Sunday, 17 February 2019

STORING DATA WITH PHP — FLAT FILE OR DATABASE?

Many applications require the long-term storage of information. In PHP scripts, you can make information available within sessions — periods of time that users spend at your Web site — by using methods such as PHP session functions and by submitting forms. However, eventually you need to store information for use tomorrow or next week. You can store it in a cookie that you set to last after the session is ended, but the information is vulnerable. It’s not under your control. The user can delete or change the information at any time or can refuse to accept the cookie. To be available and stable, the information needs to be stored somewhere secure, where no one can access or tamper with it. The information needs to be stored on the server.
Information can be stored on the server in flat files or in databases. Flat files are text files stored in the computer file system. Humans can read flat files by using the operating system commands that display files, such as cat in Linux and Unix. You can access and edit these files by using any text file editor, such as Notepad or vi. The information in the flat file is stored as strings, and the PHP script that retrieves the data needs to know how the data is stored. For example, to retrieve a customer name from a file, the PHP script needs to know that the customer name is stored in the first 20 characters of every line.
Using a database for data storage requires you to install and learn to use database software, such as MySQL or Oracle. The data is stored in files created by the database software and can only be accessed by the database software. Databases can store very complex information that you can retrieve easily. You don’t need to know how the data is stored, just how to interact with the database software. For example, to retrieve a customer name, the PHP script needs to know only how to tell the database software that it wants the customer name, using a standard communication language called SQL. The database software handles the storage and delivers the data, without the script needing to know exactly where or how the customer name is stored.
Flat files have some advantages over databases:
  • Available and versatile: You can create and save data in any operating system’s file system. You don’t need to install any extra software. Additionally, text data stored in flat files can be read by a variety of software programs, such as word processors or spreadsheets.
  • Easy to use: You don’t need to do any extra preparation, such as install database software, design a database, create a database, and so on. Just create the file and store the data with statements in your PHP script.
  • Smaller: Flat files store data by using less disk space than databases.
A flat file is quick and easy and takes less space than a database. It is ideal for storing small amounts of information quickly, such as a simple list or small piece of information. Flat files are particularly useful for making information available to other software, such as an editing program or a spreadsheet. Flat files can be looked at by anyone with access to the computer directory where they are stored, so they are useful when information needs to be made available to other people.
Databases have some advantages as well:
  • Security: A database provides a security layer of its own, in addition to the security provided by the operating system. A database protects the data from outside intrusion better than a flat file.
  • Accessibility of data: You can store data in a database by using a very complex data structure, specifying data types and relationships among the data. The organization of the data makes it easy to search the data and retrieve what you need.
  • Ability to handle multiple users: When many users store or access data in a single file, such as a file containing names and addresses, a database ensures that users take their turn with the file to avoid overwriting each other’s data.
Databases require more start-up effort and use more space than a flat file, but are much more suitable for handling complex information. The database handles the internal organization of the data, making data retrieval much simpler. A database provides more security, making it more suitable for sensitive, private information. Databases can more easily and efficiently handle high traffic when many users may try to access the data almost simultaneously.
In PHP 5, SQLite, an extension for data storage that combines the main advantages of flat files and databases, is included by default. SQLite stores the data in a flat file, so you don’t need to install database software, but you store data using SQL, the standard database communication language. SQLite is a quick option for storing and retrieving small amounts of data in a flat file using SQL. SQLite is not a good option for really huge, complicated databases.
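The two approaches side by side, as an added example that is not part of the original article: the same customer record written to and read back from a fixed-width flat file (with an exclusive lock so concurrent requests do not interleave lines) and from an SQLite database through PDO with a prepared statement. The file paths, the `customers` table and its columns are assumptions for this demo; it needs the `pdo_sqlite` extension, and the data directory is placed outside the web root so the web server cannot serve the raw files.

```php
<?php
// Added example (not from the original article): one customer record stored two ways.
// Paths, the table name and its columns are assumptions made for this demo.
declare(strict_types=1);

// Data lives outside the web root so the web server never serves the raw files.
$dataDir  = __DIR__ . '/../data';                 // assumed location
$flatFile = $dataDir . '/customers.txt';
$dbFile   = $dataDir . '/customers.sqlite';
if (!is_dir($dataDir) && !mkdir($dataDir, 0700, true)) {
    throw new RuntimeException("Cannot create $dataDir");
}

// --- Flat file: the script itself must know the layout (name in the first 20 characters,
//     email in the rest of the line), and nothing else enforces it.
function saveCustomerFlat(string $file, string $name, string $email): void
{
    // A newline inside a field would split one record into two; reject it.
    if (preg_match('/[\r\n]/', $name . $email)) {
        throw new InvalidArgumentException('Fields may not contain newlines');
    }
    $line = str_pad(substr($name, 0, 20), 20) . $email . PHP_EOL;
    // LOCK_EX serialises concurrent writers; without it two requests can interleave lines.
    if (file_put_contents($file, $line, FILE_APPEND | LOCK_EX) === false) {
        throw new RuntimeException("Cannot write $file");
    }
}

function findCustomerFlat(string $file, string $name): ?string
{
    if (!is_readable($file)) {
        return null;
    }
    foreach (file($file, FILE_IGNORE_NEW_LINES) as $line) {
        if (rtrim(substr($line, 0, 20)) === substr($name, 0, 20)) {
            return substr($line, 20);
        }
    }
    return null;
}

// --- SQLite through PDO: the script describes what it wants in SQL and the engine
//     handles layout, types and concurrent access.
function openDb(string $file): PDO
{
    $pdo = new PDO('sqlite:' . $file);
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE IF NOT EXISTS customers (
        id INTEGER PRIMARY KEY, name TEXT NOT NULL, email TEXT NOT NULL)');
    return $pdo;
}

function saveCustomerDb(PDO $pdo, string $name, string $email): void
{
    // Bound parameters keep the values out of the SQL text, so input cannot alter the query.
    $stmt = $pdo->prepare('INSERT INTO customers (name, email) VALUES (:name, :email)');
    $stmt->execute([':name' => $name, ':email' => $email]);
}

function findCustomerDb(PDO $pdo, string $name): ?string
{
    $stmt = $pdo->prepare('SELECT email FROM customers WHERE name = :name LIMIT 1');
    $stmt->execute([':name' => $name]);
    $email = $stmt->fetchColumn();
    return $email === false ? null : (string) $email;
}

// Usage with constructed sample data.
saveCustomerFlat($flatFile, 'Ada Lovelace', 'ada@example.com');
echo findCustomerFlat($flatFile, 'Ada Lovelace') ?? '(not found)', PHP_EOL;

$pdo = openDb($dbFile);
saveCustomerDb($pdo, 'Ada Lovelace', 'ada@example.com');
echo findCustomerDb($pdo, 'Ada Lovelace') ?? '(not found)', PHP_EOL;
```

The flat-file half shows what the article means by the script having to know the layout: the fixed 20-character name field, the newline check and the lock are all the application's responsibility, and any other program reading the file must agree on the same convention. The PDO half pushes those concerns into SQLite, and the bound parameters are what keep a name such as `O'Brien` from breaking or altering the query.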

Forgotten password cheatsheet

URL SOURCE : https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Forgot_Password_Cheat_Sheet.md


Introduction

This article provides a simple model to follow when implementing a forgot password web application feature.

The Problem

There is no industry standard for implementing a Forgot Password feature. The result is that you see applications forcing users to jump through myriad hoops involving emails, special URLs, temporary passwords, personal security questions, and so on. In the end you have to reset it to a new value.

Steps

Step 1) Gather Identity Data or Security Questions

The first page of a secure Forgot Password feature asks the user for multiple pieces of hard data that should have been previously collected (generally when the user first registers).
Steps for this are detailed in the identity section of the Choosing and Using Security Questions Cheat Sheet.
At a minimum, you should have collected some data that will allow you to send the password reset information to some out-of-band side-channel, such as a (possibly different) email address or an SMS text number, etc. to be used in Step 3.

Step 2) Verify Security Questions

After the form on Step 1 is submitted, the application verifies that each piece of data is correct for the given username. If anything is incorrect, or if the username is not recognized, the second page displays a generic error message such as "Sorry, invalid data."
If all submitted data is correct, Step 2 should display at least two of the user’s pre-established personal security questions, along with input fields for the answers. It’s important that the answer fields are part of a single HTML form.
Do not provide a drop-down list for the user to select the questions he wants to answer. Avoid sending the username as a parameter (hidden or otherwise) when the form on this page is submitted. The username should be stored in the server-side session where it can be retrieved as needed.
Because users' security questions and answers generally contain much less entropy than a well-chosen password (how many likely answers are there to the typical "What's your favorite sports team?" or "In what city were you born?" security questions anyway?), make sure you limit the number of guesses attempted. If some threshold is exceeded for that user (say 3 to 5), lock out the user's account for some reasonable duration (say at least 5 minutes) and then challenge the user with some form of challenge token per the standard multi-factor workflow (see Step 3, below) to mitigate attempts by attackers to guess the questions and reset the user's password. It is not unreasonable to think that a user's email account may have already been compromised, so tokens that do not involve email, such as SMS or a mobile soft-token, are best.

Step 3) Send a Token Over a Side-Channel

After step 2, lock out the user's account immediately. Then send an SMS or use some other multi-factor token challenge with a randomly generated code of 8 or more characters.
This introduces an out-of-band communication channel and adds defense in depth, as it is another barrier for an attacker to overcome. An attacker who has somehow managed to get past steps 1 and 2 is unlikely to have compromised the side-channel as well. It is also a good idea to give the random code your system generates a limited validity period, say no more than 20 minutes or so. That way, if the user never gets around to resetting their password and their email account is later compromised, the reset token an attacker discovers there will already have expired.
Of course, by all means, once a user's password has been reset, the randomly-generated token should no longer be valid.

Step 4) Allow user to change password in the existing session

Step 4 requires input of the code sent in step 3 in the existing session where the challenge questions were answered in step 2, and allows the user to reset their password. Display a simple HTML form with one input field for the code, one for the new password, and one to confirm the new password. Verify that the correct code is provided and be sure to enforce all password complexity requirements that exist in other areas of the application.
As before, avoid sending the username as a parameter when the form is submitted. Finally, it's critical to have a check that prevents a user from reaching this last step without first completing steps 1 and 2 correctly. Otherwise, a forced browsing attack may be possible. Ensure the user changes their password and does not simply surf to another page in the application.
The reset must be performed before any other operations can be performed by the user.

Step 5) Logging

It is important to keep audit records when password change requests were submitted. This includes whether or not security questions were answered, when reset messages were sent to users and when users utilize them. It is especially important to log failed attempts to answer security questions and failed attempted use of expired tokens. This data can be used to detect abuse and malicious behavior. Data such as time, IP address, and browser information can be used to spot trends of suspicious use.

Other Considerations

  • Whenever a successful password reset occurs, all other sessions should be invalidated. Note the current session is already authenticated and does not require a login prompt.
  • Strength of questions used for reset should vary based on the nature of the credential. Administrator credentials should have a higher requirement.
  • The ideal implementation should rotate the questions asked in order to avoid automation.
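Steps 1 to 5 and the session-invalidation point above, as one added example that is not part of the OWASP cheat sheet: each step is a function that refuses to run unless the previous one set the expected stage in server-side session state (the forced-browsing check), answers are compared against stored hashes, failures count toward a lockout, the side-channel code comes from a CSPRNG and is kept server-side only as a hash with an expiry, and every outcome is written to an audit log. The user record, the phone number, the audit IP address and the SMS sender are constructed stand-ins (assumptions) so the whole flow runs from the command line; `$session` plays the role of `$_SESSION`.

```php
<?php
// Added example, not from the OWASP cheat sheet: a forgot-password flow driven by
// server-side session state. The user store, audit log and SMS sender are in-memory
// stand-ins (assumptions) so the whole sequence runs from the command line.
const MAX_QUESTION_FAILURES = 3;       // lock after this many wrong answer sets (3 to 5)
const LOCKOUT_SECONDS       = 300;     // at least 5 minutes
const TOKEN_TTL_SECONDS     = 20 * 60; // code valid for no more than 20 minutes
const GENERIC_ERROR         = 'Sorry, invalid data.';
// Constructed user: answers are normalised (lowercase, trimmed) before hashing.
$users = ['alice' => [
    'phone'    => '+15555550100',
    'answers'  => ['First school?'  => password_hash('oakwood', PASSWORD_DEFAULT),
                   'Favourite pet?' => password_hash('rex', PASSWORD_DEFAULT)],
    'password' => password_hash('OldPassw0rd!', PASSWORD_DEFAULT),
    'failures' => 0, 'locked_until' => 0, 'reset' => null,
]];
$session = [];   // stands in for $_SESSION; the username never travels in a form field
$audit   = [];   // step 5: one entry per security-relevant event

function logEvent(array &$audit, string $event, string $user): void
{
    $audit[] = ['time' => time(), 'event' => $event, 'user' => $user, 'ip' => '203.0.113.10']; // assumed client IP
}
// Step 1: identity data. The same message covers an unknown user and wrong data.
function step1(array $users, array &$session, string $username, string $phone): string
{
    if (!isset($users[$username]) || $users[$username]['phone'] !== $phone) {
        return GENERIC_ERROR;
    }
    $session = ['user' => $username, 'stage' => 2]; // call session_regenerate_id(true) here in a real app
    return 'ok';
}
// Step 2: verify every question; count failures and lock out at the threshold.
function step2(array &$users, array &$session, array &$audit, array $answers): string
{
    if (($session['stage'] ?? 0) !== 2 || $users[$session['user']]['locked_until'] > time()) {
        return GENERIC_ERROR;                      // step 1 not completed, or account locked
    }
    $u = &$users[$session['user']];
    $ok = true;
    foreach ($u['answers'] as $q => $hash) {       // check every answer, not just the first
        $ok = password_verify(strtolower(trim($answers[$q] ?? '')), $hash) && $ok;
    }
    if (!$ok) {
        logEvent($audit, 'question_failure', $session['user']);
        if (++$u['failures'] >= MAX_QUESTION_FAILURES) {
            $u['locked_until'] = time() + LOCKOUT_SECONDS;
            logEvent($audit, 'lockout', $session['user']);
        }
        return GENERIC_ERROR;
    }
    $u['failures'] = 0;
    $session['stage'] = 3;
    return 'ok';
}
// Step 3: lock the account, then send a CSPRNG code over the side channel.
function step3(array &$users, array &$session, array &$audit, callable $sendSms): bool
{
    if (($session['stage'] ?? 0) !== 3) {
        return false;
    }
    $u = &$users[$session['user']];
    $u['locked_until'] = PHP_INT_MAX;              // locked until the reset succeeds
    $code = bin2hex(random_bytes(5));              // 10 hex characters (8 or more recommended)
    $u['reset'] = ['hash' => hash('sha256', $code), 'expires' => time() + TOKEN_TTL_SECONDS];
    $sendSms($u['phone'], $code);                  // only the hash stays server-side
    logEvent($audit, 'reset_sent', $session['user']);
    $session['stage'] = 4;
    return true;
}
// Step 4: code plus new password, in the same session that answered the questions.
function step4(array &$users, array &$session, array &$audit, string $code, string $new, string $confirm): string
{
    if (($session['stage'] ?? 0) !== 4) {
        return GENERIC_ERROR;                      // forced browsing: earlier steps skipped
    }
    $u = &$users[$session['user']];
    $r = $u['reset'];
    if ($r === null || $r['expires'] < time() || !hash_equals($r['hash'], hash('sha256', $code))) {
        logEvent($audit, 'token_failure', $session['user']);
        return 'Invalid or expired code.';
    }
    if ($new !== $confirm || strlen($new) < 12) {  // enforce the application's full password policy here
        return 'Password does not meet requirements.';
    }
    $u['password']     = password_hash($new, PASSWORD_DEFAULT);
    $u['reset']        = null;                     // single use: dead once the reset succeeds
    $u['locked_until'] = 0;
    logEvent($audit, 'reset_success', $session['user']);
    // Invalidate every other session of this user here; this one is now authenticated.
    $session = ['user' => $session['user'], 'stage' => 'authenticated'];
    return 'ok';
}
// Walk-through with the constructed user; the closure captures what the "SMS" carried.
$sent = null;
$sms  = function (string $to, string $code) use (&$sent): void { $sent = $code; };
echo step1($users, $session, 'alice', '+15555550100'), PHP_EOL;
echo step2($users, $session, $audit, ['First school?' => 'Oakwood', 'Favourite pet?' => 'rex']), PHP_EOL;
step3($users, $session, $audit, $sms);
echo step4($users, $session, $audit, $sent, 'N3w-Str0ng-Pass!', 'N3w-Str0ng-Pass!'), PHP_EOL;
```

Two design points are worth calling out. The stage value lives only in the server-side session, so a request that posts directly to step 4 with a guessed code falls through to the generic error, and the lockout from step 3 is cleared only by a successful reset, which is what makes the "reset before any other operation" rule enforceable. Invalidating the user's other sessions is left as a comment because how to do it depends on the session store (a per-user session list, or a "password changed at" timestamp that every request compares against its session's creation time).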

Authors and Primary Editors

Dave Ferguson - gmdavef@gmail.com
Jim Manico - jim@owasp.org
Kevin Wall - kevin.w.wall@gmail.com
James McGovern - james.mcgovern@hp.com
Wesley Philip - wphilip@ca.ibm.com

Saturday, 16 February 2019

Marketing in the #FakeNews Era: New Rules for a New Reality of Tribalism, Activism and Loss of Trust.

Typically, executives believe they face a binary choice: put their head in the sand, or go way out on a limb and declare a highly controversial point of view destined to offend half the country. There are in fact a range of choices for brands that I define in what I call the Brand Risk-Relevance Curve. This diagram represents a series of postures that incur an increased likelihood of resonating with consumers who agree with the brand’s opinion and also an increased risk of blowback from those who disagree.
[Figure: Brand Risk-Relevance Curve (Peter Horst)]
The most conservative posture is what I call Values. While there is no single correct choice for all brands, every organization should at least embrace this step. In this mode, the brand chooses not to publicly articulate a point of view, but does go through the introspective process of defining its values and beliefs and instilling them in the organization. Having done this, the company can act with a common moral compass and be ready to act swiftly if events beyond their control force them to take a public stand. Organizations often retreat to the head in the sand posture, whereby they don't even define their own values and just hope this all goes away. This leaves the brand vulnerable to being caught unprepared when crisis hits and risks enduring reputational damage--just ask the NFL.
A more proactive choice is Purpose. We are by now very familiar with the notion of brands embracing a higher purpose, such as Dove and real beauty, or Always and confidence in young girls. Purpose tends to be positive, laudable and generally uncontroversial. Consumers are unlikely to storm the gates of Unilever with pitchforks on behalf of Fake Beauty.
A bolder step is what I call Issues, where a brand wades into a topic that is inherently more tension-filled, more current and more likely to generate strong feelings—but without taking one side or another on the issue. Examples include Heineken addressing society’s lack of civil dialogue or Frito-Lay focusing on suicide in LGBTQ teens.
The most provocative and risk-filled posture is Position, where a brand stakes out a clear argument For or Against with the certainty that many will strongly oppose their point of view. This is IBM supporting the “Dreamers” during the DACA debate and McKinsey exiting its contract with ICE in protest of the Trump administration’s immigration policies.
When it comes to assessing the wisdom or folly of Gillette’s ad, let’s begin by asking whether they had brand permission to engage in the issue. As a men’s product with a long-standing tagline of “The best a man can get,” I believe there is sufficient relevance for them to acknowledge and address issues of masculine behavior.
The question comes down to how they address the issues—and this is where the Risk-Relevance curve is helpful. I would argue that Gillette adopted a Position when it created the boogeyman of smirking, enabling, boorish men to set up their call for better behavior. With the foil of the offending man, Gillette declared themselves opposed to his transgressions. It was this portrait of the villain that in fact generated the furious backlash—and thereby caused so many to miss the valid and valuable point the brand was trying to make. Even the most energetic detractors didn’t disagree with the overall desire for positive male role models.
Contrast Gillette’s choice with Always opting for an Issues posture in its stirring and much-praised campaign that highlighted the way in which young girls lose confidence in their teens. Always focused on the problem without dramatizing a villain to oppose—there were no demoralizing teachers or disheartening parents to root against. I don’t believe this brought a loss of clarity or visceral power, but rather focused on the positive aspects of their message and eliminated elements that could distract from the big point by inviting peripheral debate.
Gillette might have achieved all of their desired impact without the negative blowback by centering on Position. This is not an argument for “de-fanging” Gillette’s thesis or watering down their intent. Rather, I believe Gillette’s example illustrates the potential impacts that come with the nuanced choices brands must make when touching on the big issues of the day. Nike’s choice of Position in the Kaepernick ad was integral to the brand equity it was seeking to stoke with its urban youth target. IBM’s choice of Position in the DACA debate was definitionally central. But Heineken made a powerful call for civil dialogue with an Issues posture and I believe Gillette would have been well-served to do the same.
Peter Horst is a Fortune 500 CMO and Founder of CMO Inc., a marketing consultancy. 
Source URL: https://www.forbes.com/sites/peterhorst/2019/01/18/gillettes-controversial-toxic-masculinity-ad-and-the-opportunity-it-missed/#62a3c12a5506

Living the 10 Commandments

Source URL: https://lifehopeandtruth.com/bible/10-commandments/the-ten-commandments/living-the-10-commandments/


Living the 10 Commandments—or Just Obeying Them?



God gave us laws to live by—especially the 10 Commandments. But have you thought about the values they represent? Are you living the values behind the laws?



Why do we have laws? Instead of all the speed limit laws, why not just say, “Drive safely”? Would that be enough? Would it work?
From a religious perspective, why do we need the 10 Commandments? Why not just summarize them by saying, “Love God and love your neighbor”?
Summaries can be appealing, yet in society as well as some religions, the making (or changing) of laws seems to have no end. Why?

Spiritual growth

To understand biblical law, we must begin by understanding the concept of spiritual education and growth. Throughout the Bible, we are admonished to grow spiritually. Peter concludes his second epistle with this challenge: “But grow in the grace and knowledge of our Lord and Savior Jesus Christ” (2 Peter 3:18).
Human attitudes toward God’s law run the gamut. One way to view spiritual growth is as a four-stage process that shows one’s change in approach to God’s law:
  1. Anarchy and lawlessness: For many, this is the starting point, where there is little understanding of God’s laws or desire to obey them.
  2. Blind obedience: This is the point where we come to realize that God has laws that should be obeyed, but we lack understanding of why and how to fully fulfill the law.
  3. Informed compliance: This is the stage where we come to a basic understanding of the law and commit ourselves to obeying. (This is often the point where we seek baptism.)
  4. Value-based living: This is the final and lifelong growth stage where we live not only the letter of the law, but the values behind the law.
Perhaps the greatest difficulty is making the transition from stage three to stage four. Jesus made this clear when He admonished the scribes and Pharisees: “Woe to you, scribes and Pharisees, hypocrites! For you pay tithe of mint and anise and cummin, and have neglected the weightier matters of the law: justice and mercy and faith. These you ought to have done, without leaving the others undone” (Matthew 23:23).
Here Jesus drew a line between informed compliance (just obeying the letter of the law) and value-based living (additionally, living the values of the law). Many never make it to this fourth stage, which may partly explain why Jesus said, “For many are called, but few are chosen” (Matthew 22:14).

What is the role of law in spiritual growth?

From a religious perspective, the reason for God’s law is clear. The law shows what is right and wrong in God’s sight. It shows what produces good results and what leads to death. God’s law defines sin (1 John 3:4).
And there is another reason for law. Meditating on the letter of the law can help us learn the underlying values—the spirit of the law. The law represents the desires and values of God.
When I think of the relationship between laws and values, I am reminded of a summer job I had when I was in college. I worked at a large shipyard known for building all types of vessels, from atomic submarines to aircraft carriers.
To ensure quality work, there were myriad work rules, standards and procedures (the laws). But the values were expressed very eloquently by an inscription on a statue of the founder, located at the main entrance to the yard where the majority of the workers passed daily. The inscription read: “We will build good ships, at a profit if we can, at a loss if we must, but we will build good ships.”

Was there a flaw in the law—or the people?

The problem is that laws cannot cover every possibility. Consider the U.S. income tax laws. According to an article in the April 15, 2015, Washington Examiner, the tax code has grown from around 26,000 pages in 1984 to over 74,000 now. Why this incredible growth? It is, in part, an attempt to cover every possible loophole or situation that might occur.
And that is the problem with laws—they cannot be written to cover every situation. Take something as simple as the speed limit law of 70 miles per hour on many open highways. While this is perhaps a safe speed in clear weather, what about in rainy weather? What about during a snowstorm? Under such conditions the value of “drive safely” overrides any speed limit.
Notice how God recognizes this problem. “For if the first covenant had been faultless, then no place would have been sought for a second. Because finding fault with them, He says: ‘Behold, the days are coming, says the LORD, when I will make a new covenant with the house of Israel and with the house of Judah’” (Hebrews 8:7-8, emphasis added throughout).
The fault in the law was not the law itself but the people, who did not see the law as a statement of values but, rather, simply as a set of rules. They didn’t obey them, and they certainly didn’t live their spiritual values.
Verse 10 shows God’s remedy: “For this is the covenant that I will make with the house of Israel after those days, says the LORD: I will put My laws in their mind and write them on their hearts; and I will be their God, and they shall be My people.”
A gift from God—the gift of the Holy Spirit—is needed to understand the values of the law.

The values expressed by the 10 Commandments

Have you ever examined the values expressed by the 10 Commandments? Jesus expressed the overall values clearly when He was asked about which commandment is the greatest. Christ said, “‘You shall love the LORD your God with all your heart, with all your soul, and with all your mind.’ This is the first and great commandment. And the second is like it: ‘You shall love your neighbor as yourself’” (Matthew 22:37-39).
The value of love defines all the commandments. But what about each specific commandment? Are there specific values behind each? Here are some of the values I associate with each commandment, and you can likely come up with different ones and perhaps many more. Some of these are obvious, but others are less so:
1. Do not worship other gods. No one but God is worthy of our worship. When God was freeing the ancient Israelites from slavery, six times He sent Moses with this message to Pharaoh: “Let My people go, that they may serve Me” (Exodus 7:16; 8:1, 20; 9:1; 10:3). Also, at the end of the temptation of Jesus by Satan: “Then Jesus said to him, ‘Away with you, Satan! For it is written, “You shall worship the LORD your God, and Him only you shall serve”’” (Matthew 4:10). Jesus Christ came to serve, and He wants us to learn to serve too (Matthew 20:26-28). A key value I see underlying the First Commandment is service to God.
2. Do not worship idols. No physical image can capture the greatness of the Almighty. Paul expressed a value behind this commandment. “Professing to be wise, they became fools, and changed the glory of the incorruptible God into an image made like corruptible man—and birds and four-footed animals and creeping things” (Romans 1:22-23). I see God telling us don’t be foolish.
3. Don’t take God’s name in vain. This commandment teaches respect for God.
4. Remember the Sabbath and keep it holy. “Surely My Sabbaths you shall keep, for it is a sign between Me and you throughout your generations, that you may know that I am the LORD who sanctifies you” (Exodus 31:13). A value here is sanctification—to be set apart for sacred duty. Do you know what duty God is calling you for?
5. Honor parents. This commandment directly expresses a value: honor. In a broader sense it suggests the value of respect for others, especially family.
6. Don’t murder. Every human life has value. To me, considering Jesus’ commentary in Matthew 5:21-26, this commandment teaches reconciliation and faith in God.
7. Don’t commit adultery. Faithfulness.
8. Don’t steal. This respect for the property of others demonstrates God’s value of justice.
9. Don’t lie. Truth and honesty.
10. Don’t covet. By being content with what we have and not desiring what belongs to others, we learn the values of generosity and unselfishness.

What did Jesus teach?

Just as the Word of God (Jesus Christ before His human birth) appeared on Mount Sinai to give the 10 Commandments to His called-out people, so did Jesus speak from a mountain to His called-out disciples at the beginning of His ministry.
This teaching is now referred to as “The Sermon on the Mount.” In expounding on God’s law, Jesus taught values such as humility, empathy, meekness, seeking righteousness, mercy, purity, peacemaking and enduring persecution with joy, for both righteousness and for Christ’s sake (see Matthew 5:1-12).
As you read the four Gospels, it is clear that Jesus emphasized values. Not in place of the law, but as a complement to the law—the spiritual mind-set necessary to fully obey the intent of God’s law. As He specifically said: “Do not think that I came to destroy the Law or the Prophets. I did not come to destroy but to fulfill” (Matthew 5:17).
What about you? Are you just living the letter of the law? Or are you moving on to live the values of God’s laws as well?