Destramic
-
Posts
960 -
Joined
-
Last visited
Posts posted by Destramic
-
-
Could I get some help with this design please guys?
-
i so over thought the whole process and the answer was right infront of me!
...sorry jacques.i can see clearly how this works now
thank you for your time, patience and help
-
ok i think i may have made some progress here after a lot of hard thinking and detemination...
i read about mysql sha2() and had a little play about with it
SELECT SHA2('abc', 256) > '936a185caaa266bb9cbe981e9e05cb78cd732b0b3280eb944412bb6f8f8f07af'i stored the hash into my hashed column and ran this:
SELECT * FROM development.hash_test WHERE hashed = SHA2('abc', 256);which brings up the correct row....so i though if i create a hmac and save it in a row it should work also...but no
i used the following and turned removed true on the raw parameter
public function seal(string $message) { $hmac = hash_hmac( $this->algo, $message, $this->private_key ); return $hmac; } $hmac = new HMAC($hmac_private_key, 'sha256'); echo $seal = $hmac->seal('helloworld');which gave me a string like so:
1b3e0c20a197aa3bd20460dedc81033cac47581e7d8e1c0ba18872a3c5bfc4de
but it returns 0 rows when executing the following:
SELECT * FROM development.hash_test WHERE hashed = SHA2('helloworld', 256);please tell me i'm close to what i'm trying to achieve and what it is i'm doing wrong?
thank you
-
i'm finding it really hard to keep up as most of this is going over my head...although i think i've made some progress after some reading about...also the reason i base64 encode is so thats easy to store in db as a blob
here is what i got as it stands, but i'm stuck now and i'm strugging to see how this is going to work.
<?php class Encryption { private $private_key; public function __construct(string $private_key) { if (!extension_loaded('libsodium')) { throw new Exception('Encryption: PHP libsodium extension not loaded.'); } $private_key = trim($private_key); if (!preg_match('/^[a-z\d+\/]{43}=$/i', $private_key)) { throw new Exception('Encryption: Unrecognized key.'); } $this->private_key = base64_decode($private_key); } public function encrypt(string $data) { $nonce = \Sodium\randombytes_buf(\Sodium\CRYPTO_AEAD_CHACHA20POLY1305_NPUBBYTES); $ciphertext = \Sodium\crypto_aead_chacha20poly1305_encrypt( $data, null, $nonce, $this->private_key ); return base64_encode($nonce) . ':' . base64_encode($ciphertext); } public function decrypt(string $ciphertext) { $ciphertext = $this->parse_ciphertext($ciphertext); list($nonce, $ciphertext) = $ciphertext; $decrypted = \Sodium\crypto_aead_chacha20poly1305_decrypt( $ciphertext, null, $nonce, $this->private_key ); if ($decrypted === false) { throw new Exception('Encryption: Decryption Failed.'); } return $decrypted; } private function parse_ciphertext(string $ciphertext) { if (!preg_match('/^(?:[a-z\d+\/]{11}=)?:[a-z\d+\/]+)(=|==)?$/i', $ciphertext)) { throw new Exception('Encryption: Unrecognized ciphertext.'); } $ciphertext = explode(':', $ciphertext); return array( base64_decode($ciphertext[0]), base64_decode($ciphertext[1]) ); } } class HMAC { private $private_key; private $algo; public function __construct(string $private_key, string $algo = 'sha512') { $private_key = trim($private_key); if (!preg_match('/^[a-z\d+\/]{43}=$/i', $private_key)) { throw new Exception('Encryption: Unrecognized key.'); } else if (!in_array(strtolower($algo), hash_algos())) { throw new Exception(sprintf('HMAC: Algo %s unsupported.', $algo)); } $this->private_key = bin2hex($private_key); $this->algo = $algo; $this->length = strlen(hash($algo, null, true)); } public function seal(string $message) { $hmac = hash_hmac( $this->algo, $message, $this->private_key, true ); return base64_encode($hmac . $message); } public function sign(string $seal) { if (!preg_match('/^(?:[a-z\d+\/]+)(=|==)?$/i', $seal)) { throw new Exception('HMAC: Unrecognized seal.'); } $seal = base64_decode($seal); $message = mb_substr($seal, $this->length, null, '8bit'); $seal = mb_substr($seal, 0, $this->length, '8bit'); $signed = hash_hmac( $this->algo, $message, $this->private_key, true ); if (!hash_equals($seal, $signed)) { throw new Exception('HMAC: Seal corrupted.'); } return true; } } $hmac_private_key = 'ZZtJVgUu2fRz+c4o6QHj6v/mAqGAgyowlUxs3xoMHuw='; $encryption_private_key = 'qB2fZkseI4ccJ45Y1/VzoHARA6Sft6IVkeS4r2Z+YYM='; $encryption = new Encryption($encryption_private_key); $email_address = $encryption->encrypt('email@test.com'); $hmac = new HMAC($hmac_private_key, 'sha256'); echo $seal = $hmac->seal($email_address); var_dump($hmac->sign($seal));could i get some more help on this please?
thank you
-
actually my example isn't going to work...email address is encrypted and placed inside the hmac but the seal will obviously be different everytime...so there would be no way for me to compare.
i'm completely lost here
-
i'd suggest displaying errors
you should be using this code and put it at the top of you php while developing
ini_set('display_errors', 1); ini_set('display_startup_errors', 1); error_reporting(E_ALL);what errors are you getting?
ps. please use the code tags so your code is more visible
-
now that is smart...i wish i thought of it
i had a mess about with hmac over the weekend, as i've decided to use it with the users cookies...is what i made for hmac more than suitable?
here is a working example
<?php class Encryption { private $private_key; public function __construct(string $private_key) { if (!extension_loaded('libsodium')) { throw new Exception('Encryption: PHP libsodium extension not loaded.'); } $private_key = trim($private_key); if (!preg_match('/^[a-z\d+\/]{43}=$/i', $private_key)) { throw new Exception('Encryption: Unrecognized key.'); } $this->private_key = base64_decode($private_key); } public function encrypt(string $data) { $nonce = \Sodium\randombytes_buf(\Sodium\CRYPTO_AEAD_CHACHA20POLY1305_NPUBBYTES); $ciphertext = \Sodium\crypto_aead_chacha20poly1305_encrypt( $data, null, $nonce, $this->private_key ); return base64_encode($nonce) . ':' . base64_encode($ciphertext); } public function decrypt(string $ciphertext) { $ciphertext = $this->parse_ciphertext($ciphertext); list($nonce, $ciphertext) = $ciphertext; $decrypted = \Sodium\crypto_aead_chacha20poly1305_decrypt( $ciphertext, null, $nonce, $this->private_key ); if ($decrypted === false) { throw new Exception('Encryption: Decryption Failed.'); } return $decrypted; } private function parse_ciphertext(string $ciphertext) { if (!preg_match('/^(?:[a-z\d+\/]{11}=)?:[a-z\d+\/]+)(=|==)?$/i', $ciphertext)) { throw new Exception('Encryption: Unrecognized ciphertext.'); } $ciphertext = explode(':', $ciphertext); return array( base64_decode($ciphertext[0]), base64_decode($ciphertext[1]) ); } } class HMAC { private $private_key; private $algo; public function __construct(string $private_key, string $algo = 'sha512') { $private_key = trim($private_key); if (!preg_match('/^[a-z\d+\/]{43}=$/i', $private_key)) { throw new Exception('Encryption: Unrecognized key.'); } else if (!in_array(strtolower($algo), hash_algos())) { throw new Exception(sprintf('HMAC: Algo %s unsupported.', $algo)); } $this->private_key = base64_decode($private_key); $this->algo = $algo; } public function seal(string $message, string $public_key) { $seal = base64_encode(hash_hmac($this->algo, $message, $this->private_key)); return base64_encode($message) . ':'. $seal . ':' . base64_encode($public_key); } public function sign(string $seal, string $public_key) { if (!preg_match('/^((?:[a-z\d+\/]+)(=|==)?)?:[a-z\d+\/]+)(=|==)??:[a-z\d+\/]+)(=|==)?$/i', $seal)) { throw new Exception('HMAC: Unrecognized seal.'); } list($message, $seal, $key) = explode(':', $seal); $message = base64_decode($message); $signed = base64_encode(hash_hmac($this->algo, $message, $this->private_key)); if ($seal == $signed && base64_decode($key) == $public_key) { return $message; } throw new Exception('HMAC: Seal corrupted.'); } } $public_key = 'ZZtJVgUu2fRz+c4o6QHj6v/mAqGAgyowlUxs3xoMHuw='; $hmac_private_key = 'DxA58JcURnz891sVXowkF6VPyanis+GvwZXWcoxwE5M='; $encryption_private_key = 'qB2fZkseI4ccJ45Y1/VzoHARA6Sft6IVkeS4r2Z+YYM='; $encryption = new Encryption($encryption_private_key); $email_address = $encryption->encrypt('email@test.com'); // q101ZtOPjW8=:b9vrNQFhpC5wWhfWDmzu2XcjBly234AASKU11AiM $hmac = new HMAC($hmac_private_key); $seal = $hmac->seal($email_address, $public_key); // TWZIaTVxdjdrd1E9OjRvNlE3b05UcFA5SVB1QkR4cEZTZGpUSElFMDd2ai9mRzhwYUd4VmE=:Nzk5NzhhMzgzYjQ0ODc0MjExNDcxMjg1OWVkMmNlY2EwMmE4ZDVlM2E3ZmM5NWJkZTFmZjMwMTkyOTZiOWNjZjZjMjk5NWQzOGJmZTE2MTRkMTAyMzg2NTZmYTg0OWQwYjBhNjAxYTZhYTg5YTI1ZTY2MWRiN2MzZDk4MzU3MTc=:Wlp0SlZnVXUyZlJ6K2M0bzZRSGo2di9tQXFHQWd5b3dsVXhzM3hvTUh1dz0= $email_address = $hmac->sign($seal, $public_key); // q101ZtOPjW8=:b9vrNQFhpC5wWhfWDmzu2XcjBly234AASKU11AiM echo $encryption->decrypt($email_address); // email@test.comthank you jacques for your patience and help on this matter
-
hey guys im currently using libsodium to encrypt users data which is stored in a database...my concern is when a user registers an account on my website, i want to check that the email provided is not already registered to another account, but the problem is that the email address stored in the database is encrypted...so how do i check?
i have perviouslt been suggested to store the email as:
- a separate HMAC
- ECB mode
- no encryption as long as the e-mail addresses are kept away from the web frontend
but even when using HMAC the email can easily be viewed, MySQL's ECB mode i've read so many bad things about regarding it having so many security issue etc...and the email having no encrption could mean that if my database every got attacked its all there in black and white.
here is my encryption class:
<?php namespace Encryption; use Exception; class Encryption { private $private_key; public function __construct(sting $private_key) { if (!extension_loaded('libsodium')) { throw new Exception('Encryption: PHP libsodium extension not loaded.'); } $private_key = trim($private_key); if (!preg_match('/^[a-z\d+\/]{43}=$/i', $private_key)) { throw new Exception('Encryption: Unrecognized key.'); } $this->private_key = base64_decode($private_key); } public function encrypt(string $data) { $nonce = \Sodium\randombytes_buf(\Sodium\CRYPTO_AEAD_CHACHA20POLY1305_NPUBBYTES); $ciphertext = \Sodium\crypto_aead_chacha20poly1305_encrypt( $data, null, $nonce, $this->private_key ); return base64_encode($nonce) . ':' . base64_encode($ciphertext); } public function decrypt(string $ciphertext) { $ciphertext = $this->parse_ciphertext($ciphertext); list($nonce, $ciphertext) = $ciphertext; $decrypted = \Sodium\crypto_aead_chacha20poly1305_decrypt( $ciphertext, null, $nonce, $this->private_key ); if (!$decrypted) { throw new Exception('Encryption: Decryption Failed.'); } return $decrypted; } private function parse_ciphertext(string $ciphertext) { $ciphertext = trim($ciphertext); if (!preg_match('/^(?:[a-z\d+\/]{11}=)?:[a-z\d+\/]+)(=|==)?$/i', $ciphertext)) { throw new Exception('Encryption: Unrecognized ciphertext.'); } $ciphertext = explode(':', $ciphertext); return array( base64_decode($ciphertext[0]), base64_decode($ciphertext[1]) ); } }it just seems like i've taken one step forward in being secure, but taking 2 steps back when it comes to processing simple scripts such as verifying email isn't registered. retrieving account by email address etc.
i know the answer isn't going to be a simple as
SELECT username FROM user WHERE email_address = 'whatever@gmail.com'
but there must be a logical way to check encrypted email address with a string.
any other thoughts on this please guys?
thank you for your time
-
use forward slashes insead of backslashes
D:/xampp/htdocs/xampp/kicken/.dirindex.php
you want to check file exists and that the file is readable
if (!file_exists($path) && !is_readable($path)){ die('Cannot access '.$path); }you using is_dir() which is checking if the $path is a directory...which it isn't, so that is why you are seening an error message
-
sorry jacques i didn't explain myself very well...yes the username will be used as the users identifier, but what i'm trying to get at here is that i don't really want people to create multiple account.
this would be me checking for username availablity aswell as ensuring that the user isin't trying to register another account with the same email address...life would so much simpler if encryptions were cross compatiable
i just don't see a simple way of checking this...
-
i have no plans to go down the ECB mode route, or to use email address as a login credential either, why go half hearted with security
but sorry jacques you've lost me a little here
block all new registrations while the check is in progress
are we talking about all new registration beening put into a seperate table from the users? and a possible cron job running every hour or so doing a check? before actually creating a user and sending a activation token?
thank you
-
hey guys i'm currently creating role and permission for my users which looks like this:
users ------------------------ user_id role_id ------------------------ user_permissions ------------------------ user_permission_id name ------------------------ user_roles ------------------------ user_role_id name ------------------------ user_role_permissions ------------------------ user_role_permission_id role_id permission_id ------------------------
a role can be created and permissions are added to that role, giviing user access to certian pages.
the problem i face is that my website has 4 types of users
admin (me)
general public
clients
clients employees (client employees)
all 4 will see different content.
here is my problem and what i want to achieve is for my clients to be able to add users (employees) which are linked to thier account as well as giving them certian permission
for instance if i had Walmart as a client, they'd have a client role...now if they wanted to add a user (employees) linked to thier account what is the best way to do this?
i could have 3 extra tables
clients ------------ client_id user_id name ------------ client_users ------------ client_user_id client_id user_id ------------ client_user_premissions ------------ client_user_permissions user_id permission_id ------------
i link a client to a user account....and link a client user to a client and user
also the client can pass over certian permission via the client_user_permission
any ideas on design pattern would be appreciated as i've never done nothing like this when it comes to users creating users
thank you
-
benanamen has shown you perfectly what to do:
<?php if ($_SERVER['REQUEST_METHOD'] == 'POST'){ // process form } ?> <!DOCTYPE html> <html> <head> <title></title> </head> <body> <form action="<?= $_SERVER['SCRIPT_NAME'] ?>" method="post"> <!-- FORM HERE --> </form> </body> </html>try this
<!DOCTYPE html> <html> <head> <title></title> </head> <body> <?php if ($_SERVER['REQUEST_METHOD'] == 'POST'){ echo 'well done you have submitted the form'; } else { ?> <form action="<?= $_SERVER['SCRIPT_NAME'] ?>" method="post"> <input type="text" name="name" /> <input type="submit" name="submit" value="submit"/> </form> <?php } ?> </body> </html> -
1. its not a valid html document
2. why echo html when there is no need?
<div> <form id = 'form1' action='#' method='post' > <select name='room' id='room'> <?php if(isset($displayed)) echo "<option selected>".$displayed."</option>"; $i = 0; while($i < count($rooms)) { $room = $rooms[$i]; if($room === $displayed)echo ""; else echo "<option value = ".$room." > ".$room." </option>"; $i++; } ?> </select> <noscript><input type='submit' value='Submit'></noscript> </form> </div>3. i don't really understand you question, i can only guess your looking for something like http://twig.sensiolabs.org/
you could also put
$(document).ready(function(){ $('#room').change(function(){ $(this).parent('form').submit(); }); });into a .js file and include as a script like your jquery
if($room === $displayed)echo "";
just seems unnecessary
something like this would make more sence
while($i < count($rooms)) { $room = $rooms[$i]; if($room !== $displayed) echo "<option value = ".$room." > ".$room." </option>"; $i++; }and try and make your code presentable?
<?php print_r($_POST); $rooms = array(1, 2, 3, 4); $displayed = 2; ?> <script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.js"></script> <script type="text/javascript"> $(document).ready(function(){ $('#room').change(function(){ $(this).parent('form').submit(); }); }); </script> <div> <form id = 'form1' action='#' method='post' > <select name='room' id='room'> <?php if(isset($displayed)) echo "<option selected>".$displayed."</option>"; $i = 0; while($i < count($rooms)) { $room = $rooms[$i]; if($room !== $displayed) echo "<option value = ".$room." > ".$room." </option>"; $i++; } ?> </select> <noscript><input type='submit' value='Submit'></noscript> </form> </div> -
i know this thread is answered now, but one thing did pop into my head which i have been meaning to ask.
in the scenario that every email address is encrypted, how do you check that an email address isn't already registered with an account?
the only method i can think of is to loop all the email address, where they are decrypted and compared...just seems a bit long winded and probably a bit heavy on cpu and memory, depending on user count
(i will post a new thread if needed, sorry)
thank you
-
Guess I won't be using an email address as a login credential.
Thank you for great explanations
-
I'd try to use phpmailer instead of php's mail function.
https://github.com/PHPMailer/PHPMailer
Or why not allow the contact data to be inserted into a db table?...atleast that way you know your going to receive it
-
I suppose you need to cover all angles...im just put off with the catcha for my site at the moment as I believe it could scare people away.
I do like the invisible field method though.
@requinix you mentioned wait until bots become problem...just wonder how I would know that bots were registering on my site?
thank you
-
Thank you for clearing that up...what confused me also in my thinking is that you see companies like Facebook, PayPal etc using email address as a username.
Would you need to select all users, decrypt email address and compare to select row? Or would there be a simpler approach?
thank you
-
hey guys,
i want to encrypt email address and passwords (after password_hash) but this then makes things very awkward when it comes to login...if your asking a user to put username/email address and he provides an email address (which is encyrpted in db)...how on earth do get user's row?
the only answer i can think of is not to encrypt email address', but i'd say its sensitive data and needs to be
just a little boggled with this, if someone can please shine some light.
thank you.
-
Most spam bots are going to completely ignore the robots.txt file so they will never see your hidden link either.
ofcourse they will see a hidden link...thats one of the bots job to seach for href's...the bot will find it...and if bad bot he will try to open link?
-
Make sure the bundle has the certificates in the right order: nginx expects yours at the top and the rest of the chain after.
it appears the bundle sent from comodo was put together wrong.
i had to put my domain cert with my intermediate certificates in order and finally convert to .pem
not going to lie, it was tough
but it worked thanks for the good advise requinix
-
hey guys im getting an nginx error message when trying to use ssl on my server:
[emerg] 3108#6408: SSL_CTX_use_PrivateKey_file("C:\Users\Server\Desktop\host\myterms.co.uk\nginx/conf/ssl/myterms_co_uk.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)i've added the following to my nginx config:
ssl_certificate ssl/domain.ca-bundle; ssl_certificate_key ssl/domain.key;
domain.ca-bundle - my certificate bundle sent to me from comodo
domain.key - my private key generated with my RSA keyi've search the net, and i read that the i need to remove passphrase from key
openssl rsa -in domain.key -out newkey.pem
but that didnt work either
any help would be appreciated as i'm truly stuck now.
thank you -
sorry requinix...a user register form for instance...a bad bot could fill out form and insert numerous rows...this is my concern as i have nothing in place yet to capture bad bots doing this.
is a bot capture as seen in the link above a good enough idea...or what is the best solution please?
thank you
user adding users
in MySQL Help
Posted
my main concern was knowing if the user is a client or employee...here is my database diagram
i think im on the right track here...a user has a specific roles give to he/her but also able to give addition permissions out of the role.
i'm able to detect if the user is a client by his/her role (ie. client)...and the same with an employess (ie. client_employee) and also linking the client user_id to the emplyee user account via the client_id in the users table
regarding my concern of clients adding user accounts for employees, and giving that employee specific permissions, i was thinking that the client role permissions could be displayed on the employee register form...that way the client can choose specifically what permission that employee has based on his own permissions?
thank you