php-general Digest 8 Aug 2011 06:31:02 -0000 Issue 7434

Topics (messages 314415 through 314423):

Re: Login with Remember me Feature
        314415 by: Andre Polykanine
        314416 by: Richard Riley
        314417 by: Sean Greenslade
        314418 by: Andre Polykanine
        314419 by: Donovan Brooke
        314422 by: Alex Nikitin

Re: Intentionally generate an "Internal Server Error"
        314420 by: Kirk Bailey
        314421 by: Ghodmode

what's wrong with this php system
        314423 by: smith jack

Administrivia:

To subscribe to the digest, e-mail:
        php-general-digest-subscr...@lists.php.net

To unsubscribe from the digest, e-mail:
        php-general-digest-unsubscr...@lists.php.net

To post to the list, e-mail:
        php-gene...@lists.php.net


----------------------------------------------------------------------
--- Begin Message ---
Hello alekto,

            I've got several notes to point out:
1. You can't do either a header() or a SetCookie() after any echo on the 
page, the out-of-PHP pieces of the page included.
2. Don't, please please don't store raw passwords in the database! Hash them, 
better still with a salt. The guy who had been writing the code of our project 
before me stored raw passwords, and I lost a lot of time encrypting them 
live so users wouldn't notice anything happening. Please don't repeat this 
mistake)
3. Don't store passwords in cookies; they can be easily stolen. The 
username is quite enough: if it is there and it is not empty, then you can 
verify that such a user exists.


-- 
With best regards from Ukraine,
Andre
Skype: Francophile
My blog: http://oire.org/menelion (mostly in Russian)
Twitter: http://twitter.com/m_elensule
Facebook: http://facebook.com/menelion


--- End Message ---
--- Begin Message ---
Andre Polykanine <an...@oire.org> writes:

> Hello alekto,
>
>             I've got several notes to point out:
> 1. You can't do either a header() or a SetCookie() after any echo
> on the page, the out-of-PHP pieces of the page included.

Not true.

See ob_start and family.


--- End Message ---
--- Begin Message ---
On Sun, Aug 7, 2011 at 3:11 PM, Richard Riley <rile...@googlemail.com> wrote:

> Andre Polykanine <an...@oire.org> writes:
>
> > Hello alekto,
> >
> >             I've got several notes to point out:
> > 1. You can't do either a header() or a SetCookie() after any echo
> > on the page, the out-of-PHP pieces of the page included.
>
> Not true.
>
> See ob_start and family.
>
Yes, but it is better form to make sure there is no output before your
header or setcookie commands. This makes your code more portable. Your code
will need some restructuring, though.

I did notice some other issues in your code, however. You delete the cookies
in the beginning if they are set. This is probably what was killing your
remember me function.

But on a much more serious note, this script is full of security holes.
Unhashed passwords in the DB and cookies is just asking for trouble. Plus,
if you're using sessions, you should just use the session cookie to remember
a login. It's safer than storing a password in a cookie.
-- 
--Zootboy

Sent from my PC.

--- End Message ---
--- Begin Message ---
Hello Richard,

      
RR> See ob_start and family.

Alekto doesn't use them in that code.


-- 
With best regards from Ukraine,
Andre
Skype: Francophile
My blog: http://oire.org/menelion (mostly in Russian)
Twitter: http://twitter.com/m_elensule
Facebook: http://facebook.com/menelion


--- End Message ---
--- Begin Message ---
alekto wrote:
Hi,
I have implemented a "remember" me feature in my login-script, but I can't get 
it to function!


If I might be so bold... then you haven't implemented the feature yet, right? ;-)


I want to make it possible for the users to stay logged in for 30 days.
This is what I got this far:


You have a logic problem... If I were you, I would write it out more simplistically first... something like:

if session cookie
  keep logged in
else, if remember me
  if verifiable
    set session cookie and redirect

Of course, that is not an example of exact logic to use, and is just a method example of how you can solve your problem. As others have suggested, I would first start reading about ob_start, ob_end_clean (which
works well before a header redirect), and ob_end_flush.

I agree about only needing to store the user ID in your cookies (session and rememberme) (hashed perhaps), and not the password.

My last comment would be a kind request to strip out all unnecessary HTML etc. when posting questions to the list. I usually would not take the time to look through a mess like that. ;-)

Donovan

--
D Brooke

--- End Message ---
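The flow Donovan sketched (session cookie first, then a verifiable remember-me cookie, then a fresh session and redirect), written out as an added example that is not code from the thread or from alekto's script. It also covers Andre's and Sean's points: passwords are stored only as salted hashes via password_hash(), the cookie carries a random token rather than a username or password, and setcookie()/header() run before any output. The PDO DSN, credentials and the two tables (users, remember_tokens) are assumptions for illustration; the code targets PHP 7.3 or later.

```php
<?php
// Added example, not from the thread. Assumed schema:
//   users(id, username, password_hash)
//   remember_tokens(selector, validator_hash, user_id, expires_at)
declare(strict_types=1);

const REMEMBER_COOKIE = 'remember';
const REMEMBER_DAYS   = 30;

/** Check a submitted password against the salted hash stored for the user. */
function authenticate(PDO $db, string $username, string $password): ?int
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() reads the salt and cost embedded in the stored hash.
    if ($row && password_verify($password, $row['password_hash'])) {
        return (int) $row['id'];
    }
    return null;
}

/** Issue a remember-me cookie "selector:validator"; only a hash of the validator is stored. */
function issueRememberToken(PDO $db, int $userId): void
{
    $selector  = bin2hex(random_bytes(8));
    $validator = bin2hex(random_bytes(32));
    $expires   = time() + REMEMBER_DAYS * 86400;

    $stmt = $db->prepare(
        'INSERT INTO remember_tokens (selector, validator_hash, user_id, expires_at) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$selector, hash('sha256', $validator), $userId, date('Y-m-d H:i:s', $expires)]);

    // Must run before any output (unless output buffering is active), as Andre noted.
    setcookie(REMEMBER_COOKIE, $selector . ':' . $validator, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

/** Restore a login from the remember-me cookie; returns the user id or null. */
function loginFromRememberCookie(PDO $db): ?int
{
    $raw = $_COOKIE[REMEMBER_COOKIE] ?? '';
    if ($raw === '' || strpos($raw, ':') === false) {
        return null;
    }
    [$selector, $validator] = explode(':', $raw, 2);

    $stmt = $db->prepare(
        'SELECT user_id, validator_hash FROM remember_tokens WHERE selector = ? AND expires_at > NOW()'
    );
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // hash_equals() compares in constant time; an unknown selector or wrong validator is "not logged in".
    if (!$row || !hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;
    }
    return (int) $row['user_id'];
}

// Run at the top of every page, before any HTML is sent.
session_start();
$db = new PDO('mysql:host=localhost;dbname=app', 'app', 'secret'); // placeholder DSN and credentials

if (isset($_SESSION['user_id'])) {
    // session cookie present: keep logged in
} elseif (($uid = loginFromRememberCookie($db)) !== null) {
    session_regenerate_id(true);          // fresh session id when privilege changes
    $_SESSION['user_id'] = $uid;
    header('Location: ' . $_SERVER['REQUEST_URI']);
    exit;
} elseif ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['username'], $_POST['password'])) {
    $uid = authenticate($db, $_POST['username'], $_POST['password']);
    if ($uid !== null) {
        session_regenerate_id(true);
        $_SESSION['user_id'] = $uid;
        if (!empty($_POST['remember'])) {
            issueRememberToken($db, $uid);
        }
        header('Location: /');
        exit;
    }
}
```

The selector lets the lookup stay an indexed equality query, while the validator is compared only against its hash, so a copy of the remember_tokens table is not enough to forge a cookie. Deleting the row on logout, and all of a user's rows on password change, completes the picture.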
--- Begin Message ---
On Sun, Aug 7, 2011 at 10:03 PM, Donovan Brooke <li...@euca.us> wrote:

> alekto wrote:
>
>> Hi,
>> I have implemented a "remember" me feature in my login-script, but I can't
>> get it to function!
>>
>
>
> If I might be so bold... then you haven't implemented the feature yet,
> right? ;-)
>
>
>
>  I want to make it possible for the users to stay logged in for 30 days.
>> This is what I got this far:
>>
>
>
> You have a logic problem... If I were you, I would write it out more
> simplistically first... something like:
>
> if session cookie
>  keep logged in
> else, if remember me
>  if verifiable
>    set session cookie and redirect
>
> Of course, that is not an example of exact logic to use, and is just a
> method example of how you can solve your problem. As others have suggested,
> I would first start reading about ob_start, ob_end_clean (which
> works well before a header redirect), and ob_end_flush.
>
> I agree about only needing to store the user ID in your cookies (session
> and rememberme) (hashed perhaps), and not the password.
>
> My last comment would be a kind request to strip out all unnecessary HTML
> etc. when posting questions to the list. I usually would not take the time
> to look through a mess like that. ;-)
>
> Donovan
>
> --
> D Brooke
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
I'm going to play the third side of this thread and ask if anyone other than
me sees any clear security issues with code like that. Even if username and
password were taken out of the cookie, and it was hashed in the DB, there is
still a security issue with thinking this way, which in today's world should
not be an overlooked practice.

And I mean, I see that the person here is a newbie, the code looks pretty
bad, but I think it's worth mentioning that looking at best security
practices for the situation is as trivial as figuring out your classes and
methods. Knowing how to prevent people like, well, even me, from running SQL
scripts from your website via forms, or stealing user sessions, is essential
in today's web world...

You're writing some client-facing code, maybe you should look at how to
write it and keep the client secure? You could at least add session and
request tokens to make the persistent sessions at least a bit more secure,
that's of course on top of hashing passwords (with a salt), and not storing
user names and passwords in the cookie.

Also, escaping doesn't work. If you don't believe me, listen to the keynote
that Dan Kaminsky gave at the last HOPE conference; he gives a good overview
of why... Please either use parameterized queries, or the awesome hack that
is base64; don't assume that just because the function is called
mysql_real_escape_string, it actually knows what it is doing; Unicode
is a powerful weapon in the wrong hands!

Also use === for string comparison, as 42 == "test"!




~Alex
--
The trouble with programmers is that you can never tell what a programmer is
doing until it’s too late.  ~Seymour Cray

--- End Message ---
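Alex's three recommendations (parameterized queries instead of escaping, request tokens on top of the session, and strict comparison) as an added example that is not code from the thread. The users table and the form field names are assumptions; the loose-comparison cases are ones PHP's == really does treat as equal.

```php
<?php
// Added example, not from the thread. Assumes a table users(id, username).
declare(strict_types=1);

// 1. Parameterized query: the value is sent separately from the SQL text, so quotes,
//    comments or odd Unicode in $username are data, never syntax. No escaping involved.
function findUser(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 2. Per-session request token: kept server-side in the session, embedded in every
//    state-changing form, and checked with hash_equals() so the comparison is constant-time.
function csrfToken(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function csrfCheck($submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $submitted);
}

// 3. Loose vs strict comparison. With == PHP converts both sides first: two hex digests
//    that both look like "0e<digits>" are numeric strings equal to zero, so they compare
//    equal; with === (or hash_equals) they do not.
function looseComparisonSurprises(): array
{
    $a = '0e462097431906509019562988736854';
    $b = '0e830400451993494058024219903391';
    return [
        'loose_digest'  => $a == $b,     // true: both parse as 0
        'strict_digest' => $a === $b,    // false: different strings
        'loose_null'    => null == '',   // true
        'strict_null'   => null === '',  // false
    ];
}

session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfCheck($_POST['csrf'] ?? null)) {
        http_response_code(403);
        exit('invalid request token');
    }
    // handle the login here, e.g. findUser($db, $_POST['username']) followed by password_verify()
}
?>
<form method="post">
  <input type="hidden" name="csrf" value="<?= htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') ?>">
  <input name="username"> <input type="password" name="password">
  <button>Log in</button>
</form>
```

The third function is why comparing a stored hash to a computed one with == is a bug even when both values come from your own code: use hash_equals() for secrets and === everywhere else.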
--- Begin Message ---
Access a non-existent file. Whoops!


On 8/7/2011 2:42 AM, Paul Scott wrote:
> On Sun, 2011-08-07 at 07:30 +0100, Ashley Sheridan wrote:
>
> Quickest way I know of is to mess up an .htaccess file!
> Another good way to do it on shared hosts is to give a file incorrect
> permissions and try and access it


--
end

Very Truly yours,
                 - Kirk Bailey,
                   Largo Florida

                       kniht
                      +-----+
                      | BOX |
                      +-----+
                       think


--- End Message ---
--- Begin Message ---
On Mon, Aug 8, 2011 at 11:35 AM, Kirk Bailey <kbai...@howlermonkey.net> wrote:

> Access a non-existent file. Whoops!
>

That's a 404, not a 500.

--- End Message ---
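A way to produce a genuine 500 from PHP itself, as an added example that is not from the thread: it does not depend on a broken .htaccess or wrong file permissions (which would also break the rest of the site), it sends the status the test is looking for, and the detail goes to the server log rather than to the client. The log format is an assumption; http_response_code() needs PHP 5.4 or later.

```php
<?php
// Added example, not from the thread.
declare(strict_types=1);

/** Send a generic 500 to the client and the real detail to the server log only. */
function sendInternalServerError(string $logDetail): void
{
    error_log('500 on ' . ($_SERVER['REQUEST_URI'] ?? '-') . ': ' . $logDetail);
    if (!headers_sent()) {
        http_response_code(500);   // older PHP: header('HTTP/1.1 500 Internal Server Error')
        header('Content-Type: text/plain; charset=utf-8');
    }
    echo "Internal Server Error\n";   // no stack trace, path or SQL in the response body
}

// Any uncaught exception on the page becomes a 500 instead of a half-rendered page.
set_exception_handler(function (Throwable $e): void {
    sendInternalServerError(
        get_class($e) . ': ' . $e->getMessage() . ' at ' . $e->getFile() . ':' . $e->getLine()
    );
    exit(1);
});

// Put this in a test page to trigger the 500 deliberately, e.g. to check that
// the web server's ErrorDocument or your monitoring reacts as expected.
throw new RuntimeException('intentional failure for testing the 500 handler');
```

With display_errors off in production this keeps the client-visible part generic while the log still records which request failed and why.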
--- Begin Message ---
I have installed a PHP system on my PC. It works well, except that the head
of the page is a bit strange: there is some warning information, and it
occupies a lot of space.
What's wrong? The error information is as follows:
Warning: Parameter 1 to Notice::onPrint() expected to be a reference,
value given in E:\site\admin.php on line 481

--- End Message ---
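The warning quoted above is what PHP emits when a callback declared to take a parameter by reference is invoked through call_user_func(), which can only pass values. The following added example (not code from the thread or from the system smith jack installed) reproduces the warning with a class and method named after the message and shows the two usual fixes; the method body and the $context array are hypothetical. On PHP 8 the wording of the warning changes to "must be passed by reference, value given", but the cause is the same.

```php
<?php
// Added example, not from the thread. Names mirror the quoted warning; bodies are invented.
declare(strict_types=1);

class Notice
{
    // A handler that takes its argument by reference so it can modify the caller's array.
    public function onPrint(array &$context): void
    {
        $context['printed'] = true;
    }
}

$notice  = new Notice();
$context = ['page' => 'admin'];

// call_user_func() passes $context by value, so PHP emits
// "Warning: Parameter 1 to Notice::onPrint() expected to be a reference, value given"
// and the handler's change is lost: $context has no 'printed' key afterwards.
call_user_func([$notice, 'onPrint'], $context);

// Fix 1: call the method directly; the reference is passed as declared and the
// 'printed' key is now set on $context.
$notice->onPrint($context);

// Fix 2: when the callback has to stay dynamic (a plugin/hook table, as in the
// admin.php case), use call_user_func_array() with an explicit reference in the
// argument array. This sets 'printed' on $context2 without any warning.
$context2 = ['page' => 'admin'];
call_user_func_array([$notice, 'onPrint'], [&$context2]);

// Fix 3: if the handler never needs to change the caller's variable, drop the &
// from the parameter and the warning disappears with no other change.
```

If the system is third-party code, the quickest check is to look at admin.php line 481 for a call_user_func() and at the handler it invokes for an & in the parameter list; the fix belongs on whichever side owns the mismatch.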
