[nycphp-talk] Operation must use an updateable query.

Michael Southwell michael.southwell at nyphp.org
Fri Aug 26 09:18:14 EDT 2005


This is a discussion list for the PHP language.  Because you are using ASP,
you need a discussion list for that language.  Try http://aspadvice.com/.
Good luck!

At 06:01 AM 8/26/2005, you wrote:
>  I've just started my first HTML and MS Access as below, but come up with
> error:
>
>Error Type:
>Microsoft OLE DB Provider for ODBC Drivers (0x80004005)
>[Microsoft][ODBC Microsoft Access Driver] Operation must use an updateable 
>query.
>/pelanggan_tulis_2.asp, line 20
>
>Browser Type:
>Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
>
>Page:
>POST 24 bytes to /pelanggan_tulis_2.asp
>
>POST Data:
>Ipelanggan=aa&Ialamat=bb
>
><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
><html>
><head>
>  <title>CekCon</title>
></head>
><body>
><%
>ipelanggan=Request("Ipelanggan")
>ialamat=Request("Ialamat")
>' Set up the database connection
>Set conn=Server.Createobject( "ADODB.Connection" )
>    conn.Mode = 3 ' adModeReadWrite
>    conn.Open "DSN=pelanggan;uid=Admin;pwd=;"
>    Set rs = Server.CreateObject("ADODB.Recordset")
>    sql="INSERT INTO master_pelanggan(nama_pelanggan, alamat)"
>    sql=sql & "VALUES('"& ipelanggan &"', '"& ialamat &"')"
>    set RS=Conn.Execute(SQL)
>Response.write "data masuk"
>%>
></body>
></html>
>
>
>---------------
>How to fix it?
>
>RRY
>talk-request at lists.nyphp.org wrote:
>
>Today's Topics:
>
>1. MD5 + Flash (-sry Boston)
>2. Re: MD5 + Flash (Hans Zaunere)
>3. OWASP 9/29 Save The Date (Thomas Brennan)
>4. Re: Session basics (Billy Pilgrim)
>5. Re: MD5 + Flash (csnyder)
>
>
>----------------------------------------------------------------------
>
>Message: 1
>Date: Sun, 21 Aug 2005 13:23:30 -0500
>From: "-sry Boston"
>Subject: [nycphp-talk] MD5 + Flash
>To: talk at lists.nyphp.org
>Message-ID:
>Content-Type: text/plain; format=flowed
>
>Hiya,
>
>If you're over on WWWAC you've already seen this but I'm asking here
>from another slant. I have no idea what I can or can't do withOUT
>having to create/manage a mySQL db...my server will let me do this
>easily enough but it's been over a year since I've thought of PHP or
>mySQL and I don't want to get so distracted by the programming
>mindset that I forget what I was doing in the first place (trying to
>do some marketing).
>
>Below is the process I'm trying to implement - step 5 is where I'm
>fuzzy...I know I could definitely have the URL come back to a
>PHP page that looks up the string in a db (and a very simple one,
>I'm sure, since it's just a list) but I'd rather just have the URL come
>back to the Flash file and do the checking from within the .swf,
>with ActionScript - is that easier or harder? Since you guys all love
>PHP and probably only half of you even like AS, I know it's a biased
>answer I'll get :-) but try to be objective and not play favorites
>on the languages here.
>
>What I want to do:
>
>(1) user gives me email address
>
>(2) with a PHP script (free from http://www.allhype.co.uk/tools/md5/
>and a very nice script actually!!) I MD5 their email address
>
>(3) I send user a message (to validate the address works) that has
>their MD5'd address as a link for them to come back and get what
>they want
>
>(4) user clicks unique query string in the email I've sent them
>
>(4) I validate the string .....how/from where is the ??? :)
>
>(5) if valid, give them the Flash file; if not, give them an error message
>
>Any help much appreciated!
>
>-sry
>Sarah R. Yoffa
>http://books.sarahryoffa.com/
>books at sarahryoffa.com
>*********************
>Look for the exciting release of the newly-edited
>THE PHOENIX SHALL RISE AGAIN
>Coming to online booksellers - New Year's 2006.
>*********************
>
>
>
>
>------------------------------
>
>Message: 2
>Date: Sun, 21 Aug 2005 17:45:41 -0400
>From: "Hans Zaunere"
>Subject: Re: [nycphp-talk] MD5 + Flash
>To: "'NYPHP Talk'"
>Message-ID: <0MKp2t-1E6xdN3S4E-0001Lu at mrelay.perfora.net>
>Content-Type: text/plain; charset="us-ascii"
>
>
>
>talk-bounces at lists.nyphp.org wrote on Sunday, August 21, 2005 2:24 PM:
> > Hiya,
> >
> > If you're over on WWWAC you've already seen this but I'm asking here
> > from another slant. I have no idea what I can or can't do withOUT
> > having to create/manage a mySQL db...my server will let me do this
> > easily enough but it's been over a year since I've thought of PHP or
> > mySQL and I don't want to get so distracted by the programming
> > mindset that I forget what I was doing in the first place (trying to
> > do some marketing).
> >
> > Below is the process I'm trying to implement - step 5 is where I'm
> > fuzzy...I know I could definitely have the URL come back to a
> > PHP page that looks up the string in a db (and a very simple one,
> > I'm sure, since it's just a list) but I'd rather just have
> > the URL come
> > back to the Flash file and do the checking from within the .swf,
> > with ActionScript - is that easier or harder? Since you guys all love
> > PHP and probably only half of you even like AS, I know it's a biased
> > answer I'll get :-) but try to be objective and not play favorites on
> > the languages here.
> >
> > What I want to do:
> >
> > (1) user gives me email address
> >
> > (2) with a PHP script (free from http://www.allhype.co.uk/tools/md5/
> > and a very nice script actually!!) I MD5 their email address
> >
> > (3) I send user a message (to validate the address works) that has
> > their MD5'd address as a link for them to come back and get what they
> > want
> >
> > (4) user clicks unique query string in the email I've sent them
> >
> > (4) I validate the string .....how/from where is the ??? :)
> >
> > (5) if valid, give them the Flash file; if not, give them an
> > error message
>
>You could do all of this with just Flash, etc. assuming Flash has MD5, as
>I'm sure it does, but you'll be limited. If you want to track who has
>downloaded what files, the browser they're using, etc. you won't be able to
>do so without a DB.
>
>There's also a security concern here. There's no way to know that the email
>address you've gotten originally, is the same as the one that's coming from
>the link. Since you're not storing anything anywhere, you have no way to
>keep persistent data. If I know that you're checking that an MD5 matches
>the MD5 of the email address, I can pass you any MD5 I want, and it'll
>validate.
>
>H
>
>
>
>------------------------------
>
>Message: 3
>Date: Sun, 21 Aug 2005 20:16:17 -0400
>From: "Thomas Brennan"
>Subject: [nycphp-talk] OWASP 9/29 Save The Date
>To:
>Message-ID:
><1DA2AD8042527B4199C09042CFC0A94D18794B at jinx.datasafeservices.net>
>Content-Type: text/plain; charset="US-ASCII"
>
>I would like to provide you with advance notice and extend a special
>invite for you to join us at the next Open Web Application Security
>Meeting (OWASP) NJ Chapter meeting. The next event will be held on
>September 29th at ABN AMRO in Jersey City (across from the path station)
>- full details, speakers and RSVP information is located at the chapter
>website online:
>
>http://www.owasp.org/local/nnj.html
>
>Currently on the September Agenda:
>
>SPEAKER - OWASP - Topic: Review of OWASP Security Guide v2.0.1 Released
>at BlackHat
>
>SPEAKER - eEye Digital Security - Topic: Worm / Vulnerability Management
>
>
>SPEAKER - Application Security - Topic: Database Attacks
>
>SPEAKER - NitroSecurity - Topic: Analysis of Network Attacks
>
>** You are encouraged to forward this email to others that you believe
>would benefit from this non-profit, educational peer-to-peer networking
>opportunity -- RSVP is required due to building security requirements
>see: http://www.owasp.org/local/nnj.html for details.
>
>At our November meeting we are looking forward to having NYPHP/Hans
>Zaunere speak concerning PHP Security Issues
>
>Enjoy the rest of your summer!
>
>Thomas Brennan, CISSP, CFSO, MCSA, C|EH
>DATA SAFE SERVICES
>"Because Security is NOT the default"
>831-B Route 10 East, Whippany NJ 07981
>Tel: 973-795-1046 | Fax: 973-428-0293
>Web: www.datasafeservices.com
>
>
>------------------------------
>
>Message: 4
>Date: Sun, 21 Aug 2005 22:48:19 -0400
>From: Billy Pilgrim
>Subject: Re: [nycphp-talk] Session basics
>To: NYPHP Talk
>Message-ID: <6ee3253b050821194874c5ddf0 at mail.gmail.com>
>Content-Type: text/plain; charset=ISO-8859-1
>
>On 8/19/05, Chris Shiflett wrote:
> > Aaron Fischer wrote:
> > > If the session has expired such as in browser close or timeout, the
> > > bookmarked page won't be a liability as the session id in the URL won't
> > > find a matching session id on the server.
> >
> > The server doesn't know when the browser is closed, so that part's not
> > right. It is true that a session timeout (on the server side) offers
> > some protection against this type of accidental hijacking.
>
>A bookmarked session id might not result in a hijacked session, but
>it's not a good idea to have session ids exposed and kept around like
>that.
>
>Consider another example: Someone is logged into a newspaper site and
>sees an interesting article. The user copies the url (with session id)
>and pastes it in an email to a friend. If the friend receives the
>email quickly and the server has a long timeout, accidental session
>hijacking could occur.
>
>The primary reason to have a session id in the url is if the browser
>doesn't support cookies, right?
>
>
>------------------------------
>
>Message: 5
>Date: Mon, 22 Aug 2005 08:35:30 -0400
>From: csnyder
>Subject: Re: [nycphp-talk] MD5 + Flash
>To: NYPHP Talk
>Message-ID:
>Content-Type: text/plain; charset=ISO-8859-1
>
>On 8/21/05, -sry Boston wrote:
>
> > What I want to do:
> >
> > (1) user gives me email address
> >
> > (2) with a PHP script (free from http://www.allhype.co.uk/tools/md5/
> > and a very nice script actually!!) I MD5 their email address
> >
> > (3) I send user a message (to validate the address works) that has
> > their MD5'd address as a link for them to come back and get what
> > they want
> >
> > (4) user clicks unique query string in the email I've sent them
> >
> > (4) I validate the string .....how/from where is the ??? :)
> >
> > (5) if valid, give them the Flash file; if not, give them an error message
> >
> > Any help much appreciated!
>
>I think you have the purpose of the MD5 hash confused. In this case,
>you want it to be an *unguessable* token that the user can bring back
>to you to prove that they got your validation message, and
>that they own the mailbox associated with the provided email address.
>
>In other words, it should be random. If it's just the hash of their
>email address, then an impersonator could easily generate the right
>token and validate an address that isn't their own (as Hans pointed
>out).
>
>You will need some sort of DB -- MySQL or flat file or otherwise -- to
>store the email address and the random token in the same record, so
>that when the user clicks the link with the token in it, you can look
>up the email and mark it valid.
>
>--
>Chris Snyder
>http://chxo.com/
>
>
>------------------------------
>
>
>
>End of talk Digest, Vol 27, Issue 50
>************************************
>
>

Michael Southwell, Vice President for Education
New York PHP
http://www.nyphp.com/training - In-depth PHP Training Courses 
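
The address-validation flow discussed in the quoted digest above (Hans Zaunere's and Chris Snyder's replies on "MD5 + Flash"), as an added example that is not part of the original thread: the mailed link carries a random token stored with the address, so a value derived from the address, such as its MD5, does not validate. The `pending` table, the example.com URL, the function names and the use of the pdo_sqlite extension are assumptions; storing only the token's SHA-256 is a choice made here, not something the thread specifies.

```php
<?php
// Added example (not from the thread). Table, URL and function names are assumptions.
function open_store(string $dsn = 'sqlite::memory:'): PDO {
    $db = new PDO($dsn);
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE IF NOT EXISTS pending (
        email TEXT PRIMARY KEY, token_hash TEXT NOT NULL,
        expires INTEGER NOT NULL, validated INTEGER NOT NULL DEFAULT 0)');
    return $db;
}

// Steps 1-3: record the address with a fresh random token and build the link to mail.
function issue_link(PDO $db, string $email, int $ttl = 86400): string {
    $token = bin2hex(random_bytes(16));   // 128 bits from the CSPRNG, unrelated to the address
    $stmt = $db->prepare('REPLACE INTO pending (email, token_hash, expires, validated)
                          VALUES (?, ?, ?, 0)');
    // Only a hash of the token is stored, so a leaked table does not yield usable links.
    $stmt->execute([$email, hash('sha256', $token), time() + $ttl]);
    return 'https://example.com/validate.php?t=' . $token;
}

// Steps 4-5: redeem a presented token once; returns the validated address or null.
function redeem(PDO $db, string $token): ?string {
    if (!preg_match('/\A[0-9a-f]{32}\z/', $token)) {
        return null;                       // not even the right shape
    }
    $hash = hash('sha256', $token);
    // A single UPDATE makes the token single-use even under concurrent requests.
    $upd = $db->prepare('UPDATE pending SET validated = 1
                         WHERE token_hash = ? AND expires > ? AND validated = 0');
    $upd->execute([$hash, time()]);
    if ($upd->rowCount() !== 1) {
        return null;                       // unknown, expired or already used
    }
    $sel = $db->prepare('SELECT email FROM pending WHERE token_hash = ?');
    $sel->execute([$hash]);
    return $sel->fetchColumn();
}

// Constructed demonstration with a made-up address.
$db   = open_store();
$link = issue_link($db, 'alice@example.com');
parse_str(parse_url($link, PHP_URL_QUERY), $q);
var_dump(redeem($db, $q['t']));                   // first use of the mailed token
var_dump(redeem($db, $q['t']));                   // the same token presented again
var_dump(redeem($db, md5('alice@example.com')));  // MD5 of the address, as in the original scheme
```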



