On Fri, Nov 09, 2001 at 04:34:24PM +0100, Loïc wrote:
> >use an home-made session system? This is not an
> >hard thing: it would just require a mysql table.
>
> I've started to work again on this but am facing a first problem.
> Let's say only the standard user may use the session table.
> Once the user is logged in, his login/password must be
> stored into this session table and the standard user must be
> able to get them; you know, I've just removed from the standard user
> every priv. on the "Password" column of the "mysql.user" table in order to
> improve security..... :(
Mmm, if you can't look at the password column field, how can you check
if the password is correct? I don't get the point here :)
> >it would just require a mysql table.
> >(id, session_id, username, db, passwd, ip, expiration, timestamp)
>
> Hum why:
> - id and session_id?
Mmm, forget id, it's just a standard field in all my tables
(using MySQL classes to access the data).
> - db (not very useful without hostname and table name at least)?
was just a 2 min draft... with db I meant the db number from
$cfgServers[1], $cfgServers[2], etc...
> - expiration and timestamp?
expiration: to allow automatic deletion of session after a
defined time limit
timestamp: for admin information, to see last action
Olivier, from the first snowy day of the winter :)
--
_________________________________________________________________
Olivier Mueller - om(a)8304.ch - PGPkeyID: 0E84D2EA - Switzerland
qmail projects: http://omail.omnis.ch - http://webmail.omnis.ch
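The session table Olivier sketches above, worked through as an added example that is not phpMyAdmin code: Python with SQLite standing in for the MySQL table, the columns following the draft (id, session_id, username, db, passwd, ip, expiration, timestamp). The table name pma_session, the sliding expiration, binding a session to the client ip it was opened from, and the random 128-bit session id are assumptions of this example, not part of the thread.

```python
import os
import sqlite3
import time

# Columns follow Olivier's draft; SQLite stands in for the MySQL table here
# (table name "pma_session" is an assumption of this example).
SCHEMA = """
CREATE TABLE IF NOT EXISTS pma_session (
    id         INTEGER PRIMARY KEY,
    session_id TEXT    NOT NULL UNIQUE,
    username   TEXT    NOT NULL,
    db         INTEGER NOT NULL,   -- server number, i.e. the N in $cfgServers[N]
    passwd     TEXT    NOT NULL,   -- kept so each request can reconnect as the user
    ip         TEXT    NOT NULL,   -- client address the session was opened from
    expiration INTEGER NOT NULL,   -- unix time after which the row is dead
    timestamp  INTEGER NOT NULL    -- last action, for admin information
)
"""


class SessionStore:
    def __init__(self, conn, lifetime=1800, clock=time.time):
        self.conn = conn
        self.lifetime = lifetime   # idle seconds before a session expires
        self.clock = clock         # injectable so the demo below is deterministic
        conn.execute(SCHEMA)

    def open(self, username, passwd, server, ip):
        """Create a session row and return the opaque id to propagate in the URL."""
        session_id = os.urandom(16).hex()   # 128 random bits, not guessable
        now = int(self.clock())
        self.conn.execute(
            "INSERT INTO pma_session (session_id, username, db, passwd, ip, expiration, timestamp)"
            " VALUES (?, ?, ?, ?, ?, ?, ?)",
            (session_id, username, server, passwd, ip, now + self.lifetime, now),
        )
        return session_id

    def lookup(self, session_id, ip):
        """Return the session's credentials if it is alive and bound to this client, else None."""
        self.purge_expired()
        row = self.conn.execute(
            "SELECT username, db, passwd, ip FROM pma_session WHERE session_id = ?",
            (session_id,),
        ).fetchone()
        if row is None or row[3] != ip:
            return None
        now = int(self.clock())
        # Sliding expiration: every valid request pushes the deadline out again
        # and records the last action for the admin.
        self.conn.execute(
            "UPDATE pma_session SET timestamp = ?, expiration = ? WHERE session_id = ?",
            (now, now + self.lifetime, session_id),
        )
        return {"username": row[0], "server": row[1], "passwd": row[2]}

    def close(self, session_id):
        """Explicit logout: the row (and the credential in it) is gone at once."""
        self.conn.execute("DELETE FROM pma_session WHERE session_id = ?", (session_id,))

    def purge_expired(self):
        """Automatic deletion after the time limit; returns how many rows were removed."""
        cur = self.conn.execute(
            "DELETE FROM pma_session WHERE expiration < ?", (int(self.clock()),)
        )
        return cur.rowcount


def demo():
    """Walk one session through its life with a fake clock; returns what was observed."""
    now = [1_000]
    store = SessionStore(sqlite3.connect(":memory:"), lifetime=60, clock=lambda: now[0])
    sid = store.open("alice", "example-password", 1, "10.0.0.5")   # constructed values
    first = store.lookup(sid, "10.0.0.5")        # valid, same client
    wrong_ip = store.lookup(sid, "10.0.0.9")     # same id presented from another address
    now[0] += 30
    kept_alive = store.lookup(sid, "10.0.0.5")   # activity extends the deadline to t+90
    now[0] += 61                                 # 91 s after the last activity
    expired = store.lookup(sid, "10.0.0.5")      # purged, so nothing comes back
    return {
        "id_len": len(sid),
        "first": first["username"] if first else None,
        "wrong_ip": wrong_ip,
        "kept_alive": kept_alive is not None,
        "expired": expired,
    }


if __name__ == "__main__":
    print(demo())
```

Because the passwd column exists only so that each request can reconnect to MySQL as the user, the row is deleted the moment the session expires or is closed, so the credential never outlives the session; the standard user that reads this table should be the only account with SELECT on it.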
Hi,
Looking at the stats for 2.2.1, there were 17300 downloads of the .php version and 3300 of the .php3
version. I presume that means PHP4 is well deployed.
I think we could *add* another auth mechanism for PHP4 servers: session-based. I use it in all my
other LAMP-based projects (did not try it with WAMP) and my users have no problems.
Instead of
$cfgServers[1]['adv_auth']
we could have
$cfgServers[1]['auth']
with the possible choices:
'config':
the username/password are in the config file (old advanced=false)
'http':
http authentication (old advanced=true)
(still use stduser?)
'session':
session-based, customized login panel, session id propagated by URL
(still use stduser?)
Marc
Hey guys,
Just an odd request: some while ago, I recall seeing phpMyAdmin mentioned
on a news site somewhere. Do you know where?
Thanks in advance.
--
Robin Hugh Johnson
"Robbat2"
QTOD: "I used to be an idealist, but I got mugged by reality."
E-Mail : robbat2(a)orbis-terrarum.net
ICQ# : 30269588 or 41961639
Home Page : http://www.orbis-terrarum.net
Time Zone : Pacific Daylight (GMT - 8)
-----BEGIN GEEK CODE-----
geekcode.comebb.org/ungeek
GCS/M/IT d-(+) s+:- a--- C++++
U++++ L++++ P--(+) W++ K++ PS+
N++ w--- O E---- M-(+) V-- Y++
PE++ PGP++ t-- 5 X+ R tv- b+++
D++ G++ e(*) h! r-- !y+
------END GEEK CODE------
-----PGP INFO-{---
Key ID:0x7E20DFA1
FingerPrint:
5447C73A 30FB144C 89521B69 2D6A615E 7E20DFA1
---}-PGP INFO-----
Hi Armel & all!
>phpMyAdmin 2.2.1 is in production on free.fr (french
>provider, free hosting, etc.).
Great :) Do you know if Online.fr also uses PMA 2.2.1?
To all: what about rolling a 2.2.2-rc1 during the weekend?
Because an important security improvement has been committed
since 2.2.1: "stduser" no longer needs to have the "select" priv. on the
"password" column of the "mysql.user" table.
Loïc
______________________________________________________________________________
ifrance.com, the most complete free email on the Internet!
Your emails from a browser, via POP3, on Minitel, on WAP...
http://www.ifrance.com/_reloc/email.emailif
Hi Robin & List!
>I recall seeing phpMyAdmin mentioned on a news site
>somewhere
Maybe the php foundry page from SourceForge?
Loïc
Hi Robin & List!
>Could we possibly get around this by setting/unsetting the
>register_globals in the config.inc.php3 ?
Yep, we may, but we also need to set/unset "track_vars" in this
case (if possible, i.e. PHP < 4.0.3).
Nevertheless we will then face another problem: the
secure solution is to set "register_globals" to "off", "track_vars"
to "on" and to use "session_register($HTTP_SESSION_VARS['my_var'])"... as
long as PHP < 4.1.0, because since those bugs
will be fixed in 4.1.0 we must use "session_register('my_var')"
with this version.
Else we may set "register_globals" to "on" but this is far less
secure :(
>We would still need the stduser account to get the database
>list. SHOW GRANTS does not show databases that everybody
>has access to. It only shows databases where explicit rights
>have been granted to the user.
Right :(
Loïc
Hi List!
Ok for sessions, but as for me they are still quite buggy :(
For example, with "track_vars" set:
1. Just try to set register_globals to "off" (it's the
recommended value) and you'll face a really annoying bug that
exists from PHP 4.0.1-pl1 to the current 4.0.6 version (it seems
to be fixed in the current cvs for the 4.1.0 version):
$HTTP_SESSION_VARS is not updated when you use
session_register('my_var')!
2. Now set register_globals to "on" and you will see that
$HTTP_SESSION_VARS is no longer updated (while it should be,
because "track_vars" is on).
See also PHP bug reports #5329, #11861, #12600.... and user notes at this
url: http://www.php.net/manual/en/ref.session.php
In a few words it means it will be very hard to know "which" session data to
use.
>'session'
>session-based, customized login panel, session id propagated by URL
>(still use stduser?)
Hum, how can we skip "stduser"? The problem is not related to sessions
IMHO but to the MySQL version: if 3.23.4+ we may skip "stduser" since
the "SHOW GRANTS" MySQL statement is usable, else there is no better
way than "stduser" to get the user privileges.
Loïc
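The SHOW GRANTS route Loïc mentions, together with the gap Robin pointed out earlier in the thread (databases open to everybody do not appear in a user's SHOW GRANTS), as an added Python example that is not phpMyAdmin code. The grant lines are constructed to look like MySQL 3.23 output; the password hash is a placeholder, and the anonymous-user grant list stands for what would otherwise have to be read from mysql.db through stduser.

```python
import re

# Shape of one result line of "SHOW GRANTS FOR 'user'@'host'" (MySQL 3.23.4+):
#   GRANT <privs> ON <db>.<table> TO '<user>'@'<host>' [IDENTIFIED BY ...] [WITH GRANT OPTION]
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+"
    r"(?P<db>\*|`[^`]*`|[^`.\s]+)\.(?P<table>\*|`[^`]*`|[^\s]+)"
    r"\s+TO\s+'(?P<user>[^']*)'@'(?P<host>[^']*)'",
    re.IGNORECASE,
)

# Constructed sample: what SHOW GRANTS might return for one ordinary user.
ALICE_GRANTS = [
    "GRANT USAGE ON *.* TO 'alice'@'localhost' IDENTIFIED BY PASSWORD '<hash placeholder>'",
    "GRANT SELECT, INSERT, UPDATE ON `shop`.* TO 'alice'@'localhost'",
    "GRANT SELECT (id, name) ON `shop`.`customers` TO 'alice'@'localhost'",
    "GRANT ALL PRIVILEGES ON `alice_db`.* TO 'alice'@'localhost' WITH GRANT OPTION",
]

# Constructed sample: a database opened to everybody through the anonymous user ('').
# SHOW GRANTS for alice never lists it, which is the limitation Robin points out.
ANONYMOUS_GRANTS = [
    "GRANT USAGE ON *.* TO ''@'%'",
    "GRANT ALL PRIVILEGES ON `test`.* TO ''@'%'",
]


def parse_grant(line):
    """Split one SHOW GRANTS line into its parts; None if the line is not a grant."""
    m = GRANT_RE.match(line.strip())
    if m is None:
        return None
    privs = re.sub(r"\([^)]*\)", "", m.group("privs"))   # drop column lists like (id, name)
    return {
        "privileges": [p.strip().upper() for p in privs.split(",") if p.strip()],
        "db": m.group("db").strip("`"),
        "table": m.group("table").strip("`"),
        "user": m.group("user"),
        "host": m.group("host"),
    }


def accessible_databases(grant_lines):
    """Databases named in the grants; {'*'} if a global (non-USAGE) grant covers them all."""
    dbs = set()
    for line in grant_lines:
        g = parse_grant(line)
        if g is None:
            continue
        if g["privileges"] == ["USAGE"]:
            continue          # USAGE only says "may connect", it opens no database
        if g["db"] == "*":
            return {"*"}      # a global privilege reaches every database
        dbs.add(g["db"])
    return dbs


def effective_databases(user_grants, anonymous_grants):
    """What the user can really reach: own grants plus databases open to everybody."""
    own = accessible_databases(user_grants)
    public = accessible_databases(anonymous_grants)
    return {"*"} if "*" in own or "*" in public else own | public


if __name__ == "__main__":
    print("from SHOW GRANTS alone:", sorted(accessible_databases(ALICE_GRANTS)))
    print("with anonymous grants:", sorted(effective_databases(ALICE_GRANTS, ANONYMOUS_GRANTS)))
```

The first function is all that is available once stduser is dropped on 3.23.4+; the second shows why Robin's objection stands: the `test` database only becomes visible when the anonymous-user rows are consulted as well, which needs an account allowed to read them.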
Hi again!
I need some help/opinions on bug #474943.
Thanks,
Loïc
Hello. Just got the SourceForge newsletter, and this part is
quite interesting... :-)
---------------------------------
A) CURRENT SOURCEFORGE.NET SITE STATISTICS
Number of Projects: 28,697
Number of Registered Users: 282,350
Page Views: 1,701,023 ( 24 hour period on 10/30/01)
Files downloaded 300,495 (24 hour period on 10/30/01)
E-mails from mail server: 627,195 (24 hour period on 10/30/01)
Top Projects on this date include:
100.000% phpMyAdmin
99.9848% Firewall Builder
99.9695% PCGen
99.9543% SourceForge
99.9390% Miranda ICQ Client
99.9238% The Open For Business Project
99.9086% Python
99.8933% PostNuke Content Management System
99.8781% AWStats
99.8628% MiKTeX
99.8476% Gaim
99.8323% net-snmp
99.8171% jboss.org
99.8019% HSQL Database Engine
99.7866% TOra
99.7714% Compiere ERP & CRM Business Solution
99.7561% phpAdsNew
99.7409% Back Orifice 2000
99.7257% AFPL Ghostscript
99.7104% Tcl
The top project (statistically) on this date is phpMyAdmin. What is
phpMyAdmin? phpMyAdmin is a tool written in the PHP programming
language (available on a large number of web servers today), which
is designed to assist you in the administration of MySQL databases
via the WWW. Well-designed, stable and suitable both for new
MySQL users and seasoned database administrators. phpMyAdmin is
available under the GNU General Public License.
phpMyAdmin is one of nearly 30,000 Open Source software development
projects hosted on SourceForge.net. Additional information regarding
this project may be found at:
http://sf.net/projects/phpmyadmin
Additional information regarding other SourceForge.net-hosted projects
may be found on the SourceForge.net site, located at:
http://sf.net
---------------------------------
Well, I guess it's not necessary to make any further comment... :-)
This is just some more good publicity about PMA sent to only 282,350 users :)
Cheers,
Olivier