Posts posted by Destramic

  1. actually my example isn't going to work...email address is encrypted and placed inside the hmac but the seal will obviously be different every time...so there would be no way for me to compare.

     

    i'm completely lost here :confused:

  2. now that is smart...i wish i thought of it :)

     

    i had a mess about with hmac over the weekend, as i've decided to use it with the users' cookies...is what i made for hmac more than suitable?

     

     

    here is a working example

    <?php
    
    class Encryption
    {
        private $private_key;
    
        public function __construct(string $private_key)
        {
            if (!extension_loaded('libsodium'))
            {
                throw new Exception('Encryption: PHP libsodium extension not loaded.');
            }
    
            $private_key = trim($private_key);
    
            if (!preg_match('/^[a-z\d+\/]{43}=$/i', $private_key))
            {
                throw new Exception('Encryption: Unrecognized key.');
            }
    
            $this->private_key = base64_decode($private_key);
        }
    
        public function encrypt(string $data)
        {
            $nonce = \Sodium\randombytes_buf(\Sodium\CRYPTO_AEAD_CHACHA20POLY1305_NPUBBYTES);
             
            $ciphertext = \Sodium\crypto_aead_chacha20poly1305_encrypt(
                $data,
                null,
                $nonce,
                $this->private_key
            );
    
            return base64_encode($nonce) . ':' . base64_encode($ciphertext);
        }
    
        public function decrypt(string $ciphertext)
        {
            $ciphertext = $this->parse_ciphertext($ciphertext);
    
            list($nonce, $ciphertext) = $ciphertext;
    
            $decrypted = \Sodium\crypto_aead_chacha20poly1305_decrypt(
                $ciphertext,
                null,
                $nonce,
                $this->private_key
            );
    
            if ($decrypted === false)
            {
                throw new Exception('Encryption: Decryption Failed.');
            }
    
            return $decrypted;
        }
    
        private function parse_ciphertext(string $ciphertext)
        {
            if (!preg_match('/^(?:[a-z\d+\/]{11}=):(?:[a-z\d+\/]+)(=|==)?$/i', $ciphertext))
            {
                throw new Exception('Encryption: Unrecognized ciphertext.');
            }
             
            $ciphertext = explode(':', $ciphertext);
    
            return array(
                base64_decode($ciphertext[0]),
                base64_decode($ciphertext[1])
            );
        }
    }
    
    class HMAC
    {
        private $private_key;
        private $algo;
        
        public function __construct(string $private_key, string $algo = 'sha512')
        {
            $private_key = trim($private_key);
            
            if (!preg_match('/^[a-z\d+\/]{43}=$/i', $private_key))
            {
                throw new Exception('Encryption: Unrecognized key.');
            }
            else if (!in_array(strtolower($algo), hash_algos()))
            {
                throw new Exception(sprintf('HMAC: Algo %s unsupported.', $algo));
            }
            
            $this->private_key = base64_decode($private_key);
            $this->algo        = $algo;
        }
        
        public function seal(string $message, string $public_key)
        {
            $seal = base64_encode(hash_hmac($this->algo, $message, $this->private_key));
            
            return base64_encode($message) . ':'. $seal . ':' . base64_encode($public_key);
        }
        
        public function sign(string $seal, string $public_key)
        {
            if (!preg_match('/^((?:[a-z\d+\/]+)(=|==)?):(?:[a-z\d+\/]+)(=|==)?:(?:[a-z\d+\/]+)(=|==)?$/i', $seal))
            {
                throw new Exception('HMAC: Unrecognized seal.');
            }
            
            list($message, $seal, $key) = explode(':', $seal);
            
            $message = base64_decode($message);
            $signed  = base64_encode(hash_hmac($this->algo, $message, $this->private_key));
            
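            // hash_equals() compares in constant time, so the check does not leak how much of the seal matched
            if (hash_equals($signed, $seal) && hash_equals($public_key, base64_decode($key)))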
            {
                return $message;
            }
            
            throw new Exception('HMAC: Seal corrupted.');
        }
    }
    
    $public_key             = 'ZZtJVgUu2fRz+c4o6QHj6v/mAqGAgyowlUxs3xoMHuw=';
    $hmac_private_key       = 'DxA58JcURnz891sVXowkF6VPyanis+GvwZXWcoxwE5M=';
    $encryption_private_key = 'qB2fZkseI4ccJ45Y1/VzoHARA6Sft6IVkeS4r2Z+YYM=';
    
    $encryption    = new Encryption($encryption_private_key);
    $email_address = $encryption->encrypt('[email protected]');
    // q101ZtOPjW8=:b9vrNQFhpC5wWhfWDmzu2XcjBly234AASKU11AiM
    
    $hmac          = new HMAC($hmac_private_key);
    $seal          = $hmac->seal($email_address, $public_key);
    // TWZIaTVxdjdrd1E9OjRvNlE3b05UcFA5SVB1QkR4cEZTZGpUSElFMDd2ai9mRzhwYUd4VmE=:Nzk5NzhhMzgzYjQ0ODc0MjExNDcxMjg1OWVkMmNlY2EwMmE4ZDVlM2E3ZmM5NWJkZTFmZjMwMTkyOTZiOWNjZjZjMjk5NWQzOGJmZTE2MTRkMTAyMzg2NTZmYTg0OWQwYjBhNjAxYTZhYTg5YTI1ZTY2MWRiN2MzZDk4MzU3MTc=:Wlp0SlZnVXUyZlJ6K2M0bzZRSGo2di9tQXFHQWd5b3dsVXhzM3hvTUh1dz0=
    
    $email_address = $hmac->sign($seal, $public_key);
    // q101ZtOPjW8=:b9vrNQFhpC5wWhfWDmzu2XcjBly234AASKU11AiM
    
    echo $encryption->decrypt($email_address);
    // [email protected]
    

    thank you jacques for your patience and help on this matter

  3. hey guys i'm currently using libsodium to encrypt users data which is stored in a database...my concern is when a user registers an account on my website, i want to check that the email provided is not already registered to another account, but the problem is that the email address stored in the database is encrypted...so how do i check?

     

    i have previously been suggested to store the email as:

    • a separate HMAC
    • ECB mode
    • no encryption as long as the e-mail addresses are kept away from the web frontend

     

    but even when using HMAC the email can easily be viewed, MySQL's ECB mode i've read so many bad things about regarding it having so many security issues etc...and the email having no encryption could mean that if my database ever got attacked its all there in black and white.

     

    here is my encryption class:

    <?php
    
    namespace Encryption;
    
    use Exception;
    
    class Encryption
    {
    	private $private_key;
    	
    	public function __construct(string $private_key)
    	{
    		if (!extension_loaded('libsodium'))
    		{
    		    throw new Exception('Encryption: PHP libsodium extension not loaded.');
    		}
    		
            $private_key = trim($private_key);
            
    		if (!preg_match('/^[a-z\d+\/]{43}=$/i', $private_key))
    		{
    		    throw new Exception('Encryption: Unrecognized key.');
    		}
    		
    		$this->private_key = base64_decode($private_key);
    	}
    	
    	public function encrypt(string $data)
    	{
    		$nonce = \Sodium\randombytes_buf(\Sodium\CRYPTO_AEAD_CHACHA20POLY1305_NPUBBYTES);
    	  
    		$ciphertext = \Sodium\crypto_aead_chacha20poly1305_encrypt(
    		    $data,
    		    null,
    		    $nonce,
    		    $this->private_key
    		);
    		
    		return base64_encode($nonce) . ':' . base64_encode($ciphertext);
    	}
    	
    	public function decrypt(string $ciphertext)
    	{
    		$ciphertext = $this->parse_ciphertext($ciphertext);
    
    		list($nonce, $ciphertext) = $ciphertext;
    
    		$decrypted = \Sodium\crypto_aead_chacha20poly1305_decrypt(
    		    $ciphertext,
    		    null,
    		    $nonce,
    		    $this->private_key
    		);
    
    		// strict check: an empty or "0" plaintext is a valid result, only false means failure
    		if ($decrypted === false)
    		{
    		    throw new Exception('Encryption: Decryption Failed.');
    		}
    		
    		return $decrypted;
    	}
    
    	private function parse_ciphertext(string $ciphertext)
    	{
    	    $ciphertext = trim($ciphertext);
    	    
    	    if (!preg_match('/^(?:[a-z\d+\/]{11}=):(?:[a-z\d+\/]+)(=|==)?$/i', $ciphertext))
    	    {
    	        throw new Exception('Encryption: Unrecognized ciphertext.');
    	    }
    	    
    		$ciphertext = explode(':', $ciphertext);
    
    		return array(
    			base64_decode($ciphertext[0]),
    			base64_decode($ciphertext[1])
    		);
    	}
    }
    

    it just seems like i've taken one step forward in being secure, but taking 2 steps back when it comes to processing simple scripts such as verifying email isn't registered. retrieving account by email address etc.

     

    i know the answer isn't going to be as simple as

    SELECT username FROM user WHERE email_address = '[email protected]'
    

    but there must be a logical way to check encrypted email address with a string.

     

    any other thoughts on this please guys?

     

     

    thank you for your time

  4. use forward slashes instead of backslashes

    D:/xampp/htdocs/xampp/kicken/.dirindex.php

    you want to check file exists and that the file is readable

    // stop if the file is missing or cannot be read
    if (!file_exists($path) || !is_readable($path)) {
        die('Cannot access '.$path);
    }
    
    

    you are using is_dir() which is checking if the $path is a directory...which it isn't, so that is why you are seeing an error message

  5. sorry jacques i didn't explain myself very well...yes the username will be used as the users identifier, but what i'm trying to get at here is that i don't really want people to create multiple account.

     

    this would be me checking for username availability as well as ensuring that the user isn't trying to register another account with the same email address...life would be so much simpler if encryptions were cross compatible :)

     

    i just don't see a simple way of checking this...

  6. i have no plans to go down the ECB mode route, or to use email address as a login credential either, why go half hearted with security :)

     

    but sorry jacques you've lost me a little here

     

     

    block all new registrations while the check is in progress

     

    are we talking about all new registrations being put into a separate table from the users? and a possible cron job running every hour or so doing a check? before actually creating a user and sending an activation token?

     

    thank you

  7. hey guys i'm currently creating role and permission for my users which looks like this:

    users
    ------------------------
    user_id
    role_id
    ------------------------
    
    user_permissions
    ------------------------
    user_permission_id
    name
    ------------------------
    
    user_roles
    ------------------------
    user_role_id
    name
    ------------------------
    
    user_role_permissions
    ------------------------
    user_role_permission_id
    role_id
    permission_id
    ------------------------
    

    a role can be created and permissions are added to that role, giving user access to certain pages.

     

    the problem i face is that my website has 4 types of users

     

    admin (me)

    general public

    clients

    clients employees (client employees)

     

    all 4 will see different content.

     

    here is my problem and what i want to achieve is for my clients to be able to add users (employees) which are linked to their account as well as giving them certain permission

     

    for instance if i had Walmart as a client, they'd have a client role...now if they wanted to add a user (employees) linked to their account what is the best way to do this?

     

    i could have 3 extra tables

    clients
    ------------
    client_id
    user_id
    name
    ------------
    
    client_users
    ------------
    client_user_id
    client_id
    user_id
    ------------
    
    client_user_permissions
    ------------
    client_user_permission_id
    user_id
    permission_id
    ------------

    i link a client to a user account....and link a client user to a client and user

     

    also the client can pass over certain permission via the client_user_permission

     

    any ideas on design pattern would be appreciated as i've never done nothing like this when it comes to users creating users

     

    thank you

     

     

  8. benanamen has shown you perfectly what to do:

     

    <?php
    if ($_SERVER['REQUEST_METHOD'] == 'POST'){
        // process form
    }
    ?>
    <!DOCTYPE html>
    <html>
    
    <head>
      <title></title>
    </head>
    
    <body>
    <form action="<?= $_SERVER['SCRIPT_NAME'] ?>" method="post">
    <!-- FORM HERE -->
    </form>
    </body>
    </html>
    

     

    try this

    <!DOCTYPE html>
    <html>
    <head>
      <title></title>
    </head>
    <body>
    <?php
    if ($_SERVER['REQUEST_METHOD'] == 'POST'){
        echo 'well done you have submitted the form';
    }
    else
    {
    ?>
    <form action="<?= $_SERVER['SCRIPT_NAME'] ?>" method="post">
    <input type="text" name="name" />
    <input type="submit" name="submit" value="submit"/>
    </form>
    <?php
    }
    ?>
    </body>
    </html>
    
  9. 1. it's not a valid html document

    2. why echo html when there is no need?

    <div> 
    <form id = 'form1' action='#' method='post' >
    <select name='room' id='room'>
    
    <?php
    if(isset($displayed)) echo "<option selected>".htmlspecialchars((string) $displayed)."</option>"; // escape before output
    $i = 0;
    
    while($i < count($rooms))
    { 
    $room = $rooms[$i];
    if($room === $displayed)echo ""; 
    else echo '<option value="'.htmlspecialchars((string) $room).'">'.htmlspecialchars((string) $room).'</option>'; // escaped, attribute quoted
    $i++;
    }
    ?>
    
    </select>
    <noscript><input type='submit' value='Submit'></noscript>
    </form>
    </div>
    

    3. i don't really understand your question, i can only guess you're looking for something like http://twig.sensiolabs.org/

     

    you could also put

    $(document).ready(function(){ 
    $('#room').change(function(){
    $(this).parent('form').submit();
    });
    });
    

    into a .js file and include as a script like your jquery

    if($room === $displayed)echo "";
    

    just seems unnecessary

     

    something like this would make more sense

    while($i < count($rooms))
    { 
        $room = $rooms[$i];
        
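        // escape the value before output and quote the attribute
        if($room !== $displayed) echo '<option value="'.htmlspecialchars((string) $room).'">'.htmlspecialchars((string) $room).'</option>';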
        $i++;
    }
    

    and try and make your code presentable?

    <?php
    print_r($_POST);
    $rooms     = array(1, 2, 3, 4);
    $displayed = 2;
    ?>
    <script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.js"></script>
    <script type="text/javascript">
    $(document).ready(function(){ 
        $('#room').change(function(){
            $(this).parent('form').submit();
        });
    });
    </script>
    <div>
    <form id = 'form1' action='#' method='post' >
    <select name='room' id='room'> 
    <?php
    if(isset($displayed)) echo "<option selected>".htmlspecialchars((string) $displayed)."</option>"; // escape before output
    $i = 0;
    
    while($i < count($rooms))
    { 
        $room = $rooms[$i];
        
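        // escape the value before output and quote the attribute
        if($room !== $displayed) echo '<option value="'.htmlspecialchars((string) $room).'">'.htmlspecialchars((string) $room).'</option>';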
        $i++;
    }
    ?>
    </select>
    <noscript><input type='submit' value='Submit'></noscript>
    </form>
    </div>
    
    
  10. i know this thread is answered now, but one thing did pop into my head which i have been meaning to ask.

     

    in the scenario that every email address is encrypted, how do you check that an email address isn't already registered with an account?

     

    the only method i can think of is to loop all the email address, where they are decrypted and compared...just seems a bit long winded and probably a bit heavy on cpu and memory, depending on user count

     

    (i will post a new thread if needed, sorry)

     

    thank you

  11. I suppose you need to cover all angles...I'm just put off with the captcha for my site at the moment as I believe it could scare people away.

     

    I do like the invisible field method though.

     

    @requinix you mentioned wait until bots become problem...just wonder how I would know that bots were registering on my site?

     

    thank you

  12. Thank you for clearing that up...what confused me also in my thinking is that you see companies like Facebook, PayPal etc using email address as a username.

     

    Would you need to select all users, decrypt email address and compare to select row? Or would there be a simpler approach?

     

    thank you

  13. hey guys,

     

    i want to encrypt email address and passwords (after password_hash) but this then makes things very awkward when it comes to login...if you're asking a user to put username/email address and he provides an email address (which is encrypted in db)...how on earth do get user's row?

     

    the only answer i can think of is not to encrypt email address', but i'd say its sensitive data and needs to be

     

    just a little boggled with this, if someone can please shine some light.

     

    thank you.
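
The lookup problem raised in the posts above (checking at registration that an e-mail is not already registered, and finding a user's row at login, while the stored address is encrypted under a random nonce) is commonly handled with a keyed hash of the plaintext stored beside the ciphertext. The following is an added example, not code from the thread: the class, method and column names are hypothetical, an array stands in for the users table, and XChaCha20-Poly1305 is swapped in for the ChaCha20-Poly1305 call used in the posts.

```php
<?php
// Added example, not code from the thread. Assumes PHP 8.0+ with the bundled
// sodium extension; class, method and column names are hypothetical.
final class EmailVault
{
    private const NONCE_LEN = SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES;
    /** @var array<string,string> email_index => email_ciphertext; stands in for a
     *  users table whose email_index column carries a UNIQUE constraint. */
    private array $rows = [];

    // $encKey protects the stored address; $indexKey is a separate key for the index only.
    public function __construct(private string $encKey, private string $indexKey) {}

    /** Deterministic keyed hash of the plaintext: equal addresses give equal values. */
    public function blindIndex(string $email): string
    {
        // Assumption: addresses are compared case-insensitively after trimming.
        return hash_hmac('sha256', strtolower(trim($email)), $this->indexKey);
    }

    /** Randomized encryption: a fresh nonce per call, so ciphertexts do not repeat. */
    public function encrypt(string $email): string
    {
        $nonce = random_bytes(self::NONCE_LEN);
        $ct    = sodium_crypto_aead_xchacha20poly1305_ietf_encrypt($email, '', $nonce, $this->encKey);
        return base64_encode($nonce . $ct);
    }

    public function decrypt(string $stored): string
    {
        $raw   = (string) base64_decode($stored, true);
        $plain = sodium_crypto_aead_xchacha20poly1305_ietf_decrypt(
            substr($raw, self::NONCE_LEN), '', substr($raw, 0, self::NONCE_LEN), $this->encKey);
        if ($plain === false) {
            throw new RuntimeException('Decryption failed.');
        }
        return $plain;
    }

    /** Registration check. SQL equivalent: the INSERT fails on UNIQUE(email_index). */
    public function register(string $email): bool
    {
        $index = $this->blindIndex($email);
        if (isset($this->rows[$index])) {
            return false; // address already registered
        }
        $this->rows[$index] = $this->encrypt($email);
        return true;
    }

    /** Login lookup. SQL equivalent: SELECT ... WHERE email_index = :index */
    public function findByEmail(string $email): ?string
    {
        $stored = $this->rows[$this->blindIndex($email)] ?? null;
        return $stored === null ? null : $this->decrypt($stored);
    }
}

// Constructed keys and addresses for the demonstration.
$vault = new EmailVault(sodium_crypto_aead_xchacha20poly1305_ietf_keygen(), random_bytes(32));
var_dump($vault->register('alice@example.test'));   // first registration
var_dump($vault->register(' Alice@Example.TEST ')); // same mailbox, different spelling
var_dump($vault->encrypt('alice@example.test') === $vault->encrypt('alice@example.test'));
var_dump($vault->findByEmail('ALICE@example.test'));
```

The index key belongs outside the database (for example in application configuration), because whoever holds it can test guessed addresses against the index column.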

  14. Most spam bots are going to completely ignore the robots.txt file so they will never see your hidden link either.

     

    of course they will see a hidden link...that's one of the bots job to search for href's...the bot will find it...and if bad bot he will try to open link?

  15. Make sure the bundle has the certificates in the right order: nginx expects yours at the top and the rest of the chain after.

     

    it appears the bundle sent from comodo was put together wrong.

     

    i had to put my domain cert with my intermediate certificates in order and finally convert to .pem

     

    not going to lie, it was tough :sweat:

     

    but it worked thanks for the good advice requinix :happy-04:

  16. hey guys i'm getting an nginx error message when trying to use ssl on my server:
     

    [emerg] 3108#6408: SSL_CTX_use_PrivateKey_file("C:\Users\Server\Desktop\host\myterms.co.uk\nginx/conf/ssl/myterms_co_uk.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)

    i've added the following to my nginx config:

    ssl_certificate ssl/domain.ca-bundle;
    ssl_certificate_key ssl/domain.key;

    domain.ca-bundle  - my certificate bundle sent to me from comodo
    domain.key            -  my private key generated with my RSA key

     

    i've searched the net, and i read that i need to remove passphrase from key

    openssl rsa -in domain.key -out newkey.pem
    

    but that didnt work either

     

     

    any help would be appreciated as i'm truly stuck now.


    thank you
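
The "key values mismatch" error and the bundle-order fix in the two posts above can be checked before nginx is reloaded: the first certificate in the `ssl_certificate` file has to be the one that matches the private key. The following is an added example, not code from the thread; the function names are hypothetical and the CA and leaf certificate are constructed test data generated on the spot.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Requires PHP's openssl extension;
// function names are hypothetical and the certificates are constructed test data.

/** Split a PEM bundle into its individual certificates. */
function splitBundle(string $bundlePem): array
{
    preg_match_all('/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/s', $bundlePem, $m);
    return $m[0];
}

/** Server certificate (the one matching the key) first, then each issuer in turn. */
function orderForNginx(string $bundlePem, string $keyPem): string
{
    $certs   = splitBundle($bundlePem);
    $ordered = [];
    foreach ($certs as $i => $pem) {
        if (openssl_x509_check_private_key($pem, $keyPem)) {
            $ordered[] = $pem;
            unset($certs[$i]);
            break;
        }
    }
    if ($ordered === []) {
        throw new RuntimeException('No certificate in the bundle matches the private key.');
    }
    do { // walk up the chain: next is the certificate whose subject is the current issuer
        $issuer = openssl_x509_parse(end($ordered))['issuer'];
        $found  = false;
        foreach ($certs as $i => $pem) {
            if (openssl_x509_parse($pem)['subject'] == $issuer) {
                $ordered[] = $pem;
                unset($certs[$i]);
                $found = true;
                break;
            }
        }
    } while ($found);
    return implode("\n", $ordered) . "\n";
}

// Constructed test data: a throwaway CA and a leaf certificate for example.test.
$opts     = ['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA, 'digest_alg' => 'sha256'];
$caKey    = openssl_pkey_new($opts);
$caCsr    = openssl_csr_new(['commonName' => 'Constructed Test CA'], $caKey, $opts);
$caCert   = openssl_csr_sign($caCsr, null, $caKey, 30, $opts);
$leafKey  = openssl_pkey_new($opts);
$leafCsr  = openssl_csr_new(['commonName' => 'example.test'], $leafKey, $opts);
$leafCert = openssl_csr_sign($leafCsr, $caCert, $caKey, 30, $opts);
openssl_x509_export($caCert, $caPem);
openssl_x509_export($leafCert, $leafPem);
openssl_pkey_export($leafKey, $keyPem);

$wrongOrder = $caPem . $leafPem; // CA certificate first: the first entry does not match the key
var_dump(openssl_x509_check_private_key(splitBundle($wrongOrder)[0], $keyPem));
$fixed = orderForNginx($wrongOrder, $keyPem); // leaf first, then its issuer
var_dump(openssl_x509_check_private_key(splitBundle($fixed)[0], $keyPem));
```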

  17. sorry requinix...a user register form for instance...a bad bot could fill out form and insert numerous rows...this is my concern as i have nothing in place yet to capture bad bots doing this.

     

    is a bot capture as seen in the link above a good enough idea...or what is the best solution please?

     

    thank you

  18. exactly...bad bots won't respect the robots.txt...so if they access a hidden link not visible to human the bad bot will open it.

     

    when that link is opened, the ip and user agent is added to db, but firstly checking it's not a good bot, just for good measures...so as soon as someone accesses the site i can check if its a bad bot from db records and die;

     

    i saw the idea from https://perishablepress.com/blackhole-bad-bots/

     

    whats your thoughts?

     

    thank you

  19. when i refer to crawler i mean bad bots or have i got the wording incorrect? :-\

     

    adding onto what i said, i did some more looking about, and what seems to be a good example is a simple hidden link, disallow the link in my robots.txt so the good bots don't open it....and if accessed catch the bad bot?

     

    maybe there are better alternatives

  20. how effective is browscaps crawler these days please guys?

     

     

    Array
    (
    [browser_name_regex] => ~^mozilla/5\.0 \(.*windows nt 10\.0.*rv:49\.0.*\) gecko.* firefox.*$~
    [browser_name_pattern] => Mozilla/5.0 (*Windows NT 10.0*rv:49.0*) Gecko* Firefox*
    [parent] => Firefox 49.0
    [platform] => Win10
    [comment] => Firefox 49.0
    [browser] => Firefox
    [browser_maker] => Mozilla Foundation
    [version] => 49.0
    [majorver] => 49
    [device_type] => Desktop
    [device_pointing_method] => mouse
    [minorver] => 0
    [ismobiledevice] =>
    [istablet] =>
    [crawler] =>
    )

     

    i need to implement something to stop any crawlers inserting rows into db...hopefully browscap if it's any good...i really hate the idea of image/sum/google captures.

     

    what would be my best method please?

     

    thank you

  21. Only move the data directory, leave the my.ini file where it is.  Also only update the datadir entry to the new location.  Basedir is supposed to point to where mysql is installed, ie 'C:/Program Files/MySQL/MySQL Server 5.7/'

     

    worked a charm thank you kicken :happy-04:

  22. i moved all the data in C:\ProgramData\MySQL\MySQL Server 5.7 to another drive

    and tried to config the my.ini  in C:\ProgramData\MySQL\MySQL Server 5.7 so it will read and store data from ther drive

     

    i know it can be done but i'm obviously doing something wrong
