Adam Palmer MBCS CITP, Linux, PHP Programmer, MySQL Developer, Embedded Hardware, Security Consultant

19 Jan 10 Website Security Scan

Websites get hacked every day, customers’ details taken, and it’s usually REALLY EASY to do. As a security consultant, I often get a call after a Google search turns up with my details as the guy to contact when this happens.

Shameless plug: Why not contact me BEFORE this happens for a FREE basic web scan.

Shameless plug over, why not consider some of the things that can be done to help prevent a website breach.
(more…)


15 Jan 10 Embedded Linux Programmer

As an embedded Linux programmer, I’ve had the opportunity to work on a number of different platforms, MIPS being one of my favorites.

There are a few general limitations that you’ll find. You have limited CPU power available, you have very little RAM available, and for more advanced operations and optimizations, your CPU will generally have a limited function set.

The usual good programming practices apply, but are of much greater importance. Specifically, don’t allocate memory that you don’t need, and don’t put the CPU under undue stress with unnecessary or badly optimized loops. Taking C syntax and some pseudo code;
(more…)


14 Jan 10 PHP Security

As a PHP programmer, there are a couple of things you can do quickly and easily to increase the security of your PHP code installation.

Look into PHP’s “safe mode” feature, ESPECIALLY if you’re running a webserver that the general public can upload scripts to. Here you’ll find a list of the functions disabled or restricted by safe mode. It is not strictly PHP’s job to restrict these types of functions; however, unless you really know what you’re doing, the list of functions restricted by safe mode is a good starting point for building secure applications. These are generally functions that allow file and directory manipulation, and socket manipulation. If it’s not possible within your environment to disable them all, disable as many of these functions as possible.

Although not that common, if I’m writing an application that heavily relies on functions that manipulate directories or sockets, I’ll prefer to create a C daemon or similar to handle this side of things and simply use PHP to communicate with it. (more…)
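An added example, not part of the original post: a small audit script that reports which risky built-ins are still callable under the current configuration. Safe mode was deprecated in PHP 5.3 and removed in PHP 5.4, so on current PHP the php.ini directive disable_functions is the way to switch such functions off; the function list below is a constructed sample, not the safe mode list itself.

```php
<?php
// Added example: report which risky built-ins are still callable.
// $risky is a constructed sample of process, socket, file and directory
// functions; extend it to match what your application must not use.
$risky = array(
    'exec', 'shell_exec', 'system', 'passthru', 'popen', 'proc_open',
    'fsockopen', 'pfsockopen', 'chmod', 'chown', 'unlink', 'rmdir',
    'mkdir', 'rename', 'symlink',
);

// disable_functions is a comma-separated php.ini directive.
function disabled_functions($iniValue)
{
    $names = array_map('trim', explode(',', strtolower((string) $iniValue)));
    return array_values(array_filter($names, 'strlen'));
}

// Split the candidates into functions that are callable and those that are not.
function audit_functions(array $candidates, array $disabled)
{
    $report = array('callable' => array(), 'blocked' => array());
    foreach ($candidates as $fn) {
        // Before PHP 8 a disabled function can still pass function_exists(),
        // so the directive is checked as well.
        $usable = function_exists($fn) && !in_array($fn, $disabled, true);
        $report[$usable ? 'callable' : 'blocked'][] = $fn;
    }
    return $report;
}

$report = audit_functions($risky, disabled_functions(ini_get('disable_functions')));
echo "Still callable: " . (implode(', ', $report['callable']) ?: '(none)') . "\n";
echo "Blocked:        " . (implode(', ', $report['blocked']) ?: '(none)') . "\n";
```

Run it under the same SAPI and php.ini as the web application, since the command-line PHP binary often loads a different configuration file.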


17 Dec 09 PHP Programmer – Logical Operators

PHP allows the use of boolean operators.

AND, OR, XOR and NOT. We can combine NOT with AND and OR to form the NAND and NOR operators respectively.

$a = ($b and $c); will return TRUE if both $b AND $c are TRUE, otherwise, it will return FALSE. This can also be specified as $a = ($b && $c);

$a = ($b or $c); will return TRUE if $b OR $c are TRUE, otherwise, it will return FALSE. This can also be specified as $a = ($b || $c);

$a = ($b xor $c); will return TRUE if $b OR $c are TRUE, but not if they are both TRUE, otherwise, it will return FALSE.

$a = (! $b); will return TRUE if $b is NOT TRUE.

$a = (!($b && $c)); will form NAND (NOT + AND)
$a = (!($b || $c)); will form NOR (NOT + OR)
(more…)


14 Dec 09 PHP Programmer – Numeric Shorthand

PHP 4 and 5 offer a few shorthand methods for basic numeric operations:

$n = $n + 1; can be specified as $n++;
$n = $n - 1; can be specified as $n--;
$n = $n + 10; can be specified as $n += 10;
$n = $n - 10; can be specified as $n -= 10;

On the subject of shorthand, also check out the PHP Ternary Operator


03 Dec 09 PHP Programmer – Reading from files

Here I’ll give some file reading examples. There are a few different ways to do this. I’m going to focus on plain text files only, as opposed to binary files.

If you just want to read the contents of a file into a string variable, then the easiest thing to do is use $mystring = file_get_contents("/home/adam/myfile");

For more control over what you’re doing, or if you want to do anything more than reading a file into a string, you’ll need to use the fopen, fread and fclose functions.

To read everything in one go:
(more…)


24 Nov 09 PHP Programmer – strlen, count and substr

PHP Developer – strlen, count, and substr

The strlen function returns the length, i.e. number of characters in a string: int strlen(string s)

count will get the number of elements in an array:  int count(array a)

substr will return a “subset” of a string: string substr(string s, int start, [int len])

<?php
$s = "test string";
echo "String length is: " . strlen($s);
?>

Will return:  String length is: 11

Why would you care how long a string is? Well, for many reasons, one being that you might wish to iterate through each character of a string to perform a certain conditional check or operation on each character. Alternatively, you might want to check that a certain string is not over a given size, and if so, shorten it. Here’s a common example that shows these three common functions together:

<?php
$myarray = Array("This is a very long string", "short string", "some text", "some more text to be shortened");
define('MAXLEN', 20); //maximum permitted string length (the constant name must be quoted)
$num = count($myarray); //Get the number of elements in the array
for ($ctr = 0; $ctr < $num; $ctr++)
{
    if (strlen($myarray[$ctr]) > MAXLEN)
    {
        echo substr($myarray[$ctr], 0, (MAXLEN - 3)) . "...\n";
    } else {
        echo $myarray[$ctr] . "\n";
    }
}
?>

The above will output:
This is a very lo...
short string
some text
some more text to...

This could be used in an instance where we only want to show a predefined “taster”, i.e. replacing “...” with “(more)” or similar. Alternatively, it can ensure that text does not overflow a “<div>” element in a particular instance.


20 Nov 09 PHP Programmer – strpos, finding the position of a word in a string

In PHP, we can use strpos to find the position of a character or string within another string:

int strpos  ( string $haystack  , mixed $needle  [, int $offset = 0  ] )

For example:

<?php
$mystr = "this is a test string";
$pos = strpos($mystr, "test");
echo "Position: " . $pos;
?>

Returns:  Position: 10

We can just as easily use strpos to test for whether or not a given string is found in a larger string:

if (strpos($mystr, "test"))
{ … }

However, that may in some cases unexpectedly fail:

if (strpos($mystr, "this"))
{ … }

Here strpos returns 0, because “this” is at the beginning of the string and therefore at position 0. PHP treats 0 as FALSE, so the condition fails even though the string was found. The correct usage is:

if (strpos($mystr, "this") === false) { … }

OR

if (strpos($mystr, "this") !== false) { … }

Note the usage of “===” and “!==”, which compare type as well as value. As of PHP 4, “==” means “equal to” and “===” means “identical to”.
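An added example, not from the original post, showing why the offset-0 case matters when strpos is used as an input filter: the same deny-list check written with a truthiness test and with a strict comparison. The function names and the sample request paths are hypothetical and constructed for illustration.

```php
<?php
// Added example: the same deny-list check written with a truthiness
// test (buggy) and with a strict comparison (correct).

// Buggy: a match at offset 0 evaluates as FALSE and slips through.
function contains_loose($haystack, $needle)
{
    return strpos($haystack, $needle) ? true : false;
}

// Correct: only the boolean false means "not found".
function contains_strict($haystack, $needle)
{
    return strpos($haystack, $needle) !== false;
}

// Constructed sample inputs for a hypothetical "file" request parameter.
$samples = array(
    'reports/2010.txt',        // no marker: both checks accept it
    'reports/../config.php',   // marker in the middle: both checks reject it
    '../config.php',           // marker at offset 0: the loose check accepts it
);

foreach ($samples as $path) {
    printf(
        "%-24s loose=%-6s strict=%s\n",
        $path,
        contains_loose($path, '../') ? 'reject' : 'ACCEPT',
        contains_strict($path, '../') ? 'reject' : 'ACCEPT'
    );
}
```

On PHP 8 and later, str_contains() returns a boolean directly and avoids the problem. A substring deny-list is only one layer; resolving the path and checking that it stays under the intended directory is the sturdier control.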


18 Nov 09 PHP Developer – Serialize

PHP has two very useful functions, serialize and unserialize.

serialize() generates a string based storable representation of any variable type that you like. Take a complex variable:
(more…)


15 Nov 09 PHP Developer – Loops in General

There are 3 types of loop in PHP:

while (condition)
{ code_goes_here; }

do
{ code_goes_here; }
while (condition);

for (expr1; expr2; expr3)
{ code_goes_here; }

In terms of the ‘for’ loop above, ‘expr1’ is the starting expression, e.g. $i=0; expr2 is the condition that must be satisfied to keep the loop running, e.g. $i < 100; expr3 is the expression evaluated each time the loop runs, e.g. $i++. Each loop type has its uses.
(more…)
