Tuesday, January 18, 2011

PHP array_map

One very useful function in PHP is array_map.

Today I am going to show you an example of how you can use this function to quickly filter possibly dangerous data in an array to prevent XSS attacks.

First you will need to create a function that will be used to clean the data:

// here's a function that escapes HTML data to prevent XSS attacks
function map_entities($str) {
    return htmlspecialchars($str, ENT_QUOTES);
}

Next you apply that function to an array containing user input (in real life this could come from $_POST or $_GET, or even from a database):

// here $suspect_data is an array containing data needing to be cleaned
$safe_data = array_map('map_entities',$suspect_data);

And now our array is ready for use ... obviously there is more to filtering data than just escaping HTML characters, but hopefully this little tutorial is helpful in showing you how you can use array_map to solve some real life problems.
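Here is an added example (not code from the original post) that extends the same idea to the nested arrays PHP builds from inputs such as address[street]. The function names escape_for_html and escape_array_for_html are this example's own, and the sample input is constructed.

```php
<?php
// Added example: array_map() with a flat callback like map_entities() does
// not descend into sub-arrays, so a value such as $_POST['address']['street']
// would be left untouched. This version recurses into nested arrays.

function escape_for_html($value)
{
    // Pass the charset explicitly: before PHP 5.4 htmlspecialchars() assumed
    // ISO-8859-1, which mishandles multibyte UTF-8 input.
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

function escape_array_for_html(array $data)
{
    $clean = array();
    foreach ($data as $key => $value) {
        // Keys are left as they are; they should be looked up by name,
        // never echoed into a page without going through escape_for_html().
        $clean[$key] = is_array($value)
            ? escape_array_for_html($value)   // recurse into sub-arrays
            : escape_for_html($value);
    }
    return $clean;
}

// Constructed sample input standing in for $_POST.
$suspect_data = array(
    'name'    => '<script>alert("xss")</script>',
    'comment' => "It's \"fine\" & <b>bold</b>",
    'address' => array('street' => '1 Main St <img src=x onerror=alert(1)>'),
);

$safe_data = escape_array_for_html($suspect_data);

// Every <, >, &, " and ' in the values is now an entity, including the
// nested 'street' value that a flat array_map() would have skipped.
echo $safe_data['name'], "\n";
echo $safe_data['comment'], "\n";
echo $safe_data['address']['street'], "\n";
```

One caveat worth keeping in mind: htmlspecialchars() is the right tool only when the value lands in HTML body or attribute content. A value that ends up inside a JavaScript string, a URL, or a CSS rule needs the escaping rules of that context instead.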

Monday, January 17, 2011

Using Smarty PHP Template Engine for Your Design Layer

Looking for a template engine for your latest web application? The good folks over at Smarty have got you covered.

I have been using Smarty for quite a while now and it has been great. I won't go into all of the reasons I prefer it to some of the other options out there, but I will show you how to use it...

First, you need to download the source from the Smarty website: http://www.smarty.net/download

Now you are ready to get your hands dirty.

The PHP side will look something like this:

// first include the smarty library
include('Smarty.class.php');

// now we create the smarty object
$smarty = new Smarty;

// now we tell smarty where to look for template files
// and where to store compile/config/cache info
$smarty->template_dir = THEFULLPATH.'views/templates/';
$smarty->compile_dir  = THEFULLPATH.'views/templates_c/';
$smarty->config_dir   = THEFULLPATH.'views/configs/';
$smarty->cache_dir    = THEFULLPATH.'views/cache/';

// lets assign our data to template variables now
// in real life you would be getting this data
// from user input or a database, but here we
// are just using a static value
$smarty->assign('FullName', 'Jon Doe');

// display the template
$smarty->display('mytemplate.tpl');

Not bad so far ... now let's create the actual template:

<html>
   <head>
      <title>Hello World</title>
   </head>
   <body>
      Hello {$FullName}
   </body>
</html>

As you can see, Smarty is pretty simple to use. If you would like to become a Smarty expert, a good place to start is here: http://www.smarty.net/crash_course
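As an added example (not from the original post or from the Smarty project), here is the same setup with a value that contains markup, rendered through Smarty's built-in escape modifier so that it is shown rather than interpreted. It assumes Smarty 2.6 or 3.x is on the include path, that THEFULLPATH is this script's directory, and it writes a constructed template file hello_escaped.tpl so it runs on its own.

```php
<?php
// Added example: escaping untrusted data at the template layer with Smarty.
require_once 'Smarty.class.php';

// Assumption: the application root is the directory of this script.
define('THEFULLPATH', __DIR__ . '/');

// Make sure the directories Smarty writes to exist.
foreach (array('templates', 'templates_c', 'configs', 'cache') as $sub) {
    if (!is_dir(THEFULLPATH . 'views/' . $sub)) {
        mkdir(THEFULLPATH . 'views/' . $sub, 0755, true);
    }
}

$template_dir = THEFULLPATH . 'views/templates/';

$smarty = new Smarty;
$smarty->template_dir = $template_dir;
$smarty->compile_dir  = THEFULLPATH . 'views/templates_c/';
$smarty->config_dir   = THEFULLPATH . 'views/configs/';
$smarty->cache_dir    = THEFULLPATH . 'views/cache/';

// Constructed template, written to disk so the script is self-contained.
// {$FullName|escape} entity-encodes <, >, &, " and ' on output; the plain
// {$FullName} line is there only to show the difference in the rendered page.
$template = <<<'TPL'
<html>
   <head>
      <title>Hello World</title>
   </head>
   <body>
      <p>Escaped:   Hello {$FullName|escape}</p>
      <p>Unescaped: Hello {$FullName}</p>
   </body>
</html>
TPL;
file_put_contents($template_dir . 'hello_escaped.tpl', $template);

// Constructed stand-in for a name that came from a form or a database row.
// The escaped line shows the tags literally; the unescaped line renders them.
$untrusted_name = '<b>Jon</b> <i>Doe</i>';
$smarty->assign('FullName', $untrusted_name);

$smarty->display('hello_escaped.tpl');
```

Applying |escape on every variable you print is the habit to build; on Smarty 3.1 and later you can also set $smarty->escape_html = true so that all variable output is escaped by default and you opt out only for values you know to be safe markup.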

Friday, January 14, 2011

Good Security Practice - Never Store Passwords in Plain Text

There are many many things to take into consideration when building a secure application.

Today I am going to be talking about storing passwords in a database.

It is all too easy to think that just because you use an SSL certificate, your clients' passwords are safe from prying eyes. But what if someone gets access to your database?

One of the most overlooked areas in an organization's security infrastructure is backups, including backups of MySQL databases. All it takes is one disgruntled ex-employee or clever hacker for all of your data to be out there for the world to see.

An easy way to protect passwords is a one-way hash. Let's be honest here: there is no reason for you to ever be able to see your clients' passwords.

Before you save a new client's password to the database, simply run it through a one-way hash. For added security you can also add a salt value to the hash, like so:

// here we set a global salt value for our site
define('SITESALT', 'YAWRIFJW');

// this function prepares a password for insertion into the database
function getEncryptedPassword($password) {
   return sha1(SITESALT.$password);
}

// now we call our function
$secure_password = getEncryptedPassword($plain_password);

This same function can also be called when a client logs into the system, so that the hash of the password they entered can be compared with the stored one. This way, if anyone ever gets access to the data, they won't be able to simply read all of your clients' passwords.
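Here is an added example (not the post's own code) of the same "never store plain text" rule using PHP's password_hash() and password_verify(), which exist from PHP 5.5 onward. The function names hash_password_for_storage and password_matches are this example's own, and the demo values are constructed.

```php
<?php
// Added example: one-way hashing with a per-user random salt. Unlike the
// post's sha1(SITESALT.$password), password_hash() picks a fresh salt for
// every call and uses a deliberately slow algorithm (bcrypt), so two users
// with the same password get different hashes and a leaked table is far
// more expensive to brute-force.

// Prepare a password for storage. The result is a self-describing string
// (algorithm, cost, salt and hash) that fits in a VARCHAR(255) column.
function hash_password_for_storage($plain_password)
{
    return password_hash($plain_password, PASSWORD_DEFAULT);
}

// Check a login attempt against the stored string. password_verify()
// reads the salt and cost back out of $stored_hash, recomputes the hash
// and compares it in constant time.
function password_matches($plain_password, $stored_hash)
{
    return password_verify($plain_password, $stored_hash);
}

// Rehash on a successful login when PHP's default cost or algorithm has
// moved on since the hash was made; returns the string to store, or null
// when nothing needs to change.
function rehash_if_needed($plain_password, $stored_hash)
{
    if (password_needs_rehash($stored_hash, PASSWORD_DEFAULT)) {
        return hash_password_for_storage($plain_password);
    }
    return null;
}

// Constructed demo values standing in for a signup and two login attempts.
$stored = hash_password_for_storage('correct horse battery staple');

var_dump(password_matches('correct horse battery staple', $stored));
var_dump(password_matches('Correct horse battery staple', $stored));

// A second signup with the same password never shares a hash with the
// first, which a single site-wide salt cannot guarantee.
var_dump($stored === hash_password_for_storage('correct horse battery staple'));
```

The first var_dump reports a match, the second (different capitalisation) does not, and the third shows the two hashes differ. Note that the stored string already contains its salt, so no SITESALT constant is needed, and nothing in the application ever holds the client's password beyond the request in which it was typed.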

Thursday, January 13, 2011

Switch Two Variables

If you ever need to switch the values of two variables without using a temporary variable, this should come in handy.

list($var1, $var2) = array($var2, $var1);

Tuesday, January 11, 2011

How to Display Youtube Videos on Pages with SSL

So there is a pretty neat trick everyone should be aware of, if you have a site using SSL.

As I am sure you are aware, if you post anything referencing 'http://' on a page using SSL, Internet Explorer will display a wonderful little message to your clients basically telling them you are trying to destroy their lives with your evil insecure page.

In order to avoid mass panic, there is a simple way to fix this problem on your server.

Just add the following lines to your site's .htaccess file:

RewriteEngine On
RewriteRule ^youtube/(.*)$ http://www.youtube.com/$1 [L]

Now you can reference youtube videos like this:

   <param name='movie' value='https://www.yoururl.com/youtube/v/querystuff'></param>
   <embed src='https://www.yoururl.com/youtube/v/querystuff' type='application/x-shockwave-flash' width='400' height='300'></embed>

Just a quick FYI, this method will only work on an Apache server with mod_rewrite enabled.

Saturday, January 8, 2011

PHP Autoload

I fought it for a long time, but I think I am finally convinced that PHP autoload functionality is a good idea.

In case anyone out there needs an example, the following is a custom autoload function that allows for multiple directories to be checked for class files.

Just a quick note, the 'THEFULLPATH' constant should already be set to your server path, and the directories array should be updated to include the directories that your class files are in.

// global function for autoload functionality
function class_autoload($class_name)
{
   // directories where class files are located
   $directory_list = array(
      THEFULLPATH.'common/',
      THEFULLPATH.'models/',
   );

   // for consistency make sure the class name is lower case
   $class_name = strtolower($class_name);

   // for each directory in our directory list
   foreach ($directory_list as $directory)
   {
      // does the file exist? notice the naming convention used here
      // is classname.class.php, feel free to use your own naming 
      // structure and modify the following lines to fit, just 
      // be consistent
      if (file_exists($directory.$class_name.'.class.php'))
      {
         require($directory.$class_name . '.class.php');
         // only require the class once, we exit here to cut down on 
         // processing time
         return;
      } 
   }

   // if we are dealing with another class that had a different 
   // naming convention we add it here if you have many classes 
   // like this (and they should be common libraries, since if 
   // you are writing them they should follow your convention) 
   // you may want to change this to a switch statement
   if ($class_name == 'phpmailer') {
      require(THEFULLPATH."common/PHPMailer/class.phpmailer.php");
   }
}

Once you have created your function, you will need to register it with PHP:

spl_autoload_register('class_autoload');

Congratulations, you now have a working autoload function!

For more information on PHP autoload, read the manual here.
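As an added example (not the post's own code), here is the same multi-directory autoloader with two defensive checks added. An autoloader runs whenever PHP meets a class name it has not seen, which includes class_exists() or new $name on a name that was taken from a request, so it should refuse anything that does not look like a class name and never load a file outside its own directories. The function name class_autoload_strict is this example's own; THEFULLPATH is the post's constant and is assumed here to be the script's directory.

```php
<?php
// Added example: the post's autoloader hardened against unexpected class names.

if (!defined('THEFULLPATH')) {
    define('THEFULLPATH', __DIR__ . '/');   // assumption: app root is this directory
}

function class_autoload_strict($class_name)
{
    // Only letters, digits and underscores. This rejects "../", "/", NUL
    // bytes and anything else that could steer require() somewhere else.
    // Namespaced classes (with backslashes) would need a wider pattern plus
    // a mapping from namespace separators to directories.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $class_name)) {
        return;
    }

    // directories where class files are located
    $directory_list = array(
        THEFULLPATH . 'common/',
        THEFULLPATH . 'models/',
    );

    // same naming convention as the post: classname.class.php, lower case
    $file_name = strtolower($class_name) . '.class.php';

    foreach ($directory_list as $directory) {
        $base      = realpath($directory);
        $candidate = realpath($directory . $file_name);

        // realpath() resolves symlinks and "..", so insist that the file
        // still sits directly inside the resolved directory before loading.
        if ($base !== false && $candidate !== false
            && strpos($candidate, $base . DIRECTORY_SEPARATOR) === 0) {
            require $candidate;
            return;   // only load once
        }
    }

    // Third-party libraries with their own layout go in an explicit map,
    // so the class name never becomes part of a computed path.
    $third_party = array(
        'phpmailer' => THEFULLPATH . 'common/PHPMailer/class.phpmailer.php',
    );
    $key = strtolower($class_name);
    if (isset($third_party[$key]) && is_file($third_party[$key])) {
        require $third_party[$key];
    }
}

spl_autoload_register('class_autoload_strict');
```

The regex check is the one that matters most: with it in place, the only files the autoloader can ever require are the ones you deliberately placed in common/ and models/ or listed in the map, regardless of where the class name came from.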

Friday, January 7, 2011

Welcome to Code By Yunk

Welcome to my blog. I am going to continually post snippets, tutorials, and other information that I think will be helpful to web programmers out there. I currently work mostly in PHP on the LAMP stack, so most of what I post here will be relevant to PHP.