php-general Digest 8 Aug 2011 06:31:02 -0000 Issue 7434

2011-08-08 Thread php-general-digest-help


Topics (messages 314415 through 314423):

Re: Login with Remember me Feature
314415 by: Andre Polykanine
314416 by: Richard Riley
314417 by: Sean Greenslade
314418 by: Andre Polykanine
314419 by: Donovan Brooke
314422 by: Alex Nikitin

Re: Intentionally generate an Internal Server Error
314420 by: Kirk Bailey
314421 by: Ghodmode

what's wrong with this php system
314423 by: smith jack

Administrivia:

To subscribe to the digest, e-mail:
php-general-digest-subscr...@lists.php.net

To unsubscribe from the digest, e-mail:
php-general-digest-unsubscr...@lists.php.net

To post to the list, e-mail:
php-gene...@lists.php.net


--
---BeginMessage---
Hello alekto,

I've got several notes to point out:
1. You can do neither a header() nor a SetCookie() after any echo on the 
page. The out-of-php pieces of the page included.
2. Don't, please please don't store raw passwords in the database! Hash them, 
better even adding a salt. The guy who had been writing code of our project 
before me stored raw passwords, and I lost an amount of time to encrypt them 
live so users wouldn't notice anything happening. Please don't repeat this 
mistake)
3. Don't store passwords in the cookies, they can be easily stolen. The 
username is quite enough: if it is there and it is not empty, then you can 
verify if such a user exists.


-- 
With best regards from Ukraine,
Andre
Skype: Francophile
My blog: http://oire.org/menelion (mostly in Russian)
Twitter: http://twitter.com/m_elensule
Facebook: http://facebook.com/menelion

---End Message---
---BeginMessage---
Andre Polykanine an...@oire.org writes:

 Hello alekto,

 I've got several notes to point out:
 1. You can't do neither a header(), nor a SetCookie() after any echo
 on the page. The out-of-php pieces of the page included.

Not true.

See ob_start and family.

---End Message---
---BeginMessage---
On Sun, Aug 7, 2011 at 3:11 PM, Richard Riley rile...@googlemail.com wrote:

 Andre Polykanine an...@oire.org writes:

  Hello alekto,
 
  I've got several notes to point out:
  1. You can't do neither a header(), nor a SetCookie() after any echo
  on the page. The out-of-php pieces of the page included.

 Not true.

 See ob_start and family.

 Yes, but it is better form to make sure there is no output before your
header or setcookie commands. This makes your code more portable. Your code
will need some restructuring, though.

I did notice some other issues in your code, however. You delete the cookies
in the beginning if they are set. This is probably what was killing your
remember me function.

But on a much more serious note, this script is full of security holes.
Unhashed passwords in the DB and cookies is just asking for trouble. Plus,
if you're using sessions, you should just use the session cookie to remember
a login. It's safer than storing a password in a cookie.
-- 
--Zootboy

Sent from my PC.
---End Message---
---BeginMessage---

Hello Richard,

  
RR See ob_start and family.

Alekto doesn't use them in that code.


-- 
With best regards from Ukraine,
Andre
Skype: Francophile
My blog: http://oire.org/menelion (mostly in Russian)
Twitter: http://twitter.com/m_elensule
Facebook: http://facebook.com/menelion

---End Message---
---BeginMessage---

alekto wrote:

Hi,
I have implemented a remember me feature in my login-script, but I can't get 
it to function!



If I might be so bold... then you haven't implemented the feature yet, 
right? ;-)




I want to make it possible for the users to stay logged in for 30 days.
This is what I got this far:



You have a logic problem... If I were you, I would write it out more 
simplistically first... something like:


if session cookie
  keep logged in
else, if remember me
  if verifiable
    set session cookie and redirect

Of course, that is not an example of exact logic to use, and is just a 
method example of how you can solve your problem. As others have 
suggested, I would first start reading about ob_start, ob_end_clean (which
works well before a header redirect), and ob_end_flush.

I agree about only needing to store the user ID in your cookies 
(session and rememberme) (hashed perhaps), and not the password.


My last comment would be a kind request to strip out all unnecessary 
html etc.. when posting questions to the list. I usually would not take 
the time to look through a mess like that. ;-)


Donovan

--
D Brooke
---End Message---
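
The flow Donovan outlines above, written out as an added example (not code from the thread): a 30-day remember-me cookie that carries a random single-use token instead of a username or password, with only the token's hash kept server-side. It assumes PHP 7.3 or later; `$store` stands in for a database table, and the function names and the `remember` cookie name are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. $store stands in for a database
// table keyed by selector; all function and cookie names are hypothetical.
const REMEMBER_TTL = 30 * 24 * 3600; // the 30 days asked for in the question

function issueRememberToken(array &$store, int $userId, int $now): string
{
    $selector  = bin2hex(random_bytes(9));  // lookup key, not a secret
    $validator = bin2hex(random_bytes(32)); // secret; only its hash is stored
    $store[$selector] = [
        'user_id' => $userId,
        'hash'    => hash('sha256', $validator),
        'expires' => $now + REMEMBER_TTL,
    ];
    return $selector . ':' . $validator;    // cookie value: no username, no password
}

function verifyRememberToken(array &$store, string $cookie, int $now): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null;
    }
    [$selector, $validator] = $parts;
    $row = $store[$selector];
    unset($store[$selector]);               // single use, whatever the outcome
    if ($row['expires'] < $now) {
        return null;
    }
    // Constant-time comparison of the stored hash with the presented secret.
    return hash_equals($row['hash'], hash('sha256', $validator)) ? $row['user_id'] : null;
}

// Cookie attributes; call before any output, as discussed earlier in the thread.
function sendRememberCookie(string $value, int $now): bool
{
    return setcookie('remember', $value, [
        'expires' => $now + REMEMBER_TTL, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// Donovan's outline: session first, then remember-me, then verify and re-issue.
function currentUser(array &$store, array &$session, array $cookies, int $now, ?string &$newCookie): ?int
{
    $newCookie = null;
    if (isset($session['user_id'])) {
        return $session['user_id'];          // session present: keep logged in
    }
    if (!isset($cookies['remember'])) {
        return null;                         // no remember-me cookie: show the login form
    }
    $userId = verifyRememberToken($store, $cookies['remember'], $now);
    if ($userId === null) {
        return null;                         // not verifiable: treat as logged out
    }
    $session['user_id'] = $userId;           // in a web request: session_regenerate_id(true) here
    $newCookie = issueRememberToken($store, $userId, $now); // rotate the token
    return $userId;
}

// Constructed demo: user 42 ticked "remember me", then returns without a session.
$store  = [];
$t0     = 1312761600;                        // 2011-08-08 00:00:00 UTC
$cookie = issueRememberToken($store, 42, $t0);

$session = [];
var_dump(currentUser($store, $session, ['remember' => $cookie], $t0 + 86400, $next));
$session = [];                               // the same cookie replayed later is refused
var_dump(currentUser($store, $session, ['remember' => $cookie], $t0 + 90000, $replayed));
```

When `currentUser()` hands back a new cookie value, pass it to `sendRememberCookie()` before the page produces any output.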
---BeginMessage---
On Sun, Aug 7, 2011 at 10:03 PM, Donovan Brooke li...@euca.us wrote:

 alekto wrote:

 Hi,
 I have implemented a remember me feature in my login-script, but I can't
 get it to function!



 If I might be so bold... then you haven't implemented the feature yet,
 right? ;-)



  I want to make it possible for the users to 

php-general Digest 8 Aug 2011 20:20:07 -0000 Issue 7435

2011-08-08 Thread php-general-digest-help


Topics (messages 314424 through 314430):

Re: what's wrong with this php system
314424 by: Sharl.Jimh.Tsin

PHP Security: Best Practices
314425 by: Jen Rasmussen
314426 by: Andrew Ballard
314427 by: Jen Rasmussen
314428 by: Fredric L. Rice
314429 by: Richard Quadling

A php bug or?..
314430 by: Andre Polykanine



--
---BeginMessage---
On Mon, 2011-08-08 at 14:30 +0800, smith jack wrote:
 I have installed a php system on my pc, it works well, except the head
 of the page is a bit strange, there is some warning information, and
 occupies lot of space,
 what's wrong,  the error information is as follows:
 Warning: Parameter 1 to Notice::onPrint() expected to be a reference,
 value given in E:\site\admin.php on line 481
 
It is not a matter of PHP, it is your PHP project's problem.

Or you can disable the error print in the php.ini file.

-- 
Best regards,
Sharl.Jimh.Tsin (From China **Obviously Taiwan INCLUDED**)

Using Gmail? Please read this important notice:
http://www.fsf.org/campaigns/jstrap/gmail?10073.

---End Message---
---BeginMessage---
Hello all,

 

I am currently researching security best practices/methods. Can anyone offer
any current resources/recommendations?

My research thus far has included password hashing with salting/stretching,
session hash defaults, session management  authentication, and prepared
statements via PDO in addition to basic PHP.ini and .htaccess server
settings  and properly escaping and validating input/output. 

 

On a side note, PHP versions prior to 5.3+ do not allow to set the httponly
flag as a cookie parameter, is there any acceptable alternative for this?

 

Thanks in advance, 

 

Jen Rasmussen | Web Development Manager

Cetacea Sound Corp

P: 763-225-8465 


P Before printing this message, make sure that it's necessary. The
environment is in your hands

 

---End Message---
---BeginMessage---
On Mon, Aug 8, 2011 at 10:08 AM, Jen Rasmussen j...@cetaceasound.com wrote:
[snip]

 On a side note, PHP versions prior to 5.3+ do not allow to set the httponly
 flag as a cookie parameter, is there any acceptable alternative for this?


I believe that has been supported since 5.2.0. As for a workaround for
versions before that, I found this pretty quickly through Google:

http://stackoverflow.com/questions/36877/how-do-you-set-up-use-httponly-cookies-in-php

Andrew
---End Message---
---BeginMessage---
Thanks, Andrew! I am unfortunately not even running 5.2..so that helps. 
Jen
 

-Original Message-
From: Andrew Ballard [mailto:aball...@gmail.com] 
Sent: Monday, August 08, 2011 9:57 AM
To: j...@cetaceasound.com
Cc: php-gene...@lists.php.net
Subject: Re: [PHP] PHP Security: Best Practices

On Mon, Aug 8, 2011 at 10:08 AM, Jen Rasmussen j...@cetaceasound.com wrote:
[snip]

 On a side note, PHP versions prior to 5.3+ do not allow to set the httponly
 flag as a cookie parameter, is there any acceptable alternative for this?


I believe that has been supported since 5.2.0. As for a workaround for
versions before that, I found this pretty quickly through Google:

http://stackoverflow.com/questions/36877/how-do-you-set-up-use-httponly-cookies-in-php

Andrew

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



---End Message---
---BeginMessage---
 I am currently researching security best
 practices/methods. Can anyone offer
 any current resources/recommendations?

That is a huge arena and the question can not be answered very well
without describing what you are needing to protect. Security in depth
depends upon what you are protecting and who you are protecting it from,
and also entails your expenses and potential losses compared to what you
are willing to pay for protecting your assets.

If all you're protecting is a database from unauthorized access, improper
access, or accidental sabotage, the answers for what constitute best
practices are merely a matter of doing Google searches for what the
typical database threats are and avoiding the pitfalls.


---End Message---
---BeginMessage---
On 8 August 2011 15:08, Jen Rasmussen j...@cetaceasound.com wrote:
 Hello all,



 I am currently researching security best practices/methods. Can anyone offer
 any current resources/recommendations?

 My research thus far has included password hashing with salting/stretching,
 session hash defaults, session management  authentication, and prepared
 statements via PDO in addition to basic PHP.ini and .htaccess server
 settings  and properly escaping and validating input/output.

Best practise can change as new 

[PHP] what's wrong with this php system

2011-08-08 Thread smith jack
I have installed a php system on my pc, it works well, except the head
of the page is a bit strange, there is some warning information, and
occupies lot of space,
what's wrong,  the error information is as follows:
Warning: Parameter 1 to Notice::onPrint() expected to be a reference,
value given in E:\site\admin.php on line 481




Re: [PHP] what's wrong with this php system

2011-08-08 Thread Sharl.Jimh.Tsin
On Mon, 2011-08-08 at 14:30 +0800, smith jack wrote:
 I have installed a php system on my pc, it works well, except the head
 of the page is a bit strange, there is some warning information, and
 occupies lot of space,
 what's wrong,  the error information is as follows:
 Warning: Parameter 1 to Notice::onPrint() expected to be a reference,
 value given in E:\site\admin.php on line 481
 
It is not a matter of PHP, it is your PHP project's problem.

Or you can disable the error print in the php.ini file.

-- 
Best regards,
Sharl.Jimh.Tsin (From China **Obviously Taiwan INCLUDED**)

Using Gmail? Please read this important notice:
http://www.fsf.org/campaigns/jstrap/gmail?10073.





[PHP] PHP Security: Best Practices

2011-08-08 Thread Jen Rasmussen
Hello all,

 

I am currently researching security best practices/methods. Can anyone offer
any current resources/recommendations?

My research thus far has included password hashing with salting/stretching,
session hash defaults, session management  authentication, and prepared
statements via PDO in addition to basic PHP.ini and .htaccess server
settings  and properly escaping and validating input/output. 

 

On a side note, PHP versions prior to 5.3+ do not allow to set the httponly
flag as a cookie parameter, is there any acceptable alternative for this?

 

Thanks in advance, 

 

Jen Rasmussen | Web Development Manager

Cetacea Sound Corp

P: 763-225-8465 


P Before printing this message, make sure that it's necessary. The
environment is in your hands

 



Re: [PHP] PHP Security: Best Practices

2011-08-08 Thread Andrew Ballard
On Mon, Aug 8, 2011 at 10:08 AM, Jen Rasmussen j...@cetaceasound.com wrote:
[snip]

 On a side note, PHP versions prior to 5.3+ do not allow to set the httponly
 flag as a cookie parameter, is there any acceptable alternative for this?


I believe that has been supported since 5.2.0. As for a workaround for
versions before that, I found this pretty quickly through Google:

http://stackoverflow.com/questions/36877/how-do-you-set-up-use-httponly-cookies-in-php

Andrew




RE: [PHP] PHP Security: Best Practices

2011-08-08 Thread Jen Rasmussen
Thanks, Andrew! I am unfortunately not even running 5.2..so that helps. 
Jen
 

-Original Message-
From: Andrew Ballard [mailto:aball...@gmail.com] 
Sent: Monday, August 08, 2011 9:57 AM
To: j...@cetaceasound.com
Cc: php-general@lists.php.net
Subject: Re: [PHP] PHP Security: Best Practices

On Mon, Aug 8, 2011 at 10:08 AM, Jen Rasmussen j...@cetaceasound.com wrote:
[snip]

 On a side note, PHP versions prior to 5.3+ do not allow to set the httponly
 flag as a cookie parameter, is there any acceptable alternative for this?


I believe that has been supported since 5.2.0. As for a workaround for
versions before that, I found this pretty quickly through Google:

http://stackoverflow.com/questions/36877/how-do-you-set-up-use-httponly-cookies-in-php

Andrew




Re: [PHP] PHP Security: Best Practices

2011-08-08 Thread Fredric L. Rice
 I am currently researching security best
 practices/methods. Can anyone offer
 any current resources/recommendations?

That is a huge arena and the question can not be answered very well
without describing what you are needing to protect. Security in depth
depends upon what you are protecting and who you are protecting it from,
and also entails your expenses and potential losses compared to what you
are willing to pay for protecting your assets.

If all you're protecting is a database from unauthorized access, improper
access, or accidental sabotage, the answers for what constitute best
practices are merely a matter of doing Google searches for what the
typical database threats are and avoiding the pitfalls.






Re: [PHP] PHP Security: Best Practices

2011-08-08 Thread Richard Quadling
On 8 August 2011 15:08, Jen Rasmussen j...@cetaceasound.com wrote:
 Hello all,



 I am currently researching security best practices/methods. Can anyone offer
 any current resources/recommendations?

 My research thus far has included password hashing with salting/stretching,
 session hash defaults, session management  authentication, and prepared
 statements via PDO in addition to basic PHP.ini and .htaccess server
 settings  and properly escaping and validating input/output.

Best practise can change as new threats and forms of attack become prominent.

So. At the top of this list, I'd add "This list is subject to change."

Anything you do today may well be circumvented tomorrow.

But the principle of Poka-Yoke does suggest that by only allowing
valid and appropriate data in to your code, you are drastically
reducing the attack vectors.


I work in a multi-database and multi-DB Server environment.

Nearly/almost always, I use stored procedures rather than building
complex queries in PHP.

I only allow me and users in the development team direct access to the tables.

So, for the application to alter the DB, a stored procedure is written
(my apps are accounting related so maybe some flexibility has been
sacrificed - but the security is very strong).

I use Views either to simple result sets or to XML results depending
upon the requirement - again - no access to the underlying tables.

The user credentials used for connecting to the DB is different to
other user details and it is forced to a specific machine.

All this sort of thing is setup once and done. It makes it very
difficult for anyone to be able to fake the credentials, gain access
to the DB tables or inject data outside of the constraints provided by
the stored procedures.




-- 
Richard Quadling
Twitter : EE : Zend : PHPDoc
@RQuadling : e-e.com/M_248814.html : bit.ly/9O8vFY : bit.ly/lFnVea




[PHP] A php bug or?..

2011-08-08 Thread Andre Polykanine
Hi everyone,

As we all know, count() returns 1 if the variable 
is not an array.
Question is: why in the world does it do this? If a variable is *not* an array, 
it contains *zero* array elements.
You can answer: but no, man, you can say
$x="world";
$y=$x{3}; // $y="l"

so the variable is treated or can be treated as an array.
Well. If strings are treated like arrays, why count($x) doesn't return 5 
instead of 1?
Just asking.

-- 
With best regards from Ukraine,
Andre
Skype: Francophile
Blog: http://oire.org/menelion
Twitter: http://twitter.com/m_elensule
Facebook: http://facebook.com/menelion





Re: [PHP] A php bug or?..

2011-08-08 Thread Simon J Welsh
On 9/08/2011, at 8:20 AM, Andre Polykanine wrote:

 Hi everyone,
 
As we all know, count() returns 1 if the variable 
 is not an array.
 Question is: why in the world does it do this? If a variable is *not* an array, 
 it contains *zero* array elements.
 You can answer: but no, man, you can say
 $x="world";
 $y=$x{3}; // $y="l"
 
 so the variable is treated or can be treated as an array.
 Well. If strings are treated like arrays, why count($x) doesn't return 5 
 instead of 1?
 Just asking.
 
 -- 
 With best regards from Ukraine,
 Andre

I'm assuming it has to do with the value, if not an array or object, being cast 
as an array. Thus, non-false equivalent values get cast into an array of size 1:
<?php
var_dump((array)1);
var_dump((array)null);

// Output
array(1) {
  [0]=>
  int(1)
}
array(0) {
}

---
Simon Welsh
Admin of http://simon.geek.nz/





Re: [PHP] A php bug or?..

2011-08-08 Thread Daniel P. Brown
On Mon, Aug 8, 2011 at 16:20, Andre Polykanine an...@oire.org wrote:
 Hi everyone,

                            As we all know, count() returns 1 if the variable 
 is not an array.
 Question is: why in the world does it do this? If a variable is *not* an array, 
 it contains *zero* array elements.
 You can answer: but no, man, you can say
 $x="world";
 $y=$x{3}; // $y="l"

 so the variable is treated or can be treated as an array.
 Well. If strings are treated like arrays, why count($x) doesn't return 5 
 instead of 1?
 Just asking.

Using count() will return the number of items passed in the first
parameter.  If it's an array, each element is an item.  If it's a
string, the string is an item.  If it's an object, logically, the
items depend on what is contained in the object.  However, at no time
does it return the number of characters within a string --- instead,
as you likely know, you'd use strlen().

-- 
/Daniel P. Brown
Dedicated Servers, Cloud and Cloud Hybrid Solutions, VPS, Hosting
(866-) 725-4321
http://www.parasane.net/




Re: [PHP] A php bug or?..

2011-08-08 Thread Andre Polykanine

Hello Daniel,

  
DPB does it return the number of characters within a string --- instead,
DPB as you likely know, you'd use strlen().

  For sure. But I'm asking: why it doesn't return 0 if it is not an array? 
Logically: no array - no items!
-- 
With best regards from Ukraine,
Andre
Skype: Francophile
My blog: http://oire.org/menelion (mostly in Russian)
Twitter: http://twitter.com/m_elensule
Facebook: http://facebook.com/menelion





Re: [PHP] A php bug or?..

2011-08-08 Thread Stuart Dallas
On 8 Aug 2011, at 21:41, Andre Polykanine wrote:

 DPB does it return the number of characters within a string --- instead,
 DPB as you likely know, you'd use strlen().
 
  For sure. But I'm asking: why it doesn't return 0 if it is not an array? 
 Logically: no array - no items!


The manual explains what the function does - you may want to check it out cos 
it does the same for all the other functions too.

Returns the number of elements in var. If var is not an array or an object 
with implemented Countable interface, 1 will be returned. There is one 
exception, if var is NULL, 0 will be returned.

IOW, if you pass it a variable, that has one element, so it returns 1. An array 
may have 0 to many elements, and null, logically, has none. Rocket science this 
ain't!

-Stuart

-- 
Stuart Dallas
3ft9 Ltd
http://3ft9.com/



Re: [PHP] A php bug or?..

2011-08-08 Thread Daniel P. Brown
On Mon, Aug 8, 2011 at 16:41, Andre Polykanine an...@oire.org wrote:

      For sure. But I'm asking: why it doesn't return 0 if it is not an array? 
 Logically: no array - no items!

No, actually, if it's a string, it's a single item --- thus, 1.
The documentation should probably reflect that as well.  It wasn't
always this way before, though --- in older versions of PHP5 it
returned 0, and in all versions of PHP4 it did as well.

Also, keep in mind that a blank string still constitutes a string
and will return 1, but null or nonexistent variables will still return
0.

-- 
/Daniel P. Brown
Dedicated Servers, Cloud and Cloud Hybrid Solutions, VPS, Hosting
(866-) 725-4321
http://www.parasane.net/




[PHP] form hidden value

2011-08-08 Thread Chris Stinemetz
I'm trying to pass a hidden value with my form submission. Not sure what I
am doing wrong, but the value is not being passed.

Query is___

$query = "SELECT id, store_name FROM store_list WHERE store_type = '$type' AND id_market = '$market'";
$result = mysql_query($query) or die(report($query,__LINE__ ,__FILE__));


while($row = mysql_fetch_array($result))
{
$store_name[] = $row['store_name'];
$id[] = $row['id'];

}
sort($store_name);
}



Form portion is

<input type="hidden" name="id" value="<?php echo '$id[]';?>">

Any help is greatly appreciated. Thank you.


Re: [PHP] form hidden value

2011-08-08 Thread Daniel P. Brown
On Mon, Aug 8, 2011 at 17:23, Chris Stinemetz chrisstinem...@gmail.com wrote:

 <input type="hidden" name="id" value="<?php echo '$id[]';?>">

You should drop the quotes around the $id[] array, and also figure
out how you want to extract the element from the array.  For example:

<?php echo $id[0]; ?>

-- 
/Daniel P. Brown
Dedicated Servers, Cloud and Cloud Hybrid Solutions, VPS, Hosting
(866-) 725-4321
http://www.parasane.net/




RE: [PHP] form hidden value

2011-08-08 Thread Dajka Tamas

First: use firebug, or something like that, and check what gets written
in the page's source!
Second: dump $_POST/$_GET, and check whether id is set at all

Is your input field between the form and /form tags?

Cheers,

Tamas


-Original Message-
From: Chris Stinemetz [mailto:chrisstinem...@gmail.com] 
Sent: Monday, August 08, 2011 11:23 PM
To: PHP General
Subject: [PHP] form hidden value

I'm trying to pass a hidden value with my form submission. Not sure what I
am doing wrong, but the value is not being passed.

Query is___

$query = "SELECT id, store_name FROM store_list WHERE store_type = '$type' AND id_market = '$market'";
$result = mysql_query($query) or die(report($query,__LINE__ ,__FILE__));


while($row = mysql_fetch_array($result))
{
$store_name[] = $row['store_name'];
$id[] = $row['id'];

}
sort($store_name);
}



Form portion is

<input type="hidden" name="id" value="<?php echo '$id[]';?>">

Any help is greatly appreciated. Thank you.





[PHP] pass text variables to next page

2011-08-08 Thread Chris Stinemetz
I am trying to pass text strings from one page to a next to populate
the queries on the passed to page.

The only way I can get the query to work is if I am able to put single
ticks around the string to make it literal, but I can't seem to figure
out how to do it for the following line of code.

echo '<h3><a href="store.php?id=' . $row['store_name'] . '">' .
$row['store_name'] . '</a><br /></h3>' . $row['store_type'];

When I do a dump the query and
print("<pre>".print_r($_GET,true)."</pre>");

I get the following respectively:


SELECT store_id, store_subject FROM stores WHERE store_subject = Loma
Vista 8712 Blue Ridge BlvdThe topic could not be displayed, please try
again later.You have an error in your SQL syntax; check the manual
that corresponds to your MySQL server version for the right syntax to
use near 'Vista 8712 Blue Ridge Blvd' at line 3

The PHP code for the query is:



Array
(
[id] => Loma Vista 8712 Blue Ridge Blvd
)

$sql = "SELECT store_id, store_subject
 FROM stores
 WHERE store_subject = " . mysql_real_escape_string($_GET['id']);

The query works fine When I run the command in console and place ''
around  Loma Vista 8712 Blue Ridge Blvd

Thank you,

Chris




Re: [PHP] pass text variables to next page

2011-08-08 Thread Tamara Temple


On Aug 8, 2011, at 11:58 PM, Chris Stinemetz wrote:


I am trying to pass text strings from one page to a next to populate
the queries on the passed to page.

The only way I can get the query to work is if I am able to put single
ticks around the string to make it literal, but I can't seem to figure
out how to do it for the following line of code.

echo '<h3><a href="store.php?id=' . $row['store_name'] . '">' .
$row['store_name'] . '</a><br /></h3>' . $row['store_type'];

When I do a dump the query and
print("<pre>".print_r($_GET,true)."</pre>");

I get the following respectively:


SELECT store_id, store_subject FROM stores WHERE store_subject = Loma
Vista 8712 Blue Ridge BlvdThe topic could not be displayed, please try
again later.You have an error in your SQL syntax; check the manual
that corresponds to your MySQL server version for the right syntax to
use near 'Vista 8712 Blue Ridge Blvd' at line 3

The PHP code for the query is:



Array
(
   [id] => Loma Vista 8712 Blue Ridge Blvd
)

$sql = "SELECT store_id, store_subject
FROM stores
WHERE store_subject = " . mysql_real_escape_string($_GET['id']);


Here, you need to insert single quotes around the search value in the  
WHERE clause:


WHERE store_subject = '".mysql_real_escape_string($_GET['id'])."'";

If that's hard to read like it is on my mailer, it's:

SINGLEQUOTE DOUBLEQUOTE PERIOD mysql_escape_string($_GET['id']) PERIOD DOUBLEQUOTE SINGLEQUOTE DOUBLEQUOTE


This then surrounds the data in the search string with single quotes  
for the SQL query.




The query works fine When I run the command in console and place ''
around  Loma Vista 8712 Blue Ridge Blvd

Thank you,

Chris






--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
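
The same store lookup as an added example (not code from the thread), using a PDO prepared statement so the value needs neither hand-placed quotes nor an escaping function, and encoding the store name for the URL and the HTML on the link side. It assumes the pdo_sqlite extension, with an in-memory SQLite table standing in for the poster's MySQL `stores` table; `storeLink()` and `findStore()` are hypothetical names, and every row and request value except the first is constructed.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. SQLite in memory stands in for the
// poster's MySQL database so the script runs offline (assumes pdo_sqlite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE stores (store_id INTEGER PRIMARY KEY, store_subject TEXT)');
$insert = $pdo->prepare('INSERT INTO stores (store_subject) VALUES (?)');
// First name is the one from the thread; the second is constructed.
foreach (['Loma Vista 8712 Blue Ridge Blvd', "O'Neil Plaza 12 Main St"] as $name) {
    $insert->execute([$name]);
}

// Link side: the value lands in a URL and in HTML, so encode it for both.
function storeLink(string $name): string
{
    $href = 'store.php?id=' . rawurlencode($name);
    return '<h3><a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">'
         . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</a></h3>';
}

// Query side: a named placeholder keeps the value out of the SQL text entirely.
function findStore(PDO $pdo, string $id): ?array
{
    $stmt = $pdo->prepare(
        'SELECT store_id, store_subject FROM stores WHERE store_subject = :subject'
    );
    $stmt->execute([':subject' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed requests: what $_GET['id'] would hold after PHP decodes the URL.
// The last value contains quote characters and is matched as plain data.
$requests = ['Loma Vista 8712 Blue Ridge Blvd', "O'Neil Plaza 12 Main St", "x' OR '1'='1"];
foreach ($requests as $id) {
    echo storeLink($id), PHP_EOL;
    var_dump(findStore($pdo, $id));
}
```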