Fixing update error in eclipse PDT
July 9th, 2007 by Aaron
The last time I downloaded Eclipse PDT for PHP (located at zend.com/pdt), everything was great. That is, until I wanted to run the updates. It stopped with an error and would never update my PDT. Luckily, one of the consultants from (”the triangle”) had the same issues - and he was able to tell me what was up:
Namespacing is important - even in PHP
July 7th, 2007 by Aaron
Perl, Java and XML people are very aware of what a namespace is… even Wikipedia tells us what they are. But certain languages, such as PHP, don’t support namespaces yet. (However, thank you Dmitry for your proposal.) But are namespaces really important? PHP has made it this far without them, so why should you be concerned? Well, let’s see:
AJAX Security Research and Findings - Round 2
July 6th, 2007 by Aaron
Round 2, and the final round, is complete! The previous article here talked about my initial findings. Well, I was able to try some proofs of concept on my JavaScript finding, and I put together our top-level recommendations for (”the triangle”). Let’s see:
First off…
Javascript Object
Well, I had talked about an issue where you could substitute the JavaScript Object across frames. Well, I tried this example. Load up javascripttest.html and click the link. Nope, no dice in IE 6 and 7, FF 1.5 and 2. Whew.
javascripttest.html
<html>
<body>
<script type="text/javascript">
    // Redefine the global Object constructor in the parent document
    function Object() {
        this.hacked = 'test2';
    }
    document.Object = Object;
</script>
<iframe src="http://release.local/test.html"></iframe>
</body>
</html>
test.html
<html>
<body>
<script type="text/javascript">
    // Inside the frame: does either form of object creation pick up
    // the parent document's replaced Object constructor?
    function clicker() {
        var test = {};
        var test2 = new Object();
        alert(test.hacked);
        alert(test2.hacked);
    }
</script>
<a href="#" onclick="clicker()">bleh</a>
</body>
</html>
Yah - not an issue with the main browsers I use. I didn’t try it on other ones though - so it might still be an issue… who knows… I was just curious.
The recommendations
I got together a few of my final recommendations (yes, very devoid of anything worthwhile, heh.) These are my own AJAX recommendations, which I’m going to try to follow too.
My Recommendations
Data Transfer
- Data should be sent according to RFC 2616 with regard to GET and POST.
- Data sent back to the client should always be in XML format, except:
- In cases where JSON is the overall best solution, a JavaScript-based JSON parser should be implemented. eval() should NEVER be used.
- Never pass DOM or JavaScript commands directly.
- In order to preserve separation of view and model, try not to pass any pre-formatted HTML/CSS data.
- AJAX requests should match the security/SSL model of the page they’re on. If the page is SSL, the request must be SSL.
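The JSON point above, worked through as an added example (not code from the original post): a hardened response parser built on the native JSON.parse that browsers now ship, which fills the role of the "JavaScript-based JSON parser" the post asks for, next to the eval() shortcut it warns against. The content-type check is an extra check of my own, and the response strings are constructed sample data.

```javascript
// Added example, not from the original post. Hardened parser: only accepts
// a JSON body and only a top-level object, so a response can never execute
// code or smuggle in an array or primitive where an object is expected.
function parseAjaxResponse(contentType, body) {
  if (!/^application\/json\b/.test(contentType || '')) {
    throw new Error('unexpected content type: ' + contentType);
  }
  const data = JSON.parse(body); // throws SyntaxError on anything that is not JSON
  if (data === null || typeof data !== 'object' || Array.isArray(data)) {
    throw new Error('response is not a JSON object');
  }
  return data;
}

// Legacy shortcut, the thing "eval() should NEVER be used" refers to: the body
// is handed to the JavaScript engine, so any expression inside it runs.
function parseWithEval(body) {
  return eval('(' + body + ')');
}

// Constructed sample responses. The second is valid JavaScript but not JSON:
// the parenthesised comma expression sets a flag as a side effect.
const GOOD_RESPONSE = '{"status":"ok","items":[1,2,3]}';
const TAMPERED_RESPONSE = '{"status":(globalThis.sideEffectRan = true, "ok")}';

// Runs both parsers over both responses and reports what happened.
function demo() {
  const results = {};
  results.good = parseAjaxResponse('application/json; charset=utf-8', GOOD_RESPONSE).status;

  globalThis.sideEffectRan = false;
  try {
    parseAjaxResponse('application/json', TAMPERED_RESPONSE);
    results.hardenedRejected = false;
  } catch (e) {
    results.hardenedRejected = e instanceof SyntaxError; // JSON.parse refuses it
  }
  results.hardenedRanCode = globalThis.sideEffectRan; // stays false

  globalThis.sideEffectRan = false;
  parseWithEval(TAMPERED_RESPONSE);
  results.evalRanCode = globalThis.sideEffectRan; // true: the response ran code
  return results;
}
```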
AJAX Processing Script Security
- An initial token should be initialized and used in every AJAX request. The script should exit immediately if no token is present. A new token does not need to be generated for each request.
- Any error checking and validation should be done before the script begins actually processing or including any additional files. Due to the frequency of these requests, do not include additional files until all tests have passed.
- If a test requires an included file to validate the data, it is permissible to skip this step if an error condition already exists. In this case, the error(s) will be returned to the client without the additional validation.
- If modifying the PHP session, program around conditions that additional asynchronous requests may be modifying the session as well.
AJAX Component Initialization
- Generally, only two AJAX request objects should be initialized on a page at any time: the general worker object and the immediate response object. Do not initialize the immediate response object if it is not needed.
- All non-time-critical responses should be added to a cache and then processed FIFO.
- Time-critical responses should create their own object. With proper planning, there should never be more than one time-critical method executing at once.
User Interface
- Always give a visual cue when an AJAX function is activated via a user action. This helps reduce confusion as to why there may be a delay.
- Only two states are needed - the init and the end state - to provide cues. It is not necessary to change state for each response/state type.
- Plan for remote script timeouts and display user friendly notifications.
- If a script times out, every effort should be made to keep the user from invoking that script again. In our environment, a timed-out script most often reflects additional issues that a retry will not fix.
Miscellaneous Notes
- The JavaScript Object() overwrite vulnerability existed in certain versions of IE and Firefox but was patched. There appears to still be an issue with Safari. This could be an issue with these AJAX responses. It’s been tested on the browsers that we officially support and is not an issue.
- The recommended library to use for AJAX requests and effects is script.aculo.us, which extends Prototype. The Yahoo UI libraries are a secondary choice at this time.
Highlighting Source Files
July 6th, 2007 by Aaron
I have been writing code snippets in this WordPress blog a lot - and I wanted to possibly have the code highlighted. One of the things I’ve noticed with code highlighting plugins is that the code has to be valid (I’ve posted invalid PHP because stupid WordPress kept eating it) or of one type (I post JavaScript/HTML combinations, with ellipses and such…), and so I finally decided not to highlight my code - unless I could find a really cool code highlighting plugin. But along the way, I discovered some really cool tools that might be useful.
Real world stories of a prepared statement
July 6th, 2007 by Aaron
A couple of months ago, I was out in Rochester, MN at IBM for a multi-day meeting about communication between the iSeries (System i, i5, AS/400, whatever it’s called nowadays) and PHP/Apache. One of the things we talked about was our current use of ODBC at (”the triangle”), to which they asked a good question - are we using prepared statements over ODBC? Well, right now we’re not, but I think we should. As always, it’s up to me to show why we should be doing this. Let’s explore:
When your linkd causes you problems, you must convertd it!
July 6th, 2007 by Aaron
For the setup I use at (”the triangle”), I have a lot of filesystem links - and these are made on win32 with the linkd.exe command (the version I got is from the Windows 2000 resource CD). When I start a new project, I pass into my script which directories I’d like to make and check out code into, and which I’d rather just linkd to. Well, every once in a while a link’d folder needs to be a real folder. So, since I’m a lazy programmer, I made a script called ‘convertd’ which will unlink the folder and then make the folder. Chalk one up to efficiency by batch programming? Let’s see:
Send e-mail from outlook using PHP
July 6th, 2007 by Aaron
While working on some code at (”the triangle”), I ran into some issues with the mail() function. On our Linux QA and production servers, we can use the mail() function no problem - but on my development platform, Windows XP, I cannot with our current configuration. Normally, you can put the SMTP server in the php.ini file, but our setup doesn’t allow this. We have an Exchange server whose relay settings restrict it to a few IPs within our organization. Our development boxes are on the same subnet as everyone else’s, therefore using the same DHCP pool. Because of security issues, networking doesn’t want to open up the relay to that subnet block, which is smart. However, they didn’t want to give me a static IP on a different subnet, and they didn’t want to take my suggestion of reserving a pool for our dev boxes (why not? grrrr…). At any rate, we do use Outlook with our Exchange - so why not use PHP to send it out through Outlook? Let’s see how:
PHP Script Installer
July 6th, 2007 by Aaron
A couple of weeks ago I was reading a blog posting about PHP script installing. I don’t remember the exact context of the article (or where it was, for that matter - otherwise I’d link to it!), but I had suggested someone make a PHP script packager - an all-in-one file to install a PHP project.
Well, just to prove it was possible, I decided to code it up today. It does the job exactly as expected. Let’s find out more about it:
Unobtrusive JS to stop form submission
July 5th, 2007 by Aaron
On one of the sites at (”the triangle”), one of the programmers on my team had this strange attachment to the Yahoo User Interface libraries - but I guess that was a good thing, as it taught him a good lesson: use unobtrusive JavaScript. Recently, I had to go through and clean up some of the code (and do a security audit), and I discovered his usage of the YUI library functions. I was particularly impressed with his usage of the onclick handler for some radio buttons we had and how he was able to send an array of their IDs to the function. Pretty sweet stuff. However, there was one area where he wasn’t following the unobtrusive paradigm. I took a quick glance at it - and fell for the same shortcoming. We were using a return function() on our form submissions.
Such good progress on separation of logic and markup, until now. Well, I wasn’t going to let this one sit. While I can’t make the changes to this code now (the site is in QA/integration), I can detail how I would fix it… here’s how:
Security Issue with Subversion Deployment?
July 4th, 2007 by Aaron
I use Subversion (SVN) for source control and deployment, both for JEMDiary and at (”the triangle”). While working on my local copy of one of the websites, I got to thinking about the .svn folder and all of its files. The .svn folder is a local cache/db of the file changes, in order to support diffs and reverts and to give cues about file changes and the need to commit. I started poking around inside of the folder - and discovered the text-base folder. Inside of there, every one of my recently changed files was present with an extension of .svn-base. Could this be a security issue - was I showing my code to the whole world? Let’s figure this out:
