KillGorack
-
Posts
74 -
Joined
-
Last visited
Posts posted by KillGorack
-
-
1 minute ago, mac_gyver said:
are you making a https request on your localhost system?
Egad! no I'm not. never thought of that. Could that be the issue?
-
Basically, it's about a login that is persistent. On the host I use it works well no errors, but on my computer, I can log in, then after a page load, it's gone.
part of a class.
session_name('__Secure-PHPSESSID'); session_set_cookie_params([ 'lifetime' => 0, 'path' => '/', 'domain' => $_SERVER['SERVER_NAME'], 'secure' => true, 'httponly' => true, 'samesite' => 'Strict', ]); session_start(); header("Content-Security-Policy: default-src 'self'"); header("strict-transport-security: max-age=31536000"); header('X-Frame-Options: sameorigin'); header("X-XSS-Protection: 1; mode=block"); header('X-Content-Type-Options: nosniff'); header("Feature-Policy: vibrate 'none'"); header("Referrer-Policy: no-referrer"); header('Access-Control-Allow-Origin: *'); header("Expect-CT: max-age=86400, enforce"); header_remove("X-Powered-By"); date_default_timezone_set($this->pdo->getSetting('timezone'));
I can re arrange the code above and it works but get some warnings.
like
"Session name cannot be changed when a session is active"
admittedly I'm kind of lost.
-
31 minutes ago, kicken said:
Alternatively, there is a jquery-ui-dist package that contains the compiled output and you can just include it like you normally would.
Thanks, that's what we needed.
-
Ok,
Site vulnerability with an older version of jquery-ui, so I update to 1.13.1 with npm. But I cannot find the js file in my node_modules folder.
What am I missing?
-
14 hours ago, KillGorack said:
It's kinda ugly but this works
SELECT GREATEST( COALESCE((SELECT acs.acs_read FROM acs WHERE acs.acs_usr = :usr AND acs.acs_app = :app), 0), COALESCE((SELECT app.ap_read FROM app WHERE app.ID = :app), 0), COALESCE((SELECT acs.acs_administer FROM acs WHERE acs.acs_usr = :usr AND acs.acs_app = 3), 0) ) AS `read`, GREATEST( COALESCE((SELECT acs.acs_modify FROM acs WHERE acs.acs_usr = :usr AND acs.acs_app = :app), 0), COALESCE((SELECT app.ap_modify FROM app WHERE app.ID = :app), 0), COALESCE((SELECT acs.acs_administer FROM acs WHERE acs.acs_usr = :usr AND acs.acs_app = 3), 0) ) AS `modify`, GREATEST( COALESCE((SELECT acs.acs_modify FROM acs WHERE acs.acs_usr = :usr AND acs.acs_app = :app), 0), COALESCE((SELECT app.ap_modify FROM app WHERE app.ID = :app), 0), COALESCE((SELECT acs.acs_administer FROM acs WHERE acs.acs_usr = :usr AND acs.acs_app = 3), 0) ) AS `admin` from acs WHERE acs.acs_usr = :usr
Typo fixing this for future reference.. apologies!
SELECT
GREATEST(
COALESCE((SELECT acs.acs_read FROM acs WHERE acs.acs_usr = :usr AND acs.acs_app = :app), 0),
COALESCE((SELECT app.ap_read FROM app WHERE app.ID = :app), 0),
COALESCE((SELECT acs.acs_administer FROM acs WHERE acs.acs_usr = :usr AND acs.acs_app = 3), 0)
) AS `read`,
GREATEST(
COALESCE((SELECT acs.acs_modify FROM acs WHERE acs.acs_usr = :usr AND acs.acs_app = :app), 0),
COALESCE((SELECT app.ap_modify FROM app WHERE app.ID = :app), 0),
COALESCE((SELECT acs.acs_administer FROM acs WHERE acs.acs_usr = :usr AND acs.acs_app = 3), 0)
) AS `modify`,
GREATEST(
COALESCE((SELECT acs.acs_administer FROM acs WHERE acs.acs_usr = :usr AND acs.acs_app = :app), 0),
COALESCE((SELECT app.ap_administer FROM app WHERE app.ID = :app), 0),
COALESCE((SELECT acs.acs_administer FROM acs WHERE acs.acs_usr = :usr AND acs.acs_app = 3), 0)
) AS `admin`
from acs
WHERE acs.acs_usr = :usr
-
It's kinda ugly but this works
SELECT GREATEST( COALESCE((SELECT acs.acs_read FROM acs WHERE acs.acs_usr = :usr AND acs.acs_app = :app), 0), COALESCE((SELECT app.ap_read FROM app WHERE app.ID = :app), 0), COALESCE((SELECT acs.acs_administer FROM acs WHERE acs.acs_usr = :usr AND acs.acs_app = 3), 0) ) AS `read`, GREATEST( COALESCE((SELECT acs.acs_modify FROM acs WHERE acs.acs_usr = :usr AND acs.acs_app = :app), 0), COALESCE((SELECT app.ap_modify FROM app WHERE app.ID = :app), 0), COALESCE((SELECT acs.acs_administer FROM acs WHERE acs.acs_usr = :usr AND acs.acs_app = 3), 0) ) AS `modify`, GREATEST( COALESCE((SELECT acs.acs_modify FROM acs WHERE acs.acs_usr = :usr AND acs.acs_app = :app), 0), COALESCE((SELECT app.ap_modify FROM app WHERE app.ID = :app), 0), COALESCE((SELECT acs.acs_administer FROM acs WHERE acs.acs_usr = :usr AND acs.acs_app = 3), 0) ) AS `admin` from acs WHERE acs.acs_usr = :usr
-
1 hour ago, gizmola said:
It's not clear at all how/what you are trying to secure.
Why do you have a separate app for "admin" purposes which requires a relation through acs? What is the purpose of admin then?
I don't have a separate app for admin purposes. Admin is just a
bitboolean variable that will let a user do administrative functions in an app.- Read; read stuff
- modify; modify stuff like record editing / deleting
- admin; administrative functions like changing how data is presented to users.
These are just
bitsboolean variables.. -
If it makes understanding it easier, here's my current solution..
$sql = "SELECT acs_read AS `read`, acs_modify AS `modify`, acs_administer AS `admin` FROM acs WHERE acs.acs_usr = :usr AND acs.acs_app = :app UNION SELECT ap_read AS `read`, ap_modify AS `modify`, ap_administer AS `admin` FROM app WHERE app.ID = :app UNION SELECT acs_administer AS `read`, acs_administer AS `modify`, acs_administer AS `admin` FROM acs WHERE acs.acs_usr = :usr AND acs.acs_app = 3"; $vars = array('app' => $kernel['app']['ID'], 'usr' => $kernel['ses']['usr']['ID']); $bits = $this->pdo->fetchdata($sql, 2, $vars); $row = array( 'read' => max(array_column($bits, 'read')), 'modify' => max(array_column($bits, 'modify')), 'admin' => max(array_column($bits, 'admin')), );
The weird part at the end where I point to app 3; Three is the permissions app. If you have the admin bit set at one there for a user.. you have access to everything..
-
Need some pointers.
User (usr), Application (app), and Permission (acs) tables.
Need an SQL to ascertain access levels for read, modify, and admin..
A record in asc is NOT guaranteed!
in the app table for example if ap_read = 1 then we need not a record in acs to read whatever is there. If however it was 0 we would need a record in asc with read = 1 for that app/usr combo
I currently open and query these three separately, and it works, but there has to be a more elegant way.
not EXACTLY normalized.. I guess. I hope the question is descriptive enough.
-
Normally I would do this..
function tableInator($data, $class = "") { $html = "<table class=\"{$class}\">\r\n"; $html .= "<thead>\r\n"; $html .= "<tr><th>".implode("</th><th>", array_keys($data[0]))."</th></th>\r\n"; $html .= "</thead>\r\n"; $html .= "<tbody>\r\n"; foreach($data as $datum){ $html .= "<tr><td>".implode("</td><td>", $datum)."</td></tr>\r\n"; } $html .= "</tbody>\r\n"; $html .= "</table>\r\n"; return $html; }
-
Hey,
No real issue below works, but I'm trying to find best practices. Is the below normal, or is there a better more concise way to do it?
private function lst($content) { $html = <<<"EOT" <table class="data clickable admin"> <thead> <tr> EOT; foreach(array_keys($content[0]) as $key){ $html .= <<<"EOT" <th>{$key}</th> EOT; } $html .= <<<"EOT" </tr> </thead> EOT; $html .= <<<"EOT" <tbody> EOT; foreach($content as $row){ $html .= <<<"EOT" <tr> EOT; foreach($row as $cell){ $html .= <<<"EOT" <td>{$cell}</td> EOT; } $html .= <<<"EOT" </tr> EOT; } $html .= <<<"EOT" </tbody> EOT; $html .= <<<"EOT" </table> EOT; return $html; }
-
1 hour ago, maxxd said:
I may have butchered it, but it works, and I can keep the classes in separate files. the simple class loader I have still works.
<?php namespace main; class kernel{ protected $qry; protected $ses; protected $app; protected $fld; protected $sql; protected $acs; private static $instance = NULL; static public function getInstance() { if (self::$instance === NULL) self::$instance = new kernel(); return self::$instance; } public function __construct( qry $qry = null, ses $ses = null, app $app = null, fld $fld = null, sql $sql = null, acs $acs = null ){ $this->qry = qry::getInstance(); $this->ses = ses::getInstance(); $this->app = app::getInstance(); $this->fld = fld::getInstance(); $this->sql = sql::getInstance(); $this->acs = acs::getInstance(); } public function buildKernel() { $kernel = array(); $kernel['qry'] = $this->qry->get(); $kernel['ses'] = $this->ses->get(); $kernel['app'] = $this->app->get(); $kernel['fld'] = $this->fld->get(); $kernel['sql'] = $this->sql->get(); $kernel['acs'] = $this->acs->get(); return $kernel; } } ?>
Output
Array ( [qry] => Query string scrubbers [ses] => Check the session variables [app] => Settings for current application [fld] => Create the field array. [sql] => Create the initial sql statement. [acs] => Ascertain access level. ) -
20 minutes ago, maxxd said:
Oh, those are freaking nice, I will do some reading.. but the facade looks to be what's needed.
Thanks, I'll come back here to let you know if I used any of it. Frustrating that I didn't come across any of those with el'goog..
-
11 hours ago, requinix said:
Sounds like you've decided on a solution. What was the problem?
Not really an issue, just trying to find best practices. In the past I've extended classes but never was successful with more than a couple together.
I'm putting together an array that kinda acts like a back bone for a dbms. Each one of these nested classes is a part of that array that would change depending on stuff like querystrrings, who's logged in or whatever. Later of course accessing one of the nested classes would be necessary.
-
Hi,
I have a need/desire to have a one to many class inheritance but other than the example below I cannot get it to work. Is this below example something that's used or should I be extending somehow, traits, use. I'm kina lost.
<?php class mainone{ function __construct(){} public function buildThing() { $thing = array(); $a = new a; $thing['a'] = $a->get(); $b = new b; $thing['b'] = $b->get(); $c = new c; $thing['c'] = $c->get(); $d = new d; $thing['d'] = $d->get(); $e = new e; $thing['e'] = $e->get(); return $thing; } } class a{ function __construct(){} function get(){return "This is the letter a";} } class b{ function __construct(){} function get(){return "This is the letter b";} } class c{ function __construct(){} function get(){return "This is the letter c";} } class d{ function __construct(){} function get(){return "This is the letter d";} } class e{ function __construct(){} function get(){return "This is the letter e";} } $foo = new mainone; echo "<pre>"; print_r($foo->buildThing()); echo "</pre>"; ?>
The above outputs;
Array ( [a] => This is the letter a [b] => This is the letter b [c] => This is the letter c [d] => This is the letter d [e] => This is the letter e ) -
Simple code but has a lot of if then statements..
can it be simplified somehow?
within a database class.
function columninfo($table, $col = NULL) { if($this->CheckTable($table)){ if($col == NULL){ $err = false; }elseif($this->Checkfield($table, $col)){ $err = false; }else{ $err = true; } if($err == false){ $stmt = $this->db->prepare('SELECT * FROM '.$table); $stmt->execute(); $numCol = $stmt->columnCount(); $rtrn = array(); for ($i = 0; $i < $numCol; $i++) { if($col == NULL || $stmt->getColumnMeta($i)['name'] == $col){ $rtrn[] = $stmt->getColumnMeta($i); } } if(count($rtrn) == 1){ $rtrn = $rtrn[0]; } return $rtrn; }else{ return false; } }else{ return false; } }
<edit>
Sorry if the second parameter is left out, just return info on all the columns. If it's supplied return for just that column.
</edit>
-
I'm good gotta use NPM, not composer.. ;0)
-
3 minutes ago, requinix said:
An egregious understatement of what Composer does is that it downloads files. If you need to reference some of those files in your application, notably Javascript or CSS or other client-side assets, then yes: you still have to code that into your application. The bit that Composer does automatically is for PHP classes, which is to create a single file you can include (again, you have to make your application do it) that will automatically pull in whatever classes the libraries provide.
To learn how to use x3dom, I suggest starting with the tutorial.
Thanks, I figured that was the case, just wanted to be sure.
I have in the past worked with x3dom similar to that tut, just wanted info on getting composer to download that as well.
From bash;
dave@dave-main:/var/www/html/PX5$ composer install Loading composer repositories with package information Updating dependencies (including require-dev) Your requirements could not be resolved to an installable set of packages. Problem 1 - The requested package components/x3dom could not be found in any version, there may be a typo in the package name. Potential causes: - A typo in the package name - The package is not available in a stable-enough version according to your minimum-stability setting see <https://getcomposer.org/doc/04-schema.md#minimum-stability> for more details. - It's a private package and you forgot to add a custom repository to find it Read <https://getcomposer.org/doc/articles/troubleshooting.md> for further common problems. -
Quick question about the dependency manager Composer with PHP. I have it installed and am pulling in a few libraries, it works pretty well as far as I can tell. I have a question that might be dumb, so I apologize in advance.
When connecting to your application it's still required to use the lines similar to the following?
<script src="vendor/components/jquery/jquery.min.js"></script> <link rel="stylesheet" href="vendor/twbs/bootstrap/dist/css/bootstrap.css" >
Also I'm trying to figure out how to install the x3dom library, but cannot get composer to do it. (https://www.x3dom.org/)
-
Securing my upload folder “upl”
The upl folder is used to store anything that is uploaded by the user for their needs that is not a part of the back end, as such all content in this folder is subject to being locked down and and supplied after checking credentials.
The upl folder has an .htaccess file that locks down all remote access.
order deny,allow deny from all
When something is needed from this directory we jump that wall with the help of apache after credentials are verified.
I think this is straight forward so far.
For images something like;
<img src=”downloader.php?app=1&id=20&type=thumb”>
For files something like;
<a href=”downloader.php?app=1&id=20&type=file&fileid=1212”>
After we check creds, we use similar to below to get data from that locked down folder.
$size = filesize($file); header ( 'Content-Description: File Transfer' ); header("Content-Type: application/force-download"); header ( 'Content-Type: application/octet-stream' ); header ( "Content-Disposition: attachment; filename=\"".basename($file)."\""); header ( 'Expires: 0' ); header ( 'Cache-Control: must-revalidate' ); header ( 'Pragma: public' ); header ( 'Content-Length: ' . filesize ( $file ) ); ob_clean(); flush(); readfile ( $file ); exit();
seems to work pretty swimmingly for the most part.
My problem is (or at lease a mild nuisance) is that it seems that these images loaded in this manner are not subject to the cache system of a browser? It looks like they reload every time a page is visited.
Is there a way around this?
-
Still not driven to conclusion;
I have TWO scenarios.
#1
session_set_cookie_params( 300, "/; SameSite=Strict", ".killgorack.com", true, true ); session_start();
- Through www.immuniweb.com it seems the stuff is set correctly on production(php 7.3.5) server.
- I get no errors on the production(php 7.3.5) server
- I stay logged in after initial form post for login on production(php 7.3.5) server
- I DO NOT stay logged in after initial form post for login on development(php 7.3.3) server (localhost)
#2
session_start(); session_set_cookie_params( 300, "/; SameSite=Strict", ".killgorack.com", true, true );
- Through www.immuniweb.com it seems the stuff is NOT setup correctly on production(php 7.3.5) server
- I get errors on the production(php 7.3.5) server
- I stay logged in after initial form post for login on production(php 7.3.5) server
- I stay logged in after initial form post for login on development(php 7.3.3) server (localhost)
-
Also I'm getting an error when I change the order as you've suggested.
Warning: session_set_cookie_params(): Cannot change session cookie parameters when session is active in C:\xampp\htdocs\portal-x\inc\ses.php on line 12
I'll fiddle with it, once I've changed the urls it seems to be working.
I'll have to add this file to gitignore, and keep a local file different than production once I have it working.
-
Yea thanks, also it's a really dumb mistake.. I don't change the URLS of the website from dev to prod..
I think these are the issue. Always 30 seconds after I post..
-
I have issues with a user being logged in and staying logged in, When logging in I create these $_SESSION variables
Array ( [usr_login] => username [usr_fname] => first [usr_lname] => last [usr_email] => email [ses_usrid] => 1 [loggdin] => Yes [loginremember] => )And after login it looks great till I refresh the page or go anywhere else on the site. All variables above are gone.
Consequently, this works with no issues on the prod server, just not on my machine.
Code I've been playing with since it started, specifically the setting of the cookie. (this code runs before anything else)
// ================================================================= // Sesssion start // ================================================================= session_set_cookie_params( 0, "/; SameSite=Strict", ".killgorack.com", true, true ); session_start(); // ================================================================= // Security stuff // ================================================================= header("strict-transport-security: max-age=31536000"); header('X-Frame-Options: sameorigin'); header("X-XSS-Protection: 1; mode=block"); header('X-Content-Type-Options: nosniff'); header("Content-Security-Policy: default-src BLA BLA BLA "); header("Feature-Policy: vibrate 'none'"); header("Referrer-Policy: no-referrer"); header("Access-Control-Allow-Origin: https://www.MYWEBSITE.com/"); header("Expect-CT: max-age=86400, enforce"); header_remove("X-Powered-By"); // =================================================================
Any ideas?
Different behavior between hosting, and local
in PHP Coding Help
Posted
Thanks, I'll do some testing with that one, and let you know.