Posted by: Shofiur Rahman

Posted on: August 15, 2012 4:03 pm

-

Zend Optimizer acts in a similar way to APC and eAccelerator: it caches the compiled state of PHP scripts, so subsequent requests execute faster. To accelerate PHP further, Zend Optimizer also allows scripts encoded by Zend Encoder to be run on the server.

Installing Zend Optimizer

Installing the Zend Optimizer is easier than the other caching solutions, as it comes with a setup wizard.

To install Zend Optimizer, follow the steps below:

  1. Download the appropriate package from http://zend.com/store/products/zend-optimizer.php.
  2. Decompress the archive, and go into the newly created directory:

    tar -xvzf ZendOptimizer-2.5.10a-linux-glibc21-i386.tar.gz

    cd ZendOptimizer-2.5.10a-linux-glibc21-i386

  3. Run the install wizard as root:

    ./install.sh

    Run through the wizard, specifying the necessary paths when prompted.

  4. At the end, restart Apache.

Removing Zend Optimizer

To remove Zend Optimizer, follow the steps below:

  1. Delete the symbolic link it created for php.ini.
  2. Restore the backed-up original php.ini file to its former location.
  3. Restart Apache.

Zend Optimizer will no longer be active. Now we can delete the Zend Optimizer files; the default location is /usr/local/Zend.

Posted by: Shofiur Rahman

Posted on: July 25, 2012 3:14 pm

-

PHP5 provides magic methods to make Object Oriented Programming (OOP) easier. Magic methods are specially named methods, available to every class, that PHP calls automatically in certain situations.

Some Magic methods in PHP5

__construct() Called when an object is instantiated.
__destruct() Called when an object is destroyed.
__call() Provides actions or return values when an undefined method is called on an object.
__get() Specifies custom behaviour for reading properties that are not defined in the class. It takes one argument, the name of the property.
__set() The counterpart of __get() for writing such properties; it takes two arguments: the name of the property and the new value.
__toString() Returns a custom string value that is used automatically when the object is converted to a string.
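The following class, added here as an example and not taken from the original post, implements the methods in the list above; the class name Record and its $data store are hypothetical.

```php
<?php
// Added example, not from the original post: Record and its $data store are
// hypothetical. Each magic method records that it fired.
class Record
{
    private $data = array();   // backing store for undeclared properties
    private $log  = array();   // which magic methods fired, in order

    public function __construct(array $initial = array())
    {
        $this->data  = $initial;
        $this->log[] = '__construct';
    }
    // Runs on a read of a property the class does not declare.
    public function __get($name)
    {
        $this->log[] = "__get($name)";
        return isset($this->data[$name]) ? $this->data[$name] : null;
    }
    // Runs on a write to an undeclared property: receives name and new value.
    public function __set($name, $value)
    {
        $this->log[] = "__set($name)";
        $this->data[$name] = $value;
    }
    // Runs when an undefined method is called; $args holds the arguments.
    // Here a getXyz() call is mapped onto the 'xyz' entry of the store.
    public function __call($method, $args)
    {
        $this->log[] = "__call($method)";
        if (strpos($method, 'get') === 0 && $args === array()) {
            return $this->__get(lcfirst(substr($method, 3)));
        }
        throw new BadMethodCallException("Undefined method $method");
    }
    // Used whenever the object is converted to a string (echo, concatenation).
    public function __toString()
    {
        return 'Record(' . json_encode($this->data) . ')';
    }
    public function calls() { return $this->log; }
}

$r = new Record(array('title' => 'Hello'));
$r->author = 'Shofiur';       // __set
$title  = $r->title;          // __get
$author = $r->getAuthor();    // __call, which delegates to __get
echo $r, "\n";                // __toString
print_r($r->calls());         // __destruct would fire once $r is released
```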

Posted by: Shofiur Rahman

Posted on: July 11, 2012 4:13 pm

-

Every day hackers discover new exploits and hacking techniques. We can defend against some categories of attack in our PHP scripts.

Abusing register_globals

register_globals is a setting in php.ini that controls the automatic population of variables with the same names as form elements or cookies. If register_globals is set to On, it can bring disaster to your website.

Since PHP 4.2.0 the default value for register_globals has been Off, but web hosts often re-enable it to provide compatibility with older scripts. The following example makes the difference between register_globals On and Off clear.

Suppose username is a form element. With register_globals Off, the only way to get the value of this form element is through the $_POST or $_GET array, depending on the form's action method. When register_globals is On, the username field's value is accessible through $_POST or $_GET and also as $username.

If you are not able to disable register_globals in php.ini, you can turn it off using an .htaccess file:

php_flag register_globals off
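The two functions below, added as an example that is not part of the original post, contrast a script written for register_globals=On with the explicit form; extract() stands in for what the setting does to a request, and the credentials 'user'/'pass' are placeholders.

```php
<?php
// Added example, not from the original post. register_globals copies every
// request field into a PHP variable of the same name; extract() is used here
// only to imitate that on a constructed request, so the effect is visible
// without touching php.ini. The credentials 'user'/'pass' are placeholders.

// Constructed request: wrong password, plus a field the login form never had.
$request = array('name' => 'guest', 'password' => 'wrong', 'authorized' => '1');

// Fragile pattern, as scripts were written for register_globals=On.
function check_fragile(array $request)
{
    extract($request);           // stands in for register_globals: creates $name, $password, $authorized
    if ($name === 'user' && $password === 'pass') {
        $authorized = true;      // the flag is only ever set, never initialised to false
    }
    return !empty($authorized) ? 'granted' : 'denied';
}

// Explicit pattern: behaves the same with the setting On or Off.
function check_explicit(array $post)
{
    $authorized = false;                                               // initialise every flag
    $name     = isset($post['name'])     ? $post['name']     : '';     // name the input source
    $password = isset($post['password']) ? $post['password'] : '';
    if ($name === 'user' && $password === 'pass') {
        $authorized = true;
    }
    return $authorized ? 'granted' : 'denied';
}

echo 'fragile:  ', check_fragile($request), "\n";
echo 'explicit: ', check_explicit($request), "\n";
```

With the constructed request the fragile version grants access purely because of the stray authorized field, while the explicit version denies it.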

SQL Injection Attacks

SQL injection attacks are simply the inclusion of malicious SQL statements in place of what should be harmless data. SQL injection preys on a lack of input scrubbing and data validation.

SQL injection is fairly avoidable with a little preparation and careful coding practice. If magic_quotes_gpc is enabled, PHP automatically escapes any escape characters (e.g. apostrophes). Unfortunately, this is applied to all GET, POST and Cookie variables regardless of whether they will be used in an SQL statement, which is often annoying. To make sure data is escaped only when we need it to be, we can turn off magic_quotes_gpc in php.ini and call addslashes() on all data that is passed to MySQL. addslashes() escapes the unsafe characters so our input will not choke MySQL.

Cross-Site Scripting

Cross-Site Scripting, abbreviated XSS, is the abuse of unfiltered dynamic output, where the attacker is able to add to or change the page's generated markup. Most commonly this means adding a small piece of JavaScript to the output of a page, which then does something malicious, such as tricking another user into revealing their login credentials or credit card information, or divulging cookie or session information for immediate account compromise.
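A search handler that applies the controls from the SQL injection and XSS sections together, added here as an example and not part of the original post: the query uses a mysqli prepared statement (a bound parameter rather than the addslashes() escaping described above) and every dynamic value is HTML-encoded on output; the table, columns and connection details are placeholders.

```php
<?php
// Added example, not from the original post. The product table, its columns
// and the database credentials are placeholders.

// Output encoding: one helper, used for every dynamic value in the markup.
function h($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Lookup with a prepared statement: the SQL text contains only a '?', the
// user's term travels as a bound parameter and cannot alter the statement.
// (A '%' or '_' typed by the user still acts as a LIKE wildcard; that affects
// which rows match, not the structure of the query.)
function find_products(mysqli $db, $term)
{
    $stmt = $db->prepare('SELECT name, price FROM products WHERE name LIKE ? LIMIT 20');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $pattern = '%' . $term . '%';
    $stmt->bind_param('s', $pattern);     // 's' = string; quoting is the driver's job
    $stmt->execute();
    $stmt->bind_result($name, $price);
    $rows = array();
    while ($stmt->fetch()) {
        $rows[] = array('name' => $name, 'price' => $price);
    }
    $stmt->close();
    return $rows;
}

$term = isset($_GET['q']) ? $_GET['q'] : '';
$db = new mysqli('localhost', 'dbuser', 'dbpass', 'shop');   // placeholder credentials
$db->set_charset('utf8mb4');

echo '<h2>Results for "' . h($term) . '"</h2>';   // the term is echoed back: encode it
echo '<ul>';
foreach (find_products($db, $term) as $row) {
    echo '<li>' . h($row['name']) . ' - ' . h($row['price']) . '</li>';
}
echo '</ul>';
// Attribute context: safe with ENT_QUOTES as long as the attribute is quoted.
echo '<input type="text" name="q" value="' . h($term) . '">';
```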

Posted by: Shofiur Rahman

Posted on: July 4, 2012 3:46 pm

-

The four basic steps to generate an image using PHP are as follows:

  • Creating a canvas image on which to work.
  • Drawing shapes or printing text on that canvas.
  • Outputting the final graphic.
  • Cleaning up resources.

Sample PHP script:

<?php
// Creating a canvas image
$height = 200;
$width = 200;
$im = imagecreate($width, $height);
// The first colour allocated on a palette image becomes its background
$white = imagecolorallocate($im, 255, 255, 255);
$black = imagecolorallocate($im, 0, 0, 0);

// Drawing shapes or printing text
imagefill($im, 0, 0, $black);
imageline($im, 0, 0, $width, $height, $white);
imagestring($im, 4, 50, 150, 'Label text', $white);

// Output image (the header must be sent before any other output)
header('Content-type: image/png');
imagepng($im);

// Clean up
imagedestroy($im);
?>

Posted by: Shofiur Rahman

Posted on: June 27, 2012 4:32 pm

-

Authenticating a user involves the following steps:

  • Identifying visitors
  • Implementing access control
  • Authentication

Identifying Visitors

The web is a fairly anonymous medium, but it is often useful to know who is visiting your site so you can focus on the right business area. Because of users' privacy you can learn only a little about visitors directly, but with a little work the server can find out quite a lot about users' computers, networks, browsers and so on. From a visitor's IP address you can work out the visitor's geographic location.

Implementing access control

Simple access control is not difficult to implement; a simple PHP script is shown below.

<?php
// Create short names for the submitted form fields
$name = isset($_POST['name']) ? $_POST['name'] : '';
$password = isset($_POST['password']) ? $_POST['password'] : '';

if (empty($name) || empty($password)) {
    // Visitor needs to enter a name and password.
?>

<strong>Please Log In</strong>

<form method="post" action="login.php">
<label>User Name: </label> <input type="text" name="name" />
<label>Password:</label> <input type="password" name="password" />
<input type="submit" value="Log In" />
</form>

<?php
} else if ($name === 'user' && $password === 'pass') {
    // Login successful
} else {
    // Login failed
}
?>

Encrypting passwords

To secure the access control you need to apply a cryptographic algorithm to the user's login. The PHP function crypt() provides a one-way cryptographic hash function. Its prototype is

string crypt(string $str [, string $salt])
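How crypt() is used for stored passwords, added here as an example and not part of the original post: a bcrypt ("$2y$") salt is generated for each password and the returned string is stored instead of the password; it assumes PHP 5.3.7 or later for $2y$ and PHP 5.6 or later for hash_equals(), and the password value is constructed.

```php
<?php
// Added example, not from the original post. Assumes PHP >= 5.3.7 ($2y$
// bcrypt in crypt()) and PHP >= 5.6 (hash_equals()). Password is constructed.

// Build a bcrypt salt: "$2y$" + cost + "$" + 22 characters from [./A-Za-z0-9].
function make_salt($cost = 10)
{
    $raw   = openssl_random_pseudo_bytes(16);
    $chars = substr(strtr(base64_encode($raw), '+', '.'), 0, 22);
    return sprintf('$2y$%02d$%s', $cost, $chars);
}

// What to store at registration: crypt() returns salt and hash together,
// so the stored string carries everything needed to verify later.
function hash_password($password)
{
    $hash = crypt($password, make_salt());
    if (strlen($hash) !== 60) {          // crypt() returns a short string on failure
        throw new RuntimeException('bcrypt is not available in this PHP build');
    }
    return $hash;
}

// What to do at login: re-run crypt() with the stored hash as the salt and
// compare in constant time so the comparison does not leak how much matched.
function verify_password($password, $stored_hash)
{
    return hash_equals($stored_hash, crypt($password, $stored_hash));
}

// Demonstration with a constructed password.
$stored = hash_password('correct horse');   // persist this, never the plain password
var_dump(verify_password('correct horse', $stored));
var_dump(verify_password('wrong password', $stored));
```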

Basic Authentication in PHP

HTTP has some built-in authentication facilities. Scripts or web servers can request authentication from a web browser, which is then responsible for displaying a dialog box or similar device to get the required information from the user.

PHP scripts are generally cross-platform, but using basic authentication relies on environment variables set by the server. A sample of HTTP basic authentication using PHP is shown below.

<?php
// Read the server-provided values explicitly (no reliance on register_globals)
$SERVER_SOFTWARE = isset($_SERVER['SERVER_SOFTWARE']) ? $_SERVER['SERVER_SOFTWARE'] : '';
$PHP_AUTH_USER = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : null;
$PHP_AUTH_PW = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : null;
$HTTP_AUTHORIZATION = isset($_SERVER['HTTP_AUTHORIZATION']) ? $_SERVER['HTTP_AUTHORIZATION'] : '';

// If we are using IIS, we need to set $PHP_AUTH_USER and $PHP_AUTH_PW ourselves
// from the raw Authorization header ("Basic " followed by base64 of "user:pass")
if (substr($SERVER_SOFTWARE, 0, 9) == 'Microsoft' && $PHP_AUTH_USER === null
    && $PHP_AUTH_PW === null && substr($HTTP_AUTHORIZATION, 0, 6) == 'Basic ') {
    // Limit of 2 keeps a password that itself contains ':' intact
    list($PHP_AUTH_USER, $PHP_AUTH_PW) = explode(':', base64_decode(substr($HTTP_AUTHORIZATION, 6)), 2);
}

// Replace this if statement with a database query or similar
if ($PHP_AUTH_USER != 'user' || $PHP_AUTH_PW != 'pass') {
    // Visitor has not yet given details, or their
    // name and password combination are not correct
    header('WWW-Authenticate: Basic realm="Realm-Name"');
    if (substr($SERVER_SOFTWARE, 0, 9) == 'Microsoft') {
        header('Status: 401 Unauthorized');
    } else {
        header('HTTP/1.0 401 Unauthorized');
    }
    echo 'You are not authorized to view this resource.';
} else {
    // Visitor provided correct details.
}
?>

Posted by: Shofiur Rahman

Posted on: June 20, 2012 4:00 pm

-

An ecommerce website security policy is a document that explains

  • The general attitude towards security in your ecommerce website.
  • What is to be protected (e.g. software, hardware, data).
  • Who is accountable for defending these items.
  • Standards for security, and metrics that quantify how well those standards are being met.

A good guideline for writing your security policy is that it is like writing a set of functional requirements for the ecommerce website. The policy should not discuss exact implementations or solutions, but rather the goals and security requirements in your environment.

You should maintain a separate document that sets out strategies for how the requirements of the security policy are met in a specific environment; you can have different policies for different parts of your website. This is more along the lines of a design document or procedures manual that records what is actually done to ensure the level of security you require.

Posted by: Shofiur Rahman

Posted on: June 13, 2012 4:41 pm

-

Disclosure of secret data:

In an ecommerce website, confidential information is provided by the customer, such as a password, contact details and credit card details. To reduce the risk of exposure, you need to limit the methods by which this information can be accessed and introduce user authentication into the system.

Loss or destruction of data:

It can be more costly for you to lose data than to have it exposed. If you spent months building up your site, gathering user data and orders, how much would it cost you, in time, reputation and pounds, to lose all that information? If you have no backups of your data, you would have to rewrite the website in a hurry and start from scratch. So you need to integrate a backup system with your ecommerce website.

Modification of data:

Although the loss of data could be damaging, modification could be worse. To protect against modification of data you need to look at points such as file permissions, data encryption and digital signatures.

Denial of service:

One of the most difficult threats to guard against is denial of service. These attacks are so difficult to guard against because there are a huge number of ways of carrying them out. Methods include installing a program on a target machine that uses most of the system's processor time, reverse spamming, and so on.

Inaccuracy in software:

Errors in software can lead to all sorts of unpredictable behavior including service unavailability, security breaches, financial losses and poor customer service. Common causes of errors that you can look for include poor specifications, faulty assumptions made by developers and inadequate testing.

Repudiation:

The final risk we will consider is repudiation. Repudiation occurs when a party involved in a transaction denies having taken part.

Posted by: Shofiur Rahman

Posted on: June 6, 2012 3:52 pm

-

To develop an ecommerce website we have to create a security policy. Some issues to consider when building a secure ecommerce website are pointed out below.

  • How important is your information?
  • Security threats
  • Designing a security strategy
  • Balancing usability, performance, cost and security
  • Authentication principles
  • Using authentication
  • Encryption basics
  • Private key encryption
  • Public key encryption
  • Digital signatures
  • Digital certificates
  • Secure web server
  • Auditing and logging
  • Firewalls
  • Backup data
  • Physical security

How important is your information?

When considering website security, you need to assess the importance of your data both to you and to the hackers. It might be attractive to maintain the highest level of security, but it increases website development and maintenance costs. So you have to weigh the cost of implementing security policies against the value of the information.

Security Threats

Security threats might include the following points, depending on your website.

  • Disclosure of secret data
  • Loss or destruction of data
  • Modification of data
  • Denial of service
  • Inaccuracy in software
  • Repudiation

The above security threats will be discussed in detail in the next tutorials.

Posted by: Shofiur Rahman

Posted on: November 29, 2011 11:04 am

-

We all know how amazing Flash is; it is possibly the nicest-looking type of website out there. However, there are a few problems with having Flash on your site. The first is that it is invisible to Google, the second is that Flash files can take a long time to load, and finally they cannot be used on mobiles.

Google has released a tool called Swiffy, a name that may come from the SWF file it requires for conversion. Swiffy takes the SWF file you have uploaded and converts it, showing you the code and the Flash file next to each other so you can compare the two.

At the bottom of the page there is a link to your uploaded Flash file in HTML; all you then have to do is view the source code and copy the script, and your code is ready to upload to any site you want.

I have already tested the HTML 5 conversions on a mobile device (iPhone 3GS) and they do work, even the games that Google provides; I have also uploaded my own Flash files. Flash games do work when converted, but the more complex the game is, the laggier the HTML version is on mobile devices. This may not be the case for phones such as the iPhone 4S, but unfortunately I have not had the opportunity to test this. Converted Flash animations are quite fast and only a little slower than what is displayed on a PC.

All in all, Swiffy is going to be of great use to all web designers and animators; now their work can be easily displayed not only on computers but also on mobile devices. It is only a matter of time before Swiffy becomes more popular and all Flash files are converted into HTML for speed, SEO reasons and across-the-board usability.
