Is PHP Secure?

PHP has to be one of the easiest programming languages to learn for building dynamic web sites. In less than a week of study, you can be adding PHP code to your web sites and saving form data to a database instead of having it e-mailed to you. The only other language that is just as easy to learn is VBScript for ASP programming (I should note that I’m not talking about ASP.NET programming which is a bit more involved!).

The problem with the ease of learning PHP is that it's also easy to write code that is not secure and can be exploited by attackers. This isn't just a challenge for novices; experienced programmers can also inadvertently write dangerous code, most often by passing request data straight into a database query or back into a page without checking or escaping it.
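As an added example (this is not code from the original post), here is the kind of "save form data to a database" handler the post has in mind, written twice: the way a beginner writes it, and a hardened version using prepared statements, input validation and output escaping. It uses PDO with an in-memory SQLite database so it runs offline on stock PHP; the request array and the injection string are constructed samples standing in for real `$_POST` data.

```php
<?php
// Added example, not code from the original post. The same contact-form
// handler written first the way a beginner writes it, then hardened.
// Runs offline against an in-memory SQLite database; the request arrays and
// the injection payload below are constructed samples standing in for $_POST.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE contacts (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');

// VULNERABLE: request data interpolated straight into the SQL string. A single
// quote in the name field ends the string literal and the rest becomes SQL.
function findByNameUnsafe(PDO $db, string $name): array
{
    $sql = "SELECT name, email FROM contacts WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: a prepared statement keeps data and SQL apart; no quoting by hand.
function findByNameSafe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name, email FROM contacts WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Saving the posted form: parameters instead of string building, plus minimal
// validation so garbage never reaches the table. Returns false on rejection.
function saveContact(PDO $db, array $post): bool
{
    $name  = trim((string)($post['name'] ?? ''));
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($name === '' || strlen($name) > 100 || $email === false) {
        return false;                 // reject bad input, do not "fix it up"
    }
    $stmt = $db->prepare('INSERT INTO contacts (name, email) VALUES (?, ?)');
    return $stmt->execute([$name, $email]);
}

// Rendering stored data back into HTML: escape on output, so a stored name
// such as "<script>..." cannot turn into stored cross-site scripting.
function renderRow(array $row): string
{
    return '<li>' . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8')
         . ' &lt;' . htmlspecialchars($row['email'], ENT_QUOTES, 'UTF-8') . '&gt;</li>';
}

// --- demonstration with constructed data ---
saveContact($db, ['name' => 'Alice', 'email' => 'alice@example.com']);
saveContact($db, ['name' => 'Bob',   'email' => 'bob@example.com']);
saveContact($db, ['name' => '<script>alert(1)</script>', 'email' => 'x@example.com']);
var_dump(saveContact($db, ['name' => 'Eve', 'email' => 'not-an-address'])); // bool(false)

$payload = "' OR '1'='1";   // classic injection string typed into the name field
printf("unsafe lookup returned %d rows\n", count(findByNameUnsafe($db, $payload))); // 3: filter bypassed
printf("safe lookup returned %d rows\n",   count(findByNameSafe($db, $payload)));   // 0: treated as a literal name

foreach (findByNameSafe($db, 'Alice') as $row) {
    echo renderRow($row), "\n";
}
```

The unsafe lookup returns every row because the payload rewrites the `WHERE` clause; the prepared statement returns none because the same string is bound as a plain value. The same discipline (bind parameters on the way in, `htmlspecialchars` on the way out) is what separates a safe PHP form handler from an exploitable one, regardless of how experienced the author is.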

Apart from coding mistakes, bugs are discovered over time in PHP itself. One would think that once they are found, its developers would move quickly to fix them. According to Stefan Esser, this is not the case. Esser runs the PHP Security Blog and also the Hardened-PHP Project Forum.

He made a post to his blog last month which angered many in the PHP community. In it, Esser announced that he had resigned from the PHP Security Response Team, a team he had himself proposed creating several years earlier. The main reason he quit was that the PHP Group constantly blocked his attempts to improve the security of PHP, preferring to blame application developers for any security issues that occur with PHP.

Esser, while still having faith in the potential of PHP, developed Suhosin. You can find it on the Hardened-PHP Project site. Briefly, to quote his site:

Suhosin is an advanced protection system for PHP installations. It was designed to protect your servers on the one hand against a number of well known problems in PHP applications and on the other hand against potential unknown vulnerabilities within these applications or the PHP core itself.

It's highly recommended that you use Suhosin for any web site that is exposed to the Internet. An intranet-only site is less exposed, though not immune, since anyone with access to the internal network can still reach it. The National Institute of Standards and Technology (NIST) reported that PHP applications were involved in 43% of security problems in 2006. In 2005, PHP accounted for 29% of the security issues. With the growing number of users and applications in PHP, I expect the numbers to be even higher in 2007. All the more reason to take a closer look at Suhosin.

It’s Not a Bug … It’s a Feature!

I maintain a Windows server running IIS and SQL Server. Normally, it runs without problems and I periodically check to make sure everything is ok.

A couple of days ago, people were complaining that they had problems uploading documents to the server. I checked it and saw that SQL Server was using about 1 GB of RAM. The server has 2 GB installed memory, but in spite of that, the server was running extremely slow. You could actually watch dialog boxes being painted on the screen!

I restarted the SQL Server service and it was back to using 37 MB of RAM, but I watched it take more and more memory throughout the day. Eventually, it was using around 400 MB of RAM even though the computer had light usage that day.

The first thought was that this must be a bug in SQL Server … a memory leak, to be more precise. After some research, it turned out that this isn't a bug in the software, but a feature.

SQL Server by design grabs as much RAM as it can: the more memory it has, the larger its buffer cache, and the more queries it can answer without going to disk. If other applications request memory, SQL Server will release some of it to them, but it may not do so fast enough, and in the meantime everything else on the computer is starved and slows down. This is why it's a good idea to have a dedicated database server.

You can cap the amount of memory SQL Server uses with the "max server memory (MB)" setting (changed through sp_configure), which is the right fix when the database has to share a machine. Even so, SQL Server should be the only application running on its server. IIS and SQL Server should not share the same computer for commercial web hosting.

Know Your Users

Most software developers dream of writing a program which will bring them riches. The more ambitious ones have already found the luxury home on beach front property they’ll be eventually owning. Unfortunately, many programs that are created do not succeed.

One reason for failure is the way the software is built. Eager programmers would like to start writing code soon after their revolutionary idea is thought of. While this approach works quite well for writing scripts and other small programs, it falls apart when trying to create large applications.

After it is determined what your software will do, the next thing to decide is who will be using it. The tendency is to assume, for example, that your market is the entire 650 million strong Windows community. Even if 1% of them buy your product, you will be rich enough to retire early.

Unless you're writing an operating system, it's highly unlikely that every computer user in the world will need your software. It's also not a good idea to write software for the general population unless you have Microsoft's marketing budget. To build a successful application, you need to focus on what it will do and who will be using it.

For example, software for controlling inventory will likely be used by managers in a corporate environment, while an adventure game will probably be played mainly by college students. If the marketing for an adventure game targets a middle manager, it will not succeed. Your software needs to solve a specific problem for a group of people confronted by that problem. If you can show someone how their life can be made easier with your application, you’ve made a sale.

Finding the Physical Location of Your IP

Have you ever wondered where your IP address is physically located? You would probably be thinking of things like this if you were one of those people who enjoy reading hacker magazines.

An easy way to find the physical, bricks-and-mortar address associated with an IP is IP-adress.com. When you first open the web site, it shows the location of the address you are connecting from, which belongs to your Internet provider, an interesting bit of information in itself. If you don't know the IP of your web site, you can find out by installing the ShowIP plugin for Firefox and then opening your site in the browser.

IP-adress.com also gives other details about the IP's location, such as the country, state, city, latitude, longitude, and organization. There is even a little Google map showing where the company is located. Bear in mind that these details come from a geolocation database built from address registrations and hosting records, so the pin often lands on the data center or the registrant's mailing address rather than the office of the company you are looking for, and accuracy varies from one address block to the next.

I found that the IPs of my web sites were being hosted in Ohio. The office of my web hosting company is in Pennsylvania, so I would imagine my servers are located there.

I'm not sure what practical use this web site can have, but it's fun to play with.

Important WordPress Security Update

The WordPress organization released an important update to their blogging software yesterday. It's a good idea to update your software, because it fixes a problem which hackers may be able to use to compromise your blog's security.

I updated the software without any problems. This was my first WordPress update so I was interested in seeing how simple it would be to do. I have many different plugins installed and modified PHP code so I wouldn’t be able to just delete all of the files and upload the new version.

After backing up the blog and deactivating the plugins, I uploaded the new version, which overwrote the existing files. Then I reactivated the plugins and everything was working as before.

I have to admit that the whole process would be difficult and intimidating to novices. Backing up the PHP code can be done with an FTP client. You can back up the database with the WordPress Database Backup plugin that comes with WordPress. After activating it, go to Manage -> Backup in the Site Admin area. There you can back up the database to a file that is saved on your computer. It's simpler than WordPress' recommendation of using phpMyAdmin to back up your database.

The latest version of WordPress is 2.0.6 and the next version will be 2.1. I still recommend WordPress for blogging because of its ease of use and versatility.