#18524 - 09/24/05 01:14 PM Useful PHP Functions & Code
Gremelin Offline

Community Owner
*****

Registered: 02/28/02
Posts: 7193
Loc: Portland, OR; USA
Learner's Picks:
You will need the following (assuming you know HTML, XHTML, XML, or some markup to display data)

date
http://us2.php.net/manual/en/function.date.php

sessions(login auth)
http://us2.php.net/manual/en/function.session-start.php
http://us2.php.net/manual/en/function.session-is-registered.php
http://us2.php.net/manual/en/function.session-unregister.php
http://us2.php.net/manual/en/function.session-unset.php

MySQL db functions(unless of course you want to learn a different db)
http://us2.php.net/manual/en/function.mysql-connect.php
http://us2.php.net/manual/en/function.mysql-close.php
http://us2.php.net/manual/en/function.mysql-query.php
http://us2.php.net/manual/en/function.mysql-fetch-array.php
http://us2.php.net/manual/en/function.mysql-fetch-assoc.php

MySQL links
http://dev.mysql.com/doc/mysql/en/delete.html
http://dev.mysql.com/doc/mysql/en/insert.html
http://dev.mysql.com/doc/mysql/en/update.html

Gizmo's Picks:
arrays:
http://us2.php.net/manual/en/function.array.php
http://us2.php.net/manual/en/ref.array.php

file_exists:
http://us2.php.net/manual/en/function.file-exists.php

file:
http://us2.php.net/manual/en/function.file.php

fopen/fclose:
http://us2.php.net/fopen
http://us2.php.net/manual/en/function.fclose.php

fsockopen:
http://us2.php.net/manual/en/function.fsockopen.php

other disk/file functions:
http://us2.php.net/manual/en/function.disk-free-space.php
http://us2.php.net/manual/en/function.disk-total-space.php
http://us2.php.net/manual/en/function.chmod.php
http://us2.php.net/manual/en/function.copy.php
http://us2.php.net/manual/en/function.delete.php
http://us2.php.net/manual/en/function.filesize.php
http://us2.php.net/manual/en/function.filetype.php
http://us2.php.net/manual/en/function.flock.php
http://us2.php.net/manual/en/function.is-writable.php
http://us2.php.net/manual/en/function.touch.php

BTW, if you're going to go off playing with MySQL you should also look into:

http://us2.php.net/manual/en/function.str-replace.php
http://us2.php.net/manual/en/function.stripslashes.php
http://us2.php.net/manual/en/function.strip-tags.php

so you don't go and get yourself owned...

Coding for Security:
Trust nothing from the user. Code every form as if you know a hacker is coming at it. Also safeguard against URL submissions. Remember the GET method. If someone views the source of your form they will see all the variables that will be passed. Even if you are using POST, they can mess with the URL and try submitting malicious code that way.

1.) Code as if register_globals is off.
http://us2.php.net/variables.external

2.) Make sure the user came from the page the form is on. See the predefined variables:
http://us2.php.net/manual/en/reserved.variables.php#reserved.variables.request

Here is a function snagged from PHP.net to make sure your forms are secure.
PHP:

<?php

   function form_post_check()
   {
       // the Referer header is sent by the client and may be absent, so default to an empty string
       $referring_url = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
       $host = $_SERVER['HTTP_HOST'];    // get the header from the current request (example: www.yoursite.com)
       $valid_url = 'http://'.$host.'/';    // finish defining a valid referring URL
       $valid_len = strlen( $valid_url );    // get the length of the valid url

       // if the valid url isn't the first part of the referring url
       if ( substr( $referring_url, 0, $valid_len ) != $valid_url )
       {
           die( 'You submitted this form from an invalid URL.' );    // stop everything and display a message
       }
   }

?>

Useful Links:
If you are going into MySQL, get very used to reading the manual on their site.
http://dev.mysql.com/doc/mysql/en/tutorial.html

Also see their forums
http://forums.mysql.com/

For their PHP forum:
http://forums.mysql.com/list.php?52

For most MySQL you can just read the info on PHP.net and run with it. For some tricky stuff you will need to look at their manual and play with the PHP code to get it to work.

PHP.net MySQL functions
http://us2.php.net/manual/en/ref.mysql.php
_________________________
Donate to UGN Security here.
UGN Security, Back of the Web, Elite Web Gamers & VNC Web Design Owner

Top
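The referer check in the first post, rewritten as an added example (not code from the post or from PHP.net): it treats a missing Referer header as a failure instead of a pass, compares only the host part so an https:// referer is accepted, and adds a per-session form token, which is the check that actually ties a submission to the page that rendered the form. It assumes PHP 7 or later (random_bytes, hash_equals); the function names, the form_token field and the single text field are placeholders for this example.

```php
<?php
// Added example (not from the original post): a stricter version of the
// referer check above plus a per-session form token. Function and field
// names here are assumptions, not anything from the thread.

session_start();

// Compare only the host of the Referer with our own host. The Referer
// header is sent by the client, so an empty or missing header is treated
// as invalid rather than as a pass.
function referer_matches_host(array $server)
{
    if (empty($server['HTTP_REFERER']) || empty($server['HTTP_HOST'])) {
        return false;
    }
    $ref_host = parse_url($server['HTTP_REFERER'], PHP_URL_HOST);
    // strip an explicit port from our own host before comparing
    $own_host = preg_replace('/:\d+$/', '', $server['HTTP_HOST']);
    return $ref_host !== null && $ref_host !== false
        && strcasecmp($ref_host, $own_host) === 0;
}

// Issue a random token when the form is rendered and keep it in the session.
function form_token_issue()
{
    $token = bin2hex(random_bytes(16));
    $_SESSION['form_token'] = $token;
    return $token;
}

// On submission the token must be present and equal to the stored one.
// hash_equals() compares in constant time; the token is single-use.
function form_token_check(array $post)
{
    if (empty($_SESSION['form_token']) || empty($post['form_token'])
        || !is_string($post['form_token'])) {
        return false;
    }
    $ok = hash_equals($_SESSION['form_token'], $post['form_token']);
    unset($_SESSION['form_token']);
    return $ok;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!referer_matches_host($_SERVER) || !form_token_check($_POST)) {
        die('You submitted this form from an invalid URL.');
    }
    // ... handle the validated submission here ...
    echo 'Thanks.';
} else {
    $token = form_token_issue();
    echo '<form method="post" action="">'
       . '<input type="hidden" name="form_token" value="' . htmlspecialchars($token) . '">'
       . '<input type="text" name="comment"> <input type="submit" value="Send">'
       . '</form>';
}
?>
```

The referer comparison is kept because the thread recommends it, but it is the token that carries the weight: a browser or proxy may strip the Referer header, and the header is whatever the client chooses to send, so the token is the part of the check that an outside page cannot reproduce.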
#18525 - 05/18/06 10:23 AM Re: Useful PHP Functions & Code
§intå× Offline


*****

Registered: 12/03/02
Posts: 3255
Loc: Maryland
As of PHP 5, no longer use mysql_blah. Now use the mysqli_blah functions. See the URL:

http://us3.php.net/manual/en/ref.mysqli.php

Using these functions is much more secure than mysql, and they benchmark better for more in-depth queries. But a major reason to use them is you can do more OOP (object oriented programming), and you can release the arrays formed from memory at the end of the function.

Check this out on ZEND.
http://www.zend.com/php5/articles/php5-mysqli.php

You will notice there is no more mysql_select_db(). The db is in the mysqli_connect() function. This, it seems, was a security hole: if you did not specify a db it would open a connection to a default. BAD times.


Now I also learned a nifty little trick. We all know not to accept data from a user as being clean. We have to check it. So you probably use

$my_var = $_POST['my_var']; // for post methods
$my_var = $_GET['my_var']; // for get methods

But just because we know where it came from, does that make it safe? We could use strip_tags() or htmlentities().

But check this out. At the top of your code verify all variables you know are coming in and try to make as many as possible integers.

$my_var = (int)$_GET['my_var']; // 100% safe variable

Now even if the user takes the URL and changes it, my script will convert anything it gets to an integer. So if the attacker took

http://bougus_site.com?myfunction=process&my_var=2134

and changed it to

http://bougus_site.com?my...=phpinfo()

My script would convert this to an integer making $my_var = 0;

So if you build your scripts so they all use integers, and set them up so no integer should ever be "0", then you could easily detect when and who is messing with the URLs, using sessions and some predefined variables.
_________________________
My New site OpenEyes

Top
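The integer trick in the post above, carried one step further as an added example (not code from the post): instead of a bare (int) cast, the parameter is validated with FILTER_VALIDATE_INT and a minimum of 1, so "12abc", "0x1A", an array value such as my_var[]=1, and the 0 that the post uses as its tamper signal are all rejected rather than silently converted, and each rejection is logged with the session id and request details the post mentions. The parameter name my_var is taken from the post; the log file path and function names are assumptions.

```php
<?php
// Added example (not from the original post): validating request parameters
// as integers and logging the request when they fail. The parameter name
// "my_var" and the rule "a valid value is never 0" come from the post; the
// log path and function names are assumptions.

session_start();

// Returns the parameter as an integer in [$min, $max], or null when it is
// missing, not a plain string, non-numeric, out of range or (by default) 0.
// Unlike a bare (int) cast, "12abc" or "0x1A" is rejected instead of being
// silently turned into 12 or 0.
function request_int(array $source, $name, $min = 1, $max = PHP_INT_MAX)
{
    if (!isset($source[$name]) || !is_string($source[$name])) {
        return null;   // absent, or sent as my_var[]=... (an array)
    }
    $value = filter_var($source[$name], FILTER_VALIDATE_INT,
        array('options' => array('min_range' => $min, 'max_range' => $max)));
    return ($value === false) ? null : $value;
}

// Records who sent a bad value. The session id ties repeated attempts
// together even when the client changes nothing but the query string.
function log_tampering($name, array $source, $logfile = '/tmp/tamper.log')
{
    $raw = '(missing)';
    if (isset($source[$name])) {
        // never log an unbounded or non-scalar value verbatim
        $raw = is_scalar($source[$name])
            ? substr((string)$source[$name], 0, 64)
            : gettype($source[$name]);
    }
    $line = sprintf("%s session=%s ip=%s param=%s raw=%s uri=%s\n",
        date('c'),
        session_id(),
        isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '-',
        $name,
        $raw,
        isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '-');
    error_log($line, 3, $logfile);
}

$my_var = request_int($_GET, 'my_var');
if ($my_var === null) {
    log_tampering('my_var', $_GET);
    header('HTTP/1.1 400 Bad Request');
    exit('Invalid request.');
}
// $my_var is now a validated integer >= 1 and can be used as, for example,
// a numeric key in a query.
?>
```

The difference from the cast is that a rejected value stops the request instead of running the rest of the script with 0, and the log line tells you which session sent what, which is the "when and who" the post wants to detect.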
#18526 - 05/18/06 10:12 PM Re: Useful PHP Functions & Code
Ghost Offline


Registered: 06/16/03
Posts: 807
Loc: Wisconsin
Speaking of MySQL, here is a segment of code that I find extremely useful and efficient for what it does (forgive the PHP 4)

PHP:
$Query = 'SELECT * FROM table WHERE 1=1';
$mysql_Query = mysql_query($Query);
$mysql_array = array(); // initialise so an empty result still yields an array
$i = 0;
while($Query_data = mysql_fetch_assoc($mysql_Query)) {
    $mysql_array[$i] = $Query_data;
    $i++;
}


Gets all the rows for a query as opposed to just one, as is done with mysql_fetch_assoc. I find it extremely awesome.


Edited by Gizmo (01/03/07 08:14 PM)
_________________________
[[ GamerSupport ] [ UGN Security ] [ Evil Hosting ] [ Comic Relief ]
~[Ghost]

Top
#18527 - 05/20/06 01:52 AM Re: Useful PHP Functions & Code
§intå× Offline


*****

Registered: 12/03/02
Posts: 3255
Loc: Maryland
Quote:
Originally posted by Ghost:
Speaking of MySQL, here is a segment of code that I find extremely useful and efficient for what it does (forgive the PHP 4)

Php Code:

$Query = 'SELECT * FROM table WHERE 1=1';
$mysql_Query = mysql_query($Query);

$i = 0;
while($Query_data = mysql_fetch_assoc($mysql_Query)) {
$mysql_array[$i] = $Query_data;
$i++;
}
 


Gets all the rows for a query as opposed to just one, as is done with mysql_fetch_assoc. I find it extremely awesome.
There aren't major differences... Here is an example of 5 and 4 to see some differences. Basically you can save a few lines of code in 5. It is a bit more secure in 5.


Let's say you are processing a login from a web form.

Php Code:
 
//////////////////////////////
//      PHP 5 OOP way
//////////////////////////////

$mysqli = new mysqli("localhost", "username", "password", "database"); // php 5 connect makes you specify the db in the connect statement
//this makes for better security

// escape the user-supplied values before they go into the query string
$login = $mysqli->real_escape_string($login);
$cpass = $mysqli->real_escape_string($cpass);

$dg = "SELECT * FROM members WHERE "
     ."member = '$login' "
     ."and psswd = '$cpass'";// the ."and can go on and on and on
$my_array = array();
$my_array_count = 0;
if($result = $mysqli->query($dg)){ // only do the following if the query worked

     while($result2 = $result->fetch_array(MYSQLI_ASSOC)){ //OOP way of mysql_fetch_array
          $my_array[] = $result2; //[] appends each row (associative keys) to the array
     }
     $result->close();//release memory used in query and while loop
     $mysqli->close();//close db connection
     $my_array_count = count($my_array); // get a count of all in the array

     // count($value, COUNT_RECURSIVE); counts the values in a multi dimensional array

}else{
     echo "I am sorry we can not process your request at this time"; //graceful failure
     // set mail(); function here to notify admin of errors
}
for($i = 0; $i < $my_array_count; $i++){ // why we counted the array; indexes run 0..count-1

//do stuff with data

}
  
Now we look at php 4

Php Code:
 
//////////////////////////////
// PHP 4 Procedural style
//////////////////////////////

$dbc = mysql_connect("localhost", "username", "password"); // php 4 connect can open a connection to a default db, this is bad
$dbs = mysql_select_db('mt_database', $dbc);// use the mysql_connect values and a database name to auth a database
//this makes for better security

// escape the user-supplied values before they go into the query string
$login = mysql_real_escape_string($login, $dbc);
$cpass = mysql_real_escape_string($cpass, $dbc);

$dg = "SELECT * FROM members WHERE "
     ."member = '$login' "
     ."and psswd = '$cpass'";// nothing changes here
$my_array = array();
$my_array_count = 0;
$result = mysql_query($dg, $dbc); // Now we have to do a second function to check
if($result){
     while($result2 = mysql_fetch_array($result)){ //Procedural style of mysql_fetch_array
          $my_array[] = $result2; //[] appends each row (numeric and associative keys) to the array
     }
     mysql_free_result($result); // release memory used by the result
     $my_array_count = count($my_array); // get a count of all in the array
     // count($value, COUNT_RECURSIVE); counts the values in a multi dimensional array
}else{
     echo "I am sorry we can not process your request at this time";//graceful failure
     // set mail(); function here to notify admin of errors
}
for($i = 0; $i < $my_array_count; $i++){ // why we counted the array; indexes run 0..count-1
//do stuff with data
}
  


Edited by §intå× (06/02/08 06:03 AM)
_________________________
My New site OpenEyes

Top
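The two posts above (Ghost's "all rows into one array" loop and the PHP 4 versus PHP 5 login comparison) share one added example here, which is not code from either post: the lookup is done with a mysqli prepared statement, so the member name is bound as a value rather than concatenated into the SQL, and the password is never placed in the query at all; it is checked locally against a stored password_hash() string. It assumes PHP 5.6 or later with the mysqlnd driver (get_result, argument unpacking); the host, credentials, the members table with member and psswd columns come from the post, and the assumption that psswd holds a password_hash() value is this example's own.

```php
<?php
// Added example, not code from the original posts: the login lookup from
// the PHP 5 block above rewritten with a mysqli prepared statement.
// Host, credentials, the "members" table and the assumption that the
// "psswd" column holds a password_hash() string are placeholders.

function db_connect()
{
    // raise exceptions on MySQL errors instead of returning false from every call
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $mysqli = new mysqli("localhost", "username", "password", "database");
    $mysqli->set_charset('utf8mb4');   // binding and escaping depend on the connection charset
    return $mysqli;
}

// mysqli version of the "all rows into one array" loop earlier in the
// thread, with bound parameters. $types is the bind_param() type string
// ('s' string, 'i' integer, 'd' double, 'b' blob), one letter per value.
function fetch_all_rows(mysqli $mysqli, $sql, $types = '', array $params = array())
{
    $stmt = $mysqli->prepare($sql);
    if ($types !== '') {
        $stmt->bind_param($types, ...$params);   // values travel separately from the SQL text
    }
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);   // get_result() needs mysqlnd
    $stmt->close();
    return $rows;
}

// The password never goes into the query: only the member name is looked
// up, bound as a string, and the stored hash is checked locally. A quote
// or comment sequence in $login therefore stays plain data.
function login_ok(mysqli $mysqli, $login, $cpass)
{
    $rows = fetch_all_rows($mysqli,
        "SELECT member, psswd FROM members WHERE member = ?", 's', array($login));

    // verify against a dummy hash when the member does not exist, so an
    // unknown name and a wrong password take about the same time
    static $dummy_hash = null;
    if ($dummy_hash === null) {
        $dummy_hash = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }
    $found = (count($rows) === 1);
    $hash = $found ? $rows[0]['psswd'] : $dummy_hash;
    return password_verify($cpass, $hash) && $found;
}

$login = isset($_POST['login']) && is_string($_POST['login']) ? $_POST['login'] : '';
$cpass = isset($_POST['cpass']) && is_string($_POST['cpass']) ? $_POST['cpass'] : '';

try {
    $mysqli = db_connect();
    if (login_ok($mysqli, $login, $cpass)) {
        session_start();
        session_regenerate_id(true);      // fresh session id once the user is authenticated
        $_SESSION['member'] = $login;
        echo 'Welcome back.';
    } else {
        echo 'Login failed.';             // same message for unknown name and wrong password
    }
    $mysqli->close();
} catch (mysqli_sql_exception $e) {
    error_log($e->getMessage());          // where the post suggests a mail() to the admin
    echo 'I am sorry we can not process your request at this time';   // graceful failure
}
?>
```

fetch_all_rows() replaces the manual $i counter loop with fetch_all(), which returns an empty array for an empty result, so the caller can count() it without first checking whether the loop ran. The escaping approach in the posts above is correct only if the connection charset matches what the escaping function assumes, which is why db_connect() sets it explicitly; binding removes that dependency for the query itself.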
#41294 - 01/03/07 12:45 PM Re: Useful PHP Functions & Code [Re: §intå×]
§intå× Offline


*****

Registered: 12/03/02
Posts: 3255
Loc: Maryland
When working with classes I have found the __autoload() function very nice. It saves you from having a ton of require_once() statements.

If you name your classes using the naming convention of the PEAR project you could do this.

PHP:
function __autoload($classname){
    $path = str_replace('_', DIRECTORY_SEPARATOR, $classname); // classes_myclass -> classes/myclass
    $path = $_SERVER['DOCUMENT_ROOT']."/$path.php";            // the key must be quoted: DOCUMENT_ROOT is not a constant
    require_once($path);
}


The naming convention is one '_' for every '/' in the directory path to get to your file.

So /home/docs/public_html/project/classes/myclass.php could be
PHP:
class classes_myclass{ /* class code here */ }


$_SERVER['DOCUMENT_ROOT'] should fill in /home/docs/public_html/project. What __autoload does is, if an attempt to call the class fails, it will hit the function I gave and try one last time to open and use the file needed. This allows you to only call files as needed. You can then add a bit more abstraction to your classes.

I have yet to get this to work within a class though or work with a class method that creates a new object.


Edited by Gizmo (01/03/07 08:12 PM)
_________________________
My New site OpenEyes

Top
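The autoloader above turns a class name straight into a path for require_once, so anything that lets a class name be influenced from outside (a class name read from a request, for instance) also chooses which file gets included. As an added example, not code from the post, this version validates the name as a plain PEAR-style identifier and confirms that the resolved file lies under the classes root before including it, and registers the loader with spl_autoload_register() (PHP 5.1.2+; the closure needs 5.3+) instead of defining the single global __autoload(). CLASS_ROOT, class_to_path() and the classes_myclass example name are assumptions; the directory layout follows the post.

```php
<?php
// Added example (not from the original post): the PEAR-style autoloader
// above with the class name validated before it is turned into a path.
// CLASS_ROOT, class_to_path() and classes_myclass are assumptions.

define('CLASS_ROOT', $_SERVER['DOCUMENT_ROOT']);   // /home/docs/public_html/project in the post

// Maps "classes_myclass" to "<root>/classes/myclass.php", or returns null
// when the name is not a plain PEAR-style identifier or the resolved file
// would lie outside $root.
function class_to_path($classname, $root = CLASS_ROOT)
{
    // letters, digits and underscores only: no dots, slashes, NUL bytes
    // or "scheme://" prefixes, so "..", an absolute path or a stream
    // wrapper can never reach require_once
    if (!preg_match('/\A[A-Za-z][A-Za-z0-9_]*\z/', $classname)) {
        return null;
    }
    $relative = str_replace('_', DIRECTORY_SEPARATOR, $classname) . '.php';
    $path = realpath($root . DIRECTORY_SEPARATOR . $relative);
    $root = realpath($root);
    if ($path === false || $root === false
        || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;   // file missing, or it resolves (e.g. via a symlink) outside the tree
    }
    return $path;
}

// spl_autoload_register() replaces the single global __autoload(): several
// loaders can coexist, and a name this loader does not resolve simply falls
// through, so an unknown class still produces the normal "Class not found"
// error instead of a require_once() on a guessed path.
spl_autoload_register(function ($classname) {
    $path = class_to_path($classname);
    if ($path !== null) {
        require_once $path;
    }
});

$obj = new classes_myclass();   // triggers the loader for classes/myclass.php
?>
```

The realpath() step matters more than it looks: the regex already blocks traversal characters, but realpath() also resolves symlinks, so a link inside the classes directory pointing elsewhere is rejected too, and a missing file is reported by the loader returning null rather than by a fatal error from require_once.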
#41297 - 01/03/07 08:11 PM Re: Useful PHP Functions & Code [Re: §intå×]
Gremelin Offline

Community Owner
*****

Registered: 02/28/02
Posts: 7193
Loc: Portland, OR; USA
BTW, if you're going to post PHP code, use the [php] tags vs the [code] tags; it'll use the PHP syntax highlighter.
_________________________
Donate to UGN Security here.
UGN Security, Back of the Web, Elite Web Gamers & VNC Web Design Owner

Top
#42164 - 02/08/07 10:29 PM Re: Useful PHP Functions & Code [Re: Gremelin]
geneta Offline
UGN Newbie

Registered: 01/12/07
Posts: 1
That's so good!!!! he he

Top
#47032 - 11/07/08 11:21 PM Re: Useful PHP Functions & Code [Re: geneta]
Testing Offline
UGN Member

Registered: 09/21/05
Posts: 102
Loc: Sacramento, CA
I still use the listed resources from this post! Thanks again!
_________________________
Flipping houses in Sacramento market has been fantastic. Curious about what it takes to flip houses? Follow me at http://sacramentoflips.com.

Top
#47062 - 11/13/08 07:09 PM Re: Useful PHP Functions & Code [Re: Testing]
§intå× Offline


*****

Registered: 12/03/02
Posts: 3255
Loc: Maryland
Originally Posted By: Testing
I still use the listed resources from this post! Thanks again!


Keep coming back too. I learned most of what I know on this site. Gizmo is the man.
_________________________
My New site OpenEyes

Top
#47064 - 11/13/08 09:25 PM Re: Useful PHP Functions & Code [Re: §intå×]
Gremelin Offline

Community Owner
*****

Registered: 02/28/02
Posts: 7193
Loc: Portland, OR; USA
Originally Posted By: §intå×
Keep coming back too. I learned most of what I know on this site. Gizmo is the man.
An anal retentive man who made you cry and reanalyze every bit of code you've ever made... lol
_________________________
Donate to UGN Security here.
UGN Security, Back of the Web, Elite Web Gamers & VNC Web Design Owner

Top
