
leesiulung

Members
Posts: 83
Joined
Last visited: Never

Everything posted by leesiulung

  1. I'm working on a shared hosting environment where it appears error messages are not displayed. Is there a way to enable this through code? I do not have access to the control panel or anything of that nature. All I have is a username, password and FTP address. Help would be appreciated as this is frustrating... not knowing what is wrong.
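One way to get error output on a host where php.ini cannot be edited, added here as an example and not code from the post above or from any project it mentions. It uses only `ini_set`, `set_error_handler` and `register_shutdown_function` from the PHP standard library; the `$isDevelopment` switch and the log path under `../logs/` are assumptions. Because rendering errors into pages exposes file paths and queries to every visitor, the example keeps display off by default and writes to a log file instead.

```php
<?php
// Added example (not from the original post): enable full error reporting from
// inside a script when php.ini is out of reach. The log path is an assumption;
// any file outside the web root that PHP can write to will do.
declare(strict_types=1);

error_reporting(E_ALL);

// Development only: errors are rendered into the HTML response. On a public
// site this leaks paths and SQL to anyone who triggers a failure, so the
// default here is to log rather than display.
$isDevelopment = false;

ini_set('display_errors', $isDevelopment ? '1' : '0');
ini_set('log_errors', '1');
ini_set('error_log', __DIR__ . '/../logs/php-errors.log'); // assumed path outside the web root

// Turn warnings and notices into exceptions so they cannot pass silently.
set_error_handler(static function (int $severity, string $message, string $file, int $line): bool {
    if (!(error_reporting() & $severity)) {
        return false; // honour the @ operator and the current error_reporting level
    }
    throw new ErrorException($message, 0, $severity, $file, $line);
});

// Fatal errors never reach the error handler; record them from a shutdown function.
register_shutdown_function(static function (): void {
    $err = error_get_last();
    $fatal = [E_ERROR, E_CORE_ERROR, E_COMPILE_ERROR];
    if ($err !== null && in_array($err['type'], $fatal, true)) {
        error_log(sprintf('Fatal: %s in %s:%d', $err['message'], $err['file'], $err['line']));
    }
});

// From here on, a failing call shows up in the log (or on screen in development).
$handle = fopen(__DIR__ . '/does-not-exist.txt', 'r');
```

Two limits worth knowing: a parse error in the same file happens before any of these lines run, so put this block in a separate include that is loaded first; and some shared hosts disable `ini_set`, in which case the directives have to go into a `.htaccess` (`php_flag`/`php_value`, mod_php only) or a per-directory `.user.ini`.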
  2. I just went with the lingo of prozente, but yes, HTTP commands are independent of the communication medium. Hence it can go over multiple packets or whatever you are using, including Morse code, if you rigged your computer to respond to that. I was attempting to refer to the fact that only one message either way (ignoring packet transmission etc.) gets sent out on each page fetch. Meaning the client crafts all the HTTP commands and sends them in one go to the webserver; once the webserver receives the message it returns the requested data (message) in one go to the client. The next request is unaware of previous requests and there are no multiple exchanges of messages between client and server in one HTTP session. I hope that is clear enough. I'm not a hacker wannabe, although I have played around with various exploits and had some fun with that. However, I have not and will not conduct any illegal computer activity. With that said, I think any serious programmer should spend time understanding at least two things:
     - software engineering (or design in general)
     - good programming practices
     - security
     A lot of terrible programming occurs because of a lack of any or all of the above points. Beginning PHP programmers like myself probably produce very insecure code due to the nature of PHP as a language and how it is designed. It surprises me that people aren't more interested in security issues in using sessions, as just about any site I visit these days uses session cookies or at least cookies. It seems like at this point the only way to prevent the session cookie from leaking is forcing the visitor to surf over https... However, that is not how large sites like amazon.com or ebay.com do it... also it would seem that the people designing the HTTP specs would have thought of this glaringly obvious issue.
  3. I did not know that the session ID was created from the time and then hashed with MD5. It is unlikely, but possible, that two surfers access the site at the exact same time down to the millisecond, ending up with identical session names, unless the server is the one creating the session id. Since the session id is sent with every page request, and there is only one packet (with the HTTP request information) sent when each page is requested, the whole site has to be surfed over an SSL connection. Is there any way around this? Some way to manage this? To clarify: during any HTTP request, there are only two packets that go back and forth, i.e. the request packet and the response packet. Is this correct? There is no server request for additional information during the HTTP connection? Thanks guys, this is clarifying a lot of things though.
  4. I'm not sure I follow you on that. How can I force all HTTP requests to go through https? Does that mean that the whole site has to be surfed through https? I'm actually not sure how the cookie exchange process occurs between server and client. My guess is it goes as follows:
     Client: requests a page
     Server: if session_start() is on the script page, requests the session id from the client
     Client: sends a session id if it has one, otherwise sends some default message
     Server: sends the requested page based on the session id
     Can anyone confirm that? If so, I will be able to make sure all pages that have session_start() force using https. I really appreciate all the help I have been getting so far. I just want to get to the bottom of this... It is an important topic.
  5. How does one check that the tmp folder is not accessible via a shared folder? That is also fairly unlikely and limited to exploit, since one has to come across a shared folder with a tmp folder storing session ids. Interesting thought... never thought of that. That is exactly what my concern is. I have SSL enabled on the site, but how can I limit the session cookie to only be sent over an SSL connection instead of forcing the user to surf the site over SSL at all times? My guess is that the server only requests the session id when session_start() is on the PHP script page being requested by the client....
  6. Let us assume I don't pass the session id in the URL. It is still possible to sniff the session id when it is being sent by the browser on each request unless it is on a secured connection. I guess I'm looking for someone who can explain how cookies are sent, i.e. how the handshaking happens between client browser and server. Concerned about (although somewhat unlikely) session ids being sniffed while sent over http.
  7. How does one prevent session ids from leaking? My guess is to use session_start() on secured connections (https) only, but the truth is I'm not sure. Anyone venture to fill me in on this? Anyone working with login/logout type sites should pay attention to this.
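Posts 2 through 7 above ask the same thing: how to keep the session cookie off plain HTTP without serving every page over SSL. The mechanism is the cookie's own attributes. The server sets the cookie once in a Set-Cookie response header, and from then on the browser attaches it as a Cookie request header on every matching request without being asked; a cookie marked Secure is attached only to https:// requests. The block below is an added example, not code from the thread, using PHP's `session_set_cookie_params` (array form, PHP 7.3 or later) and the `session.use_only_cookies` / `session.use_strict_mode` settings; the `isHttps()` helper and the redirect policy are assumptions for the example.

```php
<?php
// Added example, not code from the original thread. Keeps the PHP session
// cookie from ever travelling over plain HTTP: the browser honours the Secure
// flag, so only the pages that use the session need to be served over HTTPS.
declare(strict_types=1);

// Detect an HTTPS request. Behind a TLS-terminating proxy this would have to
// consult a trusted forwarded header instead (assumption: no proxy here).
function isHttps(): bool
{
    return (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
        || (int) ($_SERVER['SERVER_PORT'] ?? 0) === 443;
}

function startSecureSession(): void
{
    if (!isHttps()) {
        // Never start a session on a plain-HTTP request; send the visitor to
        // the HTTPS copy of the same URL instead.
        header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], true, 302);
        exit;
    }

    // Cookie attributes must be set before session_start().
    // secure   -> browser sends the cookie only over HTTPS
    // httponly -> JavaScript cannot read it
    // samesite -> not attached to cross-site requests
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    // Refuse ids supplied in the URL, and refuse ids the server never issued.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1');

    session_start();

    // Issue a fresh id the first time this session is used (and again at
    // login), so an id observed earlier is useless afterwards.
    if (empty($_SESSION['initialised'])) {
        session_regenerate_id(true);
        $_SESSION['initialised'] = true;
    }
}

startSecureSession();
$_SESSION['last_seen'] = time();
echo 'Session is active; its cookie is sent over HTTPS only.';

// The first response carries a header of the form (constructed value):
//   Set-Cookie: PHPSESSID=<id>; path=/; secure; HttpOnly; SameSite=Lax
// and the browser replays "Cookie: PHPSESSID=<id>" only on https:// requests,
// so a plain-HTTP page on the same host never sees the id on the wire.
```

The remaining exposure is a visitor who first types the http:// address: the redirect itself is sent in clear, but no cookie accompanies that request, so nothing secret is leaked. Sending a Strict-Transport-Security header from the HTTPS pages closes that window for returning visitors.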
  8. This probably won't work, but worth a shot. Try setting all your zones to HIGH and setting the browser to block cookies by using the slider. I don't remember how this is done in IE6, but probably similar to IE7.
  9. Well, in my quest for shopping carts I ran across osCommerce. Man, this thing seems to have everything one would need and best of all it is FREE! My only concern is that it does not seem SEO friendly. That is a major issue for me. Has anyone used this and can give some input? Good or bad.... SEO or not.... I'm considering using it for my "fun project" of opening a small e-commerce store. I intended to write the thing myself, probably in a long weekend or two since my needs are modest. However, I'm seriously considering osCommerce instead. I can probably get it up in a day.
  10. Thanks verdicius. However, I'm still not clear on what happens with a persistent connection. At what point does it free its resources? It would have been better if they had the database server manage the connection pool instead....
  11. Reading the online manual about mysql_pconnect() and mysql_close(), I have a problem understanding how one can close a persistent connection. Does one even need to? Do most people use mysql_connect() or mysql_pconnect() (persistent)? The environment is just shared hosting with GoDaddy.... Also, the anomaly with the reference counter and close() is very bad. More info is mentioned in the comments of the mysql_close() documentation.
  12. What settings and browser did you use? For instance, in IE I had to specifically set it to reject all cookies and not just the zones (in fact I don't think the zones matter, but I did it anyhow). That is expensive at $250 per year. How easy is the integration process? I'm concerned I'd spend more time figuring out how to integrate and tweak the cart than actually just building it myself. Then again, it might have lots more features that I need but did not think of ahead of time.
  13. Ok, so it took a while for me to test this session cookie out and I apologize. Anyhow, the results are in and my browser rejected the session cookie. Testing procedure:
     1. Set all security zones on the browser to High on IE7 (yes, I like IE and no, I'm not a MS fanboy)
     2. Set the browser to reject all cookies
     3. Use the following code:
     filename: setsession.php
         <?php
         // start the session; this is where the session cookie is sent to the browser
         session_start();
         $_SESSION['session_exist'] = 'SESSION SET';
         echo '<a href="checksession.php">check session</a>';
         ?>
     filename: checksession.php
         <?php
         // resume the session; if the browser dropped the cookie this is a new, empty session
         session_start();
         if (isset($_SESSION['session_exist'])) {
             echo 'Session is SET: ' . $_SESSION['session_exist'];
         } else {
             echo 'Session is NOT set';
         }
         ?>
     Note that when I tested this on a server running locally on my computer it accepted the session cookie. However, when tested online with a server on the internet it rejected the session cookie. I'm not sure why it would accept the cookie on a local instance, although it shouldn't, even considering it is most likely from a trusted source. However, I haven't bothered to look into this. [attachment deleted by admin]
  14. I tested this a long time ago with ColdFusion and setting the browser to reject all cookies. At the time it never found the session. To solve this issue I had to set the session, redirect the page immediately afterward and then check if I could find the session data on the redirected page. If session data was not found, cookies were turned off.... I don't know if this has changed since then, since browsers do different things and implement non-standard things all the time. I will give it another whirl to see what happens and report back.
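The redirect-based check described in post 14 (set the session, redirect, see whether the data survives), written out in PHP as an added example; it is not code from the post or from any project the thread mentions. The file name `cookie-check.php`, the `?probe=1` query parameter and the `cookie_probe` marker are assumptions. The decision is kept in a plain function so the three outcomes are visible without a browser.

```php
<?php
// Added example, not from the original post: detect whether the browser keeps
// the session cookie. Request 1 starts a session, stores a marker and redirects
// to the same script with ?probe=1; request 2 checks whether the marker came
// back. If it did not, the browser dropped the Set-Cookie header.
declare(strict_types=1);

// Pure decision logic: which of the three states this request is in.
function cookieProbe(array $query, array $session): string
{
    if (!isset($query['probe'])) {
        return 'redirect';                                   // first visit: plant the marker
    }
    return isset($session['cookie_probe']) ? 'cookies-on' : 'cookies-off';
}

// Without this PHP may silently fall back to a session id in the URL and the
// test would report success even though no cookie was stored.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
session_start();

switch (cookieProbe($_GET, $_SESSION)) {
    case 'redirect':
        $_SESSION['cookie_probe'] = time();
        // strtok() drops any existing query string before appending ours.
        $self = strtok($_SERVER['REQUEST_URI'], '?');
        header('Location: ' . $self . '?probe=1', true, 302);
        exit;                                                // session data is written on exit
    case 'cookies-on':
        echo 'Session cookie accepted: server-side sessions will work for this visitor.';
        break;
    default:
        echo 'Session cookie rejected: this visitor cannot be tracked with server-side sessions.';
}
```

A visitor who lands in the `cookies-off` branch is the case post 19 worries about; passing the id in the URL instead makes it appear in referer headers, proxy logs and browser history, so the usual answer is to keep that visitor stateless rather than downgrade to a URL id.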
  15. I might not have been clear or specific enough in my language, so please excuse me. Unfortunately, English is not my mother tongue. Anyhow, I do understand that session data is different from session cookies. What I'm saying is that session data is tied to the session cookie. The first time a session is established between a browser and a server, the server sends a "session cookie" to the client browser that gets stored for the duration of the session. Upon each request of a web page from there on by the browser, the session cookie information is forwarded to the server. That is how the server recognizes the client browser. So without the user accepting that session cookie there is, as far as I know or can think of right now, no way for the server to track which request belongs to which session data. Cookies can also store all the data without storing information in sessions, in which case the data is transmitted to the server on every request. So in essence sessions and cookies accomplish the same thing with minimal difference yet much higher exposure to security risk.
  16. Session variables are almost no different from cookies, other than that the data/state you want to save is stored on the server as opposed to the client. In order for the server to identify what data/state belongs to whom on the internet, the server sends a cookie (even for a session) to keep track of it. So in essence, using session variables requires the user to accept cookies. So what I meant with "keeping track of" is essentially: how do I know which session is attached to which user surfing my pages unless cookies are accepted.... See the problem? I'm trying to figure out reasons for or against each choice. My needs are pretty simple, but I would like to give the site the opportunity to evolve with a little forethought. The cart is probably the most complicated task next to security. All of that said, I like the response I'm getting to this, although there seem to be many threads about shopping carts.
  17. Don't really know how to cache queries; does MySQL do this automatically or do I have to set up something different? Please help! I'm not as familiar with MySQL/PHP, but most databases I encounter can do stored procedures. In some languages you can also specify to cache the query; for ColdFusion that is with the cachedwithin attribute and for Java/JSP you can use PreparedStatements. Perhaps somebody else can shed some light on how to do this in PHP/MySQL. I'm sure they have an equivalent, or do some Google searches. Hope this helps...
  18. How do you recommend keeping track of users without cookies? Hidden input tags? Session IDs in URLs? I'm not sure I see how it is more secure that way.
  19. I finally decided to build my next site in PHP after a lengthy debate with other forum members about some of the shortcomings of PHP. That is for another discussion, but I came to the conclusion that it needs a lot of improvement, but has its advantages. I frequently run into PHP sites that need some work done, so I might as well learn it better. Anyhow, my new site will have a shopping cart and I was wondering the following:
     1. Which one? Commercial vs. custom made!
     2. If custom made, any suggestions for things to think about before coding? An example is what to do if browsers do not accept cookies.
     3. If a commercial shopping cart, any suggestions and why?
     4. Any suggestions on how to implement a shopping cart? Currently I'm thinking of either implementing it using session variables with a fallback session id in the URL, or hidden input tags. Using hidden input tags, of course, poses the problem of having to POST to the next page every time the user navigates to another page. That is a tricky problem. Is there an easier way to do this?
  20. I agree that the PHP documentation is an invaluable source. Without a resource like that I would not even bother to use the language. Looking at the source code is a nice option, but rarely would I want to, if ever. It is rarely efficient unless I'm hunting down a bug. I haven't seen these recommendations, but look forward to seeing them. Hopefully these are not just recommendations in the user comments, which frequently are outdated or just plain wrong, only to be corrected by someone else below. I must admit that I did not see that there were pages grouped like that. However, there was no indication on the php.net pages that things were grouped like that. It would have been preferable if they were grouped like packages in Java or header files like C/C++. However, I'm relieved to see that. On the other side, there is no way to look at a function and see that it belongs to a group of other functions, from my experience. For instance, debugging some PHP code I found a function print_r(). How in the heck am I supposed to know from the function name that it prints out variables in human readable form unless I read the documentation? How about print_var or something.... I agree that it is the programmer's responsibility to ensure correct type, but as we all know humans are not very good at ensuring anything. There is always some smartass moron that makes a lot of mistakes and will break this rule. On the other hand, not type checking also means that there is the risk that I myself make mistakes because I wasn't thinking clearly, was just tired or plain stupid that day. Type checking is a must! I'm more and more realizing that PHP seems to work with many technologies and seems to have a lot of features supporting different things like image creation etc... Because PHP is so versatile, it was used in ways not thought of at the time. This is an example of things that aren't thought out. One should not introduce new things into a language without thinking it through.
The introduction of shortcuts and further expanding the syntax can easily confuse programmers into doing incorrect things. For instance, a programmer might see it used in sample code and adopt it in an incorrect manner. To me, allowing <? ?> suggested that it was ok to use, and it never occurred to me that it might give me issues with XML. However, the gain is 4 characters that I don't have to type every now and then.... hardly seems worth introducing into the language. The syntax for arrays is weird in the sense that it allows array declarations as follows: $a = array ('a' => 'apple', 'b' => 'banana', 'c' => array ('x', 'y', 'z')); That is not a standard syntax, since it resembles a function array(), yet it has an operator resembling greater-than-or-equal but does not perform the same task. If memory serves me right, another one I remember seeing is where one can grab the keys and the values into two temporary variables for looping. The bottom line is I find PHP, almost like C++, not very well thought out. Although it does have its benefits that I more and more appreciate, I still find it needs a lot of improvement. Guess I have to live with it.
  21. Honestly, I do not have much experience with PHP or any of the IDEs, but I frequently use Dreamweaver 8 (as part of my job) and Eclipse with the phpEclipse plug-in (at home). I use Eclipse since I do a lot of development in Java and Eclipse is great for that. It also supports C/C++ and ColdFusion with plug-ins. Best of all, it is FREE and cross platform. I would like to see what others recommend, though...
  22. I must agree with KeeB, hands down option 1. A smart database will cache your query and it will only be costly the first time the query is called. In addition, you can store the field in a session. The cost should be negligible. Do not try to optimize the database with fancy tricks unless you know it will have a significant performance gain. Let the database do what it is intended to do. Optimize only if needed....
  23. In my experience, rarely do I have to rework any code when a major version upgrade occurs. I have coded in ColdFusion, JSP, C/C++, Java, ASM, VB and even some ASP. The only exception was when Java used the keyword enum to define enumerations. I had picked up this variable name from somebody else's code and had compatibility problems with JDK 1.5. However, the keyword enum apparently was reserved and I never noticed it. As I looked at it, it reminded me of an Apache configuration file and it might have evoked memories of configuring Apache. I still think it is long and most of it as of right now means nothing to me. The problem here is that a language should enforce good programming practices (i.e. Java) and if not should at least have implemented some idea of why those things make sense (i.e. C/C++). The problem with PHP so far is that it neither enforces good programming nor gives you an idea of why it is there. For instance, why allow <? ?> and then later realize that it has issues with XML files, or the weird array syntaxes. Unfortunately, it looks like I might have to live with PHP as it seems to be the dominant language for web scripting. Perhaps someone can point me to an article on good programming practices for PHP.
  24. Oddly enough, my ;always_populate_raw_post_data = On line is commented out in my php.ini residing in the C:\Windows folder, yet it works.
  25. You are a genius!!! The data is right there.... Thank you so much!!!