Sunday, 26 February 2012

PHP Security Tips

Today PHP emerged as one of the leading programming languages used in web development. It had increased the responsibility of PHP programmers to save web pages from security threats. Some holes in programming can damage the whole website. Sometimes programmers, in most cases beginners, are not aware of these security holes. In this tutorial we are going to discuss where could be the problem and we would be able to fix them.

1) Global Variables (regiser_globals):

You should do your best to write your scripts so that they do not require register_globals to be on.  Using variables as globals can easily lead
to possible security problems.  For example

<?php
// define $authorized = true only if user is authenticated
if (authenticated_user()) {
    
$authorized true;
}

// Because we didn't first initialize $authorized as false, this might be
// defined through register_globals, like from GET auth.php?authorized=1
// So, anyone can be seen as authenticated!

if ($authorized) {
    include 
"/highly/sensitive/data.php";
}
?>

When register_globals = on, our logic above may be compromised. When off, $authorized can't be set via request so it'll be fine, although it really is generally a good programming practice to initialize variables first. For example, in our example above we might have first done $authorized = false. Doing this first means our above code would work with register_globals on or off as users by default would be unauthorized.

With register_globals turned off, this type of forced entry isn’t possible. The good news is that PHP 4.2.0 has register_globals turned off as its default setting, and PHP 6.0.0 has actually removed the feature. In terms of PHP security it’s a crucial step in the right direction. register_global can turned on or off from php.ini file.

So instead of relying on register_globals, you should instead go through PHP Predefined Variables, such as $_REQUEST. To further tighten security, you should also specify by using: $_ENV, $_GET, $_POST, $_COOKIE, or $_SERVER instead using the more general $_REQUEST.

2) Error Reporting :

Error reporting is a great tool for diagnosing bugs and allowing you to fix them quicker and easier, but it also poses a potential security threat. The problem occurs when the error is visible to others on-screen, because it reveals possible security holes in your source code that a hacker can easily take advantage of. If display_errors is not turned off, or have a value of “0”, the output will appear on the end user’s browser – Not good for security! You do, however, want to set log_errors to on, and then indicate the exact location of the log with error_log.

            So what should you do when you have launched your new killer app? Bugs might still appear and you need the before-mentioned information in order to fix them. What you can do, and should do, is write the errors into a log file. Actually, PHP does insert all errors into a log file on the server by default. However, if you are on shared hosting then you will most likely not have access to that file and it will therefore be necessary to write it into your own file. There are a couple of php.ini directives that are relevant to our problem:
  • display_errors this directive controls whether PHP errors should be sent to the screen. In a production environment this should always be turned off.
  • error_reporting this directive controls which errors that should be reported. You should set this to E_ALL and you should fix all issues that appear by doing this.
  • log_errors this controls whether errors should be logged to a file. I would recommend that you always turn this on.
  • error_log this is the path of the file errors should be written to. This is only applies if log_errors is turned on obviously.
 
3) SQL Injections :

These days sql injections are one of the common threats to security. In this case of vulnerability user(hacker) provide input in such a ways that it is embedded to the query and produce undesired results. In serious cases it may empty your database tables or even drop them.
With the sql injections, all you really have to do is to filter all user input through a function specially designed for this purpose. There is a special feature in php called ”magic quotes”. Magic Quotes automatically perfom an addslashes opration to the GET, POST and COOKIE values. But this is not the full proof solution to the SQL Injection. Moreover, it is deprecated from PHP 5.3.0. and will be removed from PHP 6.0. Let’s have an example:

PHP Code:
<?php
           include(”dbconnect.php”);
          
$id $_GET['id'];
          
$result mysql_query(”SELECT FROM `newsWHERE `id`='{$id}');  
           while(
$row mysql_fetch_assoc($result)) {
                 
print_r($row);
           }
?>
 
This code is vulnerable as it doesn't filter user input and simply inserts whatever the id variable contains into the query. You have two options when you're about to safen up this code. Either use addslashes() or use mysql_real_escape_string(). I would suggest the latter unless you don't use mysql as database server. Both because it filters more characters and because it's binary-safe. The code looks like this when we've added a filter:
PHP Code:
<?php
include(”dbconnect.php”);
$id mysql_real_escape_string($_GET['id']);
$result mysql_query(”SELECT FROM `newsWHERE `id`='{$id}');
while(
$row mysql_fetch_assoc($result)) {
    
print_r($row);
}
?>

4) Cross Site Scripting (XSS attacks)

Hackers can gather an important information from your site by using malicious html or javascript. They can redirect your web page to another one. Think about your site is having a login page and it’s been redirected to another login page looks similar to yours’ one. In this way hackers can get the login details of your website users. Now you can imagine how harmful it could be for you and your website users.

The best way to defend against XSS is to disable JavaScript and images while surfing the web, but we all know that’s nearly impossible with so many websites using JavaScript’s rich application environment these days.  Other method is to put filters on user input. You can use htmlentities() and htmlspecialchars() functions for that. While htmlentities() will simply convert characters which have a meaning in HTML to their corresponding entities, htmlspecialchars() will convert all special characters to HTML entities.

Let’s have an example:

PHP Code:
<?php
include(”dbconnect.php”);
$str = "<a href='test'>Test</a>”;
$text = htmlspecialchars($str, ENT_QUOTES);
echo $text;
?>

Output:
&lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt;


5) Remote File Inclusion

Remote file inclusion attacks (sometimes abbreviated RFI) is a vulnerability many people probably do not know of, but it is a very serious issue that also must be addressed. As the name implies, it is when remote files are included, but what exactly does that? Let us look at an example:

<?php

$page = isset($_GET['page']) ? $_GET['page'] : 'home';
require $page . '.php';

?>

This is a very basic front controller that will forward the request to whatever file that should be responsible for that particular request.

Imagine that at http://example.com/malice.php a file exists and our script is located at http://site.com/index.php. The attacker will do this request: http://site.com/index.php?page=http://example.com/malice. This file will get executed when it is included and it will a write a new file to the disk. This file could be a shell which would allow people to execute commands to the terminal from it as well as other things they should not be able to. Another thing the attacker can do is set page to http://example.com/malice.php? (note the ending question mark). That will make whatever follows it part of the query string and therefore ignored by the server the file is getting included from. Why this is a security issue should be pretty obvious. People should definitely not be able to execute whatever commands they want on our server, so how can we prevent them?

There are a couple of php.ini directives you can use to prevent this:
  • allow_url_fopen this directive is set to on by default and it controls whether remote files should be includable.
  • allow_url_include this directive is set to off by default and was introduced in PHP 5.2. It controls whether the include(), require(), include_once() and require_once() should be able to include remote files. In versions below PHP 5.2 this was also controlled by allow_url_fopen. Furthermore, if allow_url_fopen is set to off then this directive will be ignored and set to off as well.
Basically those two directives will enable you to set the required security settings you will need. Again, no data that is not from the inside of your system should be trusted. You must validate user input and ensure that people will not enter malformed or unexpected data.

Thanks!!!!!!!!!!! Enjoy Programming :)
 

Sunday, 5 February 2012

Java : Convert jar file into exe file in Windows

Recently I had developed a desktop application in Java. After completion of my source code i created a jar file of the package named tool.jar, but using .jar file is not that user friendly so i decided to go with .exe file. Here are the following steps using JSmooth to create .exe file from .jar file.

1)  Download exe file jsmooth-0.9.9-7-setup.exe using following link:
http://sourceforge.net/projects/jsmooth/files/jsmooth/0.9.9-7/jsmooth-0.9.9-7-setup.exe/download \

2) Run downloaded exe file. Following window would appear.



3) Go to Application tab and set the Main class file. Put the same name which you had used in netbeans/eclipse IDE project as Main Class.

If the jar file is embedded in your package check the box ‘Use an embedded jar’. Put full path of the jar fiile of your package.

In Classpath mention all the libraries you have used in the project and the jar file. So here you are specifying the full code you needed to run your application.

Note : You can add the files by click on the yello + button and remove by using yello – button. You can also pass the Application Arguments if any default argument is required to run your application. In my case there is not any requirement of default arguments to run my application so I kept it blank.


4) Go to Executable tab and set Executable Binary file path. Mention the full path with name of the .exe file you want to be created. You can also set the Executable icon that you want to appear on exe file.


5) Go to  JVM Selection tab. Mention Minimum and Maximum JVM Versions required to run your application. It's optional.


6) Go to  Skeleton tab. Under Skeleton Properties Section there are number of options.

Against Message you can put the message that would be displayed to the user if java is not installed on the system.  You can also specify the url from where user can download that specific JRM/JRE that is required to run your application.


7) Go to Project  Menu and compile the file. Following message would appear if there is not any compilation error.

 
Click Done.

8) Your executable file is ready. Check the exe file location you had mentioned in step 4. Double click on that. It would work like charm.

Note :  You can also download detailed pdf from here.
 
 Thanks!!!!!! Enjoy Programming!!!!!!!!!!

Saturday, 4 February 2012

!important Statement in CSS

As the name indicates it’s an important statement in CSS. From interview point of view too it’s commonly asked question even from the back end programmers. If you will search in google about the !important statement you will find a list of pages. I am writing about it to include everything possible under this topic and to keep it in my mind for times.

What is !important Statement?

The !important statement is actually a keyword you can use at the end of CSS property. It would give more importance to that statement. For example :

p {margin-left: 10px !important}

How it works?

Normally what happened, when you have two statements with same property and different values then as per the CSS rules, recent one would be used. For example :

p{margin-left : 10px}
p{margin-left : 20px}

in this case 2nd one would be used.

But when you use !important statement as following :

p {margin-left: 10px !important}
p{margin-left : 20px}

then the first one will get the importance and will be used.
 
Rules :

1) If a rule(CSS statement block) between an author(browser) and a user stylesheet conflicts, the user's rules will get applied over author's rules.

2) When 2 or more important statements that apply to the same element have same properties then the normal cascading rules will apply or the statement with the most specific selector will get applied.  For ex:

#example p {
    color: blue !important;
}

#example p {
    color: red !important;
}

Here as the statements are same except value, so latest one will be used.

div #leftSide {
            background-color: #00f !important;
}

#leftSide {
            background-color: #0f0 !important;
}

#header #leftSide {
            background-color: #f00;
}

In this style example, the first background-color value will take precedence because of two factors: First, it uses the!important declaration; and second, it is more selector-specific.

If you add !important statement to the inline style then that will of course have precedence: 

CSS: #example p {
    color: blue !important;
}

<div id="example">
  <p style="color:green !important;">This paragraph has an inline style</p>
</div>

the paragraph will be in green text and not blue.

Why it’s important?

1) Actually the statement was evolved for IE6 and previous versions. In all other browsers if you will use !important keyword with css statement then that particular statement would be used but it won’t work in IE6 and previous versions.

For example

#main {
width:auto !important;
width:800px;
}

In this case for browsers like firefox, safari, Opera, chrome and IE7 and latest versions first statement would work while for IE6 and previous versions 2nd statement would work.

The situation was fixed in IE7, but if it's in quirks mode, or you don't specify a doctype at all, then IE7 will revert to the same behaviour as IE6 and use the last declaration.
Internet Explorer 8, on the other hand, seems to always support !important declarations no matter what I did to try to make it act quirky.

2) It is also used to override inline styles. So with only one extra stylesheet and without changing any code in the html and it’s css you could change the whole appearance of the html.

Drawbacks : We all knew that each and everything have it’s own drawbacks if not used properly. Here is the following drawback of !important statement.

1) If !important statement is used without care then it could encourage sloopy and less maintainable code.

Conclusion :

Don’t use too much !important statements. Only use it where it’s required by keeping in mind it’s drawbacks.  If it’s used properly then it could save a lot of time and effort.
Some more important points :
 
#header {
            padding: 20px 10px 20px 10px !important;
}

Is equivalent to

#header {
            padding-left: 10; !important
            padding-right: 10; !important
            padding-top: 20; !important
            padding-bottom: 20; !important
}



Odoo 10: Close wizard and open standard form

Hi, Today we are going to learn how to open standard form after saving data in wizard. Let's say I have created an wizard to fill bas...