Destramic

Members
  • Posts

    954
  • Joined

  • Last visited

Everything posted by Destramic

  1. Thank you... first time I've seen that... also I've seen examples without the Content-Disposition inline header. I'll give it a whirl when I'm home and post my results. Thanks again
  2. Sorry, I couldn't edit the message above. Here are the correct headers etc. from my debug array:

         [17] => Content-Type: multipart/related; boundary="60a7083d603d0f8a9d35a0776030d8e5"
         [18] => This is a multi-part message in MIME format.
         [19] => --60a7083d603d0f8a9d35a0776030d8e5
         [20] => Content-Type: multipart/alternative; boundary="acabb8838a7d2b2a9ec0661d699c96bc"
         [21] => --acabb8838a7d2b2a9ec0661d699c96bc
         [22] => Content-Type: text/plain; charset="utf-8"
         [23] => Content-Transfer-Encoding: quoted-printable
         [24] => Content-Transfer-Encoding: 7bit
         [25] => plain email here
         [26] => --acabb8838a7d2b2a9ec0661d699c96bc
         [27] => Content-Type: text/html; charset="utf-8"
         [28] => Content-Transfer-Encoding: quoted-printable
         [29] => Content-Transfer-Encoding: 7bit
         [30] => <!DOCTYPE html> <head> <title>Account</title> </head> <body> <span>here is our logo</span> <img src="cid:logo" width="192" title="Logo" alt="Logo" > </body> </html>
         [31] => --acabb8838a7d2b2a9ec0661d699c96bc--
         [32] => --60a7083d603d0f8a9d35a0776030d8e5
         [33] => Content-Type: image/png; name="logo8.png"
         [34] => Content-Transfer-Encoding: base64
         [35] => Content-ID: <logo>
         [36] => X-Attachment-Id: logo
         [37] => Content-Disposition: inline; filename="logo8.png"
         [38] => iVBORw0KGgoAAAANSUhEUgAAArUAAAC7CAYAAAB7NWYYAAAACXBIWXMAAAsSAAALEgHS3X78AAA.....Zb0vX7fAAAAAElFTkSuQmCC
         [39] => --60a7083d603d0f8a9d35a0776030d8e5--
         [40] => Array ( [command] => . [response] => 250 Queued (0.192 seconds) )

  3. Hey guys, I'm having problems with Gmail showing inline images when sending an email from my server... for some strange reason it shows as an attachment, but works perfectly for Hotmail. Here is what I'm getting:

     (screenshots: Hotmail, Gmail)

     I can't find anything obvious about inline image problems with Gmail, so I wondered if any of you guys have come across this problem and what I could do to solve it. Here are my headers and boundaries set for the email:

         Content-Type: multipart/related; boundary="e3b811c438657c9d0f9ae45330038d29"
         This is a multi-part message in MIME format.
         --e3b811c438657c9d0f9ae45330038d29
         Content-Type: multipart/alternative; boundary="23d529da6bbc0c660362bf9a39c6b994"
         --23d529da6bbc0c660362bf9a39c6b994
         Content-Type: text/plain; charset="utf-8"
         Content-Transfer-Encoding: quoted-printable
         Content-Transfer-Encoding: 7bit
         plain email here
         --23d529da6bbc0c660362bf9a39c6b994
         Content-Type: text/html; charset="utf-8"
         Content-Transfer-Encoding: quoted-printable
         Content-Transfer-Encoding: 7bit
         <!DOCTYPE html> <head> <title>Account</title> </head> <body> <span>here is our logo</span> <img src="cid:logo" width="192" title="Logo" alt="Logo"> </body> </html>
         --23d529da6bbc0c660362bf9a39c6b994--
         Content-Type: image/png; name="logo8.png"
         Content-Transfer-Encoding: base64
         Content-ID: <logo>
         X-Attachment-Id: logo
         Content-Disposition: inline; filename="logo8.png"
         iVBORw0KGgoAAAANSUhEUgAAArUAA...AgFQ9AAAAUvUAAABI1QMAACD1AZpW uZb0vX7fAAAAAElFTkSuQmCC
         --e3b811c438657c9d0f9ae45330038d29--

     Any help would be great... thank you
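Posts 3 and 2 above differ in one structural detail: in post 3 the image headers follow the closing alternative boundary without an opening outer boundary, so the PNG is not a proper sibling part of the multipart/related container. The builder below is an added example (not code from the thread) that emits the nested structure with one Content-Transfer-Encoding header per part and the image introduced by the outer boundary; it uses only core PHP 7+, and the PNG bytes, Content-ID and addresses are constructed stand-ins.

```php
<?php
// Added example, not code from the thread: assemble a multipart/related message whose
// first part is a multipart/alternative (text + HTML) and whose second part is the
// inline PNG the HTML references via cid:. Needs only core PHP (7+); the PNG bytes,
// the Content-ID and the addresses below are constructed stand-ins.
declare(strict_types=1);

function buildInlineImageMail(string $plain, string $html, string $png, string $cid): array
{
    $outer = bin2hex(random_bytes(16)); // boundary of the multipart/related wrapper
    $inner = bin2hex(random_bytes(16)); // boundary of the nested multipart/alternative

    $headers = "MIME-Version: 1.0\r\n"
        . "Content-Type: multipart/related; boundary=\"$outer\"; type=\"multipart/alternative\"";

    $body  = "This is a multi-part message in MIME format.\r\n";
    $body .= "--$outer\r\n";                                        // related part 1: the bodies
    $body .= "Content-Type: multipart/alternative; boundary=\"$inner\"\r\n\r\n";
    $body .= "--$inner\r\n";
    $body .= "Content-Type: text/plain; charset=\"utf-8\"\r\n";
    $body .= "Content-Transfer-Encoding: quoted-printable\r\n\r\n";  // exactly one CTE header per part
    $body .= quoted_printable_encode($plain) . "\r\n";
    $body .= "--$inner\r\n";
    $body .= "Content-Type: text/html; charset=\"utf-8\"\r\n";
    $body .= "Content-Transfer-Encoding: quoted-printable\r\n\r\n";
    $body .= quoted_printable_encode($html) . "\r\n";
    $body .= "--$inner--\r\n";                                      // closes the alternative
    // Related part 2 is opened with the OUTER boundary. Without this delimiter the image
    // headers are not a separate part, and a client cannot resolve the cid: reference.
    $body .= "--$outer\r\n";
    $body .= "Content-Type: image/png; name=\"logo.png\"\r\n";
    $body .= "Content-Transfer-Encoding: base64\r\n";
    $body .= "Content-ID: <$cid>\r\n";                              // must match src="cid:..."
    $body .= "Content-Disposition: inline; filename=\"logo.png\"\r\n\r\n";
    $body .= chunk_split(base64_encode($png), 76, "\r\n");
    $body .= "--$outer--\r\n";

    return [$headers, $body];
}

// Constructed inputs: a PNG signature plus padding stands in for the real logo file.
$png  = "\x89PNG\r\n\x1a\n" . str_repeat("\0", 32);
$cid  = 'logo';
$html = '<!DOCTYPE html><html><head><title>Account</title></head><body>'
      . '<span>here is our logo</span><img src="cid:' . $cid . '" width="192" alt="Logo"></body></html>';

[$headers, $body] = buildInlineImageMail('plain email here', $html, $png, $cid);
echo $headers, "\r\n\r\n", $body;
// mail('user@example.invalid', 'Account', $body, $headers); // the same two strings go to mail()
```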
  4. OK, thank you. I made the changes that you said. Could you elaborate on this a little please, Jacques? Thank you for your help
  5. The reason I have the extra user_permissions table was so that I was able to give extra permissions outside of the given role... but after thinking on what you said I deleted the table... in fact I'm going to roll with all your suggestions. Note I changed names on some tables to make more sense. Here is how I'm getting my permissions:

         -- inner joins plus a WHERE clause: with LEFT JOINs and the user filter in the last
         -- ON clause the query keeps every row of permissions, i.e. returns all permissions
         SELECT p.permission
         FROM permissions p
         INNER JOIN role_permission_mappings rpm ON rpm.permission_id = p.permission_id
         INNER JOIN roles r ON r.role_id = rpm.role_id
         INNER JOIN user_role_mappings urm ON urm.role_id = r.role_id
         WHERE urm.user_id = 3

     and my roles:

         SELECT role
         FROM roles r
         LEFT JOIN user_role_mappings urm ON urm.role_id = r.role_id
         WHERE urm.user_id = 3

     Say when checking if a user has permission to edit news, is checking the permission for edit_news enough? Or should I be checking if the user is admin too?

         if ($user->has_role('admin') && $user->has_permission_to('edit news')) {
             // yes!
         }

     vs

         if ($user->has_permission_to('edit news')) {
             // yes!
         }

     Thank you for your help
  6. My main concern was knowing if the user is a client or an employee... here is my database diagram. I think I'm on the right track here... a user has specific roles given to him/her but can also be given additional permissions outside of the role. I'm able to detect if the user is a client by his/her role (i.e. client)... and the same with an employee (i.e. client_employee), and also linking the client user_id to the employee user account via the client_id in the users table. Regarding my concern of clients adding user accounts for employees, and giving that employee specific permissions, I was thinking that the client role permissions could be displayed on the employee register form... that way the client can choose specifically what permissions that employee has based on his own permissions? Thank you
  7. Could I get some help with this design please guys?
  8. I so overthought the whole process and the answer was right in front of me! ... sorry Jacques. I can see clearly how this works now. Thank you for your time, patience and help
  9. OK, I think I may have made some progress here after a lot of hard thinking and determination... I read about MySQL SHA2() and had a little play about with it:

         SELECT SHA2('abc', 256)
         > '936a185caaa266bb9cbe981e9e05cb78cd732b0b3280eb944412bb6f8f8f07af'

     I stored the hash into my hashed column and ran this:

         SELECT * FROM development.hash_test WHERE hashed = SHA2('abc', 256);

     which brings up the correct row... so I thought if I create an HMAC and save it in a row it should work also... but no. I used the following and removed true from the raw parameter:

         public function seal(string $message)
         {
             $hmac = hash_hmac($this->algo, $message, $this->private_key);

             return $hmac;
         }

         $hmac = new HMAC($hmac_private_key, 'sha256');
         echo $seal = $hmac->seal('helloworld');

     which gave me a string like so:

         1b3e0c20a197aa3bd20460dedc81033cac47581e7d8e1c0ba18872a3c5bfc4de

     but it returns 0 rows when executing the following:

         SELECT * FROM development.hash_test WHERE hashed = SHA2('helloworld', 256);

     Please tell me I'm close to what I'm trying to achieve, and what it is I'm doing wrong? Thank you
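Posts 9 and 11 above run into the two halves of the same problem: SHA2('helloworld', 256) is an unkeyed hash, so it can never equal hash_hmac() over the same text with a key, and an AEAD ciphertext with a random nonce is different on every call, so it can never be compared either. The added example below (my code, not from the thread) stores the libsodium ciphertext next to a deterministic keyed HMAC of the normalised address and looks the address up through that index. It assumes PHP >= 7.2 with the bundled sodium extension (the sodium_* functions rather than the PECL \Sodium\ namespace used in the thread); the class name EmailVault, the keys and the in-memory rows are all constructed for the example.

```php
<?php
// Added example, not code from the thread. A random nonce makes the ciphertext of the
// same address differ on every call, so it cannot be compared; a keyed HMAC "blind
// index" stored next to it is deterministic and is what the lookup compares.
// Assumes PHP >= 7.2 with the bundled sodium extension; keys and rows are constructed.
declare(strict_types=1);

final class EmailVault
{
    private $encKey;   // 32 raw bytes for XChaCha20-Poly1305
    private $indexKey; // separate key for the index; never reuse the encryption key

    public function __construct(string $encKey, string $indexKey)
    {
        if (strlen($encKey) !== SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_KEYBYTES) {
            throw new InvalidArgumentException('encryption key must be 32 bytes');
        }
        $this->encKey = $encKey;
        $this->indexKey = $indexKey;
    }

    // Normalise first so "Email@Test.com" and "email@test.com" yield the same index.
    public function blindIndex(string $email): string
    {
        return hash_hmac('sha256', strtolower(trim($email)), $this->indexKey);
    }

    // Stored as base64(nonce || ciphertext); a fresh 24-byte nonce on every call.
    public function encrypt(string $email): string
    {
        $nonce = random_bytes(SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES);
        $ct = sodium_crypto_aead_xchacha20poly1305_ietf_encrypt($email, '', $nonce, $this->encKey);
        return base64_encode($nonce . $ct);
    }

    public function decrypt(string $stored): string
    {
        $n = SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES;
        $raw = base64_decode($stored, true);
        if ($raw === false || strlen($raw) <= $n) {
            throw new RuntimeException('malformed ciphertext');
        }
        $pt = sodium_crypto_aead_xchacha20poly1305_ietf_decrypt(
            substr($raw, $n), '', substr($raw, 0, $n), $this->encKey);
        if ($pt === false) {
            throw new RuntimeException('decryption failed (wrong key or tampered data)');
        }
        return $pt;
    }
}

$vault = new EmailVault(random_bytes(32), random_bytes(32));

// Constructed stand-in for the users table: each row keeps ciphertext plus blind index.
$users = [[
    'email_enc'   => $vault->encrypt('Email@Test.com'),
    'email_index' => $vault->blindIndex('Email@Test.com'),
]];

// Registration check, the equivalent of SELECT 1 FROM users WHERE email_index = ?
$candidate = 'email@test.com';
$taken = false;
foreach ($users as $row) {
    if (hash_equals($row['email_index'], $vault->blindIndex($candidate))) {
        $taken = true; // same address (different case), same index
    }
}
var_dump($taken);
var_dump($vault->encrypt($candidate) === $users[0]['email_enc']); // fresh nonce: never equal
echo $vault->decrypt($users[0]['email_enc']), "\n";
```

The index reveals only that two rows hold the same address, and only to someone who also holds the index key, so keep that key out of the database alongside the encryption key.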
  10. I'm finding it really hard to keep up as most of this is going over my head... although I think I've made some progress after some reading about... also the reason I base64 encode is so that it's easy to store in the DB as a blob. Here is what I've got as it stands, but I'm stuck now and I'm struggling to see how this is going to work.

          <?php
          class Encryption
          {
              private $private_key;

              public function __construct(string $private_key)
              {
                  if (!extension_loaded('libsodium')) {
                      throw new Exception('Encryption: PHP libsodium extension not loaded.');
                  }

                  $private_key = trim($private_key);

                  if (!preg_match('/^[a-z\d+\/]{43}=$/i', $private_key)) {
                      throw new Exception('Encryption: Unrecognized key.');
                  }

                  $this->private_key = base64_decode($private_key);
              }

              public function encrypt(string $data)
              {
                  $nonce = \Sodium\randombytes_buf(\Sodium\CRYPTO_AEAD_CHACHA20POLY1305_NPUBBYTES);
                  $ciphertext = \Sodium\crypto_aead_chacha20poly1305_encrypt(
                      $data,
                      null,
                      $nonce,
                      $this->private_key
                  );

                  return base64_encode($nonce) . ':' . base64_encode($ciphertext);
              }

              public function decrypt(string $ciphertext)
              {
                  $ciphertext = $this->parse_ciphertext($ciphertext);
                  list($nonce, $ciphertext) = $ciphertext;

                  $decrypted = \Sodium\crypto_aead_chacha20poly1305_decrypt(
                      $ciphertext,
                      null,
                      $nonce,
                      $this->private_key
                  );

                  if ($decrypted === false) {
                      throw new Exception('Encryption: Decryption Failed.');
                  }

                  return $decrypted;
              }

              private function parse_ciphertext(string $ciphertext)
              {
                  // base64 nonce (8 bytes => 11 chars + '=') ':' base64 ciphertext
                  if (!preg_match('/^[a-z\d+\/]{11}=:[a-z\d+\/]+={0,2}$/i', $ciphertext)) {
                      throw new Exception('Encryption: Unrecognized ciphertext.');
                  }

                  $ciphertext = explode(':', $ciphertext);

                  return array(
                      base64_decode($ciphertext[0]),
                      base64_decode($ciphertext[1])
                  );
              }
          }

          class HMAC
          {
              private $private_key;
              private $algo;
              private $length;

              public function __construct(string $private_key, string $algo = 'sha512')
              {
                  $private_key = trim($private_key);

                  if (!preg_match('/^[a-z\d+\/]{43}=$/i', $private_key)) {
                      throw new Exception('Encryption: Unrecognized key.');
                  } else if (!in_array(strtolower($algo), hash_algos())) {
                      throw new Exception(sprintf('HMAC: Algo %s unsupported.', $algo));
                  }

                  // use the raw key bytes, not bin2hex() of the base64 text
                  $this->private_key = base64_decode($private_key);
                  $this->algo = $algo;
                  $this->length = strlen(hash($algo, '', true)); // digest size in bytes
              }

              public function seal(string $message)
              {
                  $hmac = hash_hmac(
                      $this->algo,
                      $message,
                      $this->private_key,
                      true
                  );

                  return base64_encode($hmac . $message);
              }

              public function sign(string $seal)
              {
                  if (!preg_match('/^[a-z\d+\/]+={0,2}$/i', $seal)) {
                      throw new Exception('HMAC: Unrecognized seal.');
                  }

                  $seal = base64_decode($seal);
                  $message = mb_substr($seal, $this->length, null, '8bit');
                  $seal = mb_substr($seal, 0, $this->length, '8bit');

                  $signed = hash_hmac(
                      $this->algo,
                      $message,
                      $this->private_key,
                      true
                  );

                  if (!hash_equals($seal, $signed)) {
                      throw new Exception('HMAC: Seal corrupted.');
                  }

                  return true;
              }
          }

          $hmac_private_key = 'ZZtJVgUu2fRz+c4o6QHj6v/mAqGAgyowlUxs3xoMHuw=';
          $encryption_private_key = 'qB2fZkseI4ccJ45Y1/VzoHARA6Sft6IVkeS4r2Z+YYM=';

          $encryption = new Encryption($encryption_private_key);
          $email_address = $encryption->encrypt('email@test.com');

          $hmac = new HMAC($hmac_private_key, 'sha256');
          echo $seal = $hmac->seal($email_address);
          var_dump($hmac->sign($seal));

      Could I get some more help on this please? Thank you
  11. Actually my example isn't going to work... the email address is encrypted and placed inside the HMAC, but the seal will obviously be different every time... so there would be no way for me to compare. I'm completely lost here
  12. I'd suggest displaying errors. You should be using this code; put it at the top of your PHP while developing:

          ini_set('display_errors', 1);
          ini_set('display_startup_errors', 1);
          error_reporting(E_ALL);

      What errors are you getting? PS. Please use the code tags so your code is more visible
  13. Now that is smart... I wish I'd thought of it. I had a mess about with HMAC over the weekend, as I've decided to use it with the users' cookies... is what I made for HMAC more than suitable? Here is a working example:

          <?php
          class Encryption
          {
              private $private_key;

              public function __construct(string $private_key)
              {
                  if (!extension_loaded('libsodium')) {
                      throw new Exception('Encryption: PHP libsodium extension not loaded.');
                  }

                  $private_key = trim($private_key);

                  if (!preg_match('/^[a-z\d+\/]{43}=$/i', $private_key)) {
                      throw new Exception('Encryption: Unrecognized key.');
                  }

                  $this->private_key = base64_decode($private_key);
              }

              public function encrypt(string $data)
              {
                  $nonce = \Sodium\randombytes_buf(\Sodium\CRYPTO_AEAD_CHACHA20POLY1305_NPUBBYTES);
                  $ciphertext = \Sodium\crypto_aead_chacha20poly1305_encrypt(
                      $data,
                      null,
                      $nonce,
                      $this->private_key
                  );

                  return base64_encode($nonce) . ':' . base64_encode($ciphertext);
              }

              public function decrypt(string $ciphertext)
              {
                  $ciphertext = $this->parse_ciphertext($ciphertext);
                  list($nonce, $ciphertext) = $ciphertext;

                  $decrypted = \Sodium\crypto_aead_chacha20poly1305_decrypt(
                      $ciphertext,
                      null,
                      $nonce,
                      $this->private_key
                  );

                  if ($decrypted === false) {
                      throw new Exception('Encryption: Decryption Failed.');
                  }

                  return $decrypted;
              }

              private function parse_ciphertext(string $ciphertext)
              {
                  // base64 nonce (8 bytes => 11 chars + '=') ':' base64 ciphertext
                  if (!preg_match('/^[a-z\d+\/]{11}=:[a-z\d+\/]+={0,2}$/i', $ciphertext)) {
                      throw new Exception('Encryption: Unrecognized ciphertext.');
                  }

                  $ciphertext = explode(':', $ciphertext);

                  return array(
                      base64_decode($ciphertext[0]),
                      base64_decode($ciphertext[1])
                  );
              }
          }

          class HMAC
          {
              private $private_key;
              private $algo;

              public function __construct(string $private_key, string $algo = 'sha512')
              {
                  $private_key = trim($private_key);

                  if (!preg_match('/^[a-z\d+\/]{43}=$/i', $private_key)) {
                      throw new Exception('Encryption: Unrecognized key.');
                  } else if (!in_array(strtolower($algo), hash_algos())) {
                      throw new Exception(sprintf('HMAC: Algo %s unsupported.', $algo));
                  }

                  $this->private_key = base64_decode($private_key);
                  $this->algo = $algo;
              }

              public function seal(string $message, string $public_key)
              {
                  $seal = base64_encode(hash_hmac($this->algo, $message, $this->private_key));

                  return base64_encode($message) . ':' . $seal . ':' . base64_encode($public_key);
              }

              public function sign(string $seal, string $public_key)
              {
                  // base64(message) ':' base64(hmac) ':' base64(public key)
                  if (!preg_match('/^[a-z\d+\/]+={0,2}:[a-z\d+\/]+={0,2}:[a-z\d+\/]+={0,2}$/i', $seal)) {
                      throw new Exception('HMAC: Unrecognized seal.');
                  }

                  list($message, $seal, $key) = explode(':', $seal);
                  $message = base64_decode($message);
                  $signed = base64_encode(hash_hmac($this->algo, $message, $this->private_key));

                  // constant-time comparisons instead of ==
                  if (hash_equals($signed, $seal) && hash_equals($public_key, base64_decode($key))) {
                      return $message;
                  }

                  throw new Exception('HMAC: Seal corrupted.');
              }
          }

          $public_key = 'ZZtJVgUu2fRz+c4o6QHj6v/mAqGAgyowlUxs3xoMHuw=';
          $hmac_private_key = 'DxA58JcURnz891sVXowkF6VPyanis+GvwZXWcoxwE5M=';
          $encryption_private_key = 'qB2fZkseI4ccJ45Y1/VzoHARA6Sft6IVkeS4r2Z+YYM=';

          $encryption = new Encryption($encryption_private_key);
          $email_address = $encryption->encrypt('email@test.com');
          // q101ZtOPjW8=:b9vrNQFhpC5wWhfWDmzu2XcjBly234AASKU11AiM

          $hmac = new HMAC($hmac_private_key);
          $seal = $hmac->seal($email_address, $public_key);
          // TWZIaTVxdjdrd1E9OjRvNlE3b05UcFA5SVB1QkR4cEZTZGpUSElFMDd2ai9mRzhwYUd4VmE=:Nzk5NzhhMzgzYjQ0ODc0MjExNDcxMjg1OWVkMmNlY2EwMmE4ZDVlM2E3ZmM5NWJkZTFmZjMwMTkyOTZiOWNjZjZjMjk5NWQzOGJmZTE2MTRkMTAyMzg2NTZmYTg0OWQwYjBhNjAxYTZhYTg5YTI1ZTY2MWRiN2MzZDk4MzU3MTc=:Wlp0SlZnVXUyZlJ6K2M0bzZRSGo2di9tQXFHQWd5b3dsVXhzM3hvTUh1dz0=

          $email_address = $hmac->sign($seal, $public_key);
          // q101ZtOPjW8=:b9vrNQFhpC5wWhfWDmzu2XcjBly234AASKU11AiM

          echo $encryption->decrypt($email_address);
          // email@test.com

      Thank you Jacques for your patience and help on this matter
  14. Hey guys, I'm currently using libsodium to encrypt users' data which is stored in a database... my concern is when a user registers an account on my website, I want to check that the email provided is not already registered to another account, but the problem is that the email address stored in the database is encrypted... so how do I check? I have previously been suggested to store the email as:

      - a separate HMAC
      - ECB mode
      - no encryption, as long as the e-mail addresses are kept away from the web frontend

      But even when using HMAC the email can easily be viewed; MySQL's ECB mode I've read so many bad things about regarding it having so many security issues etc.; and the email having no encryption could mean that if my database ever got attacked it's all there in black and white. Here is my encryption class:

          <?php
          namespace Encryption;

          use Exception;

          class Encryption
          {
              private $private_key;

              public function __construct(string $private_key)
              {
                  if (!extension_loaded('libsodium')) {
                      throw new Exception('Encryption: PHP libsodium extension not loaded.');
                  }

                  $private_key = trim($private_key);

                  if (!preg_match('/^[a-z\d+\/]{43}=$/i', $private_key)) {
                      throw new Exception('Encryption: Unrecognized key.');
                  }

                  $this->private_key = base64_decode($private_key);
              }

              public function encrypt(string $data)
              {
                  $nonce = \Sodium\randombytes_buf(\Sodium\CRYPTO_AEAD_CHACHA20POLY1305_NPUBBYTES);
                  $ciphertext = \Sodium\crypto_aead_chacha20poly1305_encrypt(
                      $data,
                      null,
                      $nonce,
                      $this->private_key
                  );

                  return base64_encode($nonce) . ':' . base64_encode($ciphertext);
              }

              public function decrypt(string $ciphertext)
              {
                  $ciphertext = $this->parse_ciphertext($ciphertext);
                  list($nonce, $ciphertext) = $ciphertext;

                  $decrypted = \Sodium\crypto_aead_chacha20poly1305_decrypt(
                      $ciphertext,
                      null,
                      $nonce,
                      $this->private_key
                  );

                  // strict check: a falsy plaintext such as "0" is still a successful decryption
                  if ($decrypted === false) {
                      throw new Exception('Encryption: Decryption Failed.');
                  }

                  return $decrypted;
              }

              private function parse_ciphertext(string $ciphertext)
              {
                  $ciphertext = trim($ciphertext);

                  // base64 nonce (8 bytes => 11 chars + '=') ':' base64 ciphertext
                  if (!preg_match('/^[a-z\d+\/]{11}=:[a-z\d+\/]+={0,2}$/i', $ciphertext)) {
                      throw new Exception('Encryption: Unrecognized ciphertext.');
                  }

                  $ciphertext = explode(':', $ciphertext);

                  return array(
                      base64_decode($ciphertext[0]),
                      base64_decode($ciphertext[1])
                  );
              }
          }

      It just seems like I've taken one step forward in being secure, but two steps back when it comes to processing simple scripts such as verifying an email isn't registered, retrieving an account by email address etc. I know the answer isn't going to be as simple as

          SELECT username FROM user WHERE email_address = 'whatever@gmail.com'

      but there must be a logical way to check an encrypted email address against a string. Any other thoughts on this please guys? Thank you for your time
  15. Use forward slashes instead of backslashes:

          D:/xampp/htdocs/xampp/kicken/.dirindex.php

      You want to check that the file exists and that the file is readable:

          // || not &&: bail out if either check fails
          if (!file_exists($path) || !is_readable($path)) {
              die('Cannot access ' . $path);
          }

      You're using is_dir(), which checks if $path is a directory... which it isn't, so that is why you are seeing an error message
  16. Sorry Jacques, I didn't explain myself very well... yes, the username will be used as the user's identifier, but what I'm trying to get at here is that I don't really want people to create multiple accounts. This would be me checking for username availability as well as ensuring that the user isn't trying to register another account with the same email address... life would be so much simpler if encryptions were cross-compatible. I just don't see a simple way of checking this...
  17. I have no plans to go down the ECB mode route, or to use the email address as a login credential either; why go half-hearted with security? But sorry Jacques, you've lost me a little here. Are we talking about all new registrations being put into a separate table from the users? And a possible cron job running every hour or so doing a check, before actually creating a user and sending an activation token? Thank you
  18. Hey guys, I'm currently creating roles and permissions for my users, which looks like this:

          users
          ------------------------
          user_id
          role_id
          ------------------------

          user_permissions
          ------------------------
          user_permission_id
          name
          ------------------------

          user_roles
          ------------------------
          user_role_id
          name
          ------------------------

          user_role_permissions
          ------------------------
          user_role_permission_id
          role_id
          permission_id
          ------------------------

      A role can be created and permissions are added to that role, giving the user access to certain pages. The problem I face is that my website has 4 types of users:

          admin (me)
          general public
          clients
          clients' employees (client employees)

      All 4 will see different content. Here is my problem and what I want to achieve: for my clients to be able to add users (employees) which are linked to their account, as well as giving them certain permissions. For instance if I had Walmart as a client, they'd have a client role... now if they wanted to add a user (employee) linked to their account, what is the best way to do this? I could have 3 extra tables:

          clients
          ------------
          client_id
          user_id
          name
          ------------

          client_users
          ------------
          client_user_id
          client_id
          user_id
          ------------

          client_user_permissions
          ------------
          client_user_permissions
          user_id
          permission_id
          ------------

      I link a client to a user account... and link a client user to a client and a user. Also the client can pass over certain permissions via client_user_permissions. Any ideas on a design pattern would be appreciated as I've never done anything like this when it comes to users creating users. Thank you
  19. benanamen has shown you perfectly what to do. Try this:

          <!DOCTYPE html>
          <html>
          <head>
              <title></title>
          </head>
          <body>
          <?php if ($_SERVER['REQUEST_METHOD'] == 'POST') {
              echo 'well done you have submitted the form';
          } else { ?>
              <form action="<?= $_SERVER['SCRIPT_NAME'] ?>" method="post">
                  <input type="text" name="name" />
                  <input type="submit" name="submit" value="submit"/>
              </form>
          <?php } ?>
          </body>
          </html>

  20. 1. It's not a valid HTML document.
      2. Why echo HTML when there is no need?

          <div>
              <form id='form1' action='#' method='post'>
                  <select name='room' id='room'>
                  <?php
                  if (isset($displayed)) echo "<option selected>" . $displayed . "</option>";
                  $i = 0;
                  while ($i < count($rooms)) {
                      $room = $rooms[$i];
                      if ($room === $displayed) echo "";
                      else echo "<option value=" . $room . "> " . $room . " </option>";
                      $i++;
                  }
                  ?>
                  </select>
                  <noscript><input type='submit' value='Submit'></noscript>
              </form>
          </div>

      3. I don't really understand your question; I can only guess you're looking for something like http://twig.sensiolabs.org/. You could also put

          $(document).ready(function(){
              $('#room').change(function(){
                  $(this).parent('form').submit();
              });
          });

      into a .js file and include it as a script like your jQuery.

          if ($room === $displayed) echo "";

      just seems unnecessary; something like this would make more sense:

          while ($i < count($rooms)) {
              $room = $rooms[$i];
              if ($room !== $displayed) echo "<option value=" . $room . "> " . $room . " </option>";
              $i++;
          }

      And try and make your code presentable?

          <?php
          print_r($_POST);
          $rooms = array(1, 2, 3, 4);
          $displayed = 2;
          ?>
          <script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.js"></script>
          <script type="text/javascript">
          $(document).ready(function(){
              $('#room').change(function(){
                  $(this).parent('form').submit();
              });
          });
          </script>
          <div>
              <form id='form1' action='#' method='post'>
                  <select name='room' id='room'>
                  <?php
                  if (isset($displayed)) echo "<option selected>" . $displayed . "</option>";
                  $i = 0;
                  while ($i < count($rooms)) {
                      $room = $rooms[$i];
                      if ($room !== $displayed) echo "<option value=" . $room . "> " . $room . " </option>";
                      $i++;
                  }
                  ?>
                  </select>
                  <noscript><input type='submit' value='Submit'></noscript>
              </form>
          </div>

  21. I know this thread is answered now, but one thing did pop into my head which I have been meaning to ask. In the scenario that every email address is encrypted, how do you check that an email address isn't already registered with an account? The only method I can think of is to loop over all the email addresses, where they are decrypted and compared... it just seems a bit long-winded and probably a bit heavy on CPU and memory, depending on user count (I will post a new thread if needed, sorry). Thank you
  22. Guess I won't be using an email address as a login credential. Thank you for great explanations
  23. I'd try to use PHPMailer instead of PHP's mail function. https://github.com/PHPMailer/PHPMailer Or why not allow the contact data to be inserted into a DB table?... at least that way you know you're going to receive it
  24. I suppose you need to cover all angles... I'm just put off with the captcha for my site at the moment as I believe it could scare people away. I do like the invisible field method though. @requinix you mentioned waiting until bots become a problem... just wondering how I would know that bots were registering on my site? Thank you
  25. Thank you for clearing that up... what confused me also in my thinking is that you see companies like Facebook, PayPal etc. using the email address as a username. Would you need to select all users, decrypt each email address and compare to select the row? Or would there be a simpler approach? Thank you