
anatak

Members
  • Posts: 408
  • Joined
  • Last visited
Profile Information

  • Gender
    Not Telling
  • Location
    Japan, Fukuoka prefecture, Kitakyushu City

anatak's Achievements

Advanced Member (4/5)

Reputation: 0

  1. > For the record: Client-side hashing in addition to bcrypt hashing on the server does have a small benefit for the user, because it conceals their original password choice. If the same password is used on different websites, then an attacker who obtains the SHA-512 hash at least won't get free access to those other sites. But they do get access to your site. And as already explained, SHA-512 doesn't provide much protection, anyway. On the other hand, I don't tell visitors anything about an e-mail address. All I do is send a message to the address so that the owner knows if they're registered. This does not create any security risk at all. If the address is not registered, then I only tell the user exactly that: “Sorry, this e-mail address is not registered in our system. Maybe you've used a different address?” Of course this does mean that my application might occasionally send unwanted e-mails to people who have nothing to do with my site. But every registration procedure has the exact same problem: Anybody can enter an arbitrary e-mail address, and then this person will get a message about their registration. There's not much we can do about that.

     I think I misunderstood your original explanation. If a user enters an email address to receive a new token to reset his password, you don't give any feedback on the site itself. Then I understand the use of your logic. I will probably copy that. Traffic of the site goes over HTTPS, so I never really understood the use of hashing a password. I will probably use the logic you posted in the other thread. Thanks for the discussion. Not a lot of people I can talk about that with in my area.
  2. Yes, I read the other thread and I agree with your position. I have one question. How do you send the password information from the user to the server? And is this really needed when I use HTTPS? At the moment the password is hashed with sha512 and then sent to the server. Server side the password is salted and stored in the database. I will look into password_hash() to encrypt the password.

     By sending an email when the address is not in the database and explaining that it does not exist in the database, you do the same as I do but with an extra step of sending an email to an address that might not exist or is in the hands of someone with bad intentions. I am sorry but I don't see the difference between your method of sending an email anyway and explaining the email address does not exist, and displaying a message saying the email address does not exist. Would you care to elaborate why you prefer your method?
  3. Thank you for the link. I did not read it till the end but I am pretty sure it is what I was looking for but did not find, since my search terms were different. If the email does not exist the user will get the message that the inputted email is not recognized and will be asked to input his email address again and make sure that there are no mistakes. Passwords and tokens are run through sha512 and salted in the database. Thanks again.
  4. What would be a good way to reset a password? I was thinking:

     1. User requests the reset password page, or after a faulty login suggest the reset password page.
     2. Fill in email address.
     3. Check if email address exists.
     4. If address exists, insert a random key into database.
     5. Create a password reset URL with the random key and send it to the registered email address.
     6. After user clicks the URL in the mail, use $_GET to retrieve the random key from the password reset URL.
     7. Check if the URL exists in the database.
     8. Let user choose a new password.
     9. Check that password strength is valid.
     10. Encrypt password.
     11. Write password in DB.
     12. Confirm page that the password has been changed.

     Are there any obvious mistakes in this logic? This application will be aimed at 70-80 year old people so it has to be as easy to use as possible. Security questions and captchas will not really be possible, I am afraid. Thank you very much, anatak
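The twelve steps above as an added PHP example (not anatak's code or anything posted in the thread): the random key is stored only as a hash (SHA-256 here) with an expiry and is deleted on use, the new password goes through password_hash(), and an unknown address yields the same page text as a known one. The table names, the example.com URL, the constructed user row and the in-memory SQLite database are assumptions so the script runs stand-alone.

```php
<?php
// Added example, not code from the thread: the reset flow with a hashed, expiring,
// single-use key and password_hash() for the new password. Table and column names,
// the example.com URL and the in-memory SQLite database are assumptions.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, pw_hash TEXT)');
$db->exec('CREATE TABLE reset_tokens (user_id INTEGER, token_hash TEXT UNIQUE, expires_at INTEGER)');
$db->prepare('INSERT INTO users (email, pw_hash) VALUES (?, ?)')
   ->execute(['alice@example.com', password_hash('old-password', PASSWORD_DEFAULT)]); // constructed user

// Steps 2-5: look up the address and store only a SHA-256 of the random key, so a copy of the
// table does not hand out usable reset links. Returns the URL to mail, or null if unknown.
function createResetUrl(PDO $db, string $email): ?string {
    $st = $db->prepare('SELECT id FROM users WHERE email = ?');
    $st->execute([$email]);
    $userId = $st->fetchColumn();
    if ($userId === false) {
        return null; // the page still shows the same "check your mail" text, as discussed in the thread
    }
    $key = bin2hex(random_bytes(32));                      // 256-bit unguessable key
    $db->prepare('INSERT INTO reset_tokens VALUES (?, ?, ?)')
       ->execute([$userId, hash('sha256', $key), time() + 3600]); // valid for one hour
    return 'https://example.com/reset.php?key=' . $key;
}

// Steps 6-11: the key from $_GET['key'] is hashed and looked up; the row is deleted on use.
function completeReset(PDO $db, string $key, string $newPassword): bool {
    if (strlen($newPassword) < 12) {
        return false; // step 9: minimum length checked before anything touches the database
    }
    $st = $db->prepare('SELECT user_id FROM reset_tokens WHERE token_hash = ? AND expires_at > ?');
    $st->execute([hash('sha256', $key), time()]);
    $userId = $st->fetchColumn();
    if ($userId === false) {
        return false; // unknown, expired or already-used key
    }
    $db->prepare('DELETE FROM reset_tokens WHERE user_id = ?')->execute([$userId]); // single use
    $db->prepare('UPDATE users SET pw_hash = ? WHERE id = ?')
       ->execute([password_hash($newPassword, PASSWORD_DEFAULT), $userId]);          // steps 10-11
    return true;
}

// Demo: the mail would carry $url; here the key is pulled back out of it as the click would.
$url = createResetUrl($db, 'alice@example.com');
parse_str((string) parse_url($url, PHP_URL_QUERY), $q);
var_dump(completeReset($db, $q['key'], 'correct horse battery staple')); // first use of the key
var_dump(completeReset($db, $q['key'], 'correct horse battery staple')); // same key a second time
```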
  5. I am developing a site where all the user data is in a separate folder. The idea is to not have to access the database with the user data. The account page will include the user data from the user that is logged in. The problem however is that you can access all the user data by browsing to the right URL. My folder setup is now:

     /DocumentRoot
       public_html
       scripts
       user_data

     By browsing to mydomain.com/user_data/user_1/account_1.inc the user data is displayed as a regular text file. The same thing is true for the scripts folder. By placing the user_data and scripts folder outside DocumentRoot, access is denied to the user_data and scripts folder, but then PHP can not include the needed files. Is there some way to let PHP access the files in the user_data and scripts folders but in such a way that you can not access the files from a browser?
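An added example (not anatak's code) of the usual answer to the question above: keep user_data and scripts one level above DocumentRoot, reach them from PHP with a path relative to __DIR__, and let only the session decide which user's folder is read. The /var/www/site layout, the helpers.php file and the session key user_id are assumptions.

```php
<?php
// Added example, not code from the thread. Assumed layout, with only public_html served:
//   /var/www/site/public_html   <- DocumentRoot (this script lives here)
//   /var/www/site/user_data/user_<id>/account_<id>.inc
//   /var/www/site/scripts/helpers.php
// PHP can read any file its process user may read; the web server only serves DocumentRoot.
define('PRIVATE_ROOT', realpath(__DIR__ . '/..'));   // one level above DocumentRoot
define('USER_DATA_DIR', PRIVATE_ROOT . '/user_data');

require PRIVATE_ROOT . '/scripts/helpers.php';       // assumed helper file, no longer reachable by URL

// Resolve the account file for a user id. The id is an int and the resolved path is checked
// against USER_DATA_DIR, so user 1 cannot read user 2's file by editing a request parameter.
function accountFileFor(int $userId): ?string {
    $real = realpath(USER_DATA_DIR . "/user_$userId/account_$userId.inc");
    if ($real === false || strpos($real, USER_DATA_DIR . '/') !== 0) {
        return null; // missing, or resolved to somewhere outside the user_data tree
    }
    return $real;
}

session_start();
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Please log in first.');
}
$file = accountFileFor((int) $_SESSION['user_id']);   // never taken from $_GET
if ($file === null) {
    http_response_code(404);
    exit('No account data found.');
}
include $file; // parsed by PHP here; a browser request for /user_data/... is answered by the web server with 404
```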
  6. I am trying to use the phpmailer class to send a mail from a webform. I will substitute my mail server name with mail.example.com. I am getting these errors:

     SERVER -> CLIENT:
     CLIENT -> SERVER: EHLO localhost
     SERVER -> CLIENT:
     SMTP ERROR: EHLO command failed:
     SMTP NOTICE: EOF caught while checking if connected
     SMTP connect() failed.
     Mailer Error: SMTP connect() failed.

     I am trying to connect to my server and not to localhost. I changed the /etc/php5/apache2/php.ini on a debian system to

     SMTP = mail.example.com
     ; http://php.net/smtp-port
     smtp_port = 465

     and then restarted apache with /etc/init.d/apache2 restart. Here is the code:

     //Create a new PHPMailer instance
     $mail = new PHPMailer();
     //Tell PHPMailer to use SMTP
     $mail->isSMTP();
     //Enable SMTP debugging
     // 0 = off (for production use)
     // 1 = client messages
     // 2 = client and server messages
     $mail->SMTPDebug = 2;
     //Ask for HTML-friendly debug output
     $mail->Debugoutput = "html";
     //Set the hostname of the mail server
     $mail->Host = "mail.example.com";
     //Set the SMTP port number - likely to be 25, 465 or 587
     $mail->Port = 465;
     //Whether to use SMTP authentication
     $mail->SMTPAuth = true;
     // Enable encryption, "ssl" also accepted
     $mail->SMTPSecure = "tls";
     //Username to use for SMTP authentication
     $mail->Username = "mailer@example.com";
     //Password to use for SMTP authentication
     $mail->Password = "mailerpassword";
     //Set who the message is to be sent from
     $mail->setFrom('mailer@example.com', 'Mailer do not reply');
     //Set an alternative reply-to address
     //$mail->addReplyTo('replyto@example.com', 'First Last');
     //Set who the message is to be sent to
     $mail->addAddress('receive@example.com', 'receive');
     //Set the subject line
     $mail->Subject = 'PHPMailer SMTP test';
     $mail->Body = 'mailer body test: ';
     //send the message, check for errors
     if (!$mail->send()) {
         echo "Mailer Error: " . $mail->ErrorInfo;
     } else {
         echo "Message sent!";
     }

     Any help is appreciated.
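An added example (not anatak's code) on the one setting in the post worth double-checking: in PHPMailer, SMTPSecure "ssl" means TLS from the first byte (SMTPS, normally port 465) and "tls" means a clear-text EHLO followed by STARTTLS (normally port 587); pairing a port with the other mode leaves the client and server waiting for different things. The helper below derives the mode from the port and refuses to send a login over a port with no TLS mode. PHPMailer 6 via Composer, the hostnames and the SMTP_PASSWORD environment variable are assumptions.

```php
<?php
// Added example, not code from the thread: pick PHPMailer's SMTPSecure value from the port,
// and do not send credentials at all when no TLS mode is known for that port.
// Assumes PHPMailer 6 installed with Composer; hosts and addresses are placeholders.
use PHPMailer\PHPMailer\PHPMailer;

require __DIR__ . '/vendor/autoload.php';

function configureSmtp(PHPMailer $mail, string $host, int $port, string $user, string $pass): void {
    $mail->isSMTP();
    $mail->Host = $host;
    $mail->Port = $port;
    switch ($port) {
        case 465:
            $mail->SMTPSecure = 'ssl'; // implicit TLS: handshake first, SMTP banner only after it
            break;
        case 587:
            $mail->SMTPSecure = 'tls'; // STARTTLS: EHLO in the clear, upgrade before AUTH
            break;
        default:
            throw new InvalidArgumentException("port $port: no TLS mode known, refusing to send credentials");
    }
    $mail->SMTPAuth = true;
    $mail->Username = $user;
    $mail->Password = $pass;
    $mail->SMTPDebug = 0; // the debug transcript prints the whole exchange; keep it off outside testing
}

$mail = new PHPMailer(true); // throw on failure instead of returning false
configureSmtp($mail, 'mail.example.com', 465, 'mailer@example.com', getenv('SMTP_PASSWORD') ?: '');
$mail->setFrom('mailer@example.com', 'Mailer do not reply');
$mail->addAddress('receive@example.com', 'receive');
$mail->Subject = 'PHPMailer SMTP test';
$mail->Body = 'mailer body test';
$mail->send();
```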
  7. I am building a site where people can order something. Then the order will be stored in a MySQL DB. I would like to track the status of the transaction: ordered or executed. Ordered would mean that the customer ordered something but the transaction has not been processed yet; executed would mean that the customer's transaction has been executed. I wonder what is the best way to do this? My initial idea was to have a table orders with an order date (the date / time we receive the order), an execution date (date / time we completed the order) and a boolean field to decide if the order has been executed or not. Any better designs for this?
  8. Use explode():

     $string = 'John|Doe|222 Thames Way|City|ON|X0X0X0|4512121214147878|/|456';
     $array = explode("|", $string);

     http://jp2.php.net/manual/en/function.explode.php
  9. Because you have to delete the file from the path on your file system instead of the URL?
  10. I am trying to make a navigation menu with ajax. I can get the URL to change when I use the link tag <a>, and then I can also use back buttons in the browser, OR I can get the button to be shown depressed when I use the button tag. Is there some way to have a navigation menu that

      - shows which button / link you have clicked to show the active page,
      - supports the back button in the browser, and
      - when copy-pasting a link into the browser address bar will show the correct content?

      I can not find a way to combine the three requirements at the moment.
  11. thank you will look into that.
  12. I read a basic ajax tutorial and could get it to work more or less. All the files that the ajax loads are .html files. The Ajax index file is also a .html file. Will it be possible to load php files with ajax? And is it also possible to have an index.php file instead of the current index.html file? I would like to have a login page, and after logging in the site should track the session. The login page will have to display a message if the user is already logged in or made a mistake in logging in (bad username / password combination). The login page would be the only php page that has to be loaded. If having to load 2 different types of pages (html and php) is not possible, are there any drawbacks at renaming all the html files into php files? Thank you.
  13. I wondered if there is a date variable I can use in the file name where the database will be saved. @DATABASE@ is for the name, so does anybody know if there is a DATE variable that I could enter in the filename?
  14. thank you very much. Comprehension is slowly dawning.
  15. Can someone point me to a good tutorial that explains the basic syntax of arrays? I know how to use foreach($array AS $var){ } but I don't really know what the syntax is supposed to mean. What does the => mean in ($array AS $var => $value){}? I keep running into basic problems with arrays and I am trying to understand how to manipulate arrays. The problem is that I can get things more or less working without really understanding what I am doing. Thank you very much.