php-general Digest 28 Jul 2011 09:13:21 -0000 Issue 7419
php-general Digest 28 Jul 2011 09:13:21 - Issue 7419
Topics (messages 314219 through 314225):
Re: Membership site
314219 by: Ashley Sheridan
314222 by: Negin Nickparsa
314224 by: Ashley Sheridan
314225 by: John Black
PayPal IPN
314220 by: Jason Pruim
314221 by: Daniel Brown
314223 by: John Black
Administrivia:
To subscribe to the digest, e-mail:
php-general-digest-subscr...@lists.php.net
To unsubscribe from the digest, e-mail:
php-general-digest-unsubscr...@lists.php.net
To post to the list, e-mail:
php-gene...@lists.php.net
--
---BeginMessage---
On Wed, 2011-07-27 at 14:01 -0700, wil prim wrote:
Hello, I am just starting out with PHP and I have just created a database
named Members with a table named Persons. There are 5 fields
(id,firstname, lastname, username, password) . The form I created is a sign
up form and the values entered into the form are inserted into the table
Persons, now my question is how do I create a secure log in system with
this new database? Thanks in advance! :)
Well, first, as a measure of security, make sure that you don't store
the plain text password in the DB. Something like an md5($password .
$email . $name) offers a rudimentary protection. For something a little
meatier, try sha1(). Storing it this way means that even if someone
gained access to your DB, they don't actually have the passwords, as
people often reuse passwords on different sites.
As to the login, you would accept the username and password combo, and
then hash or encrypt the password with the salt again, and compare with
the entry in the DB. It's typical to have a counter of incorrect logins
as well. More than 3 in a row causes the login for that username to lock
for a specific period of time. To achieve this, you would need to add a
couple of fields to your Persons table, `attempts`(tinyint)
`lock_time`(datetime).
When you attempt to log someone in with the username and password
(encrypted, hashed, whatever) you also check to see if the lock_time is
not some time in the future. If it is, then you don't allow them access.
If the password was wrong, then increment the attempts field by 1. If
this field gets incremented to a specific value (say 3 for example) then
you set the lock_time field to some date in the future, the wait period.
When a user logs in successfully, set the attempts counter to 0 again so
it's ready for the next login attempt to the account. This just ensures
that people aren't accidentally locked out indefinitely!
This is all just a rough sketch out of how I'd go about it, but it
should be enough logic for you to put some code together. It's no more
complex than a couple of queries and a few if statements. It may help
you to flowchart the whole thing out to get the logic clear in your
mind.
--
Thanks,
Ash
http://www.ashleysheridan.co.uk
---End Message---
---BeginMessage---
http://www.php.net/manual/en/security.database.sql-injection.php
http://www.php.net/manual/en/security.database.storage.php
---End Message---
---BeginMessage---
wil prim wilp...@me.com wrote:
Ok so I have the md5() taken care of and now i have also attempted to
create a login form plus a check login form that will try and match the
hashed value of the input with a field in the data base and if
successful it will echo 'You are now logged in' or else it will echo
'couldnt connect'. However when I try to log in with my newly created
username and password it echos 'couldnt connect'. Here is the code for
the form:
form method=post action=check_login.php
span style=font-size: 14pt;
Username: input type=text name=logginname /br/br/
Password: input type=password name=loginpassword /br/br/
input type=submit value=login /
/form
AND HERE IS THE check_login.php:
?php
include_once connect_mysql.php;
$result=mysql_query(SELECT * FROM Members);
$row=mysql_fetch_array($result);
$loginusername=$_POST['logginname'];
$loginpass=$_POST['logginpassword'];
$hash_loggin_username=md5($loginusername);
$hash_loggin_password=md5($loginpass);
if ($hash_loggin_username==$row['username']
$hash_loggin_password==$row['password'])
{
echo 'You are now logged in!';
}
else
{
echo 'couldnt connect';
}
?
In this code Members is the table and Persons is the database.
On Jul 27, 2011, at 02:28 PM, wil prim wilp...@me.com wrote:
Thanks for that! I'll try and put some code together and I'll reply
if I need some more help. ;)
Sent from my iPhone
On Jul 27, 2011, at 2:18 PM, Ashley Sheridan
a...@ashleysheridan.co.uk wrote:
On Wed, 2011-07-27 at 14:01 -0700, wil prim wrote:
Hello, I am just starting out with PHP and I have just created a
database named Members with a table named Persons. There are 5
fields (id,firstname, lastname, username, password) . The form I
created is
Re: [PHP] Membership site
http://www.php.net/manual/en/security.database.sql-injection.php http://www.php.net/manual/en/security.database.storage.php
Re: [PHP] PayPal IPN
On 28.07.2011 03:58, Jason Pruim wrote: Hey everyone, So I know this is related pretty strictly to paypal... But I also know that you all most likely use it :) So with that said... Has anyone successfully setup the IPN with paypal? I'm trying to figure out to get it up and working... Hi Jason, I might be able to help you with that. I don't have IPN integrated into my site yet but I have a script running which is inserting the transaction values into my db. It also sends out e-mails since I am testing how my existing subscriptions are handled so I don't run into any surprises when I turn on automation. You need to import the .sql into your mysql db and edit the settings at the top of the ipn file. Then rename the ipn file to something nobody should be able to guess and tell PayPal about it ... let me know if you run into trouble... http://www.sendspace.com/file/77iofs md5: 09f3f92050264c370ada7944555373ce PayPal IPN.zip Good luck -- John -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Membership site
wil prim wilp...@me.com wrote:
Ok so I have the md5() taken care of and now i have also attempted to
create a login form plus a check login form that will try and match the
hashed value of the input with a field in the data base and if
successful it will echo 'You are now logged in' or else it will echo
'couldnt connect'. However when I try to log in with my newly created
username and password it echos 'couldnt connect'. Here is the code for
the form:
form method=post action=check_login.php
span style=font-size: 14pt;
Username: input type=text name=logginname /br/br/
Password: input type=password name=loginpassword /br/br/
input type=submit value=login /
/form
AND HERE IS THE check_login.php:
?php
include_once connect_mysql.php;
$result=mysql_query(SELECT * FROM Members);
$row=mysql_fetch_array($result);
$loginusername=$_POST['logginname'];
$loginpass=$_POST['logginpassword'];
$hash_loggin_username=md5($loginusername);
$hash_loggin_password=md5($loginpass);
if ($hash_loggin_username==$row['username']
$hash_loggin_password==$row['password'])
{
echo 'You are now logged in!';
}
else
{
echo 'couldnt connect';
}
?
In this code Members is the table and Persons is the database.
On Jul 27, 2011, at 02:28 PM, wil prim wilp...@me.com wrote:
Thanks for that! I'll try and put some code together and I'll reply
if I need some more help. ;)
Sent from my iPhone
On Jul 27, 2011, at 2:18 PM, Ashley Sheridan
a...@ashleysheridan.co.uk wrote:
On Wed, 2011-07-27 at 14:01 -0700, wil prim wrote:
Hello, I am just starting out with PHP and I have just created a
database named Members with a table named Persons. There are 5
fields (id,firstname, lastname, username, password) . The form I
created is a sign up form and the values entered into the form are
inserted into the table Persons, now my question is how do I create a
secure log in system with this new database? Thanks in advance! :)
Well, first, as a measure of security, make sure that you don't
store
the plain text password in the DB. Something like an md5($password
.
$email . $name) offers a rudimentary protection. For something a
little
meatier, try sha1(). Storing it this way means that even if someone
gained access to your DB, they don't actually have the passwords,
as
people often reuse passwords on different sites.
As to the login, you would accept the username and password combo,
and
then hash or encrypt the password with the salt again, and compare
with
the entry in the DB. It's typical to have a counter of incorrect
logins
as well. More than 3 in a row causes the login for that username to
lock
for a specific period of time. To achieve this, you would need to
add a
couple of fields to your Persons table, `attempts`(tinyint)
`lock_time`(datetime).
When you attempt to log someone in with the username and password
(encrypted, hashed, whatever) you also check to see if the
lock_time is
not some time in the future. If it is, then you don't allow them
access.
If the password was wrong, then increment the attempts field by 1.
If
this field gets incremented to a specific value (say 3 for example)
then
you set the lock_time field to some date in the future, the wait
period.
When a user logs in successfully, set the attempts counter to 0
again so
it's ready for the next login attempt to the account. This just
ensures
that people aren't accidentally locked out indefinitely!
This is all just a rough sketch out of how I'd go about it, but it
should be enough logic for you to put some code together. It's no
more
complex than a couple of queries and a few if statements. It may
help
you to flowchart the whole thing out to get the logic clear in your
mind.
--
Thanks,
Ash
http://www.ashleysheridan.co.uk
On Jul 27, 2011, at 02:18 PM, Ashley Sheridan
a...@ashleysheridan.co.uk wrote:
On Wed, 2011-07-27 at 14:01 -0700, wil prim wrote:
Hello, I am just starting out with PHP and I have just created a
database named Members with a table named Persons. There are 5
fields (id,firstname, lastname, username, password) . The form I
created is a sign up form and the values entered into the form are
inserted into the table Persons, now my question is how do I create a
secure log in system with this new database? Thanks in advance! :)
Well, first, as a measure of security, make sure that you don't store
the plain text password in the DB. Something like an md5($password .
$email . $name) offers a rudimentary protection. For something a
little
meatier, try sha1(). Storing it this way means that even if someone
gained access to your DB, they don't actually have the passwords, as
people often reuse passwords on different sites.
As to the login, you would accept the username and password combo,
and
then hash or encrypt the password with the salt again, and compare
with
the entry in the DB.
Re: [PHP] Membership site
I would like to add some info about storing the password hash in the
database.
I recently tested how quickly one can brute force a simple md5('foo')
hash with a modern GPU. The results have been truly eye opening
I have been able to break hundreds of hashes with my ATI 6870 in a
couple of days. Even with passwords in the 8 char length range ... and
even salted ones.
The problem is that md5 is optimized for speed. Which is nice if you
want to hash a file but it offers an attacker the option to brute force
your password.
The solution is to hash multiple times and if possible using a different
hashing algorithm.
http://php.net/crypt can help you here.
I wrote a new password class for my own projects which will use crypt()
with sha512, sha256, blowfish if available or fall back to a 3000 round
md5().
This approach makes it impractical to bruteforce the hash because every
single test will have to run md5() 3000 times before it can validate a
single hash.
This also adds a delay to the login process but the hash is only checked
once
The code is released under the BSD license so you may use it in a
commercial application as well. The zip contains the class file and two
sample pages demonstrating how to use the class.
Here is a download link, let me know if you like it or have any questions.
http://www.2shared.com/file/kocAJ2HO/class_password.html
md5: 4ee41496a9d1bc147e5025699e2b764e class_password.zip
--
John
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Membership site
On 28.07.2011 11:13, John Black wrote:
This approach makes it impractical to bruteforce the hash because every
single test will have to run md5() 3000 times before it can validate a
single hash.
--
John
I am sorry, I made a mistake here, 3000 times is not enough for this.
The actual code for the md5 portion looks like this:
$this-hash_rounds['md5'] = 3000;
for( $x=0 ; $x $this-hash_rounds['md5'] ; ++$x)
{
$hash = md5($salt.md5($salt.$hash).md5($hash.$salt));
}
--
John
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Membership site
Just as a word of caution to everyone on this list, mcrypt version of
blowfish (which is implemented by php) (in linux) has an 8bit bug in it, and
thus should not be used for hashing passwords even as backup. Basically if
you use a character such as say a British pound in your password, blowfish
with php will generate, a wrong hash and allow for some extensive
collisions. For example a hash for ac followed by a pound or euro or any
of those extended chars (that are present on European keyboards and such)
and a hash for just that char, would be the same! If you want I can show you
with some demo code. But until fixed, don't use blowfish with php on linux
at least, if you can.
On Jul 28, 2011 5:14 AM, John Black s...@network-technologies.org wrote:
I would like to add some info about storing the password hash in the
database.
I recently tested how quickly one can brute force a simple md5('foo')
hash with a modern GPU. The results have been truly eye opening
I have been able to break hundreds of hashes with my ATI 6870 in a
couple of days. Even with passwords in the 8 char length range ... and
even salted ones.
The problem is that md5 is optimized for speed. Which is nice if you
want to hash a file but it offers an attacker the option to brute force
your password.
The solution is to hash multiple times and if possible using a different
hashing algorithm.
http://php.net/crypt can help you here.
I wrote a new password class for my own projects which will use crypt()
with sha512, sha256, blowfish if available or fall back to a 3000 round
md5().
This approach makes it impractical to bruteforce the hash because every
single test will have to run md5() 3000 times before it can validate a
single hash.
This also adds a delay to the login process but the hash is only checked
once
The code is released under the BSD license so you may use it in a
commercial application as well. The zip contains the class file and two
sample pages demonstrating how to use the class.
Here is a download link, let me know if you like it or have any questions.
http://www.2shared.com/file/kocAJ2HO/class_password.html
md5: 4ee41496a9d1bc147e5025699e2b764e class_password.zip
--
John
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Membership site
On 28.07.2011 12:53, Alex Nikitin wrote: Just as a word of caution to everyone on this list, mcrypt version of blowfish (which is implemented by php) (in linux) has an 8bit bug in it, and thus should not be used for hashing passwords even as backup. Basically if you use a character such as say a British pound in your password, blowfish with php will generate, a wrong hash and allow for some extensive collisions. For example a hash for ac followed by a pound or euro or any of those extended chars (that are present on European keyboards and such) and a hash for just that char, would be the same! If you want I can show you with some demo code. But until fixed, don't use blowfish with php on linux at least, if you can. Very interesting, thanks for the heads up. So if you use the class change $this-hash_supported = 'sha256|sha512|blowfish|md5'; to $this-hash_supported = 'sha256|sha512|md5'; So blowfish can not be used. Problem: Using salt: Vi4mT5vCge5SWQRH7onIlo hash this: ac€ $2a$08$Vi4mT5vCge5SWQRH7onIleRMijSY4OVXS8.4diEKLENMF5Dd7HcjC hash this: € $2a$08$Vi4mT5vCge5SWQRH7onIleRMijSY4OVXS8.4diEKLENMF5Dd7HcjC hash this: ac£ $2a$08$Vi4mT5vCge5SWQRH7onIle.3A9uIUxgFol/7HjY04C.oWQVa2nvw. hash this: £ $2a$08$Vi4mT5vCge5SWQRH7onIle.3A9uIUxgFol/7HjY04C.oWQVa2nvw. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Path question.
I have a few scripts that use ../location/file Is this interpreted differently on some systems? Thanks. -- Paul Halliday http://www.squertproject.org/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Path question.
On 07/28/2011 05:43 PM, Paul Halliday wrote: I have a few scripts that use ../location/file Is this interpreted differently on some systems? Thanks. I have no idea about it, but I generally use realpath() to avoid any such problems. Windows may have, because it uses backward slashes instead of forward which are used in *nix (incl mac) -- Regards, Nilesh Govindarajan @nileshgr on twitter/identica -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Path question.
On 28 July 2011 18:06, Nilesh Govindarajan cont...@nileshgr.com wrote: On 07/28/2011 05:43 PM, Paul Halliday wrote: I have a few scripts that use ../location/file Is this interpreted differently on some systems? Thanks. Use __DIR__.../location/file otherwise files using these script can not be moved across folders. I have no idea about it, but I generally use realpath() to avoid any such problems. Windows may have, because it uses backward slashes instead of forward which are used in *nix (incl mac) -- Regards, Nilesh Govindarajan @nileshgr on twitter/identica -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Path question.
Yes, can be. There is a predefined variable DIRECTORY_SEPARATOR, which you
can use:
on index.php let's say
define('DS',DIRECTORY_SEPARATOR');
define('MY_APP_ROOT',dirname(realpath(__FILE__)));
define('LIB_DIR',MY_APP_ROOT.DSDS.location.DS.file);
Cheers,
Tamas
-Original Message-
From: Paul Halliday [mailto:paul.halli...@gmail.com]
Sent: Thursday, July 28, 2011 2:14 PM
To: PHP-General
Subject: [PHP] Path question.
I have a few scripts that use ../location/file
Is this interpreted differently on some systems?
Thanks.
--
Paul Halliday
http://www.squertproject.org/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Path question.
On 28 July 2011 13:36, Nilesh Govindarajan cont...@nileshgr.com wrote: On 07/28/2011 05:43 PM, Paul Halliday wrote: I have a few scripts that use ../location/file Is this interpreted differently on some systems? Thanks. I have no idea about it, but I generally use realpath() to avoid any such problems. Windows may have, because it uses backward slashes instead of forward which are used in *nix (incl mac) For PHP on Windows, the / is fine. Obviously, if you are going to be calling OS based tools from PHP, you'll need to realpath() or use \\ or DIRECTORY_SEPARATOR. -- Richard Quadling Twitter : EE : Zend : PHPDoc @RQuadling : e-e.com/M_248814.html : bit.ly/9O8vFY : bit.ly/lFnVea -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] I can't execute pf commands
Hi
I use php5.3 on freebsd
I also use pf ( packet filter) on it.
I need to execute pfctl in php script. But I couldn't execute . I don't get
any errors about that.
Shell commands is allowed in php.ini My
My script is below,
shell_exec('pfctl -s nat');
exec('pfctl -s nat');
If I execute another command like this ; it works
shell_exec('ls -l /var/tmp') ;
What can the problem be ?
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] I can't execute pf commands
did you try it in shell? or just You tried it in PHP?
Re: [PHP] Re: I can't execute pf commands
If you want to execute shell commands as root theres another solution too
try this:
shell_exec('sudo -u root ls -l /var/tmp')
but the solution Of shawn is better then it will not needed to set it again
in another commands
Re: [PHP] Re: I can't execute pf commands
also by gcc you can use code it and run the gcc in shell I like this one: setfacl -m u:wwwrun:rw the path that you would like for permissions you can set it for the folders you have then run this compiler it will make an executable file you can give a name to them by -o 'r' and 'w' are for read and write also you can have 'x' for execute permission now you can use this executable file on any new computer just run it and it will make permissions I don't know in your Os you have wwwrun or not I have it in Suse *wwwrun is used for doing things permission-wise but Apache doesn't need to login with it. Again, this keeps it safe from attackers.* * * * *
[PHP] PHP 5.3.7RC4 Released for Testing
The fourth and hopefully final release candidate of 5.3.7 was just released for testing and can be downloaded here: https://downloads.php.net/ilia/php-5.3.7RC4.tar.bz2 (md5sum: 143ae4c3c5df93e2a9efae532cb51790) https://downloads.php.net/ilia/php-5.3.7RC4.tar.gz (md5sum: 8543604a0f171424c73ccaff5061f7ba) The Windows binaries are available at: http://windows.php.net/qa/ There were a few important fixes made since RC3 and this new RC is designed to validate that these fixes have not introduced any regressions. The intent is that this is the final release candidate before the final release, which if all goes well will follow in 2 weeks. PHP 5.3.7 is focused on improving the stability and security. To ensure that the release is solid, please test this RC against your code base and report any problems that you encounter. To find out what was changed since the last release please refer to the NEWS file found within the archive or on http://svn.php.net/viewvc/php/php-src/tags/php_5_3_7RC4/NEWS?revision=HEADview=markup Windows users please mind that we don't provide VS6 builds anymore since PHP 5.3.6. Ilia Alshanetsky -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Re: I can't execute pf commands
On 07/28/2011 11:09 AM, Bulent Malik wrote:
Hi
I use php5.3 on freebsd
I also use pf ( packet filter) on it.
I need to execute pfctl in php script. But I couldn't execute . I don't get
any errors about that.
Shell commands is allowed in php.ini My
My script is below,
shell_exec('pfctl -s nat');
exec('pfctl -s nat');
If I execute another command like this ; it works
shell_exec('ls -l /var/tmp') ;
What can the problem be ?
pfctl probably requires root privileges, so you can either set the suid
on it or I would set it up in sudoers to allow the apache user to
execute it without a password.
--
Thanks!
-Shawn
http://www.spidean.com
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] I can't execute pf commands
did you try it in shell? or just You tried it in PHP? Yeah, I tried it on shell and it works on it. Also if I execute it as command line, it works ; php test.php But when I try it on www ( internet explorer, firefox, chrome ..) it doesn't work.
RE: [PHP] I can't execute pf commands
Bulent Malik bma...@ihlas.net.tr wrote: did you try it in shell? or just You tried it in PHP? Yeah, I tried it on shell and it works on it. Also if I execute it as command line, it works ; php test.php But when I try it on www ( internet explorer, firefox, chrome ..) it doesn't work. Sounds like it might need you to specify the full paths to the commands/apps you're using in the shell call. Your user might have the right path environment variable specified, but its unlikely the Apache user will have. This user is usually called something like apache or www2. Thanks, Ash http://www.ashleysheridan.co.uk -- Sent from my Android phone with K-9 Mail. Please excuse my brevity. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: RE: [PHP] I can't execute pf commands
Answer to your problem is in your pop Apache module configuration. I would suggest to look how different your cli php.ini file is in comparison to your Apache php module php.ini file Also I would not follow the suggestion of adding Apache user to sudoers. It's quite high risk move in security-wise Arthur Moczulski On 28 Jul 2011 19:16, Bulent Malik bma...@ihlas.net.tr wrote: did you try it in shell? or just You tried it in PHP? Yeah, I tried it on shell and it works on it. Also if I execute it as command line, it works ; php test.php But when I try it on www ( internet explorer, firefox, chrome ..) it doesn't work.
Re: [PHP] I can't execute pf commands
On 07/28/2011 01:22 PM, Arthur Moczulski wrote: Answer to your problem is in your pop Apache module configuration. I would suggest to look how different your cli php.ini file is in comparison to your Apache php module php.ini file No Also I would not follow the suggestion of adding Apache user to sudoers. It's quite high risk move in security-wise Good luck getting it to work another way. -- Thanks! -Shawn http://www.spidean.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] I can't execute pf commands
Arthur would you please explain it in more details?
Re: [PHP] I can't execute pf commands
Bulint clear private data or cookies maybe your browser stores something and can't act for this clear them and then try and tell us the result 2011/7/28 Bulent Malik bma...@ihlas.net.tr ** did you try it in shell? or just You tried it in PHP? Yeah, I tried it on shell and it works on it. Also if I execute it as command line, it works ; php test.php But when I try it on www ( internet explorer, firefox, chrome ..) it doesn't work.
Re: [PHP] I can't execute pf commands
another point: I think you tried it in shell as a root but in browser it can't execute it as a root again I agree with Shawn it is from permission try the command that I told you I mean edit the command and then run it in browser
