Clouds in my coffee

PHP: Searching every table in a database for a string

Brian Hare — Tue, 01 Nov 2011 04:35:19 +0000

I recently wanted this ability in a PHP script I was writing, very similar to how you can search the whole database for a string using PHPMyAdmin. My first place I go when I have a problem is google, but a google result returned no matches at that time, so I decided to write a quick method of my own.

Upon futher investigation, I did finally find this project: http://code.google.com/p/anywhereindb/. I didn’t take a close look into it but I saw it seemed to be a bit more polished and probably has better error checking and handling than mine does. I am still giving you my version though, as I feel it’s a bit more simple and grasps the key concepts.

The code was tested against PHP 5.3, other versions I have no idea if it will work. Note my user and pass for my database are server variables using the security method mention in this post: http://www.brianhare.com/wordpress/2011/02/18/hiding-mysql-passwords-in-php-using-apache-environment-variables/

Source code


$config['host'] = "localhost";
$config['user'] = $_SERVER['db_user'];
$config['pass'] = $_SERVER['db_pass'];
$database = "my_database";
$search = "billy";
 
mysql_connect($config['host'], $config['user'], $config['pass']);
mysql_select_db($database);
 
$SQL = "SHOW TABLES FROM $database";
$result = mysql_query($SQL) or die ("DB Error, could not list tables - MySQL Error: " . mysql_error());
 
while ($row = mysql_fetch_row($result)) {
	$table = $row[0];
	$SQL = "SELECT * FROM `$table`";
	$table_result = mysql_query($SQL) or die("". $SQL . "
MYSQL Error: " . mysql_error() . "
");
	if(mysql_num_rows($table_result) < 1)
		continue;
	$array = mysql_fetch_assoc($table_result);
	$table_fields = array_keys($array);
	$SQL = "SELECT * FROM `$database`.`$table` WHERE (`" . implode("` LIKE '%$search%' OR `", $table_fields) . "` LIKE '%$search%');";
	$search_result = mysql_query($SQL) or die("". $SQL . "
MYSQL Error: " . mysql_error() . "
");
	if(mysql_num_rows($search_result) < 1)
		continue;
 
	print "Search results for '$search' in table: $table 
";
	print "";print"";foreach($table_fieldsas$field){print"";}print"";
 
	while($row=mysql_fetch_assoc($search_result)){echo"";foreach($rowas$field=>$value){$style=(strpos($value,$search)===false) ? '':'style="background-color:lightgreen;"';echo"";}echo"";}echo"
	
	    
		 $field
	
	   
		 
		    
			       
			 $style>$value
		
		 
	
	 


";
}
?>

$field
$style>$value

The most confusing part is probably the

Source code    
WHERE (`" . implode("` LIKE '%$search%' OR `", $table_fields) . "` LIKE '%$search%');";

Where basically the implode function will expand the array that contains the table fields ($table_fields)and between each table it will add ` LIKE '%billy%' OR ` between each table field. However, you have to take into considerationthe first table field won't have a ` in front and the last one wont have the ` LIKE '%billy%', so those must also be appended. Perhaps the more inuitive thing to have done would of been to do it this way:

Source code    
$SQL = "SELECT * FROM `$database`.`$table` WHERE (";
foreach($table_fields as $field) {
	$SQL .= "`$field` LIKE '%$search%' OR ";
}
$SQL = rtrim($SQL, " OR ");
$SQL .= ");";

Creating Secure Passwords That You’ll Remember

Brian Hare — Wed, 02 Mar 2011 15:39:50 +0000

There are 4 things that make a good password.

Hard to bruteforce – It should be a certain length and/or contain certain characters.
Hard to guess – It shouldn’t contain personal things, such as a birth date.
Uniqueness – It should not be the same as all your other passwords.
Unforgettable - You should be able to remember it off top of your head , and never write it down.

I am going to address each element of a good password in order, and show you my technique in accomplishing all 4 of these things, and allowing you to add your own little twist to suit your needs.

Hard to bruteforce

What doe’s bruteforce mean? Well it’s a technique that crackers use to figure out your password. The name goes well with the technique because what they do is have some software “guess” every possible combination your password could be. Lets say they think your password is lowercase letters and consist of atleast 3 characters. The software will then try to guess your password by brute force, that is it guesses your password to be aaa, and tries it..if it fails it moves on to aab, if that fails, aac…until it reaches zzz, and then it will move on to aaaa and start all over. It keeps doing this forever until the cracker gives up.

Depending on the protocol which is being bruteforce, each guess could take anywhere from 0.01 seconds to 1 second for online attacks, like your accounts. Or, if the attacker was able to get inside and retrieve the file with your password in it, then a modern PC could do as many as 10 million password guesses a second. This is why many sites require you have atleast 8 characters for your password, and that is the typical drop off for when a bruteforce attack takes many years to complete. The more combinations there are, and the more characters in your password, the longer it would take to bruteforce.

For example, the cracker knew you only used lowercase letters in your password, no numbers, no uppercase, no symbols. That would mean 26 letters, you would then take it to the expotiential of your number of characters in your password. So a password consisting of just lowercase letters with 5 characters assuming a delay of 0.01 seconds would take 26^5 * 0.01 seconds, or 26*26*26*26*26*0.01. You will be surpized to know that’s only a little over 33 hours, less than a day and a half. If we just add 3 more characters to the password (26^8), it goes from 1.3 days to 66 years! Yes, 3 little characters can make that much difference.

This is of course if the attacker is trying to guess your password through an internet protocol such as FTP, SSH, or HTTP. If the attacker has access to a file with your password in it, refer to this chart for times: http://www.lockdown.co.uk/?pg=combi. Which state a modern PC could find a 5 length password instantly, and a 8 length password in a little under 6 hours. Again, this is only for password that have known requirement of only alphabet characters (26 possibilities).

It is advised that your password contain atleast 8 characters, or use more than 26 combinations by including uppercase, numbers, symbols. uppercase (26), lowercase (26), symbols (~34), numbers (10). If you had one of each of the categories and your password was 8 characters long. you would have 7.2 Quadrillion (96^8) possible combinations…thats around 1.6 million years to bruteforce through an online protocol or 23 years through a encrypted file.

Hard to guess

The second technique and third techniques there are used with password cracking are dictionary, and social engineering attacks

Dictionary attacks are similar to bruteforce attacks, but instead of trying to guess every possible combinations the software will have a list of words (the dictionary) it will try. The most popular dictionaries contain the most common passwords (Top 500 most used passwords Warning: contains vulgar words). So the computer runs down the list of words in the dictionary and attempts to see if that is the password. If your password is common, or an english word that it will be likely to be guessed quickly. A lot of techniques include a mix of dictionary and bruteforce, where it would try each word in the dictionary, but then add a suffix or prefix. Such as a dictionary with animal species, it would try alligator, 1alligator, 2alligator…alligator1, alligator2 …elephant…elephant1 elephant2, etc.

Social Engineering is just a fancy word for manipulating people to gain knowledge. Such as getting to know the victim and acting as their friend to get information such as birth date, favorite food, mothers maiden name, etc. This doesn’t include just being friends with the victim, but also things like calling them at their house and acting like fraud protection service, saying there has been a compromise and they need to the last 4 of your social security. It also includes not talking to the victim directly such as acting as a investigation bureau and calling a victim’s Internet Provider for address information based on their IP address. If any of this personal information is used in a password, it will help the attacker.

Social Engineering is typically where an attacker starts. They will enter all your personal information into a dictionary, along with popular passwords and common english words. They then perform a dictionary/bruteforce attack, trying combinations of letters, numbers, popular words, and personal information. The combination of all these methods usually (probably 90%) end up in an attacker obtaining access to the site they are trying to enter. Many times people use the same password for everything, so once an attacker has the password to a site you signed up for 3 years ago and forgot all about, they now have the password to your email, your bank account, everything you share that password with. This brings us to the next important thing;

First off, we are going to tackle the problem of having the same passwords for all your apps/sites. The reason why this is insecure is that if a cracker/hacker was to gain knowledge of your password for 1 site, they would automatically try that password on other sites.

Now I know what you are thinking, if you are like me you probably have hundreds of sites you visit with accounts, there is no way you will be able to remember 100 different passwords. Well, there is. One of the ways I do it is by incorporating the name of the website/software into the password.

Password Techniques & Rants

Brian Hare — Wed, 02 Mar 2011 15:38:11 +0000

One of the most annoying things to me is when a website will attempt to “improve security” and think they are helping out the end-user by requiring a password to be a certain length, contain certain symbols, or pass a strength meter– but then get lazy on their coding and cannot/won’t allow for special characters such as ^%#, etc.

For one, it should be totally up to the user what password they have, if they want to use the password “pass”, then let them. It’s their own fault. I totally support those password strength meters, but I don’t think you should require them to be strong. This leads to users having to have completely different passwords for numerous things which then lead to them forgetting them, or worse yet writing them down on paper. How is that improving security at all?

The same could be said about requring a user to change their password every X days, or requiring them to have special characters in their password like it cannot start with a number or must have one capital letter.

I understand wanting your users to have strong passwords, especially if your promote that you require all users to have 1 letter, 1 lowercase, and 1 uppsercase a potiential cracker might be put off as bruteforcing a-z,A-Z,0-9 takes a whole lot longer than just a-z.

One of the worse examples of a password field I have seen is strangly enough from one of my personal bank accounts. They require 1 number and 1 uppercase letter, and atleast 8 characters. Seems pretty normal and good practice so far right? well the password cannot contain any special characters and cannot exceed 14 characters. Why? I guess, maybe i’ll understand if your lazy and dont feel like escaping and account for special characters in the passwords, but why limit it to only 14 characters?

As an amateur software programmer, and power end-user here is my list of Do’s and Don’ts for web designers:

DO:

Create a real-time password strength meter. Don’t just base it on just length, but also on variety. A 10 character password consisting of just numbers can be cracked very very very fast compared to 8 character password consisting of upper and lowercase letters, numbers, and symbols.

DONT:

Require them to have a strong password, only give them the information about how strong/weak it is.

DO:

Require a mininum length for the password. The highest miminum i’d ever require would be 5. The lowest I’d ever require is 3. A 1 character password would be laughable.

DONT:

Never require a high mininum length such as 7 or 8. Yes, I know 8 characters is the dropoff between a bruteforce attack to take 1 day to 1 year, that doesn’t mean you should require it. If your users pick easy passwords, that’s on them.

DONT:

Set a maxium length for a password. I know this is hard to do sometimes, as having a 200 character password would wreak havoc in a lot of systems. I think the lowest maxium should be around 20 or 25. I personally use a 15-17 character password depending on, so they do exist.

DO:

Allow for a-z A-Z 0-9 and `~!@#$%^&*()_+-={}|[]\:”<>?/.,;’. Don’t be lazy and avoid the symbols because it requires more coding/escaping on the backend. I probably wouldn’t allow for foreign characters or alt-codes, but it would depend on how well the backend could handle it. See my idea on a website specifically designed for this: ________

DONT:

Require special squences or characters such as 1 lowercase and 1 uppercase, or must begin with a letter. I know it’s more secure, but don’t force it on users.

DONT:

Expire passwords after so many days. I never once met someone who ever liked this idea, not even techs because it results in people writing passwords down and/or forgetting them, which results in more support calls/help. If you do end up expiring passwords, allow for the exact same password as before. And especially don’t store their last X passwords in order to determine if it matches one of the old.

Anyways, this post is becoming too long, I originally had planned to touch on how to make the perfect password scheme for end-users but I now will have to break them up into seperate posts.

See “Creating Secure Passwords That You’ll Remember” : http://www.brianhare.com/wordpress/2011/03/02/creating-secure-passwords-that-you%E2%80%99ll-remember/

Programming Input Validation Database

Brian Hare — Wed, 02 Mar 2011 15:34:57 +0000

Recently I had some issues with correctly escaping my MSTP command I detailed HERE. During the process of testing the escaping, I realized there wasn’t any sites dedicated to numerous escaping techniques and/or testing strings. Normally what I do when I want to test some escaping is i’ll just go through the keys like so `~!@#$^&*

That works to get an idea of which characters are being escaped or not but there are ways in which certain patterns or order you write some chracters that may end up breaking some escaping techniques.

For example with any type of BASH command, you want to make sure the user input escapes semicolons, as a user could use it to break the current command and run something malicious.

I know SQL especially has had many vunerabilities in the past when certain squences are injected. The benefit for SQL database software like MySQL is that their product is specific to one task, and they can perfect their escaping functions to avoid many of these vunerabilities, however open-ended languages that are for numerous tasks such as PHP, BASH, PERL, etc all are too broad and have many escape functions but none of them work for every situation.

Simiarly, not only have I had issues of finding the best ways to escape things, but also I am always googling for a good regex for email validation from HTML forms.

I am a big fan of web 2.0 type websites where the whole website is based slowly on a single task. Therefore, I think there should be a website where users can submit and improve on the best validation techniques for common tasks. This would include not only escaping harmful characters but also regex for validation.

The idea of the site would be all about escaping and testing escapes and input validation for certain languages. It would be heavy on user submission and almost act like a wiki.

Alot of resources are a bit outdated as far as regex go as well. For exmaple not many email validation allows for periods or plus signs that gmail will let you use. One of my biggest pet peeves is when people don’t bother with correctly escaping/validation complex password forms either. I believe every character on the standards QWERTY american keyboard should be allowed in password fields. Including chars like @$#*^, but probably none of the special alt-codes, as thats a bit overkill.

As far as I know, there is no central place where all types of input validation is kept. There are good libaries that try to take care of it for you, for example one that I have used before was JQuery’s Validation plugin. However, javascript is still clientside only, you still want to double check everything on the serverside with PHP or similar serverside language.

Block TOR Exit Nodes Using BASH Script

Brian Hare — Wed, 02 Mar 2011 15:26:10 +0000

I’ve always attempted to block TOR proxies from my server because the proxies can be abused and used to jump bans on some custom software that I host. Recently I found an official TOR blacklist for exit nodes located here: https://check.torproject.org/cgi-bin/TorBulkExitList.py.

I assume they require you to put in an IP address to give better results which exit nodes have access to your server. What isn’t really documented either is that you can also specify which port to check on as well by adding &port=###, where ### would be the port number you wish to see. This is greatly benefitical for me because the custom software runs on an irregular 9998 port.

Blacklists are great but they aren’t very useful unless you can actually use them on your server and block the IP addresses. Therefore, I wrote the following BASH script:

Source code

#!/bin/bash
 
IPTABLES_TARGET="DROP"
IPTABLES_CHAINNAME="TOR"
 
WORKING_DIR="/tmp/"
 
# get IP address of eth0 network interface
IP_ADDRESS=$(ifconfig eth0 | awk '/inet addr/ {split ($2,A,":"); print A[2]}')
 
if ! iptables -L "$IPTABLES_CHAINNAME" -n >/dev/null 2>&1 ; then			#If chain doesn't exist
	iptables -N "$IPTABLES_CHAINNAME" >/dev/null 2>&1				#Create it
fi
 
cd $WORKING_DIR
 
wget -q -O - http://proxy.org/tor_blacklist.txt -U NoSuchBrowser/1.0 > temp_tor_list1
sed -i 's|RewriteCond %{REMOTE_ADDR} \^||g' temp_tor_list1
sed -i 's|\$.*$||g' temp_tor_list1
sed -i 's|\\||g' temp_tor_list1
sed -i 's|Rewrite.*$||g' temp_tor_list1
 
wget -q -O - "https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=$IP_ADDRESS&port=80" -U NoSuchBrowser/1.0 > temp_tor_list2
wget -q -O - "https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=$IP_ADDRESS&port=9998" -U NoSuchBrowser/1.0 >> temp_tor_list2
sed -i 's|^#.*$||g' temp_tor_list2
 
iptables -F "$IPTABLES_CHAINNAME"
 
CMD=$(cat temp_tor_list1 temp_tor_list2 | uniq | sort)
 
for IP in $CMD; do
	let COUNT=COUNT+1
	iptables -A "$IPTABLES_CHAINNAME" -s $IP -j $IPTABLES_TARGET
done
 
iptables -A "$IPTABLES_CHAINNAME" -j RETURN
 
rm temp_tor*

It basically downloads the official blacklist and another blacklist that I found and extracts the IP addresses from the files, sorts them, and gets rid of any duplicates they may exist. Then it adds a DROP command to IPTABLES under the specified IPTABLES chain.

I suggest that you set this script to run hourly or daily depending on your needs with cron.

I also have written a custom progress bar to indicate how far along you are. The progress bar code and example using the TOR proxy blocker can be seen at this post: http://www.brianhare.com/wordpress/2011/03/02/bash-progress-bar/

BASH Progress Bar

Brian Hare — Wed, 02 Mar 2011 15:21:30 +0000

Recently I rewrote one of my Bash Shell Scripts that blocks TOR proxy exit nodes. It does this by doing numerous DROPs in IPTABLES and because of this, it take 1 minute or so to go through all of them. I decided that it would be nice to have a progress bar display in the shell while it was running to give me an idea how far along it was (You can see the final script at the bottom of this post).

I started to look around for some BASH scripts that have a progress bar and I found 2 notable ones; the first one is called Bar and the second PV (Pipe Viewer). These were nice but I actually needed something that was more based on strictly elements in an array. I reused some code and then optimized it a bit and I got something that is not only very customizable but also will resize the progress bar depending on the window size, much like WGET’s progress bar. The code is here:

Source code

�
lib_progress_bar() {
	local current=0
	local max=100
	local completed_char="#"
	local uncompleted_char="."
	local decimal=1
	local prefix=" ["
	local suffix="]"
	local percent_sign="%"
	local max_width=$(tput cols)
 
	local complete remain subtraction width atleast percent chars
	local padding=3
 
	local OPTIND
 
	while getopts c:u:d:p:s:%:m:hV flag; do
		case "$flag" in
			c) completed_char="$OPTARG";;
			u) uncompleted_char="$OPTARG";;
			d) decimal="$OPTARG";;
			p) prefix="$OPTARG";;
			s) suffix="$OPTARG";;
			%) percent_sign="$OPTARG";;
			m) max_width="$OPTARG";;
 
			(h) lib_help;;
			(V) echo "$lib_script_name: version $Revision$ ($Date$)"; exit 0;;
			(*) lib_usage;;
		esac
	done
	shift $((OPTIND-1))
 
	current=${1:-$current}
	max=${2:-$max} 
 
	if (( decimal > 0 )); then
		(( padding = padding + decimal + 1 ))
	fi
 
	let subtraction=${#completed_char}+${#prefix}+${#suffix}+padding+${#percent_sign}
	let width=max_width-subtraction
 
	if (( width < 5 )); then
		(( atleast = 5 + subtraction ))
		echo >&2 "the max_width of ($max_width) is too small, must be atleast $atleast"
		return 1
	fi
 
    if (( current > max ));then
        echo >&2 "current value must be smaller than max. value"
        return 1
    fi
 
    percent=$(awk -v "f=%${padding}.${decimal}f" -v "c=$current" -v "m=$max" 'BEGIN{printf('f', c / m * 100)}')
 
    (( chars = current * width / max))
 
    # sprintf n zeros into the var named as the arg to -v
    printf -v complete '%0*.*d' '' "$chars" ''
    printf -v remain '%0*.*d' '' "$((width - chars))" ''
 
    # replace the zeros with the desired char
    complete=${complete//0/"$completed_char"}
    remain=${remain//0/"$uncompleted_char"}
 
    printf '%s%s%s%s %s%s\r' "$prefix" "$complete" "$remain" "$suffix" "$percent" "$percent_sign"
 
	if (( current >= max )); then
		echo ""
	fi
}
 
if [ ! -z $1 ] && [ $lib_script_name = "lib_main" ]; then
	"$1" "$2" "$3" "$4" "$5" "$6" "$7" "$8" "$9" "${10}" "${11}" "${12}" "${13}" "${14}" "${15}"
fi

Here are some examples to demostrate how it works:

Source code

# [#########################################..........................................] 50.0%
for i in {1..100}; do
	lib_progress_bar $i 100
done

Source code    
# [@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@__________________________________________] 50.0%
for i in {1..100}; do
	lib_progress_bar -c '@' -u ' ' $i 100
done

Source code    
#   (******************************                            ) 50 percent
for i in {1..754}; do
	lib_progress_bar -c '*' -u '-' -d 0 -p '   (' -s ')' -% ' percent' -m 75 $i 754
done

Source code    
#|******.......|-- 50.00%
for i in {1..100}; do
	lib_progress_bar -c '*' -u '.' -d 2 -p '|' -s '|--' -% ' ' -m 25 $i 100
done

Source code    
# [######################----------------------] 51.43%
for i in {1..1241}; do
	lib_progress_bar -d 2 -m 55 $i 1241
done
Finally, here is a real-world example showing how to use it for blocking TOR nodes:
Source code    
#!/bin/bash
 
IPTABLES_TARGET="DROP"
IPTABLES_CHAINNAME="TOR"
 
WORKING_DIR="/tmp/"
 
# get IP address of eth0 network interface
IP_ADDRESS=$(ifconfig eth0 | awk '/inet addr/ {split ($2,A,":"); print A[2]}')
 
if ! iptables -L "$IPTABLES_CHAINNAME" -n >/dev/null 2>&1 ; then			#If chain doesn't exist
	iptables -N "$IPTABLES_CHAINNAME" >/dev/null 2>&1				#Create it
fi
 
cd $WORKING_DIR
 
wget -q -O - http://proxy.org/tor_blacklist.txt -U NoSuchBrowser/1.0 > temp_tor_list1
sed -i 's|RewriteCond %{REMOTE_ADDR} \^||g' temp_tor_list1
sed -i 's|\$.*$||g' temp_tor_list1
sed -i 's|\\||g' temp_tor_list1
sed -i 's|Rewrite.*$||g' temp_tor_list1
 
wget -q -O - "https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=$IP_ADDRESS&port=80" -U NoSuchBrowser/1.0 > temp_tor_list2
wget -q -O - "https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=$IP_ADDRESS&port=9998" -U NoSuchBrowser/1.0 >> temp_tor_list2
sed -i 's|^#.*$||g' temp_tor_list2
 
iptables -F "$IPTABLES_CHAINNAME"
 
CMD=$(cat temp_tor_list1 temp_tor_list2 | uniq | sort)
UBOUND=$(echo "$CMD" | grep -cve '^\s*$')
 
for IP in $CMD; do
	let COUNT=COUNT+1
	lib_progress_bar $COUNT $UBOUND
	iptables -A "$IPTABLES_CHAINNAME" -s $IP -j $IPTABLES_TARGET
done
 
iptables -A "$IPTABLES_CHAINNAME" -j RETURN
 
rm temp_tor*

New Theme

Brian Hare — Sat, 19 Feb 2011 06:16:45 +0000

I have updated to the jQ theme by http://devolux.nh2.me/.

I really liked the default look and I just made some minor changes to suit my needs. I added a welcome paragraph to index.php and also changed the CSS for hyperlinks to actually be underline to help them stand out more. I also sized strong/bold elements to be a tad bit bigger than the other text, but it doesn’t show much.

I am actually looking to perhaps implement an inline code block similar to how www.stackoverlow.com let’s you do with the `codehere` command. It would have the same basic idea but be rounded and not just a sqaure.

Hiding MySQL Passwords In PHP Using Apache Environment Variables

Brian Hare — Sat, 19 Feb 2011 04:47:00 +0000

This technique assumes you are running Apache Web Server and have access to edit the Apache configuration files; this technique can be used with .htaccess files but it’s not as secure. It’s generally geared towards users who don’t like having important passwords or information in PHP files owned by Apache’s user (www-data, nobody, etc). This is especially more risky if you don’t limit where users can open files or run suPHP or similar

This technique works by including a root owned file into the public run-time environment variables of apache. using Apache directives you can control which site or even page has access to these variables.

You start off by creating a root owned file somewhere outside where any other user has access to. For example, my file is located in /home/shared/ as all my users are jailed to their home directory both in FTP and SSH. Furthermore, you must make sure only root has access to the file. The great thing about apache is that it reads any included files as root before it actually switches to it’s running owner (www-data, nobody, etc). Therefore this file can only be read by someone who actually has root-access to your server, and if that’s the case then you’re out of luck anyways.

Inside the file, you want to define the Apache Environment Variables you will be using. Even though this post is more about keeping PHP passwords safe, this can be used for anything you want to hide from users in case somehow they get apache user permissions.

I am going to keep it basic with simple commands, but you can read more about setting Apache Environment Variables here: http://httpd.apache.org/docs/2.0/env.html

For this example I am going to name the file secret_mysql_passwords.conf located in /home/shared/

cd /home/shared/
touch secret_mysql_passwords.conf
chown root:root secret_mysql_passwords.conf
chmod 700 secret_mysql_passwords.conf

Inside the file you will put something similar to the following:

Source code

SetEnvIf Host "^www.yoursitehere.com$" secret_db_user=testusername
SetEnvIf Host "^www.yoursitehere.com$" secret_db_pass=testpassword

where www.yoursitehere.com will be whichever website you are using. For now, let’s leave testusername and testpassword as is for testing purposes, in case we mess something up we aren’t publishing our real username and password. If you don’t use the www prefix or you want the password to be visiable on all your subdomains, then use
“yoursitehere.com$” instead of “^www.yoursitehere.com$”

The reason why I used SetEnvIf and then define the Host I want the variable to be accessed on is because by default every website you are hosting with apache will have access to this environment variables through PHP’s global $_SERVER array.

Important: If you don’t specify the exact host/website that will have access to these variables you’re doing more harm than you would in the first place by publically displaying your username and password for every user to see.

Now that you have the file created, with the correct owner and permissions, and have correctly set up the SetEnvIf or other declarations it’s time to include the file to your apache configuration. The file I am going to be using is httpd.conf which for me is located in /etc/apache2/

inside httpd.conf put:

Source code

Include "/home/shared/secret_mysql_passwords.conf"

If you have a vhost that’s specific to your website, place the include text inside the vhost; otherwise just apply it globally because the If statement in our file should only make it visible to your website.

Restart apache on your machine, for my debian system with apache2 the command is

Source code

/etc/init.d/apache2 restart

You should now test and make sure you set up everything correctly, browse to your site files and create a PHP file. Inside it put:

Source code

print $_SERVER['secret_db_user'];
print "
";
print $_SERVER['secret_db_pass'];

then execute it from a browser. If done correctly, you should see testusername and testpassword. This is proof that the environment variables are working for the website. Now the next thing to do is do the same thing for a website that is outside the specified host you defined above.

For example using a subdomain such as test.yoursitehere.com or a totally different website all together. If you cannot see testusername and testpassword on a different host, then we have done it correctly. If you still see our test values on a different host, then something is wrong the SetEnvIf statement.

Now that we have tested it and everything is working correctly, delete the file you made for testing so it’s not accessed anymore. Now it’s time to go and edit the test values we put and replace it with your real MySQL username and password. Restart Apache once you’ve done this and you should be all set.

Anytime you need to enter your MySQL username or password in a PHP file simple just use the appropriate $_SERVER variables instead. This can be a bit tedious but it will become beneficial in the long run, especially if you don’t run suPHP or restrict other users to their home directory.

Guess Who’s Back

Brian Hare — Sat, 19 Feb 2011 04:04:38 +0000

Back again
Brian’s back
tell a friend

OK, but seriously. I am not really the type to blog much because I am quite lazy and even though I am always working on something or busy, I never really want to document what I am doing. Lately though I’ve been tweaking alot of personal stuff as if its going to be released to the public, so I decided to come back and give this another shot.

I originally lost hope in this blog and when I found a new way to secure my MySQL passwords in PHP code, I didn’t bother to update brianhare.com with this handy trick. I ended up changing the MySQL password for the database and never really cared to update it for this blog. Not anymore though.

I will start things off in explaining the apache trick to securing secret passwords in PHP.

Why depreciate the TARGET attribute in HTML Strict?

Brian Hare — Thu, 19 Aug 2010 02:59:34 +0000

The HTML Strict standard does not allow for the target attribute to be applied to a tags. This means that you can no longer force a new window to open with valid strict HTML.

One of the reasonings for this seems to be that “It should be up to the end user, not the web site, to decide if a link should be opened in the same window, a new window or a new tab; web developers shouldn’t force such behavior on people.” (Reference: Robert Nyman)

I’ve been recently working on redoing the registration form of one of my websites. Instead of using a weird javascript library that validates on submission, I’ve opt to use JQuery and the use of the JQuery Validation plugin. The JQuery Validation plugin allows me to validate the entries on key press, so I can validate them in real-time and don’t have to wait for the user to click submit. This is especially useful for looking up if usernames are taken.

The form babble actually relates to the post at hand; I have a terms of service that must be agreed upon before form submission is allowed. Instead of providing a normal hyperlink to the ToS, which would cause all the form entries to disappear or reset on some browsers, I wanted to simply open them up in a new window. Well I cant. I could do one of method “hacks” to get it to work using JavaScript (Like this one), but why should I have to? I am trying to help the end-user, not force them to look at something.

I’ve decided to keep the target links and switch to a loose HTML standard for the form. It’s a shame, just because I try to use the “Evil Target Attribute” to do something good for the end-user.