Posts tagged: PHP

Security in PHP

PHP is a very flexible language. But sometimes this flexibility creates security flaws because of improper use of it. I had just read an article “Top 7 PHP Security Blunders” by Pax Dickinson. It shows the top 7 mistakes or flaws that may break site security.

“Security is a process, not a product, and adopting a sound approach to security during the process of application development will allow you to produce tighter, more robust code.” – Pax Dickinson

In this article the author has shown how a PHP application can be infected and how to protect it. He has described the following, with reference to different articles:

  • Unvalidated Input Errors
  • Access Control Flaws
  • Session ID Protection
  • Cross Site Scripting (XSS) Flaws
  • SQL Injection Vulnerabilities
  • Error Reporting
  • Data Handling Errors
  • Configuring PHP For Security

I found this article knowledgeable. Hope you will like it. You may read it from here http://www.sitepoint.com/article/php-security-blunders.

I want to conclude with lines from this article…

“…there are many things to be aware of when programming secure PHP applications, though this is true with any language, and any server platform. PHP is no less secure than many other common development languages. The most important thing is to develop a proper security mindset and to know your tools well…”


cPanel: Class for creating email account and mail forwarder

This class can be used to create email accounts and mail forwarders using PHP, without logging in to cPanel. It is an extension of the script made by www.zubrag.com. You can access the original from here: http://www.zubrag.com/scripts/cpanel-create-email-account.php. It is also a modified version of the class “cpmail”, which was coded by Md. Zakir Hossain (Raju), http://www.rajuru.xenexbd.com.

How to configure:

  1. Download the zipped file.
  2. Unzip the file. This file contains the class file and an example file.
  3. Open the class file and change these variables -
    • $currentTheme – Your cPanel theme
    • $userName – Your cPanel user name
    • $password – Your cPanel password
    • $domain – Your cPanel domain
    • $cPanelPort – Your cPanel port [optional]
  4. Include the class in the file where you want to use it.

Example:

// include the class file
include('class.cpmailmanager.php');
 
// create an instance of the class
$cp = new CPMailManager();
 
// create an email account
$cp->createEmail('sadat', 'sadat123', 10);
 
if($cp->status) //account created successfully
{
     echo 'Mail created successfully';
}
else
{
     echo $cp->message;
}
 
// create mail forwarder
$cp->createForwarder('sadat', 'msh@example.com');
echo '' . $cp->message;
 
// delete mail forwarder
$cp->deleteForwarder('sadat', 'msh@example.com');
echo '' . $cp->message;
 
// delete email account
$cp->deleteEmail('sadat');
echo '' . $cp->message;

Download


CodeIgniter – Plugin for DOMPDF

I have modified the plugin for DOMPDF which is found in the CodeIgniter forum. I have added the paper size and orientation parameters. Here is the code to share with you.

<?php if (!defined('BASEPATH')) exit('No direct script access allowed');
 
    // Render $html to PDF with DOMPDF, then stream it to the browser or write it to disk.
    function pdf_create($html, $filename, $stream=true, $papersize = 'letter', $orientation = 'portrait')
    {
        require_once("dompdf/dompdf_config.inc.php");
 
        $dompdf = new DOMPDF();
        $dompdf->load_html($html);
        $dompdf->set_paper($papersize, $orientation);
        $dompdf->render();
 
        if ($stream)
        {
            // send the PDF to the browser as a download
            $options['Attachment'] = 1;
            $options['Accept-Ranges'] = 0;
            $options['compress'] = 1;
            $dompdf->stream($filename.".pdf", $options);
        }
        else
        {
            // write_file() is defined in CodeIgniter's file helper, so load it first
            $CI =& get_instance();
            $CI->load->helper('file');
            write_file("$filename.pdf", $dompdf->output());
        }
    }
?>
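pdf_create() passes $filename, $papersize and $orientation on unchanged: to write_file() in one branch and to the download header in the other. The wrapper below is an added example, not part of the original plugin or of DOMPDF, for callers that take any of these values from request data. The names pdf_safe_basename() and pdf_create_checked(), the list of allowed sizes, and the choice to always write into the current directory are assumptions made for illustration.

```php
<?php
// Added example (hypothetical helper names); pdf_create() is the plugin function above.

/** Reduce a caller-supplied name to a bare file name: no path, no dots, no CR/LF. */
function pdf_safe_basename($name)
{
    $name = basename(str_replace('\\', '/', (string) $name)); // drop any directory part
    $name = preg_replace('/\.pdf$/i', '', $name);              // pdf_create() appends ".pdf"
    $name = preg_replace('/[^A-Za-z0-9_-]+/', '_', $name);     // conservative character set
    $name = trim($name, '_');
    return $name === '' ? 'document' : substr($name, 0, 64);
}

/** Check paper size and orientation against fixed lists, then call pdf_create(). */
function pdf_create_checked($html, $filename, $stream = true, $papersize = 'letter', $orientation = 'portrait')
{
    $sizes        = array('letter', 'legal', 'a3', 'a4', 'a5'); // assumed: sizes this app offers
    $orientations = array('portrait', 'landscape');

    $papersize   = strtolower((string) $papersize);
    $orientation = strtolower((string) $orientation);
    if (!in_array($papersize, $sizes, true)) {
        $papersize = 'letter';       // fall back to the plugin's default
    }
    if (!in_array($orientation, $orientations, true)) {
        $orientation = 'portrait';   // fall back to the plugin's default
    }

    $safe = pdf_safe_basename($filename);
    if (function_exists('pdf_create')) {   // defined only inside the CodeIgniter application
        pdf_create($html, $safe, $stream, $papersize, $orientation);
    }
    return array($safe, $papersize, $orientation);
}

// Constructed inputs, printed only when the file is run on its own (no plugin loaded).
if (!function_exists('pdf_create')) {
    $samples = array('../../config/database', "report\r\nSet-Cookie: x=1", 'invoice-42.pdf', '..');
    foreach ($samples as $raw) {
        list($name, $size, $orient) = pdf_create_checked('<p>test</p>', $raw, false, 'A4', 'sideways');
        echo json_encode($raw), ' => ', $name, '.pdf ', $size, ' ', $orient, "\n";
    }
}
```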

DOMPDF without PDFLib as back-end PDF support

I was implementing PDF generation in one of the projects which is built with CodeIgniter. I searched for PDF support for CodeIgniter and found help on the CI forum. I followed the instructions given there and used DOMPDF. The result was satisfactory though I faced an issue. I was happy, but the problem was with PDFLib. It's not free and our client would not buy it. I thought that DOMPDF would not work without the help of PDFLib. Soon I lost my happiness and started looking for an alternate solution. Then our team decided to use HTML2FPDF. But the result was not satisfactory. We had to rewrite our HTML files. It was lacking lots of HTML support. I was not happy with the output. So I started googling again for a PDF library. While searching I came across a library called HTML2PS/HTML2PDF. But it seemed complex to me. I again started searching for any solution which would help me use DOMPDF in my project without PDFLib. At last I got the solution from the DOMPDF site ;) .

“…Edit dompdf_config.inc.php to fit your installation. If you leave the DOMPDF_PDF_BACKEND setting at ‘auto’ dompdf will use PDFLib if it is installed, otherwise it will use the bundled R&OS CPDF class…”

I was very happy to read this. I might have missed this while installing DOMPDF for the first time. Thanks DOMPDF for a nice interface and output. Really DOMPDF made our coding not just easy, but saved our time :) .


DOMPDF Attachment issue in IE (Internet Explorer)

I have used DOMPDF in my project. But I was facing a problem with Attachment. In Firefox it was working fine. But in Internet Explorer (I used IE 6) it ended with an error. In IE it was showing the download dialogue box offering the script page I used to generate the PDF file. When I tried to download the file it showed an error.

I searched the web and found no suitable solution. I followed the instructions given in http://www.corenettech.com/blog/ but it didn’t work :( . But I got an idea from this post. I started digging into the code and made the following changes to the PDFLib_Adapter class (available in DOMPDF_DIRECTORY/include/pdflib_adapter.cls.php).

I have removed the following line (line 829):

header("Cache-Control: private");

and added

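// the User-Agent header is optional, so check that it is set before inspecting it
if (isset($_SERVER['HTTP_USER_AGENT']) && strstr($_SERVER['HTTP_USER_AGENT'], "MSIE"))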
{
     header('Expires: 0');
     header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
     header("Content-Transfer-Encoding: binary");
     header('Pragma: public');
     header("Content-Length: ".strlen($data));
}
else
{
     header("Cache-Control: private");
     header("Content-Transfer-Encoding: binary");
     header('Expires: 0');
     header('Pragma: no-cache');
     header("Content-Length: ".strlen($data));
}

after

header("Content-type: application/pdf");
header("Content-Disposition: $attach; filename=\"$filename\"");

That’s it! My code started working :) .

Hope this will save your time of surfing the net ;) .


Paging Class using PHP and MySQL

Based on my last post on paging using PHP and MySQL, I have coded this class. It is very easy to implement and it will save your time. Here is a code snippet to show how simple it is to use.

//include the class file
include('Pager.php');
 
//making connection to the database
mysql_connect('localhost', 'root', '');
mysql_select_db('test');
 
//prepare SQL
$sql = 'SELECT * FROM books';
 
//create an object of Pager passing the SQL
$pager = new Pager($sql);
 
//set the url. this is the current page
$pager->url = 'index.php';
 
//set number of rows. by default it is 10
$pager->rowPerPage = 5;
 
//build the pager
$pager->build();
 
//get paged data
$rows = $pager->getPagedData();

Click the download link given below for a copy of the class. It also includes a working example.

Download
