Find a Book  

Biography : Shonkolity/mixed


Few Books of Shonkolity/mixed
All Books of shonkolity/mixed
Article and Tutorial
Flu-fighting foods It takes more than an apple a day to keep the doctor away. It turns out that eating some pretty surprising nutrients will help keep your immune system on guard. You can ensure your body and immunity run smoothly by rounding out your plate with plenty of colorful servings of fruits and veggies, plus 8 to 10 glasses of water a day, at the very least. The following ingredients can add extra flu-fighting punch to your winter meal plan.

Need more advice for staying healthy through the season?

Vulnerabilities & Concepts

Vulnerability Types

Cross Site Scripting (XSS)

This vulnerability allows data to be injected into webpages. This data is then interpreted as code and executed by the viewer‘s web browser, which can effectively be seen as remote controlling a victim‘s browser.

Cross Site Request Forgery (CSRF)

CSRF refers to a type of exploits where the victim‘s browser is being tricked into triggering an authenticated action inside a vulnerable web application. The target website can be affected by CSRF regardless of being susceptible to XSS. How dangerous CSRF can be really depends on the kind of action triggered this way and its impact.

SQL Injection

SQL injection attacks lead to the manipulation of SQL queries. Vulnerable applications allow dynamically built SQL queries to contain unfiltered or improperly sanitised user input. If exploited successfully an attacker can gain access to all data in the database as well as modify data, limited only by the access level of the database user.

Insecure Session Handling

This category covers problems enabling attackers to access or manipulate a session token in order to control or take over a session.

Session Fixation

Session Fixation allows an attacker to control the session of a user. This is done by injecting a known token to be used as a valid session token.

Information Disclosure

As the name suggests, security related information is being divulged by the target system, which may simplify an attack. Such information can be found in various places, e.g. code comments, directory listings, error messages or even in search results of your favourite search engine.

Header Injection

This vulnerability allows HTTP headers to be injected into an HTTP response.

File Inclusion

The inclusion of local or remote files into a web application is a serious security vulnerability, which may lead to arbitrary code execution on the server.

Insecure Configuration

Misconfiguration of server or application software may facilitate or simplify attacks.

Weak randomness

This problem refers to predictable random number generation; e.g. badly chosen random seeds or algorithms using insufficient entropy are known to generate weak random numbers.


Secure Input Handling

Input filters and validators can be used to scan user input for specific patterns known to trigger unwanted side effects in web applications. User input can contain fragments of JavaScript, SQL, PHP or other code which – if unfiltered – could then lead to code execution within the context of the web application.


Sanitising functions can be used to “repair” user input, according to the application‘s restrictions (e.g. specific datatypes, maximum length) instead of rejecting potentially dangerous input entirely. In general, the use of sanitising functions is not encouraged, because certain kinds and combinations of sanitising filters may have security implications of their own. In addition, the automatic correction of typos could render the input syntactically or semantically incorrect.


There are several different kinds of escaping:

- The backslash prefix “\” defines a meta character within strings. For Example: \t is a tab space, \n is a newline character, … This can be of particular interest for functions where the newline character has a special purpose, e.g. header(). Within regular expressions the backs- lash is used to escape special characters, such as \. or \*, which is relevant for all functions handling regular expressions.

- HTML encoding translates characters nor- mally interpreted by the web browser as HTML into their encoded equivalents – e.g. < is < or < or < and > is > or > or >. HTML encoding should be used for output handling, where user input should be reflected in HTML without injecting code. (See also: htmlentities())

- URL encoding makes sure, that every character not allowed within URLs, according to RFC 1738, is properly encoded. E.g. space converts to + or and < is <. This escaping is relevant for functions handling URLs, such as urlencode() and urldecode().


There are two different approaches to filtering input data – whitelisting and blacklisting. Blacklisting checks input data against a list of “bad patterns”. This way, unwanted input can be discarded and all other content can be processed further. On the other hand, whitelisting checks input data against a list of known “good patterns”. All unmatched input can be discarded and only input recognised as valid is accepted.

In the real world whitelisting turned out to be far more resistant to security vulnerabilities than blacklisting, since it is usually a lot easier to specify the narrow set of valid patterns for the whitelist than to exclude every invalid input with a blacklist. In particular, whitelisting should be used for input directly controlling the program flow, e.g. for include statements or eval().

Security Related PHP Functions

Validation and Sanitising Functions


The PHP core provides a few functions suitable for sanitising:

is_numeric() Checks a variable for numeric content.

is_array() Checks if a variable is an array.

strlen() Returns a string‘s length.

strip_tags() Removes HTML and PHP tags. Warning: As long as certain HTML tags remain, JavaScript can be injected along with tag attributes.

CType Extension

By default, PHP comes with activated CType exten- sion. Each of the following functions checks if all characters of a string fall under the described group of characters:

ctype_alnum() alphanumeric characters – A-Z, a-z, 0-9

ctype_alpha() alphabetic characters – A-Z, a-z

ctype_cntrl() control characters – e.g. tab, line feed

ctype_digit() numerical characters – 0-9

ctype_graph() characters creating visible output e.g. no whitespace

ctype_lower() lowercase letters – a-z

ctype_print() printable characters

ctype_punct() punctuation characters – printable characters, but not digits, letters or whitespace, e.g. .,!?:;*&$

ctype_space() whitespace characters – e.g. newline, tab

ctype_upper() uppercase characters – A-Z

ctype_xdigit() hexadecimal digits – 0-9, a-f, A-F


if (!ctype_print($_GET['var'])) {

die("User input contains non-printable characters");


Filter Extension – ext/filter

Starting with PHP 5.2.0 the filter extension has provided a simple API for input validation and input filtering.

filter_input() Retrieves the value of any GET, POST, COOKIE, ENV or SERVER variable and applies the specified filter.

<?php $url = filter_input(INPUT_GET, 'url', FILTER_URL); ?>

filter_var() Filters a variable with the specified filter.

<?php $url = filter_var($var, FILTER_URL); ?>

List of Filters Validation Filters

Validation Filters

FILTER_VALIDATE_INT Checks whether the input is an integer numeric value.

FILTER_VALIDATE_BOOLEAN Checks whether the input is a boolean value.

FILTER_VALIDATE_FLOAT Checks whether the input is a floating point number.

FILTER_VALIDATE_REGEXP Checks the input against a regular expression.

FILTER_VALIDATE_URL Checks whether the input is a URL.

FILTER_VALIDATE_EMAIL Checks whether the input is a valid email ad- dress.

FILTER_VALIDATE_IP Checks whether the input is a valid IPv4 or IPv6.

Sanitising Filters

FILTER_SANITIZE_STRING / FILTER_SANITIZE_STRIPPED Strips and HTML-encodes characters according to flags and applies strip_tags().


FILTER_SANITIZE_SPECIAL_CHARS Encodes ‘ " < %gt; & \0 and optionally all characters > chr(127) into numeric HTML entities.

FILTER_SANITIZE_EMAIL Removes all characters not commonly used in an email address.

FILTER_SANITIZE_URL Removes all characters not allowed in URLs.

FILTER_SANITIZE_NUMBER_INT Removes all characters except digits and + -.

FILTER_SANITIZE_NUMBER_FLOAT Removes all characters not allowed in floating point numbers.


Other Filters

FILTER_UNSAFE_RAW Is a dummy filter.

FILTER_CALLBACK Calls a userspace callback function defining the filter.

Escaping and Encoding Functions

htmlspecialchars() Escapes the characters & < and > as HTML entities to protect the application against XSS. The correct character set and the mode ENT_QUOTES should be used.

<?php echo "Hello " . htmlspecialchars(

$_GET['name'], ENT_QUOTES, 'utf-8'); ?>

htmlentities() Applies HTML entity encoding to all applicable characters to protect the application against XSS. The correct character set and the mode ENT_QUOTES should be used.

<?php echo "Hello " . htmlentities($_GET['name'], ENT_QUOTES, 'utf-8'); ?>

urlencode() Applies URL encoding as seen in the query part of a URL.

<?php $url = "" .

"index.php?param=" . urlencode($_GET['pa']); ?>

addslashes() Applies a simple backslash escaping. The input string is assumed to be single-byte encoded. addslashes() should not be used to protect against SQL injections, since most database systems operate with multi-byte encoded strings, such as UTF-8.

addcslashes() Applies backslash escaping. This can be used to prepare strings for use in a JavaScript string context. However, protection against HTML tag injection is not possible with this function.

mysql_real_escape_string() Escapes a string for use with mysql_query(). The character set of the current MySQL connection is taken into account, so it is safe to operate on multi-byte encoded strings. Applications implementing string escaping as protection against SQL injection attacks should use this function.


$sql = "SELECT * FROM user WHERE" .

 " login='" . mysql_real_escape_string($_GET['login'], $db) . "'";


preg_quote() Should be used to escape user input to be inserted into regular expressions. This way the regular expression is safeguarded from semantic manipulations.


$repl = preg_replace('/^' .

preg_quote($_GET['part'], '/').

'-[0-9]{1,4}', '', $str);


escapeshellarg() Escapes a single argument of a shell command. In order to prevent shell code injection, single quotes in user input are being escaped and the whole string enclosed in single quotes.


system('resize /tmp/image.jpg' .

 escapeshellarg($_GET['w']).' '.



escapeshellcmd() Escapes all meta characters of a shell command in a way that no additional shell commands can be injected. If necessary, arguments should be enclosed in quotes.


system(escapeshellcmd('resize /tmp/image.jpg "' .

 $_GET['w'].'" "'.

 $_GET['h']. '"'));


  Secure Programming

Securing HTML Output

In order to prevent the execution of JavaScript code originating from user input, it is mandatory to perform a suitable string sanitisation on all dynamic data before any HTML output. The use of htmlentities() is considered sufficient within normal HTML context.

However, if data can be injected into tags or tag attributes, JavaScript can be executed by means of event handlers such as onClick or by modifying style attributes. For these cases it is recommended to apply a whitelist filter allowing only predefined tag attributes or style sheets to be inserted.

URLs within tag attributes must be checked as well. Some URI schemes, such as data: [removed] and [removed] can be used to execute code. Therefore only specific schemes should be allowed. Of course, it is always a good idea to encode the query part of a URL appropriately as well.

Finally, data put directly into JavaScript code must be prevented from breaking out of its JavaScript context. JavaScript strings are known to be particularly prone to incorrect escaping.

Regular Expressions

Every user input placed inside regular expressions must be prepared using preg_quote(). Otherwise an injection into the expression‘s logic can easily lead to incorrect application behaviour, buffer overflows, denial of service or application crashes.

HTTP Header Output

HTTP headers can be set using the header() function. User input should always be checked before being passed to header(), otherwise a number of security issues become relevant.

Newline characters should never be used with header() in order to prevent HTTP header injections. Injected headers can be used for XSS and HTTP response splitting attacks, too. In general, user input should be handled in a context-sensitive manner.

Dynamic content within parameters to Location or Set-Cookie headers should be escaped by urlencode().

<?php if (strpbrk($_GET['x'], "\r\n"))

die('line break in x'); header("Location: " .


urlencode($_GET['x'])); header("Set-Cookie: mycookie=". urlencode($_GET['x']) .


The 10 Habits That Keep Marriages Strong
Try these surprisingly simple practices to stay — or fall back — in love with your partner.
By Holly Corbett

1. Not trying to change each other
Maybe you wish he folded his socks, or that he would chat it up with your friends without prompting. But, his inability to notice hair in the sink may stem from the laid-back personality that drew you to him in the first place. "One of the things we see with happy couples is that they know their partner's differences, and have pretty much stopped trying to change the other person," says Darren Wilk, a certified Gottman Couples Therapist with a private practice in Vancouver, British Columbia. "Rather than trying to fight their partner's personality style, they instead focus on each other's strengths." To better understand how to tap into both of your best qualities, take this quick relationship personality quiz.

2. Framing your demands as favors
Whether you want him to unload the dishwasher more often or pay closer attention to the kids, your partner will be more likely to change his behavior if he feels like he'll get relationship brownie points. "Throw it out there like a favor. Present it like 'here is the recipe for what will make me happy,' because everyone wants to make their partner feel happy," says Wilk. "When you present your needs, present them as what you do want rather than what you don't want." Instead of saying, "I hate when you have to have everything scheduled," try saying, "I would love to have a day where we can just be spontaneous."

3. Vocalizing your appreciation
Giving your partner positive reinforcement sounds like a no-brainer, but couples often forget to do it. "Relationship expert Gottman's research found that in everyday life, happy couples have 20 positive moments — such as a shared look, compliment, or affectionate touch — to every negative moment," says Wilk. Tell him something positive three times a day, and be specific. Instead of saying, "You're a good dad," tell him why. "You're a good dad because you helped our daughter with that puzzle, which I never would have had the patience to do."

4. Focusing on the positive
"Unhappy couples are stuck in a negative state of mind," says Wilk. "You will always find what you look for. If you look for stuff that bugs you and that your partner is doing wrong, you will find it every day. If you look at what your partner is doing it right, you’ll find it everyday." It's a choice to flip your mindset, so when you find yourself getting annoyed, visualize something he does that makes your heart flutter to halt the negative thought circuit.

5. Taking trips down memory lane
"Happy couples tend to rewrite history by glossing over the bad stuff and focusing on the happy times," says Wilk. By reliving memories out loud to your partner, it actually changes your mindset, and how you view him and think about your relationship. Try this exercise whenever your feel your relationship needs a boost: Go over the highlights of when you were first dating, or rehearse the best moments of your relationship (such as the day you had an impromptu picnic in the park during your lunch hour, or that surprise anniversary date he took you on) to uncover buried memories.

6. Never siding with the enemy
"Sometimes what affair-proofs relationships is simply being there when your partner needs to vent, and having their back without trying to fix the problem," says Wilk. "People want someone to listen to them.” The key is to be supportive, and never take the side of the person he’s venting about — even if you can see where that person is coming from. For example, if he is upset that his boss took away a contract and gave it to someone else in the office, now is not the time to say, "Well, maybe you didn't put your best effort in." Right now he needs his feelings validated, and to hear you say, "That must have been really hard." Happy couples know when to bite their tongues.

7. Not getting too comfortable
Trust, security, and commitment are key elements in any relationship, but having them doesn't mean you can treat your relationship as rock-solid, and stop trying. "Relationships are a fragile ecosystem, and that's why there is a 50% divorce rate," says Wilk. "Happy couples keep dating, telling each other they look great, and doing things together."

8. Having rituals of connection
"It's not only about having a date night, but happy couples seem to do a lot of mundane things together," says Wilk. "They have little habits that they decide to do together, whether it be sitting down to pay the bills once a month or folding laundry." We say, anything to make that pile of dirty clothes feel more manageable.

9. Knowing your partner's calls for attention
Happy couples are mindful of those little moves their partners do for attention. When Gottman's team studied 120 newlyweds in his Love Lab, they discovered that couples who stayed married six years later were paying attention to these bids for connection 86% of the time, compared to only 33% of the time for those who later divorced. So look out for the little things, and respond to his need to connect. Like if you're grocery shopping and he casually mentions that he hasn't had Fruit Loops since he was a kid, throw them in the cart for him to show that you care.

10. Doing the little things
"When it comes to relationship satisfaction, you can't just ride on the big things like, 'I don’t drink, I pay the bills, I don't beat you, we went to Hawaii last year,'" says Wilk. "This stuff is not really what keeps couples happy in their daily lives." What really matters is all the small stuff that adds up, such as being there for each other when one needs to vent, or noticing when he needs a hug, or making him his favorite meal just because. "It's also giving up on the idea that you have to feel in love all the time. Marriage is about trust and commitment and knowing each other," says Wilk. "That's what love is."