Tara Andrei » web app

The magic of mode_rewrite

admin — Tue, 08 Jun 2010 20:00:35 +0000

There’s a long time in the galaxy since I haven’t post on my blog and now, finally here I am, posing a new article. Today I will speak about htaccess mod_rewrite. Well despite the tons of examples and docs, mod_rewrite is voodoo. Damned cool voodoo, but still voodoo.

The majority of the web servers, that are based on Apache, have the mod_rewrite enabled so you don’t have to get dirty to install it on the hosting server.But anyone of those that are developing web application based on Apache server, using PHP have a local installed server therefore mode_rewrite is also necessary in testing process.

Installing mod_rewrite :

On Linux: edit the Apache configuration file ( httpd.conf ) and uncomment LoadModule rewrite_module modules/mod_rewrite.so (remove the pound ‘#’ sign from in front of the line) . Also be sure that the lines containing ClearModuleList and AddModule mod_rewrite.c are uncommented . Now you can create the famous .htacess file on the root of you website and start adding your code.
On Windows: well as we are expecting, things are a bit more complicated because on Windows you cannot create a file that doesn’t have a name (.htacess is a file that only have an extension). For first just uncomment the same lines as in the Linux example. Now you have to tell Apache to use you’re custom file instead of .htacess file, so search in the configuration file (httpd.conf) for the following lines:

# AccessFileName: The name of the file to look for in each directory # for additional configuration directives. See also the AllowOverride
# directive.
#
AccessFileName .htaccess (change the .htaccess to [name].htaccess where name can be whatever what you wish )

You can escape this step and create the .htacess file even on windows, actually the restriction of creating a file without name is an restriction of Windows Explorer is not an restriction of the operating system . Open the command (cmd), go to the root folder of the website and type copy con .htacess and press Ctrl+Z. well… that’s all folks.

Maybe you are asking yourself about mod_rewrite and where to use it, well the short and simple answer is : for simplifying the URL of a website, simpler/shorter URL are easier to write easier to remember. For example instead of having an URL like this www.example.com?id_product=23123&color=23 you can have something like www.example.com/iphone-white. Mod_rewrite basicly make use of regular expression to rewrite an specified URL.

When to use it: mod_rewrite can be used in many circumstances where you may want to rewrite the an URL, also you can create dynamically virtual hosting entry; practically mode_rewrite is an “Swiss Army Knife”.

When not to use it: well as I have mentioned before mode_rewrite make use of regular expression, and evaluating regular expression takes time, use memory and the global performance of the server is decreasing.

I will provide you some basic example of using mode_rewrite. .htaccess file should begin with:

Options +FollowSymLinks
RewriteEngine On
RewriteBase /

Redirecting
Redirect /index.php http://www.example.com/ -this example redirect the current site to www.example.com
RedirectMatch (.*)\.gif http://images.example.com$1.png -In this example, we’ve taken all of our GIF files, converted them to PNG files, and
moved them to another server

Require www

Options +FollowSymLinks
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_HOST} !^www\.example\.com$ [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]

Denying access to a folder except of fopen file from php

RewriteEngine On
RewriteBase /
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /([^/]+)/.*\ HTTP [NC]
RewriteRule .* - [F,L]

Limit access during some hours

Options +FollowSymLinks
RewriteEngine On
RewriteBase /
# If the hour is 7
RewriteCond %{TIME_HOUR} ^7$
RewriteRule ^.*$ - [F,L]

These samples are here just to open your appetite for mode_rewrite. Practically this tool can be used in any other ways,yes… the limit is your imagination.

Protecting HTML source code from being stolen

admin — Mon, 01 Mar 2010 19:01:45 +0000

A lot of people are asking me how they can protect the source code of HTML of they’re site from being seen or worst being stolen. Well, the simple and short answer is that you can’t everything that the browser loads to render it can be seen by the user. The simplest method to protect you’re source HTML code is never to publish it on Internet .

Well seriously, there are some meta methods to protect you’re HTML source from being seen by a common user not from an expert user.I will enumerate some methods starting with the simplest.

The first method, maybe the most stupid one but used by many people (stupid ideas work for stupid people ) is putting a lot of empty line in front of HTML source. If the user looks at the source will see just empty white page. But if he scroll down on bottom of the page he will see the source.
The second method is to disable right click on page. To do that just take a look at next code://Disable right click script III- By Renigade (renigade@mediaone.net)
//For full source code, visit http://www.dynamicdrive.com

var message=”";
///////////////////////////////////
function clickIE() {if (document.all) {(message);return false;}}
function clickNS(e)
{
if(document.layers||(document.getElementById&&!document.all))
{
if (e.which==2||e.which==3)
{(message);return false;}
}
}

if (document.layers)
{
document.captureEvents(Event.MOUSEDOWN);document.onmousedown=clickNS;
}
else
{
document.onmouseup=clickNS;document.oncontextmenu=clickIE;
}

document.oncontextmenu=new Function(”return false”)
// –>

Now that the user can do right click->show page source, you have achieved a good protection method, if you user is a old granny that doesn’t know to use (Ctrl+U) shortcut or Edit->View page soure.
The third method is to use javascript to hide the HTML content. A short example is presented next:
Let’s suppose that the page has the following code:

Sample HTML-hide sorece code

Blah blah blah

Now what we have to do next is to “encrypt” this content, go to http://www.swingnote.com/tools/texttohex.php or a similar page and convert the text source code to an hexa representation. You will obtain something similar to this:
%3c%21%44%4f%43%54%59%50%45%20%68%74%6d%6c%20%50%55%42%4c%49%43%20%5c%22%2d%2f%2f%57%33%43%2f%2f%44%54%44%20%58%48%54%4d%4c%20%31%2e%30%20%54%72%61%6e%73%69%74%69%6f%6e%61%6c%2f%2f%45%4e%5c%22%20%5c%22%68%74%74%70%3a%2f%2f%77%77%77%2e%77%33%2e%6f%72%67%2f%54%52%2f%78%68%74%6d%6c%31%2f%44%54%44%2f%78%68%74%6d%6c%31%2d%74%72%61%6e%73%69%74%69%6f%6e%61%6c%2e%64%74%64%5c%22%3e%20%3c%68%74%6d%6c%20%78%6d%6c%6e%73%3d%5c%22%68%74%74%70%3a%2f%2f%77%77%77%2e%77%33%2e%6f%72%67%2f%31%39%39%39%2f%78%68%74%6d%6c%5c%22%3e%20%3c%68%65%61%64%3e%20%3c%6d%65%74%61%20%68%74%74%70%2d%65%71%75%69%76%3d%5c%22%43%6f%6e%74%65%6e%74%2d%54%79%70%65%5c%22%20%63%6f%6e%74%65%6e%74%3d%5c%22%74%65%78%74%2f%68%74%6d%6c%3b%20%63%68%61%72%73%65%74%3d%75%74%66%2d%38%5c%22%20%2f%3e%20%3c%74%69%74%6c%65%3e%53%61%6d%70%6c%65%20%48%54%4d%4c%2d%68%69%64%65%20%73%6f%72%65%63%65%20%63%6f%64%65%3c%2f%74%69%74%6c%65%3e%20%3c%2f%68%65%61%64%3e%20%20%3c%62%6f%64%79%3e%20%09%42%6c%61%68%20%62%6c%61%68%20%62%6c%61%68%20%3c%2f%62%6f%64%79%3e%20%3c%2f%68%74%6d%6c%3e

The page is the same but now has a different representation that is strange to a common user but remember that this is a meta protection method an advanced user can and will do the reverse method to obtain you’re source.
The next step is to create the “protected” page, create a new HTML document and add the next code:

As you can see all we are doing is to use javascript to write the content (document.write method).
!!! Important : if user has the javascript disabled he will not see anything because the code will not execute, therefore will be nothing displayed. Also remember that most of searchengine as Google or Yahoo crawl the web in text mode, remember that javascript is luxury not a necessity.
Now is time to get serious and speak about some more advanced, a little bit harder to break (not impossible to break), technique to keep you HTML source protected.The base idea is to encrypt the content of the HTML page, this time really encryption . Let imagine a function for encryption this time a simple one that is using xor logic function to achieve encryption. The code to do that is showed next:
//Encryptionfunction encrypt(text,key){

var rez=new Array(text.length);
for(i=0;i rez[i]=text.charCodeAt(i) ^key.charCodeAt(i%key.length);
}
return rez;
}

//Decryption

function decrypt(text,key){
var rez=”";
for(i=0;i rez+=String.fromCharCode(text[i] ^key.charCodeAt(i%key.length));

}
return rez;
}

Using the functions in this form won’t help to much because the user will see clear what is about, so I am going to obfuscate the code (if you don’t know what is that google it ). Now the code looks not so friendly :

eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!”.replace(/^/,String)){while(c–){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return’\\w+’};c=1};while(c–){if(k[c]){p=p.replace(new RegExp(’\\b’+e(c)+’\\b’,'g’),k[c])}}return p}(’8 c(2,4){9 3=d b(2.5);7(1=0;1<2.5;1++){3[1]=2.6(1)^4.6(1%4.5)}a 3}8 f(2,4){9 3=”";7(1=0;1<2.5;1++){3+=e.g(2[1]^4.6(1%4.5))}a 3}’,17,17,’|i|text|rez|key|length|charCodeAt|for|function|var|return|Array|encrypt|new|String|decrypt|fromCharCode’.split(’|'),0,{}))

The next step is to convert you’re page in hexa as showed previously in this post, suppost that we are using the same page the hexa will be:

%3c%21%44%4f%43%54%59%50%45%20%68%74%6d%6c%20%50%55%42%4c%49%43%20%5c%22%2d%2f%2f%57%33%43%2f%2f%44%54%44%20%58%48%54%4d%4c%20%31%2e%30%20%54%72%61%6e%73%69%74%69%6f%6e%61%6c%2f%2f%45%4e%5c%22%20%5c%22%68%74%74%70%3a%2f%2f%77%77%77%2e%77%33%2e%6f%72%67%2f%54%52%2f%78%68%74%6d%6c%31%2f%44%54%44%2f%78%68%74%6d%6c%31%2d%74%72%61%6e%73%69%74%69%6f%6e%61%6c%2e%64%74%64%5c%22%3e%20%3c%68%74%6d%6c%20%78%6d%6c%6e%73%3d%5c%22%68%74%74%70%3a%2f%2f%77%77%77%2e%77%33%2e%6f%72%67%2f%31%39%39%39%2f%78%68%74%6d%6c%5c%22%3e%20%3c%68%65%61%64%3e%20%3c%6d%65%74%61%20%68%74%74%70%2d%65%71%75%69%76%3d%5c%22%43%6f%6e%74%65%6e%74%2d%54%79%70%65%5c%22%20%63%6f%6e%74%65%6e%74%3d%5c%22%74%65%78%74%2f%68%74%6d%6c%3b%20%63%68%61%72%73%65%74%3d%75%74%66%2d%38%5c%22%20%2f%3e%20%3c%74%69%74%6c%65%3e%53%61%6d%70%6c%65%20%48%54%4d%4c%2d%68%69%64%65%20%73%6f%72%65%63%65%20%63%6f%64%65%3c%2f%74%69%74%6c%65%3e%20%3c%2f%68%65%61%64%3e%20%20%3c%62%6f%64%79%3e%20%09%42%6c%61%68%20%62%6c%61%68%20%62%6c%61%68%20%3c%2f%62%6f%64%79%3e%20%3c%2f%68%74%6d%6c%3e

now is time to encrypt the hexa representation with a key, so apply encrypt(”…hexa text ….”,”…you personal key…”) . I used as key “secret” and have obtained this:

86,86,0,87,87,69,86,81,87,87,81,18,86,81,80,87,80,64,86,80,90,87,80,68,86,81,86,87,87,68,86,83,91,87,82,64,86,83,7,87,83,23,86,87,83,87,80,68,86,80,86,87,81,70,
86,81,0,87,81,77,86,81,80,87,87,68,86,80,0,87,87,70,86,87,7,87,87,18,86,87,5,87,80,67,86,86,80,87,81,71,86,87,5,87,87,18,86,81,87,87,80,64,86,81,87,87,87,68,86,
80,91,87,81,76,86,80,87,87,81,16,86,81,0,87,87,68,86,86,82,87,87,17,86,86,83,87,87,68,86,80,87,87,82,70,86,83,82,87,83,17,86,82,80,87,83,77,86,82,87,87,83,77,86,
83,5,87,83,17,86,83,82,87,83,23,86,87,5,87,87,18,86,81,86,87,81,17,86,80,0,87,87,70,86,87,83,87,80,23,86,87,81,87,83,76,86,82,87,87,82,64,86,82,83,87,86,21,86,87,5
,87,87,18,86,82,84,87,82,67,86,82,84,87,87,17,86,82,84,87,86,71,86,87,6,87,83,18,86,82,81,87,83,67,86,87,5,87,80,64,86,80,81,87,87,18,86,82,91,87,83,76,86,82,87,87,
83,16,86,83,0,87,86,69,86,87,5,87,81,64,86,80,87,87,81,64,86,87,5,87,82,76,86,83,91,87,82,64,86,83,7,87,83,23,86,86,82,87,87,16,86,82,87,87,82,70,86,83,82,87,83,17,
86,82,80,87,83,77,86,82,87,87,83,77,86,83,5,87,83,17,86,83,82,87,83,23,86,87,6,87,83,64,86,82,87,87,83,64,86,80,0,87,87,70,86,86,6,87,87,68,86,86,0,87,83,76,86,82,
87,87,83,16,86,83,0,87,87,68,86,82,91,87,83,16,86,83,0,87,83,17,86,82,80,87,86,16,86,80,0,87,87,70,86,83,91,87,82,64,86,82,87,87,82,68,86,86,2,87,87,18,86,87,5,87,
82,67,86,82,84,87,82,67,86,87,6,87,82,67,86,86,80,87,87,17,86,83,5,87,82,70,86,83,84,87,87,18,86,86,82,87,86,77,86,86,90,87,86,77,86,87,5,87,82,76,86,83,91,87,82,64
,86,83,7,87,83,23,86,80,0,87,87,70,86,86,6,87,87,68,86,86,0,87,83,76,86,83,86,87,83,69,86,83,87,87,86,17,86,87,83,87,86,23,86,83,7,87,83,65,86,82,87,87,83,69,86,87,83,
87,83,76,86,82,87,87,82,64,86,82,83,87,87,16,86,83,86,87,82,69,86,82,86,87,83,77,86,82,85,87,86,16,86,80,0,87,87,70,86,81,80,87,83,18,86,83,6,87,82,64,86,83,86,87,83,
17,86,82,87,87,87,16,86,80,87,87,82,77,86,82,83,87,83,65,86,80,0,87,87,70,86,87,83,87,83,71,86,83,5,87,83,17,86,82,87,87,83,65,86,83,6,87,82,64,86,86,7,87,80,23,86,87
,81,87,82,64,86,83,86,87,82,76,86,82,87,87,87,18,86,83,91,87,82,64,86,83,7,87,83,23,86,86,1,87,87,68,86,83,80,87,83,76,86,83,82,87,82,70,86,82,80,87,83,65,86,82,87,87,86,
16,86,82,86,87,82,64,86,83,85,87,87,16,86,86,91,87,80,23,86,87,81,87,87,68,86,87,5,87,86,17,86,87,83,87,86,23,86,82,87,87,83,77,86,82,87,87,83,23,86,83,86,87,86,17,86,
80,80,87,83,69,86,83,7,87,82,68,86,83,0,87,83,65,86,87,83,87,81,76,86,80,87,87,81,16,86,81,0,87,87,16,86,83,91,87,83,77,86,83,87,87,83,65,86,87,83,87,82,71,86,83,5,
87,82,70,86,83,86,87,83,71,86,83,86,87,87,68,86,83,80,87,83,18,86,83,87,87,83,65,86,86,0,87,87,18,86,82,87,87,83,77,86,82,87,87,83,23,86,83,86,87,86,17,86,87,83,87,
86,23,86,87,5,87,83,76,86,83,86,87,83,69,86,83,87,87,86,17,86,87,83,87,87,68,86,86,0,87,83,70,86,83,5,87,83,64,86,82,90,87,86,17,86,87,83,87,85,77,86,81,81,87,83,23,
86,83,82,87,83,76,86,87,83,87,83,70,86,83,0,87,83,69,86,83,91,87,87,68,86,83,81,87,83,23,86,83,82,87,83,76,86,87,83,87,86,23,86,87,5,87,83,70,86,83,5,87,83,64,86,82,
90,87,86,17,86,87,83,87,86,23,86,87,5,87,83,76,86,82,87,87,83,16,86,83,0,87,86,17

Now let’s create the script,that will display the content of page, that will be the final step:

document.write(unescape(decrypt(new Array(86,86,0,87,87,69,86,81,87,87,81,18,86,81,80,87,80,64,86,80,90,87,80,68,86,81,86,87,87,68,86,83,91,87,82,64,86,83,7,87,83,23,86,87,83,87,80,68,86,80,86,87,81,70,
86,81,0,87,81,77,86,81,80,87,87,68,86,80,0,87,87,70,86,87,7,87,87,18,86,87,5,87,80,67,86,86,80,87,81,71,86,87,5,87,87,18,86,81,87,87,80,64,86,81,87,87,87,68,86,
80,91,87,81,76,86,80,87,87,81,16,86,81,0,87,87,68,86,86,82,87,87,17,86,86,83,87,87,68,86,80,87,87,82,70,86,83,82,87,83,17,86,82,80,87,83,77,86,82,87,87,83,77,86,
83,5,87,83,17,86,83,82,87,83,23,86,87,5,87,87,18,86,81,86,87,81,17,86,80,0,87,87,70,86,87,83,87,80,23,86,87,81,87,83,76,86,82,87,87,82,64,86,82,83,87,86,21,86,87,5
,87,87,18,86,82,84,87,82,67,86,82,84,87,87,17,86,82,84,87,86,71,86,87,6,87,83,18,86,82,81,87,83,67,86,87,5,87,80,64,86,80,81,87,87,18,86,82,91,87,83,76,86,82,87,87,
83,16,86,83,0,87,86,69,86,87,5,87,81,64,86,80,87,87,81,64,86,87,5,87,82,76,86,83,91,87,82,64,86,83,7,87,83,23,86,86,82,87,87,16,86,82,87,87,82,70,86,83,82,87,83,17,
86,82,80,87,83,77,86,82,87,87,83,77,86,83,5,87,83,17,86,83,82,87,83,23,86,87,6,87,83,64,86,82,87,87,83,64,86,80,0,87,87,70,86,86,6,87,87,68,86,86,0,87,83,76,86,82,
87,87,83,16,86,83,0,87,87,68,86,82,91,87,83,16,86,83,0,87,83,17,86,82,80,87,86,16,86,80,0,87,87,70,86,83,91,87,82,64,86,82,87,87,82,68,86,86,2,87,87,18,86,87,5,87,
82,67,86,82,84,87,82,67,86,87,6,87,82,67,86,86,80,87,87,17,86,83,5,87,82,70,86,83,84,87,87,18,86,86,82,87,86,77,86,86,90,87,86,77,86,87,5,87,82,76,86,83,91,87,82,64
,86,83,7,87,83,23,86,80,0,87,87,70,86,86,6,87,87,68,86,86,0,87,83,76,86,83,86,87,83,69,86,83,87,87,86,17,86,87,83,87,86,23,86,83,7,87,83,65,86,82,87,87,83,69,86,87,83,
87,83,76,86,82,87,87,82,64,86,82,83,87,87,16,86,83,86,87,82,69,86,82,86,87,83,77,86,82,85,87,86,16,86,80,0,87,87,70,86,81,80,87,83,18,86,83,6,87,82,64,86,83,86,87,83,
17,86,82,87,87,87,16,86,80,87,87,82,77,86,82,83,87,83,65,86,80,0,87,87,70,86,87,83,87,83,71,86,83,5,87,83,17,86,82,87,87,83,65,86,83,6,87,82,64,86,86,7,87,80,23,86,87
,81,87,82,64,86,83,86,87,82,76,86,82,87,87,87,18,86,83,91,87,82,64,86,83,7,87,83,23,86,86,1,87,87,68,86,83,80,87,83,76,86,83,82,87,82,70,86,82,80,87,83,65,86,82,87,87,86,
16,86,82,86,87,82,64,86,83,85,87,87,16,86,86,91,87,80,23,86,87,81,87,87,68,86,87,5,87,86,17,86,87,83,87,86,23,86,82,87,87,83,77,86,82,87,87,83,23,86,83,86,87,86,17,86,
80,80,87,83,69,86,83,7,87,82,68,86,83,0,87,83,65,86,87,83,87,81,76,86,80,87,87,81,16,86,81,0,87,87,16,86,83,91,87,83,77,86,83,87,87,83,65,86,87,83,87,82,71,86,83,5,
87,82,70,86,83,86,87,83,71,86,83,86,87,87,68,86,83,80,87,83,18,86,83,87,87,83,65,86,86,0,87,87,18,86,82,87,87,83,77,86,82,87,87,83,23,86,83,86,87,86,17,86,87,83,87,
86,23,86,87,5,87,83,76,86,83,86,87,83,69,86,83,87,87,86,17,86,87,83,87,87,68,86,86,0,87,83,70,86,83,5,87,83,64,86,82,90,87,86,17,86,87,83,87,85,77,86,81,81,87,83,23,
86,83,82,87,83,76,86,87,83,87,83,70,86,83,0,87,83,69,86,83,91,87,87,68,86,83,81,87,83,23,86,83,82,87,83,76,86,87,83,87,86,23,86,87,5,87,83,70,86,83,5,87,83,64,86,82,
90,87,86,17,86,87,83,87,86,23,86,87,5,87,83,76,86,82,87,87,83,16,86,83,0,87,86,17),”secret”)));

As you can see the key is “secret” you must chose a better one dynamic generate on each session stored in cookies. For extra security obfuscate this cod too:

eval(function(p,a,c,k,e,d){e=function(c){return(c35?String.fromCharCode(c+29):c.toString(36))};if(!”.replace(/^/,String)){while(c–){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return’\\w+’};c=1};while(c–){if(k[c]){p=p.replace(new RegExp(’\\b’+e(c)+’\\b’,'g’),k[c])}}return p}(’y.w(A(v(t z(4,4,0,3,3,m,4,b,3,3,b,j,4,b,a,3,a,c,4,a,r,3,a,f,4,b,4,3,3,f,4,8,l,3,9,c,4,8,7,3,8,e,4,3,8,3,a,f,4,a,4,3,b,g,4,b,0,3,b,k,4,b,a,3,3,f,4,a,0,3,3,g,4,3,7,3,3,j,4,3,
5,3,a,o,4,4,a,3,b,q,4,3,5,3,3,j,4,b,3,3,a,c,4,b,3,3,3,f,4,a,l,3,b,h,4,a,3,3,b,i,4,b,0,3,3,f,4,4,9,3,3,d,4,4,8,3,3,f,4,a,3,3,9,g,4,8,9,3,8,d,4,9,a,3,8,k,4,9,3,3,8,k,
4,8,5,3,8,d,4,8,9,3,8,e,4,3,5,3,3,j,4,b,4,3,b,d,4,a,0,3,3,g,4,3,8,3,a,e,4,3,b,3,8,h,4,9,3,3,9,c,4,9,8,3,4,u,4,3,5,3,3,j,4,9,p,3,9,o,4,9,p,3,3,d,4,9,p,3,4,q,4,3,6,3
,8,j,4,9,b,3,8,o,4,3,5,3,a,c,4,a,b,3,3,j,4,9,l,3,8,h,4,9,3,3,8,i,4,8,0,3,4,m,4,3,5,3,b,c,4,a,3,3,b,c,4,3,5,3,9,h,4,8,l,3,9,c,4,8,7,3,8,e,4,4,9,3,3,i,4,9,3,3,9,g,4,8,9,
3,8,d,4,9,a,3,8,k,4,9,3,3,8,k,4,8,5,3,8,d,4,8,9,3,8,e,4,3,6,3,8,c,4,9,3,3,8,c,4,a,0,3,3,g,4,4,6,3,3,f,4,4,0,3,8,h,4,9,3,3,8,i,4,8,0,3,3,f,4,9,l,3,8,i,4,8,0,3,8,d,4,9,
a,3,4,i,4,a,0,3,3,g,4,8,l,3,9,c,4,9,3,3,9,f,4,4,2,3,3,j,4,3,5,3,9,o,4,9,p,3,9,o,4,3,6,3,9,o,4,4,a,3,3,d,4,8,5,3,9,g,4,8,p,3,3,j,4,4,9,3,4,k,4,4,r,3,4,k,4,3,5,3,9,h,4,8,
l,3,9,c,4,8,7,3,8,e,4,a,0,3,3,g,4,4,6,3,3,f,4,4,0,3,8,h,4,8,4,3,8,m,4,8,3,3,4,d,4,3,8,3,4,e,4,8,7,3,8,n,4,9,3,3,8,m,4,3,8,3,8,h,4,9,3,3,9,c,4,9,8,3,3,i,4,8,4,3,9,m,4,
9,4,3,8,k,4,9,s,3,4,i,4,a,0,3,3,g,4,b,a,3,8,j,4,8,6,3,9,c,4,8,4,3,8,d,4,9,3,3,3,i,4,a,3,3,9,k,4,9,8,3,8,n,4,a,0,3,3,g,4,3,8,3,8,q,4,8,5,3,8,d,4,9,3,3,8,n,4,8,6,3,9,c,4,4,
7,3,a,e,4,3,b,3,9,c,4,8,4,3,9,h,4,9,3,3,3,j,4,8,l,3,9,c,4,8,7,3,8,e,4,4,1,3,3,f,4,8,a,3,8,h,4,8,9,3,9,g,4,9,a,3,8,n,4,9,3,3,4,i,4,9,4,3,9,c,4,8,s,3,3,i,4,4,l,3,a,e,4,3,
b,3,3,f,4,3,5,3,4,d,4,3,8,3,4,e,4,9,3,3,8,k,4,9,3,3,8,e,4,8,4,3,4,d,4,a,a,3,8,m,4,8,7,3,9,f,4,8,0,3,8,n,4,3,8,3,b,h,4,a,3,3,b,i,4,b,0,3,3,i,4,8,l,3,8,k,4,8,3,3,8,n,4,
3,8,3,9,q,4,8,5,3,9,g,4,8,4,3,8,q,4,8,4,3,3,f,4,8,a,3,8,j,4,8,3,3,8,n,4,4,0,3,3,j,4,9,3,3,8,k,4,9,3,3,8,e,4,8,4,3,4,d,4,3,8,3,4,e,4,3,5,3,8,h,4,8,4,3,8,m,4,8,3,3,4,
d,4,3,8,3,3,f,4,4,0,3,8,g,4,8,5,3,8,c,4,9,r,3,4,d,4,3,8,3,s,k,4,b,b,3,8,e,4,8,9,3,8,h,4,3,8,3,8,g,4,8,0,3,8,m,4,8,l,3,3,f,4,8,b,3,8,e,4,8,9,3,8,h,4,3,8,3,4,e,4,3,5,3,
8,g,4,8,5,3,8,c,4,9,r,3,4,d,4,3,8,3,4,e,4,3,5,3,8,h,4,9,3,3,8,i,4,8,0,3,4,d),”x”)));’,37,37,’|||87|86||||83|82|80|81|64|17|23|68|70|76|16|18|77|91|69|65|67|84|
71|90|85|new|21|decrypt|write|secret|document|Array|unescape’.split(’|'),0,{}))

We have an pretty good protection, must remember a meta HTML protection because this can be broken by a good hacker.

I hope that this article was helpful I am waiting for you’re feedback.

[UPDATE:] here are the source used in this article
Secure_HTML_code

Bad web programming technique.

admin — Wed, 24 Feb 2010 19:01:19 +0000

ASP.Net and JSP are two wonderful enviroment to create web application, application that are easy to modify and adapt to all requirements, but the major problems of ASP.Net and JSP is that they are not cheap and slow, in fact there are not many hosting provider that are offering hosting service for this technologies at a affordable price (for a common user ).

Therefore other affordable technology like PHP are commonly wide used by most common users. In comparison with Java or C#, PHP language is pretty simple and doesn’t relay on so much formalism and doesn’t need a lot of knowledge about programming, allowing users to create application without knowing much think about programming technique.

The side effect is that the applications developed in this way are extremely hard to debug and even more harder to extend from a very wide variety of factors, some I will discuss later in this paper.

The first think to speak about is the “spaghetti code” where the entire application logic (code) is meshed up in same file, you know what I am talking about: a lot of if/else/for/while and functions with no logic organization. To extend such crap application wrote by some other programmers is quite hard and unproductive.
Since version 4 PHP offers OOP(object orientated programming) but it seams that most of users doesn’t know how to use it right, how to increase their productivity using OOP programming technique and software engineering technique .It seams that web programmers are still writing code like in the stone age.
Another problem, the biggest one is that users are creating applications dependent on design. The design of a web site is changing frequently that means restructuring the code again and again and again.

The list is still open. I will continue to add more and more bad programming technique.

Prototipuri in JAVASCRIPT

admin — Mon, 19 Jan 2009 21:36:48 +0000

Desi javascript nu suporta clase totusi se poate poate programa obiectual si anume folosind prototipuri. Javascript este un limbaj in care gasesti atat cele mai mari idiotenii posibile care s-au putut inventa in vre-un limbaj de programare cat si unele cu adevarat geniale, printre acestea se numara faptul ca un obiect in Javascript este un container generic la care ii poti adauga oricand o noua proprietate sau “metoda”. Mai jos este un exemplu de “clasa” (un echivelent al unei clase din limbaje care suporta asa ceva) ce incapsuleaza mecanismul cunoscut si sub denumirea de AJAX.

Pentru cei care nu stiu AJAX este un mecanism de comunicare asicrona cu server-ul, adica pentru a aduce informatie nu este necesara un refresh de pagina.

function AjaxRequest(url)

{

this.url=url;

this.xmlHttp=”";

this.init=function()

{

try

{

// Firefox, Opera 8.0+, Safari

this.xmlHttp=new XMLHttpRequest();

}

catch (e)

{

// Internet Explorer

try

{

this.xmlHttp=new ActiveXObject(”Msxml2.XMLHTTP”);

}

catch (e)

{

try

{

this.xmlHttp=new ActiveXObject(”Microsoft.XMLHTTP”);

}

catch (e)

{

alert(”Your browser does not support AJAX!”);

return false;

}

}

}

}

this.request=function()

{

this.init();

try{

this.xmlHttp.open(this.requestType,this.url,true);

}

catch(e)

{

this.onLoadFaild(e);

}

this.xmlHttp.send(this.vars);

var parent=this;

this.xmlHttp.onreadystatechange=function()

{

var done = 4, ok = 200;

if (parent.xmlHttp.readyState == done && parent.xmlHttp.status == ok)

{

if (parent.xmlHttp.responseText)

{

parent.onLoad(parent.xmlHttp.responseText);

}

}

}

}

this.get=function(vars)

{

this.vars=vars;

this.requestType=”GET”;

this.request();

}

this.post=function(vars)

{

this.vars=vars;

this.requestType=”POST”;

this.request();

}

}

Codul este destul de simplu ..aproape ca vorbeste de la sine. Avantajul programarii folosind obiecte este ca utilizare este foarte simpla plus ca putem avea conexiuni multiple pe servere separate

script1=new AjaxRequest(”http://un.site.de.undeva”);

script1.onLoad=function(sucess){

if(sucess==true){

prelucreaza informatia primita

}

}

script1.get(”");

script2=new AjaxRequest(”http://un.site.de.altundeva”);

script2.onLoad=function(sucess){

if(sucess==true){

prelucreaza informatia primita

}

}

script2.get(”");

XSS -cross site scripting

admin — Sun, 16 Nov 2008 19:10:12 +0000

Pentru cei care nu stiu cross site scripting-ul est o vulnerabilitatea de securitate ,specifica aplicatiilor web, ce permite injectare de cod distrugator in paginile web vizualizate de catre utilizator. Ea este o vulnerabilitate client side adica nu are efect propriu-zis asupra informatie de pe server ..ati putea spune ca nu este un pericol din moment ce este client side dar sa ne imaginam urmatoare situatie : ce ar insemna daca pe site-ul unei banci , pe una dintre pagini exista un fromular in care toti clientii sunt rugati sa isi introduca datele personale, iar infromatia se va trimite undeva in internet,..ei bine in acest caz este grav.

Pentru a rezolva problema a inputurilor nesecurizate am realizat utmatoarea clasa in php cu o implementare simplificata mult.

class Secure {
/**internals
*
*/
var $data;
var $notSecured=array();

/**Constructor
*
*/
public function Secure(&$data,$autosecure=true)
{

$this->data=&$data;
if($autosecure==true)
$this->secureInputs();

}
/**
* verify if the array is empty
*/
public function isEmpty()
{

if(count($this->data)<=0)
return true;

foreach($this->data as $key=>$value)
{if(empty($value))
return true;
}

return false;
}
/**
* secure all filds
*/
public function secureInputs()
{

foreach ($this->data as $k => $v)
{
if($this->isNotSecured($k)==false)
$this->data[$k]=htmlspecialchars($v, ENT_QUOTES);
}

}
/**
* add key that is not secured
*/
public function addNotSecuredInputs(array $key)
{
$this->notSecured=$key;

}
/**
* check if input is one that that dosen’t have to be secured
*/
private function isNotSecured($key)
{

for($i=0;$inotSecured);$i++)
if(!strcmp($this->notSecured[$i],$key))
return true;

return false;

}

}
?>

Iata cum ar arata utilizarea acesti clase

$sec=new Secur($_POST);

dupa cum se vede am salvat mult munca, clasa putand fi utilizata ori de cate ori avem nevoie sa securizam inputurile.Ce s-ar intimpla daca de exmplu dorim ca anumite inputuri sa contina cod html ??? Ei bine si problema acesta este rezolvabila cu mare usurinta

$sec=new Secure($_GET,false);

$sec->addNotSecuredInputs(”nume_variabila_ce_contine_cod_html”);

$sec->secureInputs();

Am ales o versiune minimala de implementare ce securizeaza doar cod html..voi reveni cu o versiune completa mult mai complexa ce securizeaza si injectie sql generand rapoarte de securitate ( de exmplu se ia ip-ul utilizatorului cu ganduri necurate printre multe altele) …Oricum clasele de php pe care le mai postez din cand in cand pe blog sun cioturi din un farmawork al meu pe care intr-un final sper sa il aduc la stadiul unui cms..dar asta este o alta poveste.

PHP o abordare obiectuala a dialogului cu baza de date

admin — Tue, 11 Nov 2008 15:39:04 +0000

Dupa cum bine se stie PHP-ul este un limbaj orientat pe cod iar suportul pentru clase a aparut abia mai tarziu.
Astazi m-am gindit sa va arat un mic tutorial, si ca sa fiu mai practic am sa realizez citeva clase ce implementeaza majoritatea operatiilor necersare in lucrul cu baza de date in principiu este vorba de patru clase
MysqlQuerry MysqlConnector MysqlController si MysqlResource.
Si ca sa profitam la maxim de flexibilitatea oferita de progrmarea obiectuala haideti ca si clasele noastre sa implementeze fiecate cite o interfata…poate considerati acest pas inutil dar sa ne inchipuim ca dorim sa realizam o aplicatie ce foloseste un server de Mysql dar in timp s-ar putea sa facem o migratie catre un alt server tot ce trebuie sa facem este sa realizam clase ce implementeaza interfetele si modificariile in aplicatia noastra vor fi minime minime atita vreme cit interfata este respectata.
Mai jos este dat codul pentru fiecare dintre interfete

DbQuerry

Cod:

interface DbQuerry {

/**
* @ReturnType void
* @ParamType querry
*/
public function execQuery($querry);
}

DbController

Cod:

interface DbController {

/**
* @ReturnType void
* @ParamType name string
* @ParamType colomns
*/
public function createTable($name, $colomns);

/**
* @ReturnType void
* @ParamType name string
*/
public function deleteTable($name);

/**
* @ParamType name string
* @ParamType clone string
*/
public function cloneTable($name, $clone);

/**
* @ParamType name string
* @ParamType connector Database.DbConnector
*/
public function createDatabase($name);

/**
* @ParamType name string
* @ParamType connector Database.DbConnector
*/
public function deleteDatabase($name);

/**
* @ReturnType Database.DbResource
*/
public function getLink();
}

DbConnector

Cod:

interface DbConnector {

/**
* @ReturnType Database.DbResource
*/
public function getLink();

/**
* @ReturnType void
*/
public function disconnect();

/**
* @ReturnType void
*/
public function reconnect();
}

DbTable

Cod:

interface DbTable {

/**
* @ParamType colomns
* @ParamType values
*/
public function insert($colomns, $values);

/**
* @ParamType condition
*/
public function delete($condition,$operation=’AND’);

/**
* @ParamType colomns
* @ParamType values
* @ParamType conditions
*/
public function update($colomns, $values, $conditions);

/**
* @ParamType condition
*/
public function select($colomns,$condition=”");

/**
* @ReturnType Database.DbResource
*/
public function getData();
/**
* @ReturnType integer
*/
public function getRowsNumber();
}

Aplicatia va lucra doar cu interfatele (de fapt cu implementari ale interfetelor) si in acest mod se respecta bine cunoscutul principuiu al segregarii interfetelor de implementare.
Acum haideti sa arunacam o privire asupra implemetarii interfetelor

MysqlQuerry

Cod:

class MysqlQuerry implements DbQuerry {
/**
* @AttributeType Database.MysqlResource
*/
private $resource;
/**
* @AttributeType boolean
* */
public static $debug=false;

/**
* @ParamType resource Database.MysqlResource
*/
public function setResource(MysqlResource $resource) {
$this->resource=$resource;
}

/**
* @ParamType resource Database.MysqlResource
*/
public function MysqlQuerry(MysqlResource $resource) {
$this->setResource($resource);
}

/**
* @ParamType querry
*/
public function execQuery($querry) {
if(MysqlQuerry::$debug==true)
echo($querry);

$result=mysql_query($querry,$this->resource->getResource());
if(!$result){
$error=mysql_error();
throw new MysqlSintaxException($error);
}

$resource=new MysqlResource($result);

if(MysqlQuerry::$debug==true)
echo(mysql_info($this->resource->getResource()));

return $resource;
}
}

MysqlController

Cod:

class MysqlController extends MysqlQuerry implements DbController {
/**
* @AttributeType string
*/
private $databaseName;

/**
* @AttributeType DbResource
*/
private $resource;

/**
* @ParamType dbName
* @ParamType connector Database.MysqlConnector
*/
public function MysqlController($dbName, MysqlConnector $connector) {
parent::MysqlQuerry($connector->getLink());
$this->databaseName=$dbName;
$this->resource=$connector->getLink();

}

/**
* @ReturnType void
* @ParamType name string
* @ParamType colomns
*/
public function createTable($name, $colomns) {

if(is_array($colomns))
$colomns=implode(”,”,$colomns);
$this->execQuery(”CREATE TABLE $name ($colomns)”);
}

/**
* @ReturnType void
* @ParamType name string
*/
public function deleteTable($name) {
$this->execQuery(”DELETE TABLE $name”);
}

/**
* @ParamType name string
* @ParamType clone string
*/
public function cloneTable($name, $clone) {
$this->execQuery(”CREATE TABLE $clone LIKE $name”);
$this->execQuery(”INSERT $clone SELECT * FROM $name”);
}

/**
* @ParamType name string
*/
public function createDatabase($name) {
$this->execQuery(”CREATE DATABASE $name”);
}

/**
* @ParamType name string
*/
public function deleteDatabase($name) {
$this->execQuery(”DELETE DATABASE $name”);
}
/**
* @ParamType querry
*/
public function execQuery($querry) {
mysql_select_db($this->databaseName,$this->resource->getResource());
return parent::execQuery($querry);

}
/**
* @ReturnType Database.DbResource
*/
public function getLink(){
return $this->resource;
}
};

MysqlConnector

Cod:

lass MysqlConnector implements DbConnector {
/**
* @AttributeType string
*/
private $password;
/**
* @AttributeType Database.DbResource
*/
private $link;
/**
* @AttributeType string
*/
private $user;
/**
* @AttributeType string
*/
private $host;

/**
* @ReturnType boolean
*/
public function pingServer() {
$result= mysql_ping($this->getLink());
return $result;
}

/**
* @ParamType host
* @ParamType user
* @ParamType password
*/
public function MysqlConnector($host=null, $user=null, $password=null) {
$this->host=$host;
$this->user=$user;
$this->password=$password;
$this->reconnect();
}

/**
* @ReturnType Database.DbResource
*/
public function getLink() {
return $this->link;
}

/**
* @ReturnType void
*/
public function disconnect() {
mysql_close($this->getLink()->getResource());
}

/**
* @ReturnType void
*/
public function reconnect() {
$result=mysql_connect($this->host,$this->user,$this->password);
if($result==false){
$error=mysql_error();
throw new MysqlConnectionException($error);
return;
}

$this->link=new MysqlResource($result);
}
/**
* @ReturnType void
*/
public function __destruct(){
$this->disconnect();
}
};

MysqlResource

Cod:

class MysqlResource implements DbResource {
private $resource;

/**
* @ParamType resource
*/
public function MysqlResource($resource) {
$this->resource=$resource;
}

public function getResource() {
return $this->resource;
}

}

MysqlTable

Cod:

class MysqlTable extends MysqlQuerry implements DbTable {
/**
* @AttributeType string
*/
private $name;
/**
* @AttributeType string
*/
private $tableResource=null;
/**
* @AttributeType DbController
*/
private $controllerLink;
/**
* @ParamType name
* @ParamType connector Database.MysqlConnector
*/
public function MysqlTable($name, MysqlController $controler) {
parent::MysqlQuerry($controler->getLink());
$this->name=$name;
$this->controllerLink=$controler;
}

/**
* @ParamType colomns
* @ParamType values
*/
public function insert($colomns, $values) {
if(is_array($colomns))
$colomns=implode(”,”,$colomns);
if(is_array($values))
$values=implode(”,”,$values);

$this->execQuery(”INSERT INTO $this->name ($colomns) VALUES (’$values’)”);
}

/**
* @ParamType condition
*/
public function delete($condition,$operation=’AND’) {
if(is_array($condition))
$condition=implode(” $operation “,$condition);
$this->execQuery(”DELETE FROM $this->name WHERE $condition”);
}

/**
* @ParamType colomns
* @ParamType values
* @ParamType conditions
*/
public function update($colomns, $values, $conditions) {
if(!is_array($colomns))
$colomns=explode(”,”,$colomns);
if(!is_array($values))
$values=explode(”,”,$values);
if(is_array($conditions))
$conditions=implode(” AND “,$conditions);
if(count($colomns)!=count($values))
throw new SintaxErrorException(”values and colomn must have the same size.”);

$rez=array();

for($i=0;$i $rez.=$colomns[$i]=”=’$values[$i]‘,”;
}
$rez.=$colomns[$i]=”=’$values[$i]‘”;

$this->execQuery(”UPDATE $this->name SET $rez WHERE $conditions”);

}

/**
* @ParamType condition
*/
public function select($colomns,$condition=”") {
if(is_array($colomns))
$colomns=implode(”,”,$colomns);
if(is_array($condition))
$condition=implode(” AND “,$condition);
if($condition!=”")
$this->tableResource=$this->execQuery(”SELECT $colomns FROM $this->name WHERE $conditions”);
else
$this->tableResource=$this->execQuery(”SELECT $colomns FROM $this->name “);

}

/**
* @ReturnType Database.DbResource
*/
public function getData() {
if($this->tableResource==null)
throw new MysqlTableException(”no data selected in table”);

$i=0;
$result=array();

while($row=mysql_fetch_object($this->tableResource->getResource()))
{
$result[$i++]=$row;
}

return new MysqlResource($result);
}
/**
* @ReturnType integer
*/
public function getRowsNumber() {
if($this->tableResource==null)
throw new MysqlTableException(”no data selected in table”);

return mysql_num_rows($this->tableResource->getResource());
}
/**
* @ParamType querry
*/
public function execQuery($querry) {
return $this->controllerLink->execQuery($querry);

}
};

Pentru a trata diversele erori ce pot aparea in timpul lucrului cu baza de date se lucreaza cu exceptii.Iata un exemplu ce foloseste clasele de mai sus, sa presupunem ca avem un tabel cu doua cimpuri id si nume:

Cod:

…
try
{
$connector=new MysqlConnector(”host”,”user”,”parola”);
$controller=new MysqlController(”nume_baza_de_date”,$connector);
$table=new MysqlTable(”nume_tabel”,$controller);
$table->select(”*”,”id=’1′”);
$data=$table->getData()->getResource();

for($i=0;$i {
echo($data->id);
}

}

catch $ex)
{
echo(”eroare de sintaxa:”.$ex->getMesage());
}
catch(MysqlTableException $ex)
{
echo(”eroare:”.$ex->getMessage());
}
catch(MysqlConnectionException $ex)
{
echo(”eroare :”.$ex->getMessage());
}
catch(MysqlException $ex)
{
echo(”eroare :”.$ex->getMessage());
}
..

O observatie foarte importanta este ce in cazul catchurilo ordinea este importanta astfel de exmplu daca aveam primul chatch MysqlException de fiecare data cind aparea o exceptie se intra pe primul catch deoarece MysqlException este o calsa din care se deriveaza celelalte tipuri astfel o exceptie de tipul MysqlSintaxException este si de tipul MysqlException.
Pentru a va face o face o imagine asupra ierarhiei de clase am atasat o imagine