Comments for PHP++ http://www.rhapsody.intheblackbox.com/blog when you occasionally dream of tetris Mon, 06 Sep 2010 09:42:44 +0000 http://wordpress.org/?v=2.7.1 hourly 1 Comment on Dynamically Generated Greasemonkey Scripts by Geekfish http://www.rhapsody.intheblackbox.com/blog/?p=28&cpage=1#comment-310 Geekfish Mon, 08 Feb 2010 12:40:19 +0000 http://www.rhapsody.intheblackbox.com/blog/?p=28#comment-310 @Kano I'm glad this finally helped someone :) @darasion Chrome might be trying to do the same work as Greasemonkey, but it most likely has differences in the way it treats the scripts. I'd be interested to know why it doesn't work, and will most certainly update this post if I have to time to look into it. I hope you find the solution. @Kano
I’m glad this finally helped someone :)

@darasion
Chrome might be trying to do the same work as Greasemonkey, but it most likely has differences in the way it treats the scripts. I’d be interested to know why it doesn’t work, and will most certainly update this post if I have to time to look into it.
I hope you find the solution.

]]> Comment on Dynamically Generated Greasemonkey Scripts by darasion http://www.rhapsody.intheblackbox.com/blog/?p=28&cpage=1#comment-309 darasion Mon, 08 Feb 2010 12:17:09 +0000 http://www.rhapsody.intheblackbox.com/blog/?p=28#comment-309 Does not work in google chrome. Does not work in google chrome.

]]> Comment on Juggling routines by jordan taylor http://www.rhapsody.intheblackbox.com/blog/?p=66&cpage=1#comment-304 jordan taylor Sat, 30 Jan 2010 21:19:23 +0000 http://www.rhapsody.intheblackbox.com/blog/?p=66#comment-304 thanks he is real good.... but could be much beter if all done smaller lol thnx thanks he is real good…. but could be much beter if all done smaller lol thnx

]]> Comment on Dynamically Generated Greasemonkey Scripts by Karlo http://www.rhapsody.intheblackbox.com/blog/?p=28&cpage=1#comment-284 Karlo Tue, 22 Dec 2009 13:38:36 +0000 http://www.rhapsody.intheblackbox.com/blog/?p=28#comment-284 Thanks a heap, you saved my day. That's the solution i was looking for the last days... Thanks a heap, you saved my day. That’s the solution i was looking for the last days…

]]> Comment on About by Gatoni http://www.rhapsody.intheblackbox.com/blog/?page_id=4&cpage=1#comment-157 Gatoni Wed, 25 Mar 2009 22:35:52 +0000 http://www.rhapsody.intheblackbox.com/blog/?page_id=4#comment-157 Congratulations! Nice blog! Why didn´t you tell me about it!? By the way... "Code Monkey" is not something flattering -"code monkeys" are the dudes and dudettes who write tones of simple and boring code -usually the most simple parts of a project: "The term code monkey generally refers to a computer programmer or other person who writes computer code for a living. More specifically, it refers to a person only capable of grinding out code, but unable to perform the more intellectually complex tasks of software architecture, analysis, and design. The term is thus considered mildly insulting, and is often applied to the most junior people on a programming team." You're not a code monkey, Woman! ;) Congratulations! Nice blog! Why didn´t you tell me about it!?

By the way… “Code Monkey” is not something flattering -”code monkeys” are the dudes and dudettes who write tones of simple and boring code -usually the most simple parts of a project:

“The term code monkey generally refers to a computer programmer or other person who writes computer code for a living. More specifically, it refers to a person only capable of grinding out code, but unable to perform the more intellectually complex tasks of software architecture, analysis, and design. The term is thus considered mildly insulting, and is often applied to the most junior people on a programming team.”

You’re not a code monkey, Woman! ;)

]]> Comment on To GET or to POST? Edit: Deezer.com example by dionyziz http://www.rhapsody.intheblackbox.com/blog/?p=15&cpage=1#comment-138 dionyziz Tue, 10 Feb 2009 18:22:52 +0000 http://www.rhapsody.intheblackbox.com/blog/?p=15#comment-138 It's awesome (even though I use RSS :-)) It’s awesome (even though I use RSS :-))

]]> Comment on To GET or to POST? Edit: Deezer.com example by Geekfish http://www.rhapsody.intheblackbox.com/blog/?p=15&cpage=1#comment-116 Geekfish Sat, 31 Jan 2009 11:22:02 +0000 http://www.rhapsody.intheblackbox.com/blog/?p=15#comment-116 heheh, right, it's a stupid-get-usage-issue :P Actually I never really liked email confirmation for this type of sites, it just slows you down. Especially if the mail goes to spam for some reason, or doesn't get delivered at all. Or/And if you have to put unreadable Captchas, The Deezer guys didn't answer me actually when I told them, and took them quite a while (years? :P) to "fix" this. (how do you like the new blog theme btw? ^^) heheh, right, it’s a stupid-get-usage-issue :P
Actually I never really liked email confirmation for this type of sites, it just slows you down. Especially if the mail goes to spam for some reason, or doesn’t get delivered at all. Or/And if you have to put unreadable Captchas, The Deezer guys didn’t answer me actually when I told them, and took them quite a while (years? :P) to “fix” this.

(how do you like the new blog theme btw? ^^)

]]> Comment on Non Compatible by Geekfish http://www.rhapsody.intheblackbox.com/blog/?p=22&cpage=1#comment-115 Geekfish Sat, 31 Jan 2009 10:58:01 +0000 http://www.rhapsody.intheblackbox.com/blog/?p=22#comment-115 It's because I moved the blog from the wordpress server. I'm searching for those images/videos I had, cause I'd made a whole series of them :( It’s because I moved the blog from the wordpress server. I’m searching for those images/videos I had, cause I’d made a whole series of them :(

]]> Comment on Non Compatible by dionyziz http://www.rhapsody.intheblackbox.com/blog/?p=22&cpage=1#comment-114 dionyziz Sat, 31 Jan 2009 09:56:34 +0000 http://www.rhapsody.intheblackbox.com/blog/?p=22#comment-114 404's :-( 404’s :-(

]]> Comment on To GET or to POST? Edit: Deezer.com example by dionyziz http://www.rhapsody.intheblackbox.com/blog/?p=15&cpage=1#comment-113 dionyziz Sat, 31 Jan 2009 09:53:05 +0000 http://www.rhapsody.intheblackbox.com/blog/?p=15#comment-113 The Deezer.com issue is not really a GET/POST issue. They should be using GET indeed to verify your e-mail address (as there is no other technical way of having you open POST links in e-mails). Furthermore, even if it were POST, it wouldn't have solved the problem, as one could easily craft a POST request to their page by simply incorporating a custom HTML form. The correct way of solving this would be to generate a random hash for every user account (for example a 32-character-long hex string) that would be passed as a parameter along with the e-mail address in the link. That way, if you don't get the e-mail, you won't be able to know the secret hash, and hence won't be able to fake an e-mail validation. Seems like Deezer.com has read your blog post and fixed the issue, but they fixed it wrong. The confirmation link now looks like this: http://www.deezer.com/confirm.php?email=ZGlvbnl6aXpAZ21haWwuY29t&c=1 Security through obscurity! Any geek would easily be able to find that this is a base64-encoded e-mail address; how lame. Apparently they don't realize that encrypting the e-mail address won't help them, as one can easily decrypt any kind of encryption since they're able to have access to as large a dataset they like (by making as many accounts as they like). The only way to solve this properly is through a hash. dionyziz@orion:~$ php -r "echo base64_decode( 'ZGlvbnl6aXpAZ21haWwuY29t' );" dionyziz@gmail.com So yeah. Thanks for the post! I'll also let the Deezer.com guys know about the second security issue. The Deezer.com issue is not really a GET/POST issue. They should be using GET indeed to verify your e-mail address (as there is no other technical way of having you open POST links in e-mails). Furthermore, even if it were POST, it wouldn’t have solved the problem, as one could easily craft a POST request to their page by simply incorporating a custom HTML form.

The correct way of solving this would be to generate a random hash for every user account (for example a 32-character-long hex string) that would be passed as a parameter along with the e-mail address in the link. That way, if you don’t get the e-mail, you won’t be able to know the secret hash, and hence won’t be able to fake an e-mail validation.

Seems like Deezer.com has read your blog post and fixed the issue, but they fixed it wrong. The confirmation link now looks like this:

http://www.deezer.com/confirm.php?email=ZGlvbnl6aXpAZ21haWwuY29t&c=1

Security through obscurity! Any geek would easily be able to find that this is a base64-encoded e-mail address; how lame. Apparently they don’t realize that encrypting the e-mail address won’t help them, as one can easily decrypt any kind of encryption since they’re able to have access to as large a dataset they like (by making as many accounts as they like). The only way to solve this properly is through a hash.

dionyziz@orion:~$ php -r “echo base64_decode( ‘ZGlvbnl6aXpAZ21haWwuY29t’ );”
dionyziz@gmail.com

So yeah. Thanks for the post! I’ll also let the Deezer.com guys know about the second security issue.

]]>