Everything posted by Destramic

  1. hey guys, i want to encrypt email address and passwords (after password_hash) but this then makes things very awkward when it comes to login...if you're asking a user to put username/email address and he provides an email address (which is encrypted in db)...how on earth do i get the user's row? the only answer i can think of is not to encrypt email addresses, but i'd say it's sensitive data and needs to be...just a little boggled with this, if someone can please shine some light. thank you.
  2. of course they will see a hidden link...that's one of the bot's jobs to search for hrefs...the bot will find it...and if bad bot he will try to open link?
  3. it appears the bundle sent from comodo was put together wrong. i had to put my domain cert with my intermediate certificates in order and finally convert to .pem. not going to lie, it was tough but it worked. thanks for the good advice requinix
  4. hey guys i'm getting an nginx error message when trying to use ssl on my server: i've added the following to my nginx config: ssl_certificate ssl/domain.ca-bundle; ssl_certificate_key ssl/domain.key; domain.ca-bundle - my certificate bundle sent to me from comodo domain.key - my private key generated with my RSA key i've searched the net, and i read that i need to remove passphrase from key openssl rsa -in domain.key -out newkey.pem but that didn't work either any help would be appreciated as i'm truly stuck now. thank you
  5. sorry requinix...a user register form for instance...a bad bot could fill out form and insert numerous rows...this is my concern as i have nothing in place yet to capture bad bots doing this. is a bot capture as seen in the link above a good enough idea...or what is the best solution please? thank you
  6. exactly...bad bots won't respect the robots.txt...so if they access a hidden link not visible to humans the bad bot will open it. when that link is opened, the ip and user agent is added to db, but firstly checking it's not a good bot, just for good measure...so as soon as someone accesses the site i can check if it's a bad bot from db records and die; i saw the idea from https://perishablepress.com/blackhole-bad-bots/ what are your thoughts? thank you
  7. when i refer to crawler i mean bad bots or have i got the wording incorrect? adding onto what i said, i did some more looking about, and what seems to be a good example is a simple hidden link, disallow the link in my robots.txt so the good bots don't open it....and if accessed catch the bad bot? maybe there are better alternatives
  8. how effective is browscap's crawler these days please guys? i need to implement something to stop any crawlers inserting rows into db...hopefully browscap if it's any good...i really hate the idea of image/sum/google captchas. what would be my best method please? thank you
  9. worked a charm thank you kicken
  10. i moved all the data in C:\ProgramData\MySQL\MySQL Server 5.7 to another drive and tried to config the my.ini in C:\ProgramData\MySQL\MySQL Server 5.7 so it will read and store data from that drive. i know it can be done but i'm obviously doing something wrong
  11. hey guys i've fiddled about with my mysql datadir and i've buggered it! what have i done wrong please C:\WINDOWS\system32>net start mysql57 The service is starting or stopping. Please try again later. so my - my.ini and data folder was in C:\ProgramData\MySQL\MySQL Server 5.7 i copied all the files/folders into R:\localhost\mysql stopped mysql and edited the my.ini inside the C:\ProgramData\MySQL\MySQL Server 5.7 directory. edited: under [mysqld] basedir=R:/localhost/mysql datadir=R:/localhost/mysql/Data i have no error log and now i'm completely stuck....i'd like to kn
  12. thanks for tip...on reflection of my attempt above i can see it's very poor...i'll give phpDocumentor a look
  13. hey guys, i discovered annotation validation recently and liked how easy it is to validate general classes and form entities...so i decided i'd write my own script...i don't normally ask for feedback, but as i jumped into the deep end creating an annotation handler, with no experience of using/writing one, i'd like to ask if i could get some general feedback please. i've read some documentation on symfony2 and phpdoc but that's about it. annotation reader: reads and gathers comments left for properties and methods as well as namespaces <?php namespace Annotation; use Exception; us
  14. ah ok understood...well all the information you've supplied is awesome...i appreciate your time and efforts thank you jacques
  15. ok i see now so the "additional data" is used to reinforce the encryption?...should i be changing the string depending on what i'm encrypting. ie. if i'm encrypting users information then the user would have a private key and that would be used for my "additional data" as i put it. understood regarding throwing exception...due to the nature of the script it should just return fatal error. i've also been looking into symfony's annotations so yeah i think i'm going to write something to validate type hinting but thank you for the brilliant feedback...much appreciated
  16. ok so my class here is good to encrypt everything really...when looking at https://paragonie.com/book/pecl-libsodium/read/09-recipes.md it makes you think you need to make an encryption and decryption class especially for cookies and passwords thank you for all the great information i'll definitely be keeping this in mind also here's my class updated from your suggestions <?php namespace Encryption; use Exception; class Encryption { private $_keys_directory; private $_secret_key; private $_public_key; public function __construct($keys_directory) { $this->_keys_di
  17. replace strpos($_GET['nav'], "/") with strstr($_GET['nav'], '/') tried to tidy it up also, you may want to use require_once if (isset($_GET['nav'])) { $nav = $_GET['nav']; if (strstr($nav, '/')) { $directory = substr(str_replace('..', '', $nav), 0, strpos($nav, "/")) . "/"; $file = substr(strrchr($nav, "/"), 1); if (file_exists($directory . $file . ".php")) { require_once($directory . $file . ".php"); } else { require_once("error.php"); } } else { if (file_exists(basename($nav) . ".php")) { require_once (basena
  18. ummm when looking at https://paragonie.com/book/pecl-libsodium/read/09-recipes.md i see they encrypt and decrypt their cookies different to how i've done my text class...also i see versions of encrypting passwords and verifying so i assumed i'd no longer need password_verify() and password_hash() functions...my plan was to make a session_cookie class which extends encryption_abstract same with password...so this one class is all i need for all encryptions? haha last night when looking at: <version identifier>:<Base64-encoded nonce>:<Base64-encoded ciphertext>
  19. thank you for the good information...i took what you said onboard and here is what i made class Text extends Encryption_Abstract { public function encrypt($message) { if (is_array($message)) { $message = json_encode($message); } $nonce = \Sodium\randombytes_buf(\Sodium\CRYPTO_AEAD_CHACHA20POLY1305_NPUBBYTES); $ciphertext = \Sodium\crypto_aead_chacha20poly1305_encrypt( $message, $this->additional_data(), $nonce, $this->secret_key() ); return '<' . $this->version() . '>:<' . base64_encode($nonce) . '>:<' . base64_en
  20. firstly i apologise for such a late reply on the topic as i know guys spend a lot of your time helping out us members. well i didn't realize i was open to such big attacks when using unserialize() and deserialize() thanks for the advice. regarding encryption at some point i need to encrypt sessions, cookies, passwords and any other sensitive data added to the database, i downloaded libsodium now i'm trying to understand how it is best to use the library. i have found an example just of plain text encrypting and decrypting....would this be a good example? <?php // This requires th
  21. hey guys i have some help from jacques a while back regarding aes encryption in php, which works great!...i made the encryption/decryptions compatible with nodejs, but i'd like to know how i can make it compatible with mysql also. here is what i use to encrypt $data = 'hello'; $encryption_algorithm = 'AES-128-CBC'; $master_key = 'fba05a681b7606c57d6218d4cca387f5cd4f8e0ae098cb4d9b7e'; $init_vector = openssl_random_pseudo_bytes(openssl_cipher_iv_length($encryption_algorithm)); $ciphertext = openssl_encrypt(serialize($data), $encryption_algorithm,
  22. Thanks once again for the great advice jacques. Well I'm going to scrap the head helper nonsense and create a template engine myself...but still keep the idea of setting an array of header tags so i can call all globals
  23. sorry it should be: <?php $id = "test-id"; ?> <div id="<?php echo $id; ?>">this is a test</div>
  24. sorry for the late reply i have been doing some research regarding this xss...i didn't realise a web page could be so vulnerable in so many aspects of xss. so every string must be encoded using htmlspecialchars($string, ENT_QUOTES, 'UTF-8'); so i need to encode the attributes set in my view helper?...that would imply that the design would xss? i'm sorry i don't understand fully how a user browsing can inject code from the following example, unless the $id is changed inside the file...how is it possible to do it via the browser? <php $id = "test-id" ?> <div id="{$id}">
  25. i found the problem which was so stupid of me...i hate to say what i did wrong sorry! well i've never used a framework other than my own...i thought zend framework would be good so i read the files and manual and based mine around that. the helpers are only for the script, link, title and meta. i wouldn't create helpers for every html element. i use a decorator like so <?php namespace Head\View; use Exception\Exception as Exception; use HTML\Decorator_Abstract as Decorator_Abstract; use HTML\Decorator_Interface as Decorator_Interface; class Script Extends Decorator_A