RE: [PHP] IIS, PHP and HTML
On Wed, 2010-06-23 at 17:34 -0700, Tommy Pham wrote: > > -Original Message- > > From: Ashley Sheridan [mailto:a...@ashleysheridan.co.uk] > > Sent: Wednesday, June 23, 2010 4:47 PM > > To: Phillip Baker > > Cc: PHP General List > > Subject: Re: [PHP] IIS, PHP and HTML > > > > On Wed, 2010-06-23 at 16:26 -0600, Phillip Baker wrote: > > > > > Greetings All, > > > > > > I am at a new Gig. > > > So this is the existing setup so changing it at least in the short > > > term is not an option. > > > > > > We are in an IIS shop. > > > We have a bunch of files that are html, and in need of php > functionality. > > > And that would be a BUNCH of files. > > > > > > I am interested in setting if I can set up IIS to use the php > > > interpreter on HTML files. > > > And then just start using the html files as php. > > > > > > There are just so many html files I would prefer to not do 301 > > > redirects, not header redirects and blot the server with empty files > (nearly > > empty). > > > My preference is to use the existing files. > > > > > > Is there a way to make this happen? > > > Are there any pitfalls in making this happen that I will need to be > > > aware of? > > > > > > Blessed Be > > > > > > Phillip > > > > > > Yes, you just configure IIS to treat the .html extension the same as it > > does .php. > > > > Several things to note though. You can't control this on a site-by-site > basis as > > far as I remember, so if you set this, it's for the whole server. Any > plain html > > pages will be delivered more slowly. > > > > Correction, IIS7.5 (Win08r2) and IIS7 (Win08) can set it at per > path/site/server depending on your needs. Set it via 'handler mappings' > accordingly. I don't remember IIS 6 and older since it's been a couple of > years I've dealt with IIS 6. > > Regards, > Tommy > > > Second, PHP code isn't inserted into HTML, rather it's the other way > around. 
> > This distinction is important when you are outputting content other than > > HTML from PHP code, or when you are using the header() function. > > > > Although IIS wouldn't be my server of choice, I think the one thing you > may > > find lacking is Apaches .htaccess files. IIS can emulate most of the > behaviour > > of this with plugins though, but I believe they tend to cost. > > > > Thanks, > > Ash > > http://www.ashleysheridan.co.uk > > > > > Ah, that's good for Phillip then. I've not used IIS for over a year now, and the version I used was very old (cheap company didn't see the need to update anything, ever!) Thanks, Ash http://www.ashleysheridan.co.uk
RE: [PHP] IIS, PHP and HTML
> -Original Message- > From: Ashley Sheridan [mailto:a...@ashleysheridan.co.uk] > Sent: Wednesday, June 23, 2010 4:47 PM > To: Phillip Baker > Cc: PHP General List > Subject: Re: [PHP] IIS, PHP and HTML > > On Wed, 2010-06-23 at 16:26 -0600, Phillip Baker wrote: > > > Greetings All, > > > > I am at a new Gig. > > So this is the existing setup so changing it at least in the short > > term is not an option. > > > > We are in an IIS shop. > > We have a bunch of files that are html, and in need of php functionality. > > And that would be a BUNCH of files. > > > > I am interested in setting if I can set up IIS to use the php > > interpreter on HTML files. > > And then just start using the html files as php. > > > > There are just so many html files I would prefer to not do 301 > > redirects, not header redirects and blot the server with empty files (nearly > empty). > > My preference is to use the existing files. > > > > Is there a way to make this happen? > > Are there any pitfalls in making this happen that I will need to be > > aware of? > > > > Blessed Be > > > > Phillip > > > Yes, you just configure IIS to treat the .html extension the same as it > does .php. > > Several things to note though. You can't control this on a site-by-site basis as > far as I remember, so if you set this, it's for the whole server. Any plain html > pages will be delivered more slowly. > Correction, IIS7.5 (Win08r2) and IIS7 (Win08) can set it at per path/site/server depending on your needs. Set it via 'handler mappings' accordingly. I don't remember IIS 6 and older since it's been a couple of years I've dealt with IIS 6. Regards, Tommy > Second, PHP code isn't inserted into HTML, rather it's the other way around. > This distinction is important when you are outputting content other than > HTML from PHP code, or when you are using the header() function. > > Although IIS wouldn't be my server of choice, I think the one thing you may > find lacking is Apaches .htaccess files. 
IIS can emulate most of the behaviour > of this with plugins though, but I believe they tend to cost. > > Thanks, > Ash > http://www.ashleysheridan.co.uk > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] IIS, PHP and HTML
On Wed, 2010-06-23 at 16:26 -0600, Phillip Baker wrote: > Greetings All, > > I am at a new Gig. > So this is the existing setup so changing it at least in the short term is > not an option. > > We are in an IIS shop. > We have a bunch of files that are html, and in need of php functionality. > And that would be a BUNCH of files. > > I am interested in setting if I can set up IIS to use the php interpreter on > HTML files. > And then just start using the html files as php. > > There are just so many html files I would prefer to not do 301 redirects, > not header redirects and blot the server with empty files (nearly empty). > My preference is to use the existing files. > > Is there a way to make this happen? > Are there any pitfalls in making this happen that I will need to be aware > of? > > Blessed Be > > Phillip Yes, you just configure IIS to treat the .html extension the same as it does .php. Several things to note though. You can't control this on a site-by-site basis as far as I remember, so if you set this, it's for the whole server. Any plain html pages will be delivered more slowly. Second, PHP code isn't inserted into HTML, rather it's the other way around. This distinction is important when you are outputting content other than HTML from PHP code, or when you are using the header() function. Although IIS wouldn't be my server of choice, I think the one thing you may find lacking is Apaches .htaccess files. IIS can emulate most of the behaviour of this with plugins though, but I believe they tend to cost. Thanks, Ash http://www.ashleysheridan.co.uk
[PHP] IIS, PHP and HTML
Greetings All, I am at a new Gig. So this is the existing setup so changing it at least in the short term is not an option. We are in an IIS shop. We have a bunch of files that are html, and in need of php functionality. And that would be a BUNCH of files. I am interested in setting if I can set up IIS to use the php interpreter on HTML files. And then just start using the html files as php. There are just so many html files I would prefer to not do 301 redirects, not header redirects and blot the server with empty files (nearly empty). My preference is to use the existing files. Is there a way to make this happen? Are there any pitfalls in making this happen that I will need to be aware of? Blessed Be Phillip
RE: [PHP] Problem with ssh2_connect
> Do you have lexneter installed. I think that could be the problem.
>
> 2010/6/23 Radek Krejča
> > > Make sure that

What is lexneter please?

Radek
Re: [PHP] How to store encrypted data and how to store the key?
On Wed, Jun 23, 2010 at 12:43 PM, Peter Lind wrote:
> I'm just wondering if this is a correct understanding:
> 1. plaintext data arrives on the web frontend.

or over SSL

> 2. It's sent to the app server

SSL or non-SSL - your choice

> 3. It's encrypted and sent to the DB server

encrypted or not encrypted - your choice

> Where does the data go after step 3? Does encrypted data go back out
> to the app server? In which case, what's to stop me from exploiting
> the web-server and then sending *bad data/commands* to the app server?
>
> But maybe I'm taking this too far: are you only looking at security in
> terms of storage? I.e. is this merely a question of avoiding dumps of
> the data?

It is mainly about how to stop an exploited machine (even shell access) from accessing the data by simply looking at a PHP config file. This solves that by reducing the risk with the only WAN-accessible touchpoint (web servers, or well, technically the load balancer even) which is only accessible via HTTP or HTTPS.

Feeding bad commands is always a risk, no matter what - but you could figure out how to set up an IDS system or something to only accept POST/GET without exploitable characters or anything. Suhosin type things come to mind. But again - the only way to get data would be if you craft something and use SQL injection or something to get the data out. You couldn't exploit code to download a trojan or something because the application server cannot talk to the Internet.

I think it is a compartmentalized setup that would solve my original question...
Re: [PHP] How to store encrypted data and how to store the key?
On 23 June 2010 20:55, Michael Shadle wrote: > I talked with a friend who actually had this implemented before and > banks had signed off on it after reviewing it. > > load balancer (irrelevant to the security piece) > > web server(s) - only accepts traffic to port 80/443. can only forward > requests on to the app server, one direction. > > app server(s) - processes the PHP/etc. has access to the > encryption/decryption keys. can only send established packets back to > the webserver, and traffic to the db. cannot connect outbound to the > net. > > db server(s) - stores the data. choose how you want to encrypt. they > did not encrypt data at rest in their setup, the bank would have > 'preferred' it but was not willing to buy the license for the > encryption plugin. however, the app tier could handle the > encryption/decryption. > > all machines were only accessable via VPN, not the WAN. > > due to that, assuming physical access is not an issue: > > if the webserver got exploited, it could only talk to the app server > using http. it has no access to the encryption key, nor the database. > only one direction of communication. if the app server somehow got > exploited (someone somehow got a trojan installed) it can't > communicate outbound, so unless they figured some creative way to make > the app server expose information through the open port only for the > webserver, it's useless. and to install the trojan, typically people > fetch remote files - well, the app tier can't communicate outbound. > > it's pretty damn secure for a web app. you could theoretically pair > the app server and db server on the same box - you could probably make > that work too. depends on how large you need to scale and the > architecture required. > > anyway... anyone have any comments or holes to poke in this theory? > I'm just wondering if this is a correct understanding: 1. plaintext data arrives on the web frontend. 2. It's sent to the app server 3. 
It's encrypted and sent to the DB server Where does the data go after step 3? Does encrypted data go back out to the app server? In which case, what's to stop me from exploiting the web-server and then sending *bad data/commands* to the app server? But maybe I'm taking this too far: are you only looking at security in terms of storage? I.e. is this merely a question of avoiding dumps of the data? Regards Peter -- WWW: http://plphp.dk / http://plind.dk LinkedIn: http://www.linkedin.com/in/plind BeWelcome/Couchsurfing: Fake51 Twitter: http://twitter.com/kafe15 -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] How to store encrypted data and how to store the key?
I talked with a friend who actually had this implemented before and banks had signed off on it after reviewing it. load balancer (irrelevant to the security piece) web server(s) - only accepts traffic to port 80/443. can only forward requests on to the app server, one direction. app server(s) - processes the PHP/etc. has access to the encryption/decryption keys. can only send established packets back to the webserver, and traffic to the db. cannot connect outbound to the net. db server(s) - stores the data. choose how you want to encrypt. they did not encrypt data at rest in their setup, the bank would have 'preferred' it but was not willing to buy the license for the encryption plugin. however, the app tier could handle the encryption/decryption. all machines were only accessable via VPN, not the WAN. due to that, assuming physical access is not an issue: if the webserver got exploited, it could only talk to the app server using http. it has no access to the encryption key, nor the database. only one direction of communication. if the app server somehow got exploited (someone somehow got a trojan installed) it can't communicate outbound, so unless they figured some creative way to make the app server expose information through the open port only for the webserver, it's useless. and to install the trojan, typically people fetch remote files - well, the app tier can't communicate outbound. it's pretty damn secure for a web app. you could theoretically pair the app server and db server on the same box - you could probably make that work too. depends on how large you need to scale and the architecture required. anyway... anyone have any comments or holes to poke in this theory? On Wed, Jun 23, 2010 at 12:55 AM, Tommy Pham wrote: >> -Original Message- >> From: Peter Lind [mailto:peter.e.l...@gmail.com] >> Sent: Wednesday, June 23, 2010 12:22 AM >> To: Michael Shadle >> Cc: PHP-General >> Subject: Re: [PHP] How to store encrypted data and how to store the key? 
>> >> On 23 June 2010 09:11, Michael Shadle wrote: >> > This is somewhat related to the whole PCI/credit card discussion a >> > couple weeks back. The consensus was basically "leave it to other >> > people" - however, what if YOU are the other person? >> > >> > I wonder if anyone has some BKMs to share about encrypting data in a >> > web application. A lot of people take the most obvious approach, but >> > it's fundamentally flawed, that is: >> > >> > I take data from the user, I encrypt it (using PHP crypto, or MySQL >> > crypto, etc.) and a key stored in my config file, and put it into the >> > database. Then when I want to get it back, I just use decrypt + the >> > key in my config file. The issue there? If you server is compromised >> > and the database is accessable, they'll have the key to decrypt the >> > data right off the server. They can pull down copies of everything or >> > even write their own script ON the server itself to extract the data. >> > >> > This has been one thing that I have not really been able to figure out >> > yet. You could separate the servers, and figure out some very hard way >> > for them to communicate, but when it comes down to it, the webserver >> > needs to access the data. For example, the webserver could be behind a >> > fully firewalled setup that only allows MySQL traffic. However, the >> > webserver has to access the data still. >> > >> > I assume the only solution is somehow storing the key in a third >> > place, so the accessor has to get the key somehow before accessing the >> > encrypted data. But again - how to automatically allow access for only >> > the webapp? I thought of per-user keys, but that isn't an appropriate >> > solution for something that needs to be encrypted using the same key. >> > >> > Has anyone had to implement anything like this? Is there a good >> > whitepaper on something like this? Especially relating to HIPAA >> > requirements. 
PCI would be nice too, but I'm sure once this major >> > "unknown" in my mind is addressed, the general concepts are common, >> > probably just differences in levels of firewalling, cryptography >> > strength, physical access to the machines, etc. >> > >> > Please keep this on topic - this is about the people who DO have to >> > address this issue, not something about "just offload it to other >> > guys" - that's an obvious choice already, and not one that is allowed >> > depending on the job. >> > >> >> I haven't had to implement a scheme like this but for an app I'm working on >> we've been considering the same issues in order to keep member data safe. >> I would say your best bet is to keep the decryption key in memory while the > > This is something I'm very interested in hearing more about since our other > discussion about PHP & threads and how some list members prefer the 'share > nothing' approach. That said, how would you access the memory for every > individual sessions that need that decrypting code/key when nothing is >
RE: [PHP] In what scenario an extension of a class is useful?
Priceless. Could also be extended applied to babies too. ;-p object babies extends mammal ( function eat (milk $food) ) ROFL. > -Original Message- > From: Rene Veerman [mailto:rene7...@gmail.com] > Sent: Tuesday, June 22, 2010 11:58 PM > > object mammal ( > function eat (mixed $food) > function shit () > function sleep() > ) -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Problem with ssh2_connect
Do you have lexneter installed. I think that could be the problem.

2010/6/23 Radek Krejča
> > > Make sure that
> > > the key file exists by that name in the location you're
> > > specifying (hint: use a full path).
> It's in ssh2_auth_public..., yes, I am using full path there.
> > > it is the right key for that server.
> Yes, I use it with ssh command from line on the same computer.
> > > the permissions on the file are very strict (chmod 0400 ssh-rsa).
> My private key has 0400
>
> I got error message immediately after
> $connection = ssh2_connect('test.starnet.cz', 22, array('hostkey'=>'ssh-rsa'), $methods);
> so $connection is invalid resource for other function.
>
> I have rsa keys, but if I use ssh-dss (hostkey), it's without warning - but
> I can't connect with keys.
>
> Radek

-- 
A Brandon_R Production
Re: [PHP] Invoice Software
On Jun 23, 2010, at 11:24 AM, Bastien Koert wrote: > On Wed, Jun 23, 2010 at 10:01 AM, Daniel P. Brown > wrote: >> On Wed, Jun 23, 2010 at 09:52, Floyd Resler wrote: >>> Now that I'm finally landing some freelance PHP work, I am in need of some >>> software that I can add clients, enter estimates, keep track of hours, and >>> create invoices with. I'd like it to be Web-based. I could write my own, >>> of course, but why do it if it's already done?! Does anyone know of such a >>> package? >> >>Tons. I'd personally start by checking SourceForge, finding >> something that matches closely what you're trying to do, and then >> modifying it to match entirely. >> >> -- >> >> UNADVERTISED DEDICATED SERVER SPECIALS >> SAME-DAY SETUP >> Just ask me what we're offering today! >> daniel.br...@parasane.net || danbr...@php.net >> http://www.parasane.net/ || http://www.pilotpig.net/ >> >> -- >> PHP General Mailing List (http://www.php.net/) >> To unsubscribe, visit: http://www.php.net/unsub.php >> >> > > freshbooks.com also handles that if you want to use a service > > -- > > Bastien > Fresbooks is perfect! Thanks! Floyd -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection
On Wed, Jun 23, 2010 at 11:09 AM, Ashley Sheridan wrote:
> Out of interest, how does PHP calculate the IP number, as it was my
> understanding of IP numbers that they can't be negative.
>
> For example, my IP address is 89.243.156.135
> The four parts as binary:
> 01011001
> 0011
> 10011100
> 1111
>
> From there, I thought that the binary values were concatenated as if they
> were a string, and then the decimal value worked out from that, giving, in my
> case, a value of 1509137543.
>
> How is it possible that PHP can produce negative values from this method?
> Does it do something else entirely, or is this a case of the integer value
> overflowing into negative values? (which might explain why the value
> correctly converts back)
>
> If so, what would be the best method to get the correct value, as abs()
> obviously isn't it!
>
> Thanks,
> Ash
> http://www.ashleysheridan.co.uk

It has to do with the storage of the value as a 4-byte integer, as Bob mentioned. The best way I know of in PHP involves either sprintf, dechex, or pack/unpack. If you use pack/unpack, just be careful with the endian-ness of the format you choose. I'm not sure how any of these are best passed along to various databases, though. I believe something like this should work, as long as the column is defined with a type that will hold the positive value, such as BIGINT (or, perhaps INT(10) UNSIGNED in MySQL, though I think I remember having issues with that type).

$sql = sprintf('INSERT INTO `mytable` (`ip_address`) VALUES (%u)', ip2long($ip));

I do most of my development with SQL Server, so I often just pass the value as a 4-byte integer (or sometimes even in dotted notation) to a stored procedure and then let T-SQL do the work.

Andrew
Re: [PHP] Warning messages on web page.
On Wed, 2010-06-23 at 16:22 +0100, Ashley Sheridan wrote: > On Wed, 2010-06-23 at 16:14 +0100, Mike Davies wrote: > If you haven't in your code, then make sure you define $thumbsarray as > an array before you attempt to use it in the loop. This will have no > effect where rows are returned, but it will ensure an empty array > exists if your code expects it and there is no data in the database to > populate it. > > Thanks, > Ash > http://www.ashleysheridan.co.uk > > > Thanks Ash and to everyone else. I added : $thumbsarray=array() above the first instance and the warning no longer appears. Hopefully nothing else will be affected. Many thanks for all your time. regards, Mike -- Mike Davies Integra Web Design, Rhynie, By Huntly, AB54 4LS 01464 861535www.integrawebdesign.co.uk -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Re:
Please DO NOT click on the following link. It should have been sent in a previous email. Seems like someone has hijacked my email and is sending this to all my contacts. Thanks, Navid On Wed, Jun 23, 2010 at 7:38 AM, Navid Yar wrote: > http://saq9.grkhworld.com/ > > > > > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection
From: Ashley Sheridan
> Out of interest, how does PHP calculate the IP number, as it was my
> understanding of IP numbers that they can't be negative.
>
> For example, my IP address is 89.243.156.135
> The four parts as binary:
> 01011001
> 0011
> 10011100
> 1111
>
> From there, I thought that the binary values were concatenated as if
> they were a string, and then the decimal value worked out from that,
> giving, in my case, a value of 1509137543.
>
> How is it possible that PHP can produce negative values from this
> method? Does it do something else entirely, or is this a case of the
> integer value overflowing into negative values? (which might explain why
> the value correctly converts back)

When stored as a four byte integer, the high bit becomes the sign flag. So if the first byte is 128 or higher, it would be converted into a negative number. This is a common issue when the size of numbers exceeds the storage space allotted. It's well understood in tightly typed languages, but often missed in the more loosely typed languages like Perl and PHP.

Bob McConnell
Re: [PHP] Warning messages on web page.
On Wed, Jun 23, 2010 at 11:14, Mike Davies wrote:
>
> Nothing is returned for SELECT query as there is nothing in the table as
> yet. Perhaps this is the problem. Typically all projects would have an
> associated thumb image but all news items may not. Perhaps a thumb image
> is necessary to stop this warning? Should I change the code to allow for
> there being no thumb image, if so can you suggest how I might modify it?

With no rows returned, there's no array. The while() loop doesn't even trigger there. You could either add some dummy data, populate the rows, or adjust the code like so:

-- 
UNADVERTISED DEDICATED SERVER SPECIALS
SAME-DAY SETUP
Just ask me what we're offering today!
daniel.br...@parasane.net || danbr...@php.net
http://www.parasane.net/ || http://www.pilotpig.net/
Re: [PHP] Invoice Software
On Wed, Jun 23, 2010 at 10:01 AM, Daniel P. Brown wrote: > On Wed, Jun 23, 2010 at 09:52, Floyd Resler wrote: >> Now that I'm finally landing some freelance PHP work, I am in need of some >> software that I can add clients, enter estimates, keep track of hours, and >> create invoices with. I'd like it to be Web-based. I could write my own, >> of course, but why do it if it's already done?! Does anyone know of such a >> package? > > Tons. I'd personally start by checking SourceForge, finding > something that matches closely what you're trying to do, and then > modifying it to match entirely. > > -- > > UNADVERTISED DEDICATED SERVER SPECIALS > SAME-DAY SETUP > Just ask me what we're offering today! > daniel.br...@parasane.net || danbr...@php.net > http://www.parasane.net/ || http://www.pilotpig.net/ > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > > freshbooks.com also handles that if you want to use a service -- Bastien Cat, the other other white meat -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Warning messages on web page.
On Wed, 2010-06-23 at 16:14 +0100, Mike Davies wrote: > On Wed, 2010-06-23 at 09:09 -0400, Daniel Brown wrote: > > Hold everything, Mike! > > > > On Wed, Jun 23, 2010 at 05:18, Mike Davies > > wrote: > > [snip!] > > > > > > > > mysql_select_db($database_general, $general); > > > $query_details = "SELECT * FROM news WHERE news_id = '$_GET[id]'"; > > > > /** > > * Above line is placed here so that we can be easily, > > * deliberately, and permanently destroyed. Of course, > > * I suppose we *could* avoid that by sanitizing the input. > > * Perhaps mysql_real_escape_string() or something > > */ > > > > > $details = mysql_query($query_details, $general) or die(mysql_error()); > > > $row_details = mysql_fetch_assoc($details); > > > $totalRows_details = mysql_num_rows($details); > > > > > > mysql_select_db($database_general, $general); > > > > // You don't need to reconnect to the database between queries. > > // Since you're using the same here as above, the same link is fine. > > > > > $query_thumbs = "SELECT * FROM news_thumbs"; > > > $thumbs = mysql_query($query_thumbs, $general) or die(mysql_error()); > > > > // You don't need to tell mysql_query() which database to use every time > > // either, when using the same database for queries. > > > > > $totalRows_thumbs = mysql_num_rows($thumbs); > > > > // Doesn't look like you use this --- at least in this code > > snippet. Necessary? > > > > > $i = 1; > > > > // I'd lose the above line as well. You'll see why in a second > > > > /** REPLACE THIS: > > > while ($row_thumbs = mysql_fetch_assoc($thumbs)){ > > > $thumbsarray[$i] = $row_thumbs; > > > $i++; > > > } > > **/ > > > > // WITH THIS: > > while($row_thumbs = mysql_fetch_assoc($thumbs)) { > > $thumbsarray[] = $row_thumbs; > > } > > > > > //print_r($thumbsarray); > > > ?> > > > > > > > This is exactly the same as the code which is working for the 'projects' > > > pages. > > > > Okay. 
On the database to which you're connecting, use phpMyAdmin, > > the MySQL CLI, or something other than this and run the following > > query: > > > > SELECT * FROM news_thumbs; > > > > Is anything returned? > > > Nothing is returned for SELECT query as there is nothing in the table as > yet. Perhaps this is the problem. Typically all projects would have an > associated thumb image but all news items may not. Perhaps a thumb image > is necessary to stop this warning? Should I change the code to allow for > there being no thumb image, if so can you suggest how I might modify it? > > Thanks to everyone who has responded, it has been most useful. > > regards, > Mike > -- > Mike Davies > Integra Web Design, Rhynie, By Huntly, AB54 4LS > 01464 861535www.integrawebdesign.co.uk > > If you haven't in your code, then make sure you define $thumbsarray as an array before you attempt to use it in the loop. This will have no effect where rows are returned, but it will ensure an empty array exists if your code expects it and there is no data in the database to populate it. Thanks, Ash http://www.ashleysheridan.co.uk
Re: [PHP] Warning messages on web page.
On Wed, 2010-06-23 at 09:09 -0400, Daniel Brown wrote: > Hold everything, Mike! > > On Wed, Jun 23, 2010 at 05:18, Mike Davies > wrote: > [snip!] > > > > > mysql_select_db($database_general, $general); > > $query_details = "SELECT * FROM news WHERE news_id = '$_GET[id]'"; > > /** > * Above line is placed here so that we can be easily, > * deliberately, and permanently destroyed. Of course, > * I suppose we *could* avoid that by sanitizing the input. > * Perhaps mysql_real_escape_string() or something > */ > > > $details = mysql_query($query_details, $general) or die(mysql_error()); > > $row_details = mysql_fetch_assoc($details); > > $totalRows_details = mysql_num_rows($details); > > > > mysql_select_db($database_general, $general); > > // You don't need to reconnect to the database between queries. > // Since you're using the same here as above, the same link is fine. > > > $query_thumbs = "SELECT * FROM news_thumbs"; > > $thumbs = mysql_query($query_thumbs, $general) or die(mysql_error()); > > // You don't need to tell mysql_query() which database to use every time > // either, when using the same database for queries. > > > $totalRows_thumbs = mysql_num_rows($thumbs); > > // Doesn't look like you use this --- at least in this code > snippet. Necessary? > > > $i = 1; > > // I'd lose the above line as well. You'll see why in a second > > /** REPLACE THIS: > > while ($row_thumbs = mysql_fetch_assoc($thumbs)){ > > $thumbsarray[$i] = $row_thumbs; > > $i++; > > } > **/ > > // WITH THIS: > while($row_thumbs = mysql_fetch_assoc($thumbs)) { > $thumbsarray[] = $row_thumbs; > } > > > //print_r($thumbsarray); > > ?> > > > > This is exactly the same as the code which is working for the 'projects' > > pages. > > Okay. On the database to which you're connecting, use phpMyAdmin, > the MySQL CLI, or something other than this and run the following > query: > > SELECT * FROM news_thumbs; > > Is anything returned? 
>

Nothing is returned for SELECT query as there is nothing in the table as yet. Perhaps this is the problem. Typically all projects would have an associated thumb image but all news items may not. Perhaps a thumb image is necessary to stop this warning? Should I change the code to allow for there being no thumb image, if so can you suggest how I might modify it?

Thanks to everyone who has responded, it has been most useful.

regards,
Mike
-- 
Mike Davies
Integra Web Design, Rhynie, By Huntly, AB54 4LS
01464 861535   www.integrawebdesign.co.uk
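The two problems Daniel's review comments point at in the quoted code (the id interpolated straight from $_GET into the SQL string, and $thumbsarray never being initialised when news_thumbs has no rows) fixed together, as an added PHP example that is neither Mike's script nor Daniel's proposed replacement. It assumes PDO with an in-memory SQLite database standing in for the MySQL database on the page so it runs offline; the column set, fixture rows and function names are mine.

```php
<?php
declare(strict_types=1);

// Added example, not the code from the thread. Uses an in-memory SQLite
// database (assumption) in place of the page's MySQL database so it runs offline.
function openFixture(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE news (news_id INTEGER PRIMARY KEY, title TEXT NOT NULL)');
    $db->exec('CREATE TABLE news_thumbs (thumb_id INTEGER PRIMARY KEY, news_id INTEGER NOT NULL, file TEXT NOT NULL)');
    $db->exec("INSERT INTO news (news_id, title) VALUES (1, 'First news item')");
    // news_thumbs is deliberately left empty: the case that produced Mike's warning.
    return $db;
}

// The id arrives from the query string and is untrusted. Accept only a
// positive integer; anything else is treated as "no such item".
function newsIdFromRequest(array $get): ?int
{
    if (!isset($get['id']) || !is_string($get['id'])) {
        return null;
    }
    $id = filter_var($get['id'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function loadNewsPage(PDO $db, array $get): array
{
    $id = newsIdFromRequest($get);
    if ($id === null) {
        return ['details' => null, 'thumbs' => []];
    }

    // Prepared statement with a bound parameter: the value never becomes part
    // of the SQL text, which removes the injection point in "... = '$_GET[id]'".
    $stmt = $db->prepare('SELECT news_id, title FROM news WHERE news_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $details = $stmt->fetch(PDO::FETCH_ASSOC);

    // Initialise the array before the loop, so a table with no rows produces
    // an empty array rather than an undefined variable (Ash's fix).
    $thumbsarray = [];
    $thumbs = $db->query('SELECT thumb_id, news_id, file FROM news_thumbs');
    while ($row = $thumbs->fetch(PDO::FETCH_ASSOC)) {
        $thumbsarray[] = $row;   // append; no manual $i counter needed
    }

    return ['details' => $details === false ? null : $details, 'thumbs' => $thumbsarray];
}

$db = openFixture();
// Constructed requests: a valid id, an id with no row, a non-numeric value, and a missing id.
foreach ([['id' => '1'], ['id' => '999'], ['id' => 'one; not a number'], []] as $get) {
    $page = loadNewsPage($db, $get);
    printf("id=%-20s details=%-18s thumbs=%d\n",
        var_export($get['id'] ?? null, true),
        $page['details']['title'] ?? 'none',
        count($page['thumbs']));
}
```

Running it shows all four requests completing without a warning: the empty news_thumbs table yields a count of zero, and the non-numeric and missing ids are rejected before any query is built. Keeping the validation in its own function makes the "what is a valid id" rule testable on its own, separate from the database code.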
Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection
On Wed, 2010-06-23 at 10:58 -0400, Andrew Ballard wrote: > On Wed, Jun 23, 2010 at 10:39 AM, Ashley Sheridan > wrote: > > > > On Wed, 2010-06-23 at 10:35 -0400, Andrew Ballard wrote: > > > > On Wed, Jun 23, 2010 at 6:01 AM, Ashley Sheridan > > wrote: > > > That's what I'd use. You may also have to wrap it inside an abs() call > > > to ensure it's a positive number, as some IP addresses equate to > > > negative with ip2long(). > > > > NO NO NO NO NO > > > > > > > $x = ip2long('192.168.0.1'); > > var_dump($x); > > // int(-1062731775) > > > > var_dump(long2ip($x)); > > // string(11) "192.168.0.1" > > > > var_dump(long2ip(abs($x))); > > // string(13) "63.87.255.255" > > > > ?> > > > > Andrew > > > > Someone had better tell all the makers of the ip2country databases then, > > because there's not a negative number in sight! > > > > Thanks, > > Ash > > http://www.ashleysheridan.co.uk > > > > > > You might choose to store an 8-byte integer rather than a 4-byte > integer to prevent negative numbers, but abs() won't do that. Usually > when I store IPv4 addresses in a database, I store them as BINARY(4) > so that I can compare ranges without worrying about either handling > negative numbers or using 8 bytes of storage to deal with addresses > above 127.255.255.255. I have also seen people present a case for > storing each octet in a separate TINYINT column. > > Andrew > Out of interest, how does PHP calculate the IP number, as it was my understanding of IP numbers that they can't be negative. For example, my IP address is 89.243.156.135 The four parts as binary: 01011001 0011 10011100 1111 >From there, I thought that the binary values were concatenated as if they were a string, and then the decimal value worked out from that, giving, in my case, a value of 1509137543. How is it possible that PHP can produce negative values from this method? Does it do something else entirely, or is this a case of the integer value overflowing into negative values? 
(which might explain why the value correctly converts back) If so, what would be the best method to get the correct value, as abs() obviously isn't it! Thanks, Ash http://www.ashleysheridan.co.uk
Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection
On Wed, Jun 23, 2010 at 10:39 AM, Ashley Sheridan wrote: > > On Wed, 2010-06-23 at 10:35 -0400, Andrew Ballard wrote: > > On Wed, Jun 23, 2010 at 6:01 AM, Ashley Sheridan > wrote: > > That's what I'd use. You may also have to wrap it inside an abs() call > > to ensure it's a positive number, as some IP addresses equate to > > negative with ip2long(). > > NO NO NO NO NO > > > $x = ip2long('192.168.0.1'); > var_dump($x); > // int(-1062731775) > > var_dump(long2ip($x)); > // string(11) "192.168.0.1" > > var_dump(long2ip(abs($x))); > // string(13) "63.87.255.255" > > ?> > > Andrew > > Someone had better tell all the makers of the ip2country databases then, > because there's not a negative number in sight! > > Thanks, > Ash > http://www.ashleysheridan.co.uk > > You might choose to store an 8-byte integer rather than a 4-byte integer to prevent negative numbers, but abs() won't do that. Usually when I store IPv4 addresses in a database, I store them as BINARY(4) so that I can compare ranges without worrying about either handling negative numbers or using 8 bytes of storage to deal with addresses above 127.255.255.255. I have also seen people present a case for storing each octet in a separate TINYINT column. Andrew -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Invoice Software
freshbooks.com On 2010-06-23, at 11:44 AM, Paul M Foster wrote: > On Wed, Jun 23, 2010 at 09:52:21AM -0400, Floyd Resler wrote: > >> Now that I'm finally landing some freelance PHP work, I am in need of some >> software that I can add clients, enter estimates, keep track of hours, and >> create invoices with. I'd like it to be Web-based. I could write my own, >> of course, but why do it if it's already done?! Does anyone know of such a >> package? >> > > Let me know if you don't find what you need. I've built such a system > over the last few years, used internally by my company. As it's for our > use internally, I'd have to package it up for your use. But it'd be free > and FOSS-licensed. (But check what's available first, because packaging > it up for you would take some work.) > > Paul > > -- > Paul M. Foster
Re: [PHP] Invoice Software
On Wed, Jun 23, 2010 at 09:52:21AM -0400, Floyd Resler wrote: > Now that I'm finally landing some freelance PHP work, I am in need of some > software that I can add clients, enter estimates, keep track of hours, and > create invoices with. I'd like it to be Web-based. I could write my own, of > course, but why do it if it's already done?! Does anyone know of such a > package? > Let me know if you don't find what you need. I've built such a system over the last few years, used internally by my company. As it's for our use internally, I'd have to package it up for your use. But it'd be free and FOSS-licensed. (But check what's available first, because packaging it up for you would take some work.) Paul -- Paul M. Foster
Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection
On Wed, 2010-06-23 at 10:35 -0400, Andrew Ballard wrote: > On Wed, Jun 23, 2010 at 6:01 AM, Ashley Sheridan > wrote: > > That's what I'd use. You may also have to wrap it inside an abs() call > > to ensure it's a positive number, as some IP addresses equate to > > negative with ip2long(). > > NO NO NO NO NO > > > $x = ip2long('192.168.0.1'); > var_dump($x); > // int(-1062731775) > > var_dump(long2ip($x)); > // string(11) "192.168.0.1" > > var_dump(long2ip(abs($x))); > // string(13) "63.87.255.255" > > ?> > > Andrew > Someone had better tell all the makers of the ip2country databases then, because there's not a negative number in sight! Thanks, Ash http://www.ashleysheridan.co.uk
Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection
On Wed, Jun 23, 2010 at 6:01 AM, Ashley Sheridan wrote: > That's what I'd use. You may also have to wrap it inside an abs() call > to ensure it's a positive number, as some IP addresses equate to > negative with ip2long(). NO NO NO NO NO

    <?php
    $x = ip2long('192.168.0.1');
    var_dump($x);
    // int(-1062731775)

    var_dump(long2ip($x));
    // string(11) "192.168.0.1"

    var_dump(long2ip(abs($x)));
    // string(13) "63.87.255.255"
    ?>

Andrew
RE: [PHP] Problem with ssh2_connect
> > Make sure that > > the key file exists by that name in the location you're > specifying (hint: use a full path). It's in ssh2_auth_public..., yes, I am using a full path there. > it is the right key for that server. Yes, I use it with the ssh command from the command line on the same computer. > the permissions on the file are very strict (chmod 0400 ssh-rsa). My private key has 0400. > > > I got error message immediately after $connection = > ssh2_connect('test.starnet.cz', 22, array('hostkey'=>'ssh-rsa'), $methods);, > so $connection is invalid resource for other function. I have RSA keys, but if I use ssh-dss (hostkey), it's without warning - but I can't connect with keys. Radek
Re: [PHP] Invoice Software
On Wed, Jun 23, 2010 at 09:52, Floyd Resler wrote: > Now that I'm finally landing some freelance PHP work, I am in need of some > software that I can add clients, enter estimates, keep track of hours, and > create invoices with. I'd like it to be Web-based. I could write my own, of > course, but why do it if it's already done?! Does anyone know of such a > package? Tons. I'd personally start by checking SourceForge, finding something that matches closely what you're trying to do, and then modifying it to match entirely. -- UNADVERTISED DEDICATED SERVER SPECIALS SAME-DAY SETUP Just ask me what we're offering today! daniel.br...@parasane.net || danbr...@php.net http://www.parasane.net/ || http://www.pilotpig.net/
Re: [PHP] Problem with ssh2_connect
2010/6/23 Radek Krejča : > > Make sure that > > the key file exists by that name in the location you're > specifying (hint: use a full path). > it is the right key for that server. > the permissions on the file are very strict (chmod 0400 ssh-rsa). > > > I got error message immediately after $connection = > ssh2_connect('test.starnet.cz', 22, array('hostkey'=>'ssh-rsa'), $methods);, > so $connection is invalid resource for other function. Right point being? Your connection instantiation includes the key file denotation. Did you check the things I mentioned? -- UNADVERTISED DEDICATED SERVER SPECIALS SAME-DAY SETUP Just ask me what we're offering today! daniel.br...@parasane.net || danbr...@php.net http://www.parasane.net/ || http://www.pilotpig.net/
RE: [PHP] Problem with ssh2_connect
> Make sure that the key file exists by that name in the location you're specifying (hint: use a full path). > it is the right key for that server. > the permissions on the file are very strict (chmod 0400 ssh-rsa). I got the error message immediately after $connection = ssh2_connect('test.starnet.cz', 22, array('hostkey'=>'ssh-rsa'), $methods);, so $connection is an invalid resource for the other functions. Radek
[PHP] Invoice Software
Now that I'm finally landing some freelance PHP work, I am in need of some software that I can add clients, enter estimates, keep track of hours, and create invoices with. I'd like it to be Web-based. I could write my own, of course, but why do it if it's already done?! Does anyone know of such a package? Thanks! Floyd
Re: [PHP] How to store encrypted data and how to store the key?
On Wed, Jun 23, 2010 at 6:09 AM, Peter Lind wrote: > On 23 June 2010 10:09, Michael Shadle wrote: >> On Wed, Jun 23, 2010 at 12:55 AM, Tommy Pham wrote: >> I haven't had to implement a scheme like this but for an app I'm working on we've been considering the same issues in order to keep member data safe. I would say your best bet is to keep the decryption key in memory while the >>> >>> This is something I'm very interested in hearing more about since our other >>> discussion about PHP & threads and how some list members prefer the 'share >>> nothing' approach. That said, how would you access the memory for every >>> individual sessions that need that decrypting code/key when nothing is >>> shared? (I'm assuming that this would be purely in PHP :) >> >> +1. each server stores it locally in APC, or you have to mess with >> memcached, and since it is plaintext, encrypt that too? :p >> >> I -always- design for 'shared nothing' so this is a necessary >> discussion too, if "in memory" is the idea. >> > > In memory means that any of the php processes spawned by the server > would have access to it. Encrypting it in memory really doesn't help > you, as the php process would then decrypt it, bringing you back to > square one: you just mimic the decrypting behaviour of a working php > process to get the plaintext key. > Shared nothing also doesn't help you - that just multiplies the > amount of places the key is placed because you're still facing the > same issue: the scripts need access to the key. You could possibly > devise an authentication scheme by which a script could authenticate > itself to a server that would then hand out the key ... but that's > susceptible to other attacks as well. So I'd probably stick the key in > memory, possibly memcached. I'd encrypt it but nothing special, just > making sure that you cannot get the plaintext from memcached without > digging through working php files to figure out how you decrypt it. 
> Then I'd monitor the solution to see if anything *weird* was going on, > wiping memcache if something strange comes up. > As should be obvious, this doesn't solve the problems. Your number > one priority is blocking access to the server. Number two is making > sure that noone can use the data *if* they get access but without > working scripts. If someone roots the server with everything up and > running, there's really very little you can do. > > This is getting offtopic, though, if memory serves. I believe PCI has > some strict requirements on how security should be implemented. You'll > have to follow those and not other schemes that may be more or less > secure. > > Regards > Peter > > -- > > WWW: http://plphp.dk / http://plind.dk > LinkedIn: http://www.linkedin.com/in/plind > BeWelcome/Couchsurfing: Fake51 > Twitter: http://twitter.com/kafe15 > > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > > Here are a couple of things which may help http://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet#Rule_-_Under_PCI_DSS_requirement_3.2C_you_must_protect_cardholder_data http://www.issociate.de/board/post/247319/Encryption_Key_Storage.html The biggest issue with it on web servers is simply time. If the key is too hard to get to, or unavailable due to a machine failure, then you are going to have pissed off customers/clients who won't be able to do much. The best solution is to store the CC data on a DB that is not web facing. That removes the need for the web app to hold the encryption key. You can store a hashed value, with the last 4 digits of the card and expiry on the web facing DB for any transaction processing verification. But those transactions should then move into a queue inside the secured network that is not web facing. This secured network can then take the data from the queue, find the appropriate record in the secured DB, unencrypt it and process it as normal transaction. 
Get back the verification of successful transaction and then queue that back into the web facing system for messaging the user. -- Bastien Cat, the other other white meat
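The split Bastien describes above, as an added example that is not code from the thread: the web tier keeps only the last four digits, the expiry and a keyed lookup reference, and the full PAN travels to the queue sealed to a public key whose private half exists only on the non-web-facing side. That public-key sealing is a swapped-in technique (the thread only says "store the CC data on a DB that is not web facing"); what it demonstrates is Bastien's point that the web app then holds no decryption key at all. It uses ext/sodium (PHP 7.2+); the key pair, the HMAC key and the test card number are constructed here and are not real values.

```php
<?php
// Added example, not Bastien's or Peter's code. Key pair, HMAC key and the
// card number below are constructed for the demonstration.

// Generated once on the non-web-facing system; only the public key is deployed
// to the web tier, so a dump of the web server yields nothing that can open a PAN.
$backOfficeKeypair = sodium_crypto_box_keypair();
$webTierPublicKey  = sodium_crypto_box_publickey($backOfficeKeypair);
// Separate key for lookup references. A plain SHA-256 of a PAN is brute-forceable
// (known BIN, Luhn check, few unknown digits), so a keyed hash is used instead.
$lookupKey = random_bytes(32);

function prepareCardForQueue(string $pan, string $expiry, string $publicKey, string $lookupKey): array
{
    $pan = preg_replace('/\D/', '', $pan);
    if (strlen($pan) < 13 || strlen($pan) > 19) {
        throw new InvalidArgumentException('PAN length out of range');
    }
    return [
        // Kept in the web-facing DB (enough for display and for matching a reply):
        'last4'     => substr($pan, -4),
        'expiry'    => $expiry,
        'reference' => hash_hmac('sha256', $pan, $lookupKey),
        // Placed on the queue; only the back office can open it:
        'sealed'    => base64_encode(sodium_crypto_box_seal($pan, $publicKey)),
    ];
}

function processQueuedCard(array $item, string $backOfficeKeypair): string
{
    // Runs inside the secured network, the only place the secret key exists.
    $pan = sodium_crypto_box_seal_open(base64_decode($item['sealed']), $backOfficeKeypair);
    if ($pan === false) {
        throw new RuntimeException('sealed PAN failed to open (wrong key or tampered)');
    }
    return $pan;
}

// Constructed test number (a well-known Visa test PAN), not a real card.
$queued = prepareCardForQueue('4111 1111 1111 1111', '12/27', $webTierPublicKey, $lookupKey);
// The web tier never sees $backOfficeKeypair; this call models the back-office worker.
$recovered = processQueuedCard($queued, $backOfficeKeypair);
if ($recovered !== '4111111111111111') {
    throw new RuntimeException('round trip failed');
}
echo "web tier stores: last4={$queued['last4']} expiry={$queued['expiry']}\n";
```

The lookup key still lives on the web tier, so whoever steals it can test candidate PANs against the stored references; keep it separate from the sealed data, rotate it, or compute references on the back-office side instead. None of this changes what PCI DSS requires of the web-facing systems; it only reduces what a compromise of them can expose.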
RE: [PHP] FW: Problem with ssh2_connect
> Have you tried opening the connection from the command line with OpenSSL > or similar tools? Do you know those credentials will actually work? Yes, it is my key (now I am testing), but I got this message before I run ssh2_auth_public... Radek
RE: [PHP] FW: Problem with ssh2_connect
From: Radek Krejca > I am trying connect to freebsd. I have php 5.3.2 installed. I have to connect > using public keys, but without succes. Function ssh2_connect throws me > following error (then I have invalid resource for function ssh2_auth_pubkey_file)... > > PHP Warning: ssh2_connect(): Error starting up SSH connection(-5): Unable > to exchange encryption keys in /usr/home/radek/pokus.php on line 14 ... > I got the same error without using methods variable. Have you tried opening the connection from the command line with OpenSSL or similar tools? Do you know those credentials will actually work? Bob McConnell
Re: [PHP] Problem with ssh2_connect
2010/6/23 Radek Krejča : > > PHP Warning: ssh2_connect(): Error starting up SSH connection(-5): Unable to > exchange encryption keys in /usr/home/radek/pokus.php on line 14 Make sure that:
- the key file exists by that name in the location you're specifying (hint: use a full path).
- it is the right key for that server.
- the permissions on the file are very strict (chmod 0400 ssh-rsa).
-- UNADVERTISED DEDICATED SERVER SPECIALS SAME-DAY SETUP Just ask me what we're offering today! daniel.br...@parasane.net || danbr...@php.net http://www.parasane.net/ || http://www.pilotpig.net/
[PHP] FW: Problem with ssh2_connect
Hello, I am trying to connect to FreeBSD. I have PHP 5.3.2 installed. I have to connect using public keys, but without success. The function ssh2_connect throws me the following error (then I have an invalid resource for the function ssh2_auth_pubkey_file)... PHP Warning: ssh2_connect(): Error starting up SSH connection(-5): Unable to exchange encryption keys in /usr/home/radek/pokus.php on line 14 Warning: ssh2_connect(): Error starting up SSH connection(-5): Unable to exchange encryption keys in /usr/home/radek/pokus.php on line 14 PHP Warning: ssh2_connect(): Unable to connect to test.starnet.cz in /usr/home/darius/pokus_nat.php on line 14 Warning: ssh2_connect(): Unable to connect to test.starnet.cz in /usr/home/radek/pokus.php on line 14 Here is the code:

    <?php
    $methods = array(
        'kex' => 'diffie-hellman-group1-sha1',
        'hostkey' => 'ssh-dss',
        'client_to_server' => array(
            'crypt' => '3des-cbc',
            'mac' => 'hmac-md5',
            'comp' => 'none'),
        'server_to_client' => array(
            'crypt' => '3des-cbc',
            'mac' => 'hmac-md5',
            'comp' => 'none'));

    $connection = ssh2_connect('test.starnet.cz', 22, array('hostkey'=>'ssh-rsa'), $methods);
    ?>

I got the same error without using the methods variable. Thank you for advice. Radek
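An added example, not Radek's code, of what a public-key ssh2 connection from PHP looks like with the one check the extension does not do for you. Two things are worth noting against the original call: ssh2_connect's third argument is the methods array and the fourth is the callbacks array, so in the post the large $methods array sits in the callbacks position, where its entries are ignored; and libssh2 never consults known_hosts, so unless the script compares the server's fingerprint itself any host that answers on port 22 is accepted. The host name is the one from the thread; the user name, key paths and the pinned fingerprint are placeholders to replace with your own.

```php
<?php
// Added example (not from the thread). Host from the post; user, key paths and
// the expected fingerprint are assumed placeholders.
const SSH_HOST    = 'test.starnet.cz';
const SSH_PORT    = 22;
const SSH_USER    = 'radek';                              // assumed
const SSH_PUBKEY  = '/usr/home/radek/.ssh/id_rsa.pub';    // assumed path
const SSH_PRIVKEY = '/usr/home/radek/.ssh/id_rsa';        // assumed path, mode 0400
// Obtained out of band on the server, e.g.:
//   ssh-keygen -l -E sha1 -f /etc/ssh/ssh_host_rsa_key.pub
const EXPECTED_SHA1 = '0123456789ABCDEF0123456789ABCDEF01234567';   // placeholder

function sshConnectPinned(string $host, int $port, string $expectedSha1)
{
    // ssh2_connect(host, port, methods, callbacks). Methods are left null so
    // libssh2 negotiates its current defaults; forcing group1 DH, 3des-cbc and
    // hmac-md5 as in the post only works against servers that still enable them.
    $callbacks = ['disconnect' => function ($reason, $message, $language) {
        fwrite(STDERR, "ssh disconnect ($reason): $message\n");
    }];
    $session = ssh2_connect($host, $port, null, $callbacks);
    if ($session === false) {
        throw new RuntimeException("cannot open SSH connection to $host:$port");
    }
    // The only MITM defence available here: without it an on-path attacker's
    // server is accepted and your private key then signs its authentication challenge.
    $fp = ssh2_fingerprint($session, SSH2_FINGERPRINT_SHA1 | SSH2_FINGERPRINT_HEX);
    if (!hash_equals(strtoupper($expectedSha1), strtoupper($fp))) {
        throw new RuntimeException("host key mismatch for $host: got $fp");
    }
    return $session;
}

function sshRun($session, string $user, string $pubkey, string $privkey, string $cmd): string
{
    foreach ([$pubkey, $privkey] as $file) {
        if (!is_readable($file)) {
            throw new RuntimeException("key file not readable: $file");
        }
    }
    if (!ssh2_auth_pubkey_file($session, $user, $pubkey, $privkey)) {
        throw new RuntimeException("public-key authentication failed for $user");
    }
    $stream = ssh2_exec($session, $cmd);
    if ($stream === false) {
        throw new RuntimeException('ssh2_exec failed');
    }
    stream_set_blocking($stream, true);
    $out = stream_get_contents($stream);
    fclose($stream);
    return $out;
}

$session = sshConnectPinned(SSH_HOST, SSH_PORT, EXPECTED_SHA1);
echo sshRun($session, SSH_USER, SSH_PUBKEY, SSH_PRIVKEY, 'uname -a');
```

If you do need to restrict algorithms, put them in the third argument (for example ['hostkey' => 'ssh-rsa']) and keep the fourth for callbacks only; a mismatch between what you force and what the server offers fails the key exchange before authentication is even attempted.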
Re: [PHP] Warning messages on web page.
Hold everything, Mike! On Wed, Jun 23, 2010 at 05:18, Mike Davies wrote: [snip!] > > mysql_select_db($database_general, $general); > $query_details = "SELECT * FROM news WHERE news_id = '$_GET[id]'"; /** * Above line is placed here so that we can be easily, * deliberately, and permanently destroyed. Of course, * I suppose we *could* avoid that by sanitizing the input. * Perhaps mysql_real_escape_string() or something */ > $details = mysql_query($query_details, $general) or die(mysql_error()); > $row_details = mysql_fetch_assoc($details); > $totalRows_details = mysql_num_rows($details); > > mysql_select_db($database_general, $general); // You don't need to reconnect to the database between queries. // Since you're using the same here as above, the same link is fine. > $query_thumbs = "SELECT * FROM news_thumbs"; > $thumbs = mysql_query($query_thumbs, $general) or die(mysql_error()); // You don't need to tell mysql_query() which database to use every time // either, when using the same database for queries. > $totalRows_thumbs = mysql_num_rows($thumbs); // Doesn't look like you use this --- at least in this code snippet. Necessary? > $i = 1; // I'd lose the above line as well. You'll see why in a second /** REPLACE THIS: > while ($row_thumbs = mysql_fetch_assoc($thumbs)){ > $thumbsarray[$i] = $row_thumbs; > $i++; > } **/ // WITH THIS: while($row_thumbs = mysql_fetch_assoc($thumbs)) { $thumbsarray[] = $row_thumbs; } > //print_r($thumbsarray); > ?> > This is exactly the same as the code which is working for the 'projects' > pages. Okay. On the database to which you're connecting, use phpMyAdmin, the MySQL CLI, or something other than this and run the following query: SELECT * FROM news_thumbs; Is anything returned? -- UNADVERTISED DEDICATED SERVER SPECIALS SAME-DAY SETUP Just ask me what we're offering today! 
daniel.br...@parasane.net || danbr...@php.net http://www.parasane.net/ || http://www.pilotpig.net/
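The two queries from Mike's snippet rewritten the way Daniel's comments suggest, as an added example that is not code from either of them: the request id is validated and bound as a parameter instead of being interpolated into the SQL, and $thumbsarray is always an array, so the reset() warning cannot occur when news_thumbs is empty. The PDO DSN and credentials are placeholders standing in for the original $general connection.

```php
<?php
// Added example, not Mike's or Daniel's code. Connection details are placeholders.
$db = new PDO('mysql:host=localhost;dbname=general;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // server-side prepares: values never enter SQL text
]);

function fetchNewsItem(PDO $db, $rawId): ?array
{
    // The original builds "... WHERE news_id = '$_GET[id]'" from the raw request,
    // so ?id=0' OR '1'='1 rewrites the query. Validate the type first, then bind.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $stmt = $db->prepare('SELECT * FROM news WHERE news_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function fetchThumbs(PDO $db): array
{
    // fetchAll() returns [] for an empty table, so callers that reset() or
    // foreach over the result never see an undefined variable.
    return $db->query('SELECT * FROM news_thumbs')->fetchAll(PDO::FETCH_ASSOC);
}

$item = fetchNewsItem($db, $_GET['id'] ?? null);
if ($item === null) {
    http_response_code(404);
    exit('No such news item');
}
$thumbsarray = fetchThumbs($db);
foreach ($thumbsarray as $thumb) {
    // render $thumb ...
}
```

Binding with PDO::PARAM_INT after FILTER_VALIDATE_INT also answers Daniel's "sanitize the input" note without mysql_real_escape_string(): the id is a number before it reaches the driver, and the driver sends it separately from the query.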
Re: [PHP] Warning messages on web page.
On Wed, 2010-06-23 at 15:55 +0530, Shreyas Agasthya wrote: > Mike, > > Little weird. I executed the same lines of code against my sample database > and did not got any warning. You might want to send the code for projects > and news to do any comparison? > *[I will silently wait for the PHP demi-gods (the Ashleys, the Pauls et al) > at hover their vigilant eyes on your lines .:) ]* > > Regards, > Shreyas > > On Wed, Jun 23, 2010 at 2:48 PM, Mike Davies > wrote: > > > > > The only earlier reference to $thumbsarray is in the first lines of the > > file : > > > > > mysql_select_db($database_general, $general); > > $query_details = "SELECT * FROM news WHERE news_id = '$_GET[id]'"; > > $details = mysql_query($query_details, $general) or die(mysql_error()); > > $row_details = mysql_fetch_assoc($details); > > $totalRows_details = mysql_num_rows($details); > > > > mysql_select_db($database_general, $general); > > $query_thumbs = "SELECT * FROM news_thumbs"; > > $thumbs = mysql_query($query_thumbs, $general) or die(mysql_error()); > > $totalRows_thumbs = mysql_num_rows($thumbs); > > $i = 1; > > while ($row_thumbs = mysql_fetch_assoc($thumbs)){ > > $thumbsarray[$i] = $row_thumbs; > > $i++; > > } > > > > //print_r($thumbsarray); > > ?> > > > > This is exactly the same as the code which is working for the 'projects' > > pages. > > > > Mike > > > > -- > > Mike Davies > > Integra Web Design, Rhynie, By Huntly, AB54 4LS > > 01464 861535www.integrawebdesign.co.uk > > > > > > -- > > PHP General Mailing List (http://www.php.net/) > > To unsubscribe, visit: http://www.php.net/unsub.php > > > > > > If you didn't get any warnings on your test machine, it might just be because of a different error reporting being set up. As for the local test, did it work as expected? If so, and the code hasn't changed, then it might be the actual tables in the database. 
If there are no rows returned where you expected some, and the code expects rows as an array, then it could be the cause of the problem. Thanks, Ash http://www.ashleysheridan.co.uk
Re: [PHP] Warning messages on web page.
Mike, Little weird. I executed the same lines of code against my sample database and did not get any warning. You might want to send the code for projects and news to do any comparison? *[I will silently wait for the PHP demi-gods (the Ashleys, the Pauls et al) at hover their vigilant eyes on your lines .:) ]* Regards, Shreyas On Wed, Jun 23, 2010 at 2:48 PM, Mike Davies wrote: > > The only earlier reference to $thumbsarray is in the first lines of the > file : > > mysql_select_db($database_general, $general); > $query_details = "SELECT * FROM news WHERE news_id = '$_GET[id]'"; > $details = mysql_query($query_details, $general) or die(mysql_error()); > $row_details = mysql_fetch_assoc($details); > $totalRows_details = mysql_num_rows($details); > > mysql_select_db($database_general, $general); > $query_thumbs = "SELECT * FROM news_thumbs"; > $thumbs = mysql_query($query_thumbs, $general) or die(mysql_error()); > $totalRows_thumbs = mysql_num_rows($thumbs); > $i = 1; > while ($row_thumbs = mysql_fetch_assoc($thumbs)){ > $thumbsarray[$i] = $row_thumbs; > $i++; > } > > //print_r($thumbsarray); > ?> > > This is exactly the same as the code which is working for the 'projects' > pages. > > Mike > > -- > Mike Davies > Integra Web Design, Rhynie, By Huntly, AB54 4LS > 01464 861535 www.integrawebdesign.co.uk > > -- Regards, Shreyas Agasthya
Re: [PHP] How to store encrypted data and how to store the key?
On 23 June 2010 10:09, Michael Shadle wrote: > On Wed, Jun 23, 2010 at 12:55 AM, Tommy Pham wrote: > >>> I haven't had to implement a scheme like this but for an app I'm working on >>> we've been considering the same issues in order to keep member data safe. >>> I would say your best bet is to keep the decryption key in memory while the >> >> This is something I'm very interested in hearing more about since our other >> discussion about PHP & threads and how some list members prefer the 'share >> nothing' approach. That said, how would you access the memory for every >> individual sessions that need that decrypting code/key when nothing is >> shared? (I'm assuming that this would be purely in PHP :) > > +1. each server stores it locally in APC, or you have to mess with > memcached, and since it is plaintext, encrypt that too? :p > > I -always- design for 'shared nothing' so this is a necessary > discussion too, if "in memory" is the idea. > In memory means that any of the php processes spawned by the server would have access to it. Encrypting it in memory really doesn't help you, as the php process would then decrypt it, bringing you back to square one: you just mimic the decrypting behaviour of a working php process to get the plaintext key. Shared nothing also doesn't help you - that just multiplies the amount of places the key is placed because you're still facing the same issue: the scripts need access to the key. You could possibly devise an authentication scheme by which a script could authenticate itself to a server that would then hand out the key ... but that's susceptible to other attacks as well. So I'd probably stick the key in memory, possibly memcached. I'd encrypt it but nothing special, just making sure that you cannot get the plaintext from memcached without digging through working php files to figure out how you decrypt it. Then I'd monitor the solution to see if anything *weird* was going on, wiping memcache if something strange comes up. 
As should be obvious, this doesn't solve the problems. Your number one priority is blocking access to the server. Number two is making sure that noone can use the data *if* they get access but without working scripts. If someone roots the server with everything up and running, there's really very little you can do. This is getting offtopic, though, if memory serves. I believe PCI has some strict requirements on how security should be implemented. You'll have to follow those and not other schemes that may be more or less secure. Regards Peter -- WWW: http://plphp.dk / http://plind.dk LinkedIn: http://www.linkedin.com/in/plind BeWelcome/Couchsurfing: Fake51 Twitter: http://twitter.com/kafe15
Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection
On Wed, 2010-06-23 at 12:21 +0300, Tanel Tammik wrote: > "Michael Shadle" wrote in message > news:aanlktildd_gdnlffpuwdx5acwwk45jbu4i6ybbmgj...@mail.gmail.com... > > On Wed, Jun 23, 2010 at 12:06 AM, Rene Veerman wrote: > >> unlikely. it's a apache delivered ip address.. very little chance of > >> insert vulnerabilities, imho. > > > > still, the overhead for a db escape is better than your site being > > trashed. > > > > also, you could look at converting the IP to an INT(10) (at least for > > IPv4) and save > > > > ip in string - 123.456.789.123 - up to 15 bytes - varchar(15) > > ip in integer format - 4 bytes - int(10) > > > > I've done this on a variety of projects. Arjen even mentions it back in > > 2005: > > > > http://arjen-lentz.livejournal.com/44290.html > > > > It does make things a bit harder to read, and at one point I did get > > different results when calculating it in PHP vs. MySQL (I forget when > > and how, and haven't seen the issue again) but if you're looking for > > IP ranges it can come in handy too - integer math is much cleaner than > > IP address math :) > > how do i convert it? with ip2long() or in sql with INET_ATON()? > > Br Tanel > > > That's what I'd use. You may also have to wrap it inside an abs() call to ensure it's a positive number, as some IP addresses equate to negative with ip2long(). The benefit of converting it to a number I've found is that searching can become much faster as it's easier to perform a simple number comparison search to find if a given IP address is within a range than perform more complex string queries to determine if an IP address is within a range. You will, as well, benefit from a smaller table, as it uses far less space to store a number than a string of up to 15 characters. Also, if you're looking to use one of the ip2country type databases to determine the rough geographical location of your visitors, they use the IP number system. Thanks, Ash http://www.ashleysheridan.co.uk
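Tanel asks whether to convert with ip2long() or INET_ATON(), Ash's reply above suggests abs(), and Ash's later question in this thread asks what the right method is once abs() is ruled out. The following is an added example, not code from the thread, that shows the answer: on 32-bit PHP ip2long() returns a signed integer, so anything at or above 128.0.0.0 comes back negative, and sprintf('%u') reinterprets those bits as unsigned, which is what abs() does not do (Andrew's reply shows abs() turning 192.168.0.1 into 63.87.255.255). It also stores the network-order bytes the way Andrew describes, which covers IPv6 as well, and binds the value so the address never becomes part of the SQL text. The PDO connection and the visits table are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes a PDO connection to MySQL
// and a hypothetical table:
//   CREATE TABLE visits (ip_num INT UNSIGNED NULL, ip_bin VARBINARY(16) NOT NULL,
//                        seen DATETIME NOT NULL)

function ipv4ToUnsigned(string $ip): string
{
    // REMOTE_ADDR can be IPv6 ("::1") on a dual-stack host; ip2long() returns
    // false for that, so validate explicitly instead of trusting the value.
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        throw new InvalidArgumentException("not an IPv4 address: $ip");
    }
    // On 32-bit PHP ip2long('192.168.0.1') is -1062731775: the unsigned value
    // 3232235521 wrapped past 2^31. %u prints the same bits as unsigned, whereas
    // abs() gives 1062731775, a different address. On 64-bit PHP the value is
    // already positive and %u is a no-op, so the result is identical on both.
    return sprintf('%u', ip2long($ip));
}

function ipToBinary(string $ip): string
{
    // Network-order bytes: 4 for IPv4, 16 for IPv6. Bytewise comparison on a
    // BINARY/VARBINARY column keeps range checks (BETWEEN) correct for either.
    $packed = inet_pton($ip);
    if ($packed === false) {
        throw new InvalidArgumentException("not an IP address: $ip");
    }
    return $packed;
}

function recordVisit(PDO $db, string $ip): void
{
    // REMOTE_ADDR is set by the server from the TCP peer, but code that falls
    // back to X-Forwarded-For hands the client the string; binding it means it
    // cannot alter the query whatever it contains.
    $stmt = $db->prepare(
        'INSERT INTO visits (ip_num, ip_bin, seen) VALUES (:num, :bin, NOW())'
    );
    $isV4 = filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false;
    // Bound as a string on purpose: binding 3232235521 as PARAM_INT overflows on 32-bit PHP.
    $stmt->bindValue(':num', $isV4 ? ipv4ToUnsigned($ip) : null,
                     $isV4 ? PDO::PARAM_STR : PDO::PARAM_NULL);
    $stmt->bindValue(':bin', ipToBinary($ip), PDO::PARAM_LOB);
    $stmt->execute();
}

// Self-check of the conversion, no database needed:
var_dump(ipv4ToUnsigned('192.168.0.1') === '3232235521');   // bool(true) on 32- and 64-bit
var_dump(long2ip(ip2long('192.168.0.1')));                   // string(11) "192.168.0.1"
var_dump(bin2hex(ipToBinary('89.243.156.135')));             // string(8) "59f39c87"
```

INET_ATON() in MySQL produces the same unsigned number as ipv4ToUnsigned(), so an INT UNSIGNED column can be filled from either side and range queries (WHERE ip_num BETWEEN INET_ATON('89.243.0.0') AND INET_ATON('89.243.255.255')) work as plain integer comparisons; the ip2country databases Ash mentions use this unsigned form, which is why they contain no negative numbers.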
Re: [PHP] Question about logins and locking
On 23 June 2010 07:44, Tommy Pham wrote: >> -Original Message- >> From: James Colannino [mailto:ja...@colannino.org] >> Sent: Tuesday, June 22, 2010 10:06 PM >> To: PHP-General List >> Subject: Re: [PHP] Question about logins and locking >> >> Tommy Pham wrote: >> >> > 1) Set an encrypted (to prevent hijacking and eavesdropping) cookie to >> > expire when browser closes >> > 2) Have a table in the DB backend to keep track if the user is logged >> > in or not and when was the last time the validated user access your >> > site (this gets updated when the user visit a link on your site by >> > checking the cookie and the DB entry of the session ID) >> > 3) Set your session timeout accordingly to you security requirement >> > 4) Have a javascript on a timeout to self-logoff should the user is >> > AFK longer than your session timeout. >> > >> > If another user or if the same user tries to login with a different >> > browser, you can check the status of the user. If the user is logged >> > in, you can deny it after the authentication. Should the user closes >> > the browser without having to logoff, you can check when was the last >> > time the user accessed your site and see if it's been longer than your >> session timeout. >> > For security purposes, you can optionally send a courtesy email >> > notifying that the user didn't logout properly since last accessed. >> > This way, you can track whether if the user's system is compromised in >> > some way or not. It all depends on what kind of application, service, >> > user level access, and the strict security you require. >> >> Thanks Tommy. That was very helpful, and some of it is similar to how I > was >> thinking of doing it. >> >> James >> > > Forgot 1 more thing, if you really want to be strict about security, you can > set a very highly secured permanent cookie on the user's system on the first > initial login. You can send them a confirmation code, that it's really who > they say they are, to the email address. 
Then the user will need > that confirmation code along with the current password as part of the > initial logon process. So if a hijacker or eavesdropper tries to logon with > your user's info on another system, a new confirmation code would be sent to > your user's email address. Your user would then know their identity has been > stolen. Setting this up will entail slight modification to your app and DB > design but will have better overall security. Again, evaluate your needs > and services ;) > > Regards, > Tommy > > There is a project dealing with creating a secure login for a web site. It is being developed multi-lingually and across multiple languages (PHP, VB.net, etc.). Take a look at https://code.google.com/p/loginsystem-rd/ -- - Richard Quadling "Standing on the shoulders of some very clever giants!" EE : http://www.experts-exchange.com/M_248814.html EE4Free : http://www.experts-exchange.com/becomeAnExpert.jsp Zend Certified Engineer : http://zend.com/zce.php?c=ZEND002498&r=213474731 ZOPA : http://uk.zopa.com/member/RQuadling
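The server-side part of the scheme Tommy lists above (a table recording whether the user is logged in and when they were last seen, a session timeout, and refusing a second login while the first is live), as an added example that is not Tommy's or Richard's code. One point it makes that the list does not: the cookie carries only an opaque session id, so there is nothing in it to encrypt; what stops hijacking is the cookie's flags plus the server-side record, and the id is regenerated at login so a pre-login id cannot be fixated. Assumes PHP 7.3+, a PDO connection to MySQL and the active_logins table shown in the comment; the timeout is an assumed policy value.

```php
<?php
// Added example, not Tommy's or Richard's code. Assumes a hypothetical table:
//   CREATE TABLE active_logins (user_id INT PRIMARY KEY, session_hash CHAR(64) NOT NULL,
//                               last_seen INT UNSIGNED NOT NULL)
const IDLE_TIMEOUT = 900;   // seconds; assumed policy value

function startSecureSession(): void
{
    // HTTPS-only, hidden from JavaScript, not sent on cross-site requests,
    // and discarded when the browser closes (lifetime 0).
    session_set_cookie_params([
        'lifetime' => 0, 'secure' => true, 'httponly' => true, 'samesite' => 'Strict',
    ]);
    ini_set('session.use_strict_mode', '1');   // never adopt an id the client invented
    session_start();
}

function loginUser(PDO $db, int $userId): bool
{
    $now = time();
    $stmt = $db->prepare('SELECT last_seen FROM active_logins WHERE user_id = ?');
    $stmt->execute([$userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row !== false && ($now - (int) $row['last_seen']) < IDLE_TIMEOUT) {
        return false;   // a live session exists in another browser; refuse (or evict it here)
    }
    // Fresh id at the privilege boundary; the old, possibly attacker-known id dies.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    // Store a hash of the id: a read of this table must not yield usable cookies.
    $db->prepare('REPLACE INTO active_logins (user_id, session_hash, last_seen) VALUES (?, ?, ?)')
       ->execute([$userId, hash('sha256', session_id()), $now]);
    return true;
}

function requireLogin(PDO $db): int
{
    $userId = isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : 0;
    $row = false;
    if ($userId > 0) {
        $stmt = $db->prepare('SELECT session_hash, last_seen FROM active_logins WHERE user_id = ?');
        $stmt->execute([$userId]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
    }
    $now     = time();
    $ownRow  = $row !== false && hash_equals($row['session_hash'], hash('sha256', session_id()));
    $expired = $ownRow && ($now - (int) $row['last_seen']) >= IDLE_TIMEOUT;
    if (!$ownRow || $expired) {
        // Delete the row only when it is this session's own expired row; a hash
        // mismatch means another browser now owns the login and must keep it.
        if ($expired) {
            $db->prepare('DELETE FROM active_logins WHERE user_id = ?')->execute([$userId]);
        }
        $_SESSION = [];
        session_destroy();
        http_response_code(401);
        exit('Session expired or superseded');
    }
    $db->prepare('UPDATE active_logins SET last_seen = ? WHERE user_id = ?')->execute([$now, $userId]);
    return $userId;
}

function logoutUser(PDO $db, int $userId): void
{
    $db->prepare('DELETE FROM active_logins WHERE user_id = ?')->execute([$userId]);
    $_SESSION = [];
    session_destroy();
}

// Typical protected page: startSecureSession(); $uid = requireLogin($db); ...
```

Tommy's JavaScript auto-logoff is a convenience on top of this, not a control: the server-side timeout in requireLogin() is what actually ends an abandoned session, and it works whether or not the browser ever runs the script.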
Re: [PHP] Stripping Characters
On 23 June 2010 01:03, Rick Dwyer wrote: > $find = '/[^a-z0-9]/i'; Replace that with ... $find = '/[^a-z0-9]++/i'; And now you only need ... $new_string = trim(preg_replace($find, $replace, $old_string)); -- - Richard Quadling "Standing on the shoulders of some very clever giants!" EE : http://www.experts-exchange.com/M_248814.html EE4Free : http://www.experts-exchange.com/becomeAnExpert.jsp Zend Certified Engineer : http://zend.com/zce.php?c=ZEND002498&r=213474731 ZOPA : http://uk.zopa.com/member/RQuadling
Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection
"Michael Shadle" wrote in message news:aanlktildd_gdnlffpuwdx5acwwk45jbu4i6ybbmgj...@mail.gmail.com... > On Wed, Jun 23, 2010 at 12:06 AM, Rene Veerman wrote: >> unlikely. it's a apache delivered ip address.. very little chance of >> insert vulnerabilities, imho. > > still, the overhead for a db escape is better than your site being > trashed. > > also, you could look at converting the IP to an INT(10) (at least for > IPv4) and save > > ip in string - 123.456.789.123 - up to 15 bytes - varchar(15) > ip in integer format - 4 bytes - int(10) > > I've done this on a variety of projects. Arjen even mentions it back in > 2005: > > http://arjen-lentz.livejournal.com/44290.html > > It does make things a bit harder to read, and at one point I did get > different results when calculating it in PHP vs. MySQL (I forget when > and how, and haven't seen the issue again) but if you're looking for > IP ranges it can come in handy too - integer math is much cleaner than > IP address math :) how do i convert it? with ip2long() or in sql with INET_ATON()? Br Tanel
Re: [PHP] Warning messages on web page.
On Tue, 2010-06-22 at 10:41 -0400, Daniel P. Brown wrote:
> On Tue, Jun 22, 2010 at 10:17, Mike Davies wrote:
> [snip!]
>>
>> Warning: reset() [function.reset]: Passed variable is not an array or object in /home/b23aadf/public_html/news/details.php on line 72
> [snip!]
>>
>> Is anyone able to help resolve this? If you let me know what further information you require I can provide it.
>
> Note the first error (quoted herein). That tells you that the variable ($thumbsarray) is not actually an array. How is it being instantiated and defined?
>

The only earlier reference to $thumbsarray is in the first lines of the file :

This is exactly the same as the code which is working for the 'projects' pages.

Mike

--
Mike Davies
Integra Web Design, Rhynie, By Huntly, AB54 4LS
01464 861535
www.integrawebdesign.co.uk
RE: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection
> -Original Message-
> From: Michael Shadle [mailto:mike...@gmail.com]
> Sent: Wednesday, June 23, 2010 1:07 AM
> To: Tommy Pham
> Cc: php-general@lists.php.net
> Subject: Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection
>
> On Wed, Jun 23, 2010 at 1:01 AM, Tommy Pham wrote:
>
>> If you're going to implement this, then it's better to implement the conversion in the backend DB (via SP or UDF). So you can always use MySQL query browser or the command line to run queries or other methods depending on your access to the DB, especially if you need to find that malicious IP address quickly ;)
>
> -1 for complicating mysql setups :)

Just an afterthought scenario: You got a skilled hacker using multiple (compromised) systems or spoofing multiple IPs. This would naturally and easily bypass your firewall. The web server(s) are overloaded with the phony requests. What are you going to do to get the source of the problem and how are you going to analyze the problem? Are you going to have some kind of reporting on your app, which is already being overloaded with phony requests? Or are you going to access the DB directly to analyze the access logs and compare the incoming requests to analyze the IPs and/or requested URLs?

Thus, I see 2 choices: "-1 for complicating mysql setups" (-1 for complicating the app+code - which is not very useful at this point) + face to palm for not being able to get IP address(es) quickly enough ... tough call :)
RE: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection
> -Original Message-
> From: Michael Shadle [mailto:mike...@gmail.com]
> Sent: Wednesday, June 23, 2010 1:20 AM
> To: Tommy Pham
> Cc: php-general@lists.php.net
> Subject: Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection
>
> On Wed, Jun 23, 2010 at 1:12 AM, Tommy Pham wrote:
>
>> Then I presume that your firewall, servers, and application is test proven 'bulletproof'? :-P
>
> a) no such thing
> b) pretty damn solid, yes
>
> and the reason? because i don't overcomplicate things.
>
> "a simple stack is a happy stack"
>
> :)

I agree that bulletproof is no such thing but in all my IT experiences through 2 decades, whatever I'm responsible for whether servers (hardware & software) and/or networks, they have never been compromised or taken down :) because I can track down the source of the problem and deal with it before it has a chance to escalate ;) It's all about finding that IP quickly and dealing with it even faster.

Regards,
Tommy
Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection
On Wed, Jun 23, 2010 at 1:12 AM, Tommy Pham wrote:
> Then I presume that your firewall, servers, and application is test proven 'bulletproof'? :-P

a) no such thing
b) pretty damn solid, yes

and the reason? because i don't overcomplicate things.

"a simple stack is a happy stack"

:)
RE: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection
> -Original Message-
> From: Michael Shadle [mailto:mike...@gmail.com]
> Sent: Wednesday, June 23, 2010 1:07 AM
> To: Tommy Pham
> Cc: php-general@lists.php.net
> Subject: Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection
>
> On Wed, Jun 23, 2010 at 1:01 AM, Tommy Pham wrote:
>
>> If you're going to implement this, then it's better to implement the conversion in the backend DB (via SP or UDF). So you can always use MySQL query browser or the command line to run queries or other methods depending on your access to the DB, especially if you need to find that malicious IP address quickly ;)
>
> -1 for complicating mysql setups :)

Then I presume that your firewall, servers, and application is test proven 'bulletproof'? :-P

Regards,
Tommy
Re: [PHP] How to store encrypted data and how to store the key?
On Wed, Jun 23, 2010 at 12:55 AM, Tommy Pham wrote:
>> I haven't had to implement a scheme like this but for an app I'm working on we've been considering the same issues in order to keep member data safe. I would say your best bet is to keep the decryption key in memory while the
>
> This is something I'm very interested in hearing more about since our other discussion about PHP & threads and how some list members prefer the 'share nothing' approach. That said, how would you access the memory for every individual sessions that need that decrypting code/key when nothing is shared? (I'm assuming that this would be purely in PHP :)

+1. each server stores it locally in APC, or you have to mess with memcached, and since it is plaintext, encrypt that too? :p

I -always- design for 'shared nothing' so this is a necessary discussion too, if "in memory" is the idea.
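As an added example (not code from the thread or from any of the posters), one way to do Peter's "key in memory, loaded by hand after boot" on a shared-nothing PHP host: an operator pushes the key into a System V shared-memory segment from the CLI, and every web worker on that host reads it from there per request, so nothing has to be shared between servers and nothing is written to disk. It assumes the shmop and sodium extensions, that the unseal step runs as the web server user, and a constructed segment id.

```php
<?php
// Added example, not code from the list thread. Peter's scheme on one
// host: the key is typed in by an operator once per boot and lives only
// in a shared-memory segment; PHP workers read it from there. System V
// segments outlive the process that created them but not a reboot, so a
// restarted server really does need the manual step again. Assumes the
// shmop and sodium extensions, that the CLI step runs as the web server
// user (the 0600 segment must be readable by the workers), and a
// constructed segment id below.
//
// Limits, as Peter says: this protects the key at rest (disk images,
// backups, leaked config files), not against code already running on
// the web server, which can read the segment just as the app does.

declare(strict_types=1);

const KEY_SEGMENT_ID = 0x4b455931;                   // constructed: 'KEY1'
const KEY_BYTES      = SODIUM_CRYPTO_SECRETBOX_KEYBYTES;   // 32

/** Operator side (CLI): read the hex key from stdin and park it in RAM. */
function loadKeyFromOperator(): void
{
    fwrite(STDERR, "Enter data key (64 hex chars): ");
    $hex = trim((string) fgets(STDIN));  // stdin, so not in argv or shell history
    $key = sodium_hex2bin($hex);
    if (strlen($key) !== KEY_BYTES) {
        throw new RuntimeException('key must be exactly ' . KEY_BYTES . ' bytes');
    }
    $seg = shmop_open(KEY_SEGMENT_ID, 'c', 0600, KEY_BYTES);
    if ($seg === false) {
        throw new RuntimeException('cannot create key segment');
    }
    shmop_write($seg, $key, 0);
    sodium_memzero($key);   // wipe the CLI's own copies
    sodium_memzero($hex);
}

/** Web side: fetch the key per request; fail closed if it is not loaded. */
function currentKey(): string
{
    $seg = @shmop_open(KEY_SEGMENT_ID, 'a', 0, 0);   // read-only attach
    if ($seg === false) {
        throw new RuntimeException('data key not loaded; run the unseal step');
    }
    return shmop_read($seg, 0, KEY_BYTES);
}

/** Encrypt one field; the nonce is prepended so one column holds both. */
function sealField(string $plaintext): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = sodium_crypto_secretbox($plaintext, $nonce, currentKey());
    return base64_encode($nonce . $box);
}

/** Decrypt a stored field; authentication failure is an error, not garbage. */
function openField(string $stored): string
{
    $raw  = base64_decode($stored, true);
    $nlen = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;
    if ($raw === false || strlen($raw) < $nlen + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        throw new RuntimeException('malformed ciphertext');
    }
    $plain = sodium_crypto_secretbox_open(substr($raw, $nlen), substr($raw, 0, $nlen), currentKey());
    if ($plain === false) {
        throw new RuntimeException('decryption failed (wrong key or tampered data)');
    }
    return $plain;
}

// Operator usage after boot:  php this_file.php unseal
if (PHP_SAPI === 'cli' && ($argv[1] ?? '') === 'unseal') {
    loadKeyFromOperator();
}
```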
Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection
On Wed, Jun 23, 2010 at 1:01 AM, Tommy Pham wrote:
> If you're going to implement this, then it's better to implement the conversion in the backend DB (via SP or UDF). So you can always use MySQL query browser or the command line to run queries or other methods depending on your access to the DB, especially if you need to find that malicious IP address quickly ;)

-1 for complicating mysql setups :)
RE: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection
> -Original Message-
> From: Michael Shadle [mailto:mike...@gmail.com]
> Sent: Wednesday, June 23, 2010 12:17 AM
> To: Rene Veerman
> Cc: Tanel Tammik; php-general@lists.php.net
> Subject: Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection
>
> On Wed, Jun 23, 2010 at 12:06 AM, Rene Veerman wrote:
>> unlikely. it's an apache delivered ip address.. very little chance of insert vulnerabilities, imho.
>
> still, the overhead for a db escape is better than your site being trashed.
>
> also, you could look at converting the IP to an INT(10) (at least for IPv4) and save
>
> ip in string - 123.456.789.123 - up to 15 bytes - varchar(15)
> ip in integer format - 4 bytes - int(10)
>

If you're going to implement this, then it's better to implement the conversion in the backend DB (via SP or UDF). So you can always use MySQL query browser or the command line to run queries or other methods depending on your access to the DB, especially if you need to find that malicious IP address quickly ;)

Regards,
Tommy

> I've done this on a variety of projects. Arjen even mentions it back in 2005:
>
> http://arjen-lentz.livejournal.com/44290.html
>
> It does make things a bit harder to read, and at one point I did get different results when calculating it in PHP vs. MySQL (I forget when and how, and haven't seen the issue again) but if you're looking for IP ranges it can come in handy too - integer math is much cleaner than IP address math :)
RE: [PHP] How to store encrypted data and how to store the key?
> -Original Message-
> From: Peter Lind [mailto:peter.e.l...@gmail.com]
> Sent: Wednesday, June 23, 2010 12:22 AM
> To: Michael Shadle
> Cc: PHP-General
> Subject: Re: [PHP] How to store encrypted data and how to store the key?
>
> On 23 June 2010 09:11, Michael Shadle wrote:
>> This is somewhat related to the whole PCI/credit card discussion a couple weeks back. The consensus was basically "leave it to other people" - however, what if YOU are the other person?
>>
>> I wonder if anyone has some BKMs to share about encrypting data in a web application. A lot of people take the most obvious approach, but it's fundamentally flawed, that is:
>>
>> I take data from the user, I encrypt it (using PHP crypto, or MySQL crypto, etc.) and a key stored in my config file, and put it into the database. Then when I want to get it back, I just use decrypt + the key in my config file. The issue there? If your server is compromised and the database is accessible, they'll have the key to decrypt the data right off the server. They can pull down copies of everything or even write their own script ON the server itself to extract the data.
>>
>> This has been one thing that I have not really been able to figure out yet. You could separate the servers, and figure out some very hard way for them to communicate, but when it comes down to it, the webserver needs to access the data. For example, the webserver could be behind a fully firewalled setup that only allows MySQL traffic. However, the webserver has to access the data still.
>>
>> I assume the only solution is somehow storing the key in a third place, so the accessor has to get the key somehow before accessing the encrypted data. But again - how to automatically allow access for only the webapp? I thought of per-user keys, but that isn't an appropriate solution for something that needs to be encrypted using the same key.
>>
>> Has anyone had to implement anything like this? Is there a good whitepaper on something like this? Especially relating to HIPAA requirements. PCI would be nice too, but I'm sure once this major "unknown" in my mind is addressed, the general concepts are common, probably just differences in levels of firewalling, cryptography strength, physical access to the machines, etc.
>>
>> Please keep this on topic - this is about the people who DO have to address this issue, not something about "just offload it to other guys" - that's an obvious choice already, and not one that is allowed depending on the job.
>>
>
> I haven't had to implement a scheme like this but for an app I'm working on we've been considering the same issues in order to keep member data safe. I would say your best bet is to keep the decryption key in memory while the

This is something I'm very interested in hearing more about since our other discussion about PHP & threads and how some list members prefer the 'share nothing' approach. That said, how would you access the memory for every individual sessions that need that decrypting code/key when nothing is shared? (I'm assuming that this would be purely in PHP :)

Regards,
Tommy

> app is running. Initialize it by hand whenever the server is started - don't store it on the disk. Yes, your server won't be able to start up the app on its own but that's the security in the design, not a flaw. If you want automatic access for the web-app you've compromised security (anyone compromising the server has automatic access as well).
> You're essentially looking at the old problem: if it runs it can be broken. You can only try to make it as hard as possible but there's nothing foolproof.
>
> Regards
> Peter
>
> --
>
> WWW: http://plphp.dk / http://plind.dk
> LinkedIn: http://www.linkedin.com/in/plind
> BeWelcome/Couchsurfing: Fake51
> Twitter: http://twitter.com/kafe15
>
Re: [PHP] How to store encrypted data and how to store the key?
On Wed, Jun 23, 2010 at 12:21 AM, Peter Lind wrote:
> I haven't had to implement a scheme like this but for an app I'm working on we've been considering the same issues in order to keep member data safe. I would say your best bet is to keep the decryption key in memory while the app is running. Initialize it by hand whenever the server is started - don't store it on the disk. Yes, your server won't be able to start up the app on its own but that's the security in the design, not a flaw. If you want automatic access for the web-app you've compromised security (anyone compromising the server has automatic access as well).

That's something I've thought about before. Storing MySQL on an encrypted partition using cryptoloop or something. However, every time the server boots - someone has to manually unlock the partition (unless some sort of physical key is present, then another dimension is introduced)

However, that would solve the data being encrypted at rest, more or less. The issue of how to use the data in the web application is still not addressed this way :(
Re: [PHP] How to store encrypted data and how to store the key?
On 23 June 2010 09:11, Michael Shadle wrote:
> This is somewhat related to the whole PCI/credit card discussion a couple weeks back. The consensus was basically "leave it to other people" - however, what if YOU are the other person?
>
> I wonder if anyone has some BKMs to share about encrypting data in a web application. A lot of people take the most obvious approach, but it's fundamentally flawed, that is:
>
> I take data from the user, I encrypt it (using PHP crypto, or MySQL crypto, etc.) and a key stored in my config file, and put it into the database. Then when I want to get it back, I just use decrypt + the key in my config file. The issue there? If your server is compromised and the database is accessible, they'll have the key to decrypt the data right off the server. They can pull down copies of everything or even write their own script ON the server itself to extract the data.
>
> This has been one thing that I have not really been able to figure out yet. You could separate the servers, and figure out some very hard way for them to communicate, but when it comes down to it, the webserver needs to access the data. For example, the webserver could be behind a fully firewalled setup that only allows MySQL traffic. However, the webserver has to access the data still.
>
> I assume the only solution is somehow storing the key in a third place, so the accessor has to get the key somehow before accessing the encrypted data. But again - how to automatically allow access for only the webapp? I thought of per-user keys, but that isn't an appropriate solution for something that needs to be encrypted using the same key.
>
> Has anyone had to implement anything like this? Is there a good whitepaper on something like this? Especially relating to HIPAA requirements. PCI would be nice too, but I'm sure once this major "unknown" in my mind is addressed, the general concepts are common, probably just differences in levels of firewalling, cryptography strength, physical access to the machines, etc.
>
> Please keep this on topic - this is about the people who DO have to address this issue, not something about "just offload it to other guys" - that's an obvious choice already, and not one that is allowed depending on the job.
>

I haven't had to implement a scheme like this but for an app I'm working on we've been considering the same issues in order to keep member data safe. I would say your best bet is to keep the decryption key in memory while the app is running. Initialize it by hand whenever the server is started - don't store it on the disk. Yes, your server won't be able to start up the app on its own but that's the security in the design, not a flaw. If you want automatic access for the web-app you've compromised security (anyone compromising the server has automatic access as well).

You're essentially looking at the old problem: if it runs it can be broken. You can only try to make it as hard as possible but there's nothing foolproof.

Regards
Peter
Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection
On Wed, Jun 23, 2010 at 12:06 AM, Rene Veerman wrote:
> unlikely. it's an apache delivered ip address.. very little chance of insert vulnerabilities, imho.

still, the overhead for a db escape is better than your site being trashed.

also, you could look at converting the IP to an INT(10) (at least for IPv4) and save

ip in string - 123.456.789.123 - up to 15 bytes - varchar(15)
ip in integer format - 4 bytes - int(10)

I've done this on a variety of projects. Arjen even mentions it back in 2005:

http://arjen-lentz.livejournal.com/44290.html

It does make things a bit harder to read, and at one point I did get different results when calculating it in PHP vs. MySQL (I forget when and how, and haven't seen the issue again) but if you're looking for IP ranges it can come in handy too - integer math is much cleaner than IP address math :)
Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection
I was wondering, if there is a chance to manipulate the data this variable holds?

Br
Tanel

"Rene Veerman" wrote in message news:aanlktikwldeucxkru-4ni4pet5lq_5cc_vstnwrtx...@mail.gmail.com...
> unlikely. it's an apache delivered ip address.. very little chance of insert vulnerabilities, imho.
>
> On Wed, Jun 23, 2010 at 8:53 AM, Tanel Tammik wrote:
>> Hi,
>>
>> is there a vulnerability with using $_SERVER['REMOTE_ADDR'] in sql queries?
>>
>> Br
>> Tanel
>>
>
> --
> -
> Greetings from Rene7705,
>
> My free open source webcomponents:
> http://code.google.com/u/rene7705/
> http://mediabeez.ws/downloads (and demos)
>
> My music (i'm DJ firesnake)
> http://mediabeez.ws/music
>
> http://www.facebook.com/rene7705
> -
[PHP] How to store encrypted data and how to store the key?
This is somewhat related to the whole PCI/credit card discussion a couple weeks back. The consensus was basically "leave it to other people" - however, what if YOU are the other person?

I wonder if anyone has some BKMs to share about encrypting data in a web application. A lot of people take the most obvious approach, but it's fundamentally flawed, that is:

I take data from the user, I encrypt it (using PHP crypto, or MySQL crypto, etc.) and a key stored in my config file, and put it into the database. Then when I want to get it back, I just use decrypt + the key in my config file. The issue there? If your server is compromised and the database is accessible, they'll have the key to decrypt the data right off the server. They can pull down copies of everything or even write their own script ON the server itself to extract the data.

This has been one thing that I have not really been able to figure out yet. You could separate the servers, and figure out some very hard way for them to communicate, but when it comes down to it, the webserver needs to access the data. For example, the webserver could be behind a fully firewalled setup that only allows MySQL traffic. However, the webserver has to access the data still.

I assume the only solution is somehow storing the key in a third place, so the accessor has to get the key somehow before accessing the encrypted data. But again - how to automatically allow access for only the webapp? I thought of per-user keys, but that isn't an appropriate solution for something that needs to be encrypted using the same key.

Has anyone had to implement anything like this? Is there a good whitepaper on something like this? Especially relating to HIPAA requirements. PCI would be nice too, but I'm sure once this major "unknown" in my mind is addressed, the general concepts are common, probably just differences in levels of firewalling, cryptography strength, physical access to the machines, etc.

Please keep this on topic - this is about the people who DO have to address this issue, not something about "just offload it to other guys" - that's an obvious choice already, and not one that is allowed depending on the job.

Thanks :)
Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection
unlikely. it's an apache delivered ip address.. very little chance of insert vulnerabilities, imho.

On Wed, Jun 23, 2010 at 8:53 AM, Tanel Tammik wrote:
> Hi,
>
> is there a vulnerability with using $_SERVER['REMOTE_ADDR'] in sql queries?
>
> Br
> Tanel
>

--
-
Greetings from Rene7705,
-
Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection
On Wed, Jun 23, 2010 at 2:53 AM, Tanel Tammik wrote:
> Hi,
>
> is there a vulnerability with using $_SERVER['REMOTE_ADDR'] in sql queries?
>
> Br
> Tanel
>

As long as you treat it with the same caution that you do general form input (e.g., proper validation, escaping for mysql or using prepared statements, etc.), you'll be fine ;)

Adam

--
Nephtali: PHP web framework that functions beautifully
http://nephtaliproject.com
Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection
There's a vulnerability in using anything from the user in SQL queries. Escape it :)

On 23/06/2010, at 6:53 PM, Tanel Tammik wrote:
> Hi,
>
> is there a vulnerability with using $_SERVER['REMOTE_ADDR'] in sql queries?
>
> Br
> Tanel
>

---
Simon Welsh
Admin of http://simon.geek.nz/

Who said Microsoft never created a bug-free program? The blue screen never, ever crashes!

http://www.thinkgeek.com/brain/gimme.cgi?wid=81d520e5e
Re: [PHP] $_SERVER['REMOTE_ADDR'] and sql injection
On 23 June 2010 08:53, Tanel Tammik wrote:
> Hi,
>
> is there a vulnerability with using $_SERVER['REMOTE_ADDR'] in sql queries?
>

With any and all input to sql queries: escape the input. Then you don't have to ask the question.

Regards
Peter