phplib-users Mailing List for PHPLIB (Page 36)
From: Marko K. <M.K...@os...> - 2002-10-28 14:07:54
Hi Joe, Richard, Tarique, etc,

I used different versions of the phplib4.dev snapshots without problems, but since I was told to set session.use_trans_sid=0 in my php.ini I am unable to use non-cookie mode: get-mode. Why is this so? I heard that this was done to avoid setting sids via simple get parameters, or something like that... Or some problems with php itself, different behaviour of different versions of php and therefore this seems to be the only safe way to make it right... Don't remember. Could somebody update my knowledge about this issue, please!

Is there a way to enable get-mode in the future again, or should we only rely on cookies? In principle I tend to disable cookies on all my browsers, but this is now impossible with my app. If there's no safe way NOT to use cookies for phplib applications, it looks like I can skip all my $sess->purl's from the code and devote myself simply to cookies, which makes it easier to write the code often, but forces my users to enable cookies, at least for my app.

???

Marko
From: Joe S. <jo...@be...> - 2002-10-25 20:07:49
On Fri, Oct 25, 2002 at 08:58:34PM +0200, Giancarlo wrote:
> > references to "again" to something like "action".
> > "authcmd" would be fine too.
> >
> > Again has no context in this use except that some example scripts
> > attempted to use it for a variable.
> >
> > There was something else, but I've forgotten for now. Oh well.
>

My only point in this - the word "authcmd" would be better than using the word "again" for a variable name. No other changes in this regard.

Joe

> The reason why I didn't add a precise check on 'logout', but
> instead used to fall into 'logout' when anything passed was not reg/log, is
> to comply with the actual behaviour of login_if: if *anything true* is passed
> it will log you out and splash the form. So it was for a backward compatibility
> again with existing login_ifs
>
> G
From: Giancarlo <gia...@na...> - 2002-10-25 19:06:27
At 17:04, Friday 25 October 2002, Rob Hutton wrote:
> I'm trying to protect from someone going to the registration form and
> trying names and logins until they get one. The login form only allows five
> tries before the account is locked.

But if you used a session counter....and increase it each time you enter validatelogin...

> The registration form, however does
> not have this restriction as it is not designed to log someone in. But

Instead of blocking the form, block the function, as I said above

> with the current layout of auth (without a real control structure) there is
> no way to prevent auth_validatelogin from executing unless I put in a
> hidden field and test for it. Which is very ugly in my mind...

..........
    # we have an authcommand
    if (array_key_exists($this->urlaction, $_GET)) {
        switch ((string) $_GET[$this->urlaction]) {
            # one handler per command; the break keeps 'reg' from
            # falling through into the login and logout handlers
            case 'reg':    auth_handleregister(); break;
            case 'log':    auth_handlelogin();    break;
            case 'logout': auth_handlelogout();   break;
        }
    }
..........

What I want to say is that a start function should never be extended. So if someone wants to adapt phplib auth features to, let's say, accept xmlrpc data for 'remote logins' he has no choice but to rewrite start, if the nature and value of the input fields get tested in there.

start is ready to accept a default action, you know, as start(action='log') so the kind of input provided, and its value, could be tested well before (page.inc) instead of after (validatelogin/doregister).

But I wouldn't tie start to a particular HTTP_.._VARS, so people will never need to extend it.

To me, being this well related to 'what kind of page we are dealing with' (if they are pages! they could well be XML data posted/returned one day) I'd manage that action log/reg in page inc, and call auth->start(log/reg/whatever) from page inc.

Again I didn't go so far for backward compatibility, because as it is now it can still be dropped in place in most phplib (almost_standard) implementations

Gian
From: Giancarlo <gia...@na...> - 2002-10-25 19:06:20
> references to "again" to something like "action".
> "authcmd" would be fine too.
>
> Again has no context in this use except that some example scripts
> attempted to use it for a variable.
>
> There was something else, but I've forgotten for now. Oh well.

The reason why I didn't add a precise check on 'logout', but instead used to fall into 'logout' when anything passed was not reg/log, is to comply with the actual behaviour of login_if: if *anything true* is passed it will log you out and splash the form. So it was for a backward compatibility again with existing login_ifs

G
From: Chris J. <ch...@ch...> - 2002-10-25 16:32:33
On Fri, Oct 25, 2002 at 08:22:39AM -0500, Joe Stewart wrote:
> There is an existing need for this type cleanup as Rob notes. A specific
> example is if you use a preauth cookie. With the current auth class there
> is no place to clear the cookie on logout, so unless it's cleared, you'll
> log right back in upon logout. You currently have to provide the logout
> functionality outside of the auth class or override auth->logout().
>
> Joe

Yeah, that makes sense. In fact, probably all the login and logout stuff should be completely orthogonal to allow custom pre- and post-processing at each step. That is, PHPLIB probably ought to provide easy to use hooks to do those things when a developer needs them, instead of requiring them to override lots of primary classes with custom solutions.

--
..chris
From: Rob H. <rob...@ws...> - 2002-10-25 15:01:30
I'm trying to protect from someone going to the registration form and trying names and logins until they get one. The login form only allows five tries before the account is locked. The registration form, however, does not have this restriction as it is not designed to log someone in. But with the current layout of auth (without a real control structure) there is no way to prevent auth_validatelogin from executing unless I put in a hidden field and test for it. Which is very ugly in my mind...

> -----Original Message-----
> From: php...@li... [mailto:php...@li...] On Behalf Of Joe Stewart
> Sent: Friday, October 25, 2002 9:33 AM
> To: Phplib-Users
> Subject: Re: [Phplib-users] Registration Question
>
> On Thu, Oct 24, 2002 at 10:42:14PM -0400, Rob Hutton wrote:
> > It looks to me with the default setup that if you are using login_if to
From: Joe S. <jo...@be...> - 2002-10-25 13:36:29
On Thu, Oct 24, 2002 at 10:42:14PM -0400, Rob Hutton wrote:
> It looks to me with the default setup that if you are using login_if to
> register and the person types an existing login name and password, then it
> will silently authenticate them. This is not a good thing when the purpose
> of auth is protection.

Under your scenario couldn't they just enter the valid info on the login form?

> Is there any way to force the person to enter something unique when
> registering besides modding auth_doregister above auth_validatelogin? I was
> thinking maybe setting a hidden form variable and checking for its existence
> in auth_validatelogin and returning false if it existed.
>

You can validate however you want in do_register. If you don't want to log them in immediately after registering - don't. In Kristian's example do_register:

    ## If user is present and password matches, silently log
    ## the user in.
    if ($this->db->f("password") == $pass1) {
        $this->auth["perm"] = $this->db->f("perms");
        return $this->db->f("user_id");
    }

Joe

> Thoughts, comments. I am trying to do something for the examples so I want
> it to be the way it was meant to work...
>
> Rob Hutton
> Web Safe
> www.wsafe.com
From: Rob H. <rob...@ws...> - 2002-10-25 13:33:48
Well, now you're going to get me on a soapbox. I think with a major release, backward compatibility is important, but not essential. But that's up to the powers that be.

That said, I think the variable tested for should be something like "authcmd=" and should handle the auth stuff. As part of the auth start() preferably. Then login_if goes away. start() tests $HTTP_SERVER_VARS["QUERY_STRING"] for the authcmd variable and runs whatever the command is if it is there. If it is not, then it does the other auth stuff. Simple. Pretty.

> -----Original Message-----
> From: php...@li... [mailto:php...@li...] On Behalf Of Joe Stewart
> Sent: Friday, October 25, 2002 9:23 AM
> To: Phplib-Users
> Subject: Re: [Phplib-users] Login_if changes for logouts
>
> On Thu, Oct 24, 2002 at 10:42:13PM -0400, Rob Hutton wrote:
> > Gian -
> > I moved the logout to the same handler as the login stuff and created a
> > function called auth_logoutform() which is called the same way as the login
> > form is with the same empty function definition. This is to allow me to do
> > session cleanup, display a notice to the user, etc. that may need to occur
> > after you log out...
> >
>
> Shouldn't logout() trigger a auth_postauth() function instead?
> It shouldn't be tied to the use of login_if().
>
> There is an existing need for this type cleanup as Rob notes. A specific
> example is if you use a preauth cookie. With the current auth class there
> is no place to clear the cookie on logout, so unless it's cleared, you'll
> log right back in upon logout. You currently have to provide the logout
> functionality outside of the auth class or override auth->logout().
>
> Joe
From: Joe S. <jo...@be...> - 2002-10-25 13:26:07
On Thu, Oct 24, 2002 at 10:42:13PM -0400, Rob Hutton wrote:
> Gian -
> I moved the logout to the same handler as the login stuff and created a
> function called auth_logoutform() which is called the same way as the login
> form is with the same empty function definition. This is to allow me to do
> session cleanup, display a notice to the user, etc. that may need to occur
> after you log out...
>

Shouldn't logout() trigger a auth_postauth() function instead? It shouldn't be tied to the use of login_if().

There is an existing need for this type cleanup as Rob notes. A specific example is if you use a preauth cookie. With the current auth class there is no place to clear the cookie on logout, so unless it's cleared, you'll log right back in upon logout. You currently have to provide the logout functionality outside of the auth class or override auth->logout().

Joe
From: <alt...@ya...> - 2002-10-25 12:40:21
> It looks to me with the default setup that if you
> are using login_if to register and the person types an existing login name
> and password, then it will silently authenticate them. This is not a good
> thing when the purpose of auth is protection.

This is true. There is a solution, but it is not backward compatible with existing phplib installations.

In the form (login/register) add a hidden field, eg:

    <input name=req_action value=reg>

or value=log. Then on top of your auth_validatelogin:

    if ($HTTP_POST_VARS["req_action"] != "log") return false;

Same in auth_doregister:

    if ($HTTP_POST_VARS["req_action"] != "reg") return false;

We thought to add this, but didn't because of backward compatibility

Gian

> Is there any way to force the person to enter
> something unique when registering besides modding auth_doregister above
> auth_validatelogin? I was thinking maybe setting a hidden form variable and
> checking for its existence in auth_validatelogin and returning false if it
> existed.
>
> Thoughts, comments. I am trying to do something for
> the examples so I want it to be the way it was meant to work...
>
> Rob Hutton
> Web Safe
> www.wsafe.com
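The two ideas in this thread, Gian's hidden req_action field (this message) and Giancarlo's switch on an explicit action parameter together with his per-session attempt counter (further up the page), fit together into one small dispatcher. The following is an added example written for this page, not PHPLIB code and not code posted by anyone on the list: handle_login(), handle_register(), the $users array standing in for the user table and the $session array standing in for $sess are this example's own names, and PHPLIB's real hooks remain auth_validatelogin() and auth_doregister(). It needs PHP 7.1 or later.

```php
<?php
// Added example, not PHPLIB code: route a request to exactly one auth
// handler chosen by an explicit, allow-listed action, and count attempts
// per session so that probing the registration form costs the same as
// probing the login form.
//
// Assumptions: handle_login/handle_register, $users (user table stand-in)
// and $session ($sess stand-in) are this example's own; PHPLIB's real hooks
// are auth_validatelogin() and auth_doregister().

const ALLOWED_ACTIONS = ['log', 'reg', 'logout'];
const MAX_ATTEMPTS    = 5;   // the thread's "five tries" before lockout

function handle_login(array $post, array $users): ?string
{
    $user = (string)($post['username'] ?? '');
    $pass = (string)($post['password'] ?? '');
    if (isset($users[$user]) && password_verify($pass, $users[$user])) {
        return $user;                       // authenticated uid
    }
    return null;
}

function handle_register(array $post, array &$users): ?string
{
    $user = (string)($post['username'] ?? '');
    $pass = (string)($post['password'] ?? '');
    // An existing name is a registration failure, never a silent login.
    if ($user === '' || $pass === '' || isset($users[$user])) {
        return null;
    }
    $users[$user] = password_hash($pass, PASSWORD_DEFAULT);
    return $user;
}

// Returns ['uid' => string|null, 'form' => string|null].
function dispatch(array $request, array &$users, array &$session): array
{
    $action = (string)($request['req_action'] ?? '');
    if (!in_array($action, ALLOWED_ACTIONS, true)) {
        // Missing or unknown action: show the login form, run no handler.
        return ['uid' => null, 'form' => 'login'];
    }
    if ($action === 'logout') {
        $session = [];                       // counter goes away with the session
        return ['uid' => null, 'form' => 'logout'];
    }
    // Both credential-taking paths share one counter.
    $session['auth_attempts'] = ($session['auth_attempts'] ?? 0) + 1;
    if ($session['auth_attempts'] > MAX_ATTEMPTS) {
        return ['uid' => null, 'form' => 'locked'];
    }
    switch ($action) {
        case 'log':
            $uid = handle_login($request, $users);
            break;
        case 'reg':
            $uid = handle_register($request, $users);
            break;
        default:                            // unreachable after the allow-list check
            $uid = null;
    }
    if ($uid !== null) {
        $session['auth_attempts'] = 0;      // reset on success
        return ['uid' => $uid, 'form' => null];
    }
    return ['uid' => null, 'form' => $action === 'log' ? 'login' : 'register'];
}

// Constructed sample data and requests.
$users   = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
$session = [];
$creds   = ['username' => 'alice', 'password' => 'correct horse'];

$cases = [
    'login form, valid creds'       => $creds + ['req_action' => 'log'],
    'registration form, same creds' => $creds + ['req_action' => 'reg'],
    'no action at all'              => $creds,
];
foreach ($cases as $label => $req) {
    $r = dispatch($req, $users, $session);
    printf("%-32s uid=%s form=%s\n", $label, $r['uid'] ?? '-', $r['form'] ?? '-');
}
// Six failed probes through the registration form trip the shared lockout.
for ($i = 0; $i < 6; $i++) {
    $r = dispatch(['req_action' => 'reg', 'username' => 'alice', 'password' => 'x'], $users, $session);
}
printf("%-32s form=%s attempts=%d\n", 'after six registration probes', $r['form'], $session['auth_attempts']);
```

The point of the allow-list is the case Rob describes: a known user's credentials submitted through the registration form reach handle_register() only, which refuses an existing name and returns no uid, and a request with no action at all runs neither handler. Because the attempt counter sits in dispatch() rather than in the login handler, name-guessing through the registration form is limited by the same five tries as the login form.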
From: Rob H. <rob...@ws...> - 2002-10-25 02:39:20
It looks to me with the default setup that if you are using login_if to register and the person types an existing login name and password, then it will silently authenticate them. This is not a good thing when the purpose of auth is protection.

Is there any way to force the person to enter something unique when registering besides modding auth_doregister above auth_validatelogin? I was thinking maybe setting a hidden form variable and checking for its existence in auth_validatelogin and returning false if it existed.

Thoughts, comments. I am trying to do something for the examples so I want it to be the way it was meant to work...

Rob Hutton
Web Safe
www.wsafe.com
From: Rob H. <rob...@ws...> - 2002-10-25 02:39:19
Gian -

I moved the logout to the same handler as the login stuff and created a function called auth_logoutform() which is called the same way as the login form is with the same empty function definition. This is to allow me to do session cleanup, display a notice to the user, etc. that may need to occur after you log out...

    if (! $this->start()) {
        # See what form
        if (($t == "reg") || ($t == "log") || ($t == 'logout'))
            ### you can use auth->login_if("log") or "reg"
            $m = $t;
        else
            $m = $this->mode;   ## or default
        switch ($m) {
            case "log":
                $this->auth_loginform();
                break;
            case "reg":
                $this->auth_registerform();
                break;
            case "logout":
                $this->logout();
                $this->auth_logoutform();
                break;
        }
        $sess->freeze();
        exit;
    }

Rob Hutton
Web Safe
www.wsafe.com
From: Brian P. <bp...@ct...> - 2002-10-24 21:04:04
Technically you could use either, but for security reasons it is recommended that you put it outside your document root (which means /var/www/ would be a better choice). The important part is that you either have to add the directory (for example /var/www/phplib) to your PHP include directory (in your php.ini file) or you have to manually include your /var/www/phplib/prepend.php3 file in each page of your project. I prefer to include it manually so that I don't have the overhead of PHPLib being included in non-phplib related pages. This works well for me since all my projects include a config file anyway (which in turn includes PHPLib).

-----Original Message-----
From: Docume [mailto:do...@ly...]
Sent: Thursday, October 24, 2002 3:54 PM
To: php...@li...
Subject: [Phplib-users] Confused with the phplib installation

I can't understand where to install phplib. Is the correct directory /var/www or /var/www/html? I am using RH 7.3 and the DocumentRoot for apache is /var/www/html. What path should I use?
From: Docume <do...@ly...> - 2002-10-24 20:52:22
I can't understand where to install phplib. Is the correct directory /var/www or /var/www/html? I am using RH 7.3 and the DocumentRoot for apache is /var/www/html. What path should I use?
From: Layne W. <la...@if...> - 2002-10-24 12:54:07
> I was looking at the documentation, only a few things, and some other docs I
> found using google talking about how to install and configure phplib into
> a linux box, and now, I don't know what guides I should use to install it
> into my box, so the question is... Can someone explain to me the steps to
> install phplib into a linux box, exactly it is a rh 7.3? I am very
> interested in how to configure and install phplib in a secure way.

1. Place it in a directory that is outside of Apache's document root.
2. Include the classes you want into your scripts.

The docs suggest /usr/local, but I prefer /var/www - keeps my web-related files together.

Layne Weathers
Ifworld Inc.
From: Docume <do...@ly...> - 2002-10-23 22:12:24
I was looking at the documentation, only a few things, and some other docs I found using google talking about how to install and configure phplib into a linux box, and now, I don't know what guides I should use to install it into my box, so the question is... Can someone explain to me the steps to install phplib into a linux box, exactly it is a rh 7.3? I am very interested in how to configure and install phplib in a secure way.

Thanks in advance.
From: Dr T. S. <ta...@sa...> - 2002-10-22 06:30:53
On Mon, 21 Oct 2002, Daniel Bondurant wrote:

auth_preauth() can be your friend if you can pass the username password and use the same database for authentication

Tarique

> Is there any way to login from one non-phplib site to a phplib site.
> I know the username and password, and can pass them no problem, however, I am getting hung up with the session. Since no session has been created, phplib won't authenticate the login and force the login screen.
>
> Is there any way to bypass the login screen (I guess by not checking for a valid session) if I know the username and password of the incoming user?
>
> thank
> - daniel

--
=============================================================
PHP Applications for E-Biz: http://www.sanisoft.com
Indian PHP User Group: http://groups.yahoo.com/group/in-phpug
=============================================================
From: Rob H. <rob...@ws...> - 2002-10-22 00:46:48
OK, Thanks. Not enough sleep this week. Maybe that would be a good thing to move into local.inc. Gian?

Thanks,
Rob Hutton
Web Safe
www.wsafe.com

> -----Original Message-----
> From: Layne Weathers [mailto:la...@if...]
> Sent: Monday, October 21, 2002 8:34 PM
> To: rob...@ws...; 'Phplib-Users'
> Subject: RE: [Phplib-users] Using session cookies
>
> > I have lifetime in the session set to 0, so that session
> > should be using cookies. But there still seems to be a lifetime on the
> > cookies. If I leave a window open, say for 15 minutes, then refresh,
> > my login is no longer valid. Is this expected behavior?
>
> There is a separate timeout for auth that is set in local.inc.
>
> Layne Weathers
> Ifworld Inc.
From: Rob H. <rob...@ws...> - 2002-10-22 00:44:51
In your local, create an auth_preauth() in local.inc that does whatever you want and returns a valid uid.

> -----Original Message-----
> From: php...@li... [mailto:php...@li...] On Behalf Of Daniel Bondurant
> Sent: Monday, October 21, 2002 8:06 PM
> To: Phplib-Users
> Subject: [Phplib-users] login from other sites
>
> Is there any way to login from one non-phplib site to a phplib site.
> I know the username and password, and can pass them no problem,
> however, I am getting hung up with the session. Since no session
> has been created, phplib won't authenticate the login and force
> the login screen.
>
> Is there any way to bypass the login screen (I guess by not
> checking for a valid session) if I know the username and password
> of the incoming user?
>
> thank
> - daniel
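Rob's and Tarique's answers (auth_preauth() returning a valid uid) and Joe's warning further up the page (a preauth cookie that is not cleared on logout logs you straight back in) describe the two halves of one mechanism. The block below is an added example written for this page, not PHPLIB's Auth class and not code from the list: the class names PreauthCookie and ExampleAuth, the cookie name, the "uid|expiry|hmac" layout and the shared secret are all this example's own, and the $cookies array and set_cookies list stand in for $_COOKIE and setcookie() so the walk-through runs without a web server. It requires PHP 8.0 or later.

```php
<?php
// Added example, not PHPLIB code: a signed "preauth" cookie that lets a
// trusted site hand a user over, checked by an auth_preauth()-style hook,
// plus a logout() that revokes the cookie so the next start() cannot
// re-authenticate from it.
//
// Assumptions: class, method and cookie names and the secret are this
// example's own; PHPLIB only dictates that auth_preauth() returns a uid
// (or false) and that logout() may be overridden.

class PreauthCookie
{
    const COOKIE = 'preauth';

    public function __construct(private string $secret) {}

    // Issued by the trusted site: "uid|expiry|hmac(uid|expiry)".
    public function issue(string $uid, int $expires): string
    {
        $payload = $uid . '|' . $expires;
        return $payload . '|' . hash_hmac('sha256', $payload, $this->secret);
    }

    // Returns the uid only if the MAC matches and the cookie is unexpired.
    public function verify(?string $cookie, int $now): ?string
    {
        if ($cookie === null) {
            return null;
        }
        $parts = explode('|', $cookie);
        if (count($parts) !== 3) {
            return null;
        }
        [$uid, $expires, $mac] = $parts;
        if (!ctype_digit($expires) || (int)$expires < $now) {
            return null;
        }
        $expected = hash_hmac('sha256', $uid . '|' . $expires, $this->secret);
        if (!hash_equals($expected, $mac)) {   // constant-time comparison
            return null;
        }
        return $uid;
    }
}

class ExampleAuth
{
    public array $auth = ['uid' => '', 'perm' => ''];
    private array $cookies;           // stand-in for $_COOKIE
    public array $set_cookies = [];   // stand-in for setcookie() calls

    public function __construct(private PreauthCookie $pre, array $cookies, private int $now)
    {
        $this->cookies = $cookies;
    }

    // What start() calls when there is no valid session: a uid, or false.
    public function auth_preauth()
    {
        $uid = $this->pre->verify($this->cookies[PreauthCookie::COOKIE] ?? null, $this->now);
        if ($uid === null) {
            return false;
        }
        $this->auth['uid']  = $uid;
        $this->auth['perm'] = 'user';   // constructed; perms would come from the user table
        return $uid;
    }

    // Logout must also revoke the preauth cookie, or the next start() logs
    // the user straight back in.
    public function logout(): void
    {
        $this->auth = ['uid' => '', 'perm' => ''];
        unset($this->cookies[PreauthCookie::COOKIE]);
        // In a real request: setcookie(PreauthCookie::COOKIE, '', ['expires' => 1, 'path' => '/', 'httponly' => true]);
        $this->set_cookies[PreauthCookie::COOKIE] = ['value' => '', 'expires' => 1];
    }
}

// Constructed walk-through.
$pre    = new PreauthCookie('constructed-shared-secret');
$now    = 1035504000;
$cookie = $pre->issue('daniel', $now + 300);

$a = new ExampleAuth($pre, ['preauth' => $cookie], $now);
echo "preauth with valid cookie: ", var_export($a->auth_preauth(), true), "\n";
$a->logout();
echo "preauth after logout:      ", var_export($a->auth_preauth(), true), "\n";

// A cookie whose uid was edited fails the MAC check.
$b = new ExampleAuth($pre, ['preauth' => str_replace('daniel', 'admin', $cookie)], $now);
echo "preauth with edited uid:   ", var_export($b->auth_preauth(), true), "\n";
```

Two design choices matter here. The cookie carries a MAC keyed with a secret that only the two sites share, so a user cannot mint a cookie for another uid, and the expiry is inside the signed payload so it cannot be extended either. And logout() removes the cookie from the request-side state as well as emitting the expiring Set-Cookie, which is exactly the cleanup Joe notes the stock auth class gives you no place for.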
From: Layne W. <la...@if...> - 2002-10-22 00:18:57
> I have lifetime in the session set to 0, so that session
> should be using cookies. But there still seems to be a lifetime on the
> cookies. If I leave a window open, say for 15 minutes, then refresh,
> my login is no longer valid. Is this expected behavior?

There is a separate timeout for auth that is set in local.inc.

Layne Weathers
Ifworld Inc.
From: Daniel B. <bo...@io...> - 2002-10-22 00:06:52
Is there any way to login from one non-phplib site to a phplib site. I know the username and password, and can pass them no problem, however, I am getting hung up with the session. Since no session has been created, phplib won't authenticate the login and force the login screen.

Is there any way to bypass the login screen (I guess by not checking for a valid session) if I know the username and password of the incoming user?

thank
- daniel
From: Rob H. <rob...@ws...> - 2002-10-22 00:03:40
nextid is meant to replace the auto_increment functions in dbs where it either does not exist, or is hard to access. It is meant as an equalizer. There is a table, whose name is settable, that holds a list of names and values. NextID simply locks the record, increments the value by one, then unlocks it. It is a fairly sexy solution to one of those obnoxious problems that you run into when trying to write portable apps. In the setup scripts, one of them has sql to set up the table.

Thanks,
Rob Hutton
Web Safe
www.wsafe.com

> -----Original Message-----
> From: php...@li... [mailto:php...@li...] On Behalf Of Aric Caley
> Sent: Monday, October 21, 2002 7:51 PM
> To: Phplib-Users
> Subject: [Phplib-users] db->nextid()
>
> I just happened across this function.
>
> I'm assuming that this is meant as an alternative to an auto increment
> field? Or to generating a random and hopefully unique number?
>
> I'm rewriting a project that uses a lot of MD5() calls to get unique numbers
> for things like categories and such. I thought to myself why not just use
> auto increment in the database. I had read that the MD5 technique was being
> used specifically to reduce possible collisions when inserting new records
> over using auto increment. Is this nextid() function meant to solve the
> same problem? Because I rather like it as opposed to MD5 which returns a
> big long ugly string...
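Rob's description of nextid (a names-and-values table; lock the record, add one, unlock) is a lock-increment-read sequence, and the place it goes wrong is when two callers interleave. The block below is an added example written for this page, not PHPLIB's db->nextid() and not its setup SQL: the table and column names are this example's own, and SQLite in memory is used only so it runs offline. The increment is done as a single UPDATE inside a transaction, so the database's own write lock is the "lock the record" step and two concurrent callers cannot be handed the same number.

```php
<?php
// Added example, not PHPLIB's db->nextid(): a portable sequence table with
// the increment done as one UPDATE inside a transaction.
//
// Assumptions: table/column names are this example's own; SQLite in memory
// is only for running offline. On MySQL/PostgreSQL the same statements hold
// a row lock from the UPDATE until COMMIT.

function next_id(PDO $db, string $seq): int
{
    $db->beginTransaction();
    try {
        // Atomic increment; the write lock taken here is the "lock the record" step.
        $upd = $db->prepare('UPDATE sequences SET value = value + 1 WHERE name = ?');
        $upd->execute([$seq]);
        if ($upd->rowCount() === 0) {
            // First use of this sequence name: create it starting at 1. A
            // concurrent first use fails on the primary key and is rolled back.
            $ins = $db->prepare('INSERT INTO sequences (name, value) VALUES (?, 1)');
            $ins->execute([$seq]);
        }
        // Read back inside the same transaction, so nobody else has bumped it yet.
        $sel = $db->prepare('SELECT value FROM sequences WHERE name = ?');
        $sel->execute([$seq]);
        $id = (int)$sel->fetchColumn();
        $db->commit();          // "unlock"
        return $id;
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    }
}

// Constructed walk-through against an in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sequences (name VARCHAR(32) PRIMARY KEY, value INTEGER NOT NULL)');

foreach (['category', 'category', 'article', 'category'] as $seq) {
    printf("%-9s -> %d\n", $seq, next_id($db, $seq));
}
```

Reading the value with a separate SELECT before the UPDATE would reintroduce the race Rob's "lock the record" avoids, which is why the UPDATE comes first. One caveat worth keeping in mind next to Aric's MD5 comparison: a counter like this never collides, but it is also predictable, so it is a fine primary key and a poor choice for anything that must be unguessable, such as a session or reset token.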
From: Aric C. <gre...@pe...> - 2002-10-21 23:51:22
I just happened across this function.

I'm assuming that this is meant as an alternative to an auto increment field? Or to generating a random and hopefully unique number?

I'm rewriting a project that uses a lot of MD5() calls to get unique numbers for things like categories and such. I thought to myself why not just use auto increment in the database. I had read that the MD5 technique was being used specifically to reduce possible collisions when inserting new records over using auto increment. Is this nextid() function meant to solve the same problem? Because I rather like it as opposed to MD5 which returns a big long ugly string...
From: Rob H. <rob...@ws...> - 2002-10-21 23:44:39
I have lifetime in the session set to 0, so that session should be using cookies. But there still seems to be a lifetime on the cookies. If I leave a window open, say for 15 minutes, then refresh, my login is no longer valid. Is this expected behavior?

Rob Hutton
Web Safe
www.wsafe.com
From: Giancarlo <gia...@na...> - 2002-10-21 19:34:40
> then after the regex I get
>
> url?param1=something&&param2=something ..
> so can the regex be added to remove duplicate && after the first or remove
> the ? if there are no other parameters?

I am really no good at regexp. If you say it's so it seems I'd have to fix a couple more ereg_replace around. I never learnt regexp ;-). But I can't try to fix that now

Gian
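The leftover "&&" and dangling "?" in the quoted report come from patching the query string with a regex that removes one "name=value" pair without regard to the separators around it. The block below is an added example written for this page, not PHPLIB's purl or ereg_replace code: url_without_param() and the sample URLs are constructed. It takes the query string apart with parse_str(), drops the parameter, and rebuilds the URL with http_build_query(), so there are no separators to get wrong in the first place.

```php
<?php
// Added example, not PHPLIB code: remove one query parameter from a URL by
// parsing and rebuilding the query string instead of patching it with a
// regex, so no "&&" or trailing "?" is left behind.
//
// Assumption: the function name and the sample URLs are constructed.

function url_without_param(string $url, string $name): string
{
    $parts = parse_url($url);
    if ($parts === false) {
        return $url;                      // not parseable: leave it untouched
    }
    $params = [];
    if (isset($parts['query'])) {
        parse_str($parts['query'], $params);
    }
    unset($params[$name]);

    $rebuilt = '';
    if (isset($parts['scheme'])) {
        $rebuilt .= $parts['scheme'] . '://';
    }
    if (isset($parts['user'])) {
        $rebuilt .= $parts['user'] . (isset($parts['pass']) ? ':' . $parts['pass'] : '') . '@';
    }
    if (isset($parts['host'])) {
        $rebuilt .= $parts['host'];
    }
    if (isset($parts['port'])) {
        $rebuilt .= ':' . $parts['port'];
    }
    $rebuilt .= $parts['path'] ?? '';
    if ($params !== []) {
        // http_build_query joins with "&" and percent-encodes values, so a
        // single remaining parameter gets a "?" and nothing else.
        $rebuilt .= '?' . http_build_query($params);
    }
    if (isset($parts['fragment'])) {
        $rebuilt .= '#' . $parts['fragment'];
    }
    return $rebuilt;
}

// Constructed samples, including the shape from the quoted report.
$samples = [
    'url?param1=something&param2=something',
    'url?param1=something',
    'url?param2=other&param1=something&param3=x',
    'http://example.invalid/page.php?param1=a%20b&param1=c#top',
    'url',
];
foreach ($samples as $u) {
    echo $u, "  =>  ", url_without_param($u, 'param1'), "\n";
}
```

Because parse_str() decodes and http_build_query() re-encodes, values that were percent-encoded come back normalised rather than byte-for-byte identical, and a URL that mentions the same name twice keeps only the last value, as PHP's own request parsing does; both are acceptable for PHPLIB-style self-links and are exactly the details a hand-written regex tends to get wrong.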