易栈网-膘叔（Neatstudio.COM）

易栈网-膘叔

利用PHP裁剪图片

PHP的XSS攻击过滤函数

使用PHP得到所有的HTTP请求头

Jadu: 将 PHP 编译成 .NET

Good and Bad PHP Code

利用PHP裁剪图片

PHP的XSS攻击过滤函数

使用PHP得到所有的HTTP请求头

Jadu: 将 PHP 编译成 .NET

Good and Bad PHP Code

日志分类

热门标签

日志归档

搜索文章

最新评论

博客信息

友情链接

浏览模式: 标准 | 列表分类:PHP

Submitted by gouki on 2008, December 6, 11:45 PM

其实，用PHP裁剪图片的原理是很简单的，无非就是用javascript画出一个方块，计算一下四个角的顶点，然后从原图中按照这四个点的坐标把当中的图切出来。

网上有现成的例子：http://www.coderhome.net/zifa/?p=351，不过里面的JS库用的是mootools的，如果要看，请直接到该网上去看，以后，等有空了，用jQuery的模拟一下，呵呵。
jQuery的插件还是很好开发的

Tags: php, 裁剪, mootools, javascript

PHP | 评论:4 | 阅读:29129

Submitted by gouki on 2008, December 4, 11:35 PM

XSS攻击在最近很是流行，往往在某段代码里一不小心就会被人放上XSS攻击的代码，看到国外有人写上了函数，咱也偷偷懒，悄悄的贴上来。。。
原文如下：
The goal of this function is to be a generic function that can be used to parse almost any input and render it XSS safe. For more information on actual XSS attacks, check out http://ha.ckers.org/xss.html. Another excellent site is the XSS Database which details each attack and how it works.

PHP代码

<?php
function RemoveXSS($val) {
// remove all non-printable characters. CR(0a) and LF(0b) and TAB(9) are allowed
// this prevents some character re-spacing such as <java\0script>
// note that you have to handle splits with \n, \r, and \t later since they *are* allowed in some inputs
$val = preg_replace('/([\x00-\x08,\x0b-\x0c,\x0e-\x19])/', '', $val);
// straight replacements, the user should never need these since they're normal characters
// this prevents like <IMG SRC=@avascript:alert('XSS')>
$search = 'abcdefghijklmnopqrstuvwxyz';
$search .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
$search .= '1234567890!@#$%^&*()';
$search .= '~`";:?+/={}[]-_|\'\\';
for ($i = 0; $i < strlen($search); $i++) {
// ;? matches the ;, which is optional
// 0{0,7} matches any padded zeros, which are optional and go up to 8 chars
// @ @ search for the hex values
$val = preg_replace('/(&#[xX]0{0,8}'.dechex(ord($search[$i])).';?)/i', $search[$i], $val); // with a ;
// @ @ 0{0,7} matches '0' zero to seven times
$val = preg_replace('/(&#0{0,8}'.ord($search[$i]).';?)/', $search[$i], $val); // with a ;
}
// now the only remaining whitespace attacks are \t, \n, and \r
$ra1 = Array('javascript', 'vbscript', 'expression', 'applet', 'meta', 'xml', 'blink', 'link', 'style', 'script', 'embed', 'object', 'iframe', 'frame', 'frameset', 'ilayer', 'layer', 'bgsound', 'title', 'base');
$ra2 = Array('onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate', 'onbeforecopy', 'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus', 'onbeforepaste', 'onbeforeprint', 'onbeforeunload', 'onbeforeupdate', 'onblur', 'onbounce', 'oncellchange', 'onchange', 'onclick', 'oncontextmenu', 'oncontrolselect', 'oncopy', 'oncut', 'ondataavailable', 'ondatasetchanged', 'ondatasetcomplete', 'ondblclick', 'ondeactivate', 'ondrag', 'ondragend', 'ondragenter', 'ondragleave', 'ondragover', 'ondragstart', 'ondrop', 'onerror', 'onerrorupdate', 'onfilterchange', 'onfinish', 'onfocus', 'onfocusin', 'onfocusout', 'onhelp', 'onkeydown', 'onkeypress', 'onkeyup', 'onlayoutcomplete', 'onload', 'onlosecapture', 'onmousedown', 'onmouseenter', 'onmouseleave', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup', 'onmousewheel', 'onmove', 'onmoveend', 'onmovestart', 'onpaste', 'onpropertychange', 'onreadystatechange', 'onreset', 'onresize', 'onresizeend', 'onresizestart', 'onrowenter', 'onrowexit', 'onrowsdelete', 'onrowsinserted', 'onscroll', 'onselect', 'onselectionchange', 'onselectstart', 'onstart', 'onstop', 'onsubmit', 'onunload');
$ra = array_merge($ra1, $ra2);
$found = true; // keep replacing as long as the previous round replaced something
while ($found == true) {
$val_before = $val;
for ($i = 0; $i < sizeof($ra); $i++) {
$pattern = '/';
for ($j = 0; $j < strlen($ra[$i]); $j++) {
if ($j > 0) {
$pattern .= '(';
$pattern .= '(&#[xX]0{0,8}([9ab]);)';
$pattern .= '|';
$pattern .= '|(&#0{0,8}([9|10|13]);)';
$pattern .= ')*';
}
$pattern .= $ra[$i][$j];
}
$pattern .= '/i';
$replacement = substr($ra[$i], 0, 2).'<x>'.substr($ra[$i], 2); // add in <> to nerf the tag
$val = preg_replace($pattern, $replacement, $val); // filter out the hex tags
if ($val_before == $val) {
// no replacements were made, so exit the loop
$found = false;
}
}
}
return $val;
}

经过这样的过滤后，应该被攻击的机会会少上很多吧？试试看呢？

Tags: php, xss, filter, function

PHP | 评论:2 | 阅读:44605

Submitted by gouki on 2008, December 3, 11:54 PM

PHP中一般采用getallheaders来获取头部，但事实上，有些模式下是获取不到的（以前真没有注意过在fastcgi下这个函数不能用，当然我现在也没有测试。是老王说的）

他说：

在PHP里，想要得到所有的HTTP请求头，可以使用getallheaders方法，不过此方法并不是在任何环境下都存在，比如说，你使用fastcgi方式运行PHP的话，就没有这个方法，所以说我们还需要考虑别的方法，幸运的是$_SERVER里有我们想要的东西，它里面键名以HTTP_开头的就是HTTP请求头：

$headers = array(); foreach ($_SERVER as $key => $value) { if ('HTTP_' == substr($key, 0, 5)) { $headers[str_replace('_', '-', substr($key, 5))] = $value; } }

代码很简单，需要说明的是RFC里明确指出了信息头的名字是不区分大小写的。

不过并不是所有的HTTP请求头都是以HTTP_开头的的键的形式存在与$_SERVER里，比如说Authorization，Content-Length，Content-Type就不是这样，所以说为了取得所有的HTTP请求头，还需要加上下面这段代码：

if (isset($_SERVER['PHP_AUTH_DIGEST'])) { $header['AUTHORIZATION'] = $_SERVER['PHP_AUTH_DIGEST']); } elseif (isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW'])) { $header['AUTHORIZATION'] = base64_encode($_SERVER['PHP_AUTH_USER'] . ':' . $_SERVER['PHP_AUTH_PW'])); } if (isset($_SERVER['CONTENT_LENGTH'])) { $header['CONTENT-LENGTH'] = $_SERVER['CONTENT_LENGTH']; } if (isset($_SERVER['CONTENT_TYPE'])) { $header['CONTENT-TYPE'] = $_SERVER['CONTENT_TYPE']; }

搞定！

网址为：http://hi.baidu.com/thinkinginlamp/blog/item/c0bff01f3beb66f2e1fe0b7e.html

Tags: php, header, getallheaders

PHP | 评论:3 | 阅读:64440

Submitted by gouki on 2008, December 2, 10:22 AM

新闻来源:itnews.com.au
内容管理公司 Jadu 最近发布了一个工具，可以让 PHP 和 .NET 这对冤家和平共处。他们开发了一个叫做 Phalanger PHP compiler 的工具，可以将 PHP 程序编译成本地 .NET 程序执行。他们还准备将这一工具开源。

据 Jadu CEO Suraj Kika 介绍，这个工具对 PHP 程序进行编译，编译成 .NET 框架下下的本地程序。比如，你想用 WordPress，但你属于微软阵营，你可以将 WordPress 编译成可执行文件，放到 .NET 中并在 Visual Studio 中针对这个编译过的 WordPress 做进一步开发。

这个工具将为 PHP 和 .NET 开发工程师带来职业上的便利，避免在各自对方的技术领域内再培训。Kika 表示，我们会看到大量 PHP 开发者在微软阵营找到客户群。

Kika 还表示，开源和商业软件之间向来泾渭分明，这一工具将让这两个阵营的开发者走到一起。

本文来源：http://www.itnews.com.au/News/90129,jadu-brings-php-and-net-closer-together.aspx
中文翻译：COMSHARP CMS
膘叔：好妖的功能呀，一直以为PHP要想在windows下独立运行，得使用php GTK的，结果现在居然有人编译成.net，真是心有多大，世界有多大呀

Tags: php, .net, 编译

PHP | 评论:0 | 阅读:18451

Submitted by gouki on 2008, December 5, 12:13 AM

by Kevin Yank

The following is republished from the Tech Times #165.

When interviewing a PHP developer candidate for a job at SitePoint, there is one question that I almost always ask, because their answer tells me so much about the kind of programmer they are. Here’s the question: “In your mind, what are the differences between good PHP code and bad PHP code?”

The reason I like this question is because it tests more than just a candidate’s encyclopedic knowledge of PHP’s functions. Zend’s PHP certification does a good job of that (as does the test that Yahoo! issues to applicants for its PHP developer jobs, apparently).

Rather, the answer to this question tells me whether a PHP developer has, for example, experienced the pain of working with poorly-written code inherited from a careless predecessor, and whether he or she will go the extra mile to save the rest of the team from that same pain.

I don’t have a set notion of the perfect answer to the question, but I do know the kinds of things I’m hoping to hear. Just off the top of my head:

Good PHP code should be structured. Long chunks of code can be broken up into functions or methods that achieve sub-tasks with simple code, while non-obvious snippets should be commented to make their meaning plain. As much as possible, you should separate frontend HTML/CSS/JavaScript code from the server-side logic of your applications. PHP’s object oriented programming features give you some especially powerful tools to break up your applications into sensible units.

Good PHP code should be consistent. Whether that means setting rules for the names of variables and functions, adopting standard approaches to recurring tasks like database access and error handling, or simply making sure all of your code is indented the same way, consistency makes your code easier for others to read.

Good PHP code should be portable. PHP has a number of features, such as magic quotes and short tags, that can break fragile code when they are switched on or off. If you know what you’re doing, however, you can write code that works by adapting to its environment.

Good PHP code should be secure. While PHP offers excellent performance and flexibility out of the box, it leaves important issues like security entirely in the hands of the developer. A deep understanding of potential security holes like Cross-Site Scripting (XSS), Cross-Site Request Forgeries (CSRF), code injection vulnerabilities, and character encoding loopholes is essential for a professional PHP developer these days.

Once a candidate has answered this question, I usually have a pretty good idea of whether they’ll be hired or not. Of course, there’s always the possibility that an interviewee simply isn’t able to articulate these types of things, so we also have our candidates sit a PHP developer exam.

Many of the questions in this exam seem straightforward on the surface, but they give candidates plenty of opportunity to show how much they care about the little details.

The following “bad” code is a highly simplified example of the sort of thing we might put in our PHP developer exam. The question might be something like “How would you rewrite this code to make it better?”

<?php
 echo("Search results for query: " .
 $_GET['query'] . ".");
?>

<?php
 echo("Search results for query: " . $_GET['query'] . ".");
?>

The main problem in this code is that the user-submitted value ($_GET['query']) is output directly to the page, resulting in a Cross Site Scripting (XSS) vulnerability. But there are plenty of other ways in which it can be improved.

So, what sort of answer are we hoping for?

Good:

<?php
 echo("Search results for query: " .
 htmlspecialchars($_GET['query']) . ".");
?>

<?php
 echo("Search results for query: " .
 htmlspecialchars($_GET['query']) . ".");
?>

This is the least we expect. The XSS vulnerability has been remedied using htmlspecialchars to escape dangerous characters in the submitted value.

Better:

<?php
 if (isset($_GET['query']))
 {
 echo 'Search results for query: ',
 htmlspecialchars($_GET['query'], ENT_QUOTES), '.';
 }
?>

<?php
 if (isset($_GET['query'])) {
 echo 'Search results for query: ',
 htmlspecialchars($_GET['query'], ENT_QUOTES), '.';
 }
?>

Now this looks like someone we might want to hire:

 * The “short” opening PHP tag (<?) has been replaced with the more portable (and XML-friendly) <?php form.
 * Before attempting to output the value of $_GET['query'], isset is used to verify that it actually has a value.
 * The unnecessary brackets (()) around the value passed to echo have been removed.
 * Strings are delimited by single quotes instead of double quotes to avoid the performance hit of PHP searching for variables to interpolate within the strings.
 * Rather than using the string concatenation operator (.) to pass a single string to the echo statement, the strings to be output by echo are separated by commas for a tiny performance boost.
 * Passing the ENT_QUOTES argument to htmlspecialchars to ensure that single quotes (') are also escaped isn’t strictly necessary in this case, but it’s a good habit to get into.

Somewhat distressingly, the number of PHP developers looking for work that are able to give a fully satisfactory answer to this sort of question—at least here in Melbourne—are few and far between. We spent a good three months interviewing for this latest position before we found someone with whom we were happy!

So, how would you do when asked a question like this one? Are there any factors that make PHP code good or bad that you feel I’ve left out? And what else would you look for in a PHP developer?

PHP | 评论:0 | 阅读:17315

Records:648«‹110 111 112 113 114115116 117 118 119 ›»

« 2025年05月 »