Author Topic: [MINI-MOD] s($variable) booster  (Read 8323 times)

Joost

  • Guest
Re: [MINI-MOD] s($variable) booster
« Reply #15 on: January 24, 2008, 06:33:51 pm »

Thanks for replying, invarbrass.
So isset is slow and globals are faster than static? The latter I can understand: no need for a function call each time. The drawback is all the changes that have to be made file wide.
Unfortunately I do not have the tools to test speed that precisely (I am using xdebug), since there is only little difference.
Question: How do you feel about storing passwords and username in a session? Personally I don't like it. Please share your thoughts on that.
Logged

invarbrass

  • Full Member
  • ***
  • Karma: 18
  • Posts: 117
    • http://snews.extremebittorrent.com
Re: [MINI-MOD] s($variable) booster
« Reply #16 on: January 24, 2008, 06:48:09 pm »

Quote from: Joost
Question: How do you feel about storing passwords and username in a session? Personally I don't like it. Please your thoughts on that.

Storing user:pass in SESSION is not a good idea. On shared hosting - anyone on the server can read your session files (typically in the /tmp directory) if PHP is running as an Apache module (so the session files belong to the web user) and also when PHP is used as a CGI.

Someone browsing the session files (probably) won’t know the site on the server the sessions apply to (so may not be able to use a username / password combination they found) but you may still be putting sensitive info (like credit card details) somewhere for all to see. Plus they’ve got a list of valid session IDs…

If you’re just storing passwords in the session, you can get away with this by using md5() (preferably twice) to one-way encrypt the password. This doesn’t help though if you need to recover the value of a session variable.

PHP stores sessions as files in /tmp. Every session is stored in a file like sess_g35g5g54gg45wg85

Where "g35g5g54gg45wg85" is the actual SessionID. Someone could now easily spoof these sessions, because he now knows the IDs. He would even be able to read the contents of these files, because PHP very often runs as module (i.e. every executed PHP script inherits the user permissions of apache), thus you only have to write a PHP script which reads out these files.

To learn the vulnerabilities of session variables, you can read more here:
http://www.net-security.org/article.php?id=925
http://www.onlamp.com/pub/a/php/2003/04/03/php_security.html
http://shiflett.org/php-security.pdf
Logged
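
An added example, not part of the original post or of sNews, showing the alternative to keeping username and password in the session: the session file holds only a user id, and the password is checked once against a stored hash. It uses PHP's password_hash()/password_verify() (PHP 5.5+) for that check, which is a substitution for the md5() approach mentioned in the post; SESSION_DIR, start_private_session(), login() and the user record are hypothetical names and constructed data.

```php
<?php
// Added example, not sNews code. SESSION_DIR, start_private_session() and
// login() are hypothetical names; the user record below is constructed.
define('SESSION_DIR', __DIR__ . '/private_sessions');

function start_private_session() {
    if (!is_dir(SESSION_DIR) && !mkdir(SESSION_DIR, 0700, true)) {
        throw new RuntimeException('cannot create ' . SESSION_DIR);
    }
    chmod(SESSION_DIR, 0700);
    clearstatcache();
    // Mode bits only separate different system users. Under a shared web
    // user (mod_php), other sites' scripts run as the same user, so the
    // session must not hold secrets in the first place.
    if ((fileperms(SESSION_DIR) & 0077) !== 0) {
        throw new RuntimeException('session directory open to other users');
    }
    session_save_path(SESSION_DIR);
    ini_set('session.use_only_cookies', '1');
    ini_set('session.cookie_httponly', '1');
    session_start();
}

function login($username, $password, array $users) {
    if (!isset($users[$username]) ||
        !password_verify($password, $users[$username]['hash'])) {
        return false;
    }
    session_regenerate_id(true);   // fresh ID; the old session file is deleted
    $_SESSION = array(             // identity only, no username:password
        'user_id'  => $users[$username]['id'],
        'login_at' => time(),
    );
    return true;
}

// Constructed data: one user whose password is stored only as a hash.
$users = array('alice' => array('id' => 7,
    'hash' => password_hash('constructed-password', PASSWORD_DEFAULT)));

start_private_session();
$ok = login('alice', 'constructed-password', $users);
$file = SESSION_DIR . '/sess_' . session_id();
session_write_close();             // flush the session to disk

echo $ok ? "login ok\n" : "login failed\n";
// What anyone able to read the session file would see:
echo "on disk: ", file_get_contents($file), "\n";
```

Run it from the command line to see the serialized session file as another account on the host would read it.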

Joost

  • Guest
Re: [MINI-MOD] s($variable) booster
« Reply #17 on: January 25, 2008, 04:09:56 am »

It seems we read the same documentation, invarbrass.
I've changed the third line, !isset to !is_array. Hope that's better (can't test it). I will look into globals later.
 

Code:
// SITE SETTINGS - grab site settings from database
function s($variable) {
   static $site_settings;   // kept between calls, so the query runs once per request
   if (!is_array($site_settings['settings'])) {
      $query = 'SELECT name,value FROM '.db('prefix').'settings';
      $result = mysql_query($query);
      while ($r = mysql_fetch_array($result)) {
         $site_settings['settings'][$r['name']] = $r['value'];
      }
   }
   $value = $site_settings['settings'][$variable];
   return $value;
}
Logged

invarbrass

Re: [MINI-MOD] s($variable) booster
« Reply #18 on: January 25, 2008, 11:03:03 am »

Quote from: Joost
It seems we read the same documentation, invarbrass.
I've changed the third line, !isset to !is_array. Hope that's better (can't test it). I will look into globals later.

Code:
// SITE SETTINGS - grab site settings from database
function s($variable) {
   static $site_settings;   // kept between calls, so the query runs once per request
   if (!is_array($site_settings['settings'])) {
      $query = 'SELECT name,value FROM '.db('prefix').'settings';
      $result = mysql_query($query);
      while ($r = mysql_fetch_array($result)) {
         $site_settings['settings'][$r['name']] = $r['value'];
      }
   }
   $value = $site_settings['settings'][$variable];
   return $value;
}

Hi Joost, thanks for the code. Here is a snippet of code which you can use to measure the speed of execution:

Code:
<?php
//  Start TIMER
//  -----------
$iter = 1000;
$stimer = explode(' ', microtime());
$stimer = $stimer[1] + $stimer[0];
//  -----------

for ($i = 0; $i < $iter; $i++) {
  /* ------------------------------------- */
  //  Add your PHP code here
  /* ------------------------------------- */
}

//  End TIMER
//  ---------
$etimer = explode(' ', microtime());
$etimer = $etimer[1] + $etimer[0];
echo '<p style="margin:auto; text-align:center">';
printf("Script timer: <b>%f</b> seconds.", ($etimer - $stimer));
echo '</p>';
?>

Just put the code inside the loop and measure it. Repeat the same for all mods.

Another thing to remember, you should feed real data to the function you want to test. For example, if you're testing s(), supply only the contents from the settings table as the parameter. I mean test this: s('home_sef') and not s('abc');
« Last Edit: January 25, 2008, 11:06:37 am by invarbrass »
Logged

Joost

  • Guest
Re: [MINI-MOD] s($variable) booster
« Reply #19 on: January 26, 2008, 04:32:03 am »

Thanks for the code invarbrass. Again I've learned something about testing tools!
!is_array is much slower than !isset, so forget it. I could not get array_key_exists working so no way to compare.
Logged

henrich

  • Sr. Member
  • ****
  • Karma: 23
  • Posts: 381
  • Passion for quality and excellence!
    • My personal blog and portofolio
Re: [MINI-MOD] s($variable) booster
« Reply #20 on: January 31, 2008, 06:15:15 am »

Hi, I am using the ML package; this mod is not working for me under the ML package, Ghassem's mod is working. Just telling you :)
Logged
By(e) Henrich :)
------------------------------
IT related blog

Joost

  • Guest
Re: [MINI-MOD] s($variable) booster
« Reply #21 on: January 31, 2008, 06:42:13 am »

Thanks for reporting Henrich. Any errors thrown, you can share with us?
Logged

henrich

Re: [MINI-MOD] s($variable) booster
« Reply #22 on: January 31, 2008, 07:23:26 am »

If I remember well, I had only a blank page.
Logged

invarbrass

Re: [MINI-MOD] s($variable) booster
« Reply #23 on: January 31, 2008, 07:30:19 am »

Quote from: henrich
If I remember well, I had only a blank page.

This mod is targeted at the single lang version. So it may not work with ML. I've never used the ML version, however I think you can get it working with only minor changes in code.
Logged

Keyrocks

  • Doug
  • ULTIMATE member
  • ******
  • Karma: 449
  • Posts: 6020
  • Semantically Challenged
    • snews.ca
Re: [MINI-MOD] s($variable) booster
« Reply #24 on: January 31, 2008, 06:01:46 pm »

Quote from: henrich
If I remember well, I had only a blank page.

Since this mod only replaces the one small function... the answer as to why it might not have worked in your ML package will be right there. I suggest you do a comparison of the script in that function by copying all 3 versions of the function into one php file - even a temporary new one. You want the default sNews 1.6 function... the ML function and Invarbrass's function... and have a look at what's different between the three.  ;)
« Last Edit: January 31, 2008, 08:55:32 pm by Keyrocks »
Logged
Do it now... later may not come.
-------------------------------------------------------------------------------------------------
sNews 1.6 MESU | sNews 1.6 MEMU

henrich

Re: [MINI-MOD] s($variable) booster
« Reply #25 on: January 31, 2008, 06:33:42 pm »

Good point! Very logical  :D
Logged