Re: [PHP] how to not show login info in the url ...what am I looking for?
At 10:12 AM -0500 12/10/08, APseudoUtopia wrote: On Wed, Dec 10, 2008 at 10:03 AM, tedd [EMAIL PROTECTED] wrote: In my mind, hacking a site (without doing damage) is a good introduction to a client. *Ahem*You mean 'cracking'? :-P *Ahem*... You mean to stick your tongue out at me? That's one definitions of using :-P You see, there's all sorts of definitions for everything. When I say Hack a site I mean to do something to get the site to provide an unintended result as expected by the author. Much like using CSS Hacks to get browsers to do something that was not intended by the original designers. On the other hand, my understanding of cracking means to crack some type of encryption. Thus, the reason why I did not say cracking the site instead of hacking the site. Cheers, tedd -- --- http://sperling.com http://ancientstones.com http://earthstones.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] how to not show login info in the url ...what am I looking for?
On 11 Dec 2008, at 16:05, tedd wrote: At 10:12 AM -0500 12/10/08, APseudoUtopia wrote: On Wed, Dec 10, 2008 at 10:03 AM, tedd [EMAIL PROTECTED] wrote: In my mind, hacking a site (without doing damage) is a good introduction to a client. *Ahem*You mean 'cracking'? :-P *Ahem*... You mean to stick your tongue out at me? That's one definitions of using :-P You see, there's all sorts of definitions for everything. When I say Hack a site I mean to do something to get the site to provide an unintended result as expected by the author. Much like using CSS Hacks to get browsers to do something that was not intended by the original designers. On the other hand, my understanding of cracking means to crack some type of encryption. Thus, the reason why I did not say cracking the site instead of hacking the site. Hacking: Getting something to do something it was not designed to do. Cracking: Getting something to do something it was specifically designed to prevent. IMHO. -Stut -- http://stut.net/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] how to not show login info in the url ...what am I looking for?
On Thu, 2008-12-11 at 11:05 -0500, tedd wrote: At 10:12 AM -0500 12/10/08, APseudoUtopia wrote: On Wed, Dec 10, 2008 at 10:03 AM, tedd [EMAIL PROTECTED] wrote: In my mind, hacking a site (without doing damage) is a good introduction to a client. *Ahem*You mean 'cracking'? :-P *Ahem*... You mean to stick your tongue out at me? That's one definitions of using :-P You see, there's all sorts of definitions for everything. When I say Hack a site I mean to do something to get the site to provide an unintended result as expected by the author. Much like using CSS Hacks to get browsers to do something that was not intended by the original designers. On the other hand, my understanding of cracking means to crack some type of encryption. Thus, the reason why I did not say cracking the site instead of hacking the site. Cracking is not just about encryption. It's about bypassing any kind of measure put in place to prevent someone from doing something. Hacking on the other hand does not embody this principle, although hacking may be employed to achieve cracking. Just because pop culture is completely ignorant to the difference, doesn't mean you as a member of the community need to jump on board and bleat like a sheep. If you intend to misuse hacker, then you should at least provide more detail such as white-, grey-, or black-hat. Cheers, Rob. -- http://www.interjinn.com Application and Templating Framework for PHP -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] how to not show login info in the url ...what am I looking for?
At 11:23 AM -0500 12/11/08, Robert Cummings wrote: On Thu, 2008-12-11 at 11:05 -0500, tedd wrote: When I say Hack a site I mean to do something to get the site to provide an unintended result as expected by the author. Much like using CSS Hacks to get browsers to do something that was not intended by the original designers. On the other hand, my understanding of cracking means to crack some type of encryption. Thus, the reason why I did not say cracking the site instead of hacking the site. Cracking is not just about encryption. It's about bypassing any kind of measure put in place to prevent someone from doing something. Hacking on the other hand does not embody this principle, although hacking may be employed to achieve cracking. Just because pop culture is completely ignorant to the difference, doesn't mean you as a member of the community need to jump on board and bleat like a sheep. If you intend to misuse hacker, then you should at least provide more detail such as white-, grey-, or black-hat. Cheers, Rob. Okay, I shall adjust my fracking terminology. :-) Cheers, tedd -- --- http://sperling.com http://ancientstones.com http://earthstones.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] how to not show login info in the url ...what am I looking for?
On Fri, Dec 12, 2008 at 7:03 AM, tedd tedd.sperl...@gmail.com wrote: At 11:23 AM -0500 12/11/08, Robert Cummings wrote: On Thu, 2008-12-11 at 11:05 -0500, tedd wrote: When I say Hack a site I mean to do something to get the site to provide an unintended result as expected by the author. Much like using CSS Hacks to get browsers to do something that was not intended by the original designers. On the other hand, my understanding of cracking means to crack some type of encryption. Thus, the reason why I did not say cracking the site instead of hacking the site. Cracking is not just about encryption. It's about bypassing any kind of measure put in place to prevent someone from doing something. Hacking on the other hand does not embody this principle, although hacking may be employed to achieve cracking. Just because pop culture is completely ignorant to the difference, doesn't mean you as a member of the community need to jump on board and bleat like a sheep. If you intend to misuse hacker, then you should at least provide more detail such as white-, grey-, or black-hat. Cheers, Rob. Okay, I shall adjust my fracking terminology. :-) Cheers, tedd Cracking to me is when someone uses an already existing hack to use it for their own gain in a malicious way to someone else. Hacking is finding new security holes or problems with some software to fix the security holes, or just for fun without causing any demage or revealing sensitive information. A hacker to me, is an admirable person, who can find new security issues. A cracker to me, is someone exploiting hacks already in existence.
Re: [PHP] how to not show login info in the url ...what am I looking for?
On Fri, 2008-12-12 at 10:59 +1300, German Geek wrote: On Fri, Dec 12, 2008 at 7:03 AM, tedd tedd.sperl...@gmail.com wrote: At 11:23 AM -0500 12/11/08, Robert Cummings wrote: On Thu, 2008-12-11 at 11:05 -0500, tedd wrote: When I say Hack a site I mean to do something to get the site to provide an unintended result as expected by the author. Much like using CSS Hacks to get browsers to do something that was not intended by the original designers. On the other hand, my understanding of cracking means to crack some type of encryption. Thus, the reason why I did not say cracking the site instead of hacking the site. Cracking is not just about encryption. It's about bypassing any kind of measure put in place to prevent someone from doing something. Hacking on the other hand does not embody this principle, although hacking may be employed to achieve cracking. Just because pop culture is completely ignorant to the difference, doesn't mean you as a member of the community need to jump on board and bleat like a sheep. If you intend to misuse hacker, then you should at least provide more detail such as white-, grey-, or black-hat. Cheers, Rob. Okay, I shall adjust my fracking terminology. :-) Cheers, tedd Cracking to me is when someone uses an already existing hack to use it for their own gain in a malicious way to someone else. Hacking is finding new security holes or problems with some software to fix the security holes, or just for fun without causing any demage or revealing sensitive information. A hacker to me, is an admirable person, who can find new security issues. A cracker to me, is someone exploiting hacks already in existence. I tend to agree with these definitions: http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci212220,00.html The hacker is generally considered to be someone knowledgeable about a specific aspect of computers and uses that. This can obviously be used for good or ill. Cracker is generally a non-hacker (IMHO) that uses the works of hackers to break into things. The general media has this a bit messed up, and a hacker to them is typically someone who breaks into systems with malicious intent. Of course, the other meanings: hacker: someone who chops down trees cracker: something you pull at xmas (can be of the female persuasion ;) ) Ash www.ashleysheridan.co.uk -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] how to not show login info in the url ...what am I looking for?
At 9:52 PM + 12/9/08, Ashley Sheridan wrote: Thanks guys and gals! You shouldn't be passing info like that over the URL; use sessions instead. I saw a shopping cart system once that passed the price of items over the URL, and when I found out and alerted them, we won the contract for a rebuild and then got accused of hacking by their previous web guys (who incidentally built the system!) Ash Ash: Even if you did hack the site, all that means is that site was hack-able and thus should have been fixed anyway. In my mind, hacking a site (without doing damage) is a good introduction to a client. Cheers, tedd -- --- http://sperling.com http://ancientstones.com http://earthstones.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] how to not show login info in the url ...what am I looking for?
On Wed, Dec 10, 2008 at 10:03 AM, tedd [EMAIL PROTECTED] wrote: At 9:52 PM + 12/9/08, Ashley Sheridan wrote: Thanks guys and gals! You shouldn't be passing info like that over the URL; use sessions instead. I saw a shopping cart system once that passed the price of items over the URL, and when I found out and alerted them, we won the contract for a rebuild and then got accused of hacking by their previous web guys (who incidentally built the system!) Ash Ash: Even if you did hack the site, all that means is that site was hack-able and thus should have been fixed anyway. In my mind, hacking a site (without doing damage) is a good introduction to a client. Cheers, tedd -- --- http://sperling.com http://ancientstones.com http://earthstones.com *Ahem*You mean 'cracking'? :-P -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] how to not show login info in the url ...what am I looking for?
-Original Message- From: APseudoUtopia [mailto:[EMAIL PROTECTED] Sent: Wednesday, December 10, 2008 9:12 AM To: tedd Cc: [EMAIL PROTECTED]; PHP General Subject: Re: [PHP] how to not show login info in the url ...what am I looking for? On Wed, Dec 10, 2008 at 10:03 AM, tedd [EMAIL PROTECTED] wrote: At 9:52 PM + 12/9/08, Ashley Sheridan wrote: You shouldn't be passing info like that over the URL; use sessions instead. I saw a shopping cart system once that passed the price of items over the URL, and when I found out and alerted them, we won the contract for a rebuild and then got accused of hacking by their previous web guys (who incidentally built the system!) Ash: Even if you did hack the site, all that means is that site was hack- able and thus should have been fixed anyway. In my mind, hacking a site (without doing damage) is a good introduction to a client. *Ahem*You mean 'cracking'? :-P IMHO... Cracking: breaking encryption/obfuscation methods in order to gain unauthorized access to information. I cracked the admin's password using a brute force algorithm. Hacking: circumvent or leverage security flaws in order to gain unauthorized access to information. For example - I hacked into the Gibson by re-routing their logon routine. (No, that doesn't make any sense. Maybe it's straight out of the movie Hackers.) I realize that people have been using cracker as a malicious form of hacker, and that a hacker is not malicious; but that is stupid. Cracking started out dealing with cryptography in my experience, and that's how I will continue to identify it. Think about it--people were safe crackers (discovering the combination to safety deposit boxes) before there were computers in existence. My 2c, // Todd
RE: [PHP] how to not show login info in the url ...what am I looking for?
On Wed, 2008-12-10 at 09:58 -0600, Boyd, Todd M. wrote: -Original Message- From: APseudoUtopia [mailto:[EMAIL PROTECTED] Sent: Wednesday, December 10, 2008 9:12 AM To: tedd Cc: [EMAIL PROTECTED]; PHP General Subject: Re: [PHP] how to not show login info in the url ...what am I looking for? On Wed, Dec 10, 2008 at 10:03 AM, tedd [EMAIL PROTECTED] wrote: At 9:52 PM + 12/9/08, Ashley Sheridan wrote: You shouldn't be passing info like that over the URL; use sessions instead. I saw a shopping cart system once that passed the price of items over the URL, and when I found out and alerted them, we won the contract for a rebuild and then got accused of hacking by their previous web guys (who incidentally built the system!) Ash: Even if you did hack the site, all that means is that site was hack- able and thus should have been fixed anyway. In my mind, hacking a site (without doing damage) is a good introduction to a client. *Ahem*You mean 'cracking'? :-P IMHO... Cracking: breaking encryption/obfuscation methods in order to gain unauthorized access to information. I cracked the admin's password using a brute force algorithm. Hacking: circumvent or leverage security flaws in order to gain unauthorized access to information. For example - I hacked into the Gibson by re-routing their logon routine. (No, that doesn't make any sense. Maybe it's straight out of the movie Hackers.) I realize that people have been using cracker as a malicious form of hacker, and that a hacker is not malicious; but that is stupid. Cracking started out dealing with cryptography in my experience, and that's how I will continue to identify it. Think about it--people were safe crackers (discovering the combination to safety deposit boxes) before there were computers in existence. My 2c, // Todd I wouldn't really have called it either. When someone mentions hacking, I think back to that wonderful old film with Angelina Jolie before she went all weird! I think it can make a good impression, as it shows you at least know more than the last developers they used, and knowledge ain't a bad thing. Ash www.ashleysheridan.co.uk -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] how to not show login info in the url ...what am I looking for?
Please keep the discussion on the list, or offer me a contract. On 10 Dec 2008, at 14:29, Terion Miller wrote: On Tue, Dec 9, 2008 at 4:03 PM, Stut [EMAIL PROTECTED] wrote: On 9 Dec 2008, at 21:54, Terion Miller wrote: On Tue, Dec 9, 2008 at 3:49 PM, Stut [EMAIL PROTECTED] wrote: On 9 Dec 2008, at 21:41, Terion Miller wrote: So I have this login information passing parameters in the url to the next page (this is on a intranet app) which I thought was no big deal until a wise crack graphics guy decided to hack it because he could by changing the ?adminID= until he got one that worked...he didn't do anything except alert my boss so now I have to hide this info how does one do this? Once again I am not a programmer just inherited the joband the code... Here is the login page code: ?php if (isset($_POST['UserName'])) {$UserName = $_POST['UserName'];} else {$UserName = '';} if (isset($_POST['Password'])) {$Password = $_POST['Password'];} else {$Password = '';} $msg = ''; if (!empty($UserName)) { $sql = SELECT * FROM admin WHERE UserName='$UserName' and Password='$Password'; $result = mysql_query ($sql); $row = mysql_fetch_object ($result); If (mysql_num_rows($result) 0) { $_SESSION['AdminLogin'] = OK; header (Location: Main.php?AdminID=. $row-AdminID); } else { $msg = Invalid Login; } } ? No need to pass AdminID in the URL at all. Store that ID in the AdminLogin session variable instead of OK and you can get it from there on every subsequent page. -Stut -- http://stut.net/ How do I do thatI see where...but not getting how: If (mysql_num_rows($result) 0) { $_SESSION['AdminLogin'] = AdminID; //thats where is said ok before header (Location: Main.php?AdminID=. $row-AdminID); not sure what to do here? } else { $msg = Invalid Login; } Nope. If (mysql_num_rows($result) 0) { $_SESSION['AdminLogin'] = $row-AdminID; header (Location: Main.php); } else { $msg = Invalid Login; } But you then need to edit Main.php to change where it gets the AdminID value from. Chances are it's coming from $_GET['AdminID'], and simply needs changing to $_SESSION['AdminLogin'], but you need to make sure session_start() has been called before you try to use it. Worth noting that securing PHP scripts is not something that should be approached lightly. If you really don't know what you're doing you could make it even less secure than it already is, or at the very least break it so it no longer does what it's supposed to. Posting snippets of code for us to fix as and when you have problems is not the way to do it and is fairly likely to lead to more serious problems in the long run. If you need a PHP developer... hire one! -Stut -- http://stut.net/ Ok here is the main.php page and from what little I know and can tell the fact that he (last coder) is passing the adminID in the url is not at all needed..right? It seems to be using sessions already... ?php include(inc/dbconn_open.php); if (empty($_SESSION['AdminLogin']) OR $_SESSION['AdminLogin'] 'OK' ){ header (Location: LogOut.php); } if (isset($_GET['AdminID']) !empty($_GET['AdminID'])){ $AdminID = $_GET['AdminID']; } else { header (Location: LogOut.php); } ? html head meta http-equiv=Content-Type content=text/html; charset=iso-8859-1 titleWork Order System - Administrative Section/title /head frameset cols=200,* frameborder=NO border=0 framespacing=0 frame src=Menu.php?AdminID=?php echo $AdminID; ? name=leftFrame scrolling=auto noresize frame src=Welcome.php?AdminID=?php echo $AdminID; ? name=mainFrame /frameset noframesbody /body/noframes /html That script doesn't use it except to pass it through to Menu.php and Welcome.php. -Stut -- http://stut.net/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] how to not show login info in the url ...what am I looking for?
So I have this login information passing parameters in the url to the next page (this is on a intranet app) which I thought was no big deal until a wise crack graphics guy decided to hack it because he could by changing the ?adminID= until he got one that worked...he didn't do anything except alert my boss so now I have to hide this info how does one do this? Once again I am not a programmer just inherited the joband the code... Here is the login page code: ?php if (isset($_POST['UserName'])) {$UserName = $_POST['UserName'];} else {$UserName = '';} if (isset($_POST['Password'])) {$Password = $_POST['Password'];} else {$Password = '';} $msg = ''; if (!empty($UserName)) { $sql = SELECT * FROM admin WHERE UserName='$UserName' and Password='$Password'; $result = mysql_query ($sql); $row = mysql_fetch_object ($result); If (mysql_num_rows($result) 0) { $_SESSION['AdminLogin'] = OK; header (Location: Main.php?AdminID=. $row-AdminID); } else { $msg = Invalid Login; } } ? HTML HEAD TITLEWork Order System - Administrative Section/TITLE LINK REL=STYLESHEET HREF=inc/style.css script language=JavaScript !-- function leftTrim(sString) { while (sString.substring(0,1) == ' ') { sString = sString.substring(1, sString.length); } return sString; } function chkData1(objForm) { objForm.UserName.value = leftTrim(objForm.UserName.value); if (objForm.UserName.value.length == 0) { alert(Please enter your User Name.); objForm.Email.focus(); return false; } objForm.Password.value = leftTrim(objForm.Password.value); if (objForm.Password.value.length == 0) { alert(Please enter a your Password.); objForm.Password.focus(); objForm.Password.select(); return false; } return true; } //-- /script /HEAD BODY LEFTMARGIN=0 TOPMARGIN=0 MARGINWIDTH=0 MARGINHEIGHT=0 TABLE WIDTH=780 BORDER=0 CELLSPACING=0 CELLPADDING=0 TR TDnbsp;/TD /TR TR TD ALIGN=CENTERBWork Order System - Administrative Section/BBRBR/TD /TR TR TD ?php If (!empty($msg)){ echo div class=\cl_Error\. $msg ./div; } ? form name=form1 method=post action=Index.php onSubmit=return chkData1(this) TABLE WIDTH=300 BORDER=0 CELLSPACING=0 CELLPADDING=2 ALIGN=center bgcolor=#CC TR TD HEIGHT=22div class=admin_MainUsername:/div/TD TD HEIGHT=22 INPUT TYPE=text NAME=UserName/TD /TR TR TDdiv class=admin_MainPassword:/div/TD TDINPUT TYPE=password NAME=Password/TD /TR TR TD colspan=2 align=centerINPUT TYPE=submit VALUE=Login /TD /TR /TABLE /form BR Thanks guys and gals!
Re: [PHP] how to not show login info in the url ...what am I looking for?
On Tue, 2008-12-09 at 15:41 -0600, Terion Miller wrote: So I have this login information passing parameters in the url to the next page (this is on a intranet app) which I thought was no big deal until a wise crack graphics guy decided to hack it because he could by changing the ?adminID= until he got one that worked...he didn't do anything except alert my boss so now I have to hide this info how does one do this? Once again I am not a programmer just inherited the joband the code... Here is the login page code: ?php if (isset($_POST['UserName'])) {$UserName = $_POST['UserName'];} else {$UserName = '';} if (isset($_POST['Password'])) {$Password = $_POST['Password'];} else {$Password = '';} $msg = ''; if (!empty($UserName)) { $sql = SELECT * FROM admin WHERE UserName='$UserName' and Password='$Password'; $result = mysql_query ($sql); $row = mysql_fetch_object ($result); If (mysql_num_rows($result) 0) { $_SESSION['AdminLogin'] = OK; header (Location: Main.php?AdminID=. $row-AdminID); } else { $msg = Invalid Login; } } ? HTML HEAD TITLEWork Order System - Administrative Section/TITLE LINK REL=STYLESHEET HREF=inc/style.css script language=JavaScript !-- function leftTrim(sString) { while (sString.substring(0,1) == ' ') { sString = sString.substring(1, sString.length); } return sString; } function chkData1(objForm) { objForm.UserName.value = leftTrim(objForm.UserName.value); if (objForm.UserName.value.length == 0) { alert(Please enter your User Name.); objForm.Email.focus(); return false; } objForm.Password.value = leftTrim(objForm.Password.value); if (objForm.Password.value.length == 0) { alert(Please enter a your Password.); objForm.Password.focus(); objForm.Password.select(); return false; } return true; } //-- /script /HEAD BODY LEFTMARGIN=0 TOPMARGIN=0 MARGINWIDTH=0 MARGINHEIGHT=0 TABLE WIDTH=780 BORDER=0 CELLSPACING=0 CELLPADDING=0 TR TDnbsp;/TD /TR TR TD ALIGN=CENTERBWork Order System - Administrative Section/BBRBR/TD /TR TR TD ?php If (!empty($msg)){ echo div class=\cl_Error\. $msg ./div; } ? form name=form1 method=post action=Index.php onSubmit=return chkData1(this) TABLE WIDTH=300 BORDER=0 CELLSPACING=0 CELLPADDING=2 ALIGN=center bgcolor=#CC TR TD HEIGHT=22div class=admin_MainUsername:/div/TD TD HEIGHT=22 INPUT TYPE=text NAME=UserName/TD /TR TR TDdiv class=admin_MainPassword:/div/TD TDINPUT TYPE=password NAME=Password/TD /TR TR TD colspan=2 align=centerINPUT TYPE=submit VALUE=Login /TD /TR /TABLE /form BR Thanks guys and gals! You shouldn't be passing info like that over the URL; use sessions instead. I saw a shopping cart system once that passed the price of items over the URL, and when I found out and alerted them, we won the contract for a rebuild and then got accused of hacking by their previous web guys (who incidentally built the system!) Ash www.ashleysheridan.co.uk -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] how to not show login info in the url ...what am I looking for?
On 9 Dec 2008, at 21:41, Terion Miller wrote: So I have this login information passing parameters in the url to the next page (this is on a intranet app) which I thought was no big deal until a wise crack graphics guy decided to hack it because he could by changing the ?adminID= until he got one that worked...he didn't do anything except alert my boss so now I have to hide this info how does one do this? Once again I am not a programmer just inherited the joband the code... Here is the login page code: ?php if (isset($_POST['UserName'])) {$UserName = $_POST['UserName'];} else {$UserName = '';} if (isset($_POST['Password'])) {$Password = $_POST['Password'];} else {$Password = '';} $msg = ''; if (!empty($UserName)) { $sql = SELECT * FROM admin WHERE UserName='$UserName' and Password='$Password'; $result = mysql_query ($sql); $row = mysql_fetch_object ($result); If (mysql_num_rows($result) 0) { $_SESSION['AdminLogin'] = OK; header (Location: Main.php?AdminID=. $row-AdminID); } else { $msg = Invalid Login; } } ? No need to pass AdminID in the URL at all. Store that ID in the AdminLogin session variable instead of OK and you can get it from there on every subsequent page. -Stut -- http://stut.net/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php