Everything posted by ajoo

  1. ajoo

     phpmailer

     Hi all! I used the following script to send a test mail, which works fine.

     <?php
     require_once('PHPMailer-master/class.phpmailer.php');
     require_once('PHPMailer-master/PHPMailerAutoload.php');

     define('USER', 'mymail@gmail.com'); // GMail username
     define('PWD', 'myPassword');        // GMail password

     $to = 'mee@gmail.com';
     $from = 'mymail@gmail.com';
     $from_name = 'Ajoo';
     $subject = 'Test Message';
     $body = 'This is PHP Mailer in Action';

     smtpmailer($to, $from, $from_name, $subject, $body);

     function smtpmailer($to, $from, $from_name, $subject, $body)
     {
         global $error;
         $mail = new PHPMailer();   // create a new object
         $mail->IsSMTP();           // enable SMTP
         $mail->SMTPDebug = 0;      // debugging: 0 = off, 1 = client messages, 2 = client and server messages
         $mail->SMTPAuth = true;    // authentication enabled
         $mail->SMTPSecure = 'ssl'; // secure transfer enabled, REQUIRED for GMail
         $mail->Host = 'smtp.gmail.com';
         $mail->Port = 465;
         $mail->Username = USER;
         $mail->Password = PWD;
         $mail->SetFrom($from, $from_name);
         $mail->Subject = $subject;
         $mail->Body = $body;
         $mail->AddAddress($to);
         if (!$mail->Send()) {
             $error = 'Mail error: ' . $mail->ErrorInfo;
             echo 'Mail error';
             return false;
         } else {
             echo 'Message Sent';
             $error = 'Message sent!';
             return true;
         }
     }
     ?>

     I just want to know if this is secure enough. It was pointed out in a previous mail that the PHP mail() function was not secure by itself and the variables were vulnerable to various mail injections. So is this safe now just by virtue of the fact that it's using a library and that takes care of the security? Or do we need to take some precautions here too? Thanks all!
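     An added example (my code, not part of the post) showing the same PHPMailer send with the checks a reviewer would want around it. PHPMailer builds the headers itself and validates addresses, so a CR/LF inside a value does not become an extra header the way it does with raw mail() string concatenation; even so, the address and subject are validated here, the return value of addAddress() is checked, and the password is read from the environment instead of living in the source. The SMTP_PASSWORD environment variable and the PHPMailer 5.x layout from the post are assumptions.

```php
<?php
// Added example, not from the post. Assumes PHPMailer 5.x (PHPMailerAutoload.php)
// and an SMTP_PASSWORD environment variable instead of a password in the source.
require_once 'PHPMailer-master/PHPMailerAutoload.php';

define('USER', 'mymail@gmail.com');

// Header fields must never contain CR, LF or NUL: a line break inside a header
// value is exactly what classic mail-header injection relies on.
function header_safe($value)
{
    return is_string($value) && strpbrk($value, "\r\n\0") === false;
}

function send_notification($to, $subject, $body)
{
    if (filter_var($to, FILTER_VALIDATE_EMAIL) === false || !header_safe($subject)) {
        return false;   // refuse suspicious input rather than trying to "clean" it
    }

    $mail = new PHPMailer();
    $mail->isSMTP();
    $mail->SMTPAuth   = true;
    $mail->SMTPSecure = 'ssl';
    $mail->Host       = 'smtp.gmail.com';
    $mail->Port       = 465;
    $mail->Username   = USER;
    $mail->Password   = getenv('SMTP_PASSWORD');   // assumed environment variable

    // The sender is a fixed constant; a request-controlled From header would let
    // a visitor impersonate others and is a common reason for mail to be rejected.
    $mail->setFrom(USER, 'Ajoo');
    if (!$mail->addAddress($to)) {   // PHPMailer validates again and returns false if it rejects the address
        return false;
    }
    $mail->Subject = $subject;
    $mail->Body    = $body;

    if (!$mail->send()) {
        error_log('Mail error: ' . $mail->ErrorInfo);   // details go to the server log, not the browser
        return false;
    }
    return true;
}
```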
  2. Hi Guru Jacques, would this be the correct equivalent?

     $mailcode = bin2hex(random_bytes(16));  // Use this to send as a token in the email
     $s = hash('sha256', $mailcode, true);   // Store this hash in the DB for the comparison later.

     If the above is OK, then I would like to ask what the need is to hash the token before storing it in the DB? Thanks!
  3. Thank you Guru Jacques!! for those inputs. I'll look into them and revert soon with the changes. Thanks !!
  4. Hi Kicken, would this be the right way to do it, and is this good enough from the security standpoint?

     $user = 'Jack';
     $mailcode = bin2hex(random_bytes(16));
     $s = hash_hmac('sha256', $mailcode, $user, true);
     $s = base64_encode($s);

     And then use $s as the secure token. Thanks loads.
  5. Hi Kicken, thanks for the reply. The token is being used only to mark the account active. There is no autologin after that, just a message on a page welcoming the user and a button to redirect to the login page.

     $mc = md5($_SERVER['REMOTE_ADDR'].microtime().rand(1,100000));

     Is this method of creating a random token good enough? I am using the email to check if it's a valid email matching one in the database before I go ahead and actually activate the account, but I could do that with the token as well, I guess. So maybe I can remove the email in that case, as suggested by you. Thanks again.
  6. Hi all, I am using the following code snippet to send a mail on registration for the purpose of account verification by the user.

     <?php
     $user = 'Jack';
     $pass = 'You may pass';
     // a random string to be checked against itself stored in the DB
     $mc = md5($_SERVER['REMOTE_ADDR'].microtime().rand(1,100000));

     function send_mail($from, $to, $subject, $body)
     {
         $headers = '';
         $headers .= "From: $from\n";
         $headers .= "Reply-to: $from\n";
         $headers .= "Return-Path: $from\n";
         $headers .= "Message-ID: <" . md5(uniqid(time())) . "@" . $_SERVER['SERVER_NAME'] . ">\n";
         $headers .= "MIME-Version: 1.0\n";
         $headers .= "Date: " . date('r', time()) . "\n";
         if (mail($to, $subject, $body, $headers) === true)
             return true;
         else
             return false;
     }

     if (send_mail(
             'mymail@gmail.com',
             'their@gmail.com',
             'Register your Account.',
             "Click on this link http://www.yoursite.com/registeracc.php?email='their@gmail.com'&mc=" . $mc . " to activate your account"
         ) === true)
         echo "Success";
     else
         echo "Failed";
     ?>

     I would like to know if this is OK or if there is a better and more secure way to do it. Are there any security concerns that should be taken into account here? Thanks all!
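     An added example (my code, not from this thread) covering the token questions in posts 2, 4, 5 and 6: the activation token comes from random_bytes() rather than md5(ip.microtime().rand()), only its SHA-256 hash is stored so that a database leak or injection yields nothing usable, the link carries the token alone instead of the e-mail address, and the token is single-use and expires. The $db connection, the activations and users tables and their columns are assumptions.

```php
<?php
// Added example, not from the thread. Assumed schema:
//   activations(user_id INT, token_hash CHAR(64), created_at DATETIME)
//   users(id INT, active TINYINT)

function create_activation_token(mysqli $db, int $userId): string
{
    $token = bin2hex(random_bytes(16));   // 128 bits from the CSPRNG; predictable inputs such as IP and time play no part
    $hash  = hash('sha256', $token);      // only the hash is stored: whoever reads the table cannot activate accounts
    $stmt = $db->prepare('INSERT INTO activations (user_id, token_hash, created_at) VALUES (?, ?, NOW())');
    $stmt->bind_param('is', $userId, $hash);
    $stmt->execute();
    return $token;                        // this value goes into the e-mail link, e.g. registeracc.php?mc=<token>
}

function activate_account(mysqli $db, string $token): bool
{
    // Reject anything that is not a 32-character hex string before touching the database.
    if (strlen($token) !== 32 || !ctype_xdigit($token)) {
        return false;
    }
    $hash = hash('sha256', $token);
    // The link carries no e-mail address; the hash alone identifies the pending account.
    $stmt = $db->prepare('SELECT user_id FROM activations WHERE token_hash = ? AND created_at > NOW() - INTERVAL 1 DAY LIMIT 1');
    $stmt->bind_param('s', $hash);
    $stmt->execute();
    $stmt->bind_result($userId);
    if (!$stmt->fetch()) {
        return false;                     // unknown or expired token
    }
    $stmt->close();                       // free the result before running further statements

    // Activate, then delete the token so the link cannot be replayed.
    $db->begin_transaction();
    $upd = $db->prepare('UPDATE users SET active = 1 WHERE id = ?');
    $upd->bind_param('i', $userId);
    $upd->execute();
    $del = $db->prepare('DELETE FROM activations WHERE token_hash = ?');
    $del->bind_param('s', $hash);
    $del->execute();
    $db->commit();
    return true;
}
```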
  7. Hi Requinix, thanks for your inputs. I was able to manage it. Thanks!
  8. Hi Requinix, thanks for that reply. Yes, that's happening due to input[type=submit]. The triangular bit of the arrow disappears. It is retained with button[type=submit], but the arrow is distorted. Please check the new update to the link: https://jsfiddle.net/ajoo/hm11o3oh/9/ . Is it not possible to use the input[type=submit] without distorting the button? To see the initial button with <a href='' ...>, see this link: https://jsfiddle.net/ajoo/hm11o3oh/1/ . I mean I need this button to send POST values to the page. Thanks.
  9. Hi Requinix, thanks for the reply and sorry for the delay. I have been struggling with this for quite some time. I actually need to submit PHP values using the button, just like a regular button. I have been trying this out on a fiddle and here is the link to it: https://jsfiddle.net/ajoo/hm11o3oh/3/ . The triangular part of the button breaks and the button loses its shape. Kindly have a look at the fiddle and guide. Thanks!
  10. I have the following piece of code that gives me a beautiful button that I want to use in a form.

     <div class='lbk'><a href='' class='btn_lft'>&nbsp Left</a></div>

     On pressing the button I want to send some POST data back to the page, which is where I am totally stumped and can't figure out how I can do it with this button. It would be very simple to send it using basically a simple submit button, but then I won't get the arrow button that looks so neat. Please can someone help me figure this out if it is possible. I do not wish to use Ajax etc. Thanks all.
  11. Thanks again Jacques! I request you again to kindly take some time out to answer my query on your mail.
  12. Hi Kicken and Guru Jacques, thanks for the inputs. My Server API shows as Apache 2.0 Handler on my production server. I tried but could not find the file that holds the ProxyErrorOverride directive. Please enlighten. Thanks loads.
  13. Thanks Kicken for the response. I will look it up and revert if I have any further query.
  14. Hi, just one last thing. 1. What's the mechanics of sending this page on a local server running Apache? Should the page be created in the fatal_error_handler.php itself, or should it be created separately and redirected to? Or is there a directive in one of the config files on the server that points to some error page by default, so that there is no need to make any error page as well? By the way, I am using the Amazon AWS servers and the server uses Amazon Linux. Hmmm, I am not aware of this. Where can I find out about it? Kindly take some time out to revert to a query that I had sent on your personal messenger on phpfreaks. Thanks again very much.
  15. Hi Jacques, thank you very much. I had sent you a query on your personal messenger too. Kindly revert at your convenience. Thanks loads!!!
  16. Hi Jacques, thanks for the last reply. I have been trying out that code snippet to understand exceptions. From this:

     try {
         $con = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
         $query = "Select ID, UserLogin from test where SNo = ?";
         $stmt = $con->prepare($query);
         $stmt->bind_param('i', $sno);
         if ($stmt->execute()) {
             // throw new exception("HAHAH");
             $stmt->bind_result($ID, $user);
             $stmt->store_result();
             $stmt->fetch();
             echo " WOW ";
         }
     } catch (mysqli_sql_exception $e) {
         echo $e->getMessage() . " NO GO";
     }

     I observed that only this part of the code produced mysqli_sql_exception type exceptions:

     $con = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
     $query = "Select ID, UserLogin from test where SNo = ?";
     $stmt = $con->prepare($query);
     $stmt->bind_param('i', $sno);
     if ($stmt->execute())

     Even there, the bind_param produced the error if I created a mismatch in the number of parameters. The rest of the lines

     $stmt->bind_result($ID, $user);
     $stmt->store_result();
     $stmt->fetch();

     did not produce any mysqli_sql_exception type exceptions, even though they gave warnings, with the display_errors directive turned on, when I deliberately added an extra parameter in bind_result or added a parameter to store_result(). I gather from this that the last 3 lines of code above would not generate an exception of type mysqli_sql_exception, which is generated only by the other set of initial lines of code (up to and including $stmt->execute()), and I guess those are the lines that would actually throw the true kind of mysqli_sql_exception that is caused by query failure due to whatever reason. The other commands simply manipulate the retrieved data. Is that correct? Thank you very much.
  17. Hi Guru Jacques, I have another and related question on this, and that is on extending the Exceptions class. So suppose it is wished to capture only the database-related exceptions, and we are using mysqli prepared statements in code which is predominantly procedural. If we subclass like class DBException extends Exception, then how can this (extending of the Exceptions class as DBExceptions) be used to catch the mysqli-related exceptions in the following code, where a function LC($link) is called in a try-catch block and any DBExceptions are caught in the catch block?

     try {
         $verify = LC($link);
         $vu = true;
     } catch (DBException $e) {
         // do whatever on catching the DBException
     }

     function LC($con)
     {
         if (isset($_SESSION['id'], $_SESSION['user_id'], $_SESSION['usr'], $_SESSION['login_string'])) {
             $id = $_SESSION['id'];
             $user_id = $_SESSION['user_id'];
             $username = $_SESSION['usr'];
             $login_string = $_SESSION['login_string'];
             $user_browser = $_SERVER['HTTP_USER_AGENT'];
             $ip = $_SERVER['REMOTE_ADDR'];
             $query = "SELECT salt FROM loginstatus WHERE id = ? && status = 'ABA' LIMIT 1";
             $stmt = $con->prepare($query);
             $stmt->bind_param('i', $id);
             $stmt->execute();
             $stmt->bind_result($salt);
             $stmt->fetch();
             $LC = crypt($user_browser . $id . $ip, $salt);
             if (isset($_SESSION['login_string']) && $_SESSION['login_string'] == $LC) {
                 $stat = "Logged in !!";
                 return true;
             }
         } else {
             return false;
         }
     }

     Once again, what I am trying to ask is: assuming the function LC() can throw any kind of exception including DBException, how will the catch block know which exception is the one that is in the category of DBExceptions and catch that only? If I extend the Exceptions class as I have done above, then would I also be obliged to write some error / exception log function, or would PHP continue to do that by itself? I wish to do the bare minimum, as advised by you, and leave all the error / exception handling to PHP.
     I just want to make sure that if the exception / error is database related then the program is terminated with an appropriate friendly message on a nice page to the end user. P.S. I know the function is using a few things like HTTP_USER_AGENT and REMOTE_ADDR which you advise against, but kindly overlook them since I am using this code as an example in support of my question. Thanks loads.
  18. Hi Jacques, thanks for being so patient with me. Disabling display_errors and display_startup_errors worked exactly as you suggested. It generates an error 500 message which is caught by the error_handler and displays the custom message. It is also handling exceptions as suggested by you. Disabling the two error messages and experimenting with errors and exceptions has given me a better insight into them. I don't profess that I know it all, but still I feel that quite a few of my doubts have been cleared. Will revert back with any more questions or queries if I have them. Thanks a lot.
  19. Hi Jacques, thanks for the reply. Yes, I am using Apache and the XAMPP stack. The PHP version that I have installed is 5.6.8. I just tried your code example in the article titled "The mystery of errors and exceptions". I deliberately inserted a parse error and got the error on the screen:

     Parse error: syntax error, unexpected ')' in D:\xampp\htdocs\xampp\magics\index.php on line 3

     If the production environment was set then it would have suppressed this message as well and would have shown a blank screen. Instead, all I want is to be able to show a simple message on a nice HTML page saying that an error has occurred and will be resolved soon, without divulging any technical details to the user. Since I also want to display a similar message for any run-time exceptions that may occur, do I also need to set an exception handler? I have used try-catch blocks around code that accesses the database, and I want to catch database-related exceptions in the catch block and retry a few times, as also explained in one of your replies. I have used mysqli for the database. For any other run-time errors I simply want the exception handler to display a user-friendly message before terminating the program. Can errors and exceptions be handled using a common handler, or should a simple one be written for exceptions too using the set_exception_handler function? I reiterate that I do not wish to handle errors or exceptions any more than displaying a user-friendly message to the user, nor do I wish to generate any logs, which the server does for us as you have already explained. I want these to be as simple as possible. Sorry if I am taking a long time understanding these. Just want to be doubly sure. Thanks again very much.
  20. Hi, would you be kind enough to explain the usage of the following two functions: 1. exception_handler($e) 2. set_exception_handler('exception_handler'). I think they are analogous to the two functions register_shutdown_function('handle_fatal_errors') and handle_fatal_errors(). Do we need to use just one set? In case we use the exception handler, then what modifications would be required, as has been explained for the error functions in your article? (i.e. how would we set the auto_prepend_file directive and the fatal_error_handler.php code) Thanks loads.
  21. Hi Guru Jacques, really good to receive a reply from you. Your link seems to be a treasure on exceptions. I'll go through it and revert with any questions. Thank you very much.
  22. Hi All, I have touched upon exceptions earlier. However, I am still not sure if I am handling them correctly.

     try {
         ...
         ...
         ...
     } catch (Exception $e) {
         if ($prod === true) { // In production mode
             header("Location: exceptions/errors.php");
             exit();
         }
         if ($dev === true) { // In development mode
             echo $e->getMessage(); // & if needed log the errors / exceptions into a file.
             exit();
         }
     }

     I would like to ask if using the function header() to load the errors.php page is a good and safe practice, or if there is a better way to load errors.php. If I load the errors page as in the snippet, do I also have to log the errors myself in some files, or is PHP going to do that in any case? Any improvements or suggestions are welcome. Thanks all! P.S. Googling exceptions gives loads of information, but seldom does it touch the issue of loading an errors page when an exception occurs.
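     An added example (my code, not from this thread or from Jacques' article) that ties together posts 17, 19 and 22: mysqli is configured to throw mysqli_sql_exception instead of emitting warnings, database failures are re-thrown as an application DBException that the calling code can catch on its own (and retry if it wants), and everything else falls through to a single set_exception_handler that logs the details server-side and shows the friendly page. PHP 7+, the $link connection, the loginstatus table and the path exceptions/errors.php are assumptions.

```php
<?php
// Added example, not from the thread. Assumes PHP 7+, a mysqli connection in $link,
// the loginstatus table from post 17 and a friendly page at exceptions/errors.php.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // make every mysqli failure a mysqli_sql_exception

class DBException extends RuntimeException {}

// Last-resort handler: the user sees only the friendly page; details go to the server log.
set_exception_handler(function (Throwable $e) {
    error_log(get_class($e) . ': ' . $e->getMessage() . ' in ' . $e->getFile() . ':' . $e->getLine());
    if (!headers_sent()) {
        http_response_code(500);
        require __DIR__ . '/exceptions/errors.php';   // assumed path; no redirect, so the 500 status is kept
    }
    exit;
});

function load_session_salt(mysqli $con, int $id)
{
    try {
        $stmt = $con->prepare("SELECT salt FROM loginstatus WHERE id = ? AND status = 'ABA' LIMIT 1");
        $stmt->bind_param('i', $id);
        $stmt->execute();
        $stmt->bind_result($salt);
        return $stmt->fetch() ? $salt : null;        // null: no active row for this id
    } catch (mysqli_sql_exception $e) {
        // Wrap the driver exception in the application's own type, keeping the cause
        // as $previous, so callers can catch database failures and nothing else.
        throw new DBException('database query failed', 0, $e);
    }
}

try {
    $salt = load_session_salt($link, (int) ($_SESSION['id'] ?? 0));
} catch (DBException $e) {
    // Only database problems land here; any other exception reaches set_exception_handler above.
    error_log('DB failure: ' . $e->getPrevious()->getMessage());
    http_response_code(503);
    exit('The service is temporarily unavailable. Please try again later.');
}
```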
  23. Hi Jacques1 and Psycho, thank you both for the inputs. Jacques1, really good to see you back after a long break!! Psycho, thanks for that example. That should solve it for sure. Thanks again to both of you Gurus.