IRC Archive / Freenode / #php / 2015 / June / 29 / 1
BeeAdmin
yes
the problem is that I'm not sure about security
__adrian
so, pick a car, buy it, and THEN we can talk about how
because then, there is something to talk about'
BeeAdmin
I'm in the process of recoding right now
__adrian
find a goal. we can talk about how to accomplish it.
BeeAdmin
i already made a php directory before and I'm improving on it
__adrian
meantime, https://www.owasp.org/index.php/OWASP_Cheat_Sheet_Series
BeeAdmin
__adrian: my goal? make my app secure
__adrian
overview.---^
asteele
too broad
__adrian
that is not a goal
ProNoob13
It's a dream.
__adrian
that's like saying "i want to be a millionaire" when someone asks what you're going to be when you grow up
asteele
'I have a form that allows .pdf and .doc file uploads up to 5mb in size, what security risks should i be aware of'
BeeAdmin
okay, that's kind of convoluted
okay let me reiterate
asteele
now you have direction
__adrian
"i want to allow people to upload images"
BeeAdmin
i have a website that responds to posts from a remote C# native app, what security risks should i be aware of
__adrian
etc.
BeeAdmin
i don't want to allow people to upload images
__adrian
"remote app"?
BeeAdmin
the application is 100% https as it handles logins via the oauth server php library
__adrian
make sure it's the app.
BeeAdmin
__adrian, an executable with gui
__adrian
yes
asteele
depending on what all is happening, it should be sent with some type of authentication, so your app can verify the request came from C# server, is the first step probably
BeeAdmin
it is returning a json web token
and verifying the identity via a mysql database
asteele
C# sends a JWT with the post request?
BeeAdmin
so authentication is done
__adrian
"returning"? which is making the request, the app, or your php script?
BeeAdmin
i also have my own certificate for ssl
the app is making the request
__adrian
and you can (and do) authenticate that it really is the app?
BeeAdmin
ever heard of oauth
it does just that
alluringme
http://pastebin.com/PrGqVDHB < any idea how I can get that q3 query removed? Maybe how to set a trigger that does the same as this?
BeeAdmin
__adrian
BeeAdmin, i am gathering info, not grilling you. just say "yes"
UniOn
Does anyone have a regex to retrieve all JavaScript URLs from an HTML page with PHP?
__adrian
after you authenticate the app, then make sure the request makes sense.
BeeAdmin
__adrian, that was not narcissistic, it was just a question
__adrian
ok
BeeAdmin
but there is a request
for the token first
__adrian
if you authenticate that the request does indeed come from the app, then cool.
BeeAdmin
yep
__adrian
after that, make sure the request makes sense.
BeeAdmin
how so
__adrian
then respond. that's it.
you should know what info you expect in the request.
UniOn
<script src="THIS"></script>
Need anything in between the src tag
__adrian
make sure the info you get conforms to those expectations.
BeeAdmin
oke
__adrian
Uni0n, !+pcre vs dom
php-bot
Uni0n, We don't recommend using regular expressions to parse HTML or XML. It's best to use a parser designed to do this instead like http://php.net/DOM also see http://stackoverflow.com/a/702222/1878262 for reasons why a regex will result in many failures. HTML/XML is wild/faulty and difficult to handle with regex.
skinux
How truly popular is PhpStorm? Also, how many devs use PhpStorm EAP??
laszlof
!+ides
:(
tw2113
you typo'd laszlof
UniOn
__adrian: Thanks, do you happen to have any examples about how to parse all the JavaScript urls included in a HTML document with a DOM parser?
tw2113
maybe
i thought you meant ideas
laszlof
no, bot doesn't like me enough yet
tw2113
i use PHPStorm whenever I can
but i haven't been on an EAP since 8 came out
laszlof
Questions about specific IDEs and IDE discussion in general usually degrades rapidly due to personal preference. It is not a valid topic for ##php.
ProNoob13
UniOn: Why are you trying to do so, if I can ask?
UniOn
ProNoob13: A friend of mine has a traffic exchange website, and he wants me to make a simple function that checks if a website (including all the JavaScripts on that page) has alerts
Trying to fiddle around with the dom parser now, but not getting anywhere really :p
So help would be appreciated
YamakasY
is there a way in zf2 to use mail templates with a commandline job ?
ProNoob13
UniOn: You can use http://php.net/manual/en/domdocument.getelementsbytagname.php to get all script-elements. You could then loop through them and try to find the alerts.
Happy_the_Exceed
UniOn, that's called the "src attribute".
Not tag
UniOn
ProNoob13: Just tried, but that only shows everything in between the script tags
oh wait
my bad
err, no, it's now showing the modernizr-2.6.1.min.js file
doesn't show the urls between the src attribute
ProNoob13
You can use http://php.net/manual/en/domelement.getattribute.php for that if I'm not mistaken.
laszlof
why not just run it through a website validator?
YamakasY
can I include a php in a $mail_body = ?
ProNoob13
YamakasY: Short answer: No, you can't.
laszlof
YamakasY: you mean like, include() a file?
djam90
If I am looping through 10000 database records in a PHP foreach, say $customers as $customer, should I "unset $customer" at the end of each loop iteration?
YamakasY
laszlof: yap
laszlof: I need some template in there
runinsquares
djam90, foreach ($records_array as $key => $value) { if ($foo == 'bar') { /* stuff */ } }
djam90, key, value and any variable inside the foreach is going to overwrite itself
djam90
runinsquares, oh I see
makes sense!
laszlof
YamakasY: is it actually PHP, or just text/html?
runinsquares
$foo = ['foo', 'bar', 'baz', 'blob']; foreach ($foo as $key => $value) { echo "Key: {$key}; Value: {$value};<br>"; }
djam90, try it
YamakasY
laszlof: it's an html in a whatever.ext
laszlof
YamakasY: just use file_get_contents()