[PHP] Sessions and Security Concerns

2010-03-29 Thread Ben Stones
Hi,

I'm just wondering whether there are any apparent security concerns I should
be aware of when using sessions in my PHP scripts. I understand that
sessions are tracked with an individual user via a session ID which is
stored in a temporary location on the server, as well as a PHPSESSID cookie
assigned to the end user's client, but the server my website is hosted on
(and which I'll be developing my PHP script on) doesn't allow you to create
a session ID via the URL (i.e. index.php?PHPSESSID=1234) so I *presume* only
the server can generate a session ID for the end user when I call the
session_start function? So do I still need to call session_regenerate_id for
security purposes when an end user has entered the correct login credentials
- would this be necessary since you can't set a session ID via the URL?

Thanks,
Ben.
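
Added example, not part of the original post: a login flow that restricts session IDs to server-issued cookies and still calls session_regenerate_id() once the credentials check passes, since a pre-login session ID can reach the browser as a cookie even when URL-supplied IDs are disabled. The function names and the `$credentialsOk` flag are constructed for illustration; the array form of session_set_cookie_params() assumes PHP 7.3 or later.

```php
<?php
// Added illustration; start_hardened_session() and complete_login() are
// constructed names, not part of any library.

function start_hardened_session(): void
{
    // Take the session ID from the cookie only, never from the URL.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Refuse IDs that this server did not generate itself.
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,       // expire when the browser closes
        'path'     => '/',
        'secure'   => true,    // assumes the site is served over HTTPS
        'httponly' => true,    // hide the cookie from page scripts
        'samesite' => 'Lax',
    ]);
    session_start();
}

function complete_login(bool $credentialsOk, int $userId): bool
{
    if (!$credentialsOk) {
        return false;
    }
    // Swap the pre-login ID for a fresh one; `true` deletes the old
    // session record so the previous ID can no longer be resumed.
    session_regenerate_id(true);
    $_SESSION['user_id']   = $userId;
    $_SESSION['logged_in'] = time();
    return true;
}

// Constructed usage: the credentials check itself is out of scope here.
start_hardened_session();
$before = session_id();
complete_login(true, 42);
$after = session_id();
echo $before !== $after ? "session ID rotated\n" : "session ID unchanged\n";
```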


[PHP] Recommended Books on Object Oriented Programming

2010-03-24 Thread Ben Stones
Hi,

I want to properly learn object oriented programming as I've been coding in
procedural style since I started with PHP a few years ago, and want to give
OOP a shot. The web isn't really a good resource to learn OOP in PHP to be
honest, as a lot is outdated for PHP4's style of OOP. I've looked into OOP
quite a bit and understand the concept of it, and want to take it further.
Any recommendations appreciated :).

Thanks,
Ben.


[PHP] Inserting Associative array values into a MySQL INSERT statement?

2010-02-14 Thread Ben Stones
Hi,

I want to be able to create a function that acts as an insert mysql function
that accepts specific parameters for the fields and the values I want to
insert into those respective fields and I know I'll need to use associative
arrays to complete this task when passing values to the function, but I'm
not sure how to pass multiple values in an array through an insert
statement? Any help greatly appreciated!

Thanks.
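
Added example, not part of the original post: one way to build the INSERT from an associative array, using PDO placeholders for the values and an allowlist for the table and column names, which cannot be bound as parameters. The `insert_row()` helper, the `users` table and its columns are constructed, and an in-memory SQLite database stands in for MySQL so the snippet runs on its own.

```php
<?php
// Added illustration; insert_row(), the table and the columns are constructed.

function insert_row(PDO $db, string $table, array $data, array $allowed): int
{
    // Identifiers cannot be bound as parameters, so only names from a
    // fixed allowlist are ever placed into the SQL text.
    if (!isset($allowed[$table])) {
        throw new InvalidArgumentException("Unknown table: $table");
    }
    $columns = array_keys($data);
    if ($columns === [] || array_diff($columns, $allowed[$table]) !== []) {
        throw new InvalidArgumentException('Empty or unexpected column list');
    }

    $names = implode(', ', array_map(fn ($c) => "`$c`", $columns));
    $marks = implode(', ', array_fill(0, count($columns), '?'));
    $stmt  = $db->prepare("INSERT INTO `$table` ($names) VALUES ($marks)");

    // Values travel separately from the SQL text and are never concatenated.
    $stmt->execute(array_values($data));
    return (int) $db->lastInsertId();
}

// Allowlist of tables and the columns callers may set (constructed).
$allowed = ['users' => ['username', 'email']];

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)');

// A value containing a quote is stored as data, not parsed as SQL.
$id = insert_row($db, 'users', [
    'username' => "o'brien",
    'email'    => 'ob@example.test',
], $allowed);
echo "inserted row $id\n";

// A column outside the allowlist is refused before any SQL is built.
try {
    insert_row($db, 'users', ['username' => 'x', 'is_admin' => 1], $allowed);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```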


[PHP] Object Oriented Programming question

2010-01-19 Thread Ben Stones
Hi,

I've been learning about object oriented programming for the past few weeks
and I've understood it pretty well, but I have one question. Usually with
PHP scripts I make, all the functionality for a specific page is in the
actual PHP file, and I'd use PHP functions in a separate directory which
would be included in whichever PHP file needs specific functions I have
created. The functions would be for the specific things in my script, such
as validation checks, functionality that will be used/repeated a lot
throughout my script, etc. What I don't understand about OOP is what its
primary purpose is for. Do I use OOP for all the functionality of my
application, in separate directories, and include these specific class files
and call the methods to complete specific functionality needed for whatever
PHP file I'm working on, or is OOP used for specific functionality like I
would with functions? Essentially what I'm asking is what is the primary
purpose for OOP? Hope you understand.

Thanks,


[PHP] Sessions in object oriented code

2008-10-30 Thread Ben Stones
Hi,

Hope I can explain this as easily as possible, basically I am using both
cookies and sessions for my script, whereby the user is allowed to choose
which method they want to login with. Problem for me is removing the
registration form, etc., from those that are logged in. The thing is the
form is in its own method in a separate file, and it's called within HTML
code so obviously if I included session_start() in the separate include file
where the methods/classes are, etc., I'd get a headers already sent error.
So is there a solution to this?

Thanks.


Re: [PHP] Sessions in object oriented code

2008-10-30 Thread Ben Stones
Hi,

I can't really understand that. Not sure if you understand my problem
properly (if I've not explained properly). Anyone can give me some solutions
please?

Thanks.

2008/10/31 Yeti [EMAIL PROTECTED]

 OK I guess it's somehow like this ..

 <form>
 <?php
 if (isset($_POST['submit'])) {
     include('sessions.php');
     // include sessions.php
 }
 ?>
 <!-- form innerhtml -->
 </form>

 now this of course is something very bad to do and it won't work.
 One way to prevent markup from being outputted is using ob_buffer() [1]

 EXAMPLE:
 <?php
 $form = <<<FORM
 <form>
 <!-- form inner xml -->
 </form>
 FORM;
 ob_start();
 echo $form;
 $output_buffer = ob_get_contents();
 ob_end_clean();
 var_dump(nl2br(htmlentities($output_buffer)));
 ?>

 So what we do here is simply start the output buffer before echoing $form.
 ob_get_contents() returns the output buffer as it is right now.
 By calling ob_end_clean() buffering is stopped and the buffer cache
 released.
 Still keep in mind that headers will still be sent when buffering the
 output.

 here is a more complex
 EXAMPLE:
 <?php
 ob_start(); // starting the output buffer
 ?>
 <html>
 <body>
 <!-- inner xml -->
 {{replace_me}}
 </body>
 </html>
 <?php
 $output_buffer = ob_get_contents();
 ob_end_clean();
 session_start();
 $_SESSION['test'] = time();
 echo str_replace('{{replace_me}}', '<p>This is the replaced string.<br />SESSION[test] was set to: '.$_SESSION['test'].'</p>',
 $output_buffer);
 ?>

 Now we start the output buffer at the beginning of the script and the
 session at the end.
 It does not matter whether we close the PHP tag after starting the
 ob_buffer. ( like with ?> )
 As long as we do not flush_end or clean_end the output buffering
 process it will continue caching the output (except headers).
 So session_start should work after actually outputting markup.

 Another method could be like we did above the str_replace() [2] ...

 EXAMPLE:
 <?php
 $some_number = time();
 $html = <<<HTML
 <html>
 <body>
 <p>Time: $some_number</p>
 <p>{{replace_me}}</p>
 </body>
 </html>
 HTML;
 echo str_replace('{{replace_me}}', 'This string was changed by PHP',
 $html);
 ?>

 There is still plenty of other possible solutions. Keep on rocking

 [1] http://in.php.net/manual/en/ref.outcontrol.php
 [2] http://in.php.net/manual/en/function.str-replace.php

 //A yeti



Re: [PHP] Information on Cookies

2008-10-15 Thread Ben Stones
Can you explain to me the benefits of hashing/encrypting/md5'ing cookie
values? I don't see how it'd stop hackers from changing cookie values?

2008/10/15 Stut [EMAIL PROTECTED]

  On 15 Oct 2008, at 15:23, Ben Stones wrote:

 I've read a few videos on cookie security and it makes sense that people
 can modify cookie values which is a problem I'm trying to figure out to
 *try* and prevent. What I'll first do is at the top of the page that
 validates if the cookie values is in the database, but what my next problem
 is they'd use usernames in the database as the values. Are there any
 preventable measures to prevent cookie forging or what not.


 You can encrypt or hash the cookies to prevent tampering...

  http://stut.net/blog/2008/07/26/sessionless-sessions-2/

 -Stut

 --
 http://stut.net/



[PHP] Information on Cookies

2008-10-15 Thread Ben Stones
I've read a few videos on cookie security and it makes sense that people can
modify cookie values which is a problem I'm trying to figure out to *try*
and prevent. What I'll first do is at the top of the page that validates if
the cookie values is in the database, but what my next problem is they'd use
usernames in the database as the values. Are there any preventable measures
to prevent cookie forging or what not.

Thanks.


Re: [PHP] Information on Cookies

2008-10-15 Thread Ben Stones
Makes perfect sense. I have included this security in my script - thanks to
both of you for your help!

Cheers!

2008/10/15 Stut [EMAIL PROTECTED]

 On 15 Oct 2008, at 16:04, Ben Stones wrote:

 Can you explain to me the benefits of hashing/encrypting/md5'ing cookie
 values? I don't see how it'd stop hackers from changing cookie values?


 You encrypt stuff with a string that you keep secret. That string is needed
 to decrypt the string.

 When hashing you would add a secret string to the value you're hashing
 before calculating the hash. When validating the content of the cookie you
 would add the secret string and then compare the calculated hash.

 In both cases the bad guys would need to know the secret string in order
 to create a valid cookie value so as long as you're not stupid enough to
 share it it's pretty secure. Aside from the extra CPU required for
 encryption the only difference between the two is that with hashing the
 value you're storing is stored in the cookie in plain text whereas an
 encrypted value is, erm, encrypted.

 I suggest you Google encryption and hashing as these are pretty basic
 concepts.

 -Stut


  2008/10/15 Stut [EMAIL PROTECTED]
 On 15 Oct 2008, at 15:23, Ben Stones wrote:
 I've read a few videos on cookie security and it makes sense that people
 can modify cookie values which is a problem I'm trying to figure out to
 *try* and prevent. What I'll first do is at the top of the page that
 validates if the cookie values is in the database, but what my next problem
 is they'd use usernames in the database as the values. Are there any
 preventable measures to prevent cookie forging or what not.

 You can encrypt or hash the cookies to prevent tampering...

  http://stut.net/blog/2008/07/26/sessionless-sessions-2/


 --
 http://stut.net/
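
Added example, not part of the original thread: the "value plus secret, then compare hashes" check described above, written with HMAC-SHA256 (hash_hmac) and a constant-time comparison (hash_equals) in place of a plain md5 of the concatenated string. The key, the helper names and the cookie layout are constructed; a real key would be long, random and stored outside the web root.

```php
<?php
// Added illustration; COOKIE_KEY is a constructed placeholder value.
const COOKIE_KEY = 'constructed-demo-key-replace-with-random-bytes';

// Layout: base64(value) "." expiry-timestamp "." hex HMAC over the first two.
function sign_cookie(string $value, int $expires, string $key = COOKIE_KEY): string
{
    $payload = base64_encode($value) . '.' . $expires;
    return $payload . '.' . hash_hmac('sha256', $payload, $key);
}

// Returns the original value, or null if the cookie is malformed,
// modified, signed with a different key, or past its expiry time.
function verify_cookie(string $cookie, ?int $now = null, string $key = COOKIE_KEY): ?string
{
    $parts = explode('.', $cookie);
    if (count($parts) !== 3) {
        return null;
    }
    [$b64, $expires, $mac] = $parts;

    // Recompute the MAC over what the client sent and compare in constant time.
    $expected = hash_hmac('sha256', $b64 . '.' . $expires, $key);
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    // The expiry is covered by the MAC, so it can be trusted once the MAC matches.
    if (!ctype_digit($expires) || (int) $expires < ($now ?? time())) {
        return null;
    }
    $value = base64_decode($b64, true);
    return $value === false ? null : $value;
}

$now    = time();
$cookie = sign_cookie('ben', $now + 3600);

// Constructed tampering case: the username is swapped but the MAC is reused.
[, $expires, $mac] = explode('.', $cookie);
$altered = base64_encode('admin') . '.' . $expires . '.' . $mac;

var_dump(verify_cookie($cookie, $now));         // untouched cookie
var_dump(verify_cookie($altered, $now));        // edited value, old MAC
var_dump(verify_cookie($cookie, $now + 7200));  // same cookie after expiry
```

As the thread notes, the value itself stays readable in the cookie; the MAC only makes changes detectable.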



Re: [PHP] Microsoft China to Punish private windows users

2008-10-15 Thread Ben Stones
via e-mail? lol - speaking of which doubt many would visit the site anyway
:)... oh wait, the archive... is it indexed by Google?

2008/10/16 Ashley Sheridan [EMAIL PROTECTED]

 On Wed, 2008-10-15 at 16:38 -0400, Wolf wrote:

This is extremely off-topic. Please don't abuse this list in an attempt
to drive traffic to your blog.
   
-Stut
   
  
   It *is* powered by PHP, Stut.  :P
  
 
  True, but that's the ONLY PHP thing about it...  OK, and the URL has PHP
 in it...
 
  ;)
 
  Wolf
 

 I think the PHP part of the URL was added by the mailing list. Short of
 that, I think it's just some schmuck trying to boost his/her SEO
 ranking.


 Ash
 www.ashleysheridan.co.uk



Re: [PHP] New to PHP

2008-10-14 Thread Ben Stones
There are many places to get help when you need it, but a good place is the
unofficial PHP IRC channel. Search on Google for XChat, download it, and
connect to ##PHP in irc.freenode.net. Great place and it seriously has
helped me once or twice. If you don't know about how to use IRC, search on
Google :).

The best bet to grasping PHP logic itself is finding small scripts to learn
and tamper with. Go to www.hotscripts.com and find some unhelpful scripts
from there that you can learn from and modify. Best way of learning PHP
really :). If you are only just starting, tizag.com is a good place to learn
the basics.

Good luck!

2008/10/13 Gary [EMAIL PROTECTED]

 I am just starting to learn php, and typically I use newsgroups to
 supplement the learning process.

 Does anyone have any sources that you would recommend to me and is this
 the best NG for me to monitor?...or is there another you might suggest?

 Thanks

 Gary



 --
 PHP General Mailing List (http://www.php.net/)
 To unsubscribe, visit: http://www.php.net/unsub.php




[PHP] Can't use copy() to copy files

2008-10-14 Thread Ben Stones
Ok, here is my code (mind it is a bit messy I was just testing to see if it
works first off without success):

if($_GET['act'] == "update") {
  $check_exists=file_exists($_GET['file']);
  if($check_exists==1) {
    if(copy($_GET['file'],$_GET['file'])) {
      echo 5;
    }
    else {
      echo $_GET['file'];
    }
  }
}

Obviously it doesn't echo 5, it just echoes the file name which is a sign it
isn't copying. If I change it to: copy($_GET['file'],"Hello/".$_GET['file'])
it copies file, and sure enough I check the directory to find it has copied
too. This code is in a separate directory and I have changed both that
directory, the Hello directory and the file being copied to 777 permissions
but no luck. I noticed the following in the error_log:

[14-Oct-2008 18:07:38] PHP Warning:  copy(/index.php) [<a
href='function.copy'>function.copy</a>]: failed to open stream: Permission
denied in /home/vinat/public_html/Files/test.php on line 31
Any help appreciated!


Re: [PHP] Setcookie()

2008-10-13 Thread Ben Stones
Hi,

My problem was a headers already sent error, which I fixed by redirecting
the form POST to a separate file instead of the same login.php. Thanks for
all your help!

2008/10/13 Stut [EMAIL PROTECTED]

 On 12 Oct 2008, at 23:51, Micah Gersten wrote:

 The question is, why aren't you using a session variable instead of
 cookies?  That's one of the greatest features of PHP.


 If you're able to use cookies instead of sessions, and the size of the data
 you're storing is fairly small, it's always better to use cookies. Sessions
 complicate scalability.

 Ben: The *only* restriction around use of setcookie is that there cannot be
 any *output* before it. You can have as much code as you want as long as it
 doesn't output anything. If your script outputs content before your business
 logic is done then (IMHO) it's wrong and needs to be rewritten anyway,
 regardless of the need to set a cookie.

 -Stut

 --
 http://stut.net/

  Ben Stones wrote:

 What I mean is I cannot use setcookie, I need to check if user
 credentials are correct first (which is BEFORE setcookie) and if so, set a
 cookie. I can't do that unless setcookie is first, but I need to check if
 the user credentials is correct. Furthermore I cannot use setcookie in the
 header as I want to display a message saying that they have successfully
 logged in in the correct area of my template.

 2008/10/11 Per Jessen [EMAIL PROTECTED]


  Ben Stones wrote:


  I'm using cookies for my website script and upon users logging in a
 cookie is set. Problem for me is that the cookie doesn't work due to
 headers already sent. Is there anyway of fixing this because, there is
 no possible way of adding setcookie() to the top of the PHP file when
 the cookie is holding the username from the POSTed form.

  This must be a self imposed restriction on your side, coz' otherwise I
 see no problem.


 /Per Jessen, Zürich



[PHP] Setcookie()

2008-10-11 Thread Ben Stones
Hi,

I'm using cookies for my website script and upon users logging in a cookie
is set. Problem for me is that the cookie doesn't work due to headers
already sent. Is there anyway of fixing this because, there is no possible
way of adding setcookie() to the top of the PHP file when the cookie is
holding the username from the POSTed form. Any help appreciated.


Re: [PHP] Setcookie()

2008-10-11 Thread Ben Stones
What I mean is I cannot use setcookie, I need to check if user credentials
are correct first (which is BEFORE setcookie) and if so, set a cookie. I
can't do that unless setcookie is first, but I need to check if the user
credentials is correct. Furthermore I cannot use setcookie in the header as
I want to display a message saying that they have successfully logged in in
the correct area of my template.

2008/10/11 Per Jessen [EMAIL PROTECTED]

 Ben Stones wrote:

  I'm using cookies for my website script and upon users logging in a
  cookie is set. Problem for me is that the cookie doesn't work due to
  headers already sent. Is there anyway of fixing this because, there is
  no possible way of adding setcookie() to the top of the PHP file when
  the cookie is holding the username from the POSTed form.

 This must be a self imposed restriction on your side, coz' otherwise I
 see no problem.


 /Per Jessen, Zürich






[PHP] Alternative to HTTP_REFERER?

2008-10-11 Thread Ben Stones
Are there any alternatives to HTTP_REFERER as that only works for clicking
but it won't work for referrals from redirects?

Cheers


[PHP] Public in Classes

2008-09-21 Thread Ben Stones
Hi,

Just started with object oriented programming and glad I have come across
it, just need a few things clearing up.

When I make a variable or method public, does this mean that it can be used
outside of classes, for instance in other classes or as well as
instantiating classes? So if I made it private, it wouldn't be able to be
instantiated or extended in other classes, am I right?

I have never added public when I am creating methods so I presume it's
already set as default if you don't add it?

Hope you can understand my question.

Cheers.


Re: [PHP] Public in Classes

2008-09-21 Thread Ben Stones
Hi,

I have this piece of code that I have created:

class userQueries {
    public function numberUsers() {
        $get_users=mysql_query("SELECT * FROM `users` WHERE `online`  NOW()") or exit("../includes/error.php");
    }
}

class usersOnline extends userQueries {
    public function usersOnline() {
        echo mysql_num_rows($this->numberUsers);
    }
}

How do I request specific methods in other classes? The error that comes up
is:

mysql_num_rows(): supplied argument is not a valid MySQL result resource

which is somewhat expected as $this only refers to the variables and there
are no variables called numberUsers.

Cheers!

2008/9/21 Jochem Maas [EMAIL PROTECTED]

 Ben Stones schreef:

  Hi,

 Just started with object oriented programming and glad I have come across
 it, just need a few things clearing up.

 When I make a variable or method public, does this mean that it can be
 used outside of classes, for instance in other classes or as well as
 instantiating classes? So if I made it private, it wouldn't be able to be
 instantiated or extended in other classes, am I right?

 I have never added public when I am creating methods so I presume it's
 already set as default if you don't add it?

 Hope you can understand my question.


 yes, and the answer nearly always lies in trying it out, run this
 (and if/when you hit a fatal error, comment the offending line and run it
 again):

 <?php

 class Test
 {
     public      $a = "A";
     protected   $b = "B";
     private     $c = "C";

     function tryme()
     {
         echo $this->a, "\n";
         echo $this->b, "\n";
         echo $this->c, "\n";
         echo $this->d, "\n";
     }
 }

 class TestTwo
 {
     function tryme()
     {
         echo $this->a, "\n";
         echo $this->b, "\n";
         echo $this->c, "\n";
         echo $this->d, "\n";
     }
 }

 $t1 = new Test;
 $t2 = new TestTwo;

 $t1->tryme();

 echo $t1->a, "\n";
 echo $t1->b, "\n";
 echo $t1->c, "\n";
 echo $t1->d, "\n";

 $t2->tryme();

 echo $t2->a, "\n";
 echo $t2->b, "\n";
 echo $t2->c, "\n";
 echo $t2->d, "\n";

 ?>

  Cheers.





[PHP] Calling methods from others classes

2008-09-21 Thread Ben Stones
Hi,

I have this piece of code that I have created:

class userQueries {
    public function numberUsers() {
        $get_users=mysql_query("SELECT * FROM `users` WHERE `online`  NOW()") or exit("../includes/error.php");
    }
}

class usersOnline extends userQueries {
    public function usersOnline() {
        echo mysql_num_rows($this->numberUsers);
    }
}

How do I request specific methods in other classes? The error that comes up
is:

mysql_num_rows(): supplied argument is not a valid MySQL result resource

which is somewhat expected as $this only refers to the variables and there
are no variables called numberUsers.

Cheers!


[PHP] OOP - Calling methods from classes that are inheriting?

2008-09-21 Thread Ben Stones
Hi,

How do I call methods from classes that are inherited? I want to add a
mysql_num_rows() function to a second class that is an addon to a MySQL
query in the first class. The first class will be used in several different
classes for different parts of the site so I don't want to directly add the
num_rows to the first class method as the query won't just be used for this
function.

Hope I have made myself as clear as possible!

Cheers!


Re: [PHP] Re: OOP - Calling methods from classes that are inheriting?

2008-09-21 Thread Ben Stones
Hi, maybe if I post below what I'm trying to do it may make more sense:

class myClass {
    public function func() {
        $hello = "Yay!!";
    }
}

class otherClass extends myClass {
    public function otherFunc() {
        echo parent::func();
    }
}

$class=new otherClass();
echo $class->otherFunc();

Nothing outputs. Sorry I am slightly new to OOP so there may be a simple fix
for this?

2008/9/21 Lupus Michaelis [EMAIL PROTECTED]


 Ben Stones a écrit :

 Hope I have made myself as clear as possible!


  I didn't understand what you mean, but I guess you're seeking for the
 parent keyword. Read again the PHP manual about OOP.

 --
 Mickaël Wolff aka Lupus Michaelis
 http://lupusmic.org





[PHP] Readdir() question

2008-09-11 Thread Ben Stones
Hi,

I'm going to make a small browser based file system for ease of small
updates that I make frequently on my Website. First of all I want to loop
all the files on the same directory and to tell PHP read the same directory,
I think I'd need to use the magic constant I think it's called, __DIR__ such
as:

<?php
$dir=opendir(__DIR__);
while($files=readdir($dir)) {
    echo $files;
}
?>

But I get a few errors:

*Warning*: opendir(__DIR__) [function.opendir]: failed to open dir: No error
in *C:\wamp\www\Project1\index.php* on line *2*

*Warning*: readdir(): supplied argument is not a valid Directory resource in
*C:\wamp\www\Project1\index.php* on line *3*

Any help in the right direction will be appreciated!

Cheers.


[PHP] Installation doesn't complete, Windows Vista: error - script required to complete

2008-09-10 Thread Ben Stones
Hi,

Others are facing the same problem and there's an official bug report here
about it: http://bugs.php.net/bug.php?id=43639thanks=3

PHP hasn't fixed it since December 2007, wondering if anyone has a
workaround as I cannot even uninstall it now as the same problem arises. Is
there any workaround as I have Apache and MySQL all ready and setup.

Cheers.


[PHP] Anything like XAMPP?

2008-09-10 Thread Ben Stones
There's a bug, I believe with XAMPP where from XAMPP CP you click 'admin'
under MySQL, when WinMySQLadmin comes up, the icon in the right (traffic
light) is always red, and there's no option to start the service anymore...
at the moment there's a Stop the Service option but it's unselectable. Are
there other ready-setup environment just like XAMPP that has phpMyAdmin
included, too? I know this has nothing to do with PHP individually but any
help will be appreciated!

Cheers!


[PHP] Setting up a password for WAMP

2008-09-10 Thread Ben Stones
Hi, just installed WAMP and wondering how do I setup a root password for
accessing phpMyAdmin, MySQL, etc. Couldn't find anything on the WAMP's
Website how to do this. I realise this has got nothing to do with PHP
specifically but any help will be appreciated!


[PHP] Basics of OOP

2008-09-09 Thread Ben Stones
Hi,

The following bit of code doesn't output anything:

<?php
class output {
    var $text;
    function outputText() {
        $this->text = "Hello World";
        echo $this->text;
    }
}

$class = new output();
$class->outputText;
?>

As well as the following code:

<?php
class output {
    var $text=5;
    function outputText() {
        echo $this->text;
    }
}

$class = new output();
$class->outputText;
?>

Am I doing anything wrong? By the way, the preceding code is just so I
understand OOP which finally I've grasped, but am I doing anything wrong as
both codes don't output anything?