Everything posted by Zane

  1. You have to send the parameters with the send() function.

     request.open("POST", "urlpost.php", true);
     request.send(params);

  2. The extension doesn't even have to be .php either. You could have myfile.notphp instead. It's arbitrary. All you have to do is edit the webserver configuration.

     <FilesMatch ".+\.ph(ar|p|tml)|.+\.notphp$">
         SetHandler application/x-httpd-php
     </FilesMatch>

     Obscurity only really draws attention though. I mean, if you're a spy trying to blend in, you're not gonna wear a hat saying "not a spy", hopefully.

     http://mysite.com/index.notphp
  3. It's been over 10 years since I messed with Authorize.net API. I first used it to allow people to make single secure payments from a web page of mine to a bank account. That's it. Back then, they didn't have all of this fancy new stuff. Therefore, I really don't have any valuable comparisons to give. Also, I do not consider myself to be anything close to an expert (or even intermediate) level of creating secure systems. I ran a mail server about 6 years ago and that was a total nightmare. Literally, as soon as the server went live, it was plagued with bots and whatever else that started using my SMTP server as an open relay and my IP became blacklisted pretty quickly for spam. I googled ad nauseam for how to secure this and how to secure that and what the best practices were, but I was in way over my head with absolutely no budget for anything to help me out. After 4 years of trying to maintain a mail server that successfully sent and received mail with no issues (though, there were still issues), I finally was able to convince my boss to switch to a Google Business account and let them handle all of that guff. Mail servers are an absolute nightmare that I wouldn't wish upon my worst enemy. I mean, installing SSL certificates is easier than maintaining a mail server. Anyway, this topic has nothing to do with mail servers. You know, I've never tried to even perform a breach in my life. I've never even tried to breach myself. It's an exhausting realm of web development that I avoid like the plague. Really, what is secure? Unless you're a Fortune 1000 company or something, I doubt you're going to have a horde of people trying to hack your site; don't flatter yourself. I was a web developer and ran probably the least secure site, in my opinion, but the audience for that site was so minuscule compared to that of large corporations. It's about the same concept as viruses.

     Most people running a *nix system do not really need to worry about viruses because *nix systems do not take up much of the market share for personal computers. However, Windows is always being probed and poked and molested because it has a gigantic user-base. In any case, Authorize.net seems to have improved pretty much everything they had when I messed with it over a decade ago. Most, if not everything, of what I utilized is gone or deprecated. I mean, I would trust it. At the end of the day, though, the most secure you'll ever be able to make your system is if you cut it off from the net. If it's not on the internet, you really have nothing to worry about. If you're not connected to the internet, you're not going to get any viruses anytime soon. I know that's not an answer, but it's a hard truth to accept. Online banking is really awesome in my opinion, but I know that at any particular time, something could go awry and cause my life hell.
  4. That would remove any risk unless both your database and Authorize.net's database were breached. Fundamentally, yes. It's that easy. How you go about it though is up to you. Authorize.net provides sample PHP scripts for sending and receiving the data. It may look intimidating, but you're essentially just creating a JSON object and sending it to Authorize.net, from which you'll receive a response. In your own database, all you'd need is your usual fields, and then you could add some columns that link it with Authorize.net's customer profile. So, there's your typical user table

     user_id
     user_name
     user_pass

     You could then add a column for the customer profile id that's generated from Authorize.net

     user_id
     user_name
     user_pass
     user_authorize_id

     As for the payment profile, you'd store them in their own table, called say... payment_profiles. It would contain

     profile_id
     profile_authorize_id
     user_id

     Some people roll their own form of sending data, some people use the official code provided https://github.com/AuthorizeNet/sample-code-php/blob/master/CustomerProfiles/get-customer-profile.php This way, you don't have to hash anything or maintain anything PII related. You'll be able to login to Authorize.net as well and create reports of your customers with Customer Information Manager.

     ** This is all assuming that you're only using Authorize.net to handle your transactions. If you have other merchants, like Paypal, then you'll need to check out what they have to offer as well.
  5. If you are using Authorize.net, then you can set up Customer Payment Profiles, using their API. You can then store (or relegate) the customer payment profile id to your users table in your database. Then, you don't have to worry about storing credit card info anywhere. https://developer.authorize.net/api/reference/index.html#customer-profiles-get-customer-payment-profile Maintaining reconciliation with Authorize.net customer profiles and your own database/table of users can allow you to do what you're attempting to do. Using the API, you can send a request for the current user's list of payment profiles. If there are more than two profiles, then you can write in whatever logic you want in your PHP script, for instance, aborting the chance of a transaction from the user, showing them an error message. Everything you need and more is available in their API.
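The two posts above describe a schema that stores only Authorize.net profile ids locally and a rule of at most two payment profiles per user. The following is an added example written for this page, not Authorize.net's sample code and not anything Zane posted: it builds that schema in an in-memory SQLite database, refuses a third payment profile, and reconciles the local rows against the list of ids the provider reports (as the getCustomerPaymentProfile call linked above would return). The profile ids such as "cust-1001" and "pay-77" are constructed sample values; the API call itself is not made here, its decoded result is passed in as an array.

```php
<?php
// Added example (not Authorize.net's sample code): keep only Authorize.net
// profile ids locally and enforce "at most two payment profiles per user".
// Profile ids used below ("cust-1001", "pay-77", ...) are constructed sample values.

const MAX_PAYMENT_PROFILES = 2;

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // users table from the post, plus the column linking to the provider's customer profile
    $db->exec("CREATE TABLE users (
        user_id INTEGER PRIMARY KEY,
        user_name TEXT NOT NULL UNIQUE,
        user_pass TEXT NOT NULL,
        user_authorize_id TEXT UNIQUE)");
    // one row per payment profile; no card number, expiry or CVV is ever stored here
    $db->exec("CREATE TABLE payment_profiles (
        profile_id INTEGER PRIMARY KEY,
        profile_authorize_id TEXT NOT NULL UNIQUE,
        user_id INTEGER NOT NULL REFERENCES users(user_id))");
    return $db;
}

function createUser(PDO $db, string $name, string $password): int
{
    $stmt = $db->prepare("INSERT INTO users (user_name, user_pass) VALUES (:n, :p)");
    $stmt->execute([':n' => $name, ':p' => password_hash($password, PASSWORD_DEFAULT)]);
    return (int)$db->lastInsertId();
}

// Store the customer profile id the provider returned for this user.
function linkCustomerProfile(PDO $db, int $userId, string $customerProfileId): void
{
    $stmt = $db->prepare("UPDATE users SET user_authorize_id = :a WHERE user_id = :u");
    $stmt->execute([':a' => $customerProfileId, ':u' => $userId]);
}

function countPaymentProfiles(PDO $db, int $userId): int
{
    $stmt = $db->prepare("SELECT COUNT(*) FROM payment_profiles WHERE user_id = :u");
    $stmt->execute([':u' => $userId]);
    return (int)$stmt->fetchColumn();
}

// Record a payment profile id; returns false (and stores nothing) when the user already has two.
function addPaymentProfile(PDO $db, int $userId, string $paymentProfileId): bool
{
    $db->beginTransaction();
    try {
        if (countPaymentProfiles($db, $userId) >= MAX_PAYMENT_PROFILES) {
            $db->rollBack();
            return false;
        }
        $stmt = $db->prepare("INSERT INTO payment_profiles (profile_authorize_id, user_id) VALUES (:p, :u)");
        $stmt->execute([':p' => $paymentProfileId, ':u' => $userId]);
        $db->commit();
        return true;
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    }
}

// Reconcile the local table with the payment profile ids the provider reports for this
// customer. Local rows the provider no longer knows are dropped; the return value says
// whether the provider-side list is within the limit, so the caller can block a
// transaction and show an error when it is not.
function reconcilePaymentProfiles(PDO $db, int $userId, array $remoteProfileIds): bool
{
    $stmt = $db->prepare("SELECT profile_authorize_id FROM payment_profiles WHERE user_id = :u");
    $stmt->execute([':u' => $userId]);
    $local = $stmt->fetchAll(PDO::FETCH_COLUMN);
    $del = $db->prepare("DELETE FROM payment_profiles WHERE profile_authorize_id = :p");
    foreach (array_diff($local, $remoteProfileIds) as $stale) {
        $del->execute([':p' => $stale]);
    }
    return count($remoteProfileIds) <= MAX_PAYMENT_PROFILES;
}

$db = openDb();
$uid = createUser($db, 'alice', 'correct horse battery staple');
linkCustomerProfile($db, $uid, 'cust-1001');            // constructed customer profile id
var_dump(addPaymentProfile($db, $uid, 'pay-77'));       // first payment profile
var_dump(addPaymentProfile($db, $uid, 'pay-78'));       // second payment profile
var_dump(addPaymentProfile($db, $uid, 'pay-79'));       // third one is refused
// constructed provider response: only pay-78 still exists, so pay-77 is dropped locally
var_dump(reconcilePaymentProfiles($db, $uid, ['pay-78']));
var_dump(countPaymentProfiles($db, $uid));
```

The point of the layout is that a breach of this database yields usernames, password hashes and opaque provider ids, nothing a card brand would classify as cardholder data; the limit check runs inside a transaction so two concurrent "add card" requests cannot both pass the count.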
  6. Could you explain the scenario a bit more? Only two accounts per cardholder. So, a single user can purchase cards, and these are credit cards? It's not so clear what your idea is. Please elaborate. Or maybe, it's a user cannot add more than two cards to their account.
  7. Something like this could get you started

     <?php
     $filepaths = array();
     $filepaths[] = "/path/to/file/bob-villa-bvilla35";
     $filepaths[] = "/path/to/file/jim-bob-dinosaur64";
     $filepaths[] = "/path/to/file/abe-lincoln-alinkler";
     $filepaths[] = "/path/to/file/michael-jordan-ncairman";
     $filepaths[] = "/path/to/file/bart-simpson-eatmyshorts";

     $s = "air";
     $regex = "#\/path\/to\/file\/([^$]+)#";
     $userregex = "#^\w+-\w+-(.*".$s.".*)$#";

     $userKey = array_filter($filepaths, function($e) use ($s,$regex,$userregex){
         // pull the "first-last-username" part off the path
         if(!preg_match($regex, $e, $m)) return false;
         // keep the entry only when the username part contains the search string
         if(!preg_match($userregex, $m[1], $o)) return false;
         return strpos($o[1],$s)+1;
     });
     $key = key($userKey);
     echo "The key is: " . $key . "<br>" . $filepaths[$key];
     ?>

     That would give you
  8. There's no black and white way of answering this. You pick your method for security (hashing, encrypting, obfuscating, etc, all of the above) and basically cross your fingers; keep an eye out in your logs for intrusions/breaches. It's a full time job in itself. Lately, large corporations have been breached and they most likely have a team to handle security, yet the corporations were breached anyway. Experian, Capital One, Adobe, Equifax, and on and on. These are corporations that maintain tens of millions of very very sensitive PII. There will always be someone (even multiple people) out there that can breach a security setup if they so please. So, to ask what the "best" method is, is just.. so gray of an area to get into that I can't really explain it. Also, for the record, you should just not store credit card information, like ever. That's a big liability to take on, a lot of responsibility. There are online merchant providers that can handle that kind of stuff, like Authorize.net. Let someone else host that stuff. If I were in your shoes, I wouldn't be dabbling and experimenting with security on a production level for things like credit cards, SSNs, etc... If you're wanting to get a firm grasp on the intrinsic minuscule details and drawbacks, create a "secure" environment, and try to hack it yourself. It's the only real way that you're going to get such a grasp that you seek on cryptography. Just like learning a new language (spoken or programming), you need complete immersion to catch on quickly. Otherwise, you may spend a decade or two just asking questions on online forums until you believe you're satisfied with what you know. Anyway, as requinix has said, just use password_hash(), use salts, use "random" numbers. The idea is to take some piece of data, and run it through an irreversible algorithm that creates the hash. Then, to verify data, push the input through the same algorithm to see if it results in the same hash.
  9. I don't think requinix could have put it any better. Unless you're doing a master thesis on this stuff, there's really no point in asking such questions. There isn't so much one that is "better" than the other, they're just tools. It's up to the developer/engineer to use them as they see fit. MD5 has its bad rap, but perhaps someone needs it for whatever reason. If I asked you what the best hammer to use for 2019, then you would get a myriad of answers and opinions.
  10. So, if I'm understanding correctly, you have this HTML

      <p>This is my question 1,</p><p>This is my question 2,</p><p>This is my question 3,</p><p>This is my question 4,</p>

      And you want to turn it into this?

      Array
      (
          [0] => "This is my question 1"
          [1] => "This is my question 2"
          [2] => "This is my question 3"
          [3] => "This is my question 4"
      )

      If that's the case, then you can just load it into a DOMDocument, something like this.

      $dom = new DOMDocument;
      $dom->loadHTML("<p>This is my question 1,</p><p>This is my question 2,</p><p>This is my question 3,</p><p>This is my question 4,</p>");
      $paragraphs = $dom->getElementsByTagName('p');
      $paragraph_values = array();
      foreach ($paragraphs as $p) {
          $paragraph_values[] = $p->nodeValue;
      }
  11. @Chrisj What have you tried so far? It sounds like you're just grasping for an understanding of how to do what you're wanting to do with no knowledge of how to use the guidance given to you. It's as if you're asking us how to fly a rocket-ship, yet you have no rocket-ship at all. Or, how do I use a book binder without even owning one. There's no substance anymore to your questions. What is hashing? Hashing is when you take an object (a string, an array, a file, etc) and run it through an algorithm that returns a 32 character garbled string of "random" letters and numbers. It's irreversible. Well, there are ways of speculating what the hash came from, but that's an entirely different realm -- security. Anyway, try something first and then come back telling us what you've tried. At that point you should be able to ask a clearer and less broad question.
  12. The viewer may have taken off their glasses or been stabbed in the eyes. Perhaps the cat walked in front of the computer screen.
  13. Define "no longer being watched". The video ending is pretty clear, but not being watched could be a number of things.

      No longer in window scroll view
      Video has been stopped
      Video has been paused

      How are you streaming this mp4? Through an HTML5 player? Or, do you have a specialized library for outputting the video to a specific third-party video player? Or, perhaps your own roll-your-own version of a video player? In any case, these events should be available from the video player itself. PHP is just going to grab the mp4 and output it for the video player to use.
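Posts 8 and 11 above describe hashing as "run the data through an irreversible algorithm, then push the input through the same algorithm to see if it results in the same hash", and post 8 points at password_hash(). The following is an added example for this page, not code from any of the posts, showing both halves of that: a password stored with password_hash() and checked with password_verify(), and a plain integrity digest for arbitrary data compared with hash_equals(). The passwords and the sample document are constructed values.

```php
<?php
// Added example (not from the thread): what "run it through an irreversible algorithm,
// then run the input through it again to compare" looks like in PHP.
// The passwords and the sample document are constructed values.

// Registration: password_hash() picks a random salt and embeds it, the cost and the
// algorithm id in the returned string, so nothing else has to be stored alongside it.
function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// Login: the same input is hashed with the salt taken from the stored string and
// compared in constant time. Returns [ok, newHash]; newHash is non-null when the stored
// hash was made with weaker parameters than today's default and should be replaced.
function verifyPassword(string $password, string $storedHash): array
{
    if (!password_verify($password, $storedHash)) {
        return [false, null];
    }
    $newHash = password_needs_rehash($storedHash, PASSWORD_DEFAULT) ? hashPassword($password) : null;
    return [true, $newHash];
}

// Integrity digest of arbitrary data (a file, a string): deterministic, no salt, so the
// same input always gives the same digest. Compare digests with hash_equals(), not ==,
// so the comparison does not stop early at the first differing byte.
function digestMatches(string $data, string $expectedHex): bool
{
    return hash_equals($expectedHex, hash('sha256', $data));
}

$stored = hashPassword('hunter2');                 // what goes in the user_pass column
[$ok, $rehash] = verifyPassword('hunter2', $stored);
echo $ok ? "correct password accepted\n" : "correct password rejected?!\n";
if ($rehash !== null) {
    echo "stored hash should be upgraded to: $rehash\n";
}
[$bad] = verifyPassword('hunter3', $stored);
echo $bad ? "wrong password accepted?!\n" : "wrong password rejected\n";

// Two registrations with the same password yield different strings because of the salt;
// an unsalted md5 of the same password is identical every time, which is what lets a
// leaked table be matched against precomputed lists.
$again = hashPassword('hunter2');
echo $stored === $again ? "same hash\n" : "different hashes for the same password\n";
echo md5('hunter2') === md5('hunter2') ? "md5 is deterministic and unsalted\n" : "";

$doc = "constructed sample document";
$digest = hash('sha256', $doc);
echo digestMatches($doc, $digest) ? "digest ok\n" : "digest mismatch\n";
echo digestMatches($doc . '.', $digest) ? "digest ok\n" : "one changed byte changes the digest\n";
```

The two functions answer different questions: verifyPassword() answers "does the user know the secret" and is deliberately slow and salted, digestMatches() answers "is this data unchanged" and is deliberately fast and repeatable; using the fast one for passwords is the mistake the posts warn about.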
  14. You have any Firefox plugins installed maybe? That could be a culprit.
  15. //Generate the link
      $normalText = "this is just your average string with words and stuff";
      $hashedText = md5($normalText);
      // create the empty marker file named after the hash
      fclose(fopen($hashedText, 'w'));
      echo "<a href='validate.php?video={$hashedText}'>Link to the video</a>";

      This generates a file named 06d5f7c7c17f15f1b28374b16c64e38d, and a link to validate.php?video=06d5f7c7c17f15f1b28374b16c64e38d Then, on validate.php, you'd use the concept I put in my last post.
  16. You can use this regex to match internationally, even Japanese. /([\w '\-\p{L}]+)/u
  17. Wherever you generate your link to the video at, you'll need to add a hash to a database. The generated link should pass a GET parameter with the hash. http://mymp4.com?validate.php?video=40f677a45113eb829e345d278b8d1d31 Then, access your database and look for that hash. If it exists, delete it and output the video using the code that's already been provided in this post. That's probably the most minimalist way that I can think of. You could just skip the database altogether and store the hash in a txt file that's not publicly accessible. Same concept. Here's an example. In this case, the hash is the name of the file. A video will download the first time, but when you try to access it again with the same link, it fails.

      <?php
      $v = $_GET['video'] ?? null;
      if(file_exists($v)) {
          unlink($v);
          header('Content-type: application/mp4');
          header('Content-Disposition: inline; filename=video.mp4');
          readfile("./mytestvideoo.mp4");
      } else http_response_code(404);

      This isn't secure whatsoever, so I wouldn't just copy and paste this. People could essentially just type in the name of one of your files and it would be deleted.
  18. This should do it.

      <?php
      $text = <<<T
      Our final Beaver Fever Friday of the year was yesterday. What a show. It's always nice to get to know these seniors over their careers. Here are the interviews if you missed them:
      Christa Benson - Track <a href="http:///beaverradionetwork.com/audio/1011/brnpodcasts/BFF2019/ChristaBenson.mp3">Christa Benson - Track</a><br /><br />
      Cody Cook - MGolf <a href="http:///beaverradionetwork.com/audio/1011/brnpodcasts/BFF2019/CodyCook.mp3">Cody Cook - MGolf</a><br /><br />
      T;
      $text = preg_replace("/<a.+href=(\"|')([^\"']+)(\"|').+<\/a>/", "<audio controls> <source src=\"\\2\" type=\"audio/mpeg\"> </audio>", $text);
      echo $text;
      ?>
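Posts 15 and 17 above sketch a one-time video link (a marker file named after a hash, deleted on first use) and post 17 itself notes that passing the file name straight to unlink() lets a request delete any file. The following is an added example written for this page, not Zane's code, that keeps the same marker-file idea but closes that hole: the token comes from random_bytes() rather than md5 of a known string, it must match a strict pattern before it touches the filesystem, the marker store and the videos live in directories that are assumed to sit outside the web root (/var/app/video-tokens and /var/app/videos are assumptions, as is the file name intro.mp4), and the video path is never taken from the request.

```php
<?php
// Added example (not the post's code): a one-time video link that never lets the
// request choose which file is deleted or served. Directory names and "intro.mp4"
// are assumptions for this example.

const TOKEN_DIR = '/var/app/video-tokens';   // assumed: not served by the web server
const VIDEO_DIR = '/var/app/videos';         // assumed: not served by the web server

// Called wherever the link is generated: creates the marker file and returns the token.
function issueToken(string $videoName, string $tokenDir = TOKEN_DIR): string
{
    $token = bin2hex(random_bytes(16));          // 32 hex characters, unguessable
    $marker = $tokenDir . '/' . $token;
    // the marker holds only the video's basename, which is all the download step needs
    file_put_contents($marker, basename($videoName), LOCK_EX);
    return $token;
}

// Called from validate.php: consumes the token and returns the video's basename, or null
// when the token is malformed, unknown or already used.
function redeemToken(?string $token, string $tokenDir = TOKEN_DIR): ?string
{
    if ($token === null || !preg_match('/^[a-f0-9]{32}$/', $token)) {
        return null;                             // anything but 32 hex chars never reaches the disk
    }
    $marker = $tokenDir . '/' . $token;
    if (!is_file($marker)) {
        return null;
    }
    $videoName = trim((string)file_get_contents($marker));
    // delete before serving, so a repeated request with the same token finds nothing
    if (!unlink($marker)) {
        return null;
    }
    return basename($videoName);
}

function serveVideo(string $videoName, string $videoDir = VIDEO_DIR): void
{
    $path = realpath($videoDir . '/' . basename($videoName));
    // realpath() resolves symlinks and "..", so confirm the result is still under $videoDir
    if ($path === false || strpos($path, realpath($videoDir) . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(404);
        return;
    }
    header('Content-Type: video/mp4');
    header('Content-Disposition: inline; filename="video.mp4"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

// Demo with temporary directories standing in for the assumed /var/app paths.
$tokenDir = sys_get_temp_dir() . '/tokens-' . getmypid();
$videoDir = sys_get_temp_dir() . '/videos-' . getmypid();
mkdir($tokenDir, 0700);
mkdir($videoDir, 0700);
file_put_contents($videoDir . '/intro.mp4', 'constructed stand-in for video bytes');

$token = issueToken('intro.mp4', $tokenDir);
echo "link: validate.php?video=$token\n";
var_dump(redeemToken($token, $tokenDir));               // first use of the token
var_dump(redeemToken($token, $tokenDir));               // second use of the same token
var_dump(redeemToken('../../not-a-token', $tokenDir));  // malformed value, nothing is deleted
```

In validate.php the three pieces chain as `$name = redeemToken($_GET['video'] ?? null); $name === null ? http_response_code(404) : serveVideo($name);`. Because the marker is removed before the bytes are sent, a second request with the same link gets a 404 even if the first download is still in progress; if downloads are expected to be retried, keep the marker and record a "used at" timestamp instead.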
  19. /^(.+),\W?([A-Z]{2})\W?(\d{5})$/g
  20. Well, then, if that's the case, you can use regular expressions to extract the value from the alt tags of the image tags. /<img.*alt=["']([^"']+)["']/gm https://regex101.com/r/26vszE/1 Though, that regex won't work right if the filename has an apostrophe or double quotes. Anyway, that's what I'd use to extract all of the image filenames in the alt tags of incoming HTML. Storing the incoming HTML in a BLOB column shouldn't be an issue. Store it encoded and decode it when you take it out. Not hash it. Hashing is another thing altogether.
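Post 20 above notes that the alt-extracting regex breaks when the filename contains an apostrophe or double quotes, and post 10 earlier already used DOMDocument for a similar extraction. The following is an added example for this page, not code from either post, that reads the alt attributes with the HTML parser (entities decoded, quoting handled) and runs a regex of the post's shape over the same constructed sample so the difference is visible.

```php
<?php
// Added example (not from the thread): pull every <img> alt value out of incoming HTML
// with DOMDocument instead of a regex, so filenames containing apostrophes or double
// quotes come out intact. The HTML below is a constructed sample.

function extractImageAlts(string $html): array
{
    $dom = new DOMDocument();
    libxml_use_internal_errors(true);               // tolerate sloppy, real-world markup
    // the XML prolog tells the HTML parser the bytes are UTF-8
    $dom->loadHTML('<?xml encoding="UTF-8">' . $html, LIBXML_NOWARNING | LIBXML_NOERROR);
    libxml_clear_errors();

    $alts = [];
    foreach ($dom->getElementsByTagName('img') as $img) {
        if ($img->hasAttribute('alt')) {
            $alts[] = $img->getAttribute('alt');  // entities such as &quot; are already decoded
        }
    }
    return $alts;
}

// A regex of the shape used in the post, for comparison on the same input.
function extractImageAltsRegex(string $html): array
{
    preg_match_all('/<img.*alt=["\']([^"\']+)["\']/m', $html, $m);
    return $m[1];
}

// Constructed sample: one plain name, one with apostrophes, one with encoded double
// quotes, and one image without an alt attribute at all.
$sample = "<div>\n"
    . "<img src=\"/img/1.jpg\" alt=\"sunset.jpg\">\n"
    . "<img src=\"/img/2.jpg\" alt=\"O'Neil's photo.jpg\">\n"
    . "<img src=\"/img/3.jpg\" alt=\"say &quot;cheese&quot;.png\">\n"
    . "<img src=\"/img/4.jpg\">\n"
    . "</div>";

echo "DOMDocument:\n";
print_r(extractImageAlts($sample));
echo "regex:\n";
print_r(extractImageAltsRegex($sample));
```

On the sample the parser returns the three alt values as the author wrote them, while the regex truncates the second at the first apostrophe and returns the third with its `&quot;` entities still encoded. The same DOM approach is the safer base if the extracted names are later used to build file paths or markup, since the values are already plain text rather than raw attribute source.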
  21. The more you reply with details the more it makes me understand that you're trying to extract the images from incoming HTML. Am I correct on this?
  22. What you do is maintain a normalized database. In other words, have a table for anything that you'd consider to be an important chunk of data. For instance, attachments. Ideally, you'd have an attachments table in your database. Within this table, you want to put as much about each attachment as you can, as columns (table fields), with the ultimate goal being to have only one single unique row per attachment. One attachment cannot be another. Here's a rundown of what I think you're looking at for a table schema.

      id - you need a primary unique identifier for every attachment
      email - Which email is this an attachment of? You'd put an id in here that correlates to a specific email in another table called "emails".
      image - Again, images are a good example of another good chunk of data. So, put an id of an image from another table called "images". This way you don't restrict images just to attachments. Images lives matter too. You could store everything about every image on your site in this table. You can even give it a label to use for whatever reason you'd need a name for the image that isn't the filename.
      filename - Obviously, this would just be a string containing the filename, and the filename only. You might decide to change your URL structure one day, or reorganize folders, so just keep the filename.

      That's probably the most fundamental minimum schema you'd have. Then, you have the emails and the images to store in their own separate tables. Again, bare minimum:

      Emails Table
      id - primary unique identifier for the email.
      user_id - Assuming you have a user management system set up, I'm willing to bet there is a unique identifier for every user. There's another table worth creating!
      destination_address - What is the email address this message was sent to?
      body - What is the message body of this email?
      sent - Is this message sent? Blink once for yes and zero times for no -- That's binary.
      send_date - When was this message sent? Use a UNIX timestamp so you can output the date precisely as you want to. Now, and in the future when you make decisions about change and stuff.

      For something like the "body" of an email, it's probably one of the few times it'd actually be logical to store HTML (that is encoded). It's not likely you're going to change the way an email looks that has been sent. For example, say you're on a mailing list for some site -- Site A. If, for whatever reason, Site A decides to change their mailing list format that is sent out, you'd still be able to look at older emails from the mailing list and see what they've changed. Then, when all the proper SQL queries have been executed by a server side language, such as PHP, you can use that same language (PHP) to dynamically generate HTML. Need a dropdown showing a list of all users? Create a function that'll generate a <select> tag with <option> tags for each user. Then, you just slap that sucker in whatever HTML you have set up and pretty it up with CSS.

      <div id="attachments">
          <div id="attachment_{$attachment_id}">
              <a href="{$attachment_filename}"><img src="somefolder/images/{$image_filename}" /></a>
          </div>
      </div>

      Where {$variable} is one of your PHP variables that contains the data you need. Look up Database Normalization on Google. Get a feel for how data should be treated. This is a decent article on it.
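Post 22 above lays out a minimum attachments/emails/images schema and a template that drops `{$attachment_filename}` and `{$image_filename}` straight into HTML. The following is an added example for this page, not Zane's code, that creates those tables in an in-memory SQLite database and renders the attachments block and the user `<select>` the post describes; the one thing it adds to the post's template is escaping, because filenames and user names are user-supplied data. Table and column names follow the post; the sample rows, the `attachments/` URL prefix and the generic-attachment.png placeholder icon are constructed.

```php
<?php
// Added example (not from the thread): the minimum emails/images/attachments schema from
// the post, plus the PHP that turns the rows into the <div id="attachments"> markup.
// Every value that lands in HTML goes through htmlspecialchars() and every value that
// lands in a URL through rawurlencode(), because filenames come from users too.
// Table names follow the post; the sample rows and file names are constructed.

function createSchema(PDO $db): void
{
    $db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)");
    // send_date holds a UNIX timestamp, as the post suggests
    $db->exec("CREATE TABLE emails (
        id INTEGER PRIMARY KEY,
        user_id INTEGER NOT NULL REFERENCES users(id),
        destination_address TEXT NOT NULL,
        body TEXT NOT NULL,
        sent INTEGER NOT NULL DEFAULT 0,
        send_date INTEGER
    )");
    $db->exec("CREATE TABLE images (
        id INTEGER PRIMARY KEY,
        filename TEXT NOT NULL UNIQUE,
        label TEXT
    )");
    $db->exec("CREATE TABLE attachments (
        id INTEGER PRIMARY KEY,
        email INTEGER NOT NULL REFERENCES emails(id),
        image INTEGER REFERENCES images(id),
        filename TEXT NOT NULL
    )");
}

function escape(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Renders the attachments of one email, escaping in the two places the raw
// {$attachment_filename} / {$image_filename} template would have needed it.
function renderAttachments(PDO $db, int $emailId): string
{
    $stmt = $db->prepare("SELECT a.id, a.filename, i.filename AS image_filename
                          FROM attachments a LEFT JOIN images i ON i.id = a.image
                          WHERE a.email = :e ORDER BY a.id");
    $stmt->execute([':e' => $emailId]);
    $html = "<div id=\"attachments\">\n";
    foreach ($stmt as $row) {
        $href = 'attachments/' . rawurlencode($row['filename']);
        $img  = $row['image_filename'] !== null
              ? 'somefolder/images/' . rawurlencode($row['image_filename'])
              : 'somefolder/images/generic-attachment.png';   // assumed placeholder icon
        $html .= sprintf("  <div id=\"attachment_%d\">\n    <a href=\"%s\"><img src=\"%s\" alt=\"%s\" /></a>\n  </div>\n",
            (int)$row['id'], escape($href), escape($img), escape($row['filename']));
    }
    return $html . "</div>\n";
}

// The <select>/<option> generator for "a dropdown showing a list of all users".
function renderUserSelect(PDO $db): string
{
    $html = "<select name=\"user_id\">\n";
    foreach ($db->query("SELECT id, name FROM users ORDER BY name") as $u) {
        $html .= sprintf("  <option value=\"%d\">%s</option>\n", (int)$u['id'], escape($u['name']));
    }
    return $html . "</select>\n";
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
createSchema($db);
// constructed rows; the odd characters are there to show the escaping at work
$db->exec("INSERT INTO users (id, name) VALUES (1, 'Bob <b>Villa</b>')");
$db->exec("INSERT INTO emails (id, user_id, destination_address, body, sent, send_date)
           VALUES (7, 1, 'someone@example.com', '<p>hi</p>', 1, " . time() . ")");
$db->exec("INSERT INTO images (id, filename) VALUES (3, 'thumb 01.png')");
$db->exec("INSERT INTO attachments (id, email, image, filename)
           VALUES (1, 7, 3, 'report.pdf'), (2, 7, NULL, 'odd \"name\" <draft>.txt')");
echo renderAttachments($db, 7);
echo renderUserSelect($db);
```

The query does the joining, so the rendering function only formats; that keeps each table's data in one place, which is what the normalization the post recommends buys you, and keeps the escaping in one function instead of scattered through templates.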
  23. I don't understand from your code: Which part contains the image tag? Or, do you just have a column for filenames or something and want to create a relative URL for it?
  24. Welcome to the forums, Sheen! If you're going to be working with POSs, be prepared to learn to interact with APIs, which means you're going to need to also grasp Object Oriented Programming.