DarkLotus
Sep 30, 2001

Lithium Hosting
Personal, Reseller & VPS Hosting
30-day no risk Free Trial &
90-days Money Back Guarantee!

Golbez posted:

Oh, well yeah, that would seem to me to be bad form. Especially if it's something easily deciphered like that, "Hm this form key is always the SHA1 of my session ID!"

It doesn't stop a logged in user from doing anything, it prevents CSRF. That is the only thing it does since the session variable is not known to a 3rd party.
It simply helps prevent this from happening:

Glory of Arioch posted:

A CSRF (cross-site request forgery) is an attack that lets third-party sites run commands on behalf of a user on your site.

An overly simplified example:
You are a bank, and you have a form that allows you to transfer money to another person. The form is invoked by the following URL: /transfer.php?to=IntendedUser&amount=100 . A third party site can rewrite that URL to be ?to=EvilHacker&amount=1000, drop it in an iframe, and embed it in a page with high traffic or an advertisement. The way it works is that if your cookie is still active on the bank site, the iframe loads the page and sends the request without the user knowing, which harvests $1000 from their account.

The way to defeat these requests is to include a token along with the request. E.g.: /transfer.php?to=IntendedUser&amount=100&csrf_token=skdfhslkfhsdahfds . The token is stored in the user's session, server side, and is included in the form when it's rendered to the user. When the form is submitted by the user, the submitted token is compared to the value in the session. If they match, the request is legit and the transfer goes through. A person designing an IFRAME with the malicious request cannot predict the contents of that token, and as such cannot use it to execute commands on the behalf of another user.

DarkLotus fucked around with this message at 21:20 on Oct 31, 2012


bobthecheese
Jun 7, 2006
Although I've never met Martha Stewart, I'll probably never birth her child.
The way my bank handles it, for example, is that it generates single-use keys for all actions. So, I assume, they store the "next action" key on the user's session, and attach the key into every link and form possible. If the passed key doesn't match the one in the session, then they reject the request and log the user out. On every successful request, they generate a new "next action" key.

The problem with this (like many of you will probably have realized already), is that you can't use the back-button or refresh. For a bank, that's not too bad - they provide 'safe' back and refresh buttons in the page, and I'm sure that I'm not going to accidentally trigger off multiple transactions by hitting back or refresh.

The other problem is that you can't have two browser windows open without having two separate sessions.

False Toaster
Dec 29, 2006

Stupidity, its both physically and mentally painful.
Cross posting, since I could not initially find the thread.
http://forums.somethingawful.com/showthread.php?threadid=2779598&pagenumber=230#post409145797

Viggen
Sep 10, 2010

by XyloJW

Your Joomla code looks, well, like Joomla.

You are doing a select *, rather than which fields, and no order; loadObjectList() works like mysql_fetch_array(), so I'm a bit confused what your issue is. Have you done a var_dump($jintrows) to see what's in there?

Zamujasa
Oct 27, 2010



Bread Liar

bobthecheese posted:

The way my bank handles it, for example, is that it generates single-use keys for all actions. So, I assume, they store the "next action" key on the user's session, and attach the key into every link and form possible. If the passed key doesn't match the one in the session, then they reject the request and log the user out. On every successful request, they generate a new "next action" key.

The problem with this (like many of you will probably have realized already), is that you can't use the back-button or refresh. For a bank, that's not too bad - they provide 'safe' back and refresh buttons in the page, and I'm sure that I'm not going to accidentally trigger off multiple transactions by hitting back or refresh.

The other problem is that you can't have two browser windows open without having two separate sessions.

You can get around this by only checking the "next request" key on actions that would reliably need it. Alternatively, store a different key, that would expire after some amount of time (10 minutes?), and if that expires, then log them out.

Breaking the open-in-new-tab and such features is a terrible design flaw.
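The session-bound token check Glory of Arioch describes, combined with the time-limited key suggested just above so that back, refresh and a second tab keep working. This is an added example, not code from any poster; the function names, the `csrf` session key and the 600-second lifetime are assumptions, and it needs PHP 7 or later.

```php
<?php
// Added example, not code from the thread. Needs PHP 7+ (random_bytes, hash_equals).
// csrf_token(), csrf_check(), CSRF_TTL and the 'csrf' session key are illustrative names.

const CSRF_TTL = 600; // seconds; the "10 minutes?" lifetime suggested above

/** Return the session's current token, issuing a fresh one if none exists or it expired. */
function csrf_token(array &$session, int $now): string
{
    if (!isset($session['csrf']) || $session['csrf']['expires'] <= $now) {
        $session['csrf'] = [
            // Random, so it cannot be derived from the session ID or anything else guessable.
            'value'   => bin2hex(random_bytes(32)),
            'expires' => $now + CSRF_TTL,
        ];
    }
    return $session['csrf']['value'];
}

/** True only when the submitted value equals the unexpired token held server side. */
function csrf_check(array $session, $submitted, int $now): bool
{
    if (!is_string($submitted) || !isset($session['csrf'])) {
        return false;                       // no token sent, or none was ever issued
    }
    if ($session['csrf']['expires'] <= $now) {
        return false;                       // stale: the application can force a re-login here
    }
    return hash_equals($session['csrf']['value'], $submitted); // constant-time comparison
}

// Constructed walk-through; a plain array stands in for $_SESSION so this runs from the CLI.
$session = [];
$t0      = 1351718400;                      // constructed timestamp
$token   = csrf_token($session, $t0);       // value rendered into the form as a hidden field

$cases = [
    'form submitted by the user'       => csrf_check($session, $token, $t0 + 60),
    'second tab reuses the same token' => csrf_token($session, $t0 + 120) === $token,
    'forged request without a token'   => csrf_check($session, null, $t0 + 60),
    'forged request with a guess'      => csrf_check($session, str_repeat('0', 64), $t0 + 60),
    'token presented after it expired' => csrf_check($session, $token, $t0 + CSRF_TTL),
];
foreach ($cases as $label => $result) {
    printf("%-36s %s\n", $label, var_export($result, true));
}
```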

Scaramouche
Mar 26, 2001

SPACE FACE! SPACE FACE!

I'll do a cross post too since I didn't get an answer in the Wordpress thread:
---
Anybody encounter any recent WP security problems? I've got a friend's site that keeps getting exploited. I've got his WP at 3.4.2, and have removed all plugins, and poo poo still goes wrong. Basically every night someone gets in and changes the mysql database account's password (and does nothing else). I was looking at the logs and I'm seeing two vectors for attacks:

1. xmlrpc in wordpress, with several hits for things like:
code:
/adxmlrpc.php HTTP/1.0" 404 2209
/adxmlrpc.php HTTP/1.0" 404 2209
/adserver/adxmlrpc.php HTTP/1.0" 404 2227
/adserver/adxmlrpc.php HTTP/1.0" 404 2227
/phpAdsNew/adxmlrpc.php HTTP/1.0" 404 2229
/phpAdsNew/adxmlrpc.php HTTP/1.0" 404 2229
/phpadsnew/adxmlrpc.php HTTP/1.0" 404 2229
/phpadsnew/adxmlrpc.php HTTP/1.0" 404 2229
/phpads/adxmlrpc.php HTTP/1.0" 404 2223
/phpads/adxmlrpc.php HTTP/1.0" 404 2223
/Ads/adxmlrpc.php HTTP/1.0" 404 2217
/Ads/adxmlrpc.php HTTP/1.0" 404 2217
/ads/adxmlrpc.php HTTP/1.0" 404 2217
/ads/adxmlrpc.php HTTP/1.0" 404 2217
/xmlrpc.php HTTP/1.0" 404 2205
/xmlrpc.php HTTP/1.0" 404 2205
/xmlrpc/xmlrpc.php HTTP/1.0" 404 2219
/xmlrpc/xmlrpc.php HTTP/1.0" 404 2219
/xmlsrv/xmlrpc.php HTTP/1.0" 404 2219
/xmlsrv/xmlrpc.php HTTP/1.0" 404 2219
/blog/xmlrpc.php HTTP/1.0" 404 2215
/blog/xmlrpc.php HTTP/1.0" 404 2215
/drupal/xmlrpc.php HTTP/1.0" 404 2219
/drupal/xmlrpc.php HTTP/1.0" 404 2219
(but they all 404; the only one that might work is /blog/xmlrpc.php, and as far as I can tell this exploit was plugged a long time ago)

2. Checking for the presence of cPanel (Godaddy, it's there, latest version) e.g.:
code:
/img-sys/bg.jpg HTTP/1.1" 200 508
/img-sys/bg.jpg HTTP/1.1" 200 508
/img-sys/contentbox.jpg HTTP/1.1" 200 8846
/img-sys/contentbox.jpg HTTP/1.1" 200 8846
/img-sys/header.jpg HTTP/1.1" 200 19080
/img-sys/header.jpg HTTP/1.1" 200 19080
But they never actually try to do anything with cPanel, or at least nothing that shows up in the logs. So I've narrowed it down to either WordPress or cPanel, and was wondering if there's some new exploit hotness in WordPress that you guys have heard about that I haven't?

McGlockenshire
Dec 16, 2005

GOLLOCKS!
Judging from the fact that they're crawling only xmlrpc endpoints for various products in default locations, chances are that they're probing for some of the really, really old bugs in various xmlrpc libraries instead of just targeting Wordpress itself.

You might want to look up fail2ban.
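The pattern in those log excerpts, one client requesting xmlrpc.php under many default paths and getting 404 each time, can be picked out of an access log mechanically. The script below is an added example, not part of either post and not fail2ban itself; the log lines, client addresses (documentation ranges) and the threshold of three distinct paths are constructed assumptions.

```php
<?php
// Added example, not code from the thread. Flags clients that request xmlrpc.php under
// several different paths and receive 404 for them, the probing pattern described above.

// Constructed sample in Apache combined log format; the addresses are documentation ranges.
$log = <<<'LOG'
203.0.113.7 - - [04/Nov/2012:03:12:01 +0000] "GET /adxmlrpc.php HTTP/1.0" 404 2209 "-" "-"
203.0.113.7 - - [04/Nov/2012:03:12:01 +0000] "GET /adserver/adxmlrpc.php HTTP/1.0" 404 2227 "-" "-"
203.0.113.7 - - [04/Nov/2012:03:12:02 +0000] "GET /xmlrpc.php HTTP/1.0" 404 2205 "-" "-"
203.0.113.7 - - [04/Nov/2012:03:12:02 +0000] "GET /drupal/xmlrpc.php HTTP/1.0" 404 2219 "-" "-"
203.0.113.7 - - [04/Nov/2012:03:12:03 +0000] "GET /img-sys/bg.jpg HTTP/1.1" 200 508 "-" "-"
198.51.100.23 - - [04/Nov/2012:09:40:10 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 404 2215 "-" "-"
198.51.100.23 - - [04/Nov/2012:09:40:11 +0000] "GET / HTTP/1.1" 200 5120 "-" "-"
LOG;

/**
 * Return [client => list of distinct xmlrpc paths that answered 404] for every client
 * that hit at least $threshold distinct paths.
 */
function xmlrpc_probers(string $log, int $threshold = 3): array
{
    $seen = [];
    foreach (preg_split('/\R/', $log, -1, PREG_SPLIT_NO_EMPTY) as $line) {
        // client, identd, user, [time], "METHOD uri protocol", status
        $ok = preg_match(
            '/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3}) /',
            $line,
            $m
        );
        if (!$ok) {
            continue;                                   // not a request line we understand
        }
        [, $client, $uri, $status] = $m;
        $path = parse_url($uri, PHP_URL_PATH);          // drop any query string
        if ($status === '404' && is_string($path) && preg_match('~xmlrpc\.php$~i', $path)) {
            $seen[$client][strtolower($path)] = true;   // set of distinct paths per client
        }
    }

    $probers = [];
    foreach ($seen as $client => $paths) {
        if (count($paths) >= $threshold) {
            $probers[$client] = array_keys($paths);
        }
    }
    return $probers;
}

print_r(xmlrpc_probers($log));
```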

Scaramouche
Mar 26, 2001

SPACE FACE! SPACE FACE!

Huh, weird that I finally got some movement on this just when you replied. He finally gave me shell access instead of just the logs/cpanel and I noticed this suspiciioooooous directory:
code:
/test/phpMyAdmin-2.6.2-pl1/
Wonder what that could be doing there, with its permissions of 000 and a create date at exactly the time this started happening. Ugh now I have to figure out how it got in there.

Okita
Aug 31, 2004
King of toilets.
I have a client who wants a PHP site with a framework that I have to choose. I usually don't use a framework and just custom-build every site differently, but this time the client demands that a framework(any framework of my choice) be used. The OP seems to have the major ones listed, but I haven't seen Yii in there. I'm currently leaning towards Yii after researching all the major ones (CodeIgniter, Symfony, CakePHP, etc). It seems to boast pretty good performance numbers and it looks pretty decent.

There is an issue though, the site I'm building will require RESTful web services. I really wanted to find a framework that has this out of the box with XML/JSON support and without too much hassle. At first I was heavily leaning towards CodeIgniter but it doesn't seem to have it (though I did see XML-RPC classes in there... a bit of a dated technology don't you think?).

Yii appears to only support SOAP web services out of the box, but I read on their forums that you can just define a custom controller to work with JSON or whatever.

The other catch is that this is a very time-sensitive project and needs to get done within a deadline. I don't want to spend weeks learning a complicated framework that does everything plus the kitchen sink. The site itself will not be doing any rocket surgery, mostly simple CRUD database operations with some calendar scheduling, reporting/analytics, social media tie-ins, and administrative tasks.

I guess my question is, which framework(s) should I be looking at to get this done?

McGlockenshire
Dec 16, 2005

GOLLOCKS!

Scaramouche posted:

Huh, weird that I finally got some movement on this just when you replied. He finally gave me shell access instead of just the logs/cpanel and I noticed this suspiciioooooous directory:
code:
/test/phpMyAdmin-2.6.2-pl1/
Wonder what that could be doing there, with its permissions of 000 and a create date at exactly the time this started happening. Ugh now I have to figure out how it got in there.

Your server has been compromised. There's no way of telling what was changed or what they managed to get access to. Shut it down, nuke everything, restore from backup, apply patches.

IT Guy
Jan 12, 2010

You people drink like you don't want to live!

Okita posted:

I have a client who wants a PHP site with a framework that I have to choose. I usually don't use a framework and just custom-build every site differently, but this time the client demands that a framework(any framework of my choice) be used. The OP seems to have the major ones listed, but I haven't seen Yii in there. I'm currently leaning towards Yii after researching all the major ones (CodeIgniter, Symfony, CakePHP, etc). It seems to boast pretty good performance numbers and it looks pretty decent.

There is an issue though, the site I'm building will require RESTful web services. I really wanted to find a framework that has this out of the box with XML/JSON support and without too much hassle. At first I was heavily leaning towards CodeIgniter but it doesn't seem to have it (though I did see XML-RPC classes in there... a bit of a dated technology don't you think?).

Yii appears to only support SOAP web services out of the box, but I read on their forums that you can just define a custom controller to work with JSON or whatever.

The other catch is that this is a very time-sensitive project and needs to get done within a deadline. I don't want to spend weeks learning a complicated framework that does everything plus the kitchen sink. The site itself will not be doing any rocket surgery, mostly simple CRUD database operations with some calendar scheduling, reporting/analytics, social media tie-ins, and administrative tasks.

I guess my question is, which framework(s) should I be looking at to get this done?

Take a look at http://laravel.com/

It's a RESTful framework and gaining a lot of popularity. However, you need at least PHP 5.3

Okita
Aug 31, 2004
King of toilets.

IT Guy posted:

Take a look at http://laravel.com/

It's a RESTful framework and gaining a lot of popularity. However, you need at least PHP 5.3

Thanks, I dug into Laravel and I'm strongly considering it for this project. I'd be interested to see how it compares performance-wise to the other frameworks.

IT Guy
Jan 12, 2010

You people drink like you don't want to live!

Okita posted:

Thanks, I dug into Laravel and I'm strongly considering it for this project. I'd be interested to see how it compares performance-wise to the other frameworks.

From the benchmarks I've seen (too lazy to look them up right now), laravel performs quite well. It's not the fastest, but it's usually around the 70-80% fastest range of the major players.

IT Guy fucked around with this message at 22:44 on Nov 4, 2012

Dyrejb
Nov 18, 2009
I'm unsure what the best way to do this is, but how would I go about sorting a group of 10 integers into 2 near equal groups of 5? My current solution is where I sort by descending and then alternate putting the integers in each group but surely there must be a better method?

Jabor
Jul 16, 2010

#1 Loser at SpaceChem

Dyrejb posted:

I'm unsure what the best way to do this is, but how would I go about sorting a group of 10 integers into 2 near equal groups of 5? My current solution is where I sort by descending and then alternate putting the integers in each group but surely there must be a better method?

What do you mean by "near equal"? Can you give an example of the sort of input and output you expect?

Hammerite
Mar 9, 2007

And you don't remember what I said here, either, but it was pompous and stupid.
Jade Ear Joe

Dyrejb posted:

I'm unsure what the best way to do this is, but how would I go about sorting a group of 10 integers into 2 near equal groups of 5? My current solution is where I sort by descending and then alternate putting the integers in each group but surely there must be a better method?

This question is kind of vague. It's going to be difficult for anyone to answer because it's not really clear what "near equal" means, in terms of sets-with-multiplicity of 5 integers.

There are three routes you could go (that I can see). The first is to just come up with some kind of heuristic for separating out the numbers into two groups. A good heuristic might be one that "seems to" generally give more or less the sort of output you expect.

The second approach is this: The number of ways of partitioning a 10-element set into two 5-element subsets is 252, which is not a very big number at all. It is therefore feasible, given a function that returns the "badness" of a given partition, to calculate the partition which has the least "badness". If you know that you are always going to be dealing with sets of size 10, then this will work fine, provided you can indeed write a function that calculates the badness of a partition. If you might later have to apply your solution to, say, partitioning a set of size 1000 into two 500-element subsets, then this solution is not going to work very well because the number of ways of doing that is on the order of 10 to the power 299.

On the other hand, perhaps there exists an efficient algorithm that can be proven to always partition the 10-element set into two 5-element subsets in a way that minimises badness. But without knowing what you mean by "near equal" who can say whether there is.

Dyrejb
Nov 18, 2009
Basically I have 10 players who all have a rating assigned to them. I want to sort the players into 2 groups so that each group's rating is as similar as possible.

Example of the data I will pull with their Name and Rating.

Alanis - 100
Benedict - 120
Corbyn - 185
Derren - 155
Elsie - 140
Florentine - 130
Graeme - 170
Harrington - 130
Idris - 110
Jaqueline - 190

The total rating adds up to 1430 so ideally, I want to split those players into groups where each group's total rating adds up to 715. If I sort by Rating in descending order and then alternate adding them to each group I'd end up with Group 1's rating being 740 and Group 2's rating being 690.

Sorry for the vagueness, it looks like the second approach is what I should be using. Cheers.
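Hammerite's second approach applied to the ratings above, as an added example that is not part of either post. It assumes "badness" means the absolute difference between the two group totals, and it needs PHP 7 or later.

```php
<?php
// Added example, not code from the thread: exhaustive search over every equal-size split.
// Assumption: "badness" is the absolute difference between the two team totals.

$scores = array(
    'Alanis' => 100, 'Benedict' => 120, 'Corbyn' => 185, 'Derren' => 155, 'Elsie' => 140,
    'Florentine' => 130, 'Graeme' => 170, 'Harrington' => 130, 'Idris' => 110, 'Jaqueline' => 190,
);

/** Return the split with the smallest badness as ['badness' =>, 'team1' =>, 'team2' =>]. */
function best_split(array $scores): array
{
    $names = array_keys($scores);
    $n     = count($names);
    if ($n < 2 || $n % 2 !== 0) {
        throw new InvalidArgumentException('need an even number of players');
    }
    $half  = intdiv($n, 2);
    $total = array_sum($scores);
    $best  = null;

    // Every bitmask with exactly $half bits set picks one candidate team 1. Stepping over
    // odd masks only keeps the first player on team 1, which skips mirror-image splits:
    // 126 candidates are scored instead of 252 when there are 10 players.
    for ($mask = 1; $mask < (1 << $n); $mask += 2) {
        $team1 = array();
        for ($i = 0; $i < $n; $i++) {
            if ($mask & (1 << $i)) {
                $team1[$names[$i]] = $scores[$names[$i]];
            }
        }
        if (count($team1) !== $half) {
            continue;                                   // wrong team size, not a candidate
        }
        // |sum(team1) - sum(team2)|, using sum(team2) = total - sum(team1)
        $badness = abs($total - 2 * array_sum($team1));
        if ($best === null || $badness < $best['badness']) {
            $best = array(
                'badness' => $badness,
                'team1'   => $team1,
                'team2'   => array_diff_key($scores, $team1),
            );
        }
    }
    return $best;
}

print_r(best_split($scores));
```

The loop visits 2^(n-1) masks, so it is only practical for small groups, which matches the size limit Hammerite points out.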

McGlockenshire
Dec 16, 2005

GOLLOCKS!
Instead of alternating, instead try adding the current member to the list that has the lowest total, and to a random one in the event of a tie.

Example code:
php:
<?php
$scores = array(
        'Alanis' => 100,
        'Benedict' => 120,
        'Corbyn' => 185,
        'Derren' => 155,
        'Elsie' => 140,
        'Florentine' => 130,
        'Graeme' => 170,
        'Harrington' => 130,
        'Idris' => 110,
        'Jaqueline' => 190
);

arsort($scores);
print_r($scores);

$teams = array( 1 => array(), 2 => array() );

foreach($scores as $name => $score) {
        $team_one = (array_sum($teams[1]) < array_sum($teams[2]));
        $team_two = (array_sum($teams[1]) > array_sum($teams[2]));
        if($team_one) 
                $teams[1][$name] = $score;
        elseif($team_two)
                $teams[2][$name] = $score;
        else
                $teams[mt_rand(1,2)][$name] = $score;
}

print_r($teams);
echo "\n";
echo array_sum($teams[1]), "\n";
echo array_sum($teams[2]), "\n";

Example output:
code:
Array
(
    [Jaqueline] => 190
    [Corbyn] => 185
    [Graeme] => 170
    [Derren] => 155
    [Elsie] => 140
    [Florentine] => 130
    [Harrington] => 130
    [Benedict] => 120
    [Idris] => 110
    [Alanis] => 100
)
Array
(
    [1] => Array
        (
            [Jaqueline] => 190
            [Derren] => 155
            [Elsie] => 140
            [Benedict] => 120
            [Idris] => 110
        )

    [2] => Array
        (
            [Corbyn] => 185
            [Graeme] => 170
            [Florentine] => 130
            [Harrington] => 130
            [Alanis] => 100
        )

)
715
715
Because of the random addition, the teams won't be exactly the same every single time, but it should be a decent approximation. It's also quite possible that a combined list with both huge and tiny scores could result in really unbalanced teams. Same thing with a combined list with an odd count instead of an even count.

Orbis Tertius
Feb 13, 2007


Not an answer to your question, but I suggest you look into using the Fabrik extension when doing any sort of database stuff when you're working with Joomla.

You can shoot me a PM if you have any questions about it.

Orbis Tertius fucked around with this message at 03:09 on Nov 5, 2012

Spatulater bro!
Aug 19, 2003

Punch! Punch! Punch!

What can you guys recommend for a good book to learn PHP? I'm not an absolute beginner (I've posted in here before), but I need a resource to supply me with a solid and thorough understanding. I've looked at online guides, but I feel a book will be the most up to date and comprehensive. A few things I'm wanting/not wanting:

-I don't want long-winded explanations of EVERY SINGLE obscure built-in function. A more practical overview approach would be better.

-I'd like it to do a good job teaching how to incorporate PHP with JavaScript.

-I need the book to have good exercises that actually help me learn what I read. Exercises that actually make me use my head rather than just copy the code from the page.

-Obviously, I need up-to-date best practices (eg. using mysqli instead of mysql, etc.)

What do you all suggest?

Impotence
Nov 8, 2010
Lipstick Apathy
Using PDO instead of mysql

IT Guy
Jan 12, 2010

You people drink like you don't want to live!

caiman posted:

What can you guys recommend for a good book to learn PHP? I'm not an absolute beginner (I've posted in here before), but I need a resource to supply me with a solid and thorough understanding. I've looked at online guides, but I feel a book will be the most up to date and comprehensive. A few things I'm wanting/not wanting:

-I don't want long-winded explanations of EVERY SINGLE obscure built-in function. A more practical overview approach would be better.

-I'd like it to do a good job teaching how to incorporate PHP with JavaScript.

-I need the book to have good exercises that actually help me learn what I read. Exercises that actually make me use my head rather than just copy the code from the page.

-Obviously, I need up-to-date best practices (eg. using mysqli instead of mysql, etc.)

What do you all suggest?

Start with this: PHP & MySQL: Novice to Ninja, 5th Edition

Then read these:
PHP Master: Write Cutting-edge Code
PHP Objects, Patterns and Practice

Then this:
https://github.com/php-fig/fig-standards/tree/master/accepted

Then this:
http://www.phptherightway.com/

None of these touch on JavaScript like you wanted though.

Spatulater bro!
Aug 19, 2003

Punch! Punch! Punch!


Purchased. Thanks!

IT Guy
Jan 12, 2010

You people drink like you don't want to live!

caiman posted:

Purchased. Thanks!

No problem. The book does a good job of explaining SQL injection and how to escape your output as well and he uses best practices such as using PDO.

Hadlock
Nov 9, 2004

Is there a simple PHP script that would allow users to upload and download a text file from a web page? Preferably it would save a second timestamped copy as a running archive to prevent vandalism.

We want to add in "asynchronous multiplayer" to Kerbal Space Program now that they're adding in docking. forum discussion here

Basically it would

1a) allow user to download ("check out") *.sfs (text) file by doing a simple download by pushing a button
1b) give user a 4 hr cookie or auth of some sort to access the upload page to save the new file back to the web for others to check out
2) lock out other users' download for 4 hours, or until "safe" flag is triggered by user uploading ("check in") a new file
3) save a backup copy of each new save file in a separate folder with a timestamp*.sfs file name.

...sort of like a really simple web-based SVN system

Actually if I could just get the file submit with *.sfs suffix check I could probably figure out the rest. This seems really simple and I bet a php guru has already written half of this in their head by the time they've read this. Any help? :)

Viggen
Sep 10, 2010

by XyloJW

Hadlock posted:

Actually if I could just get the file submit with *.sfs suffix check I could probably figure out the rest. This seems really simple and I bet a php guru has already written half of this in their head by the time they've read this. Any help? :)

Honestly, if this is how far along you are, you need a lot more help. There are tons of things to take into account, such as if file regex's properly but is a different mime type (.php.sfs), how webserver is setup to serve files, et al.

There are tons of error-prone examples.

You really should speak with whomever is managing the services and get a bit more time under your belt with basic webserver configuration so you can keep yourself from getting hosed on something trivial.
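The checks raised in this reply (a name such as `.php.sfs` that passes a suffix test, content that is not what the name claims, and where the web server will serve the file from) look like this when written out. This is an added example, not code from the thread or from any script linked in it; the size limit, the name rule, the content rule and the storage directory are assumptions.

```php
<?php
// Added example, not code from the thread. Validates one $_FILES entry for a text save
// file and stores it under a server-generated, timestamped name. Needs PHP 7.1+.

const MAX_SFS_BYTES = 262144;   // assumed upper bound for one save file

/** Return null if the upload is acceptable, otherwise a short reason for rejecting it. */
function sfs_upload_error(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return 'upload failed';
    }
    if ($file['size'] <= 0 || $file['size'] > MAX_SFS_BYTES) {
        return 'bad size';
    }
    // Allow-list the whole name: one base name, one ".sfs" suffix. A name such as
    // "quicksave.php.sfs" fails because "." is not allowed inside the base name.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.sfs\z/', (string) $file['name'])) {
        return 'bad name';
    }
    // Content must look like plain text: no control bytes and no PHP open tag.
    $data = file_get_contents($file['tmp_name']);
    if ($data === false
        || preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $data)
        || strpos($data, '<?') !== false) {
        return 'not a text save file';
    }
    return null;
}

/** Timestamped archive name chosen by the server; the client's file name is never reused. */
function archive_name(int $now): string
{
    return gmdate('Ymd\THis\Z', $now) . '-' . bin2hex(random_bytes(4)) . '.sfs';
}

/** Move a validated upload into $dir, which should sit outside the web server's document root. */
function store_sfs(array $file, string $dir, int $now): string
{
    $error = sfs_upload_error($file);
    if ($error !== null) {
        throw new RuntimeException($error);
    }
    $dest = rtrim($dir, '/') . '/' . archive_name($now);
    if (!move_uploaded_file($file['tmp_name'], $dest)) {   // only accepts real HTTP uploads
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);
    return $dest;
}

// Constructed demonstration of the validation step; temp files stand in for PHP's upload
// temp files, so store_sfs() is not called here.
function fake_upload(string $name, string $body): array
{
    $tmp = tempnam(sys_get_temp_dir(), 'sfs');
    file_put_contents($tmp, $body);
    return array('name' => $name, 'tmp_name' => $tmp, 'size' => strlen($body), 'error' => UPLOAD_ERR_OK);
}

$samples = array(
    fake_upload('persistent.sfs', "constructed save data\n"),
    fake_upload('quicksave.php.sfs', "constructed save data\n"),
    fake_upload('persistent.sfs', "<?php echo 1; ?>\n"),
    fake_upload('persistent.sfs', ''),
);
foreach ($samples as $sample) {
    printf("%-20s %s\n", $sample['name'], sfs_upload_error($sample) ?? 'accepted');
    unlink($sample['tmp_name']);
}
```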

karms
Jan 22, 2006

by Nyc_Tattoo
Yam Slacker
http://pastebin.com/5aiWDTDv

Change username/password to something less dumb.

It saves every uploaded file in a folder called 'files', but you can change it easily if you want.

This is what you can do:
1) log in
2) either a) download the current sfs file to look at, or b) upload a new one directly without checking out first, or c) check it out so no-one else is able to upload a new one for 4 hours (time can be changed)
3c) upload a new one in the download folder (defaults to 'files')
4) that's it.

karms fucked around with this message at 23:21 on Nov 9, 2012

putin is a cunt
Apr 5, 2007

BOY DO I SURE ENJOY TRASH. THERE'S NOTHING MORE I LOVE THAN TO SIT DOWN IN FRONT OF THE BIG SCREEN AND EAT A BIIIIG STEAMY BOWL OF SHIT. WARNER BROS CAN COME OVER TO MY HOUSE AND ASSFUCK MY MOM WHILE I WATCH AND I WOULD CERTIFY IT FRESH, NO QUESTION
For those of you wondering which framework you should be using, if you are able to guarantee your server will have PHP 5.3 then you should almost certainly be using Laravel - it's super amazing.

IT Guy
Jan 12, 2010

You people drink like you don't want to live!
Here's a good tutorial on beginning Laravel.

https://www.youtube.com/watch?v=m5Jmh9JKnyQ

Golbez
Oct 9, 2002

1 2 3!
If you want to take a shot at me get in line, line
1 2 3!
Baby, I've had all my shots and I'm fine

Gnack posted:

For those of you wondering which framework you should be using, if you are able to guarantee your server will have PHP 5.3 then you should almost certainly be using Laravel - it's super amazing.

Would it be good for migrating from a mature but poorly-written corporate project? I am so insecure about this because I don't want to make a decision we'll regret in three years.

bobthecheese
Jun 7, 2006
Although I've never met Martha Stewart, I'll probably never birth her child.

Golbez posted:

Would it be good for migrating from a mature but poorly-written corporate project? I am so insecure about this because I don't want to make a decision we'll regret in three years.

It's PHP. You'll regret something in 3 years anyway. Actually, that applies to most corporate systems, but PHP does tend to increase the regrets.

Don't spend too much time worrying about regrets, and spend time worrying about how to implement code standards instead. So long as everything is consistent, then the other regrets don't really matter so much.

Fluue
Jan 2, 2008
Hey everyone.

I'm trying to work through this issue in a really small project. It takes a person's ID number (noted as CWID) and then looks up all the events he or she has attended. It then lists the events along with the club name of the associated events. I have 2 tables: clubsName and attendance.

I'm having trouble creating a match between the clubsName and attendance table. Both have clubID, but they're in different tables. Should I be doing some kind of triple join or some wizardry with arrays?

Here's a picture representation of what I'm talking about.



And what I hope to accomplish:

code:
Beachball Club
---------------
Event # 1 - date
Event # 2 - date

Yoga Club
--------------
Event #9 - date

Movie Club
------------
Movie Night - date


Fluue fucked around with this message at 02:25 on Nov 13, 2012

Mister Chief
Jun 6, 2011

I don't see a person ID in any of those tables so how are you supposed to know what events they attended?

Fluue
Jan 2, 2008

Mister Chief posted:

I don't see a person ID in any of those tables so how are you supposed to know what events they attended?

Sorry, forgot to mention that the CWID is the person ID. I'll add that now.

Mister Chief
Jun 6, 2011

code:
SELECT clubsName.*, events.*, attendance.*
FROM attendance
INNER JOIN events ON (attendance.clubID =  events.clubID) 
JOIN clubsName ON ( events.clubID = clubsName.clubID)
WHERE attendance.CWID = personID 	
This is a start.

Izanagi
May 25, 2012

There are people who do and people who wish they had.
code:
SELECT e.eventTitle, e.meetingDate, c.clubName 
	FROM attendance a JOIN events e ON a.eventID = e.eventID 
	JOIN clubsName c ON a.clubID = c.clubID
	WHERE a.CWID = $IDNUMBER
	ORDER BY c.ClubName
$IDNUMBER is wherever you are getting the ID from. This will work in MSSQL but you will probably need punctuation for MYSQL to work but that should be fine.

This will join all tables together at their appropriate places so you can put whatever you like in the select part of the statement.
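The same join run from PHP with the ID bound as a parameter through PDO rather than placed into the SQL string, and the rows grouped by club the way the question asks. This is an added example, not code from any poster: the table and column names follow the posts above, while the in-memory SQLite database, its rows and the function name are constructed assumptions.

```php
<?php
// Added example, not code from the thread. The ID reaches the database as a bound value,
// so text such as "0 OR 1=1" is compared as data and never parsed as SQL.

$db = new PDO('sqlite::memory:');                       // constructed stand-in database
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE clubsName (clubID INTEGER PRIMARY KEY, clubName TEXT)');
$db->exec('CREATE TABLE events (eventID INTEGER PRIMARY KEY, clubID INTEGER,
                                eventTitle TEXT, meetingDate TEXT)');
$db->exec('CREATE TABLE attendance (CWID TEXT, clubID INTEGER, eventID INTEGER)');

// Constructed rows.
$db->exec("INSERT INTO clubsName VALUES (1, 'Beachball Club'), (2, 'Yoga Club')");
$db->exec("INSERT INTO events VALUES (1, 1, 'Event # 1', '2012-10-01'),
                                     (2, 1, 'Event # 2', '2012-10-15'),
                                     (9, 2, 'Event #9',  '2012-11-01')");
$db->exec("INSERT INTO attendance VALUES ('10001', 1, 1), ('10001', 2, 9), ('10002', 1, 2)");

/** Return [clubName => ["title - date", ...]] for one person. */
function events_for(PDO $db, string $cwid): array
{
    $stmt = $db->prepare(
        'SELECT c.clubName, e.eventTitle, e.meetingDate
           FROM attendance a
           JOIN events e    ON a.eventID = e.eventID
           JOIN clubsName c ON a.clubID  = c.clubID
          WHERE a.CWID = :cwid
          ORDER BY c.clubName, e.meetingDate'
    );
    $stmt->execute(array(':cwid' => $cwid));

    $byClub = array();
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
        $byClub[$row['clubName']][] = $row['eventTitle'] . ' - ' . $row['meetingDate'];
    }
    return $byClub;
}

// A real ID, then a value that would change the WHERE clause if it were pasted into the SQL.
foreach (array('10001', '0 OR 1=1') as $input) {
    echo "CWID input: {$input}\n";
    $clubs = events_for($db, $input);
    if (!$clubs) {
        echo "  (no events)\n";
    }
    foreach ($clubs as $club => $events) {
        echo "  {$club}\n  ", str_repeat('-', strlen($club)), "\n";
        foreach ($events as $event) {
            echo "  {$event}\n";
        }
    }
    echo "\n";
}
```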

Golbez
Oct 9, 2002

1 2 3!
If you want to take a shot at me get in line, line
1 2 3!
Baby, I've had all my shots and I'm fine
I have a magic number that will be used across multiple pages and classes, but only in a particular module of the site. My predecessor and others have told me to only use constants if they are truly site-wide, but why not use them if they're module-wide?

Null Set
Nov 5, 2007

the dog represents disdain

Golbez posted:

I have a magic number that will be used across multiple pages and classes, but only in a particular module of the site. My predecessor and others have told me to only use constants if they are truly site-wide, but why not use them if they're module-wide?

define() creates constants that are global to the entire application. You should only use them if they are meant to be globally accessible. If your module is ever loaded elsewhere, the constant will be as well, and will be available to the entire app.

PHP also has the const keyword, which allows you to define constants scoped to a class or namespace. If this is module-wide, this is probably what you want.

Golbez
Oct 9, 2002

1 2 3!
If you want to take a shot at me get in line, line
1 2 3!
Baby, I've had all my shots and I'm fine

Null Set posted:

define() creates constants that are global to the entire application. You should only use them if they are meant to be globally accessible. If your module is ever loaded elsewhere, the constant will be as well, and will be available to the entire app.

PHP also has the const keyword, which allows you to define constants scoped to a class or namespace. If this is module-wide, this is probably what you want.

Right now the controller is not in a class though, it's functional, but things within it are classes and this needs to be available to all of those. This part of the site wouldn't be loaded by other code.


Null Set
Nov 5, 2007

the dog represents disdain

Golbez posted:

Right now the controller is not in a class though, it's functional, but things within it are classes and this needs to be available to all of those. This part of the site wouldn't be loaded by other code.

Are you on 5.3+? Define a namespace for the module, and set up your constants within that. Then load the containing file and call the constant where necessary.

Something like:

php:
<?
namespace MyModule;

const MY_CONSTANT = 'butts';
?>
Then when you want to call it:

php:
<?
$value = foo($bar, \MyModule\MY_CONSTANT);
?>
