I have been working on this for months. I have let this consume all of my free time since its conception. I have a retarded amount of finished, stable code... I would say that at this point I have accomplished so much that I can easily call this a WIP without anyone being skeptical as to whether it will ever be finished. At this point, if I were to stop, it would result in me chalking the last 3 months of my life up to a complete waste of time writing almost 10,000 lines of unfinished code. I'm not willing to chalk any of my life up to being a waste of anything.
All that being said, I believe I am at a point where I can start sharing the product of my efforts. No, there is nothing to download and that's not really what I mean. What I mean by share (at this point) is to lay it down right here as features get completed and allow everyone to see concrete progress, as well as allow others to include their opinions/knowledge on the various workings of my CMS.
So, what is actually finished:
1) post / reply to / edit / delete text articles
2) upload ANYTHING / edit its information / display it or a link to it (depending on what it is)
3) simple editor with a bbcode system and some fancy javascript features
4) recent media display
5) pagination
6) ranks
7) media library (unfinished but close)
8) views
9) sign in/out/up
10) full and complete database install script (including user permissions)
11) mod_rewritten URLs to path style
12) complete site/database destroy script (mostly to make my life easier while testing)
13) many things (completed and not) already displayed with css & html
That's about the gist for the major stuff. It doesn't sound like a lot until you realize all that I had to do in order to make that stuff happen. Let's just take ranks for example. Below is a little flow chart on all the stuff necessary to just allow someone to increment a rank counter.
1) a user database
2) a rank database
3) sign-up / log-in ability
4) the ability to post something rankable (so a media database)
5) all the SQL that manages the above
6) is the user logged in
7) did the user already vote
8) if 6 & 7 are yes and no - store rank in rank database to record the user's vote
9) increment the media rank_totals (and rank_up columns if an up vote)
10) increment the user rank_totals (and rank_up columns if an up vote)
All of that crap just to add 1 to a count. I assure you it only gets more ridiculous if we start to look at the other stuff. My game plan is to finish the media library functionality and tie it into the media center, then I need to make my video editor (not exactly what you think it is) and my playlist editor. This will put me in a position where all of the core client-side functionality of the site is complete.
From there I will move on to creating the definitive sitephyre media player. This will basically wrap up the entire project from a "for bluntz" standpoint. However, that will just begin the project from a "by me" standpoint.
I will then move on to really complicated shit
1) cached pages
2) style/theme builder
3) page builder
4) never-ending templates
5) adding massive config vars to the config table and their "switch" to the pages
6) implementing oembed
7) implementing ffmpeg (watch out YouTube, I know how you did all this shit)
That's starting to sound like a lot, right? Nope. I mean, yes it is a lot, but ALL of this crap is setting the stage for me to bring all of this to yet another level. We aren't gonna discuss that right now.
Anyway, just like parsing delimiters (which is not dead) I intend to let this thread serve as my progress thread as well as a place for me to "talk out loud" 'til this project is 100% finished, which will actually be never. Understand, I am a programmer. Actually I am a bad ass programmer. This current idea will allow me to work on one project for the rest of my life while still giving me ample room to develop across multiple platforms and in many directions. If you notice, one of my completions above says "upload ANYTHING.." This is not gonna be a YouTube clone or even a respectful nod. I intend to turn this into an entire software company of sorts. This is just the "foundation" for me to expose "my life's work".
Anyhoo, I'll be posting images and stuff in the near future. When I get to "bluntz complete" I'll post even better than that.
Sitephyre WIP thread
Last edited by MadGypsy; 04-04-2013, 01:27 AM.
-
solved
Code:
$hashToStoreInDb = password_hash($password, PASSWORD_BCRYPT, ["cost" => 11]);
$isPasswordCorrect = password_verify($password, $existingHashFromDb);
That cost will actually double the milliseconds from (default) 10 to 20, making brute force attacks painfully slow. Add to that a "you have 3 tries to get your password right" function and now you have all but eliminated a brute force attack possibility.
The end.
Also: I already had a "speedy session" function that doesn't allow you to do anything that would be measured in milliseconds. Brute force attacks were already handled in that regard.
Last edited by MadGypsy; 04-11-2013, 07:10 AM.
-
Actually, I'm going to sleep in 20 minutes and that's how long it will take me to explain this. For those of you that don't know anything about any of this, I will get you up to speed.
AJAX stands for Asynchronous Javascript and XML. Its purpose is primarily to retrieve information without leaving the page. Basically, you make an AJAX request to a remote PHP file, the PHP runs and returns whatever data you told it to to the AJAX request, and with a request handler you can then spit that info onto the page without leaving it. There are other things you can do with AJAX requests but I find this is the most common and it is exactly the functionality that I need to fake.
Now let me explain what my page actually does and I will follow it up with my "fake an AJAX request" solution.
My media center is "one" page. On that page (via tabs) I need to be able to have:
1) edit basic info - let's say you upload an image, this is where you would describe it, add a title, tags, etc
2) video editor - this is where you will be able to take "screenshots" that will act as the thumbs for your video as well as some other simple video related things (like annotations)
3) playlist editor - this is exactly what it says: create/add/delete from/to playlists
You should be able to toggle between any of those without leaving the page. If you know how to program for the web, you are already thinking iframe - bear with me, it isn't that simple.
Now on the right of the page is your entire library (paginated and tabbed by type). You should be able to click ANY element of your library and it:
1) automatically opens in the currently active editor
2) knows that it does not belong in an editor and adjusts - imagine video editor is active and you click an image. Those don't go together and I hate telling the user:
ERROR 500: I am too lazy to make this work better for you
I have (hopefully) brought those that don't understand web programming up to speed, as well as brought everyone up to speed on the current challenge. Now I will explain the solution.
First of all, an iframe is correct. There is no other non-AJAX way to switch between these editors without leaving the page. So, the editors reside in an iframe. However, this still leaves the library, which is not in the iframe, and how do I
a) determine the active editor
b) tell the editor to open the correct piece of media
c) determine if that media is compatible
Let's start with a. The trick is a remote PHP file that delegates what editor will be shown. For instance, instead of targeting the iframe with video_editor.php, I target the iframe with remote_delegate.php?e=video_editor. This would happen when you click the tab that would bring up that editor. remote_delegate.php sets a bunch of session vars if isset($_GET['e']) resolves to true.
That solves 1/3 of the problem. Now we know what the active editor is, but our library was created before that decision was made, so how do I make a link that was already made understand that it needs to go to a certain editor?
The answer is actually pretty simple. The answer is remote_delegate.php. But this time we set a new $_GET: remote_delegate.php?m={MEDIA NAME}. We target the iframe yet again with remote_delegate.php but this time we are GETTING instead of SETTING.
If isset($_GET['m']) resolves to true, then the database is retapped for the info corresponding to that piece of media and it is injected into a list of all open media. The active editor is then refreshed with the new open media list and your library selection becomes the active list selection.
Voila, absolutely fake AJAX requests that do not utilize javascript at all.
Edit: I forgot about the library element/compatibility part, this is super easy. I will explain it in example code.
Code:
if($_SESSION['active_editor'] == 'video' && $extension != 'flv') {
    //switch to a compatible editor
}
That is rudimentary. Technically it would be an array of extensions (cause 'flv' isn't the only supported one) and it would look more like this
Code:
$exts = array('flv','mp4','etc');
if($_SESSION['active_editor'] == 'video' && !in_array($extension, $exts)) {
    //switch to a compatible editor
}
Last edited by MadGypsy; 04-10-2013, 10:37 PM.
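The remote_delegate.php flow described in this post (SET an editor with ?e=, GET a piece of media with ?m=, and fall back to a compatible editor by extension) written out as one script. This is an added example, not the thread's code; the editor names, the $library rows and the extension lists are constructed stand-ins for the real database and editors.

```php
<?php
// Added example, not the thread's code: the remote_delegate.php flow as plain PHP.
// Editor names, $library rows and extension lists are constructed; real code
// would read the library from the media table.
session_start();

// Fixed allow-list of editors and the extensions each one accepts. The
// requested editor is looked up here rather than used as a file name.
const EDITORS = [
    'basic'    => ['jpg', 'png', 'gif', 'flv', 'mp4', 'mp3'],
    'video'    => ['flv', 'mp4'],
    'playlist' => ['flv', 'mp4', 'mp3'],
];

// Constructed stand-in for the media table, keyed by media name.
$library = [
    'holiday.jpg' => ['ext' => 'jpg', 'title' => 'Holiday'],
    'intro.flv'   => ['ext' => 'flv', 'title' => 'Intro clip'],
];

// ?e=<editor> -> SET: remember the active editor for this session.
if (isset($_GET['e']) && array_key_exists($_GET['e'], EDITORS)) {
    $_SESSION['active_editor'] = $_GET['e'];
}
$editor = $_SESSION['active_editor'] ?? 'basic';

// ?m=<media> -> GET: add that media to the open list and make it active.
if (isset($_GET['m']) && isset($library[$_GET['m']])) {
    $name = $_GET['m'];
    $ext  = $library[$name]['ext'];

    // Compatibility check from the post: if the active editor cannot take this
    // media type, switch to the first editor that can instead of failing.
    if (!in_array($ext, EDITORS[$editor], true)) {
        foreach (EDITORS as $candidate => $exts) {
            if (in_array($ext, $exts, true)) {
                $editor = $candidate;
                break;
            }
        }
        $_SESSION['active_editor'] = $editor;
    }

    $_SESSION['open_media'][$name] = $library[$name];
    $_SESSION['active_media']      = $name;
}

// Render the chosen editor with the session's open-media list. Titles are
// escaped because they come from user uploads.
echo '<h1>' . htmlspecialchars($editor) . " editor</h1>\n<ul>\n";
foreach ($_SESSION['open_media'] ?? [] as $name => $row) {
    $mark = ($name === ($_SESSION['active_media'] ?? '')) ? ' (active)' : '';
    echo '<li>' . htmlspecialchars($row['title']) . $mark . "</li>\n";
}
echo "</ul>\n";
```

Loading remote_delegate.php?e=video and then ?m=holiday.jpg in the iframe lands on the basic editor with Holiday marked active, because jpg is not in the video editor's list.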
-
Right now I am focused on getting the actual features complete. For me to go back even in the very end and make my passwords more secure is:
Originally posted by TeaMonster: a doddle
I mean, we are literally talking about 2 very small spots of code - sign up and sign in, and whatever I do in the sign-up spot just needs to be done "backwards" in the sign in spot.
When the time comes for me to be concerned with this, I will study encryption to death and probably go way overboard (as usual). Right now, password encryption is the least of my worries.
The web works by refreshing everything all the time. I have a portion of my CMS that I don't want to refresh, well, ever. I want it to run like an app as opposed to a web page. That doesn't sound like a big deal until I add in this other stipulation - it has to work without AJAX requests.
Why? you may ask. The answer is simple. I do not build programs that can break. This means that the only things I can ever be guaranteed will be supported are HTML and PHP. I can't even be guaranteed that someone will have CSS on in their browser.
This means that everything has to be considered from the perspective of having nothing to work with, yet making everything work. I then build on top of that foundation with the bells and whistles.
So, will I use AJAX for my "app" page? Sure, I just can't rely on that to be what makes the page work, cause all it takes is someone to have javascript turned off and it won't work.
That being said, how do I intend to fake AJAX with nothing but HTML and PHP? The short answer is - I don't know (which is a lie to stop you from asking me all these questions I'm pretending you asked). The long answer is - too long.
-
I recommend whatever can't be brute-force cracked via GPU, hee hee
25 GPUs brute force 348 billion hashes per second to crack your passwords
PHDays - Positive Hack Days: Forgot Your Password? Hash Hacking at PHDays 2012
Last edited by Mindf!3ldzX; 04-10-2013, 07:29 PM.
-
@Spike - I like that. I'm going to work on that concept a bit and see if more can be accomplished with it.
-
Originally posted by TeaMonster: Sorry. Honestly, I feel a bit like an ass
DON'T! I'm not a noob but I certainly don't know everything. Especially in a situation where I am isolating myself from standards and re-inventing the wheel, it can be expected that I am going to make a mistake or use something that is dated. Your input is VALID and I respect it. I am aware of just about every kind of encryption available for PHP and I will be taking your advice and reconsidering how I encrypt my data. Thank you.
@==
I actually do use absolutely equal (===). When I write little examples I don't go to a lot of trouble to make every little nuance identical to my code.
Aside: I'm a "brutal truth" type of individual. Honestly I think I get some sick satisfaction from telling people truths that suck. However, when the tables are turned and the truth is something that sucks for me, I tend to make an example of the situation and instead of crying about it or giving up... I just fix it.
That being said - your blatant honesty was well received. Telling me "everything is going to be OK" is the last thing I want to hear. Especially if it is bullshit.
Last edited by MadGypsy; 04-04-2013, 03:37 PM.
-
sha1(password + accountname + specialmagicvaluepreferablyrandomlygenerated) == "plaintextvalue"
oh, and hash it with some random different string each time they connect.
Including the accountname in the hash means that if someone hacks your server, they can't just see people X, Y, Z all have the same password (and if they hacked a different server, they might already have Y's password and you don't want to let them know that it's equal to X's password...).
Including the specialmagicvaluepreferablyrandomlygenerated value means that they can't use rainbow tables (you can probably just run some weird pseudo random number generator on the account name just to come up with some random string that you know isn't going to be found elsewhere, or meh, hard code it to your domain name or whatever). If they want to find that user's original password, they're going to have to do a lot more work to find it. This basically ensures that other sites are never going to have the same hash for the same user account, so one compromised site (not specifically yours) doesn't leave others open to attack.
Hashing it on the wire with a server-supplied magic cookie ensures that a MITM attacker cannot just replay the same password back to your server, because it changes for each login/whatever.
And yes, md5 has been cracked. Use sha1 or better.
The great thing about standards is not just that there are so many to choose from, but also that other people have already found the bugs in their implementation, and the standards they have created from that implementation ensure that compatible implementations will not suffer from the same mistakes as the standard's creator.
Or in other words, you can learn a lot from standards, even if you don't implement them.
Anyway, it's a satisfying feeling to be able to say "it's all my work", just make sure you're aware of certain best practices even if you don't aim for compatibility/standards.
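The scheme Spike sketches above (sha1 over password, account name and a site-specific value for storage, plus a fresh server-supplied value on every login so a captured answer cannot be replayed) worked through in PHP. This is an added example, not Spike's code; SITE_SECRET is a constructed stand-in for the "specialmagicvalue", sha1 is used because the post names it, and the HMAC step is one concrete way of doing the "hash it with a different string each time" part.

```php
<?php
// Added example, not from the thread. Stored value: sha1(password . account . SITE_SECRET).
// Per login the server issues a random challenge; the client answers with an
// HMAC of it keyed by the stored value. SITE_SECRET is an assumed, constructed value.
const SITE_SECRET = 'constructed-site-secret-change-me';

// Sign-up side: the value that goes into the user row. Note that this value is
// what the client must know to answer a challenge, so the table holding it
// needs the same protection as any password table.
function stored_value(string $account, string $password): string
{
    return sha1($password . $account . SITE_SECRET);
}

// Server: one random challenge per login attempt, never reused.
function new_challenge(): string
{
    return bin2hex(random_bytes(16));
}

// Client: proves it knows the stored value without sending the password.
function client_answer(string $account, string $password, string $challenge): string
{
    return hash_hmac('sha1', $challenge, stored_value($account, $password));
}

// Server: recompute from the stored row and compare in constant time.
function server_check(string $stored, string $challenge, string $answer): bool
{
    return hash_equals(hash_hmac('sha1', $challenge, $stored), $answer);
}

// Constructed walk-through with two accounts that chose the same password.
$db = [
    'alice' => stored_value('alice', 'hunter2'),
    'bob'   => stored_value('bob',   'hunter2'),
];
var_dump($db['alice'] !== $db['bob']);            // bool(true): rows do not reveal the shared password

$c1 = new_challenge();
$a1 = client_answer('alice', 'hunter2', $c1);
var_dump(server_check($db['alice'], $c1, $a1));   // bool(true)

// Next login gets a new challenge; replaying the old answer fails,
// and a wrong password fails too.
$c2 = new_challenge();
var_dump(server_check($db['alice'], $c2, $a1));   // bool(false)
var_dump(server_check($db['alice'], $c2, client_answer('alice', 'nope', $c2))); // bool(false)
```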
-
Yes, I was in fact asking about how you store the authentication details in the database.
MD5 is broken. Horribly so. You should be using something modern like SHA1 (salted, for heaven's sake) or, better yet, bcrypt. At the very least use SHA1 with salts. Unsalted MD5 is so broken you could store the passwords themselves unhashed with no security loss in comparison. Salted MD5 is just a fun little room heater for the aspiring cracker.
If you are writing new software in 2013 and you are using MD5 to hash passwords then you should take a step back, re-evaluate your competence about security and realise that you probably should check out what the other hip web programmers are up to.
Sorry.
Honestly, I feel a bit like an ass but this is important and I cannot let someone do something like this without saying anything.
Btw, be aware that == is kind of a weird operator in PHP and you usually want to use === instead.
-
I want to thank you guys for your interest and feedback. It puts extra fire in me to give it my all and create something unique and excellent.
-
Let me give you an example of "standard" vs my method:
Most sites you sign in and if you are (ex) a mod - YOU ARE A MOD. In other words you have the ability to mod on every page. That is stupid to me.
My method - if you sign-in and you are a mod - you are nothing but a user (like everyone else) until you are on a mod page that users have no access to. There aren't a bunch of mod/admin things programmed into user pages, this means a user could never even see them by accident, cause they aren't there.
Now, you may say, if you are a user even if you are a mod, how do you get to the mod pages? That's a good question and you have to understand something. No individual has personal permissions. There are 5 static user permission types (guest, user, mod, admin, owner) and those types build upon one another.
For instance, if you had ONLY Mod permissions you wouldn't be able to even read the database. I stated this elsewhere on Quakeone but database read is a guest level permission. An (ex) Mod inherits all the permissions equal to and below mod. I guess what I'm trying to say is as your level goes up you are allowed more permissions and none of those permission levels have overlapping permissions. Each one is a set of new liberties.
So, back to the question - everyone is given a level number. THAT is the key. Your level number determines what functionality will appear for you and level is constantly being compared and checked as you navigate from page to page. So, you get to a mod page by having a sufficient level. All this level does is add to your navigation menu. If you want to do mod stuff there is a page for that and you will be vetted upon opening it.
I'm rambling so I'm gonna try to tie this up.
Everything is based on least necessary permissions. If you are a mod watching a video, you are a mod utilizing guest privileges to do so. Even the OWNER is viewing media as a guest, cause that is the least necessary permission to complete that action.
I hope that wasn't too confusing. It's hard for me to type this cause I don't think about this in terms of words. I think of a bunch of boxes and lines of various colors and my brain understands what it all means.
-
1) @chip - no doubt, I will take you up on all of that
2) @Mom - don't judge me entirely by some bad days I was having, bro.
3) @spirit - not in a cookie
*
4) @sylux - thanks
*My current system makes your password basically irrelevant. An identity is created for you and whatever you think your info is, is basically ignored (past sign-in). That data also expires and is recreated anew constantly. I doubt you are asking me how I store passwords in the database, but if you are, the answer is standard MD5 with a
Code:
if(md5(password) == user_pass){ yadda yadda
Not every possible standard was ignored; simple things like a password don't need to be revolutionized. When I said I didn't use standards I was referring more to things like prepared statements and other such core programming.
@Mom - my logo is me being as cheesy as possible. The dragon tail finishes the S and the entire right side of the quake logo is a P
SitePhyre
I know that's dumb. I was goofing off with a "Sitephyre Quake Edition" (LOL) and that's what I drew. Also sitephyre is actually just one word, so basically it doesn't make any sense no matter how you look at it.
Last edited by MadGypsy; 04-04-2013, 12:20 PM.
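The md5(password) == user_pass check quoted in this post, set beside the password_hash()/password_verify() pair from the "solved" post further up, so the two points raised in the thread (unsalted MD5 lets equal passwords show up as equal rows; == on PHP strings is not a safe equality test) can be seen running. This is an added example, not code from the thread; the sample passwords and users are constructed.

```php
<?php
// Added example, not from the thread. Weak check from the post above versus the
// password_hash()/password_verify() pair from the "solved" post. Sample values constructed.

// Weak form: unsalted digest compared with ==.
function weak_login_ok(string $password, string $storedMd5): bool
{
    return md5($password) == $storedMd5;
}

// Hardened form: per-user random salt and work factor handled by password_hash(),
// constant-time comparison handled by password_verify().
function make_hash(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 11]);
}

function login_ok(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// 1) Unsalted md5: two accounts with the same password get identical rows,
//    so a copy of the table shows who shares a password.
$aliceMd5 = md5('correct horse');
$bobMd5   = md5('correct horse');
var_dump($aliceMd5 === $bobMd5);                        // bool(true)
var_dump(weak_login_ok('correct horse', $bobMd5));      // bool(true)

// password_hash() draws a fresh salt on every call, so the stored strings
// differ even though both still verify against the same password.
$aliceHash = make_hash('correct horse');
$bobHash   = make_hash('correct horse');
var_dump($aliceHash !== $bobHash);                      // bool(true)
var_dump(login_ok('correct horse', $bobHash));          // bool(true)
var_dump(login_ok('wrong horse', $bobHash));            // bool(false)

// 2) Why === matters: PHP compares two numeric-looking strings as numbers
//    under ==. A hex digest that happens to read "0e" followed only by digits
//    is such a string, so two different digests of that shape compare equal
//    with == and unequal with ===. password_verify() sidesteps this entirely.
var_dump('0e1234' == '0e5678');                         // bool(true)
var_dump('0e1234' === '0e5678');                        // bool(false)
```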