
leesiulung

Members
  • Posts

    83
  • Joined

  • Last visited

    Never

Posts posted by leesiulung

  1. Are there any reasons any more to even consider Server Side Includes over the include()/require() functionality implemented in PHP?

     

    Also, according to the manual:

     

    "Files for including are first looked in include_path relative to the current working directory and then in include_path relative to the directory of current script. E.g. if your include_path is ., current working directory is /www/, you included include/a.php and there is include "b.php" in that file, b.php is first looked in /www/ and then in /www/include/. If filename begins with ./ or ../, it is looked only in include_path relative to the current working directory. "

     

    The last sentence in quoted paragraph mentions a way to force includes to only be relative. However, what do you do if you are on a windows system... "./c:\phpincludepath" ???

  2. I use the following code to redirect:

     

    <?php
    // Send an explicit permanent-redirect status line, then the new location.
    header("HTTP/1.1 301 Moved Permanently");
    header("Location: http://www.mydomain.com/");
    // Stop here so nothing after the headers is emitted.
    exit();
    ?>
    

     

    However, when checking the headers sent, the text after the code 301 gets chopped off. I tried different codes too...

     

    Can anyone see anything wrong with this? I eventually solved it by using .htaccess file instead, but would like to get to the bottom of this.

  3. I apologize for not seeing your post earlier; for some odd reason my browser kept displaying a cached page (even with the setting "check for changes every time I access a page").

     

    The problem is that the URL has to have the .html extension. I realize that it adds quite a bit of overhead, but most of our pages are .php or .htm. I purposely picked .html for this as there were only two options.

     

    However, your suggestion sounds like a trick that would work. I will give it a whirl.

  4. Ok, so I have a fully working PHP installation running on Windows 2003 Server with IIS 6. This is not my choice, as it seems more common, with more support, to run PHP with Linux and Apache.

     

    Anyhow, the issue is that I need 301 Redirects for specific files with the extensions in .html. However, with HTML files you can't set headers, thus I'm forced to process all .html files as php files so headers can be set using PHP.

     

    Problem is, I tried adding the .html file extension to the "mapping" in IIS to the ISAPI file and it does not work. This is where I set the .php file extension for PHP processing in the past and expected a similar behavior. I made sure to select "All verbs" and checked "script engines" and "verify that file exists".

     

    Any suggestions?

  5. I have used a lot of programming languages, and ColdFusion is one I gave up; I personally think it's useless.

    As for turning things on and off... erm, ok, so PHP is highly configurable... how is that a bad thing!!

    ...

     

    I think ColdFusion has its issues, such as extra whitespaces everywhere, but it does not promote bad programming practice. I would not recommend ColdFusion unless it was already in use. However, I still think it is a step above PHP in terms of language design.

     

    PHP is much different than ColdFusion or JSP. In terms of scalability, PHP has an advantage, but it loses a few features that some developers miss (which is why there are efforts to create application servers for PHP).

     

    PHP scales well because Apache scales well because the Web scales well. PHP doesn’t try to reinvent the wheel; it simply tries to fit into the existing paradigm, and this is the beauty of it.

     

    PHP has its issues as mentioned above. In my opinion, they are far too serious to be considered for large sites. I do not know about PHP's or Apache's ability to scale, nor do I know about ColdFusion's ability to scale. However, from experience JSP is by far the best language I have come across for scalability in terms of users. If interested, I urge you to do some research, as JSP is considerably faster than it used to be. Do not take ColdFusion built on Java as the benchmark for JSP, as there are additional translations going on between CFM and Java.

     

    I have not worked on large sites with PHP, but remember when people talked about MySpace switching from ColdFusion (I think) to PHP and it was considerably faster.

     

    That said, I'm not sure what you mean by scalability? In terms of what, is PHP/Apache scalable?

     

    Oh, and flaming is the act of sending or posting messages that are deliberately hostile and insulting. Who flamed you?

     

    That is why I have 'more' in parentheses, as nobody so far has been directly hostile or insulting.

  6. I agree that PHP is useful and powerful. Also the user support is tremendous, far beyond anything I have seen in a scripting language except for Perl back in the day. However, PHP has too many shortcomings in my opinion. Many "features" of PHP should never have been introduced. There are also certain shortcuts/features that should only be turned on if the user specifically requested it, like the alias of $_SESSION['error_msg'] and $error_msg.

     

    I spend so much time figuring out oddities that most other languages do not have for a reason. Some of those things can be powerful, but it should not ASSUME that the user is aware of them. People aware of them will turn them on.

     

    The lack of understanding will always make people run and hide, if you want to do as little work as possible and hate a challenge then maybe VB8 is better for you.

     

    I program in Servlets/JSP and frequently do stuff in ColdFusion. JSP definitely takes more work to perform the same things as in PHP, so it is not necessarily the amount of work that I dislike about PHP. It is the amount of work trying to figure out the language's oddities. JSP is definitely more advanced and has a steeper learning curve, but it does not assume cr*p to the same extent as PHP.

     

    Try using more reasonable variable names, you have millions of choices.

     

    Keeping same variable names on each page that has same meaning and perform same function keeps code consistent and is good programming practice. That is a language feature problem, not a coding design problem.

     

     

    Just because you hate it doesn't mean everyone else does. PHP is a very useful language for me. If you get fluent in it, it'll be a less of a pain for you. Trust me. PHP is powerful.

     

    I never suggested that 'everyone else' hates PHP. Rather I was saying it promotes bad programming practices, as is evident in that it does not require variable declaration, has obscure shortcut notations, and has no datatypes or namespaces. I have seen functions in the API that changed their return value between PHP versions... wtf. That is numero uno BAD PROGRAMMING PRACTICE in the API.

     

    So yes, I have a lot of gripes with PHP. I am forced to however learn it as a lot of people use it.... unfortunately.

     

    I'm actually surprised I didn't get flamed (more)....

  7. Yeah, I read that posts about the headers.

     

    I think I figured out the 'issue': in probably one of PHP's "great" features, it automatically links variables in $_SESSION['varname'] with variables $varname. Thus, when I think I'm using two different variables it is actually both the same!!!

     

    So far I have nothing good to say about PHP and my prior suspicion about it being a terrible language is confirmed. I hope the language dies, because it does nothing but breed terrible programmers with its lax syntax and lack of forethought in language design.

     

    I appreciate you guys' help, and please don't take my frustration as something directed at any of you.

  8. maybe a book would help!

     

    Perhaps, although I do have an older book I use for reference.

     

    It is just frustrating as I spend so much time trying to figure out oddities. I mean, sure I have syntax and run-time errors that are my fault. Symptoms like the one above, though, are not something I expect.

     

    I assumed, and correct me if I am wrong, that all variables declared unless in session variables should be obliterated at the end of the PHP script. That is how it is in other languages I dealt with....

  9. This is really odd behavior, but follow me with this as I'm a little baffled.

     

    I use sessions to store information in $_SESSION. However, variables that are not in $_SESSION that I define myself are also remembered between pages in the same session.

     

    What gives?

     

    Is $error_msg some kind of global variable?

     

    So, I might have two pages, let's say page1.php and page2.php. They both use the variable $error_msg and session_start();

     

    However, page2.php remembers what $error_msg contained at the end of page1.php....
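The behaviour in the two posts above ($error_msg surviving from page1.php to page2.php, and the "alias" between $_SESSION['error_msg'] and $error_msg) is PHP's register_globals setting: with it on, every key of $_GET, $_POST, $_COOKIE and $_SESSION is copied into a global variable of the same name. The following is an added example, not code from the original thread. Because current PHP no longer has the setting, the copy is simulated with a small helper; the bypass it enables and the hardened form are the same as on a real register_globals host. The user name, password, request values and variable names are constructed for the example.

```php
<?php
// Added example (not from the original thread): what register_globals did,
// why a bare $error_msg "remembers" the previous page, and the classic
// authorisation bypass it allows, next to the hardened pattern.

// On a real host the setting cannot be turned off with ini_set() at run
// time (it is php.ini / .htaccess only), so refuse to run while it is on.
if (ini_get('register_globals')) {
    exit("register_globals is on: set php_flag register_globals off in .htaccess\n");
}

// Simulation of register_globals: request data and session data land in the
// global symbol table under their own names, request values first.
function simulate_register_globals(array $request, array $session)
{
    foreach ($request + $session as $name => $value) {
        $GLOBALS[$name] = $value;
    }
}

// Vulnerable pattern: $authorized is assigned only on success and never
// initialised, so a value the client put in the URL is trusted.
function is_admin_vulnerable($user, $pass)
{
    global $authorized;   // picks up whatever register_globals put there
    if ($user === 'admin' && $pass === 'correct horse') {
        $authorized = true;
    }
    return !empty($authorized);
}

// Hardened pattern: every variable is initialised before use, and session
// state is read and written only through an explicit $_SESSION-style key,
// never through a bare variable that a request could pre-populate.
function is_admin_hardened($user, $pass, array &$session)
{
    $authorized = false;
    if ($user === 'admin' && $pass === 'correct horse') {
        $authorized = true;
    }
    $session['authorized'] = $authorized;
    return $session['authorized'] === true;
}

// Constructed request: wrong password, plus ?authorized=1 in the query string.
$request = ['user' => 'admin', 'pass' => 'wrong', 'authorized' => '1'];
// Constructed session, as left by a previous page.
$session = ['error_msg' => 'left over from page1.php'];

simulate_register_globals($request, $session);

// The bare global now carries page1's value, exactly as observed in the thread.
echo "bare \$error_msg: ", $error_msg, "\n";
echo "vulnerable check: ", is_admin_vulnerable($request['user'], $request['pass']) ? "admin\n" : "denied\n";
echo "hardened check:   ", is_admin_hardened($request['user'], $request['pass'], $session) ? "admin\n" : "denied\n";
```

The rule that makes the collision impossible is the one the hardened function follows: initialise every variable before use, and treat $_SESSION[...] as the only channel for state that crosses requests. Where register_globals cannot be switched off on a shared host, the check at the top keeps the script from running on it at all.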

     

  10. So I got my pages up and running and right now it prevents SQL injection by using mysql_real_escape_string() on all user input. Now I do have a lot of code that relies on GET and POST variables from users. How do I scrub this for malicious input? What sort of things can malicious users do with this?

     

    My guess is that PHP is a scripting language and isn't compiled, but rather interpreted. Thus they can pass in regular PHP code in the GET/POST variables. Is this true for PHP? I have seen code that does stuff like $$contains_variable_name, which suggests this is possible.

     

    Some older thread suggested a function called htmlentities(), but I fail to see how this is related to this or XSS attacks.

     

    Finally, not quite related what is the opposite of mysql_real_escape_string()? Do you have to do the opposite of mysql_real_escape_string() when you display the data? Can't find any information or samples of this on PHP.net's website.
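The three questions in the post above (what to do with GET/POST input beyond mysql_real_escape_string(), where htmlentities() fits, and whether there is an "opposite" of the escaping function) all come down to one point: escaping belongs to the context a value is written into, not to the value itself. The following is an added example, not code from the original thread. It uses an in-memory SQLite database through PDO as a constructed stand-in for MySQL so it runs offline (the same PDO calls work against MySQL); the rows and the injection payload are constructed for the example.

```php
<?php
// Added example (not from the original thread): SQL injection versus a
// prepared statement, and HTML escaping at output time. PDO + SQLite is a
// constructed stand-in for the MySQL database in the post.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');

// Constructed rows. The apostrophe and the <script> tag are legitimate data
// once they are bound as parameters; nothing is escaped before storage.
$insert = $db->prepare('INSERT INTO users (name, email) VALUES (?, ?)');
$insert->execute(["O'Reilly", 'tim@example.com']);
$insert->execute(['<script>alert(1)</script>', 'xss@example.com']);

// Vulnerable: the value is spliced into the SQL text, so a quote in the
// input closes the literal and the rest is parsed as SQL.
function find_by_name_vulnerable(PDO $db, $name)
{
    $sql = "SELECT name, email FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: the value travels as a bound parameter and can never become SQL.
// mysql_real_escape_string() / PDO::quote() are the older way to get the
// same property for string-built queries. Either way the stored data is
// the original string, so there is nothing to "unescape" when reading it.
function find_by_name(PDO $db, $name)
{
    $stmt = $db->prepare('SELECT name, email FROM users WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Output context: escape for HTML at the point of output. This is the job
// htmlentities()/htmlspecialchars() do; it is unrelated to SQL and is what
// stops stored data from running as script in the visitor's browser (XSS).
function render_rows(array $rows)
{
    $html = "<ul>\n";
    foreach ($rows as $row) {
        $html .= '  <li>' . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8')
               . ' &lt;' . htmlspecialchars($row['email'], ENT_QUOTES, 'UTF-8')
               . "&gt;</li>\n";
    }
    return $html . "</ul>\n";
}

$payload = "x' OR '1'='1";   // constructed injection string
$leaked  = find_by_name_vulnerable($db, $payload);
$safe    = find_by_name($db, $payload);

printf("vulnerable query returned %d rows (the whole table)\n", count($leaked));
printf("prepared statement returned %d rows for %s\n", count($safe), $payload);

// The apostrophe round-trips intact: no reverse escaping needed.
echo render_rows(find_by_name($db, "O'Reilly"));

// The stored script tag is rendered as text, not executed.
echo render_rows(find_by_name($db, '<script>alert(1)</script>'));
```

Two follow-ups to the post's other questions. Request values arrive as strings and PHP never evaluates them; they only become code if the script hands them to eval(), uses them as a variable-variable name ($$name) or as an include path, so the defence is to never do those with user input rather than to "scrub" the input. And if backslashes do show up in stored data, the host had magic_quotes_gpc on and the input was escaped twice; the repair is stripslashes() on input on that host, never on output.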

     

     

  11. You can use .htaccess to do a php_ini portion to set error levels.

     

    http://www.evolt.org/article/Make_your_PHP_code_portable/17/28117/index.html

     

    That site might help you out.

     

    I'm so close to being done that I might just go on without the proper error reporting. However, I will take a look at that link and mark this thread solved. Just don't ever get hosting with SBC....  >:(

     

    Frost110, I appreciate your continued help on this. Thanks!!!  :)

     

  12. semicolons are also assumed!!! That is terrible  >:(

     

    Anyhow, here is the code I used:

     

    
    <?php
    ini_set('display_errors', 1);
    error_reporting(E_ALL ^ E_NOTICE);
    phpinfo();
    
    $str = 'a' 'b';      // deliberately broken: missing concatenation operator
    $str = 'c' . 'd'     // deliberately broken: missing semicolon
    $str = 'test me!';
    

     

    I still got a blank page and the phpinfo() did not display. How do I set the error level? I can't find any info on error_level by searching other than error_reporting();

  13. I feel like we have already answered your question. In the most general terms you've asked how can you avoid raw HTTP data from being sniffed. The answer is, you can't. The best you can do is encrypt the HTTP using public key encryption (SSL). If you don't want to encrypt the communication between the client and the server then you have to live with the fact that a determined party can hijack sessions on your site. Amazon encrypts the communication of credit card numbers via SSL. It does NOT force HTTPS on every page because the credit card number is not in the session. If the session is hijacked the hijacker has only gained access to your Amazon account information. If the hijacker wishes to make a purchase they still must enter credit card information and again submit that information via an encrypted protocol. Please explain, in light of what I've just said, what your security concern is.

     

    Best,

     

    Patrick

     

    I actually tested this, by adding an item to my cart, logging in and proceeding almost to checkout. Then, assuming the session id is still available, I went to the main page from the same browsing session. It asked me to log in again when trying to checkout. However, if there is a valid non-expired credit card on file it will allow you to re-use that card again by selecting a radio button. Not sure how Amazon figured that out, other than keeping track of what pages I was on....

     

    You ask the same question but do not seem to get a direct answer.

     

    Let me ask you this, do you know how sessions are leaked? Do you know how they are instantiated if leaked?

     

    The best offense to this "session" hijacking is to make sure that your sessions timeout in a timely manner like 15 minutes with no activity from the user.

     

    Usually 15 minutes is not enough time for a hacker to grab a session id, instantiate it and run through the site using it. Have you had the session ids hijacked before? I know I never have, but a way to prevent a hijacking is to have checks on sessions at the start of a page: make sure that the IP is the same as it originally was, store a version of the IP in the session. Also store some other identifying information from the user side, maybe the browser version they were using and OS version.

     

    This way if the os version is different than you obviously have a problem. If the IP is different it may be a dialup connection, but generally is a problem and I am sure a user would rather be logged out and have to log back in instead of having information hi-jacked.

     

    Anyhow hope that sheds some light on the situation.

     

    In the course of research I just found this: http://forums.devnetwork.net/viewtopic.php?t=34468

    It basically discusses much of the same information you gave me.

     

    I have never had a session hijacked and the likelihood is very small. However, I'm paranoid enough to try to find an answer. I have never tried to hijack a session myself and do not know the details. As far as I know, all one needs in many cases to hijack a session is to sniff it while it is being transmitted as part of the request header or when it is first transmitted to the user from the server (unless the session id is user generated). Thus all you need to do is craft the right request with the cookie id...

     

    However, a method described on wikipedia on the topic of 'session fixation' involves generating a new session id on each request, might be closer to the answer (albeit a little complicated). There seems to be no fool proof way, unless you use SSL on the whole entire site. Then SSL and client side is most likely the weakest link.

     

    Your answer was clear and direct. Exactly what I was looking for. However, storing ip according to the thread I posted is not a good idea.

     

    I will mark this thread solved. People wanting more information can visit that thread. If I find something new I will post back here. I appreciate all the help I received in this thread!

  14. You can try this going along with what Wildteen said:

     

    <?php
    ini_set('display_errors', 1);
    ?>
    

     

    http://us2.php.net/manual/en/function.ini-set.php

     

    Not sure if this would work, but it is worth a shot. Chances are the host disabled that option.

     

    Another option might be to create an .htaccess that does a similar thing to ini_set.

     

    I tried setting:

     

    ini_set('display_errors', 'on');

     

    Did not work and so I reread your post and tried:

     

    ini_set('display_errors', '1');

     

    Worked, and displayed unknown function errors, but does not display syntax errors of this kind:

     

    $str = 'a' 'b'; // missing concatenate operator

    $str = 'c' . 'd' // missing semicolon

     

    This is quite frustrating.

     

    I am telling you guys, this dude is trying to hack!!

    Read his other post if you don't believe me.

     

    This guy is plain annoying yet amusing.... I'm not going to even respond to this....

     

    I appreciate all the posts genuinely trying to aid me, instead of accusing though! That last one almost worked.

  15. I believe that he is trying to hack!!!!

     

    I'm tired of responding to this, but NO, I'm not trying to hack. However, if I wanted to, this is not the place to find such information. I'm better off finding sites that discuss and actually have samples of code and disclose vulnerabilities I can look for. Furthermore, there are plenty of tools freely available on the net that I can use to scan bad code.

     

    To properly prevent hacking, one must understand how these breaches occur. Yet, so far I have only asked about best coding practices to avoid being an easy victim.

     

    It is also interesting to note that so far on this site I have seen numerous posts about programmers asking for help regarding their hacked site. From the ones I saw, at least 1 or perhaps 2 discuss SQL injection. This is such a common thing that it should be taught with whatever SQL tutorial one reads.

     

    Please refrain from making unrelated comments and speculations as it makes it hard for potentially others that might benefit from this thread to wade through and get useful information.

     

    I appreciate everyones response so far and please help me find an answer to this!

  16. Igor, I apologize. I don't think I'm being specific enough.

     

    What I meant to say is how does one implement session handling in code (i.e. session_start()) if one wants to store credit card numbers in the database. I realize there are database permissions and issues one should set for that too, but my discussion focuses on the code for handling sessions to prevent leakage.

     

    I'm not discussing storing credit card numbers in sessions, although I don't see a problem with this unless sessions aren't stored in memory and the session id is leaked somehow. I agree that it is probably not advisable to store cc# in sessions, although I think it merits some investigation.

     

    I hope I am being clear enough.

     

    Thanks,

  17. Never store credit card numbers in the session.... it is a no-no!

     

    If you want to SSL your whole website it is not advisable for SEO reasons.

     

    Just do a session to track customer behavior on http, and when you go to the submit personal information page do an https; the session should continue....

     

    I guess since cc#s aren't stored there is no real issue, as the user must enter this on the checkout page. Worst case in a session hijack is they find address, email and phone numbers. However, I'm still curious to know how one would implement the sessions if cc#s were stored. I am willing to go out and buy a book on the topic and read it if anyone has any recommendations.

  18. Okay, SSL will encrypt the data, but it still can be cracked by very professional hackers.

    You have nothing to worry about this, because only very few people know the technique.

    And the web standards are to secure the session with SSL....so no further questioning about how to break into the session and sniff the packets.........

     

    ....

     

    Again, I'm not asking how to break SSL or sniff packets over an SSL connection. I'm asking how to ensure the cookie isn't sniffed when the user goes from an https to an http area. It is common for sites like Amazon to only encrypt the transmission when checking out and not while browsing the site. Interesting thing is they don't ask for a password when checking out if you are already logged in, but come in from an http connection. Amazon will just redirect you to https and continue the checkout process... How can I get this functionality and how can I avoid leaking session ids on http transmissions?

     

    So you see, I'm asking how to get a functionality and security measures implemented. I'm not asking to break anything or how to sniff packets.

     

    I do not store any credit card information and am well aware of the implications of storing credit card numbers. I said credit card processing. However, I might consider storing credit card numbers in sessions, but have not investigated potential issues with this.

     

    With all of that said, I do appreciate your assistance so far.

  19. hmmm.... let me clarify my question.

     

    How can I secure my site with SSL to protect the session id from being sniffed? The problem is that session ids are nothing more than a text string that can be picked up over the internet unless encrypted.

     

    So is there a way to control the behavior of the client such as when to send and when not to send the session id to the server? I know that I need to use SSL to encrypt the session over https, but need to know how to implement the sessions properly in code.

     

     

    But what are your sending over the NET? State secrets?

     

     

    Just credit card information, but as mentioned before, I'm kind of paranoid, and in addition I think it is my job to secure the site properly, especially if it processes credit card numbers.
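The measures discussed in the session-hijacking post above (an idle timeout, binding the session to something about the client, regenerating the id against session fixation) and the question running through the last few posts (how to keep the session id off plain-http requests while still tracking a shopper on http pages, the way Amazon does) fit in one session bootstrap. The following is an added example, not code from the original thread. The cookie names, the 15-minute limit and the user id are assumptions for the example; it deliberately binds to the User-Agent rather than the IP address, since, as noted above, a client's IP can change during a session.

```php
<?php
// Added example (not from the original thread): a hardened session start
// for a PHP site that browses over http and logs in / checks out over https.

const IDLE_LIMIT = 900;   // 15 minutes of inactivity, the figure from the thread

function is_https()
{
    return !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
}

// Wipe the data and issue a fresh id; the old id becomes useless to anyone
// who captured it, and the cookie the browser holds is replaced.
function reset_session()
{
    $_SESSION = [];
    session_regenerate_id(true);
}

function secure_session_start()
{
    $https = is_https();

    ini_set('session.use_only_cookies', '1');   // never accept ?PHPSESSID=... in the URL
    ini_set('session.use_trans_sid', '0');      // never rewrite links to carry the id
    ini_set('session.cookie_httponly', '1');    // not readable by script (limits XSS theft)
    // Secure flag: the browser refuses to send this cookie over http at all.
    ini_set('session.cookie_secure', $https ? '1' : '0');
    // Two separate cookies (assumed names): the http one may hold only
    // harmless state such as a cart id; the https one holds the login.
    session_name($https ? 'SECURE_SESSION' : 'BROWSE_SESSION');
    session_start();

    // Idle timeout enforced server-side, independent of the cookie lifetime.
    $now = time();
    if (isset($_SESSION['last_seen']) && $now - $_SESSION['last_seen'] > IDLE_LIMIT) {
        reset_session();
    }
    $_SESSION['last_seen'] = $now;

    // Bind to a stable client property. IP is deliberately not used.
    $ua = hash('sha256', isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '');
    if (!isset($_SESSION['ua'])) {
        $_SESSION['ua'] = $ua;
    } elseif (!hash_equals($_SESSION['ua'], $ua)) {
        reset_session();          // presented id came from a different client
        $_SESSION['ua'] = $ua;
    }
}

// Call only on https, after the password check has succeeded. The id the
// client presented before authentication is discarded, so a fixated or
// sniffed pre-login id never becomes a logged-in one.
function login($user_id)
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $user_id;
    $_SESSION['logged_in_at'] = time();
}

// Guard for account pages: bounce http to https first, then require the
// login that lives only in the https session. Because the browser attaches
// SECURE_SESSION again on the https request, an earlier login resumes
// without a new password prompt, which is the Amazon-style behaviour asked
// about above.
function require_https_login()
{
    if (!is_https()) {
        header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], true, 302);
        exit;
    }
    if (empty($_SESSION['user_id'])) {
        header('Location: /login.php', true, 302);   // assumed login page
        exit;
    }
}

secure_session_start();
// Typical use: on login.php, after verifying credentials, call login($id);
// at the top of checkout.php and account pages, call require_https_login().
```

The split into two cookies is what keeps the session id off the wire in clear: BROWSE_SESSION travels on every page and should never hold anything the site is not willing to lose to a hijack, while SECURE_SESSION carries the Secure flag and so is only ever sent inside TLS. Card numbers stay out of both; the session is a pointer to server-side state, not a place for the data itself.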

     

  20. Actually the showing of error messages is just temporary, so I can debug it. I need to identify what line there is a problem with.

     

    I don't want to test it on my environment and then test it on the live server (that isn't really live)....

     

    To clarify I want to see errors in my code from server i.e. missing semicolon, syntax errors or runtime errors.
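The blank page in the error-reporting posts above has a specific cause: a missing semicolon or a missing concatenation operator is a parse error, found while the file is compiled, before any statement in it runs, so ini_set('display_errors', ...) and error_reporting() in the same file never take effect. Setting them in a separate file and then including the one under test makes the error visible with its line number. The following is an added example, not code from the original thread; the file names and the DEBUG_ERRORS constant are assumptions, and the broken test file it writes is constructed from the snippet posted earlier in the thread.

```php
<?php
// debug_wrapper.php: added example (not from the original thread). Enables
// error display in this file, then includes the file being debugged, so a
// parse error in that file is reported instead of producing a blank page.

define('DEBUG_ERRORS', true);   // assumption: set to false before deploying

if (DEBUG_ERRORS) {
    error_reporting(E_ALL);              // include E_NOTICE: it is what flags a misspelt variable
    ini_set('display_errors', '1');      // '1', not 'on', as found to work in the thread
    ini_set('display_startup_errors', '1');
    ini_set('html_errors', '0');         // plain text, readable in "view source" too
} else {
    // Displayed errors leak file paths, query fragments and versions to any
    // visitor, so on the live site they go to the log only.
    ini_set('display_errors', '0');
    ini_set('log_errors', '1');
}

// Constructed test file reproducing the broken lines from the thread.
// In real use, hard-code the include and never include a user-supplied path.
$page = 'page_under_test.php';
if (!is_file($page)) {
    file_put_contents($page,
        "<?php\n"
        . "\$str = 'a' 'b';\n"      // missing concatenation operator
        . "\$str = 'c' . 'd'\n"     // missing semicolon
        . "\$str = 'test me!';\n");
}

// The parse error in page_under_test.php is now shown with its line number
// (as a fatal error on PHP 5, as an uncaught ParseError on PHP 7 and later).
require $page;
```

Run it as php debug_wrapper.php or request it through the web server. Where the host runs mod_php and honours .htaccess, the same two settings (php_flag display_errors on and a php_value error_reporting level) apply to every file, including ones that fail to parse, without a wrapper; on a host that has disabled ini_set for display_errors, that is the only option short of a local copy.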
