Thursday, 7 February 2008

Nigerians are the best scammers on the internet

God has blessed Nigeria with one of the best thinking ideas, but a few of them use it wrongly. That does not mean that all Nigerians are the same, and please change your mindset. I would like you to read this article I got from http://en.wikipedia.org/.

Scammers post profiles on dating websites to fish for victims. Upon finding victims scammers lure them to more private means of communication to allow for fraud to occur.

Some scammers use religious dating websites such as Christian sites, as the victims feel complacent, believing that the scammer has high moral values. [4][2]

Rhonda McGregor, an online moderator for the ROMANCE SCAMS Yahoo! group, stated that many romance scammers avoid answering personal questions and ask their victims many questions.

Narratives used to extract money from the victims of romantic scams include the following:

1. The scammer says that his or her boss paid the scammer in postal money orders. The scammer wants the mark to cash the scammer's money orders and then wire money to the scammer. The forged money orders leave the banks to incur debts against the victims.

2. The scammer says that he or she needs the mark to send money to pay for a passport. The scammer wants the mark to cash the scammer's money orders and then wire money to the scammer. The forged money orders leave the banks to incur debts against the victims.

3. The scammer says that he or she requires money for flights to the victim's country and somehow never comes, or says that he or she is being held against his or her will by immigration authorities, who demand bribes.

4. The scammer says that he or she is being held against her will for failure to pay a bill or requires money for hospital bills.

5. The scammer asks the victim to package goods sent from one address and send the goods to another address. The victim does not realize that the scammer set him or her as a part of a stolen goods distribution scheme. If police investigate the trail, the scammer's use of mules makes tracing of the scammer more difficult. In addition many businesses do not trust Nigerian addresses, so scammers use mules' United States addresses to give the businesses the impression that their transaction is domestic.

6. The scammer makes a proposal of marriage and needs the victim to send them the cash for the ticket. This is happening more out of the Ukraine now as the Federal Agents begin to reel in Nigerian scammers.

How not to optimize a MySQL query

I just read a blog post discussing mysql query optimization and thought I’d put in my two cents.

The post suggests using a number of mysql specific statements (e.g. SQL_SMALL_RESULT, HIGH/LOW_PRIORITY, and INSERT DELAYED. STRAIGHT_JOIN was conspicuously missing). Unless absolutely necessary, this is usually A Bad Idea for at least two reasons. First, they are specific to MySQL which makes your database code less portable. This might or might not be a problem. Second, and perhaps more importantly, giving the SQL interpreter this sort of hint can lead to decreased performance in the future when your database or the interpreter changes. Telling the interpreter to anticipate a small result set (with SQL_SMALL_RESULT) might seem like a good idea, but could lead to problems when your table grows and the result becomes large! Basically, use these keywords with caution, and only when you really need them. And when you do use them, take special care in documenting where and why they’re in use.

The truth is there is no silver bullet that is going to make MySQL (or any dbms) run a poorly written query lightning fast. But here are some tips that the post somehow neglected to mention.

Properly index your tables

If you do a lot of lookups using a particular column of a table, or if you join on a column, that column should be indexed. Moreover, if all of the data that you are retrieving is available in the index (e.g. you’re using a multi-column index) then MySQL can avoid looking at the table altogether and execute your query using just the index.

Avoid superfluous queries

Don’t do this:

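// query_db() stands for whatever helper runs a query and returns its rows
$result = query_db('select * from table1');

// one extra query per row of table1
foreach ($result as $row) {
    $array[] = query_db('select * from table2 where column = '.$row['id']);
}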

Do this:

$result = query_db('select table2.* from '
.'table1, table2 where table1.id=table2.column');

Look for bottlenecks

Don’t waste time optimizing queries that aren’t bottlenecks in your application. Find the low hanging fruit and correct those problems first.

Learn SQL

This is the most important tip. SQL optimization really has to be done on a case by case basis, and you can’t do it unless you have a good understanding of the language and how you can use it to your advantage. You need to understand things like subqueries, grouping, left joins vs. right joins vs. full joins, etc. There is no free lunch.

If you’re interested in learning more, I highly recommend Stephane Faroult’s book The Art of SQL.

Even a Newbie Can get a Website On the Internet Quite Simply

Have you ever thought you would like to place a website on the internet but have no idea where to start and how to finish? Well, let's run through it step by step. You will soon realize that it is not that difficult.

First off, your website needs a name and address. That name is referred to as a domain name. There is a wide assortment of online sources where you can purchase your domain name. They will guide you through the whole process. They will help you to select an available domain that is not currently in use. The name you want quite possibly is already taken so they will guide you in the selection of a domain name that closely matches the one you want. At that point they will register the name with domain authority registry.

Now you need to assign that domain name to a hosting location. This is commonly referred to as pointing your domain or assigning nameservers to that domain. To accomplish this task you will need to select the hosting company where your website will be stored and displayed on the internet. Each hosting company has addresses or so called nameservers to describe the location of your domain and in turn the website that you upload to that location.

The types of website hosting packages available today vary widely and a package is available that will satisfy any need. Someone just entering the website hosting arena will likely do just fine with a shared webhosting package. These typically include every imaginable feature a newbie could want. One fine example of a monsterhost package can be found at Hostmonster Website Hosting. They are a good suggestion for newbies simply due to simplicity. They offer one package only for all customers.

This is a very good package that satisfies most requirements for everyone from newcomer to advanced and their price is quite competitive. Many other reputable hosting providers can be found as well. Most offer several levels of hosting that are more tailored to specific needs. These would include well known names such as Yahoo and Godaddy.

You may encounter a few choices with all website hosting offers. The two most common platforms, Unix and Windows are widely available and offer various options and have differing abilities. Don't let this choice confuse you. It bears no relationship to the operating system you will be using on your computer. Your choice of platform will determine the utility and type of software that you can use. Unix Hosting allows for easier use of common programming languages such as Perl, PHP, MySQL and Python.

For most basic shared hosting, the operating system should not make a big difference. UNIX and Linux are stable and more affordable than Windows. Microsoft FrontPage is supported on the Windows OS, UNIX, and Linux.

Arguably, the best way to choose between UNIX and Windows is to look at your website publishing resources. If your website publishing resources use mostly Microsoft products, such as Access, Front Page, or VBScripts, it's probably better to stick with Windows. But, if reliability, universal compatibility, and stability are a concern, UNIX would probably be the way to go.

Features of either package will be the same and in fact the features offered by most reputable hosting providers will be very similar. Competition has closed the gap on pricing as well. Most packages offered today will allow you a free domain registration and free account setup. Other typical features usually include several email accounts, the ability to host several domains within that same account.

Many offer onsite website building software. You can use their step by step tutorials and their templates to quickly produce a very nice and professional looking website. No previous website building knowledge is required.

Most of the process is quite simple but it does revolve around one issue. If you are depending heavily on your hosting provider to step you through the whole process, it is critical that they have a reputation of good support. This can not be overstated. Support is important. You are dead in the water if you have run into obstacles and can not get help from the support people.

Again, it is important to select a proven, reliable website hosting provider with top notch support. This may well be the most important issue in your selection.

That should be the basics you need to know to get off and running with your website. It really will not be that difficult. Start now by selecting a hosting company and deciding on a preferred domain name. I like the monsterhost for newbies. Check them out!

Top 25 PHP template engines

After searching the Internet for a good template engine, I have compiled the following list:


Smarty

Smarty is a template engine that compiles the templates into PHP scripts, then executes those scripts. Very fast, very flexible.


Heyes Template Class

A very easy to use, yet powerful and quick template engine that enables you to separate your page layout and design from your code.


FastTemplate


A simple variable interpolation template class that parses your templates for variables and spits out HTML with their values


ShellPage

A simple and easy to use class that lets you make whole websites based on template files for layouts. Change the template and your whole site changes.


STP Simple Template Parser

A simple, light weight and easy to use template parser class. It can assemble a page from several templates, output result pages to the browser or write them to the filesystem.


OO Template Class

An object oriented template class you can use in your own programs.


SimpleTemplate

A template engine to create and structure websites and applications. It can translate and compile the templates.



bTemplate

A small and fast template class that allows you to separate your PHP logic from your HTML presentation code.


Savant

A powerful but lightweight PEAR-compliant template system. It is non-compiling, and uses PHP itself as its template language.


ETS - easy template system

A template system that allows you to reshuffle templates with exactly the same data.


EasyTemplatePHP

A simple, yet powerful templating system for your site.


vlibTemplate


A fast, full featured template system that includes a caching and debugging class.


AvanTemplate

A template engine that is multi-byte safe and consumes little computing resource. It supports variable replacement and content blocks that can be set to hidden or shown.


Grafx Software’s Fast Template

A modification of the popular Fast Template system, this includes a cache function, debug console, and silent removal of unassigned dynamic blocks.


TemplatePower

A fast, simple and powerful template class. Features nested dynamic block support, block/file include support and show/hide unassigned variables.


TagTemplate

This library function was designed for use with template files and allows you to retrieve info from HTML files.



htmltmpl: templating engine

A templating engine for Python and PHP. Targeted to web application developers, who want to separate program code and design of their projects.


PHP Class for Parsing Dreamweaver templates

A simple class to parse a Dreamweaver template for use in custom mods for a Gallery 2 and a WordPress blog.


MiniTemplator (Template Engine)

A compact template engine for HTML files. It features a simple syntax for template variables and blocks. Blocks can be nested.


Layout Solution

Simplifies website development and maintenance. It holds commonly used variables and page elements so you don’t need to duplicate common layouts over and over.


Cached Fast Template


This inclusion into FastTemplate allows for caching of the template files, and can even cache with different specifications on separate blocks of content.


TinyButStrong

A template engine that supports MySQL, Odbc, Sql-Server and ADODB. It includes seven methods and two properties.


Brian Lozier’s php based template engine

Only 2k in size, very fast and object-orientated.


WACT

A template engine that separates code from design.



PHPTAL

An XML/XHTML template library for PHP.

Wednesday, 6 February 2008

Basic PHP Script Security

The Security of PHP scripts has become a major issue lately. The very power and flexibility of PHP scripting architecture has become its major vulnerability, if certain simple steps are not taken to protect the script. The simple ability to take data from a webpage is also a potential gateway for a variety of attacks that aim to steal information from databases, or to corrupt that data. Not only server-side data is at risk, but attacks are possible that may harm all the visitors of the site by simple injection of malicious code.

For the purpose of this tutorial we have listed some commonly known attacks, and how to protect against them. This is crucial for beginners in PHP because PHP tutorials and basic documentation do not stress this problem enough. Examples are given that are vulnerable to attacks, and students are either not aware of the vulnerabilities, or are not adequately taught how to protect their scripts.

In addition, the types of attacks presented here are not limited only to PHP, since they exploit standard HTTP request/response protocol which is available to any server-side scripting language.


SQL Injection

SQL injection is a security threat that appears wherever a PHP script is presenting data from a database, taking as input some identification of the content that needs to be presented, for instance with content management systems, or even simple scripts that return simple data. As long as input identification is inserted into SQL for data retrieval, the threat exists!

Let's look at a simple example. Let's say that you have a script that presents web pages according to user selection which is passed through URL variable 'page=':

index.php?page=links

This script then takes page identifier in variable 'page' and puts it into SQL query to fetch the page with that identifier:

PHP:





The above is very common example of content retrieval. And a very vulnerable one. All it takes for the attacker is to bypass your single quotes and insert some malicious code. And all the attacker needs is to pass one simple string through the URL:

index.php?page=%27%3B%20DROP%20DATABASE%20--

The above is a valid URL request, and the server will parse the encoded characters into '; DROP DATABASE which effectively closes the single quotes of your original query, ends it with a semicolon and inserts a new directive that drops your entire database and comments out everything else you may have in your SQL. And buh-bye database! Gone. Deleted.

Of course, this is a blatant example that does not need to work, especially if the user level the script is using does not allow dropping an entire database. But it can do a variety of other things, like selecting usernames or passwords, or inserting passwords where ID=1 which is usually the admin's user id, etc... Or it can bypass WHERE clauses with a simple 'OR 1=1' and avoid password checks for example, or any other data retrieving filter you may have had, especially because data passed through URLs for content retrieval is usually a filter in a WHERE clause.

Naturally, it is difficult for the attacker to know the structure of your tables and fields if he/she did not see the code. With some guessing and luck he or she may be able to extract the structure, especially if your scripts visibly report errors (which is another security threat we'll deal with later). But what about open-source projects where code is available for everyone? Incidentally, open-source projects are frequent targets of attackers that seek loopholes in thousands of lines of code managed by many people who can easily omit a hole or two.

The most simple way to protect against such SQL injections is to escape sensitive characters like single or double quotes. It is best to use database-native functions for that, and in the case of our example, and MySQL, the proper handling would be:

PHP:





One much better way to protect against SQL injections is to use numeric identifiers wherever possible, so instead of index.php?page=links use ?page=1 and cast all data from this variable into integer:

PHP:





Another way is to filter the variable for allowed characters. For simple identifiers, allowed characters are usually alphanumeric (a-z0-9), which can be a case with simple page retrieval. Filter with preg_match:

PHP:





And of course, keep your code to yourself if at all possible. So, to recapitulate, to protect against SQL-injections, very useful methods are:

* Using integers as data identifiers wherever possible
* Escaping all string inputs that may contain sensitive characters
* Filtering input identifiers for allowed characters
* Keeping the code to yourself



As a final note, since we used $_GET variable for example, same threat exists for POST-ed data. Since http request headers are text based, over TCP/IP type connection, it is very easy for the attacker to write a program (in C for example) that opens a connection to your script and sends malicious requests through POST'ed data.
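The defences recapped above, next to the concatenated query they replace. This is an added example, not the tutorial's own code: the pages table, the function names and the sample rows are assumptions, it uses an in-memory SQLite database through PDO so it runs offline, and the prepared statement goes one step beyond the methods the tutorial lists.

```php
<?php
// Added example. Table, column and function names are assumptions and the
// rows are constructed sample data.

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, name TEXT, body TEXT, visible INTEGER)');
    $db->exec("INSERT INTO pages (name, body, visible) VALUES
        ('links', 'Our links', 1),
        ('home',  'Welcome',   1),
        ('draft', 'Unpublished admin notes', 0)");
    return $db;
}

// Vulnerable pattern the section describes: the request value is pasted
// between the single quotes of the SQL text.
function fetch_page_concat(PDO $db, string $page): array
{
    $sql = "SELECT name, body FROM pages WHERE visible = 1 AND name = '" . $page . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Escaping with the database driver's own function. PDO::quote() adds the
// surrounding quotes and escapes the ones inside the value.
function fetch_page_escaped(PDO $db, string $page): array
{
    $sql = 'SELECT name, body FROM pages WHERE visible = 1 AND name = ' . $db->quote($page);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Numeric identifier cast to int: whatever follows the leading digits is lost.
function fetch_page_by_id(PDO $db, $rawId): array
{
    $id  = (int) $rawId;
    $sql = 'SELECT name, body FROM pages WHERE visible = 1 AND id = ' . $id;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Allow-list filter. \A and \z anchor the whole string; a bare $ would also
// accept a value that ends in a newline.
function is_valid_page_name(string $page): bool
{
    return preg_match('/\A[a-z0-9]{1,32}\z/i', $page) === 1;
}

// Prepared statement: the value travels separately from the SQL text, so it
// can never change the structure of the query.
function fetch_page_prepared(PDO $db, string $page): array
{
    $stmt = $db->prepare('SELECT name, body FROM pages WHERE visible = 1 AND name = :name');
    $stmt->execute([':name' => $page]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db    = make_db();
$probe = "x' OR '1'='1";   // constructed input of the WHERE-bypass kind described above

// The concatenated query returns every row, including the hidden draft;
// the other variants treat the probe as an (unknown) page name.
printf("concatenated: %d row(s)\n", count(fetch_page_concat($db, $probe)));
printf("escaped:      %d row(s)\n", count(fetch_page_escaped($db, $probe)));
printf("prepared:     %d row(s)\n", count(fetch_page_prepared($db, $probe)));
printf("allow-list accepts probe: %s\n", var_export(is_valid_page_name($probe), true));
printf("allow-list accepts 'links': %s\n", var_export(is_valid_page_name('links'), true));
printf("id '2 OR 1=1' is read as page: %s\n", fetch_page_by_id($db, '2 OR 1=1')[0]['name']);
```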


XSS Attacks

XSS, or Cross Site Scripting Attacks, are attacks aimed at identity theft and stealing passwords from the users of a website (and sometimes more). XSS attacks do not directly threaten the database like SQL injections do, but threaten all users, especially admins that have high privileges in operating a website.

A Cross Site Scripting attack consists of inserting code, usually Javascript, into any content that will be presented to the users, like in Blogs, Forums, Comments, etc... By inserting such malicious Javascript code, attackers can effectively "hijack" the user's browser with Javascript and perform the attack, usually without the user's knowledge.

Most often, XSS attacks steal data from cookies. A valid browser, and a properly set cookie, will send a cookie only to the domain from where it was set. Combine this with the fact that cookies are used to pass user authentication data, sometimes even passwords, and especially session data since. Therefore Javascript is used to fetch local cookies aimed at the domain in question, and to send them to a third party domain - the attacker's domain - where the attacker can read its contents.

For example, an XSS attack can insert the following code inside a forum post, or blog comment post. It will not be visible to users (unless they look at the page source):

Code:






Now, let's see what happens here. The script routes your browser to the attacker's domain, and in the URL request passes local cookie data to a remote script on the attacker's server. The script receives the cookie data, and the attacker can view its contents.

Of course, the above example is visible, since your browser is suddenly directed to a third-party website. However, a clever attacker can wrap the URL request inside an image tag, and the remote (attacker's) server will return a valid image, but will also receive the cookie data in the image request:

Code:






And there you go, the user's cookie data is sent to the attacker. Now, if the user is admin, and cookies contained session data, and/or passwords or usernames, a great deal of damage can be done if the attacker gets hold of admin's password.

In order to protect your site against XSS attacks, you need to filter all input. Wherever there is some string data that will be presented back to users (usernames, forum posts, blog posts, comments, etc...) you need to filter that data. The most simple filtering against XSS is to encode all HTML entities, where < and > become &lt; and &gt; and browsers will not parse any tags inside them as valid HTML tags that would enable Javascript. PHP has one very useful little function for that, namely the htmlentities().

More complex filtering involves solving for character encoding hacks, pre-escaped characters that with additional escaping revert to HTML tags, writing routines that seek out malicious script combinations, etc...

In addition to input filtering, make sure your cookies do not carry any sensitive data, like passwords or usernames.
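The entity encoding described above, applied where a stored comment is written back into a page. This is an added example, not the tutorial's own code: the function names and the sample comment are assumptions, and the link check goes beyond plain htmlentities() because encoding alone does not make a user-supplied URL safe to put in an href.

```php
<?php
// Added example. h(), safe_url() and render_comment() are hypothetical
// helpers; the comment data below is constructed.

// Encode for HTML text and for quoted attribute values. ENT_QUOTES also
// encodes the single quote (PHP before 8.1 left it alone by default), and the
// explicit charset avoids depending on the server's default_charset.
function h(string $s): string
{
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// A URL that ends up in href or src needs its scheme checked as well.
// Only absolute http and https links pass; everything else is dropped.
function safe_url(string $url): ?string
{
    $url    = trim($url);
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!is_string($scheme) || !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return null;
    }
    return $url;
}

// Build the HTML for one comment. Every user-controlled value is encoded at
// the point of output, in text and in attributes alike.
function render_comment(array $c): string
{
    $author = h($c['author']);
    $body   = nl2br(h($c['body']));
    $link   = safe_url($c['homepage']);
    $name   = $link === null
        ? $author
        : '<a href="' . h($link) . '" rel="nofollow">' . $author . '</a>';

    // The title attribute is single-quoted on purpose: without ENT_QUOTES a
    // quote in the author name would end the attribute early.
    return "<div class=\"comment\" title='by " . $author . "'>"
         . $name . ': ' . $body . '</div>';
}

// Constructed test comment: markup in the body, a quote in the author name,
// and a homepage that is not an http(s) link.
$comment = [
    'author'   => "Bob' onmouseover='alert(1)",
    'body'     => "<script>alert(1)</script>\nnice post",
    'homepage' => 'javascript:alert(1)',
];

echo render_comment($comment), "\n";

// A well-formed comment keeps its link.
echo render_comment([
    'author'   => 'Alice',
    'body'     => 'Thanks & regards',
    'homepage' => 'https://example.org/',
]), "\n";
```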

As a test, to check out if your filtering is moderately sufficient, try to insert something like this:

Code:







CSRF Attacks

Cross Site Request Forgery Attacks are similar to XSS in that the attacker posts malicious code to a forum, blog comment, or any other interactive part of the website that will return that content (and code) to users.

Unlike XSS, however, CSRF does not need Javascript. Plain HTML or even BBCode is sufficient, so this makes CSRF the sneakiest of attacks that need careful handling.

Let's start with one simple example. Let's say that your website has a script called delete.php that deletes some content in the database. It takes numeric ID as input to identify the content that needs deletion:

delete.php?id=123

Let's say that the attacker knows of this script. All the attacker needs to do is to insert an image request with SRC set to this script, in a forum post for example, even using BBCode:

[img]http://attackedsite.com/delete.php?id=123[/img]

Server would translate this to a valid HTML image tag. Anyone who visits the page where this code is presented, will have their browsers issue a call to the above script, and if the script is not protected, it will delete content with ID=123.

This may not sound like a big threat until you perhaps imagine what would happen if the admin visits the page with malicious code. No Javascript, no illegal characters, a simple image request. The admin is probably logged-in, and has proper authentication so even if the delete.php script solves for authentication (only admins can delete with it), the admin is the one whose browser issued the call, so damage is done!

Fortunately, though, there are ways to prevent CSRF attacks to certain extent:

First and foremost, this works only with GET requests, since there is no other sneaky way to issue a hidden call without an image (and without a script, which is solved with XSS protection), except maybe framed pages and/or iframes which are harder to insert into a forum (or blog) post that usually disables such tags. Therefore, move all your sensitive data inputting to POST, instead of GET. This may make your simple administration scripts a bit complex, since in order to POST data you need a form, whereas with GET you can put a simple link somewhere.

And, of course, have all your potentially damaging scripts require a second confirmation. So, even if a CSRF attack happens, you will need to confirm the (damaging) request.

One other additional protection is to compare timestamps. Have the forms with which you issue calls to potentially damaging scripts carry a timestamp, and inside the (damaging) script compare the timestamp from the form with current timestamp. If the difference is greater than, say, 10 seconds, do not perform the potentially damaging action. There is a logic behind this. When you access the page where you need to click to delete some content, you have 10 seconds to click it, after which the script will reject deleting (reload to reset timestamps, of course). So, when you reach a page with CSRF attack against you, if you visited that page more than 10 seconds ago, the attack will not work.

Note that this protection is not perfect. In some complex AJAX application that takes data via URL (GET), does something to it, and passes it to a server script via POST, it is possible to pipe a CSRF attack, if the attacker knows your software architecture - as is the case with open-source software.
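The POST-only rule and the timestamp comparison described above, combined in one handler. This is an added example, not the tutorial's own code: the function names, the per-session key and the fixed clock values are assumptions, and the timestamp is signed with an HMAC (an addition to what the text describes) because a bare timestamp in a form field can simply be filled in by whoever builds the forged request.

```php
<?php
// Added example. Function names are hypothetical; the session key would
// normally be created once per login and kept in $_SESSION.

const FORM_MAX_AGE = 10; // seconds, the window suggested in the text

// Value for a hidden form field: the time the form was rendered, plus a MAC
// binding that time to this session and to the exact action.
function issue_form_stamp(string $sessionKey, string $action, int $now): string
{
    return $now . '.' . hash_hmac('sha256', $action . '|' . $now, $sessionKey);
}

function check_form_stamp(string $stamp, string $sessionKey, string $action,
                          int $now, int $maxAge = FORM_MAX_AGE): bool
{
    $parts = explode('.', $stamp, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false;
    }
    [$ts, $mac] = $parts;
    $expected = hash_hmac('sha256', $action . '|' . $ts, $sessionKey);
    if (!hash_equals($expected, $mac)) {
        return false;               // forged, or issued for another session or action
    }
    $age = $now - (int) $ts;
    return $age >= 0 && $age <= $maxAge;
}

// delete.php reduced to its decision logic so it can be exercised offline.
function handle_delete(string $method, array $post, string $sessionKey, int $now): string
{
    if ($method !== 'POST') {
        return 'rejected: not a POST request';
    }
    $id    = $post['id'] ?? null;
    $stamp = $post['stamp'] ?? null;
    if (!is_string($id) || !is_string($stamp) || !ctype_digit($id)) {
        return 'rejected: missing or malformed fields';
    }
    if (!check_form_stamp($stamp, $sessionKey, 'delete:' . $id, $now)) {
        return 'rejected: stale or forged stamp';
    }
    return 'deleted ' . (int) $id;  // the real script would delete the row here
}

$key   = bin2hex(random_bytes(32));
$t0    = 1700000000;                // constructed clock value
$stamp = issue_form_stamp($key, 'delete:123', $t0);

$cases = [
    'image-style GET'            => ['GET',  ['id' => '123'], $t0 + 1],
    'POST without stamp'         => ['POST', ['id' => '123'], $t0 + 1],
    'POST with guessed stamp'    => ['POST', ['id' => '123', 'stamp' => $t0 . '.' . str_repeat('0', 64)], $t0 + 1],
    'form submitted after 4 s'   => ['POST', ['id' => '123', 'stamp' => $stamp], $t0 + 4],
    'form submitted after 30 s'  => ['POST', ['id' => '123', 'stamp' => $stamp], $t0 + 30],
    'stamp reused for id 124'    => ['POST', ['id' => '124', 'stamp' => $stamp], $t0 + 4],
];

foreach ($cases as $label => [$method, $post, $now]) {
    printf("%-27s %s\n", $label . ':', handle_delete($method, $post, $key, $now));
}
```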


PHP variable insertion

This is a security threat that is mostly patched nowadays, but from time to time I come across servers without the patch so I guess it should be mentioned.

Back in the old days of PHP before PHP 4, it was common to pass data to PHP scripts directly as registered global variables. For example:

script.php?somevar=blahblah&anothervar=123

If your PHP server settings allow registered globals, variables somevar and anothervar will become global PHP variables $somevar (containing string "blahblah") and $anothervar (containing integer 123).

Sounds fun, since you don't need to use cumbersome $_GET['somevar'] and $_GET['anothervar'] (try to fast-type these too and you'll know what I'm talking about). But also it poses a security threat. Not by itself, of course, but by bad script design that misses to initialize variables before use, for example. If the attacker somehow finds out your variable names in your scripts (open-source, anyone?) and finds that you are using a variable without initializing it first, all he or she needs to do is to pass some value to that variable via URL as in the example above.

What does using "uninitialized" variables mean? It means you are using contents of a variable which you didn't use or set before:

PHP:





A beginner PHP programmer will assume that $somevar is NULL, if $a is not 1, so SQL will be valid. But a hacker will see the opportunity!

So, the most simple way to protect your scripts from such registered globals, is to turn the register_globals directive OFF. Most PHP servers nowadays have this by default, but always check your PHP.ini (where the directive is) to make sure.

If you don't have access to PHP.ini, write an empty script with one simple call to phpinfo(); That will print out server settings and you can see if register_globals is on or off.

If you can't modify your PHP.ini, you can set this directive through .htaccess, if the server settings allow you to:

php_flag register_globals off

Or, call your server administrator and demand this directive in your PHP.ini.

Speaking of phpinfo(), and as we have mentioned earlier, it is wise to set your PHP server to suppress any output of errors, except to a log file, because error reporting can reveal sensitive information about your website: script location on the server and database table structure, if an SQL error is being reported. PHP4 and above, by default, does not report MySQL SQL errors, so admins write their own code to report SQL errors. Be careful where you report such errors. You don't want everyone to know your table structure.


Input validation

Last but not least, one additional step in protecting your scripts and content is input validation. Validate ALL data that your scripts receive. See if all POST vars are in place, since attackers may try to send partial POST requests to try and crash your site, and respond properly. Initialize ALL your variables (regardless of register_globals directive) before you use them, to a default value. Check for allowed characters in string variables, and allowed ranges in integer variables, especially if these are used as identifiers in the database.

In addition, do another such validation via Javascript. Valid users will have Javascript check for errors, and hackers will try to avoid Javascript and send data directly. In this case, when your scripts recognize such errors, do not report, simply silently route to your main index.php. This will leave hackers in darkness, they will not know if their attempt did anything wrong, they will not have access to the logic in your code.

You can also track IPs of attempted SQL injections, and automatically ban users who attempted an attack. This works effectively with double protection, where Javascript ensures legitimate users to pass valid data, and all invalid data therefore belongs to hackers, so you can cut them off automatically and effectively.

Note that with this last you introduce a drawback to your website. Hackers can exploit automatic banning and do a series of attacks from major provider IP addresses, effectively shutting down your site to legitimate users who access your site from same provider IPs. So, be careful how and when you ban your users.


Final Notes

In this tutorial we have covered some common PHP script security threats. You are advised to seek out more information on the subject since hackers are becoming smarter and smarter every day, devising new ways to hack into your system. Also, the solutions presented in this tutorial are not all that there is, but are most common ways of patching. There are surely better and more clever ways to protect your scripts.

At any rate, if you're beginner in PHP, make sure you incorporate protections presented here in your coding so that it becomes automatic. So automatic that you never, ever insert value from a variable into SQL without escaping sensitive chars or typecasting to int, for example, since SQL injections are always attempted first, when attacking a server.


Data types

PHP stores whole numbers in a platform-dependent range. This range is typically that of 32-bit signed integers. Integer variables can be assigned using decimal (positive and negative), octal and hexadecimal notations. Real numbers are also stored in a platform-specific range. They can be specified using floating point notation, or two forms of scientific notation.

PHP has a native Boolean type, named "boolean", similar to the native Boolean types in Java and C++. Using the Boolean type conversion rules, non-zero values are interpreted as true and zero as false, as in Perl.

There are eight data types in PHP:

  1. Integer
  2. Double
  3. Boolean
  4. String
  5. Object
  6. Array
  7. Null
  8. Resource

The null data type represents a variable that has no value. The only value in the null data type is NULL.

Variables of the "resource" type represent references to resources from external sources. These are typically created by functions from a particular extension, and can only be processed by functions from the same extension. Examples include file, image and database resources.

Arrays support both numeric and string indices, and are heterogeneous. Arrays can contain elements of any type that PHP can handle, including resources, objects, and even other arrays. Order is preserved in lists of values and in hashes with both keys and values, and the two can be intermingled.

40 Tips for optimizing your php code

  1. If a method can be static, declare it static. Speed improvement is by a factor of 4.


  2. echo is faster than print.

  3. Use echo's multiple parameters instead of string concatenation.

  4. Set the maxvalue for your for-loops before and not in the loop.

  5. Unset your variables to free memory, especially large arrays.

  6. Avoid magic like __get, __set, __autoload

  7. require_once() is expensive

  8. Use full paths in includes and requires, less time spent on resolving the OS paths.

  9. If you need to find out the time when the script started executing, $_SERVER['REQUEST_TIME'] is preferred to time()


  10. See if you can use strncasecmp, strpbrk and stripos instead of regex

  11. str_replace is faster than preg_replace, but strtr is faster than str_replace by a factor of 4

  12. If the function, such as string replacement function, accepts both arrays and single characters as arguments, and if your argument list is not too long, consider writing a few redundant replacement statements, passing one character at a time, instead of one line of code that accepts arrays as search and replace arguments.

  13. It's better to use switch statements than multiple if, else if statements.

  14. Error suppression with @ is very slow.

  15. Turn on apache's mod_deflate

  16. Close your database connections when you're done with them

  17. $row['id'] is 7 times faster than $row[id]

  18. Error messages are expensive

  19. Do not use functions inside of for loop, such as for ($x=0; $x <>

  20. Incrementing a local variable in a method is the fastest. Nearly the same as calling a local variable in a function.


  21. Incrementing a global variable is 2 times slower than a local var.

  22. Incrementing an object property (eg. $this->prop++) is 3 times slower than a local variable.

  23. Incrementing an undefined local variable is 9-10 times slower than a pre-initialized one.

  24. Just declaring a global variable without using it in a function also slows things down (by about the same amount as incrementing a local var). PHP probably does a check to see if the global exists.

  25. Method invocation appears to be independent of the number of methods defined in the class because I added 10 more methods to the test class (before and after the test method) with no change in performance.

  26. Methods in derived classes run faster than ones defined in the base class.

  27. A function call with one parameter and an empty function body takes about the same time as doing 7-8 $localvar++ operations. A similar method call is of course about 15 $localvar++ operations.

  28. Surrounding your string by ' instead of " will make things interpret a little faster since php looks for variables inside "..." but not inside '...'. Of course you can only do this when you don't need to have variables in the string.


  29. When echoing strings it's faster to separate them by comma instead of dot. Note: This only works with echo, which is a function that can take several strings as arguments.

  30. A PHP script will be served at least 2-10 times slower than a static HTML page by Apache. Try to use more static HTML pages and fewer scripts.

  31. Your PHP scripts are recompiled every time unless the scripts are cached. Install a PHP caching product to typically increase performance by 25-100% by removing compile times.

  32. Cache as much as possible. Use memcached - memcached is a high-performance memory object caching system intended to speed up dynamic web applications by alleviating database load. OP code caches are useful so that your script does not have to be compiled on every request

  33. When working with strings and you need to check that the string is of a certain length, you'd understandably want to use the strlen() function. This function is pretty quick since its operation does not perform any calculation but merely returns the already known length of a string available in the zval structure (internal C struct used to store variables in PHP). However, because strlen() is a function, it is still somewhat slow because the function call requires several operations such as lowercase & hashtable lookup followed by the execution of said function. In some instances you can improve the speed of your code by using an isset() trick.




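    Ex.

    if (strlen($foo) < 5) { echo "Foo is too short"; }

    vs.

    // Offset 4 is the fifth character, so it is unset exactly when strlen($foo) < 5.
    // Square brackets are used because the {} string-offset syntax was removed in PHP 8.
    if (!isset($foo[4])) { echo "Foo is too short"; }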



    Calling isset() happens to be faster than strlen() because unlike strlen(), isset() is a language construct and not a function, meaning that its execution does not require function lookups and lowercase. This means you have virtually no overhead on top of the actual code that determines the string's length.


  34. When incrementing or decrementing the value of a variable, $i++ happens to be a tad slower than ++$i. This is something PHP specific and does not apply to other languages, so don't go modifying your C or Java code thinking it'll suddenly become faster; it won't. ++$i happens to be faster in PHP because instead of the 4 opcodes used for $i++ you only need 3. Post-incrementation actually causes the creation of a temporary var that is then incremented, while pre-incrementation increases the original value directly. This is one of the optimizations that opcode optimizers like Zend's PHP optimizer perform. It is still a good idea to keep in mind since not all opcode optimizers perform this optimization and there are plenty of ISPs and servers running without an opcode optimizer.

  35. Not everything has to be OOP, often it is too much overhead, each method and object call consumes a lot of memory.

  36. Do not implement every data structure as a class, arrays are useful, too

  37. Don't split methods too much, think, which code you will really re-use

  38. You can always split the code of a method later, when needed

  39. Make use of the countless predefined functions

  40. If you have very time consuming functions in your code, consider writing them as C extensions

What is PHP Social Networking Software?

For those who are unaware of some of the programming languages, things like a PHP social networking script can seem rather strange. However, if you are willing to take the time to really learn about some of the various programming languages, you may discover that this is actually one of the best choices available. In the past, the majority of websites were all created using HTML; in recent years this has rapidly declined as more advanced programming languages were created. PHP is one example of the new programming languages that are available.

PHP social networking software is quite popular for several reasons. One of the biggest advantages that PHP social networking software has is the ability to be much larger and complex than HTML based programs. For someone who is looking into building a website based around social networking this is important because it allows you to really work at building a site that is large enough as well as stable enough to handle the needs of everyone who may call your website home. PHP social networking script has several ways you can purchase it as well; there are even some versions that are free which can provide you with a very low cost alternative as well.

Looking to find and even build a monster website in the past meant that you would need to have a lot of room for hosting your website, as well as deal with a lot of slow bandwidth issues if your site became very busy. PHP social networking software helps to eliminate some of these problems by providing a much more powerful, versatile and quick loading option that will still do exactly what you need done, without worrying over all of the minor details. However, if you are not able to find a prepackaged version of the PHP networking software you are likely to need someone to script it for you.

PHP is a highly complex language to learn and most people when attempting to learn it become very frustrated with the entire mechanics of the language. Very few who attempt to learn are actually able to build their own site using PHP, yet it provides numerous benefits in terms of what is possible to be done with your site. PHP is one of the best choices that is around in the ability to integrate some of the various components together with other pieces of software to create a completely customized solution. Other programming languages are not always as easy to integrate, however the ultimate decision over which programming language to choose varies greatly.

One of the largest well-known examples of PHP social networking software is Facebook, a site that has been scripted and designed largely using PHP as the primary language. MySpace is the largest and one of the most well-known social networking sites, and many of the same features can be integrated into a PHP social network software package easily. One of the biggest tasks that you will discover is often choosing which features you are most interested in; this will often determine exactly what software you need to use. Of course, while most programming languages can be designed to do what you want, there are some that are much more effective than others at the job. Choosing a program that is able to handle your needs quickly and efficiently is not always easy, but starting with at least determining what you are looking for will allow you to make a very informed decision about whether PHP social networking software is the best choice for you.

You may be confused and you may not understand PHP at all, but this will not stop your ability to quickly and easily decide upon the best solution for your needs. You may end up discovering that PHP is much too complex for your needs, out of your budget, or plain inappropriate overall. There are plenty of options that you have and looking at a PHP social networking software should be just one of the many options that you explore in your quest to find the solution that is best suited to your needs, rather than the needs of someone else.

Time is ultimately money. Deciding what is important to you is a necessity and something that you need to be able to do on your own. Exploring PHP social network software may be your ultimate solution, or possibly grossly inappropriate, but it is up to you to decide for sure.

Find The Right PHP Classified Ads Script

Online business has become more of a way of living for many people after the advent of many utilities and version updates of software brought about by various active and competent companies. Server side classifieds software can be used to create several kinds of showrooms for online buyers. The internet market is vastly developing and hence it is only wise to adapt the use of technologies to those that are appropriate. Classified ads have become more relevant and more attractive to the user, and they can be integrated with many software packages for efficient marketing and reach. When integrated with the billing software, the entire process of e-business becomes much simpler.

With a database at its centre, a PHP classified ads script offers highly efficient results based on the queries to it. This is used to convey the deals on offer with their reference, details of the brand, indexed by a reference id or product id, and the pricing details and the formalities thereafter. Apart from producing highly appreciable results, such a classified ads script also has the potential to turn services into more value-added businesses. The potential to produce relevant advertising, incorporate dynamism with the display, and adapt the display to the theme of the site or page are very interesting features.

Languages such as PHP and Perl have gained appreciation and wider usage in today's scenario of Web 2.0 technologies. A PHP ads script, a more popularly searched-for tool compared to many other software of a similar kind, is very dynamic and more relevant to the end user. For example, a PHP ads script, when installed on a server and used properly, can be used on a variety of hosting environments with only minute changes, as long as they support the PHP versions required, and produces ads that are more attractive, relevant and, most importantly, reachable for the end user. This means simple business ads are better marketed with such scripts. It is easily maintainable with the admin interface that usually comes along with such PHP ads. Usually no coding is required to customize such software. For example, a PHP classified ads script may be easily customized to set up an automated online catalog of properties for sale or a car or automotive business, and impress potential buyers with requirements, which will be effectively used for the ads display.

Complete details of the product can be used to build a proper databank along with the exact details of the product in question, and this can be easily maintained from any web browser. Customization can be specific to inventory; for instance, in automotive business, the classified script can be customized to list specific models or brands, the location of the buyer, the features available with a model, or anything with a classifiable requirement.

Assigning such tags and categories makes dynamic advertising all the easier, and the ads will not be thrown away by the user or qualified as adware by web bots scanning all the time. In short, a PHP classified ads script makes the updating of records in the database table easier because of the categorical approach.

Online billing is at a new level with advancements such as these PHP ads. Server side scripting disallows any ambiguity over the usage of the software by the client. Online billing software can be integrated with the PHP scripts for various payment methods applicable or offered to the consumer or visitor online. Advanced versions have multiple utilities with better querying facilitating its purpose for each requirement with their own custom fields. Such PHP classified ads script comes along with facilities to include pay per click advertising, time limited advertising and even link exchange programs.

The advantages dismiss the downfalls of such software. PHP classifieds scripts feature ease of use, ease of installation and support documentation that will always invite an online billing software owner to use these services. Further, the ability to customize every part of the script (if technically qualified) and FTP access also provide an added advantage to the billing methods. The integration with the online billing software is a cause of concern to security analysts because it can open a gap for hackers, although it is not always a concern with advanced versions.

PHP classified ads scripts usually come with Google-compatible tools for statistics and search engine optimization and hence are very useful in making businesses more productive. Such software provides an easy interface and the ability to integrate with online billing software and usage statistics.

On a final note, PHP classified ads scripts have everything you need to script your online business and make it more value-adding to the customer.

Using old code with new versions of PHP

Now that PHP has grown to be a popular scripting language, there are a lot of public repositories and libraries containing code you can reuse. The PHP developers have largely tried to preserve backwards compatibility, so a script written for an older version will run (ideally) without changes in a newer version of PHP. In practice, some changes will usually be needed.

Two of the most important recent changes that affect old code are:

  • The deprecation of the old $HTTP_*_VARS arrays (which need to be indicated as global when used inside a function or method). The following superglobal arrays were introduced in PHP 4.1.0. They are: $_GET, $_POST, $_COOKIE, $_SERVER, $_FILES, $_ENV, $_REQUEST, and $_SESSION. The older $HTTP_*_VARS arrays, such as $HTTP_POST_VARS, still exist as they have since PHP 3. As of PHP 5.0.0, the long PHP predefined variable arrays may be disabled with the register_long_arrays directive.
  • External variables are no longer registered in the global scope by default. In other words, as of PHP 4.2.0 the PHP directive register_globals is off by default in php.ini. The preferred method of accessing these values is via the superglobal arrays mentioned above. Older scripts, books, and tutorials may rely on this directive being on. If it were on, for example, one could use $id from the URL http://www.example.com/foo.php?id=42. Whether on or off, $_GET['id'] is available.

For more details on these changes, see the section on predefined variables and links therein.
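
The migration described above, as an added example that is not part of the original page or of the PHP manual: a handler rewritten to read a validated value from the superglobal-style array instead of $HTTP_GET_VARS or a request-registered global. The names request_int, show_item and $is_admin are hypothetical, the query strings are constructed samples, and PHP 7.1 or later is assumed.

```php
<?php
declare(strict_types=1);

// Legacy pattern (comments only; it depends on the settings described above):
//
//   function show_item() {
//       global $HTTP_GET_VARS;          // long arrays are not superglobal
//       $id = $HTTP_GET_VARS['id'];     // breaks when register_long_arrays is off
//   }
//   if ($is_admin) { ... }              // with register_globals on, a request
//                                       // parameter named is_admin defined this

/**
 * Hypothetical helper: fetch a positive integer parameter from a
 * superglobal-style array, or null if it is missing or malformed.
 */
function request_int(array $source, string $name, int $max = PHP_INT_MAX): ?int
{
    if (!isset($source[$name]) || !is_string($source[$name])) {
        return null; // absent, or array input such as ?id[]=1
    }
    $value = filter_var(
        $source[$name],
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => $max]]
    );
    return $value === false ? null : $value;
}

// Migrated handler: reads only from the array it is given and initialises
// every variable it later tests.
function show_item(array $get): string
{
    $is_admin = false; // set by server-side logic only, never by the request
    $id = request_int($get, 'id');
    if ($id === null) {
        return 'invalid id';
    }
    return sprintf('item %d (admin: %s)', $id, $is_admin ? 'yes' : 'no');
}

// Constructed query strings standing in for foo.php?... so this runs from the CLI.
$samples = ['id=42', 'id=42&is_admin=1', 'id=abc', 'id[]=42', 'id=-1', ''];
foreach ($samples as $query) {
    parse_str($query, $get); // parses a query string the way PHP fills $_GET
    printf("%-18s => %s\n", $query === '' ? '(empty)' : $query, show_item($get));
}
```

In a real request handler the call would be show_item($_GET); the extra is_admin parameter in the second sample has no effect because nothing copies request keys into local variables.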

PHP History

PHP was written as a set of Common Gateway Interface (CGI) binaries in the C programming language by the Danish/Greenlandic programmer Rasmus Lerdorf in 1994, to replace a small set of Perl scripts he had been using to maintain his personal homepage.[3] Lerdorf initially created PHP to display his résumé and to collect certain data, such as how much traffic his page was receiving. Personal Home Page Tools was publicly released on 8 June 1995 after Lerdorf combined it with his own Form Interpreter to create PHP/FI (this release is considered PHP version 2).[4]

Zeev Suraski and Andi Gutmans, two Israeli developers at the Technion IIT, rewrote the parser in 1997 and formed the base of PHP 3, changing the language's name to the recursive initialism PHP: Hypertext Preprocessor. The development team officially released PHP/FI 2 in November 1997 after months of beta testing. Public testing of PHP 3 began and the official launch came in June 1998. Suraski and Gutmans then started a new rewrite of PHP's core, producing the Zend Engine in 1999.[5] They also founded Zend Technologies in Ramat Gan, Israel, which actively manages the development of PHP.

In May 2000, PHP 4, powered by the Zend Engine 1.0, was released. The most recent update released by The PHP Group is for the older PHP version 4 code branch, which, as of January 2008, is up to version 4.4.8. PHP 4 will be supported by security updates until August 8, 2008.[6]

On July 13, 2004, PHP 5 was released, powered by the new Zend Engine II. PHP 5 included new features such as:[7]

* Improved support for object-oriented programming
* The PHP Data Objects extension, which defines a lightweight and consistent interface for accessing databases
* Performance enhancements
* Better support for MySQL and MSSQL
* Embedded support for SQLite
* Integrated SOAP support
* Data iterators
* Error handling via exceptions

Currently, PHP 5.x is the only stable version that is being actively developed; active development on PHP 4 ceased at the end of 2007. However, critical security updates for PHP 4 will be provided until August 8, 2008.[8] PHP 6 is currently under development, and is slated to release in conjunction with the decommission of PHP 4. As a result of the GoPHP5 initiative, many high profile open source projects ceased to support PHP 4 in new code as of 5 February 2008.[9]