Session Start: Tue Oct 17 11:59:33 2000
*** Now talking in #netsurprise
*** Topic is 'WEBMASTERS ONLY!!!! Welcome to the Adult NetSurprise Chatroom!'
*** Set by CrEaToR on Thu Oct 12 18:10:48
-SurpriseBot- Welcome - Net Surprise IRC - thud.net channel #netsurprise
<TW> TD!
<TDavid> hello there :)
*** LaughingEyes has quit IRC (Connection reset by peer)
<TDavid> busybusybusybusy ... anybody else? hehe :)
<TDavid> test 123
<TW> test
<TDavid> tw, i've got your deal on the list for today or tomorow, btw :)
<TW> ahhh :)
* TW scream WAAAAAAAAAAAAAAAAAAAKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKEEEEEEEEEEEEEEEEEEEEEEEE UUUUUUUUUUUUUUUUUUUUUPPPPPPPPPPPPPP!
*** CrEaToR sets mode: +o TDavid
*** CrEaToR changes topic to 'Right Now: Tech Chat with TDavid! Ask Questions about Programming and the PHP Course! Welcome to the Adult Netsurprise Chatroom!'
<CrEaToR> hiya TD =)
<TDavid> hi creator :)
<TDavid> let's see what's on the docket for today ... regular expressions 
<TDavid> so let's determine ways to regularly express ourselves
<TDavid> and environment variables in PHP
<TDavid> $HTTP_REFERER = <-- the page url the surfer came from
<TDavid> $REMOTE_ADDR = <-- the IP address of the surfer
<TDavid> this is the course url we are discussing, btw:
<TDavid> http://www.adultnetsurprise.com/learning_center/php/php_week_7.html
<TDavid> a somewhat complete list of environment variables available to you in php is here:
<TDavid> http://www.php-scripts.com/php_diary/environment_variables.html
<TDavid> if you have questions about what each of these environment variables do, feel free to ask
*** tia has joined #netsurprise
<TDavid> but the best way IMHO is to simply output them to your browser and see
<TDavid> another common one besides $HTTP_REFERER and $REMOTE_ADDR is $HTTP_USER_AGENT
<TDavid> that helps to tell you what type of browser the surfer is using
<TDavid> it contains the name and version of the surfer's browser ... you can see this in use on the Netsurprise messageboard near the tagline
*** sharkysr has joined #netsurprise
<TDavid> as you might have seen that some manipulation of environment variables can take place, so using them as a sole method of determining a surfer's identity is fallable
<sharkysr> Howdy everyone.  Thought I'd pop in for a few minutes 
*** Buzzard has joined #netsurprise
<TDavid> as with any other type of security scheme you will want to use multiple independent checks to ensure the best security
<CrEaToR> hiya sharkysr, buzzard, we are having Tech Chat
<TDavid> hi tia buzzard and sharkysr :)
<tia> hey :)
<CrEaToR> oops...hey tia
<TDavid> example: we check to see that the person submitting a url ... 
<Buzzard> hey there 
<TDavid> 1. does the URL look like a valid url?
<TDavid> 2. is the person submitting a form from a valid location (domain/page url)
*** TW has quit IRC (Connection reset by peer)
*** Jaggi has quit IRC (QUIT: User exited)
<TDavid> just checking the ip or domain, again, can be fallable so it is important to check for multiple issues. Most hackers aren't wise enough to work through multiple checkpoints because many people simply don't do the work to check for things like this
*** Buzzard has quit IRC (QUIT: User exited)
<TDavid> so if you make sure all your form input "looks like" it is supposed to then you are ahead of the game
<TDavid> that is the concept behind this week's course which is environment variables and regular expressions
*** CrEaToR is now known as CrEaToR-aWaY
*** WillyB has joined #netsurprise
<TDavid> you can use these two tools to make sure that what you are getting is "clean" and not tampered
<TDavid> for example, hackers will submit a form to your script from their website and attempt to breakdown your scripts
<TDavid> if you pass items to a database or the shell directly this can be a HUGE security hole
<TDavid> so if you listen to nothing else I say during this 16 week course, listen to this: never never NEVER pass unchecked data to a database or shell
<TDavid> now let's look at a few ways to protect a form
<TDavid> any questions thus far?
<sharkysr> nope
<TDavid> <?
<TDavid> $mydomain = "http://www.php-scripts.com/";
<TDavid> if(eregi("$mydomain", $HTTP_REFERER)) { 
<TDavid> ?>
*** patrik_garrent has joined #netsurprise
*** patrik_garrent has quit IRC (QUIT: User exited)
<TDavid> now if you look at the code above there is a structural problem that may not be obvious at first
*** patrik_garrent has joined #netsurprise
<TDavid> we are checking to see if the surfer is coming from $mydomain ... which is php-scripts.com
<WillyB> they can change the mydomain variable in their script?
<TDavid> no
<WillyB> then I don't know
<sharkysr> not if it is PHP
<TDavid> but that is a good point, if we didn't assign $mydomain they COULD, couldn't they?
<sharkysr> the www could be a problem
<TDavid> scriptname.php?mydomain=http://www.hackerdomain.com/
<WillyB> right
<TDavid> but since we assigned mydomain in the script that ploy is foiled
<TDavid> however what about the "www"
<WillyB> ok
<TDavid> how many people omit the "www"
<WillyB> I do half the time
<TDavid> if they came from simply "php-scripts.com" the regular expression would fail
<TDavid> yet we want to allow the surfer to come from the comain php-scripts.com OR www.php-scripts.com
<TDavid> so we need to tweak this regular expression a bit
<TDavid> a couple of different ways to use a logical OR here
<TDavid> we could simply make two urls
<sharkysr> Damn, I actually got one right... LOL
<TDavid>  $mydomain = "http://www.php-scripts.com/"; $mydomain2 = "http://php-scripts.com/";
<TDavid> if(eregi("$mydomain|$mydomain2", $HTTP_REFERER)) {
<TDavid> the pipe | means or inside a regular expression so now we are saying if they come from either of those two preset domains they are ok :)
<TDavid> but as i've said before it is a good idea to practice eliminating redundancy whenever possible. the http:// part is redundant in the code above
<patrik_garrent> hi
<TDavid> hi patrik
<TDavid> if(eregi("http://$mydomain|$mydomain2", $HTTP_REFERER)) {
<TDavid> so now you can remove that part
<patrik_garrent> ça va
<TDavid> but we can also go with just one url and check for the www - any ideas how?
<sharkysr> Does spacing inside of the regular expression have a bearing on it's outcome TD?
<TDavid> yes
<TDavid> every character has an outcome
<TDavid> so if we left a space between / and $mydomain we'd be saying there needs to be a space there
<sharkysr> if(eregi("http://$mydomain|www.$mydomain", $HTTP_REFERER)) {
<sharkysr> would that work?
<WillyB> no
<WillyB> i don't think
<TDavid> yes
<TDavid> i think it might
<TDavid> but there is a slightly better way to form that expression using only one variable
<WillyB> it would put the http:// in the www part too?
<TDavid> better to look at it like this:
<TDavid>  if(eregi("(http://)($mydomain|www.$mydomain)", $HTTP_REFERER)) {
<TDavid> notice the parenthesis trapping in the components of the match
<TDavid> that is useful for keeping reg exp clearer
*** tia has quit IRC (QUIT: User exited)
<sharkysr> That does make more sense.
<TDavid> but let's rewrite so that we only use one variable
<WillyB> that would put http://  in front of the $mydomain or www.$mydomain then
<TDavid> yes
<sharkysr> But you really don't need them around the http:// part do you?
<TDavid> no you don't
<TDavid> i just did that for illustration
<TDavid> any ideas how to do it with just one variable?
<sharkysr> if(eregi("http://(|www.)$mydomain", $HTTP_REFERER)) {
<TDavid> close, but nope, the period unescaped is a wildcard
<TDavid> for any character
<TDavid> except new line
*** TW has joined #netsurprise
<sharkysr> if(eregi("http://(|www\.)$mydomain", $HTTP_REFERER)) {
<WillyB> if(erigi(http://+$mydomain)
<WillyB> if(erigi(http://+$mydomain, $HTTP_REFERER)
<WillyB> if(erigi(http://+.\..$mydomain, $HTTP_REFERER)
<TDavid> sharkysr you are correct
<sharkysr> Those damn pesky excape characters.... LOL
<TDavid> http://(|\ <--- is nothing OR
*** SurpriseBot sets mode: +o TW
<WillyB> OK
<TW> Patrik are you a webmaster?
<TDavid> yeah the escape characters can be tricky at times
*** patrik_garrent was kicked by TDavid (hmmm, i think you are looking for love in the wrong place)
*** erika has quit IRC (Connection reset by peer)
<WillyB> if(eregi(http://+.\..$mydomain, $HTTP_REFERER) wouldn't work for it without someting infront of it
<TW> lol gave him the benefit of answering :)
<WillyB> i think i see
<WillyB> hehehe TW
<TDavid> the + means one or more characters
<TDavid> in that expression http://+ you'd be saying to have one or more / 
<TDavid> so the http:///////// would match :0
<TDavid> you could use
<TDavid> http:(/{2}) to force 2 and ONLY 2 /
<TDavid> you can do the same with the t
<WillyB> ic
<TDavid> h(t{2})p:(/{2})
<TDavid> looks like greek but really is pretty easy once you know the codes
<sharkysr> That is more work then just putting in what you want
<WillyB> that is more complicated than sharkysr's answer! hehehe
<TDavid> yeah, and unnecessary unless you exactly want to make sure of a certain pattern 
<TDavid> for instance a phone number
<TDavid> area code is 3 digits
<TDavid> regexp [[:digit]{3}]
<TDavid> or maybe a zip code
<sharkysr> Right TD, in specific circumstances like that it would make alot of sense.
<WillyB> ok, now a qestion.. if you were at TDscripts.com for example and typed in the url, which happened to be on your server, would it make the referer be your server as well?
*** Chris has joined #netsurprise
<TDavid> reg exp: ^([0-9]{5})(-[0-9]{4})?$
<TDavid> 5 digits followed by a dash - followed by 4 digits and must end with a digit
<TDavid> and must start with a digit
*** floppy has joined #netsurprise
<TDavid> no willyb, any type-in url is going to be ""
<floppy> hello everyone;))
<TDavid> an empty string
<TDavid> hi floppy
<TDavid> bookmarkers usually show up that way too
*** patrik has joined #netsurprise
*** TW has quit IRC (Connection reset by peer)
<sharkysr> You can use the [0-9] and [:digit] interchangably?  And is the : a required part of the digit?
<sharkysr> hey floppy
<TDavid> [[:digit:]] yes
<WillyB> ok, great! my lesson will work then :)
<TDavid> i like digit because it makes it easier to follow a long string, but it is one of those "whatever you are more comfortable with" things
<sharkysr> Now you used two : that time... which is correct?
<TDavid> two is correct
<sharkysr> OK.
<TDavid>  regexp [[:digit:]{3}]
<TDavid> they are repeated in this week's course material as well
<TDavid> you have other options like [:alpha:] [:lower:] [:upper:] etc
<WillyB> is [[:alpha:]] the same as [[:lower:]] ?
<TDavid> for me anytime I can write out a word like OR or AND instead of using || or && I am making the code more readable
<TDavid> same for regexp
<TDavid> no, [:lower:] requires lowercase only
<WillyB> in the course material it says you can subsitute both with [a-z]
<TDavid> yes
<TDavid> because upper would be [A-Z]
<sharkysr> can alpha be upper and lower
<TDavid> yes, any alphabetical letter
<TDavid> regexp:  ([:alpha:]{3}[:lower])
<TDavid> regexp:  ([:alpha:]{3}[:lower:])
<TDavid> requires three alphabetical letters the case doesn't matter
<sharkysr> first three letters any case followed by lower case only?
<TDavid> yup
<TDavid> what if you wanted to force to be 3 lowercase letters followed by 3 upper case letters?
*** Lady-EXXXstasy has quit IRC (Ping Timeout)
<sharkysr> regexp:  ([:lower:]{3}[:upper:]{3})
*** erika has joined #netsurprise
<TDavid> exactly
<TDavid> what if you wanted to require at least 3 uppercase letters followed by at least 3 but not more than 6 lowercase letters?
<sharkysr> Good Question TD...
*** TW has joined #netsurprise
<TDavid> any guesses?
<TDavid> what if you wanted to require at least 3 uppercase letters followed by at least 3 but not more than 6 lowercase letters?
<sharkysr> I'm thinking...  and that may take awhile...
<TDavid> regexp:  ([:upper:]{3}[:lower:]{3,6})  <--- here, it is easier than it sounds
<TDavid> if you separate by a , in the { } the second number is the max range
<TDavid> if you leave just the , then infinity is selected to match
<sharkysr> But you said at least 3 upper case, not exactly 3
<TDavid> ahh, you caught that! hehe
<sharkysr> shouldn't there be a , after the 3 with nothing after that
<sharkysr>  regexp:  ([:upper:]{3,}[:lower:]{3,6})  <--- here, it is easier than it sounds
<sharkysr> Or does it work that way?
<TDavid> space is optional
<TDavid> in that case
<TDavid> you can make it do two separate statements too
<sharkysr> I don't quite understand your reply TD
<TDavid> [:lower:][:lower:][:lower:]{,} <-- would be at least 3 but more 
<TDavid> which part sharkysr?
<TDavid> you don't need a space after the comma no
<TDavid> well i doublechecked my reference manual and it shows the space there
<sharkysr> no I wasn't asking about the space, that is why I put up the example using{3,}.  would that give you at least 3, with no upper limit?
<TDavid> so i may stand corrected on this
<TDavid> yes,
<TDavid> 3 with no upper limit is {3, }
<TDavid> no, that would give you EXACTLY 3 with no upper limit
<TDavid> it was a trick question, sorry
<TDavid> but it is the type of thing you will experience sooner or later when trying to construct a regular expression
<sharkysr> It says with one integer and a comma.   says nothing about needing a space there TD..
<TDavid> i don't think the space is needed, i just doublechecked my book to be sure and it shows with a space so like i said originally i believe it is optional
<TDavid> won't hurt either way
*** WillyB is now known as willyB_afk
<willyB_afk> sorry, I want to log this though.. I have to deal with some crap here at the moment
<TDavid> so if want at least 3 we might need to use 2 instances of [:lower:]
<TDavid> [:lower:]{3}[:lower:]{,6}
<TDavid> like that
<TDavid> hmm maybe 2 there for the first one
<TDavid> [:lower:]{2}[:lower:]{,6}
<TDavid> hehe
<TDavid> that will force at least 3 and exactly 6
<TDavid> it can become a bit confusing dealing with reg exp, can't it? :)
<sharkysr> Without a doubt on that one TD.... haha
<TDavid> the easiest way is to break down reg expressions in parts
<TDavid> take them a section at a time instead of trying to chomp down the whole match at once
<TDavid> it is easier to make them that way
<TDavid> any other questions on regular expressions or environment variables? :) Going to wrap this up for now ... but again on Friday we'll be reviewing this
*** Chris has quit IRC (QUIT: User exited)
<TDavid> as i mentioned in the course material, there have been BOOKS written on regular expressions so to give it a one lesson treatment is taking a very brief review of them
<sharkysr> (^[:digit:]{3}\-[:digit:]{3}\-[:digit:]{4}$)
<sharkysr> TD, would this work for a phone number?
<TDavid> don't need the \- in front of the dash
<sharkysr> OK, thought it might try to subtract it or something...
<TDavid> but otherwise i think you have it :)
<TDavid> it's not that bad, is it? hehe :)
<TDavid> even so there is a good reason we waited until week 7 to get into these instead of week 1 or 2 hehe :)
<sharkysr> Not really..   Just makes you think
<TDavid> kind of a necessity from here forward though :)
<sharkysr> You would have probably blown alot of folks out of the water with this in week 1 or 2
<TDavid> alrighty i'll catch you guys over in scriptschool if you want to chat further ... take care all and hope to see you all at Friday's radio program 1:30pm PST preshow starts ... :))
<floppy> The biggest problem I see is rembering what everything stands for and what it does ;)
*** CrEaToR-aWaY is now known as CrEaToR
<CrEaToR> bye 
<CrEaToR> TD
<CrEaToR> thanx =)
* TDavid logs off
Session Close: Tue Oct 17 13:15:22 2000