Archive for September, 2006
mod_rewrite tips and tricks
By Justin Silverton
What is mod_rewrite?
mod_rewrite is a rewriting engine (based on regular expressions) built into the Apache web server; it is used to rewrite URLs dynamically. The URL manipulations can depend on various tests of server variables, environment variables, HTTP headers, or time stamps. Even external database lookups in various formats can be used to achieve highly granular URL matching.
How to install it
Apache ships with the mod_rewrite module installed by default, but it is not enabled. So if you have Apache installed on your own server, you will need to enable it.
If you need to install Apache on your system, there are many free, easy-to-install packages available:
XAMPP - http://www.apachefriends.org/en/xampp.html
apache2triad - http://apache2triad.net/
apachePHPMysql - http://apachephpmysql.narhoz.ru/
EasyWebServer - http://e.w.s.free.fr/index_fr.php
FoxServ - http://sourceforge.net/projects/foxserv/
Setting it up
Once installed, mod_rewrite basically relies on one file for all its functionality. It's called .htaccess. This file should be placed in the root directory of your website.
A simple Redirect
Place the following in a .htaccess file:
RewriteEngine on
RewriteRule ^test\.html$ test2.html
RewriteEngine on should always be placed at the beginning of all your .htaccess files.
Note: If you are using a hosting provider, you may have to place the following line in your file (under RewriteEngine on): RewriteBase /
Script details:
- ^ marks the start of the string to be matched. If a relative URL is used, matching starts in the same directory as the .htaccess file.
- $ marks the end of the string to be matched.
- \ is used to escape the period. In a regular expression an unescaped period matches any character, so periods need the \ before them when they are meant literally rather than as part of the rule (in this case, the period is part of the filename).
This script will redirect all access from test.html to test2.html, i.e. if a user goes to http://www.yoursite.com/test.html, they will be automatically forwarded to http://www.yoursite.com/test2.html.
Other interesting uses
A) Blocking a specific IP address from accessing your website.
RewriteCond %{REMOTE_ADDR} ^(W\.X\.Y\.Z)$
RewriteRule ^/* http://www.yoursite.com/sorry.htm [L]
Replace W.X.Y.Z with the IP address you would like to block, and http://www.yoursite.com/sorry.htm with the URL to redirect to.
B) Block/redirect a site that is linking to you
RewriteCond %{HTTP_REFERER} ^http://www\.blockedsite\.com [NC]
RewriteRule ^/* http://www.yoursite.com/sorry.htm [L]
Replace http://www.blockedsite.com/ with the site you do not want linking to you, and http://www.yoursite.com/sorry.htm with the URL to redirect to.
C) Preventing people from linking to your images
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yoursite\.com [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} ^http://.*$
RewriteRule \.(png|gif|bmp|jpe?g)$ /images/stopstealing.png [L]
Replace yoursite.com with your site, and /images/stopstealing.png with an image path of your choice.
Full Apache Docs: http://httpd.apache.org/docs/2.0/mod/mod_rewrite.html
Common PHP security mistakes
By Justin Silverton
In one of my previous articles, I mentioned the top 5 security mistakes made in PHP. This article is a follow-up, with some more common security mistakes.
System Calls
In PHP, there are different ways to execute system calls. The system(), exec(), and passthru() functions all allow you to execute operating-system commands from within your scripts.
Each of these functions, if its input is not checked, can also allow a malicious user to exploit your system and execute commands that could possibly access private files and information.
Protecting your system from this attack
The input from the user, no matter the context, should never be trusted. PHP provides two functions for this purpose, escapeshellarg() and escapeshellcmd().
The escapeshellarg() function is designed to remove or otherwise neutralise any potentially harmful characters received from user input before it is used as an argument to a system command (for example, a zip command).
The syntax for this function is as follows:
escapeshellarg($command)
where $command is the input to clean, and the return value is the cleaned string. When executed, this function will add single quotes around the string and escape (add a slash in front of) any single quotes that exist in the string.
escapeshellcmd() is similar to this function, except it will only escape characters that have a special meaning to the underlying operating system. If user input will be used as part of the argument list for a system call, the escapeshellarg() function is always the better choice.
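As an added example (not code from the original article), here is the zip case done both ways: the raw concatenation the text warns about, shown only in a comment, and a version that allowlists the name and passes every argument through escapeshellarg(). The archive directory and the filename pattern are assumptions.

```php
<?php
// Added example: build a zip command from a request parameter.
// ARCHIVE_DIR is an assumed location; it should not be writable by the web user.
const ARCHIVE_DIR = '/var/www/archive';

/**
 * Return the shell command that zips one file from ARCHIVE_DIR, or null if
 * the requested name is not acceptable. Nothing from the request reaches the
 * shell unquoted.
 */
function buildZipCommand(string $requestedName): ?string
{
    // Allowlist first: a plain basename, no path separators, no leading dot.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/', $requestedName)) {
        return null;
    }
    $source = ARCHIVE_DIR . '/' . $requestedName;
    if (!is_file($source)) {
        return null;
    }
    $target = $source . '.zip';
    // escapeshellarg() wraps each argument in single quotes and neutralises
    // any embedded single quote, so shell metacharacters in the name are inert.
    return 'zip ' . escapeshellarg($target) . ' ' . escapeshellarg($source);
}

// Unsafe form for comparison (never do this): the raw value is spliced
// straight into the command line, so the shell interprets anything in it.
//   $cmd = 'zip /tmp/out.zip ' . $_GET['file'];

$cmd = buildZipCommand($_GET['file'] ?? '');
if ($cmd === null) {
    http_response_code(400);
    exit('invalid file name');
}
exec($cmd, $output, $status);
echo $status === 0 ? 'archived' : 'zip failed';
```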
File Uploads
PHP will create a file with the uploaded content, but will not check whether the filename is valid, or whether the type and size are correct.
A user could potentially create his own form specifying the name of some other file that contains sensitive information and submit it, resulting in the processing of that other file.
Solution
Use move_uploaded_file() or is_uploaded_file(), which confirm that the file really arrived through the current HTTP upload. There are other problems with user-uploaded files as well, so also check the $_FILES superglobal array to make sure that the user has uploaded the correct file type and size.
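The checks above put together, as an added example that is not part of the original article: the handler below assumes a form field named photo, an upload directory outside the document root, a 2 MB cap and an image-only allowlist, and it ignores the client-supplied filename and MIME type entirely.

```php
<?php
// Added example: validate $_FILES['photo'] before storing it.
// All three constants are assumptions for this example.
const UPLOAD_DIR = '/var/www/uploads';   // outside the document root
const MAX_BYTES  = 2 * 1024 * 1024;      // 2 MB cap
const ALLOWED    = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

/**
 * Validate the upload and move it to UPLOAD_DIR under a generated name.
 * Returns the stored path or throws with a reason the caller can log.
 */
function storeUploadedPhoto(array $files): string
{
    if (!isset($files['photo']) || $files['photo']['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('no file or upload error');
    }
    $tmp = $files['photo']['tmp_name'];
    // is_uploaded_file() confirms the path came from this HTTP upload, so a
    // forged form cannot point the script at some other local file.
    if (!is_uploaded_file($tmp)) {
        throw new RuntimeException('not an uploaded file');
    }
    if (filesize($tmp) > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // $files['photo']['type'] is set by the browser; sniff the bytes instead.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('unsupported type ' . $mime);
    }
    // The client filename is never used: a random name avoids path tricks and
    // overwrites, and the extension comes from the sniffed type.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    if (!move_uploaded_file($tmp, $dest)) {
        throw new RuntimeException('move failed');
    }
    return $dest;
}

try {
    echo 'stored as ' . basename(storeUploadedPhoto($_FILES));
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'upload rejected';          // log $e->getMessage() server-side
}
```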
Including Files
In PHP you can include local or remote files by using include(), include_once(), require() and require_once(). This allows you to have separate files for classes, reused code and so on, increasing the maintainability and readability of your code.
The concept of including remote files is dangerous in itself, though, because the remote site could be compromised or the network connection could be spoofed. In either scenario, you are injecting unknown and possibly hostile code directly into your script.
Another issue to think about when including files is whether the file that is included depends on user input. This poses a potential security issue, which can be fixed by verifying and cleaning incoming variables.
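One way to do that verification, as an added example rather than code from the article: the request supplies only a page name, which is looked up in a fixed map, and the resolved path is additionally checked with realpath() to stay inside the assumed pages directory.

```php
<?php
// Added example: pick an include from the "page" query parameter safely.
// PAGE_DIR and the PAGES map are assumptions for this example.
const PAGE_DIR = __DIR__ . '/pages';

// Explicit map from public names to files; the request never names a path.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Resolve a page name to an absolute path inside PAGE_DIR, or null.
 * realpath() is checked too, so a symlink or stray file cannot escape.
 */
function resolvePage(string $name): ?string
{
    if (!isset(PAGES[$name])) {
        return null;
    }
    $path = realpath(PAGE_DIR . '/' . PAGES[$name]);
    $base = realpath(PAGE_DIR);
    if ($path === false || $base === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// The pattern the article warns about: include($_GET['page'] . '.php');
// With that form the request controls the path, and a remote URL if the
// allow_url_include php.ini setting is on (keep it Off).

$page = resolvePage($_GET['page'] ?? 'home');
if ($page === null) {
    http_response_code(404);
    exit('no such page');
}
include $page;
```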
Conclusion
Don’t trust any incoming variables ($_GET, $_POST, or $_COOKIE). These can all be set by a malicious user and possibly compromise the security of your system.
Five Tips for Freelance PHP Coders
Introduction
If you’ve decided that working for yourself as a self-employed web developer or PHP coder sounds like your cup of tea, but you feel as if the task is a bit daunting, then listen up. We’ve put together a list of helpful tips that will enable you to go wherever it is you want your own business to go. You should know that these are in no particular order and we consider them all equally important. As well, please be advised that this is by no means a guarantee to your success, nor is it a comprehensive list of potential obstacles you may encounter.
1. Guard Your Reputation With Your Life
Your reputation is the most important asset you have, and you should treat it as such. You might be the most competent coder on the planet, but if you have a reputation for being difficult to work with, or unreliable, getting new clients will be more difficult, you will lose referrals from current clients and you will find you will have to prove yourself over and over again. Don’t make promises you can’t keep, and remember that your actions today may have a profound effect on the future success of your business. Maintaining a contract business is difficult enough without you inadvertently sabotaging your own efforts.
2. Be Passionate About Your Work
Clients want to see genuine enthusiasm and they will take comfort in the fact that you have a personal investment in their web site. A larger company may be able to offer the same coding services that you can, but you can use that “personal touch” to your advantage.
3. Be Responsive And Communicate Often
Even if things are crazy or if you are extremely behind schedule, taking five minutes to make a quick change for a client’s site or sending a quick e-mail to update your client about the status of his project will really go a long way in diffusing a potentially damaging situation. Of course, this will only buy you a little time, but it is much better than ignoring a client altogether and aggravating the situation.
You can also provide status reports for your clients weekly or bi-weekly, so they are kept in the loop as to how things are progressing. Knowing that you will have to be presenting these reports helps you maintain accountability for the project and keeps you moving forward, as well as keeping your client informed.
Along with this goes the advice of promptly returning phone calls and e-mails. Some of us are averse to using the phone, but by giving your client the courtesy of returning a phone call, you are in essence communicating that you value their business and that you are there to help. Likewise with e-mails, they should be responded to immediately, not three or four days later.
4. Don’t Be An Ostrich
When things get overwhelming (and they will), resist the urge to stick your head in the sand and play another game of . This will only exacerbate the situation. If you cannot see the light at the end of the tunnel, get help. Enlist a trusted colleague with a few small pieces of the bigger project. Better yet, enlist several trusted colleagues. Whatever you do, make sure you’re doing something to chip away at the workload.
5. Remember That You Are Your Own Ambassador
Tact and diplomacy can be your best friends, especially when a client is asking for the impossible. Unlike coding jobs in the industry, where you have a full staff of sales and marketing and executive types buffering the client from the dungeons of the coders, when you are your own boss, you are thrust onto the surface world and must deal directly with the clients. Try not to be condescending or openly laugh at their ignorance; you will only alienate them and risk losing them as a client (and any referrals they might have passed your way). At least wait until they are no longer within earshot; then mock away.
Original article:
http://www.php-mag.net/magphpde/magphpde_article/psecom,id,746,nodeid,21.html
5 reasons why osCommerce is a nightmare
By Justin Silverton
What is Open Commerce?
From oscommerce.com: “osCommerce is the leading Open Source online shop e-commerce solution that is available for free under the GNU General Public License. It features a rich set of out-of-the-box online shopping cart functionality that allows store owners to setup, run, and maintain their online stores with minimum effort and with no costs, license fees, or limitations involved.
The goal of the osCommerce project is to continually evolve by attracting a community that supports the ongoing development of the project at its core level and extensively through contributions to provide additional functionality to the already existing rich feature set.”
Why Shouldn’t I use it?
1) No separation of logic and presentation
Smaller applications can be created without separating logic and presentation, but when an application gets as large as osCommerce, there needs to be some kind of templating system in place.
A templating system can also be used to cache dynamic pages and improve the overall performance.
A good, scalable system needs to be engineered from the ground up. It looks to me like it was hacked together with pieces of code here and there.
2) Difficult to integrate into an existing design
Out of the box, the cart works fairly well. If you want to make any drastic design changes, you will run into major issues.
Although it is free, and this may be enticing to many companies, the time and labor cost of updating the cart to suit your needs ends up being more than that of many of the commercial carts available.
3) Security
Although it is updated, the lack of separation described in #1 makes it very difficult to apply updates without having to manually open up each .php file and make the changes yourself.
4) Cannot have multiple sizes of image previews (thumbnail, medium, large)
5) Admin navigation issues
a) It is hard to set a shipping cost per item (with different items having different costs) per country.
b) Editing product descriptions seems a little awkward. Overall, it looks like it was developed for a programmer rather than a store owner.
Commercial alternatives
cubecart - http://www.cubecart.com/
sunshop - http://www.turnkeywebtools.com/
Miva Merchant - http://www.miva.com
Open source alternatives
Interchange - http://www.icdevgroup.com/
Followup
Another alternative to osCommerce is a fork of the original project called Zen Cart. It is also freely available and can be downloaded here: http://www.zen-cart.com/