[PHP] Re: MySQL Access

2002-09-20 Thread M1tch

I had the problem a few days ago.

Here's some software that makes it easy as clicking a button -
http://www.convert-in.com/sql2acc.htm

Be warned though, it's only free to copy table structure. It requires
registration to copy data.


Christian Calloway [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
> Can anyone suggest a strategy for importing data from MySQL to Access (it
> sucks I know, but I have to do it for my work). I was thinking of using a
> text-delimited file as an intermediate, but I am not quite sure on the
> logistics.





-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




Re: [PHP] PreCaching Db into Variables Slows it down?!??

2002-09-12 Thread M1tch

That's an expansive reply! Cheers Peter
Since I had to alter the db (quite simply) to include this tweak, I thought
best to do it now in dev phase (and keep it as an option), than mess around
with it later when lots of data exists.

It's my own code, and benchmarks show it to perform fast. However, in due
course I will try the Smarty template system, and compare it to that, but
from what (little) I've read on the subject, I don't know if it's best
suited to my needs (although the cache system sounds nice!).

You're right, it is early to be worrying about optimisation, but I tend to
get a bit obsessive about it. I take the view it's best to get it at least
half right during development phase, than make a mess and spend a lot longer
trying to rework production code.

You sound like you have some experience though, what's a decent page load
time? (from start of script to end of script)?
I'm aiming for sub 0.1 seconds, on IIS5 (it will be moved to RedHat for
production).

Thanks for your input, interesting read!
Andy

> I bet someone would have to look at the code. Are you writing your own
> code or just gluing modules together? I'm using the
> Smarty template system which I really like, it caches templates.
>
> Personally I think you are going overboard in trying to optimize at this
> point. I assume that your system is working, and so you
> need only tweak it. But it sounds as if you are still working out what the
> system is.
>
> I have not done much work on High Traffic sites. One site was a skater
> site and big food producer was running a promo and
> had TV ads ... site performed fine even though it was just plain cgi
> scripts hitting mysql at least 5 times for just about every
> page (I did not write the site but I had to modify, watch it).
>
> Another site was marked as troublesome, big book publisher. They just
> threw hardware at it and all was well.
>
> Now Yahoo ... or Google ... that would be interesting. Why create a
> solution for no problem?  I'd suggest looking at your
> templating system. Which one are you using? You didn't create your own did
> you?
>
> Peter










[PHP] Re: Extracting Numbers from a string.

2002-09-11 Thread M1tch

it doesn't use ereg, but it (should) would work:

$mystring = "I have \$56.55 dollars, don't you know";
$mystring = substr($mystring, strpos($mystring, '$')); // keep from the $ sign onward
$mystring = substr($mystring, 0, strpos($mystring, ' ')); // keep only till first space

// $mystring now contains $56.55
if you want it split into two variables, of '$56', and '55' use:
$a = explode('.', $mystring);
// $a[0] = $56
// $a[1] = 55

(by the way, there may be functions that work better than using the
substr+strpos functions, I just can't remember off the top of my head!)

Of course, ereg might well work better!



Jason Caldwell [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
> I need to extract the numbers only from a field.
>
> For example:  I have an AMOUNT field and so that I can filter out any user
> typos I would like to extract the numbers only.
>
> If the user enters $56.55 for example or just $56 then I would like to be
> able to remove the $ and the . keeping just the 56 or 5655.
>
> Can I use eregi_replace() to do this -- I've been trying but it doesn't
> seem to work right.
>
> Thanks.
> Jason









[PHP] PreCaching Db into Variables Slows it down?!??

2002-09-11 Thread M1tch

Grrr!

Just spent ages (well, 2 hours) on a precaching system for my PHP code that
didn't work out!
Hang on, I'll backtrack a bit...

My website is using a php engine that picks at snippets of html from the
database, and builds them up to form the page.
A typical page may use 5 of these html snippets, each at maybe 5kb in size.

I was sat thinking, looking at the debug-timer, and saw that the templates
were one of the more time consuming aspects.
So I said, I know, I'll save the db a bit, and at the start of the script,
read all the templates that I'll need into a global variable, and call them
from that.
Simple, 5 db calls put into 1, and templates taken out of memory.

So why, oh why, has the time taken actually increased??? Does anyone have
sufficient working knowledge of PHP to give me a hint at why this has
happened?

Also, am I right in thinking that as the website hits increase, the db will
be put under increasing pressure, so it serves off better being called only
once instead of 5 times (Even though more data is taken out of it??).

It's late, my eyes are blurring, and I'm annoyed. Very annoyed!

Regards,
Andy








Re: [PHP] Re: Proposal for securing PHP sessions

2002-09-08 Thread M1tch

Ooooh, it's a lesson every day! Right, back to the drawing board :(

Justin French [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
> on 08/09/02 5:04 AM, M1tch ([EMAIL PROTECTED]) wrote:
>
> > Why not just use IP?
> > I created a nice system, whereby if your IP is changed (or someone is
> > hacking your session), the session is destroyed, and the user must log in.
> > Does not add much overhead either.
>
> large ISPs like AOL use variable IPs (your IP could change from page to
> page)... that's a pretty good reason to start with.
>
> if people get disconnected, they too are likely to have a new IP on most
> dial-up ISPs.
>
> Justin









[PHP] Re: Proposal for securing PHP sessions

2002-09-08 Thread M1tch

Okay, having had my own solution shot and burned ;), I would love to look at
yours, but unfortunately the page (well, the entire site), will not load.
It could be a temporary outage with either ISP, but is there any way you
could post it here? (I perhaps flag it as large?).

On my site, I'm not really bothered about most of the session data being
hijacked, because a user would still not be able to be malicious (any
serious function, like post article/forum message/etc., has a permission
check before it's executed that verifies the username/password).
Of course, this then becomes a problem if the user has stored the password
in session, as this is the sensitive part.

Why oh why is AOL so terrible. I didn't like them before, but now! Gr

Andy

Mar Tin [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
>
> Dear all:
>
> Until I read the article PHP Session security
> (http://www.webkreator.com/php/configuration/php-session-security.html)
> I haven't noticed how insecure PHP Sessions are.
>
> Basically there're 2 problems:
>
> *) It's possible to hijack a session if you know the
> SID (session id)
>
>  1) If you're on a shared server (cheap webhosting)
> other users can get the SIDs by doing ls /tmp/sess_*
> (/tmp/ is defined on session.save_path on the config
> file, so it may be different).
>
>  2) When a user clicks on an external link, the
> browser sends the REFERER url and sometimes it
> contains the SID (if session.use_trans_sid is enabled)
>
> PHP offers a security measure: with
> session.referer_check it will reject SIDs coming from
> other referers, but the referer url can be easily
> forged.
>
> *) Users can read session data from the session files,
> which are owned by the server process (every user
> which has an account on the webserver can read server
> owned files)
>
> (If you're interested in the subject I would recommend
> reading the full article:
> http://www.webkreator.com/php/configuration/php-session-security.html)
>
> I have developed some functions to avoid these
> problems. They replace the standard session functions
> (using session_set_save_handler), so you only have to
> include the file at the beginning of your script and
> (afaik) you're safe :)
>
> This is the idea:
>
> Apart from the session cookie, I set another one (with
> the same name and the string '_sec' appended). On this
> cookie I set a random KEY.
> The name of the file which contains the session data
> is the md5 hash of the SID and the KEY together. This
> makes it impossible to guess the session id by looking at
> the filenames.
>
> To hide the data inside the file, the serialized
> string is crypted using the KEY as password, so nobody
> can see the content of your user's sessions.
>
> You can find the code here:
> http://www.n3rds.com.ar/files/docs/php_sessions/sess_handler.txt
>
> I'm looking for suggestions to make it 100% compatible
> with the standard session functions, and I would like
> to hear some thoughts about the idea
>
> Martin Sarsale
> [EMAIL PROTECTED]




[PHP] Re: Proposal for securing PHP sessions

2002-09-08 Thread M1tch

lol, no sooner had I spoken than it sprang back into action! I now have the
source you posted. Looking it over!





Re: [PHP] Re: Proposal for securing PHP sessions

2002-09-08 Thread M1tch

Just out of curiosity, do you know if any part (e.g. x1.x2.x3.x4) of the IP
remains static when AOL changes it? Even if it's only the first part, that's
better than nothing.
I'm having a headache now, because I'm already behind schedule, and this has
just thrown a spanner in the works  :( (but still thanks for bringing it up
now, rather than at production time!)






[PHP] Re: Proposal for securing PHP sessions

2002-09-08 Thread M1tch

One thing that I did that may help.
Every time a session is opened, the system insists on writing to disk on
every page, whether the session is updated or not.
With a lot of users, this is a bit of a system bog.

So, I hold the contents of a session when 'read', in a global variable.
Then, in the write function, I see if it's changed. If it has, I do the
write. If it hasn't, I simply return from the function.




-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
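
The handler idea quoted from Mar Tin earlier on this page (a second `_sec` cookie holding a random KEY, the session file named by a hash of SID and KEY, contents encrypted with KEY), combined with the skip-unchanged-writes tweak from the reply above, as an added example that is not the code from sess_handler.txt or from either poster. It assumes PHP 8 with ext-sodium on an HTTPS site, and swaps in HMAC-SHA256 for md5(SID+KEY) and libsodium secretbox for the unspecified encryption; the class name and directory are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not the code from sess_handler.txt. Assumes PHP 8 + ext-sodium.
final class KeyedFileSessionHandler implements SessionHandlerInterface
{
    private ?string $lastRead = null; // plaintext handed out by read(), for change detection

    public function __construct(private string $dir, private string $key) {}

    // File name is HMAC(SID) under the cookie key, so a directory listing
    // reveals nothing that can be replayed as a session id.
    private function path(string $id): string
    {
        return $this->dir . '/sess_' . hash_hmac('sha256', $id, $this->key);
    }

    public function open(string $path, string $name): bool { return is_dir($this->dir); }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $this->lastRead = null;
        $blob = @file_get_contents($this->path($id));
        $n = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;
        if ($blob === false || strlen($blob) <= $n) {
            return '';                       // no file yet: new session
        }
        $plain = sodium_crypto_secretbox_open(substr($blob, $n), substr($blob, 0, $n), $this->key);
        if ($plain === false) {
            return '';                       // tampered file or wrong key: start empty
        }
        return $this->lastRead = $plain;
    }

    public function write(string $id, string $data): bool
    {
        $path = $this->path($id);
        if ($data === $this->lastRead && is_file($path)) {
            return touch($path);             // unchanged: skip the rewrite, refresh mtime for gc()
        }
        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $blob = $nonce . sodium_crypto_secretbox($data, $nonce, $this->key);
        return file_put_contents($path, $blob, LOCK_EX) !== false && chmod($path, 0600);
    }

    public function destroy(string $id): bool
    {
        return !is_file($this->path($id)) || unlink($this->path($id));
    }

    public function gc(int $max_lifetime): int|false
    {
        $old = array_filter(glob($this->dir . '/sess_*') ?: [],
            fn ($f) => filemtime($f) + $max_lifetime < time());
        return count(array_filter($old, 'unlink'));   // number of expired files removed
    }
}

// Per-browser key from the "<session name>_sec" cookie (name from the post); minted if absent.
$cookie = session_name() . '_sec';
$raw = $_COOKIE[$cookie] ?? '';
$key = is_string($raw) ? base64_decode($raw, true) : false;
if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
    $key = random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES);
    setcookie($cookie, base64_encode($key), ['path' => '/', 'secure' => true, 'httponly' => true]);
}
$dir = sys_get_temp_dir() . '/app_sessions';          // constructed path for the example
is_dir($dir) || mkdir($dir, 0700, true);
session_set_save_handler(new KeyedFileSessionHandler($dir, $key), true);
session_start();
```

PHP 7 and later skip unchanged writes natively when session.lazy_write is on; the touch() matters here because file-based garbage collection goes by modification time. A SID that leaks through a URL or Referer header is not enough on its own, since both the file name and the decryption depend on the key held in the second cookie.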




[PHP] Re: Proposal for securing PHP sessions

2002-09-07 Thread M1tch

Why not just use IP?
I created a nice system, whereby if your IP is changed (or someone is
hacking your session), the session is destroyed, and the user must log in.
Does not add much overhead either.

Also, I built it using database (using my own session functions in
savehandler), that stores the ip as well.
This prevents people snooping.

Still not 100% secure I imagine, but much better.

Andy





Re: [PHP] Re: Proposal for securing PHP sessions

2002-09-07 Thread M1tch

Does it change the IP address while the user is connected? I didn't think
that was possible...
I only use sessions to store username/password and other limited variables,
it's only if they log off and back in again that they have to log out, and
separate cookies automatically handle the login there- so it's pretty
seamless.

Anyone know about server farms? I vaguely remember reading that you should
only use the first three portions of an IP address (e.g. 123.12.123) to be
sufficient for a server farm.

Dave At Sinewaves.Net [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
> You're going to be shutting out a lot of AOL users (bah! who needs em! ;p)
> if you do that, as AOL changes a user's IP address about as often as you
> read the word "the"...
>
> Dave






-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
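
The check discussed in this thread, as an added example that is not code from any of the posters: the session is bound to the first three octets of the client address rather than the full IP, and a changed prefix forces a new login. The function names, the `net` session key and the /64 choice for IPv6 are assumptions of this example; the addresses are constructed from documentation ranges.

```php
<?php
declare(strict_types=1);

// Added example. Reduce an address to its network prefix: /24 for IPv4 (the
// "first three portions" from the thread); /64 for IPv6 is an assumption here.
function client_prefix(string $ip, int $v4Bits = 24, int $v6Bits = 64): ?string
{
    $packed = @inet_pton($ip);
    if ($packed === false) {
        return null;                              // not a valid IPv4/IPv6 literal
    }
    $bits = strlen($packed) === 4 ? $v4Bits : $v6Bits;
    $mask = str_repeat("\xff", intdiv($bits, 8));
    if ($bits % 8 !== 0) {
        $mask .= chr((0xff << (8 - $bits % 8)) & 0xff);
    }
    $mask = str_pad($mask, strlen($packed), "\x00");
    return inet_ntop($packed & $mask) . '/' . $bits;   // byte-wise AND on binary strings
}

// Compare the prefix stored at first sight with the current request.
// Returns 'bound' (prefix recorded), 'ok', or 'reauth' (prefix changed or unparsable).
function check_binding(array &$session, string $remoteAddr): string
{
    $now = client_prefix($remoteAddr);
    if ($now === null) {
        return 'reauth';
    }
    if (!isset($session['net'])) {
        $session['net'] = $now;
        return 'bound';
    }
    return hash_equals($session['net'], $now) ? 'ok' : 'reauth';
}

// Constructed request sequence for one session.
$session = [];
$requests = [
    '192.0.2.17',      // login
    '192.0.2.201',     // same /24, e.g. a reconnect inside one pool
    '198.51.100.9',    // different network: a proxy-pool user and a replayed SID look the same
];
foreach ($requests as $addr) {
    $verdict = check_binding($session, $addr);
    if ($verdict === 'reauth') {
        $session = [];  // in a live handler: session_regenerate_id(true) and require login
    }
    printf("%-14s %s\n", $addr, $verdict);
}
```

Feed it `$_SERVER['REMOTE_ADDR']`, not a client-supplied header such as X-Forwarded-For, unless a trusted reverse proxy sets that header.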