Posts Tagged ‘PHP’

« Older Entries

PHP Performance Tip

Saturday, June 4th, 2011

To improve the performance of your PHP application, you should work with object properties directly, rather than writing naive settings and getters. If you need getter/setters, you can use the __get and __set magic methods.

I have performed a quick test with the following script (base code is from google performance tips) to show the performance savings.

php -d implicit_flush=off -r ‘class dog { public $name = “”;} $rover = new dog(); for ($x=0; $x<10; $x++) { $t = microtime(true); for ($i=0; $i<1000000; $i++) { $rover->name = “rover”; $n = $rover->name;} echo microtime(true) – $t;echo “\n”;}’
0.27138209342957
0.27215003967285
0.27119302749634
0.27127695083618
0.27089595794678
0.27323412895203
0.27595901489258
0.27139592170715
0.27534413337708
0.27470207214355

php -d implicit_flush=off -r ‘class dog {public $name = “”;public function setName($name) {$this->name = $name; }public function getName() {return $this->name; } }$rover = new dog();for ($x=0; $x<10; $x++) { $t = microtime(true);for ($i=0; $i<1000000; $i++) { $rover->setName(“rover”);$n = $rover->getName();}echo microtime(true) – $t;echo “\n”;}’
0.88418102264404
0.90805292129517
0.88095903396606
0.9102931022644
0.88606786727905
0.91241002082825
0.88503313064575
0.90973210334778
0.87963604927063
0.91335105895996

php -d implicit_flush=off -r ‘class dog {public $name = “”;public function __set($key, $value) {$this->$key = $value;}public function __get($key) {return $this->$key;}}$rover = new dog(); for ($x=0; $x<10; $x++) { $t = microtime(true); for ($i=0; $i<1000000; $i++) { $rover->name = “rover”; $n = $rover->name;} echo microtime(true) – $t;echo “\n”;}’
0.27974605560303
0.28078198432922
0.27995705604553
0.280522108078
0.27998900413513
0.28067207336426
0.27970504760742
0.28028988838196
0.27951693534851
0.28037190437317

Tags: ,
Posted in PHP | No Comments »

Installing PHP extensions on Mac OS X under xampp

Monday, May 31st, 2010

The other day I installed xampp on a mac os x running snow leopard but I was having an issue installing any extra extensions like xdebug and apc. I found out it was because it was compiling the extensions in 64bit but xampp is compiled in 32bit and I did the following to fix the issue:

  1. Download and extract the source
  2. Run phpize
  3. Adding the following parameters to configure: 
    ./configure MACOSX_DEPLOYMENT_TARGET=10.6 CFLAGS="-arch i386 -g -Os -pipe -no-cpp-precomp" CCFLAGS="-arch i386 -g -Os -pipe" CXXFLAGS="-arch i386 -g -Os -pipe" LDFLAGS="-arch i386 -bind_at_load"
  4. make (and make install if required)
  5. done :)

If that doesnt work, try adding: 

--with-php-config=/Applications/XAMPP/xamppfiles/bin/php-config-5.3.1

to the configure command.

I hope that will help some people out there, because it was driving me insane!

Tags: , , , , ,
Posted in PHP, Web | 2 Comments »

OpenCart CSRF Vulnerability

Thursday, January 28th, 2010

I have have started at a new job in Toronto this year, and my first project is an e-commerce website and was tasked to use OpenCart which is the best open source e-commerce software we could find. However an issue I noticed straight away was the application is vulnerable to CSRF attacks via the POST method. Since I take no risks with security I have implemented a fix which generates a token when an admin logs in and appends it to the URL through the Url class.

I have drafted an example of the exploit, sent it to the creator of OpenCart and gave an example of how a user could be targeted with the attacker changing the PayPal email address to their own account. I did this as I didn’t want to publish the exploit until a fix was implemented and a new version was released, but as the following email transcript will show, this is not going to happen anytime soon.

————————————————–
From: “Ben”
Sent: Friday, January 22, 2010 8:06 PM
To: < *******@opencart.com>
Subject: OpenCart – Enquiry

Hi,

I recently installed OpenCart and I noticed that it is vulnerable to CSRF attacks. I have created a sample page that is capable of inserting a rouge user (the page currently prompts you but could be done silently if the attacker knows the url of the site).

http://visionsource.org/*********.html

Please let know that you are looking into the security issue and are going to release an update with a fix otherwise I will make the issue public.

If you need any help fixing the problem please let me know.

Thanks,
Ben.
————————————————–
On 2010-01-22, at 4:50 PM, Daniel Kerr wrote:

Ben you seem to be very clever to come up with this. But! you need to be logged in for this to happen.

————————————————–
From: “Ben Maynard”
Sent: Friday, January 22, 2010 11:34 PM
To: “Daniel Kerr”
Subject: Re: OpenCart – Enquiry

HI Daniel,

That is the whole point of a CSRF attack. Please read http://en.wikipedia.org/wiki/Csrf for an explanation on the attack.

This can be very dangerous, for example:

I am an attacker looking at stealing money, I find a websites that are running opencart and have paypal as a payment method. I send the owner an email asking a question about a product and send a link that will perform the attack on the website. The chances of the owner being logged into their opencart admin is high since they are dealing with orders, and a rouge account is created without the user knowing (The attacker could just format the malicious page to look like a 404 not found page so it doesnt raise suspicion with the owner).

The attacker makes the script send an email when the page is hit, so he knows when to logged into the admin section. The attacker then logs in, changes the paypal email address to his own account, deletes the new account to help cover his tracks. He starts to get the money from the website and the owner of the website may not realize what has happened for a couple of days (maybe even longer)!

If someone was to do this, it would cause a major problem for the owner (and buyers who money was stolen).

I have implemented a fix on the website i am working on and dont mind sharing the fix. I create a random token when the user logs in, and in the Url class I add it to the url. There is also a check on the user auth.

Thanks,
Ben.
————————————————–
On 2010-01-22, at 7:31 PM, Daniel Kerr wrote:

This sort of thing is down to the client. The software on a clients computer is nothing to do with opencart! There is no way that I’m responsible for a client being stupid enough to click links in emails.

Even professional banking sites have trouble with the problem you describe.

The only thing a client can take steps to do is only allowing certain IP’s to access the admin via their hosting.

————————————————–
From: “Ben Maynard”
Sent: Saturday, January 23, 2010 12:52 AM
To: “Daniel Kerr”
Subject: Re: OpenCart – Enquiry

A link in an email is not the only way for this attack to be performed, it was just an example. Its not hard to add protection and would make open cart more secure, security is not something you can take lightly.

————————————————–
On 2010-01-22, at 8:05 PM, Daniel Kerr wrote:
what protection do you recommend?
————————————————–
On 2010-01-22, at 8:05 PM, Daniel Kerr wrote:
to be honest this again is down to the client. not opencart.

the security problem is very low. seriously how is some one going to trick some one into clicking a link to a site that will them display there own web site admin?

your just wasting my time.

Now as you can see, the creator doesn’t care about security which is a very dangerous thing especially when you are creating e-commerce websites. It is also not hard to find websites running OpenCart, you can just google “Powered By OpenCart” and you get thousands of results, imagine how much money could be stolen by targeting half of these websites and who says its not being done right now? This is why it makes me really angry when web developers don’t take security seriously. Now I love PHP and hate it when people say bad things about the language but its true when they say PHP is like a handgun.

PHP is like a handgun. On its own, it is simply an inanimate tool that has no moral leaning. In the hands of a responsible citizen, it can be used to the benefit of society. But in the hands of someone who is untrained or mentally unstable, it can be used to commit horrible atrocities.

Whenever there’s such a tragedy, other developers are quick to blame PHP. If PHP were illegal, then Yahoo! would never have happened. If we regulated PHP tightly, then there would be no Digg.

via The Register.

Now does anyone have any suggestions on what could be done to get the developer to acknowledge the problem and not just put his head in the sand?

Tags: , , ,
Posted in PHP, Security, Web | 29 Comments »

PHP libraries and components

Monday, June 2nd, 2008

Well I haven’t blogged for a bit, so im hoping to do some catch up today. Since working in the business world, I find you never have time to write libraries for everything you want your application to do, and why would you when there are excellent classes out there that do just what you need to, have community + developer support so you do not need to worry about any bugs within your system. Then with all this, it frees up your time so you can spend time working on the things that matter.

So with this in mind, i read an article about 30 useful classes and components, and I recommend checking out half these items. Personally my favorite is HTML Purifier as its a must have to prevent XSS injection attacks + cleaning up user submitted code.

Click here to view 30 useful php classes and components.

Tags: , , ,
Posted in PHP | No Comments »

PHP Frameworks

Tuesday, May 20th, 2008

Over the last week Ive been testing out some php frameworks and seeing what they are like (mainly the install process and checking out the structure of the application).

The first one i tried was symfony. First off, having a php web application that has to be created via command line sucks! (I think you can install it without having ssh access but it is a bit of a mission). After following the instructions step by step, the program just kept throwing errors when creating a project. I may have missed something or my server wasn’t set up quite right but overall i just wasn’t impressed with the installer, IT IS JUST TOO HARD! In the end I had to install it straight from the svn which worked fine, but the styles didn’t come through so looking at the pages was very plain.

When I say the installation is just too hard, I am talking in the fact that I should just be able to copy over some files and expect it to work for a php application, and if it needs some type of installation, then have a web install page. I believe that if you have no linux adminstration skills then you are pretty much screwed if you wish to use the symfony framework.

The second framework i tried was cakephp, now cakephp is how you install a php framework. All i had to do was copy the files over and it was up and running.  There is not much more i can say on cakephp because the setup was very easy and took me 2 mins not 2 hours.

As for the coding aspects of the frameworks, I didn’t really get my hands too dirty and they both to seem to work in the same manner with following the MVC architecture. I’m sure both frameworks have there advantages but based on the install process i would be swinging to cakephp.

Tags: , , ,
Posted in PHP | 1 Comment »

« Older Entries