Demonstrating Password Manager Almost Vulnerability in FireFox

July 28th, 2007 by Aaron

The “security guys” have been talking about the problems with FireFox’s password manager and I got curious. It turns out that JavaScript can read saved passwords from your password manager simply by creating a login form and capturing the input field’s contents once the browser fills them in. While this isn’t necessarily a vulnerability in FireFox, it does suck! The biggest attack vector is websites that allow user-submitted content and have script injection holes. Basically, if a third party can create a form and insert some JavaScript on the page, the browser treats that form as a legitimate part of the site and fills in the stored credentials. Let’s check out a proof of concept:

Continue reading Demonstrating Password Manager Almost Vulnerability in FireFox


Is it better to write your ‘for’ loops backwards in PHP?

July 27th, 2007 by Aaron

After listening to a JavaScript internals optimization talk, I wanted to see how these concepts could relate to PHP. The biggest thing that stuck out to me was the order of the for loops in JavaScript. According to the talk, loops written backwards (using the decrement operator instead of the increment one…) were a lot faster. They said comparing a value to zero was faster than comparing a value to another value, and with the backward loop you are always comparing to zero. I decided to try these tests in PHP:

Continue reading Is it better to write your ‘for’ loops backwards in PHP?


The Perils of the AT in PHP

July 27th, 2007 by Aaron

A lot of weird things have been happening ever since we introduced a new error handler at (“the triangle”). First of all, it took down our whole site for a good portion of time (oops!), then it created a large project for us to review our code. Turns out a lot of the errors were just weird little things that we had been ignoring. However, there were a few times where the @ operator (http://us3.php.net/manual/en/language.operators.errorcontrol.php) was a huge problem. I, for one, don’t think that the @ operator should ever be used again. Let me detail what it does and why I don’t think we should use it:

Continue reading The Perils of the AT in PHP
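One way to see what @ does to a custom error handler, as an added example that is not the post’s own code: the handler is still called for a suppressed expression, but error_reporting() inside it returns a reduced value (0 on PHP 5 and 7, a small fixed mask on PHP 8), so a handler that follows the usual “not reported, so ignore it” idiom silently swallows whatever @ covered. The missing config path is a constructed input.

```php
<?php
// Added example (not the post's own code): what a custom error handler sees
// when the failing expression was prefixed with @.
declare(strict_types=1);

function handler(int $errno, string $errstr, string $errfile, int $errline): bool
{
    // Under @, error_reporting() is temporarily lowered: 0 on PHP 5/7, a fixed
    // mask without E_WARNING/E_NOTICE on PHP 8. The usual idiom is to return here
    // and drop the error entirely; that is exactly how @ hides real failures.
    if ((error_reporting() & $errno) === 0) {
        // Log it anyway so suppressed errors are still visible somewhere.
        error_log(sprintf('suppressed: [%d] %s at %s:%d', $errno, $errstr, $errfile, $errline));
        return true;
    }
    // Not suppressed: turn the error into an exception the caller has to handle.
    throw new ErrorException($errstr, 0, $errno, $errfile, $errline);
}
set_error_handler('handler');

// Constructed input: a config file that does not exist.
$cfg = @file_get_contents('/nonexistent/app.ini'); // warning suppressed, $cfg === false
var_dump($cfg);                                     // bool(false), script keeps going

try {
    $cfg = file_get_contents('/nonexistent/app.ini'); // same warning, now an exception
} catch (ErrorException $e) {
    echo 'caught: ', $e->getMessage(), "\n";
}
```

The first call returns false and the script continues as if nothing happened, which is the behaviour the post complains about: with @ in front, the only trace of the failure is the error_log() line the handler chose to write.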


Force Log Messages using Tortoise SVN

July 25th, 2007 by Aaron

Everyone knows that standard SVN has its list of 6 or 8 standard hooks - but what if you’re 1) lazy, 2) busy, or 3) don’t have access to the SVN server? Using one of the popular win32 shell-integrated SVN clients, TortoiseSVN, we can still force commit log messages easily:

Continue reading Force Log Messages using Tortoise SVN


How to use PHP to generate downloadable content

July 22nd, 2007 by Aaron

I was looking at some code I had written about 3 years ago - how sad! I was creating a PDF of my resume using PHP to grab my qualifications out of a database. Unfortunately, I never looked into PHP’s header() function, so I made my job harder. Instead of serving the PDF from a .php file, I wrote the PHP script and then renamed it to a .pdf file, and modified my .htaccess file to process that one particular file as a PHP script. This way, the file executed as PHP but was MIME-typed as a PDF.

Instead, I should have done it the smart way - with the proper use of header().

header('Content-type: application/pdf');
header('Content-Disposition: attachment; filename="filename.pdf"');

Of course, check out and read the entire header manual page for more.
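As an added example (not the post’s own code), here is a small download handler built around those two header() calls, with the checks you want when the filename comes from the request: the files live in a directory outside the web root (the DOWNLOAD_DIR path is an assumption), the requested name is confined to that directory, and the value placed in Content-Disposition is filtered so it cannot carry quotes or line breaks.

```php
<?php
// Added example (not the post's own code): serve a file as a download with
// proper headers instead of renaming a .php script to .pdf.
declare(strict_types=1);

// Hypothetical directory holding the downloadable files, outside the web root.
const DOWNLOAD_DIR = __DIR__ . '/../private/downloads';

function sendDownload(string $requestedName): void
{
    // Drop any directory component so "../../etc/passwd" cannot leave DOWNLOAD_DIR.
    $safeName = basename($requestedName);
    $base = realpath(DOWNLOAD_DIR);
    $path = realpath(DOWNLOAD_DIR . '/' . $safeName);

    // realpath() resolves symlinks too, so also confirm the result is still inside $base.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0
        || !is_file($path)) {
        http_response_code(404);
        exit('Not found');
    }

    // Restrict the name used in the header to a conservative character set:
    // quotes would break the quoted-string, CR/LF would start a new header line.
    $headerName = preg_replace('/[^A-Za-z0-9._-]/', '_', $safeName);

    header('Content-Type: application/pdf');
    header('Content-Disposition: attachment; filename="' . $headerName . '"');
    header('Content-Length: ' . (string) filesize($path));
    header('X-Content-Type-Options: nosniff'); // don't let the browser second-guess the type

    readfile($path);
    exit;
}

// Constructed usage: /download.php?file=resume.pdf
sendDownload($_GET['file'] ?? 'resume.pdf');
```

Content-Length lets the browser show a real progress bar, and nosniff stops it from reinterpreting the body as HTML if a user manages to upload something that is not a PDF into the download directory.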


Symbolic Linking in Windows?

July 21st, 2007 by Aaron

Be careful! Those of you who are trying to emulate a symbolic link in Windows have probably come across the Windows Resource Kit tool linkd.exe. This creates junction points on the file system. However, before you have to find out the hard way, here’s my reminder… junction points are more akin to hard links than symbolic links: if you delete a junction point, it deletes the target as well!


Master the ‘Run As’ option in Eclipse PDT with PHP

July 21st, 2007 by Aaron

Most of my development is done in Eclipse PDT, with the results tested outside of it - in Firefox. PDT has a few options in the Run… menu:

  • PHP Script
  • PHP Webpage
  • Web Browser

So, let’s take some time to look into how each one of these works, what their configurations are, and what the benefit of using one over the others might be.

Continue reading Master the ‘Run As’ option in Eclipse PDT with PHP


When is a PHP array not an array?

July 21st, 2007 by Aaron

Arrays, return variables, expressions, OH MY! I recently learned a lesson about array functions in PHP not returning what I thought they would. I had a function that returned the value of array_shift()… and then used it in another function. Unfortunately, this generated a strict error and was causing some issues… As usual, I put together a proof of concept. Let’s check out the code example, the error, and then why:

Continue reading When is a PHP array not an array?
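The situation the post describes, as an added example that is not the post’s own proof of concept: array_shift() takes its argument by reference, so handing it a function’s return value (a temporary, not a variable) raises “Only variables should be passed by reference”. The queue() function and its contents are constructed sample data.

```php
<?php
// Added example (not the post's own code): by-reference array functions
// need a variable, not an expression or a function's return value.
declare(strict_types=1);

set_error_handler(function (int $errno, string $errstr): bool {
    // On PHP 5 this arrives as E_STRICT, on PHP 7+ as E_NOTICE.
    echo 'handler: ', $errstr, "\n";   // Only variables should be passed by reference
    return true;
});

function queue(): array
{
    return ['first', 'second', 'third'];   // constructed sample data
}

// Wrong: array_shift() wants a reference, but queue() returns a temporary.
// The call still yields 'first', but PHP reports the misuse.
$head = array_shift(queue());
var_dump($head);

// Right: store the return value in a variable, then shift that variable.
$items = queue();
$head = array_shift($items);
var_dump($head, $items);   // 'first', then ['second', 'third']
```

The fix is not to silence the error but to keep the array in a variable, which also makes it obvious which copy of the array was shortened.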


A reminder about triggering errors not in the USER level

July 21st, 2007 by Aaron

I had a function in some of my code that I wanted to trigger a notice error on certain occasions. Unfortunately, it kept halting my script with a Warning instead. Worse, the error handler at that particular block of code was not properly capturing the error string. It turns out that I was triggering an E_NOTICE instead of an E_USER_NOTICE error… (if I had reviewed the trigger_error manual page, I wouldn’t have made this mistake… silly, lazy developer). Just to make sure that I fully understood this issue and hopefully wouldn’t make the same mistake again, I made a quick proof of concept:

Continue reading A reminder about triggering errors not in the USER level
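The mistake and the fix side by side, as an added example rather than the post’s own proof of concept: trigger_error() only accepts the E_USER_* levels, so passing E_NOTICE is itself an error. PHP 5 and 7 report “Invalid error type specified” as an E_WARNING and the call returns false; PHP 8 throws a ValueError. The setting name is a constructed input.

```php
<?php
// Added example (not the post's own code): E_NOTICE vs E_USER_NOTICE in trigger_error().
declare(strict_types=1);

set_error_handler(function (int $errno, string $errstr): bool {
    $names = [
        E_WARNING      => 'E_WARNING',
        E_NOTICE       => 'E_NOTICE',
        E_USER_WARNING => 'E_USER_WARNING',
        E_USER_NOTICE  => 'E_USER_NOTICE',
    ];
    echo 'handler got ', $names[$errno] ?? (string) $errno, ': ', $errstr, "\n";
    return true;
});

function warnMissingSetting(string $key): void
{
    // Correct: a user-level notice; the handler receives it as E_USER_NOTICE.
    trigger_error("setting '$key' not found, using default", E_USER_NOTICE);
}

warnMissingSetting('timeout');

// The mistake from the post: a core level passed to trigger_error().
// PHP 5/7: the handler gets E_WARNING "Invalid error type specified", not our text.
// PHP 8: the call throws before any handler runs.
try {
    trigger_error("setting 'timeout' not found, using default", E_NOTICE);
} catch (ValueError $e) {
    echo 'ValueError: ', $e->getMessage(), "\n";
}
```

This is why the post’s handler never saw the intended message: the text it received was PHP’s complaint about the level argument, not the string passed to trigger_error().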


PHP developer’s shortcut for optimizing mysql

July 21st, 2007 by Aaron

PHP developers, raise your hand if you run an EXPLAIN on each MySQL statement you write and use in your apps! Anyone? Ok… 1… 2… that’s it? Yah, I tend to forget that too, but luckily PHP allows us to cheat. Thanks PHP!

The ini directive mysql.trace_mode will generate errors on unoptimized MySQL queries (i.e., table scans, etc.). Combined with my new error monitoring Eclipse tool, this has been saving me tons of time. It won’t solve your issue or run an EXPLAIN for you, but it will tell you if MySQL is reporting an issue with your query. Of course, you’d NEVER turn this on for production. heh.


©2008 102 Degrees LLC - All Rights Reserved