NotionCommotion

Everything posted by NotionCommotion

  1. I guess I always viewed the tree upside down and didn't even realize it.

      /
      /var/
      /var/www/
      /var/www/html/someAccessibleDirectory/
      /var/www/someDirectoryUndertheRoot/
  2. Please elaborate. When I said "under", I mean beneath and not in the document root.
  3. Not critical enough for me to want to buy one. And if I did use a firewall, why not software such as iptables?
  4. Keep on coding, but just don't write a banking app until you know more. Typically, files not meant for public viewing are kept under the HTML root, or within it but protected using the webserver (apache, etc). I don't see any reason to go the latter path, and would put them under the root. Regardless, you use your application to restrict access to the download function, and either use PHP's readfile() or Apache's (assuming you are using apache) X-Sendfile module to download them. You need to be careful to prevent the user from accessing files which you do not wish them to. For instance, look at this line. What if I used the URL which made filename equal to ../../yourpasswords? Not ideal:

      $path = '/home1/Mathone/TESTS/'. $_GET['filename'];
  5. I've never done so, but am certain it has to do with Apache (or equal) and probably mod_rewrite.
  6. Thanks Jacques. I feel that if HTTPS is not used, then the IP addition to the message adds protection, but why not just use HTTPS and not deal with the problems.
  7. In regards to storing the hash of the password on the other server, I suppose it could be hardcoded into some configuration file, right? And, not the same password (and associated hash) for both directions? Just read up on HMAC and was excited to use it. Oh well, will do so next time. Just curious, would one ever include the IP of the server in the message so that the password would only work from a given IP? Proxies and the like will probably be an issue, so likely not a good idea. Yea, it is a bit hackish, but I just need to get it done quick, and could later improve. I've decided on doing away with my ugly passing of data from one PHP instance to another via a session, and will either pass it as an argument (assuming it is not too much data), or maybe better yet have the script respond but continue to execute by sending the appropriate headers.
  8. My goals are:

      Prevent any access to the fax server except from the webserver application. A user will interact with the webserver, and the webserver application will assure the user is authorized.

      Prevent the ability to download files from the webserver except by the faxserver (or by other parts of the webserver application, but let's ignore this as it is not relevant).

      I planned on using HTTPS after I get some basic concept working. I never used HTTPS with CURL, and didn't know if I would have challenges. Also, while I've implemented HTTPS with self-signed certificates between a browser client and a webserver, I've never done so between two servers and didn't know the challenges. Yes, HTTPS would prevent eavesdropping, but how would it protect against someone just sending an HTTPS request to the faxserver and sending an unauthorized fax, or sending an HTTPS request to the webserver and downloading a file? Unless, should I just include a plain text password in the POST, and use HTTPS so that it can't be viewed? And if I use HTTPS, is even HMAC required? Also, not necessarily security related, but any advice or constructive criticism about the other parts of my implementation would be appreciated.
  9. Is there a chance you are overwriting the value of $_SESSION['kamail']? Also, same URL right? Not doing anything fancy with session IDs, right?
  10. I have two servers: WebServer and FaxServer. WebServer needs to send a fax. Is my approach shown below fairly secure? Before sending a fax, WebServer needs to store a record in a table representing the message, and I am using a pseudo random value for the PK which is generated as 2147483648+mt_rand(-2147483647,2147483647). WebServer then generates a hash equal to hash('sha256',$pk.'secretCodeWhichOnlyWebServerAndFaxServerKnow'). WebServer then sends a curl request to FaxServer using POST which includes $pk, the hash, the fax number, some text to include in the fax, and an optional array of documents to include (array(array('id'=>321,'name'=>'fileName.pdf'))). FaxServer verifies that the hash is correct given $pk, that the minimum information has been received, and that the fax number is a valid phone number, and quickly responds to WebServer by echoing 0 or 1 so the code in the WebServer can continue and inform the user. If all looks okay, a new instance of PHP is started.

      if(missingInformation) {
          echo(0);
      } else {
          session_start();
          $_SESSION['_xfr']=$_POST;
          exec('/usr/bin/php -q /path/to/send_fax.php '.session_id().' >/dev/null &');
          echo(1);
      }

      New instance of PHP send_fax.php then does the following:

      session_id($argv[1]); //Set by parent
      session_start();
      $data=$_SESSION['_xfr'];
      $doc_list=null;
      foreach ($data['documents'] AS $doc) {
          if(ctype_alnum($doc['id'])) {
              $file='/some/tmp/directory/'.$doc['id'];
              if(!file_exists($file)) {
                  $url='http://machine.WebServer.com/index.php?task=displayDocument&id='.$doc['id'].'&x='.hash('sha256','displayDocument'.$doc['id'].'secretCodeWhichOnlyWebServerAndFaxServerKnow');
                  $cmd='wget -O '.$file.' '.escapeshellarg($url);
                  exec($cmd);
              }
              $doc_list.=' '.$file;
          } else {
              exit('invalid document');
          }
      }
      //Send the fax...
      //Send another CURL request to the WebServer similar to the wget giving the fax status.
      exit;

      When WebServer receives the wget request for a document, it confirms the hash and sends the document to the FaxServer using X-Sendfile. When WebServer receives the CURL request regarding status, it updates the database for the applicable message. Seem reasonably secure?
  11. A little off topic, but do you recommend src="http://yoursite.com/js/your_footer_script.js" or src="/js/your_footer_script.js"? If the first, please explain why. Also, I don't think I ever used endif, but always wrap my if statements with curly brackets. What are the advantages of one syntax over the other?
  12. Make the JavaScript a separate file, and use PHP to modify your HTML and include the link.
  13. Hey Requinx, maybe I still need a bit more... As I see it, there are three (and probably more) general types of errors:

      Syntax errors, compile errors, or whatever they should be called. For example, unbalanced quotes such as echo(bla'), unexpected text such as bla bla bla, etc.

      Errors thrown by something other than a class. For example, $x=someNonExistingFunction(123);, class foo extends notExistingClass bar {}, require('non_existing_file.bla');

      Errors (or exceptions) thrown by a class. For example, $stmt=$conn->prepare('SELECT invalidColumn FROM myTable WHERE x=? AND y=?');, $stmt->execute('onlyOneArrayElement');, etc.

      Why should exceptions be dealt with more harshly, and errors be allowed to continue without killing the code?
  14. deja vu! A couple of posts were deleted by someone, and were almost identical.
  15. Convenience is not always bad. I would be throwing an exception when a serious error occurs which doesn't natively throw an exception. The exception handler could be designed to deal with different errors appropriately. That being said, is it a kludge? Well, I suppose it is, and won't be going down this path. Thank you for calling a spade a spade.
  16. Hi Barand, Your code is what I posted in my original post.
  17. Thanks. I like your approach more.
  18. Why not? I am sure you are right, but I can't think of a good reason not to and it does add some flexibility.
  19. I recently had a need to check several arrays, and if an index wasn't set, set a variable to a given value. The code was such that I couldn't perform the isset check all at once. I then thought "wouldn't it be great if I could try the script, and catch the error or warning". Searching a bit, I came across the following script. I am a little nervous, however, that there might be negative consequences of doing so. Thoughts?

      set_error_handler(function($errno, $errstr, $errfile, $errline) {
          // error was suppressed with the @-operator
          if (0 === error_reporting()) {
              return false;
          }
          throw new ErrorException($errstr, 0, $errno, $errfile, $errline);
      });

      try {
          dns_get_record();
      } catch (ErrorException $e) {
          // ...
      }
  20. I have a string that looks like /index.php?g1=111&g2=222&g3=333. How can I obtain the value of g1 (i.e. 111)? It does not represent the current state of the server thus I cannot just use $_GET. It also is not necessarily the first item. The script below appears to work, however, http://php.net/manual/en/function.parse-url.php states It appears that my string is a URI and not a URL, but I might be wrong. How should this be accomplished?

      <?php
      $str='/index.php?g1=111&g2=222&g3=333';
      $array=parse_url($str);
      parse_str($array['query'],$get);
      echo("<p>{$get['g1']}</p>");
      ?>
  21. Just for fun, I tested Jacques claim about looking up a SHA-512 hash on Google. Scary! If I wasn't already a believer, I am now.
  22. Always start off looking at the total $_GET variable and not the individual elements. Use one of the following:

      var_dump($_GET);
      print_r($_GET);
      echo('<pre>'.print_r($_GET,1).'</pre>'); //Better for humans to read

      Evidently, your URL is not well formed. Look into urlencode().
  23. Thanks QuickOldCar, Wasn't really looking to optimize my.cnf, but just better understand how it is organized. I would have expected http://dev.mysql.com/doc/refman/5.5/en/option-files.html to describe it, but it doesn't really do so.
  24. What? You never smile
  25. I see my previous response even did an encoding faux pas. Typed UTF-8 followed by a parenthesis, and it displayed a strange smiley face.
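Post 4 above points at the `$path = '/home1/Mathone/TESTS/'. $_GET['filename'];` line and asks what happens when `filename` is `../../yourpasswords`. The following is an added example, not code from any of the posts, showing one way to serve a download from that directory so the request cannot name a file outside it: the name must be a bare file name (no path separators, no NUL byte), and the resolved path is checked with realpath() against the base directory, which also defuses symlinks. The base directory is taken from post 4; the header names and the X-Sendfile alternative are assumptions for illustration.

```php
<?php
// Added example (not from the original posts): serve a file from a fixed
// directory without letting "../" in the request escape that directory.
// DOWNLOAD_BASE is the directory from post 4; everything else is assumed.

declare(strict_types=1);

const DOWNLOAD_BASE = '/home1/Mathone/TESTS';

/**
 * Resolve a user-supplied file name to an absolute path inside DOWNLOAD_BASE,
 * or return null if the name is malformed or resolves outside the base.
 */
function resolveDownloadPath(string $requested): ?string
{
    // Accept only a plain file name: basename() must leave it unchanged, so
    // "../../yourpasswords", "sub/x" and "" are all rejected. A NUL byte is
    // rejected too, because it would truncate the path in C-level calls.
    if ($requested === '' || strpos($requested, "\0") !== false
        || basename($requested) !== $requested
        || $requested === '.' || $requested === '..') {
        return null;
    }

    $base = realpath(DOWNLOAD_BASE);
    $full = realpath(DOWNLOAD_BASE . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $full === false) {
        return null; // base missing, or file does not exist (or dangling symlink)
    }

    // realpath() canonicalises ".." and symlinks, so a prefix check on the
    // result is the reliable containment test (note the trailing separator,
    // which stops /home1/Mathone/TESTS2/x from passing as inside TESTS).
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($full) ? $full : null;
}

// Usage, after the application has already confirmed the user may download:
$path = resolveDownloadPath((string)($_GET['filename'] ?? ''));
if ($path === null) {
    http_response_code(404); // same answer for "outside base" and "missing"
    exit;
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . (string)filesize($path));
readfile($path);
// With Apache's mod_xsendfile enabled, the last two lines would become:
// header('X-Sendfile: ' . $path);
```

Returning the same 404 for a rejected name and for a missing file keeps the response from revealing which names were filtered. If the set of downloadable files is known to the application, an allowlist lookup (database id to file name) is simpler still and removes the user-controlled file name entirely.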
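Posts 7, 8 and 10 discuss authenticating the WebServer to FaxServer request with `hash('sha256', $pk . $secret)` and then ask whether HMAC is worth using. The block below is an added example, not code from the posts, of the HMAC variant: the signature covers every field the receiver acts on (not just the primary key), a timestamp and nonce limit replay, and the comparison is constant-time. The shared secret, field names and five-minute window are assumptions; the secret would be read from a configuration file outside the document root, as post 7 suggests, and the nonce store would be a table or cache rather than an in-memory array.

```php
<?php
// Added example (not from the original posts): HMAC-authenticated request
// between WebServer and FaxServer. The secret, field names, skew window and
// the array used as a nonce store are all assumptions for illustration.

declare(strict_types=1);

const SHARED_SECRET    = 'replace-with-a-long-random-secret-from-config';
const MAX_SKEW_SECONDS = 300;

/** Canonical string covering every field the receiver will act on. */
function canonicalize(array $fields): string
{
    ksort($fields); // the order in which fields were sent must not matter
    return http_build_query($fields, '', '&', PHP_QUERY_RFC3986);
}

/** Sender side: add timestamp and nonce, then sign the whole message. */
function signRequest(array $fields, string $secret, ?int $now = null): array
{
    $fields['ts']    = (string)($now ?? time());
    $fields['nonce'] = bin2hex(random_bytes(16));
    $fields['sig']   = hash_hmac('sha256', canonicalize($fields), $secret);
    return $fields;
}

/**
 * Receiver side: true only if the timestamp is fresh, the nonce is new and
 * the signature matches. $seenNonces stands in for a persistent store.
 */
function verifyRequest(array $post, string $secret, array &$seenNonces, ?int $now = null): bool
{
    if (!isset($post['sig'], $post['ts'], $post['nonce'])) {
        return false;
    }
    $now = $now ?? time();
    if (!ctype_digit((string)$post['ts'])
        || abs($now - (int)$post['ts']) > MAX_SKEW_SECONDS) {
        return false; // stale request, or clocks too far apart
    }
    if (isset($seenNonces[(string)$post['nonce']])) {
        return false; // the same message was already accepted once
    }
    $sig = (string)$post['sig'];
    unset($post['sig']);
    $expected = hash_hmac('sha256', canonicalize($post), $secret);
    if (!hash_equals($expected, $sig)) { // constant-time comparison
        return false;
    }
    $seenNonces[(string)$post['nonce']] = true;
    return true;
}

// Constructed demo run (no network): WebServer signs, FaxServer verifies.
$seen = [];
$msg = signRequest(
    ['pk' => '3221225472', 'fax' => '+15551234567', 'text' => 'Hello'],
    SHARED_SECRET
);

// A copy with the fax number changed after signing: signature no longer matches.
$tampered = $msg;
$tampered['fax'] = '+15550000000';
var_dump(verifyRequest($tampered, SHARED_SECRET, $seen));

// The untouched message is accepted once.
var_dump(verifyRequest($msg, SHARED_SECRET, $seen));

// Sending the identical message again is refused by the nonce check.
var_dump(verifyRequest($msg, SHARED_SECRET, $seen));
```

Compared with `sha256($pk . $secret)`, this binds the fax number, text and document list to the signature, so a captured request cannot be reused with different content, and the nonce store stops it being reused unchanged. HTTPS between the two servers still belongs in the design, because the HMAC authenticates the message but does not hide it.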