I would really avoid using just a simple token as part of the URL like https://example.com/auth.php?token=abc123. The reason is that GET parameters are often logged, and between that request and the server there are lots of places that token could be logged (since even over an HTTPS connection the URL is obviously plaintext). If you have to do authentication over a single link, I'd look into OAuth (though it's not very friendly), or making the request come as a POST request (over HTTPS of course) so the token is encrypted and not logged.

# ? Jan 17, 2015 14:19

Yeah, I can change it to pass the token in the POST.

# ? Jan 17, 2015 14:47

> musclecoder posted: The reason is because often GET parameters are logged and between that request and the server there are lots of places that token could be logged (since even over an HTTPS connection the URL is obviously plaintext)

I think I'm just reading this incorrectly, but I want to make sure my understanding is correct: the URL and GET parameters are encrypted over an SSL (HTTPS) connection, so to anything between your client and the server, nothing can be read. However, GET parameters will most likely be logged on the server by something like Varnish or Apache or whatever. This is where your sensitive information might end up getting stored, which is a bad thing. Is that right? Regardless, I agree with the point about using OAuth, or using POST to avoid the logging issue.

# ? Jan 18, 2015 03:56

Well, the URL and query string parameters aren't secure in an HTTPS request. Hence, you can see https://example.com/auth.php?token=abc123. And that URL can be logged anywhere between the client and server. So yes, Apache logs, Varnish logs, router logs, ISP logs, anywhere those packets hop with that information can be logged. With an HTTPS session, the POST data is encrypted so even if it were logged it would be meaningless.

# ? Jan 18, 2015 06:37

> musclecoder posted: Well, the URL and query string parameters aren't secure in an HTTPS request.

This is incorrect. HTTPS encrypts the entire HTTP connection, headers as well as the payload. The only thing an outside observer can see is things transmitted at a lower level - the IP:port number addresses at each end of the connection, the approximate amount of data sent in each direction, etc. There are a bunch of reasons not to put the token as a URL parameter, but "people might sniff it even over https" isn't really one of them.

# ? Jan 18, 2015 08:40

> Jabor posted: This is incorrect. HTTPS encrypts the entire HTTP connection, headers as well as the payload. The only thing an outside observer can see is things transmitted at a lower level - the IP:port number addresses at each end of the connection, the approximate amount of data sent in each direction, etc.

Hostname of the site you're trying to access too.

# ? Jan 18, 2015 08:50

> Jabor posted: This is incorrect. HTTPS encrypts the entire HTTP connection, headers as well as the payload. The only thing an outside observer can see is things transmitted at a lower level - the IP:port number addresses at each end of the connection, the approximate amount of data sent in each direction, etc.

Not if the payload is part of the URL, which in a GET request, it is. I know the headers and POST parameters are encrypted, but obviously the GET parameters aren't (GET requests can't have a payload body either).

# ? Jan 18, 2015 15:57

> musclecoder posted: Not if the payload is part of the URL, which in a GET request, it is. I know the headers and POST parameters are encrypted, but obviously the GET parameters aren't (GET requests can't have a payload body either).

GET is part of the header. It's encrypted (at least the /path/x?y=69 is, not the hostname). You do a CONNECT first, pass host/handshake, then pass GET/POST encrypted.

# ? Jan 18, 2015 17:20

> musclecoder posted: Not if the payload is part of the URL, which in a GET request, it is. I know the headers and POST parameters are encrypted, but obviously the GET parameters aren't (GET requests can't have a payload body either).

e;fb on this during preview, but ... No, the entire HTTP request is encrypted per the spec. The client initiates the SSL connection first, and then sends the HTTP request. The server, of course, will have the decrypted request and will probably log the URI and any query parameters. And the HTTP specification does not explicitly prohibit a GET request from sending a body, but it is not specifically supported either. It's just understood that applications should behave as good citizens and respect GET semantics.

# ? Jan 18, 2015 17:28

I'm trying to update an old rear end php/mysql application of mine. Anyone have any suggestions for handling deployment to various environments? Any suggested tools? I have my apache web server with the main domain and a test environment. Do I need to write a script that ssh's onto the remote server, clones the repo and moves those files into the proper location?

# ? Jan 18, 2015 18:27

> Doh004 posted: I'm trying to update an old rear end php/mysql application of mine. Anyone have any suggestions for handling deployment to various environments? Any suggested tools? I have my apache web server with the main domain and a test environment.

I'd just use Capistrano. A PHP-based alternative I've used before is Deployer if you'd rather not add Ruby deps to your repo, but personally I'd go with Capistrano as it's well maintained, widely used, etc.

# ? Jan 18, 2015 18:35

> spacebard posted: e;fb on this during preview, but ...

Got it, I stand corrected then. Thanks for the heads up, spacebard and Biowarfare and v1nce.

> Doh004 posted: I'm trying to update an old rear end php/mysql application of mine. Anyone have any suggestions for handling deployment to various environments? Any suggested tools? I have my apache web server with the main domain and a test environment.

That's actually something I do know about! Yes, use Capistrano. I wrote a whole book on the subject - https://leftnode.org/posts/expert-php-deployments.html (though it could probably use some updates).

# ? Jan 19, 2015 00:30

> Heskie posted: I'd just use Capistrano.

Capistrano was perfect, thanks! Barring some stupid server related configurations, I got it working so I can easily deploy to my test environment. This project is 6 years old and I just now put it into git. Previously it was just in my dropbox account. Oh boy.

> musclecoder posted: That's actually something I do know about! Yes, use Capistrano. I wrote a whole book on the subject - https://leftnode.org/posts/expert-php-deployments.html (though it could probably use some updates).

Awesome! Bookmarked, and thank you.

# ? Jan 19, 2015 03:31

> musclecoder posted: That's actually something I do know about! Yes, use Capistrano. I wrote a whole book on the subject - https://leftnode.org/posts/expert-php-deployments.html (though it could probably use some updates).

It's a good book. I read it and now I have a beastly setup where I can do atomic deploys with one command.

# ? Jan 19, 2015 16:03

> Jabor posted: There are a bunch of reasons not to put the token as a URL parameter, but "people might sniff it even over https" isn't really one of them.

Another one is that it shouldn't be so easy for somebody to compromise their session simply by copying and pasting a link.

# ? Jan 20, 2015 23:46

> fletcher posted: Another one is that it shouldn't be so easy for somebody to compromise their session simply by copying and pasting a link.

Do they not hash any part of user agent or a few IP octets or whatever as part of the session?

# ? Jan 20, 2015 23:49

> Biowarfare posted: Do they not hash any part of user agent or a few IP octets or whatever as part of the session?

Both of those can be spoofed, no? User agent can of course, I'm not positive about the IP address though.

# ? Jan 21, 2015 00:05

> fletcher posted: Both of those can be spoofed, no? User agent can of course, I'm not positive about the IP address though.

# ? Jan 21, 2015 00:07

> Biowarfare posted: The point is more that if someone "accidentally" links their session ID across, when someone else clicks it initially or accesses it, it will destroy the session and log out all of the account's sessions with a notice, or ignore their "login"; if you are getting cookies or urls stolen via XSS you have larger problems

That assumes the other person clicking on it isn't clever and malicious. If they are, maybe they know to spoof the user agent and IP before attempting to hijack the session.

# ? Jan 21, 2015 00:10

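The two points this part of the thread settles on, that a token in the query string is encrypted in transit but still lands in server-side logs (the musclecoder/Jabor/spacebard exchange), and that a login link should not be something a second person can reuse by pasting it (fletcher and Biowarfare), can both be handled by how the token itself is designed. The following is an added example and not code from anyone in the thread: the raw token is handed out once and only its SHA-256 hash is stored, it expires, it is consumed by the same statement that checks it, and the endpoint reads it from the POST body only. The `login_tokens` table, the function names and the in-memory SQLite demo are assumptions made for the example.

```php
<?php
// Added example (not code from the thread): single-use, expiring login-link tokens
// redeemed from a POST body rather than the query string, so the secret never
// appears in the request line that Apache/Varnish access logs record.
// The table name, function names and SQLite demo are assumptions for this example.
declare(strict_types=1);

const TOKEN_TTL_SECONDS = 900; // links die after 15 minutes

function createTokenTable(PDO $pdo): void
{
    $pdo->exec('CREATE TABLE IF NOT EXISTS login_tokens (
        user_id INTEGER NOT NULL, token_hash TEXT PRIMARY KEY,
        expires_at INTEGER NOT NULL, used_at INTEGER NULL)');
}

// Issue a token for $userId and return the raw value that goes into the link.
// Only the hash is stored, so a leaked table does not yield usable links.
function issueLoginToken(PDO $pdo, int $userId, int $now): string
{
    $raw  = bin2hex(random_bytes(32));            // 256 bits from the CSPRNG
    $stmt = $pdo->prepare('INSERT INTO login_tokens (user_id, token_hash, expires_at, used_at)
                           VALUES (:uid, :hash, :exp, NULL)');
    $stmt->execute([':uid' => $userId, ':hash' => hash('sha256', $raw),
                    ':exp' => $now + TOKEN_TTL_SECONDS]);
    return $raw;
}

// Redeem once. The UPDATE both checks and consumes the token in one statement,
// so two people who both hold the link cannot both get in: the second request
// finds used_at already set and receives null.
function redeemLoginToken(PDO $pdo, string $raw, int $now): ?int
{
    $hash = hash('sha256', $raw);
    $stmt = $pdo->prepare('UPDATE login_tokens SET used_at = :now
                            WHERE token_hash = :hash AND used_at IS NULL AND expires_at > :now2');
    $stmt->execute([':now' => $now, ':hash' => $hash, ':now2' => $now]);
    if ($stmt->rowCount() !== 1) {
        return null;                               // unknown, expired, or already used
    }
    $sel = $pdo->prepare('SELECT user_id FROM login_tokens WHERE token_hash = :hash');
    $sel->execute([':hash' => $hash]);
    return (int) $sel->fetchColumn();
}

// auth.php entry point: the token is accepted from the POST body only, so a
// token that someone put in the query string is simply refused.
function handleAuthRequest(PDO $pdo): int
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_POST['token'])) {
        return 405;
    }
    $userId = redeemLoginToken($pdo, (string) $_POST['token'], time());
    if ($userId === null) {
        return 401;
    }
    session_start();
    session_regenerate_id(true);                   // never keep the pre-login session id
    $_SESSION['user_id'] = $userId;
    return 200;
}

// Offline demonstration with an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
createTokenTable($pdo);
$now   = time();
$token = issueLoginToken($pdo, 42, $now);
var_dump(redeemLoginToken($pdo, $token, $now + 60));    // first use of the link
var_dump(redeemLoginToken($pdo, $token, $now + 61));    // the same link a second time
$late = issueLoginToken($pdo, 7, $now);
var_dump(redeemLoginToken($pdo, $late, $now + 901));    // after the TTL has passed
```

Two named placeholders (`:now` and `:now2`) are used for the same value because PDO does not allow a named parameter twice in one statement unless prepare emulation is on. Binding the session to the user agent or IP, as discussed above, is not part of this design: the token is good for one use and a short window, so there is nothing for a copied link to carry.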
> musclecoder posted: That's actually something I do know about! Yes, use Capistrano. I wrote a whole book on the subject - https://leftnode.org/posts/expert-php-deployments.html (though it could probably use some updates).

I meant to quote this before. I love this book/tutorial and I'm pushing hard to get this kind of setup for our multi-server deployment which is currently managed by hand by one guy. You say it could use some updates - if they're significant (and not just nit-pick version differences) I'd be happy to read them as a foot-note update to the post. Any more information on "stuff to look out for" is always useful.

# ? Jan 22, 2015 02:00

> v1nce posted: I meant to quote this before. I love this book/tutorial and I'm pushing hard to get this kind of setup for our multi-server deployment which is currently managed by hand by one guy.

Thanks Peanut and the Gang and v1nce. Two big updates I want to issue are updating to Capistrano 3 (and providing a lot more information on deployments, database rollbacks, build process, etc.) and using an automated server management tool (I'm learning Chef so it would most likely be it). Those have been the two biggest requests. I'll post in this thread when I eventually get around to making them.

# ? Jan 22, 2015 04:07

Outside of using an ORM, are there any best practices for loading complex objects from the front-end into their schemas in the back-end? My current situation is this: customers provide me with CSV invoice data that I need to load into a particular database schema. A simple version of it is the following:

code:

code:

# ? Jan 22, 2015 07:10

> IT BEGINS posted: Outside of using an ORM, are there any best practices for loading complex objects from the front-end into their schemas in the back-end? My current situation is this: customers provide me with CSV invoice data that I need to load into a particular database schema. A simple version of it is the following: [...] Is there a particular library that could help me work with this kind of stuff? Should I be using an ORM (I may not be able to use an ORM)?

Unless each of those invoice line items is already an object in your system, an ORM is not immediately helpful here. You might still want them to be data objects, if they aren't. Look up the Data Mapper pattern. Doctrine is an implementation. Heavyweight, but well regarded. I've enjoyed my time with Spot, but it causes the data objects to break the SRP and it's still immature. Defining and using relationships is distinctly weird. Avoid ActiveRecord-based ORMs and any ORM that uses static methods.

# ? Jan 22, 2015 09:29

Help! I'm trying to work out proper dependency injection. Does the following seem logical in any way, or is it one step too many, not enough, etc.? I don't know anymore...

```php
<?php
// App.php
class App
{
    /** @var PDO */
    protected $db;

    public function __construct(PDO $pdo)
    {
        // create db handle
        $this->db = $pdo;
        // etc...
    }

    // more general App methods/properties, etc...
    public function butts()
    {
        // stuff ... (stand-in for whatever PDO call is actually needed)
        return $this->db->query('SELECT 1')->fetchColumn();
    }
}

// Derp.php
class Derp
{
    /** @var App */
    protected $app;

    public function __construct(App $app)
    {
        $this->app = $app;
    }

    // methods using App's stuff via $this->app...
    // ex.
    public function derp($blah)
    {
        if ($blah == true) {
            return $this->app->butts();
        }
    }
}

// SomeScript.php
// define $dsn, $db_user, $db_pass, $db_opts
$PDO  = new PDO($dsn, $db_user, $db_pass, $db_opts);
$App  = new App($PDO);
$Derp = new Derp($App);
var_dump($Derp->derp(true));
```

# ? Jan 22, 2015 23:09

Yeah, that looks about accurate. You're passing the classes the things they depend on (PDO, App) via the constructors, which is basic dependency injection. One of the keys to DI is looking at your class and seeing if you can use it just by itself, provided you pass in the things it needs. You normally do this because then you can actually unit test your code. If you take DI to the Nth degree, you'll be passing in Factories/Services that can produce other types of classes, meaning you don't use new ClassName() unless you're in a factory class.

You don't have any kind of service manager, which isn't the end of the world for code this basic; right at the end you're just throwing together your classes in the order they need to be, which is basically the gist of the service manager, and something that might happen by configuration in frameworks like Symfony. There's a few stand-alone DI classes out there, but they're not exactly "simple" implementations:

http://pimple.sensiolabs.org/
http://php-di.org/

There's arguments out there about pros/cons of using getter/setter functions for DI, too. A basic rule of thumb is this: if your class needs a dependency in order for it to work at all, it should be passed into the constructor. If it's an optional dependency, use a public setter. If you decide to use a getter to access your dependency rather than just a protected/private member, that's entirely up to personal taste. Personally, I avoid this method because people tend to make getters public and then that encourages DI to be broken further down the track. Here's a quick example to echo your own:

```php
<?php
class UserController
{
    /** @var EmailService */
    protected $emailService;
    /** @var RenderService */
    protected $renderService;
    /** @var UserService */
    protected $userService;

    /**
     * @param EmailService  $emailService
     * @param RenderService $renderService
     * @param UserService   $userService
     */
    public function __construct(EmailService $emailService, RenderService $renderService, UserService $userService)
    {
        $this->emailService  = $emailService;
        $this->renderService = $renderService;
        $this->userService   = $userService;
    }

    /**
     * @param string $name
     * @param string $email
     * @return RenderThingie
     */
    public function createUserAction($name, $email)
    {
        $user = $this->userService->addUser($name, $email);
        $this->emailService->sendWelcomeEmail($user);
        $renderer = $this->renderService->getHtmlRenderer();
        $renderer->setParameter('user', $user);
        return $renderer;
    }
}

class UserService
{
    /** @var PDO */
    protected $pdo;

    /**
     * @param PDO $pdo
     */
    public function __construct(PDO $pdo)
    {
        $this->pdo = $pdo;
    }

    /**
     * @param string $name
     * @param string $email
     * @return User
     */
    public function addUser($name, $email)
    {
        // Build a user class
        $user = new User();
        $user->setName($name);
        $user->setEmail($email);
        // TODO: PDO save
        // $this->pdo->doAThing($user);
        return $user;
    }
}

// Without a DI container
// TODO: Email and Render services etc
$pdo = new PDO($dsn, $dbUser, $dbPass);   // connection details defined elsewhere
$userService = new UserService($pdo);
$controller = new UserController($emailService, $renderService, $userService);

// With a DI container (TODO: DI configuration elsewhere)
// The main point is, you don't have to sort out the dependency chain where you're calling your service.
$controller = $container->get('controller.user');
$output = $controller->createUserAction('jeff', 'jeff@example.com');
$output->render();
```

# ? Jan 23, 2015 01:53

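To show what the container wiring v1nce describes ("you don't have to sort out the dependency chain where you're calling your service") looks like without a framework, here is a minimal closure-based container with the constructor-versus-setter rule from the post applied. It is an added example, not v1nce's code and not Pimple or PHP-DI; the `Container`, `Mailer` and `NullLogger` classes and the service ids are invented for it.

```php
<?php
// Added example: a minimal closure-based DI container. Each service id maps to a
// factory; the factory receives the container so it can pull its own dependencies,
// and instances are cached so each service is built once. Class names and service
// ids are invented for this example.
declare(strict_types=1);

class Container
{
    /** @var array<string, callable> */
    private $factories = [];
    /** @var array<string, object> */
    private $instances = [];

    public function set(string $id, callable $factory): void
    {
        $this->factories[$id] = $factory;
    }

    public function get(string $id)
    {
        if (!isset($this->instances[$id])) {
            if (!isset($this->factories[$id])) {
                throw new RuntimeException("no service registered for '$id'");
            }
            $this->instances[$id] = ($this->factories[$id])($this);
        }
        return $this->instances[$id];
    }
}

class Mailer
{
    public function sendWelcome(string $email): string
    {
        return "welcome mail queued for $email";
    }
}

class NullLogger
{
    public function log(string $message): void {}
}

class UserService
{
    /** @var PDO */
    private $pdo;
    /** @var object anything with a log(string) method; optional */
    private $logger;

    // Required dependency: constructor. Optional dependency: setter, with a
    // harmless default so the class still works when nobody calls the setter.
    public function __construct(PDO $pdo)
    {
        $this->pdo    = $pdo;
        $this->logger = new NullLogger();
    }

    public function setLogger(object $logger): void
    {
        $this->logger = $logger;
    }

    public function addUser(string $name, string $email): int
    {
        $stmt = $this->pdo->prepare('INSERT INTO users (name, email) VALUES (?, ?)');
        $stmt->execute([$name, $email]);
        $this->logger->log("added user $name");
        return (int) $this->pdo->lastInsertId();
    }
}

class UserController
{
    /** @var UserService */
    private $users;
    /** @var Mailer */
    private $mailer;

    public function __construct(UserService $users, Mailer $mailer)
    {
        $this->users  = $users;
        $this->mailer = $mailer;
    }

    public function createUserAction(string $name, string $email): string
    {
        $id = $this->users->addUser($name, $email);
        return "user #$id: " . $this->mailer->sendWelcome($email);
    }
}

// Wiring lives in one place; calling code only asks for 'controller.user'.
$container = new Container();
$container->set('pdo', function () {
    $pdo = new PDO('sqlite::memory:');   // in-memory DB so the example runs offline
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
    return $pdo;
});
$container->set('mailer', function () { return new Mailer(); });
$container->set('service.user', function (Container $c) { return new UserService($c->get('pdo')); });
$container->set('controller.user', function (Container $c) {
    return new UserController($c->get('service.user'), $c->get('mailer'));
});

echo $container->get('controller.user')->createUserAction('jeff', 'jeff@example.com'), PHP_EOL;
```

In a test you would register a different `pdo` factory (or call `setLogger()` with a recording logger) and the rest of the graph is unchanged, which is the unit-testing payoff the post mentions.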
> McGlockenshire posted: Unless each of those invoice line items are already objects in your system, then an ORM is not immediately helpful here.

Thanks. I've been looking at Doctrine to see how it builds object graphs but it's a bit more complex than I need it to be. Spot looks like it will be very helpful, at the very least to get a better understanding of things. I'm surprised that I'm not able to find many resources on creating object graphs. I imagined it would be a problem that's been tackled quite often.

# ? Jan 23, 2015 05:51

> v1nce posted: Yeah, that looks about accurate. You're passing the classes the things they depend on (PDO, App) via the constructors, which is basic dependency injection.

Thanks, that helped. While I basically understand the concept and why, the things I've read on DI always seemed to add more layers pretty quickly. That has been the struggle for me.

# ? Jan 23, 2015 18:38

I have a Dev out for a couple weeks with some family issues so I am tackling some of our website bugs to help the web team while they are crunching on a project. Now I am not a PHP guy. I tend to live in Microsoft land. So anyway this is blowing my mind:

code:

code:

code:

Let's var_dump that $var:

> Var_dump posted: string 'undefined' (length=9)

The value of the get data is literally a string with the value 'undefined'? Let's go check out what the gently caress it is that's calling this.

code:

Why the hell is my GET data set to a string with the value undefined and not actually a null string?

Edit: Another dev is suggesting I try:

code:

Edit2: Yup that works. Still makes no sense why == 'undefined' works. gently caress web development. gently caress loosely typed languages.

itskage fucked around with this message at 16:50 on Jan 28, 2015

# ? Jan 28, 2015 16:42

> itskage posted: I have a Dev out for a couple weeks with some family issues so I am tackling some of our website bugs to help the web team while they are crunching on a project.

If x is undefined in javascript, it will be converted to the string 'undefined' when it's added to the data variable. Everything is working as intended. But for real,

code:

# ? Jan 28, 2015 16:51

code:

> quote: Notice: Undefined index: value in /root/1.php on line 2

It's not a php thing from what I can see?

# ? Jan 28, 2015 17:54

Since you're looking for a GET request, the value should get appended to your site's URL once you submit the form. Mogomra covered things pretty well.

# ? Jan 28, 2015 18:39

> Mogomra posted: If x is undefined in javascript, it will be converted to the string 'undefined' when it's added to the data variable. Everything is working as intended.

Using your suggestion works pretty well. Thanks a lot.

# ? Jan 28, 2015 18:49

This is more of an architecture question than a PHP one but... I'm working on a giant form made in CodeIgniter that has very distinct steps that are enabled for only certain users after the 'stage' has been reached. Right now the code is a huge mess so I've been thinking of refactoring, as it has a lot of bugs too. Example of current code in the 'form' controller. It's basically this repeated 15 times. Each one is a separate form inside the same page.

```php
<?php
if ($orden['suborders'][$key]['stage'] == 'design'): // stage
    if (!in_array('assignation', $this->body_files)) $this->body_files[] = 'assignation';
    if ($this->ion_auth->in_group(4) || $this->ion_auth->in_group(14) || $this->ion_auth->in_group(15)): // Check user group
        // Enable form for certain users
        $this->body_vars['analyst_design']['enabled_'.$key] = ($orden['suborders'][$key]['analyst_design']['id'] == $this->ion_auth->user()->row()->id) ? true : false;
    endif;
    // Add form stage to view array if it hasn't been added by a previous stage.
    if (!in_array('analyst', $this->body_files)) $this->body_files[] = 'analyst';
endif;

if ($orden['suborders'][$key]['stage'] == 'respuesta'): // stage
    if (!in_array('assignation', $this->body_files)) $this->body_files[] = 'assignation';
    if (!in_array('analyst', $this->body_files)) $this->body_files[] = 'analyst';
    if (!in_array('analyst-assignation', $this->body_files)) $this->body_files[] = 'analyst-assignation';
    if (!in_array('assignation-boss', $this->body_files)) $this->body_files[] = 'assignation-boss';
    $this->body_files[] = 'analyst-recommendation';
    if ($orden['suborders'][$key]['measurement-incharge']):
        if (!in_array('measurement-quality', $this->body_files)) $this->body_files[] = 'measurement-quality';
    endif;
    if (!in_array('factilibity-connection', $this->body_files)) $this->body_files[] = 'factilibity-connection';
    if ($orden['requirement_wifi']):
        if (!in_array('project_wifi', $this->body_files)) $this->body_files[] = 'project_wifi';
    endif;
    if (!in_array('authorization', $this->body_files)) $this->body_files[] = 'authorization';
    $this->body_vars['responsibles'] = $this->ordenes_model->get_all_involved($id);
    if ($this->ion_auth->in_group(17)):
        $this->body_vars['preimplementation_enable'][$key] = true;
    endif;
endif;
?>
```

What would be the best way to organize this mess?

# ? Jan 29, 2015 18:55

Background (from General programming thread): I have a RateBeer API key and I'm trying to get Brewery and Beer information from the site. From their API Doc, the key can be used to access information via HTTP (http://www.ratebeer.com/json/ratebeerapi.asp). What gets returned is a JSON object such as below:

code:

code:

Also, when I try doing a large amount in a loop, I get a gateway timeout. Is there a way to output each one to a file and set up a new session each time? Trying to get file_get_response() working, but I get a 'Failed to Open Stream' error.

code:

# ? Jan 29, 2015 19:27

This is really ugly and I'm sure there's a better way, but this works:

code:

# ? Jan 29, 2015 20:52

Does this work on your machine?

```php
<?php
var_dump(file_get_contents("http://www.ratebeer.com/json/bff.asp?k=tTmwRTWT-W7tpBhtL&bd=2598"));
```

# ? Jan 29, 2015 20:53

> gmq posted: This is more of an architecture question than a PHP one but...

Biggest problem here is not so much the logic, but the messy layout. I reduced some redundancy and am judicious with whitespace to make it less cluttered:

```php
<?php
// addToBody() goes in the controller class; the rest is the body of the method
// that previously held the if/endif blocks.
protected function addToBody($keys)
{
    if (!is_array($keys)) {
        $keys = [$keys];
    }
    foreach ($keys as $key) {
        if (!in_array($key, $this->body_files)) {
            $this->body_files[] = $key;
        }
    }
}

$suborder = $orden['suborders'][$key];

if ($suborder['stage'] == 'design') {
    $this->addToBody('assignation');

    // Enable form for certain users
    if ($this->ion_auth->in_group(4) || $this->ion_auth->in_group(14) || $this->ion_auth->in_group(15)) {
        $analyst_design_id = $orden['suborders'][$key]['analyst_design']['id'];
        $ion_auth_user_id  = $this->ion_auth->user()->row()->id;
        $this->body_vars['analyst_design']['enabled_' . $key] = $analyst_design_id == $ion_auth_user_id;
    }

    $this->addToBody('analyst');
}

if ($suborder['stage'] == 'respuesta') {
    $this->addToBody([
        'assignation',
        'analyst',
        'analyst-assignation',
        'assignation-boss',
    ]);
    $this->body_files[] = 'analyst-recommendation';

    if ($suborder['measurement-incharge']) {
        $this->addToBody('measurement-quality');
    }

    $this->addToBody('factilibity-connection');

    if ($orden['requirement_wifi']) {
        $this->addToBody('project_wifi');
    }

    $this->addToBody('authorization');

    $this->body_vars['responsibles'] = $this->ordenes_model->get_all_involved($id);

    if ($this->ion_auth->in_group(17)) {
        $this->body_vars['preimplementation_enable'][$key] = true;
    }
}
```

karms fucked around with this message at 21:00 on Jan 29, 2015

# ? Jan 29, 2015 20:56

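The same selection logic can be pushed one step further into data: a single map of which forms each stage shows (with the two conditional entries kept in their original positions) and one function for the two per-user switches, so the controller loop over suborders becomes a few lines and a new stage is one array entry. This is an added example and not gmq's or karms's code; the stage and form names and the group numbers are the ones in gmq's post, while the `StageForms` class, `stageFiles()`, `stageFlags()` and the sample order are invented for it.

```php
<?php
// Added example: gmq's per-stage form selection expressed as data. Stage names,
// form names and group numbers are taken from the thread; the class, functions
// and the sample order below are invented for this example.
declare(strict_types=1);

final class StageForms
{
    // Forms shown at each stage, in display order. A plain string is always
    // included; a [file, source, flag] entry is included only when that flag is
    // truthy on the order ('order') or the suborder ('suborder').
    private const FILES = [
        'design'    => ['assignation', 'analyst'],
        'respuesta' => [
            'assignation', 'analyst', 'analyst-assignation', 'assignation-boss',
            'analyst-recommendation',
            ['measurement-quality', 'suborder', 'measurement-incharge'],
            'factilibity-connection',
            ['project_wifi', 'order', 'requirement_wifi'],
            'authorization',
        ],
    ];

    /** Ordered, de-duplicated view files for one suborder. */
    public static function stageFiles(array $orden, array $suborder): array
    {
        $files = [];
        foreach (self::FILES[$suborder['stage'] ?? ''] ?? [] as $entry) {
            if (is_array($entry)) {
                [$file, $source, $flag] = $entry;
                $subject = $source === 'order' ? $orden : $suborder;
                if (empty($subject[$flag])) {
                    continue;
                }
            } else {
                $file = $entry;
            }
            $files[] = $file;
        }
        return array_values(array_unique($files));
    }

    /** Per-user switches: the analyst-design form and the pre-implementation form. */
    public static function stageFlags(array $suborder, int $userId, array $userGroups): array
    {
        $stage = $suborder['stage'] ?? '';
        return [
            'analyst_design_enabled' => $stage === 'design'
                && array_intersect([4, 14, 15], $userGroups) !== []
                && ($suborder['analyst_design']['id'] ?? null) == $userId,
            'preimplementation_enabled' => $stage === 'respuesta' && in_array(17, $userGroups, true),
        ];
    }
}

// Constructed sample order with two suborders, mirroring the shape in gmq's code.
$orden = [
    'requirement_wifi' => true,
    'suborders' => [
        'a' => ['stage' => 'design',    'analyst_design' => ['id' => 9]],
        'b' => ['stage' => 'respuesta', 'measurement-incharge' => false],
    ],
];

// In the controller this loop replaces the repeated if/endif blocks; $bodyFiles
// accumulates across suborders exactly as $this->body_files did.
$bodyFiles = [];
foreach ($orden['suborders'] as $key => $suborder) {
    $bodyFiles = array_values(array_unique(array_merge($bodyFiles, StageForms::stageFiles($orden, $suborder))));
    $flags = StageForms::stageFlags($suborder, 9, [4, 17]);   // ion_auth user id and groups
    echo $key, ': ', json_encode($flags), PHP_EOL;
}
echo 'body files: ', implode(', ', $bodyFiles), PHP_EOL;
```

Both functions are pure (no `$this`, no model calls), so the stage rules can be unit-tested with array fixtures; the one remaining side effect in gmq's block, `get_all_involved($id)` for the `responsibles` view variable, stays in the controller.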
itskage posted:

# ? Jan 30, 2015 13:26

> revmoo posted: This is really ugly and I'm sure there's a better way, but this works:

When I put this into a loop (seen below) I'm getting a "Fatal error: Maximum execution time of 30 seconds exceeded" error. Also, it looks like it's overwriting the same line. How would I go about going to a new line each time, then appending each iteration to the file instead of over what existed?

code:

# ? Jan 30, 2015 21:30

You want to use pagination or something where you have

code:
You'd also want to use 'a' in the fopen if using the same file.
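Putting the two suggestions together (work in batches so no single run approaches `max_execution_time`, and open the output with `'a'` so each run appends), here is an added example of the loop; it is not revmoo's or the replier's code. It remembers the last id processed in a small progress file, so re-running the script continues where the previous run stopped instead of overwriting. The `k=`/`bd=` query parameters follow the `bff.asp` URL shown earlier in the thread; the API key, the batch size, the file names and the record fields in the offline fetcher are placeholders or constructed values.

```php
<?php
// Added example (not code from the thread): fetch records in batches, append one
// JSON line per record with fopen(..., 'a'), and persist the last id done so the
// next run resumes. API key, file names and the fake record fields are placeholders.
declare(strict_types=1);

const API_KEY    = 'YOUR-RATEBEER-KEY';   // placeholder, not a real key
const BATCH_SIZE = 25;                    // small enough to finish well inside max_execution_time

// Fetch one record from the live API; null on any failure. The stream timeout
// keeps one slow upstream request from consuming the whole script time limit.
function fetchBeer(int $beerId): ?string
{
    $url = 'http://www.ratebeer.com/json/bff.asp?k=' . rawurlencode(API_KEY) . '&bd=' . $beerId;
    $ctx = stream_context_create(['http' => ['timeout' => 10]]);
    $body = @file_get_contents($url, false, $ctx);
    return $body === false ? null : trim($body);
}

// Process one batch, starting after the id recorded in $progressFile. Returns the
// ids written. $fetch is injected so the function can run offline (demo below).
function runBatch(callable $fetch, int $firstId, int $lastId, string $outFile, string $progressFile): array
{
    $done  = is_file($progressFile) ? (int) file_get_contents($progressFile) : $firstId - 1;
    $start = max($firstId, $done + 1);
    $end   = min($lastId, $start + BATCH_SIZE - 1);
    if ($start > $lastId) {
        return [];                                      // nothing left to do
    }
    $out = fopen($outFile, 'a');                        // 'a': append, never truncate
    if ($out === false) {
        throw new RuntimeException("cannot open $outFile");
    }
    $written = [];
    for ($id = $start; $id <= $end; $id++) {
        $json = $fetch($id);
        if ($json !== null) {
            fwrite($out, $json . "\n");                 // one record per line
            $written[] = $id;
        }
        // Advance even on a miss, so an id that always fails is not retried forever.
        file_put_contents($progressFile, (string) $id);
    }
    fclose($out);
    return $written;
}

// Offline demo with a constructed fetcher standing in for the live API.
$fakeFetch = function (int $id): ?string {
    if ($id % 7 === 0) {
        return null;                                    // pretend every 7th id fails
    }
    return json_encode(['BeerID' => $id, 'BeerName' => "constructed beer $id"]);
};
$dir          = sys_get_temp_dir();
$outFile      = "$dir/beers.jsonl";
$progressFile = "$dir/beers.progress";
@unlink($outFile);
@unlink($progressFile);

// In production each invocation (cron, or a shell loop) does one batch; three
// invocations are simulated here.
for ($run = 1; $run <= 3; $run++) {
    $ids = runBatch($fakeFetch, 2590, 2650, $outFile, $progressFile);
    echo "run $run wrote ", count($ids), " records, progress at ", file_get_contents($progressFile), PHP_EOL;
}
echo 'lines in file: ', count(file($outFile)), PHP_EOL;
```

Against the real API, replace `$fakeFetch` with `'fetchBeer'` and put the real key in `API_KEY` (ideally from the environment rather than the source file, since the key is a credential).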

# ? Jan 31, 2015 18:13