jodunno

  1. Hello goofy hand avatar person, I'm thinking of making a boot icon 'cause I like to play kick ball. lol. The manual page that I am looking at does not contain the words "one can't rely on empty if a 0 or '0' is possible". I see that a zero or a '0' is considered to be empty. https://www.php.net/manual/en/function.empty.php

     Returns FALSE if var exists and has a non-empty, non-zero value. Otherwise returns TRUE. The following values are considered to be empty:
       • "" (an empty string)
       • 0 (0 as an integer)
       • 0.0 (0 as a float)
       • "0" (0 as a string)
       • NULL
       • FALSE
       • array() (an empty array)

     Example #1 A simple empty() / isset() comparison.

     <?php
     $var = 0;

     // Evaluates to true because $var is empty
     if (empty($var)) {
         echo '$var is either 0, empty, or not set at all';
     }

     // Evaluates as true because $var is set
     if (isset($var)) {
         echo '$var is set even though it is empty';
     }
     ?>

     Pay attention to the statement "the following examples are considered to be empty". I don't see the semantics that imply "one can't rely on empty." As far as I can see, the zero is supposed to be considered empty. Is there a second manual?
  2. Thank you for your time, mac_gyver. I actually found the problem with my code: I always test things to be sure that they work and work correctly. I just typed 0 and the honeypot check didn't fail. For some reason a zero gets by an empty test. When I am tired, I really struggle to grasp things. I didn't notice at the time that a zero is not an integer in this case; it is a string. I was testing for empty or zero but it still didn't work. Now I understand the matter. I know that any value means a bot is present but a zero seems to be ignored as no value. I don't know why but if I test empty or == '0' then I am able to detect the honeypot. Thank you for helping.
  3. Hello, I am reading about bots and forms and using hidden input fields. I read that bots can be programmed to ignore hidden fields, so I made a text input named email and I use CSS to display none. I am having trouble detecting the email input. I've tried

     if (!empty($_POST['email'])) {
         echo 'test';
         exit;
     }

     but I see 'test' on submission. If I add value="0" I still see test displayed. If I add text then I still see test displayed. Why is this not working? Also, a zero seems to bypass empty(). I'm not able to understand why this is failing.
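Posts 1 to 3 above turn on the fact that PHP's empty() treats the string "0" as empty, so a honeypot checked with !empty() misses a bot that submits 0. The following is an added example, not code from the thread, showing that gap beside a check that flags any submitted value; the sample submissions are constructed stand-ins for $_POST.

```php
<?php
// Added example (not code from the thread): why empty() lets a "0" through a
// CSS-hidden honeypot field, and a check that flags any submitted value.
declare(strict_types=1);

// empty() is true for "", "0", 0, 0.0, null, false and [], so a bot that
// fills the honeypot with "0" passes this check unnoticed.
function honeypotTrippedUsingEmpty(array $post, string $field = 'email'): bool
{
    return !empty($post[$field]);
}

// Honeypot semantics: a human never fills the field, so the only value that
// is not a bot signal is the empty string. Anything else, including "0" or
// an array value, trips the check. A missing field is left to form validation.
function honeypotTripped(array $post, string $field = 'email'): bool
{
    if (!array_key_exists($field, $post)) {
        return false;
    }
    $value = $post[$field];
    return !is_string($value) || $value !== '';
}

// Constructed sample submissions standing in for $_POST.
$samples = [
    'human (blank)'  => ['email' => ''],
    'bot sends "0"'  => ['email' => '0'],
    'bot sends text' => ['email' => 'bot@example.com'],
    'field missing'  => [],
];

foreach ($samples as $label => $post) {
    printf("%-16s empty()-based: %-3s  strict: %s\n",
        $label,
        honeypotTrippedUsingEmpty($post) ? 'bot' : 'ok',
        honeypotTripped($post) ? 'bot' : 'ok');
}
```

Run it with php from the command line; the "0" row is the one where the two checks disagree.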
  4. Hello everyone, I've recently asked a question about forms and Requinix mentioned the PRG method of processing forms. The PRG idea solves my refresh and back button document expired problems but I notice something new: when I refresh a page or use the browser back button, then return to the PRG process, then repeat a refresh or back button action, I notice that I can traverse the cache history as many times as my PRG approach redirects me. I feel like I am not implementing this PRG method correctly, or is this correct? Here is the form process if it helps solve the problem: I have a login form which contains a CSRF token. When I submit the form I specify an action as /prg/ which submits the data to index.php in the prg folder. After processing the data, prg index.php redirects to the root (because you are logged in). One problem is that I have a logo on the login page that allows you to return to the root (localhost index page). When the form is not submitted or it contains incorrect login data or the logo is clicked to return to the homepage, then the history seems to repeat itself. I've read that people recommend using a header 303 See Other but the result is the same. Basically, if I am implementing a PRG correctly, then the question becomes how can I instruct a browser to ignore the redirect as if the cache contains only the index page? I cannot find PRG examples that involve a CSRF token and other links on the protected page (prg/index.php is protected because you need a form submission with a CSRF token and it only processes data then redirects). I don't see this happening in professional sites like Google or Microsoft etc. What am I doing wrong?
  5. So I have kept the headers but I've implemented a header redirect to avoid the history. All is good with refresh, back and forward. I think that PRG is really the solution, so thank you, once again, requinix.
  6. PDO is nice and easy. Here is an example using a login:

     <?php
     $database = 'database_name';
     $host = '127.0.0.1';
     $user = 'database_user_name';
     $pass = 'database_user_password';
     $attributes = array(
         PDO::ATTR_EMULATE_PREPARES => false,
         PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
         PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC
     );
     // no spaces inside the DSN: the driver matches parameter names literally
     $dbh = new PDO("mysql:host=$host;dbname=$database;charset=utf8mb4", $user, $pass, $attributes);
     $query = 'SELECT username, password FROM users WHERE username = :PHusername';
     $stmt = $dbh->prepare($query);
     $stmt->execute(array(':PHusername' => $username));
     $result = $stmt->fetch();
     // fetch() returns false when no row matched, so only read fields from a real row
     if ($result !== false) {
         $userField = $result['username'];
         $passField = $result['password'];
         $userOutput = htmlentities($userField, ENT_QUOTES, 'UTF-8');
     }
     $stmt->closeCursor();
     $stmt = null;
     $dbh = null;
     ?>

     The placeholder (:PHusername) prevents the input from being executed directly in the query. You will assign this placeholder a real value during execution, in my example a $username variable representing the input named username from a login form. Also notice the double quotes in the PDO handler, which allow the values of the variables to be executed with this connection ($host, $database).
  7. Hello and thank you for the kind message, cyberRobot. I hope that you are having a pleasant day. I didn't look at the form before but I see now a button instead of an input and required is assigned an empty value. The form needs to be corrected:

     <form method="post" action="send_mail.php">
         <input type="email" name="Email" placeholder="Enter your email..." required />
         <input class="btn1 btn" type="submit" name="submit" value="Send Mail" />
     </form>
  8. Hello and I hope that you are having a pleasant day. For one thing, you specify your location to be Croatia. Thus, I imagine that you want to handle languages with characters outside of ASCII. Hence, UTF-8 and PHP htmlentities instead of htmlspecialchars. Input is just input. Input is not dangerous until it is placed in an executable state. So if you accept a username, then display that username to a screen (output), then the username must be escaped. If you execute a query to a database, then you need to use PDO and not execute the input directly in the query (so OR 1 is not executed). If you are sending mail, then you must be certain that CC is not input or it will be executed. So, the best practice is to validate input first and foremost. Then use PDO prepared statements with emulate prepares set to false for any query against a DB with this input. Then, if you plan to output the data, use htmlentities and html_entity_decode respectively to clean the code from execution. I do not filter input but I also do not output any input. I don't have a forum or any type of app that requires me to do so. I am building a member-based login website but I have no desire to show your screen name for any purpose. I don't need to say Good morning, user when I can just say Good morning. I do show your screen name at a change screen name form but I use htmlentities and html_entity_decode to clean the name and I do not place the name in any name-specific HTML tags or attributes. I see that someone else has posted a reply. I agree that you should be using PDO.
  9. Hello, IE11 and recent versions of FF show cache document expired messages (which is normal). I searched Google for this problem and found a nice article with explanations: http://shiflett.org/articles/how-to-avoid-page-has-expired-warnings I guess the browser is simply following instructions, thus, I need to hide the page from the history.
  10. Okay, so I've created some mock files for testing. The hierarchy is simple: htdocs contains index.php and a directory named login with an index.php. Above the root (../) is a directory named lockbox which contains functions.php and loginpage.php. I tested this and it also shows no connection and no error. Where or why do you think an error should be shown? I really think that this is because I delete the token. I have no idea what to put in the file that instructs the browser to return to the index page (other than a header relocate). As one should know, you should not leave these tokens available for reuse. It is very easy to reuse the token on the same network with a spoofed IP and Wireshark. This I know for sure, so let's not debate good security practice. I really need to know of a method that instructs the browser that the page is now inaccessible, so return to the index page instead. I have no idea how to do this. Perhaps it is as simple as restructuring my if block to only check for post, then use a second if block to check for hash_equals. I don't see how this makes a difference because I think that it is evident that it is an HTTP request-response/cache issue. I don't know how to fix it. How can I still process these forms and handle the tokens without the connection being lost?

      htdocs/index.php:

      <?php
      session_start();
      require dirname(__FILE__) . '/../lockbox/functions.php';
      $LoginPageToken = createCSRFtoken();
      $_SESSION['LoginPageToken'] = $LoginPageToken;
      header('Content-Type: text/html; charset=utf-8');
      header('Expires: Sat, 01 Jan 1991 05:00:00 GMT');
      header('Cache-Control: no-cache, no-store, must-revalidate');
      header('Cache-Control: post-check=0, pre-check=0', false);
      header('Pragma: no-cache');
      ?>
      <!DOCTYPE html>
      <html>
      <head>
      <title></title>
      <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
      <meta http-equiv="x-ua-compatible" content="IE=edge" />
      <meta http-equiv="Content-Security-Policy" content="script-src 'self'; worker-src 'none'; connect-src 'self'; style-src 'self'; img-src 'self'; media-src 'self'; font-src 'none'; plugin-types 'none'; frame-src 'none'; child-src 'none'; object-src 'none'" />
      <meta name="viewport" content="width=device-width, initial-scale=1, minimum-scale=0.5, maximum-scale=2" />
      <meta http-equiv="window-target" content="_top" />
      <meta http-equiv="X-Permitted-Cross-Domain-Policies" content="none" />
      </head>
      <body>
      <div><div>
      <ul>
      <li><form autocomplete="off" accept-charset="UTF-8" method="post" action="/login/"><input type="hidden" name="LoginPageToken" value="<?php echo $LoginPageToken; ?>" /><input type="submit" name="LoginPage" value="Login" /></form></li>
      </ul>
      </div></div>
      </body></html>

      htdocs/login/index.php:

      <?php
      session_start();
      // isset() already returns a boolean, so wrapping it in empty() adds nothing;
      // is_string() keeps hash_equals() from receiving an array posted as LoginPageToken[]
      if ($_SERVER['REQUEST_METHOD'] == 'POST' && isset($_POST['LoginPageToken'], $_SESSION['LoginPageToken']) && is_string($_POST['LoginPageToken'])) {
          if (hash_equals($_SESSION['LoginPageToken'], $_POST['LoginPageToken'])) {
              unset($_SESSION['LoginPageToken']);
              header('Content-Type: text/html; charset=utf-8');
              header('Expires: Sat, 01 Jan 1991 05:00:00 GMT');
              header('Cache-Control: no-cache, no-store, must-revalidate');
              header('Cache-Control: post-check=0, pre-check=0', false);
              header('Pragma: no-cache');
              require dirname(__FILE__) . '/../../lockbox/loginpage.php';
              exit;
          } else {
              header('Location: /');
              exit;
          }
      }
      header('Location: /');
      exit;
      ?>

      ../lockbox/functions.php:

      <?php
      function createCSRFtoken() {
          $unique = session_id() . bin2hex(random_bytes(32));
          $Key1 = base64_encode(random_bytes(64));
          $Key2 = base64_encode(random_bytes(64));
          $preToken = hash_hmac('sha3-512', $unique, $Key1, TRUE);
          $Token = hash_hmac('sha3-512', $preToken, $Key2);
          return $Token;
      }
      ?>

      ../lockbox/loginpage.php:

      <?php
      // functions.php sits in the same directory; require_once avoids a redeclare error if it is already loaded
      require_once dirname(__FILE__) . '/functions.php';
      $LoginToken = $_SESSION['LoginToken'] = NULL;
      $LoginToken = createCSRFtoken();
      $_SESSION['LoginToken'] = $LoginToken;
      header('Content-Type: text/html; charset=utf-8');
      header('Expires: Sat, 01 Jan 1991 05:00:00 GMT');
      header('Cache-Control: no-cache, no-store, must-revalidate');
      header('Cache-Control: post-check=0, pre-check=0', false);
      header('Pragma: no-cache');
      ?>
      <!DOCTYPE html>
      <html>
      <head>
      <title></title>
      <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
      <meta http-equiv="x-ua-compatible" content="IE=edge" />
      <meta http-equiv="Content-Security-Policy" content="script-src 'self'; worker-src 'none'; connect-src 'self'; style-src 'self'; img-src 'self'; media-src 'self'; font-src 'none'; plugin-types 'none'; frame-src 'none'; child-src 'none'; object-src 'none'" />
      <meta name="viewport" content="width=device-width, initial-scale=1, minimum-scale=0.5, maximum-scale=2" />
      <meta http-equiv="window-target" content="_top" />
      <meta http-equiv="X-Permitted-Cross-Domain-Policies" content="none" />
      </head>
      <body>
      <form autocomplete="off" accept-charset="UTF-8" method="post" action=""><input type="hidden" name="LoginToken" value="<?php echo $LoginToken; ?>" />
      <div>
      <div>Login</div>
      <div><div class="browserContainer">
      <div><input type="text" name="username" placeholder="Username" required /></div>
      <div><input type="password" name="password" placeholder="Password" required /></div>
      <div><input type="submit" value="Login" /></div>
      </div></div>
      </div></form>
      </body>
      </html>

      I really don't know how this is not a common problem amongst newbies. Certainly, someone should have a resolution. I find it strange to have to post this code for the problem to be understood. Simply install the files into XAMPP. Load index.php, then click the login button. At the loginpage.php: click the back button then the forward button. Connection broken at the forward to loginpage.php. I think that something must be placed in this file to prevent the connection breaking. When we click back then forward: what is really happening? Is the form being resubmitted? Or is the browser checking the cache? I use no cache headers, so I am confused as to why this is happening. Perhaps someone can offer a resolution.
  11. One more tip for newbies: I forgot to mention that double quotes also take longer to execute because PHP checks for variables, so when you want to optimize your code, then switch to single quotes.
  12. Good morning, I will try to start working on the form files but I have an appointment today, so I must leave soon. I will be back later today with some code. Meantime, I noticed some code in your post earlier:

      $return = "/";
      }
      // redirect
      header("Location: " . $return);
      exit;

      I recently learned that double quotes allow variables to be executed, so you don't need to concatenate a variable.

      $return = "/";
      }
      // redirect
      header("Location: $return");
      exit;

      I now prefer to code PHP with single quotes for security purposes. I certainly do not want to make a mistake and enter a variable into double quotes. I've already done that, which is why I know that it will be executed. Okay, I will start working on the files...

      Edit: after my discovery, I understood why the double quotes are used in a PDO connection (to execute the variables). I really wonder how many books and tutorials mention this fact. No wonder I am struggling with forms. Programming appears to be a serious trade secret protectionism market. No one wants to tell anyone how to accomplish something without money. However, I also read a recent study that hired programmers for money to see if they write secure code or not. 99% of the results were insecure code that appears to have been taken from the web, such as GitHub. I find it interesting that authors want us to pay for books that leave out tons of important info. I remember all of the books I read in the 90s about C++ were all about console apps. I wanted to make windows with buttons. Not a single book mentioned one word: Win32 API. Unbelievable waste of time and money! Anyway, if anyone is a newbie, like me, then remember that double quotes will execute a variable.
  13. I just copied and pasted headers from a Google result instead of typing. My code is on my other computer and I didn't want to restart it. Sorry. I didn't see the 'on' in that code. I don't type the expiration with on in the header. I am in Europe and it is after midnight. I need to sleep soon so that I can get up at six am. I've only slept five hours a day now for a week. I am getting very tired mentally. I tried in Firefox and I still get a blank page but Firefox says that the document has expired and is no longer in the cache. A try again button just refreshes the page and I get my index.php to show. However, I went crazy in both Edge and Firefox pressing back/forward back/forward then back, back, back, back and the last back was looking for google.com in both browsers. This is strange. It seems as though the connection to XAMPP is lost and my browsers look for an ethernet or wireless connection. Maybe this doesn't happen on a live server? If I can find some time tomorrow, I will write a simple form and form process page to mock my design. Then maybe you can try the files in XAMPP to see what happens when you use the back/forward buttons. Be warned, I am cuckoo about security so I use an SHA3-512 CSRF token. I refuse to go lower. I'm just saying that a lot of people cry boo-hoos that it is overkill but I'm not changing it. So when I post my code just ignore it please. I like my tokens powerful. I'll be back tomorrow... Goodnight and I hope that you have a happy, productive, safe and pleasant evening.
  14. I'm not mad or anything. I hope that you don't think I am being rude. I am very tired today and I am fighting a sinus infection while I am healing from surgery. All is good. I guess that I worried that you think I am stupid or something. Sorry if you are offended. I mean no harm. I'm happy to be your friend.
  15. I don't consider this problem to be a coding error. I think that this has something to do with one of the following concepts (and I know not enough to deduce which one is the culprit). I use headers to control the cache:

      header("Expires: on, 01 Jan 1991 00:00:00 GMT");
      header("Cache-Control: no-store, no-cache, must-revalidate");
      header("Cache-Control: post-check=0, pre-check=0", false);
      header("Pragma: no-cache");

      I check if the request method is post and my form field is set, then inside this if block is another if block checking for token ttl match, then another if block with hash_equals to check the CSRF token, then unset the session variable and form token, then unset the $_POST key value to eliminate reentering the page. I assume that if server request method is post is not true because we use the back button or forward button, so I also assume that the header redirect will be used. Maybe I assume wrong and the back/forward button resubmits to the page but it is now empty, so the page breaks? I must be doing something wrong which is causing the browsers to not load a page. My goal is to prevent someone from accessing this form without using my form with a token, a token ttl and correct data. I guess that the mission is accomplished but since I am not an experienced or very good programmer, then I wonder if something is wrong with the way I am addressing form handling. I was hoping that someone would be able to pinpoint a cause of this seemingly lost connection.
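Posts 4, 10 and 15 above all concern processing a CSRF-token-protected login form with Post/Redirect/Get and what back, forward and refresh then do. The following is an added example, not the poster's files: a /prg/ handler that never renders HTML and answers every request with a 303 redirect, so no POST response exists for the browser to replay or report as expired. Assumed, not from the thread: the form page calls issueToken() when rendering and stores the token under $_SESSION['LoginToken']; the /login/?error=... paths and the credentialsValid() stub are placeholders.

```php
<?php
// Added example, not the poster's code: Post/Redirect/Get login handler
// (e.g. /prg/index.php) with a single-use CSRF token.
declare(strict_types=1);
session_start();

// Called by the form page (assumed /login/) when it renders the form:
// one token per rendered form, replaced each time the form is shown.
function issueToken(string $name): string
{
    $token = bin2hex(random_bytes(32));
    $_SESSION[$name] = $token;
    return $token;
}

// Consume the token: it is removed from the session before comparison, so it
// is valid exactly once whether the login succeeds or fails.
function consumeToken(string $name, mixed $submitted): bool
{
    $expected = $_SESSION[$name] ?? null;
    unset($_SESSION[$name]);
    return is_string($expected) && is_string($submitted)
        && hash_equals($expected, $submitted);
}

// Every exit from this script is a redirect; 303 makes the browser follow
// with GET, and no-store keeps the POST response itself out of the cache.
function redirect(string $path): never
{
    header('Cache-Control: no-store');
    header('Location: ' . $path, true, 303);
    exit;
}

// Hypothetical stub: replace with the PDO lookup from post 6 plus
// password_verify() against the stored hash.
function credentialsValid(string $user, string $pass): bool
{
    return false;
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
    redirect('/');                          // GET, back or forward: nothing to show here
}

if (!consumeToken('LoginToken', $_POST['LoginToken'] ?? null)) {
    redirect('/login/?error=token');        // stale, reused or forged token
}

$user = (string) ($_POST['username'] ?? '');
$pass = (string) ($_POST['password'] ?? '');
if (credentialsValid($user, $pass)) {
    session_regenerate_id(true);            // new session id on privilege change
    $_SESSION['user'] = $user;
    redirect('/');
}
redirect('/login/?error=credentials');
```

Because the handler itself never has a 200 response, stepping back to the form and forward again reaches a GET on the form page rather than a re-POST to the processor; `mixed` and `never` require PHP 8.1 or later.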