Header-Ad

Linux & Web Development Geek - Tips & Tricks

PHP,Joomla,WordPress & Linux based server management, error resolutions and fixing problems.

Thursday, May 12, 2016

Best Linux Security Tools 2016

5:45 AM


Always trying for a more robust tool to assist you in your work?

 If there's one web site UN agency is aware of what's happening within the field of security tools, it is ToolsWatch. The site covers new tools, and promotes existing projects once they unharness a brand new version.


Here is the list of  Best Security Auditing Tools so far:


Got some more?  Drop comments! Also let me know which tools you want me to write tutorials about, i will be writing detail tutorials on those tools :)


Best

Thursday, October 11, 2012

How to Check if a URL is UP?

3:18 PM
So in this small quick tutorial i am going to tell you a very short way to determine weather a website is up or not? We will be using the PHP's cURL library in order to determine so.

So lets start:


​function urlUP($url){
    //Validate the URL first!
    if(filter_var($url,FILTER_VALIDATE_URL)){
$handle curl_init(urldecode($url));
curl_setopt($handle,  CURLOPT_RETURNTRANSFERTRUE);
$response curl_exec($handle);
$httpCode curl_getinfo($handleCURLINFO_HTTP_CODE);
if($httpCode >= 200 && $httpCode 400){
return true;
}else{
return false;
}
curl_close($handle);
}
    
    }

This is the function we will be actually using, Lets break it down!

  1. We validate the URL through filter_var().
  2. Open the cURL handle for our URL.
  3. Set option in cURL to receive the incoming.
  4. Execute the handle.
  5. Get the HTTP code response for the executed handle.
  6. If HTTP Response code is greater than or equal to 200 (200 stands for Ok) or its shorter than 400, this means website is up, return true.
  7. Else return false,so that means the website is down.
  8. Close the cURL handle!
To use the function you have to do the following:


if urlUP("http://geeks-wiki.blogspot.com"){
           echo "The website is currently UP!";
}else{
           echo "The website is Down!";
}
    

Use the code freely and leave comments, additionally you can tweak the code as well, or you can also get the HTTP Codes, match them with an array of HTTP Codes and get the specific response as well!


♥ Happy Coding! ♥

Source: https://www.stackflair.com/curl-error0-in-php/


Saturday, October 6, 2012

Best way to Avoid MySQL injection in PHP

11:38 PM
SQL Injection, a commonly method used by majority of hackers and which is the cause for about 70% of the hack's all over the cyber warfare. Mostly hacker uses this (mysql injection) vulnerability to exploit the website and gain access to the server thus through Admin panel or obtain the sensitive information including Credit Cards etc as well.
How to prevent mysql injection in PHP?
SQL Injections are Common nowadays!

So here i am going to explain you the best practices you should do while writing code!
First of all keep it in mind, never ever trust a user's input, you are on to your own! So it is the very first thing to keep in mind that whatever a user sends, intentionally or unintentionally, if it is not properly sanitized and exploits a vulnerability which could be possibly a MySQL injection or even a XSS attack, could let hackers give a way to intrude.


Bullet Points:
  • When you are going to embed strings in HTML for example when you "print" or when you "echo"  you should default to escape the string using htmlspecialchars(); .
  • Never trust user's input, always sanitize the user input by first sanitizing it properly and before performing any SQL query, this can be achieved by mysql_real_escape_string($parameter).Where $parameter is the input you are about to filter.
  • Disable Magic Quotes.
  • Use prepared statements and parameterized queries, always filter the user inputs properly,thoroughly and strictly.
  • Don't through mysql_error() to the user,don't even let them know something happened out there,most of the people use it like, die(mysql_error()); . Instead of just throwing this error straight away to the user you can write your custom messages, prepare some log files or even create a mail() function so you get notified whenever someone tries to pull something off the routine.
  • Log,Log,Log, always log the errors and warning messages, turn off error reporting on live websites and enable only when debugging or during development process or testing phases.
  • Be Self-Aware, never give up, always try up-to-date security precautions, create difficult random passwords for database, encrypt all the user's information in the database and set a value of 666 to the files which contains configuration for mySQL access.
  • Keep your server patched and updated, use only latest software's, if you are on a shared hosting server, and find something which is not fine, notify the Administrator.
  • If you are using some software's like WordPress,Joomla,Drupal or any other free and open-source or even other software's,keep them updates, most of these products have built-in update notifiers in the Admin panel's and most of the time they update themselves with a single click.

Best way to Avoid MySQL Injections.
You basically have two options to achieve this:
  1. Using PDO:
    $stmt = $pdo->prepare('SELECT * FROM employees WHERE name = :name');

$stmt->execute(array(':name' => $name));
foreach ($stmt as $row) {
    // do something with $row
}
  2. Using mysqli:
    $stmt = $dbConnection->prepare('SELECT * FROM employees WHERE name = ?');
$stmt->bind_param('s', $name);

$stmt->execute();

$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    // do something with $row
}

PDO

Note that when using PDO to access a MySQL database real prepared statements are not used by default. To fix this you have to disable the emulation of prepared statements. An example of creating a connection using PDO is:
$dbConnection = new PDO('mysql:dbname=dbtest;host=127.0.0.1;charset=utf8', 'user', 'pass');

$dbConnection->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$dbConnection->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
In the above example the error mode isn't strictly necessary, but it is advised to add it. This way the script will not stop with a Fatal Error when something goes wrong. And gives the developer the chance to catch any error(s) (which are throwed as PDOExceptions.
What is mandatory however is the setAttribute() line, which tells PDO to disable emulated prepared statements and use real prepared statements. This makes sure the statement and the values aren't parsed by PHP before sending it the the MySQL server (giving a possible attacker no chance to inject malicious SQL).
Although you can set the charset in the options of the constructor it's important to note that 'older' versions of PHP (< 5.3.6) silently ignored the charset parameter in the DSN.

Explanation

What happens is that the SQL statement you pass to prepare is parsed and compiled by the database server. By specifying parameters (either a ? or a named parameter like :name in the example above) you tell the database engine where you want to filter on. Then when you call execute the prepared statement is combined with the parameter values you specify.
The important thing here is that the parameter values are combined with the compiled statement, not a SQL string. SQL injection works by tricking the script into including malicious strings when it creates SQL to send to the database. So by sending the actual SQL separately from the parameters you limit the risk of ending up with something you didn't intend. Any parameters you send when using a prepared statement will just be treated as strings (although the database engine may do some optimization so parameters may end up as numbers too, of course). In the example above, if the $name variable contains 'Sarah'; DELETE * FROM employees the result would simply be a search for the string "'Sarah'; DELETE * FROM employees", and you will not end up with an empty table.
Another benefit with using prepared statements is that if you execute the same statement many times in the same session it will only be parsed and compiled once, giving you some speed gains.
Oh, and since you asked about how to do it for an insert, here's an example (using PDO):
$preparedStatement = $db->prepare('INSERT INTO table (column) VALUES (:column)');

$preparedStatement->execute(array(':column' => $unsafeValue));


Any comments are welcome :) Share your practices with me as well.

♥ Happy Coding ♥

How to Validate a URL in PHP? [Easy]

7:41 PM
Starting from PHP 5.2 we have bunch of built-in functions which makes it easier for programmers to perform small functions without writing up code for them,one of such function is filter_var(); , using filter_var().


How to validate a URL in PHP


 We can validate emails and URL's easily with just a few steps or you can say only 4-5 lines of code, so lets say you want to validate a URL using filter_var() you can do it as follow:

function checkurl($url)
  return filter_var($urlFILTER_VALIDATE_URL);
}

To use this function simply use the following code :

    if(checkurl("http://www.google.com"){
              echo 'URL is correct'
              //continue....            
            }else{
                echo 'URL is incorrect';
                //through an error!                
    }

Simple isn't? And if you don't want to use the complete function,you can simply use the filter_var("Your URL here!", FILTER_VALIDATE_URL); .

Comments are welcome, and once more you must have PHP >= 5.2.


♥ Happy Coding.! ♥ 
 
Subscribe to: Posts (Atom)

Featured Post

Best Linux Security Tools 2016

Always trying for a more robust tool to assist you in your work?  If there's one web site UN agency is aware of what's happenin...

Contact Form

Name

Email *

Message *