php webtutorial
php, script, tutorial, learn, programming, design
Language: English

Articles
What Goes in Your Code
2007-03-24 17:06:00
Many of the code snippets we have shown for accessing databases have included the database name, username, and user password in plain text, as follows: $conn = @new mysqli("localhost", "bob", "secret", "somedb"); While this is convenient, it is slightly insecure because anybody who got hold of our .php file would have immediate access to our database with the full permissions of the user "bob". It would be better to put the username and password in a file that is not in the document root of the web application and include it in our script, as follows: We should think about doing the same thing for other sensitive data....
 
Code Organization
2007-03-24 17:05:00
Some would argue that any file not directly accessible to the user from the Internet should not find a place in the document root of the web site. For example, if the document root for our message board web site is /home/httpd/messageboard/www, we should place all of our .inc files and other files in a place such as /home/httpd/messageboard/code. When we want to include those files, we can simply write in our code: require_once('../code/user_object.inc'); The reasons for this degree of caution come down to what happens when a malicious user makes a request for a file that is not a .php or .html file. Many web servers default to dumping the contents of that file to the output stream. Thus, if we were to keep user_object.inc in the public document root and the user requested it, he mi...
 
Filtering Even Basic Values
2007-03-24 11:52:00
HTML form elements have no types associated with them, and most pass strings (which may represent things such as dates, times, or numbers) to the server. Thus, if you have a numeric field, you cannot assume that it was entered as such. Even in environments where powerful client-side code can try to make sure that the value entered is of a particular type, there is no guarantee that the values will not be sent to the server directly, as in the "Double Checking Expected Values" section. An easy way to make sure that a value is of the expected type is to cast or convert it to that type and use it, as follows: $number_of_nights = (int)$_POST['num_nights']; if ($number_of_nights == 0) { echo "ERROR: Invalid number of nights for the room!"; exit; } If we have the user input a date in a localiz...
 
How to get a site online and have it making money
2007-03-24 11:49:00
When building and getting a site online you have to think of a number of things. Some of these include the following: 1. What is your site going to be about? If you want to get a site online to make money then you need to do some good research before you choose what your site is going to be about. This is because there is no point in choosing a topic for your site in which other people have no interest. If no one has any interest in the topic of your site then you will find it very hard to get a good amount of visitors to your site. So the best thing to do is to choose a topic that is likely to interest a large number of people and is also likely to make you some good revenue online. 2. What web hosting provider are you going to choose to host your site wit...
 
7 things to look for in a URL snipping Service
2007-03-24 11:41:00
7 things to look for in a URL snipping Service By Charles H Smith URL snipping services are becoming commonplace today. Surfers use them to mask affiliate URLs, shorten very long URLs, even to hide email addresses from spammers and automatic email harvesters. There are several URL snipping services that are no longer active. These include: shortlink.us, quickones.org, smlnk.com, and smurl.it. Hopefully, you didn't lose any carefully crafted and well planned email link campaigns as these services closed. As you look to snip your URLs using a free service, there are several items to investigate. First, do the links expire? If they expire, you may want to look to another service. Second, is there a direct redirect? If, upon selecting the short URL, you a...
 
The Advantages of Dynamic Website Content
2007-03-24 11:40:00
Think about your own surfing behavior. What types of websites do you visit the most often; which ones keep drawing you back? If you are like most internet surfers, you will spend much of your time hanging around websites with dynamic website content, or content that is updated constantly or personalized to your preferences. The age of static, archival websites is long gone, and in its place is a dynamic and powerful internet driven by PHP, ASP, CGI, and Java. But setting up a website with full SQL support and advanced features is not an easy task, especially for someone who is still waist deep in HTML coding. So...what to do? If you don't have the time or the will to commit to an advanced website with cutting-edge features and complicated scripts, there ...
 
Starting a Successful Forum
2007-03-24 11:32:00
How To Create A Successful Forum Hello. I have decided to take a few hours of my time to write up a how-to on creating a successful forum. These days there are hundreds if not thousands of forums launched each day, and I bet more than 80% of them will shut down over the next month. This is because making a forum is just as hard as making a web site, if not harder, as there is no real content to attract visitors; what you need is a great design and active members to be on your way to having a forum from which you can receive an income, and maybe even live off selling advertising and getting members to pay to sign up. Choosing A Theme: When choosing a theme make sure you are knowledgeable in that area, as most users will be looking for someone to answer their ques...
 
Serious Internet Security Concerns!
2007-03-24 11:17:00
These are some of the most dangerous things you can do online to hurt your Internet security. They are the most common methods people use to place themselves in danger on the Internet. Downloading attachments included in email messages that are not from people you personally know. Even if you only download or open them because you are interested to see what's inside, this can lead to adware, spyware and related problems. Downloading cracks from illegal websites, forums or groups. Cracks install adware or spyware when they are downloaded. Registering on websites to be able to download cracks is even worse. Downloading music from unknown sources. First get advice by visiting Yahoo Answers. Find out where peop...
 
Cross-Site Scripting
2007-01-18 00:44:00
Cross-site scripting (XSS) is deservedly one of the best known types of attacks. It plagues web applications on all platforms, and PHP applications are certainly no exception. Any application that displays input is at risk: web-based email applications, forums, guestbooks, and even blog aggregators. In fact, most web applications display input of some type; this is what makes them interesting, but it is also what places them at risk. If this input is not properly filtered and escaped, a cross-site scripting vulnerability exists. Consider a web application that allows users to enter comments on each page. The following form can be used to facilitate this: <form action="comment.php" method="POST"> <p>Name: <input type="text" name="name" /><br /> Comment: <textarea n...
 
File Upload Attacks
2007-01-18 00:32:00
Sometimes you want to give users the ability to upload files in addition to standard form data. Because files are not sent in the same way as other form data, you must specify a particular type of encoding, multipart/form-data: <form action="upload.php" method="POST" enctype="multipart/form-data"> An HTTP request that includes both regular form data and files has a special format, and this enctype attribute is necessary for the browser's compliance. The form element you use to allow the user to select a file for upload is very simple: <input type="file" name="attachment" /> The rendering of this form element varies from browser to browser. Traditionally, the interface includes a standard text field as well as ...
 
Semantic URL Attacks
2007-01-18 00:00:00
Curiosity is the motivation behind many attacks, and semantic URL attacks are a perfect example. This type of attack involves the user modifying the URL in order to discover what interesting things can be done. For example, if the user chris clicks a link in your application and arrives at http://example.org/private.php?user=chris, it is reasonable to assume that he will try to see what happens when the value for user is changed. For example, he might visit http://example.org/private.php?user=rasmus to see if he can access someone else's information. While GET data is only slightly more convenient to manipulate than POST data, its increased exposure makes it a more frequent target, particularly for novice attackers. Most vulnerabilities exist because of oversight, not because of any partic...
 
Forms and Data
2007-01-17 23:49:00
When developing a typical PHP application, the bulk of your logic involves data-processing tasks such as determining whether a user has logged in successfully, adding items to a shopping cart, and processing a credit card transaction. Data can come from numerous sources, and as a security-conscious developer, you want to be able to easily and reliably distinguish between two distinct types of data: filtered data and tainted data. Anything that you create yourself is trustworthy and can be considered filtered. An example of data that you create yourself is anything hardcoded, such as the email address in the following example: $email = 'chris@example.org'; This email address, chris@example.org, does not come from any remote source. This obvious observation ...
 
Filter Input
2007-01-17 06:59:00
Filtering is one of the cornerstones of web application security. It is the process by which you prove the validity of data. By ensuring that all data is properly filtered on input, you can eliminate the risk that tainted (unfiltered) data is mistakenly trusted or misused in your application. The vast majority of security vulnerabilities in popular PHP applications can be traced to a failure to filter input. When I refer to filtering input, I am really describing three different steps: identifying input, filtering input, and distinguishing between filtered and tainted data. The first step is to identify input because if you don't know what it is, you can't be sure to filter it. Input is any data that originates from a remot...
 
Error Reporting
2007-01-17 06:10:00
Every developer makes mistakes, and PHP's error reporting features can help you identify and locate these mistakes. However, the detailed information that PHP provides can be displayed to a malicious attacker, and this is undesirable. It is important to make sure that this information is never shown to the general public. This is as simple as setting display_errors to Off. Of course, you want to be notified of errors, so you should set log_errors to On and indicate the desired location of the log with error_log. Because the level of error reporting can cause some errors to be hidden, you should turn up PHP's default error_reporting setting to at least E_ALL (E_ALL | E_STRICT is the highest setting, offering suggestions for forward compatibility, such as deprecation notices). All error-reporting behavior can be modified at any level, so if you are on a shared host or are otherwise unable to make changes to files such as php.ini, httpd.conf, or .htaccess, you can implement these recommendations with code similar to the following: <?php ini_set('error_reporting', E_ALL | E_STRICT); ini_set('display_errors', 'Off'); ini_set('log_errors', 'On'); ini_set('error_log', '/usr/local/apache/logs/error_log'); ?> PHP also allows you to handle your own errors with the set_error_handler() function: <?php set_error_handler('my_error_handler'); ?> This allows you to define your own function (my_error_handler()) to handle errors; the following is an example implementation: <?php function my_error_handler($number, $string, $file, $line, $context) { $error = "========== PHP ERROR ========== "; $error .= "Number: [$number] "; $error .= "String: [$string] "; $error .= "File: [$file] "; $error .= "Line: [$line] "; $error .= "Context: " . print_r($context, TRUE) . " "; error_log($error, 3, '/usr/local/apache/logs/error_log'); } ...
 
Register Globals
2007-01-17 06:00:00
If you remember writing CGI applications in C in your early days of web application development, you know how tedious form processing can be. With PHP's register_globals directive enabled, the complexity of parsing raw form data is taken care of for you, and global variables are created from numerous remote sources. This makes writing PHP applications very easy and convenient, but it also poses a security risk. In truth, register_globals is unfairly maligned. Alone, it does not create a security vulnerability; a developer must make a mistake. However, two primary reasons you should develop and deploy applications with register_globals disabled are that it: Can increase the magnitude of a security vulnerability Hides th...
 
Create Dynamic Navigation Menus
2007-01-16 09:23:00
Use PHP to build a navigation menu widget that works consistently across your site. Writing the navigation menu for your site can be a pain. You don't want to write the same code over and over on every page. Ideally, you would have a PHP menu function that would render the menu with the current page highlighted. This hack gives you that simple menu function (for the low cost of this book, no less!). The Code Save the code in Example 1, which demonstrates the use of menu.php as index.php. Example 1. Using the menu library <?php require_once( "menu.php" ); $page = "home"; if ( isset($_GET['page']) && $_GET['page'] !== '' ) $page = $_GET['page']; ?> <html><head><title>Page - <?php echo htmlspecialchars($page); ?></title> <?php echo menu_css( ); ?></head><body>...
 
Create Drop-Down Stickies
2007-01-16 09:05:00
Use DHTML to position sticky drop-down windows relative to keywords in your HTML. Attaching a drop-down sticky to a word or phrase in your document is an easy way to add valuable information close to the word, without obscuring it. That way, the user can click on the word and get more contextual information, all without scrolling or lots of mouse movement. The Code Save the code in Example 1 as index.php. Example 1. PHP and JavaScript cooperate to make drop-down stickies work <?php $nextid = 1; function start_link( $text ) { global $nextid; $idtext = "a" . $nextid; ?> <a href="javascript: void drop( '<?php echo($idtext); ?>' );"><span id="a_<?php echo($idtext); ?>"><?php echo($text); ?></span></a><div id="<?php echo($idtext); ?>" class="drop"><table cellspacing="...
 
Section Your Content with Spinners
2007-01-16 08:36:00
Use spinners to divide your page content into sections, each of which you can show or hide individually. The Code The code for index.php is shown in Example 1. Example 1. PHP allowing for user selection of a specific spinner <?php function start_section( $id, $title ) { ?> <table cellspacing="0" cellpadding="0"><tr><td width="30" valign="top"><a href="javascript: void twist('<?php echo($id); ?>');"><img src="up.gif" border="0" id="img_<?php echo($id); ?>"/></a></td><td width="90%"><h1><?php echo( $title ); ?></h1><div id="<?php echo($id); ?>"> <?php } function end_section( ) { ?> </div></td></tr></table> <?php } function spinner_header( ) { ?> <style type="text/css"> body { font-family: arial, verdana; } h1 { font-size: medium; border-...
 
Build Dynamic HTML Graphs
2007-01-16 08:23:00
Using DHTML, you can build graphs that change without requiring even a page refresh. The result? Your users can play with data in real time. Something is fundamentally unsatisfying about the way the Web works. You click on a link, the page disappears, and that lovely spinning ball or ticking clock grinds by as a new page appears section by section, (hopefully) with the information you want. This certainly is not the interactivity we're all used to from our client-side applications. But, thank goodness, you can make an application that works without a page refresh. This hack shows you how to make an interactive scatter plot using a few graphics, some PHP, and a whole slew of JavaScript. The Code The index file, index.php, is shown in Example 1. Example 1...
 
Create Drag-and-Drop Lists With PHP
2007-01-16 08:09:00
Use JavaScript, DHTML, and PHP to create and use drag-and-drop lists. Creating an interface that allows the user to prioritize a list has always been a problem when working with HTML. With PHP, though, this is no longer the case. This hack uses an open source drag-and-drop library from ToolMan (http://tool-man.org/) to create drag-and-drop lists. The Code Enter the code shown in Example 1 and save it as index.html. Example 1. Building a drag-and-drop list with HTML and CSS <html><head> <style> #states li { margin: 0px; } ul.boxy li { margin: 3px; } ul.sortable li { position: relative; } ul.boxy { list-style-type: none; padding: 0px; margin: 2px; width: 20em; font-size: 13px; ...
 
Create Pop-Up Hints
2007-01-15 18:18:00
Use the overLIB library to pop up hints for words on your web page using JavaScript and PHP. With the overLIB JavaScript library (http://www.bosrup.com/web/overlib/), you can have handy pop-up labels that appear above text on your page. This hack makes it a little easier to create these links by providing a PHP wrapper function to invoke the library. The Code Save the code shown in Example 1 as index.php. Example 1. A wrapper function that simplifies overLIB use, courtesy of PHP <?php function popup( $text, $popup ) { ?> <a href="javascript:void(0);" onmouseover="return overlib('<?php echo($popup); ?> ');"><?php echo($text); ?></a> <?php } ?> <html> <head> <script type="text/javascript" src="overlib.js"><!-- overLIB (c) Erik Bosrup --> &l...
 
Put an Interactive Spreadsheet on Your Page
2007-01-15 17:54:00
Use the ActiveWidgets spreadsheet library to put an interactive JavaScript data control on your page. Let's face it: some data, particularly financial and statistical data, just looks better when it's presented as a spreadsheet. Unfortunately, HTML does a poor job of giving you an interactive spreadsheet-style feel, especially when it comes to scrolling around, sorting, or any of the truly interactive user experience elements of a spreadsheet. This hack uses the ActiveWidgets (http://activewidgets.com/) grid control to create a spreadsheet-style interface on a web page. The Code Save the code in Example 1 as index.php. Example 1. A script that provides state-specific data in a spreadsheet format <?php $states =...
 
Build Lightweight HTML Graphs With PHP
2007-01-15 17:43:00
Use HTML to create simple graphs for your data. It seems as though every site you go to these days requires QuickTime or Flash so that you can see fancy images and graphs. For simple bar graphs, though, you don't need fancy image rendering or Flash movies. You can use this hack to create bar graphs with just a few HTML tables and some PHP. The result looks just as cool as those other Flash-heavy sites but doesn't require any extra plug-ins or downloads. The Code Save the code in Example 1 as htmlgraph.php. Example 1. Drawing some simple bar graphs <html> <?php $data = array( array( "movies", 20 ), array( "food", 30 ), array( "workout", 10 ), array( "work", 40 ) ); $max = 0; foreach ( $data as $d ) { $max += $d[1]; } ?> <body> <t...
 
Add Tabs to Your Web Interface Using PHP and CSS
2007-01-15 17:35:00
Use HTML and CSS to create a tabbed interface for your web application. Sometimes there is just too much data to put onto one web page. An easy way to break up a site (or even a content-heavy page) is to display it using tabs, where the data is broken up into subelements, each correlating to a named tab. Lucky for us, tabs are a piece of cake with PHP. The Code Save the code in Example 1 as index.php. Example 1. Using the tabs library to show a tabbed interface <?php require_once("tabs.php"); ?> <html> <head> <?php tabs_header(); ?> </head> <body> <div> <?php tabs_start(); ?> <?php tab( "Tab one" ); ?> This is the first tab. <?php tab( "Tab two" ); ?> This is the second tab. <...
 