1 Nov 2013

A Note on Security of PHP

php , javascript , html5 , css3 , web design development
PHP is a powerful and versatile tool. That power and adaptability come from PHP being a very thin framework sitting on top of dozens of distinct third-party libraries. Each of these libraries has its own input data characteristics: data that is safe to pass to one library may not be safe to pass to another.

A recent Internet worm named NeverEverSanity exposed a mistake in the input validation of the popular phpBB message board application. Its highlighting code did not account for double-urlencoded input properly. Without proper input validation of untrusted user data, combined with any of the PHP calls that can execute code or write to the filesystem, you create a potential security problem. Despite some confusion about the timing of some unrelated PHP security fixes relative to the NeverEverSanity worm, the worm did not actually have anything to do with a security problem in PHP.

When we talk about security in a web application we really have two categories: remote and local. Every remote exploit can be avoided with very careful input validation. If you are writing an application that asks for a user's name and age, check that you are only getting the characters you would expect. Also make sure you are not getting too much data, which could overflow your backend data storage or whatever manipulation functions you will be passing this data to. A variation of the remote exploit is the XSS, or cross-site scripting, problem, where one user enters some JavaScript that the next user then views.
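The name-and-age check above, worked through in PHP as an added example (this is not code from the original note). It whitelists both fields on the already-decoded request data, caps their size, and escapes at the HTML output boundary for the XSS case. The field limits, the regular expressions, the helper names and the sample inputs are assumptions made for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original note: whitelist validation of the
// "name" and "age" fields the note uses as its illustration, plus escaping at
// the HTML output boundary for the XSS case. Field limits, the regular
// expressions and the sample inputs below are assumptions made for the demo.

const NAME_MAX_BYTES = 64; // assumed to match the backend column width

// PHP has already URL-decoded $_GET and $_POST once by the time the script runs.
// Do not decode again after checking: "%253C" decodes to "%3C" and then to "<",
// so a check done before a second urldecode() is bypassed. Whitelisting the
// decoded value instead also rejects any leftover "%XX" from double encoding.
function validateName(string $raw): ?string
{
    $len = strlen($raw);
    if ($len === 0 || $len > NAME_MAX_BYTES) {
        return null;
    }
    // Letters, spaces, apostrophes and hyphens only: no angle brackets, quotes
    // or percent signs can reach the database or the page.
    if (!preg_match('/\A[A-Za-z][A-Za-z \'\-]*\z/', $raw)) {
        return null;
    }
    return $raw;
}

function validateAge(string $raw): ?int
{
    // Digits only and at most three of them, then a range check, so an oversized
    // value can neither overflow a small integer column nor be passed on.
    if (!preg_match('/\A[0-9]{1,3}\z/', $raw)) {
        return null;
    }
    $age = (int) $raw;
    return ($age >= 0 && $age <= 150) ? $age : null;
}

// Escape at the output boundary even though $name was validated: input
// validation and output encoding protect different layers, and the name may
// come back out of the database long after it was validated.
function renderGreeting(string $name, int $age): string
{
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p>Hello, {$safe}. You are {$age}.</p>";
}

// The XSS-prone form, for contrast: whatever one user submitted is echoed to
// the next viewer unchanged.
function renderGreetingUnsafe(string $name, string $age): string
{
    return "<p>Hello, {$name}. You are {$age}.</p>";
}

// Constructed inputs, as they would appear in $_GET after PHP's single decode.
$inputs = [
    ['name' => 'Mary-Ann', 'age' => '34'],                   // accepted
    ['name' => '<script>alert(1)</script>', 'age' => '34'],  // rejected by whitelist
    ['name' => '%3Cscript%3E', 'age' => '34'],               // double-encoded: rejected
    ['name' => 'Bob', 'age' => '99999999999999999999'],      // too large for storage
];

foreach ($inputs as $in) {
    $name = validateName($in['name']);
    $age  = validateAge($in['age']);
    if ($name === null || $age === null) {
        echo 'rejected: ' . json_encode($in) . "\n";
        continue;
    }
    echo renderGreeting($name, $age) . "\n";
}

// What the unsafe version would have emitted for the second input:
echo renderGreetingUnsafe('<script>alert(1)</script>', '34') . "\n";
```

The two checks are deliberately independent: the whitelist protects the database and any library the value is handed to, while htmlspecialchars() protects the browser. Dropping either one reopens a hole the other does not cover.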

For local exploits we mostly hear about open_basedir or safe_mode issues on shared virtual hosts. These two features are there as a convenience to system administrators and should in no way be considered a complete security framework. With all the third-party libraries you can hook into PHP, and all the creative ways you can trick these libraries into accessing files, it is not possible to guarantee security with these directives. The Oracle and cURL extensions each have ways to go through the library and read a local file, for example. Short of modifying these third-party libraries, which would be difficult for the closed-source Oracle library, there really is not much PHP can do about this.

When you have PHP by itself with only a small set of extensions, safe_mode and open_basedir are usually enough to frustrate the average attacker, but for critical security situations you should be using OS-level security: run multiple web servers, each as its own user id, and preferably in separate jailed/chroot'ed filesystems. Better yet, use completely separate physical servers. If you share a server with someone you do not trust, you need to understand that you can never achieve airtight security.

29 Oct 2013

JavaScript Variable Scope & Hoisting Explained


javascript web design development php html5 css3 ajax

In this post, we will learn JavaScript's variable scope and hoisting and all the idiosyncrasies of both.

It is imperative that we understand how variable scope and variable hoisting work in JavaScript. These concepts may seem straightforward, but they are not. There are some important subtleties that we must understand if we want to succeed in JavaScript development.

Variable Scope

A variable's scope is the context in which the variable exists. It specifies from where you can access a variable and whether you have access to the variable in that context.
Variables have either a local scope or a global scope.

Local Variables (Function-level scope) :
Unlike most programming languages, JavaScript (for var declarations) does not have block-level scope, where a variable is scoped to the enclosing curly brackets; instead, JavaScript has function-level scope. Variables declared within a function are local variables and are only accessible within that function or by functions nested inside it. See my post on Closures for more on accessing variables in outer functions from inner functions.

Demonstration of Function-Level Scope

var name = "Richard";
function showName () {
    var name = "Jack"; // local variable; only accessible in this showName function
    console.log (name); // Jack
}

console.log (name); // Richard: the global variable

11 Oct 2013

YII FRAMEWORK: A SHORT REVIEW

yii framework , web , design , development , php

Yii Framework has received much buzz in recent times. It is a rock-solid, PHP-based, full-stack web framework for rapidly developing web applications. Today we shall see how Yii differs from the others.

Yii comes with rich features: MVC, DAO/ActiveRecord, I18N/L10N, caching, authentication and role-based access control, testing, etc. It can reduce your development time considerably. The built-in components will not only ease your learning curve but will also help you get started with your application pretty fast.

Yii only loads the features that you need: no extra resource usage, no overkill. It has powerful caching support, and cached pages load considerably faster. It is explicitly designed to work efficiently with Ajax, so you can seamlessly integrate Ajax requests with Yii.

Security comes as standard with Yii. The framework aims to provide maximum security for its users, and built-in components make data validation and input sanitization a breeze. It includes input validation, output filtering, and SQL injection and cross-site scripting prevention. Just tweak these to your needs, keeping in mind that, as with any framework, the protections only apply where you use them: bind query parameters instead of concatenating them into SQL, and encode output in your views.

Yii helps you develop clean and reusable code. It follows the MVC pattern, ensuring a clear separation of logic and presentation. Following the Yii-prescribed coding style, you get a robust, well-organized and easily maintainable code base.

You can download Yii from: http://www.yiiframework.com/. In future posts, we shall try to cover Yii development in more depth.

10 Oct 2013

Understand JavaScript Closures With Ease

web , design , development , html5 , css3 , javascript , php , web

Closures are elegant and faithfully serviceable: they allow programmers to program creatively, expressively, and concisely. They are used frequently in JavaScript and, regardless of your JavaScript skill level, you will no doubt encounter them. Sure, closures may seem complex and beyond your reach, but after reading this article they will be much more easily understood and more appealing to use in your everyday JavaScript programming.

This is a relatively short (and sweet :) ) post on the details of closures in JavaScript. You should be familiar with JavaScript variable scope before you read further, because to understand closures you must understand JavaScript's variable scope.

What is a closure?


A closure is an inner function that has access to the outer (enclosing) function's variables through the scope chain. The closure has three scope chains: it has access to its own scope (variables defined between its curly brackets), it has access to the outer function's variables, and it has access to the global variables.

The inner function has access not only to the outer function's variables, but also to the outer function's parameters. Note that the inner function cannot access the outer function's arguments object, even though it can access the outer function's parameters directly.
You create a closure by adding a function inside another function.


function showName (firstName, lastName) {
    var nameIntro = "Your name is ";
    // this inner function has access to the outer function's variables, including its parameters
    function makeFullName () {
        return nameIntro + firstName + " " + lastName;
    }
    return makeFullName ();
}
showName ("Michael", "Jackson"); // Your name is Michael Jackson

9 Oct 2013

8 Rules to Implement Secure File Uploads

web design html5 javascript css3 development

The IIS semicolon file extension issue prompted me to write down some of the rules for implementing file uploads securely. This is particularly hard because there is usually no easy way to validate the content of the file.

The overall goal is to build a set of defensive layers that tightly control the process of uploading the file and later retrieving it. The user should always interact with the file indirectly and never access the file system directly without application control.

1. Create a new file name

Do not use the user-provided file name as a file name on your local system. Instead, create your own unpredictable file name. Something like a hash (md5/sha1) works well because it is easily validated (it is just a hex number). Perhaps add a serial number or a time stamp to avoid accidental collisions. You can add a secret to the name to make it harder to guess. If you need to keep the original file name, use a look-up table to link the validated user-supplied file name to the server-created name.
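Rule 1 in PHP, together with the "retrieve only through the application" goal from the introduction, as an added example (this is not the post's own code). The upload directory, the secret, the size limit, the hex-plus-extension naming scheme and the helper names are assumptions for the demonstration; sha256 with a per-upload nonce stands in for the md5/sha1 plus serial number the post mentions.

```php
<?php
declare(strict_types=1);

// Added example, not the original post's code: rule 1 in PHP, with the file
// served back only through the application. UPLOAD_DIR, NAME_SECRET,
// MAX_UPLOAD_BYTES and the naming scheme are assumptions for the demonstration.

const UPLOAD_DIR       = '/var/www/uploads';                  // assumed: not under the document root
const NAME_SECRET      = 'replace-with-a-long-random-value';  // assumed; load from config, not source
const MAX_UPLOAD_BYTES = 5 * 1024 * 1024;                     // assumed limit

// The client-supplied name is kept only for display; it is never used on disk.
function sanitizeDisplayName(string $clientName): ?string
{
    $base = basename(str_replace('\\', '/', $clientName)); // drop any directory part
    if ($base === '' || strlen($base) > 255) {
        return null;
    }
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._ -]*\z/', $base)) {
        return null;
    }
    return $base;
}

// Unpredictable server-side name: secret + per-upload nonce + content hash.
// The nonce avoids collisions between identical uploads; the secret means an
// attacker who knows the content still cannot compute the name.
function serverFileName(string $contentHash): string
{
    $nonce = bin2hex(random_bytes(16));
    return hash('sha256', NAME_SECRET . $nonce . $contentHash) . '.bin';
}

// Because the name is fixed-width hex plus a fixed extension, validating a
// name taken from a request is one anchored pattern; no other string is a path.
function isValidServerName(string $name): bool
{
    return preg_match('/\A[0-9a-f]{64}\.bin\z/', $name) === 1;
}

// Store the upload; returns the row for the look-up table linking the
// validated client name to the server name, or null on rejection.
function storeUpload(string $clientName, string $tmpPath): ?array
{
    $display = sanitizeDisplayName($clientName);
    if ($display === null) {
        return null;
    }
    $size = filesize($tmpPath);
    if ($size === false || $size === 0 || $size > MAX_UPLOAD_BYTES) {
        return null;
    }
    $serverName = serverFileName(hash_file('sha256', $tmpPath));
    $dest = UPLOAD_DIR . '/' . $serverName;

    // In a request handler use move_uploaded_file(), which additionally checks
    // that $tmpPath really is this request's upload; copy() keeps the demo
    // runnable outside a web server.
    if (!copy($tmpPath, $dest)) {
        return null;
    }
    chmod($dest, 0640); // readable by the web server user, not executable, not world-readable

    return ['display_name' => $display, 'server_name' => $serverName, 'size' => $size];
}

// Retrieval goes through the application: the server name (taken from the
// look-up table row) is validated before any filesystem access, and the file
// is sent as an opaque attachment so the browser does not interpret it.
function serveUpload(string $serverName, string $displayName): bool
{
    if (!isValidServerName($serverName)) {
        return false;
    }
    $path = UPLOAD_DIR . '/' . $serverName;
    if (!is_file($path)) {
        return false;
    }
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $displayName . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
    return true;
}

// Constructed usage: a temp file standing in for $_FILES['f']['tmp_name'].
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "constructed upload body\n");
$row = storeUpload('../../etc/passwd.txt', $tmp); // display name becomes "passwd.txt"
var_dump($row);
```

The display-name regex is stricter than a file system needs, on purpose: it also guarantees the name can be placed inside the quoted Content-Disposition header without a quote or control character breaking out of it.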

2. Store the file outside of your document root

If your document root is /var/www/html, create a directory /var/www/uploads and use it to store