Comments:
<0> no replacement
<0> and if it fails, goto a failure state
<0> most frameworks have these kinda validation patterns built into em
<1> StormTide: Yeah. Like I said, I'm literally just making a wrapper from one hostname, profiles.domain.tld, to another, because the profile viewer goes by userID, instead of username. ;)
<2> With PHP safe mode turned on (no system or exec calls), how do I delete all files in a directory that are over an hour old?
<3> http://www.php-mag.net/magphpde/magphpde_news/psecom,id,25543,nodeid,5.html
<4> dampja1: If you have access to filemtime it gives you the last time a file was modified
<4> dampja1: then just use unlink on the old files
<1> b1n0ry: Oh, and BTW, your example, CUT the alphanumeric chars. Not everything but. :)
<3> Psi-Jack: sorry, should have been a ^ after the [
<2> thanks
<4> yup
<2> oh - how do I get an array of all files in a directory?
<3> Psi-Jack: [^0-9a-z\-_]
<4> dampja1: there's a chance that your provider has those functions disabled too
<4> dampja1: http://www.php.net/opendir There's an example there about looping through a directory
<2> thanks
<4> dampja1: make sure you filter out '.' and '..'
<4> yup
<2> ds-: wouldn't that be funny
<2> it doesn't have to recurse - just all the files in that directory
<5> Hey, I am having an issue with forms and password fields... anyone around that I could discuss this with? ( tried #html but nobody has been able to help)
<3> php compilers... heh... another example of driving a nail with the butt of a screwdriver
<2> b1n0ry: or driving a screw with the butt of a screwdriver ;)
<3> Haoshiro: is it php related?
<6> Haoshiro- you might try actually asking a question/describing a problem
<5> Basically, I have a form for editing a user profile and it has a Password field in it. Any time the profile is saved, regardless of whether or not the password was changed, web browsers popup a prompt asking if it should 'Change the Save Password'; is there a way to avoid this behavior?
<3> Haoshiro: no, password fields are detected by some browsers and their behavior is browser-controlled.
<6> Probably not easily
<6> What he said
<5> that's what I was afraid of
<5> it just seems like i've seen other apps that did not have this issue :\
<3> Haoshiro: that would be like writing a web app that clears someone's browser cache for them.
<7> I am looking at setting up an intranet right now. Is there any way to authenticate a user with php based on user info from a Windows Domain Server?
<4> Haoshiro: Google "firefox password autosave" (no quotes). I know you can turn that behaviour off, but I don't remember and I don't feel like looking it up.
<4> I have no clue about IE though
<5> ds-: thanks, i thought i had seen something
<3> ds-: i'm sure IE has some vulnerability that could be exploited :)
<4> usually :P
<2> Smoked1: Yes - on the IIS server make sure it's SSL and then turn on basic authentication
<6> b1n0ry- but what does that have to do with what we were talking about?
<5> in fact, I'm wondering if this is also because i also have a Username field... perhaps if that wasn't their there would be nothing to associate the password to.... */me thinks*
<4> My common answer to this statement "I am having problems with IE?" is "Oh, you mean you opened it?"
<5> *there
<5> ds-: sure... but sadly we still have to support it. ie7 does nothing to help that either. we won't be rid of IE6 support for a Long while :)
<7> dampja1: I am running it on a UNIX box.
<4> but that doesn't mean I can't make fun of it :D
<8> hello
<3> Dragnslcr: since IE's password caching feature is a component of the browser and thus controlled exclusively by the browser, one would have to employ some form of browser vulnerability that, in Microsoft's words "would allow a hacker to gain access to the computer" in order to disable it.
<3> Dragnslcr: and it seems like there is always someone finding a vulnerability like that in IE somewhere.
<8> I want to create a 'remember me' login on my website. But how do I know which user is requesting my website? (i cant just make a cookie containing the username for security reasons I suppose)
<6> Oh, I thought you were just making a general statement
<5> b1n0ry: well, such parameters as "autocomplete=off" do exist to tell browser how to behave...
<6> spuds- you'd have to set the username/password in a cookie
<9> Pollita: php-5.1.2/ext/standard/string.c:3072: error: conflicting types for `php_str_to_str_ex' is an error i'm getting, but the line is PHPAPI char\n*php_str_to_str_ex(char *haystack, int length, \nchar *needle, int needle_len, char *str, int str_len, int *_new_length, int case_sensitivity, int replace_limit, int *replace_count)\n{ (this one here)
<8> Dragnslcr, but anyone that captures that cookie can see the password ?
<9> ..how?
<3> spuds: you would formulate a cookie with some sort of identifying information. not necessarily the password. perhaps a randomly-generated key that could be used in conjunction with the username and matched to the database later.
<6> spuds- yup, as can anyone that captures them typing their username/password into a form
<8> Dragnslcr, true.
<3> spuds: and you wouldn't store the plaintext password anyway, you would store an encrypted hashed password in the cookie.
<6> You could store a hash of the password
<8> Dragnslcr, b1n0ry: I thought I could just make the browser save the session id for later reference.
<10> MD5 is ***NOT*** encryption
<6> Which would at least prevent someone from seeing the original password
<3> Jymmm: i didn't say it was :)
<10> b1n0ry you would store an encrypted hashed password
<6> Basically, there's no way to make a "remember me" system completely secure
<3> Jymmm: actually, that was just a possible suggestion. not what i would do.
<11> just a hashed password would be as secure as any unix system
<10> b1n0ry I know you didnt say it directly, but ppl get confused already
<6> Whatever you store as a cookie, anyone else can copy that cookie, no matter what it contains
<12> is it possible for imagecolorsforindex() to get cmyk values instead of rgb values?
<8> Why can't I just make the server remember the session id and keep the variables on the server. Wouldn't that be much easier ?
<3> Jymmm: and thus my inclusion of the word "encrypted" hashed password
<10> b1n0ry less the word 'encrypted'
<8> like session_start(); session_remeber(sessionid);
<6> spuds- sure, but that still wouldn't prevent someone from stealing the session id
<3> Jymmm: i understand why you are saying, which is why i said "encrypted" not just "hashed"
<3> spuds: and when someone comes along and passes a fabricated session id via the URL, what would happen?
<6> Depends on how you define "encryption"
<10> b1n0ry: encryption, implies decryptions as well. the wording is wrong and way too easily confused.
<13> if i have /A/Foo.php /B/Foo.php /C/Foo.php /test/index.php
<6> A hash can be described as "one-way encryption"
<8> b1n0ry, so the way it is, is more secure ?
<10> !+md5
<14> MD5 is a message digest (one-way hash), typically used to create digital signatures and for preventing passwords from being stored in plain text. IT IS NOT ENCRYPTION. See also: SHA1 and http://www.cryptography.com/cnews/hash.html Hint: if(md5($User_entered_password) == $stored_user_password){}.
<13> and have a function inside index.php that imports/includes /A/bob.php or /B/bob.php
<15> and also used to fingerprint data
<10> Dragnslcr: not encryption, cryptography maybe.
<10> infralite what do you think 'digital signatures' means?
<13> depending if /A/Foo.php or /B/Foo.php calls it
<15> Jymmm: yeah, i was adding to you
<3> spuds: personally, i wouldn't store anything related to the password in a cookie. but that's me. if you are going to, use something non-reversible such as a hashing algorithm to store it and match that in your database.
<6> The general use of "encryption" implies two-way, but I think the "technical" definition includes one-way
<15> Jymmm: like files, texts, music etc too
<16> man im so tired
<6> Like I said, depends on which definition of encryption you use
<16> md5 and sha have been broken
<16> fwiw
<6> I always use the word to mean two-way
<15> winmutt: not *broken*
<6> You can't "break" a hash
<3> Encryption: "The process of coding data so that a specific code or key is required to restore the original data." <-- by definition, encryption is reversible.
<15> but there are collisions
<16> yes
<10> winmutt HUGE difference between broken and collision
<6> You can never reliably get the original data back from a hash
<16> its not that there are collisions but that they can be generated fairly easily
<3> winmutt: wouldn't that depend on how many characters are in the hash and which hashing algorithm is used?
<16> md5 is within 2^64th permutations
<16> i didnt see a number on sha
<15> the data / time tradeoff system helps most short hashes to be solved quickly and easily, but it's nothing more than a different form of bruteforce
<16> lets just say they arent perfect
<16> :)
<17> big difference between finding collisions and finding a collision for a particular hash
<16> Xyphoid: how?
<6> Which is of course why you use salts. Even if you find a collision in one system, you probably won't get the same collision in another system
<3> winmutt: do the math, a hex code encryption of 32-bits in length would generate 32^16 possible hex combinations. That's 1.2e+24 distinct serial runs before the first collision. thus, the chances of randomly generating a collision in any reasonable amount of time is highly unlikely.
<3> of course, "luck" is a hacker's best friend.
<17> win: a collision lets you build two files that hash the same. that's a useful attack against some hash uses. but it's not useful against *most* hash uses.
<17> the thing is that you need to use the files you have a collision for. however, starting with a hash and finding collisions for *that* hash is much harder
<18> b1n0ry: Luck and maybe 3 SMP cray's :)
<3> Stormchaser: lol, isn't a gigaflop like a billion floating-point operations per second?
<18> b1n0ry: so?
<4> that's what I need for valgrind
<3> even a system that can process at 13 gigaflops would require 9.3e+13 seconds to generate all possible md5 hash values.
<19> I've got another question... how can I populate an array using values coming from MySQL in a where statement?
<19> where ($row = mysql_fetch_array($query))
<18> b1n0ry: Google for DES cracker
<19> the method I have, only assigns the last record. I assume I'm overwriting the array each time
<20> (Ab)using md5 collisions: http://www.cits.rub.de/MD5Collisions/
<21> Hey all. Has anyone done a connection to a quickbooks RDS server from PHP on linux?
<3> Stormchaser: heheh, they mentioned a good idea... roll out the system as part of some massive distributed computing project.
<17> et: nice example.
<22> FenixRF: where??
<19> where what?
<18> b1n0ry: But of course :)
<22> FenixRF: what is a where statement?
<22> FenixRF: do you mean while?
<19> yeah
<19> my brain is fried
<19> sheesh
<19> hehe
<4> screw md5 just use rot13, it's secure enough :/
<16> b1n0ry: did i know say it was possible in 2^64? thats a bit less than 1.2e+24
<16> s/know/not
<23> i need a help
<22> FenixRF: $arr[] = $row;
<17> we swapped out our rot13 implementations with rot39
<16> NiDhiBeY: me too, know a good shrink?