General Questions



#1 Ninjakreborn
  • Members
  • Information Technology Specialist
  • 3,922 posts
  • Age: 33

Posted 08 June 2006 - 03:00 PM

This is the time of year where I calculate all the things in PHP I do not understand, and ask for help from people I trust know the answer, and who have helped me this long time. I have come a long way towards mastering PHP/SQL, using MySQL and other things. I have noticed I am particularly interested in 2 things, so I spent a very long time studying these: I am very good with PHP security and performance. Now all I need to do is get better with actually working with PHP and utilizing it. Here are some questions I couldn't find answers to, which might allow me to step over that learning curve I have been trying to work over for so long.
If you have the answer to one I would be happy to hear it; anything that would help or point me in the right direction would be greatly appreciated.

1. OK, I know about 3 files that I want to totally learn about: how to use them and how to control them. The .htaccess, the php.ini, and the httpd.conf. I found a great tutorial here on PHP Freaks to help me answer ALL my questions on php.ini; it explains it very well, and the PHP manual has some good info on that. I wanted to study that soon, but does anyone have any idea where I can find decent/good resources on the others? I don't know where these originate, and searching for just the file extensions and related searches in Google brought up nothing.

2. One specific question I had was about httpd.conf: where do I get access to this file? Studying security I ran across some information, and I am trying to make it a habit to always change (and encourage clients to change) the Server Signatures and Server Tokens. I want to make this a habit but don't know where to access the file, or how to get access to it with web hosting companies.

3. OK, this is very important to me. I have run across some functions in a book, and triple cross-referenced them; the best practice I see would be to do this with everything, but I don't understand the process, and can't find any good resources on it to answer my specific questions. It's related to encryption and decryption like this.
Encryption
<?php
    // Seed the legacy RNG; mcrypt_create_iv() with MCRYPT_RAND draws from it
    srand((double)microtime()*1000000 );
    // Open Rijndael-256 in CFB mode
    $td = mcrypt_module_open(MCRYPT_RIJNDAEL_256, '', MCRYPT_MODE_CFB, '');
    // Fresh IV; it is not secret, but the decrypting side needs the same one
    $iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_RAND);
    $ks = mcrypt_enc_get_key_size($td);
    // Derive a key of the required length from the pass phrase
    $key = substr(sha1('Your Secret Key Here'), 0, $ks);

    mcrypt_generic_init($td, $key, $iv);
    $ciphertext = mcrypt_generic($td, 'This is very important data');
    mcrypt_generic_deinit($td);
    mcrypt_module_close($td);

    print $iv . "\n";
    print trim($ciphertext) . "\n";
?>
Decryption
<?php
    srand((double)microtime()*1000000 );
    $td = mcrypt_module_open(MCRYPT_RIJNDAEL_256, '', MCRYPT_MODE_CFB, '');
    $iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_RAND);
    $ks = mcrypt_enc_get_key_size($td);
    $key = substr(sha1('Your Secret Key Here'), 0, $ks);

    // Encrypt first so there is a ciphertext to decrypt in the same script
    mcrypt_generic_init($td, $key, $iv);
    $ciphertext = mcrypt_generic($td, 'This is very important data');
    mcrypt_generic_deinit($td);

    // Re-initialise with the same key and IV, then decrypt
    mcrypt_generic_init($td, $key, $iv);
    $plaintext = mdecrypt_generic($td, $ciphertext);
    mcrypt_generic_deinit($td);
    mcrypt_module_close($td);

    print $iv . "\n";
    print trim($ciphertext) . "\n";
    print trim($plaintext) . "\n";
?>

With this I want to get in the habit of ALWAYS encrypting all data before emailing form information or entering it into a database, and decrypting it, but I don't understand the how and when. Do I encrypt after validation, before emailing or databasing? If so, then when do I decrypt? If I encrypt before emailing, when it reaches the client's email address (the person I am working for) can he read it, or am I understanding this wrong? I really want to get this down and master it if this is helpful; if it's useless for that, then what can I use it for, what type of things?

4. I want to find more books. I have a few on Photoshop CS2, the JavaScript Bible newest version, and PHP in a Nutshell, which I am not happy with because it cut out everything from the online version that I needed. I want to find some really good books on JavaScript (not really, the JS Bible is good), PHP, SQL (MySQL or others), and especially some general databasing and web site security, anything. I really want to get better books. I could, yes, get them myself, "google" it or however, but I am wanting some personal advice from people who bought specific books and received very good usage from them.

5. If I fclose() a file inside a script, and lock it with flock() completely, will someone be able to open the file using a URL if it's live, or is that a good way to prevent people from getting to a part of the site? Like, I could flock() a db connection page, using like 3 other pages; isn't that like a triple lock to prevent people from opening it, or doing anything with it through a URL? Just a general inquiry, I don't know about this, I was just wondering; it was a theory.

6. This is really important to me; one thing I am trying to find out here is about opinions. What is better, honestly? I use external .php files with forms, and I can do it that way; I tried doing same-page, and it failed horribly, I completely sucked at it. I know that I love doing external when I am doing database connections, or whatever else, and when you click submit and it comes up with the errors, they click back and the information is still there without them having to retype the data. What I was wondering about this was: what are the pros and cons of each one, from personal opinions and perspectives? I know that I prefer the external because it gives me more room to play around, I can have more fun with fewer distractions, and if I decide to do some huge scripts or try to get fancy, I have plenty of room to do whatever I want. I also heard some people keep db connections in another file and include it; I tried this and didn't like it, it seemed just harder to use. I only like using 1 external file, but I wanted to learn how to do same-page when doing really small contact forms, because I thought it would be a lot quicker. 5 hours fighting with a same-page file, then I switched over to an external file and it worked perfectly. I don't see the point in going through the hassle.

7. The reason I don't understand classes is because they're always used as examples relating to people or real-life situations, but the bad thing about that is: when I see a dog/cat class, I can't create a dog/cat in a PHP function and use them. What can I do with that but print out bark, or meow? I can't make a cat materialize, and work with it and make it shit and piss, and meow with
shit()
piss()
meow()
I just don't understand how this works. How is a class utilized in a PHP file, for what kind of things? For instance, can a class come in when doing forms? If so, I mean, I read all the material given to me last time I asked, I have read through tons of tutorials and books, but when it comes to classes, I get nothing but real-world explanations. Once I understand the concept of how it relates to PHP I will have an easier time keeping up with it when referring to real-world scenarios.

8. Why are there so many ways to validate form information? What in fact is the right/wrong way, or are no ways right or wrong? I don't understand this at all. I do it the way you saw earlier in other posts; I tried wildteen88's way but always get errors around the foreach statement; I tried other methods seen on here, some of them worked but didn't match my style of coding. It didn't feel good, or fun, programming those, as compared to other ways I have tried. How do I find the right kinds for me? This has been puzzling me for quite some time.

9. Is it good to use Hardened PHP, the act of
Quote: "This is a set of patches to the PHP source code that make the task of hacking your server by exploiting PHP that much harder. Hardened PHP is not an official PHP project, and so cannot be relied upon to be as stable as the core PHP release, however it is just a set of minor patches and so isn't likely to affect stability at all."
(quoted from PHP in a Nutshell)
Is this something I need to be aware of, study, or try to implement on a regular basis, or should I avoid this? What is the point?

10. Is there a book out there that is
"JavaScript is to JavaScript Bible, as PHP is to whatever the book is."
I see the JS Bible and it has everything and anything I will ever want; I never will NEED another JavaScript book. I may get more for extra reading, but I'll never really need one. I want to find the same one for PHP, without it being the php.net manual, because I know not all of the functions are documented. I wanted a really good book for that, and so far haven't found anything: something in a book for when I am not working, or my wife is on the computer, and I don't feel like doing other things, so I can still study. I got everything from PHP in a Nutshell I could; I have reread it 4 times, on and off, and double-checked sections numerous times, but they stripped so much from the online version it's not even worth it.

11. OK, this is about the eval function. Quoting the book "PHP in a Nutshell" as it quotes the owner (or creator) of PHP, as him saying
Quote: Rasmus Lerdorf: "If eval() is the answer, you're almost certainly asking the wrong question."
With me seeing that, the book also comments
Quote: "That is, you should be able to achieve your goals without resorting to eval()."
With this being said, it is obviously trying to tell me, without an explanation, about eval() being bad, ineffective, or a security issue. What is the reason for him saying those things? Does anyone on here use eval()? What are the positives or negatives, and why is it so severe that the owner himself would comment on it specifically like that? If it was so bad, why doesn't he just remove it from the newer versions of PHP instead of letting it re-enter new versions, because by what he says it's not good to use.

12. The same with register_globals. I hate them, I always keep them off; if they're not off I force them off. But why didn't the creator just remove them in 4-5 when he found out? Within 2 years everyone would have upgraded their scripts.

13. Why are so many 3rd-party scripts insecure, as in they require register_globals on to use them? That prevents me from using most major third-party scripts. I even had osCommerce and Zen Cart tell me register_globals had to be set to on to be used. I just can't have that, forcing me to do something new every time.

14. Why is it that sometimes when I use empty() it works and sometimes I have to add a ! at the beginning? That confuses me.

15. Someone told me that using isset to pick up information on whether a form was submitted or not does not always work, and it's better to use if ($_POST['whateverbuttoniscalled'] == "")
instead of if (isset($_POST['whateverbuttoniscalled']));
Is this true, or was he just a dumbass that needed to re-learn PHP? The reason I ask is because this is the way I learnt and he criticized me for it. Also he disagreed that register_globals being on was a security issue; I went past him to his boss and talked him into changing the servers anyway. Where does he get those kinds of ideas? (Sorry, partially ranting and raving. And no, I am not a girl, I am a guy, I just get pissed sometimes.)

16. Is there a consideration for release of PHP 6, a release date, a beta release date? Does anyone here know anything that we might be able to expect from new releases?

17. Is MySQL 5 good enough for me to be able to utilize effectively, safely, and securely without too big of an issue?

18. Is it better to use PEAR DB when connecting to MySQL? Is it more or less secure? If so, is it part of the core language, or do I have to compile certain extensions?

Thanks for all the help I greatly appreciate it.

------

Business Website: http://www.infotechnologist.biz

Personal Website: http://www.joyelpuryear.com

Blog Site: http://www.realmofwriting.com
Services: Web development, application development, mobile development, and custom development. All services listed on my website.
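The question in item 3 is really about where the key lives: data encrypted on the server can only be read where that key is available, so the usual pattern is to encrypt before storing, keep the key out of the database, and decrypt at read time on the server. This added example (not code from the thread; it uses PHP's OpenSSL extension with AES-256-GCM instead of mcrypt, which has since been removed from PHP) shows that pattern, including storing the IV with the ciphertext and refusing to return garbage when the key is wrong or the stored blob was altered; the secret string, constants and function names are this example's own.

```php
<?php
// Added example: AES-256-GCM via ext/openssl (PHP >= 7.1 assumed).
// Every name here is this example's own, not something from the thread.

const CIPHER  = 'aes-256-gcm';
const IV_LEN  = 12;   // 96-bit nonce, the standard size for GCM
const TAG_LEN = 16;   // 128-bit authentication tag

// Derive a 32-byte binary key from the application secret. The secret
// stays on the server; that is why the client's mail reader cannot
// decrypt the data unless the key is shared with it some other way.
function derive_key(string $secret): string
{
    return hash('sha256', $secret, true);   // 32 raw bytes for AES-256
}

// Encrypt one value for storage. A fresh random IV is generated per
// call and packed in front of the tag and ciphertext, so the stored
// blob carries everything the decrypting side needs except the key.
function seal_value(string $plaintext, string $key): string
{
    $iv  = random_bytes(IV_LEN);
    $tag = '';
    $ct  = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, '', TAG_LEN);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct);
}

// Decrypt a stored blob. Returns null instead of garbage when the key is
// wrong or any byte of the blob was changed: GCM verifies the tag first.
function open_value(string $blob, string $key): ?string
{
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) < IV_LEN + TAG_LEN) {
        return null;
    }
    $iv  = substr($raw, 0, IV_LEN);
    $tag = substr($raw, IV_LEN, TAG_LEN);
    $ct  = substr($raw, IV_LEN + TAG_LEN);
    $pt  = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    return $pt === false ? null : $pt;
}

// Usage: derive the key on the server, seal the validated form value,
// store the blob in the database column, open it again at read time.
$key  = derive_key('Your Secret Key Here');   // placeholder, not a real secret
$blob = seal_value('This is very important data', $key);
var_dump(open_value($blob, $key));                      // original text
var_dump(open_value($blob, derive_key('wrong key')));   // wrong key: null

// Flip one bit of the stored blob: the tag check fails and null comes back
$raw = base64_decode($blob);
$raw[strlen($raw) - 1] = chr(ord($raw[strlen($raw) - 1]) ^ 0x01);
var_dump(open_value(base64_encode($raw), $key));
```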


#2 wisewood
  • Members
  • Advanced Member
  • 226 posts
  • Location: Rotherham, England

Posted 08 June 2006 - 03:22 PM

This should not really be in the php help forum.
wisewood: proven fact, I am both wise, and wooden.

#3 ober
  • Staff Alumni
  • Advanced Member
  • 5,337 posts
  • Location: East Coast, USA

Posted 08 June 2006 - 04:07 PM

Agreed... moved to misc.

1) htaccess should be easy to find info on. php.ini is pretty well documented... download and install PHP and just read through the document. httpd.conf is part of Apache. Repeat previous process.

2) yeah... already answered that.

3) don't know... don't care to dig into it right now.

4) I've bought a few books, but most of my learning has come from practice and online materials. I can't really give you a good book recommendation, but there are a few in a pinned topic in this board.

5/6) don't feel like getting into

7) I use classes for things that functions cannot handle. If you're ever going to create a page that uses a function for a lot of things, that's where a class is going to come in handy. Think of classes as very complicated functions and I think you'll start to come up with ideas. I use a class for my database functions, for a very detailed page that I use that does a lot of computation on the same thing over and over... etc. I got to the point of using classes when I was trying to create a function and I was sick of passing variables back and forth constantly.

8) Form validation can be a complete nightmare and there are plenty of ways to do it. None of them are fun to my knowledge.

9) As long as you or your server admin are keeping PHP up to date, you shouldn't really worry about this. You should definitely take care to implement your own security measures in your code, however.

10) See the book listing in the pinned topic.

11) It's not removed because of backward-compatibility. I don't use eval and I don't recommend anyone using it. STFW if you want a better explanation of why it's bad.

12) Again, backwards-compatibility. You can't force the world to upgrade, especially when software has been produced by people that may not even support it anymore.

13) They were written before the switch (aka they're old).

14) empty() is also another function I avoid. There are better and more secure ways to check your data.

15) I think I probably told you that. Using isset and checking for empty variables are completely different.

16) No, PHP5 is still in its infancy... I'm not aware of another version in the works.

17) yes.

18) You must have the PEAR library installed and working. See the PEAR thread in misc if you have any questions.

Info: PHP Manual


#4 Ninjakreborn

Posted 08 June 2006 - 04:33 PM

I appreciate the help so far; any other advice would be helpful as well. I was thinking that about isset. Honestly, ober, what do you recommend I use for now,
isset
or = ""
from now on? Is one more secure than the other, should I try and alternate, which do you normally use?
The other thing I wanted to say was sorry; from now on, with larger question sets I will put them in misc.



#5 wildteen88
  • Staff Alumni
  • Advanced Member
  • 10,482 posts
  • Location: UK, Bournemouth

Posted 08 June 2006 - 04:35 PM

2 - About accessing the httpd.conf file: most web hosts don't allow access to this file unless your client is on a dedicated server. You should use .htaccess for what you want to do, if the web host allows the use of .htaccess; not all do.

12 - The problem with web hosts is they insist on allowing backward compatibility, which means very few hosts will make the move to PHP5 or switch off register_globals. There are still hosts out there running PHP3! And the majority of web hosts use PHP4.

14 - isset and empty are completely different. isset checks the instance of the variable; it does not check the value of the variable. empty, on the other hand, checks the value of the variable and not the instance of the variable.

16 - Yes, there is going to be a new version, PHP6, but it won't be available until 2008 most likely. PHP6 will basically be a recode just like PHP5 was. Also, register_globals will be a thing of the past.



#6 ober

Posted 08 June 2006 - 04:53 PM

isset vs. == "" are 2 entirely different things... I thought I made that clear. isset checks to see if the variable has been created at all. checking to see if it is equal to an empty string just does exactly that.

Do you see the difference??



#7 Ninjakreborn

Posted 08 June 2006 - 05:14 PM

Yes, now I do. So I should rely on isset when I am checking something like 2 different submit buttons on the same form, and I should use = "" when it is just checking one, right?
Thanks for all the help so far, I really appreciate it.



#8 ober

Posted 08 June 2006 - 07:07 PM

You're right on the first part... but you use =="" to see if a field is empty or not.

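To put wildteen88's isset/empty distinction in #5 and ober's isset versus == "" point in #6 and #8 side by side, here is an added example (not code from the thread); the $post arrays are constructed to stand in for $_POST, and the field and button names are this example's own.

```php
<?php
// Added example: three different questions about a form field.
// Constructed arrays stand in for $_POST so this runs from the CLI.

// Was the field sent at all? True for "" and "0", false for a missing key.
// This is the safe first check: reading $post['email'] == "" on a form
// that was never posted raises an undefined-index notice.
function was_submitted(array $post, string $field): bool
{
    return isset($post[$field]);
}

// Present but left blank? Strict === '' so that a legitimate "0" counts
// as filled in; empty("0") returns true and would treat zero as blank.
function is_blank(array $post, string $field): bool
{
    return isset($post[$field]) && $post[$field] === '';
}

// Which of two submit buttons on one form was pressed. isset() is the
// right tool: the browser only sends the name of the button clicked.
function pressed_button(array $post): ?string
{
    foreach (['save', 'delete'] as $name) {
        if (isset($post[$name])) {
            return $name;
        }
    }
    return null;
}

// Case 1: the form was never posted (constructed: nothing in $_POST).
$nothing = [];
var_dump(was_submitted($nothing, 'email'), is_blank($nothing, 'email'));

// Case 2: posted with the field blank (constructed): set, but blank.
$blank = ['email' => '', 'save' => 'Save'];
var_dump(was_submitted($blank, 'email'), is_blank($blank, 'email'), pressed_button($blank));

// Case 3: a legitimate zero (constructed): empty() calls it empty,
// is_blank() does not, and the other button is detected.
$zero = ['qty' => '0', 'delete' => 'Delete'];
var_dump(empty($zero['qty']), is_blank($zero, 'qty'), pressed_button($zero));
```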


#9 Ninjakreborn

Posted 08 June 2006 - 07:10 PM

OK, that was a typo. At least I know what to use now. Thanks for all the help.
