IRC Archive / Freenode / #php / 2015 / July / 28 / 1
sorabji
theskillwithin2: no, you should install browscap
__adrian
runinsquares, I am not "on" your website. I am looking at it.
theskillwithin2
oh sh*t
sorabji
or don't use it if you don't need it
theskillwithin2
yum install browscap?
runinsquares
a brute force program is in the eyes of the server, the same thing as clicking submit on a form?
__adrian
yes
completely
so, you have options:
sorabji
theskillwithin2: not entirely sure
__adrian
1) use tokens. give every form you serve a unique, random code. only accept that code ONCE.
definity
Hi
__adrian
2) do rate limiting. if the same user tries to log in less than {x} seconds since their last attempt, ignore it.
definity
How can I make a statement so that it is possible to select the table? I have used prepared statements but that didn't work. What other ways are there?
runinsquares
does the brute forcing program mimic a page refresh or not then?
__adrian
depends on the program.
tokens will be very helpful. rate limiting will be very helpful.
cquilty
__adrian: Except I'm using PHP and looking at the PHP documentation for the DOM stuff where that option exists.
__adrian
no. it is not a php question. it is a DOM question.
runinsquares
definity, what are you trying to do? prepared statements hold the SQL query, are you after specific SQL info like SHOW TABLES / DESCRIBE table_name?
__adrian
this is like saying php has to explain how SELECT statements work because PDO allows you to use them
runinsquares
if a brute force program mimics a refresh i can't see the token being a secure method to prevent the brute force
__adrian
because a brute force program typically won't ask for a new form each time. that's too slow. it will use a template and submit the same form thousands of times.
runinsquares
i mean you could take it one step further and use a captcha, that would mess it up for them
definity
runinsquares: Something like: 'SELECT * FROM $table'
runinsquares
definity, $table would be what your prepared statements interpret, "SELECT * FROM table_name" is your SQL query
whoever
if(strpos(strtoupper($this->json_last_error_msg()),"NO ERRORS") === true) is that the correct syntax to check to see that a string contains another ? ie the string should contain NO_ERRORS
verumequals
I have a design question and need some advice for it. I have a brand class, which has several social media collection object, where I can do $brand->getSocialMedia()->get('facebook'). Now Facebook is one of the classes which has several functionalities of course, it can get the brand's fanpage and events etc. But I created a \SocialMedia\PlatformInterface so I could create GooglePlus, Instagram
etc classes from it. My question is, I have a lot of technically the same things like getId, getName etc, so I could create an abstract class for those functions. Then I am left with the more specialised functionality. If Facebook were to extend the abstract class, and instagram too, should I hard code their ids for database in their respective classes? It's not like they're changing IDs (I need
them in the DB of course to see if a Brand has a specific SocialMedia) and I can't have duplicate Facebook entities either.
which has several social media = which has a social media
whoever
verumequals: db it
runinsquares
definity, $table_name = 'foo'; $pdo = new PDO(/*stuff*/); $stmt = $pdo->prepare("SELECT * FROM :table"); $stmt->bindValue(":table", $table_name, PDO::PARAM_STR); $stmt->execute(); while ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {}
definity, something like that. look up PDO tutorial
__adrian, so you prefer token or timeout?
__adrian, s/timeout/limits
verumequals
whoever: so I should create a factory, that looks at the specific ID and/or name and then creates the Facebook or Instagram objects
am I right?
at least this sounds logical to me lol
Alphos
runinsquares table names are part of the DDL, you can't use parameters for them
definity
runinsquares: Thanks for the help but i found this in the end, never thought of doing this before. http://stackoverflow.com/questions/182287/can-php-pdo-statements-accept-the-table-name-as-parameter
__adrian
runinsquares you don't have to pick between them :)
runinsquares
Alphos, oh, fair enough, i actually haven't used PDO since starting up again, just read the documentation of it
Alphos, thanks for letting me know that!
Alphos
definity you shouldn't have to be able to change the table name. it's part of how your database is structured, it's not something that should have to change
whoever
verumequals: yes
runinsquares
__adrian, so would you store a timestamp at last login attempt in the login table?
Alphos
definity : imagine saying about your own skeleton "oh, maybe i'll use a femur instead of a collarbone here" : it just doesn't make sense
runinsquares
Alphos, $table="foo"; $pdo->prepare("SELECT * FROM {$table}"); would that work? imagine it's inside a method
Alphos, or would the best way around be to create an object for each new db table?
Alphos
runinsquares it doesn't matter where it is, php will interpolate $table in the string before it's passed as an argument to PDO::prepare(), which will never see it being a variable
__adrian
runinsquares store the info somewhere.
Alphos
best way certainly would be to create an object for each table, since they'd represent different things each time
runinsquares
noted
ty
__adrian
even 1 second is plenty of wait time. a real user would never notice (getting and reading the response from the previous attempt takes up half of that time, and then they have to re-type things). but it makes a brute-force attack completely ineffective.
runinsquares
__adrian, $_SESSION secure for last_attempt?
alternatively if (!password_verified) { sleep(1); }
__adrian
if you're requiring sessions already, then sure
NO, sleep() makes no sense
Alphos
not really : if the attacker is smart, he'll make his attempts without saving cookies, which means your sessions will be moot
runinsquares
Alphos, what i thought
so storing in db is the safest way?
__adrian
Alphos: therefore, if you REQUIRE sessions, then you'll defeat the attack
Alphos
__adrian : unless he then provides random session ids
__adrian
or rather, you'll turn it into a mild DOS attack
Alphos
that's what fail2ban is for
__adrian
:)
Alphos
base principle of management, which is also true for server management : delegate.
__adrian
Alphos: this assumes you accept login attempts without an established session.
start the session when you serve the form, and set the token.
if there's no session cookie with the login request, it's bad.
runinsquares, if you're NOT already using session for this, then no. use the db.
cquilty
preg_match('/some[0-9]+pattern/', $extremely_big_string); // If "some45pattern" appears near the beginning of the $extremely_big_string, will that go super fast?
As compared to it appearing in the middle or toward the end?
sorabji
cquilty: benchmark and find out ?
cquilty
Benchmarking is hard.
sorabji
it's not
what are you using regex for though?
you've been mucking with DOM for days now
__adrian
maybe regex will go faster!
sorabji
it might actually.
but it's not the right tool for parsing xml
degva
Hello guys, I've got a question. Is it possible to add query parameters to a URL and POST fields at the same time?
sorabji
wat
Naktibalda
degva: yes
degva
like, curl_init('www.web.com/api?this=sdfsdg') and then send CURLOPT_POSTFIELDS
Naktibalda, so, then the api (in this case) would do something like "$_GET" and "$_POST" at the same time, right?
GET and POST variables*
Naktibalda
yes
degva
Naktibalda, thank you :)
morfin
guys
runinsquares
__adrian, why do you say that? isn't it actually easier to add a token to the $_SESSION and outright reject >=3 attempts within 10 mins or something?
instead of querying the db
__adrian
runinsquares, if you are already using the session to track your issued tokens, then use the session.
if not, then use the DB.
runinsquares, basically, wherever you're saving tokens, store a timestamp with them.
then you can make sure that they were issued more than {time} ago.
like, token.time > {min} && token.time < {max}
elephaant
does anyone know whether php-fpm allows multiple connections by default or if it's something you config?