Welcome to ProfWebDev.com WEB log

Welcome to ProfWebDev WEB log. The blog is devoted to WEB development, WEB Security, and SEO optimization. We are going to talk about PHP and ASP.NET development. They are the most attractive WEB development languages for me. The other languages are powerful too, but I like these ones. PHP and ASP.NET allow me to create sites of any level of complexity.

Sometimes I use PHP and sometimes I use ASP.NET. Why do I choose one of the languages over the other? I don't know. I just choose one. It depends on my mood. Sometimes it depends on the weather.

Full version | Tag: Other | Date: 2/16/2009 3:31:20 AM

Introduction to PHP

PHP commands are inserted right into HTML documents. But how can the web server tell which part of the HTML document is PHP code to be executed? Actually, it's very easy: special tags mark the beginning and the end of the PHP code. Everything outside of these tags is treated as HTML code.

Most often, the beginning and the end of PHP commands are marked in the following way:

<?php
 PHP code
?>

The web server treats everything between the tags as PHP code and processes it accordingly. Everything outside of these tags is treated as HTML code: it is sent to the client as is and is processed in the browser.

This is the preferred format for the PHP code delimiting tags; using it, you can be certain that the code will be processed by the server correctly. Other PHP code delimiting formats are also currently supported. Despite this, you should realize that only the <?php ... ?> tags are guaranteed to be supported in all PHP versions. Use of other PHP code delimiting tags may be discontinued or limited in any future version of the language. This may lead to the problem of having to rewrite all the scripts in which discontinued delimiters are used. It's no big deal if you have only a few of them, but if you have a big site with lots of PHP scripts, then you've got a problem.

Full version | Tag: PHP Development | Date: 2/16/2009 7:13:46 AM

Including files

Every programmer tries to reuse existing code, and every programming language tries to support this. When we develop a new project, we don't feel like solving again the same problems that were solved in previous projects. Being able to reuse already developed code allows us to avoid doing the same mundane routines over and over again.

You have probably heard a lot about Windows dynamic libraries. These libraries store various resources (images, icons, dialog window forms, menus, etc.) and/or program code. Any program can load such a library and use the resources stored in it. For example, the OpenGL graphics library stores functions for creating 3D graphics of practically any complexity. Any programmer can load this library into the computer's memory and use its resources in his or her own projects. Accordingly, it is not necessary to write graphics function code for each new program; you can use code already developed by other programmers.

Dynamic libraries allow a programmer not only to use his or her own code in different projects, but also to share it with other programmers, as we saw in the example with the OpenGL library.

Being able to reuse code is even more important when programming web pages. Your site may contain hundreds of files doing the same thing. Writing the same piece of code in each of them is a tedious time-consuming task. Moreover, this results in bloated, slow-executing files.

Full version | Tag: PHP Development | Date: 2/25/2009 10:01:33 AM

Outputting information on the page

We have already used the print function to observe the results of script execution. We have to explore the available output functions more closely, because if you can't see the results of your scripts' work, you may have problems digesting the material presented. The best way to learn anything is to personally touch and see every detail.

In addition to the print function, information can be displayed by the echo function. There are two ways of calling it. These are the following:

echo("Hello, this is text");
echo "Hello, this is text";

In the first case, the text to be displayed is placed in parentheses, and in the other, it is simply placed after the function name, separated by a space. In either case, the output text is enclosed in quotation marks. Both calling methods are equivalent, and you can use the one you feel more comfortable with. You can output several strings with the echo function by separating them with commas. For example:

Full version | Tag: PHP Development | Date: 2/25/2009 10:02:32 AM

Fundamentals of Hacker Attacks

There is no such thing as a universal method to break into an Internet site or server. Every time, an individual approach must be taken to open the necessary doorway. Although some attacks can overpower any defense, for example, a distributed denial-of-service (DoS) attack or brute-force password guessing, they can be too expensive in terms of time and computer resources to implement. Moreover, these attacks are as smart and subtle as driving a tank up to a bank and blasting the vault open. A hacker who breaks into a server using a brute-force attack to discover the password or who takes it out of commission by launching a distributed DoS attack against it will never be recognized as a professional; thus, these methods are used as a last resort and mostly by beginning crackers.

Why are attacks on computers increasing every year? Information about the security holes and vulnerabilities in computer systems used to be stored on bulletin board systems (BBSs), and only a few people with special privileges had access to it. So, it was hackers among these chosen few who carried out attacks with impunity, because their level of education and experience was quite high. It was difficult, often impossible, for a beginner or someone not belonging to the inner circle to gain access to such BBSs. This means that information about vulnerabilities and programs for implementing attacks was available only to a limited number of people.

Nowadays, this information and the necessary tools are available to anyone; thus, anyone can get into the cracking business. The situation is exacerbated by a host of utilities that automate the break-in process and are available to anyone at a number of Internet sites. With some of these utilities, all you have to do is to enter the address of the site to crack and click the Go button. The rest is done by the computer without any involvement on your part. You will not know how the computer did this, but there are quite a few individuals who could not care less; the only thing they are interested in is the results.

Full version | Tag: Security | Date: 3/1/2009 3:48:38 AM

ASP.NET and SQL Injection

How do you protect an ASP.NET application from SQL Injection vulnerabilities? The first step we can take to protect our software is to understand the SQL Injection problem. SQL Injection is a vulnerability that allows hackers to inject malicious code into your SQL statements. More information about SQL Injection may be found in my SQL Injection and PHP article.

How do you prevent SQL Injection in ASP.NET applications? I do not recommend using regular expressions to prevent users or hackers from entering characters that may allow them to break into the database. That is not the best practice in an ASP.NET application. Do not try to remove symbols from the parameters carrying the data received from the web site's users. The best practice is to use parameterized SQL queries. You have to use parameters in your queries!

Let's take a look at the following example, which uses a parameterized query to prevent a SQL Injection attack on my ASP.NET application:
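The parameterized-query defence the post calls for, as an added example that is not the post's own code: since the rest of this page is PHP, it is shown with PHP's PDO rather than ASP.NET, but the principle is the same on both platforms. The users table, its columns, the sample row and the in-memory SQLite database (which assumes the pdo_sqlite extension is present) are constructed for the demonstration.

```php
<?php
// Added example, not from the original post. A vulnerable query built by string
// concatenation is shown beside the parameterized version the post recommends.
// Table, columns and the SQLite in-memory database are assumptions for the demo.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)");
$db->exec("INSERT INTO users (name, password) VALUES ('Flenov', 'qwerty')");

// Vulnerable: user-controlled text becomes part of the SQL statement itself.
function findUserUnsafe(PDO $db, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the statement is compiled with a placeholder first; the value is bound
// afterwards as data and cannot change the structure of the query.
function findUserSafe(PDO $db, string $name): array
{
    $stmt = $db->prepare("SELECT id, name FROM users WHERE name = :name");
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input: a "name" that contains a quote and an OR clause.
$input = "x' OR '1'='1";

// With concatenation the WHERE clause becomes   name = 'x' OR '1'='1'
// and matches every row, even though no user is called x.
echo 'Concatenated query matched ', count(findUserUnsafe($db, $input)), ' row(s)', PHP_EOL;

// The prepared statement looks for a user whose name is literally the whole
// input string and matches nothing.
echo 'Parameterized query matched ', count(findUserSafe($db, $input)), ' row(s)', PHP_EOL;
```

Run it from the command line with `php example.php`. The first count is 1 (the only row in the table, selected by the injected OR clause), the second is 0. Note that the safe version neither strips nor escapes anything, which is exactly the point of the post: the database driver keeps data and statement apart, so there is no character list to maintain.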

Full version | Tag: ASP.NET | Date: 3/4/2009 7:30:06 AM

How do viruses spread?

Every executable file has a header. This header contains the entry point: a program address from which it starts its execution. When a virus piggybacks on a program, it adds itself at the program's end and changes the entry point to itself, passing control to the old entry point only after the virus code executes. This way, when an infected executable file starts, the virus code executes first, after which control is passed to the program.

Some especially lazy virus writers do not like bothering with headers. They do it the other way around: they add the executable file to their virus, that is, the virus's body goes first.

This is the main manner of operation of most attachable viruses that were common until about 2000 – MS-DOS viruses in particular. The least you can do to protect against this type of malicious code is to check the headers of executable files. A modified header is good cause for alarm, as this may have been done by a virus or a worm. Of course, keeping track of all file headers is difficult to do manually. At least the size of the main programs, however, can be checked, for it changes when a virus attaches itself to a file.
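The size check the post suggests, automated, as an added example that is not the post's own code. It records the size and a SHA-256 hash of every file under a directory and later reports anything that grew, shrank, appeared or vanished; the hash is added because a file patched in place keeps its size, which the size check alone would miss. The directory, the stand-in program file and the appended bytes are constructed for the demonstration.

```php
<?php
// Added example, not from the original post: a baseline-and-compare integrity
// check of program files. The demo directory and files are constructed here.

// Record size and SHA-256 of every file below $dir, keyed by path.
function snapshot(string $dir): array
{
    $entries = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        $path = $file->getPathname();
        $entries[$path] = [
            'size'   => $file->getSize(),
            'sha256' => hash_file('sha256', $path),
        ];
    }
    ksort($entries);
    return $entries;
}

// Compare a stored baseline with a fresh snapshot and describe every difference.
function compareSnapshots(array $baseline, array $current): array
{
    $changes = [];
    foreach ($current as $path => $info) {
        if (!isset($baseline[$path])) {
            $changes[] = "new file: $path";
        } elseif ($baseline[$path]['size'] !== $info['size']) {
            // The case the post describes: code attached to the file changes its size.
            $changes[] = sprintf('size changed %d -> %d: %s',
                $baseline[$path]['size'], $info['size'], $path);
        } elseif ($baseline[$path]['sha256'] !== $info['sha256']) {
            // Same size, different bytes: a header or body patched in place.
            $changes[] = "content changed, same size: $path";
        }
    }
    foreach (array_diff_key($baseline, $current) as $path => $_) {
        $changes[] = "missing file: $path";
    }
    return $changes;
}

// Constructed demo: a temporary directory with one stand-in "program".
$dir = sys_get_temp_dir() . '/integrity-demo-' . getmypid();
mkdir($dir);
file_put_contents("$dir/app.exe", str_repeat('A', 1024));
$baseline = snapshot($dir);                       // normally saved to disk at install time

file_put_contents("$dir/app.exe", 'XX', FILE_APPEND);   // simulate bytes appended to the program
file_put_contents("$dir/extra.exe", 'new');             // simulate a dropped file

foreach (compareSnapshots($baseline, snapshot($dir)) as $line) {
    echo $line, PHP_EOL;
}

unlink("$dir/app.exe");
unlink("$dir/extra.exe");
rmdir($dir);
```

On a real system the baseline must be stored where the checked files cannot overwrite it (read-only media or another host), otherwise whatever modifies the programs can update the baseline as well.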

Full version | Tag: Security | Date: 3/19/2009 3:01:43 PM

Variables in PHP

If you have experience programming in high-level languages (e.g., C++, Delphi), you must know that all variables must be of a strictly defined type, and the code must follow quite stringent syntax rules. PHP is more flexible and does not impose strict rules. This flexibility, however, comes at the price of a greater chance of erroneous script execution and of making proper security much harder to provide. Lots of break-ins have been perpetrated precisely because variables in PHP are not assigned a specific type when declared.

Suppose a hacker passes a database query string through a parameter that the programmer intended to be used to pass a numerical value. (By the way, this is how the PHPNuke site management system was cracked.) If the parameter variable had been declared with a specific type, such an action would return an error, because the string could not be converted into a number. Because PHP is a weakly typed language, programmers must implement data type checks and handle incorrect data type errors themselves.

If you have programmed in C, Java, or Perl before, many concepts in PHP will be familiar to you, because PHP is very similar to C/C++.

We have already touched slightly on variables and know that a variable is a memory area in which values can be stored and can be referenced by a name. We don't care where exactly in the memory our variables are stored, because their values can always be retrieved or changed by referencing their names. PHP variables have the following properties:

Full version | Tag: PHP Development | Date: 4/8/2009 12:21:41 PM

PHP Main Operations

Variables are created to perform some operations on them. At present, we will consider only the following simple mathematical operations:

  • + (addition)
  • - (subtraction)
  • * (multiplication)
  • / (division)

As is common in mathematics, mathematical operations in PHP are performed in the order of operator precedence. Multiplication and division are performed before addition and subtraction. Consider the following classical example:

$index = 2 + 2 * 2;

If you ask, for example, a third-grader to evaluate the above expression, the most likely answer will be 8. But those more advanced in math will not fall into the sequential evaluation trap. Their answer will be 6, because, pursuant to the operator precedence order, the multiplication is performed first, yielding 4, which is then added to 2, thus producing 6.

Full version | Tag: PHP Development | Date: 4/19/2009 4:03:56 AM

Input Validation

Input validation is the primary task for every security specialist and software (web) developer. I will describe the problem using web development because it is my passion. Web programs get data from users through parameters. Parameters are the entry point to your application. Hackers manipulate parameters to affect your application and intrude into your system. Parameters are the gate between your application and its users. Keep the gate protected and your application will be secure.

Input validation is not the only security issue, but it is the main one. You have to provide proper input data validation to make your system protected. There is no single solution for making the parameters secure; it depends on your application and how you use the data.

Assume all input is malicious. Do not trust data received from users. Trust only data that comes from you personally or from your own code that has already checked the values. All other values must be checked.
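The data type check that the Variables in PHP post says programmers must do themselves, applied to the parameter rule above, as an added example that is not from either post. The parameter name `id`, the accepted range and the sample inputs are assumptions constructed for the demonstration.

```php
<?php
// Added example, not from the original posts: validating a parameter that is
// supposed to carry a number before it is used. "id" and the range are assumptions.

// Returns the integer value of $raw, or null when it is not a plain integer in range.
// filter_var() with FILTER_VALIDATE_INT accepts only a canonical decimal integer:
// no leading zeros, no spaces, no trailing text, no fractions.
function parseId(mixed $raw): ?int
{
    if (!is_string($raw)) {          // missing values and id[]=... arrays are rejected
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 1000000],
    ]);
    return $id === false ? null : $id;
}

// Constructed inputs, as they might arrive in $_GET['id'].
$samples = [
    '42',          // valid
    '007',         // leading zeros: not canonical, rejected
    '42 OR 1=1',   // the post's scenario: a query fragment where a number was expected
    '4.2',         // not an integer
    '',            // empty
    ['42'],        // id[]=42 turns the parameter into an array
];

foreach ($samples as $raw) {
    $shown = is_array($raw) ? 'array' : "'$raw'";
    $id    = parseId($raw);
    echo str_pad($shown, 14), ' => ', $id === null ? 'rejected' : "accepted as $id", PHP_EOL;
}

// Why a cast is not a check: (int) silently keeps the leading digits and drops the rest.
echo "(int)'42 OR 1=1' gives ", (int) '42 OR 1=1', PHP_EOL;

// Typical use in a web script: refuse to continue rather than guess.
if (PHP_SAPI !== 'cli') {
    $id = parseId($_GET['id'] ?? null);
    if ($id === null) {
        http_response_code(400);
        exit('Invalid id parameter');
    }
}
```

Of the six samples only `'42'` is accepted. The cast line shows the trap the post warns about: `(int)` converts `'42 OR 1=1'` to 42 without complaint, so a script that relies on casting alone never learns that the parameter carried more than a number.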

Full version | Tag: Security | Date: 4/28/2009 1:44:18 PM

Constants in PHP

Constants are similar to variables in that they are named memory locations holding certain values; unlike variables, however, once a constant has been assigned a value at its declaration, it cannot be changed during script execution.

Constants are used to store some frequently used numbers or strings. For example, your site may be programmed for 640-pixel wide pages and you want to switch to using 800-pixel wide pages. If you used the number 640 explicitly in your code, you would have to find all instances where it was used and change them. Even though this task can be automated, there is no guarantee that you will find all the numbers that need to be changed, or that you will not change a number 640 referring to something other than the page width. Instead of using the number 640 explicitly, you can declare a constant, for example $PgWdth, at the beginning of the file, set it to 640, and then use the constant throughout the file wherever you need the number 640. Then, if you need to change 640 to 800, all you need to do is reassign the value of the constant $PgWdth to 800 once at the beginning of the file.

I recommend always using constants, or at least variables, if a number or a string is used more than once in the code. These constants and variables can be stored in a separate file, which can then be included into the PHP files that use them. Based on my personal experience, I can tell you that using constants makes software maintenance and modification significantly easier.

Full version | Tag: PHP Development | Date: 5/22/2009 1:22:32 AM

Controlling Program Execution

It is a rare program that simply executes from beginning to end, because in most cases there are conditions that change the program execution flow. Thus, these conditions have to be checked and reacted to in one way or another. Let's consider the example of a site's main page. When a user visits the site for the first time, he or she can be shown some additional information or greeted with a funny presentation to get him or her interested in the site. For subsequent visits by the same user, the presentation is no longer shown. The script logic for these actions will be something like the following:

  • If visiting for the first time, show the presentation before showing the main page.
  • Otherwise, show the main page right away.

As another example, we have to do numerous checks to ensure that a script is reliable and secure. For example, if a script is intended to send a mail message, it is a good idea to check whether the address is specified correctly before mailing the message. Here, the logic can be the following:

  • If the address format is valid, mail the message.
  • Otherwise, don't mail it and issue an error message.

Full version | Tag: PHP Development | Date: 6/23/2009 10:50:52 AM

Loops in PHP

Loops are an important program flow control tool. For example, the problem of raising a number to a power, which we used as an example when considering the switch statement, can be solved much more easily and efficiently using one of the loop statements. A number is raised to a certain power by multiplying it by itself that number of times. For example, the operation of raising 2 to the power of 3 can be written as follows: 2*2*2. But what if a number has to be raised to the power of 100? This task is somewhat more difficult. Even more difficult is the problem when the power is not known in advance. Here is where loops come to the rescue.

The most often used loop is the for loop. It is also the easiest to understand, so we start our study of loops with it. In its general form it looks like the following:

for (start counter value; end counter value; counter step)
 Statements

Let's use the for loop to raise a number to a power. The code for this may look like the following:
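The power computation described above written out with a for loop, as an added example that is not the post's own code. The function name, its signature and the rejection of negative exponents are my choices.

```php
<?php
// Added example, not from the original post: raising a number to a power by
// multiplying it by itself $exponent times, the exponent not known in advance.

function power(float $base, int $exponent): float
{
    if ($exponent < 0) {
        throw new InvalidArgumentException('exponent must be non-negative');
    }
    $result = 1.0;                           // anything to the power 0 is 1
    // start counter value; end condition; counter step
    for ($i = 0; $i < $exponent; $i++) {
        $result *= $base;                    // one multiplication per loop pass
    }
    return $result;
}

echo power(2, 3), PHP_EOL;      // 2*2*2, the case written out by hand in the post
echo power(2, 100), PHP_EOL;    // the case the post calls difficult by hand
echo power(5, 0), PHP_EOL;      // zero passes through the loop, result stays 1

// The exponent may come from anywhere at run time, e.g. a validated parameter.
$n = 10;
echo power(3, $n), PHP_EOL;
```

The loop body runs exactly $exponent times, so the same code handles 2^3 and 2^100 alike; the caller only changes the number passed in.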

Full version | Tag: PHP Development | Date: 7/5/2009 2:13:50 PM

PHP Web Hosting

If you are looking for the key to your website design, then PHP, PHP: Hypertext Preprocessor, just might be the thing. PHP is one of the most popular open source scripting languages, and with it you will be able to create beautifully designed dynamic websites. One of its biggest advantages is that it is so easy to use that even the most inexperienced web developer will be able to use it. Why make life more difficult than it has to be?

PHP and Web Development

As PHP is open source, it is also free, and in addition it will match all of your web design requirements. When looking at PHP hosting, you will quickly notice that it is usually part of a web hosting package known as LAMP, for Linux, Apache, MySQL and PHP. Linux is the operating system, Apache is the web server software, MySQL is the database management system you will be using, and PHP is nothing less than the programming language.

Full version | Tag: Other | Date: 7/16/2009 9:15:01 AM

Terminating Programs

Sometimes a situation will arise when loop execution has to be terminated. Quite often this is necessary when an error occurs and further execution may have serious consequences: for example, the required file is not available or a user provided wrong parameters. In either case, further script execution may display confidential information or perform some other undesirable actions. Do not experiment in such a case; stop the script execution.

Script execution can be interrupted with the exit() function. Script execution is terminated at once when this command is executed. The die() command is an alias for exit(), and both commands accept as a parameter a message to be displayed in the browser. Consider the following classical example of connecting to a database:

Full version | Tag: PHP Development | Date: 8/22/2009 11:30:14 AM

PHP Functions

When I was beginning to learn programming in Pascal, for a long time I could not fathom what functions were needed for. All my programs had a flat structure without branching of any kind. But once I ran into a problem: I had to write a program whose code looked like the following.

print("Select one of the actions<BR>");

print("===========================<BR>");
print("Search <BR>");
print("===========================<BR>");

print("===========================<BR>");
print("Print <BR>");
print("===========================<BR>");

print("===========================<BR>");
print("Exit <BR>");
print("===========================<BR>");

Full version | Tag: PHP Development | Date: 9/5/2009 10:42:24 AM

Jacking Up Voting Results

Voting systems on different sites are constantly developing, and programmers are trying to devise protection against visitors jacking up the voting counters. Suppose that you have decided to take part in a poll conducted by some site and want your preferred answer to prevail. How can this be done? There are many ways. The one to employ depends on the program used to conduct the polling.

Let's consider one vote-boosting method, using the www.download.com site as an example. Here, visitors can vote for their favorite programs. When you see that your favorite program is way down in the ratings, you naturally want to lift it up and help the developers.

In order to know how to pad the votes, you must know how they are counted. The simplest methods use cookie files. These are files in which web servers save any information useful to them. Each web site has its own file, which only it can read. No site can read cookies created by other sites' servers. When you cast your vote for some cause or issue, the server saves the information about your vote in a cookie file. Let's consider the steps performed when registering votes:

Full version | Tag: Security | Date: 9/15/2009 9:24:17 PM

Arrays in PHP

An array is a list of values that can be referenced with a single variable. This is achieved by using an index to reference individual array elements. Either a number or a word can be an index. Numeric indices start with zero.

Arrays are named in exactly the same way as variables, but with square brackets after the array name. In the following example, the words "cake," "bread," and "carrot" are added to an array.

$goods[]= "cake";
$goods[]= "bread";
$goods[]= "carrot";

A particular array element is referenced by specifying its index in square brackets. For example, the following code displays the contents of the zero element, which is "cake":

Full version | Tag: PHP Development | Date: 10/4/2009 9:33:58 AM

Error Handling in PHP

At certain configuration settings, PHP may not issue error messages. For production web sites, I recommend keeping error messages disabled. An extra message for a hacker is an extra hint toward a successful break-in. For example, a message about excessive parameters tells me that the script does not check the number of parameters passed to it, so it may not do other checks either, for example, whether the system function is called the right way. We will talk about the dangers inherent in this function repeatedly in this book.

A system used for application development must issue messages for any errors; otherwise, it is more likely than not that you will miss some potential errors, and will not be able to understand why the script code is not performing the way you intend it to.

The error reporting feature is enabled by setting the error_reporting parameter in the php.ini file to E_ALL. Error messages may be issued when numerical data is compared with string data. For example, adding an error_reporting(E_ALL) call at the beginning of the script in which we considered the print_max() function (see Section 2.8) will produce the following error when a number and a string are compared:
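The two recommendations from the Terminating Programs and Error Handling posts combined in one script, as an added example that is not the posts' own code: every error is still recorded at E_ALL, none is printed into the page, and the classic "connect or die" pattern stops the script with a generic message while the real reason goes to the log. The DSN, credentials, log path and message texts are assumptions.

```php
<?php
// Added example, not from the original posts: production error settings plus
// a database connection that terminates the script without leaking details.
// DSN, credentials, log path and messages are assumptions for the demo.

error_reporting(E_ALL);                         // record everything, as the post recommends...
ini_set('display_errors', '0');                 // ...but never show it to the visitor
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/app.log');   // assumed path, writable by the web server

// Stops the script with a message safe to show, after logging the real one.
// die() is an alias of exit(); the string argument is what the browser receives.
function failSafely(string $logMessage, string $publicMessage, int $status = 503): never
{
    error_log($logMessage);                     // host names, user names, driver text: log only
    http_response_code($status);
    die($publicMessage);
}

try {
    // On a real site the credentials come from a file outside the web root.
    $db = new PDO('mysql:host=localhost;dbname=app', 'app', 'secret', [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
} catch (PDOException $e) {
    failSafely(
        'DB connection failed: ' . $e->getMessage(),
        'The site is temporarily unavailable. Please try again later.'
    );
}

echo 'Connected.', PHP_EOL;
```

The pattern this replaces is `mysql_connect(...) or die(mysql_error())`, which prints the driver's own text (often including the host and user name) straight into the page; here the same `die()` keeps the script from running on without a database, but the message the visitor sees contains nothing about the server.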

Full version | Tag: PHP Development | Date: 10/16/2009 6:37:31 PM

Environmental Variables

All environmental variables passed to a script are placed by the interpreter into the $HTTP_ENV_VARS array. The set of variables in this array differs from computer to computer. In Windows, environmental variables can be checked by executing the set command in the command line; in UNIX-like systems, environmental variables can be viewed by executing the env command.

You can find the following PHP environmental variables of use:

  • $DOCUMENT_ROOT — The path to the document root directory of the currently executing script on the server.
  • $SCRIPT_FILENAME — The current script's path.
  • $SERVER_ADDR — The IP address of the server on which the current script is executing.
  • $SERVER_PORT — The server port used by the web server for communication.

Full version | Tag: PHP Development | Date: 11/3/2009 9:04:01 PM

Parameter Passing

Static web pages are a rarity nowadays. Practically any web site of any size asks the users for some data. The data supplied by the users are passed as parameters to the specified script using HTML forms. The following example shows how to create a form for entering a user name:

<form action="param.php" method="get"> User Name: <input name="UserName"> </form>

The <form> tag takes the following two parameters:

  • Action — Specifies the name or the complete URL of the script file to which the form parameters are to be passed.
  • Method — The method used to pass the parameters. There are two methods for doing this: get and post. We will consider both of these methods in detail, as you should have a clear understanding of how they work.

Full version | Tag: PHP Development | Date: 11/8/2009 9:35:15 PM

CyD Web Development Tools 2010 Beta

I want to introduce to you a new software product for WEB developers, security specialists and SEO professionals: CyD Web Development Tools. It is a new product, and you can test the beta version at this moment. The product will consist of modules for WEB developers and SEO professionals. Some of the modules will be available as part of CyD Network Utilities - Security tools.

At this time the product consists of only one module: a search for WEB site vulnerabilities. The program needs improvements, but you can try the module absolutely free of charge with no limits. Tell me if you have any suggestions for the program or if you find an error. Some commands do not work in the program yet. I'm going to implement the full set of features as soon as possible.


Full version | Tag: Security | Date: 12/6/2009 9:09:27 PM

PHP and the POST Method

The mechanism of using the POST method is the same as that for the GET method. You only have to change the name of the method (i.e., replace GET with POST), and your code will work without requiring any additional modifications. This, however, is conditional on global variables having been used to pass the data rather than the $HTTP_GET_VARS array (the POST method uses a different array). The earlier example demonstrating parameter passing with the GET method can be changed to use the POST method as follows:

<form action="param.php" method="post">
User Name: 
 <input name="UserName">
 <input type="hidden" name="Password" value="qwerty">
</form>

Other than replacing GET with POST, no other changes are necessary.

When the POST method is used, all parameters are included in the request body in the parameter_name=parameter_value format. Additionally, the variables' names and their values are placed into the $HTTP_POST_VARS array, or $_POST for short.

Full version | Tag: PHP Development | Date: 12/14/2009 8:37:01 PM

Comments in PHP

The format of PHP comments is similar to that of C/C++ and Java, which is another indication that these languages are related. What is a comment in a programming language? It is supplementary information given in the code that has no effect on program execution. For example, you may want to explain how a particular piece of code works. Naturally, you don't want this explanation to execute or to show in the browser. Such an explanation is inserted as a comment in the vicinity of the code it explains.

There are single-line and multi-line comments. A single-line comment starts with two slashes (as in C++) or with the pound sign (as in Linux). Everything following these characters up to the end of the line is disregarded by the interpreter and treated as a comment. For example:

<?php
 # This is a comment
 //This is also a comment
 echo "This is code"; //But this is a comment
?>

Full version | Tag: PHP Development | Date: 2/28/2009 5:20:54 AM

Sensitivity to spaces, carriage returns, and tabs

PHP is not sensitive to spaces, carriage returns, and tabs. This means that you can break one command into several lines, or separate variables, values, or operators with a different number of spaces. For example:

<?php
 $index = 10;
 $index   =  10  +   20;
 $index=10+10;
 $index=
 10
 +

 10;
?>

All of the code above is correct and will work without a hitch.

Each PHP command is terminated with a semicolon (;). In this way the interpreter separates one command from another. Do not forget to use this character where it is required, because failing to do so may cause unpredictable errors, which are usually hard to trace back to a missing command separator.

The command separator makes it possible to write one command on several lines or place several commands in one line. The interpreter will be able to tell the commands apart thanks to the command separator.

Full version | Tag: PHP Development | Date: 3/10/2009 1:06:01 PM

The GET Method

When the GET method is used, all the parameters that are passed to the script are placed into global variables. In addition, they are also placed into the $HTTP_GET_VARS array, or $_GET for short. But there is more to come. The parameters are also displayed in the browser's URL field. Thus, when the above example code passing the name and password parameters is executed, the URL will change to this: http://192.168.77.1/param.php?UserName=Flenov&Password=qwerty. That is, the original URL is appended with a question mark followed by the parameters passed in the parameter_name=parameter_value format and delimited by the ampersand (&).

How safe do you think this method is? Good thinking! Any of the parameters can be easily changed manually without even changing the form's source code. When developing scripts, you should make it as hard as possible for hackers to manipulate parameters. For example, do not use the GET method to transmit passwords, because they can be easily intercepted.

Another problem with this method is its openness. Consider the password example again. When a user enters a password via this method, the password will be displayed in the browser's URL field. Anyone passing by at this time can see this password in there.
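A param.php that receives the UserName and Password fields from the forms shown in the Parameter Passing and PHP and the POST Method posts, written as an added example that is not the posts' own code. It enforces the advice above: credentials are accepted only from the POST body, never from the URL, so a form still set to method="get" is refused rather than silently processed. The 405 and 400 responses and the message texts are my choices.

```php
<?php
// Added example, not from the original posts: param.php reading the form fields
// from $_POST only. A GET request puts the same fields into the URL, browser
// history and server logs, so it is refused. Field names follow the page's forms.

// Handles one request; returns the HTTP status it decided on and the page body,
// so the logic can be exercised without a web server.
function handleParamRequest(string $method, array $post): array
{
    if ($method !== 'POST') {
        // 405 tells the client which method is allowed instead of guessing at $_GET.
        return [405, 'This form must be submitted with POST.'];
    }

    $userName = $post['UserName'] ?? null;
    $password = $post['Password'] ?? null;

    // Both fields must be present, plain strings (not UserName[]=...) and non-empty.
    if (!is_string($userName) || !is_string($password) || $userName === '' || $password === '') {
        return [400, 'UserName and Password are required.'];
    }

    // htmlspecialchars() keeps the echoed name from being read as HTML by the browser.
    $safeName = htmlspecialchars($userName, ENT_QUOTES, 'UTF-8');
    // The password is only ever compared against a stored credential; it is never
    // written back into the page, the URL or the log.
    return [200, "Hello, $safeName"];
}

if (PHP_SAPI === 'cli') {
    // Constructed requests for running the script from the command line.
    $demos = [
        ['GET',  ['UserName' => 'Flenov', 'Password' => 'qwerty']],   // the GET form on this page
        ['POST', ['UserName' => 'Flenov', 'Password' => 'qwerty']],   // the POST form on this page
        ['POST', ['UserName' => 'Flenov']],                            // hidden field removed
    ];
    foreach ($demos as [$method, $post]) {
        [$status, $body] = handleParamRequest($method, $post);
        echo "$method => $status $body", PHP_EOL;
    }
} else {
    [$status, $body] = handleParamRequest($_SERVER['REQUEST_METHOD'] ?? 'GET', $_POST);
    if ($status === 405) {
        header('Allow: POST');
    }
    http_response_code($status);
    echo $body;
}
```

Run from the command line it prints the three decisions (405, 200, 400); deployed as param.php it answers real requests the same way. Note that POST only keeps the password out of the URL; on the wire it is still plain text unless the page is served over HTTPS.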

Full version | Tag: PHP Development | Date: 11/11/2009 7:39:22 PM