June 2009

The future of PHP


A few changes in PHP 6:

This post is mainly about what is being removed (and will no doubt break countless scripts out there):

  • magic quotes
  • register_globals
  • register_long_arrays
  • safe_mode

magic_quotes


// Assuming magic_quotes is on: the quotes in the input have been escaped by PHP,
// and that escaping is the only thing standing between this query and SQL injection
$sql = "INSERT INTO USERS (USERNAME) VALUES ('{$_GET['username']}')";

// Using a proper parameterised query instead (PDO, MySQL driver)
$statement = $dbh->prepare("INSERT INTO USERS (USERNAME) VALUES (?)");
$statement->execute(array($_GET['username']));

Obviously the get_magic_quotes_gpc() function will no longer be available.
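The two snippets above show the before and after; the following is an added example (not code from the original post) of how a script can be written so that it behaves the same whether magic_quotes_gpc is still on or has been removed: strip the automatic escaping when it is present, then hand the raw value to a parameterised insert. It uses an in-memory SQLite database so it runs on its own; on a real site $dbh would be the application's existing PDO connection, and the sample usernames are constructed values standing in for $_GET['username'].

```php
<?php
// Added example, not from the original post. Assumes the pdo_sqlite extension is
// available; in production $dbh is the application's own PDO connection.

// Undo the escaping that magic_quotes adds so the application sees the raw value.
// get_magic_quotes_gpc() exists in PHP 5 and is removed later, so guard the call
// with function_exists() rather than assuming either state.
function raw_input($value)
{
    if (is_array($value)) {
        return array_map('raw_input', $value);
    }
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Insert a username using a bound parameter; the driver keeps data and SQL apart,
// so a quote in the value is stored as a quote rather than interpreted as SQL.
function add_user(PDO $dbh, $username)
{
    $statement = $dbh->prepare("INSERT INTO USERS (USERNAME) VALUES (?)");
    $statement->execute(array($username));
    return (int) $dbh->lastInsertId();
}

function user_count(PDO $dbh)
{
    return (int) $dbh->query("SELECT COUNT(*) FROM USERS")->fetchColumn();
}

function username_by_id(PDO $dbh, $id)
{
    $statement = $dbh->prepare("SELECT USERNAME FROM USERS WHERE ID = ?");
    $statement->execute(array($id));
    return $statement->fetchColumn();
}

$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec("CREATE TABLE USERS (ID INTEGER PRIMARY KEY, USERNAME TEXT NOT NULL)");

// Constructed sample input standing in for $_GET['username']. The second value is
// the classic quote-and-comment probe; with a bound parameter it is stored
// literally and the table is untouched.
$samples = array("alice", "x'); DROP TABLE USERS; --");
foreach ($samples as $name) {
    add_user($dbh, raw_input($name));
}

// Print the row count and the second stored name to show both rows survived
// and the probe was stored verbatim.
echo user_count($dbh), "\n";
echo username_by_id($dbh, 2), "\n";
```

raw_input() is only a migration aid: once the code base no longer runs anywhere with magic_quotes enabled, the stripslashes() branch is dead and can be deleted, while the prepared statement stays.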

register_globals

// A security hole: if register_globals is on, the value of $user_authorised can be
// set by a user simply by sending it in the query string,
// e.g. www.example.com/index.php?user_authorised=true
if ($user_authorised) {
    // show all the data
}

// Being specific: derive the flag from the session, never from a variable
// that may have been populated from the request
function is_authorised() {
    if (isset($_SESSION['user'])) {
        return true;
    } else {
        return false;
    }
}
$user_authorised = is_authorised();

register_long_arrays

Using the deprecated long arrays:

// Echo the name of the user given on the query string, e.g.
// http://www.example.com/index.php?username=notgood
echo "Welcome, {$HTTP_GET_VARS['username']}";

Using $_GET instead:

// Using the supported $_GET array instead (and escaping the value before
// echoing it into HTML)
echo "Welcome, " . htmlspecialchars($_GET['username']);

safe_mode

This was originally designed to ensure that the owner of a file being operated on matches the owner of the script that is executing. It was an attempt to handle security on a shared server environment (as many ISPs would have). It is outside the scope of this blog to document the numerous functions affected by this change, so consult your documentation.
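With safe_mode gone, a script that works on files in a shared-hosting directory can perform the same owner comparison itself before touching a file. The following is an added example, not code from the original post: fileowner() and getmyuid() are standard PHP functions, and the temporary file is constructed so the example runs on its own on a POSIX system.

```php
<?php
// Added example, not from the original post. Assumes a POSIX system where file
// ownership is meaningful and the script runs as an unprivileged user.

// Return true only if $path resolves to a regular file owned by the same uid
// that owns this script, which is the comparison safe_mode used to make.
function owned_by_script($path)
{
    $real = realpath($path);             // resolve symlinks so the target is checked
    if ($real === false || !is_file($real)) {
        return false;                    // missing file, or not a regular file
    }
    return fileowner($real) === getmyuid();
}

// Open a file for reading only after the ownership check has passed.
function open_owned_file($path)
{
    if (!owned_by_script($path)) {
        throw new RuntimeException("Refusing to open $path: not owned by this script's user");
    }
    return fopen($path, 'r');
}

// Constructed sample: a temp file created by this process, therefore owned by it.
$mine = tempnam(sys_get_temp_dir(), 'owned');
file_put_contents($mine, "hello\n");
$fh = open_owned_file($mine);
echo fgets($fh);
fclose($fh);
unlink($mine);

// /etc/hosts is normally owned by root, so the check rejects it unless this
// script is itself running as root.
try {
    open_owned_file('/etc/hosts');
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

The check is deliberately done on the resolved path, so a symbolic link owned by the script's user pointing at someone else's file is still rejected. On a multi-user host this belongs alongside, not instead of, filesystem permissions and the web server's own per-site user separation.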


WordPress Tips


Ongoing tips and tricks for WordPress installations:

1) By default WordPress adds a version number to the header of blog pages.

<meta name="generator" content="WordPress 2.7" />

Unfortunately this information is valuable to attackers, as it lets them single out blogs running older and less secure versions of WordPress. To remove this version number from the header, add this line to the functions.php file in your theme's folder:

<?php remove_action('wp_head', 'wp_generator'); ?>
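The generator tag is not the only place the version number appears: WordPress also writes it into the RSS feeds and, by default, into the ?ver= query string of the scripts and styles it enqueues. The following functions.php fragment is an added example, not code from the original post; it uses WordPress's own hook names (remove_action, the_generator, style_loader_src, script_loader_src, remove_query_arg) and assumes it is loaded from the active theme's functions.php.

```php
<?php
// Added example, not from the original post. Assumes this file is the active
// theme's functions.php, so WordPress has already defined the hook functions.

// 1. Drop the <meta name="generator"> tag from wp_head (the tip above)
remove_action('wp_head', 'wp_generator');

// 2. Blank the generator element WordPress writes into feeds
add_filter('the_generator', 'hide_wp_generator');
function hide_wp_generator($generator)
{
    return '';
}

// 3. Strip ?ver=<version> from enqueued script and style URLs so the version
//    is not visible in the page source either
add_filter('style_loader_src', 'strip_wp_version_query');
add_filter('script_loader_src', 'strip_wp_version_query');
function strip_wp_version_query($src)
{
    return remove_query_arg('ver', $src);
}
```

One trade-off to be aware of: the ?ver= parameter also serves as a cache buster, so after removing it a browser may keep serving an old copy of a script until its cache expires. Hiding the number is a small hurdle, not a substitute for keeping WordPress updated.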

2) Since WordPress 2.6 there are document revisions allowing access to all previous versions. This is a fantastic feature for blogs with multiple authors and multiple versions of documents; however many of us do not require this functionality. These post revisions also increase the size of the wp_posts table as each revision creates a new row.

To disable revisions, add the following line to your wp-config.php file:

define('WP_POST_REVISIONS', false);

3) Hot linking is the unauthorised linking of images or downloads on your website from another site. Basically the images are hosted on your website and other websites point their image tags at your files, essentially stealing your bandwidth. If people are 'hotlinking' to your image files, they are using bandwidth which you pay for one way or another, either in bandwidth charges or in performance.
You can edit your .htaccess file to disable this behaviour:

RewriteEngine On
# Allow requests with no referer (direct links, some proxies) through
RewriteCond %{HTTP_REFERER} !^$
# Allow requests whose referer is this site (or a subdomain of it)
RewriteCond %{HTTP_REFERER} !^https?://(.*\.)?yourservername\.com [NC]
# Everything else asking for an image gets 403 Forbidden
RewriteRule \.(jpeg|jpg|gif|png)$ - [F]

4) Users can of course print from your blog directly from their browser; however, you can simplify this by providing a print button right there on the post.

Edit the single.php file (for individual posts) in the relevant theme folder and add the following code wherever you want the print option to appear:

<a href="javascript:window.print()" rel="nofollow">Print post</a>
