Category Archives: Php

Tunneling a multipart POST message through PHP and CURL

In this post I’m going to cover a particular solution to a given problem we’ve faced up in our last project. Let’s set the background: there is a complex web application under development on a shared virtual machine, installed on a subdomain of a public network that will change when going to production. We have also a commercial website hosted in a shared server under a domain that should not change, since it is our first step out of this virtual farm.

For this project, we require to integrate some cameras which send pictures via GPRS connections to the server, and we want to provide some user authentication to avoid having anybody posting whatever to this web service. So, we have developed a controller in Code Igniter which gets a camera ID / password from POST, and also the bytes for the image, and proceeds to do some filtering. For instance, camera ID and password should match with the values previously registered in the database, and the picture should be MIME image/jpeg, with a limit of 2MBs. Up to now, nothing special, tested and working with POSTS from the within the website.

The problem came when we found out that cameras only allow to send their information to a root domain, to a particular file, let’s say upload.php. So, we would only need to put this file in the root path and it’s done. Unfortunately, doing so in the application virtual server would result on flashing again all the cameras once we move to a new server and set up a final domain name. We might be able to install this receiver in the commercial website root path, but then we would require to send the message back to the application server in any way, so it is not the best solution we want to solve this issue.

‘Just add a domain that points to this subdomain and you are done’ would you say. Well, yes, that would have done the trick. Unfortunately, we cannot host this domain in the machine since we have no administrator rights on the servers farm. Nor can we just use this external domain because it produces an HTTP redirection which, to make things worse, is not supported by the camera. We’ve even tried with cloaking the url of the receiver with an external subdomain, with no success – since cloaking wraps the real content inside an iframe and it breaks the POST message.

What a headache! it seemed there was no way to implement the system with the full functionality we wanted…

Continue reading Tunneling a multipart POST message through PHP and CURL

Access Control List (ACL) with Code Igniter

In the last project I’ve worked on, I needed to install any kind of ACL to allow certain methods to be accessed only by some user roles, like website administration, etc. I’m building this website on Code Igniter, so I missed some related features that are available in other PHP frameworks like CakePHP or Zend.

After googling a bit, I found our several methods to get an ACL. Zend framework can be integrated into Code Igniter to use its library, but doesn’t seem really natural to me. I prefer having an previously constructed list, than building it ‘on the fly’ inside my code.

Then I fell into phpGACL, a free software project which allows to solve this problem on an easy way. It uses an API to connect to a database, where tuples of ‘controller’ – ‘method’ – ‘user’ can be stored (actually, AXO – ACO – ARO, acronyms of Access eXtended Object, Access Control Object, Access Request Object). And I developed my first version over this tool, on the most transparent way I was able to find:

Continue reading Access Control List (ACL) with Code Igniter

Creating Triggers in MySQL from PHP

On my last project, I needed to create tables periodically on a database, to partition data in several identical tables, named according to the year quarter. Instead of using MySQL 5.1 automatic partition, I preferred doing it in a more manual way, to allow accessing individual partitions if suitable to speed up queries.

So I wrote a php script that would run with a cron job and every three months, create a new table, add it some triggers, and remap a MyISAM merged table on another database. Clear and easy, at the beginning. Everything went right until I went for the triggers creation…

Continue reading Creating Triggers in MySQL from PHP

Protecting your application from exploits related to include()

Como hemos visto en capítulos anteriores sobre problemas de seguridad y sql injection, hay una serie de aspectos relacionados con la seguridad a tener en cuenta a la hora de diseñar una aplicación web. Uno de los más explotados es la falla abierta por un uso indebido de la función de php include().

Veamos un ejemplo:

1
2
3
4
5
6
7
8
<a href="?page=home.php">Home</a> | <a href="?page=contact.php">Contact</a>
< ?php
  $page = $_GET['page'];
  if ($page)
    include $page;
  else
    echo "404, page not found!";
?>

En el ejemplo anterior, pasamos como variable ‘$page’ el nombre del archivo (php en este caso, podrí­a ser html u otra extensión), que será cargado en la lí­nea correspondiente mediante ‘include()’. La ausencia de filtrado de esta variable puede dejar nuestra aplicación a merced de cualquier intruso poco experimentado, veamos por qué.
Continue reading Protecting your application from exploits related to include()

Formatting data in XML with PHP

Notice: Article only available in Spanish!

Ahora que ya he explicado cómo crear una clase en php para leer datos de una base de datos, y que también conocemos las bases del lenguaje XML, vamos a crear una clase para formatear estos datos en XML. De este modo, podremos compartir datos entre distintos tipos de aplicaciones, sin necesidad de tener acceso al servidor de bases de datos más que en una de ellas: la pasarela de datos.

Una vez formateamos en correcto XML, podemos ofrecer un documento como XML puro para aplicaciones externas que quieran utilizar nuestros datos, o un RSS estándar para que nuestros visitantes sincronicen las noticias del sitio; podemos también ofrecer un servicio SOAP para aplicaciones que no sólo precisen nuestros datos sino también funciones y servicios avanzados; o podemos simplemente adjuntar una hoja de estilos xls y mostrar nuestro documento en un navegador, como lo haríamos con xhtml y css. Bastante útil, ¿no?
Continue reading Formatting data in XML with PHP