A better way to Protect Your PHP/MySQL Queries from SQL Injection
By Justin Silverton
In an article I saw today about PHP/MySQL security, called “protecting your php/mysql queries from sql injection”, the following method was described as a safe way to execute MySQL queries (preventing what is known as a SQL injection attack).
// This is a vulnerable query.
$query = "SELECT * FROM products WHERE name='$productname'";
mysql_query($query);
// This just wraps the value in mysql_real_escape_string
$query = sprintf("SELECT * FROM products WHERE name='%s'",
mysql_real_escape_string($productname));
mysql_query($query);
This works for plain SELECT and INSERT statements, but not for statements such as LIKE, GRANT, or REVOKE, because mysql_real_escape_string escapes quotes but leaves the % and _ wildcard characters untouched. The following is a more secure way of preventing SQL injection attacks.
// This query is more secure
$query = sprintf("SELECT * FROM products WHERE name='%s'",
addcslashes(mysql_real_escape_string($productname),'%_'));
mysql_query($query);
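To make the wildcard point concrete, here is an added Python example (not from the article) that runs the same prefix search against an in-memory SQLite table with and without escaping % and _. The product names and the escape_like helper are constructed for the demonstration; parameter binding takes over the quoting role that mysql_real_escape_string plays in the article, and escape_like plays the role of addcslashes($s, '%_').

```python
import sqlite3

# Constructed catalogue; "%off coupon" and "widget_pro" contain LIKE metacharacters.
PRODUCTS = ["widget", "widget_pro", "wodget", "%off coupon", "gadget"]


def escape_like(term: str, esc: str = "\\") -> str:
    """Escape %, _ and the escape character itself so user input is matched
    literally. This is the job addcslashes($s, '%_') does in the article;
    quoting is a separate concern, handled by parameter binding below."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def build_db() -> sqlite3.Connection:
    """In-memory table with the constructed product names."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?)", [(p,) for p in PRODUCTS])
    return conn


def prefix_search(conn: sqlite3.Connection, term: str, escape_wildcards: bool) -> list:
    """Return product names starting with `term`. The value is always bound as a
    parameter (no quote can break out of the literal); escape_wildcards decides
    whether % and _ in the input keep their wildcard meaning."""
    if escape_wildcards:
        # SQLite has no default escape character, so ESCAPE must be declared;
        # MySQL defaults to backslash, which is why the article needs no ESCAPE.
        sql = "SELECT name FROM products WHERE name LIKE ? ESCAPE '\\' ORDER BY name"
        pattern = escape_like(term) + "%"
    else:
        sql = "SELECT name FROM products WHERE name LIKE ? ORDER BY name"
        pattern = term + "%"
    return [row[0] for row in conn.execute(sql, (pattern,))]


def compare(term: str) -> dict:
    """Run the same search both ways so the difference is visible."""
    conn = build_db()
    return {"raw": prefix_search(conn, term, False),
            "escaped": prefix_search(conn, term, True)}


if __name__ == "__main__":
    for term in ["widget", "w_dget", "%"]:
        print(repr(term), compare(term))
```

Quote escaping and wildcard escaping solve two different problems: the first keeps input inside the string literal, the second keeps a single "%" from turning a lookup into a full-table dump. The raw search for "%" returns every row; the escaped one returns only the name that literally starts with "%".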
How to create a self extracting PHP script
By Justin Silverton
PHP has a built-in command called __halt_compiler(). It stops the compiler from parsing the rest of the file, which makes it possible to embed arbitrary data after it in a PHP script. Below is an example of a self-extracting PHP script. When executed, a second PHP file called testscript1.php is extracted into the same directory.
<?php
// PHP 5.4 and later ship a built-in gzdecode(); only declare the fallback when it
// is absent, otherwise the script dies with "Cannot redeclare gzdecode()".
if (!function_exists('gzdecode')) {
    // Minimal gzip (RFC 1952) decoder: skip the header, inflate the raw deflate stream.
    function gzdecode($data) {
        $flags = ord(substr($data, 3, 1));
        $headerlen = 10;   // fixed part of the header
        $extralen = 0;
        if ($flags & 4) {  // FEXTRA: 2-byte little-endian length followed by the extra field
            $extralen = unpack('v', substr($data, 10, 2));
            $extralen = $extralen[1];
            $headerlen += 2 + $extralen;
        }
        if ($flags & 8)    // FNAME: zero-terminated original file name
            $headerlen = strpos($data, chr(0), $headerlen) + 1;
        if ($flags & 16)   // FCOMMENT: zero-terminated comment
            $headerlen = strpos($data, chr(0), $headerlen) + 1;
        if ($flags & 2)    // FHCRC: 2-byte CRC16 of the header (not the CRC32 trailer)
            $headerlen += 2;
        $unpacked = gzinflate(substr($data, $headerlen));
        if ($unpacked === FALSE)
            $unpacked = $data;   // not compressed (or corrupt): pass the data through unchanged
        return $unpacked;
    }
}

$fp = fopen(__FILE__, 'rb');
// seek the file pointer to the data stored right after __halt_compiler();
fseek($fp, __COMPILER_HALT_OFFSET__);
// read everything up to the end of the file (a fixed-size fread would cut a larger payload)
$buffer = stream_get_contents($fp);
fclose($fp);
// the payload is base64-encoded gzip data
$decoded = gzdecode(base64_decode($buffer));
$filename = "testscript1.php";
$fd = fopen($filename, "w");
fwrite($fd, $decoded);
fclose($fd);
__halt_compiler();H4sICKE9CEcAC3Rlc3RmaWxlMS5waHAAs
7EvyCjg5eLlSk3OyFdQKsnILFYAopLU4hKFtMycVAVDJWteLns7AKhVcUooAAAA
How it works
The file that is extracted is gzipped, base64 encoded, and stored at the end of the file (right after the __halt_compiler directive). The script reads that data, base64 decodes it, gunzips it with a custom function called gzdecode, and writes the result to a file. This is just a simple example to show what is possible with PHP. A more advanced version could use a function to tar and gzip a directory so multiple files can be extracted.
The code example from this article can be downloaded here
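As an added example (not part of the article or its download), here is the same gzip header walk in Python, with the CRC32/ISIZE trailer check that the article's gzdecode skips, so a corrupted or truncated payload is reported instead of being written out as a script. The embedded blob is constructed in the code with a hand-assembled gzip member that sets every optional header flag (the article's own blob only sets FNAME); SAMPLE_SCRIPT and the helper names are assumptions made for the demonstration.

```python
import base64
import struct
import zlib

# RFC 1952 header flag bits; the article's PHP tests the same values.
FTEXT, FHCRC, FEXTRA, FNAME, FCOMMENT = 1, 2, 4, 8, 16


def gzip_header_length(data: bytes) -> int:
    """Offset of the deflate stream inside a gzip member, walking the same
    optional fields the article's gzdecode() walks."""
    if len(data) < 10 or data[:2] != b"\x1f\x8b" or data[2] != 8:
        raise ValueError("not a gzip member (bad magic or method)")
    flags = data[3]
    pos = 10                                  # fixed header: magic, CM, FLG, MTIME, XFL, OS
    if flags & FEXTRA:                        # XLEN (2 bytes, little-endian) + extra field
        (xlen,) = struct.unpack_from("<H", data, pos)
        pos += 2 + xlen
    if flags & FNAME:                         # zero-terminated original file name
        pos = data.index(b"\x00", pos) + 1
    if flags & FCOMMENT:                      # zero-terminated comment
        pos = data.index(b"\x00", pos) + 1
    if flags & FHCRC:                         # CRC16 of the header itself, not of the file
        pos += 2
    return pos


def gzdecode(data: bytes) -> bytes:
    """Inflate one gzip member and verify its CRC32/ISIZE trailer. Unlike the
    article's version, corruption raises instead of silently returning the input."""
    start = gzip_header_length(data)
    d = zlib.decompressobj(-zlib.MAX_WBITS)   # raw deflate: no zlib wrapper
    out = d.decompress(data[start:]) + d.flush()
    trailer = d.unused_data
    if not d.eof or len(trailer) < 8:
        raise ValueError("truncated deflate stream or gzip trailer")
    crc32, isize = struct.unpack("<II", trailer[:8])
    if crc32 != zlib.crc32(out) & 0xFFFFFFFF or isize != len(out) & 0xFFFFFFFF:
        raise ValueError("gzip trailer mismatch: payload corrupted")
    return out


def is_intact(member: bytes) -> bool:
    """True when the member parses and its trailer matches the inflated data."""
    try:
        gzdecode(member)
        return True
    except (ValueError, zlib.error):
        return False


def build_member(payload: bytes, *, name=b"", comment=b"", extra=b"", header_crc=False) -> bytes:
    """Hand-assemble a gzip member so every optional header field can be
    exercised (constructed test data; the article's blob only sets FNAME)."""
    flags = ((FEXTRA if extra else 0) | (FNAME if name else 0)
             | (FCOMMENT if comment else 0) | (FHCRC if header_crc else 0))
    header = struct.pack("<BBBBIBB", 0x1F, 0x8B, 8, flags, 0, 0, 255)  # MTIME=0, OS=unknown
    if extra:
        header += struct.pack("<H", len(extra)) + extra
    if name:
        header += name + b"\x00"
    if comment:
        header += comment + b"\x00"
    if header_crc:
        header += struct.pack("<H", zlib.crc32(header) & 0xFFFF)
    c = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    body = c.compress(payload) + c.flush()
    trailer = struct.pack("<II", zlib.crc32(payload) & 0xFFFFFFFF, len(payload) & 0xFFFFFFFF)
    return header + body + trailer


def extract_script(blob_b64: str) -> bytes:
    """What the PHP does after __halt_compiler(): base64-decode, then gunzip.
    b64decode() discards the line breaks a wrapped listing may contain."""
    return gzdecode(base64.b64decode(blob_b64))


# Constructed stand-in for the blob the article appends after __halt_compiler().
SAMPLE_SCRIPT = b"<?php\necho 'hello from the extracted script';\n"
SAMPLE_BLOB = base64.b64encode(
    build_member(SAMPLE_SCRIPT, name=b"testscript1.php", comment=b"demo",
                 extra=b"\x01\x02", header_crc=True)
).decode("ascii")

if __name__ == "__main__":
    print(extract_script(SAMPLE_BLOB).decode())
```

The trailer check is the part worth keeping when a script writes files to disk based on data it carries: the article's gzdecode returns its input unchanged when gzinflate fails, so a damaged blob would be written out verbatim as testscript1.php.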
5 sins of ruby
By Justin Silverton
Introduction
Ruby has become more and more popular over the past couple of years. This month, I decided to start coding a few smaller apps to see if there was something I was missing. The following are a few issues with Ruby that I feel need to be changed before it really becomes a mainstream language.
1) Horrible syntax
It looks like a mix between Visual Basic and Pascal. I can’t imagine coming back to a large project with hundreds of files and functions and trying to keep everything organized. It would be even worse coming back to a project that someone else created.
2) Missing/lacking documentation
Most popular languages are documented very well. For instance, you can go to the main PHP website and find out how to do pretty much anything (in English or almost any other language). Ruby’s documentation is available, but needs a lot of work to help out developers that are learning the language.
3) Slow
Ruby is noticeably slower than other interpreted languages. I am not the only one that has seen performance issues. More on this can be found here. JRuby, a pure-Java implementation of the Ruby programming language, might help increase execution speed.
4) Lack of libraries
Just searching Google for Ruby libraries or extensions doesn’t return many results. This also might be because it is a relatively new language compared to much older languages such as Java or PHP.
5) Poor Unicode support
Although there are third-party libraries that enhance Ruby’s Unicode support, it should be built into the language itself.
How to store large amounts of data in Firefox
by Justin Silverton
For most web applications, there are a couple of different options available for storing data on the client (within the web browser).
Flash allows the storage of up to 100 KB per domain without any user security prompts. The stored data is shared across the user’s Flash Player instances, so data saved from one browser can be read back in Internet Explorer, Firefox, or any other browser that supports Flash.
Cookies are another option. A cookie stores user data across multiple browsing sessions. They are limited to 4 KB of storage per domain and are a good way to store user data for convenience or tracking. Web browsers contain cookie and privacy management features that wipe away stored cookies and their data, so cookies have limited utility for continued persistence. Cookies are also sent along with every request on a given domain, adding to every message exchanged between an end user’s browser and your site, even if the cookie data is only occasionally used.
Firefox has the ability to store an unlimited amount of data using DOM storage (this may be limited in future versions greater than 2.X).
Here is an example of how to use DOM storage:
<script type="text/javascript">
//for security, this must be set to your domain
var storage = globalStorage['yourdomain.com'];
function setItem(key, value) { //store an item
    storage.setItem(key, value);
}
function getItem(key) { //retrieve an item and display it
    alert(storage.getItem(key));
}
function removeItem(key) { //remove an item
    storage.removeItem(key);
    alert("Key: " + key + " was removed.");
}
</script>
Here are some other options that can be used with the globalStorage object:
- globalStorage['developer.mozilla.org'] - All web pages within the developer.mozilla.org sub-domain can both read and write data to this storage object.
- globalStorage['mozilla.org'] - All web pages within the mozilla.org domain can both read and write to this storage object.
ajaxwindows: the next big thing?
By Justin Silverton
A virtual operating system in Ajax is an interesting idea. Although it can’t completely replace a desktop operating system, it can allow you to access your documents and files from anywhere.
Ajaxwindows allows you to do the following:
- Backup your files, music, and pictures with one click.
- Display, edit, and save popular file formats.
- Access your data remotely.
Some cool features
- Firefox and IE support - Both Internet Explorer and Firefox are supported. (An ActiveX control needs to be downloaded for it to work with IE)
- Synchronize desktop wallpaper, IE/Firefox favorites, Windows startup sounds, Windows shutdown sounds, “my documents”, “my pictures”, and Outlook Express contacts.
- Change the theme/desktop wallpaper (many built-in themes/wallpapers available).
- Store files using your Gmail account. This is an interesting feature. An email is sent to your Gmail account with the file as an attachment.
- The ability to add/remove programs/widgets.
Conclusion
Overall, I was impressed with ajaxwindows. However, I did get the following error a few times when I was within Firefox (IE also crashed whenever I tried to log out):