Christian F.
Staff Alumni
Posts: 3,072
Days Won: 18

Everything posted by Christian F.

  1. Please do not double-post: http://forums.phpfreaks.com/topic/275399-help-me-with-this/
  2. No, you don't need to compile PHP manually on Windows. If phpinfo states that OpenSSL is installed and activated, then it is installed and activated. There is nothing more you can do by compiling PHP manually. Basically, all you do with ./configure is to tell which modules should be enabled/disabled with PHP by default. You're not configuring the modules themselves. That said, you still haven't told us what the actual problem is, just what you think the solution is. In order for us to help you, we'll need to know why you think you have to do this. Remember, the more detail you can provide on the problem, the easier it'll be for us to help you. Check the logs for error messages, make sure that all error reporting is turned off, and so forth.
  3. If you searched for it, you did a really poor job if you weren't able to find anything, considering how easy it is. When it comes to how PHP handles its memory, it sounds like you need to study garbage collectors in general, and how PHP implements it in particular. Not to mention how operating systems allocate, and de-allocate, memory. You've also got to learn C, so that you can hack at the PHP code, seeing as you can't change the behaviour of PHP with PHP code: you'll need to edit the source code for that. All in all, you have lots (not just a bit) to learn about security with regards to memory management, before you go about mucking about with it. If you don't have 100% control over what you do, you are liable to actually add security flaws rather than fixing any (perceived) flaws. Also, encrypting your disk doesn't do squat against someone who breaks into your computer. What disk encryption is good for is the case where people run off with your disk (or computer) and try to gain access to it from another system (or after the computer has been shut down). If the disk is mounted on the system, and someone gains access to said system, they also (naturally enough) gain full access to the disk as well. Especially if they have root.
  4. There are other methods in which you can dump your RAM to disk, quite easily too. Even if /dev/mem only shows 1 MB. Also, PHP is not responsible for where stuff gets saved in the RAM, that's the OS' job. A job which it does at random, to prevent attackers from targeting specific applications with the aforementioned buffer attacks. However, dumping /dev/mem requires root permissions, at which point the whole security issue becomes moot. Root trumps all. Period. Which is what people have tried to tell you. This is like trying to figure out how to lock the window in your attic, in a three story house, when you've just had a hurricane blow out all of the windows and doors in the rest of your house.
  5. Congrats mate, well deserved!
  6. Just noticed a little mistake in the code above. For some reason there's an extra false && which shouldn't be there, in the final constraint check. Remove it to make the special characters limitation apply.
  7. That configure command is for configuring the build-process on a *nix system, if you're going to manually compile PHP. Not for configuring the plugin itself, which is done in php.ini. Seeing as you're neither on a *nix based system, nor wanting to compile PHP manually, you should just ignore that.
  8. Two quick answers, plus a bonus one: The star in regular expressions means "zero, or more", and the period means "any character, except newlines". Ignore the part in parentheses, as they're zero-width lookaheads, and what you need to change should become clear. Also, on a related note to the other thread, you should be removing that negative lookahead for whitespace in there. This RegExp requires alphanumerical characters, both upper and lower, but no special characters. I, personally, prefer to put a requirement on those too, just to ensure that the entropy pool is as big as it can get. Makes it that much harder for people to come up with truly terrible passwords, even if it's not foolproof. For an example of what I use, I just posted a PHP function for password validation. The RegExp should be directly portable to JS.
  9. Continuing my posting of security-related functions in this section, I've decided to post this one up. I've posted a basic version of the RegExp previously, to which Psycho gave me some good feedback. Thus, the current function was born:

     // Define the flags used for validating passwords.
     define ('SF_VALIDATE_PASS_LOWER', 1);
     define ('SF_VALIDATE_PASS_UPPER', 2);
     define ('SF_VALIDATE_PASS_NUMERICAL', 4);
     define ('SF_VALIDATE_PASS_SPECIAL', 8);
     define ('SF_VALIDATE_PASS_ALL', 15);

     /**
      * Validates the password according to the flags and minimum length given.
      *
      * Returns true if the password matches the constraints, or false if it fails.
      *
      * Default minimum length is 8 characters, and all flags activated.
      *
      * @author Christian Fagerheim (Fagerheim Software)
      * @link www.fagsoft.no
      * @license Creative Commons Attribution-ShareAlike 3.0. http://creativecommons.org/licenses/by-sa/3.0/.
      *
      * @param string $password
      * @param int[optional] $minLength
      * @param int[optional] $flags
      *
      * @return bool
      */
     function validatePassword ($password, $minLength = 8, $flags = SF_VALIDATE_PASS_ALL) {
         // Make sure we got a valid minimum length.
         if (!is_int ($minLength) || $minLength < 0) {
             trigger_error ('Minimum length must be a positive integer', E_USER_ERROR);
         }

         // Create the constraints for the password, one zero-width lookahead per flag.
         $passReg = '';
         if ($flags & SF_VALIDATE_PASS_LOWER) {
             $passReg .= '(?=.*[a-z])';
         }
         if ($flags & SF_VALIDATE_PASS_UPPER) {
             $passReg .= '(?=.*[A-Z])';
         }
         if ($flags & SF_VALIDATE_PASS_NUMERICAL) {
             $passReg .= '(?=.*\\d)';
         }
         if ($flags & SF_VALIDATE_PASS_SPECIAL) {
             // preg_quote escapes the regex metacharacters in the list, and the '/' delimiter.
             $special = preg_quote (',.;:"\'!?*(){}[]/^§|#¤%&_=<>@£$€ +-', '/');
             $passReg .= "(?=.*[$special])";
         }

         // Add the minimum length requirement.
         $passReg .= '.{'.$minLength.',}';

         // Check that the password matches the constraints, and return a boolean.
         if (!preg_match ("/^$passReg\\z/u", $password)) {
             return false;
         }
         return true;
     }
  10. First off, standard notice: You're not stating what library you're using to connect to your MySQL database, but since AyKay mentioned the old (and no longer maintained) mysql library... You should be using either mysqli or PDO to connect to your database, as both of them are actively developed and contain all of the new(ish) features that the old mysql library is missing. Not to mention, since it's no longer developed it is insecure, and thus is deprecated in PHP 5.5 (and onwards). Then, to your question. The difference between FILTER_VALIDATE_SPECIAL_CHARS and htmlspecialchars is listed in the manual, so I recommend following the first link and reading up on it for yourself. That said, as the two above touched upon: You don't want to be using either prior to inserting the data into the database. Escaping output should only be done immediately before sending the content to a third-party system, and then only escaping using the proper methods. Which means that when you add the data to the SQL query, you need to either use mysql::real_escape_string (or PDO's equivalent) or Prepared Statements. The latter is recommended, as the database takes care of the proper way to escape the output automatically. The HTML escaping methods, however, should only be used when adding data to HTML strings, or when you're echoing out content to the browser. Escaping for the wrong system, or prematurely, will corrupt the original data and cause usability issues (at the very least). If you're really unlucky, it may make the data or the whole system unusable.
  11. That was one out of four questions filled. Plus an infraction by hijacking someone else's thread. You're not making it easy, nor very desirable to help you, you know. Why should we spend our free time to try to help you, when you're not even taking the time to read our posts (or rules) properly? We're here to help those who want to learn, not to waste our time or work for free.
  12. No, not problematic at all. If anything, it's desirable as it increases the entropy (available character space). Technically speaking, it is desirable to allow any printable character in a password. As for every character disallowed in a password, the time it'll take an attacker to crack the password is reduced exponentially: The entropy is defined by number of characters in a password raised to the power of available characters, after all. (Length^allowed characters, in other words.) Just to give you an example of how much difference only two disallowed characters would make, and then we only assume 95 printable characters in total (basic ASCII):

      php > $len1 = pow (10, 95);
      php > $len2 = pow (10, 93);
      php > echo $len1 - $len2;
      9.9E+94

      In case you're doubting it, yes: That is 99 followed by 93(!) zeroes fewer potential passwords an attacker has to search. All from just removing only 2 characters from the pool. Or, in other words, you just reduced the entropy by 99%.
  13. You want the user to call a number, from his computer? If so, then this is not possible with PHP (alone). Or, at least not unless you're hosting said web site on that user's computer. The difference between PHP and those two applications you listed is that both Outlook and Windows Dialler exist and run on the local computer, while PHP runs on the server which serves the web page. To give the user the ability to "phone" from his browser, you'll need a third-party application, most likely. Most likely something based upon Flash or Java Applets, though HTML 5 might be possible as well. The exact method to solve this one greatly depends upon how complex you need it to be, but I wouldn't be surprised if it involved setting up Asterisk (or another phone server).
  14. I recommend watching this video: Then read this article: http://www.openwall.com/articles/PHP-Users-Passwords And, finally, rewrite the login system using what you just learned to make it secure.
  15. First of all: Welcome to PHPfreaks. Secondly, as for your tip. If I were to give two tips, they'd have to be: Make sure you read the rules, and follow them. Post your requests for help in the correct section. People tend to offer more (accurate) help if you do.
  16. *A wild Ashe appears* You're welcome, glad we could help.
  17. Have you tried it? If so, did it work or not? We cannot give you any guarantees that the code will work, as there are way too many factors involved. Not the least of them being the existing code you have. That said, the code looks right, and should work. If you get errors, investigate them and try to see if you can figure out why you get them. If you've tried, and still can't figure it out, then please post them here so that we can guide you on where to look.
  18. I don't see any attempts to check for missing input there, at all. Nor do I see any specific questions as to what you're having difficulty with. So I'm forced to assume that you haven't tried to solve this on your own, at all, and are just looking for people to work for free. As previously noted: This is not the correct section for that.
  19. Seeing as FULLTEXT searches are a MySQL question, and nothing to do with PHP, I've moved this to the correct section. Also, what you have there is not a fulltext search. It's a regular "partial match" search. So before anything, I would recommend you to actually read up on fulltext searches in MySQL. That said, what is your question? I don't see one in your post, and I'm afraid I cannot read your mind. So please remember to give an accurate and full description of your issue, preferably complete with examples of what you want (and what you're getting). That way we will, hopefully, have all of the information we need to help you, straight away, instead of having to waste a lot of time asking you for every single detail (or guessing at them). Thank you.
  20. Not entirely sure this can be done with Regular Expressions, to be honest. If it is possible, then you'd probably be looking at a recursive pattern with named references and lookaheads. An extremely complex expression, in other words, which I suspect would require a lot of resources to compile. A better approach in this case would be to make a very simple tokenizer, and have it parse the strings character (group) incrementally. This is quite easily done by using mb_substr, mb_strpos and mb_strlen. Plus a loop. Using the MB functions to ensure that it doesn't break on multi-byte characters.
  21. Actually, haku, the slashes should never make it into the database in the first place. They're only there to escape the single quotes, so that they are read as plain text by the SQL engine.
  22. What have you tried? This section is for getting help with code that you're writing yourself, but have gotten stuck on for some reason. It's not for getting us to write the code for you, but for us to help you learn to do it yourself. If you want others to do it for you, you'll need to post in the Freelancer section. Also, be prepared that this will most likely cost you money.
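The following is an added example illustrating the escaping rule in post 10 (and the point in post 21 that escape characters must not end up in the database). It is not code from the original posts. It uses PDO with an in-memory SQLite database, which is an assumption made so the script runs offline; the table name, the sample comment and the renderComment() helper are all constructed for this illustration. It stores one comment correctly with a prepared statement, stores a second copy that was wrongly run through htmlspecialchars before insertion, and then renders both, so the doubled escaping in the second row shows what "escaping for the wrong system, or prematurely" does to the data. It also runs the naive string-concatenated INSERT to show how an apostrophe in the name breaks it.

```php
<?php
// Added example (not from the original posts): store untrusted input with a
// prepared statement, escape for HTML only at the point of output, and show
// what goes wrong when the data is escaped for the wrong system, or too early.
// Assumes the pdo_sqlite extension; the schema and sample data are constructed.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

// Constructed sample input: an apostrophe in the name, markup in the body.
$author = "O'Brien";
$body   = 'I think <b>5 < 6</b> && "quotes" are fine';

// Wrong: concatenating user data into SQL. The apostrophe in the name breaks
// the statement; the same flaw is what SQL injection exploits.
try {
    $pdo->exec("INSERT INTO comments (author, body) VALUES ('$author', '$body')");
} catch (PDOException $e) {
    echo "Concatenated query failed: ", $e->getMessage(), "\n\n";
}

// Right: a prepared statement. The driver handles quoting, so no slashes or
// entities are ever written into the stored value.
$insert = $pdo->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
$insert->execute([':author' => $author, ':body' => $body]);

// Wrong: escaping for HTML before storage. The entities become part of the data.
$insert->execute([
    ':author' => htmlspecialchars($author, ENT_QUOTES, 'UTF-8'),
    ':body'   => htmlspecialchars($body, ENT_QUOTES, 'UTF-8'),
]);

// Render: escape for HTML exactly once, immediately before output.
function renderComment(array $row): string
{
    return sprintf(
        '<p><b>%s</b>: %s</p>',
        htmlspecialchars($row['author'], ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($row['body'], ENT_QUOTES, 'UTF-8')
    );
}

$rows = $pdo->query('SELECT author, body FROM comments ORDER BY id')
            ->fetchAll(PDO::FETCH_ASSOC);

foreach ($rows as $i => $row) {
    echo ($i === 0 ? "Stored raw:         " : "Stored pre-escaped: "), $row['body'], "\n";
    echo "Rendered:           ", renderComment($row), "\n\n";
}
// Row 1 displays exactly what the user typed (the <b> tag shown as text, not
// interpreted). Row 2 displays "&lt;b&gt;5 &lt; 6..." literally in the page,
// because the premature escape was baked into the data and then escaped again.
```

The second row cannot be repaired at output time without guessing how many times the data was escaped, which is why the post says premature escaping corrupts the original data.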
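The following is an added example of the approach in post 20: a small tokenizer that walks a string one character at a time with mb_strlen, mb_substr and mb_strpos in a loop, instead of a regular expression. It is not code from the original post. The character classes (word, number, space, other) and the letter test (a character is a letter if its upper- and lower-case forms differ) are assumptions made for the illustration; a real tokenizer would use whatever classes its input format needs, and the letter test does not recognise uncased scripts such as CJK. The sample string is constructed.

```php
<?php
// Added example (not from the original post): an incremental, multibyte-safe
// tokenizer built only from mb_strlen, mb_substr, mb_strpos and a loop.
// The character classes and the letter heuristic are assumptions.

const ENC = 'UTF-8';

// Classify a single character. mb_strpos is used to look the character up in a
// small alphabet; the letter test relies on cased scripts having distinct forms.
function classifyChar(string $ch): string
{
    if (mb_strpos('0123456789', $ch, 0, ENC) !== false) {
        return 'number';
    }
    if (mb_strpos(" \t\r\n\u{00A0}", $ch, 0, ENC) !== false) {
        return 'space';
    }
    if (mb_strtolower($ch, ENC) !== mb_strtoupper($ch, ENC)) {
        return 'word';
    }
    return 'other';
}

// Walk the string by character (not by byte) and group runs of the same class.
function tokenize(string $input): array
{
    $tokens = [];
    $length = mb_strlen($input, ENC);
    $pos = 0;
    while ($pos < $length) {
        $class = classifyChar(mb_substr($input, $pos, 1, ENC));
        $start = $pos;
        // Extend the current token while the next character has the same class.
        while ($pos < $length && classifyChar(mb_substr($input, $pos, 1, ENC)) === $class) {
            $pos++;
        }
        $tokens[] = ['type' => $class, 'text' => mb_substr($input, $start, $pos - $start, ENC)];
    }
    return $tokens;
}

// Constructed sample input with multibyte letters and mixed punctuation.
$sample = "Grüße, Welt 42 ünd 3.14!";

// Why the mb_* functions matter: byte-oriented functions miscount and can cut
// a character in half (substr stops inside the two-byte 'ü').
printf("strlen=%d  mb_strlen=%d\n", strlen($sample), mb_strlen($sample, ENC));
printf("substr(0,3)=%s  mb_substr(0,3)=%s\n\n",
    bin2hex(substr($sample, 0, 3)), mb_substr($sample, 0, 3, ENC));

foreach (tokenize($sample) as $token) {
    if ($token['type'] !== 'space') {
        printf("%-6s %s\n", $token['type'], $token['text']);
    }
}
// Expected tokens (spaces omitted): word Grüße, other ",", word Welt,
// number 42, word ünd, number 3, other ".", number 14, other "!".
```

Because every step goes through mb_substr on a character index, the loop cost is proportional to the string length and the logic stays readable, which is the trade-off the post recommends over a recursive pattern with lookaheads.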