Jorge Albaladejo

Sometimes it is useful to have an automated tool to get the full web map of your site. Perhaps not your own web site, since you have already implemented some kind of automatic generation and notification to Google (have not yet?), but a client’s one.

There are a few tools to map an external web site, I tried some in my particular case. They were just adware, or demos, or they obscured the links in the final report… Yeah, of course, sometimes a $30 license is worth it, but you might not want to acquire a new piece of proprietary software every time you need a new feature, might you?

So I decided to write it myself in PHP, not for the money, but for the fun

Read the rest of this entry »

In this post I’m going to cover a particular solution to a given problem we’ve faced up in our last project. Let’s set the background: there is a complex web application under development on a shared virtual machine, installed on a subdomain of a public network that will change when going to production. We have also a commercial website hosted in a shared server under a domain that should not change, since it is our first step out of this virtual farm.

For this project, we require to integrate some cameras which send pictures via GPRS connections to the server, and we want to provide some user authentication to avoid having anybody posting whatever to this web service. So, we have developed a controller in Code Igniter which gets a camera ID / password from POST, and also the bytes for the image, and proceeds to do some filtering. For instance, camera ID and password should match with the values previously registered in the database, and the picture should be MIME image/jpeg, with a limit of 2MBs. Up to now, nothing special, tested and working with POSTS from the within the website.

The problem came when we found out that cameras only allow to send their information to a root domain, to a particular file, let’s say upload.php. So, we would only need to put this file in the root path and it’s done. Unfortunately, doing so in the application virtual server would result on flashing again all the cameras once we move to a new server and set up a final domain name. We might be able to install this receiver in the commercial website root path, but then we would require to send the message back to the application server in any way, so it is not the best solution we want to solve this issue.

‘Just add a domain that points to this subdomain and you are done’ would you say. Well, yes, that would have done the trick. Unfortunately, we cannot host this domain in the machine since we have no administrator rights on the servers farm. Nor can we just use this external domain because it produces an HTTP redirection which, to make things worse, is not supported by the camera. We’ve even tried with cloaking the url of the receiver with an external subdomain, with no success – since cloaking wraps the real content inside an iframe and it breaks the POST message.

What a headache! it seemed there was no way to implement the system with the full functionality we wanted…

Read the rest of this entry »

In the last project I’ve worked on, I needed to install any kind of ACL to allow certain methods to be accessed only by some user roles, like website administration, etc. I’m building this website on Code Igniter, so I missed some related features that are available in other PHP frameworks like CakePHP or Zend.

After googling a bit, I found our several methods to get an ACL. Zend framework can be integrated into Code Igniter to use its library, but doesn’t seem really natural to me. I prefer having an previously constructed list, than building it ‘on the fly’ inside my code.

Then I fell into phpGACL, a free software project which allows to solve this problem on an easy way. It uses an API to connect to a database, where tuples of ‘controller’ – ‘method’ – ‘user’ can be stored (actually, AXO – ACO – ARO, acronyms of Access eXtended Object, Access Control Object, Access Request Object). And I developed my first version over this tool, on the most transparent way I was able to find:

Read the rest of this entry »

Como hemos visto en capítulos anteriores sobre problemas de seguridad y sql injection, hay una serie de aspectos relacionados con la seguridad a tener en cuenta a la hora de diseñar una aplicación web. Uno de los más explotados es la falla abierta por un uso indebido de la función de php include().

Veamos un ejemplo:

1
2
3
4
5
6
7
8

<a href="?page=home.php">Home</a> | <a href="?page=contact.php">Contact</a>
< ?php
  $page = $_GET['page'];
  if ($page)
    include $page;
  else
    echo "404, page not found!";
?>

En el ejemplo anterior, pasamos como variable ‘$page’ el nombre del archivo (php en este caso, podrí­a ser html u otra extensión), que será cargado en la lí­nea correspondiente mediante ‘include()’. La ausencia de filtrado de esta variable puede dejar nuestra aplicación a merced de cualquier intruso poco experimentado, veamos por qué.
Read the rest of this entry »

Notice: Article only available in Spanish!

Ahora que ya he explicado cómo crear una clase en php para leer datos de una base de datos, y que también conocemos las bases del lenguaje XML, vamos a crear una clase para formatear estos datos en XML. De este modo, podremos compartir datos entre distintos tipos de aplicaciones, sin necesidad de tener acceso al servidor de bases de datos más que en una de ellas: la pasarela de datos.

Una vez formateamos en correcto XML, podemos ofrecer un documento como XML puro para aplicaciones externas que quieran utilizar nuestros datos, o un RSS estándar para que nuestros visitantes sincronicen las noticias del sitio; podemos también ofrecer un servicio SOAP para aplicaciones que no sólo precisen nuestros datos sino también funciones y servicios avanzados; o podemos simplemente adjuntar una hoja de estilos xls y mostrar nuestro documento en un navegador, como lo haríamos con xhtml y css. Bastante útil, ¿no?
Read the rest of this entry »