
Welcome to Advanced Onsite Technology

We offer full PHP web solutions to your everyday issues.

From PHP to MySQL, Oracle, MS-SQL, Flex, ActionScript, shell scripting, LAMP server installs, Linux server security, web page security and much, much more.

If you are in need of PHP help, we are here to help.

Stop ranting about the cost and begin to get the help you need, quick and painless. I assure you that once you connect with me I'll be able to help you in more ways than you know.

I have secrets many developers don't, for a lot of good reasons: over 18 years of experience, going back to the assembly programming days.

Check us out at our Blogger website too.
posted by jasonbronson | (Comments Off)

XSS (cross-site scripting) attacks: how to prevent PHP users' posts from harming you or your client

When dealing with cross-site scripting (XSS), you need a way to stop users from posting malicious code into your database and using it to hijack your site or its users.

XSS protection is never a single, fixed solution; keeping clients and users safe from hijacking is an ongoing, full-time job.

Users and attackers keep refining their attacks to get past our defences and do us harm.

<?php

function RemoveXSS($val) {
   // remove all non-printable characters. TAB(09), LF(0a) and CR(0d) are allowed
   // this prevents some character re-spacing such as <java\0script>
   // note that you have to handle splits with \n, \r, and \t later since they *are* allowed in some inputs
   // (the posted character class also contained literal commas, which stripped every ',' from the input;
   // they have been removed here)
   $val = preg_replace('/([\x00-\x08\x0b-\x0c\x0e-\x19])/', '', $val);

   // straight replacements, the user should never need these since they're normal characters
   // this prevents like <IMG SRC=&#X40&#X61&#X76&#X61&#X73&#X63&#X72&#X69&#X70&#X74&#X3A&#X61&#X6C&#X65&#X72&#X74&#X28&#X27&#X58&#X53&#X53&#X27&#X29>
   $search = 'abcdefghijklmnopqrstuvwxyz';
   $search .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
   $search .= '1234567890!@#$%^&*()';
   $search .= '~`";:?+/={}[]-_|\'\\';
   for ($i = 0; $i < strlen($search); $i++) {
      // ;? matches the ;, which is optional
      // 0{0,8} matches any padded zeros, which are optional and go up to 8 chars

      // &#x0040 @ search for the hex values
      $val = preg_replace('/(&#[xX]0{0,8}'.dechex(ord($search[$i])).';?)/i', $search[$i], $val); // with a ;
      // &#00064 @ 0{0,8} matches '0' zero to eight times
      $val = preg_replace('/(&#0{0,8}'.ord($search[$i]).';?)/', $search[$i], $val); // with a ;
   }

   // now the only remaining whitespace attacks are \t, \n, and \r
   $ra1 = Array('javascript', 'vbscript', 'expression', 'applet', 'meta', 'xml', 'blink', 'link', 'style', 'script', 'embed', 'object', 'iframe', 'frame', 'frameset', 'ilayer', 'layer', 'bgsound', 'title', 'base');
   $ra2 = Array('onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate', 'onbeforecopy', 'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus', 'onbeforepaste', 'onbeforeprint', 'onbeforeunload', 'onbeforeupdate', 'onblur', 'onbounce', 'oncellchange', 'onchange', 'onclick', 'oncontextmenu', 'oncontrolselect', 'oncopy', 'oncut', 'ondataavailable', 'ondatasetchanged', 'ondatasetcomplete', 'ondblclick', 'ondeactivate', 'ondrag', 'ondragend', 'ondragenter', 'ondragleave', 'ondragover', 'ondragstart', 'ondrop', 'onerror', 'onerrorupdate', 'onfilterchange', 'onfinish', 'onfocus', 'onfocusin', 'onfocusout', 'onhelp', 'onkeydown', 'onkeypress', 'onkeyup', 'onlayoutcomplete', 'onload', 'onlosecapture', 'onmousedown', 'onmouseenter', 'onmouseleave', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup', 'onmousewheel', 'onmove', 'onmoveend', 'onmovestart', 'onpaste', 'onpropertychange', 'onreadystatechange', 'onreset', 'onresize', 'onresizeend', 'onresizestart', 'onrowenter', 'onrowexit', 'onrowsdelete', 'onrowsinserted', 'onscroll', 'onselect', 'onselectionchange', 'onselectstart', 'onstart', 'onstop', 'onsubmit', 'onunload');
   $ra = array_merge($ra1, $ra2);

   $found = true; // keep replacing as long as the previous round replaced something
   while ($found == true) {
      $val_before = $val;
      for ($i = 0; $i < sizeof($ra); $i++) {
         $pattern = '/';
         for ($j = 0; $j < strlen($ra[$i]); $j++) {
            if ($j > 0) {
               // between any two letters of the keyword, allow any number of encoded tab/newline entities
               $pattern .= '(';
               $pattern .= '(&#[xX]0{0,8}([9ab]);)';
               $pattern .= '|';
               $pattern .= '(&#0{0,8}(9|10|13);)'; // posted as the character class '[9|10|13]', which never matched 10 or 13
               $pattern .= ')*';
            }
            $pattern .= $ra[$i][$j];
         }
         $pattern .= '/i';
         $replacement = substr($ra[$i], 0, 2).'<x>'.substr($ra[$i], 2); // add in <> to nerf the tag
         $val = preg_replace($pattern, $replacement, $val); // filter out the hex tags
         if ($val_before == $val) {
            // no replacements were made, so exit the loop
            $found = false;
         }
      }
   }
   return $val;
}

?>
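The RemoveXSS() function above is a blacklist filter: it tries to recognise and neuter dangerous tokens in the input, and a blacklist only catches the encodings its author thought of. The defence practitioners rely on instead is to store the input unchanged and encode it for the exact context in which it is rendered, so the browser never interprets user data as markup. The PHP below is an added example, not code from the original post; the function names and the sample comment text are made up for the illustration.

```php
<?php
// Added example (not from the original post): context-aware output encoding
// as the complement to input filtering. Store input as-is, encode on output.

// HTML body and attribute context: encode the HTML metacharacters.
// ENT_QUOTES covers both ' and "; the explicit charset avoids multibyte tricks;
// ENT_SUBSTITUTE keeps invalid UTF-8 from silently producing an empty string.
function encodeForHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// JavaScript string context inside a <script> block: JSON-encode with the
// JSON_HEX_* flags so <, >, &, ' and " become \uXXXX escapes and cannot close
// the script element or the string literal.
function encodeForJs(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
        | JSON_UNESCAPED_UNICODE | JSON_THROW_ON_ERROR
    );
}

// URL query parameter context: percent-encode so user data cannot add
// extra parameters or break out of the query string.
function encodeForUrlParam(string $s): string
{
    return rawurlencode($s);
}

// Render one stored comment, applying the encoder that matches each context.
function renderComment(string $author, string $body): string
{
    return '<div class="comment" data-author="' . encodeForHtml($author) . '">'
         . '<p>' . encodeForHtml($body) . '</p>'
         . '<a href="/user?name=' . encodeForUrlParam($author) . '">profile</a>'
         . '<script>var author = ' . encodeForJs($author) . ';</script>'
         . '</div>';
}

// Constructed sample input for the demo; it mixes markup, quotes and an ampersand
// so every encoder above has something to do.
$sampleAuthor = "o'brien <admin>";
$sampleBody   = '<b>hi</b> "x" & \'y\'';
echo renderComment($sampleAuthor, $sampleBody), "\n";
```

Run it from the command line with `php encode.php` and compare the output with the raw strings: every `<`, `>`, `&` and quote has been turned into an entity, an escape or a percent-encoding appropriate to where it lands, and none of the original input was lost. Where you genuinely must allow a subset of HTML (bold, links), use an allowlisting HTML parser rather than a regex blacklist.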

posted by jasonbronson | 0 Comments

How to Validate a Phone Number with PHP

I expect you want to match 555-666-0606 (Angelina Jolie's number ;-)

This will match the number from start to end:

^[0-9]{3}-[0-9]{3}-[0-9]{4}$

^ means the start of the string
$ means the end of the string
[0-9] means any digit from 0 to 9
{3} means _exactly_ 3 occurrences, no more, no less (it can also be {2,4} if you would allow from 2 to 4 occurrences, or {2,} if you want at least 2 digits)

So this line says: _start_ with 3 digits, followed by a -, then 3 digits, then another -, and end with 4 digits.

Example:
<?php
// ereg() was removed in PHP 7; preg_match() takes the same pattern wrapped in delimiters
$number = "555-666-0606";

if (preg_match("/^[0-9]{3}-[0-9]{3}-[0-9]{4}$/", $number)) {
    echo "valid phone number";
} else {
    echo "invalid phone number";
}
?>
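As an added example (not from the original post), here is the same check written with preg_match(), together with the anchoring caveat a validator should handle: in PCRE the `$` anchor also matches just before a single trailing newline, so "555-666-0606\n" passes `/^...$/` but fails the `\A...\z` form. The function names and the list of test inputs are constructed for this illustration; normalisePhone() assumes a ten-digit number and simply rejects anything else.

```php
<?php
// Added example (not from the original post): strict and lenient phone validation.

// Strict: \A and \z anchor to the absolute start and end of the string.
// With /^...$/ a trailing "\n" would be accepted; with \z it is not.
function isValidPhone(string $number): bool
{
    return preg_match('/\A[0-9]{3}-[0-9]{3}-[0-9]{4}\z/', $number) === 1;
}

// Lenient: accept common separators such as spaces, dots and parentheses,
// then normalise to the canonical ###-###-#### form. Returns null unless the
// input contains exactly ten digits (an assumption made for this example).
function normalisePhone(string $input): ?string
{
    $digits = preg_replace('/[^0-9]/', '', $input);
    if (strlen($digits) !== 10) {
        return null;
    }
    return substr($digits, 0, 3) . '-' . substr($digits, 3, 3) . '-' . substr($digits, 6);
}

// Constructed test inputs covering the happy path, the trailing-newline
// edge case, alternative separators and a short string.
$cases = ['555-666-0606', "555-666-0606\n", '(555) 666-0606', '555.666.0606', '12345'];
foreach ($cases as $case) {
    $normalised = normalisePhone($case);
    printf(
        "%-18s strict=%-3s normalised=%s\n",
        json_encode($case),
        isValidPhone($case) ? 'yes' : 'no',
        $normalised ?? 'none'
    );
}
```

Validate strictly on the canonical form, or normalise first and then validate; either way the value you store and later display should be the normalised one, never the raw input.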
posted by jasonbronson | 0 Comments

PHP get remote file size function

When you fetch a file from a remote server with PHP, you can't simply call filesize() on the URL the way you would on a local path.

Be aware that some servers won't let you find out the file size at all, and any server can report a fake size.

Most of the time, though, this will get you the right size for a remote file.

My favourite way of reading a remote file is file_get_contents(), because it is very simple: call the function with the URL as its parameter. Just make sure you check the return value for an error before processing the result.

<?php

$content = file_get_contents('http://www.google.com/');
if ($content !== false) {
   // do something with the content
} else {
   // an error happened
}
?>

Unlike the file_get_contents() and fopen() approaches, using cURL can't be called straightforward. Although this library is very useful for connecting and communicating over many different protocols (not just HTTP), it takes more effort to learn. Another problem is that not all web hosts include the library in their PHP installation, so we had better check that it is installed before trying to use it.

Here is a basic example of fetching a remote file:
<?php
// make sure curl is installed
if (function_exists('curl_init')) {
   // initialize a new curl resource
   $ch = curl_init();

   // set the url to fetch
   curl_setopt($ch, CURLOPT_URL, 'http://www.google.com');

   // don't give me the headers just the content
   curl_setopt($ch, CURLOPT_HEADER, 0);

   // return the value instead of printing the response to browser
   curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

   // use a user agent to mimic a browser
   curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0');

   // curl_exec() returns the body, or false on failure; check before using it
   $content = curl_exec($ch);

   // remember to always close the session and free all resources
   curl_close($ch);
} else {
   // curl library is not installed so we better use something else
}
?>
In some cases cURL is faster than file_get_contents() or fopen(), because cURL handles compression (for example gzip) for you. Many sites, big and small, use gzip compression on their web pages to save bandwidth; this site also uses gzip compression, which cut the bandwidth used in half. So if you're the type who just can't wait, cURL will suit you best.
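The post's title promises a remote file size function, and the caveat above is the important one: the server chooses the Content-Length it reports. As an added example (not from the original post), the PHP below asks for the advertised size with a HEAD request and then downloads the body with a hard cap enforced on the bytes actually received, so a wrong or missing Content-Length cannot turn into an unbounded download. It also restricts the handle to http/https so it cannot be pointed at local files or other stream wrappers. The function names, the 5 MiB cap and the example URL are assumptions made for this illustration.

```php
<?php
// Added example (not from the original post): advertised size via HEAD, then a
// capped download. Content-Length is a hint from the remote side, not a limit
// we trust; the cap is enforced on bytes as they arrive.

const MAX_DOWNLOAD_BYTES = 5 * 1024 * 1024;   // 5 MiB, chosen for this example

// Only http(s) URLs with a host are fetchable; anything else is refused so
// caller-supplied input cannot select file:// or another wrapper.
function isFetchableUrl(string $url): bool
{
    $parts = parse_url($url);
    return is_array($parts)
        && isset($parts['scheme'], $parts['host'])
        && in_array(strtolower($parts['scheme']), ['http', 'https'], true);
}

// Shared handle setup: bounded redirects, http(s) only (also after redirects),
// and timeouts so a slow server cannot hold the worker forever.
function newCurlHandle(string $url)
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_FOLLOWLOCATION  => true,
        CURLOPT_MAXREDIRS       => 3,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT  => 5,
        CURLOPT_TIMEOUT         => 30,
    ]);
    return $ch;
}

// Returns the Content-Length advertised in response to a HEAD request,
// or -1 when the server sent none or the request failed.
function getRemoteFileSize(string $url): int
{
    if (!isFetchableUrl($url)) {
        return -1;
    }
    $ch = newCurlHandle($url);
    curl_setopt($ch, CURLOPT_NOBODY, true);   // HEAD: headers only, no body
    if (curl_exec($ch) === false) {
        curl_close($ch);
        return -1;
    }
    $len = curl_getinfo($ch, CURLINFO_CONTENT_LENGTH_DOWNLOAD);   // -1 if unknown
    curl_close($ch);
    return $len >= 0 ? (int) $len : -1;
}

// Downloads the body, aborting once more than MAX_DOWNLOAD_BYTES have been
// received regardless of what Content-Length claimed. Null on failure.
function fetchRemoteFile(string $url): ?string
{
    if (!isFetchableUrl($url)) {
        return null;
    }
    $ch = newCurlHandle($url);
    // Honoured by libcurl when Content-Length is known up front...
    curl_setopt($ch, CURLOPT_MAXFILESIZE, MAX_DOWNLOAD_BYTES);
    // ...and enforced here for chunked responses or servers that under-report.
    curl_setopt($ch, CURLOPT_NOPROGRESS, false);
    curl_setopt($ch, CURLOPT_PROGRESSFUNCTION, function ($ch, $dlTotal, $dlNow) {
        return $dlNow > MAX_DOWNLOAD_BYTES ? 1 : 0;   // non-zero aborts the transfer
    });
    $body = curl_exec($ch);
    curl_close($ch);
    return $body === false ? null : $body;
}

$url = 'https://www.example.com/';   // placeholder URL for the demo
$size = getRemoteFileSize($url);
echo $size >= 0 ? "advertised size: $size bytes\n" : "size unknown\n";
$body = fetchRemoteFile($url);
echo $body === null ? "download failed or exceeded the cap\n"
                    : 'received ' . strlen($body) . " bytes\n";
```

strlen() of the returned body is the size you can actually rely on; the HEAD result is only useful for deciding whether to bother downloading at all. If the URL comes from a user, add a check of the resolved host against the addresses you are willing to reach before calling either function.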



If you use fopen() to read a remote file, the process is as simple as reading from a local file. The only difference is that you specify the URL instead of the file name. Take a look at the example below:

<?php
// make sure the remote file is successfully opened before doing anything else
if ($fp = fopen('http://www.google.com/', 'r')) {
   $content = '';
   // keep reading until there's nothing left (fread returns '' at EOF and false on error)
   while (($line = fread($fp, 1024)) !== false && $line !== '') {
      $content .= $line;
   }
   fclose($fp);

   // do something with the content here
   // ...
} else {
   // an error occurred when trying to open the specified url
}
?>

Now, the code above uses fread() in the while loop to read up to 1024 bytes per iteration. It can also be written like this:
<?php
// make sure the remote file is successfully opened before doing anything else
if ($fp = fopen('http://www.google.com/', 'r')) {
   $content = '';
   // keep reading until there's nothing left (fgets returns false at EOF)
   while (($line = fgets($fp, 1024)) !== false) {
      $content .= $line;
   }
   fclose($fp);

   // do something with the content here
   // ...
} else {
   // an error occurred when trying to open the specified url
}
?>

Instead of fread() we use fgets(), which reads one line of data, up to 1024 bytes. The first version is preferable, though. Imagine the remote file is 50 kilobytes and consists of 300 lines: the first version loops about fifty times, but the second loops three hundred times.

If you consider the cost of a function call plus the time needed for 300 reads compared to about fifty, the first one is clearly the winner.



For reference, here is PHP's filesize() on a local file:


<?php

// outputs e.g.  somefile.txt: 1024 bytes

$filename = 'somefile.txt';
echo $filename . ': ' . filesize($filename) . ' bytes';

?>

posted by jasonbronson | 0 Comments