php-general Digest 23 Nov 2006 06:27:32 -0000 Issue 4475

php-general-digest-help@lists.php.net
Date: Thu Nov 23 2006 - 00:27:32 CST


Topics (messages 245057 through 245077):

Re: Coding Standards Document
        245057 by: Børge Holen

Re: security question
        245058 by: Richard Lynch
        245070 by: Jon Anderson
        245073 by: Sumeet
        245074 by: Sumeet
        245075 by: Robert Cummings
        245076 by: Larry Garfield

Re: what settings I have to use in php 5.1.2?
        245059 by: Richard Lynch
        245063 by: Jochem Maas
        245066 by: afan@afan.net

Re: Encoding
        245060 by: Richard Lynch
        245071 by: Nuno Vaz Oliveira

Re: backing up a database
        245061 by: Richard Lynch

Re: problem using imagejpeg function all
        245062 by: Richard Lynch

Re: Little script that might help against some email-/webcrawlers
        245064 by: Jonesy

Re: Powered by?
        245065 by: Richard Lynch
        245069 by: Paul Novitski

Programmatic POST
        245067 by: Gabe
        245068 by: Brad Fuller
        245072 by: Manuel Lemos
        245077 by: Vincent DUPONT

Administrivia:

To subscribe to the digest, e-mail:
        php-general-digest-subscribe@lists.php.net

To unsubscribe from the digest, e-mail:
        php-general-digest-unsubscribe@lists.php.net

To post to the list, e-mail:
        php-general@lists.php.net

----------------------------------------------------------------------

attached mail follows:


On Wednesday 22 November 2006 16:31, tedd wrote:
> At 7:14 PM -0500 11/21/06, Robert Cummings wrote:
> >On Tue, 2006-11-21 at 16:19 -0500, tedd wrote:
> >> It seems that every time I ask a security question, I find that I'm
> >> currently practicing the answers to avoid the pit-falls.
> >
> >Except that one time when his site got defaced... that was news ;) ;)
> >
> >Cheers,
> >Rob.
>
> Rob:
>
> Good point, but that was a problem my host had and not something that
> was my fault. It seems that everyone who hosted with that company had
> every file that even contained the word "index" replaced. I keep a
> redirect index in every folder, so I had well over 200 indexes to
> replace -- joy, joy.
>
> Since then, that host has not answered any of my emails, but I can't
> complain too much because I use very inexpensive hosts for my test
> sites.
>
> You see, I'm at the other end of the spectrum than you guys. You can
> afford high-priced host, but I can't -- you probably can't guess as
> to how cheap I can buy hosting -- it's unbelievable.

Everyone can set up a cheap-ass old Pentium to use as a test host.
These crappy hosting sites never put in any fine-crafted Unix tools nor any
ssh support.
Anyway, point is: it's free.

>
> However, when it comes to providing a client with a host, that's a
> different matter and it's their cost, not mine -- for I can (and do)
> work with much less.
>
> Cheers,
>
> tedd
> --
> -------
> http://sperling.com http://ancientstones.com http://earthstones.com

--
---
Børge
Kennel Arivene
http://www.arivene.net
---

attached mail follows:


On Wed, November 22, 2006 11:20 am, Alain Roger wrote:
> Now that i finished the client side of the web application i would
> like to
> improve the security of my administration side of this web
> application.
> My web hoster support a shared SSL protocol, however i would like to
> do more
> than simply use the SSL...

I think the amazing thing is that you just used "simply" and "SSL" in
the same sentence... :-)

SSL is a VERY safe way to ensure that the data traveling from the
browser to the server, and data going back from server to browser, is
secure in transit.

SSL is pretty much the armored truck ploughing its way through the
Internet, shedding bullets like a duck sheds water.

> I've heard that cookies and sessions can be easily hacked...so what do
> you
> use to secure your web page.
> which methods ?

With SSL in place, you have reduced your vulnerabilities to,
essentially, the "endpoints" of the communication:
  who has access to the browser/client
  who has access to the webhost/server

The sentence "cookies can be easily hacked" is true in the sense that
anybody who can get ahold of your laptop/desktop can add cookie files.

Or, if they can run a virus on it, they can install any cookie files
they like, for any site.

There is very very very little you can do to secure the computers of
your users, even your admin users. Probably your best bet is to
EDUCATE those users, as early and often as you can, about safe
computer practices.

You should also be very careful to use sensible things in your Cookies
-- Actually, with PHP, you should send JUST ONE cookie for your entire
site, and track everything else you need in your $_SESSION data.

Okay, if you've installed some "forum" software or something, maybe
integrating its authentication into your main login is a Bad Idea, so
you can have "extra" cookies for the forum. Though most forum
software comes with its own whole new set of Security issues. :-(

The sessions getting hacked generally mostly boils down to the session
getting hijacked by a compromised client/browser (see above), or
somebody who already can login to the webhost/server -- at which point
the session itself is a tiny part of a much bigger problem, which is
the whole SERVER is compromised.

My best advice would be to use *ONE* session_start() in a single
include file, probably the same way you are doing your DB connection,
and let PHP experts worry about the mechanics of sending a "good"
cookie.

You may want to use http://php.net/session_set_cookie_params to require
that your SSL cookie ONLY go through SSL, though.

You then "only" need to focus on the parts of the process that you
scripted in PHP.

Your authentication, for example, should be simple and straightforward
enough that you can sit down and test it in an afternoon and be
absolutely certain that you can't manage to get "through" to anything
you shouldn't, without a valid username/password.

Other things to consider:
Educate users about what is or isn't a Good Password.
Attempt to steer users away from using Bad Passwords.

Read this site over and over until you internalize it:
http://phpsec.org/

And, just a general note, not directed at the question/post/Alain:

Security is not something one can just slap on to the site after one
finishes it -- It has to be a living breathing process that is in
symbiosis with the life-cycle of the project.

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
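The two concrete pieces of advice in the reply above (one session_start() in a single include, and session_set_cookie_params() so the cookie only travels over SSL) as working code. This is an added example and not code from the original post or from Richard; it assumes PHP 7.4 or later, HTTPS on the admin side, and the function names, cookie name and constructed user table are the example's own.

```php
<?php
// Added example, not from the thread: one bootstrap include that configures
// the session cookie and calls session_start() exactly once, plus a login
// helper that verifies the password and regenerates the session id.
// Assumptions: PHP 7.4+, TLS on the admin pages, function names are ours.

declare(strict_types=1);

function secure_session_start(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return; // an earlier include already started it; never start twice
    }
    // The session id travels in the cookie only, never in the URL, and ids
    // the server did not issue are rejected (kills session fixation via URL).
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,        // browser-session cookie
        'path'     => '/admin/',
        'domain'   => '',       // current host only
        'secure'   => true,     // sent only over TLS: the "SSL-only" point above
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Strict', // not attached to cross-site requests
    ]);
    session_name('ADMINSESSID');
    session_start();
}

// $users maps username => password_hash() output. Constructed for the example;
// a real application loads it from the database.
function login(array $users, string $user, string $pass): bool
{
    static $dummy = null;
    $dummy ??= password_hash('dummy', PASSWORD_DEFAULT);
    // Unknown users still pay for one password_verify() so the response time
    // does not reveal which usernames exist.
    $hash = $users[$user] ?? $dummy;
    if (!isset($users[$user]) || !password_verify($pass, $hash)) {
        return false;
    }
    // Fresh id after authentication: a pre-login id an attacker planted in
    // the victim's browser no longer maps to the authenticated session.
    session_regenerate_id(true);
    $_SESSION['user']       = $user;
    $_SESSION['login_time'] = time();
    return true;
}

function require_login(): void
{
    if (empty($_SESSION['user'])) {
        http_response_code(403);
        exit('login required');
    }
}

// Usage (this part lives in the protected page, the functions in the include):
secure_session_start();
$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)]; // constructed
if (isset($_POST['user'], $_POST['pass'])) {
    if (!login($users, (string) $_POST['user'], (string) $_POST['pass'])) {
        http_response_code(401);
        exit('bad credentials');
    }
}
require_login();
echo 'Hello, ' . htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8');
```

Everything the application needs to remember lives in $_SESSION server-side; the browser holds exactly one cookie, and that cookie is useless to anyone who sniffs plain HTTP (it is never sent there) or who runs script in the page (HttpOnly). What the cookie flags cannot fix is the endpoint problem the reply describes: malware on the admin's own machine still reads the cookie jar.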

attached mail follows:


Alain Roger wrote:
> I've heard that cookies and sessions can be easily hacked...so what do
> you
> use to secure your web page.
> which methods ?
If you want to be secure, don't trust anything. Cookies are easily
modified by a user, so never store anything sensitive in there without
masking it well. Personally, I don't like $_SESSION either, 'cause it
doesn't work across clustered servers by default, and isn't usually
terribly secure on a shared web host.

I tend to use hashed data in the cookie for anything that needs to be
semi-secure, and store everything sensitive in a database, one-way
hashed wherever possible.

jon

attached mail follows:


dear richard,

yours was an amazing reply... simple and true ....and well written...

where did u learn all the stuff?... ;-)

anyway. is there a step-by-step process for checking if your site is
secure?... i know you would say to get a hacker or something... but as a
programmer, i would like to know (some) more info...

i use GET instead of POST for most of the forms... even in a shopping
cart or admin panel... do u think that is risky?

one of the biggest threats is SQL injection and now XML injection... but
can u give some more info... like what commands do i need to use and
what part of the website do i need to check?...

what is penetration and black box testing for a php website....?

is there any software for this kind of testing... some part of the
process can be automated... like grabbing all the links or urls and
purposely bombarding them with sql statements.

if i get the same done by a professional, what should be the average cost
for testing a website for security?...

also
> Security is not something one can just slap on to the site after one
> finishes it -- It has to be a living breathing process that is in
> symbiosis with the life-cycle of the project.
>

that is a beautiful statement...

thanks a lot...

sumeet

Richard Lynch wrote:
> On Wed, November 22, 2006 11:20 am, Alain Roger wrote:
>> Now that i finished the client side of the web application i would
>> like to
>> improve the security of my administration side of this web
>> application.
>> My web hoster support a shared SSL protocol, however i would like to
>> do more
>> than simply use the SSL...
>
> I think the amazing thing is that you just used "simply" and "SSL" in
> the same sentence... :-)
>
> SSL is a VERY safe way to ensure that the data traveling from the
> browser to the server, and data going back from server to browser, is
> secure in transit.
>
> SSL is pretty much the armored truck ploughing its way through the
> Internet, shedding bullets like a duck sheds water.
>
>
> Security is not something one can just slap on to the site after one
> finishes it -- It has to be a living breathing process that is in
> symbiosis with the life-cycle of the project.
>

--
Thanking You

Sumeet Shroff
http://www.prateeksha.com
Web Designers and PHP / Mysql Ecommerce Development, Mumbai India
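The SQL injection Sumeet raises, shown as a vulnerable handler beside its hardened form, plus the crude automated probe he describes (feed a tautology to each parameter and see whether more rows come back). This is an added example, not code from anyone on the thread; it runs against an in-memory SQLite table through PDO so it works offline, and the table, rows and attacker input are constructed. The same code is what you would write against MySQL. On his GET-versus-POST question: injection works identically through either, but GET puts the value into server logs, browser history and Referer headers, which is the real reason to keep cart and admin actions on POST.

```php
<?php
// Added example, not from the thread. Constructed data; PDO + SQLite so it
// runs anywhere. The point is identical for mysqli/MySQL.

declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE cart (id INTEGER PRIMARY KEY, owner TEXT, item TEXT)');
$db->exec("INSERT INTO cart (owner, item) VALUES ('alice', 'book'), ('bob', 'lamp')");

// Vulnerable: the request parameter is pasted into the SQL text, so quotes
// in it become part of the query. GET or POST makes no difference here.
function cart_items_vulnerable(PDO $db, string $owner): array
{
    $sql = "SELECT item FROM cart WHERE owner = '$owner'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: the value is bound as a parameter. The database receives the
// SQL shape and the data separately, so the data is never parsed as SQL.
function cart_items_safe(PDO $db, string $owner): array
{
    $stmt = $db->prepare('SELECT item FROM cart WHERE owner = :owner');
    $stmt->execute([':owner' => $owner]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// The automated check Sumeet describes, in its simplest form: if a
// tautology in the parameter yields more rows than a value that matches
// nothing, the query is concatenating its input.
function looks_injectable(callable $query, PDO $db): bool
{
    $benign = count($query($db, 'nobody-' . bin2hex(random_bytes(4))));
    $taut   = count($query($db, "x' OR '1'='1"));
    return $taut > $benign;
}

// Constructed attacker input, as it would arrive from cart.php?owner=x'+OR+'1'='1
$evil = "x' OR '1'='1";

print_r(cart_items_vulnerable($db, $evil));
print_r(cart_items_safe($db, $evil));
var_dump(looks_injectable('cart_items_vulnerable', $db));
var_dump(looks_injectable('cart_items_safe', $db));
```

Run it and the vulnerable function hands back every cart in the table, while the hardened one returns nothing because no owner is literally named "x' OR '1'='1"; the probe flags the first and clears the second. Real scanners do the same thing over every link and form field they can crawl, with many more payloads; this is what "bombarding them with sql statements" amounts to. Where to check: every place a value from $_GET, $_POST, $_COOKIE or a header reaches a query, which with prepared statements everywhere becomes a grep for string concatenation into SQL.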

attached mail follows:


Western, Matthew wrote:
>
>> where did u learn all the stuff?... ;-)
> Maybe reading the manual?

thanks matthew,

maybe we should all refer to forum and google, and stop posting in this
forum.... can u please start first...

thanks anyway...man....i needed some silly sarcastic comments to get
past my day.

--
Thanking You

Sumeet Shroff
http://www.prateeksha.com
Web Designers and PHP / Mysql Ecommerce Development, Mumbai India

attached mail follows:


On Thu, 2006-11-23 at 09:56 +0530, Sumeet wrote:
> Western, Matthew wrote:
> >
> >> where did u learn all the stuff?... ;-)
> > Maybe reading the manual?
>
> thanks matthew,
>
> maybe we should all refer to forum and google

Teach a man to fish...

Cheers,
Rob.
--
.------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting |
| a powerful, scalable system for accessing system services |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for |
| creating re-usable components quickly and easily. |
`------------------------------------------------------------'

attached mail follows:


On Wednesday 22 November 2006 22:38, Robert Cummings wrote:

> > maybe we should all refer to forum and google
>
> Teach a man to fish...

And you lose your monopoly on fisheries.

--
Larry Garfield AIM: LOLG42
larry@garfieldtech.com ICQ: 6817012

"If nature has made any one thing less susceptible than all others of
exclusive property, it is the action of the thinking power called an idea,
which an individual may exclusively possess as long as he keeps it to
himself; but the moment it is divulged, it forces itself into the possession
of every one, and the receiver cannot dispossess himself of it." -- Thomas
Jefferson

attached mail follows:


On Wed, November 22, 2006 11:10 am, afan@afan.net wrote:
> the company I work for moves our web server to other hosting company
> (dedicated server). we use php 5.1.2, apache 2.2, mysql 5.0.18, and I
> wonder what else I have to change in php.ini settings?
>
> register_globals is Off
> magic_quotes_gpc is Off
>
> what else you recomand to do?

It depends on what the application does or doesn't do.

If it never ever sends out email, get rid of the sendmail stuff in
php.ini, so there's no chance of a silly mistake leading to sending
bulk email.

If you never need to use PHP to read content from a URL, turn off
allow_url_fopen.

Moving to a dedicated server is great for performance/features, but if
you're inexperienced as a sysadmin, you might want to consider hiring
a local sysadmin to help out.

And, of course, there are a TON of things you can (and I should) read
about sysadmin work, security, and more security. Finding the time to
DO that, however, can be problematic.

I personally work very very very hard to be sure that I have to admin
a minimum number of boxes with very limited functionality, and foist
off any generalized sysadmin work to a shared host, for precisely the
reason that I *know* my limitations in being a sysadmin. :-)

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
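The settings named across the php.ini replies in this digest (register_globals, magic_quotes_gpc, allow_url_fopen, the sendmail entry, php.ini-recommended as the baseline), gathered into one fragment with the error-display, upload and session knobs a hardening pass would review at the same time. This is an added example, not a file from the original poster or from Richard; the values and the log path are assumptions, and directives that postdate PHP 5.1.2 are marked.

```ini
; Added example, not from the thread. Start from php.ini-recommended and
; compare against this; values and paths below are assumptions.

register_globals = Off
magic_quotes_gpc = Off

; No remote URLs via fopen()/include() unless the application really fetches them.
allow_url_fopen = Off
; allow_url_include exists from PHP 5.2 and is ignored on 5.1.2.
allow_url_include = Off

; Errors go to a log, never to the browser, and the server does not advertise PHP.
display_errors = Off
log_errors = On
error_log = /var/log/php/error.log
expose_php = Off

; "Get rid of the sendmail stuff": if nothing sends mail, mail() goes nowhere.
sendmail_path = /bin/false

; Uploads only if a form needs them; cap the sizes either way.
file_uploads = Off
upload_max_filesize = 2M
post_max_size = 8M

; Sessions: id only in the cookie, never rewritten into URLs.
session.use_only_cookies = 1
session.use_trans_sid = 0
; session.cookie_httponly exists from PHP 5.2.
session.cookie_httponly = 1

; Only if nothing on the box needs to shell out (a mysqldump-via-exec()
; backup, for instance, would break).
disable_functions = exec,passthru,shell_exec,system,proc_open,popen
```

Any of these can be overridden per virtual host or per directory with php_admin_value in the Apache config, which is the right place when one site on the box does need uploads or mail and the rest do not.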

attached mail follows:


afan@afan.net wrote:
> hi!
>
> the company I work for moves our web server to other hosting company
> (dedicated server). we use php 5.1.2, apache 2.2, mysql 5.0.18, and I
> wonder what else I have to change in php.ini settings?
>
> register_globals is Off
> magic_quotes_gpc is Off
>
> what else you recomand to do?

r2 turn off ALL the garbage disposers.

and have a look at php.ini-recommended (or whatever it's
called exactly)

>
> thanks.
>
> -afan
>

attached mail follows:


> afan@afan.net wrote:
>> hi!
>>
>> the company I work for moves our web server to other hosting company
>> (dedicated server). we use php 5.1.2, apache 2.2, mysql 5.0.18, and I
>> wonder what else I have to change in php.ini settings?
>>
>> register_globals is Off
>> magic_quotes_gpc is Off
>>
>> what else you recomand to do?
>
> r2 turn off ALL the garbage disposers.
what do you mean?

> and have a look at php.ini-recommended (or whatever it's
> called exactly)

Thanks Jochem!

>
>>
>> thanks.
>>
>> -afan
>>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

attached mail follows:


On Wed, November 22, 2006 9:15 am, João Cândido de Souza Neto wrote:
> I am facing a trouble in my system in which i am not able to show
> ISO-8859-1
> encoding data. When i tried to use the follow meta tag it works in
> firefox
> but still not working in IE.
>
> <meta http-equiv="Content-Type" content="text/html;
> charset=ISO-8859-1">
>
> In firefox it shows: REMÉDIO PARA O GADO
>
> In IE it shows: REM?IOS PARA O GADO

IE looks at the META tag, which you have.
FF looks at the HTTP headers, which you probably do not have:
<?php
  //this should be your very first line:
  header("Content-type: text/html; charset=ISO-8859-1");
?>

It seems to me that you would want UTF-8 or some other charset, not
ISO-8859-1, to get the accent...

So IE is actually doing what you asked, and FF is "guessing" you
really wanted that accented E and using UTF-8, I think.

I'm NOT Unicode-savvy, really, but this is my best guess.

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
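One way to make the two declarations agree, so it does not matter which one a given browser trusts: send the charset in the HTTP Content-Type header, repeat it in the meta tag, and convert the text to that charset before it is echoed. This is an added example and not code from the original post; it assumes the mbstring extension and that the application keeps its strings as UTF-8 internally, and the page text is constructed.

```php
<?php
// Added example, not from the thread. Assumes mbstring and UTF-8 strings
// inside the application; output is converted to the declared charset.

declare(strict_types=1);

function render_page(string $titleUtf8, string $bodyUtf8, string $charset = 'ISO-8859-1'): string
{
    // The header has to leave before any output, so this function is called
    // before anything is echoed. headers_sent() guards against a stray BOM
    // or whitespace from an include having already flushed output.
    if (!headers_sent()) {
        header('Content-Type: text/html; charset=' . $charset);
    }

    // The bytes on the wire must actually be in the declared charset. A
    // UTF-8 "É" sent under an ISO-8859-1 label is exactly the mismatch that
    // renders as "?" or as two junk characters.
    $title = mb_convert_encoding($titleUtf8, $charset, 'UTF-8');
    $body  = mb_convert_encoding($bodyUtf8, $charset, 'UTF-8');

    // Escape in the same charset so htmlspecialchars() does not drop or
    // mangle bytes it considers invalid.
    $title = htmlspecialchars($title, ENT_QUOTES, $charset);
    $body  = htmlspecialchars($body, ENT_QUOTES, $charset);

    return "<!DOCTYPE html>\n"
         . "<html><head>\n"
         . '<meta http-equiv="Content-Type" content="text/html; charset=' . $charset . '">' . "\n"
         . '<title>' . $title . "</title></head>\n"
         . '<body><h1>' . $body . "</h1></body></html>\n";
}

// Constructed page text (UTF-8 in this source file).
echo render_page('Remédios', 'REMÉDIO PARA O GADO');
```

If the text is already ISO-8859-1 (for example straight from a latin1 MySQL table), drop the mb_convert_encoding() calls rather than converting twice; converting bytes that are not really UTF-8 is how the accent gets lost a second time.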

attached mail follows:


Hi

I'm working on a site and I'm using the same encoding you
use and everything displays ok both in Firefox 1.5/2.0
and IE 6.

The only difference is that I have the ISO in small letters
and the tag terminator like this:

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

I can display João, Mão, Mãe, õ, and everything else
(todos os acentos e caracteres portugueses)

So, I think that the problem is not in the code because I
only use the meta and never use the header...

Hope this helps...

(Se precisares de alguma coisa em Português diz...
Mas sou novato no PHP)

attached mail follows:


On Wed, November 22, 2006 3:53 am, Ross wrote:
> I have a database and it needs to get backed up on a daily basis. Is
> there a
> class that allows me to create a backup and then save it as a .sql or
> excel
> or both to a folder of her choice?

I personally would not involve PHP in this process, in general, as the
existing database backup software for almost any database will be more
efficient and have less overhead than piping any of it through PHP...

So just create a cron job in a shell to do:
mysql_dump > backup_path_here

Of course, if one has no shell access, you're kinda stuck using PHP to
run the http://php.net/exec to do that, and then some kind of hinky
way to pretend to run cron... Finding a new webhost is my usual
solution to that :-)

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

attached mail follows:


On Tue, November 21, 2006 10:31 pm, Tom wrote:
> I’m trying to use the imagejpeg function call in a php script and
> I
> can’t quite seem to get it working properly.

Can you clarify "working properly" into something a bit more concrete?

Right now, we're left guessing from the most likely scenario, that you
are seeing the:
yoya%#(*&H*(Y#T...
on your screen, because you've commented out the "header" line to tell
the browser to expect an image, all the way up through "the aliens
attack and put me to sleep every time I reload" :-)

> Would I need to have T1Lib support in order for this it work?

No.

Only if you wanted to use the T1 font/string functions within GD would
you need the T1Lib support.

> As a quick example, here is some code I’ve been playing around with
> that I
> found somewhere.
>
> <?php
> $image = imagecreate(200, 200);
> $colorRed = imagecolorallocate($image, 255, 0, 0);
> imagefill($image, 0, 0, $colorRed);

ImageFill might not do what you want with a new raw JPEG...

I mean, what color are all the pixels to start with?...

I would suggest that this is more suitable:
imagerectangle($image, 0, 0, 199, 199, $colorRed);

> //send image
> //header("Content-type: image/jpeg");

If you took this out for testing/debugging, that's great, but you have
to put it back in for the browser to know that it's a JPEG and not
HTML.

> imagejpeg($image);

> Should make a red square.

What did it actually make?

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

attached mail follows:


On Mon, 20 Nov 2006 13:37:29 +0000, Brynjar Guðnason wrote:

> I saw a clever solution to this once.
>
> There was a line of names: name1, name2, name3 etc.
> And then at the end stood all these are at someurl.com.
>
> That is the best way, I think.

If they're all in the same domain, I guess.

See my .sig for another tactic -- which I also employ on web pages.

Jonesy
--
  Marvin L Jones | jonz | W3DHJ | linux
   38.24N 104.55W | config.com | Jonesy | OS/2
    *** Killfiling google posts: <http://jonz.net/ng.htm>

attached mail follows:


On Tue, November 21, 2006 6:21 pm, Robert Cummings wrote:
> Personally, if the customer pays me money to make a site, I don't put
> dirty little ego fluffers on their pages... I put them in the HTML
> comments or meta tags *heheh*.

Frequently, by the time the Customer and the Designer have finished
destroying a perfectly good site with a lot of cruft that makes zero
sense, I don't even WANT my name on the damn thing.
:-)

I think it would be appropriate to negotiate for reasonable
attribution before you build the site, but not to slap it in there at
the end, nor ask for it upon delivery.

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

attached mail follows:


At 11/21/2006 03:02 PM, pub wrote:
>Is it appropriate to ask your client to add "Powered by your company"
>to the sites you design and maintain?
>And when you see "Powered by" does it mean designed by or maintained
>by or both?

'Powered by' sounds like an engine or a fuel, so I imagine it to mean
that the site is driven by a software package you wrote or
runs on hardware you manage, both on an ongoing basis. For me it
strongly implies that the agency credited for powering the site is
not the one that designed or created it; otherwise they'd say so.

'Designed by' implies to me just graphic design. Since I'm primarily
a programmer, most of my work is either implementing another agency's
graphic design or, when my partner and I do all the work, both design
and implementation. If this is a credit on page footers, brevity is golden.

I generally just say 'Website by' and allow that ambiguity to fill
the available space. It works by itself and also in conjunction with
a separate 'Design by' credit.

Regards,
Paul

attached mail follows:


I'm looking to write a function that will receive the contents of a web
form, do some data manipulation, then pass on the manipulated data to
another URL via POST. Is there a built-in function in PHP that I can
use to send the data to another URL via POST without a user having to
click submit on a form?

attached mail follows:


> -----Original Message-----
> From: Gabe [mailto:ydnahg-news4432@mailblocks.com]
> Sent: Wednesday, November 22, 2006 3:08 PM
> To: php-general@lists.php.net
> Subject: [PHP] Programmatic POST
>
> I'm looking to write a function that will receive the contents of a web
> form, do some data manipulation, then pass on the manipulated data to
> another URL via POST. Is there a built-in function in PHP that I can
> use to send the data to another URL via POST without a user having to
> click submit on a form?

Yep. There are several.

I prefer to use cURL.

http://www.php.net/curl

-B
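The cURL route Brad points to, as working code: take the submitted form fields, adjust them, and POST them on to another URL from the server. This is an added example, not code from Brad or from the PHP manual; the destination URL, the allowed-host list and the field names are assumptions. The check at the top matters once the server makes the request on the user's behalf: if anything in the request can influence the destination, the server will happily POST to whatever internal address it is pointed at, so the target is pinned to hosts you chose and redirects are not followed.

```php
<?php
// Added example, not from the thread. Destination, host list and field
// names are assumptions. Requires the curl extension.

declare(strict_types=1);

const ALLOWED_HOSTS = ['api.example.net']; // assumption: the only places we forward to

function forward_post(string $url, array $fields): array
{
    $scheme = parse_url($url, PHP_URL_SCHEME);
    $host   = parse_url($url, PHP_URL_HOST);
    if ($scheme !== 'https' || !in_array($host, ALLOWED_HOSTS, true)) {
        throw new InvalidArgumentException("refusing to POST to $url");
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        // A string body is sent as application/x-www-form-urlencoded, i.e.
        // what a browser form submit looks like. Passing the array directly
        // would switch cURL to multipart/form-data.
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,    // a redirect could leave the allowlist
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,
        CURLOPT_SSL_VERIFYPEER => true,     // the defaults, spelled out on purpose
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 15,
    ]);

    $body = curl_exec($ch);
    if ($body === false) {
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException("POST failed: $err");
    }
    $status = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    return ['status' => $status, 'body' => $body];
}

// Usage: receive the form, manipulate it, pass it on.
$fields = $_POST;
$fields['total'] = round((float) ($fields['total'] ?? 0), 2); // the "manipulation" step
unset($fields['csrf_token']);                                  // do not leak our own token downstream
$reply = forward_post('https://api.example.net/orders', $fields);
if ($reply['status'] >= 400) {
    http_response_code(502);
    exit('upstream rejected the order');
}
```

The browser that submitted the form only ever talks to this script; the onward POST carries whatever $fields contains and nothing else, so session cookies and the CSRF token of the first site stay where they belong.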

attached mail follows:


Hello,

on 11/22/2006 06:07 PM Gabe said the following:
> I'm looking to write a function that will receive the contents of a web
> form, do some data manipulation, then pass on the manipulated data to
> another URL via POST. Is there a built-in function in PHP that I can
> use to send the data to another URL via POST without a user having to
> click submit on a form?

You may want to use this HTTP client class. It can emulate form
submission via HTTP POST, and if necessary it can collect cookies,
handle redirection, access SSL pages, etc...

http://www.phpclasses.org/httpclient

--

Regards,
Manuel Lemos

Metastorage - Data object relational mapping layer generator
http://www.metastorage.net/

PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/

attached mail follows:


in PHP5, you could have a look at objects HTTPRequest and HTTPResponse.
I never used them yet, though...

vincent

-----Original Message-----
From: Brad Fuller [mailto:bfuller@cpacampaigns.com]
Sent: Wed 22/11/2006 21:25
To: php-general@lists.php.net
Subject: RE: [PHP] Programmatic POST
 
> -----Original Message-----
> From: Gabe [mailto:ydnahg-news4432@mailblocks.com]
> Sent: Wednesday, November 22, 2006 3:08 PM
> To: php-general@lists.php.net
> Subject: [PHP] Programmatic POST
>
> I'm looking to write a function that will receive the contents of a web
> form, do some data manipulation, then pass on the manipulated data to
> another URL via POST. Is there a built-in function in PHP that I can
> use to send the data to another URL via POST without a user having to
> click submit on a form?

Yep. There are several.

I prefer to use cURL.

http://www.php.net/curl

-B

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php