Now With Web 2.0!

Archive for March 2005

Mar 19, 2005

So you’ve mastered the ifs, thens and whiles, you’re the king of loops and you can honestly call MySQL your bitch, but what’s the point if everything you code is insecure and full of holes? PHP security is something not many people worry about, and even fewer know how to implement it. This article will attempt to describe a few common mistakes and ways to work around them…

Data Filtering

Data filtering is one of the cornerstones of secure application development. It involves the mechanism by which you determine the validity of data that is entering and exiting the application, and a good software design can help developers to:

  • Ensure that data filtering cannot be bypassed
  • Ensure that invalid data cannot be mistaken for valid data, and
  • Identify the origin of data.
As described in the PHP Security Guide, there are two general methods of data filtering, The Dispatch Method and The Include Method.

The Dispatch method

One method is to have a single PHP script available to the web and have every other module included with the include or require functions. This method usually calls for a GET variable to be passed with every URL that identifies the task; the script uses that variable to ‘dispatch’ (send) the request to the desired module. This method is popular for two main reasons. First, it allows the developer to implement global security measures in one single script and ensure that they cannot be bypassed. Second, one can easily see that data filtering takes place where necessary by focusing on the control flow of a specific task. It should be noted that if this method is combined with mod_rewrite, the user wouldn’t even know that such a method was in action; for example, http://www.sleepingawake.net/index.php?do=print could end up looking like http://www.sleepingawake.net/app/print

The Include Method

The second approach is to have a single include that is responsible for the security of each document. This module is included at the top of each script that’s accessible through the web.

With either of these methods, it’s important to remember to filter all data that comes from the user. Be sure that the submitted email is in fact an email address, be sure that every integer variable is in fact an integer, and if there’s a finite list of possibilities for a variable (perhaps from a dropdown list or a Yes/No) make sure that only one of those possibilities is accepted. This not only strengthens security but also improves the overall accuracy of the data.
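
Here is an added example (not code from the original post or from the PHP Security Guide) of what the Dispatch Method and the three filtering rules above look like when put together in one script. The task names, the modules/ directory and the parameter names (do, email, id, confirm) are assumptions; the filter_var() calls need PHP 5.2 or later.

```php
<?php
// Added example: a single dispatch script. The "do" parameter is matched
// against a fixed list before anything is included, and the three helpers
// implement the e-mail / integer / finite-list checks described in the text.
// The module files (modules/home.php, ...) are assumed to exist.

define('IN_VALID', true);

// Finite list of tasks the application knows about; anything else is rejected.
$tasks = array(
    'home'  => 'modules/home.php',
    'print' => 'modules/print.php',
    'edit'  => 'modules/edit.php',
);

// Returns the address as a string if it is syntactically valid, otherwise false.
function filter_email($value)
{
    $value = (string) $value;
    return filter_var($value, FILTER_VALIDATE_EMAIL) !== false ? $value : false;
}

// Returns an int only if the whole value is an integer; "12abc" and "1.5" fail,
// which is the point: invalid data must never be mistaken for valid data.
function filter_int($value)
{
    $result = filter_var($value, FILTER_VALIDATE_INT);
    return $result === false ? false : (int) $result;
}

// Returns the value only if it is one of the allowed options (dropdown, Yes/No, ...).
// The strict in_array() also rejects arrays smuggled in as ?confirm[]=yes.
function filter_enum($value, array $allowed)
{
    return in_array($value, $allowed, true) ? $value : false;
}

// --- Dispatch ---------------------------------------------------------------
// The "do" parameter is itself filtered against the finite list of tasks.
$do   = isset($_GET['do']) ? $_GET['do'] : 'home';
$task = filter_enum($do, array_keys($tasks));
if ($task === false) {
    header('HTTP/1.0 404 Not Found');
    die('Unknown task');
}

// Global checks that every task gets (authentication, logging, ...) go here;
// they cannot be skipped because this is the only script reachable from the web.

// Filtered copies of user input go into a separate array, so a module can
// never accidentally use an unfiltered $_GET or $_POST value.
$clean = array();
if (isset($_POST['email'])) {
    $clean['email'] = filter_email($_POST['email']);
}
if (isset($_GET['id'])) {
    $clean['id'] = filter_int($_GET['id']);
}
if (isset($_POST['confirm'])) {
    $clean['confirm'] = filter_enum($_POST['confirm'], array('yes', 'no'));
}

require $tasks[$task];
```

Each module then works from $clean only; a false in that array means the input was rejected, and the module decides how to report it. Keeping the raw superglobals out of the modules is what makes it easy to see, in one place, that filtering cannot be bypassed.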

Form Processing

Spoofed Form Submissions

One common practice for hackers is to view the source of your forms and copy them elsewhere, where they can easily be manipulated. They can change a limited-possibility dropdown list into a textbox and then submit any content they want to your site, using an absolute URL in the form’s action attribute.

Spoofed HTTP Requests

Another, more advanced (and therefore less used) method is spoofed HTTP requests. These requests can be sent from a telnet session or via a PHP script and do basically the same as the method above. For a more detailed description of HTTP requests, visit the HTTP Request section over at W3.org and/or the article Understanding HTTP by Perlfect Solutions.

Databases and SQL

Exposed Access Credentials

A VERY common mistake (one that I was guilty of for a while) is to provide your database access credentials in one single .inc file in the root directory. Although this method is quite simple, it’s full of more holes than Swiss cheese. You see, the web server does not hand .inc files to PHP, so by default they are served to the browser as plain text; if someone by chance found out the file path to it, your database security would be compromised. One common remedy is to rename your .inc file, for example, from db.inc to db.inc.php. This simple practice hides the content of the file from showing via a browser. Another, even more secure, method is to place the file in a folder that is not accessible via a browser and to reference the actual file path in the PHP scripts. For more advanced information on this subject visit Exposed Access Credentials in the PHP Security Guide.
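
As an added example (not from the original post), here is the “folder not accessible via a browser” approach with a small check that refuses to load the file if it turns out to be under the document root after all. The directory layout, the file name db.php and the returned array keys are assumptions. If the file must stay under the document root, the web server can additionally be told to refuse requests for .inc files (on Apache, a Files block with a deny rule), but moving it out is the simpler fix.

```php
<?php
// Added example. Assumed layout:
//   /var/www/html/            document root, served by the web server
//   /var/www/html/index.php   this script
//   /var/www/private/db.php   credentials, one level above the document root
// db.php holds nothing but:
//   <?php return array('host' => 'localhost', 'user' => 'app', 'pass' => 'replace-me');
// It keeps the .php extension anyway, so a server that did mistakenly serve it
// would execute it and return an empty page instead of the plaintext.

// Returns the credentials array, or throws if the file could be reached from the web.
function load_db_config($path)
{
    $real = realpath($path);
    if ($real === false) {
        throw new RuntimeException('credentials file not found: ' . $path);
    }

    // Sanity check: the resolved path must not lie inside the document root.
    $docroot = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
    if ($docroot !== false && strpos($real, rtrim($docroot, '/') . '/') === 0) {
        throw new RuntimeException('refusing to load credentials from inside the document root');
    }

    // A required file may "return" a value; that value is the credentials array.
    return require $real;
}

// dirname(dirname(__FILE__)) is the parent of the document root in the layout above.
$db = load_db_config(dirname(dirname(__FILE__)) . '/private/db.php');
// $db['host'], $db['user'] and $db['pass'] are now available to the connection code
// and never appear in any file the web server will serve.
```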

SQL Injection

SQL injection attacks are extremely simple to defend against, but many applications are still vulnerable. This is another one I was guilty of for a long time. Using variables directly from forms with no data filtering in place can cause horrible problems. A sneaky user can go so far as to send multiple queries to the database server in a single call. Worse still, a user can potentially terminate the existing query with a semicolon and follow it with a query of the user’s choosing. The good news is that data filtering as explained above can prevent or even eliminate the possibility of this happening. Another useful tidbit is to put single quotes around all values in your SQL statements, regardless of the data type. That, and escaping your data using mysql_escape_string() or addslashes(), will also help prevent unwanted SQL results.
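
The added example below (not code from the original post) shows the unsafe pattern the text warns about next to the quote-and-escape fix it recommends, and then a prepared statement, which is what a practitioner would reach for today. It uses PDO rather than the mysql_* functions: PDO::quote() does the “single quotes around every value” plus escaping in one call using the connection’s character set, which mysql_escape_string() and addslashes() do not know about, and the mysql_* extension itself was removed in PHP 7. The table name users, the column names, the DSN and the credentials are assumptions.

```php
<?php
// Added example: three versions of the same lookup.

// Connection details are placeholders.
function connect()
{
    $pdo = new PDO('mysql:host=localhost;dbname=app', 'app', 'replace-me');
    // Make failures throw instead of returning false, so a broken query
    // cannot be silently ignored by the code that follows.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// 1. Vulnerable: the user's value becomes part of the SQL text. A value that
//    contains a quote character ends the string early and everything after it
//    is parsed as SQL; with a statement terminator the rest of the query can be
//    replaced outright, which is the "terminate with a semicolon" case in the text.
function find_user_unsafe(PDO $pdo, $name)
{
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. The fix described in the text: every value is wrapped in single quotes,
//    regardless of type, and escaped. PDO::quote() does both, using the escaping
//    rules of the driver and the connection's character set.
function find_user_quoted(PDO $pdo, $name)
{
    $sql = "SELECT id, name FROM users WHERE name = " . $pdo->quote((string) $name);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Integers get the same treatment: id = '5' rather than id = 5, so that a value
// like "5 OR 1" stays a string literal instead of becoming part of the WHERE clause.
function find_user_by_id_quoted(PDO $pdo, $id)
{
    $sql = "SELECT id, name FROM users WHERE id = " . $pdo->quote((string) $id);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Prepared statement: the query text and the value travel separately, so no
//    quoting or escaping is needed and the value can never be parsed as SQL.
function find_user_prepared(PDO $pdo, $name)
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = ?');
    $stmt->execute(array((string) $name));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

Even with prepared statements, the data filtering from earlier still applies: a parameter stops injection, but it does not make an e-mail field contain an e-mail address.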

Sessions

Session Fixation

Session security is a fairly advanced topic, which is why it’s widely exploited. Most session attacks involve impersonation, where an attacker gains access to someone’s session identifier. There are three common methods used to obtain a valid session identifier:

  • Prediction
  • Capture
  • Fixation
This topic can be seen in more detail over at the PHP Security Consortium under Sessions.
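
As an added example (not from the original post or the PHP Security Consortium), here is a login step hardened against the three methods listed above: URL-borne session IDs are ignored (which is what fixation plants and what capture through proxy or Referer logs picks up), the cookie is marked HttpOnly, and the ID is regenerated at the moment of login so an identifier that an attacker chose or obtained beforehand never becomes an authenticated session. Prediction is left to PHP’s own random ID generator. The check_password() helper is a stand-in for whatever the application uses and is an assumption, as are the session keys.

```php
<?php
// Added example: session handling around login/logout.

// Accept session IDs from cookies only; never from the query string or from
// URL rewriting. This closes the usual fixation and capture routes.
ini_set('session.use_only_cookies', 1);
ini_set('session.use_trans_sid', 0);
// Keep the cookie out of reach of script running in the page (PHP 5.2+).
ini_set('session.cookie_httponly', 1);
session_start();

// Stand-in for the application's own credential check (assumed, not real).
function check_password($username, $password)
{
    // Constructed sample user for the example only.
    return $username === 'alice' && $password === 'correct horse battery staple';
}

// Returns true on success; the session is then tied to a freshly issued ID.
function login($username, $password)
{
    if (!check_password($username, $password)) {
        return false;
    }
    // Fixation defence: discard whatever ID the client arrived with and issue a
    // new one at the moment privileges change. The argument deletes the old
    // session data as well (PHP 5.1+), so the old ID cannot be reused.
    session_regenerate_id(true);
    $_SESSION['user']         = $username;
    $_SESSION['logged_in_at'] = time();
    return true;
}

// Destroys the session data and expires the cookie on the client.
function logout()
{
    $_SESSION = array();
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```

The same session_regenerate_id(true) call belongs at every other privilege change (for example when an ordinary user becomes an administrator), not only at login.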

Early in this article I raved about the simplicity of using include. Well, there’s yet another step you can take to ensure your site’s safety with regard to these include files. The script below (graciously taken from the folks over at phpfreaks.com) will stop your files from being directly accessed. Place this at the beginning of the file you are going to include:

<?php
     if ( !defined('IN_VALID') )
     {
          die("<center><b>Error: This File Cannot Be Accessed Directly</b><br>To Return To The Main Site <a href=\"#\">Click Here</a></center>");
     }
?>

For example, say the file that now contains the above code is called menu.php; we have to define IN_VALID before we can include it:

<?php
     define('IN_VALID', true);
     include("menu.php");
?>

Ultimately the user will not know what’s required in order to view the include, which allows its contents to remain hidden.

I hope this wasn’t too confusing to read, if you have any questions regarding this post let me know and I will do my best to make it easier to understand. I’d like to thank PHPFreaks, The W3C, the PHP Security Consortium and Perlfect Solutions for their (albeit unintentional) participation in the making of this article.


Mar 17, 2005
If this appeals to anyone, there is a job opening at an established design firm in Mt. Prospect / Des Plaines, IL: PHP Programmer / Web Developer. If interested please send your resume to info@chamerlik.com. http://www.chamerlik.com/ They might be interested in some SEO work as well. Just passing on the info. Kevin
Mar 17, 2005
Westciv has released the 4th version of their CSS editing software; check out the features and screenshots! Style Master 4.0
Mar 14, 2005
For those unaware, May 1st Reboot is a yearly international relaunch of websites with new designs. This marks its fifth anniversary; each year that has passed has made it more and more popular and therefore more and more fun to witness. Check out their site and, if you’re so inclined, register to be a part of the Reboot!
Also, a new site has sprung up this year called CSS Reboot. It’s run independently but with the same passion as the original. The purpose of this site is to raise more awareness of the CSS and Web Standards design community.
Unfortunately what the May 1st Reboot is most certainly not is a CSS and web standards-minded community project. The entries have been famously lopsided in the Flash department. So I got to thinking today that maybe this year could be the year to change all that. We can call it the May 1st Reboot Reboot… or something.
Here’s a link to the article that started CSS Reboot: CSS Web Standards May 1st Reboot
Mar 14, 2005
DAVE School - The Digital Animation and Visual Effects School is a non-public career education school providing technical training for people who want to become professional Computer Animators or Visual Effects Artists. Every graduating class has a group assignment to make a short movie using the skills they learned. The newest student movie out, “Batman New Times” is pretty sweet so check it out!
Mar 13, 2005
Ok… this is far from perfect, but it’s at least mostly functional. This code would be used as a scroll handler onEnterFrame for a clip, so something like my_mc.onEnterFrame = handle_scroll; (assign the function itself, not the result of calling it), or you can use it inside some other code inside an onEnterFrame.

// I never have luck with Stage.width or Stage.height
// so I use a border around the stage, and call it border_mc
centerx = (border_mc._x + border_mc._width)/2;

function handle_scroll() {
    // mx = the current mouse x position
    mx = _root._xmouse;
    // dx = the distance from the center of the stage and the mouse x
    dx = Math.abs(centerx - mx) * 0.2;
    // lx = the left side of the movie clip
    lx = this._x;
    // rx = the right side of the movie clip
    rx = this._x + this._width;
    // r_rx = the right side of our stage area
    r_rx = border_mc._x + border_mc._width;

    /* ---- Big chunk of commenting -----
       This is the only part that may be hard to follow. These are just nested "conditionals".
       The logic is as follows…
       If the mouse is left or right of center (plus padding, so there’s no jerky movement in the
       center), then update the clip location.
       (level1) If left of center,
         (level2) if the left side of the clip plus the distance of the mouse from center (the
                  distance to slide over) is less than 20 (our padding value), then add dx to the
                  current _x of the clip (so it moves to the right, visually scrolling to the left)…
         (level2) otherwise just go the rest of the way to the end of the clip.
       (level1) OR if the right side minus the distance of the mouse from center (dx), so moving
                the clip to the left, visually scrolling to the right, is greater than the right
                side of the stage area minus 40 (this is a value that just needs to be tinkered
                with to make it stop at the correct value of the end of your clip; it SHOULD be 20
                (or our padding value), but that just didn’t work for me), then this means the
                right side of the clip is not scrolled past the point we want the clip to end on
                the right,
         (level2) then add the negative of the dx value
         (level2) if not (meaning it will scroll too far to the left if we use the dx value),
                  then we use the distance that would make it flush with our right bounds.
       - End of comment block - */
    if ( (mx < centerx-20) || mx > (centerx+20) ) {
        this._x += (mx < centerx)
            ? ( ((lx+dx) < 20) ? (dx) : (Math.abs(20-(lx))) )
            : ( ((rx-dx) > (r_rx - 40)) ? (-dx) : (-Math.abs((r_rx-40)-rx)) );
    }
}

So if you get anything out of this long-ass complicated post, it’s maybe the usage of “conditionals”, which follow the format of: [variable] = (condition) ? [value of variable if condition true] : [value of variable if condition false]. Nesting this makes it a bit difficult to read until you’re used to it, but it makes for much more compact (visually) code, and it is also processed better than a bunch of if statements.
Mar 10, 2005
There’s been much speculation on whether or not there’s going to be a Google browser coming. More important still is the talk of what this would do to Microsoft’s Internet Explorer, Mozilla’s Firefox and other popular browsers in use today. The only clear-cut indication we’ve seen so far is that the domain gbrowser.com was registered in ‘04 by Google Inc. So could this be yet another attack waged by Google to maintain their grip on our day-to-day internet use? We all remember the gMail phenomenon: a select few people were extended invitations to open accounts and they, in turn, were allowed to invite 6 people themselves to the new service. The exclusivity of this new mail system, along with the massive storage space, made gMail a permanent fixture in the free email world. With the same naming structure, it’s our belief that Google’s rumored gBrowser would be yet another offensive on their competitors and a step closer for them to becoming another powerhouse. All this competition, however, has provided nothing but good results for us, the consumers. The competition has forced other rival companies, namely Yahoo! and MSN, to step up their efforts and provide comparable services. With all their successes in the past I don’t doubt Google could pull this off; they’d have stiff competition, especially with Firefox’s rising popularity, but only time will tell what the outcome of such a release would be.
Mar 09, 2005
Well, now you’ve finished all the animating, motion tweens, and transitioning between sections of your Flash movie, but wait! What is this? Awwww, all the text looks blurry! Well, here’s a nifty little tip that normally works, my friends. First select your nasty-looking text and go to the Info panel. Make sure your X and Y coordinates are set without any number after the decimal, for example X = 255.0 and Y = 15.0. If you make sure there’s a 0 after the decimal it’ll fix that blurry text. When you correct the placement it sets it in the “perfect position”. Now the next problem: your text is set to a “perfect position” in a movie clip, but when you return to the main timeline it appears blurry. This is because the text is not set to a “perfect position” by the main timeline’s standards even if it is inside the movie clip. You may need to copy your movie clip and paste it in place on a different layer on the main timeline, then break the movie clip up so it’s in individual parts. Align the text to its “perfect position” and then lock that layer with the broken parts. Go into the actual movie clip and align the text with the text on the main timeline. Seems like a lot of work? Well, this is just one way of fixing your blurry text, and it mostly occurs with fonts that are bitmaps. In the end a crystal-clear font is a beautiful thing and it won’t take away from the rest of your insane layout. Hope this helps!!!!!
Mar 05, 2005
Here are two sites I’ve stumbled upon in my web surfing; check them out! www.trudydesign.it www.burntgraphix.com
Mar 02, 2005
What’s New 1.0.1

Important Note: If you are experiencing a crash while typing in the Firefox address bar, you can fix the problem by uninstalling Firefox 1.0.1, completely removing the Firefox program folder (probably C:\Program Files\Mozilla Firefox on Windows or /home//firefox-installer/ on Linux), and reinstalling Firefox 1.0.1. To avoid this crash and other problems, do not install a new version using the installer into the same folder as an older zipped installation.

Here’s what’s new in Firefox 1.0.1:
  • Improved stability
  • International Domain Names are now displayed as punycode. (To show International Domain Names in Unicode, set the “network.IDN_show_punycode” preference to false.)
  • Several security fixes.
http://www.mozilla.org/products/firefox/releases/