20.6.08

Fyodor's Security Reading List


Lighter Reading / Misc

Tainted Data PHP Functions

[Summary]
This file describes the sources from which tainted data can be imported.
A conservative approach is taken. Everything that retrieves data from
a source outside PHP, such as the file system or a database, is considered
tainted. Notice that this should be adaptable within the tool.

[Language constructs]
Predefined variables:
$_SERVER $_SESSION
$_GET $_REQUEST
$_POST $_FILES
$_COOKIE

[Internal functions]
Most functions only return tainted data if the parameter given contains tainted data.
* base64_decode | Returns decoded string, could contain tainted data
* base_convert | Returns decoded string with letters if toBase is high enough
* basename | Returns a part of a filename.
* bzread | Returns a string coming from a bz compressed file handle
* chr | Returns the string representation of the ASCII number. Could be dangerous if many are concatenated
* convert_cyr_string | Returns string in cyr-encoding
* current | Returns the current element of an array
* dba_nextkey | Returns the next key in a database
* dns_get_record | Fetch DNS Resource Records associated with a hostname
* end | Returns last element of an array
* extract | Import variables into the current symbol table from an array
* fdf_get_attachment | Extracts an uploaded file from a FDF document
* fdf_open | Opens an FDF document
* fdf_open_string | Opens an FDF-file
* fdf_save_string | Returns the FDF document as a string
* fgetc | Get one character from a file pointer. Could be dangerous if many are concatenated
* fgetcsv | Gets line from file pointer and parse for CSV fields
* fgets | Gets line from file pointer
* fgetss | Gets line from file pointer and strip HTML tags
* file | Reads entire file into an array
* file_get_contents | Reads entire file into a string
* fopen | Opens a file, binds a resource
* fread | Returns a string of a file read
* func_get_arg | Return an item from the argument list
* func_get_args | Returns an array comprising a function's argument list
* get_browser | Returns info about the browser, using USER_AGENT
* get_headers | Fetches all the headers sent by the server in response to a HTTP request
* get_meta_tags | Extracts all meta tag content attributes from a file and returns an array
* getallheaders | Fetch all HTTP request headers
* getenv | Gets the value of an environment variable, some come from the user
* getopt | Gets options from the command line argument list
* gettext | Lookup a message in the current domain
* gzdeflate | Deflate a string
* gzfile | Read gz-file into an array
* gzgetss | Get a line from a gz-file and strip HTML-tags
* gzopen | Opens a gz-file
* gzread | Reads a gz-file
* headers_list | Returns a list of response headers sent (or ready to send)
* hebrev | Convert logical Hebrew text to visual text
* hebrevc | Same as hebrev, with newline conversion
* highlight_string | Highlights a string
* html_entity_decode | Convert all HTML entities to their applicable characters
* ibase_blob_import | Create blob, copy file in it, and close it
* iconv | Convert string to requested character encoding
* id3_get_tag | Get all information stored in ID3-tags
* imap_base64 | Decode BASE64 encoded text
* imap_bodystruct | Read the structure of a specified body section of a specific message
* imap_fetchbody | Fetch a particular section of the body of the message
* imap_fetchheader | Returns header for a message
* imap_fetchstructure | Read the structure of a particular message
* imap_headerinfo | Read the header of the message
* imap_headers | Returns headers for all messages in a mailbox
* imap_mime_header_decode | Decode MIME header elements
* implode | Join array elements with a string
* imap_utf8 | Converts MIME-encoded text to UTF-8
* import_request_variables | Import GET/POST/Cookie variables into the global scope
* ircg_nickname_unescape | Decodes encoded nickname
* join | Alias of implode
* ldap_get_values | Get all values from a result entry
* mb_decode_mimeheader | Decode string in MIME header field
* mb_parse_str | Parse GET/POST/COOKIE data and set global variable
* mcrypt_decrypt | Decrypts crypttext with given parameters
* mdecrypt_generic | Decrypt data
* msession_get | Get value from session
* msession_get_array | Get array of msession variables
* msession_get_data | Get data session unstructured data
* msg_receive | Receive a message from a message queue
* ngettext | Plural version of gettext
* ob_get_contents | Return the contents of the output buffer
* ob_get_flush | Flush the output buffer, return it as a string and turn off output buffering
* parse_ini_file | Parse a configuration file
* parse_str | Parses the string into variables
* parse_url | Parse a URL and return its components
* parsekit_compile_string | Compile a string of PHP code and return the resulting op array
* pfpro_process_raw | Process a raw transaction with Payflow Pro
* pfsockopen | Open persistent Internet or Unix domain socket connection
* pg_copy_to | Copy a table to an array
* pg_fetch_all | Fetches all rows from a result as an array
* pg_fetch_array | Fetch a row as an array
* pg_fetch_assoc | Fetch a row as an associative array
* pg_fetch_result | Returns values from a result resource
* pg_fetch_row | Get a row as an enumerated array
* rawurldecode | Decode URL-encoded strings
* readline | Reads a line
* readlink | Returns the target of a symbolic link
* scandir | List files and directories inside the specified path
* shm_get_var | Returns a variable from shared memory
* socket_read | Reads a maximum of length bytes from a socket
* sprintf | Return a formatted string
* SQLiteUnbuffered->fetchAll | Fetches all rows from a result set as an array of arrays
* SQLiteUnbuffered->fetch | Fetches the next row from a result set as an array
* SQLiteDatabase->fetchColumnTypes | Return an array of column types from a particular table
* SQLiteUnbuffered->fetchObject | Fetches the next row from a result set as an object
* SQLiteUnbuffered->fetchSingle | Fetches the first column of a result set as a string
* SQLiteDatabase->singleQuery | Executes a query and returns either an array for one single column or the value of the first row
* stripcslashes | Un-quote string quoted with addcslashes()
* stripslashes | Un-quote string quoted with addslashes()
* strval | Get string value of a variable
* sybase_fetch_array | Fetch row as array
* sybase_fetch_assoc | Fetch a result row as an associative array
* sybase_fetch_object | Fetch a row as an object
* sybase_fetch_row | Get a result row as an enumerated array
* sybase_result | Get result data
* token_get_all | Split given source into PHP tokens
* unpack | Unpack data from binary string
* vsprintf | Return a formatted string

[PHP5 only]
* convert_uudecode (5) | Returns an uu-decoded string
* iconv_mime_decode | Decodes a MIME-header field
* iconv_mime_decode_headers | Decodes several MIME-header fields
* php_strip_whitespace | Return source with stripped comments and whitespace
* SQLiteDatabase->arrayQuery | Execute a query against a given database and returns an array
* stream_get_contents | Reads remainder of a stream into a string
* stream_get_line | Gets line from stream resource up to a given delimiter
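As an added example, not part of the list above or of the tool it was written for: a small token_get_all pass that reports where a PHP file reads from the sources the list names. The source set is a subset of the list, the sample input is constructed for the demo, and it is a lexical scan only, not data-flow tracking.

```php
<?php
// Added example: locate taint sources (superglobals and a subset of the
// listed functions) in PHP source. This is where tainted data enters; a
// reviewer still has to follow it to the sinks by hand or with a tool.

$sources = [
    'variables' => ['$_SERVER', '$_SESSION', '$_GET', '$_REQUEST',
                    '$_POST', '$_FILES', '$_COOKIE'],
    'functions' => ['base64_decode', 'extract', 'file_get_contents', 'fgets',
                    'parse_str', 'getenv', 'rawurldecode', 'stripslashes',
                    'unpack', 'import_request_variables'],
];

function find_taint_sources(string $code, array $sources): array {
    $hits = [];
    $tokens = token_get_all($code);
    $n = count($tokens);
    for ($i = 0; $i < $n; $i++) {
        $t = $tokens[$i];
        if (!is_array($t)) {
            continue; // single-character tokens such as '(' or ';'
        }
        [$id, $text, $line] = $t;
        if ($id === T_VARIABLE && in_array($text, $sources['variables'], true)) {
            $hits[] = ['line' => $line, 'kind' => 'superglobal', 'name' => $text];
        } elseif ($id === T_STRING && in_array(strtolower($text), $sources['functions'], true)) {
            // Count it only when a '(' follows, so a bare identifier is not reported.
            $j = $i + 1;
            while ($j < $n && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) {
                $j++;
            }
            if ($j < $n && $tokens[$j] === '(') {
                $hits[] = ['line' => $line, 'kind' => 'function', 'name' => strtolower($text)];
            }
        }
    }
    return $hits;
}

// Constructed sample input: two request-derived values, one decode step and
// one file read. The local file counts as tainted under the conservative rule.
$sample = <<<'PHP'
<?php
$q = $_GET['q'];
$raw = base64_decode($q);
parse_str($raw, $params);
$cfg = file_get_contents('/etc/app.ini');
echo safe_function($q);
PHP;

foreach (find_taint_sources($sample, $sources) as $h) {
    printf("line %d: %s %s\n", $h['line'], $h['kind'], $h['name']);
}
```

For the sample above this reports $_GET on line 2, base64_decode on line 3, parse_str on line 4 and file_get_contents on line 5; safe_function is not in the source set and is ignored.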


12.6.08

Automated Snapshot Backup Shell-Script with cpio

Linux shell script automatically creates backups of a specific folder at regular hourly, nightly, weekly, and monthly intervals. Uses CPIO.

11.6.08

The PHP Benchmark

The PHP Benchmark: "Right now this page has a huge amount of attention by the international website programming community. Because of this I've had many many different opinions emailed to me about what people think about these results and how they were found. Keep sending them in.

This project has been a long time dream for me and I'd love to keep on learning about what I'm doing right / wrong and how we should approach this topic. If you have any information / opinions that you would like to share (especially about the larger bottleneck problems), please contact me via my portfolio.

Chris Vincent
PHPBench.com was constructed as a way to open people's eyes to the fact that not every PHP code snippet will run at the same speed. You may be surprised at the results that this page generates, but that is ok. This page was also created so that you would be able to find discovery in these statistics and then maybe re-run these tests in your own server environment to play around with this idea yourself, by using the code examples (these code examples are automatically generated and as the code in my .php files change, so do they).

NOTE: You must keep in mind to refresh this page a few times to 'catch' the right result. The numbers change sometimes drastically during each refresh. I assume that this is because of PHP's memory garbage collector that drops in randomly and also other processes"

10.6.08

The tragic tale of a hacked blog

The girl realized she had been careless. Her blog had been hacked. The hacker had been a sneaky one. She did not see any difference on the front page of her blog. There were no sudden big banners or pop-ups. If she had not checked the details of the visitors to her site, she would never have known.

Various Social and Blogger Sites

ActiveRain http://activerain.com/
Bebo http://bebo.com/Profile.jsp?MemberId=
Blogger http://www.blogger.com/profile/
del.icio.us http://del.icio.us/
Digg http://digg.com/users/
DOPPLR http://www.dopplr.com/traveller/
eBay eBay User ID:
Facebook http://www.facebook.com/profile.php?id=
Flickr screen name or id:
FriendFeed http://friendfeed.com/
Friendster http:// .blogs.friendster.com/
Google Calendar email:
Google Reader http://www.google.com/reader/shared/
Jaiku http:// .jaiku.com/
Jumpcut http://www.jumpcut.com/
Kiva http://www.kiva.org/lender/
Last.fm http://www.last.fm/user/
LinkedIn http://www.linkedin.com/in/
LiveJournal username:
Ma.gnolia http://ma.gnolia.com/people/
Multiply http:// .multiply.com/
MyBlogLog Actions
Blog Comments
MySpace http://www.myspace.com/
Netflix http://rss.netflix.com/QueueRSS?id= (Get your Netflix ID)
OpenID url:
Plaxo email:
Pownce http://pownce.com/ /
Second Life name:
Seesmic http://seesmic.com/
Shelfari http://www.shelfari.com/
StumbleUpon http:// .stumbleupon.com
Technorati http://www.technorati.com/people/technorati/
The DJ List http://www.thedjlist.com/djs/
30 Boxes url:
ThisNext http://www.thisnext.com/by/ /
Trulia http://www.trulia.com/voices/profile/
Tumblr http:// .tumblr.com
Twitter http://twitter.com/
TypeKey http://profile.typekey.com/ /
Upcoming http://upcoming.yahoo.com/user/
Wakoopa http://wakoopa.com/
Wink http://wink.com/p/
Yahoo! Answers http://answers.yahoo.com/my/profile?show=
Yelp http://www.yelp.com/user_details?userid=
YouTube http://youtube.com/user/
Zillow http://www.zillow.com/profile/
Zorpia http://www.zorpia.com/

About XMPP

About XMPP: "About XMPP

The Extensible Messaging and Presence Protocol (XMPP) is an open XML technology for real-time communication, which powers a wide range of applications including instant messaging, presence, media session management, shared editing, whiteboarding, collaboration, lightweight middleware, content syndication, and generalized XML routing.

The core technology was invented by Jeremie Miller in 1998, refined in the Jabber open-source community in 1999 and 2000, and formalized by the IETF in 2002 and 2003, resulting in publication of the XMPP RFCs in 2004.

Although the core technology is stable, the XMPP community continues to define various XMPP extensions through an open standards process run by the XMPP Standards Foundation. There is also an active community of open-source and commercial developers based at jabber.org."

DataPortability.org - Share and remix data using open standards

DataPortability.org - Share and remix data using open standards: "Connect. Control. Share. Remix.
Mission: To Consult, Design, Educate and Advocate Interoperable Data Portability to Users, Developers and Vendors.
Definition: Data Portability is the option to use your personal data between trusted applications and vendors."

Plaxo » A Recipe for OpenID-Enabling Your Site

Plaxo » A Recipe for OpenID-Enabling Your Site: "A Recipe for OpenID-Enabling Your Site

Prepared by Joseph Smarr at Plaxo on July 18, 2007.

This is a step-by-step tutorial guide for implementing OpenID consumer-side support with a web site that already has users with accounts. It will explain how to easily let new users sign up for an account on your site using their OpenID URL and how to let existing users attach their OpenID(s) so they can sign in using them.

I developed this guide by talking to fellow OpenID developers at the Internet Identity Workshop and elsewhere, and by implementing OpenID support for Plaxo using these instructions. I've also posted detailed screenshots of Plaxo's implementation for reference. I've intended for this guide to be clear and complete and to follow best-practices, but if you have any questions or feedback, please let me know at joseph@plaxo.com or by posting a comment on Plaxo's blog.

This guide may look a bit long, but my hope is you can just follow it straight through without thinking much, and you'll be completely done by the time you reach the end! :)
Overview

I'm assuming your web site currently has:

* A user database with rows for each user
  * Each user has a unique internal user ID
  * Users currently sign in using a username/e-mail and password
*"

9.6.08

Digg Joins the DataPortability Project

"Digg has joined the DataPortability Project, a group of websites cooperating to help you securely use your data however you want. Why? Because you own your data. It’s that simple. From the start, Digg has supported the idea that you own your own data."

PHP Script - Anti-Spam Human-Checker

PHP-based system that simply asks the user to select which image is different from the others. This would normally be placed at the bottom of the form. The code is very flexible in how the images can be displayed in the form, so it can easily be integrated into the look-and-feel of any website.

2.6.08

YouTube - cptcoding's Channel

YouTube - cptcoding's Channel: "cpt coding and Bill Dunbar
cptcoding
Joined: May 15, 2008
Last Login: 2 weeks ago
Videos Watched: 1
Subscribers: 0
Channel Views: 32
Name: Bill
City: Indianapolis
Hometown: Indianapolis
Country: United States
Occupation: Medical Coding, Medical Billing
Companies: Bill Dunbar and Associates, Inc.
Interests and Hobbies: billdunbar cpt practicemanagement medical bda coding daviddann icd documentation billing physician healthcare occupational health
Website: http://www.billdunbar.com/"

Mellow Morning » Setting up .htaccess for Wordpress

Mellow Morning » Setting up .htaccess for Wordpress: "Setting up .htaccess for Wordpress
By Thierry Schellenbach on 05 Sep 2007

Usually .htaccess for Wordpress is set automatically when you change the permalink settings.

Unfortunately for me the Wordpress system was not working properly. When I wrote the first posts on this blog however I did not bother to deal with the issue. Doing so leaves you with two problems:

1. How to set .htaccess
2. How to ensure the links to your old posts get redirected

After reading the great mod_rewrite documentation and combining that with a great .htaccess file, here is my solution.

In order to deal with the old posts:

RewriteCond %{QUERY_STRING} ^p=11$
RewriteRule ^$ http://www.mellowmorning.com/2007/08/27/picture-resizing-on-steroids/? [R=301,L]
RewriteCond %{QUERY_STRING} ^p=3$
RewriteRule ^$ http://www.mellowmorning.com/2007/08/18/ten-reasons-why-symfony-rocks-part-1/? [R=301,L]
RewriteCond %{QUERY_STRING} ^p=4$
RewriteRule ^$ http://www.mellowmorning.com/2007/08/12/barcamp-events/? [R=301,L]
RewriteCond %{QUERY_STRING} ^feed=atom&cat=1$
RewriteRule ^$ http://www.mellowmorning.com/category/symfony/feed/? [R=301,L]

Note that HTTP_HOST and QUERY_STRING are not included in the conditions checked by RewriteRule. The rewrite rule only ge"
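A complete .htaccess for this setup, added here as an example and not taken from the post: it combines the query-string redirects above with the standard WordPress fallback rules, in the order they need to run. The hostname, post IDs and permalinks are constructed placeholders.

```apache
# Added example (not from the post): legacy ?p=ID redirects in front of the
# usual WordPress front controller. Hostname and paths are placeholders.
RewriteEngine On
RewriteBase /

# RewriteRule only matches the URL path, so the old ?p=ID links must be
# recognised through RewriteCond on QUERY_STRING. The trailing "?" on the
# target discards the original query string, so ?p=11 is not appended again.
RewriteCond %{QUERY_STRING} ^p=11$
RewriteRule ^$ http://www.example.com/2007/08/27/example-post/? [R=301,L]

RewriteCond %{QUERY_STRING} ^feed=atom&cat=1$
RewriteRule ^$ http://www.example.com/category/example/feed/? [R=301,L]

# Standard WordPress fallback: anything that is not a real file or directory
# is handed to index.php, which resolves the pretty permalink. These rules
# come last so the 301 redirects above are seen first.
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
```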

1.6.08

Creating Redirects for Affiliate Links

Creating Redirects for Affiliate Links: ".htaccess redirect

Editing the .htaccess file can make your website inaccessible if done incorrectly. Always make sure you have a back-up of the current version of the .htaccess file, to go back to a working version.

.htaccess is a file on Apache servers. It’s a very powerful tool, but often requires rather detailed technical knowledge to edit. Thankfully it’s not that difficult for the purpose of redirecting pages on server level.

Step 1: Check for existing .htaccess
First you need to find out whether you have a .htaccess file already. Start your FTP-program (make sure your program shows the .htaccess file), browse to the root of your domain and look for it (it’s usually on top of the list). If it’s there, download it. Make sure to make a back-up of the current file!

Step 2: Edit it to add redirects
Open the .htaccess file in a text editor and add the following lines to the file.

# Temporary redirects for affiliate links
Redirect 302 /[subdir]/[filename] http://example.com/?id=12345
Redirect 302 /[subdir]/[filename] http://example.com/?id=34567
# End of affiliate redirects

Now replace /[subdir]/[filename] with the right link, and replace http://example.com/?id=12345 with the address you want to send your visitors to when they click the link.

Make sure you use a temporary redirect. The status code 302 tells the other server that the page is redirected temporarily, and that they should not update their addresses to the new address.

For example, for my e-junkie affiliate link this looks like this:

Redirect 302 /go/e-junkie.php http://www.e-junkie.com/?r=11261

Step 3: Save and upload
Upload and overwrite the old .htaccess file on the server.
Again make sure you have a back-up of the old version before you do this!

Step 4: Link to it.
That’s it, now use that link instead of the original link. It doesn’t even matter if there’s a file or not on the original location.

If you’re using WordPress as your (self-hosted) blogging platform, you could also use Joost de Valk’s plugin Robots Meta to edit the .htaccess file from within the WordPress admin interface.

Again, use caution with this file. Make sure you have a copy of a working version and ftp-access to your server in case things go wrong. An error in the .htaccess file could effectively deny you access to the WordPress Admin interface. In which case you’ll have to replace the erroneous file with the back-up through FTP.

htaccess and .htaccess rewrite links « WordPress .htaccess

htaccess and .htaccess rewrite links « WordPress .htaccess: "How to Use .htaccess, mod_rewrite, and Related (for Apache)

SRC: http://brainstormsandraves.com/archives/2005/10/09/htaccess/