
Biography : Kazi Mahbub Hussain


Life
Kazi Mahbub Hussain was the youngest son of National Philosopher Kazi Motahar Hussain. One of the youngest of eleven siblings, Mahbub grew up in an abundance of cultural and literary richness. His father was one of the closest friends to Kazi Nazrul Islam, the Revolutionary Poet. In his younger years, he won the National Tennis Championship.

Writers in his family include Zobaida Mirza, his oldest sister, Sanjida Khatun, 5th sister, Fahmida Khatun, 6th sister as well as his nephews Partho Tanvir Naved, Kazi Maymur Hussain and Kazi Shahnur Hussain.

The singers in his family include his sisters Sanjida Khatun, Fahmida Khatun and Mahmuda Khatun; and Sanjida Khatun's children Partho Tanvir Naved and Apala Farhad Naved. The style of music they specialize in is Rabindra Shangeet, songs written by Rabindranath Thakur (more widely popular as Rabindranath Tagore).

As a mining engineer, Mahbub Hussain travelled to many countries. He lived in Texas, the heartland of Western literature, for many years, and also lived in London for 15 years. Later in life he translated and authored some of the first Western novels in Bengali with Sheba Prokashoni, a publishing house founded by his older brother Kazi Anwar Hussain.

Works
At first he used a pen name. Later, he wrote 'Aleyar Piche', the first Western novel of Bangladesh. He also wrote some horror stories and science fiction, and translated many other books.

Westerns
- Aleyar Piche
- Patoki
- Roktakto Khamar
- Jolonto Pahar
- Manush Shikar
- Vaggochokro-1
- Vaggochokro-2
- Ar Kotodur
- Badhon
- Rider
- Epith Opith
- Abar Erfan
- Rupantor
- Death City
- Buno Poschim
- Lasor Fash
- Luttoraj
- Apomrittu
- Cowboy
- Gunfight
- Dabanol-1
- Dabanol-2
- Beloroya Poschim
- Chokranto
- King Colt
- Mrittur Mukhe Erfan
- Arizonay Erfan
- Nisthur Paschim
- Roktoranga Trail

 


Vulnerabilities & Concepts

Vulnerability Types

Cross Site Scripting (XSS)

This vulnerability allows data to be injected into webpages. This data is then interpreted as code and executed by the viewer's web browser, which can effectively be seen as remote controlling a victim's browser.

Cross Site Request Forgery (CSRF)

CSRF refers to a type of exploit where the victim's browser is tricked into triggering an authenticated action inside a vulnerable web application. The target website can be affected by CSRF regardless of whether it is susceptible to XSS. How dangerous CSRF can be depends on the kind of action triggered this way and its impact.

SQL Injection

SQL injection attacks lead to the manipulation of SQL queries. Vulnerable applications allow dynamically built SQL queries to contain unfiltered or improperly sanitised user input. If exploited successfully an attacker can gain access to all data in the database as well as modify data, limited only by the access level of the database user.

Insecure Session Handling

This category covers problems enabling attackers to access or manipulate a session token in order to control or take over a session.

Session Fixation

Session Fixation allows an attacker to control the session of a user. This is done by injecting a known token to be used as a valid session token.

Information Disclosure

As the name suggests, security related information is being divulged by the target system, which may simplify an attack. Such information can be found in various places, e.g. code comments, directory listings, error messages or even in search results of your favourite search engine.

Header Injection

This vulnerability allows HTTP headers to be injected into an HTTP response.

File Inclusion

The inclusion of local or remote files into a web application is a serious security vulnerability, which may lead to arbitrary code execution on the server.

Insecure Configuration

Misconfiguration of server or application software may facilitate or simplify attacks.

Weak randomness

This problem refers to predictable random number generation; e.g. badly chosen random seeds or algorithms using insufficient entropy are known to generate weak random numbers.

Concepts

Secure Input Handling

Input filters and validators can be used to scan user input for specific patterns known to trigger unwanted side effects in web applications. User input can contain fragments of JavaScript, SQL, PHP or other code which – if unfiltered – could then lead to code execution within the context of the web application.

Sanitising

Sanitising functions can be used to "repair" user input according to the application's restrictions (e.g. specific datatypes, maximum length) instead of rejecting potentially dangerous input entirely. In general, the use of sanitising functions is not encouraged, because certain kinds and combinations of sanitising filters may have security implications of their own. In addition, the automatic correction of typos could render the input syntactically or semantically incorrect.

Escaping

There are several different kinds of escaping:

- The backslash prefix "\" defines a meta character within strings. For example: \t is a tab, \n is a newline character, and so on. This can be of particular interest for functions where the newline character has a special purpose, e.g. header(). Within regular expressions the backslash is used to escape special characters, such as \. or \*, which is relevant for all functions handling regular expressions.

- HTML encoding translates characters normally interpreted by the web browser as HTML into their encoded equivalents – e.g. < is &lt; or &#60; or &#x3C; and > is &gt; or &#62; or &#x3E;. HTML encoding should be used for output handling, where user input should be reflected in HTML without injecting code. (See also: htmlentities())

- URL encoding makes sure that every character not allowed within URLs, according to RFC 1738, is properly encoded. E.g. space converts to + or %20 and < is %3C. This escaping is relevant for functions handling URLs, such as urlencode() and urldecode().

White-/Blacklisting

There are two different approaches to filtering input data – whitelisting and blacklisting. Blacklisting checks input data against a list of “bad patterns”. This way, unwanted input can be discarded and all other content can be processed further. On the other hand, whitelisting checks input data against a list of known “good patterns”. All unmatched input can be discarded and only input recognised as valid is accepted.

In the real world whitelisting turned out to be far more resistant to security vulnerabilities than blacklisting, since it is usually a lot easier to specify the narrow set of valid patterns for the whitelist than to exclude every invalid input with a blacklist. In particular, whitelisting should be used for input directly controlling the program flow, e.g. for include statements or eval().
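An added example (not code from the cheat sheet) of the whitelist approach for a parameter that controls an include statement, next to the blacklist it replaces. The template directory, the page names and the helper names are assumptions for this example.

```php
<?php
// Added example, not from the cheat sheet: a whitelist for a request
// parameter that decides which template file is included. The template
// directory and the page names are assumptions for this example.
declare(strict_types=1);

const TEMPLATE_DIR = '/var/www/app/templates';

// The whitelist: every value the application accepts, mapped to the file
// it stands for. The user-supplied string is never used as a path itself.
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Resolve a page name to a template path, or null if it is not on the list.
 * Because an include statement depends on this value, it is matched against
 * known-good names rather than cleaned of known-bad substrings.
 */
function resolve_template(?string $page): ?string
{
    if ($page === null || $page === '') {
        $page = 'home';
    }
    // Structural check first: ctype_alpha() already rejects "/", ".", "\0"
    // and anything else that is not a plain letter.
    if (!ctype_alpha($page) || !array_key_exists($page, ALLOWED_PAGES)) {
        return null;
    }
    return TEMPLATE_DIR . '/' . ALLOWED_PAGES[$page];
}

// The blacklist this replaces, for comparison: it knows only the two
// patterns its author thought of, so every other unexpected value passes.
function blacklist_allows(string $page): bool
{
    return strpos($page, '..') === false && strpos($page, '/') === false;
}

// Constructed inputs: two valid names, a traversal attempt, a name with a
// NUL byte, and a plausible name that is not meant to be reachable.
$inputs = ['home', 'contact', '../config', "about\0", 'admin'];
foreach ($inputs as $in) {
    printf(
        "%-12s whitelist: %-38s blacklist: %s\n",
        addcslashes($in, "\0"),
        resolve_template($in) ?? 'rejected',
        blacklist_allows($in) ? 'allowed' : 'rejected'
    );
}

// In the application itself:
//   $tpl = resolve_template($_GET['page'] ?? null);
//   if ($tpl === null) { http_response_code(404); exit; }
//   include $tpl;
```

Only the three listed names survive the whitelist, while "admin" and the NUL-byte variant pass the blacklist untouched.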

Security Related PHP Functions

Validation and Sanitising Functions

PHP-Core-Functions

The PHP core provides a few functions suitable for sanitising:

is_numeric() Checks a variable for numeric content.

is_array() Checks if a variable is an array.

strlen() Returns a string‘s length.

strip_tags() Removes HTML and PHP tags. Warning: As long as certain HTML tags remain, JavaScript can be injected along with tag attributes.

CType Extension

By default, PHP comes with the CType extension activated. Each of the following functions checks whether all characters of a string fall under the described group of characters:

ctype_alnum() alphanumeric characters – A-Z, a-z, 0-9

ctype_alpha() alphabetic characters – A-Z, a-z

ctype_cntrl() control characters – e.g. tab, line feed

ctype_digit() numerical characters – 0-9

ctype_graph() characters creating visible output – i.e. no whitespace

ctype_lower() lowercase letters – a-z

ctype_print() printable characters

ctype_punct() punctuation characters – printable characters, but not digits, letters or whitespace, e.g. .,!?:;*&$

ctype_space() whitespace characters – e.g. newline, tab

ctype_upper() uppercase characters – A-Z

ctype_xdigit() hexadecimal digits – 0-9, a-f, A-F

<?php
if (!ctype_print($_GET['var'])) {
    die("User input contains non-printable characters");
}

Filter Extension – ext/filter

Starting with PHP 5.2.0 the filter extension has provided a simple API for input validation and input filtering.

filter_input() Retrieves the value of any GET, POST, COOKIE, ENV or SERVER variable and applies the specified filter.

<?php $url = filter_input(INPUT_GET, 'url', FILTER_VALIDATE_URL); ?>

filter_var() Filters a variable with the specified filter.

<?php $url = filter_var($var, FILTER_VALIDATE_URL); ?>

List of Filters

Validation Filters

FILTER_VALIDATE_INT Checks whether the input is an integer numeric value.

FILTER_VALIDATE_BOOLEAN Checks whether the input is a boolean value.

FILTER_VALIDATE_FLOAT Checks whether the input is a floating point number.

FILTER_VALIDATE_REGEXP Checks the input against a regular expression.

FILTER_VALIDATE_URL Checks whether the input is a URL.

FILTER_VALIDATE_EMAIL Checks whether the input is a valid email address.

FILTER_VALIDATE_IP Checks whether the input is a valid IPv4 or IPv6.

Sanitising Filters

FILTER_SANITIZE_STRING / FILTER_SANITIZE_STRIPPED Strips and HTML-encodes characters according to flags and applies strip_tags().

FILTER_SANITIZE_ENCODED Applies URL encoding.

FILTER_SANITIZE_SPECIAL_CHARS Encodes ' " < > & \0 and optionally all characters > chr(127) into numeric HTML entities.

FILTER_SANITIZE_EMAIL Removes all characters not commonly used in an email address.

FILTER_SANITIZE_URL Removes all characters not allowed in URLs.

FILTER_SANITIZE_NUMBER_INT Removes all characters except digits and + -.

FILTER_SANITIZE_NUMBER_FLOAT Removes all characters not allowed in floating point numbers.

FILTER_SANITIZE_MAGIC_QUOTES Applies addslashes().

Other Filters

FILTER_UNSAFE_RAW A dummy filter that leaves the value unchanged.

FILTER_CALLBACK Calls a userspace callback function defining the filter.
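An added example (not code from the cheat sheet) that validates a whole request through one filter definition, combining the validation filters, flags and FILTER_CALLBACK listed above; the parameter names and the constructed request are assumptions.

```php
<?php
// Added example, not from the cheat sheet: validating a whole request with
// one filter definition. Every parameter the script reads has an explicit
// filter; parameters absent from the definition are never read at all.
declare(strict_types=1);

$definition = [
    // Range-checked integer. FILTER_NULL_ON_FAILURE returns null (not false)
    // on failure, which keeps "invalid" distinct from a boolean result.
    'page' => [
        'filter'  => FILTER_VALIDATE_INT,
        'flags'   => FILTER_NULL_ON_FAILURE,
        'options' => ['min_range' => 1, 'max_range' => 1000],
    ],
    'email' => [
        'filter' => FILTER_VALIDATE_EMAIL,
        'flags'  => FILTER_NULL_ON_FAILURE,
    ],
    // Public IPv4 only: private and reserved ranges fail validation.
    'ip' => [
        'filter' => FILTER_VALIDATE_IP,
        'flags'  => FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE
                  | FILTER_FLAG_NO_RES_RANGE | FILTER_NULL_ON_FAILURE,
    ],
    // FILTER_VALIDATE_REGEXP used as a whitelist of column names for an
    // ORDER BY clause: the pattern lists exactly what is acceptable.
    'sort' => [
        'filter'  => FILTER_VALIDATE_REGEXP,
        'flags'   => FILTER_NULL_ON_FAILURE,
        'options' => ['regexp' => '/^(name|date|size)$/'],
    ],
    // FILTER_CALLBACK for a rule the built-in filters cannot express:
    // alphanumeric, at most 20 characters, normalised to lower case.
    'tag' => [
        'filter'  => FILTER_CALLBACK,
        'options' => static function (string $v): ?string {
            return ctype_alnum($v) && strlen($v) <= 20 ? strtolower($v) : null;
        },
    ],
];

/**
 * Apply the definition to an input array and return the cleaned values.
 * For a live request use filter_input_array(INPUT_GET, $definition) instead;
 * filter_var_array() is used here so the example runs on constructed data.
 */
function validate_request(array $input, array $definition): array
{
    $clean = filter_var_array($input, $definition);
    return is_array($clean) ? $clean : [];
}

// Constructed request standing in for $_GET.
$request = [
    'page'  => '42',
    'email' => 'alice@example.com',
    'ip'    => '10.0.0.7',      // private range: becomes null
    'sort'  => 'price',         // not in the whitelist: becomes null
    'tag'   => 'PHP',           // becomes 'php'
    'debug' => '1',             // not in the definition: never returned
];

foreach (validate_request($request, $definition) as $key => $value) {
    printf("%-6s => %s\n", $key, var_export($value, true));
}
```

Note that 'page' comes back as the integer 42, not the string '42': the validation filters return the typed value on success.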

Escaping and Encoding Functions

htmlspecialchars() Escapes the characters & < and > as HTML entities to protect the application against XSS. The correct character set and the mode ENT_QUOTES should be used.

<?php echo "Hello " . htmlspecialchars($_GET['name'], ENT_QUOTES, 'utf-8'); ?>

htmlentities() Applies HTML entity encoding to all applicable characters to protect the application against XSS. The correct character set and the mode ENT_QUOTES should be used.

<?php echo "Hello " . htmlentities($_GET['name'], ENT_QUOTES, 'utf-8'); ?>

urlencode() Applies URL encoding as seen in the query part of a URL.

<?php $url = "http://www.example.com/index.php?param=" . urlencode($_GET['pa']); ?>

addslashes() Applies a simple backslash escaping. The input string is assumed to be single-byte encoded. addslashes() should not be used to protect against SQL injections, since most database systems operate with multi-byte encoded strings, such as UTF-8.

addcslashes() Applies backslash escaping. This can be used to prepare strings for use in a JavaScript string context. However, protection against HTML tag injection is not possible with this function.

mysql_real_escape_string() Escapes a string for use with mysql_query(). The character set of the current MySQL connection is taken into account, so it is safe to operate on multi-byte encoded strings. Applications implementing string escaping as protection against SQL injection attacks should use this function.

<?php
$sql = "SELECT * FROM user WHERE" .
       " login='" . mysql_real_escape_string($_GET['login'], $db) . "'";
?>
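The same login lookup as a parameterised query is added here as an example (not from the cheat sheet): the mysql_* functions above were removed in PHP 7, and with bound parameters the value is sent separately from the SQL text, so no escaping is involved. The in-memory SQLite database, the user table and the helper name are assumptions so the example runs offline.

```php
<?php
// Added example, not from the cheat sheet: the login lookup from the
// mysql_real_escape_string() snippet written as a prepared statement.
// The SQLite database and table are assumptions for this example.
declare(strict_types=1);

/**
 * Look up a user by login. The :login placeholder is bound at execute
 * time, so the value can never be parsed as part of the query.
 */
function find_user(PDO $db, string $login): ?array
{
    $stmt = $db->prepare('SELECT id, login FROM user WHERE login = :login');
    $stmt->execute([':login' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// An in-memory SQLite database stands in for MySQL so this runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, login TEXT NOT NULL)');
$db->exec("INSERT INTO user (login) VALUES ('alice'), ('bob')");

// Constructed inputs: a normal login and one carrying SQL syntax.
foreach (['alice', "alice' OR '1'='1"] as $login) {
    var_export(find_user($db, $login));
    echo "\n";
}
// The second lookup returns null: the quotes are data, not query syntax.
```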

preg_quote() Should be used to escape user input to be inserted into regular expressions. This way the regular expression is safeguarded from semantic manipulations.

<?php
// The pattern needs its closing delimiter; the original snippet omitted it.
$repl = preg_replace('/^' . preg_quote($_GET['part'], '/') . '-[0-9]{1,4}/', '', $str);
?>



escapeshellarg() Escapes a single argument of a shell command. In order to prevent shell code injection, single quotes in user input are being escaped and the whole string enclosed in single quotes.

<?php
// A space is required before the first argument; the original snippet omitted it.
system('resize /tmp/image.jpg ' .
       escapeshellarg($_GET['w']) . ' ' .
       escapeshellarg($_GET['h']));
?>

escapeshellcmd() Escapes all meta characters of a shell command in a way that no additional shell commands can be injected. If necessary, arguments should be enclosed in quotes.

<?php
system(escapeshellcmd('resize /tmp/image.jpg "' .
       $_GET['w'] . '" "' .
       $_GET['h'] . '"'));
?>

Secure Programming

Securing HTML Output

In order to prevent the execution of JavaScript code originating from user input, it is mandatory to perform a suitable string sanitisation on all dynamic data before any HTML output. The use of htmlentities() is considered sufficient within normal HTML context.

However, if data can be injected into tags or tag attributes, JavaScript can be executed by means of event handlers such as onClick or by modifying style attributes. For these cases it is recommended to apply a whitelist filter allowing only predefined tag attributes or style sheets to be inserted.

URLs within tag attributes must be checked as well. Some URI schemes, such as data:, can be used to execute code. Therefore only specific schemes should be allowed. Of course, it is always a good idea to encode the query part of a URL appropriately as well.

Finally, data put directly into JavaScript code must be prevented from breaking out of its JavaScript context. JavaScript strings are known to be particularly prone to incorrect escaping.
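An added example (not code from the cheat sheet) with one escaping helper per output context discussed above: HTML text, a tag attribute, a URL with a scheme whitelist and an encoded query, and a value embedded in JavaScript. The helper names and the input values are this example's own assumptions.

```php
<?php
// Added example, not from the cheat sheet: one escaping helper per output
// context (HTML text, attribute, URL, JavaScript). The helper names are
// this example's own; the input values are constructed.
declare(strict_types=1);

// HTML text context: encode & < > " ' as entities. ENT_SUBSTITUTE turns
// invalid UTF-8 into U+FFFD instead of silently returning an empty string.
function e_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Attribute context: same encoding, but the helper always adds the quotes,
// because an unquoted attribute ends at the first space and a second
// attribute (e.g. an event handler) could then be injected after it.
function e_attr(string $s): string
{
    return '"' . e_html($s) . '"';
}

// URL in href/src: only schemes on the whitelist may appear; relative URLs
// (no scheme) are fine. Returns null when the link has to be dropped.
function e_url(string $url, array $allowed = ['http', 'https', 'mailto']): ?string
{
    // Leading control characters or whitespace would let the scheme slip
    // past the check below, so reject them outright.
    if (preg_match('/[\x00-\x20]/', $url)) {
        return null;
    }
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $url, $m)
        && !in_array(strtolower($m[1]), $allowed, true)) {
        return null;   // data:, file: and other script-capable schemes
    }
    return e_html($url);
}

// Values placed inside a <script> block: emit a JSON literal whose
// <, >, &, ' and " are hex-escaped, so it can neither end the string
// nor close the script tag.
function e_js($value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Building a link with a user-controlled query value: encode just that
// value with urlencode(), then the whole attribute value for HTML.
function search_link(string $term): string
{
    return e_html('https://www.example.com/search.php?q=' . urlencode($term));
}

// Constructed untrusted input.
$name = "O'Brien <script>alert(1)</script>";
$urls = ['javascript:alert(1)', '/profile?id=7', 'https://example.com/?q=<b>'];

echo '<p>Hello ' . e_html($name) . "</p>\n";
echo '<input name="user" value=' . e_attr($name) . ">\n";
foreach ($urls as $u) {
    $href = e_url($u);
    echo $href === null
        ? "<!-- link dropped: scheme not allowed -->\n"
        : '<a href="' . $href . '">' . e_html($u) . "</a>\n";
}
echo '<a href="' . search_link('tea & "biscuits"') . "\">search</a>\n";
echo '<script>var user = ' . e_js($name) . ";</script>\n";
```

The first URL is dropped, the other two are emitted with their < and > encoded, and the script block receives "O\u0027Brien \u003Cscript\u003E..." rather than a literal tag.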

Regular Expressions

Every user input placed inside regular expressions must be prepared using preg_quote(). Otherwise an injection into the expression's logic can easily lead to incorrect application behaviour, buffer overflows, denial of service or application crashes.

HTTP Header Output

HTTP headers can be set using the header() function. User input should always be checked before being passed to header(), otherwise a number of security issues become relevant.

Newline characters should never be used with header() in order to prevent HTTP header injections. Injected headers can be used for XSS and HTTP response splitting attacks, too. In general, user input should be handled in a context-sensitive manner.

Dynamic content within parameters to Location or Set-Cookie headers should be escaped by urlencode().

<?php
if (strpbrk($_GET['x'], "\r\n")) {
    die('line break in x');
}
header("Location: http://www.example.com/?p=" . urlencode($_GET['x']));
header("Set-Cookie: mycookie=" . urlencode($_GET['x']));
?>


Online Marketing Strategies for a Tight Budget

1. Get endorsed by a local celebrity.
Many business owners dream of having their product or service endorsed by a global celebrity. But instead of trying to get a superstar to support your business, try seeking out a local celebrity instead.

Who exactly are local celebrities? These are people your local paper is writing about -- perhaps an "unsung hero" such as a teacher or a resident who's doing something positive and newsworthy. Since they're in your neighborhood, these people should be relatively easy to locate and contact by phone or e-mail. Let them know you'd like to send them a gift, namely your product or service.

The only catch: you'd like to follow up with them in a few days to get their honest feedback. Their responses can make for useful blog or marketing content.

2. Create a LinkedIn group.
Not only is a LinkedIn group free to create, it can enable you to offer your professional network a vibrant, useful information resource all while driving traffic to your site and increasing sales. Just don't use the platform to hard sell anyone.

It can take time and effort to get one going, but the goal should be to help provide resources and start discussions on topics that can benefit your community. Groups should also be a place for your members to network with other professionals online.

3. Get published on niche blogs.
While it may be difficult to get on the front cover of a major magazine, you can create marketing opportunities by being featured in a popular niche blog. Identify three to five blogs that target your market then contact the creator and offer a few ideas of how you'd like to bring value to his or her readers. You can:

• Demonstrate good will by offering the niche blog owner a small amount of your product or service for free, which they can give away to their audience as a gift. This is different than a product review, which only offers information.
• Send ideas for blog posts you'd like to write and explain why they would be helpful for their readers.
• Ask if you can interview them for your site. This might entice the blog manager to promote your content since it highlights his or her business.

4. Create videos for YouTube.
With more than 800 million unique visitors a month, YouTube can be a powerful platform for marketing a business online. To do so, go beyond simply posting random videos of your product or sharing your thoughts.

The marketing videos you create should include the following elements:
• A keyword-researched headline
• A clear editorial message (don't try to accomplish too much in one video)
• A call to action (tell the viewer to do something, such as subscribing to your channel)

While you can spend a small fortune on cameras, lighting equipment and editing software, the camera built into your smartphone should be able to capture suitable online video. As for editing, if you're on a Mac, for instance, you should already have iMovie in your applications. Even if you don't have a Mac you can find free software online or hire a professional editor on sites such as Fiverr.com, possibly for as little as $5 depending on the scope of the work.

5. Facebook Ads
It’s no secret that Facebook advertising has taken a lot of heat lately. This baffles me. At ZAGG, we run some fairly aggressive Facebook ad campaigns and we typically see greater than 100% ROI.

The beauty of Facebook ads is unmatched targeting. Have a product that is perfect for an 18-24 year-old male with an iPhone who lives in Denver and ‘Likes’ SportsCenter (by the way, there are just over 3,000 of them)? Facebook will find him and, with a decent ad, you’ll get the clicks from the ultimate potential customer.

The one aspect of Facebook ads to be aware of is ad fatigue. As you’re targeting a very specific group of people, it’s likely that they will see your ad repeatedly. Upload new ads frequently to keep the messaging fresh.

Back to our Miami Heat iPhone skin… With Facebook ads, I know I want to show my ads to iPhone users who ‘Like’ the Heat and its players.

So under the “Broad Categories” setting I’ll select Mobile and iPhone. Then using “Precise Interests,” I’ll build a group of people who ‘Like’ The Heat, LeBron James, Dwyane Wade, Chris Bosh, and so on until I have my perfect target market. If I wanted to narrow it down even more, I’d limit the ad so it only shows to people in or around Miami. When I’m done, I know my ad will only be shown to and clicked by people who are most likely to buy.

6. Email Marketing
Email is the most underappreciated marketing channel. Everyone likes to talk about the sexiness and adventure of social media, but it’s email that truly has the most money-making potential. If Facebook was the email killer, it’d have killed email by now.

It wasn’t until early 2010 that ZAGG started dedicating time and resources to email marketing. From April 2010 to December 2010, we tripled the size of our email list. In 2011, we increased the size by about another 50%. In 2012 our list size continues to surge.

How has the increase in list size translated to revenue? After only seeing a 12% growth in web sales from 2008-2009, sales increased 66% in 2010 and 71% in 2011. Obviously, building our email list isn’t the only thing we’ve done in that time, but it has been at the center of our internet marketing strategy.

Organizations should focus on email before anything else. Once you have a decent email list built up, leverage that base to build a social media following.
If they subscribe to your emails, they’re literally waiting for you to send them something awesome. If you have a product or service that people are excited about, they will open your emails. If you’re decent at email, people will open their wallets.

7. Submit Your Site to Trade Organization Sites and Specialized Directories.
Some directories focus on particular industries, such as education or finance. You probably belong to various trade associations that feature member directories. Ask for a link. Even if you have to pay something for a link from the organization, it may help boost your PageRank.

Marginal directories, however, come and go very quickly, making it hard to keep up, so don’t try to be exhaustive here. Beware of directories that solicit you for “upgraded listings.” Unless a directory is widely used in your field, a premium ad is a waste of money — but the (free) link itself will help boost your PageRank and hence your search engine ranking.

SubmitWolf is a directory submission tool I’ve used with good success. You complete a listing form in the software interface. Then they submit your listing to all the appropriate directories they know of, plus links to sites that require manual submission. It’s a timesaver and works well. Just be careful to submit only to actual directories, not “linking sites.”

8. Create a multi-faceted Internet marketing strategy.
In order to increase your brand recognition you should launch several marketing campaigns at once. The following are marketing strategies that you should look at starting within a few weeks of each other:

• Create social media accounts and assign someone to launch interesting material every day. In order to attract followers, social media accounts and blogs must be consistently updated.

• Create or pay someone to write SEO articles. Articles that mention popular keywords related to your product, but also offer tips or advice are a great way to introduce people to your product. They also help your website to show up on the first pages of an Internet search. Do not scrimp on the money you spend for SEO articles, Google has created a way to list top quality articles first.

• Collect or buy email lists. People who have stores have most likely collected emails throughout the years, which can be used for email blasts. If you do not have any emails, you can buy them from marketing companies or neighboring markets. Send an initial blast and monthly blasts updating your customers on new products.

• Create videos of people using your product, how-tos or people vouching for your product. You can launch these videos via your website, YouTube, Vimeo, Facebook or other places in order to draw interest to your website.

• Buy ads on sites that cater to your market. Communicate your brand image, videos or other product info on banner ads. If you don't have the skills to craft a well-designed ad, hire a graphic designer to create a good ad.

9. Include Your URL on Stationery, Cards, and Literature.
Make sure that all business cards, stationery, brochures, and literature contain your company’s URL. And see that your printer gets the URL syntax correct. In print, I recommend leaving off the “http://” part and including only the www.domain.com portion.

10. Promote using traditional media.
Don’t discontinue print advertising that you’ve found effective. But be sure to include your URL in any display or classified ads you purchase in trade journals, newspapers, yellow pages, etc. View your website as an information adjunct to the ad. Use a two-step approach: (1) capture readers’ attention with the ad, (2) then refer them to a URL where they can obtain more information and perhaps place an order. Look carefully at small display or classified ads in the back of narrowly targeted magazines or trade periodicals. Sometimes these ads are more targeted, more effective, and less expensive than online advertising. Consider other traditional media to drive people to your site, such as direct mail, classifieds, post cards, etc. TV can be used to promote websites, especially in a local market.

11. Develop a Free Service.
It’s boring to invite people, “Come to our site and learn about our business.” It’s quite another to say “Use the free kitchen remodeling calculator available exclusively on our site.” Make no mistake, it’s expensive in time and energy to develop free resources, but it is very rewarding in increased traffic to your site — and a motivation to link to the site! Make sure that your free service is closely related to what you are selling so the visitors you attract will be good prospects for your business. Give visitors multiple opportunities and links to cross over to the sales portion of your site.

12. Install a “Signature” in your Email Program
Install a “Signature” in your Email Program to help potential customers get in touch with you. Most email programs allow you to designate a “signature” to appear at the end of each message you send. Limit it to 6 to 8 lines: Company name, address, phone number, URL, email address, and a one-phrase description of your unique business offering. Look for examples on email messages sent to you.

13. Announce a Contest.
People like getting something free. If you publicize a contest or drawing available on your site, you’ll generate more traffic than normal. Make sure your sweepstakes rules are legal in all states and countries you are targeting. Prizes should be designed to attract individuals who fit a demographic profile describing your best customers.

14. Purchase Pay Per Click (PPC)
Purchase Pay Per Click (PPC) ads with Google AdWords, Yahoo! Search Marketing, or Microsoft adCenter. This strategy is way down the list, but it is vitally important. Most Internet businesses will want to explore using Google AdWords to drive targeted traffic to their websites.

These PPC ads appear on the search engine results page, typically both above and to the right of the organic or natural search engine results. Since they are keyword-driven, they can be quite relevant to what a searcher is trying to find. Your ranking in this list of paid text ads is determined by (1) how much you have bid for a particular search word compared to other businesses, (2) the click-through rate on your ad, and (3) your Quality Score, which reflects the relevancy and quality of your ad and the landing page it points to.

PPC ads can be a cost-effective way to get targeted traffic, since you only pay when someone actually clicks on the link. But I strongly recommend that you study this carefully and expect a learning curve before you invest large sums of money in PPC advertising. You can find articles on Paid Search on our site.

15. Window display or office front
The external presentation of your business office or shop is one of the principal ways of establishing your business image. An attractive, well maintained exterior with clear, bold sign writing is an essential start. Windows should be bright, attractively presented, scrupulously clean and well lit at night. The display should be arranged neatly and aimed at projecting an attractive company image and providing a reason to buy your products or services. Above all it should have sufficient impact to attract attention.

16. Customer Referral Incentive Program
The customer referral incentive program is a way to encourage current customers to refer new customers to your store. Free products, big discounts and cash rewards are some of the incentives you can use. This is a promotional strategy that leverages your customer base as a sales force.

17. Causes and Charity
Promoting your products while supporting a cause can be an effective promotional strategy. Giving customers a sense of being a part of something larger simply by using products they might use anyway creates a win/win situation. You get the customers and the socially conscious image; customers get a product they can use and the sense of helping a cause. One way to do this is to give a percentage of product profit to the cause your company has committed to helping.

18. Branded Promotional Gifts
Giving away functional branded gifts can be a more effective promotional move than handing out simple business cards. Put your business card on a magnet, ink pen or key chain. These are gifts you can give your customers that they may use, which keeps your business in plain sight rather than in the trash or in a drawer with other business cards the customer may not look at.

19. Listen. Tweet. Listen. Listen Again.
Identify your ideal clients and find them on Twitter. Then start following them! Spend weeks listening to them; you’ll be amazed what they will tell you about their concerns, their ideal products, their current frustrations with their vendors. It’s a great way to get open honest market research.

Get a Twitter account in your business name. Post links to your articles educating people in your niche market. At the bottom of the article have links to your products & services. Also offer discount coupon codes to twitter members. This has worked very well for me.

20. Inspire Customers To Call You
Do something really different. Send a monthly postcard instead of a hard copy newsletter. Self-printed cost is $0.46 ea. including the stamp. Make it fun and colorful with a strong “Call to Action” title, like: “100 reasons to call us.” List 10-to-20 reasons, including your skills, talents, and tasks. Give customers a coupon for a discount, or a free doughnut, or something fun to inspire them to call.

21. Be Generous
To keep customers loyal to you, instead of a frequent buyer program, send your customers small “surprise” gifts. Customers come to expect rewards when they are members of a program. Surprises always work to instill loyalty and retention.

Don’t make the mistake of thinking that promotional items are only for conferences and tradeshows. When given out with (or in place of) a business card at a lunch, a meeting or in passing, small promotional items become a gift. People expect free stuff at conferences, they don’t expect gifts. Keep a small, branded (and useful) item with you. You can be sure they’ll remember you. They don’t have to be expensive. Tip calculator cards, tea bags, pens and pads, small flashlights or things very target specific to your industry, like small packets of flower seeds for a gardener or landscaper with their contact information on it.

Donate several of your products or services to a non-profit organization that is sponsoring a live auction where the proceeds will be donated to the charity. Your store name will be displayed on the products for the duration of the event and the donation is tax deductible. Plus, you’ll be helping others.



Writing Secure PHP
Learn how to avoid some of the most common mistakes in PHP, and so make your sites more secure.


PHP is a very easy language to learn, and many people without any sort of background in programming learn it as a way to add interactivity to their web sites. Unfortunately, that often means PHP programmers, especially those newer to web development, are unaware of the potential security risks their web applications can contain. Here are a few of the more common security problems and how to avoid them.

Rule Number One: Never, Ever, Trust Your Users

It can never be said enough times, you should never, ever, ever trust your users to send you the data you expect. I have heard many people respond to that with something like "Oh, nobody malicious would be interested in my site". Leaving aside that that could not be more wrong, it is not always a malicious user who can exploit a security hole - problems can just as easily arise because of a user unintentionally doing something wrong.

So the cardinal rule of all web development, and I can't stress it enough, is: Never, Ever, Trust Your Users. Assume every single piece of data your site collects from a user contains malicious code. Always. That includes data you think you have checked with client-side validation, for example using JavaScript. If you can manage that, you'll be off to a good start. If PHP security is important to you, this single point is the most important to learn. Personally, I have a "PHP Security" sheet next to my desk with the major points on it, and this is in large bold text, right at the top.

Global Variables

In many languages you must explicitly create a variable in order to use it. In PHP, there is an option, "register_globals", that you can set in php.ini and that allows you to use global variables you have not explicitly created: data sent with the request is turned directly into PHP variables.

Consider the following code:

    if ($password == "my_password") {
        $authorized = 1;
    }

    if ($authorized == 1) {      // $authorized was never initialised by the script
        echo "Lots of important stuff.";
    }



To many that may look fine, and in fact this exact type of code is in use all over the web. However, if a server has "register_globals" set to on, then simply adding "?authorized=1" to the URL will give anyone free access to exactly what you do not want everyone to see. This is one of the most common PHP security problems.

Fortunately, this has a couple of possible simple solutions. The first, and perhaps the best, is to set "register_globals" to off. The second is to ensure that you only use variables that you have explicitly set yourself. In the above example, that would mean adding "$authorized = 0;" at the beginning of the script:

    $authorized = 0;   // always start from "not authorised"

    if ($password == "my_password") {
        $authorized = 1;
    }

    if ($authorized == 1) {
        echo "Lots of important stuff.";
    }

Error Messages

Errors are a very useful tool for both programmer and hacker. A developer needs them in order to fix bugs. A hacker can use them to find out all sorts of information about a site, from the directory structure of the server to database login information. If possible, it is best to turn off all error reporting in a live application. PHP can be told to do this through .htaccess or php.ini, by setting "error_reporting" to "0". If you have a development environment, you can set a different error reporting level for that.

SQL Injection

One of PHP's greatest strengths is the ease with which it can communicate with databases, most notably MySQL. Many people make extensive use of this, and a great many sites, including this one, rely on databases to function.

However, as you would expect, with that much power there are potentially huge security problems you can face. Fortunately, there are plenty of solutions. The most common security hazard faced when interacting with a database is that of SQL Injection - when a user uses a security glitch to run SQL queries on your database.

Let's use a common example. Many login systems feature a line that looks a lot like this when checking the username and password entered into a form by a user against a database of valid username and password combinations, for example to control access to an administration area:

    $check = mysql_query("SELECT Username, Password, UserLevel FROM Users WHERE Username = '".$_POST['username']."' and Password = '".$_POST['password']."'");

Look familiar? It may well do. And on the face of it, the above does not look like it could do much damage. But let's say for a moment that I enter the following into the "username" input box in the form and submit it:

    ' OR 1=1 #

The query that is going to be executed will now look like this:

    SELECT Username, Password, UserLevel FROM Users WHERE Username = '' OR 1=1 #' and Password = ''

The hash symbol (#) tells MySQL that everything following it is a comment and to ignore it. So it will actually only execute the SQL up to that point. As 1 always equals 1, the SQL will return all of the usernames and passwords from the database. And as the first username and password combination in most user login databases is the admin user, the person who simply entered a few symbols in a username box is now logged in as your website administrator, with the same powers they would have if they actually knew the username and password.

With a little creativity, the above can be exploited further, allowing a user to create their own login account, read credit card numbers or even wipe a database clean.

Fortunately, this type of vulnerability is easy enough to work around. By checking for apostrophes in the items we enter into the database, and removing or neutralising them, we can prevent anyone from running their own SQL code on our database. The function below would do the trick:

    function make_safe($variable) {
        // Trim surrounding whitespace, then escape quotes, backslashes and NUL
        // bytes so the value can only ever be read as string content, not SQL.
        // mysql_real_escape_string() needs an open mysql_connect() link, and the
        // whole mysql_* extension was removed in PHP 7 (use mysqli or PDO there).
        $variable = mysql_real_escape_string(trim($variable));
        return $variable;
    }

Now, to modify our query. Instead of using _POST variables as in the query above, we now run all user data through the make_safe function, resulting in the following code:

    $username = make_safe($_POST['username']);
    $password = make_safe($_POST['password']);

    $check = mysql_query("SELECT Username, Password, UserLevel FROM Users WHERE Username = '".$username."' and Password = '".$password."'");

Now, if a user entered the malicious data above, the query will look like the following, which is perfectly harmless. The backslash tells MySQL that the apostrophe is part of the string, so the query simply selects rows where the username is literally equal to the text "' OR 1=1 #".

    SELECT Username, Password, UserLevel FROM Users WHERE Username = '\' OR 1=1 #' and Password = ''

Now, unless you happen to have a user with a very unusual username and a blank password, your malicious attacker will not be able to do any damage at all. It is important to check all data passed to your database like this, however secure you think it is. HTTP headers sent from the user can be faked. Their referral address can be faked. Their browser's User-Agent string can be faked. Do not trust a single piece of data sent by the user, though, and you will be fine.
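The same login check written two ways, as an added example that is not from the original article: the string-built query beside a version using PDO prepared statements, the modern replacement for escaping with mysql_real_escape_string (the mysql_* extension was removed in PHP 7). It runs against an in-memory SQLite database so it works offline; SQLite's comment marker is `--` rather than MySQL's `#`, so the constructed test input is spelled `' OR 1=1 --`, and the table, user row and password are constructed for the demonstration.

```php
<?php
// Added example: vulnerable concatenated query beside a parameterised one.
// The database, table, user row and password below are constructed test data.

function make_test_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE Users (Username TEXT, Password TEXT, UserLevel INTEGER)');
    // Store the password hashed, never in clear.
    $stmt = $db->prepare('INSERT INTO Users VALUES (?, ?, ?)');
    $stmt->execute(['admin', password_hash('correct horse', PASSWORD_DEFAULT), 10]);
    return $db;
}

// The article's pattern: user input concatenated straight into the SQL text,
// so a quote in the input ends the string literal and the rest becomes SQL.
function login_vulnerable(PDO $db, string $user, string $pass): array {
    $sql = "SELECT Username, UserLevel FROM Users WHERE Username = '" . $user
         . "' AND Password = '" . $pass . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: the SQL text is fixed, the input travels as a bound parameter
// and cannot change the query's structure; the password is verified in PHP
// against its hash rather than compared inside the SQL.
function login_safe(PDO $db, string $user, string $pass): ?array {
    $stmt = $db->prepare('SELECT Username, Password, UserLevel FROM Users WHERE Username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['Password'])) {
        return null;   // one generic failure: never say which half was wrong
    }
    unset($row['Password']);
    return $row;
}

$db = make_test_db();
$payload = "' OR 1=1 --";   // constructed: SQLite spelling of the article's input

// Vulnerable: WHERE Username = '' OR 1=1 --' AND Password = ''  -> admin row
$rows = login_vulnerable($db, $payload, '');
echo "vulnerable query returned " . count($rows) . " row(s)\n";

// Parameterised: looks for a user literally named "' OR 1=1 --" -> no user
$row = login_safe($db, $payload, '');
echo "parameterised query returned " . ($row === null ? 'no user' : $row['Username']) . "\n";
```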

File Manipulation

Some sites currently running on the web today have URLs that look like this:

index.php?page=contactus.html

The "index.php" file then simply includes the "contactus.html" file, and the site appears to work. However, the user can very easily change the "contactus.html" bit to anything they like. For example, if you are using Apache's mod_auth to protect files and have saved your credentials in a file named ".htpasswd" (the conventional name), then if a user were to visit the following address, the script would output your username and password hash:

index.php?page=.htpasswd

By changing the URL, on some systems, to reference a file on another server, they could even run PHP that they have written on your site. Scared? You should be. Fortunately, again, this is reasonably easy to protect against. First, make sure you have correctly set "open_basedir" in your php.ini file, and have set "allow_url_fopen" to "off". That will prevent most of these kinds of attacks by preventing the inclusion of remote files and system files. Next, if you can, check the file requested against a list of valid files. If you limit the files that can be accessed through this script, you will save yourself a lot of aggravation later.
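Checking the requested page against a list of valid files, as an added example that is not from the original article. The resolve_page function, the content directory and the file names are constructed for the demonstration; the realpath check that the resolved file sits inside the content directory is an extra measure on top of the allowlist the article recommends (on PHP 5.2 and later, remote includes are also governed by the separate "allow_url_include" setting, which should be off).

```php
<?php
// Added example: serve only pages named in an allowlist, and confirm the
// resolved path stays inside the content directory before including it.

function resolve_page(string $requested, array $allowed, string $base_dir): ?string {
    // 1. Only names that appear in the allowlist are ever considered.
    if (!isset($allowed[$requested])) {
        return null;
    }
    $base = realpath($base_dir);
    $path = realpath($base_dir . DIRECTORY_SEPARATOR . $allowed[$requested]);
    // 2. Belt and braces: the file must exist and live under $base_dir, so a
    //    mistake in the allowlist cannot expose a file outside it.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo content directory with two real pages.
$dir = sys_get_temp_dir() . '/pages_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/contactus.html", "<h1>Contact us</h1>\n");
file_put_contents("$dir/about.html", "<h1>About</h1>\n");

// Map from the "page" parameter to the file that may be included for it.
$allowed = ['contactus' => 'contactus.html', 'about' => 'about.html'];

// Requests index.php might receive; only the first two are served.
foreach (['contactus', 'about', '.htpasswd', '../.htpasswd', 'contactus.html'] as $page) {
    $file = resolve_page($page, $allowed, $dir);
    printf("%-16s => %s\n", $page, $file === null ? 'rejected' : basename($file));
}
// A real index.php would then do `include $file;` only when $file is not null.

unlink("$dir/contactus.html");
unlink("$dir/about.html");
rmdir($dir);
```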

Using Defaults

When MySQL is installed, it uses a default username of "root" and blank password. SQL Server uses "sa" as the default user with a blank password. If someone finds the address of your database server and wants to try to log in, these are the first combinations they will try. If you have not set a different password (and ideally username as well) than the default, then you may well wake up one morning to find your database has been wiped and all your customers' credit card numbers stolen. The same applies to all software you use - if software comes with default username or password, change them.

Leaving Installation Files Online

Many PHP programs come with installation files. Many of these are self-deleting once run, and many applications will refuse to run until you delete the installation files. Many however, will not pay the blindest bit of attention if the install files are still online. If they are still online, they may still be usable, and someone may be able to use them to overwrite your entire site.

Predictability

Let us imagine for a second that your site has attracted the attention of a Bad Person. This Bad Person wants to break in to your administration area, and change all of your product descriptions to "This Product Sucks". I would hazard a guess that their first step will be to go to http://www.yoursite.com/admin/ - just in case it exists. Placing your sensitive files and folders somewhere predictable like that makes life for potential hackers that little bit easier.

With this in mind, make sure you name your sensitive files and folders so that they are tough to guess. Placing your admin area at http://www.yoursite.com/jsfh8sfsifuhsi8392/ might make it harder to just type in quickly, but it adds an extra layer of security to your site. Pick something memorable by all means if you need an address you can remember quickly, but don't pick "admin" or "administration" (or your username or password). Pick something unusual.

The same applies to usernames and passwords. If you have an admin area, do not use "admin" as the username and "password" as the password. Pick something unusual, ideally with both letters and numbers (some hackers use something called a "dictionary attack", trying every word in a dictionary as a password until they find a word that works - adding a couple of digits to the end of a password renders this type of attack useless). It is also wise to change your password fairly regularly (every month or two).

Finally, make sure that your error messages give nothing away. If your admin area gives an error message saying "Unknown Username" when a bad username is entered and "Wrong Password" when the wrong password is entered, a malicious user will know when they've managed to guess a valid username. Using a generic "Login Error" error message for both of the above means that a malicious user will have no idea if it is the username or password he has entered that is wrong.

Finally, Be Completely and Utterly Paranoid

If you assume your site will never come under attack, or face any problems of any sort, then when something eventually does go wrong, you will be in massive amounts of trouble. If, on the other hand, you assume every single visitor to your site is out to get you and you are permanently at war, you will help yourself to keep your site secure, and be prepared in case things should go wrong.
