
NotionCommotion


Everything posted by NotionCommotion

  1. Merry Christmas! Store the hash in the users table? Will overwrite if the user uses two PCs, but I suppose that is acceptable.
  2. Used to be a good option, but don't know anymore as password_hash() is now available. Agree? I understand that I shouldn't ever manually salt and disable the functions salting. That being said, is there any reason to add a bit extra to the user's password (such as an internal ID and some random constant)?
  3. Learn PHP? Or hire someone to do it for you? There might be a hire section on this forum, and if not, try odesk.
  4. You are on the right track about setting up error displaying. Doing so is your number one troubleshooting technique. I will also add the following "just to be sure", but if you have php.ini set up right, you shouldn't need to.
     ini_set('display_errors', 1);
     error_reporting(E_ALL);
     As for the following error:
     Notice: Undefined index: name in .../public_html/include/p-page-ask.php on line 126
     You will see it references the following line of code.
     $questionid=qa_question_create($followanswer, $userid, qa_get_logged_in_handle(), $cookieid, $in['title'], $in['content'], $in['format'], $in['text'], qa_tags_to_tagstring($in['tags']), $in['notify'], $in['email'], $in['categoryid'], $in['extra'], $in['queued'], $in['name']);
     Specifically, it is describing $in['name'], and says that the array named $in doesn't have an element named "name". Right before this line, add the following. What does it display? Do you understand "ternary operators"? This is just a shortcut IF/THEN statement. Make sure you understand strings. See http://php.net/manual/en/language.types.string.php. Basically, you could use single and double quotes around text, and double quotes will convert PHP variables.
     echo('Element $in '.(isset($in['name'])?'contains':'does not contain').' element "name"');
     Instead of looking specifically at $in['name'], for troubleshooting, you normally look at the whole array. Try the following. Both do the same thing, and while the first gives a bit more information, I typically like the second because it is easier to read. You will find yourself doing this very often.
     var_dump($in);
     echo('<pre>'.print_r($in,1).'</pre>');
     Lastly, when troubleshooting, add "traps" when you are confused about what you are seeing. Add script like exit('something='.$something); at different locations to make sure you are getting there and using the values that you expect. And most of all, have fun and don't get frustrated.
  5. Thanks, I wasn't thinking straight.
  6. Any reason not to store the random token in the DB and email the hash? Not that it is any easier than doing the opposite, just curious.
  7. SMS is an option which I didn't consider. Thank you. I noticed you recommend "secret questions" in step 4, which seem to no longer be in vogue. I agree that one shouldn't rely on them (i.e. going from step 1 to step 4), but they likely provide additional screening, and allow a real person to get a feel when talking to them.
  8. No to what, the technique given in the blog which I admitted in the beginning was very suspect? Or the steps I stated in my second post? If neither are correct, what are the correct steps?
  9. I am thinking of the following. Please advise if this is adequate. User submits their email to server and requests new password. Or should they submit their username instead of their email? Server retrieves their users_id from the DB based on their email, and stores the users ID, a strong random value and the datatime in another table. Technically, this is using a GET request to change state, but I don't think there is a way around doing so. Maybe http://php.net/manual/en/function.mcrypt-encrypt.php could be used, but don't think so. Email is sent to user with link containing strong random value. User clicks link, random value is used to pull up users ID and date requested, and if date requested is within 24 hours of now, a form is presented with new password field and confirm new password field and hidden input with random value. Maybe the secret question challenge is also presented (see http://forums.phpfreaks.com/topic/293181-should-secret-questions-be-used-to-allow-password-changes/). When the form is submitted, random number is confirmed and maybe date again, and the password is changed.
  10. Thank you requinix and kicken. Witnessing unexplained behavior always concerns me, and I am relieved to know why it does what it does.
  11. Untested, but should be close.
      <?php
      if(isset($_POST['submit']) && ($_POST['vendor']!='') && ($_POST['item']!='')) {
          // Both ids are integers; casting them keeps raw form input out of the SQL string
          $sup=(int)$_POST['vendor'];
          $product=(int)$_POST['item'];
          $sql="SELECT supplier.id AS sid, supplier.name AS SNAME, supplier.category, supplier.website, supplier.email, supplier.phone, supplier.vat, supplier.pan, supplier_location.id, supplier_location.supplier_id, supplier_location.location, supplier_products.id, supplier_products.supplier_id, supplier_products.product_id, location.loc_id, location.name AS locname, products.product_id, products.name AS pname
              FROM supplier
              INNER JOIN supplier_location ON supplier.id = supplier_location.supplier_id
              INNER JOIN supplier_products ON supplier.id=supplier_products.supplier_id
              INNER JOIN location ON supplier_location.location = location.loc_id
              INNER JOIN products ON supplier_products.product_id=products.product_id
              WHERE supplier.id=".$sup." AND supplier_products.product_id=".$product;
          $sql1 = mysql_query($sql) or die(mysql_error());
          echo('<table> <thead> <tr> <th>Vendor ID</th> <th>Vendor</th> <th>Category</th> <th>Website</th> <th>Email</th> <th>Phone</th> <th>Products</th> <th>Locations</th> <th>VAT</th> <th>PAN</th> </tr> </thead> <tbody> ');
          while($row = mysql_fetch_array($sql1)) {
              // Escape database values before placing them in HTML
              $row = array_map('htmlspecialchars', $row);
              // The query aliases products.name AS pname, so that is the key to use here
              echo("<tr> <td>{$row['sid']}</td> <td>{$row['SNAME']}</td> <td>{$row['category']}</td> <td>{$row['website']}</td> <td>{$row['email']}</td> <td>{$row['phone']}</td> <td>{$row['pname']}</td> <td>{$row['locname']}</td> <td>{$row['vat']}</td> <td>{$row['pan']}</td> </tr>");
          }
          echo('</tbody></table>');
      } else {
          echo('Nothing');
      }
  12. I've done the "what is your mother's maiden name" or "what is your favorite football team" in the past, but have started coming to the conclusion that using such weak information is counterproductive. I recently came across https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet which recommends using secret question challenges. I typically feel OWASP is on target; however, I am not so sure on this occasion. Note that for my situation, I have the user's email. Please advise.
  13. I came across this amazing (not) blog to allow the user to reset their password. It basically does: User submits their email to server and requests new password. Server gets their users_id from the DB based on their email, and emails them with a link which contains ?encrypt=md5(1290*3+USERS_ID). When clicked, server retrieves user where md5(90*13+USERS_ID)=$_GET['encrypt'], and display a form. I think the math is a typo. When the form is submitted, the password is changed. What is the correct way to do this?
  14. Not sure if I understand your intent. Do you wish to display a table similar to what you show? You obviously need to close your PHP tag before displaying the table header, or echo the table header. I also think you should clean up how you echo each row (I typically echo both the array elements as well as the HTML tags, and use double quotes so that I don't need to concatenate each).
  15. And do you agree with my theory that error_log ('Hello') is written by the SAPI Error Logger (and thus root) while error_log("Hello.", 3, "/var/log/httpd/test/validation.log") is written by PHP?
  16. I've tried making it 777, but still couldn't write to validation.log when it was located in /var/log/httpd/test. I think I have a theory. When I use the following, PHP passes the error to the SAPI Error Logger, which is running as root and thus could write to that directory and file. Still a little hazy on what the SAPI Error Logger really is, but I expect it is some system-wide process for writing to the log.
      error_log('Hello');
      Reference: http://php.net/manual/en/errorfunc.configuration.php#ini.error-log
      On the other hand, when I use the following, it is being written by PHP, thus even if PHP has permission to write to the file, PHP doesn't have execute permission on all the parent directories.
      error_log("Some validation error.", 3, "/var/log/httpd/test/validation.log");
      Make sense?
  17. Yes it is. What is the relevance?
  18. Hello again, Looking back at outputs of "ps aux | grep httpd" and similar, it doesn't seem I am running Apache as root. I asked similar questions at http://www.linuxquestions.org/questions/linux-newbie-8/am-i-running-apache-as-the-root-user-4175528496/, and the consensus is I am not running Apache as root. Then why can I write to /var/log/httpd/test/errors.php using PHP when it is only open to root?
  19. You have an input which is sending content as text. Later you take that content and display it as HTML. I bet nl2br will make you happy
  20. Not everything, I am definitely capable of more. But I don't necessarily agree with it being the wrong approach. Let me explain why. My expected demographics will, no matter what you or I recommend, use weak passwords. They are not targets of sophisticated international threats, only non-sophisticated geographically local yahoos who may know them and could be commercial competitors. DoS is important, but credibly should they compromise their data to their local competitors, albeit by their own negligence, is more important. Given of course that you know the usernames of my entire userbase. If my entire admin staff goes insane, I suppose I could increase the number of failed attempts, reset it after a longer duration of time, or outsource my admin to a mental institution. I see there as being two objectives for doing so. One is blocking a degenerate from a single IP from hacking all my users. Given my expected audience's lack of having such a big VPN or proxy, this is probably not an issue; however, considering that a sophisticated non-local threat will not target them, it probably doesn't make much sense to do so. The second objective is preventing Billy Bob Badguy from discovering that if he logs in three times wrong to his account, he could attempt to log on to his competitor neighbor Chip Goodguy a couple of times and screw with him. The latter is a bigger deal. In regards to race conditions, I understand there to be two risks: DoS and intrusion by brute force, which as previously stated, brute force is more of a concern given my audience's use of weak passwords and priorities. The super processing power will only compromise DoS since the downstream atomic counter (nice word) ultimately dictates who is given access. Do you disagree?
  21. Yea, it is BIG! I just went over the whole thing (however glossed over areas which I didn't think were as pertinent). Forgot if it was the php.ini or the httpd.conf file that said "read and memorize every single line!" Well, maybe it wasn't that strong. Thanks for the ini scanner link. I will check it out. I agree that discussing the entire file is not realistic. I was looking for a starting point of areas I would want to better analyze and consider changing. The seven items appear to be ones I would consider doing.
  22. Thanks again Jacques, I've been catching SQL exceptions just to log the error and exit. Don't ask me why, but I agree it doesn't make much sense. Think I started doing so after reading some stupid book or tutorial.
  23. Thank you for your reply Jacques, I agree my class was far from perfect, and was just my initial attempt to better learn how I should use error reporting. A couple of related questions/comments:
      Agree that the localhost detection should go away, and I will either use a constant as you recommend or two separate php.ini files.
      I see where the manual states that E_ERROR and E_STRICT aren't covered by custom error handlers; however, http://php.net/manual/en/errorfunc.examples.php seems to show an example otherwise. Please explain.
      log_errors will be set per the recommended php.ini file. Should I also set error_log, or should it remain blank so they go to the SAPI Error Logger? (what does this mean?)
      Good point about setting the appropriate HTTP status code if a custom error handler is used. Could the standard error system both log and email errors? PHP also sets a 500 status code if there's a fatal error and no prior output. Would the custom error pages supported by all modern webservers display a given page should a 500 status code be given by PHP?
      Regarding PDO automatically throwing errors or exceptions, do I want to catch them, or just let them remain uncaught (assuming I wanted the error handler to deal with them)?
      <?php
      date_default_timezone_set('America/Los_Angeles');
      error_reporting(E_ALL);
      ini_set('display_errors', 1);

      function sql_error($e,$sql) {
          // Only silence duplicate key errors (MySQL error 1062); $silent was previously read before being assigned
          $silent=(isset($e->errorInfo[1]) && $e->errorInfo[1]==1062)?1:0;
          $error='Error in query:<br />'.$sql.'<br />'.$e->getMessage().'<br />File Name: '.$e->getFile().'<br />Line: '.$e->getLine().'<br />Time of Error: '.date("l F j, Y, G:i:s T").'<hr>';
          if(!$silent) {
              echo($error);
          }
      }

      require_once('../../ayb_private/dbase.php');
      $sql='SELECT a FROM b';
      try {
          $stmt=db::db()->query($sql);
          $a=$stmt->fetchColumn();
      }
      catch(PDOException $e){sql_error($e,$sql);}

      //uncaught
      $stmt=db::db()->query($sql);
      $a=$stmt->fetchColumn();
  24. Per line 79 of the latest php.ini file (http://git.php.net/?p=php-src.git;a=blob;f=php.ini-production;hb=HEAD), the production php.ini file is recommended for both production and development. Agree? I would like to know the "typical" recommended changes to this file for both production and development. My requirements should be assumed typical with the following qualifications:
      Installed using yum on Centos
      Apache/2.2.15
      MySQL (PDO)
      Either a physical machine or VPS (not a shared host)
      Primary US market
      Hopefully, this provides enough description, and if you still feel it totally depends on each individual's unique needs, please let that remain unsaid. Below is my initial assessment:
      Line 445: Change error_reporting to E_ALL for development only.
      Line 462: Change display_error to On for development only.
      Line 473: Change display_startup_error to On for development only.
      Line 568: Leave error_log blank so they go to the SAPI Error Logger (what does this mean?)
      Line 656: Change post_max_size if specifically needed for the application. Ideally, this would be changed in a particular script; however, I don't think this is possible.
      Line 676: Should default_charset remain at "UTF-8"?
      Line 799: Change upload_max_filesize if specifically needed for the application. Ideally, this would be changed in a particular script; however, I don't think this is possible.
      Any other recommended changes? Thank you
  25. Thank you requinix, So, if only root can access /var/log/httpd, and I am evidently doing so with Apache, then I must be running Apache as root, right? Guess that explains it.
      [root@devserver ~]# ps aux | egrep '(apache|httpd)'
      root     17936  0.0  0.1 404344 14592 ?        Ss   13:20   0:00 /usr/sbin/httpd
      apache   17938  0.0  0.1 506148 18172 ?        S    13:20   0:00 /usr/sbin/httpd
      apache   17939  0.0  0.1 502068 14096 ?        S    13:20   0:00 /usr/sbin/httpd
      apache   17940  0.0  0.1 506932 21532 ?        S    13:20   0:01 /usr/sbin/httpd
      apache   17941  0.0  0.1 508464 22892 ?        S    13:20   0:01 /usr/sbin/httpd
      apache   17942  0.0  0.1 506688 18480 ?        S    13:20   0:00 /usr/sbin/httpd
      apache   17943  0.0  0.1 501992 13764 ?        S    13:20   0:03 /usr/sbin/httpd
      apache   17944  0.0  0.1 506536 18460 ?        S    13:20   0:00 /usr/sbin/httpd
      apache   17945  0.0  0.1 506296 18296 ?        S    13:20   0:00 /usr/sbin/httpd
      root     19375  0.0  0.0 101024   848 pts/0    S+   14:20   0:00 egrep (apache|httpd)
      [root@devserver ~]# ps aux | grep apache2
      root     19377  0.0  0.0 103252   840 pts/0    S+   14:20   0:00 grep apache2
      [root@devserver ~]# ps axo user,group,comm | grep apache
      apache   apache   httpd
      apache   apache   httpd
      apache   apache   httpd
      apache   apache   httpd
      apache   apache   httpd
      apache   apache   httpd
      apache   apache   httpd
      apache   apache   httpd
      [root@devserver ~]#
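The password-reset flow sketched in posts 9 and 13, together with the question in post 6 about which side should hold the hash, as an added example that is not code from any post in this thread: the database keeps only a SHA-256 hash of the reset token, the raw token is what goes into the e-mailed link, the token expires after 24 hours and is consumed on first use, and the new password is stored with password_hash(). The in-memory SQLite database, the table names and the column names are assumptions made so the script runs stand-alone with the PDO SQLite driver.

```php
<?php
// Added example (not from the forum thread): password-reset tokens done the way the
// thread converges on. Only a hash of the token is stored, so a read of the
// password_resets table does not yield usable links. Tables/columns are assumptions.
declare(strict_types=1);

const TOKEN_TTL_SECONDS = 24 * 3600;   // "within 24 hours of now" from post 9

function setupDb(): PDO {
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password_hash TEXT)');
    $db->exec('CREATE TABLE password_resets (token_hash TEXT PRIMARY KEY, users_id INTEGER, requested_at INTEGER)');
    return $db;
}

// Step 1: user submits their e-mail. Returns the raw token to be mailed, or null if the
// address is unknown; the page shown to the user is the same in both cases.
function requestReset(PDO $db, string $email): ?string {
    $stmt = $db->prepare('SELECT id FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $userId = $stmt->fetchColumn();
    if ($userId === false) {
        return null;
    }
    $token = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG; this goes in the link
    $stmt = $db->prepare('INSERT INTO password_resets (token_hash, users_id, requested_at) VALUES (?, ?, ?)');
    $stmt->execute([hash('sha256', $token), (int) $userId, time()]);
    return $token;   // the database never sees this value in the clear
}

// Steps 2 and 3: the link is clicked (and later the form is posted). The token is looked
// up by its hash; anything older than the TTL is treated as if it did not exist.
function lookupToken(PDO $db, string $token, int $now): ?int {
    $stmt = $db->prepare('SELECT users_id, requested_at FROM password_resets WHERE token_hash = ?');
    $stmt->execute([hash('sha256', $token)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $now - (int) $row['requested_at'] > TOKEN_TTL_SECONDS) {
        return null;
    }
    return (int) $row['users_id'];
}

// Step 4: the form is submitted with the hidden token; re-check it, store the new
// password hash and delete every outstanding token for the user (single use).
function completeReset(PDO $db, string $token, string $newPassword, int $now): bool {
    $userId = lookupToken($db, $token, $now);
    if ($userId === null) {
        return false;
    }
    $db->beginTransaction();
    $db->prepare('UPDATE users SET password_hash = ? WHERE id = ?')
       ->execute([password_hash($newPassword, PASSWORD_DEFAULT), $userId]);
    $db->prepare('DELETE FROM password_resets WHERE users_id = ?')->execute([$userId]);
    $db->commit();
    return true;
}

// Demonstration with a constructed user.
$db = setupDb();
$db->prepare('INSERT INTO users (email, password_hash) VALUES (?, ?)')
   ->execute(['alice@example.com', password_hash('old-password', PASSWORD_DEFAULT)]);

$token = requestReset($db, 'alice@example.com');
echo 'first use:   ', completeReset($db, $token, 'new-password', time()) ? "accepted\n" : "rejected\n";
echo 'second use:  ', completeReset($db, $token, 'other', time()) ? "accepted\n" : "rejected\n";
$stale = requestReset($db, 'alice@example.com');
echo 'after 24 h:  ', completeReset($db, $stale, 'other', time() + TOKEN_TTL_SECONDS + 1) ? "accepted\n" : "rejected\n";
echo 'unknown mail: ', requestReset($db, 'nobody@example.com') === null ? "no token issued\n" : "token issued\n";
```

Hashing the token before storage is what settles the post 6 question: if the plain token were stored and a hash mailed, the database copy would be the usable secret. The GET concern from post 9 is addressed by letting the link only display the form; the state change happens on the subsequent POST, which re-validates the token.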
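On the error-handling questions in posts 22 and 23 (catching SQL exceptions only to log and exit, and whether PDO exceptions should be left for the error handler), an added example that is not code from the thread: a single set_exception_handler() callback writes full detail through error_log() and returns a generic 500 to the client, while the one condition the code can actually handle (a duplicate key, SQLSTATE 23000) is caught where it occurs. The log destination and the SQLite tables are assumptions; with error_log left unset, error_log() hands the message to the SAPI, which under mod_php means the Apache error log.

```php
<?php
// Added example (not from the forum thread): central handling of uncaught exceptions,
// PDOException included, instead of a try/catch around every query.
declare(strict_types=1);

error_reporting(E_ALL);
ini_set('display_errors', '0');   // production: SQL text and file paths stay out of the response
ini_set('log_errors', '1');
// ini_set('error_log', '/var/log/php/app.log');   // assumption; unset means the SAPI logger

function handleUncaught(Throwable $e): void {
    // Everything a developer needs goes to the log only.
    error_log(sprintf(
        '[%s] %s in %s:%d%s%s',
        get_class($e), $e->getMessage(), $e->getFile(), $e->getLine(),
        PHP_EOL, $e->getTraceAsString()
    ));
    // PHP sets 500 itself only for fatal errors; for an uncaught exception we set it here.
    if (!headers_sent()) {
        http_response_code(500);
    }
    // The web server's ErrorDocument does not apply once PHP has produced a response,
    // so the generic page has to be emitted by the script.
    echo 'An internal error occurred. It has been logged.', PHP_EOL;
}
set_exception_handler('handleUncaught');

// PDO configured to throw instead of returning false from every call.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE names (name TEXT PRIMARY KEY)');

// Catch locally only what the code can handle: a duplicate key is a normal outcome here,
// reported as false. Every other database fault propagates to handleUncaught().
function insertUnique(PDO $db, string $name): bool {
    try {
        $db->prepare('INSERT INTO names (name) VALUES (?)')->execute([$name]);
        return true;
    } catch (PDOException $e) {
        // errorInfo[0] is the SQLSTATE; 23000 is an integrity-constraint violation on all drivers
        if (isset($e->errorInfo[0]) && $e->errorInfo[0] === '23000') {
            return false;
        }
        throw $e;
    }
}

echo 'insert alice: ', insertUnique($db, 'alice') ? "inserted\n" : "duplicate\n";
echo 'insert alice: ', insertUnique($db, 'alice') ? "inserted\n" : "duplicate\n";   // handled locally

// A genuine fault, deliberately left uncaught, ends up in handleUncaught().
$db->query('SELECT a FROM no_such_table');
```

The split is the point: the handler decides once how much detail reaches the browser versus the log, so individual call sites are not tempted to echo the failing SQL as the sql_error() function in post 23 does.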