IRC Archive / Freenode / #php / 2015 / October / 12 / 1
Batch
Is GET to send and POST to receive, Alphos?
makes sense to me
foo
NiLon: gotcha, thanks. To make sure I understand, how is it worth it? e.g. it shows whoever reads this code that a variable may or may not exist? Anything else?
Alphos
$_ENV comes from the OS environment, $_SERVER comes from the webserver (and parts of the request, including the IP address of the user), and $_SESSION comes from php (however it usually holds data that pertains to the user, sometimes even coming from the user, like a user name)
NiLon
Light_ reverse proxy for example
Alphos
Batch no, all of them are for receiving
they just don't relate to the same parts of the request
glowdemon1
is it a good idea to route URLs using mod_rewrite?
Alphos
$_GET has "pieces" from the url (everything after the first ? in the url is a GET param), whereas $_POST has "pieces" from the content of POST (or PUT) requests (everything after the double newline)
NiLon
foo it does take control over the variable that you didn't have earlier
glowdemon1
What if I have folders in my filepath, will it clash with these?
Batch
i see
Alphos
glowdemon1 it will clash if you don't know how you're using mod_rewrite
NiLon
foo also it's kind of silly to use variables that are not declared in the first place
Alphos
glowdemon1 but to answer your question, yes, it is a good idea to route URLs using mod_rewrite
foo
NiLon: well, I'm only concerned if it equals something. If it doesn't exist, then it doesn't equal what I want, so why does it matter? (Not trying to be defensive, only trying to understand the reasoning to do this)
NiLon
foo you could make a typo in the variable name and then your equal check fails, but you never catch that if you suppress the error of it not existing
so isset() offers you a safe way to check if it exists without causing an error
foo
NiLon: Interesting, I can see that case. Thank you for explaining. Anything else come to mind by any chance?
NiLon
and if you are checking if a common variable exists you are most likely doing something wrong
foo
NiLon: yeah, it would only be variables that may or may not exist
Batch
ok now I think I get it
GET is for more like working with html
url, html
ah nvm
something like that possibly
NiLon
not HTML but HTTP
HTTP is content agnostic (for the most part) and so is php
Batch
HTTP!
that is the sh*t I was guessing at
I will kill that person who made the webcourse
NiLon
it's generally linked to HTML and used with urls so I can understand why it says so
YamakasY
hi guys
NiLon
but I think every php developer should understand how http works if they ever want to shine :p
YamakasY
I have some HTML string but I can't var_dump, print_r or var_export it... I get a string back on var_dump but that's about it :(
foo
NiLon: Anyway, if this is best practice, I'll do it. I assume it is because a PHP notice is given if I don't do this
NiLon
YamakasY so what are you trying to do exactly?
Batch
awesome NiLon
NiLon
foo I see every error as a flaw in the code even if it's just a notice
fffuuuL
YamakasY: <pre> your html </pre>
foo
NiLon: thank you, I suppose the notice is there for a reason, so if I trusted the language and the notices I'd heed the notices. :)
Zeranoe
How should I handle LDAP user credentials since they need to be sent during the bind in plaintext? I would like to avoid having the user log in every time to authenticate with LDAP, and I won't save the password to a cookie.
YamakasY
fffuuuL: did that, same
NiLon: dump the output that is in a $var
NiLon
foo yes, it's there for very good reason :p
Alphos
YamakasY header( 'Content-type: text/plain' ); var_dump($var); exit;
YamakasY
Alphos: will try, just a sec
Alphos: thanks I can work with that :P
NiLon
Zeranoe I don't really know anything about LDAP but you could generate some kind of id for the user and validate against that
fffuuuL
YamakasY: you could use Kint Debugger instead without special headers or anything
YamakasY
fffuuuL: heh lol, I just found that one indeed, but thought let me ask here for a oneliner :)
NiLon
Zeranoe I assume you know about the sessions already right?
fffuuuL
YamakasY: https://raveren.github.io/kint/
YamakasY
next task is to upgrade this freaking script from cakephp 1.3 to.. 2.0 or so :)
I hope that works
Zeranoe
NiLon: The password would still have to be stored somewhere?
dafr
Zeranoe once the user is logged in you don't need the password until you want to reauthenticate him
NiLon
Zeranoe I don't know about the requirements of LDAP so I can't really answer for that. But it's a rather bad system if it requires it.
dafr
just store the current authentication status to the users session
lpopov
NiLon
I guess you need to be authed in to access the data in the ldap server so I don't know how that part works out
Zeranoe
dafr: Again, the password needs to be stored somewhere so you can bind. You could do a user session as authentication, but you still need to send the password to LDAP to auth
dafr
Zeranoe if the user has to authenticate himself you need the password that's true
but that's true for all authentication systems (sometimes it's a token but the idea is the same)
NiLon
"Simple BIND and SASL PLAIN can send the user's DN and password in plaintext, so the connections utilizing either Simple or SASL PLAIN should be encrypted using Transport Layer Security (TLS)." from wikipedia
Zeranoe
So I have a DB that stores the encrypted password. After a successful login, it grants a session cookie to the user and checks against it next time. If it's a match, decrypt the password and send it to the bind?
dafr
Zeranoe workflow should look like this: access protected resource -> forward to login page -> enter username / password -> authenticate against ldap -> store result in session -> ask session if user is authenticated or not
you don't want to store the password.. not in plaintext and not encrypted
you just don't need it
NiLon
Zeranoe if there is some kind of challenge-type authentication for ldap, use that instead
Zeranoe
dafr: the whole goal of this is to allow the users to not need to log in every time, by using cookies
dafr
I don't want to be offensive, but do you understand the concept of sessions?
NiLon
dafr but the ldap server requires the password for each bind
Zeranoe
dafr: I do, but you don't seem to understand the LDAP authentication flow
dafr
Zeranoe: i've implemented ldap authentication a couple of times
Zeranoe
dafr: You need the password stored somewhere if you aren't prompting the user to enter their password every time (like a cookie)
dafr
Zeranoe what exactly do you mean by "every time"?
on every request? on every visit?
Zeranoe
Between different bind sessions
Everything is fine until you close the bind
NiLon
Zeranoe I think the best way might be storing the encrypted password in the database and the key to decrypt it in the session or so
dafr
he doesn't wanna store the password
NiLon
he needs to
Zeranoe
dafr: I suggested that, you told me not to store it?
dafr
i meant "you should not store the password" :)
and i still wouldn't do it
NiLon
what other options are there?
Zeranoe
dafr: so you'd just make the user enter the password every time they visit
dafr
he only needs the password the moment he wants to reauthenticate the user ... and at this point in time it's a good idea to ask the user again
NiLon
so that could be each page load?
not very practical
dafr
get the users credentials, authenticate against ldap, generate a random token, persist the random token in the database (and connect it to the user), put the same token into a cookie, validate cookie token against database token
NiLon
but how do you connect to the ldap server again without the password?
dafr
why do you *need* to connect to ldap again?
NiLon
to read/write data?
if you are just checking that user has correct password for the server then sure, that method works fine
but if you actually need to keep accessing the server then you *need* to store the password, from what I've seen
voodooKobra
huh
dafr
that's what i thought.. didn't know he has to work with the ldap server on every "visit"
most of the time ldap is used for authentication only