Finally - PHP has NoIndex on phpinfo output
June 4th, 2008 by Aaron
Security Issue?
A long-standing PHP security issue has been developers creating a phpinfo page and then not removing it from a production site. As you may know, phpinfo() dumps a ton of useful information (for the developer, as well as for the cracker) to the screen:
<?php phpinfo(); ?>
I can’t imagine how many versions of that are out on various servers…
Actually, let’s take a look with this Google query…
More than a million results (granted, they’re not all phpinfo() calls… but it gives you a good idea…)
There is Hope
With the release of PHP 5.2.1, phpinfo() now outputs the following meta tag:
<meta name="ROBOTS" content="NOINDEX,NOFOLLOW,NOARCHIVE" />
This will slowly but surely stop compliant robots (Google, Yahoo… not crackerMcCrackenstein.com) from archiving these pages… yes!
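Where a phpinfo page has to stay reachable at all (an older PHP without the tag, or a page you cannot delete yet), the meta tag should not be the only control. This is an added example, not code from the post; APP_ENV is an assumed environment variable name for marking production hosts.

```php
<?php
// Added example (not from the post): a guarded phpinfo page. The meta tag only
// keeps well-behaved crawlers away; the controls below keep everyone else away.
// APP_ENV is an assumed variable name for marking production hosts.

// 1. Production never serves phpinfo(), regardless of who asks.
if (getenv('APP_ENV') === 'production') {
    header('HTTP/1.1 404 Not Found');
    exit;
}

// 2. Elsewhere, answer only the local machine: phpinfo() reveals file paths,
//    loaded modules, ini settings and environment variables.
$allowed = array('127.0.0.1', '::1');
if (!isset($_SERVER['REMOTE_ADDR']) || !in_array($_SERVER['REMOTE_ADDR'], $allowed, true)) {
    header('HTTP/1.1 403 Forbidden');
    exit;
}

// 3. The header form of the NOINDEX meta tag, for PHP versions before 5.2.1
//    and for clients that never parse the HTML <meta> element.
header('X-Robots-Tag: noindex, nofollow, noarchive');
header('Cache-Control: no-store');

phpinfo();
```

On servers where nobody should ever call it, `disable_functions = phpinfo` in php.ini goes further and makes the call itself fail.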
PHP Script Configuration Class with Logic built in
June 2nd, 2008 by Aaron
Sometimes we have static configuration options, such as the name of the company or the location of a particular partner’s website. Other times, there are more dynamic configuration options - such as the current location’s URL or database connection credentials.
For this article, I wanted to build on my previous article here, and make a config class that could still get all of this information from a static method, while making decisions to create accurate config options.
Continue reading PHP Script Configuration Class with Logic built in
PHP Script Configuration Options - Class Constants or MySQL
May 31st, 2008 by Aaron
I’m trying to figure out the best way to do configuration options for my newest PHP scripts that I’m working on. My requirements are simple:
1) You cannot change the config option once it is loaded
2) The options are easy to modify quickly
3) Must call a method to get values, whether or not they’re available globally (this is just in case I want to change the logic in the future)
Non-Requirements:
1) Does not need to make dynamic configuration options or choose configuration options based on logic (i.e., one MySQL credential for LIVE vs. another for development)
With this in mind, let’s figure out what may work best:
Continue reading PHP Script Configuration Options - Class Constants or MySQL
PHP application plugins - force the interface
May 27th, 2008 by Aaron
The other day I was experimenting with some PHP plugin scripts and trying to develop my own robust plugin system. I started thinking: how can I guarantee that a 3rd party developer sticks to my plugin standards?
Well the obvious answer is an interface. But, I wanted to make sure that their plugin actually implemented it.
Enter instanceof
I had previously only thought of instanceof as a way to verify whether an object was of a specific class - but it extends to interfaces as well. Let’s check out my test code here:
<?php
interface pluginInterface {
    public function update();
}

class thirdPartyPlugin implements pluginInterface {
    public function __construct() {
        print 'constructed';
    }

    public function update() {
        print 'update ran';
    }
}

$a = new thirdPartyPlugin();
if ($a instanceof pluginInterface) {
    print 'is good';
} else {
    print 'discard me.';
}
The first section is the plugin interface. For our example, I’m making a very simple interface: all plugins must have a method called update().
Next, we have the third party plugin which implements pluginInterface. It has the update method - as well as any other methods.
Finally, our plugin loader makes a new instance of the plugin and then verifies that it is of type pluginInterface. This makes sure that the third party plugin we loaded actually implements our interface. In this code, if you were to remove ‘implements pluginInterface’ from thirdPartyPlugin, the ‘instanceof’ check would fail and print ‘discard me’.
Make the parameters in the Interface more exacting
So, let’s say that every single update() method should do something to the object ‘testObject’. With this modified code, I make sure that the update() method of the 3rd party plugin expects its first parameter to be a testObject. If the type of the object in the declaration does not match the interface exactly, it will fail. (Note: the parameter’s variable name does NOT need to match.)
See the code:
<?php
interface pluginInterface {
    public function update(testObject $tO);
}

class thirdPartyPlugin implements pluginInterface {
    public function __construct() {
        print 'constructed';
    }

    public function update(testObject $object) {
        print 'update ran';
    }
}

class testObject {}
Can this help with security?
Sure! Think about this: you install a 3rd party plugin, but you don’t have time to review all of its code line by line. OK - so this malicious 3rd party plugin now wants to access your database connection and drop all of your records. It expects the database connection to be passed into its update function… so it defines the function like this:
public function update(testObject $object, $dbConnection)
Well, sure enough, this will fail as well - you must match the interface EXACTLY.
Note: I’m not advocating that this is your only security measure in your application. There are other ways for 3rd party plugins to take advantage of your system - but as a responsible developer, you should make multiple layers of security.
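One thing the loader above does not cover: `new thirdPartyPlugin()` runs the plugin’s constructor before instanceof gets to look at the object. This added example (my code, not the post’s; the plugin class names are hypothetical) checks the class with reflection first, and also pins the parameter count, since PHP accepts an implementation that appends optional parameters.

```php
<?php
// Added example, not the post's code: validate a plugin class against the
// interface before it is instantiated, so a plugin that breaks the contract
// never gets to run its constructor. Plugin class names are hypothetical.

interface pluginInterface {
    public function update(testObject $tO);
}
class testObject {}

class goodPlugin implements pluginInterface {
    public function __construct() { echo "goodPlugin constructed\n"; }
    public function update(testObject $o) { echo "update ran\n"; }
}
// Has an update() method but never promised the contract (no "implements"),
// and wants extra arguments. Its constructor must never run.
class roguePlugin {
    public function __construct() { echo "roguePlugin constructed: should not happen\n"; }
    public function update(testObject $o, $dbConnection) {}
}

function validatePlugin($className) {
    // The post checks with instanceof after "new", i.e. after the plugin's
    // constructor has already executed. Reflection lets us check first.
    if (!class_exists($className, false)) {
        return false;
    }
    $rc = new ReflectionClass($className);
    if ($rc->isAbstract() || !$rc->implementsInterface('pluginInterface')) {
        return false;
    }
    // PHP lets an implementation append *optional* parameters to update(), so
    // the interface alone does not fix the arity; pin it explicitly.
    $want = new ReflectionMethod('pluginInterface', 'update');
    if ($rc->getMethod('update')->getNumberOfParameters() !== $want->getNumberOfParameters()) {
        return false;
    }
    return true;
}
// Note: include/require of a plugin file still executes that file's
// top-level statements; only the class body itself is inert until "new".
foreach (array('goodPlugin', 'roguePlugin', 'missingPlugin') as $name) {
    if (validatePlugin($name)) {
        $plugin = new $name();            // constructor runs only for accepted plugins
        $plugin->update(new testObject());
    } else {
        echo "$name: discard me.\n";
    }
}
```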
XDebug’s settings reminded me - no output to the browser if sending headers
May 20th, 2008 by Aaron
So, I admit it - I’ve become lazy. Well, in all fairness, the programmer before me at “the triangle” was also lazy. And after messing with XDebug and setting output_buffering to off and implicit_flush to on… I was reminded of our laziness.
Because of these changes, some of the whitespace that we had in our code now gets sent directly to the browser (even though we have an output handler…). For example, this is bad code:
/** and some more fun here **/
?>

<?php
/** start second block of code **/
I know it is bad - you know it is bad… *sigh*. But because of this, I’m not able to use Xdebug’s debugging feature on my ‘triangle’ code. I’d have to put through a project to REMOVE SPACES. Hah.
XDebug and Eclipse PDT on Windows - From Start to Finish
May 20th, 2008 by Aaron
With our recent upgrade to PHP at “the triangle,” I felt it was time to start working on using a debugging and code profiling tool. When I say I felt it was time… I mean our PHP version finally supported it. *sigh*. Anyway, from start to finish, this is what I did in order to get Xdebug to integrate into my current Eclipse PDT - as well as investigate the other features of Xdebug. I tried to detail all of the mistakes I made as well as what I figured out. Let’s go:
Continue reading XDebug and Eclipse PDT on Windows - From Start to Finish
Timetracker Timeclock
May 12th, 2008 by Aaron
The 102 Degrees Timeclock software package is a very simple interface for keeping track of time. Instead of purchasing a timeclock, you could resurrect an old laptop and run this software on it. With a very simple, clean interface, even beginning computer users will feel comfortable. The timeclock has .csv generation for reporting, which can easily be opened in Microsoft Excel. The entire interface is web based.
The software requires PHP5 with MySQL.
You can download it here:
timetracker - timeclock 0.1
Installation Instructions
After you upload the contents of the zip file to the root of your website (in future releases, I’ll make it work from any folder), visit your website’s domain. This will launch the install script.
The script will ask for MySQL credentials. You need to have a hostname, user and password, and a database for the software to write to.
Finally, after you submit it and receive a successful message, delete the install.php file.
Then, visit your domain again, and you’re good to go - or follow the directions on the screen to set up your users.
Which Fires First? Error Handler or Shutdown Function
April 24th, 2008 by Aaron
I was working on writing a shutdown function for a PHP 4 script and noticed some odd behavior when I was getting errors (no way! I program and get errors? Who knew!?). At any rate, when I handled my error with my custom function, I noticed the shutdown function was still executing after the error function. (Or when it was a fatal error, the error was shown on the screen but the shutdown function was still run…)
This got me to thinking about handling error redirection pages and sending messages on fatal errors in PHP4 (you’ll remember that a fatal error won’t execute the error handler, and therefore most of our custom code to make a nice ‘message’ won’t execute). But anyway, I digress.
I’m using PHP 5.2 - this is the code I used to test:
<?php
function error_function() {
    print 'error function';
}

function shutdown_function() {
    print 'shutdown function';
}

set_error_handler('error_function');
register_shutdown_function('shutdown_function');

// In PHP 5, dividing by zero raises a warning, which is routed to error_function.
// (PHP 8 throws DivisionByZeroError instead; use trigger_error('x', E_USER_WARNING)
// there to get the same warning-level path.)
print 1/0;
?>
So, as you can tell, the error handler fires FIRST and then the shutdown function.
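Following on from the PHP 4 worry above: because a fatal error skips the handler but not the shutdown function, the shutdown function can pick it up with error_get_last() (available from PHP 5.2) and send a controlled message instead of the raw error. Added example, not the post’s code; the log destination is wherever error_log is configured to write.

```php
<?php
// Added example, not the post's code: a fatal error bypasses the error
// handler but the shutdown function still runs, so it can use
// error_get_last() (PHP 5.2+) to log the detail and show a controlled page
// instead of PHP's raw "Fatal error: ... in /path/file.php on line N".

ini_set('display_errors', '0');   // never echo raw errors (paths, line numbers) to users

function error_function($errno, $errstr, $errfile, $errline) {
    echo "error handler: [$errno] $errstr\n";
    return true;                  // handled; PHP's own reporting is skipped
}

function shutdown_function() {
    echo "shutdown function\n";
    $e = error_get_last();
    $fatal = E_ERROR | E_PARSE | E_CORE_ERROR | E_COMPILE_ERROR | E_USER_ERROR;
    if ($e !== null && ($e['type'] & $fatal)) {
        // Nothing else handled this one: log it, answer with a generic page.
        error_log("fatal: {$e['message']} in {$e['file']}:{$e['line']}");
        if (!headers_sent()) {
            header('HTTP/1.1 500 Internal Server Error');
        }
        echo "Something went wrong; the problem has been logged.\n";
    }
}

set_error_handler('error_function');
register_shutdown_function('shutdown_function');

// A warning reaches error_function first; shutdown_function runs at exit.
trigger_error('just a warning', E_USER_WARNING);

// A fatal error never reaches error_function; only shutdown_function sees it.
undefined_function_call();
```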
SimplePHPMailer
April 24th, 2008 by Aaron
There are very few really easy-to-implement PHP mailer scripts in the wild. They usually try to pack in so many features that they become difficult to implement or too large a file. For those looking for just a quick drop-in solution - one that you DON’T need to know PHP to use - SimplePHPMailer was developed. All that is needed is to drop the PHP file into the same area as your form, open it up, and read the instructions. There are some straightforward configuration options with very easy to understand comments. Download it for your next quick project.
PHP Shared Host - Session File Browser Script
April 24th, 2008 by Aaron
PHP stores its session information into flat files unencrypted by default. In shared hosting situations, this can be a big security issue. This script allows easy access to the attributes of these files as well as decoding of the values stored in them. This script can also be used to audit the security of your current configuration. If other users’ session information is available, your information is not secure either!
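Before reaching for a browser script, a read-only check of where this account’s sessions live tells you whether the store is shared at all. Added example, not the script the post offers; it opens no session files and reports only the directory mode and counts.

```php
<?php
// Added example, not the browser script the post describes: a read-only audit
// of this account's PHP session store. It reports where session files live and
// whether that directory is shared with other accounts on the host.

function auditSessionStore() {
    $handler = ini_get('session.save_handler');
    // save_path may be "/path", "N;/path" or "N;mode;/path"; keep the last part.
    $parts = explode(';', (string) ini_get('session.save_path'));
    $dir = trim(end($parts));
    if ($dir === '') {
        $dir = sys_get_temp_dir();        // PHP's fallback when save_path is unset
    }
    $findings = array();
    if ($handler !== 'files') {
        $findings[] = "save_handler is '$handler'; file checks do not apply";
        return array('dir' => $dir, 'mode' => '----', 'findings' => $findings);
    }
    if (!is_dir($dir)) {
        $findings[] = "session directory does not exist: $dir";
        return array('dir' => $dir, 'mode' => '----', 'findings' => $findings);
    }
    $mode = fileperms($dir) & 07777;
    if ($mode & 0002) {
        // World-writable (typically /tmp): every account writes sessions here,
        // and under mod_php all of them run as the same web server user.
        $findings[] = 'directory is world-writable: shared session store';
    }
    if ($mode & 0004) {
        $findings[] = 'directory is world-readable: file names (session ids) are listable';
    }
    $readable = 0;
    foreach (glob($dir . '/sess_*') ?: array() as $f) {
        if (is_readable($f)) {
            $readable++;
        }
    }
    $findings[] = "$readable session file(s) readable by this script";
    return array('dir' => $dir, 'mode' => sprintf('%04o', $mode), 'findings' => $findings);
}

$r = auditSessionStore();
echo "session store: {$r['dir']} (mode {$r['mode']})\n";
foreach ($r['findings'] as $f) {
    echo " - $f\n";
}
```

The fix on a shared host is a per-account session.save_path: a directory with mode 0700 under your own home, set in php.ini, via php_value in .htaccess under mod_php, or with ini_set() before session_start().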
