php-general Digest 8 Aug 2011 06:31:02 -0000 Issue 7434
Topics (messages 314415 through 314423):

Re: Login with Remember me Feature
        314415 by: Andre Polykanine
        314416 by: Richard Riley
        314417 by: Sean Greenslade
        314418 by: Andre Polykanine
        314419 by: Donovan Brooke
        314422 by: Alex Nikitin

Re: Intentionally generate an Internal Server Error
        314420 by: Kirk Bailey
        314421 by: Ghodmode

what's wrong with this php system
        314423 by: smith jack

Administrivia:

To subscribe to the digest, e-mail:
        php-general-digest-subscr...@lists.php.net

To unsubscribe from the digest, e-mail:
        php-general-digest-unsubscr...@lists.php.net

To post to the list, e-mail:
        php-gene...@lists.php.net

--

---BeginMessage---
Hello alekto,

I've got several notes to point out:

1. You can't do either a header() or a SetCookie() after any echo on the page, the out-of-PHP pieces of the page included.

2. Don't, please please don't store raw passwords in the database! Hash them, better even adding a salt. The guy who had been writing the code of our project before me stored raw passwords, and I lost an amount of time encrypting them live so users wouldn't notice anything happening. Please don't repeat this mistake)

3. Don't store passwords in the cookies, they can be easily stolen. The username is quite enough: if it is there and it is not empty, then you can verify if such a user exists.

--
With best regards from Ukraine,
Andre
Skype: Francophile
My blog: http://oire.org/menelion (mostly in Russian)
Twitter: http://twitter.com/m_elensule
Facebook: http://facebook.com/menelion
---End Message---

---BeginMessage---
Andre Polykanine an...@oire.org writes:

> Hello alekto,
> I've got several notes to point out:
> 1. You can't do either a header() or a SetCookie() after any echo on the page, the out-of-PHP pieces of the page included.

Not true. See ob_start and family.
---End Message---

---BeginMessage---
On Sun, Aug 7, 2011 at 3:11 PM, Richard Riley rile...@googlemail.com wrote:

> Andre Polykanine an...@oire.org writes:
>
>> Hello alekto,
>> I've got several notes to point out:
>> 1. You can't do either a header() or a SetCookie() after any echo on the page, the out-of-PHP pieces of the page included.
>
> Not true. See ob_start and family.

Yes, but it is better form to make sure there is no output before your header or setcookie commands. This makes your code more portable. Your code will need some restructuring, though.

I did notice some other issues in your code, however. You delete the cookies in the beginning if they are set. This is probably what was killing your remember me function.

But on a much more serious note, this script is full of security holes. Unhashed passwords in the DB and cookies are just asking for trouble. Plus, if you're using sessions, you should just use the session cookie to remember a login. It's safer than storing a password in a cookie.

--
--Zootboy

Sent from my PC.
---End Message---

---BeginMessage---
Hello Richard,

RR> See ob_start and family.

Alekto doesn't use them in that code.

--
With best regards from Ukraine,
Andre
Skype: Francophile
My blog: http://oire.org/menelion (mostly in Russian)
Twitter: http://twitter.com/m_elensule
Facebook: http://facebook.com/menelion
---End Message---

---BeginMessage---
alekto wrote:
> Hi,
> I have implemented a remember me feature in my login-script, but I can't get it to function!

If I might be so bold... then you haven't implemented the feature yet, right? ;-)

> I want to make it possible for the users to stay logged in for 30 days. This is what I got this far:

You have a logic problem... If I were you, I would write it out more simplistically first... something like:

    if session cookie
        keep logged in
    else, if remember me
        if verifiable
            set session cookie and redirect

Of course, that is not an example of the exact logic to use, and is just a method example of how you can solve your problem.

As others have suggested, I would first start reading about ob_start, ob_end_clean (which works well before a header redirect), and ob_end_flush.

I agree about only needing to store the user ID in your cookies (session and rememberme) (hashed perhaps), and not the password.

My last comment would be a kind request to strip out all unnecessary html etc. when posting questions to the list. I usually would not take the time to look through a mess like that. ;-)

Donovan

--
D Brooke
---End Message---

---BeginMessage---
On Sun, Aug 7, 2011 at 10:03 PM, Donovan Brooke li...@euca.us wrote:

> alekto wrote:
>> Hi,
>> I have implemented a remember me feature in my login-script, but I can't get it to function!
>
> If I might be so bold... then you haven't implemented the feature yet, right? ;-)
>
>> I want to make it possible for the users to
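The advice in the thread above (no password in the database or the cookie, hash with a salt, session first and remember-me cookie second, per Donovan's outline) worked out in PHP. This is an added example, not alekto's script and not code posted by anyone on the list. It assumes PHP 7.1 or newer (random_bytes, hash_equals, password_hash, nullable return types), a PDO handle `$pdo`, and two illustrative tables, `users(id, username, password_hash)` and `remember_tokens(selector, validator_hash, user_id, expires_at)`; every function and column name is an assumption made for the example. The cookie carries a random selector and validator; the database stores only a hash of the validator, so a dumped table cannot be replayed as a cookie, and the selector is what the lookup keys on so the validator comparison can be constant-time.

```php
<?php
// Added example (not from the thread). Assumes PHP 7.1+, a PDO handle $pdo,
// and the tables users(id, username, password_hash) and
// remember_tokens(selector, validator_hash, user_id, expires_at).
// Table, column and function names are illustrative.

const REMEMBER_COOKIE = 'remember';
const REMEMBER_DAYS   = 30;

// Issue a token. The cookie holds "selector:validator"; the DB stores only a
// hash of the validator, so a leaked table does not yield usable cookies.
function issueRememberToken(PDO $pdo, int $userId): void
{
    $selector  = bin2hex(random_bytes(9));    // public lookup key
    $validator = bin2hex(random_bytes(32));   // secret, hashed at rest
    $expires   = time() + REMEMBER_DAYS * 86400;

    $stmt = $pdo->prepare(
        'INSERT INTO remember_tokens (selector, validator_hash, user_id, expires_at)
         VALUES (:s, :h, :u, :e)');
    $stmt->execute([
        ':s' => $selector,
        ':h' => hash('sha256', $validator),
        ':u' => $userId,
        ':e' => $expires,
    ]);

    // Must run before any output. HttpOnly keeps the cookie away from
    // scripts; Secure keeps it off plain HTTP.
    setcookie(REMEMBER_COOKIE, $selector . ':' . $validator, $expires,
              '/', '', true, true);
}

// Resolve a remember-me cookie to a user id, or null if absent/invalid.
function userFromRememberCookie(PDO $pdo): ?int
{
    if (empty($_COOKIE[REMEMBER_COOKIE])) {
        return null;
    }
    $parts = explode(':', $_COOKIE[REMEMBER_COOKIE], 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $validator] = $parts;

    $stmt = $pdo->prepare(
        'SELECT user_id, validator_hash, expires_at FROM remember_tokens
         WHERE selector = :s');
    $stmt->execute([':s' => $selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if (!$row || (int) $row['expires_at'] < time()) {
        return null;
    }
    // Constant-time comparison of the validator hash.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        // Right selector, wrong validator: the cookie was guessed or
        // tampered with, so revoke the token rather than just failing.
        $pdo->prepare('DELETE FROM remember_tokens WHERE selector = :s')
            ->execute([':s' => $selector]);
        return null;
    }
    return (int) $row['user_id'];
}

// Per-request flow following Donovan's outline: session first, cookie second.
function currentUser(PDO $pdo): ?int
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (isset($_SESSION['user_id'])) {
        return (int) $_SESSION['user_id'];
    }
    $uid = userFromRememberCookie($pdo);
    if ($uid !== null) {
        session_regenerate_id(true);   // fresh session id on privilege change
        $_SESSION['user_id'] = $uid;
    }
    return $uid;
}

// Password storage for the login form itself: salted, stretched hash.
// The salt is generated and embedded in the hash string by password_hash().
function storePassword(PDO $pdo, int $userId, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $pdo->prepare('UPDATE users SET password_hash = :h WHERE id = :u')
        ->execute([':h' => $hash, ':u' => $userId]);
}
```

Call `currentUser($pdo)` at the top of every page before any output; on login, verify the form password with `password_verify()` against `password_hash` and then call `issueRememberToken()` only if the user ticked "remember me". On logout, delete the row for the cookie's selector and expire the cookie, so a stolen copy stops working server-side as well.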
php-general Digest 8 Aug 2011 20:20:07 -0000 Issue 7435
Topics (messages 314424 through 314430):

Re: what's wrong with this php system
        314424 by: Sharl.Jimh.Tsin

PHP Security: Best Practices
        314425 by: Jen Rasmussen
        314426 by: Andrew Ballard
        314427 by: Jen Rasmussen
        314428 by: Fredric L. Rice
        314429 by: Richard Quadling

A php bug or?..
        314430 by: Andre Polykanine

--

---BeginMessage---
On Mon, 2011-08-08 at 14:30 +0800, smith jack wrote:
> I have installed a php system on my pc, it works well, except the head of the page is a bit strange, there is some warning information, and it occupies a lot of space, what's wrong, the error information is as follows:
>
> Warning: Parameter 1 to Notice::onPrint() expected to be a reference, value given in E:\site\admin.php on line 481

It is not a matter of PHP, it is your php project's problem. Or you can disable the error printing in the php.ini file.

--
Best regards,
Sharl.Jimh.Tsin (From China **Obviously Taiwan INCLUDED**)

Using Gmail? Please read this important notice: http://www.fsf.org/campaigns/jstrap/gmail?10073.
---End Message---

---BeginMessage---
Hello all,

I am currently researching security best practices/methods. Can anyone offer any current resources/recommendations?

My research thus far has included password hashing with salting/stretching, session hash defaults, session management authentication, and prepared statements via PDO in addition to basic PHP.ini and .htaccess server settings and properly escaping and validating input/output.

On a side note, PHP versions prior to 5.3+ do not allow setting the httponly flag as a cookie parameter, is there any acceptable alternative for this?

Thanks in advance,

Jen Rasmussen | Web Development Manager
Cetacea Sound Corp
P: 763-225-8465

Before printing this message, make sure that it's necessary. The environment is in your hands
---End Message---

---BeginMessage---
On Mon, Aug 8, 2011 at 10:08 AM, Jen Rasmussen j...@cetaceasound.com wrote:
[snip]
> On a side note, PHP versions prior to 5.3+ do not allow setting the httponly flag as a cookie parameter, is there any acceptable alternative for this?

I believe that has been supported since 5.2.0. As for a workaround for versions before that, I found this pretty quickly through Google:

http://stackoverflow.com/questions/36877/how-do-you-set-up-use-httponly-cookies-in-php

Andrew
---End Message---

---BeginMessage---
Thanks, Andrew! I am unfortunately not even running 5.2.. so that helps.

Jen

-----Original Message-----
From: Andrew Ballard [mailto:aball...@gmail.com]
Sent: Monday, August 08, 2011 9:57 AM
To: j...@cetaceasound.com
Cc: php-gene...@lists.php.net
Subject: Re: [PHP] PHP Security: Best Practices

On Mon, Aug 8, 2011 at 10:08 AM, Jen Rasmussen j...@cetaceasound.com wrote:
[snip]
> On a side note, PHP versions prior to 5.3+ do not allow setting the httponly flag as a cookie parameter, is there any acceptable alternative for this?

I believe that has been supported since 5.2.0. As for a workaround for versions before that, I found this pretty quickly through Google:

http://stackoverflow.com/questions/36877/how-do-you-set-up-use-httponly-cookies-in-php

Andrew
---End Message---

---BeginMessage---
> I am currently researching security best practices/methods. Can anyone offer any current resources/recommendations?

That is a huge arena and the question can not be answered very well without describing what you are needing to protect.

Security in depth depends upon what you are protecting and who you are protecting it from, and also entails your expenses and potential losses compared to what you are willing to pay for protecting your assets.

If all you're protecting is a database from unauthorized access, improper access, or accidental sabotage, the answers for what constitute best practices are merely a matter of doing Google searches for what the typical database threats are and avoiding the pitfalls.
---End Message---

---BeginMessage---
On 8 August 2011 15:08, Jen Rasmussen j...@cetaceasound.com wrote:
> Hello all,
>
> I am currently researching security best practices/methods. Can anyone offer any current resources/recommendations?
>
> My research thus far has included password hashing with salting/stretching, session hash defaults, session management authentication, and prepared statements via PDO in addition to basic PHP.ini and .htaccess server settings and properly escaping and validating input/output.

Best practise can change as new
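Jen's HttpOnly question and Andrew's answer (native support in setcookie() since 5.2.0; before that, write the Set-Cookie header yourself) in working PHP, as an added example that is not from the thread and not copied from the linked Stack Overflow answer. It is deliberately written in PHP 5 syntax, with no scalar type hints and no PHP_VERSION_ID (that constant only appeared in 5.2.7), so it parses on the old versions it is meant to help; `version_compare(PHP_VERSION, ...)` has been available since 4.1. The function name, cookie name and values are illustrative. Either way, the call has to happen before any output, exactly as with setcookie().

```php
<?php
// Added example, not code from the thread. Sets a cookie with the HttpOnly
// flag on PHP builds that pre-date the $httponly argument of setcookie()
// (added in 5.2.0) by emitting the Set-Cookie header directly. PHP 5 syntax
// on purpose so it runs on those old builds. Names are illustrative.

function setHttpOnlyCookie($name, $value, $expires = 0, $path = '/', $secure = true)
{
    if (headers_sent()) {
        return false;                       // same failure mode as setcookie()
    }

    if (version_compare(PHP_VERSION, '5.2.0', '>=')) {
        // Native support: the 7th argument is $httponly.
        return setcookie($name, $value, $expires, $path, '', $secure, true);
    }

    // Fallback for < 5.2: build the header by hand. "; HttpOnly" is just a
    // cookie attribute the browser honours; PHP itself need not know it.
    $cookie = rawurlencode($name) . '=' . rawurlencode($value);
    if ($expires > 0) {
        // Netscape cookie date format, always in GMT.
        $cookie .= '; expires=' . gmdate('D, d-M-Y H:i:s', $expires) . ' GMT';
    }
    $cookie .= '; path=' . $path;
    if ($secure) {
        $cookie .= '; Secure';
    }
    $cookie .= '; HttpOnly';

    // replace=false so earlier Set-Cookie headers are not overwritten.
    header('Set-Cookie: ' . $cookie, false);
    return true;
}

// The PHP session cookie gets the same flag from php.ini
// (session.cookie_httponly = 1) or, on 5.2+, at runtime before
// session_start(); this ini setting also only exists from 5.2.0.
if (version_compare(PHP_VERSION, '5.2.0', '>=')) {
    ini_set('session.cookie_httponly', '1');
}

// Usage: a 30-day remember-me cookie. The value is a random token, never
// the user's password.
setHttpOnlyCookie('remember', 'selector:validator', time() + 30 * 86400);
```

Note the limit of the pre-5.2 fallback: it covers cookies your own code sets, but not the session cookie that session_start() emits on its own, for which upgrading (or terminating TLS and adding the flag at a reverse proxy) is the practical fix.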