From jhise at ledcity.net Sat May 1 00:21:33 2010
From: jhise at ledcity.net (Jeremy Hise)
Date: Sat, 1 May 2010 00:21:33 -0400
Subject: [nycphp-talk] PHP Dynamic GET Variables , Do they exist?
In-Reply-To: <4BDB66B1.7080300@covenantedesign.com>
References: <4BDB66B1.7080300@covenantedesign.com>
Message-ID: <582f6a3f98a15cd4a6706015cdcdcb02.squirrel@webmail.ledcity.net>

I did your example, followed by:

Test

(my test page is called test.php)

And it worked.

The first thing I would do would be:

print(nl2br(print_r($_GET, true)));

And see what is actually stored in the $_GET array.

> Anthony Wlodarski wrote:
>> I don't think it is the version of PHP you are using; for example, from
>> my box:
>>
>> anthony at anthony-desktop:~$ php -v
>> PHP 5.2.10-2ubuntu6.4 with Suhosin-Patch 0.9.7 (cli) (built: Jan 6 2010 22:41:56)
>> Copyright (c) 1997-2009 The PHP Group
>> Zend Engine v2.2.0, Copyright (c) 1998-2009 Zend Technologies
>> anthony at anthony-desktop:~$ php -a
>> Interactive shell
>>
>> php > $_GET['abc'] = 'def';
>> php > $dynamic_vars['a']['b'] = 'abc';
>> php > echo $_GET[$dynamic_vars['a']['b']];
>> def
>> php > if(isset($_GET[$dynamic_vars['a']['b']])) {
>> php { echo $_GET[$dynamic_vars['a']['b']];
>> php { }
>> def
>>
>> As you can see I am on 5.2.10-2.
>>
>> -Anthony
>> ------------------------------------------------------------------------
>> *From:* CED
>> *To:* NYPHP Talk
>> *Sent:* Fri, April 30, 2010 8:32:24 PM
>> *Subject:* Re: [nycphp-talk] PHP Dynamic GET Variables , Do they exist?
>>
>> Chris Snyder wrote:
>> > On Fri, Apr 30, 2010 at 7:24 PM, CED wrote:
>> >
>> >> //GIVEN a page that is called with:
>> >> // $_GET['abc'] = 'def';
>> >> //CODED with:
>> >> $dynamic_vars['a']['b'] = 'abc';
>> >>
>> >> // NO WORKY
>> >> echo $_GET[ $dynamic_vars['a']['b'] ] ;
>> >>
>> >> // NO WORKY
>> >> if(isset($_GET[ $dynamic_vars['a']['b'] ])){
>> >> echo $_GET[ $dynamic_vars['a']['b'] ] ;
>> >> }
>> >> ?>
>> >>
>> >> What am I doing wrong?
>> >> (this is obviously for demonstration purposes only, the actual
>> >> variables have need for being stored in the manner that they are)
>> >>
>> >> -Ed
>> >
>> > Sample code works for me, php 5.3.2.
>> > ______________

From consult at covenantedesign.com Sat May 1 09:08:31 2010
From: consult at covenantedesign.com (CED)
Date: Sat, 01 May 2010 09:08:31 -0400
Subject: [nycphp-talk] PHP Dynamic GET Variables , Do they exist?
In-Reply-To: <582f6a3f98a15cd4a6706015cdcdcb02.squirrel@webmail.ledcity.net>
References: <4BDB66B1.7080300@covenantedesign.com> <582f6a3f98a15cd4a6706015cdcdcb02.squirrel@webmail.ledcity.net>
Message-ID: <4BDC27CF.9070709@covenantedesign.com>

Jeremy Hise wrote:
> I did your example, followed by:
>
> Test
>
> (my test page is called test.php)
>
> And it worked.
>
> The first thing I would do would be:
>
> print(nl2br(print_r($_GET, true)));
>
> And see what is actually stored in the $_GET array.
>
> [...]
>
> _______________________________________________
> New York PHP Users Group Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> http://www.nyphp.org/Show-Participation

That was it, the posting page wasn't passing any variables (it parses a few ini files)... thanks for the PHP101 refresher guys.

--
995 Maple Hill Road
Castleton, New York 12033
518-331-5061
Consult at CovenanteDesign.com

From yitzchak.schaffer at gmx.com Sat May 1 22:51:40 2010
From: yitzchak.schaffer at gmx.com (Yitzchak Schaffer)
Date: Sat, 01 May 2010 22:51:40 -0400
Subject: [nycphp-talk] Deploying PHP Applications
Message-ID: <4BDCE8BC.101@gmx.com>

> On Apr 29, 2010, at 1:35 PM, Jason Salsiccia wrote:
>> If your doc root is /var/www/html, have html be a symlink to current code.
>> /var/www/html -> /var/www/tag_XXXX

Perhaps this is obvious to many here, but I discovered this works wonders for vendor libraries like symfony - point the app's require statement to '/usr/local/lib/symfony-1.4', and symlink
/usr/local/lib/symfony-1.4 -> /usr/local/lib/symfony-1.4.4

That way you can download the new release of symfony (say 1.4.5), and just change the symlink & delete the old libraries. I don't remember what I was doing before, but it was a mess compared to this.

--
Yitzchak Schaffer
Systems Manager
Touro College Libraries
33 West 23rd Street
New York, NY 10010
Tel (212) 463-0400 x5230
Fax (212) 627-3197
Email yitzchak.schaffer at tourolib.org

Access Problems? Contact systems.library at touro.edu

From kkrutoi at gmail.com Sun May 2 00:56:16 2010
From: kkrutoi at gmail.com (Konstantin K)
Date: Sun, 2 May 2010 00:56:16 -0400
Subject: [nycphp-talk] Deploying PHP Applications
In-Reply-To: <4BDCE8BC.101@gmx.com>
References: <4BDCE8BC.101@gmx.com>

This is why sys admins use stow from gnu

On Saturday, May 1, 2010, Yitzchak Schaffer wrote:
>> On Apr 29, 2010, at 1:35 PM, Jason Salsiccia wrote:
>> If your doc root is /var/www/html, have html be a symlink to current code.
>> /var/www/html -> /var/www/tag_XXXX
>
> Perhaps this is obvious to many here, but I discovered this works wonders for vendor libraries like symfony - point the app's require statement to '/usr/local/lib/symfony-1.4', and symlink
> /usr/local/lib/symfony-1.4 -> /usr/local/lib/symfony-1.4.4
>
> That way you can download the new release of symfony (say 1.4.5), and just change the symlink & delete the old libraries. I don't remember what I was doing before, but it was a mess compared to this.
>
> --
> Yitzchak Schaffer
> Systems Manager
> Touro College Libraries
> 33 West 23rd Street
> New York, NY 10010
> Tel (212) 463-0400 x5230
> Fax (212) 627-3197
> Email yitzchak.schaffer at tourolib.org
>
> Access Problems? Contact systems.library at touro.edu

From leam at reuel.net Sun May 2 06:53:22 2010
From: leam at reuel.net (Leam Hall)
Date: Sun, 02 May 2010 06:53:22 -0400
Subject: [nycphp-talk] Deploying PHP Applications
References: <4BDCE8BC.101@gmx.com>
Message-ID: <4BDD59A2.7070303@reuel.net>

Actually, we use "ln -s". :)

Leam

Konstantin K wrote:
> This is why sys admins use stow from gnu
>
> On Saturday, May 1, 2010, Yitzchak Schaffer wrote:
>> [...]

From parthatr at gmail.com Sun May 2 08:55:43 2010
From: parthatr at gmail.com (Partha Sarathy)
Date: Sun, 2 May 2010 18:25:43 +0530
Subject: [nycphp-talk] Plagiarism Checker in PHP

Hi Friends,

I am developing a blogger website using PHP & MySQL, and I would like to add the feature of a Plagiarism Checker.

If anyone posts an article on my website, that article must be unique and original.

Could you please tell me or suggest how to develop a Plagiarism Checker feature, or send some useful articles / free APIs and so on?

Expecting your positive reply ......

Thanks in advance.

--
T.R.Parthasarathy
+919884117406
"You have to grow from the inside out. None can teach you, none can make you spiritual. There is no other teacher but your own soul." - Swami Vivekananda

From lists at zaunere.com Sun May 2 13:58:31 2010
From: lists at zaunere.com (Hans Zaunere)
Date: Sun, 2 May 2010 13:58:31 -0400
Subject: [nycphp-talk] Plagiarism Checker in PHP
Message-ID: <00aa01caea21$138cdee0$3aa69ca0$@com>

> Hi Friends,

Hi,

> I am developing a blogger website using PHP & MySQL, and I would like
> to add the feature of a Plagiarism Checker.
>
> If anyone posts an article on my website, that article must be unique
> and original.
>
> Could you please tell me or suggest how to develop a Plagiarism Checker
> feature, or send some useful articles / free APIs and so on?
Hmm, I think there is a recursion problem here - if we tell you, then you'd be plagiarizing our solution :)

> Expecting your positive reply ......

Seriously though, unless I'm missing something, I can't see how this would be possible. I suppose you could use techniques such as comparing the number of similar words between articles, but that's not really exact, and likely to have incorrect results. Plus, you're looking to do this plagiarism check across the whole Internet?

Even humans, who read different articles, have a hard time determining if something is actually plagiarized or not - I think doing it automatically is nearly impossible.

H

From mutazmusa at gmail.com Sun May 2 14:40:06 2010
From: mutazmusa at gmail.com (Mutaz Musa)
Date: Sun, 2 May 2010 14:40:06 -0400
Subject: [nycphp-talk] Plagiarism Checker in PHP
In-Reply-To: <00aa01caea21$138cdee0$3aa69ca0$@com>
References: <00aa01caea21$138cdee0$3aa69ca0$@com>

Actually turnitin.com, a website where students turn in schoolwork, checks for plagiarism and from what I understand does a pretty good job. They compare both student-to-student and student-to-literature. I'm not sure how they pull it off, probably a proprietary algorithm that tries to match student submissions against their database of content, where no match = no plagiarism. It seems like a mammoth task though. Turnitin.com actually crawls academic journals, books, etc. to populate their database.

If you're interested only in comparing submissions to your site against one another, that may be more manageable. If on the other hand you want to compare against online/print content in general, then that will prove a real challenge. Finally, if you have the money maybe you can register with turnitin.com - although my impression is that they're primarily for universities/colleges.

http://turnitin.com/static/index.html

Best,
Mutaz

On Sun, May 2, 2010 at 1:58 PM, Hans Zaunere wrote:
> > Hi Friends,
>
> Hi,
>
> > I am developing a blogger website using PHP & MySQL, and I would like
> > to add the feature of a Plagiarism Checker.
> >
> > If anyone posts an article on my website, that article must be unique
> > and original.
> >
> > Could you please tell me or suggest how to develop a Plagiarism Checker
> > feature, or send some useful articles / free APIs and so on?
>
> Hmm, I think there is a recursion problem here - if we tell you, then you'd
> be plagiarizing our solution :)
>
> > Expecting your positive reply ......
>
> Seriously though, unless I'm missing something, I can't see how this would
> be possible. I suppose you could use techniques such as comparing the
> number of similar words between articles, but that's not really exact, and
> likely to have incorrect results. Plus, you're looking to do this
> plagiarism check across the whole Internet?
>
> Even humans, who read different articles, have a hard time determining if
> something is actually plagiarized or not - I think doing it automatically
> is nearly impossible.
>
> H

From mutazmusa at gmail.com Sun May 2 14:42:05 2010
From: mutazmusa at gmail.com (Mutaz Musa)
Date: Sun, 2 May 2010 14:42:05 -0400
Subject: [nycphp-talk] Plagiarism Checker in PHP
References: <00aa01caea21$138cdee0$3aa69ca0$@com>

Also, sorry for the double post but check out http://www.ithenticate.com/

On Sun, May 2, 2010 at 2:40 PM, Mutaz Musa wrote:
> Actually turnitin.com, a website where students turn in schoolwork, checks
> for plagiarism and from what I understand does a pretty good job. They
> compare both student-to-student and student-to-literature. I'm not sure how
> they pull it off, probably a proprietary algorithm that tries to match
> student submissions against their database of content, where no match = no
> plagiarism. It seems like a mammoth task though. Turnitin.com actually
> crawls academic journals, books, etc. to populate their database.
>
> If you're interested only in comparing submissions to your site against one
> another, that may be more manageable. If on the other hand you want to
> compare against online/print content in general, then that will prove a real
> challenge. Finally, if you have the money maybe you can register with
> turnitin.com - although my impression is that they're primarily for
> universities/colleges.
>
> http://turnitin.com/static/index.html
>
> Best,
> Mutaz
>
> On Sun, May 2, 2010 at 1:58 PM, Hans Zaunere wrote:
>> [...]
From zippy1981 at gmail.com Sun May 2 16:43:19 2010
From: zippy1981 at gmail.com (Justin Dearing)
Date: Sun, 2 May 2010 16:43:19 -0400
Subject: [nycphp-talk] Plagiarism Checker in PHP
In-Reply-To: <00aa01caea21$138cdee0$3aa69ca0$@com>
References: <00aa01caea21$138cdee0$3aa69ca0$@com>

On Sun, May 2, 2010 at 1:58 PM, Hans Zaunere wrote:
> > Hi Friends,
>
> Hi,
>
> > Could you please tell me or suggest how to develop a Plagiarism Checker
> > feature, or send some useful articles / free APIs and so on?
>
> Seriously though, unless I'm missing something, I can't see how this would
> be possible. I suppose you could use techniques such as comparing the
> number of similar words between articles, but that's not really exact, and
> likely to have incorrect results. Plus, you're looking to do this
> plagiarism check across the whole Internet?

My understanding is many CS professors do this for programming homework. They are looking for exact matches. Apparently that catches a lot of people.

I think chopping up an article into an array of sentences, and throwing a few into Google, would be a good approach. Submit 25% of the sentences to Google as exact phrase matches. Throw the first 10 result URLs into an array for each. Sort the URLs and see how many are the same.

Justin

From cmerlo at ncc.edu Sun May 2 18:51:49 2010
From: cmerlo at ncc.edu (Christopher R. Merlo)
Date: Sun, 2 May 2010 18:51:49 -0400
Subject: [nycphp-talk] Plagiarism Checker in PHP
References: <00aa01caea21$138cdee0$3aa69ca0$@com>

On Sunday, May 2, 2010, Justin Dearing wrote:
>
> My understanding is many CS professors do this for programming homework. They are looking for exact matches. Apparently that catches a lot of people.

Actually, checking for exact matches won't catch the students who change nothing but identifiers. But there's a really cool free tool provided by someone at UC Berkeley called Moss that does some sort of lexical analysis, along with pattern matching, that has helped me catch lots of unscrupulous programming students. (Yes, lots. The rare downside of teaching at a community college.)

> I think chopping up an article into an array of sentences, and throwing a few into Google, would be a good approach.

And that's more or less what I do when I suspect plagiarism in a written assignment. I don't (yet) do this in any automated way; only when it seems obvious I should. Don't forget to surround the sentence with quotes for Google to reduce the amount of false positives.

-c

From leam.hall.ctr at usmc.mil Mon May 3 07:38:02 2010
From: leam.hall.ctr at usmc.mil (Hall CTR Leam)
Date: Mon, 3 May 2010 07:38:02 -0400
Subject: [nycphp-talk] Password security for SQLite based pages?
Message-ID: <06A7A82C48A99643B8B77C99946AFECB02F1C955@mcusquanez02v.mcdsus.mcds.usmc.mil>

Morning all!

I'm looking to not use MySQL for some web pages, but to instead try SQLite. There's nothing in the database that would need to be protected from reading, and it's a small site that doesn't need a full-blown database. However, I'd like to limit access to updating. Would it be enough just to have a web page that you had to log in to via .htaccess? Is there a better way?

Thanks!

Leam

--------------------------------------------
Leam Hall
UNIX Systems Administrator
Contractor for Smartronix ( CMMI Level 3 ISO 9001:2000 FS 91000 )
Com: 229.639.6028
Email: Leam.Hall.ctr at usmc.mil
--------------------------------------------

From zippy1981 at gmail.com Mon May 3 07:39:34 2010
From: zippy1981 at gmail.com (Justin Dearing)
Date: Mon, 3 May 2010 07:39:34 -0400
Subject: [nycphp-talk] Password security for SQLite based pages?
In-Reply-To: <06A7A82C48A99643B8B77C99946AFECB02F1C955@mcusquanez02v.mcdsus.mcds.usmc.mil>
References: <06A7A82C48A99643B8B77C99946AFECB02F1C955@mcusquanez02v.mcdsus.mcds.usmc.mil>

Why not just store the SQLite file somewhere outside of the webroot?

Justin

On Mon, May 3, 2010 at 7:38 AM, Hall CTR Leam wrote:
> Morning all!
>
> I'm looking to not use MySQL for some web pages, but to instead try SQLite.
> There's nothing in the database that would need to be protected from
> reading, and it's a small site that doesn't need a full-blown database.
> However, I'd like to limit access to updating. Would it be enough just to
> have a web page that you had to log in to via .htaccess? Is there a better way?
>
> Thanks!
>
> Leam
>
> --------------------------------------------
> Leam Hall
> UNIX Systems Administrator
> Contractor for Smartronix ( CMMI Level 3 ISO 9001:2000 FS 91000 )
> Com: 229.639.6028
> Email: Leam.Hall.ctr at usmc.mil
> --------------------------------------------
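The two points made so far in this thread (keep the SQLite file out of the document root; gate the one page that writes) can be put together in a few dozen lines. What follows is an added example for this archive, not code posted to the list and not part of any library: a write page protected by a server-side session, with editor accounts kept in the same SQLite file as password_hash() digests. It assumes PHP 7.3 or later with the pdo_sqlite extension; the paths DB_PATH and /login.php and the table name "editors" are hypothetical.

```php
<?php
// Added example (not from the list thread): session-gated edit page for a
// small SQLite-backed site. Assumes PHP >= 7.3 with pdo_sqlite.
declare(strict_types=1);

// Hypothetical path, deliberately outside the document root so the web
// server can never serve the raw database file as a static download.
const DB_PATH = '/var/lib/smallsite/site.sqlite';

function db(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('sqlite:' . DB_PATH, null, null, [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]);
        // Hypothetical table: one row per person allowed to edit.
        $pdo->exec('CREATE TABLE IF NOT EXISTS editors (
                        username TEXT PRIMARY KEY,
                        pw_hash  TEXT NOT NULL)');
    }
    return $pdo;
}

// Provisioning step, run from the CLI rather than from a web page, e.g.
//   php -r 'require "auth.php"; add_editor("leam", "correct horse battery staple");'
function add_editor(string $user, string $password): void
{
    $st = db()->prepare('INSERT OR REPLACE INTO editors (username, pw_hash) VALUES (?, ?)');
    $st->execute([$user, password_hash($password, PASSWORD_DEFAULT)]);
}

function check_login(string $user, string $password): bool
{
    $st = db()->prepare('SELECT pw_hash FROM editors WHERE username = ?');
    $st->execute([$user]);
    $row = $st->fetch();

    // Verify against a throwaway hash when the user is unknown, so a failed
    // login takes the same time whether or not the username exists.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }
    $hash = ($row === false) ? $dummy : $row['pw_hash'];
    $ok   = password_verify($password, $hash);
    return $ok && $row !== false;
}

function start_session(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        // HttpOnly keeps the cookie away from scripts; Secure restricts it
        // to HTTPS; SameSite=Lax stops most cross-site POSTs carrying it.
        session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
        session_start();
    }
}

// login.php handler: on a good password, bind the editor to a *new* session
// id so a session id planted before login (fixation) is never upgraded.
function handle_login(array $post): bool
{
    $user = (string) ($post['username'] ?? '');
    $pass = (string) ($post['password'] ?? '');
    if ($user === '' || !check_login($user, $pass)) {
        return false;
    }
    start_session();
    session_regenerate_id(true);
    $_SESSION['editor'] = $user;
    $_SESSION['csrf']   = bin2hex(random_bytes(32));
    return true;
}

// First statement of edit_database.php. Anyone without an editor session is
// sent to the login form; a POST without the session's CSRF token is refused
// so a logged-in editor cannot be tricked into writing from another site.
function require_editor(): string
{
    start_session();
    if (empty($_SESSION['editor'])) {
        header('Location: /login.php', true, 303);
        exit;
    }
    if ($_SERVER['REQUEST_METHOD'] === 'POST'
        && !hash_equals((string) ($_SESSION['csrf'] ?? ''), (string) ($_POST['csrf'] ?? ''))) {
        http_response_code(403);
        exit('bad CSRF token');
    }
    return $_SESSION['editor'];
}
```

Two practical notes. HTTP Basic auth from .htaccess, as the original question proposes, is an acceptable substitute only if the site is served over HTTPS exclusively: Basic sends the password with every request, base64-encoded but not encrypted, and the .htpasswd file then needs the same care as the database (outside the document root, readable by the web server only). Whichever gate is used, the web server account needs write permission not just on the SQLite file but on the directory that holds it, because SQLite creates its journal file beside the database; give the file a directory of its own so that permission does not spill onto anything else.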
From leam.hall.ctr at usmc.mil Mon May 3 07:55:38 2010
From: leam.hall.ctr at usmc.mil (Hall CTR Leam)
Date: Mon, 3 May 2010 07:55:38 -0400
Subject: [nycphp-talk] Password security for SQLite based pages?
References: <06A7A82C48A99643B8B77C99946AFECB02F1C955@mcusquanez02v.mcdsus.mcds.usmc.mil>
Message-ID: <06A7A82C48A99643B8B77C99946AFECB02F1C956@mcusquanez02v.mcdsus.mcds.usmc.mil>

Justin,

Sorry, I guess I didn't communicate my question well. Accidentally forgot to bring the extra cup of coffee with me...

I'd like a page that would let a limited number of people edit data. That's what needs protection, the page that writes and edits data. Everyone can see the data, though putting it outside the webroot is a good idea in its own right.

So in the document root we'd have a page "edit_database.php". That's what needs protecting, I think.

Make more sense?

Thanks!

Leam

-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On Behalf Of Justin Dearing
Sent: Monday, May 03, 2010 7:40
To: NYPHP Talk
Subject: Re: [nycphp-talk] Password security for SQLite based pages?

Why not just store the SQLite file somewhere outside of the webroot?

Justin

On Mon, May 3, 2010 at 7:38 AM, Hall CTR Leam wrote:
[...]

From mitch.pirtle at gmail.com Mon May 3 08:12:31 2010
From: mitch.pirtle at gmail.com (Mitch Pirtle)
Date: Mon, 3 May 2010 08:12:31 -0400
Subject: [nycphp-talk] Password security for SQLite based pages?
In-Reply-To: <06A7A82C48A99643B8B77C99946AFECB02F1C956@mcusquanez02v.mcdsus.mcds.usmc.mil>
References: <06A7A82C48A99643B8B77C99946AFECB02F1C955@mcusquanez02v.mcdsus.mcds.usmc.mil> <06A7A82C48A99643B8B77C99946AFECB02F1C956@mcusquanez02v.mcdsus.mcds.usmc.mil>

I'd store login/password info in SQLite as well - and you could use something simple like PEAR::Auth.

http://pear.php.net/package/Auth/

Just an idea.

-- Mitch

On Mon, May 3, 2010 at 7:55 AM, Hall CTR Leam wrote:
> Justin,
>
> Sorry, I guess I didn't communicate my question well. Accidentally forgot to bring the extra cup of coffee with me...
>
> I'd like a page that would let a limited number of people edit data. That's what needs protection, the page that writes and edits data. Everyone can see the data, though putting it outside the webroot is a good idea in its own right.
>
> So in the document root we'd have a page "edit_database.php". That's what needs protecting, I think.
>
> Make more sense?
>
> Thanks!
>
> Leam
>
> -----Original Message-----
> From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On Behalf Of Justin Dearing
> Sent: Monday, May 03, 2010 7:40
> To: NYPHP Talk
> Subject: Re: [nycphp-talk] Password security for SQLite based pages?
>
> Why not just store the SQLite file somewhere outside of the webroot?
>
> Justin
>
> On Mon, May 3, 2010 at 7:38 AM, Hall CTR Leam wrote:
> [...]

From parthatr at gmail.com Mon May 3 08:26:02 2010
From: parthatr at gmail.com (Partha Sarathy)
Date: Mon, 3 May 2010 17:56:02 +0530
Subject: [nycphp-talk] talk Digest, Vol 43, Issue 4

Hi Friends,

Thanks for your replies. Please have a look at the following sites: http://www.copyscpe.com and http://www.articlechecker.com/.
The above sites ensure that a posted article is unique and original. The above sites search through search engines (like Google, Yahoo and so on).

I wish to develop the same. Please let me know the steps for how to develop it in PHP, an API, or so on.
> > Justin > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: < > http://lists.nyphp.org/pipermail/talk/attachments/20100502/9dda592a/attachment-0001.html > > > > ------------------------------ > > Message: 5 > Date: Sun, 2 May 2010 18:51:49 -0400 > From: "Christopher R. Merlo" > To: NYPHP Talk > Subject: Re: [nycphp-talk] Plagiarism Checker in PHP > Message-ID: > > Content-Type: text/plain; charset=ISO-8859-1 > > On Sunday, May 2, 2010, Justin Dearing wrote: > > > > My understanding is many CS professors do this for programming homework. > They are looking for exact matches. Apparently that catches a lot of people. > > Actually, checking for exact matches won't catch the students who > change nothing but identifiers. But there's a really cool free tool > provided by someone at UC Berkeley called Moss that does some sort of > lexical analysis, along with pattern matching, that has helped me > catch lots of unscrupulous programming students. (Yes, lots. The rare > downside of teaching at a community college.) > > > I think chopping up an article into an array of sentences, and throwing a > few into google would be a good approach. > > And that's more or less what I do when I suspect plagiarism in a > written assignment. I don't (yet) do this in any automated way; only > when it seems obvious I should. Don't forget to surround the sentence > with quotes for Google to reduce the amount of false positives. > -c > > > ------------------------------ > > Message: 6 > Date: Mon, 3 May 2010 07:38:02 -0400 > From: "Hall CTR Leam" > To: > Subject: [nycphp-talk] Password security for SQLite based pages? > Message-ID: > < > 06A7A82C48A99643B8B77C99946AFECB02F1C955 at mcusquanez02v.mcdsus.mcds.usmc.mil > > > > Content-Type: text/plain; charset="us-ascii" > > Morning all! > > I'm looking to not use MySQL for some web pages, but to instead try SQLite. 
> There's nothing in the database that would need to be protected from
> reading, and it's a small site that doesn't need a full blown database.
> However, I'd like to limit access to updating. Would it be enough just to
> have a web page that you had to log in via .htaccess? Is there a better way?
>
> Thanks!
>
> Leam
>
>
> --------------------------------------------
> Leam Hall
> UNIX Systems Administrator
> Contractor for Smartronix ( CMMI Level 3 ISO 9001:2000 FS 91000 )
> Com: 229.639.6028
> Email: Leam.Hall.ctr at usmc.mil
> --------------------------------------------
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: smime.p7s
> Type: application/x-pkcs7-signature
> Size: 5206 bytes
> Desc: not available
> URL: <
> http://lists.nyphp.org/pipermail/talk/attachments/20100503/f261fa34/attachment.bin
> >
>
>
> ------------------------------
>
> _______________________________________________
> talk mailing list
> talk at lists.nyphp.org
> http://lists.nyphp.org/mailman/listinfo/talk
>
> End of talk Digest, Vol 43, Issue 4
> ***********************************
>

--
T.R.Parthasarathy
+919884117406
“You have to grow from the inside out. None can teach you, none can make you spiritual. There is no other teacher but your own soul.” - Swami Vivekananda

From AKuhn at hersheypa.com Mon May 3 10:01:59 2010
From: AKuhn at hersheypa.com (AKuhn at hersheypa.com)
Date: Mon, 3 May 2010 10:01:59 -0400
Subject: [nycphp-talk] AUTO: is out of the office. (returning 05/10/2010)
Message-ID:

I am out of the office until 05/10/2010. I will respond to your message when I return.

Note: This is an automated response to your message "[nycphp-talk] Password security for SQLite based pages?" sent on 5/3/2010 7:38:02 AM. This is the only notification you will receive while this person is away.
All electronic transmissions and attachments thereto, in any form whatsoever, shall remain at all times the property of Hershey Entertainment & Resorts Company. The information contained in or attached to this electronic transmission constitutes confidential information. Any unauthorized disclosure, copying, distribution or dissemination of this information, is strictly prohibited. -------------- next part -------------- An HTML attachment was scrubbed... URL: From papillion at gmail.com Thu May 6 11:36:20 2010 From: papillion at gmail.com (Anthony Papillion) Date: Thu, 6 May 2010 10:36:20 -0500 Subject: [nycphp-talk] What's a good way to handle this? Message-ID: Hello Everyone, As some of you may know, during last years Presidential protests in Iran, I developed a distributed, multi-level, Twitter proxy service called TweetFree. For the first time in almost a year, I'm revisiting the code in an effort to update it and make it more useful for people outside of Iran but still in oppressive cultures. The system has several components: a Windows Mobile, iPhone, Android, and Blackberry application that connects to a TweetFree Relay server, the TweetFree Relay Server itself, and the main TweetFree Network Servers. How this all works together is unimportant so I won't bore you with the details. Now, the TweetFree Network Servers maintain a network block list. So every time the Relay Servers send a post, the Network Server checks to make sure the client that the relay is posting for isn't blocked from the network. If it is, it says no and the relay tells the client that it couldn't post its message. The problem with this, of course, is that you might have thousands of Relay Servers hitting the Network Servers (as happened during the Iranian election) and each of those requests have to be processed. That puts a bit of a load on the server that I'd like to alleviate. 
So my thought is to maintain a blacklist of client keys on the Network Servers and have the Relay Servers download this list every few minutes. Then, clients could be blocked at the RELAY level instead of at the Network level and less load would be put on the Network Servers (of which there are only about 10). My problem is that I'm not sure how to protect this list. The list is a simple text file that contains client keys. No identifying information, but client keys nonetheless. If it's a .txt file then the contents are viewable publicly which *could* pose a security risk in highly volatile environments. If I name it with the .php extension, it's handled like a PHP file and, thus, the text in it can't be read. What is the best way to handle this? I need to protect the users privacy while still reducing network load. Any ideas? Thanks! Anthony Papillion -------------- next part -------------- An HTML attachment was scrubbed... URL: From david at davidmintz.org Thu May 6 11:46:03 2010 From: david at davidmintz.org (David Mintz) Date: Thu, 6 May 2010 11:46:03 -0400 Subject: [nycphp-talk] utf-8, iso-8859-1... Message-ID: I don't really have a good understanding of issues around character sets, encoding, what have you, though I am starting to work on it. My problem involves a MySQL database and accented characters such as those you find in Spanish and French. My web server sends a "content-type: text/html; charset=iso-8859-1" header and my docs have an equivalent meta tag. My mysql's config says default-character-set = latin1 character_set_server = latin1 collation_server = latin1_general_ci and my data tables "SHOW CREATE" typically look like CREATE TABLE `people` ( `id` smallint(5) unsigned NOT NULL AUTO_INCREMENT, `lastname` varchar(40) COLLATE latin1_general_ci NOT NULL, `firstname` varchar(40) COLLATE latin1_general_ci NOT NULL, /* etc */ ) ENGINE=MyISAM AUTO_INCREMENT=546 DEFAULT CHARSET=latin1 COLLATE=latin1_general_ci So what's the problem? 
Generally there is none. Characters like ? and ? render correctly. The snag I am hitting now is writing a regular expression to whitelist the characters I can accept in proper names. I would think that the regex /^[-a-zA-Z\xC0-\xFF ']+$/ would test for anything that isn't a "letter" in most Western European languages, or a space, or an apostrophe. But it is returning true (meaning yes there is an illegal character) in the name Barceló, where false is what I would like to hear.

Would this regex work if the data were utf-8? Should I consider converting everything and working in utf-8, and if so, how painful is it to convert a MySQL database? My initial research suggests that it isn't painless.

--
Support real health care reform: http://phimg.org/
--
David Mintz
http://davidmintz.org/

From lester.bleong at gmail.com Thu May 6 11:49:23 2010
From: lester.bleong at gmail.com (Lester Leong)
Date: Thu, 6 May 2010 11:49:23 -0400
Subject: [nycphp-talk] What's a good way to handle this?
In-Reply-To:
References:
Message-ID:

Hey Anthony,

Not sure if I'm missing something but if attackers can get their hands on a .txt, they can get their hands on a .php and extracting the hard coded list would be a trivial issue.

If you're shifting load to the relay level perhaps you could try two-way encryption, since the extra overhead may not make much of a difference.

Lester

On Thu, May 6, 2010 at 11:36 AM, Anthony Papillion wrote:
> Hello Everyone,
>
> As some of you may know, during last years Presidential protests in Iran, I
> developed a distributed, multi-level, Twitter proxy service called
> TweetFree. For the first time in almost a year, I'm revisiting the code in
> an effort to update it and make it more useful for people outside of Iran
> but still in oppressive cultures.
> > The system has several components: a Windows Mobile, iPhone, Android, and > Blackberry application that connects to a TweetFree Relay server, the > TweetFree Relay Server itself, and the main TweetFree Network Servers. How > this all works together is unimportant so I won't bore you with the details. > > Now, the TweetFree Network Servers maintain a network block list. So every > time the Relay Servers send a post, the Network Server checks to make sure > the client that the relay is posting for isn't blocked from the network. If > it is, it says no and the relay tells the client that it couldn't post its > message. The problem with this, of course, is that you might have thousands > of Relay Servers hitting the Network Servers (as happened during the Iranian > election) and each of those requests have to be processed. That puts a bit > of a load on the server that I'd like to alleviate. > > So my thought is to maintain a blacklist of client keys on the Network > Servers and have the Relay Servers download this list every few minutes. > Then, clients could be blocked at the RELAY level instead of at the Network > level and less load would be put on the Network Servers (of which there are > only about 10). > > My problem is that I'm not sure how to protect this list. The list is a > simple text file that contains client keys. No identifying information, but > client keys nonetheless. If it's a .txt file then the contents are viewable > publicly which *could* pose a security risk in highly volatile environments. > If I name it with the .php extension, it's handled like a PHP file and, > thus, the text in it can't be read. > > What is the best way to handle this? I need to protect the users privacy > while still reducing network load. > > Any ideas? > > Thanks! 
> Anthony Papillion > > _______________________________________________ > New York PHP Users Group Community Talk Mailing List > http://lists.nyphp.org/mailman/listinfo/talk > > http://www.nyphp.org/Show-Participation > -------------- next part -------------- An HTML attachment was scrubbed... URL: From papillion at gmail.com Thu May 6 11:52:58 2010 From: papillion at gmail.com (Anthony Papillion) Date: Thu, 6 May 2010 10:52:58 -0500 Subject: [nycphp-talk] What's a good way to handle this? In-Reply-To: References: Message-ID: Hi Lester, Thanks for the input. Encrypt isn't something I'd thought of. Good point. Thanks! Anthony On Thu, May 6, 2010 at 10:49 AM, Lester Leong wrote: > > Hey Anthony, > > Not sure if I'm missing something but if attackers can get their hands on a .txt, they can get their hands on a .php and extracting the hard coded list would be a trivial issue. > > If you're shifting load to the relay level perhaps you could try two-way encryption, since the extra overhead may not make much of a difference. > > Lester From chsnyder at gmail.com Thu May 6 11:56:09 2010 From: chsnyder at gmail.com (Chris Snyder) Date: Thu, 6 May 2010 11:56:09 -0400 Subject: [nycphp-talk] utf-8, iso-8859-1... In-Reply-To: References: Message-ID: On Thu, May 6, 2010 at 11:46 AM, David Mintz wrote: > Would this regex work if the data were utf-8? Should I consider converting > everything and working in utf-8, and if so, how painful is it to convert a > MySQL database? My initial research suggests that it isn't painless. > Full-stack utf-8 is worth the pain of conversion. It makes a whole class of issues disappear and gives you the ability to accept anything the world is going to throw at you. Many php functions are not unicode aware (and php6 will be release right after perl6) but in practice those issues are much easier to deal with than trying to limit your data to iso-8859-1. 
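An added example, not code from the thread, tying David's whitelist regex to Chris's full-stack UTF-8 advice: it puts the single-byte latin1 pattern from the question next to a UTF-8 aware version (PCRE's /u modifier with Unicode property classes) and runs both over constructed inputs. One reason a latin1 byte-range pattern can reject a name like Barceló is that the bytes are really UTF-8: ó is then C3 B3, and the continuation byte B3 falls outside \xC0-\xFF. The function names, constant names and sample values are assumptions made for this example.

```php
<?php
// Added example, not code from the thread. It puts the single-byte latin1
// whitelist from the question next to a UTF-8 aware version and runs both
// over constructed inputs. Function names and sample values are mine.

// The pattern from the question. Without the /u modifier PCRE matches raw
// bytes, so \xC0-\xFF means "any single byte in that range".
const LATIN1_NAME_RE = '/^[-a-zA-Z\xC0-\xFF \']+$/';

// UTF-8 aware version: any Unicode letter (\p{L}) or combining mark (\p{M}),
// plus space, hyphen and apostrophe. With /u, PCRE decodes the subject as
// UTF-8 and fails outright on malformed byte sequences.
const UTF8_NAME_RE = '/^[-\p{L}\p{M} \']+$/u';

function isValidNameLatin1(string $name): bool
{
    return preg_match(LATIN1_NAME_RE, $name) === 1;
}

function isValidNameUtf8(string $name): bool
{
    // Under /u, preg_match() returns false (not 0) for invalid UTF-8, so
    // comparing against 1 rejects both non-matches and undecodable input.
    return preg_match(UTF8_NAME_RE, $name) === 1;
}

// Constructed inputs: the same accented name in the two encodings under
// discussion, plus an ASCII name and an input carrying markup.
$samples = [
    'latin1 Barcelo (F3)'    => "Barcel\xF3",      // one byte, inside \xC0-\xFF
    'utf-8 Barcelo (C3 B3)'  => "Barcel\xC3\xB3",  // B3 is a continuation byte, outside \xC0-\xFF
    'ascii with punctuation' => "O'Brien-Smith",
    'markup smuggled in'     => "Barcel\xC3\xB3<b>",
];

foreach ($samples as $label => $value) {
    printf(
        "%-24s latin1 regex: %-7s utf-8 regex: %s\n",
        $label,
        isValidNameLatin1($value) ? 'accept' : 'reject',
        isValidNameUtf8($value) ? 'accept' : 'reject'
    );
}
```

Run it with `php name_whitelist.php` (a constructed file name). The latin1 pattern accepts the one-byte form and rejects the two-byte UTF-8 form, because 0xB3 is outside the byte range; the /u pattern does the reverse, since a lone 0xF3 is not valid UTF-8 and preg_match() returns false for it. Which pattern is right depends on what encoding the bytes actually are, and that is why the full-stack recommendation matters: the HTTP charset header, the MySQL connection charset and the table charset have to agree, or the validator and the stored data will disagree.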
From oneofthosed3afmutes at yahoo.com Thu May 6 12:26:10 2010 From: oneofthosed3afmutes at yahoo.com (Anthony Wlodarski) Date: Thu, 6 May 2010 09:26:10 -0700 (PDT) Subject: [nycphp-talk] utf-8, iso-8859-1... In-Reply-To: References: Message-ID: <550842.1872.qm@web114314.mail.gq1.yahoo.com> I second, full UTF-8 is awesome down the line for internationalization. First see if MySQL even supports UTF-8 on your system, execute: "SHOW CHARACTER SET;" and utf8 should appear in the list. Then "ALTER TABLE tbl_name CONVERT TO CHARACTER SET charset_name COLLATION collation_name;". Since I have not done this myself I can't verify that it will rebuild indexes on the table, I don't think it should but might want to look into that as rebuilding indexes on a large table could be time consuming. ________________________________ From: Chris Snyder To: NYPHP Talk Sent: Thu, May 6, 2010 11:56:09 AM Subject: Re: [nycphp-talk] utf-8, iso-8859-1... On Thu, May 6, 2010 at 11:46 AM, David Mintz wrote: > Would this regex work if the data were utf-8? Should I consider converting > everything and working in utf-8, and if so, how painful is it to convert a > MySQL database? My initial research suggests that it isn't painless. > Full-stack utf-8 is worth the pain of conversion. It makes a whole class of issues disappear and gives you the ability to accept anything the world is going to throw at you. Many php functions are not unicode aware (and php6 will be release right after perl6) but in practice those issues are much easier to deal with than trying to limit your data to iso-8859-1. _______________________________________________ New York PHP Users Group Community Talk Mailing List http://lists.nyphp.org/mailman/listinfo/talk http://www.nyphp.org/Show-Participation -------------- next part -------------- An HTML attachment was scrubbed... 
From chsnyder at gmail.com Thu May 6 12:59:31 2010
From: chsnyder at gmail.com (Chris Snyder)
Date: Thu, 6 May 2010 12:59:31 -0400
Subject: [nycphp-talk] utf-8, iso-8859-1...
In-Reply-To: <550842.1872.qm@web114314.mail.gq1.yahoo.com>
References: <550842.1872.qm@web114314.mail.gq1.yahoo.com>
Message-ID:

On Thu, May 6, 2010 at 12:26 PM, Anthony Wlodarski wrote:
> I second, full UTF-8 is awesome down the line for internationalization.
> First see if MySQL even supports UTF-8 on your system, execute: "SHOW
> CHARACTER SET;" and utf8 should appear in the list. Then "ALTER TABLE
> tbl_name CONVERT TO CHARACTER SET charset_name COLLATION collation_name;".
> Since I have not done this myself I can't verify that it will rebuild
> indexes on the table, I don't think it should but might want to look into
> that as rebuilding indexes on a large table could be time consuming.

Dirty secret - MySQL latin-1 tables will happily store and retrieve utf-8 data. They won't sort it correctly, though I believe they will sort it consistently.

So even if your MySQL was compiled without unicode support, you can put utf-8 in and get utf-8 out.

Of course, if you're going to take the trouble to convert, you should do it right.

From monalisa20042006 at gmail.com Thu May 6 13:09:07 2010
From: monalisa20042006 at gmail.com (Mona Borham)
Date: Thu, 6 May 2010 20:09:07 +0300
Subject: [nycphp-talk] utf-8, iso-8859-1...
In-Reply-To:
References: <550842.1872.qm@web114314.mail.gq1.yahoo.com>
Message-ID:

Well sometimes also you should change the page encoding to UTF-8 which I can't modify as I know except through DreamWeaver and I wanted to know if there is a shortcut for this process rather than opening all the project files and modifying the page properties. If anyone has an idea please provide us with it.
Thanks, Mona On Thu, May 6, 2010 at 7:59 PM, Chris Snyder wrote: > On Thu, May 6, 2010 at 12:26 PM, Anthony Wlodarski > wrote: > > I second, full UTF-8 is awesome down the line for internationalization. > > First see if MySQL even supports UTF-8 on your system, execute: "SHOW > > CHARACTER SET;" and utf8 should appear in the list. Then "ALTER TABLE > > tbl_name CONVERT TO CHARACTER SET charset_name COLLATION > collation_name;". > > Since I have not done this myself I can't verify that it will rebuild > > indexes on the table, I don't think it should but might want to look into > > that as rebuilding indexes on a large table could be time consuming. > > Dirty secret - MySQL latin-1 tables will happily store and retrieve > utf-8 data. They won't sort it correctly, though I believe they will > sort it consistently. > > So even if your MySQL was compiled without unicode support, you can > put utf-8 in and get utf-8 out. > > Of course, if you're going to take the trouble to convert, you should > do it right. > _______________________________________________ > New York PHP Users Group Community Talk Mailing List > http://lists.nyphp.org/mailman/listinfo/talk > > http://www.nyphp.org/Show-Participation > -------------- next part -------------- An HTML attachment was scrubbed... URL: From papillion at gmail.com Thu May 6 13:15:46 2010 From: papillion at gmail.com (Anthony Papillion) Date: Thu, 6 May 2010 12:15:46 -0500 Subject: [nycphp-talk] Thoughts on encryption Message-ID: So I've used encryption on a personal level and even on the server through SSL but I've not done much more in PHP than using either the MD5() or SHA1() functions on passwords. I tend to be a very paranoid type with user information and I'm constantly thinking about weaknesses in systems and how they could be exploited. My initial encryption method was to either md5 or SHA1 passwords, and stick them in the database. 
While I know it's difficult to 'reverse the sausage machine' on these encrypted strings, it's not impossible. An attacker could determine an MD5 or SHA1 password through a simple dictionary attack. So, in essence, the encryption is useless.

My current method is to concatenate the username+password+username and then either MD5 or SHA1 that and store that as the password in the database. But, really, is this any more secure to a sophisticated, thinking attacker? Certainly, if I could think of it, they could, and it would again be trivial to write a script to execute a simple dictionary attack and figure out the password.

I also know there are many other encryption methods out there but, isn't it true that *all* of them are compromisable by that simple manner or am I missing something critical here? Perhaps the only way to mitigate the risk is to institute a 3 strikes policy (which pisses users off but is secure) and to then change the user's password to some absolutely random 50 digit gobbledygook string of characters.

Am I being overly paranoid here or are these valid concerns? Am I simply missing something?

Thanks!
Anthony

Blog: www.cajuntechie.com
Facebook: www.facebook.com/cajuntechie
Twitter: www.twitter.com/cajuntechie

From paul at devonianfarm.com Thu May 6 13:26:02 2010
From: paul at devonianfarm.com (Paul A Houle)
Date: Thu, 06 May 2010 13:26:02 -0400
Subject: [nycphp-talk] utf-8, iso-8859-1...
In-Reply-To:
References: <550842.1872.qm@web114314.mail.gq1.yahoo.com>
Message-ID: <4BE2FBAA.4020903@devonianfarm.com>

Chris Snyder wrote:
> Dirty secret - MySQL latin-1 tables will happily store and retrieve
> utf-8 data. They won't sort it correctly, though I believe they will
> sort it consistently.
>
> So even if your MySQL was compiled without unicode support, you can
> put utf-8 in and get utf-8 out.
>
> Of course, if you're going to take the trouble to convert, you should
> do it right.
> In fact, this is a dirty secret about PHP and the "Unix Way"; to a large extent, systems that are 8-bit clean will process UTF-8 data correctly without modifications... Except when they don't. Unfortunately, that's also the case with Perl, Java, .NET and other systems that have complex "Unicode Support"; Unicode support is such a complicated thing that it's inevitably implemented with errors in those systems, and often, you're really screwed in those systems because you're not seeing the raw bytestream. I remember a system where a choice of language and database were made because the systems "supported unicode" according to the documentation, but practically all kinds of strange transformations were going on behind our backs... One day I actually looked at the database in the SQL monitor and found the whole thing was double-encoded. There's also the issue that there really is no "Unicode Sort Order" that entirely makes sense. For instance, languages such as German and Swedish sort the same characters in a different order. I'm currently working on a system that is predominantly English but contains many named entity names with latinoid characters: the sort order for "English" might well sort the Polish "Dark L" (the l with a line through it) after Z, but poles sort "Dark L" after "Clear L" and most en-speakers will expect that too, since we commonly squash Dark L -> Clear L in words like "Stanislaw." Japanese people sort named entities phonetically, which means you need to keep a furigana (phonetic) representation side by side with the conventional kanji representation... 
In this age of statistical language translation, I think kanji -> furigana translation could be largely automated, but there are always 'words' that can't be read phonetically out of context, like "read".

The "real" character encoding that you find web documents in is most closely described as a random mix of ISO-latin-1 and UTF-8 characters interspersed at random, no matter what the charset of a document officially is. There are just too many cases where characters come in through form fields and other sources that aren't well controlled. Yes, ~you~ should publish good clean UTF-8, but if you're scraping on a large scale you'll find lots of crazy stuff that doesn't quite match what's in the books... And it's helpful to look at the byte stream in those cases.

From chsnyder at gmail.com Thu May 6 13:42:25 2010
From: chsnyder at gmail.com (Chris Snyder)
Date: Thu, 6 May 2010 13:42:25 -0400
Subject: [nycphp-talk] utf-8, iso-8859-1...
In-Reply-To: <4BE2FBAA.4020903@devonianfarm.com>
References: <550842.1872.qm@web114314.mail.gq1.yahoo.com> <4BE2FBAA.4020903@devonianfarm.com>
Message-ID:

On Thu, May 6, 2010 at 1:26 PM, Paul A Houle wrote:
> There's also the issue that there really is no "Unicode Sort Order" that
> entirely makes sense. For instance, languages such as German and Swedish
> sort the same characters in a different order. I'm currently working on a
> system that is predominantly English but contains many named entity names
> with latinoid characters: the sort order for "English" might well sort the
> Polish "Dark L" (the l with a line through it) after Z, but Poles sort
> "Dark L" after "Clear L" and most en-speakers will expect that too, since
> we commonly squash Dark L -> Clear L in words like "Stanislaw." Japanese
> people sort named entities phonetically, which means you need to keep a
> furigana (phonetic) representation side by side with the conventional kanji
> representation... In this age of statistical language translation, I think
> kanji -> furigana translation could be largely automated, but there are
> always 'words' that can't be read phonetically out of context

Oh great, locale-specific sorting. To what extent are there unix tools to help you deal with that?

When it comes to internationalization, it's always something. At least with utf-8 the encoding can be consistent if you control the inputs (ie, you're not scraping or accepting mishmash from other systems).

From edwardpotter at gmail.com Thu May 6 13:56:45 2010
From: edwardpotter at gmail.com (Edward Potter)
Date: Thu, 6 May 2010 13:56:45 -0400
Subject: [nycphp-talk] utf-8, iso-8859-1...
In-Reply-To:
References: <550842.1872.qm@web114314.mail.gq1.yahoo.com>
Message-ID:

I highly recommend u scale up from Dreamweaver, and use an editor, TextMate is probably the best, but zillions out there. Yes I know it works fine, but you will never move to Guru status with DW. Just my 2 rupees. The leap is pretty painless.

Grasshopper! => Guru => God => Grasshopper!
Dreamweaver => TextMate => vi => e

On Thu, May 6, 2010 at 1:09 PM, Mona Borham wrote:
> Well sometimes also you should change the page encoding to UTF-8 which I
> can't modify as I know except through DreamWeaver and I wanted to know if
> there is a shortcut for this process rather than opening all the project
> files and modifying the page properties. If anyone has an idea please provide us
> with it.
>
> Thanks,
> Mona
>
>
>
> On Thu, May 6, 2010 at 7:59 PM, Chris Snyder wrote:
>
>> On Thu, May 6, 2010 at 12:26 PM, Anthony Wlodarski
>> wrote:
>> > I second, full UTF-8 is awesome down the line for internationalization.
>> > First see if MySQL even supports UTF-8 on your system, execute: "SHOW
>> > CHARACTER SET;" and utf8 should appear in the list. Then "ALTER TABLE
>> > tbl_name CONVERT TO CHARACTER SET charset_name COLLATION
>> collation_name;".
>> > Since I have not done this myself I can't verify that it will rebuild >> > indexes on the table, I don't think it should but might want to look >> into >> > that as rebuilding indexes on a large table could be time consuming. >> >> Dirty secret - MySQL latin-1 tables will happily store and retrieve >> utf-8 data. They won't sort it correctly, though I believe they will >> sort it consistently. >> >> So even if your MySQL was compiled without unicode support, you can >> put utf-8 in and get utf-8 out. >> >> Of course, if you're going to take the trouble to convert, you should >> do it right. >> _______________________________________________ >> New York PHP Users Group Community Talk Mailing List >> http://lists.nyphp.org/mailman/listinfo/talk >> >> http://www.nyphp.org/Show-Participation >> > > > _______________________________________________ > New York PHP Users Group Community Talk Mailing List > http://lists.nyphp.org/mailman/listinfo/talk > > http://www.nyphp.org/Show-Participation > -- IM/iChat: ejpusa Links: http://del.icio.us/ejpusa Follow me: http://www.twitter.com/ejpusa Karma: http://www.coderswithconscience.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From edwardpotter at gmail.com Thu May 6 14:01:30 2010 From: edwardpotter at gmail.com (Edward Potter) Date: Thu, 6 May 2010 14:01:30 -0400 Subject: [nycphp-talk] utf-8, iso-8859-1... In-Reply-To: References: <550842.1872.qm@web114314.mail.gq1.yahoo.com> Message-ID: woops sorry that's ed. precursor to vi. http://en.wikipedia.org/wiki/Vi On Thu, May 6, 2010 at 1:56 PM, Edward Potter wrote: > I highly recommend u scale up from Dreamweaver, and use an editor, TextMate > is probably the best, but zillions out there. Yes I know it works fine, but > you will never move to Guru status with DW. Just my 2 rupee's. The leap is > pretty painless. > > Grasshopper! => Guru => God => Grasshopper! 
> Dreamweaver => TextMate => vi => e > > > > On Thu, May 6, 2010 at 1:09 PM, Mona Borham wrote: > >> Well sometimes also you should changes the page encoding to UTF-8 which I >> can't modify as I know except through DreamWeaver and I wanted to know if >> there is a shortcut for this process rather than opening all the project >> files and modify the page properties. If anyone has idea please provide us >> with it. >> >> Thanks, >> Mona >> >> >> >> On Thu, May 6, 2010 at 7:59 PM, Chris Snyder wrote: >> >>> On Thu, May 6, 2010 at 12:26 PM, Anthony Wlodarski >>> wrote: >>> > I second, full UTF-8 is awesome down the line for internationalization. >>> > First see if MySQL even supports UTF-8 on your system, execute: "SHOW >>> > CHARACTER SET;" and utf8 should appear in the list. Then "ALTER TABLE >>> > tbl_name CONVERT TO CHARACTER SET charset_name COLLATION >>> collation_name;". >>> > Since I have not done this myself I can't verify that it will rebuild >>> > indexes on the table, I don't think it should but might want to look >>> into >>> > that as rebuilding indexes on a large table could be time consuming. >>> >>> Dirty secret - MySQL latin-1 tables will happily store and retrieve >>> utf-8 data. They won't sort it correctly, though I believe they will >>> sort it consistently. >>> >>> So even if your MySQL was compiled without unicode support, you can >>> put utf-8 in and get utf-8 out. >>> >>> Of course, if you're going to take the trouble to convert, you should >>> do it right. 
>>>
>>
>>
>
> --
> IM/iChat: ejpusa
> Links: http://del.icio.us/ejpusa
> Follow me: http://www.twitter.com/ejpusa
> Karma: http://www.coderswithconscience.com
>

--
IM/iChat: ejpusa
Links: http://del.icio.us/ejpusa
Follow me: http://www.twitter.com/ejpusa
Karma: http://www.coderswithconscience.com

From jcampbell1 at gmail.com Thu May 6 14:08:24 2010
From: jcampbell1 at gmail.com (John Campbell)
Date: Thu, 6 May 2010 14:08:24 -0400
Subject: [nycphp-talk] Thoughts on encryption
In-Reply-To:
References:
Message-ID:

On Thu, May 6, 2010 at 1:15 PM, Anthony Papillion wrote:
> An attacker could determine an MD5 or SHA1 password through a simple
> dictionary attack. So, in essence, the encryption is useless.

Yes, current CUDA setups can calculate a billion SHA1's per second.
Dictionary attacks against salted hashes are pretty easy these days.

> My current method is to concatenate the username+password+username and
> then either MD5 or SHA1 that and store that as the password in the
> database.

This doesn't do very much. It is little more than a weak salt.

> But, really, is this any more secure to a sophisticated,
> thinking attacker?

Use bcrypt. It is tunable so you can make it so each hash check takes .1
seconds. This makes a dictionary attack a huge pain in the ass, but your
login page will still be plenty responsive.

> Perhaps the only way
> to mitigate the risk is to institute a 3 strikes policy (which pisses
> users off but is secure)

This is a DoS nightmare. I can trash your system by trying to sign in as
every user incorrectly 3 times. It is also completely orthogonal to the
hash choice. Hashing is so the attacker can't get the passwords if the
database is compromised.

> and to then change the user's password to some
> absolutely random 50 digit gobbledygook string of characters.

This is fine if you don't want people to use your system.

-John C.

From chsnyder at gmail.com Thu May 6 14:08:29 2010
From: chsnyder at gmail.com (Chris Snyder)
Date: Thu, 6 May 2010 14:08:29 -0400
Subject: [nycphp-talk] Thoughts on encryption
In-Reply-To:
References:
Message-ID:

On Thu, May 6, 2010 at 1:15 PM, Anthony Papillion wrote:
> So I've used encryption on a personal level and even on the server
> through SSL but I've not done much more in PHP than using either the
> MD5() or SHA1() functions on passwords. I tend to be a very paranoid
> type with user information and I'm constantly thinking about
> weaknesses in systems and how they could be exploited.
>
> My initial encryption method was to either md5 or SHA1 passwords, and
> stick them in the database. While I know it's difficult to 'reverse
> the sausage machine' on these encrypted strings, it's not impossible.
> An attacker could determine an MD5 or SHA1 password through a simple
> dictionary attack. So, in essence, the encryption is useless.
>
> My current method is to concatenate the username+password+username and
> then either MD5 or SHA1 that and store that as the password in the
> database. But, really, is this any more secure to a sophisticated,
> thinking attacker? Certainly, if I could think of it, they could, and
> it would again be trivial to write a script to execute a simple
> dictionary attack and figure out the password.
>
> I also know there are many other encryption methods out there but,
> isn't it true that *all* of them are compromisable by that simple
> manner or am I missing something critical here? Perhaps the only way
> to mitigate the risk is to institute a 3 strikes policy (which pisses
> users off but is secure) and to then change the user's password to some
> absolutely random 50 digit gobbledygook string of characters.
>
> Am I being overly paranoid here or are these valid concerns? Am I
> simply missing something?
>
> Thanks!
> Anthony
>

Standard practice is to add a salt before hashing the password so that
dictionary attacks don't work. The salt could be the userid, the creation
time of the record, or some other variable piece of information that the
system will always be able to find when authenticating the user. The salt
should ideally be unique to your system.

So your sha( $username . $password ) approach is fine, though
sha( $createdtime . $password ) would be even better -- the user might use
the same username and password in other systems, which would make the hash
identical, and could make the password easier to guess.

If you're designing the system now, sha-256 is probably a good idea. md5 and
sha-1 are considered broken in some circles, though not so much that you
would force an upgrade to an existing system.

Always use a one-way hash. Always use a variable salt that is unique to your
system.

You are not being overly paranoid. ;-)

From nick.ilyin at gmail.com Thu May 6 14:14:22 2010
From: nick.ilyin at gmail.com (Nicholas Ilyin)
Date: Thu, 6 May 2010 14:14:22 -0400
Subject: [nycphp-talk] Thoughts on encryption
In-Reply-To:
References:
Message-ID:

Hi Anthony,

In theory, no hashing function will ever be free from brute force attacks,
but this is a matter of how long one is willing to perform a brute force
attack to find the variable (a password) in a one-way hashing function. In
practice, some hashing functions have clear security flaws while others are
not yet known to have any.

In your example it is best to stay away from MD5 as there are serious
security issues with it.

SHA-1 is still a safe hashing function to use. You may find papers on the
internet that state that there was progress in finding collisions or
algorithmic strategies in significantly reducing the security of SHA-1, but
I have yet to see a solution that does not require astronomical computation
to render SHA-1 insecure.

However, appending any plaintext to your password and hashing that, such as
SHA(username+password+username), is useless from a mathematical standpoint
as the username is actually known to a potential hacker. The way that hash
functions work would mean that adding any additional bits which are known
will not increase the security of your resulting hash.

When you mention that "all are compromisable by that simple manner" I have
to disagree. Although you are correct in saying that a brute force attack is
possible, a good encryption/hashing function will require so many
computations that even super computers would need to run for years to
actually break your encryption.

Here are some recommendations that will increase the security of your
passwords:

1. Use a password strength checker which would not allow dictionary words to
be used for passwords. This eliminates a dictionary attack and requires
brute force.
2. Require long passwords, such as over 10 characters. Each character is 8
bits of information which can significantly reduce the chance of a collision
with a brute force attack.
3. Prevent automated attacks by locking down the account after 3 attempts or
so. Computation is orders of magnitude faster than a lockout time of 10
minutes, which will render any brute force attack completely useless in this
case.
4. Never allow an open connection on your DB server to the world, even if
you have 30 character passwords to access your SQL server. You should
tightly lock down any and all access to your SQL server so that there is
very minimal access (such as from a web server).

Hope this helps,

Nick

On Thu, May 6, 2010 at 1:15 PM, Anthony Papillion wrote:
> So I've used encryption on a personal level and even on the server
> through SSL but I've not done much more in PHP than using either the
> MD5() or SHA1() functions on passwords. I tend to be a very paranoid
> type with user information and I'm constantly thinking about
> weaknesses in systems and how they could be exploited.
>
> My initial encryption method was to either md5 or SHA1 passwords, and
> stick them in the database. While I know it's difficult to 'reverse
> the sausage machine' on these encrypted strings, it's not impossible.
> An attacker could determine an MD5 or SHA1 password through a simple
> dictionary attack. So, in essence, the encryption is useless.
>
> My current method is to concatenate the username+password+username and
> then either MD5 or SHA1 that and store that as the password in the
> database. But, really, is this any more secure to a sophisticated,
> thinking attacker? Certainly, if I could think of it, they could, and
> it would again be trivial to write a script to execute a simple
> dictionary attack and figure out the password.
>
> I also know there are many other encryption methods out there but,
> isn't it true that *all* of them are compromisable by that simple
> manner or am I missing something critical here? Perhaps the only way
> to mitigate the risk is to institute a 3 strikes policy (which pisses
> users off but is secure) and to then change the user's password to some
> absolutely random 50 digit gobbledygook string of characters.
>
> Am I being overly paranoid here or are these valid concerns? Am I
> simply missing something?
>
> Thanks!
> Anthony
>
> Blog: www.cajuntechie.com
> Facebook: www.facebook.com/cajuntechie
> Twitter: www.twitter.com/cajuntechie
>

From sequethin at gmail.com Thu May 6 14:15:45 2010
From: sequethin at gmail.com (Sequethin)
Date: Thu, 06 May 2010 14:15:45 -0400
Subject: [nycphp-talk] Thoughts on encryption
In-Reply-To:
References:
Message-ID: <1273169745.2295.154.camel@mikeh-ubuntu>

Just happened to see this in my RSS feed from phpdeveloper.org...

http://www.webreference.com/programming/php/encryption_1/

Maybe relevant...

--Mike H

From chsnyder at gmail.com Thu May 6 14:16:51 2010
From: chsnyder at gmail.com (Chris Snyder)
Date: Thu, 6 May 2010 14:16:51 -0400
Subject: [nycphp-talk] Thoughts on encryption
In-Reply-To:
References:
Message-ID:

On Thu, May 6, 2010 at 2:08 PM, John Campbell wrote:
> Use bcrypt. It is tunable so you can make it so each hash check takes .1
> seconds. This makes a dictionary attack a huge pain in the ass, but
> your login page will still be plenty responsive.
>

This is excellent advice. You can also make your login routine require a
valid session cookie and sleep() for a second or two, though that ties up a
server process.

I believe the mod_security apache extension will also identify and prevent
brute-force attacks without DOSing your clumsy, forgetful users.
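An added example, not code from this thread, of the bcrypt approach John and Chris recommend above: a tunable cost factor so each check costs about a tenth of a second, plus a per-account delay that grows with failed attempts instead of the hard lockout John calls a DoS nightmare. It assumes PHP 7.1 or later for password_hash()/password_verify() and the typed signatures (this 2010 thread predates that API; the same $2y$ bcrypt scheme is reachable through crypt() on 5.3.7+). The failure counter is an in-memory array standing in for a database or cache, the account name and passwords are constructed, and every function name is this example's own.

```php
<?php
// Added example (not from the thread): bcrypt password storage with a
// tunable cost and a gentle per-account delay in place of a hard lockout.
// Assumes PHP >= 7.1 for password_hash()/password_verify() and typed
// signatures. All names below are this example's own.
declare(strict_types=1);

// Tune so one verification takes roughly 0.1 s on the login servers; each
// +1 doubles the work for you and for anyone who obtains the hashes.
// (Assumption: 12 is a sensible starting point on 2020s server hardware.)
const BCRYPT_COST = 12;

// Hash a new password. bcrypt generates a 128-bit random salt itself and
// embeds it, the cost and the algorithm id in the 60-character result, so
// there is no separate salt column to manage.
function store_password(string $password): string
{
    if (strlen($password) > 72) {
        // bcrypt silently ignores bytes past 72; refuse rather than truncate.
        throw new InvalidArgumentException('password longer than 72 bytes');
    }
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// Verify a login attempt. The salt and cost are read back out of the stored
// string, and the comparison is constant-time.
function check_password(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// After a successful login, transparently upgrade hashes made at a lower
// cost so BCRYPT_COST can be raised over the years without password resets.
function maybe_rehash(string $password, string $stored): ?string
{
    $opts = ['cost' => BCRYPT_COST];
    return password_needs_rehash($stored, PASSWORD_BCRYPT, $opts)
        ? store_password($password)
        : null;
}

// Seconds one verification costs at a given cost factor; run once on the
// production hardware to pick BCRYPT_COST.
function seconds_per_verify(int $cost): float
{
    $hash  = password_hash('timing-probe', PASSWORD_BCRYPT, ['cost' => $cost]);
    $start = microtime(true);
    password_verify('timing-probe', $hash);
    return microtime(true) - $start;
}

// Delay to apply before answering a login for this account: grows with
// consecutive failures but is capped, so a flood of bad logins slows an
// attacker down without locking the real user out.
function login_delay_seconds(array $failures, string $user): int
{
    $n = $failures[$user] ?? 0;
    return min(2 ** $n - 1, 8);   // 0, 1, 3, 7, 8, 8, ...
}

// One login attempt; $failures maps account name to consecutive failures
// (in-memory here as an assumption; a deployment keeps it in the DB or a cache).
function attempt_login(array &$failures, string $user, string $password, string $stored): bool
{
    sleep(login_delay_seconds($failures, $user));   // the sleep() idea from Chris's post
    if (check_password($password, $stored)) {
        unset($failures[$user]);
        return true;
    }
    $failures[$user] = ($failures[$user] ?? 0) + 1;
    return false;
}

// Demo with a constructed account and constructed passwords.
$failures = [];
$stored   = store_password('correct horse battery staple');
var_dump(attempt_login($failures, 'alice', 'password1', $stored));
var_dump(attempt_login($failures, 'alice', 'correct horse battery staple', $stored));
var_dump(maybe_rehash('correct horse battery staple', $stored));
printf("cost %d: %.3f s per verify\n", BCRYPT_COST, seconds_per_verify(BCRYPT_COST));
```

The length check exists because bcrypt only consumes the first 72 bytes of its input. Raising BCRYPT_COST later needs no migration: password_verify() honours whatever cost is stored in each hash, and maybe_rehash() replaces old hashes one by one as users next log in successfully.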
From chsnyder at gmail.com Thu May 6 14:21:29 2010
From: chsnyder at gmail.com (Chris Snyder)
Date: Thu, 6 May 2010 14:21:29 -0400
Subject: [nycphp-talk] Thoughts on encryption
In-Reply-To:
References:
Message-ID:

On Thu, May 6, 2010 at 2:14 PM, Nicholas Ilyin wrote:
> However, appending any plaintext to your password and hashing that, such as
> SHA(username+password+username) is useless from a mathematical standpoint as
> the username is actually known to a potential hacker. The way that hash
> functions work would mean that adding any additional bits which are known
> will not increase the security of your resulting hash.
>

The attacker would need to generate a custom set of dictionary attacks that
include the username, so it's not entirely useless.

If they have the password hash, they have the database and, presumably,
everything else on the server. There are no secrets from that sort of
attacker.

From ioplex at gmail.com Thu May 6 14:25:30 2010
From: ioplex at gmail.com (Michael B Allen)
Date: Thu, 6 May 2010 14:25:30 -0400
Subject: [nycphp-talk] Thoughts on encryption
In-Reply-To:
References:
Message-ID:

On Thu, May 6, 2010 at 1:15 PM, Anthony Papillion wrote:
> So I've used encryption on a personal level and even on the server
> through SSL but I've not done much more in PHP than using either the
> MD5() or SHA1() functions on passwords. I tend to be a very paranoid
> type with user information and I'm constantly thinking about
> weaknesses in systems and how they could be exploited.
>
> My initial encryption method was to either md5 or SHA1 passwords, and
> stick them in the database. While I know it's difficult to 'reverse
> the sausage machine' on these encrypted strings, it's not impossible.
> An attacker could determine an MD5 or SHA1 password through a simple
> dictionary attack. So, in essence, the encryption is useless.
>
> My current method is to concatenate the username+password+username and
> then either MD5 or SHA1 that and store that as the password in the
> database. But, really, is this any more secure to a sophisticated,
> thinking attacker? Certainly, if I could think of it, they could, and
> it would again be trivial to write a script to execute a simple
> dictionary attack and figure out the password.
>
> I also know there are many other encryption methods out there but,
> isn't it true that *all* of them are compromisable by that simple
> manner or am I missing something critical here? Perhaps the only way
> to mitigate the risk is to institute a 3 strikes policy (which pisses
> users off but is secure) and to then change the user's password to some
> absolutely random 50 digit gobbledygook string of characters.
>
> Am I being overly paranoid here or are these valid concerns? Am I
> simply missing something?

Hi Anthony,

MD5 and SHA1 password hashes are considered weak. You are correct that if
someone got hold of your hashes they could use a dictionary of common
passwords to devise some of your users' passwords.

There are a few ways to deal with this. The simplest is to just force users
to create complicated passwords. Make them use passwords that are at least 8
characters and contain at least one digit and one non-alphanumeric
character. This makes a dictionary attack much less practical (but by no
means impossible if you have a lot of resources). The other way is to use a
hashing algorithm with a larger bitwidth. Another is to add a salt. Better
still, use all of these techniques.

One pedantic note: MD5 and SHA1 are not encryption algorithms. They are
hashing algorithms. With encryption you take plaintext and convert it to
ciphertext and then you can do the reverse and get the plaintext back. With
hashing you take plaintext and convert it to a hash which is just a random
bit of data, but of course given the same input you always get the same
output. But with a hash you cannot convert it back to plaintext.

Personally I recommend that you do not invent your own hashing algorithm. It
only creates an opportunity to make a mistake that can be exploited and it
does not increase security anywhere near as much as increasing the bitwidth.
Just use a standard hashing method so that passwords can be migrated, code
is understood and can be ported, etc.

I would recommend using SSHA256 which is computed as follows:

1. Convert the plaintext password to UTF-8. In PHP you can use iconv for this.

2. Generate an 8 byte random salt. In PHP you can use mt_rand for this.

3. Generate the SHA256 hash of the UTF-8 plaintext password + salt. In PHP 5
you can use hash_init('sha256'), then hash_update($utf8password) followed by
hash_update($salt) and hash_final to get the hash.

4. Concatenate the hash followed by the salt, convert the result to Base64
and then prefix it with the "{SSHA256}" label to get a result that looks
like:

  {SSHA256}1LzicRO5StQs9kSR4UvTZbgfyhiiknzwDUhKaAgXUEa1uyL/s1Pd/A==

Here's an example with real values and salt used so that you can check your
computations as you go:

  Plaintext:
  opensaysme

  Salt in Hexadecimal:
  B5 BB 22 FF B3 53 DD FC

  SHA256 Hash of Plaintext and Salt in Hexadecimal:
  D4 BC E2 71 13 B9 4A D4 2C F6 44 91 E1 4B D3 65
  B8 1F CA 18 A2 92 7C F0 0D 48 4A 68 08 17 50 46

  SSHA256 Text Representation (this is what you put in the DB):
  {SSHA256}1LzicRO5StQs9kSR4UvTZbgfyhiiknzwDUhKaAgXUEa1uyL/s1Pd/A==

Note that even though I show the values in hex for the purpose of this
message, all of the computations are done using binary, which means in PHP
you're going to need to write helper functions that use ord and chr quite a
bit.

This 256 salted password hash is standard and is understood by software like
LDAP servers. Combined with complex password requirements, this would
disappoint even a serious cracker.

If your system does not support sha256, do SSHA128 instead using the sha128
algorithm (aka sha1) + salt. Otherwise it is computed in exactly the same
way but of course it will only be 128 bits instead of 256. But at least
you'll have a salt which will greatly slow down a dictionary attack.

Mike

--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/

From vtbludgeon at gmail.com Thu May 6 15:13:59 2010
From: vtbludgeon at gmail.com (David Mintz)
Date: Thu, 6 May 2010 15:13:59 -0400
Subject: [nycphp-talk] utf-8, iso-8859-1...
In-Reply-To:
References: <550842.1872.qm@web114314.mail.gq1.yahoo.com>
Message-ID:

On Thu, May 6, 2010 at 12:59 PM, Chris Snyder wrote:
> On Thu, May 6, 2010 at 12:26 PM, Anthony Wlodarski wrote:
> > I second, full UTF-8 is awesome down the line for internationalization.
> > First see if MySQL even supports UTF-8 on your system, execute: "SHOW
> > CHARACTER SET;" and utf8 should appear in the list. Then "ALTER TABLE
> > tbl_name CONVERT TO CHARACTER SET charset_name COLLATION collation_name;".
> > Since I have not done this myself I can't verify that it will rebuild
> > indexes on the table, I don't think it should but might want to look into
> > that as rebuilding indexes on a large table could be time consuming.
>
> Dirty secret - MySQL latin-1 tables will happily store and retrieve
> utf-8 data. They won't sort it correctly, though I believe they will
> sort it consistently.
>
> So even if your MySQL was compiled without unicode support, you can
> put utf-8 in and get utf-8 out.
>
> Of course, if you're going to take the trouble to convert, you should
> do it right.
>

OK, thanks. I am gonna bite the bullet and try to do it right. Should there
be an "AddDefaultCharset utf-8" directive in my apache vhost config? How
about php.ini -- set default charset? I imagine the latter would override
the former but if you're serving any static (non-PHP) text/html...
--
Support real health care reform: http://phimg.org/
--
David Mintz
http://davidmintz.org/

From rick at click-rick.net Thu May 6 20:26:43 2010
From: rick at click-rick.net (Rick Retzko)
Date: Thu, 6 May 2010 20:26:43 -0400
Subject: [nycphp-talk] What's a good way to handle this?
In-Reply-To:
References:
Message-ID: <67592B2FEA6948E2BC67B644356DE424@home>

_____
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On Behalf Of Anthony Papillion
Sent: Thursday, May 06, 2010 11:36 AM
To: NYPHP Talk
Subject: [nycphp-talk] What's a good way to handle this?

Hello Everyone,

As some of you may know, during last year's Presidential protests in Iran, I
developed a distributed, multi-level, Twitter proxy service called TweetFree.
For the first time in almost a year, I'm revisiting the code in an effort to
update it and make it more useful for people outside of Iran but still in
oppressive cultures.

The system has several components: a Windows Mobile, iPhone, Android, and
Blackberry application that connects to a TweetFree Relay server, the
TweetFree Relay Server itself, and the main TweetFree Network Servers. How
this all works together is unimportant so I won't bore you with the details.

Now, the TweetFree Network Servers maintain a network block list. So every
time the Relay Servers send a post, the Network Server checks to make sure
the client that the relay is posting for isn't blocked from the network. If
it is, it says no and the relay tells the client that it couldn't post its
message. The problem with this, of course, is that you might have thousands
of Relay Servers hitting the Network Servers (as happened during the Iranian
election) and each of those requests has to be processed. That puts a bit of
a load on the server that I'd like to alleviate.

So my thought is to maintain a blacklist of client keys on the Network
Servers and have the Relay Servers download this list every few minutes.
Then, clients could be blocked at the RELAY level instead of at the Network
level and less load would be put on the Network Servers (of which there are
only about 10).

My problem is that I'm not sure how to protect this list. The list is a
simple text file that contains client keys. No identifying information, but
client keys nonetheless. If it's a .txt file then the contents are viewable
publicly which *could* pose a security risk in highly volatile environments.
If I name it with the .php extension, it's handled like a PHP file and,
thus, the text in it can't be read.

What is the best way to handle this? I need to protect the users' privacy
while still reducing network load.

Any ideas?

Thanks!
Anthony Papillion

It may not be the best way, but I use
AES_ENCRYPT/AES_DECRYPT($salted_value,$password) along with a salted value
for all of my user-identifiable data. It is a bit more work on the SQL end
of things, but keeps the data safe within the database unless a hacker could
figure out both the salt expression as well as the password.

From edwardpotter at gmail.com Thu May 6 20:43:40 2010
From: edwardpotter at gmail.com (Edward Potter)
Date: Thu, 6 May 2010 20:43:40 -0400
Subject: [nycphp-talk] What's a good way to handle this?
In-Reply-To:
References:
Message-ID:

May want to check in with these guys, Eric Raymond's group. VERY hardcore
hackers. They only emerge like once a year at DEFCON or HOPE. And hack *&^%
like this 24/7 the rest of the time. May be interested in what you are
doing. Seems to be in the same space.

>>> Welcome to NedaNet
This is the resource page for NedaNet, a network of hackers formed to
support the democratic revolution in Iran. Our mission is to help the
Iranian people by setting up networks of proxy servers, anonymizers, and any
other appropriate technologies that can enable them to communicate and
organize -- a network beyond the censorship or control of the Iranian
regime.
http://nedanet.org/
>>>

Besides encrypting, you want to be CONTINUOUSLY re-encrypting. Don't let it
get stale.

On Thu, May 6, 2010 at 11:36 AM, Anthony Papillion wrote:
> Hello Everyone,
>
> As some of you may know, during last year's Presidential protests in Iran, I
> developed a distributed, multi-level, Twitter proxy service called
> TweetFree. For the first time in almost a year, I'm revisiting the code in
> an effort to update it and make it more useful for people outside of Iran
> but still in oppressive cultures.
>
> The system has several components: a Windows Mobile, iPhone, Android, and
> Blackberry application that connects to a TweetFree Relay server, the
> TweetFree Relay Server itself, and the main TweetFree Network Servers. How
> this all works together is unimportant so I won't bore you with the details.
>
> Now, the TweetFree Network Servers maintain a network block list. So every
> time the Relay Servers send a post, the Network Server checks to make sure
> the client that the relay is posting for isn't blocked from the network. If
> it is, it says no and the relay tells the client that it couldn't post its
> message. The problem with this, of course, is that you might have thousands
> of Relay Servers hitting the Network Servers (as happened during the Iranian
> election) and each of those requests has to be processed. That puts a bit
> of a load on the server that I'd like to alleviate.
>
> So my thought is to maintain a blacklist of client keys on the Network
> Servers and have the Relay Servers download this list every few minutes.
> Then, clients could be blocked at the RELAY level instead of at the Network
> level and less load would be put on the Network Servers (of which there are
> only about 10).
>
> My problem is that I'm not sure how to protect this list. The list is a
> simple text file that contains client keys. No identifying information, but
> client keys nonetheless. If it's a .txt file then the contents are viewable
> publicly which *could* pose a security risk in highly volatile environments.
> If I name it with the .php extension, it's handled like a PHP file and,
> thus, the text in it can't be read.
>
> What is the best way to handle this? I need to protect the users' privacy
> while still reducing network load.
>
> Any ideas?
>
> Thanks!
> Anthony Papillion
>

--
IM/iChat: ejpusa
Links: http://del.icio.us/ejpusa
Follow me: http://www.twitter.com/ejpusa
Karma: http://www.coderswithconscience.com

From ben at projectskyline.com Thu May 6 20:54:03 2010
From: ben at projectskyline.com (Ben Sgro)
Date: Thu, 06 May 2010 20:54:03 -0400
Subject: [nycphp-talk] Thoughts on encryption
In-Reply-To:
References:
Message-ID: <4BE364AB.6050803@projectskyline.com>

Hello,

> Hi Anthony,
>
> MD5 and SHA1 password hashes are considered weak. You are correct that if
> someone got hold of your hashes they could use a dictionary of
> common passwords to devise some of your users' passwords.
>

It makes me laugh a little when people say MD5 or SHA1 is weak or broken.
If it's broken/weak then you shouldn't have much trouble getting the
original text from this:

5528684eb56e246101ffcd1c783a8f7d

or this:

58e231c3666adef0a18d97e3485caf33

or this:

d0708105f5a85704728118925646b1ca

> There are a few ways to deal with this.
> The simplest is to just force
> users to create complicated passwords. Make them use passwords that
> are at least 8 characters and contain at least one digit and one
> non-alphanumeric character. This makes a dictionary attack much less
> practical (but by no means impossible if you have a lot of resources).
> The other way is to use a hashing algorithm with a larger bitwidth.
> Another is to add a salt. Better still, use all of these techniques.
>

Right - so MD5 is not weak. It's the user's password choice that is weak.
And a policy that enforces that users meet a minimum requirement is a start
to a much tougher system to crack; be it md5 hashes of passwords or
private/public key implementations - they are all flawed if the password
itself is easily guessed.

- Ben

From tedd.sperling at gmail.com Fri May 7 11:34:10 2010
From: tedd.sperling at gmail.com (tedd)
Date: Fri, 7 May 2010 11:34:10 -0400
Subject: [nycphp-talk] utf-8, iso-8859-1...
In-Reply-To:
References: <550842.1872.qm@web114314.mail.gq1.yahoo.com>
Message-ID:

At 1:56 PM -0400 5/6/10, Edward Potter wrote:
>I highly recommend u scale up from Dreamweaver, and use an editor,
>TextMate is probably the best, but zillions out there. Yes I know
>it works fine, but you will never move to Guru status with DW. Just
>my 2 rupees. The leap is pretty painless.
>

1+

I'll see your 2 rupees and raise one.

Those interested might try NetBeans; http://netbeans.org/downloads/

I went the Eclipse route and while it's an excellent IDE, it was a bit of
overkill for *me*. NetBeans does what I want and does it easier.

I used both DW and GoLive (for IDE only, no WYSIWYG nonsense) and am
currently doing a complete conversion to NetBeans. I have lots of sites and
code to move over, but it's coming along quite nicely and much easier than I
thought.

Cheers,

tedd

--
-------
http://sperling.com
http://ancientstones.com
http://earthstones.com

From tedd.sperling at gmail.com Fri May 7 12:06:42 2010
From: tedd.sperling at gmail.com (tedd)
Date: Fri, 7 May 2010 12:06:42 -0400
Subject: [nycphp-talk] Thoughts on encryption
In-Reply-To:
References:
Message-ID:

>Hi Anthony,
>
>MD5 and SHA1 password hashes are considered weak. You are correct that if
>someone got hold of your hashes they could use a dictionary of
>common passwords to devise some of your users' passwords.
>
>There are a few ways to deal with this. The simplest is to just force
>users to create complicated passwords. Make them use passwords that
>are at least 8 characters and contain at least one digit and one
>non-alphanumeric character. This makes a dictionary attack much less
>practical (but by no means impossible if you have a lot of resources).
>The other way is to use a hashing algorithm with a larger bitwidth.
>Another is to add a salt. Better still, use all of these techniques.
>
>One pedantic note: MD5 and SHA1 are not encryption algorithms. They
>are hashing algorithms. With encryption you take plaintext and convert
>it to ciphertext and then you can do the reverse and get the plaintext
>back. With hashing you take plaintext and convert it to a hash which
>is just a random bit of data, but of course given the same input you
>always get the same output. But with a hash you cannot convert it back
>to plaintext.
>
>Personally I recommend that you do not invent your own hashing
>algorithm. It only creates an opportunity to make a mistake that can
>be exploited and it does not increase security anywhere near as much
>as increasing the bitwidth. Just use a standard hashing method so that
>passwords can be migrated, code is understood and can be ported, etc.
>
>I would recommend using SSHA256 which is computed as follows:
>
>1. Convert the plaintext password to UTF-8. In PHP you can use iconv for this.
>
>2. Generate an 8 byte random salt. In PHP you can use mt_rand for this.
>
>3. Generate the SHA256 hash of the UTF-8 plaintext password + salt. In
>PHP 5 you can use hash_init('sha256'), then hash_update($utf8password)
>followed by hash_update($salt) and hash_final to get the hash.
>
>4. Concatenate the hash followed by the salt, convert the result to
>Base64 and then prefix it with the "{SSHA256}" label to get a result
>that looks like:
>
> {SSHA256}1LzicRO5StQs9kSR4UvTZbgfyhiiknzwDUhKaAgXUEa1uyL/s1Pd/A==
>
>Here's an example with real values and salt used so that you can check
>your computations as you go:
>
> Plaintext:
> opensaysme
>
> Salt in Hexadecimal:
> B5 BB 22 FF B3 53 DD FC
>
> SHA256 Hash of Plaintext and Salt in Hexadecimal:
> D4 BC E2 71 13 B9 4A D4 2C F6 44 91 E1 4B D3 65
> B8 1F CA 18 A2 92 7C F0 0D 48 4A 68 08 17 50 46
>
> SSHA256 Text Representation (this is what you put in the DB):
> {SSHA256}1LzicRO5StQs9kSR4UvTZbgfyhiiknzwDUhKaAgXUEa1uyL/s1Pd/A==
>
>Note that even though I show the values in hex for the purpose of this
>message, all of the computations are done using binary, which means in
>PHP you're going to need to write helper functions that use ord and
>chr quite a bit.
>
>This 256 salted password hash is standard and is understood by
>software like LDAP servers. Combined with complex password
>requirements, this would disappoint even a serious cracker.
>
>If your system does not support sha256, do SSHA128 instead using the
>sha128 algorithm (aka sha1) + salt. Otherwise it is computed in
>exactly the same way but of course it will only be 128 bits instead of
>256. But at least you'll have a salt which will greatly slow down a
>dictionary attack.
>
>Mike

And even more excellent advice -- my notes on this are overflowing.
Cheers, tedd -- ------- http://sperling.com http://ancientstones.com http://earthstones.com From tedd.sperling at gmail.com Fri May 7 12:12:02 2010 From: tedd.sperling at gmail.com (tedd) Date: Fri, 7 May 2010 12:12:02 -0400 Subject: [nycphp-talk] Thoughts on encryption In-Reply-To: References: Message-ID: At 2:14 PM -0400 5/6/10, Nicholas Ilyin wrote: >Hi Anthony, > >In theory, no hashing function will ever be free from brute force >attacks, but this is a matter of how long one is willing to perform >a brute force attack to find the variable (a password) in a one-way >hashing function. In practice, some hashing functions have clear >security flaws while others are not yet known to have any. > >In your example it is best to stay away from MD5 as there are >serious security issues with it. > >SHA-1 is still a safe hashing function to use. You may find papers >on the internet that state that there was progress in finding >collisions or algorithmic strategies in significantly reducing the >security of SHA-1, but I am yet to see a solution that does not >require astronomical computation to render SHA-1 insecure. > >However, appending any plaintext to your password and hashing that, >such as SHA(username+password+username) is useless from a >mathematical standpoint as the username is actually known to a >potential hacker. The way that hash functions work would mean that >adding any additional bits which are known will not increase the >security of your resulting hash. > >When you mention that "all are comprimisable by that simple manner" >I have to disagree. Although you are correct in saying that a brute >force attack is possible, a good encryption/hashing function will >require so many computations that even super computers would need to >run for years to actually break your encryption. > >Here are some recommendations that will increase the security of >your passwords: > >1. 
Use a password strength checker which would not allow dictionary >words to be used for passwords. This eliminates a dictionary attack >and requires brute force. >2. Require long passwords, such as over 10 characters. Each >character is 8 bits of information which can significantly reduce >the chance of a collision with a brute force attack. >3. Prevent automated attacks by locking down the account after 3 >attempts or so. Computation is on orders faster than a lockout time >of 10 minutes which will render any brute force attack completely >useless in this case. >4. Never allow an open connection on your DB server to the world, >even if you have 30 character passwords to access your SQL server. >You should tightly lockdown any and all access to your SQL server so >that there is very minimal access (such as from a web server). > >Hope this helps, > >Nick Excellent advice. Saving a copy of it for my reference. Cheers, tedd -- ------- http://sperling.com http://ancientstones.com http://earthstones.com From arzala at gmail.com Fri May 7 23:47:48 2010 From: arzala at gmail.com (Anirudh Zala) Date: Sat, 8 May 2010 09:17:48 +0530 Subject: [nycphp-talk] utf-8, iso-8859-1... In-Reply-To: References: Message-ID: <201005080917.48382.arzala@gmail.com> On Thursday 06 May 2010 21:16:03 David Mintz wrote: > I don't really have a good understanding of issues around character sets, > encoding, what have you, though I am starting to work on it. > > My problem involves a MySQL database and accented characters such as those > you find in Spanish and French. My web server sends a "content-type: > text/html; charset=iso-8859-1" header and my docs have an equivalent meta > tag. My mysql's config says > > default-character-set = latin1 > character_set_server = latin1 > collation_server = latin1_general_ci Here in mysql's configuration files, you could permanently set utf-8 as default character set and collation so that for new databases/tables it will be taken automatically. 
At this level you have solved problem of storing and retrieving utf-8 data. > > and my data tables "SHOW CREATE" typically look like > > CREATE TABLE `people` ( > `id` smallint(5) unsigned NOT NULL AUTO_INCREMENT, > `lastname` varchar(40) COLLATE latin1_general_ci NOT NULL, > `firstname` varchar(40) COLLATE latin1_general_ci NOT NULL, > /* etc */ > ) ENGINE=MyISAM AUTO_INCREMENT=546 DEFAULT CHARSET=latin1 > COLLATE=latin1_general_ci You will need to convert existing data from latin1_* to utf8_* for consistent storage and retrieval of new and old data. > > So what's the problem? Generally there is none. Characters like ? and ? > render correctly. The snag I am hitting now is writing a regular expression > to whitelist the characters I can accept in proper names. I would think > that the regex > > /^[-a-zA-Z\xC0-\xFF ']+$/ > > would test for anything that isn't a "letter" in most western european > languages, or a space, or an apostrophe. But it is returning true (meaning > yes there is an illegal character) in the name Barcel?, where false is what > I would like to hear. Biggest problem with utf-8 data is text processing (sorting, searching, validation etc.) that is why full utf-8 support is lacking in many languages. But there extensions like mb_string, iconv and ICU which can be helpful in processing utf-8 data at satisfactory level. > > Would this regex work if the data were utf-8? Should I consider converting > everything and working in utf-8, and if so, how painful is it to convert a > MySQL database? My initial research suggests that it isn't painless. Yes, moreover you also need to change meta information in your web-pages to tell browser and server that your text is utf-8 encoded and not iso-8859... Finally your editor must be set to write you code/information in utf-8 format only. I don't think that at web server, OS and http level you need make any changes since now a days they have native support to handle utf-8 data. 
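Editor's note: an example added here, not code from the thread, showing why the byte-range regex in David's question rejects an accented name and what the Unicode-aware form Anirudh's advice leads to looks like. It is written for PHP 7 or later with the bundled PCRE. The byte values are certain; that David's string was UTF-8 encoded rather than ISO-8859-1 is the one explanation of his result that the example tests.

```php
<?php
// Added by the editor as a worked example; not code from the thread.
// Shows why /^[-a-zA-Z\xC0-\xFF ']+$/ rejects "Barceló" when the bytes are
// UTF-8, and a Unicode-aware replacement. Assumes PHP 7+.

// The regex from the thread: a byte-oriented character class.
const LATIN1_NAME_RE = '/^[-a-zA-Z\xC0-\xFF \']+$/';

// Unicode-aware version: \p{L} is any letter in any script, \p{M} is a
// combining mark (needed for decomposed forms such as "o" + U+0301). The
// /u modifier makes PCRE treat the subject as UTF-8 and fail on malformed input.
const UTF8_NAME_RE = '/^[-\p{L}\p{M} \']+$/u';

/**
 * True only when the whole string is allowed. Under /u, preg_match() returns
 * false (not 0) for malformed UTF-8, so compare strictly against 1; a loose
 * `if (!preg_match(...))` check would treat invalid bytes as "no match" too,
 * but `if (preg_match(...))` with a non-strict truthiness test is easy to get
 * wrong once the return value can be false.
 */
function name_is_clean(string $name, string $re): bool
{
    return preg_match($re, $name) === 1;
}

function to_hex(string $s): string
{
    return strtoupper(implode(' ', str_split(bin2hex($s), 2)));
}

// Constructed inputs. "Barcel\xC3\xB3" is "Barceló" in UTF-8;
// "Barcel\xF3" is the same name in ISO-8859-1.
$utf8   = "Barcel\xC3\xB3";
$latin1 = "Barcel\xF3";
$bad    = "Barcel\xC3";          // truncated multibyte sequence
$attack = "Robert'); DROP--";    // punctuation the whitelist never allowed

printf("%-16s %s\n", 'bytes (UTF-8)',   to_hex($utf8));    // 42 61 72 63 65 6C C3 B3
printf("%-16s %s\n", 'bytes (Latin-1)', to_hex($latin1));  // 42 61 72 63 65 6C F3

// The byte-range regex accepts the Latin-1 form but rejects the UTF-8 form:
// 0xB3, the second byte of ó, lies outside \xC0-\xFF.
var_dump(name_is_clean($latin1, LATIN1_NAME_RE));   // bool(true)
var_dump(name_is_clean($utf8,   LATIN1_NAME_RE));   // bool(false)

// The Unicode-aware regex accepts the UTF-8 form, rejects malformed input,
// rejects Latin-1 bytes (not valid UTF-8) and rejects the punctuation.
var_dump(name_is_clean($utf8,   UTF8_NAME_RE));     // bool(true)
var_dump(name_is_clean($bad,    UTF8_NAME_RE));     // bool(false)
var_dump(name_is_clean($latin1, UTF8_NAME_RE));     // bool(false)
var_dump(name_is_clean($attack, UTF8_NAME_RE));     // bool(false)
```

The regex only helps once every layer agrees on the encoding, which is the point of Anirudh's reply: the page served as UTF-8, the source files saved as UTF-8, and the connection and tables converted, for example with `ALTER TABLE people CONVERT TO CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci` and `SET NAMES utf8mb4` after connecting. Prefer utf8mb4 to MySQL's three-byte "utf8" so four-byte characters are not truncated on insert.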
Thanks Anirudh Zala From edwardpotter at gmail.com Sat May 8 02:05:17 2010 From: edwardpotter at gmail.com (Edward Potter) Date: Sat, 8 May 2010 02:05:17 -0400 Subject: [nycphp-talk] Thoughts on encryption In-Reply-To: References: Message-ID: And it comes down to exactly what you are trying to protect. If someone comes down and says, I'll chop off your head if you don't give me the key, and it's the firms salary data, the odds are u just may give in. It's probably on google anyway. Remember Mata Hari was able to get top secret data (encryption keys, codes, etc) as a spy in WW1. Just because. Well she was Mata Hari. :-) >>> The idea of an exotic dancer working as a lethal double agent, using her powers of seduction to extract military secrets from her many lovers fired the popular imagination, set the legend and made Mata Hari an enduring archetype of the femme fatale . All the advice given is great. Use standard, industry approved methods, and you'll be fine for 99.99% of what you'll need to accomplish. Also try to make it to HOPE in July, the GIANT Hacker conf. It's in NYC, it's pretty cool, even in the middle of July. :-) On Fri, May 7, 2010 at 12:12 PM, tedd wrote: > At 2:14 PM -0400 5/6/10, Nicholas Ilyin wrote: > >> Hi Anthony, >> >> In theory, no hashing function will ever be free from brute force attacks, >> but this is a matter of how long one is willing to perform a brute force >> attack to find the variable (a password) in a one-way hashing function. In >> practice, some hashing functions have clear security flaws while others are >> not yet known to have any. >> >> In your example it is best to stay away from MD5 as there are serious >> security issues with it. >> >> SHA-1 is still a safe hashing function to use. 
You may find papers on the >> internet that state that there was progress in finding collisions or >> algorithmic strategies in significantly reducing the security of SHA-1, but >> I am yet to see a solution that does not require astronomical computation to >> render SHA-1 insecure. >> >> However, appending any plaintext to your password and hashing that, such >> as SHA(username+password+username) is useless from a mathematical standpoint >> as the username is actually known to a potential hacker. The way that hash >> functions work would mean that adding any additional bits which are known >> will not increase the security of your resulting hash. >> >> When you mention that "all are comprimisable by that simple manner" I have >> to disagree. Although you are correct in saying that a brute force attack is >> possible, a good encryption/hashing function will require so many >> computations that even super computers would need to run for years to >> actually break your encryption. >> >> Here are some recommendations that will increase the security of your >> passwords: >> >> 1. Use a password strength checker which would not allow dictionary words >> to be used for passwords. This eliminates a dictionary attack and requires >> brute force. >> 2. Require long passwords, such as over 10 characters. Each character is 8 >> bits of information which can significantly reduce the chance of a collision >> with a brute force attack. >> 3. Prevent automated attacks by locking down the account after 3 attempts >> or so. Computation is on orders faster than a lockout time of 10 minutes >> which will render any brute force attack completely useless in this case. >> 4. Never allow an open connection on your DB server to the world, even if >> you have 30 character passwords to access your SQL server. You should >> tightly lockdown any and all access to your SQL server so that there is very >> minimal access (such as from a web server). 
>> >> Hope this helps,
>> >> Nick
>
> Excellent advice. Saving a copy of it for my reference.
>
> Cheers,
> tedd
> --
> -------
> http://sperling.com http://ancientstones.com http://earthstones.com
> _______________________________________________
> New York PHP Users Group Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
> http://www.nyphp.org/Show-Participation

--
IM/iChat: ejpusa
Links: http://del.icio.us/ejpusa
Follow me: http://www.twitter.com/ejpusa
Karma: http://www.coderswithconscience.com

From danielc at analysisandsolutions.com Mon May 10 10:21:38 2010
From: danielc at analysisandsolutions.com (Daniel Convissor)
Date: Mon, 10 May 2010 10:21:38 -0400
Subject: [nycphp-talk] MAMP or XAMPP ?
In-Reply-To:
References: <4BD67C6E.2020202@justinhileman.info>
Message-ID: <20100510142137.GA10831@panix.com>

Hi Anthony:

On Tue, Apr 27, 2010 at 10:11:09AM -0400, Anthony Wlodarski wrote:
> Tasksel is a package management tool for the meta packages that point to the most recent version of the software that exists in the stack. That way you don't have to piece together PHP5, MySQL, and Apache and their latest versions.

While tasksel is very handy, one must be very careful when using it. One time when hacking around on my then new Ubuntu 9.10 server box I chose to use tasksel to uninstall the mail server. To my surprise, it also removed my MySQL install.

--Dan

--
T H E A N A L Y S I S A N D S O L U T I O N S C O M P A N Y
data intensive web and database programming
http://www.AnalysisAndSolutions.com/
4015 7th Ave #4, Brooklyn NY 11232 v: 718-854-0335 f: 718-854-0409

From justin at justinhileman.info Mon May 10 12:11:48 2010
From: justin at justinhileman.info (justin)
Date: Mon, 10 May 2010 12:11:48 -0400
Subject: [nycphp-talk] MAMP or XAMPP ?
In-Reply-To: References: Message-ID: On Sat, Apr 24, 2010 at 11:58 PM, Ajai Khattri wrote: > > Which is better ? > Sorry to resurrect a dying thread, but I've changed my mind. I used to use MAMP on my local box, then I switched to XAMPP... And then I needed MongoDB on my local box, and MAMP/XAMPP stopped being sufficient. But it turns out OS X does a pretty killer job of being a UNIX box all by itself. I've converted to native Apache, PHP, MySQL and Mongo -- the latter two compiled from source, courtesy of Homebrew. It takes about 10 minutes to set up, and is much awesomer (as long as you're comfortable starting/stopping apache and mysql from the command line). Writeup here: http://justinhileman.info/lamp-osx -- justin http://justinhileman.com From mitch.pirtle at gmail.com Mon May 10 16:59:05 2010 From: mitch.pirtle at gmail.com (Mitch Pirtle) Date: Mon, 10 May 2010 16:59:05 -0400 Subject: [nycphp-talk] MAMP or XAMPP ? In-Reply-To: References: Message-ID: Link tweeted. :-) -- Mitch, really thinking seriously about homebrew this time On Mon, May 10, 2010 at 12:11 PM, justin wrote: > On Sat, Apr 24, 2010 at 11:58 PM, Ajai Khattri wrote: >> >> Which is better ? >> > > > Sorry to resurrect a dying thread, but I've changed my mind. I used to > use MAMP on my local box, then I switched to XAMPP... And then I > needed MongoDB on my local box, and MAMP/XAMPP stopped being > sufficient. > > But it turns out OS X does a pretty killer job of being a UNIX box all > by itself. > > I've converted to native Apache, PHP, MySQL and Mongo -- the latter > two compiled from source, courtesy of Homebrew. > > It takes about 10 minutes to set up, and is much awesomer (as long as > you're comfortable starting/stopping apache and mysql from the command > line). 
> > Writeup here: > > http://justinhileman.info/lamp-osx > > > -- > justin > http://justinhileman.com > _______________________________________________ > New York PHP Users Group Community Talk Mailing List > http://lists.nyphp.org/mailman/listinfo/talk > > http://www.nyphp.org/Show-Participation > From steve at sbritton.com Mon May 10 18:05:59 2010 From: steve at sbritton.com (Stephen Britton) Date: Mon, 10 May 2010 18:05:59 -0400 Subject: [nycphp-talk] MAMP or XAMPP ? In-Reply-To: References: Message-ID: Thank you Justin! I just followed your excellent instructions and I have retired MAMP. Now I'm going to stay up late with Mongo. On Mon, May 10, 2010 at 12:11 PM, justin wrote: > On Sat, Apr 24, 2010 at 11:58 PM, Ajai Khattri wrote: >> >> Which is better ? >> > > > Sorry to resurrect a dying thread, but I've changed my mind. I used to > use MAMP on my local box, then I switched to XAMPP... And then I > needed MongoDB on my local box, and MAMP/XAMPP stopped being > sufficient. > > But it turns out OS X does a pretty killer job of being a UNIX box all > by itself. > > I've converted to native Apache, PHP, MySQL and Mongo -- the latter > two compiled from source, courtesy of Homebrew. > > It takes about 10 minutes to set up, and is much awesomer (as long as > you're comfortable starting/stopping apache and mysql from the command > line). > > Writeup here: > > http://justinhileman.info/lamp-osx > > > -- > justin > http://justinhileman.com > _______________________________________________ > New York PHP Users Group Community Talk Mailing List > http://lists.nyphp.org/mailman/listinfo/talk > > http://www.nyphp.org/Show-Participation > -- Stephen Britton Technology Consultant Internet / VoIP / Tech Support e-mail: sbritton at gmail.com cell phone: 914-661-0040 From justin at justinhileman.info Mon May 10 21:15:49 2010 From: justin at justinhileman.info (justin) Date: Mon, 10 May 2010 21:15:49 -0400 Subject: [nycphp-talk] MAMP or XAMPP ? 
In-Reply-To: References: Message-ID: On Mon, May 10, 2010 at 4:59 PM, Mitch Pirtle wrote: > Link tweeted. :-) > > -- Mitch, really thinking seriously about homebrew this time > Thanks for the tweet! You **should** think seriously about homebrew... Just add this to the end of the list and you're set: brew install lighttpd memcached :) -- justin http://justinhileman.com From oneofthosed3afmutes at yahoo.com Mon May 10 21:48:54 2010 From: oneofthosed3afmutes at yahoo.com (Anthony Wlodarski) Date: Mon, 10 May 2010 18:48:54 -0700 (PDT) Subject: [nycphp-talk] MAMP or XAMPP ? In-Reply-To: <20100510142137.GA10831@panix.com> References: <4BD67C6E.2020202@justinhileman.info> <20100510142137.GA10831@panix.com> Message-ID: <609960.23059.qm@web114308.mail.gq1.yahoo.com> This is correct. If you ever have questions about tasksel packages as part of a task execute the following: "tasksel --task-packages mail-server". For example I used the mail-server task and it gave me a list of packages it was going to remove. dovecot-imapd procmail dovecot-common libpth20 postfix libgpgme11 libmysqlclient16 mutt ssl-cert bsd-mailx dovecot-pop3d libpq5 mysql-common As you can see it would remove mysql cli and client libraries (as with Daniel's use case) which are also shared with lamp-server. Testing you could execute "tasksel --task-packages lamp-server" and you will see the conflicting packages. As a fall back then you manually go one by one with "sudo apt-get remove". Which is still a relatively painless task. Tomorrow I am going to get on Ubuntu Launchpad and add a feature request for tasksel to consider dependencies from other tasks installed on the system and allow you to exclude or include cross referenced packages. -Anthony ________________________________ From: Daniel Convissor To: NYPHP Talk Sent: Mon, May 10, 2010 10:21:38 AM Subject: Re: [nycphp-talk] MAMP or XAMPP ? 
Hi Anthony:

On Tue, Apr 27, 2010 at 10:11:09AM -0400, Anthony Wlodarski wrote:
> Tasksel is a package management tool for the meta packages that point to the most recent version of the software that exists in the stack. That way you don't have to piece together PHP5, MySQL, and Apache and their latest versions.

While tasksel is very handy, one must be very careful when using it. One time when hacking around on my then new Ubuntu 9.10 server box I chose to use tasksel to uninstall the mail server. To my surprise, it also removed my MySQL install.

--Dan

--
T H E A N A L Y S I S A N D S O L U T I O N S C O M P A N Y
data intensive web and database programming
http://www.AnalysisAndSolutions.com/
4015 7th Ave #4, Brooklyn NY 11232 v: 718-854-0335 f: 718-854-0409

From danielc at analysisandsolutions.com Mon May 10 22:45:21 2010
From: danielc at analysisandsolutions.com (Daniel Convissor)
Date: Mon, 10 May 2010 22:45:21 -0400
Subject: [nycphp-talk] What's a good way to handle this?
In-Reply-To:
References:
Message-ID: <20100511024521.GA6121@panix.com>

Hi Anthony:

On Thu, May 06, 2010 at 10:36:20AM -0500, Anthony Papillion wrote:
>
> So my thought is to maintain a blacklist of client keys on the Network Servers and have the Relay Servers download this list every few minutes.
...
> My problem is that I'm not sure how to protect this list.

The list could be put in an SSL protected (or similarly Apache *Auth) portion of the website which requires a username/password/key to access.
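Editor's note: Dan's suggestion (an authenticated, SSL-only download) in code, with an integrity check on the relay side added, as an example that is not code from the thread or from the TweetFree project. It assumes PHP 7.1 or later with ext/curl; the header names, the relay key table and the file path are illustrative. One point worth making explicit: a list kept under the document root with a .php extension stays hidden only as long as the PHP handler is configured for it, whereas a file outside the web root that is read by a script which first authenticates the caller does not depend on that.

```php
<?php
// Added by the editor as a worked example; not code from the thread.
// Network-server side: serve the block list only to a relay that proves it
// holds its key, and sign the body so the relay can detect tampering.
// Relay side: verify before trusting the download. Assumes PHP 7.1+ with ext/curl.
// Header names, the relay key table and LIST_PATH are illustrative.

const LIST_PATH = '/srv/tweetfree/blocklist.txt';   // outside the web root; no URL maps to it

/**
 * Network-server side. Returns [status, headers, body]. In production the
 * body comes from file_get_contents(LIST_PATH). hash_equals() compares in
 * constant time so response timing does not leak the relay key byte by byte.
 */
function serve_blocklist(array $requestHeaders, string $listBody, array $relayKeys): array
{
    $id  = $requestHeaders['X-Relay-Id']  ?? '';
    $key = $requestHeaders['X-Relay-Key'] ?? '';
    if (!isset($relayKeys[$id]) || !hash_equals($relayKeys[$id], $key)) {
        return [403, [], ''];
    }
    $sig = hash_hmac('sha256', $listBody, $relayKeys[$id]);
    return [200, ['Content-Type' => 'text/plain', 'X-List-Signature' => $sig], $listBody];
}

/**
 * Relay side. Accepts the download only if the signature checks out and
 * turns it into a set keyed by client key for O(1) lookups at post time.
 */
function accept_blocklist(int $status, array $headers, string $body, string $myKey): ?array
{
    if ($status !== 200 || !isset($headers['X-List-Signature'])) {
        return null;
    }
    if (!hash_equals(hash_hmac('sha256', $body, $myKey), $headers['X-List-Signature'])) {
        return null;   // modified in transit, or signed with someone else's key
    }
    $keys = preg_split('/\R/', $body, -1, PREG_SPLIT_NO_EMPTY);
    return array_fill_keys($keys, true);
}

/**
 * How a relay actually fetches it: HTTPS only, peer certificate verified,
 * no redirects followed, short timeout. Returns [status, headers, body] in
 * the shape accept_blocklist() expects. Not called in the offline demo below.
 */
function fetch_blocklist(string $url, string $id, string $key): array
{
    $headers = [];
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_HTTPHEADER     => ["X-Relay-Id: $id", "X-Relay-Key: $key"],
        CURLOPT_HEADERFUNCTION => function ($ch, string $line) use (&$headers): int {
            if (strpos($line, ':') !== false) {
                [$name, $value] = explode(':', $line, 2);
                $headers[trim($name)] = trim($value);
            }
            return strlen($line);
        },
    ]);
    $body   = curl_exec($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    return [$status, $headers, (string) $body];
}

// Demo: both sides in one process, with constructed data instead of LIST_PATH.
$list      = "clientkey-aaaa\nclientkey-bbbb\n";                   // constructed
$relayKeys = ['relay-01' => 'constructed-secret-for-relay-01'];    // constructed

[$st, $hd, $body] = serve_blocklist(['X-Relay-Id' => 'relay-01', 'X-Relay-Key' => 'guess'], $list, $relayKeys);
var_dump($st);   // int(403): wrong key, nothing served

[$st, $hd, $body] = serve_blocklist(['X-Relay-Id' => 'relay-01', 'X-Relay-Key' => $relayKeys['relay-01']], $list, $relayKeys);
$blocked = accept_blocklist($st, $hd, $body, $relayKeys['relay-01']);
var_dump(isset($blocked['clientkey-aaaa']), isset($blocked['clientkey-zzzz']));   // true, false

// An extra line appended on the wire invalidates the signature.
var_dump(accept_blocklist($st, $hd, $body . "clientkey-zzzz\n", $relayKeys['relay-01']));   // NULL
```

The per-relay key does two jobs here: it gates the download, and it keys the HMAC, so a relay that is later removed from the key table can neither fetch the list nor forge one for others. Rotating a key is then a matter of updating one table entry on the network servers.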
Keep up the good work, --Dan -- T H E A N A L Y S I S A N D S O L U T I O N S C O M P A N Y data intensive web and database programming http://www.AnalysisAndSolutions.com/ 4015 7th Ave #4, Brooklyn NY 11232 v: 718-854-0335 f: 718-854-0409 From rolan at omnistep.com Mon May 10 23:53:23 2010 From: rolan at omnistep.com (Rolan Yang) Date: Mon, 10 May 2010 23:53:23 -0400 Subject: [nycphp-talk] What's a good way to handle this? In-Reply-To: References: Message-ID: <4BE8D4B3.5080609@omnistep.com> On 5/6/2010 11:36 AM, Anthony Papillion wrote: > ... > Now, the TweetFree Network Servers maintain a network block list. So > every time the Relay Servers send a post, the Network Server checks to > make sure the client that the relay is posting for isn't blocked from > the network. If it is, it says no and the relay tells the client that > it couldn't post its message. The problem with this, of course, is > that you might have thousands of Relay Servers hitting the Network > Servers (as happened during the Iranian election) and each of those > requests have to be processed. That puts a bit of a load on the server > that I'd like to alleviate. > > So my thought is to maintain a blacklist of client keys on the Network > Servers and have the Relay Servers download this list every few > minutes. Then, clients could be blocked at the RELAY level instead of > at the Network level and less load would be put on the Network Servers > (of which there are only about 10). > > My problem is that I'm not sure how to protect this list. The list is > a simple text file that contains client keys. No identifying > information, but client keys nonetheless. If it's a .txt file then the > contents are viewable publicly which *could* pose a security risk in > highly volatile environments. If I name it with the .php extension, > it's handled like a PHP file and, thus, the text in it can't be read. > ... I would suggest mirroring the infrastructure of spam DNS Real-time Blackhole lists. 
The technology has already been proven and you would just be re purposing it for your own application. Rather than have the relay servers download an entire list, have them query a pool of private DNS Blacklist servers on demand and maybe even cache the data for a period of time. ~Rolan From ajai at bitblit.net Tue May 11 15:42:28 2010 From: ajai at bitblit.net (Ajai Khattri) Date: Tue, 11 May 2010 15:42:28 -0400 (EDT) Subject: [nycphp-talk] MAMP or XAMPP ? In-Reply-To: Message-ID: On Mon, 10 May 2010, justin wrote: > But it turns out OS X does a pretty killer job of being a UNIX box all > by itself. Yep - its why I think Windows sucks as a development platform compared to Mac IMHO. Building from source is definately the way to go. -- Aj. From lists at zaunere.com Fri May 14 13:30:53 2010 From: lists at zaunere.com (Hans Zaunere) Date: Fri, 14 May 2010 13:30:53 -0400 Subject: [nycphp-talk] Plagiarism Checker in PHP In-Reply-To: References: <00aa01caea21$138cdee0$3aa69ca0$@com> Message-ID: <02b101caf38b$34a4a6d0$9dedf470$@com> > Actually turnitin.com, a website where students turn in schoolwork, > checks for plagiarism and from what I understand does a pretty good > job. They compare both student-to-student and student-to-literature. > I'm not sure how they pull it off, probably a proprietary algorithm > that tries to match student submissions against their database of > content where no match = no plagiarism. It seems like a mammoth task > though. Turnitin.com actually crawls academic journals, books, etc. to > populate their database. > > If you're interested only in comparing submissions to your site against > one another that may be more manageable. If on the other hand you want > to compare against online/print content in general then that will prove > a real challenge. Finally, if you have the money maybe you can register > with turnitin.com - although my impression is that their primarily for > universities/colleges. 
> > http://turnitin.com/static/index.html

Interesting, didn't realize stuff like this was out there...

And anyway, I thought this appropriate on this thread for a Friday:

http://www.techdirt.com/articles/20100514/0133339425.shtml

H

From edwardpotter at gmail.com Fri May 14 16:16:26 2010
From: edwardpotter at gmail.com (Edward Potter)
Date: Fri, 14 May 2010 16:16:26 -0400
Subject: [nycphp-talk] Plagiarism Checker in PHP
In-Reply-To: <02b101caf38b$34a4a6d0$9dedf470$@com>
References: <00aa01caea21$138cdee0$3aa69ca0$@com> <02b101caf38b$34a4a6d0$9dedf470$@com>
Message-ID:

slight topic drift, but what the heck ... on the topic of Plagiarism . . .

>>>

plagiarism? i thought it was called "Mixing and Sampling" now. :-)

leave it to the 17 year olds to re/define things, for the better of course! :-)

>>>

Author, 17, Says It's 'Mixing,' Not Plagiarism

Although Ms. Hegemann has apologized for not being more open about her sources, she has also defended herself as the representative of a different generation, one that freely mixes and matches from the whirring flood of information across new and old media, to create something new. "There's no such thing as originality anyway, just authenticity," said Ms. Hegemann in a statement released by her publisher after the scandal broke.

http://www.nytimes.com/2010/02/12/world/europe/12germany.html

On Fri, May 14, 2010 at 1:30 PM, Hans Zaunere wrote:
> > Actually turnitin.com, a website where students turn in schoolwork, checks for plagiarism and from what I understand does a pretty good job. They compare both student-to-student and student-to-literature. I'm not sure how they pull it off, probably a proprietary algorithm that tries to match student submissions against their database of content where no match = no plagiarism. It seems like a mammoth task though. Turnitin.com actually crawls academic journals, books, etc. to populate their database.
> > > > If you're interested only in comparing submissions to your site against one another that may be more manageable. If on the other hand you want to compare against online/print content in general then that will prove a real challenge. Finally, if you have the money maybe you can register with turnitin.com - although my impression is that their primarily for universities/colleges.
> >
> > http://turnitin.com/static/index.html
>
> Interesting, didn't realize stuff like this was out there...
>
> And anyway, I thought this appropriate on this thread for a Friday:
>
> http://www.techdirt.com/articles/20100514/0133339425.shtml
>
> H

--
IM/iChat: ejpusa
Links: http://del.icio.us/ejpusa
Follow me: http://www.twitter.com/ejpusa
Karma: http://www.coderswithconscience.com

From david at davidmintz.org Mon May 17 10:09:38 2010
From: david at davidmintz.org (David Mintz)
Date: Mon, 17 May 2010 10:09:38 -0400
Subject: [nycphp-talk] Plagiarism Checker in PHP
In-Reply-To:
References: <00aa01caea21$138cdee0$3aa69ca0$@com> <02b101caf38b$34a4a6d0$9dedf470$@com>
Message-ID:

On Fri, May 14, 2010 at 4:16 PM, Edward Potter wrote:
> slight topic drift, but what the heck ... on the topic of Plagiarism . . .
>
> >>>
>
> plagiarism? i thought it was called "Mixing and Sampling" now. :-)
>
> leave it to the 17 year olds to re/define things, for the better of course! :-)
>
> >>>
>
> Author, 17, Says It's 'Mixing,' Not Plagiarism
>
> Although Ms.
> Hegemann has apologized for not being more open about her sources, she has also defended herself as the representative of a different generation, one that freely mixes and matches from the whirring flood of information across new and old media, to create something new. "There's no such thing as originality anyway, just authenticity," said Ms. Hegemann in a statement released by her publisher after the scandal broke.
>
> http://www.nytimes.com/2010/02/12/world/europe/12germany.html
>

The irony is that these kids seem to think they are doing something new. The idea of authorship as a sort of sacred concept is pretty much a 19th century one. Prior to that it was like, no big deal to take a chunk of someone else's work and drop it into your own.

--
Support real health care reform: http://phimg.org/
--
David Mintz
http://davidmintz.org/

From brandon at challengepost.com Tue May 18 13:09:39 2010
From: brandon at challengepost.com (Brandon Kessler)
Date: Tue, 18 May 2010 13:09:39 -0400
Subject: [nycphp-talk] Thomson Reuters -- The StreetApps Challenge
Message-ID: <87230E9F-B8DC-4FF6-BB90-35AB73CB7ACA@challengepost.com>

Hi, quick note that there's a new developer challenge from Thomson Reuters called The StreetApps Challenge -- $25,000 plus prizes to create mobile apps for financial professionals. They're looking to strengthen their developer ecosystem and are providing new access to their APIs.

http://www.streetappschallenge.com/

Feel free to email us with any questions: info at challengepost.com

Thanks!

From matt at atopia.net Sat May 22 20:45:10 2010
From: matt at atopia.net (Matt Juszczak)
Date: Sat, 22 May 2010 20:45:10 -0400 (EDT)
Subject: [nycphp-talk] Where to store tmp files? Where to store generated files?
Message-ID:

Hi all,

I have a quick question.
I know in an application, if you need to create tmp files, it's probably best to use PHP's temporary file functions to create unique filenames in the location defined by php.ini/the environment. Is that correct? But in the case of needing to create files and store them for longer periods of time, where do you usually store them? I don't want to create a directory inside the code base, even if it is ignored by SVN. I also don't want to create the directory inside a system location, like /var, as I'd like the application to be kept separate from the system entirely. Storing the files inside MySQL is also an option, as that would be fairly portable and not require the use of an NFS mount in the future should the application grow large. What do you guys think? -Matt From justin at justinhileman.info Sat May 22 21:20:58 2010 From: justin at justinhileman.info (justin) Date: Sat, 22 May 2010 21:20:58 -0400 Subject: [nycphp-talk] Where to store tmp files? Where to store generated files? In-Reply-To: References: Message-ID: On Sat, May 22, 2010 at 8:45 PM, Matt Juszczak wrote: > Hi all, > > I have a quick question. ?I know in an application, if you need to create > tmp files, it's probably best to use PHP's temporary file functions to > create unique filenames in the location defined by php.ini/the environment. > ?Is that correct? > Yup. When doing this, remember that the POSIX standard requires than tmp files are removed at the end of the current program execution. In the case of PHP, this means that your file may (and should) disappear after the current page request is finished. > But in the case of needing to create files and store them for longer periods > of time, where do you usually store them? ?I don't want to create a > directory inside the code base, even if it is ignored by SVN. ?I also don't > want to create the directory inside a system location, like /var, as I'd > like the application to be kept separate from the system entirely. 
Storing > the files inside MySQL is also an option, as that would be fairly portable > and not require the use of an NFS mount in the future should the application > grow large. > > What do you guys think? Storing files in a DB is most likely a Bad Idea. I generally store files in the filesystem and paths in the DB. When the application grows large, it's a pretty easy transition to store files in the cloud (S3) and URLs in the DB. But where do these files belong? I usually go with a directory structure something like this: myprogram myprogram/app myprogram/tmp myprogram/var myprogram/web Then point apache at `/web`, put the app code in `/app`, put tmp files in `/tmp`, and put persistent app-writable files in `/var`. Then tell your SCM to ignore the contents of `/tmp` and `/var`. -- justin From rmarscher at beaffinitive.com Sat May 22 21:34:07 2010 From: rmarscher at beaffinitive.com (Rob Marscher) Date: Sat, 22 May 2010 21:34:07 -0400 Subject: [nycphp-talk] Where to store tmp files? Where to store generated files? In-Reply-To: References: Message-ID: On May 22, 2010, at 8:45 PM, Matt Juszczak wrote: > I know in an application, if you need to create tmp files, it's > probably best to use PHP's temporary file functions to create unique > filenames in the location defined by php.ini/the environment. Is > that correct? Yes. I agree with that. > But in the case of needing to create files and store them for longer > periods of time, where do you usually store them? What kind of files are they? I push user uploaded files to Amazon S3. That scales well. But not good if you need to keep writing to the files (unless your app runs on ec2). I'm not really into storing files in mysql because I work mysql hard enough as it is. What's your reason for not storing them somewhere in your codebase and ignoring them from source control? I don't see anything wrong with that. 
You can always rely on those locations existing which you probably can't for any other location on the system (unless your machines are all the same).

From matt at atopia.net Sat May 22 21:39:07 2010
From: matt at atopia.net (Matt Juszczak)
Date: Sat, 22 May 2010 21:39:07 -0400 (EDT)
Subject: [nycphp-talk] Where to store tmp files? Where to store generated files?
In-Reply-To:
References:
Message-ID:

> What's your reason for not storing them somewhere in your codebase and ignoring them from source control? I don't see anything wrong with that. You can always rely on those locations existing which you probably can't for any other location on the system (unless your machines are all the same).

Different dev environments with the need to share the files.

From garyamort at gmail.com Thu May 27 19:20:55 2010
From: garyamort at gmail.com (Gary Mort)
Date: Thu, 27 May 2010 19:20:55 -0400
Subject: [nycphp-talk] Github for Mercurial?
Message-ID:

Anyone know of a website like Github for Mercurial?

Specifically with the easy ability to not only clone/fork a project, but merge them back together and show them all.

For example, http://github.com/mbleigh/acts-as-taggable-on is great in that I can use the network tab to see who else is hacking on this code. If the main repo is stagnant for 6 months, I can find someone who has made other updates. Branches can be merged together to take bug fixes from multiple people. You can watch the network and see latest activity.

Etc.

Personally, Github by itself is reason enough to choose Git except trying to get it functional on windows is such a pain that I'm inclined to go with Mercurial instead.

From gatzby3jr at gmail.com Thu May 27 19:23:39 2010
From: gatzby3jr at gmail.com (Brian O'Connor)
Date: Thu, 27 May 2010 19:23:39 -0400
Subject: [nycphp-talk] Github for Mercurial?
In-Reply-To:
References:
Message-ID:

Take a look at http://bitbucket.org

Brian

On 5/27/10, Gary Mort wrote:
> Anyone know of a website like Github for Mercurial?
>
> Specifically with the easy ability to not only clone/fork a project, but
> merge them back together and show them all.
>
> For example, http://github.com/mbleigh/acts-as-taggable-on is great in that
> I can use the network tab to see who else is hacking on this code. If the
> main repo is stagnant for 6 months, I can find someone who has made other
> updates. Branches can be merged together to take bug fixes from multiple
> people. You can watch the network and see latest activity.
>
> Etc.
>
> Personally, Github by itself is reason enough to choose Git except trying to
> get it functional on windows is such a pain that I'm inclined to go with
> Mercurial instead.
>

--
Sent from my mobile device

Brian O'Connor

From ajai at bitblit.net Thu May 27 21:08:06 2010
From: ajai at bitblit.net (Ajai Khattri)
Date: Thu, 27 May 2010 21:08:06 -0400 (EDT)
Subject: [nycphp-talk] Github for Mercurial?
In-Reply-To:
Message-ID:

On Thu, 27 May 2010, Gary Mort wrote:
> Anyone know of a website like Github for Mercurial?

http://mercurial.selenic.com/wiki/MercurialHosting

--
Aj.

From zippy1981 at gmail.com Sun May 30 20:57:19 2010
From: zippy1981 at gmail.com (Justin Dearing)
Date: Sun, 30 May 2010 20:57:19 -0400
Subject: [nycphp-talk] A FBJS like Ajax proxy?
Message-ID:

Hi,

I've recently started working at an ad firm, and as such have been exposed to facebook development. One thing I discovered about facebook is their proxy for making cross domain ajax calls. Basically, the call is made server side, and the json or XML that is returned is returned through the proxy, which solves the cross domain issue.

Anyway, I often have to make such proxies for the sites we do, for various reasons. My proxies are generally of the one off type, but a "one size fits all" approach such as facebook's would be nice.
So I have two questions:

1. Is there a facebook like proxy for ajax calls that already exists?
2. The guy that gave the HipHop talk said "we don't open source more stuff because we don't know what people find useful". So does anyone know the right channel to make such a request?

Justin

From garyamort at gmail.com Mon May 31 13:25:34 2010
From: garyamort at gmail.com (Gary Mort)
Date: Mon, 31 May 2010 13:25:34 -0400
Subject: [nycphp-talk] A FBJS like Ajax proxy?
In-Reply-To:
References:
Message-ID:

You might want to take a look at Yahoo Pipes. Instead of defining an interface yourself, you can create a yahoo pipe for your current processes, and then access the pipe programmatically using any one of a number of classes already built for pulling from yahoo pipes.

On Sun, May 30, 2010 at 8:57 PM, Justin Dearing wrote:
> Hi,
>
> I've recently started working at an ad firm, and as such have been exposed
> to facebook development. One thing I discovered about facebook is their
> proxy for making cross domain ajax calls. Basically, the call is made server
> side, and the json or XML that is returned is returned through the proxy,
> which solves the cross domain issue.
>
> Anyway, I often have to make such proxies for the sites we do, for various
> reasons. My proxies are generally of the one off type, but a "one size fits
> all" approach such as facebook's would be nice. So I have two questions:
>
> 1. Is there a facebook like proxy for ajax calls that already exists?
> 2. The guy that gave the HipHop talk said "we don't open source more
> stuff because we don't know what people find useful" So does anyone know the
> right channel to make such a request.
>
> Justin
>
> _______________________________________________
> New York PHP Users Group Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> http://www.nyphp.org/Show-Participation
>

--
----
Hudson Valley Sudbury School
What GPL is for application users
Our school is for students
Help your children grow, change, and learn
Let your child direct, control, amend
Check out http://www.sudburyschool.org

From zippy1981 at gmail.com Mon May 31 14:01:31 2010
From: zippy1981 at gmail.com (Justin Dearing)
Date: Mon, 31 May 2010 14:01:31 -0400
Subject: [nycphp-talk] A FBJS like Ajax proxy?
In-Reply-To:
References:
Message-ID:

Ok, I will look at that, but can I have a yahoo pipe originate from my domain?

On May 31, 2010 1:26 PM, "Gary Mort" wrote:
> You might want to take a look at Yahoo Pipes. Instead of defining an
> interface yourself, you can create a yahoo pipe for your current processes,
> and then access the pipe programmatically using any one of a number of
> classes already built for pulling from yahoo pipes.
>
> On Sun, May 30, 2010 at 8:57 PM, Justin Dearing wrote:
>
>> Hi,
>>
>> I've recently started working at an ad firm, and as such have been exposed
>> to facebook development. One thing I discovered about facebook is their
>> proxy for making cross domain ajax calls. Basically, the call is made server
>> side, and the json or XML that is returned is returned through the proxy,
>> which solves the cross domain issue.
>>
>> Anyway, I often have to make such proxies for the sites we do, for various
>> reasons. My proxies are generally of the one off type, but a "one size fits
>> all" approach such as facebook's would be nice. So I have two questions:
>>
>> 1. Is there a facebook like proxy for ajax calls that already exists?
>> 2.
>> The guy that gave the HipHop talk said "we don't open source more
>> stuff because we don't know what people find useful" So does anyone know the
>> right channel to make such a request.
>>
>> Justin
>>
>> _______________________________________________
>> New York PHP Users Group Community Talk Mailing List
>> http://lists.nyphp.org/mailman/listinfo/talk
>>
>> http://www.nyphp.org/Show-Participation
>>
>
> --
> ----
> Hudson Valley Sudbury School
> What GPL is for application users
> Our school is for students
> Help your children grow, change, and learn
> Let your child direct, control, amend
> Check out http://www.sudburyschool.org

From lists at zaunere.com Mon May 31 14:32:39 2010
From: lists at zaunere.com (Hans Zaunere)
Date: Mon, 31 May 2010 14:32:39 -0400
Subject: [nycphp-talk] A FBJS like Ajax proxy?
In-Reply-To:
References:
Message-ID: <00c201cb00ef$a661eb90$f325c2b0$@com>

> 2. The guy that gave the HipHop talk said "we don't open source more
> stuff because we don't know what people find useful" So does anyone
> know the right channel to make such a request.

http://www.facebook.com/macvicar

H

From rmarscher at beaffinitive.com Mon May 31 20:56:42 2010
From: rmarscher at beaffinitive.com (Rob Marscher)
Date: Mon, 31 May 2010 20:56:42 -0400
Subject: [nycphp-talk] A FBJS like Ajax proxy?
In-Reply-To:
References:
Message-ID: <6ED16EC5-16EF-46E2-B2F3-6EB7F2F6CC97@beaffinitive.com>

> On Sun, May 30, 2010 at 8:57 PM, Justin Dearing wrote:
> Anyway, I often have to make such proxies for the sites we do, for various reasons. My proxies are generally of the one off type, but a "one size fits all" approach such as facebook's would be nice.
A couple more resources over at Yahoo:

http://developer.yahoo.com/javascript/howto-proxy.html
http://developer.yahoo.com/javascript/samples/proxy/php_proxy_simple.txt

I haven't seen an open source project that already exists for this, but seems like it would be trivial to take the yahoo example and extend it to work for any site and for json output in addition to xml. Just need to be more careful for opening yourself to XSS attacks due to your open proxy or add some type of security checks in your proxy to only allow certain urls.

I just saw this page for the first time:
http://wiki.developers.facebook.com/index.php/FBJS_LocalProxy

Sounds like they're using a javascript-flash bridge to get around cross-domain issues.
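The kind of proxy Justin describes at the start of this thread, built the way Rob's caveat suggests, as an added example (not code from the thread, from Facebook, or from Yahoo's sample proxy): the server fetches the URL and relays JSON or XML to the browser, but only for an allowlist of upstream origins, with redirects disabled and a non-HTML content type on the response, so the proxy can neither be pointed at arbitrary hosts nor used to serve arbitrary HTML from your own origin. The allowlist entries, the `url` and `format` query parameters, and PHP 7.1+ with ext/curl are assumptions.

```php
<?php
// Added example, not code from the thread or from Yahoo's sample proxy: a
// server-side fetch proxy that relays JSON or XML to the browser only from an
// allowlist of upstream origins, with redirects off and a non-HTML content type.
// Assumes PHP 7.1+ with ext/curl; the allowlist entries are placeholders.
declare(strict_types=1);
const ALLOWED_UPSTREAMS = [
    'https://api.example.com',    // placeholder, not a real upstream
    'https://feeds.example.org',  // placeholder, not a real upstream
];

// Return the normalised upstream URL if its origin is allowlisted, else null.
// Userinfo and explicit ports are rejected so a URL such as
// https://api.example.com@other.host/ cannot impersonate a permitted origin.
function allowedUpstreamUrl(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (isset($parts['user']) || isset($parts['pass']) || isset($parts['port'])) {
        return null;
    }
    $origin = strtolower($parts['scheme']) . '://' . strtolower($parts['host']);
    if (!in_array($origin, ALLOWED_UPSTREAMS, true)) {
        return null;
    }
    $path  = $parts['path'] ?? '/';
    $query = isset($parts['query']) ? '?' . $parts['query'] : '';
    return $origin . $path . $query;
}

// Fetch over https only, with short timeouts and no redirect following, so a
// permitted host cannot bounce the proxy to a forbidden one.
// Returns [status, body], or null on a transport failure.
function fetchUpstream(string $url): ?array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => 3,
        CURLOPT_TIMEOUT        => 5,
    ]);
    $body   = curl_exec($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    return $body === false ? null : [$status, $body];
}

// Check that the body really parses as the declared format before relaying it.
function bodyMatchesFormat(string $body, string $format): bool
{
    if ($format === 'xml') {
        $prev = libxml_use_internal_errors(true);
        $ok   = simplexml_load_string($body, 'SimpleXMLElement', LIBXML_NONET) !== false;
        libxml_use_internal_errors($prev);
        return $ok;
    }
    json_decode($body);
    return json_last_error() === JSON_ERROR_NONE;
}

function sendError(int $status, string $message): void
{
    http_response_code($status);
    header('Content-Type: text/plain; charset=utf-8');
    echo $message, "\n";
}

// Entry point for the front end; the ?url=...&format=json|xml parameters are assumed.
function serveProxyRequest(array $get): void
{
    $format = ($get['format'] ?? 'json') === 'xml' ? 'xml' : 'json';
    $target = allowedUpstreamUrl((string) ($get['url'] ?? ''));
    if ($target === null) {
        sendError(403, 'upstream not permitted');
        return;
    }
    $result = fetchUpstream($target);
    if ($result === null) {
        sendError(502, 'upstream fetch failed');
        return;
    }
    [$status, $body] = $result;
    if (!bodyMatchesFormat($body, $format)) {
        sendError(502, "upstream returned malformed $format");
        return;
    }
    // Never relay as text/html and forbid MIME sniffing, so the browser cannot
    // render upstream content as a page on this origin.
    http_response_code($status);
    header('Content-Type: application/' . $format . '; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    echo $body;
}

serveProxyRequest($_GET);
```

Two design choices matter here. Redirects are disabled because an allowlisted host could otherwise redirect the proxy to a host that is not on the list, and the body is parsed as JSON or XML before being relayed, so anything that is not well-formed data is rejected rather than handed to the page under your own origin.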