Destramic

Members
Posts: 960

Everything posted by Destramic

  1. My main concern was knowing whether the user is a client or an employee. Here is my database diagram; I think I'm on the right track here. A user has a specific role given to him/her, but can also be given additional permissions outside of the role. I'm able to detect whether the user is a client by his/her role (i.e. client), and the same with an employee (i.e. client_employee), and I also link the client's user_id to the employee's user account via the client_id in the users table.

     Regarding my concern about clients adding user accounts for employees and giving that employee specific permissions, I was thinking that the client role's permissions could be displayed on the employee registration form. That way the client can choose specifically which permissions that employee has, based on his own permissions? Thank you
  2. Could I get some help with this design please guys?
  3. I so overthought the whole process, and the answer was right in front of me! ...sorry Jacques. I can see clearly how this works now. Thank you for your time, patience and help
  4. OK, I think I may have made some progress here after a lot of hard thinking and determination... I read about MySQL's SHA2() and had a little play about with it:

         SELECT SHA2('abc', 256)
         > '936a185caaa266bb9cbe981e9e05cb78cd732b0b3280eb944412bb6f8f8f07af'

     I stored the hash in my hashed column and ran this:

         SELECT * FROM development.hash_test WHERE hashed = SHA2('abc', 256);

     which brings up the correct row... so I thought if I create an HMAC and save it in a row it should work also... but no. I used the following, and removed true from the raw parameter:

         public function seal(string $message)
         {
             // hex-encoded HMAC (raw parameter left at its default of false)
             $hmac = hash_hmac($this->algo, $message, $this->private_key);

             return $hmac;
         }

         $hmac = new HMAC($hmac_private_key, 'sha256');
         echo $seal = $hmac->seal('helloworld');

     which gave me a string like so:

         1b3e0c20a197aa3bd20460dedc81033cac47581e7d8e1c0ba18872a3c5bfc4de

     but it returns 0 rows when executing the following:

         SELECT * FROM development.hash_test WHERE hashed = SHA2('helloworld', 256);

     Please tell me I'm close to what I'm trying to achieve, and what it is I'm doing wrong? Thank you
  5. I'm finding it really hard to keep up, as most of this is going over my head... although I think I've made some progress after some reading. Also, the reason I base64 encode is so that it's easy to store in the DB as a blob. Here is what I've got as it stands, but I'm stuck now and I'm struggling to see how this is going to work.

         <?php
         class Encryption
         {
             private $private_key;

             public function __construct(string $private_key)
             {
                 // PECL libsodium 1.x extension; PHP >= 7.2 ships the same calls as sodium_* functions
                 if (!extension_loaded('libsodium')) {
                     throw new Exception('Encryption: PHP libsodium extension not loaded.');
                 }

                 $private_key = trim($private_key);

                 // a 32-byte key base64-encodes to 43 characters plus one '=' of padding
                 if (!preg_match('/^[a-z\d+\/]{43}=$/i', $private_key)) {
                     throw new Exception('Encryption: Unrecognized key.');
                 }

                 $this->private_key = base64_decode($private_key);
             }

             public function encrypt(string $data)
             {
                 // NPUBBYTES is 8 for this construction: a fresh 8-byte random nonce per message
                 $nonce = \Sodium\randombytes_buf(\Sodium\CRYPTO_AEAD_CHACHA20POLY1305_NPUBBYTES);
                 $ciphertext = \Sodium\crypto_aead_chacha20poly1305_encrypt(
                     $data,
                     '', // no associated data
                     $nonce,
                     $this->private_key
                 );

                 return base64_encode($nonce) . ':' . base64_encode($ciphertext);
             }

             public function decrypt(string $ciphertext)
             {
                 list($nonce, $ciphertext) = $this->parse_ciphertext($ciphertext);

                 $decrypted = \Sodium\crypto_aead_chacha20poly1305_decrypt(
                     $ciphertext,
                     '',
                     $nonce,
                     $this->private_key
                 );

                 // false means the authentication tag did not verify; compare strictly
                 if ($decrypted === false) {
                     throw new Exception('Encryption: Decryption Failed.');
                 }

                 return $decrypted;
             }

             private function parse_ciphertext(string $ciphertext)
             {
                 // 8-byte nonce = 11 base64 characters + '=', a colon, then the base64 ciphertext
                 if (!preg_match('/^[a-z\d+\/]{11}=:[a-z\d+\/]+={0,2}$/i', $ciphertext)) {
                     throw new Exception('Encryption: Unrecognized ciphertext.');
                 }

                 list($nonce, $ciphertext) = explode(':', $ciphertext, 2);

                 return array(base64_decode($nonce), base64_decode($ciphertext));
             }
         }

         class HMAC
         {
             private $private_key;
             private $algo;
             private $length;

             public function __construct(string $private_key, string $algo = 'sha512')
             {
                 $private_key = trim($private_key);

                 if (!preg_match('/^[a-z\d+\/]{43}=$/i', $private_key)) {
                     throw new Exception('HMAC: Unrecognized key.');
                 } else if (!in_array(strtolower($algo), hash_algos())) {
                     throw new Exception(sprintf('HMAC: Algo %s unsupported.', $algo));
                 }

                 // use the raw 32 key bytes, not a re-encoding of the base64 text
                 $this->private_key = base64_decode($private_key);
                 $this->algo = $algo;
                 // raw digest length in bytes, used to split the tag from the message in sign()
                 $this->length = strlen(hash($algo, '', true));
             }

             public function seal(string $message)
             {
                 // raw (binary) tag, prepended to the message
                 $hmac = hash_hmac($this->algo, $message, $this->private_key, true);

                 return base64_encode($hmac . $message);
             }

             public function sign(string $seal)
             {
                 if (!preg_match('/^[a-z\d+\/]+={0,2}$/i', $seal)) {
                     throw new Exception('HMAC: Unrecognized seal.');
                 }

                 $seal = base64_decode($seal);
                 $message = mb_substr($seal, $this->length, null, '8bit');
                 $seal = mb_substr($seal, 0, $this->length, '8bit');

                 $signed = hash_hmac($this->algo, $message, $this->private_key, true);

                 // constant-time comparison of the stored tag with the recomputed one
                 if (!hash_equals($seal, $signed)) {
                     throw new Exception('HMAC: Seal corrupted.');
                 }

                 return true;
             }
         }

         $hmac_private_key = 'ZZtJVgUu2fRz+c4o6QHj6v/mAqGAgyowlUxs3xoMHuw=';
         $encryption_private_key = 'qB2fZkseI4ccJ45Y1/VzoHARA6Sft6IVkeS4r2Z+YYM=';

         $encryption = new Encryption($encryption_private_key);
         $email_address = $encryption->encrypt('email@test.com');

         $hmac = new HMAC($hmac_private_key, 'sha256');
         echo $seal = $hmac->seal($email_address);
         var_dump($hmac->sign($seal));

     Could I get some more help on this please? Thank you
  6. Actually, my example isn't going to work... the email address is encrypted and placed inside the HMAC, but the seal will obviously be different every time... so there would be no way for me to compare. I'm completely lost here
  7. I'd suggest displaying errors. You should be using this code; put it at the top of your PHP while developing:

         ini_set('display_errors', 1);
         ini_set('display_startup_errors', 1);
         error_reporting(E_ALL);

     What errors are you getting?

     PS. Please use the code tags so your code is more visible
  8. Now that is smart... I wish I'd thought of it. I had a mess about with HMAC over the weekend, as I've decided to use it with the users' cookies... is what I made for HMAC more than suitable? Here is a working example:

         <?php
         class Encryption
         {
             private $private_key;

             public function __construct(string $private_key)
             {
                 // PECL libsodium 1.x extension; PHP >= 7.2 ships the same calls as sodium_* functions
                 if (!extension_loaded('libsodium')) {
                     throw new Exception('Encryption: PHP libsodium extension not loaded.');
                 }

                 $private_key = trim($private_key);

                 // a 32-byte key base64-encodes to 43 characters plus one '=' of padding
                 if (!preg_match('/^[a-z\d+\/]{43}=$/i', $private_key)) {
                     throw new Exception('Encryption: Unrecognized key.');
                 }

                 $this->private_key = base64_decode($private_key);
             }

             public function encrypt(string $data)
             {
                 // NPUBBYTES is 8 for this construction: a fresh 8-byte random nonce per message
                 $nonce = \Sodium\randombytes_buf(\Sodium\CRYPTO_AEAD_CHACHA20POLY1305_NPUBBYTES);
                 $ciphertext = \Sodium\crypto_aead_chacha20poly1305_encrypt(
                     $data,
                     '', // no associated data
                     $nonce,
                     $this->private_key
                 );

                 return base64_encode($nonce) . ':' . base64_encode($ciphertext);
             }

             public function decrypt(string $ciphertext)
             {
                 list($nonce, $ciphertext) = $this->parse_ciphertext($ciphertext);

                 $decrypted = \Sodium\crypto_aead_chacha20poly1305_decrypt(
                     $ciphertext,
                     '',
                     $nonce,
                     $this->private_key
                 );

                 // false means the authentication tag did not verify; compare strictly
                 if ($decrypted === false) {
                     throw new Exception('Encryption: Decryption Failed.');
                 }

                 return $decrypted;
             }

             private function parse_ciphertext(string $ciphertext)
             {
                 // 8-byte nonce = 11 base64 characters + '=', a colon, then the base64 ciphertext
                 if (!preg_match('/^[a-z\d+\/]{11}=:[a-z\d+\/]+={0,2}$/i', $ciphertext)) {
                     throw new Exception('Encryption: Unrecognized ciphertext.');
                 }

                 list($nonce, $ciphertext) = explode(':', $ciphertext, 2);

                 return array(base64_decode($nonce), base64_decode($ciphertext));
             }
         }

         class HMAC
         {
             private $private_key;
             private $algo;

             public function __construct(string $private_key, string $algo = 'sha512')
             {
                 $private_key = trim($private_key);

                 if (!preg_match('/^[a-z\d+\/]{43}=$/i', $private_key)) {
                     throw new Exception('HMAC: Unrecognized key.');
                 } else if (!in_array(strtolower($algo), hash_algos())) {
                     throw new Exception(sprintf('HMAC: Algo %s unsupported.', $algo));
                 }

                 $this->private_key = base64_decode($private_key);
                 $this->algo = $algo;
             }

             public function seal(string $message, string $public_key)
             {
                 // hex tag over the message only; $public_key is appended but not covered by the HMAC
                 $seal = base64_encode(hash_hmac($this->algo, $message, $this->private_key));

                 return base64_encode($message) . ':' . $seal . ':' . base64_encode($public_key);
             }

             public function sign(string $seal, string $public_key)
             {
                 // three base64 fields separated by colons: message, tag, public key
                 if (!preg_match('/^[a-z\d+\/]+={0,2}:[a-z\d+\/]+={0,2}:[a-z\d+\/]+={0,2}$/i', $seal)) {
                     throw new Exception('HMAC: Unrecognized seal.');
                 }

                 list($message, $seal, $key) = explode(':', $seal);
                 $message = base64_decode($message);

                 $signed = base64_encode(hash_hmac($this->algo, $message, $this->private_key));

                 // constant-time comparisons; == would also coerce numeric-looking strings
                 if (hash_equals($signed, $seal) && hash_equals($public_key, base64_decode($key))) {
                     return $message;
                 }

                 throw new Exception('HMAC: Seal corrupted.');
             }
         }

         $public_key = 'ZZtJVgUu2fRz+c4o6QHj6v/mAqGAgyowlUxs3xoMHuw=';
         $hmac_private_key = 'DxA58JcURnz891sVXowkF6VPyanis+GvwZXWcoxwE5M=';
         $encryption_private_key = 'qB2fZkseI4ccJ45Y1/VzoHARA6Sft6IVkeS4r2Z+YYM=';

         $encryption = new Encryption($encryption_private_key);
         $email_address = $encryption->encrypt('email@test.com');
         // q101ZtOPjW8=:b9vrNQFhpC5wWhfWDmzu2XcjBly234AASKU11AiM

         $hmac = new HMAC($hmac_private_key);
         $seal = $hmac->seal($email_address, $public_key);
         // TWZIaTVxdjdrd1E9OjRvNlE3b05UcFA5SVB1QkR4cEZTZGpUSElFMDd2ai9mRzhwYUd4VmE=:Nzk5NzhhMzgzYjQ0ODc0MjExNDcxMjg1OWVkMmNlY2EwMmE4ZDVlM2E3ZmM5NWJkZTFmZjMwMTkyOTZiOWNjZjZjMjk5NWQzOGJmZTE2MTRkMTAyMzg2NTZmYTg0OWQwYjBhNjAxYTZhYTg5YTI1ZTY2MWRiN2MzZDk4MzU3MTc=:Wlp0SlZnVXUyZlJ6K2M0bzZRSGo2di9tQXFHQWd5b3dsVXhzM3hvTUh1dz0=

         $email_address = $hmac->sign($seal, $public_key);
         // q101ZtOPjW8=:b9vrNQFhpC5wWhfWDmzu2XcjBly234AASKU11AiM

         echo $encryption->decrypt($email_address);
         // email@test.com

     Thank you Jacques for your patience and help on this matter
  9. Hey guys, I'm currently using libsodium to encrypt users' data which is stored in a database... my concern is, when a user registers an account on my website, I want to check that the email provided is not already registered to another account, but the problem is that the email address stored in the database is encrypted... so how do I check? I have previously been suggested to store the email as:

       - a separate HMAC
       - ECB mode
       - no encryption, as long as the e-mail addresses are kept away from the web frontend

     But even when using HMAC the email can easily be viewed; MySQL's ECB mode I've read so many bad things about regarding it having so many security issues etc.; and the email having no encryption could mean that if my database ever got attacked, it's all there in black and white. Here is my encryption class:

         <?php
         namespace Encryption;

         use Exception;

         class Encryption
         {
             private $private_key;

             public function __construct(string $private_key)
             {
                 // PECL libsodium 1.x extension; PHP >= 7.2 ships the same calls as sodium_* functions
                 if (!extension_loaded('libsodium')) {
                     throw new Exception('Encryption: PHP libsodium extension not loaded.');
                 }

                 $private_key = trim($private_key);

                 // a 32-byte key base64-encodes to 43 characters plus one '=' of padding
                 if (!preg_match('/^[a-z\d+\/]{43}=$/i', $private_key)) {
                     throw new Exception('Encryption: Unrecognized key.');
                 }

                 $this->private_key = base64_decode($private_key);
             }

             public function encrypt(string $data)
             {
                 // NPUBBYTES is 8 for this construction: a fresh 8-byte random nonce per message
                 $nonce = \Sodium\randombytes_buf(\Sodium\CRYPTO_AEAD_CHACHA20POLY1305_NPUBBYTES);
                 $ciphertext = \Sodium\crypto_aead_chacha20poly1305_encrypt(
                     $data,
                     '', // no associated data
                     $nonce,
                     $this->private_key
                 );

                 return base64_encode($nonce) . ':' . base64_encode($ciphertext);
             }

             public function decrypt(string $ciphertext)
             {
                 list($nonce, $ciphertext) = $this->parse_ciphertext($ciphertext);

                 $decrypted = \Sodium\crypto_aead_chacha20poly1305_decrypt(
                     $ciphertext,
                     '',
                     $nonce,
                     $this->private_key
                 );

                 // false means the tag did not verify; a strict check so a "0" plaintext is not rejected
                 if ($decrypted === false) {
                     throw new Exception('Encryption: Decryption Failed.');
                 }

                 return $decrypted;
             }

             private function parse_ciphertext(string $ciphertext)
             {
                 $ciphertext = trim($ciphertext);

                 // 8-byte nonce = 11 base64 characters + '=', a colon, then the base64 ciphertext
                 if (!preg_match('/^[a-z\d+\/]{11}=:[a-z\d+\/]+={0,2}$/i', $ciphertext)) {
                     throw new Exception('Encryption: Unrecognized ciphertext.');
                 }

                 list($nonce, $ciphertext) = explode(':', $ciphertext, 2);

                 return array(base64_decode($nonce), base64_decode($ciphertext));
             }
         }

     It just seems like I've taken one step forward in being secure, but two steps back when it comes to processing simple scripts such as verifying an email isn't registered, retrieving an account by email address, etc. I know the answer isn't going to be as simple as

         SELECT username FROM user WHERE email_address = 'whatever@gmail.com'

     but there must be a logical way to check an encrypted email address against a string. Any other thoughts on this please guys? Thank you for your time
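An added example, not code from these posts, that serves both post 4 (the SHA2() experiment) and post 9 (the question itself). The pattern is a "blind index": next to the ciphertext, store HMAC-SHA256 of the normalized address under a second, independent key, compute the same HMAC in PHP at registration and at lookup, and query on that column. MySQL's SHA2() is an unkeyed hash and cannot produce an HMAC, which is why the query in post 4 found nothing. The table, the column names and both keys are assumptions (the keys are throwaway test values), the database is an in-memory SQLite one so the script runs by itself, and the encryption uses the sodium_* functions bundled with PHP 7.2+ (the \Sodium\ names on this page are the PECL 1.x spelling of the same calls).

```php
<?php
// Added example (not from the original posts): an encrypted e-mail column plus a
// keyed "blind index" column, so registration can check for duplicates with an
// equality query instead of decrypting every row. Table/column names and both
// keys are assumptions; the keys are throwaway test values.

function email_normalize(string $email): string
{
    // Normalize before indexing, or Foo@Example.com and foo@example.com get
    // different index values and the duplicate check misses them.
    return strtolower(trim($email));
}

function email_index(string $email, string $index_key): string
{
    // Keyed HMAC computed in PHP. MySQL's SHA2() is an unkeyed hash, so a
    // WHERE column = SHA2(...) query can never match this value (post 4).
    return hash_hmac('sha256', email_normalize($email), $index_key);
}

function email_encrypt(string $email, string $enc_key): string
{
    // Same construction as the posted Encryption class, using the sodium_*
    // names bundled with PHP >= 7.2 (\Sodium\... is the PECL 1.x spelling).
    $nonce = random_bytes(SODIUM_CRYPTO_AEAD_CHACHA20POLY1305_NPUBBYTES);
    $ct    = sodium_crypto_aead_chacha20poly1305_encrypt($email, '', $nonce, $enc_key);
    return base64_encode($nonce) . ':' . base64_encode($ct);
}

function email_decrypt(string $stored, string $enc_key): string
{
    list($nonce, $ct) = array_map('base64_decode', explode(':', $stored, 2));
    $plain = sodium_crypto_aead_chacha20poly1305_decrypt($ct, '', $nonce, $enc_key);
    if ($plain === false) {
        throw new RuntimeException('decryption failed: wrong key or tampered ciphertext');
    }
    return $plain;
}

// Two independent 32-byte keys (test values). The index key is as sensitive as
// the plaintext: anyone holding it can test guessed addresses against the column.
$enc_key   = base64_decode('qB2fZkseI4ccJ45Y1/VzoHARA6Sft6IVkeS4r2Z+YYM=');
$index_key = base64_decode('ZZtJVgUu2fRz+c4o6QHj6v/mAqGAgyowlUxs3xoMHuw=');

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (
    user_id      INTEGER PRIMARY KEY,
    username     TEXT NOT NULL UNIQUE,
    email_cipher TEXT NOT NULL,
    email_index  TEXT NOT NULL UNIQUE
)');

$insert = $pdo->prepare(
    'INSERT INTO users (username, email_cipher, email_index) VALUES (?, ?, ?)'
);
$insert->execute([
    'alice',
    email_encrypt('alice@example.com', $enc_key),
    email_index(' Alice@Example.com', $index_key),
]);

// Registration check: query the index column, never decrypt-and-compare.
$lookup = $pdo->prepare('SELECT username, email_cipher FROM users WHERE email_index = ?');
$lookup->execute([email_index('alice@example.com', $index_key)]);
$row = $lookup->fetch(PDO::FETCH_ASSOC);

if ($row) {
    $plain = email_decrypt($row['email_cipher'], $enc_key);
    echo "already registered to {$row['username']} ({$plain})\n";
} else {
    echo "address available\n";
}

// The UNIQUE constraint closes the race between two simultaneous registrations.
try {
    $insert->execute([
        'alice2',
        email_encrypt('alice@example.com', $enc_key),
        email_index('ALICE@EXAMPLE.COM', $index_key),
    ]);
} catch (PDOException $e) {
    echo "duplicate rejected by the database\n";
}

// An unkeyed SHA-256 of the same string is a different value from the HMAC.
var_dump(hash('sha256', 'alice@example.com') === email_index('alice@example.com', $index_key));
```

The index key is as sensitive as the plaintext: whoever holds it can test candidate addresses against the column, so keep it separate from the encryption key and never hand it to the database server, which is also why the HMAC is computed in PHP rather than in SQL. The UNIQUE constraint on the index column is what actually prevents duplicates; the SELECT only gives the user a friendly message.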
  10. Use forward slashes instead of backslashes:

         D:/xampp/htdocs/xampp/kicken/.dirindex.php

     You want to check that the file exists and that the file is readable:

         // fail if either check fails (|| rather than &&, otherwise an unreadable file slips through)
         if (!file_exists($path) || !is_readable($path)) {
             die('Cannot access ' . $path);
         }

     You're using is_dir(), which is checking whether $path is a directory... which it isn't, so that is why you are seeing an error message
  11. Sorry Jacques, I didn't explain myself very well... yes, the username will be used as the user's identifier, but what I'm trying to get at here is that I don't really want people to create multiple accounts. This would be me checking for username availability as well as ensuring that the user isn't trying to register another account with the same email address... life would be so much simpler if encryptions were cross-compatible. I just don't see a simple way of checking this...
  12. I have no plans to go down the ECB mode route, or to use the email address as a login credential either; why go half-hearted with security? But sorry Jacques, you've lost me a little here. Are we talking about all new registrations being put into a separate table from the users, and a possible cron job running every hour or so doing a check, before actually creating a user and sending an activation token? Thank you
  13. Hey guys, I'm currently creating roles and permissions for my users, which look like this:

         users
         ------------------------
         user_id
         role_id
         ------------------------

         user_permissions
         ------------------------
         user_permission_id
         name
         ------------------------

         user_roles
         ------------------------
         user_role_id
         name
         ------------------------

         user_role_permissions
         ------------------------
         user_role_permission_id
         role_id
         permission_id
         ------------------------

     A role can be created and permissions are added to that role, giving the user access to certain pages. The problem I face is that my website has 4 types of users:

       - admin (me)
       - general public
       - clients
       - client employees

     All 4 will see different content. Here is my problem, and what I want to achieve: I want my clients to be able to add users (employees) which are linked to their account, as well as giving them certain permissions. For instance, if I had Walmart as a client, they'd have a client role... now, if they wanted to add a user (employee) linked to their account, what is the best way to do this? I could have 3 extra tables:

         clients
         ------------
         client_id
         user_id
         name
         ------------

         client_users
         ------------
         client_user_id
         client_id
         user_id
         ------------

         client_user_permissions
         ------------
         client_user_permission_id
         user_id
         permission_id
         ------------

     I link a client to a user account, and link a client user to a client and a user; also the client can pass over certain permissions via client_user_permissions. Any ideas on a design pattern would be appreciated, as I've never done anything like this when it comes to users creating users. Thank you
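An added example, not code from post 1 or post 13, for the delegation question raised in both: a client may give an employee only permissions that the client's own role holds, and the server has to enforce that, because listing only the client's permissions on the registration form (post 1) does nothing against an edited POST body. The tables follow the schema sketched above; the seed rows (Walmart as client user 10, its employee as user 11, four named permissions) are constructed, and the database is in-memory SQLite so the script runs by itself.

```php
<?php
// Added example, not from the original posts: server-side enforcement that a
// client can only delegate permissions its own role holds. Tables follow the
// schema in post 13; all seed data below is constructed for the demo.

function setup(PDO $pdo): void
{
    $pdo->exec('CREATE TABLE user_roles (user_role_id INTEGER PRIMARY KEY, name TEXT UNIQUE)');
    $pdo->exec('CREATE TABLE user_permissions (user_permission_id INTEGER PRIMARY KEY, name TEXT UNIQUE)');
    $pdo->exec('CREATE TABLE user_role_permissions (
        user_role_permission_id INTEGER PRIMARY KEY, role_id INTEGER, permission_id INTEGER)');
    $pdo->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, role_id INTEGER)');
    $pdo->exec('CREATE TABLE clients (client_id INTEGER PRIMARY KEY, user_id INTEGER, name TEXT)');
    $pdo->exec('CREATE TABLE client_users (client_user_id INTEGER PRIMARY KEY, client_id INTEGER, user_id INTEGER)');
    $pdo->exec('CREATE TABLE client_user_permissions (user_id INTEGER, permission_id INTEGER,
        PRIMARY KEY (user_id, permission_id))');

    // roles: 1 = admin, 2 = client, 3 = client_employee
    $pdo->exec("INSERT INTO user_roles VALUES (1,'admin'),(2,'client'),(3,'client_employee')");
    $pdo->exec("INSERT INTO user_permissions VALUES
        (1,'view_reports'),(2,'edit_orders'),(3,'manage_users'),(4,'site_admin')");
    // the client role holds 1,2,3; site_admin (4) belongs to admin only
    $pdo->exec("INSERT INTO user_role_permissions (role_id, permission_id) VALUES (2,1),(2,2),(2,3),(1,4)");
    // user 10 = Walmart's client account, user 11 = an employee Walmart is creating
    $pdo->exec("INSERT INTO users VALUES (10,2),(11,3)");
    $pdo->exec("INSERT INTO clients VALUES (1,10,'Walmart')");
    $pdo->exec("INSERT INTO client_users (client_id, user_id) VALUES (1,11)");
}

// Permissions granted by the client's own role: the most it may hand out.
function client_role_permissions(PDO $pdo, int $client_user_id): array
{
    $q = $pdo->prepare('SELECT rp.permission_id FROM users u
        JOIN user_role_permissions rp ON rp.role_id = u.role_id
        WHERE u.user_id = ?');
    $q->execute([$client_user_id]);
    return array_map('intval', $q->fetchAll(PDO::FETCH_COLUMN));
}

// Grant the employee only what the client itself holds. Reject the whole
// request rather than silently dropping extras, so a tampered form is visible.
function grant_employee_permissions(PDO $pdo, int $client_user_id, int $employee_user_id, array $requested): void
{
    // ownership check: the employee row must belong to this client, not just any client
    $owner = $pdo->prepare('SELECT 1 FROM clients c
        JOIN client_users cu ON cu.client_id = c.client_id
        WHERE c.user_id = ? AND cu.user_id = ?');
    $owner->execute([$client_user_id, $employee_user_id]);
    if (!$owner->fetchColumn()) {
        throw new RuntimeException('employee does not belong to this client');
    }

    $allowed = client_role_permissions($pdo, $client_user_id);
    $excess  = array_diff(array_map('intval', $requested), $allowed);
    if ($excess) {
        throw new RuntimeException('cannot delegate permission(s) ' . implode(',', $excess));
    }

    $ins = $pdo->prepare('INSERT INTO client_user_permissions (user_id, permission_id) VALUES (?, ?)');
    $pdo->beginTransaction();
    foreach ($requested as $pid) {
        $ins->execute([$employee_user_id, (int) $pid]);
    }
    $pdo->commit();
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
setup($pdo);

// The form only lists the client's own permissions, but the POST body can say anything.
grant_employee_permissions($pdo, 10, 11, [1, 2]);   // view_reports, edit_orders: within the client's role

try {
    grant_employee_permissions($pdo, 10, 11, [4]);  // site_admin smuggled into the POST body
} catch (RuntimeException $e) {
    echo 'rejected: ' . $e->getMessage() . "\n";
}

try {
    grant_employee_permissions($pdo, 10, 10, [1]);  // client trying to target a user it does not own
} catch (RuntimeException $e) {
    echo 'rejected: ' . $e->getMessage() . "\n";
}
```

The two checks are independent: the ownership join stops a client from assigning permissions to someone else's employee by changing the user id in the request, and the subset check stops privilege escalation through the permission ids. Both belong in the handler that writes client_user_permissions, not in the form.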
  14. benanamen has shown you perfectly what to do. Try this:

         <!DOCTYPE html>
         <html>
         <head>
             <title></title>
         </head>
         <body>
         <?php
         if ($_SERVER['REQUEST_METHOD'] == 'POST') {
             echo 'well done you have submitted the form';
         } else {
         ?>
             <form action="<?= htmlspecialchars($_SERVER['SCRIPT_NAME']) ?>" method="post">
                 <input type="text" name="name" />
                 <input type="submit" name="submit" value="submit" />
             </form>
         <?php } ?>
         </body>
         </html>
  15. 1. It's not a valid HTML document.

     2. Why echo HTML when there is no need?

         <div>
             <form id="form1" action="#" method="post">
                 <select name="room" id="room">
                 <?php
                 if (isset($displayed)) {
                     echo '<option selected>' . $displayed . '</option>';
                 }
                 $i = 0;
                 while ($i < count($rooms)) {
                     $room = $rooms[$i];
                     if ($room === $displayed) {
                         echo '';
                     } else {
                         echo '<option value="' . $room . '">' . $room . '</option>';
                     }
                     $i++;
                 }
                 ?>
                 </select>
                 <noscript><input type="submit" value="Submit"></noscript>
             </form>
         </div>

     3. I don't really understand your question; I can only guess you're looking for something like http://twig.sensiolabs.org/

     You could also put

         $(document).ready(function () {
             $('#room').change(function () {
                 $(this).parent('form').submit();
             });
         });

     into a .js file and include it as a script, like your jQuery.

         if ($room === $displayed) echo "";

     just seems unnecessary; something like this would make more sense:

         while ($i < count($rooms)) {
             $room = $rooms[$i];
             if ($room !== $displayed) {
                 echo '<option value="' . $room . '">' . $room . '</option>';
             }
             $i++;
         }

     And try to make your code presentable:

         <?php
         print_r($_POST);
         $rooms = array(1, 2, 3, 4);
         $displayed = 2;
         ?>
         <script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.js"></script>
         <script type="text/javascript">
         $(document).ready(function () {
             $('#room').change(function () {
                 $(this).parent('form').submit();
             });
         });
         </script>
         <div>
             <form id="form1" action="#" method="post">
                 <select name="room" id="room">
                 <?php
                 if (isset($displayed)) {
                     echo '<option selected>' . $displayed . '</option>';
                 }
                 $i = 0;
                 while ($i < count($rooms)) {
                     $room = $rooms[$i];
                     if ($room !== $displayed) {
                         echo '<option value="' . $room . '">' . $room . '</option>';
                     }
                     $i++;
                 }
                 ?>
                 </select>
                 <noscript><input type="submit" value="Submit"></noscript>
             </form>
         </div>
  16. I know this thread is answered now, but one thing did pop into my head which I have been meaning to ask. In the scenario that every email address is encrypted, how do you check that an email address isn't already registered with an account? The only method I can think of is to loop through all the email addresses, where they are decrypted and compared... just seems a bit long-winded and probably a bit heavy on CPU and memory, depending on user count (I will post a new thread if needed, sorry). Thank you
  17. Guess I won't be using an email address as a login credential. Thank you for great explanations
  18. I'd try to use PHPMailer instead of PHP's mail function. https://github.com/PHPMailer/PHPMailer Or why not allow the contact data to be inserted into a DB table? At least that way you know you're going to receive it
  19. I suppose you need to cover all angles... I'm just put off with the captcha for my site at the moment, as I believe it could scare people away. I do like the invisible field method though. @requinix, you mentioned waiting until bots become a problem... I just wonder how I would know that bots were registering on my site? Thank you
  20. Thank you for clearing that up... what also confused me in my thinking is that you see companies like Facebook, PayPal etc. using the email address as a username. Would you need to select all users, decrypt the email address and compare to select the row? Or would there be a simpler approach? Thank you
  21. Hey guys, I want to encrypt email addresses and passwords (after password_hash), but this then makes things very awkward when it comes to login... if you're asking a user to put in a username/email address and he provides an email address (which is encrypted in the DB)... how on earth do you get the user's row? The only answer I can think of is not to encrypt email addresses, but I'd say it's sensitive data and needs to be. Just a little boggled with this; if someone can please shine some light. Thank you.
  22. Of course they will see a hidden link... that's one of the bot's jobs, to search for hrefs... the bot will find it... and if it's a bad bot, it will try to open the link?
  23. It appears the bundle sent from Comodo was put together wrong. I had to put my domain cert with my intermediate certificates in order, and finally convert to .pem. Not going to lie, it was tough, but it worked. Thanks for the good advice requinix
  24. Hey guys, I'm getting an nginx error message when trying to use SSL on my server. I've added the following to my nginx config:

         ssl_certificate     ssl/domain.ca-bundle;
         ssl_certificate_key ssl/domain.key;

     domain.ca-bundle - my certificate bundle sent to me from Comodo
     domain.key - my private key generated with my RSA key

     I've searched the net, and I read that I need to remove the passphrase from the key:

         openssl rsa -in domain.key -out newkey.pem

     but that didn't work either. Any help would be appreciated, as I'm truly stuck now. Thank you
  25. Sorry requinix... a user registration form, for instance... a bad bot could fill out the form and insert numerous rows. This is my concern, as I have nothing in place yet to catch bad bots doing this. Is a bot capture as seen in the link above a good enough idea... or what is the best solution please? Thank you