:11:47 -0500, bob [EMAIL PROTECTED] wrote:

> Well, this time it took just 11 days to get my first bit of spam from this mailing list.

Do you mean the spam was from php-general@lists.php.net? Or do you mean that you know for sure that your address was harvested from this list? I've not noticed getting any extra spam since joining, personally.

Don't forget that:

a) Emails you send to this list may be forwarded elsewhere, with your address included
b) The email address you use for this list may have been 'brute-forced'
c) Some malicious oik may have posted your address somewhere else world-readable
d) You might have accidentally posted it someplace else (eg register for access to our forums, we promise not to use it for blah blah blah, please tick a box, etc, etc).

-- 
AdamT
Re: [PHP] HTTP Include Error
On Mon, 28 Feb 2005 15:35:36 -0700, Suhas [EMAIL PROTECTED] wrote:

> Hi. This issue has been discussed many times before, but no particular solution found.

Things to check when 'including' with http:

i) Can the server resolve the host name? Eg - if, from the server, you run 'ping host.example.com', will it resolve this to an IP address?

ii) Can the server connect to that IP address on port 80?

iii) Are you marking up files and directories properly? /example.php is a file, whereas /example.php/ is a directory (note the forward slash on the end).

iv) Is the file-system case-sensitive? Might example.com/thingy/index.php be different to example.com/THINGY/Index.PHP? This is more likely on UNIX filesystems.

v) Are you trying to connect with HTTP/1.1 to a server which only understands HTTP/1.0?

vi) Is there something in the path which might be causing the problems with php? Eg - special characters which would need to be 'escaped'. This is a particular nuisance when connecting to IIS boxen which don't have the default domain configured, so you have to give a username in the format of DOMAIN\username.

vii) You *did* plug that network cable back in, didn't you?

viii) The file does actually exist, doesn't it? Try GETing the URL manually with telnet:

    telnet example.com 80
    GET /uri/of/file.php HTTP/1.0
    Host: example.com
    <CR/LF><CR/LF>

And see what you get back. You'll either get the page contents sent to you, or a 404 (This file isn't here), or maybe you'll get a 302 (Object has moved). A 302 looks like this in the headers:

    HTTP/1.0 302 Found
    Location: /newlocation

If you look at it in a browser, you'll be taken to the new location, and probably won't notice that anything was ever wrong. If you try to 'include' from that path, it'll fail.

-- 
AdamT
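The manual telnet check above, carried out from PHP, as an added example that is not part of the original thread. It sends the same HTTP/1.0 request the post has you type, parses the status line and headers, and reports the diagnosis the post gives for 200, 302 and 404. One caveat the post does not make: include() over http:// executes whatever the remote host chooses to return (remote file inclusion), so if the remote file is data rather than your own code, fetch it with file_get_contents() and parse it instead, and use a probe like this only to diagnose the fetch. The host, path and port values are illustrative; the 302 response at the bottom is constructed from the post so the parser can be exercised offline (PHP 7.1 or later).

```php
<?php
// Added example, not from the thread: reproduce the manual
// "telnet example.com 80 / GET /path HTTP/1.0" check from PHP and report
// what the response means for the include that was failing.
// Host, path and port below are illustrative.

/** Parse a raw HTTP response into its status code and a lower-cased header map. */
function parse_http_response(string $raw): array
{
    // Headers end at the first blank line; tolerate bare LF as well as CRLF.
    $head = preg_split("/\r?\n\r?\n/", $raw, 2)[0];
    $lines = preg_split("/\r?\n/", $head);
    $statusLine = array_shift($lines);
    if (!preg_match('#^HTTP/\d\.\d\s+(\d{3})#', $statusLine, $m)) {
        throw new RuntimeException("not an HTTP response: $statusLine");
    }
    $headers = [];
    foreach ($lines as $line) {
        if (strpos($line, ':') === false) {
            continue; // malformed or continuation line; ignore
        }
        [$name, $value] = explode(':', $line, 2);
        $headers[strtolower(trim($name))] = trim($value);
    }
    return ['status' => (int) $m[1], 'headers' => $headers];
}

/** Send the same HTTP/1.0 GET the post has you type into telnet. */
function http_probe(string $host, string $path, int $port = 80, int $timeout = 5): array
{
    $fp = @fsockopen($host, $port, $errno, $errstr, $timeout);
    if ($fp === false) {
        // Points i) and ii) in the post: name does not resolve, or port 80 unreachable.
        throw new RuntimeException("connect to $host:$port failed: $errstr ($errno)");
    }
    fwrite($fp, "GET $path HTTP/1.0\r\nHost: $host\r\n\r\n");
    $raw = stream_get_contents($fp);
    fclose($fp);
    return parse_http_response($raw);
}

/** Turn the status into the diagnosis the post gives for each case. */
function diagnose(array $resp): string
{
    switch ($resp['status']) {
        case 200:
            return 'OK: the server returned the file.';
        case 301:
        case 302:
            $to = $resp['headers']['location'] ?? '(no Location header)';
            return "Redirect to $to: a browser follows it silently, so fetch that path instead.";
        case 404:
            return 'Not found: check the path, the case of each component and any trailing slash.';
        default:
            return 'Unexpected status ' . $resp['status'] . '; read the full response.';
    }
}

// Constructed response (the 302 shown in the post) so the parser can be run offline:
$sample = "HTTP/1.0 302 Found\r\nLocation: /newlocation\r\nContent-Length: 0\r\n\r\n";
echo diagnose(parse_http_response($sample)), "\n";
// Live check, needs network: echo diagnose(http_probe('example.com', '/uri/of/file.php')), "\n";
```

Run it as a CLI script; the live http_probe() call is left commented out because it needs network access, and it is the only part that does.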
Re: [PHP] problem with mail() and attachment
On Sun, 27 Feb 2005 08:23:26 +0100, Stefan Sturm [EMAIL PROTECTED] wrote:

> Hi, I'm using the script below to send ascii files attached to mails via mail().
> snip
> Has anybody got an idea where the problem could be?

It appears that your mailserver has developed a fault and is sending all messages out two or three times.

-- 
AdamT
Re: [PHP] Semi-OT: Anti-password trading/sharing solutions
On Mon, 28 Feb 2005 15:42:37 -0800 (PST), Richard Lynch [EMAIL PROTECTED] wrote:

> I know absolutely nothing about how ProxyPass, iProtect, and PureMember work

'Pure'member seems such an odd choice of name for something used on pr0n sites.

-- 
AdamT
Re: [PHP] problems with several JPEGs in GD2
I've had similar problems to that. I usually either open the image with notepad, or some Hex Editor, and see what the bits are in the file header (eg BM for Bitmap, Gif89a for GIFs, JFIF for JPEGs...)

-- 
AdamT
Re: [PHP] problems with several JPEGs in GD2
On Tue, 1 Mar 2005 16:06:56 +0530, anirudh dutt [EMAIL PROTECTED] wrote:

> I just opened 4 jpg files... dunno about where the header is... coz I didn't find anything common at the beginning of the files (so it doesn't seem to have a header at the head).

Okay - so 'header' was a bad choice of word. 'Marker' would have been better:

http://www.funducode.com/freec/Fileformats/format3/format3b.htm

-- 
AdamT
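The two posts above (looking at the first bytes of the file, and JPEG's marker structure) in working code, as an added example that is not part of the original thread. A JPEG does not carry "JFIF" at offset 0: the file opens with the SOI marker FF D8, and "JFIF" (or "Exif") sits inside the first APPn segment, which is why the poster found nothing in common at the start of his four files. The first function checks the magic bytes for the formats the thread names (plus PNG), which is the check to use on uploads instead of trusting the extension or the browser's MIME type; PHP's built-in exif_imagetype() does the same sniffing. The second walks the length-prefixed marker segments up to Start Of Scan and refuses anything that does not fit the layout. The sample bytes at the end are constructed, not a decodable image (PHP 7.1 or later).

```php
<?php
// Added example, not from the thread: identify an image by the bytes at the
// start of the file, then walk the JPEG marker segments the linked page
// describes. Extension and the browser-supplied MIME type are not consulted.

// type => [offset, magic bytes]
const IMAGE_MAGIC = [
    'bmp'   => [0, "BM"],
    'gif87' => [0, "GIF87a"],
    'gif89' => [0, "GIF89a"],
    'png'   => [0, "\x89PNG\r\n\x1a\n"],
    'jpeg'  => [0, "\xFF\xD8\xFF"],   // SOI marker followed by the next marker's FF
];

function sniff_image_type(string $bytes): ?string
{
    foreach (IMAGE_MAGIC as $type => [$offset, $magic]) {
        if (substr($bytes, $offset, strlen($magic)) === $magic) {
            return strpos($type, 'gif') === 0 ? 'gif' : $type;
        }
    }
    return null; // unknown: reject it rather than falling back to the extension
}

/**
 * List the marker segments of a JPEG up to Start Of Scan. Each segment is
 * FF xx followed by a big-endian 16-bit length that includes the length
 * field itself. Throws on anything that does not fit that layout.
 */
function jpeg_segments(string $bytes): array
{
    if (substr($bytes, 0, 2) !== "\xFF\xD8") {
        throw new InvalidArgumentException('missing SOI marker (FF D8)');
    }
    $segments = [];
    $pos = 2;
    $len = strlen($bytes);
    while ($pos + 2 <= $len) {
        if (ord($bytes[$pos]) !== 0xFF) {
            throw new InvalidArgumentException(sprintf('expected marker at offset %d', $pos));
        }
        $marker = ord($bytes[$pos + 1]);
        if ($marker === 0xDA || $marker === 0xD9) {
            $segments[] = sprintf('FF%02X (%s)', $marker, $marker === 0xDA ? 'SOS' : 'EOI');
            break; // entropy-coded data follows SOS; no more length-prefixed segments
        }
        if ($pos + 4 > $len) {
            throw new InvalidArgumentException('truncated segment header');
        }
        $segLen = unpack('n', substr($bytes, $pos + 2, 2))[1];
        if ($segLen < 2 || $pos + 2 + $segLen > $len) {
            throw new InvalidArgumentException(sprintf('bad length %d at offset %d', $segLen, $pos));
        }
        $segments[] = sprintf('FF%02X len=%d', $marker, $segLen);
        $pos += 2 + $segLen;
    }
    return $segments;
}

// Constructed minimal JPEG header: SOI, a 16-byte APP0/JFIF segment, a COM
// segment, then SOS. Not a decodable image; enough to show the structure.
$sample = "\xFF\xD8"
    . "\xFF\xE0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    . "\xFF\xFE\x00\x07hello"
    . "\xFF\xDA";
var_dump(sniff_image_type($sample));
print_r(jpeg_segments($sample));
```

For a real file, pass file_get_contents($path) (or just the first few kilobytes) to both functions; a file that sniffs as JPEG but whose segment walk throws is exactly the kind of input that makes an image library misbehave, and is worth rejecting before it reaches GD.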
Re: [PHP] uploading files with a single quote in the filename
On 24 Feb 2005 08:22:39 -0600, Bret Hughes [EMAIL PROTECTED] wrote:

> On Thu, 2005-02-24 at 01:04, Dotan Cohen wrote:
>
>> that. A little javascript goes a long way in these sort of situations
>
> You don't want to do that with javascript. I, for one, surf with javascript turned off. The malicious script kiddie, I would presume, also would be very happy to send you a silly filename without letting javascript check it.

Javascript and client-side HTML bounds checking can be very useful. It's a hell of a lot easier to be able to have the web browser tell the user that what they've put in is invalid, rather than have them upload their stuff, have the web server check it all over, and then send back a 'sorry, this is broken' message.

Just don't rely on it for security.

-- 
AdamT
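The server-side half of what the post says to rely on, as an added example that is not part of the original thread. The client may pre-check the filename in JavaScript, but this is what is enforced: the stored name contains nothing from the client except a vetted extension, so a filename with a quote, a backslash or a "../" never reaches the filesystem, a shell or an SQL string through the name. The form field name "upload", the storage directory and the extension list are illustrative assumptions; the extension check says nothing about the file's content, so sniff the magic bytes (exif_imagetype() for images) as well before serving it (PHP 7.1 or later).

```php
<?php
// Added example, not from the thread: server-side handling of an uploaded
// file's name. Client-side JavaScript may pre-check it; this is what is
// enforced. Form field "upload", storage directory and extension list are
// illustrative.

const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];

/**
 * Derive [storedName, displayName] from the client-supplied filename.
 * The stored name is random; the display name is reduced to a safe
 * character set and still needs escaping wherever it is rendered.
 */
function safe_upload_name(string $clientName): array
{
    // Some browsers send a full path and attackers send "../"; keep the last component only.
    $base = basename(str_replace('\\', '/', $clientName));
    $ext  = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        throw new InvalidArgumentException("extension not allowed: '$ext'");
    }
    // Quotes, control characters and anything non-ASCII become '_'.
    $display = substr(preg_replace('/[^A-Za-z0-9._ -]/', '_', $base), 0, 100);
    // The name written to disk owes nothing to the client.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    return [$stored, $display];
}

/**
 * Move one entry of $_FILES into $storageDir (which should sit outside the
 * document root) and return where it went plus the cleaned original name.
 */
function handle_upload(array $file, string $storageDir): array
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, code ' . ($file['error'] ?? 'unknown'));
    }
    [$stored, $display] = safe_upload_name($file['name']);
    $dest = rtrim($storageDir, '/') . '/' . $stored;
    // move_uploaded_file() refuses anything that was not actually uploaded via HTTP.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move uploaded file');
    }
    return ['path' => $dest, 'original' => $display];
}

// Usage inside the form handler (field name assumed):
//   $info = handle_upload($_FILES['upload'], '/var/app/uploads');
// Record $info['original'] with a prepared statement, never by string concatenation,
// which is where the single quote in the thread's filename was doing damage.
```

Called on the filename from the thread, safe_upload_name("it's mine.jpg") keeps the extension, rewrites the display name to "it_s mine.jpg" and stores the file under a 32-hex-digit random name, so nothing the user typed is ever interpreted by the filesystem.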
Re: [PHP] list down
Your email ended up in my gmail spam box. That should tell you something.

On Fri, 25 Feb 2005 16:04:24 -0800, Tyler Replogle [EMAIL PROTECTED] wrote:

> I think it didn't because I wasn't getting any emails for a while last night. I wanted one too because I didn't have the email to start a new message.

-- 
AdamT
Re: [PHP] Can $_SERVER['REMOTE_ADDR'] be trusted?
On Wed, 23 Feb 2005 19:17:05, SED [EMAIL PROTECTED] wrote:

> Is it possible for hackers to give a fake IP address when visiting a website running PHP?

It might be difficult for a script-kiddy to spoof his IP address, but it isn't difficult for him to find an open proxy server, meaning that all traffic from said Kiddy will appear in the logs with the IP of the proxy. Or hey, perhaps one of the machines in your 'trusted' IP range will have been compromised, and could be used as a proxy.

Also, don't rely on NAT'd RFC1918 addresses. Your web server won't see them (eg - your company uses the network 192.168.25.0/24, so you allow only that, but PHP only sees the external NAT'd address of the user).

-- 
AdamT
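An address allow-list built on the points in the post, as an added example that is not part of the original thread. It consults only $_SERVER['REMOTE_ADDR'], which is the TCP peer the web server actually spoke to; X-Forwarded-For and similar headers are typed by the client and are ignored unless the peer is a reverse proxy you run yourself, which is the one situation in which the header carries anything trustworthy. The 203.0.113.0/24 and 198.51.100.0/24 ranges are documentation addresses used here as a stand-in "office" range and "open proxy"; the helper assumes 64-bit PHP, where ip2long() returns non-negative values, and IPv4 only.

```php
<?php
// Added example, not from the thread: allow-list a request by the address the
// server actually connected to. Ranges below are illustrative. IPv4 only;
// assumes 64-bit PHP so ip2long() yields non-negative integers.

/** True if $ip lies within $cidr, e.g. "203.0.113.0/24". A bare address is a /32. */
function ip4_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    $bits    = (int) $bits;
    if ($ipLong === false || $netLong === false || $bits < 0 || $bits > 32) {
        return false; // unparsable input never matches
    }
    $mask = $bits === 0 ? 0 : ((~0 << (32 - $bits)) & 0xFFFFFFFF);
    return ($ipLong & $mask) === ($netLong & $mask);
}

/** Is the TCP peer in one of the allowed ranges? Headers are not consulted. */
function request_allowed(array $server, array $allowed): bool
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    foreach ($allowed as $cidr) {
        if (ip4_in_cidr($peer, $cidr)) {
            return true;
        }
    }
    return false;
}

/**
 * RFC 1918 or loopback. A server on the public side of NAT never sees these
 * as a client's address, so allow-listing them (the post's 192.168.25.0/24
 * case) matches nothing.
 */
function is_private_ip4(string $ip): bool
{
    foreach (['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '127.0.0.0/8'] as $cidr) {
        if (ip4_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

/**
 * Effective client address when, and only when, the peer is one of your own
 * reverse proxies; otherwise the header is attacker-controlled and ignored.
 */
function client_ip(array $server, array $trustedProxies): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    $xff  = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '' || !request_allowed(['REMOTE_ADDR' => $peer], $trustedProxies)) {
        return $peer;
    }
    // The proxy appends the address it saw; the rightmost entry is the one it wrote itself.
    $hops = array_map('trim', explode(',', $xff));
    return (string) end($hops);
}

// Constructed requests (no real traffic involved):
$allowed  = ['203.0.113.0/24'];                                   // the "office" range
$direct   = ['REMOTE_ADDR' => '203.0.113.7'];                     // straight from the office
$proxied  = ['REMOTE_ADDR' => '198.51.100.9',                     // via an open proxy...
             'HTTP_X_FORWARDED_FOR' => '203.0.113.7'];            // ...claiming to be the office
var_dump(request_allowed($direct, $allowed));
var_dump(request_allowed($proxied, $allowed));
var_dump(client_ip($proxied, ['198.51.100.9']));   // only if 198.51.100.9 were YOUR proxy
var_dump(is_private_ip4('192.168.25.4'));
```

The point the post makes about compromised hosts inside the allowed range still stands: this tells you which network the connection came from, not who is sitting at it, so treat it as one factor alongside a real login rather than as authentication.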
Re: [PHP] Maximum number of emails in mail() command
I don't know about PHP, but the maximum number of recipients per message is configurable in your mail server's SMTP MTA. Also note that if you send a message to 2,000 people at a foreign domain, their server may reject it if they have their limit set to 2,000.

-- 
AdamT
Re: [PHP] create forum
On Fri, 18 Feb 2005 07:35:02 +0100, Stefan [EMAIL PROTECTED] wrote:

> Hi. Are there some code-examples how to build a forum with php and xml?

Why yes, there are... A quick google of:

http://www.justfuckinggoogleit.com/?q=forum+php+xml

reveals the top result to be a page called 'PHP/XML forum' where 'You can download the source to this free, thread-oriented PHP/XML based news forum'.

-- 
AdamT
Re: [PHP] PHP security
On Thu, 17 Feb 2005 20:47:28 -0600, .hG [EMAIL PROTECTED] wrote:

> It makes me wonder how secure in reality it is to place your UN and Passwords on a PHP file.

Best idea is to place such information in an include file, which you can call using the include() or require() statements - and place it someplace outside of the document root. Eg: /users/~yourname/public_html/ might be where www.example.com maps to on the local file system, so put your includes in /users/~yourname/somewhere_else/

Also - do not name these files with a .inc extension. If you need to signify the fact that they are to be included in other pages, give them .inc.php extensions. So if your webserver ever has a vulnerability whereby people can read files outside the document root (eg by typing http://www.example_site.com/../includes/dbpassword.inc.php) - the file will be parsed by PHP before being sent to the browser, thus hiding any mysql connect statements or $username variable declarations.

The other type of exploit you might need to guard against is one where people can trick the server into not parsing PHP files, but sending them straight to the browser as plain text. This might be done by sending unicode chars, or by putting an extra . on the end of the filename. Eg: requesting http://www.example_site.com/includes/dbpassword.inc.php. This is more of a problem if you place such files within the document root.

If you don't have access to space outside of the document root, then a) rattle your hosting provider's cage a little bit and b) protect these files with .htaccess and .htpasswd files (google for it if you haven't used .htaccess before). At least this way, if somebody does try to request the files directly with their web browser, they'll be prompted for a username and password. PHP, meanwhile, will still be able to read the contents.

If you're running some script which does have a load of files named .inc, and you don't want to go grepping every file, changing all instances of .inc to .inc.php, and renaming all the files - then use .htaccess files to add php as a handler for all .inc files - so any file with a .inc extension will be treated exactly the same as if it had a .php extension - ie - it will be parsed by PHP, rather than being sent to the browser as plaintext.

If you're really, really, really paranoid, you can add a file to the includes directory, called, say, rootpassword_backdoor.php, which, when accessed, will add the remote IP address to a blacklist, which other scripts consult, and if they find it matches any sites requesting them, they ignore.

My 2 bits.

-- 
AdamT
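The include-from-outside-the-document-root pattern recommended in this post and in the 'Passwords?' reply above, as an added example that is not part of the original thread. The loader resolves the credentials file, refuses to proceed if it turns out to live under DOCUMENT_ROOT (so a misconfigured host fails closed instead of quietly serving the password), and requires the file to return an array rather than set global variables. The paths /users/~yourname/..., the credential keys and the mysqli call are illustrative assumptions. If the host gives you no space outside the document root, the .htaccess fallback the post describes is, for Apache 2.4, a file in the includes directory containing `Require all denied` (`Deny from all` on 2.2), which blocks direct requests while include() still reads the file from disk; the "add php as a handler for .inc" trick is `AddType application/x-httpd-php .inc` under mod_php. The honeypot-to-IP-blacklist idea at the end of the post is not shown here: a blacklist that any single GET can populate lets an attacker lock out other visitors by embedding the honeypot URL in an image tag on some other page (PHP 7.0 or later).

```php
<?php
// Added example, not from the thread: load database credentials from a file
// that lives outside the document root and refuse to run if it does not.
// Paths, credential keys and the mysqli call are illustrative assumptions.

/**
 * Canonical path of $file, or an exception if the file is missing or resolves
 * inside the web server's document root (the case both posts warn about).
 */
function secret_file_path(string $file, string $docRoot): string
{
    $real = realpath($file);
    if ($real === false) {
        throw new RuntimeException("credentials file not found: $file");
    }
    $root = realpath($docRoot);
    if ($root !== false && strpos($real . '/', rtrim($root, '/') . '/') === 0) {
        throw new RuntimeException("refusing to load credentials from inside the document root: $real");
    }
    return $real;
}

/** Read credentials written as a PHP file that returns an array (see below). */
function load_db_credentials(string $file, string $docRoot): array
{
    $creds = include secret_file_path($file, $docRoot);
    if (!is_array($creds)) {
        throw new RuntimeException('credentials file must return an array');
    }
    foreach (['host', 'user', 'pass', 'name'] as $key) {
        if (!isset($creds[$key]) || !is_string($creds[$key])) {
            throw new RuntimeException("credentials file is missing '$key'");
        }
    }
    return $creds;
}

// Contents of /users/~yourname/somewhere_else/dbpassword.inc.php (illustrative;
// the .inc.php name means it is parsed, not served, even if it is ever reached):
//
//   <?php
//   return ['host' => 'localhost', 'user' => 'app', 'pass' => 's3cret', 'name' => 'appdb'];
//
// Caller, in a script under /users/~yourname/public_html/:
//
//   $db   = load_db_credentials(__DIR__ . '/../somewhere_else/dbpassword.inc.php',
//                               $_SERVER['DOCUMENT_ROOT']);
//   $link = mysqli_connect($db['host'], $db['user'], $db['pass'], $db['name']);
//   // $db is a local array: nothing ends up in a global that a later include could print.
```

Returning an array from the included file, instead of assigning $username and $password globals, also means the secret has a short lifetime in one variable you control, and a file that was truncated or replaced with HTML by a broken deploy fails the is_array() check instead of connecting with empty credentials.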
Re: [PHP] PHP security
On Fri, 18 Feb 2005 11:42:36 +, John Cage [EMAIL PROTECTED] wrote:

> you could also encrypt the file using one of the encoders that are out there. Some are free and some are paid for

Never thought of that ;-)

http://www.zend.com/store/products/zend-encoder.php?home (Commercial)
http://www.ioncube.com/ (Commercial - free eval available)
http://www.rssoftlab.com/phpenc.php (Commercial - free version available)

-- 
AdamT
Re: [PHP] md5 passwords to db
On Thu, 17 Feb 2005 11:33:45 +0200, William Stokes [EMAIL PROTECTED] wrote:

> Hello, I need to make a script/form that can create username and md5 password and save the info to mysql db.

You can use:

http://www.php.net/md5

to make MD5 hashes from strings, or you can just set the format of the database field to MD5, which IIRC will automagically store whatever's assigned to it as an MD5 hash.

-- 
AdamT
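Creating and checking the hashed password record, as an added example that is not part of the original thread. The md5 path reproduces what the post describes; MySQL has no MD5 column type, so the hashing happens either in PHP as here or through MySQL's MD5() function in the INSERT. An unsalted MD5 is fast to brute-force and identical for every user with the same password, so the example also shows password_hash()/password_verify() (PHP 5.5 and later, not something the 2005 post could mention) and how to upgrade a legacy MD5 row the next time its owner logs in. The table and column names in the comments are illustrative.

```php
<?php
// Added example, not from the thread: store a password as a hash and check a
// login against it. md5_record() is what the post describes, kept for
// comparison; secure_record() is the current replacement. Table/column
// names in comments are illustrative.

/** The post's approach: unsalted MD5. Same password => same hash for every user. */
function md5_record(string $username, string $password): array
{
    return ['username' => $username, 'pwhash' => md5($password)];
}

/** Salted, deliberately slow hash; salt and cost travel inside the returned string. */
function secure_record(string $username, string $password): array
{
    return ['username' => $username, 'pwhash' => password_hash($password, PASSWORD_DEFAULT)];
}

/** True if the stored value is a bare 32-hex-digit MD5 rather than a password_hash() string. */
function is_legacy_md5(string $stored): bool
{
    return strlen($stored) === 32 && ctype_xdigit($stored);
}

/** Check a login attempt against a record of either kind. */
function verify_login(array $record, string $password): bool
{
    $stored = $record['pwhash'];
    if (is_legacy_md5($stored)) {
        // hash_equals() keeps the comparison constant-time.
        return hash_equals($stored, md5($password));
    }
    return password_verify($password, $stored);
}

/**
 * After a successful login, replace a legacy MD5 (or an out-of-date cost)
 * with a current hash; the plaintext is only available at login time.
 */
function upgrade_if_needed(array $record, string $password): array
{
    if (password_needs_rehash($record['pwhash'], PASSWORD_DEFAULT)) {
        $record['pwhash'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return $record;
}

// Walk-through with constructed input:
$old = md5_record('alice', 'correct horse');
$new = secure_record('bob', 'correct horse');
var_dump(verify_login($old, 'correct horse'), verify_login($old, 'wrong'));
var_dump(verify_login($new, 'correct horse'), verify_login($new, 'wrong'));
$upgraded = upgrade_if_needed($old, 'correct horse');
var_dump(is_legacy_md5($upgraded['pwhash']));

// Persisting a record (mysqli, prepared statement; the pwhash column should be
// VARCHAR(255) because password_hash() output is longer than 32 characters):
//   $stmt = $mysqli->prepare('INSERT INTO users (username, pwhash) VALUES (?, ?)');
//   $stmt->bind_param('ss', $new['username'], $new['pwhash']);
//   $stmt->execute();
```

The two 'correct horse' records make the weakness concrete: alice's MD5 would be identical for anyone else choosing that password and is found in seconds by a wordlist, while bob's hash differs every time secure_record() runs and costs the attacker one bcrypt computation per guess.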
Re: [PHP] [HAB] PHP or ASP.Net
On Thu, 17 Feb 2005 13:41:03 -0800, Stephen Johnson [EMAIL PROTECTED] wrote:

> I find it humorous that these types of debates keep coming back up -- no matter what the topic, the IT world can not seem to agree on anything.

http://en.wikipedia.org/wiki/Internet_troll

It happens in comp.lang.php too. And comp.os.linux.advocacy. And I've even seen people post soccer-related questions to chess forums.

-- 
AdamT