<0> http://pastebin.com/735413
<0> nasty little bug, i think.
<0> stomps all over the original array.
<1> bullrage: It's better to store a separate hash (in the session and in the user database) that you renew on every login, and match against that.
<2> Now you've lost me :D
<3> fgrhty: okay... I had enough fun... Now stop PM-ing me and go away.
<4> any thoughts on what is considered better coding practice when using variables in the querystring? some_variable vs. someVariable
<3> \o/
<5> O.o
<1> thirdLibr: That really doesn't matter, it depends on what you use as a code convention, as long as you're being consistent.
<4> true
<1> bullrage: And what is $set_session_user = $validate_user; supposed to do?
<4> just wanted to see what you gurus like to do
<3> xshad: http://pastebin.com/735418
<1> thirdLibr: Usually when you work at a company there is a code convention document that you need to stick to.
<2> HolyGoat: sends the username to the next session page where it is checked against the database
<5> haha :)
<5> you're evil :)
<2> (I'm new HolyGoat, all suggestions and improvements are welcome)
<3> xshad: More than you know :)
<1> bullrage: OK. I just don't see any usernames passed to a session.
<4> HolyGoat: i'm apparently the entire IT dept. so i need to make one
<1> bullrage: Being new is fine. Just know that security is a very touchy subject.
<4> i used to do some_var but after doing some .net work i realized most m$ programmers prefer the someVar notation
<6> BullRage, may i suggest using Pear::Auth
<6> it's already premade, no reinventing the wheel and possibly making security mistakes
<2> setting ?success=true doesn't work by the way, it just takes me back to the login screen
<1> thirdLibr: Well, if no one needs to read it, it doesn't make a lot of sense to create a document like that, just make sure you are being consistent.
<1> thirdLibr: It's true, code conventions usually come from whichever language gets used. In ruby (well especially rails) class names are in CamelCase, while functions_and_variables_are_underscored
<3> bullrage: Funny enough, there was a thedailywtf.com entry like that... you added a ?authorized=true and *bingo* Instant access :)
<1> bullrage: Then register_globals isn't on. But your code is not safe when it comes to portability.
<2> HolyGoat: The weird thing is, both the Local and Global entry on phpinfo() reports that it is on :S
<1> bullrage: Remember to _always_ set variables before using them. Not only is that a good and clear programming practice, it's also more secure and diminishes undefined behaviour, which results in faster bug shooting.
<1> bullrage: As long as the if-statement returns false, passing success should work. I don't know your environment, but I do have some common sense.
<2> Ah, I had a typo. The success=true does log on. What's the best way around that?
<1> bullrage: Initialize $success to false before assigning true to it
<1> bullrage: So on top of your script: $success = false;
<2> HolyGoat: Done that, thanks :)
<1> bullrage: Always be paranoid, especially when it comes to security.
<1> (but even when it doesn't)
<2> Just need to get around the Injection. What were you saying about no usernames being passed to a session?
<1> bullrage: Handling SQL quoting is a bit tricky. Here's a convenient function that will handle the escaping correctly for you. function quote($value) { if(get_magic_quotes_gpc()) { $value = stripslashes($value); } return mysql_real_escape_string($value); }
<1> bullrage: I think I mentioned that you should not store passwords in sessions, not even hashed ones.
<1> (like you're going to be doing, I figure from your code)
<2> (HolyGoat) bullrage: It's better to store a separate hash (in the session and in the user database) that you renew on every login, and match against that.
<1> Exactly.
<2> HolyGoat: I should just match the username and generate a random hash for each member and store it in the database, and match that hash to them instead of the password?
<7> bullrage: sha1( uniqid() . microtime() ) for example
<7> bullrage: for a remembered login...
<1> bullrage: Correct. And upon each login, you reset the hash, to make it more secure.
<2> Ah, that seems easy enough.
<7> HolyGoat: I was actually thinking that such identifiers (including session id) should rotate every request, but that might be a little paranoid
<7> (then again, I never said I wasn't)
<1> bullrage: You also want to think about XSS attacks, even though it's not relevant for the code you're presenting. Always use strip_tags() and escape data when outputting.
<8> !+xss
<9> [XSS - Cross site scripting] NEVER accept user input without some type of filtering. See: http://en.wikipedia.org/wiki/XSS and http://www.technicalinfo.net/papers/CSS.html
<1> AcidReign: Per requrest seems a little senseless though, chances are low that a login will be cracked _while_ the script is executing :)
<1> (yes requrest is a new word :p )
<1> caffinated: Well or some regex or make sure you escape _everything_ that comes out.
<8> HolyGoat definition?
<2> I've jotted down a lot of the things you've suggested, so I'll take a look. Thank You
<10> strip_tags() is a bad practice. it causes results which confuse users.
<1> Jymmm: "HolyGoat trying to type 'request'"
<10> instead, use htmlentities() on output you intend to present to the user.
<10> this will take care of html/javascript injection while not confusing users.
<1> caffinated: Only if you explicitly allow HTML. I've always thought that it is unnatural for a user to be able to insert HTML in a request, unless explicitly stated that he can.
<11> is there anything, other than not compiling with sockets, that would prevent fsockopen from working?
<1> \Dj\Krit\: How exactly is it not working?
<7> HolyGoat: not the login, but the session id or remembered login id could be sniffed
<10> HolyGoat: I normally won't allow HTML either, unless it's a WYSIWYG editor of some kind. there are other forms of notation one can use
<11> HolyGoat: it's not that mine isn't working, i'm just trying to figure out why it might not on a client's machine when i release my script to the masses
<11> just trying to anticipate issues
<10> Jymmm: you can shake your head all you want to by the way. I'm not new at this.
<8> caffinated ?! WTH?
<1> Jymmm: "HolyGoat trying to type 'request'"
<1> \Dj\Krit\: Firewalls might block the request, but that doesn't really equal "not working"
<2> caffinated: So whenever outputting something to the browser which uses HTML code, use htmlentities()?
<1> bullrage: Not only when it uses HTML code, _always_ do it.
<10> bullrage: no, whenever outputting something to the browser which you don't want to be interpreted as html code.
<2> like?
<10> you don't seriously need examples, do you?
<2> no, I'm messing ;p
<1> alright, I'm going to take a shower and drink a lot of beer, day off tomorrow :)
<2> Thanks for the help HolyGoat
<8> HolyGoat : Just don't shower with the beer, or its recycled counterpart.
<8> Mmmmmmmmmm.... beer marinated bbq goat!
<3> lol
<1> heheh
<1> they're called golden showers
<1> Ok I have to stop right there
<2> caffinated: Wouldn't htmlspecialchars be sufficient?
<3> HolyGoat: you better :)
<10> bullrage: did you read the manual about it?
<2> yes, and I read the comments at the bottom
<10> then you shouldn't have to ask me
<2> one of the comments for htmlentities: 'Please, don't use htmlentities to avoid XSS! Htmlspecialchars is enough!'
<2> Ah I understand now, nevermind.
<12> is it possible to have 2 sessions at once? What happens if there is already a session running and I start a new one?
<6> with session_start()?
<12> yes
<6> it just uses the same session
<12> ok
<6> one session per client
<12> thanks
<10> Cyno: generally you can't because a single cookie or query string variable is used to store the session id
<10> you could probably hack your way around it but it is not worth it
<6> and generally you wouldn't need to
<10> agreed
<12> well i just don't know if there already is a session
<12> so i didn't know if i needed session_start() or not
<10> using session_start() multiple times doesn't hurt anything
<12> ok thanks
<10> you should be doing it at least once at the top of every session-enabled page
<6> yeah, you won't be able to read $_SESSION variables without using session_start() on the page
<13> hi everyone
<6> hello
<10> well, unless you have session.auto_start enabled
<10> but that has its own problems
<12> I don't know if i do or not
<6> yeah that's true, but i wouldn't consider that good practice
<12> and this one page is made up of 3 pages
<6> unless the entire server was using session 100% of the time
<10> doesn't really matter if it's on or off. call session_start() anyway.
<12> it is phpbb
<2> is it safer to use $_SESSION[''] than just $sessionvariable?
<12> but it is working now with adding session_start() in there
<8> phpbb is a big security exploit
<12> thanks for the help :)
<10> bullrage: if you can help it, don't use registered globals
<10> bullrage: always use the arrays
<14> bullrage: Yes, always use $_SESSION.
<2> Thanks.
<10> bullrage: if you code properly it's not an issue to use the latter, but it is less compatible
<15> http://pastebin.com/735473 This is the index to my website. The first php huge ass block gets information from PHPbb, the second php block gets information from settings (this is for a blog type thing) .... I think this is improper php syntax and was wondering how to make it right
<10> !tell WCX about g10
<15> can I tell you this has nothing to do with other scripts
<15> it's just how you retrieve information
<15> syntax.... that's what's wrong
<16> can someone help me set up my vps, i have a few questions
<8> !+g10
<9> Guideline #10) We don't support script(s). We help you *write* PHP, not recommend or download and install/hack/modify/adapt/use pre-written scripts
<17> space html char ?
<15> I would think php would be able to fetch things twice... but maybe I am wrong about this
<18> I receive Fatal error: Class 'SvgDocument' not found in D:\X_Site\project02\prog\classes\svg\Example.php on line 9
<5> and?
<8> WCX: You've been told twice... we don't support scripts here. Please respect the guidelines and don't make us have to repeat over and over again. Try #phpbb if you must.
<18> and seem to be ok : include(SVGBASE."SvgDocument.php"); // Create an instance of SvgDocument. All other objects will be added to this// instance for printing.// Set the height and width of the viewport.$svg = new SvgDocument("400", "200"); $svg->printElement();
<13> SVGBASE don't have a $ ?
<15> jymm, fine... i won't ask about php syntax here
<18> svgbase is declared correctly as : define("SVGBASE", "http://".$_SERVER["HTTP_HOST"]."/prog/classes/svg/");