[nycphp-talk] New Start for D'base and ASP.Net
rinaldy roy
rinaldy_roy at yahoo.com
Mon Aug 22 20:33:51 EDT 2005
Please advise how to start practising with databases for ASP.Net. What is the best tutorial website for that purpose? Thanks to you all, guys.
Rinaldy RM
talk-request at lists.nyphp.org wrote:
Today's Topics:
1. MD5 + Flash (-sry Boston)
2. Re: MD5 + Flash (Hans Zaunere)
3. OWASP 9/29 Save The Date (Thomas Brennan)
4. Re: Session basics (Billy Pilgrim)
5. Re: MD5 + Flash (csnyder)
----------------------------------------------------------------------
Message: 1
Date: Sun, 21 Aug 2005 13:23:30 -0500
From: "-sry Boston"
Subject: [nycphp-talk] MD5 + Flash
To: talk at lists.nyphp.org
Content-Type: text/plain; format=flowed
Hiya,
If you're over on WWWAC you've already seen this but I'm asking here
from another slant. I have no idea what I can or can't do withOUT
having to create/manage a mySQL db...my server will let me do this
easily enough but it's been over a year since I've thought of PHP or
mySQL and I don't want to get so distracted by the programming
mindset that I forget what I was doing in the first place (trying to
do some marketing).
Below is the process I'm trying to implement - step 5 is where I'm
fuzzy...I know I could definitely have the URL come back to a
PHP page that looks up the string in a db (and a very simple one,
I'm sure, since it's just a list) but I'd rather just have the URL come
back to the Flash file and do the checking from within the .swf,
with ActionScript - is that easier or harder? Since you guys all love
PHP and probably only half of you even like AS, I know it's a biased
answer I'll get :-) but try to be objective and not play favorites
on the languages here.
What I want to do:
(1) user gives me email address
(2) with a PHP script (free from http://www.allhype.co.uk/tools/md5/
and a very nice script actually!!) I MD5 their email address
(3) I send user a message (to validate the address works) that has
their MD5'd address as a link for them to come back and get what
they want
(4) user clicks unique query string in the email I've sent them
(5) I validate the string .....how/from where is the ??? :)
(6) if valid, give them the Flash file; if not, give them an error message
Any help much appreciated!
-sry
Sarah R. Yoffa
http://books.sarahryoffa.com/
books at sarahryoffa.com
*********************
Look for the exciting release of the newly-edited
THE PHOENIX SHALL RISE AGAIN
Coming to online booksellers - New Year's 2006.
*********************
------------------------------
Message: 2
Date: Sun, 21 Aug 2005 17:45:41 -0400
From: "Hans Zaunere"
Subject: Re: [nycphp-talk] MD5 + Flash
To: "'NYPHP Talk'"
Message-ID: <0MKp2t-1E6xdN3S4E-0001Lu at mrelay.perfora.net>
Content-Type: text/plain; charset="us-ascii"
talk-bounces at lists.nyphp.org wrote on Sunday, August 21, 2005 2:24 PM:
> Hiya,
>
> If you're over on WWWAC you've already seen this but I'm asking here
> from another slant. I have no idea what I can or can't do withOUT
> having to create/manage a mySQL db...my server will let me do this
> easily enough but it's been over a year since I've thought of PHP or
> mySQL and I don't want to get so distracted by the programming
> mindset that I forget what I was doing in the first place (trying to
> do some marketing).
>
> Below is the process I'm trying to implement - step 5 is where I'm
> fuzzy...I know I could definitely have the URL come back to a
> PHP page that looks up the string in a db (and a very simple one,
> I'm sure, since it's just a list) but I'd rather just have
> the URL come
> back to the Flash file and do the checking from within the .swf,
> with ActionScript - is that easier or harder? Since you guys all love
> PHP and probably only half of you even like AS, I know it's a biased
> answer I'll get :-) but try to be objective and not play favorites on
> the languages here.
>
> What I want to do:
>
> (1) user gives me email address
>
> (2) with a PHP script (free from http://www.allhype.co.uk/tools/md5/
> and a very nice script actually!!) I MD5 their email address
>
> (3) I send user a message (to validate the address works) that has
> their MD5'd address as a link for them to come back and get what they
> want
>
> (4) user clicks unique query string in the email I've sent them
>
> (5) I validate the string .....how/from where is the ??? :)
>
> (6) if valid, give them the Flash file; if not, give them an
> error message
You could do all of this with just Flash, etc. assuming Flash has MD5, as
I'm sure it does, but you'll be limited. If you want to track who has
downloaded what files, the browser they're using, etc. you won't be able to
do so without a DB.
There's also a security concern here. There's no way to know that the email
address you've gotten originally is the same as the one that's coming from
the link. Since you're not storing anything anywhere, you have no way to
keep persistent data. If I know that you're checking that an MD5 matches
the MD5 of the email address, I can pass you any MD5 I want, and it'll
validate.
H
------------------------------
Message: 3
Date: Sun, 21 Aug 2005 20:16:17 -0400
From: "Thomas Brennan"
Subject: [nycphp-talk] OWASP 9/29 Save The Date
Message-ID:
<1DA2AD8042527B4199C09042CFC0A94D18794B at jinx.datasafeservices.net>
Content-Type: text/plain; charset="US-ASCII"
I would like to provide you with advance notice and extend a special
invite for you to join us at the next Open Web Application Security
Meeting (OWASP) NJ Chapter meeting. The next event will be held on
September 29th at ABN AMRO in Jersey City (across from the PATH station)
- full details, speakers and RSVP information are located at the chapter
website online:
http://www.owasp.org/local/nnj.html
Currently on the September Agenda:
SPEAKER - OWASP - Topic: Review of OWASP Security Guide v2.0.1 Released
at BlackHat
SPEAKER - eEye Digital Security - Topic: Worm / Vulnerability Management
SPEAKER - Application Security - Topic: Database Attacks
SPEAKER - NitroSecurity - Topic: Analysis of Network Attacks
** You are encouraged to forward this email to others that you believe
would benefit from this non-profit, educational peer-to-peer networking
opportunity -- RSVP is required due to building security requirements
see: http://www.owasp.org/local/nnj.html for details.
At our November meeting we are looking forward to having NYPHP/Hans
Zaunere speak concerning PHP Security Issues
Enjoy the rest of your summer!
Thomas Brennan, CISSP, CFSO, MCSA, C|EH
DATA SAFE SERVICES
"Because Security is NOT the default"
831-B Route 10 East, Whippany NJ 07981
Tel: 973-795-1046 | Fax: 973-428-0293
Web: www.datasafeservices.com
------------------------------
Message: 4
Date: Sun, 21 Aug 2005 22:48:19 -0400
From: Billy Pilgrim
Subject: Re: [nycphp-talk] Session basics
To: NYPHP Talk
Message-ID: <6ee3253b050821194874c5ddf0 at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
On 8/19/05, Chris Shiflett wrote:
> Aaron Fischer wrote:
> > If the session has expired such as in browser close or timeout, the
> > bookmarked page won't be a liability as the session id in the URL won't
> > find a matching session id on the server.
>
> The server doesn't know when the browser is closed, so that part's not
> right. It is true that a session timeout (on the server side) offers
> some protection against this type of accidental hijacking.
A bookmarked session id might not result in a hijacked session, but
it's not a good idea to have session ids exposed and kept around like
that.
Consider another example: Someone is logged into a newspaper site and
sees an interesting article. The user copies the url (with session id)
and pastes it in an email to a friend. If the friend receives the
email quickly and the server has a long timeout, accidental session
hijacking could occur.
The primary reason to have a session id in the url is if the browser
doesn't support cookies, right?
------------------------------
Message: 5
Date: Mon, 22 Aug 2005 08:35:30 -0400
From: csnyder
Subject: Re: [nycphp-talk] MD5 + Flash
To: NYPHP Talk
Content-Type: text/plain; charset=ISO-8859-1
On 8/21/05, -sry Boston wrote:
> What I want to do:
>
> (1) user gives me email address
>
> (2) with a PHP script (free from http://www.allhype.co.uk/tools/md5/
> and a very nice script actually!!) I MD5 their email address
>
> (3) I send user a message (to validate the address works) that has
> their MD5'd address as a link for them to come back and get what
> they want
>
> (4) user clicks unique query string in the email I've sent them
>
> (5) I validate the string .....how/from where is the ??? :)
>
> (6) if valid, give them the Flash file; if not, give them an error message
>
> Any help much appreciated!
I think you have the purpose of the MD5 hash confused. In this case,
you want it to be an *unguessable* token that the user can bring back
to you to prove that they got your validation message, and
that they own the mailbox associated with the provided email address.
In other words, it should be random. If it's just the hash of their
email address, then an impersonator could easily generate the right
token and validate an address that isn't their own (as Hans pointed
out).
You will need some sort of DB -- MySQL or flat file or otherwise -- to
store the email address and the random token in the same record, so
that when the user clicks the link with the token in it, you can look
up the email and mark it valid.
--
Chris Snyder
http://chxo.com/
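To make Hans's and Chris's points concrete, here is an added example (not code from the thread or from any list member) that puts the md5(email) scheme next to the stored random-token scheme. The in-memory dict stands in for the MySQL table or flat file Chris mentions, and the address is a constructed sample.

```python
import hashlib
import secrets
from typing import Dict, Optional, Set

# Flawed scheme from the thread: the "token" is just md5(email) and nothing is stored.
def flawed_token(email: str) -> str:
    return hashlib.md5(email.lower().encode()).hexdigest()

def flawed_verify(email: str, token: str) -> bool:
    # Passes for anyone who can compute md5 of an address, mailbox owner or not:
    # the server never issued anything that the client has to prove it received.
    return flawed_token(email) == token

# Fixed scheme (Chris Snyder's advice): an unguessable random token stored in the
# same record as the address; only the link delivered to that mailbox carries it.
class PendingSignups:
    def __init__(self) -> None:
        # token -> email; stand-in for the DB or flat file the thread talks about.
        self._pending: Dict[str, str] = {}
        self.validated: Set[str] = set()

    def start(self, email: str) -> str:
        # 32 bytes from the OS CSPRNG -> 43-char URL-safe token; infeasible to guess.
        token = secrets.token_urlsafe(32)
        self._pending[token] = email.lower()
        return token  # goes into the emailed link and nowhere else

    def confirm(self, token: str) -> Optional[str]:
        # Single use: pop() removes the record, so a replayed or forwarded link fails.
        email = self._pending.pop(token, None)
        if email is None:
            return None
        self.validated.add(email)
        return email

def demo() -> dict:
    signups = PendingSignups()
    victim = "reader@example.com"  # constructed sample address
    # Flawed: a third party "validates" the victim's address without reading their mail.
    forged_ok = flawed_verify(victim, flawed_token(victim))
    # Fixed: the md5 of the address is not a stored token, so it is rejected...
    guess_ok = signups.confirm(flawed_token(victim)) is not None
    # ...while the issued token works exactly once.
    issued = signups.start(victim)
    first = signups.confirm(issued)
    replay = signups.confirm(issued)
    return {"forged_ok": forged_ok, "guess_ok": guess_ok, "first": first, "replay": replay}
```

In a real deployment the record would also carry an issue timestamp so stale tokens expire, and the lookup would be a keyed query against the stored token rather than a dict access.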
------------------------------
End of talk Digest, Vol 27, Issue 50
************************************