Using GitHub

GitHub is an open source version control system (VCS) called Git*, created by the same team that created Linux.

Using GitHub on other platforms such as Windows or Linux is no different; you just need to download the Git binaries built for your platform.

Here are the steps you need to use GitHub:

Setting Up GitHub

  1. Download GitHub for Windows (check the links above for other platforms): http://github-windows.s3.amazonaws.com/GitHubSetup.exe
  2. Download Git: http://git-scm.com/download/win
  3. Create an account on GitHub
  4. Open Git Shell or use Git GUI
  • Using Git Shell:
    1. git config --global user.name "Your Name Here"
    2. git config --global user.email your_email@example.com
    3. Done

Create a Repo

  1. Go to this URL to create a new repo: https://github.com/repositories/new
  2. Enter a name for the repo and create it. (This repo lives on the remote server.)
  3. Done

Set up a local git

  1. Open Git Shell
  2. Change path to your working directory (assuming you already have one)
  3. Type git init
  4. Done

Commit your code

  1. Add files to your local git: git add someFile.someExt or git add some_directory
  2. git commit -m "Some description of what has been committed and why"
  3. Done

Push your commits to remote

  1. git remote add origin https://github.com/username/name-of-your-working-git.git
  2. git push origin master
  3. Checkmate! // Note that "origin" is a remote name

Forking a repo

  1. Go to a project page
  2. Click on the fork button
  3. Clone this project to your machine by running: git clone https://github.com/your-username/recently-added-git.git
  4. This will clone it into the current working directory

Up-streaming a git

  1. Go to the project directory using the shell
  2. git remote add upstream https://github.com/octocat/Spoon-Knife.git (the URL of the repo you forked)
  3. git fetch upstream

Pull in up-stream changes

  1. git fetch upstream
  2. git merge upstream/master

Creating a Branch

  1. git branch mybranch
  2. git checkout mybranch
  • or
  1. git checkout -b mybranch

To switch

  1. git checkout master
  2. git checkout mybranch

Merging back the branch

  1. git checkout master
  2. git merge mybranch
  3. git branch -d mybranch

Securing PHP Apps

The Beginning!

I am going to discuss security issues with the PHP web applications we normally code, or with whatever platform you use to develop web applications. When it comes to security, you need to make sure you write your application to be secure. When you write PHP applications, make sure you follow these guidelines.

  1. Web Forms
  • Secure Web Forms

Normally we see forms like this: <form action="/process.php" method="POST">. But what if it is written as <form action="http://example.org/process.php" method="POST">? This new form can now be located anywhere (a web server is not even necessary, since it only needs to be readable by a web browser), and the form can be manipulated as desired. The absolute URL used in the action attribute causes the POST request to be sent to your server.
So check which of your forms really require absolute URLs. In recent development we talk about nice URLs, which may require absolute URLs in images, anchors and locations as well, but try to avoid absolute URLs in forms.

  • Validate Input

Validating data is the most important habit you can possibly adopt when it comes to security. And when it comes to input, it's simple: don't trust users. Your users are probably good people, and most are likely to use your application exactly as you intended. However, whenever there is a chance for input, there is also a chance for really, really bad input. As an application developer, you must guard your application against bad input.

For example, say we are creating an application that lists users' birthdays and allows users to add their own. We will want to accept a month as a digit between 1-12, a day between 1-31 and a year in the format YYYY.

Use simple validation techniques with PHP. Here I show a user name validation; you can write your own! Returning 1 is the success case, and the other return values identify which check failed.

// One case of a validator method; $value is the raw input and
// $this->isRejectedWord() is a helper of the same class.
case 'USER_NAME':
    $value = trim($value);
    $valueLen = strlen($value);

    // 2: length out of range
    if ($valueLen < 3 || $valueLen > 256)
        return 2;

    // 3: only letters, optionally separated by single dots, ending in a
    // lowercase letter. Accepts exactly what ([A-Za-z]+[.]{0,1})*[a-z]+
    // accepted, but without the nested quantifier, so a long non-matching
    // input cannot trigger catastrophic backtracking.
    $pattern = '/^(?:[A-Za-z]+\.)*[A-Za-z]*[a-z]$/';
    if (!preg_match($pattern, $value))
        return 3;

    // 4: one of the dot-separated parts is a rejected word
    $values = explode('.', $value);
    $tValues = count($values);
    for ($i = 0; $i < $tValues; $i++)
    {
        if ($this->isRejectedWord($values[$i]) === true)
            return 4;
    }

    return 1; // success
    break;
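The birthday form described above, as an added example that is not part of the original post: each field is checked against its stated domain, and the three parts are then checked as a real calendar date. The function name and the sample submissions are constructed for illustration.

```php
<?php
// Added example (not the post's own code). Returns null when the input is
// invalid and a normalised "YYYY-MM-DD" string otherwise.
function validateBirthday(array $input)
{
    // Month: integer 1-12. FILTER_VALIDATE_INT rejects "01a", "1.0", "1 OR 1=1".
    $month = filter_var(isset($input['month']) ? $input['month'] : null,
        FILTER_VALIDATE_INT, ['options' => ['min_range' => 1, 'max_range' => 12]]);
    // Day: integer 1-31.
    $day = filter_var(isset($input['day']) ? $input['day'] : null,
        FILTER_VALIDATE_INT, ['options' => ['min_range' => 1, 'max_range' => 31]]);
    // Year: exactly four digits (YYYY). \A and \z anchor both ends, so "19999"
    // and "1990\n" are rejected (a plain $ would allow the trailing newline).
    $yearRaw = isset($input['year']) ? (string) $input['year'] : '';
    if (!preg_match('/\A\d{4}\z/', $yearRaw)) {
        return null;
    }
    $year = (int) $yearRaw;

    if ($month === false || $day === false) {
        return null;
    }
    // 30 February passes the per-field ranges but is not a real date.
    if (!checkdate($month, $day, $year)) {
        return null;
    }
    return sprintf('%04d-%02d-%02d', $year, $month, $day);
}

// Constructed sample submissions, as they would arrive in $_POST.
$samples = [
    ['month' => '2', 'day' => '29', 'year' => '2000'],        // valid leap day
    ['month' => '2', 'day' => '30', 'year' => '2001'],        // fails checkdate()
    ['month' => '13', 'day' => '1', 'year' => '1990'],        // month out of range
    ['month' => '1', 'day' => '1', 'year' => '90'],           // not YYYY
    ['month' => '1 OR 1=1', 'day' => '1', 'year' => '1990'],  // not an integer
];
foreach ($samples as $s) {
    $r = validateBirthday($s);
    echo json_encode($s), ' => ', ($r === null ? 'rejected' : $r), PHP_EOL;
}
```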

  • Working with Register Globals

In short, register_globals was meant to help rapid application development. Take for example this URL,
http://yoursite.tld/index.php?var=1, which includes a query string. With register_globals on, the value is automatically available as $var instead of $_GET['var']. This might sound useful to you,
but unfortunately every variable in the code now has this property, and an attacker can easily get into PHP applications that do not protect against this unintended consequence. The following code snippet is just one
common example you will see in PHP scripts:

if (!empty($_POST['username']) && $_POST['username'] == 'test' && !empty($_POST['password']) && $_POST['password'] == "test123")
{
    $access = true;
}

If the application is running with register_globals ON, a user could simply put access=1 into the query string and would then have access to whatever the script protects, because $access is never initialised before the check.
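The same login check rewritten so that it stays safe even when register_globals is ON, as an added example that is not part of the original post. The stored hash is constructed in the script so that it runs stand-alone; in a real application it would come from the user table.

```php
<?php
// Added example (not the post's own code): hardened form of the snippet above.

// Stored hash for the password "test123", constructed here with
// password_hash() only so the example runs on its own.
$storedHash = password_hash('test123', PASSWORD_DEFAULT);

// 1. Initialise every state variable before use. With register_globals ON,
//    ?access=1 in the query string would otherwise pre-set $access to true.
$access = false;

// 2. Read request data only from the explicit superglobal, never from a bare
//    variable that register_globals may have populated.
$username = isset($_POST['username']) ? (string) $_POST['username'] : '';
$password = isset($_POST['password']) ? (string) $_POST['password'] : '';

// 3. Compare with strict equality and verify the password against a hash
//    (constant-time) rather than against a literal in the source.
if ($username === 'test' && password_verify($password, $storedHash)) {
    $access = true;
}

echo $access ? 'Access granted' : 'Access denied', PHP_EOL;
```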

  1.  Form Submissions

In order to appreciate the necessity of data filtering, consider the following form located (hypothetically speaking) at http://example.org/form.html:
<form action="/process.php" method="POST">
<select name="color">
<option value="red">red</option>
<option value="green">green</option>
<option value="blue">blue</option>
</select>
<input type="submit" />
</form>
Imagine a potential attacker who saves this HTML and modifies it as follows:
<form action="http://example.org/process.php" method="POST">
<input type="text" name="color" value="joker" />
<input type="submit" />
</form>

In the PHP script you then receive this value in $_POST['color'], which is absolutely wrong. As mentioned earlier, define the domain for color: only red, green and blue are acceptable.

This form is also reachable from another domain, i.e. a simple POST to http://example.org/process.php from http://localhost/hackphpapp/. So what do you need to do here?

With a simple form token technique you can create a session-based token that is used to check, for every form, that it was posted from your site only. Here is a PHP example for our case (an improved version of our form post).

<?php
session_start();
if (isset($_POST['color']))
{
    // strict comparison: a loose == would treat some unequal strings as equal
    if (isset($_SESSION['token']) && isset($_POST['token']) && $_POST['token'] === $_SESSION['token'])
    {
        $color = htmlentities($_POST['color']); // encode HTML special characters
        if ($color == 'red' || $color == 'blue' || $color == 'green')
            echo 'Great! No hack :)';
    }
}

// issue a fresh token for the form below
$token = md5(uniqid(rand(), true));
$_SESSION['token'] = $token;
?>
<form action="./process.php" method="POST">
<input type="hidden" name="token" value="<?php echo $token; ?>" />
<select name="color">
<option value="red">red</option>
<option value="green">green</option>
<option value="blue">blue</option>
</select>
<input type="submit" />
</form>
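A hardened version of the colour form handler, as an added example that is not part of the original post: the token is generated with random_bytes() instead of md5(uniqid(rand())), compared with hash_equals() so the check is constant-time and type-safe, the colour is checked against an allow-list before use, and every value written into the page is escaped. File names and messages are assumed for illustration.

```php
<?php
// Added example (not the post's own code): hardened process.php.
session_start();

$allowedColors = ['red', 'green', 'blue'];   // the domain for this field
$result = null;

if (isset($_POST['color'])) {
    $sent  = isset($_POST['token']) ? (string) $_POST['token'] : '';
    $saved = isset($_SESSION['token']) ? (string) $_SESSION['token'] : '';

    // hash_equals() is constant-time and never coerces types the way == does.
    if ($saved !== '' && hash_equals($saved, $sent)) {
        // Allow-list check: only the three expected values are accepted,
        // with strict comparison so "0" or true cannot match.
        if (in_array($_POST['color'], $allowedColors, true)) {
            $result = 'Great! No hack :)';
        } else {
            $result = 'Rejected: value outside the allowed set';
        }
    } else {
        $result = 'Rejected: missing or invalid form token';
    }
}

// Issue a fresh, unpredictable, single-use token for the form that follows.
$token = bin2hex(random_bytes(32));
$_SESSION['token'] = $token;
?>
<?php if ($result !== null): ?>
<p><?php echo htmlspecialchars($result, ENT_QUOTES, 'UTF-8'); ?></p>
<?php endif; ?>
<form action="./process.php" method="POST">
<input type="hidden" name="token" value="<?php echo htmlspecialchars($token, ENT_QUOTES, 'UTF-8'); ?>" />
<select name="color">
<option value="red">red</option>
<option value="green">green</option>
<option value="blue">blue</option>
</select>
<input type="submit" />
</form>
```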

  1. Guard your file system
  2. Downloading a file
  3. Secure your database with sql injections
  4. Secure your sessions
  5. Security against Cross-Site Scripting
  6. Security against Cross-Site Request Forgeries (CSRF)
  7. Working with Escape Strings and Magic Quotes

The same token technique applied to a form that appends a message to a text file:

<?php
session_start();

if (isset($_POST['message']))
{
    // strict comparison of the submitted token against the session token
    if (isset($_SESSION['token']) && isset($_POST['token']) && $_POST['token'] === $_SESSION['token'])
    {
        $message = htmlentities($_POST['message']); // encode HTML special characters before storing

        $fp = fopen('./messages.txt', 'a');
        fwrite($fp, "$message<br />");
        fclose($fp);
    }
}

// issue a fresh token for the form below
$token = md5(uniqid(rand(), true));
$_SESSION['token'] = $token;
?>

<form method="POST">
<input type="hidden" name="token" value="<?php echo $token; ?>" />
<input type="text" name="message"><br />
<input type="submit">
</form>

PHP IDEs compared!

I've talked with many PHP programmers, and one thing that surprises me most is how few use IDEs. Most use text editors such as Notepad++ or Dreamweaver.

The text editors I mentioned (and others I didn't) are great; I don't want to start a pointless war over which editor is better. However, I have ranked them.

1. Codelobster PHP Edition

Codelobster PHP Edition streamlines and simplifies the PHP development process. You don't need to keep in mind the names of functions, arguments, tags and their attributes, methods etc.; the autocomplete feature covers PHP, HTML, JavaScript and even CSS. You can also always get the necessary help information with F1 or the special Help control.

The internal free PHP Debugger allows validating code locally. It automatically detects your current server settings and configures the corresponding files so that you can use the Debugger.

Supported CMS: Drupal CMS, Joomla CMS, WordPress Blogging Platform

Supported Frameworks: Symfony framework, CakePHP framework, CodeIgniter framework, FaceBook Social Network, Yii framework, Smarty Template Engine

Supported JavaScript Libraries: jQuery library

2. PhpStorm

PhpStorm is a lightweight and smart PHP IDE focused on developer productivity that deeply understands your code, provides smart code completion, quick navigation and on-the-fly error checking. It is always ready to help you shape your code, run unit-tests or provide visual debugging.

PHP code completion
PHP refactoring
Smarty and PHPDoc support
Quick navigation
Language mixing (JS/SQL/XML etc.)

3. NetBeans

The NetBeans project offers a version of the IDE tailor-made for developing PHP web sites that comprise a variety of scripting and mark-up languages. The PHP editor is dynamically integrated with the HTML, JavaScript and CSS editing features.

Focus on the code and speed up code scanning by excluding individual directories in the project properties. The NetBeans IDE fully supports iterative development, so testing PHP projects follows the classic patterns familiar to web developers.

The Main features:

PHP Files Without Projects
Rename Refactoring and Instant Rename
PhpDocumentor Support
Zend and Symfony Framework
PHP Source Code Editor
Namespace and Variable Types
Easy Code Navigation
Code Coverage
PHP Unit Testing
Remote and Local Project Development
PHP Debugging
MySQL Integration

4. Eclipse

Two plug-ins support PHP in the Eclipse development platform. The first, PHP IDE Project, is an Eclipse Foundation project, which means it is released under the Eclipse license and is developed using the Eclipse Foundation’s tools and processes.

The other is PHPEclipse and is developed independently. As with Eclipse, both run on the Big Three operating systems: Windows, Linux®, and Mac OS X. You can download just the plug-ins (if you already use Eclipse), or download a pre-fab version with everything you need.

Both plug-ins support core IDE features you would expect to find. The code intelligence is rock-solid, pops up when you want it, and displays all the information you need for classes, methods, and arguments.

Figure 1 shows PHPEclipse running on Mac OS X. On the left side is the project view with the files in the project. Below that is the class view, which shows any classes I’ve defined. In the center is my code. I can have multiple files open in multiple tabs simultaneously. On the right side are panels for debugging and browsing. This is the stock PHPEclipse user interface.

5. Komodo

Next up is ActiveState's Komodo IDE. This IDE runs on Windows, Mac OS X, and Linux, and it supports the usual open source language suspects: Perl, PHP, and Ruby. The code intelligence engine is solid. It scans all your language installations to find custom extensions, such as PEAR modules. On the project side, it supports integration with CVS, Subversion, and Perforce, as well as allowing for direct FTP transfer of code to the server.

Figure 3 shows Komodo running on Windows. A class view is on the left, and the project view is on the right. Dominating the center is the tabbed code view. To the bottom are the breakpoints for the debugger, the command output, and so on. As with all these systems, you can significantly customize the UI to match your preferences.

6. PHP Designer

PHP Designer takes a different tack from the other IDEs. Sure, it supports limited code intelligence. However, its focus is on further enabling the design aspect of the PHP Web application. This is evidenced by its integrated browser being adorned with pixel rulers to help in positioning elements on the page.
