
18 Jul 10 Redirecting all HTML files to PHP files

Let’s say that you want to rename all your HTML files to PHP files to begin PHP Programming. However, you don’t want to lose all your inbound links to your HTML files. Here’s a quick and easy way to automatically convert all .html incoming addresses to .php files on your server, allowing you to switch to PHP and also keeping all your existing .html links working.

Create a .htaccess file, and enter:

RewriteEngine on
# Only redirect when no real file exists at the requested path
RewriteCond %{REQUEST_FILENAME} !-f
# Send /page.html to /page.php with a permanent (301) redirect, case-insensitive, and stop processing further rules
RewriteRule ^(.*)\.html$ $1.php [R=301,NC,L]

This creates a permanent (301) redirect, which search engines follow, to your new .php file.


17 Jul 10 A PHP programmer indeed

You may be browsing through my site, or maybe you came here because you’re looking for a PHP programmer. Allow me to introduce myself. I am Adam Palmer, and I’m a freelance website security consultant, developer, and, of course, a PHP programmer. I’m willing and able to do most any web, Linux, or hosting-related project.

If you have something along those lines that needs to be done, simply contact me, and we can discuss your needs in greater detail.

In addition to doing this sort of work, I run APNIC Solutions, Ltd., which is a leader in network and business integration. You can be confident that when you hire me for your PHP, web, or other needs, you are getting a competent, skilled industry leader who will do a smashing job for a reasonable fee.

Feel free to browse through my blog and read my articles on a variety of PHP and security topics. Then, get in touch with me to see what I can do for you! If all you need is a consultant to point you in the right direction and help you get to the finish line, I would be more than happy and honoured to be that person.


14 Jul 10 Securing PHPMyAdmin and SQL

PHP is of course a valuable tool, and PHPMyAdmin is an equally valuable asset for those that don’t like command line administration. The problem is that because it’s a valuable tool, it’s a security exposure. As a website security consultant, I see the problem often: people don’t secure the one thing that, if accessed by a malicious party, can give carte blanche for destruction.

One simple way to secure your installation is to slightly modify your config.inc.php file:

Look for this line:

$cfg['Servers'][$i]['auth_type'] = 'config';

Change "config" to "http". By doing this, you will require that the database credentials (username and password) be entered before PHPMyAdmin can be accessed. Of course, this only addresses attacks over the web. If someone tries to connect to your database remotely and knows the root password, or the credentials for any of your databases, then you're still vulnerable.

One way to address the security of your config.inc.php file is to secure the directory that it’s stored in. This is especially important if you should be on a shared server.

Of course, there is still the matter of your SQL port, 3306, being open to remote attacks. The solution to this problem can be found in the /etc/my.cnf file.

Add the following line so that only your server itself can connect to the SQL server. Ensure that it's under the "[mysqld]" section:

bind-address = 127.0.0.1

This sets it so that the SQL daemon only listens for connections locally, i.e. on your server. Anyone who tries to connect remotely will be denied. Now, the argument could be made that you could also try to add “skip-networking” to your my.cnf file, and then specify the path to your socket file, but you still need a way to administer your SQL, preferably via SSH. By adding the “bind-address” command, you can do just that.

The name of the game is security, and assumption. You have to assume that everyone’s out to attack you. If you think like that, you’ll narrow down all the ports that are exposed, and secure your server. Your SQL server is, like your DNS server, vital. It most likely powers your site. If the database is attacked, the damage can be considerable. Do understand that if a hacker is intent enough, they will find a way in, but by making it as difficult as possible, you reduce the chances of that happening.


06 Jul 10 Disabling phpinfo

The phpinfo() function is a very powerful one; through it, you can learn quite a lot about your PHP installation. The problem is, so can someone else. PHP, of course, is a very powerful application, but it is also a very powerful tool that can be used to compromise your server’s security if used by the wrong person.

The best way to combat the potential problems that someone using phpinfo() can cause is, of course, not to have a publicly accessible script that runs the command. Sometimes, during testing, you need to upload a simple script that executes the command for your own reference. It's simply phpinfo(); inside PHP tags.

If you should forget to delete the script when you’re done, it’s possible that someone who’s intent on compromising your system could try to find the page, especially if you name it something simple such as test.php or phpinfo.php. If you’re the extremely cautious sort, there’s something you can do.

You can completely disable phpinfo(), and then re-enable it later should you need to perform more testing. To do this, find your php.ini file. The location can be found by executing the phpinfo() command, as the precise location depends on your operating system and distribution. Once you've found the file and opened it with your favourite text editor, insert the following directive:

disable_functions = phpinfo

Reboot your server, and you’re secure. Just remember to re-enable it if you should need to do further testing on PHP.

There are all sorts of things you can do to make your server secure. Securing PHP is one of the most vital, because PHP can be used as a gateway into your system, even to perform SQL injection attacks. Of course, one would really have to know what they're doing to gain access to your system, but you never want to give out too much information. By disabling phpinfo(), you can accomplish that, at least as far as PHP is concerned.
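As an added check (not part of the original post), the script below confirms that the disable_functions edit actually took effect for the PHP that serves your pages; it assumes nothing beyond the php.ini directive shown above. Run it through the web server, since the CLI may load a different php.ini.

```php
<?php
// Added check, not from the original post: verifies that
// "disable_functions = phpinfo" is in effect for this PHP process.

function phpinfo_is_disabled(): bool
{
    // PHP reports a function disabled via disable_functions as non-existent,
    // so this alone catches the common case.
    if (function_exists('phpinfo')) {
        return false;
    }
    // Cross-check the effective ini value, a comma-separated list of names,
    // so a missing extension is not mistaken for a deliberate disable.
    $names = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    $names = array_map('strtolower', $names);
    return in_array('phpinfo', $names, true);
}

// Reports which php.ini is actually loaded, in case the edit went into the wrong file.
function loaded_ini_path(): string
{
    $path = php_ini_loaded_file();
    return $path === false ? '(no php.ini loaded)' : $path;
}

echo 'php.ini in use: ', loaded_ini_path(), "\n";
echo 'phpinfo() disabled: ', phpinfo_is_disabled() ? 'yes' : 'no', "\n";
```

Delete this script too once you are done, for the same reason the post gives for the phpinfo() test page.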


03 Jul 10 PHP Developer – Base64

Base64 is a type of encoding (NOT encryption). Essentially, you can take any binary data and encode it using an alphabet of 64 printable characters. For more information on the encoding process and how this is done, visit http://en.wikipedia.org/wiki/Base64.

It is useful for a variety of things, specifically encoding non-standard characters that may not be safe to pass around, such as in a browser address bar or in a plaintext email.

Here's one example:

<?php
$obj = new stdClass();
$obj->a = "test";
$obj->b = "string";
$obj->c = 12345;
$output = base64_encode(serialize($obj));
echo $output;
?>

This returns 'Tzo4OiJzdGRDbGFzcyI6Mzp7czoxOiJhIjtzOjQ6InRlc3QiO3M6MToiYiI7czo2OiJzdHJpbmciO3M6MToiYyI7aToxMjM0NTt9'

We could now pass this as an HTTP-safe string between pages, decoding it with $v = unserialize(base64_decode($output));

This is obviously not an optimal way of storing or passing this example data between pages, but it is one example of how base64 encoding can be used.
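As an added example (not code from the original post), here is the same object round-tripped through base64 with the two checks a receiving page should make: strict base64 decoding, and decoding with json_decode() rather than unserialize(), since the encoded string comes back from the client and unserialize() on attacker-controllable bytes is a known PHP hazard. The function names are my own.

```php
<?php
// Added example, not from the original post. Encodes the post's object for a
// URL and decodes it defensively on the other side.

$obj = new stdClass();
$obj->a = 'test';
$obj->b = 'string';
$obj->c = 12345;

// Encoding side: JSON instead of serialize(), so the receiving page never has
// to unserialize() data it did not produce itself. urlencode() is still needed
// when the result is placed in a query string, because base64 uses '+', '/' and '='.
function encode_for_url(stdClass $data): string
{
    return urlencode(base64_encode(json_encode($data)));
}

// Decoding side. base64_decode() with $strict = true returns false for input
// containing characters outside the base64 alphabet instead of silently
// skipping them, so tampered or truncated tokens are rejected rather than
// half-decoded.
function decode_from_url(string $encoded): ?stdClass
{
    $raw = base64_decode(urldecode($encoded), true);
    if ($raw === false) {
        return null;
    }
    $data = json_decode($raw);
    // Only accept the shape we expect: an object, not a bare scalar or array.
    return $data instanceof stdClass ? $data : null;
}

$token = encode_for_url($obj);
$back  = decode_from_url($token);        // $back->a, ->b, ->c match $obj
$bad   = decode_from_url('not%20base64!!'); // rejected by strict decoding, so null

var_dump($back, $bad);
```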


30 Jun 10 Cross Site Scripting XSS

As a website security consultant, Cross Site Scripting or XSS vulnerabilities are something that I see just as often as the always popular SQL Injection attack.

Cross Site Scripting seems to have originally meant placing some malicious code on a victim site that would pull script (usually JavaScript, but sometimes VBScript) from another, malicious domain. Each client that visited the victim site would end up unknowingly having third-party malicious script executed in his own browser. Now it has become a term used to describe any type of malicious scripting attack.

The first example is a simple one. Many sites allow user comments. A user could quite easily enter:

This is my comment!<script type="text/javascript">
alert("script!");
</script>

Any user that hits this affected page, will now see a popup box with the text “script!”. The user could also just as easily have entered a script source of http://www.nastydomain.com/nastyscript.js which will be downloaded and executed.

The second option is to place some JavaScript code that steals the user's cookies for that particular site and then posts them to a third-party site. His cookies may contain a login and password, or more likely a login hash. The attacker can then use these cookies to hijack the user's session and access possibly sensitive areas of the site under that user's account, as that hijacked user.

Fortunately the solution is simple. Either use htmlentities() to 'escape' HTML special characters, i.e. converting < to &lt; and so on, or use strip_tags() to remove all HTML tags from the input.
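As an added example (not code from the original post), the script below renders the comment from the example above three ways: unescaped, which is the vulnerable form, then with each of the two fixes the post names. The function names are my own.

```php
<?php
// Added example, not from the original post. The comment string is the one
// used in the post, constructed here as sample input.
$comment = 'This is my comment!<script type="text/javascript">alert("script!");</script>';

// Vulnerable: user input is concatenated straight into the page, so the
// browser parses the <script> tag and runs it.
function render_comment_unsafe(string $comment): string
{
    return '<p>' . $comment . '</p>';
}

// Fix 1: escape. '<', '>', '&' and quotes become entities, so the browser
// displays the tag text instead of executing it. ENT_QUOTES also escapes
// single quotes, which matters when the value lands inside an attribute.
function render_comment_escaped(string $comment): string
{
    return '<p>' . htmlentities($comment, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Fix 2: strip. Every tag is removed; note that the text between the tags
// (here the alert(...) call) survives as harmless plain text, and any
// legitimate markup the user typed is lost as well.
function render_comment_stripped(string $comment): string
{
    return '<p>' . strip_tags($comment) . '</p>';
}

echo render_comment_unsafe($comment), "\n";
echo render_comment_escaped($comment), "\n";
echo render_comment_stripped($comment), "\n";
```

Escaping is the safer default, because it preserves exactly what the user typed while making it inert; strip_tags() is the choice only when no markup should ever be shown.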


24 Jun 10 PHP, MySQL and memcached

According to memcached is a distributed object memory caching system. It can be used to set and get data by keys by any application that supports sockets.

As a website security consultant I advise you to ensure that your memcache server runs on 127.0.0.1 only and that you secure your server. Anyone with access to the server can telnet to the server’s local interface and get/set your memcache data.

I’ve used memcached for a number of PHP/MySQL projects, where I want greater cache control on database queries, than just relying on MySQL’s inbuilt caching abilities.

Now, whilst memcached should not be used to mask bad database design and optimization, or badly written SQL queries, it can help dramatically with queries that simply take a long time and have already been optimized as far as possible.

Assume that you had a simple database query wrapper:


19 May 10 PHP – Passing Variables By Reference and By Value

By default in PHP, variables are passed around 'by value', i.e.:

<?php
function increment($i)
{
$i++;
return $i;
}

$a = 10;
$b = increment($a);
?>

At this point, $a remains 10, while $b is now 11. $b = increment(10); works just the same, and you can assign the result back to the original variable with $a = 10; $a = increment($a); This is called passing variables by value, i.e. I am passing the VALUE of $a to the increment() function.

We also have the option of passing variables by reference. For programmers who have worked with C before, this is similar to a 'pointer'.

<?php
function increment(&$i)
{
$i++;
return $i;
}

$a = 10;
increment($a);
echo "a has now become: " . $a;
?>

In the case above, I am passing $a by reference, i.e. the increment() function is operating on the variable $a itself rather than on a copy of its value. Certain things that shouldn't work are silently fixed by PHP, e.g. increment(&$a): by the time the increment() function gets to it, it is actually being passed a reference to a reference to the variable. Certain other things will fail entirely, e.g. increment(10); will give "Fatal error: Only variables can be passed by reference".


18 May 10 PHP Programmer – Remove characters from the end of a string

<?php
$s = "This is my string";
$s = substr($s, 0, strlen($s)-2);
?>

This trims 2 characters from $s, resulting in "This is my stri".


14 May 10 PHP – Checking for Array Keys

As a PHP Programmer, I recently came up against an error while testing another developer's code. Within PHP, testing for the existence of the referring URL with:

if (empty($_SERVER['HTTP_REFERER']))

will produce a notice:

Undefined index: HTTP_REFERER

The correct way to check for the existence of an array key is:

if (array_key_exists("HTTP_REFERER", $_SERVER))
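As an added example (not code from the original post), here is a small helper built around array_key_exists() as recommended above, run against constructed request arrays that stand in for $_SERVER. It also shows the one difference from isset() worth knowing: a key present with a null value counts as existing for array_key_exists() but not for isset(). The helper name is my own.

```php
<?php
// Added example, not from the original post. Safely reads the referring URL
// from a $_SERVER-style array without triggering an undefined-index notice.

function referer_or_default(array $server, string $default = '(none)'): string
{
    // Check for the key first; only then read it.
    if (!array_key_exists('HTTP_REFERER', $server)) {
        return $default;
    }
    // Note: the Referer header is supplied by the client and can be absent,
    // empty or forged, so it is fine for logging or a friendly link back,
    // never for access control.
    return (string) $server['HTTP_REFERER'];
}

// Constructed sample request arrays standing in for $_SERVER.
$with    = ['HTTP_REFERER' => 'http://example.com/page.html'];
$without = ['REQUEST_URI' => '/index.php'];
$null    = ['HTTP_REFERER' => null];

echo referer_or_default($with), "\n";     // the referring URL
echo referer_or_default($without), "\n";  // the default, no notice emitted
echo referer_or_default($null), "\n";     // key exists, value null, so an empty string

// The distinction between the two checks on a key whose value is null:
var_dump(array_key_exists('HTTP_REFERER', $null)); // true: the key is present
var_dump(isset($null['HTTP_REFERER']));            // false: isset() treats null as unset
```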
