
New Host

Due to latency issues and the lack of multi-site support, I have ditched my old web host

in favour of an all-singing, all-dancing NEW ONE: nativespace. Thus far I have had excellent ticket turnaround (all in 30 minutes or less), and my initial sales enquiry (consisting of a lot of lengthy questions) was responded to in … 6 minutes!

So thus far it is definitely on my recommended list.


PHP Security Considerations, a Quick Reference for the Newbies.

Too often I get passed code to review that, quite frankly, is so full of holes it wouldn't make an adequate sieve…

So in this quick blog post I outline a few simple and easily implemented steps to ensure that, as you start out in the world of PHP, your first site isn't hacked within 5 minutes, leaving you a whimpering wreck…

PHP DON’T EXAMPLE 1:

Passing RAW globals to MySQL!

i.e.

$sql = "SELECT * FROM users WHERE email='" . $_GET['email'] . "' AND password='" . $_GET['password'] . "';";
$result = mysql_query($sql);

So what is wrong with the above? SQL INJECTION: welcome to a world where people want to break your website, simply because they can… The query text is assembled from whatever the client put in the URL, so the client, not you, decides what SQL actually runs.

I am not going to add more description here; just read the Wikipedia entry on SQL injection…

To avoid this, PHP comes with two functions, mysql_escape_string() and mysql_real_escape_string(). Use the latter: it takes the connection's character set into account, whereas mysql_escape_string() does not and is deprecated. Bear in mind that escaping only protects values that sit inside quotes; a value dropped into a numeric context (WHERE id=$_GET['id']) is still injectable after escaping, which is why prepared statements (mysqli or PDO) are the better habit to build from day one.

An example taken from the mysql_real_escape_string() page:

Example#2 An example SQL Injection Attack

<?php
// What an attacker submits: the password field closes the quote and adds a tautology.
// (In the manual these assignments follow the query; they are moved first here so
// the echo below shows the query that would really be sent.)
$_POST['username'] = 'aidan';
$_POST['password'] = "' OR ''='";

// Query database to check if there are any matching users
$query = "SELECT * FROM users WHERE user='{$_POST['username']}' AND password='{$_POST['password']}'";
mysql_query($query);

// We didn't check $_POST['password'], it could be anything the user wanted!
// This means the query sent to MySQL would be:
echo $query;
?>

The query sent to MySQL:

SELECT * FROM users WHERE user='aidan' AND password='' OR ''=''

This would allow anyone to log in without a valid password: AND binds tighter than OR, so the condition is true for every row and the first user in the table is returned.

So in summary, READ the mysql_real_escape_string() page, and even if you don't implement the "best practice" example on that page, PLEASE make sure you at least escape every value from $_GET, $_POST, $_COOKIE, $_SESSION or anywhere else before it goes into a query, with mysql_real_escape_string(), or better still use prepared statements!
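The login query from the post built three ways, as an added example (not code from the original post or from the PHP manual). It assumes PHP 7 or later with the mysqli extension and the mysqlnd driver (needed for get_result()), an open connection $db, and a table users(email, password). The mysql_* functions the post names were removed in PHP 7; mysqli_real_escape_string() is the direct equivalent of mysql_real_escape_string().

```php
<?php
// Added example, not code from the original post: the post's login query built
// three ways. Assumes PHP 7+ with the mysqli extension and mysqlnd (for
// get_result()), an open connection $db, and a table users(email, password).

// DON'T: raw request data concatenated into SQL. Whoever controls $email or
// $password controls the text of the query.
function vulnerable_login_sql(string $email, string $password): string
{
    return "SELECT * FROM users WHERE email='" . $email . "' AND password='" . $password . "'";
}

// Better: escape each value before it is concatenated. The escaping function
// needs the live connection so it can honour the connection's character set.
// This only protects values that sit inside quotes; a bare number such as
// "WHERE id=" . $id is still injectable even after escaping.
function escaped_login_sql(mysqli $db, string $email, string $password): string
{
    $e = mysqli_real_escape_string($db, $email);
    $p = mysqli_real_escape_string($db, $password);
    return "SELECT * FROM users WHERE email='" . $e . "' AND password='" . $p . "'";
}

// Best: a prepared statement. The SQL text with placeholders is parsed first
// and the values are bound separately, so no input can change the structure of
// the query. Returns the matching row, or null when the login fails.
function safe_login(mysqli $db, string $email, string $password): ?array
{
    $stmt = $db->prepare("SELECT * FROM users WHERE email = ? AND password = ?");
    $stmt->bind_param('ss', $email, $password);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// The manual's attack: the password field closes the quote and adds a
// tautology. Only the vulnerable builder is called here because it needs no
// database; the other two need the $db connection described above.
$email = 'aidan';
$password = "' OR ''='";
echo vulnerable_login_sql($email, $password), PHP_EOL;
```

Run on its own, the file prints the same tautological query the manual example above produces, which MySQL evaluates as (email='aidan' AND password='') OR (''=''), matching every row. Given the same two inputs, safe_login() sends them as data, so the only way it returns a row is if some user literally has ' OR ''=' as their password.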


Burying Heads in the Sand

Here in the UK there appears to be a major shift in mentality as the country looks set to slide into a major slowdown. Far from accepting the reality of the situation, all sense of reality seems to have gone out of the window with both Alastair Darling and The Bank of England downplaying the effects of the banking crisis on the economy. As we have discovered on P45now job losses both here in the UK are threatening to reach epidemic proportions with banks, shops and the civil service all facing major cutbacks. Surely this institution is aware of a crisis looming? The latest news coming out of the North East, however, leads one to conclude that current policy among those with vested interests is to bury their head in the sand while all around people are losing theirs! We hear today that the North East Regional Development Agency is “upbeat over jobs”. This is despite 2,000 jobs going at Northern Rock contributing to a 7% cut in the region’s banking and insurance sector jobs and a strike over job cuts in the regions job centres. We then hear that there are 1,100 vacancies in the financial sector which should cater for about half the people who will be out of work this year. Rather than being kept in the dark by agencies more concerned with damaging reputations it’s high time they come clean about what’s really happening….

[VIA: p45now.com]


Can’t Change to Run as User ‘Mysql’. Please Check That the User Exists!

So you've recently made a change to your MySQL installation and see the following in /var/lib/mysql/server.err:

080317 14:08:50 mysqld started
080317 14:08:50 [ERROR] Fatal error: Can't change to run as user 'mysql' ; Please check that the user exists!
080317 14:08:50 [ERROR] Aborting

080317 14:08:50 [Note] /usr/sbin/mysqld: Shutdown complete

080317 14:08:50 mysqld ended

This is a problem for which many hours spent on Google have not found the answer, so I am writing here exactly what to do in this situation…

First off

cd /var/lib/mysql

Now run

ls -la

No doubt you will see something similar to this:

drwx--x--x   2 27 mysql     4096 Mar 17 14:05 mysql

Notice the "27 mysql": the owner is shown as a bare number because uid 27 no longer has an entry in /etc/passwd, so ls cannot resolve it to a name (the mysql group still resolves, which is why the group column is unaffected). mysqld tries to drop privileges to the user named in its config, and since that user does not exist it aborts rather than run as root.

This is fairly simple to fix.

adduser mysql
chown mysql:mysql -R /var/lib/mysql

The new account gets a fresh uid, which is why the chown over the whole data directory is needed. If you would rather keep the existing files' ownership intact, recreate the account with its old uid and no login shell instead (useradd -r -u 27 -s /sbin/nologin mysql), which also keeps the service account from being usable interactively.

Now start up MySQL, i.e. "service mysqld start" (or "service mysql start", depending on what the init script is called on your distribution), and everything should be fine.


Apache, PHP Frameworks, and Multi Site .htaccess

If, like me, you have a PHP framework that runs multiple sites, you have no doubt thought at some point…

"Hey, I really could do with this rewrite rule on that site, but I don't want it applying to all sites running on the same framework."

Well, fear not: after much head scratching, the AccessFileName directive comes to the rescue. It is valid in the server config and in a VirtualHost, so each vhost can name its own access file even though they all share the same DocumentRoot, i.e.

<VirtualHost xxx.xxx.xxx.xxx:80>
        DocumentRoot /path/to/framework
        ServerName buzz.blog.oneiroi.co.uk
        AccessFileName .buzz_htaccess
        CustomLog logs/buzz_access_log combined
        ErrorLog logs/buzz_error_log
</VirtualHost>

Using this method you can specify bespoke htaccess files on a per-VirtualHost basis. One caveat: the stock httpd.conf only refuses to serve files whose names match ".ht*", and a file called .buzz_htaccess does not match that pattern, so add a Files or FilesMatch block that denies it, otherwise a request for /.buzz_htaccess would hand the client your rewrite rules.
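The full arrangement for two sites served from one framework checkout, as an added example rather than configuration from the original post. The second hostname, the log names and the file names are assumptions; the syntax is Apache 2.4 (on 2.2, the era of the post, use "Order allow,deny" followed by "Deny from all" in place of "Require all denied").

```apache
# Added example, not from the original post: two vhosts sharing one framework
# checkout, each reading its own access file. Hostnames, paths and the second
# site are assumptions; Apache 2.4 syntax.

<VirtualHost xxx.xxx.xxx.xxx:80>
    DocumentRoot /path/to/framework
    ServerName buzz.blog.oneiroi.co.uk
    # Rewrite rules for this site only live in /path/to/framework/.buzz_htaccess
    AccessFileName .buzz_htaccess
    CustomLog logs/buzz_access_log combined
    ErrorLog logs/buzz_error_log
</VirtualHost>

<VirtualHost xxx.xxx.xxx.xxx:80>
    DocumentRoot /path/to/framework
    ServerName other.example.com
    # Same DocumentRoot, different access file, so the rules above do not apply here
    AccessFileName .other_htaccess
    CustomLog logs/other_access_log combined
    ErrorLog logs/other_error_log
</VirtualHost>

# The stock httpd.conf only denies files matching ".ht*". Renamed access files
# fall outside that pattern, so deny them explicitly. Place this in the main
# server config so it covers every vhost, not just one.
<FilesMatch "^\.(ht.*|[a-z]+_htaccess)$">
    Require all denied
</FilesMatch>
```

After reloading, confirm the protection with a plain request to each vhost, e.g. curl -i -H "Host: buzz.blog.oneiroi.co.uk" http://xxx.xxx.xxx.xxx/.buzz_htaccess, which should return 403 rather than the file's contents.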

 Enjoy!