Archives For PHP

A database is a fundamental component for most web applications. If you’re using PHP, you’re probably using MySQL–an integral part of the LAMP stack.

PHP is relatively easy and most new developers can write functional code within a few hours. However, building a solid, dependable database takes time and expertise. Here are ten of the worst MySQL mistakes I’ve made (some apply to any language/database)… Continue Reading…

Web Security: The Big Picture
Whether your site is the web presence for a large multinational, a gallery showing your product range and inviting potential customers to come into the shop, or a personal site exhibiting your holiday photos, web security matters. After the hard work put in to make your site look good and respond to your users, the last thing you want is for a malicious hacker to come along, perform a PHP hack and break it somehow.

There are a number of problems in web security, and unfortunately not all of them have definite solutions, but here we’ll look at some of the problems that should be considered every time you set out to write a PHP script to avoid a PHP hack attack. These are the problems which, with well-designed code, can be eliminated entirely. Before looking in detail at the solutions, though, lets take a moment to define the problems themselves.

SQL Injection
In this attack, a user is able to execute SQL queries in your website’s database. This attack is usually performed by entering text into a form field which causes a subsequent SQL query, generated from the PHP form processing code, to execute part of the content of the form field as though it were SQL. The effects of this attack range from the harmless (simply using SELECT to pull another data set) to the devastating (DELETE, for instance). In more subtle attacks, data could be changed, or new data added.

Directory Traversal
This attack can occur anywhere user-supplied data (from a form field or uploaded filename, for example) is used in a filesystem operation. If a user specifies “../../../../../../etc/passwd” as form data, and your script appends that to a directory name to obtain user-specific files, this string could lead to the inclusion of the password file contents, instead of the intended file. More severe cases involve file operations such as moving and deleting, which allow an attacker to make arbitrary changes to your filesystem structure.

Authentication Issues
Authentication issues involve users gaining access to something they shouldn’t, but to which other users should. An example would be a user who was able to steal (or construct) a cookie allowing them to login to your site under an Administrator session, and therefore be able to change anything they liked.

Remote Scripts (XSS)
XSS, or Cross-Site Scripting (also sometimes referred to as CSS, but this can be confused with Cascading Style Sheets, something entirely different!) is the process of exploiting a security hole in one site to run arbitrary code on that site’s server. The code is usually included into a running PHP script from a remote location. This is a serious attack which could allow any code the attacker chooses to be run on the vulnerable server, with all of the permissions of the user hosting the script, including database and filesystem access.

Processing User Data – Form Input Verification & HTML Display

Validating Input And Stripping Tags
When a user enters information into a form which is to be later processed on your site, they have the power to enter anything they want. Code which processes form input should be carefully written to ensure that the input is as requested; password fields have the required level of complexity, e-mail fields have at least some characters, an @ sign, some more characters, a period, and two or more characters at the end, zip or postal codes are of the required format, and so on.

Each of these may be verified using regular expressions, which scan the input for certain patterns. An example for e-mail address verification is the PHP code shown below. This evaluates to true if an e-mail address was entered in the field named ’email’.

preg_match(‘/^.+@.+\..{2,3}$/’,$_POST[’email’]);

This code just constructs a regular expression based on the format described above for an e-mail address. Note that this will return true for anything with an @ sign and a dot followed by 2 or 3 characters. That is the general format for an e-mail address, but it doesn’t mean that address necessarily exists; you’d have to send mail to it to be sure of that.

Interesting as this is, how does it relate to security? Well, consider a guestbook as an example. Here, users are invited to enter a message into a form, which then gets displayed on the HTML page along with everyone else’s messages. For now, we won’t go into database security issues, the problems dealt with below can occur whether the data is stored in a database, a file, or some other construct.

If a user enters data which contains HTML, or even JavaScript, then when the data is included into your HTML for display later, their HTML or JavaScript will also get included.

If your guestbook page displayed whatever was entered into the form field, and a user entered the following,

Hi, I <b>love</b> your site.

Then the effect is minimal, when displayed later, this would appear as,

Hi, I love your site.

Of course, when the user enters JavaScript, things can get a lot worse. For example, the data below, when entered into a form which does not prevent JavaScript ending up in the final displayed page, will cause the page to redirect to a different website. Obviously, this only works if the client has JavaScript enabled in their browser, but the vast majority of users do.

Hi, I love your site. Its great!<script
language=”JavaScript”>document.location=”http://www.acunetix.com/”;</script>

For a split second when this is displayed, the user will see,

Hi, I love your site. Its great!

The browser will then kick in and the page will be refreshed from www.acunetix.com. In this case, a fairly harmless alternative page, although it does result in a denial of service attack; users can no longer get to your guestbook.

Consider a case where this was entered into an online order form. Your order dispatchers would not be able to view the data because every time they tried, their browser would redirect to another site. Worse still, if the redirection occurred on a critical page for a large business, or the redirection was to a site containing objectionable material, custom may be lost as a result of the attack.

Fortunately, PHP provides a way to prevent this style of PHP hack attack. The functions strip_tags(), nl2br() and htmlspecialchars() are your friends, here.

strip_tags() removes any PHP or HTML tags from a string. This prevents the HTML display problems, the JavaScript execution (the <script> tag will no longer be present) and a variety of problems where there is a chance that PHP code could be executed.

nl2br() converts newline characters in the input to <br /> HTML tags. This allows you to format multi-line input correctly, and is mentioned here only because it is important to run strip_tags() prior to running nl2br() on your data, otherwise the newly inserted <br /> tags will be stripped out when strip_tags() is run!

Finally, htmlspecialchars() will entity-quote characters such as <, > and & remaining in the input after strip_tags() has run. This prevents them being misinterpreted as HTML and makes sure they are displayed properly in any output.

Having presented those three functions, there are a few points to make about their usage. Clearly, nl2br() and htmlspecialchars() are suited for output formatting, called on data just before it is output, allowing the database or file-stored data to retain normal formatting such as newlines and characters such as &. These functions are designed mainly to ensure that output of data into an HTML page is presented neatly, even after running strip_tags() on any input.

strip_tags(), on the other hand, should be run immediately on input of data, before any other processing occurs. The code below is a function to clean user input of any PHP or HTML tags, and works for both GET and POST request methods.

function _INPUT($name)
{
if ($_SERVER[‘REQUEST_METHOD’] == ‘GET’)
return strip_tags($_GET[$name]);
if ($_SERVER[‘REQUEST_METHOD’] == ‘POST’)
return strip_tags($_POST[$name]);
}

This function could easily be expanded to include cookies in the search for a variable name. I called it _INPUT because it directly parallels the $_ arrays which store user input. Note also that when using this function, it does not matter whether the page was requested with a GET or a POST method, the code can use _INPUT() and expect the correct value regardless of request method. To use this function, consider the following two lines of code, which both have the same effect, but the second strips the PHP and HTML tags first, thus increasing the security of the script.

$name = $_GET[‘name’);
$name = _INPUT(‘name’);

If data is to be entered into a database, more processing is needed to prevent SQL injection, which will be discussed later.

Executing Code Containing User Input
Another concern when dealing with user data is the possibility that it may be executed in PHP code or on the system shell. PHP provides the eval() function, which allows arbitrary PHP code within a string to be evaluated (run). There are also the system(), passthru() and exec() functions, and the backtick operator, all of which allow a string to be run as a command on the operating system shell.

Where possible, the use of all such functions should be avoided, especially where user input is entered into the command or code. An example of a situation where this can lead to attack is the following command, which would display the results of the command on the web page.

echo ‘Your usage log:<br />’;
$username = $_GET[‘username’];
passthru(“cat /logs/usage/$username”);

passthru() runs a command and displays the output as output from the PHP script, which is included into the final page the user sees. Here, the intent is obvious, a user can pass their username in a GET request such as usage.php?username=andrew and their usage log would be displayed in the browser window.

But what if the user passed the following URL?

usage.php?username=andrew;cat%20/etc/passwd

Here, the username value now contains a semicolon, which is a shell command terminator, and a new command afterwards. The %20 is a URL-Encoded space character, and is converted to a space automatically by PHP. Now, the command which gets run by passthru() is,

cat /logs/usage/andrew;cat /etc/passwd

Clearly this kind of command abuse cannot be allowed. An attacker could use this vulnerability to read, delete or modify any file the web server has access to. Luckily, once again, PHP steps in to provide a solution, in the form of the escapeshellarg() function. escapeshellarg() escapes any characters which could cause an argument or command to be terminated. As an example, any single or double quotes in the string are replaced with \’ or \”, and semicolons are replaced with \;. These replacements, and any others performed by escapeshellarg(), ensure that code such as that presented below is safe to run.

$username = escapeshellarg($_GET[‘username’]);
passthru(“cat /logs/usage/$username”);

Now, if the attacker attempts to read the password file using the request string above, the shell will attempt to access a file called “/logs/usage/andrew;cat /etc/passwd”, and will fail, since this file will almost certainly not exist.

It is generally considered that eval() called on code containing user input be avoided at all costs; there is almost always a better way to achieve the desired effect. However, if it must be done, ensure that strip_tags has been called, and that any quoting and character escapes have been performed.

Combining the above techniques to provide stripping of tags, escaping of special shell characters, entity-quoting of HTML and regular expression-based input validation, it is possible to construct secure web scripts with relatively little work over and above constructing one without the security considerations. In particular, using a function such as the _INPUT() presented above makes the secure version of input acquisition almost as painless as the insecure version PHP provides.

How to check for PHP vulnerabilities
The best way to check whether your web site & applications are vulnerable to PHP hack attacks is by using a Web Vulnerability Scanner. A Web Vulnerability Scanner crawls your entire website and automatically checks for vulnerabilities to PHP attacks. It will indicate which scripts are vulnerable so that you can fix the vulnerability easily. Besides PHP security vulnerabilities, a web application scanner will also check for SQL injection, Cross site scripting & other web vulnerabilities.

Acunetix Web Vulnerability Scanner ensures website security by automatically checking for SQL injection, Cross site scripting and other vulnerabilities. It checks password strength on authentication pages and automatically audits shopping carts, forms, dynamic content and other web applications. As the scan is being completed, the software produces detailed reports that pinpoint where vulnerabilities exist. Take a product tour or download the evaluation version today!

Scanning for XSS vulnerabilities with Acunetix WVS Free Edition!
To check whether your website has cross site scripting vulnerabilities, download the Free Edition from http://www.acunetix.com/cross-site-scripting/scanner.htm. This version will scan any website / web application for XSS vulnerabilities and it will also reveal all the essential information related to it, such as the vulnerability location and remediation techniques. Scanning for XSS is normally a quick exercise (depending on the size of the web-site).

Source: acunetix.com

Written by Andrew J. Bennieston

PHP: indicates the earliest version of PHP that supports the function.

Function Description PHP
addcslashes() Returns a string with backslashes in front of the specified characters 4
addslashes() Returns a string with backslashes in front of predefined characters 3
bin2hex() Converts a string of ASCII characters to hexadecimal values 3
chop() Alias of rtrim() 3
chr() Returns a character from a specified ASCII value 3
chunk_split() Splits a string into a series of smaller parts 3
convert_cyr_string() Converts a string from one Cyrillic character-set to another 3
convert_uudecode() Decodes a uuencoded string 5
convert_uuencode() Encodes a string using the uuencode algorithm 5
count_chars() Returns how many times an ASCII character occurs within a string and returns the information 4
crc32() Calculates a 32-bit CRC for a string 4
crypt() One-way string encryption (hashing) 3
echo() Outputs strings 3
explode() Breaks a string into an array 3
fprintf() Writes a formatted string to a specified output stream 5
get_html_translation_table() Returns the translation table used by htmlspecialchars() and htmlentities() 4
hebrev() Converts Hebrew text to visual text 3
hebrevc() Converts Hebrew text to visual text and new lines (\n) into <br /> 3
html_entity_decode() Converts HTML entities to characters 4
htmlentities() Converts characters to HTML entities 3
htmlspecialchars_decode() Converts some predefined HTML entities to characters 5
htmlspecialchars() Converts some predefined characters to HTML entities 3
implode() Returns a string from the elements of an array 3
join() Alias of implode() 3
levenshtein() Returns the Levenshtein distance between two strings 3
localeconv() Returns locale numeric and monetary formatting information 4
ltrim() Strips whitespace from the left side of a string 3
md5() Calculates the MD5 hash of a string 3
md5_file() Calculates the MD5 hash of a file 4
metaphone() Calculates the metaphone key of a string 4
money_format() Returns a string formatted as a currency string 4
nl_langinfo() Returns specific local information 4
nl2br() Inserts HTML line breaks in front of each newline in a string 3
number_format() Formats a number with grouped thousands 3
ord() Returns the ASCII value of the first character of a string 3
parse_str() Parses a query string into variables 3
print() Outputs a string 3
printf() Outputs a formatted string 3
quoted_printable_decode() Decodes a quoted-printable string 3
quotemeta() Quotes meta characters 3
rtrim() Strips whitespace from the right side of a string 3
setlocale() Sets locale information 3
sha1() Calculates the SHA-1 hash of a string 4
sha1_file() Calculates the SHA-1 hash of a file 4
similar_text() Calculates the similarity between two strings 3
soundex() Calculates the soundex key of a string 3
sprintf() Writes a formatted string to a variable 3
sscanf() Parses input from a string according to a format 4
str_ireplace() Replaces some characters in a string (case-insensitive) 5
str_pad() Pads a string to a new length 4
str_repeat() Repeats a string a specified number of times 4
str_replace() Replaces some characters in a string (case-sensitive) 3
str_rot13() Performs the ROT13 encoding on a string 4
str_shuffle() Randomly shuffles all characters in a string 4
str_split() Splits a string into an array 5
str_word_count() Count the number of words in a string 4
strcasecmp() Compares two strings (case-insensitive) 3
strchr() Finds the first occurrence of a string inside another string (alias of strstr()) 3
strcmp() Compares two strings (case-sensitive) 3
strcoll() Locale based string comparison 4
strcspn() Returns the number of characters found in a string before any part of some specified characters are found 3
strip_tags() Strips HTML and PHP tags from a string 3
stripcslashes() Unquotes a string quoted with addcslashes() 4
stripslashes() Unquotes a string quoted with addslashes() 3
stripos() Returns the position of the first occurrence of a string inside another string (case-insensitive) 5
stristr() Finds the first occurrence of a string inside another string (case-insensitive) 3
strlen() Returns the length of a string 3
strnatcasecmp() Compares two strings using a “natural order” algorithm (case-insensitive) 4
strnatcmp() Compares two strings using a “natural order” algorithm (case-sensitive) 4
strncasecmp() String comparison of the first n characters (case-insensitive) 4
strncmp() String comparison of the first n characters (case-sensitive) 4
strpbrk() Searches a string for any of a set of characters 5
strpos() Returns the position of the first occurrence of a string inside another string (case-sensitive) 3
strrchr() Finds the last occurrence of a string inside another string 3
strrev() Reverses a string 3
strripos() Finds the position of the last occurrence of a string inside another string (case-insensitive) 5
strrpos() Finds the position of the last occurrence of a string inside another string (case-sensitive) 3
strspn() Returns the number of characters found in a string that contains only characters from a specified charlist 3
strstr() Finds the first occurrence of a string inside another string (case-sensitive) 3
strtok() Splits a string into smaller strings 3
strtolower() Converts a string to lowercase letters 3
strtoupper() Converts a string to uppercase letters 3
strtr() Translates certain characters in a string 3
substr() Returns a part of a string 3
substr_compare() Compares two strings from a specified start position (binary safe and optionally case-sensitive) 5
substr_count() Counts the number of times a substring occurs in a string 4
substr_replace() Replaces a part of a string with another string 4
trim() Strips whitespace from both sides of a string 3
ucfirst() Converts the first character of a string to uppercase 3
ucwords() Converts the first character of each word in a string to uppercase 3
vfprintf() Writes a formatted string to a specified output stream 5
vprintf() Outputs a formatted string 4
vsprintf() Writes a formatted string to a variable 4
wordwrap() Wraps a string to a given number of characters 4

Information courtesy: W3Schools.com

PHP- PHP Hyphertext Preprocessor. Its is server side scripting which enables web applications to making it functioning. PHP is open source language anyone can learn from their own in free. All you need is interest in what you doing. that make sense rather than studying these stuffs 😉

Here we go with PHP handbook – reference book. This book can be used for reference while you learning or coding in PHP language for web applications. Click Download button to download the PHP handbook for your reference.

Download Now

This book comes with Common creative license attribution 2.0 so you can study, redistribute, reuse of this book.  Please feel free to share your comments.

A cron job allows you to run a certain command at times set by the job. For example, you could set a cron job to delete temporary files every week so that your disk space is not being used up by those files.

Cron Jobs Detailed Tutorial

To access the Cron Jobs Menu, click on the corresponding icon located on the main screen of your cPanel interface.

The Cron Jobs Menu in the x3 theme appears as follows:

cPanel - Cron Jobs

There are two different modes you can use to add a cron job: Standard and Advanced (UNIX Style)

Standard Cron Manager

The Standard mode provides a range of pre-set options that you can choose. This is the simplest method and is recommended.

cPanel - Standard Cron Manager

Adding a cron job in standard mode

Step 1: To access the Cron Jobs Menu, click on the corresponding icon located on the main screen of your cPanel interface.

Step 2: Click on Standard to access the Standard Cron Manager.

Step 3: Enter the email address where the cron output will be sent to in the corresponding field.

Step 4: Enter the command you wish the cron job to run in the blank field next to the Command to run label.

Step 5: Select how often you wish the command to be run by selecting an option in each of the boxes.

Step 6: Click on Save Crontab to save your changes and set up your cron job.

Important The command run by the cron job must be a valid command.

Deleting a cron job in standard mode

When a cron job is no longer needed, you should delete it so the command will not continue to run.

Step 1: To access the Cron Jobs Menu, click on the corresponding icon located on the main screen of your cPanel interface.

Step 2: Click on Standard to access the Standard Cron Manager.

Step 3: Click on the Delete button next to the cron job you wish to remove.

Source: SiteGround.com – Web Hosting service provider