Friday, December 29, 2006

Zip Code To Location Validation

Jason Palmer has written a function that makes sure the zip code entered by a user matches the city and state; on successful verification the function returns true, otherwise false. Here is his post:

Recently, a client was interested in verifying that any inputted zip code was matched correctly with the city and state the user provided. This can be a very valuable and important thing to verify, especially if you are shipping items.

Using the CodeBump GeoPlaces Web Service I constructed a function which takes three parameters (zip, city, state) and does a case-insensitive comparison to make sure that the given zip code matches the city and state. Upon verification the function will return true. Otherwise, it returns false.

The GeoPlaces Web Service requires a paid membership. Once you receive a subscription, CodeBump will send you a valid subscriptionID and that is the only thing you will have to provide for this function to work correctly.

<?php
//Written by Jason Palmer, 2006.
//Use as you please just please reference back to:
//http://www.jason-palmer.com/

//Returns true on success, and false on failure.
function zip_2_loc($zip, $city, $state)
{
    //Provide your subscriptionID
    $subscriptionID = '';

    //Construct the URL (query values are URL-encoded so a stray "&" or space in the input cannot alter the query)
    $url = "http://codebump.com/services/placelookup.asmx/GetPlacesInside";
    $url .= "?AuthenticationHeader=" . urlencode($subscriptionID);
    $url .= "&place=" . urlencode($zip) . "&state=";

    //Read the whole response; a fixed-size fread() could truncate a longer reply
    $data = file_get_contents($url);
    if ($data === false) {
        return false;
    }

    //Convert the XML data to a SimpleXML object
    $xml = new SimpleXMLElement($data);

    foreach ($xml->GeoPlaceDistance as $value)
    {
        //Match case insensitive
        if (strtolower($city) == strtolower((string)$value->ToPlace)
            && strtolower($state) == strtolower((string)$value->ToState))
        {
            //Match
            return true;
        }
    }
    return false;
}
?>

Saturday, December 16, 2006

A better RegEx pattern for matching e-mail addresses

Posted in Tiffany B Brown Blog.

Below is a more refined version.

^[-+.\w]{1,64}@[-.\w]{1,64}\.[-.\w]{2,6}$

Just as with the previous pattern, this one will match most valid e-mail addresses including:

  • Addresses with periods and plus signs (e.g. ‘tiffany.brown’ or ‘hotc0derch1ck+todolist’)
  • Top-level British and Australian domain names such as ‘.co.uk’ and ‘.com.au’
  • New top-level domains such as ‘.museum’ and ‘.travel’

This pattern takes advantage of the \w character type. It’s a simpler way of saying “a - z (both upper and lower case), 0 - 9 and the underscore character” (though for many languages, \w means any alphanumeric character).

It also checks to see whether a user or domain name contains at least one, but no more than 64 alphanumeric characters. Sixty-four is the maximum character length for user and domain names under SMTP.

This pattern should work with most regular expression engines.
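The pattern in use, as an added example that is not from the original post: it runs the expression over constructed sample addresses (the kinds listed above plus a few edge cases) and compares the result with PHP's built-in FILTER_VALIDATE_EMAIL. The sample addresses are made up.

```php
<?php
// Added example (not from the original post): exercise the pattern above on
// constructed addresses and compare it with PHP's own FILTER_VALIDATE_EMAIL.

// The post's pattern, wrapped in PCRE delimiters.
const EMAIL_PATTERN = '/^[-+.\w]{1,64}@[-.\w]{1,64}\.[-.\w]{2,6}$/';

// Same pattern with \z instead of $: in PCRE a bare $ also matches just before
// a trailing newline, so "user@example.com\n" passes the original pattern.
const EMAIL_PATTERN_STRICT = '/^[-+.\w]{1,64}@[-.\w]{1,64}\.[-.\w]{2,6}\z/';

function matches_pattern(string $pattern, string $addr): bool
{
    return preg_match($pattern, $addr) === 1;
}

// Constructed samples: the address kinds the post lists, plus inputs that
// show where a syntax check stops being enough on its own.
$samples = [
    'tiffany.brown@example.com',               // periods in the local part
    'hotc0derch1ck+todolist@example.com',      // plus sign (sub-addressing)
    'someone@example.co.uk',                   // two-level country TLD
    'curator@example.museum',                  // six-letter TLD (upper bound of {2,6})
    str_repeat('a', 65) . '@example.com',      // local part over the 64-character limit
    'user@example.c',                          // TLD shorter than two characters
    'a@-.--',                                  // passes the pattern, not a usable domain
    "user@example.com\n",                      // trailing newline: $ versus \z
];

printf("%-40s %-8s %-8s %s\n", 'address', 'pattern', 'strict', 'filter_var');
foreach ($samples as $addr) {
    printf("%-40s %-8s %-8s %s\n",
        json_encode($addr),
        matches_pattern(EMAIL_PATTERN, $addr) ? 'yes' : 'no',
        matches_pattern(EMAIL_PATTERN_STRICT, $addr) ? 'yes' : 'no',
        filter_var($addr, FILTER_VALIDATE_EMAIL) !== false ? 'yes' : 'no');
}
```

The last two samples are the ones worth watching: the pattern accepts them, and only the `\z` anchor or `filter_var()` rejects the trailing newline that would otherwise travel into a mail header.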

Compressing files in PHP

by Justin Silverton

Zlib compression has been built into PHP since version 3. It can be used to compress the output of your PHP applications (which can significantly decrease the bandwidth used by a page), but you can also compress any file accessible from your web server.

The code

The following are two functions: compress and uncompress, which can compress and uncompress a specified file.

<?php
function uncompress($srcName, $dstName) {
    // gzfile() returns the decompressed file as an array of lines
    $string = implode("", gzfile($srcName));
    $fp = fopen($dstName, "w");
    fwrite($fp, $string, strlen($string));
    fclose($fp);
}

function compress($srcName, $dstName)
{
    // read the whole source file (works for empty files too, unlike fread() with filesize())
    $data = file_get_contents($srcName);

    // "w9" = write mode at the maximum compression level
    $zp = gzopen($dstName, "w9");
    gzwrite($zp, $data);
    gzclose($zp);
}

compress("test.php", "test.gz");
uncompress("test.gz", "test2.php");
?>


Description of related zlib functions

gzclose — Close an open gz-file pointer
gzcompress — Compress a string
gzencode — Create a gzip compressed string
gzeof — Test for end-of-file on a gz-file pointer
gzfile — Read entire gz-file into an array
gzgetc — Get character from gz-file pointer
gzgets — Get line from file pointer
gzgetss — Get line from gz-file pointer and strip HTML tags
gzinflate — Inflate a deflated string
gzopen — Open gz-file
gzpassthru — Output all remaining data on a gz-file pointer

How to randomize, return and remove numbers from a pool using PHP

<?php
$random_numbers = range(1, 100);
shuffle($random_numbers);
$numbers_chosen = array($random_numbers[0], $random_numbers[1],
    $random_numbers[2], $random_numbers[3]);

print "before ";
print_r($random_numbers); // the full shuffled pool

// array_splice() cuts the first four elements out of $random_numbers and
// returns the remaining 96, so the pool no longer contains the chosen numbers
$random_numbers = array_splice($random_numbers, 4);

print "\nafter ";
print_r($random_numbers); // the pool with the four chosen numbers removed

print "\nchosen ";
print_r($numbers_chosen); // the four numbers chosen
?>

Saturday, December 09, 2006

Network Scanning with HTTP without JavaScript

Here’s a cool way to scan a site visitor’s network using just HTML and the user’s browser.
The concept of doing network scanning via JavaScript is hardly new and is quite easy for anyone with even cursory knowledge of JavaScript. However, the assumption was that as long as you browse the web with JavaScript disabled you are safe from hostile sites scanning your network. Alas, this is not so: in a very interesting post, Jeremiah Grossman shows how this can be done with plain HTML, using no JavaScript whatsoever.

Link: Network Scanning with HTTP without JavaScript - iBlog - Ilia Alshanetsky

PHP Version with the help of Javascript

The good thing about images is that JavaScript can check whether they loaded and what size they are. With this ability it is trivial to detect whether PHP is running at a URL if expose_php=On.

Here is the little proof of concept:

<html><head><title>Detect PHP Version by JavaScript</title>
<script>
function fail()
{
    alert("URL is not powered by PHP or expose_php=off");
}
function detect()
{
    // look the image up by name instead of relying on a browser-created global
    var xxx = document.images["xxx"];
    if (xxx.width == 100 && xxx.height == 58) {
        alert("URL is powered by PHP 4");
    } else if (xxx.width == 113 && xxx.height == 72) {
        alert("URL is powered by PHP 5");
    } else {
        alert("No PHP or unknown PHP version");
    }
}
</script></head>
<body>
<img src="http://URL/?=PHPE9568F35-D428-11d2-A769-00AA001ACF42"
     name="xxx" onerror="fail()" onload="detect()">
</body>
</html>

File downloads in PHP

This is a simple code snippet. It forces the web browser that is currently viewing your script to show a file-download box, so that a file on your system can be downloaded.

Here is the code:

<?php
// $export_long_name is assumed to hold the full path of the file to send
$export_long_name = "/path/to/yourfile.ext";

// start output buffering so that nothing printed before this point corrupts the headers
ob_start();
// disable caching
header("Cache-Control: must-revalidate, pre-check=0, post-check=0");
header("Content-Type: application/binary");
header("Content-Length: " . filesize($export_long_name));
header("Content-Disposition: attachment; filename=yourfile.ext");
readfile($export_long_name);

PHP currently #4 language

The TIOBE Programming Community index gives an indication of the popularity of programming languages. The index is updated once a month. The ratings are based on the world-wide availability of skilled engineers, courses and third party vendors. The popular search engines Google, MSN, and Yahoo! are used to calculate the ratings. Observe that the TPC index is not about the best programming language or the language in which most lines of code have been written.

Where PHP stands currently (October 2006):

Position (Oct 2006): 4
Position (Oct 2005): 4
Ratings (Oct 2006): 9.863%
Delta (Oct 2005): +0.19%
Status: A

A status of A means it is a mainstream programming language.

The full list can be found here: http://www.tiobe.com/tpci.htm

php easter eggs

By Justin Silverton

The following are some easter eggs found in various versions of PHP. To see them, find any web server with the respective version of PHP installed and append one of the query strings below to any URL that ends with a PHP script.

php 4.x

php image (depending on the version, either a dog or a rabbit):

?=PHPE9568F36-D428-11d2-A769-00AA001ACF42

Note: The dog was a part of the php community. More information can be found here

The php logo:

?=PHPE9568F34-D428-11d2-A769-00AA001ACF42

Powered by zend logo:

?=PHPE9568F35-D428-11d2-A769-00AA001ACF42

credits (shows all authors and contributors):

?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000

If you have a website running PHP and you would like to disable these, you can do so by setting “expose_php” to Off in php.ini.
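An added check for the server side of this, written here and not taken from the post: it asks a server you administer for the two things expose_php=On reveals (the X-Powered-By header, and the image that the easter-egg query strings above produce on PHP releases before 5.5), so you can confirm that the php.ini change took effect. The URL is an assumption; point it at one of your own scripts, without a query string.

```php
<?php
// Added example (not from the original post): verify on a server you
// administer whether expose_php is still on. With expose_php=On PHP adds an
// "X-Powered-By: PHP/x.y.z" header to every response and, on releases
// before 5.5, answers the query strings listed above with an image instead
// of the script's output. The URL at the bottom is an assumption.

const PHP_LOGO_QUERY = '?=PHPE9568F34-D428-11d2-A769-00AA001ACF42';

// Return the value of one header from get_headers($url, true) output, or null.
function header_value(array $headers, string $wanted): ?string
{
    foreach ($headers as $name => $value) {
        if (is_string($name) && strcasecmp($name, $wanted) === 0) {
            // After a redirect get_headers() stores an array per repeated
            // header; the last entry belongs to the final response.
            return is_array($value) ? (string)end($value) : (string)$value;
        }
    }
    return null;
}

function expose_php_report(string $script_url): array
{
    $report = ['x_powered_by' => null, 'easter_egg_served' => false, 'exposed' => false];

    // 1. Plain request: look for the version banner header.
    $headers = @get_headers($script_url, true);
    if ($headers !== false) {
        $report['x_powered_by'] = header_value($headers, 'X-Powered-By');
    }

    // 2. Easter-egg request: an image Content-Type means the egg is active.
    $egg = @get_headers($script_url . PHP_LOGO_QUERY, true);
    if ($egg !== false) {
        $ct = header_value($egg, 'Content-Type');
        $report['easter_egg_served'] = $ct !== null && stripos($ct, 'image/') === 0;
    }

    $report['exposed'] = $report['x_powered_by'] !== null || $report['easter_egg_served'];
    return $report;
}

$report = expose_php_report('http://www.example.com/index.php');   // assumed URL
foreach ($report as $key => $value) {
    printf("%-18s %s\n", $key, var_export($value, true));
}
if ($report['exposed']) {
    echo "expose_php appears to be On: set expose_php = Off in php.ini and restart the web server.\n";
}
```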

Zend Studio Client (ZDE)

When the studio is open, simply press Ctrl+Shift+Z and left-click to see a team member's picture.

mysql will now support scheduled events

By Justin Silverton

MySQL 5.1 beta has recently been released. It is only a beta (and should not be used in a production environment), but it does show us some of the new features that will appear in future stable releases:
  • Partitioning: This capability enables distributing portions of individual tables across a filesystem, according to rules which can be set when the table is created. In effect, different portions of a table are stored as separate tables in different locations, but from the user point of view, the partitioned table is still a single table. Syntactically, this implements a number of new extensions to the CREATE TABLE, ALTER TABLE, and EXPLAIN ... SELECT statements. As of MySQL 5.1.6, queries against partitioned tables can take advantage of partition pruning. In some cases, this can result in query execution that is an order of magnitude faster than the same query against a non-partitioned version of the same table.
  • Row-based replication: Replication capabilities in MySQL originally were based on propagation of SQL statements from master to slave. This is called statement-based replication. As of MySQL 5.1.5, another basis for replication is available. This is called row-based replication. Instead of sending SQL statements to the slave, the master writes events to its binary log that indicate how individual table rows are affected. As of MySQL 5.1.8, a third option is available: mixed. This will use statement-based replication by default, and only switch to row-based replication in particular cases.
  • Plugin API: MySQL 5.1 adds support for a very flexible plugin API that enables loading and unloading of various components at runtime, without restarting the server. Although the work on this is not finished yet, plugin full-text parsers are a first step in this direction. This allows users to implement their own input filter on the indexed text, enabling full-text search capability on arbitrary data such as PDF files or other document formats. A pre-parser full-text plugin performs the actual parsing and extraction of the text and hands it over to the built-in MySQL full-text search.
  • Event scheduler: MySQL Events are tasks that run according to a schedule. When you create an event, you are creating a named database object containing one or more SQL statements to be executed at one or more regular intervals, beginning and ending at a specific date and time. Conceptually, this is similar to the idea of the Unix crontab (also known as a “cron job”) or the Windows Task Scheduler.

A new password flaw found in Firefox 2

    By Justin Silverton

    In a recent article, a new flaw in firefox 2 is discussed:

    “Mozilla’s Firefox 2.0 has long been considered a safer Web browser than Microsoft’s Internet Explorer, but a new flaw in the Firefox Password Manager, which lets users store usernames and passwords for trusted Web sites, could let hackers steal their login data.

The problem, known as a reverse cross-site request, or RCSR, was first discovered by Robert Chapin, a Microsoft Certified Systems Engineer (MCSE) and I.T. consultant. The RCSR appears on blogs, message boards, or group forums that let users add comments with embedded HTML code.

    On sites that allow users to enter code, a hacker can embed a form that tricks the user’s browser into sending its username and password information to the hacker’s computer. Because the form is embedded on a trusted Web site, the browser’s built-in antiphishing protection, which is designed to alert users to fraudulent Web sites, does not detect the problem.”

    When will this flaw be fixed?

    The Mozilla Foundation (the group behind the firefox browser) has classified it as Bug #360493 and also announced that it will be fixed in version 2.0.0.1 or 2.0.0.2.

    This attack can be avoided by disabling the browsers’ autosave features for usernames and passwords. I

    Saturday, November 04, 2006

    PHP.Hop - PHP Honeypot Project

This post belongs to Ruben; he posted it on Orkut:

PHP.HoP is an open-source, application-based low-interaction honeypot dealing with web threats. It is widely used to:

  • Fool different kinds of web attackers (audit tools, manual hax0rs...)
  • Create real statistics about the top 10 commands used by an intruder
  • Steal malware (PHP, C, Perl) that attackers wanted to upload
  • Identify evil behaviours and learn about current web threats


Live demo of a fake PHPShell module: http://webmail.rstack.org/config/

More information about the project (PDF): http://www.rstack.org/phphop/phphop.pdf

Download the current public version of PHP.HoP: http://www.rstack.org/phphop/download/

    Upcoming changes in PHP 6.0

    The PHP world is really excited about the upcoming release of PHP 6.0. Amongst all the uncertainties in any new release, PHP 6.0 seems to be getting rid of three of the earlier troublesome features: register_globals, magic_quotes_gpc and safe_mode. The first was a big security hole, the second messed with the data and made changing environments quite difficult, while the third was usually misread, and provided a false sense of security.

Ruben has written a longer article about this on his blog; please read it here:

    http://www.rubenbenjamin.com/blogs/?cat=4

    Thursday, September 28, 2006

    Browser detection in PHP

    Did you know that PHP has a built in function to detect which browser your visitor is running?
    There is PHP’s get_browser function.

    Here’s how to use this function:

<?php $visitorbrowser = get_browser(null, true); print_r($visitorbrowser); ?>

With the second argument set to true the function returns an array (an object otherwise) containing details about the user’s browser; the output looks something like the one below:

    [browser_name_regex] => ^mozilla/5.0 (windows; .*; windows nt 5.1.*) gecko/.* firefox/1.5.*$
    [browser_name_pattern] => Mozilla/5.0 (Windows; *; Windows NT 5.1*) Gecko/* Firefox/1.5*
    [parent] => Firefox 1.5
    [platform] => WinXP
    [browser] => Firefox
    [version] => 1.5
    [majorver] => 1
    [minorver] => 5
    [css] => 2
    [frames] => 1
    [iframes] => 1
    [tables] => 1
    [cookies] => 1
    [backgroundsounds] =>
    [vbscript] =>
    [javascript] => 1
    [javaapplets] => 1
    [activexcontrols] =>
    [cdf] =>
    [aol] =>
    [beta] =>
    [win16] =>
    [crawler] =>
    [stripper] =>
    [wap] =>
    [ismobiledevice] =>
    [netclr] =>

To get PHP to detect your browser properly, you’ll have to get the updated browscap.ini file and set the path to it in your php.ini file.

To set the path to the browscap.ini file, add the following entries to your php.ini:

    [browscap]
    browscap = /path/to/browscap.ini

    Links:

browscap.ini file: http://browsers.garykeith.com/downloads.asp
    PHP get_browser function lookup: http://in.php.net/manual/en/function.get-browser.php

    Saturday, July 15, 2006

    Tracking Yahoo User

    Hi All,

I found the way to track the Yahoo user who is chatting with you. Please follow the method as I have described below; you can get his/her location like Country/State/City/Region and much more information.

Simple method 1
Make a simple script page in ASP, PHP, JSP or any language that logs the remote user's IP. Then take the IP and do a query on whois.net.

    you can get the geographical ip address.

Simple method 2
Send him an email and make him reply. Check the headers.

All methods can give you his physical IP address, and if he is in a network you won't get access to his physical computer.

If you want to get his IP for any sort of trojan attack/script attack etc., this info isn't really useful.

By method 1, if he/she replies to the mail: in Yahoo, when you open the mail, scroll down and on the right side you will find the Full Header link. Click it and you will get all the information about the mail. Find the field [Received: from [202.80.49.75]]; this is the IP address. Copy this IP address, then go to the site http://www.maxmind.com/app/locate_ip, paste the address and press the submit button; you will get all the information.

For example: I received the mail, then I clicked on the Full Header link and got the following information:

    X-Apparently-To: ansarahmed_8@yahoo.co.in via 203.84.221.31; Wed, 28 Jun 2006 21:19:01 +0530
    X-Originating-IP: [209.191.86.236]
    Return-Path:
    Authentication-Results: mta117.mail.in.yahoo.com from=yahoo.com; domainkeys=pass (ok)
    Received: from 209.191.86.236 (HELO web42103.mail.mud.yahoo.com) (209.191.86.236) by mta117.mail.in.yahoo.com with SMTP; Wed, 28 Jun 2006 21:19:00 +0530
    Received: (qmail 33042 invoked by uid 60001); 28 Jun 2006 15:48:58 -0000
    DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Message-ID:Received:Date:From:Subject:
    To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=KzThMRS6GXE1qm/driHDs9hZ1nylNPMAXvKR3EAVig8V6
    +IAUuDYtpek1jtQHkTqRPYKZE
    +7iGxuA1zWpjfSz8vjcDccm+i8T1PA4J9LpwYu/4k
    +CbLDv9aqZL9Q4vEl3CgDCSn+
    7PcI7HBoCqr3IsaEdeqGYaFL57i3ru6vp7Q= ;
    Message-ID: <20060628154858.33040.qmail@web42103.mail.mud.yahoo.com>
    Received: from [202.80.49.75] by web42103.mail.mud.yahoo.com via HTTP; Wed, 28 Jun 2006 08:48:58 PDT
    Date: Wed, 28 Jun 2006 08:48:58 -0700 (PDT)
From: "h b"
    Subject: me (dont give to else)
    To: ansarahmed_8@yahoo.co.in
    MIME-Version: 1.0
    Content-Type: multipart/mixed; boundary="0-1255100025-1151509738=:32596"
    Content-Transfer-Encoding: 8bit
    Content-Length: 6942

I found the "Received: from" field, i.e. Received: from [202.80.49.75].
When I copied and pasted this IP address
into http://www.maxmind.com/app/locate_ip I found all the information,
like Hostname, Country Name, City, State etc.
    Regards,
    Ansar Ahmed

    Saturday, July 01, 2006

    How to Hack Yahoo ID ?

    Hi Guys,

I was shocked when I heard that one of my colleagues' Yahoo IDs had been hacked, and it's true: we were receiving junk mails from that Yahoo ID, and from that day I was spending most of my free time finding out how they might have hacked her Yahoo ID. Then finally I got how they might have hacked it. The four most common ways of hacking Yahoo IDs are:

    1.) Social Engineering
    2.) Password Crackers
    3.) Using Password Stealing Trojans/Keyloggers
    4.) Fake Login Pages

1. Social Engineering is actually nothing but trying to know your personal and confidential details and then using them to change your password... BUT HOW? OK, there's a forgot-password option with Yahoo which asks for your B'day, Country & Zip Code & later your security question. Now generally lamers who try this mode of hacking have lots of time to waste. They will put you into some kind of friendship/emotional trap and try to get all the above mentioned information. It may take 1-2 days or even 1-2 months... (Really, I pity such lamers!!)

2. The second kind of hacking attempt is done with the help of Yahoo Password Crackers... I doubt their efficiency, but still some of them are lucky (the other way round, you are stupid, lol)... Password Crackers & Password Changers use the Brute Force technique with their updated wordlists... WHAT IS BRUTE FORCE? I'll make it simple... it's like using all possible combinations and permutations of the available data and using them as a password... But again it takes a hell of a lot of time to crack a password...

3. The third and one of the most frequently used ways of hacking or stealing Yahoo passwords is using trojans and keyloggers... WHAT ARE TROJANS? Hmmm... I already have one... but still, TROJANS are simple programs with a server part and a client part... you infect the victim's computer with the server part, and the server then connects to the client running on your system and sends passwords and vital information... and KEYLOGGERS are programs which record your keystrokes in a log.txt file and send that log file to the hacker...

I have this trojan program; believe me, it worked, guys, I tried it on my Yahoo ID. Don't want to say more about it, secret... lol.. ;) So please be careful when you are accepting any files sent by someone.

Once infected by these trojans, the infected server sends your password to the hacker's Yahoo Messenger ID as PMs...


4. The last form of Yahoo password stealing is done by using FAKE LOGIN PAGES... Now what the **** :-) is a fake login page? These are cloned pages of the real Yahoo Mail sign-in pages. They look very similar to their real counterparts and are really very difficult to distinguish... Once you put in your real ID and password and press the submit button you will be either redirected to some other page or to an invalid-login page, but the trick has already been played by this time... your ID and password would have been mailed to the hacker's mail ID by using a 3rd-party SMTP server, and you don't even realize that you are HACKED...

So be careful. Always view the address bar... If the address bar shows something like http://mail.yahoo.com or http://edit.login.yahoo.com then it's the authentic page, but if it's something different then DO NOT login.

    Friday, June 30, 2006

    Global Include Trick

    As the major part in my PHP Application Architecture, this trick allows you to include a global file at the top of your scripts. It has the benefit of not keeping the file location or name inside of each individual PHP script.

I was able to accomplish this by using Apache's SetEnv directive. It registers a variable visible to all scripting languages through an entry in either an .htaccess or httpd.conf file. Then in each of my PHP scripts I include that variable's contents.

    A very handy trick, if you ask me.
Source:

<?php
/*
 * This goes into the Apache configuration file (or .htaccess)
 *
 * SetEnv GLOBAL /mypage/local/application.php
 *
 * Then put the below PHP into each of your scripts... enjoy!
 */

// Apache's SetEnv value is exposed to PHP through getenv()
require(getenv("GLOBAL"));
?>

    Monday, June 12, 2006

    Creating a CAPTCHA with PHP

You may be thinking: just exactly what is a CAPTCHA? Well, you are likely to have already seen them across the web. They are those little images with a code on the front that you type into a box in order to submit something. This kind of system helps to prevent automatic submission of an operation by some kind of program or robot. In this tutorial I will show you how to make a CAPTCHA just like the one below. It's not the most advanced CAPTCHA available, because it uses a simple system font and nothing more.

[Example CAPTCHA image]

The lines that you see above are there to make any robot's job of trying to work out the code a little harder. The dots in the background also help with this. Follow the link to learn more about how to create a CAPTCHA.

    Saturday, June 10, 2006

    Graphs generation using php

    Click on the image for more info

    File Download Security

Want to prevent people from linking directly to your downloads? This script forces a page to be loaded before the download starts. HTTP header statements are used to trigger the download of the file, and PHP is used to push the file to the browser.
Principles
HTTP headers must be sent before any output is sent to the browser. PHP uses the header function to pass raw HTTP headers.

<?php
$dir = "/path/to/file/";
if (isset($_REQUEST["file"])) {
    // basename() drops any directory part, so "../" in the request cannot escape $dir
    $file = $dir . basename($_REQUEST["file"]);
    header("Content-type: application/force-download");
    header("Content-Transfer-Encoding: Binary");
    header("Content-length: " . filesize($file));
    header("Content-disposition: attachment; filename=\"" . basename($file) . "\"");
    readfile($file);
} else {
    echo "No file selected";
}
?>

We started by setting the directory where the files to be downloaded are located in $dir. Be sure not to use \ in $dir. Then we checked to make sure a filename was specified in the request. If a file was specified, we set $file to the path to the file plus the filename. Now that the prep work is done it's time to send the file to the browser.
    The first header statement tells the browser to expect a download. The next two header statements tell the browser the format of the data and the size of the file respectively. The last header statement tells the browser the name of the file. Finally the readfile statement sends the file to the browser.
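Serving a file whose name comes straight from the request is the risky step in this script and in the "File downloads in PHP" snippet further up: without a check, a request for a name like ../../etc/passwd points outside the download directory. The following is an added example, not code from either post: it resolves the requested name inside one directory with realpath(), rejects anything that leaves it, and sanitises the file name used in Content-Disposition. It assumes PHP 7.1 or later; the download directory and the sample file are constructed.

```php
<?php
// Added example (not from the original posts): a download handler that only
// ever serves files inside one directory, whatever the request says. The
// directory, file names and requests below are constructed assumptions.

// Resolve a requested name to a real file inside $dir, or return null.
// realpath() collapses "..", symlinks and duplicate slashes before the check,
// so the containment test runs on the path the filesystem will actually open.
function resolve_download_path(string $dir, string $requested): ?string
{
    $base = realpath($dir);
    if ($base === false) {
        return null;                              // download directory missing
    }
    // Only a bare file name is accepted: no directory separators, no NUL bytes.
    if ($requested === '' || strpos($requested, "\0") !== false
        || $requested !== basename($requested)) {
        return null;
    }
    if ($requested[0] === '.') {                  // hidden files such as .htaccess
        return null;
    }
    $real = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Final containment check: the resolved path must stay under $base.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Keep only characters that cannot break out of the Content-Disposition
// header (CR/LF would end it, a quote would close the filename value).
function safe_download_name(string $name): string
{
    $clean = preg_replace('/[^A-Za-z0-9._-]/', '_', $name);
    return $clean === '' ? 'download' : $clean;
}

function send_download(string $dir, string $requested): bool
{
    $path = resolve_download_path($dir, $requested);
    if ($path === null) {
        http_response_code(404);                  // same answer for missing and rejected names
        echo 'No such file';
        return false;
    }
    while (ob_get_level() > 0) {                  // drop buffered output so Content-Length stays exact
        ob_end_clean();
    }
    header('Content-Type: application/octet-stream');
    header('Content-Length: ' . filesize($path));
    header('Content-Disposition: attachment; filename="' . safe_download_name(basename($path)) . '"');
    header('Cache-Control: must-revalidate');
    readfile($path);
    return true;
}

// In a script: send_download('/path/to/downloads', $_REQUEST['file'] ?? '');
// Constructed demonstration of what the resolver accepts and rejects.
$tmp = sys_get_temp_dir() . '/dl_' . getmypid();
mkdir($tmp);
file_put_contents($tmp . '/report.pdf', 'constructed sample content');
foreach (['report.pdf', '../../etc/passwd', 'sub/../report.pdf', '.htaccess', ''] as $name) {
    $r = resolve_download_path($tmp, $name);
    printf("%-22s => %s\n", var_export($name, true), $r === null ? 'rejected' : 'serve ' . $r);
}
unlink($tmp . '/report.pdf');
rmdir($tmp);
```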

    PHP User Group for Bangalore


We had our very first Bangalore PHP meetup last Friday. A bunch of PHP people joined up on our company terrace to get the momentum going on meeting up with PHP professionals around Bangalore. One of the key points of the discussion was to start a PHP user group in Bangalore, since there wasn’t one already (yep, the IT city doesn’t yet have a PHP user group). As a first step, we’ve set up a mailing list over at Yahoo Groups to enable communication between the users. If you’re interested in joining the group, you can subscribe by sending a mail to bang-phpug-subscribe@yahoogroups.com. This is still a new group, so we’re still getting the momentum going with discussions and memberships; do contribute to the discussions over at the group.



    Check the following meetup.com page regarding the meeting:

    http://php.meetup.com/329/