Jaslabs: High performance Software

Archive for October, 2007

How to turn a php script to an exe..for free

There are a few commercial products out there that allow you to turn your PHP scripts into an executable. While most of them work well, I have found a way to do it for free, using an open source application called Wapache (based on the Apache web server and distributed under the Apache License 2.0).

Wapache doesn't convert your script directly into an executable; it runs as a combination of a Windows app (which uses an embedded IE control) and a stripped-down version of Apache.

Features

  • No Internet Explorer menu, tool bar, or address bar.
  • Precise control over placement of windows
  • Three types of windows: basic, tool windows, and dialog boxes (modal and modeless)
  • Fully customizable drop-down and context menu
  • System Tray integration
  • Asynchronous data handling
  • Works with standard Apache modules like mod_php and mod_perl

(Screenshot: Wapache running phpMyAdmin)

How to turn your php script into an executable

1) Copy all of your scripts/files into the htdocs directory (make sure that the main file is called index.php)
2) Launch bin/wapache.exe
3) You will now see your PHP script in the application that is running

There are also many options that allow you to configure the app in different ways. They can be found on line 100 of conf/default.wcf (documentation for this config file can be found here):

<StandardWindow Main>
HorizontalAlign Center
VerticalAlign Middle
Height 60%
Width 60%
3DBorder Off
IconPath "../icons/lightbulb.ico"
</StandardWindow>

This could be used for a demo/trial of a web application. A Windows installer could also be used (NSIS works well and is free) to create a fully installable desktop application.

Since this relies only on the Apache web server, it's also possible to use it with any type of script that Apache supports.

Download

The latest version of Wapache can be found here


A better way to Protect Your PHP/MySQL Queries from SQL Injection

By Justin Silverton

In an article I saw today about PHP/MySQL security, called "protecting your php/mysql queries from sql injection", the following method was described as a safe way to execute MySQL queries (preventing what is known as a SQL injection attack).

// This is a vulnerable query.
$query = "SELECT * FROM products WHERE name='$productname'";
mysql_query($query);

// This just uses mysql_real_escape_string
$query = sprintf("SELECT * FROM products WHERE name='%s'",
    mysql_real_escape_string($productname));
mysql_query($query);

This will work with SELECT and INSERT statements, but mysql_real_escape_string does not escape the % and _ wildcard characters, so it will not work with statements such as LIKE, GRANT, or REVOKE. The following is a more secure way of preventing SQL injection attacks:


// This query is more secure
$query = sprintf("SELECT * FROM products WHERE name='%s'",
    addcslashes(mysql_real_escape_string($productname), '%_'));
mysql_query($query);
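
The wildcard problem described above is easiest to see in an actual LIKE search. The following is an added example, not code from the original article: it uses a different technique from the article's escaping (a PDO prepared statement with an explicit ESCAPE character) and assumes the pdo_sqlite extension so it runs without a server. The like_escape and search_products helpers and the sample rows are constructed for illustration.

```php
<?php
// Added example, not from the original article. Assumes the pdo_sqlite
// extension; the products table and its rows are constructed sample data.

// Hypothetical helper: make LIKE wildcards in user input literal. The
// escape character itself is escaped first, then % and _.
function like_escape(string $value, string $esc = '!'): string {
    return str_replace(
        [$esc, '%', '_'],
        [$esc . $esc, $esc . '%', $esc . '_'],
        $value
    );
}

// Find products whose name contains $term.
function search_products(PDO $db, string $term, bool $escape): array {
    $pattern = '%' . ($escape ? like_escape($term) : $term) . '%';
    // The pattern is a bound parameter, so quotes in it are never SQL.
    $stmt = $db->prepare(
        "SELECT name FROM products WHERE name LIKE ? ESCAPE '!' ORDER BY name"
    );
    $stmt->execute([$pattern]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (name TEXT)');
$insert = $db->prepare('INSERT INTO products (name) VALUES (?)');
foreach (['50% off voucher', 'USB_cable', 'USB-C cable', "O'Reilly book"] as $n) {
    $insert->execute([$n]);
}

// A quote in the input is plain data.
print_r(search_products($db, "O'Re", true));
// Unescaped, "_" matches any single character and "%" matches every row.
print_r(search_products($db, 'USB_c', false));
print_r(search_products($db, '%', false));
// Escaped, both match only themselves.
print_r(search_products($db, 'USB_c', true));
print_r(search_products($db, '%', true));
```

The same SELECT text, including ESCAPE '!', is also valid on MySQL.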


How to create a self extracting PHP script

By Justin Silverton

PHP has a built-in command called __halt_compiler(). This command halts the execution of the compiler, which can be useful for embedding data in PHP scripts. Below is an example of a self-extracting PHP script. When executed, it extracts a second PHP file called testscript1.php into the same directory.

<?php

// gzdecode function: minimal gzip decoder for PHP versions without the
// built-in gzdecode() (added in PHP 5.4). The guard avoids a
// "cannot redeclare" error on newer versions.
if (!function_exists('gzdecode')) {
    function gzdecode($data) {
        $flags = ord(substr($data, 3, 1));
        $headerlen = 10;
        if ($flags & 4) { // Extra field
            $extralen = unpack('v', substr($data, 10, 2));
            $extralen = $extralen[1];
            $headerlen += 2 + $extralen;
        }
        if ($flags & 8) // Filename
            $headerlen = strpos($data, chr(0), $headerlen) + 1;
        if ($flags & 16) // Comment
            $headerlen = strpos($data, chr(0), $headerlen) + 1;
        if ($flags & 2) // Header CRC16
            $headerlen += 2;
        // Skip the 8-byte trailer (CRC32 and uncompressed size)
        $unpacked = gzinflate(substr($data, $headerlen, -8));
        if ($unpacked === FALSE)
            $unpacked = $data;
        return $unpacked;
    }
}

$fp = fopen(__FILE__, 'r');
// seek file pointer to the data after __halt_compiler();
fseek($fp, __COMPILER_HALT_OFFSET__);
// read all of it (a fixed 8192-byte fread would truncate larger payloads)
$buffer = stream_get_contents($fp);
fclose($fp);
// base64-decode first, then gunzip
$decoded = gzdecode(base64_decode($buffer));

$filename = "testscript1.php";
$fd = fopen($filename, "w");
fwrite($fd, $decoded);
fclose($fd);

__halt_compiler();H4sICKE9CEcAC3Rlc3RmaWxlMS5waHAAs
7EvyCjg5eLlSk3OyFdQKsnILFYAopLU4hKFtMycVAVDJWteLns7AKhVcUooAAAA

How it works

The file that is extracted is gzipped, base64 encoded, and stored at the end of the file (right after the __halt_compiler directive). The script base64-decodes this data, gunzips it with a custom function called gzdecode, and writes the result to a file. This is just a simple example to show what is possible with PHP. A more advanced version could use a function to tar and gzip a file so multiple files can be extracted.

The code example from this article can be downloaded here
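
Before running a self-extracting script, it is useful to see what it carries. The following is an added example, not the article's code: it locates the data after __halt_compiler(); with the tokenizer and reports its size, encoding, gzip file name and SHA-256 without writing or executing anything. It assumes the tokenizer and zlib extensions and a PHP version with the built-in gzdecode(); the helper names are hypothetical, and the sample input reuses the payload shown above.

```php
<?php
// Added example, not the article's code. Reports what follows
// __halt_compiler(); in a script without writing or running it.
// inspect_halt_payload() and describe_payload() are hypothetical names.

function inspect_halt_payload(string $source): ?array {
    $tokens = token_get_all($source);
    foreach ($tokens as $i => $tok) {
        if (!is_array($tok) || $tok[0] !== T_HALT_COMPILER) {
            continue;
        }
        // After "();" the tokenizer hands back the rest of the file as a
        // single T_INLINE_HTML token: that is the embedded data.
        foreach (array_slice($tokens, $i + 1) as $rest) {
            if (is_array($rest) && $rest[0] === T_INLINE_HTML) {
                return describe_payload($rest[1]);
            }
        }
        return ['bytes' => 0, 'encoding' => 'none'];
    }
    return null; // the file has no __halt_compiler()
}

function describe_payload(string $raw): array {
    $info = ['bytes' => strlen($raw), 'encoding' => 'unknown'];
    $bin = base64_decode(preg_replace('/\s+/', '', $raw), true);
    if ($bin === false || strlen($bin) < 18) { return $info; }
    $info['encoding'] = 'base64';
    if (substr($bin, 0, 2) !== "\x1f\x8b") { return $info; }
    $info['encoding'] = 'base64+gzip';
    $flags = ord($bin[3]);
    $pos = 10 + (($flags & 4) ? 2 + unpack('v', substr($bin, 10, 2))[1] : 0);
    if (($flags & 8) && ($end = strpos($bin, "\0", $pos)) !== false) {
        $info['gzip_name'] = substr($bin, $pos, $end - $pos); // FNAME field
    }
    $plain = @gzdecode($bin);
    if ($plain !== false) {
        $info['decoded_bytes'] = strlen($plain);
        $info['sha256'] = hash('sha256', $plain);
        $info['looks_like_php'] = strpos($plain, '<?php') !== false;
    }
    return $info;
}

// Sample input: a stub carrying the payload shown in the article.
$sample = "<?php\n__halt_compiler();H4sICKE9CEcAC3Rlc3RmaWxlMS5waHAAs"
    . "7EvyCjg5eLlSk3OyFdQKsnILFYAopLU4hKFtMycVAVDJWteLns7AKhVcUooAAAA";
print_r(inspect_halt_payload($sample));
```

To check a file on disk, pass file_get_contents($path) to inspect_halt_payload() instead of the sample string.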


5 sins of ruby

By Justin Silverton

Introduction

Ruby has become more and more popular over the past couple of years. This month, I decided to start coding a few smaller apps to see if there was something I was missing. The following are a few issues with ruby that I feel need to be changed, before it really becomes a mainstream language.

1) Horrible syntax

It looks like a mix between Visual Basic and Pascal. I can’t imagine coming back to a large project with hundreds of files and functions and trying to keep everything organized. It would be even worse coming back to a project that someone else created.

2) missing/lacking documentation

Most popular languages are documented very well. For instance, you can go to the main PHP website and find out how to do pretty much anything (in English or almost any other language). Ruby's documentation is available, but needs a lot of work to help out developers that are learning the language.

3) slow

Ruby is noticeably slower than other interpreted languages. I am not the only one that has seen performance issues. More on this can be found here. JRuby, a pure-Java implementation of the Ruby programming language, might help increase execution speed.

4) lack of libraries

Just searching Google for Ruby libraries or extensions doesn't return many results. This also might be because it is a relatively new language compared to much older languages such as Java or PHP.

5) poor unicode support

Although there are third-party libraries that enhance Ruby's Unicode support, it should be built into the language itself.


How to store large amounts of data in Firefox

by Justin Silverton

For most web applications, there are a couple of different options available for storing data on the client (within the web browser).

Flash allows the storage of up to 100 KB/domain without any user security prompts. The data being stored is accessible across the user’s Flash Player instances, loading stored data into Internet Explorer, Firefox, or any other browser that supports it.

Cookies are another option. A cookie stores user data across multiple browsing sessions. They are limited to 4 KB of storage per domain and are a good way to store user data for convenience or tracking. Web browsers contain cookie and privacy management features to wipe away stored cookies and their stored data and therefore have limited utility for continued persistence. Cookies are sent along with every request on a given domain, adding onto every message exchanged between an end-user’s browser and your site, even if the cookie data is only occasionally used.

Firefox has the ability to store an unlimited amount of data using DOM storage (this may be limited in future versions greater than 2.X).

Here is an example of how to use DOM storage:

<script type="text/javascript">

// for security, this must be set to your domain
var storage = globalStorage['yourdomain.com'];
var pageCount;

function setItem(key, value) { // store an item
    storage.setItem(key, value);
}

function getItem(key) { // retrieve an item and display it
    alert(storage.getItem(key));
}

function removeItem(key) { // remove an item
    storage.removeItem(key);
    alert("Key:" + key + " was removed.");
}
</script>

Here are some other options that can be used with the globalStorage object:

  • globalStorage['developer.mozilla.org'] - All web pages within the developer.mozilla.org sub-domain can both read and write data to this storage object.
  • globalStorage['mozilla.org'] - All web pages with the mozilla.org domain can both read and write to this storage object.