Bits of Wisdom

Usualy  it’s no big deal, uncomment

extension=php_oci8.dll

in php.ini and you are ready to go.

If you are unlucky you can have an outdated oracle instance you can not upgrade (say oracle 8.1)

This might result in erros like

Entry point OCIStmtPrepare2 could not be located

or

OCI.dll could not be loaded

This means you’re apache has problems accessing the OCI.dll in your oracle/bin directory. Or the versions may be incompartible. Or something may be very wrong with your Oracle installation. Anyhow, there is a very dirty hack:

• Get the Oracle instant client, extract it
• Copy the contents of your instant client to apache/bin (this includes OCI.dll and a lot of other files)
• Restart Apache
• Profit!

Another possible error

ORA-12705: Cannot access NLS data files or invalid environment specified

Solution: unset the NLS_LANG variable. This may be in the enviroment, but it may also be in the registry (HKEY_LOCAL_MACHINE\SOFTWARE\ORACLE). A possible good setting might be AMERICAN_AMERICA.WE8MSWIN1252

Longtail is one of the best flv players out there, but it has some shortcommings:

Missing callback function closeplayer

Internt Explorer has currently problems with IE 8 (IE 6 confirmed). This results from a missing callback function. Solution in wordpress enviroment:

<span id="flashholder">
<span id="mplayer">
<!-- here's your standard flash link, the rest does the magic -->
</span>
</span>

<script>

function closeplayer() {
document.getElementById(‘flashholder’).removeChild(document.getElementById(‘myplayer’));
}

window.onbeforeunload=’closeplayer()’

</script>

Found at longtail support forums

Accessing XML playlists over SSL may cause problems

Restrictive session settings cause IE to keep flash from accessing the downloaded xml file myextractXML.php.

Bad HTTP headers:

Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache


Good HTTP Headers

Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: private, max-age=-1 pre-check=-1
Pragma: public

You can experiment with php.ini configs
session.cache_limiter = private
session.cache_expire

But you’ll experience IE 6 chaching problems (IE 6 must die).

Best to set the headers correctly in the files you deliver. In wordtube it’s myextractXML.php

SANS.org has put togehter a list of the most dangerous – and often encountered – programming errors. Nothing realy new here, but nicely put together:

CATEGORY: Insecure Interaction Between Components

CWE-20: Improper Input Validation

It’s the number one killer of healthy software, so you’re just asking for trouble if you don’t ensure that your input conforms to expectations…MORE >>

CWE-116: Improper Encoding or Escaping of Output

Computers have a strange habit of doing what you say, not what you mean. Insufficient output encoding is the often-ignored sibling to poor input validation, but it is at the root of most injection-based attacks, which are all the rage these days…MORE >>

CWE-89: Failure to Preserve SQL Query Structure (aka ‘SQL Injection’)

If attackers can influence the SQL that you use to communicate with your database, then they can…MORE >>

CWE-79: Failure to Preserve Web Page Structure (aka ‘Cross-site Scripting’)

Cross-site scripting (XSS) is one of the most prevalent, obstinate, and dangerous vulnerabilities in web applications…If you’re not careful, attackers can…MORE >>

CWE-78: Failure to Preserve OS Command Structure (aka ‘OS Command Injection’)

When you invoke another program on the operating system, but you allow untrusted inputs to be fed into the command string that you generate for executing the program, then you are inviting attackers…MORE >>

CWE-319: Cleartext Transmission of Sensitive Information

If your software sends sensitive information across a network, such as private data or authentication credentials, that information crosses many…MORE >>

CWE-352: Cross-Site Request Forgery (CSRF)

With cross-site request forgery, the attacker gets the victim to activate a request that goes to your site. Thanks to scripting and the way the web works in general, the victim…MORE >>

CWE-362: Race Condition

Attackers will consciously look to exploit race conditions to cause chaos or get your application to cough up something valuable…MORE >>

CWE-209: Error Message Information Leak

If you use chatty error messages, then they could disclose secrets to any attacker who dares to misuse your software. The secrets could cover a wide range of valuable data…MORE >>

CATEGORY: Risky Resource Management

CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer

Buffer overflows are Mother Nature’s little reminder of that law of physics that says if you try to put more stuff into a container than it can hold, you’re…MORE >>

CWE-642: External Control of Critical State Data

There are many ways to store user state data without the overhead of a database. Unfortunately, if you store that data in a place where an attacker can…MORE >>

CWE-73: External Control of File Name or Path

When you use an outsider’s input while constructing a filename, you’re taking a chance. If you’re not careful, an attacker could… MORE >>

CWE-426: Untrusted Search Path

If a resource search path is under attacker control, then the attacker can modify it to point to resources of the attacker’s choosing. This causes the software to access the wrong resources at the wrong time…MORE >>

CWE-94: Failure to Control Generation of Code (aka ‘Code Injection’)

For ease of development, sometimes you can’t beat using a couple lines of code to employ lots of functionality. It’s even cooler when…MORE >>

CWE-494: Download of Code Without Integrity Check

You don’t need to be a guru to realize that if you download code and execute it, you’re trusting that the source of that code isn’t malicious. But attackers can perform all sorts of tricks…MORE >>

CWE-404: Improper Resource Shutdown or Release

When your precious system resources have reached their end-of-life, you need to…MORE >>

CWE-665: Improper Initialization

Just as you should start your day with a healthy breakfast, proper initialization helps to ensure…MORE >>

CWE-682: Incorrect Calculation

When attackers have some control over the inputs that are used in numeric calculations, this weakness can lead to vulnerabilities. It could cause you to make incorrect security decisions. It might cause you to…MORE >>

CATEGORY: Porous Defenses

CWE-285: Improper Access Control (Authorization)

If you don’t ensure that your software’s users are only doing what they’re allowed to, then attackers will try to exploit your improper authorization and…MORE >>

CWE-327: Use of a Broken or Risky Cryptographic Algorithm

You may be tempted to develop your own encryption scheme in the hopes of making it difficult for attackers to crack. This kind of grow-your-own cryptography is a welcome sight to attackers…MORE >>

CWE-259: Hard-Coded Password

Hard-coding a secret account and password into your software’s authentication module is…MORE >>

CWE-732: Insecure Permission Assignment for Critical Resource

If you have critical programs, data stores, or configuration files with permissions that make your resources accessible to the world – well, that’s just what they’ll become…MORE >>

CWE-330: Use of Insufficiently Random Values

If you use security features that require good randomness, but you don’t provide it, then you’ll have attackers laughing all the way to the bank…MORE >>

CWE-250: Execution with Unnecessary Privileges

Spider Man, the well-known comic superhero, lives by the motto “With great power comes great responsibility.” Your software may need special privileges to perform certain operations, but wielding those privileges longer than necessary can be extremely risky…MORE >>

CWE-602: Client-Side Enforcement of Server-Side Security

Remember that underneath that fancy GUI, it’s just code. Attackers can reverse engineer your client and write their own custom clients that leave out certain inconvenient features like all those pesky security controls…MORE >>

swfupload is a great utility to do fancy uploads. Supports multiple uploads at once, nice progress bars, uses flash. So all things have good and bad sides.

If you work in a distributed enviroment and want to upload not to your metadata server but to one of you satelite-servers, flash says: no cross domain posting. But there is a workaround. Create a crossdomain.xml in the root folder of the server you’re uploading to. It should look a bit like this

<?xml version=”1.0″?>
<!DOCTYPE cross-domain-policy
SYSTEM “http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd”>
<cross-domain-policy>
<allow-access-from domain=”tintifax.yourdomain.com” />
<allow-access-from domain=”*.otherdomain.com” />
</cross-domain-policy>

In short: the correct way is to nest a select with a ROWNUM < X around it.
Example:

select *
from (
select *
from emp order by sal desc
)
where ROWNUM <= 5;


In more detail: Ask Tom

Using an external Programm do do rewriting – in fact it can do anything depending on the request.

First a non-mentioned fact: if you use an external rewriting program  apache will spawn it as a child process. Yes, a deamon child spawned by mod_rewrite. Be shure to know what you do, otherwise you’ll do more harm than good.

First a simple rewrite Statement

RewriteEngine On
# define the rewrite map – videoMap will be spawned and used by rewrite rules. php-win does not open a window
RewriteMap videoMap “prg:c:/path/php-win.exe -c E:/path/to/php.ini/ E:/path/external_rewriteMap.php”

# match for /video/v= and throw anything after v= into the daemon child
RewriteRule ^/video/v=(.*) /vardump.php?param=${videoMap:$1} [NC]

# RewriteLock file is needed for process communication
RewriteLock rewriteLockFile.txt

The PHP file for it

<?php

// HERE BE DRAGONS
// as php runs as daemon, NEVER exit(), and note that input comes from STDIN as we are piping

while($input = trim(fgets(STDIN, 1024))) {
if ($input) {
fputs(STDOUT, decode($input) ); // IMPORTANT: write out result to STDOUT
}
fputs(STDOUT, “\n” ); // end processing for this line with linebreak
flush(); // flush sends the result to STDOUT, this is very important to, no buffering
}

function decode($encoded) {
// some code to decode encrypted request parameters
}

?>

Pitfalls for the php: if your php deamon exits, your rewritemap will return nothing. Make shure apache has a php child. Testing is a pain as you can use $argv[] while writing your php, but you need STDIN in the apache version. Make shure you pass the correct php ini when spawning the php process (-c path/to/php.ini/ )

Problem: svn add auf ein directory ausgeführt, in dem auch Dateien liegen die nicht ins svn sollen

Lösung: Erstaunlich einfach, svn revert macht svn add rückgängig. Manchmal ists schon zu einfach um gleich drauf zu kommen

As part of pear MDB2 is quite easy to get

pear install MDB2
pear install MDB2_Driver_$db

Usage is quite straigtforward too:

<?php

$dburl = “mysql://user:password@localhost/databaseName”;
require_once(“MDB2.php”);
$dbconnection = MDB2::factory($dburl);

$sql = “select * from users”;
$resultset = $dbconnection->query($sql);
if(PEAR::isError($resultset)) {
die(‘Failed to issue query, error message : ‘ . $resultset->getMessage());
}

while($row = $resultset->fetchRow(MDB2_FETCHMODE_ASSOC)) {
foreach($row as $field => $value) {
echo “$field / $value “;
}
}

/*************************************
* prepared statements are not to difficult
*************************************/
$sql = “UPDATE table SET column = ? WHERE id = ?”;
$types = array(‘integer’, ‘text’);
$statement = $con->prepare($sql, $types, MDB2_PREPARE_MANIP);
$data = array(5, ‘blah’);
$affected_rows = $statment->execute($data);
if(PEAR::isError($affected_rows)) {
// die etc.
}

?>

I have been trying around and i think i got it figuted out why mod_rewrite ignored the directives i gave for a directory. The simplified vhost file should explain

<VirtualHost 143.161.2.140:80>
DocumentRoot d:\Sites\app1
ServerName example.com

RewriteEngine on
RewriteLog logs/mod_rewrite.log
RewriteLogLevel 0

Alias /app2 “d:\Sites\eparcelroot\pages\eParcel”
<Directory d:\Sites\approot\pages\app2>

Options Indexes MultiViews FollowSymLinks
# without FollowSymLinks mod_rewrite does nothing in the direcotry

AllowOverride All
Order allow,deny
Allow from all

RewriteBase /app2
# without RewriteBase you’ll be stuck in the documentroot

RewriteCond   %{THE_REQUEST}   /download/
RewriteRule    download.php/(.*)/(.*)   download.php?id=$1&file=$2 [nocase,last]

</Directory>

</VirtualHost>

As Obtree dates back in the times before xhtml it takes a few tweaks to get the output to be xhtml conform.

In the StyleDefinition DefaultStyles add the following

<!– convert the sys-break of text objects from <br> to <br /> –>
<styledef sys-break>
<styleheader><br /></styleheader>
<stylefooter></stylefooter>
<stylepreview displayname=”sys-break” font=”sans-serif” size=”12″  color=”black” />
</styledef>

<!– change the <p> that a <sty sys-align-left> creates from<p> to a <div> – so you can use <h1> in it –>
<styledef sys-align-left>
<styleheader><div style=”padding-bottom: 12px”></styleheader>
<stylefooter></div></stylefooter>
<stylepreview displayname=”sys-break” font=”sans-serif” size=”12″  color=”black”/>
</styledef>