Category: PHP & Java Script

Website Functional testing using Browser automation

Introduction –

Website functional testing using browser automation is very important and better than just monitoring a URL for a 200 OK response. Your application or website URL may be responding fine, but this does not mean that all of its components are working. So testing your web application's functionality, with screenshots, is important for cloud-based products and for uptime reporting to customers.
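As an added example (not code from the original post), the PHP script below is the kind of check the paragraph argues for: instead of stopping at the status code, it also verifies response time, a content marker and the presence of named form fields, so a page that returns 200 with a broken login form is reported as DOWN. The URL, markers and field names are assumptions; replace them with your own application's values.

```php
<?php
// Added example: a functional check that goes beyond "200 OK". The target
// URL and expectations below are constructed placeholders.

function functional_check(string $url, array $expect): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,   // a redirect (e.g. to a login page) is itself a finding
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 15,
        CURLOPT_SSL_VERIFYPEER => true,    // keep TLS verification on in a monitor
        CURLOPT_USERAGENT      => 'functional-check/1.0',
    ]);
    $start   = microtime(true);
    $body    = curl_exec($ch);
    $elapsed = microtime(true) - $start;
    $status  = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    $error   = curl_error($ch);
    curl_close($ch);

    $failures = [];
    if ($body === false) {
        $failures[] = "transport error: $error";
        return ['ok' => false, 'status' => $status, 'time' => $elapsed, 'failures' => $failures];
    }
    if ($status !== $expect['status']) {
        $failures[] = "status $status, expected {$expect['status']}";
    }
    if ($elapsed > $expect['max_seconds']) {
        $failures[] = sprintf('slow: %.2fs > %.2fs', $elapsed, $expect['max_seconds']);
    }
    foreach ($expect['contains'] as $needle) {
        if (strpos($body, $needle) === false) {
            $failures[] = "marker not found: $needle";
        }
    }
    // A missing <input name="..."> means the form is broken even though the page is 200.
    foreach ($expect['form_fields'] as $field) {
        $pattern = '/<input\b[^>]*\bname=["\']' . preg_quote($field, '/') . '["\']/i';
        if (!preg_match($pattern, $body)) {
            $failures[] = "form field missing: $field";
        }
    }
    return ['ok' => $failures === [], 'status' => $status, 'time' => $elapsed, 'failures' => $failures];
}

// Assumed target and expectations (constructed for this example).
$url    = 'https://www.example.com/login';
$result = functional_check($url, [
    'status'      => 200,
    'max_seconds' => 2.0,
    'contains'    => ['<title>Login</title>', 'Forgot your password'],
    'form_fields' => ['username', 'password'],
]);

printf("%s %s (%d, %.2fs)\n", $result['ok'] ? 'UP' : 'DOWN', $url, $result['status'], $result['time']);
foreach ($result['failures'] as $f) {
    echo "  - $f\n";
}
exit($result['ok'] ? 0 : 1);
```

The exit code makes the script usable from cron or any monitoring agent that treats a non-zero exit as an outage; the failure list says which component broke, which a bare status check never tells you.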

A few years back I wrote the article “Firefox yslow and Showslow for Website testing and performance”. Ref URL: http://www.indiangnu.org/2012/firefox-yslow-and-showslow-for-website-testing-and-automation/

The Mechanize library is used for automating interaction with websites and is available for Perl, Python and Ruby.
URLs –
http://search.cpan.org/~ether/WWW-Mechanize-1.75/lib/WWW/Mechanize.pm
http://wwwsearch.sourceforge.net/mechanize/
https://pypi.python.org/pypi/mechanize/
http://mechanize.rubyforge.org/

There are several wrappers around “Mechanize” designed for functional testing of web applications: zope.testbrowser and twill.

Top 5 Products for “Website Functional testing using Browser automation”…

1) Selenium Browser Automation (http://www.seleniumhq.org) –
Selenium automates browsers. Selenium is a portable software testing framework for web applications. Selenium provides a record/playback tool for authoring tests without learning a test scripting language (Selenium IDE). Selenium WebDriver is the successor to Selenium RC. Selenium WebDriver accepts commands (sent in Selenese, or via a Client API) and sends them to a browser. This is implemented through a browser-specific browser driver, which sends commands to a browser, and retrieves results. Most browser drivers actually launch and access a browser application (such as Firefox or Internet Explorer); there is also an HtmlUnit browser driver, which simulates a browser using HtmlUnit.

Selenium Grid – Selenium Grid is a server that allows tests to use web browser instances running on remote machines. With Selenium Grid, one server acts as the hub. The hub has a list of servers that provide access to browser instances (WebDriver nodes).

2) Splinter (https://splinter.readthedocs.org) –
Splinter is an open source tool for testing web applications using Python. It lets you automate browser actions, such as visiting URLs and interacting with their items. It supports multiple web drivers (Chrome WebDriver, Firefox WebDriver, PhantomJS WebDriver, zope.testbrowser, remote WebDriver), supports iframes and alerts, and can execute JavaScript.

3) twill (http://twill.idyll.org) –
twill: a simple scripting language for Web browsing. twill is a simple language that allows users to browse the Web from a command-line interface. With twill, you can navigate through Web sites that use forms, cookies, and most standard Web features.

4) zope.testbrowser (https://pypi.python.org/pypi?:action=display&name=zope.testbrowser) –
zope.testbrowser provides an easy-to-use programmable web browser with special focus on testing. It is used in Zope, but it’s not Zope specific at all. For instance, it can be used to test or otherwise interact with any web site.

5) PAMIE (http://pamie.sourceforge.net) –
P.A.M.I.E. stands for Python Automated Module For I.E. Pamie's main use is for testing web sites, by which you automate the Internet Explorer client using the Pamie scripting language. Simply create a script using the free PythonWin IDE that comes with the win32all extensions, import cPAMIE and use the Pamie Scripting Language (PSL) to write a script that simulates a user navigating a web site. It's simple to use.

There are many products available for website monitoring:

http://www.monitor.us/
https://ghostinspector.com/
https://www.browserstack.com
https://www.alertbot.com/
https://www.pingdom.com/

Thank you,
Arun Bagul

How to configure-add java extension for php on CentOS 5

Here I have used PHP version 5.2.11 and jdk-6u18-linux-x64.bin (from the given Java download link).

[root@ravi.com ~]# yum  -y install httpd php php-devel php-gd php-cli php-xml php-ldap php-common php-pear php-pdo

Install the Java JDK and set the environment variables in ~/.bashrc; also run them on the CLI and verify them before the next step.

export JAVA_HOME=/usr/java/jdk1.6.0_18
export PATH=/usr/java/jdk1.6.0_18/bin:$PATH

[root@ravi.com ~]# echo $JAVA_HOME

Now add the dynamic linker library paths to /etc/ld.so.conf:

/usr/java/jdk1.6.0_18/jre/lib/amd64
/usr/java/jdk1.6.0_18/jre/lib/amd64/server

[root@ravi.com ~]# ldconfig

Now download the php-java-bridge source RPM:

[root@ravi.com ~]# wget ftp://195.220.108.108/linux/sourceforge/p/project/ph/php-java-bridge/OldFiles/php-java-bridge-4.1.8-1.src.rpm

Unpack the php-java-bridge source RPM:

[root@ravi.com ~]# rpm2cpio php-java-bridge-4.1.8-1.src.rpm | cpio -ivd
php-java-bridge.spec
php-java-bridge_4.1.8.tar.gz
16155 blocks

Untar php-java-bridge and configure the module:

[root@ravi.com ~]# tar xzf php-java-bridge_4.1.8.tar.gz && cd php-java-bridge-4.1.8

[root@ravi.com ~]# phpize

[root@ravi.com ~]# ./configure --with-java=$JAVA_HOME && make && make install

[root@ravi.com ~]# echo "extension=java.so" > /etc/php.d/java.ini

Open php.ini and add the following at the end of the file:

[java]
java.class.path=/usr/lib64/php/modules/
java.library=/usr/java/jdk1.6.0_18/jre/lib/amd64/server/libjvm.so

Now restart Apache:
[root@ravi.com ~]# /etc/init.d/httpd restart

[root@ravi.com ~]# php -i | grep java
/etc/php.d/java.ini,
java
java support => Enabled
java bridge => 4.1.8
java.java_home =>
java.java => java
java.log_file => <stderr>
java.log_level => no value (use back-end's default level)
java.security_policy => Off
java command =>  LD_LIBRARY_PATH=/usr/lib64/php/modules:/usr/lib/10.2.0.3/client64/lib java -Djava.library.path=/usr/lib64/php/modules -Djava.class.path=/usr/lib64/php/modules/JavaBridge.jar -Djava.awt.headless=true -Dphp.java.bridge.base=/usr/lib64/php/modules php.java.bridge.Standalone LOCAL:9267 1
java status => running
java server => 9267
PATH => /usr/java/jdk1.6.0_18/bin:/usr/java/jdk1.6.0_18/bin:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
JAVA_HOME => /usr/java/jdk1.6.0_18
_SERVER["PATH"] => /usr/java/jdk1.6.0_18/bin:/usr/java/jdk1.6.0_18/bin:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
_SERVER["JAVA_HOME"] => /usr/java/jdk1.6.0_18
_ENV["PATH"] => /usr/java/jdk1.6.0_18/bin:/usr/java/jdk1.6.0_18/bin:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
_ENV["JAVA_HOME"] => /usr/java/jdk1.6.0_18

Put the following test code in test.php and run it to check:
<?php
// get an instance of the Java class java.lang.System from PHP
$system = new Java('java.lang.System');
// demonstrate property access
print 'Java version=' . $system->getProperty('java.version') . ' ';
print 'Java vendor=' . $system->getProperty('java.vendor') . ' ';
print 'OS=' . $system->getProperty('os.name') . ' ' .
      $system->getProperty('os.version') . ' on ' .
      $system->getProperty('os.arch') . ' ';
// java.util.Date example
$formatter = new Java('java.text.SimpleDateFormat',
    "EEEE, MMMM dd, yyyy 'at' h:mm:ss a zzzz");
print $formatter->format(new Java('java.util.Date'));
?>

[root@ravi.com ~]# php test.php
Java version=1.6.0_18 Java vendor=Sun Microsystems Inc. OS=Linux 2.6.18-53.el5xen on amd64 Friday, January 22, 2010 at 4:44:48 AM Pacific Standard Time
Thanks

Ravi

Installing PDO_OCI extension for php5

To enable the pdo_oci module you need the Oracle client installed, and the oci8 module is required. I have installed the Oracle 10g client here.

[root@ravi.com ~]# export ORACLE_HOME=/usr/lib/oracle/10.2.0.3/client64/ ; export LD_LIBRARY_PATH=/usr/lib/oracle/10.2.0.3/client64/
[root@ravi.com ~]# cd /tmp
[root@ravi.com tmp]# pecl download pdo_oci
[root@ravi.com tmp]# tar xvzf PDO_OCI-1.0.tar.gz
[root@ravi.com tmp]# cd PDO_OCI-1.0 && phpize
[root@ravi.com tmp]# ./configure
[root@ravi.com PDO_OCI-1.0]# make
/bin/sh /tmp/PDO_OCI-1.0/libtool --mode=compile gcc -I/usr/include/php/ext -I. -I/tmp/PDO_OCI-1.0 -DPHP_ATOM_INC -I/tmp/PDO_OCI-1.0/include -I/tmp/PDO_OCI-1.0/main -I/tmp/PDO_OCI-1.0 -I/usr/include/php -I/usr/include/php/main -I/usr/include/php/TSRM -I/usr/include/php/Zend -I/usr/include/php/ext  -DHAVE_CONFIG_H  -g -O2   -c /tmp/PDO_OCI-1.0/pdo_oci.c -o pdo_oci.lo
mkdir .libs
gcc -I/usr/include/php/ext -I. -I/tmp/PDO_OCI-1.0 -DPHP_ATOM_INC -I/tmp/PDO_OCI-1.0/include -I/tmp/PDO_OCI-1.0/main -I/tmp/PDO_OCI-1.0 -I/usr/include/php -I/usr/include/php/main -I/usr/include/php/TSRM -I/usr/include/php/Zend -I/usr/include/php/ext -DHAVE_CONFIG_H -g -O2 -c /tmp/PDO_OCI-1.0/pdo_oci.c  -fPIC -DPIC -o .libs/pdo_oci.o
In file included from /tmp/PDO_OCI-1.0/pdo_oci.c:31:
/tmp/PDO_OCI-1.0/php_pdo_oci_int.h:21:17: error: oci.h: No such file or directory
In file included from /tmp/PDO_OCI-1.0/pdo_oci.c:31:
/tmp/PDO_OCI-1.0/php_pdo_oci_int.h:26: error: expected specifier-qualifier-list before ‘sb4’
/tmp/PDO_OCI-1.0/php_pdo_oci_int.h:32: error: expected specifier-qualifier-list before ‘OCIServer’
/tmp/PDO_OCI-1.0/php_pdo_oci_int.h:48: error: expected specifier-qualifier-list before ‘OCIDefine’
/tmp/PDO_OCI-1.0/php_pdo_oci_int.h:62: error: expected specifier-qualifier-list before ‘OCIStmt’
/tmp/PDO_OCI-1.0/php_pdo_oci_int.h:73: error: expected specifier-qualifier-list before ‘OCIBind’
/tmp/PDO_OCI-1.0/php_pdo_oci_int.h:85: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘PDO_OCI_INIT_MODE’
/tmp/PDO_OCI-1.0/php_pdo_oci_int.h:87: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘*’ token
/tmp/PDO_OCI-1.0/php_pdo_oci_int.h:89: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘_oci_error’
/tmp/PDO_OCI-1.0/pdo_oci.c:71: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘PDO_OCI_INIT_MODE’
/tmp/PDO_OCI-1.0/pdo_oci.c:87: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘*’ token
/tmp/PDO_OCI-1.0/pdo_oci.c: In function ‘zm_startup_pdo_oci’:
/tmp/PDO_OCI-1.0/pdo_oci.c:96: error: ‘pdo_oci_Env’ undeclared (first use in this function)
/tmp/PDO_OCI-1.0/pdo_oci.c:96: error: (Each undeclared identifier is reported only once
/tmp/PDO_OCI-1.0/pdo_oci.c:96: error: for each function it appears in.)
/tmp/PDO_OCI-1.0/pdo_oci.c:96: error: ‘PDO_OCI_INIT_MODE’ undeclared (first use in this function)
/tmp/PDO_OCI-1.0/pdo_oci.c: In function ‘zm_shutdown_pdo_oci’:
/tmp/PDO_OCI-1.0/pdo_oci.c:111: error: ‘dvoid’ undeclared (first use in this function)
/tmp/PDO_OCI-1.0/pdo_oci.c:111: error: expected expression before ‘)’ token
make: *** [pdo_oci.lo] Error 1

This error means the build cannot find the OCI headers (oci.h): it looks for them in the include subfolder, so you need to copy the Oracle client header files into that folder.

[root@ravi.com PDO_OCI-1.0]# cp -f /usr/include/oracle/10.2.0.3/client64/* /tmp/PDO_OCI-1.0/include/

Now run make && make install to compile and install the module:

[root@ravi.com PDO_OCI-1.0]# make && make install

Enable the pdo_oci extension in PHP:

[root@ravi.com PDO_OCI-1.0]# echo "extension=pdo_oci.so" > /etc/php.d/pdo_oci.ini

[root@ravi.com PDO_OCI-1.0]# php -m | grep pdo_oci

For pdo_oci to work properly you have to restart Apache.
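As an added example (not part of the original post), the script below is a smoke test for the freshly built module: it confirms the extension is loaded, connects through the pdo_oci DSN form oci:dbname=//host:port/service, and runs two bound-parameter queries. The host, port, service name and user are placeholders, and the password is read from the environment so it never sits in the script.

```php
<?php
// Added example: end-to-end check of the pdo_oci extension built above.
// Host, service name and user below are placeholders.

if (!extension_loaded('pdo_oci')) {
    fwrite(STDERR, "pdo_oci is not loaded: check /etc/php.d/pdo_oci.ini and restart Apache\n");
    exit(1);
}

$dsn  = 'oci:dbname=//db.example.com:1521/ORCL';   // placeholder host:port/service
$user = 'APP_USER';                                 // placeholder schema user
$pass = getenv('ORACLE_PASSWORD');
if ($pass === false) {
    fwrite(STDERR, "set ORACLE_PASSWORD in the environment first\n");
    exit(1);
}

try {
    $pdo = new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_CASE    => PDO::CASE_LOWER,   // Oracle returns column names in upper case
    ]);

    // DUAL exists in every Oracle database, so this round trip proves the client
    // libraries, the driver and the credentials all work together.
    $stmt = $pdo->prepare('SELECT USER AS db_user, SYSDATE AS now, :label AS label FROM DUAL');
    $stmt->bindValue(':label', 'pdo_oci smoke test');
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    printf("connected as %s, server time %s (%s)\n", $row['db_user'], $row['now'], $row['label']);

    // Bound parameters are the habit to keep: the value never becomes part of the SQL text.
    $lookup = $pdo->prepare(
        'SELECT table_name FROM user_tables WHERE table_name LIKE :prefix ORDER BY table_name'
    );
    $lookup->bindValue(':prefix', 'APP_%');   // constructed prefix
    $lookup->execute();
    foreach ($lookup->fetchAll(PDO::FETCH_COLUMN) as $table) {
        echo "  table: $table\n";
    }
} catch (PDOException $e) {
    fwrite(STDERR, 'pdo_oci error: ' . $e->getMessage() . "\n");
    exit(1);
}
```

Run it as the same user Apache runs under, with ORACLE_HOME and LD_LIBRARY_PATH set as in the steps above; a failure at the connect stage usually means the library path is wrong rather than the extension itself.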

Thanks

Ravi

How to build RPM of PHP for apache with mpm-worker

In my last post we saw how to build an RPM package for Apache with the default mpm-worker; in this tutorial we will see how to build an RPM of PHP that works with Apache with mpm-worker.

Download the PHP source RPM from mirror.centos.org:

http://mirror.centos.org/centos-5/5.2/os/SRPMS/php-5.1.6-20.el5.src.rpm

To resolve the dependencies for building the PHP RPM package, install the required development library packages:

[root@testbed2:/tmp]# yum install bzip2-devel curl-devel gmp-devel aspell-devel libjpeg-devel libpng-devel pam-devel openssl-devel sqlite-devel pcre-devel krb5-devel libc-client-devel mysql-devel postgresql-devel unixODBC-devel libxml2-devel net-snmp-devel libxslt-devel libxml2-devel ncurses-devel gd-devel freetype-devel

Install the source RPM using:
[root@testbed2:/tmp]# rpm -i php-5.1.6-20.el5.src.rpm

[root@testbed2:/tmp]# cd /usr/src/redhat/SPECS

Edit php.spec with vi and find “%configure” (without quotes), where you can add the “--enable-maintainer-zts \” line (without quotes).

Then rebuild the RPM using the command below:

[root@testbed2:/usr/src/redhat/SPECS]# rpmbuild -bb php.spec

After building, you will find all the RPMs in /usr/src/redhat/RPMS/{your arch folder}; in my case the RPMs are in /usr/src/redhat/RPMS/x86_64.

Now change the httpd MPM to worker:

[root@testbed2:/usr/src/redhat/X86_64]# /etc/init.d/httpd stop

Edit the file /etc/sysconfig/httpd and just uncomment the HTTPD=/usr/sbin/httpd.worker line.

Save and exit, then start the httpd service.

Now install the PHP RPMs from /usr/src/redhat/RPMS/{your arch folder}:

[root@testbed2:/tmp]# /etc/init.d/httpd start
[root@testbed2:/tmp]# httpd -V
[root@testbed2:/tmp]# php -v

This is the way I have done this. I know people have many ways and good ideas for doing this.

So keep commenting with updates on these things.

PHP – Hide user input using batch script (windows)

Introduction – I was looking for a PHP CLI (command line) script through which I can hide user input details like passwords on the Windows platform. I didn't find any script in PHP which hides the password details while the user gives input through the command prompt. Then I got the idea of hiding the password using a batch command. I tried to find a batch script through which I can take the inputs and then pass them to the PHP script. Finally I found a wonderful batch script, which takes the input user name and password (hidden).

** Batch Script => input.bat

@echo off
cls
SET /P uname=Enter Username:
echo hP1X500P[PZBBBfh#b##fXf-V@`$fPf]f3/f1/5++u5>in.com
set /p password=Enter password :<nul
for /f "tokens=*" %%i in ('in.com') do set password=%%i
del in.com
echo.
c:\php\php.exe d:\php\test.php %uname% "%password%"
Pause

Executing the batch file on a Windows system (DOS prompt) will take the inputs and pass them to the PHP script. To execute the batch file, just double-click on the input.bat file.

Thank you,
Arun Bagul and Santhosh Tirunahari

PHP-Java Bridge – compilation, installation and configuration

Introduction –

PHP-Java Bridge is a third-party extension for PHP by which we can integrate PHP and Java. Using the PHP-Java Bridge extension you can access Java classes etc. from within your PHP code. We have used this PHP-Java Bridge to integrate our website with the ICICI payment gateway.

The PHP-Java Bridge is an optimized, XML-based network protocol which can be used to connect a native script engine, PHP, with Java. It is more than 50 times faster than local RPC via SOAP, requires fewer resources on the web-server side, and is faster and more reliable than communication via the Java Native Interface.

How to install and compile PHP-Java Bridge –

As I mentioned, PHP-Java Bridge is a third-party extension of PHP. You can download source and rpm/debian packages from here…

PHP has three types of Extensions

1) PEAR (PHP Extension and Application Repository)

2) PECL (PHP Extension Community Library) and

3) Third-party extensions like PHP-Java Bridge and PHP-clamavlib

* You can install the PHP-Java Bridge extension either by compiling from source or via rpm/debian packages. Here we will consider all these methods.

* Please visit again I will complete this post asap.

Thank you,

Arun

How to optimize PHP code (tips)

Introduction –

1. If a method can be static, declare it static. Speed improvement is by a factor of 4.

2. echo is faster than print.

3. Use echo’s multiple parameters instead of string concatenation.

4. Set the max value for your for-loops before and not in the loop.

5. Unset your variables to free memory, especially large arrays.

6. Avoid magic like __get, __set, __autoload

7. require_once() is expensive.

8. Use full paths in includes and requires, less time spent on resolving the OS paths.

9. If you need to find out the time when the script started executing, $_SERVER['REQUEST_TIME'] is preferred to time().

10. See if you can use strncasecmp, strpbrk and stripos instead of regex

11. str_replace is faster than preg_replace, but strtr is faster than str_replace by a factor of 4.

12. If the function, such as string replacement function, accepts both arrays and single characters as arguments, and if your argument list is not too long, consider writing a few redundant replacement statements, passing one character at a time, instead of one line of code that accepts arrays as search and replace arguments.

13. It’s better to use select statements than multi if, else if, statements.

14. Error suppression with @ is very slow.

15. Turn on Apache's mod_deflate.

16. Close your database connections when you’re done with them

17. $row['id'] is 7 times faster than $row[id].

18. Error messages are expensive

19. Do not use functions inside of for loop, such as for ($x=0; $x <>

20. Incrementing a local variable in a method is the fastest. Nearly the same as calling a local variable in a function.

21. Incrementing a global variable is 2 times slower than a local variable.

22. Incrementing an object property (eg. $this->prop++) is 3 times slower than a local variable.

23. Incrementing an undefined local variable is 9-10 times slower than a pre-initialized one.

24. Just declaring a global variable without using it in a function also slows things down (by about the same amount as incrementing a local var). PHP probably does a check to see if the global exists.

25. Method invocation appears to be independent of the number of methods defined in the class: I added 10 more methods to the test class (before and after the test method) with no change in performance.

26. Methods in derived classes run faster than ones defined in the base class.

27. A function call with one parameter and an empty function body takes about the same time as doing 7-8 $localvar++ operations. A similar method call is of course about 15 $localvar++ operations.

28. Surrounding your string with ' instead of " will make things interpret a little faster, since PHP looks for variables inside "…" but not inside '…'. Of course you can only do this when you don't need to have variables in the string.

29. When echoing strings it’s faster to separate them by comma instead of dot. Note: This only works with echo, which is a function that can take several strings as arguments.

30. A PHP script will be served at least 2-10 times slower than a static HTML page by Apache. Try to use more static HTML pages and fewer scripts.

31. Your PHP scripts are recompiled every time unless the scripts are cached. Install a PHP caching product to typically increase performance by 25-100% by removing compile times.

32. Cache as much as possible. Use memcached – memcached is a high-performance memory object caching system intended to speed up dynamic web applications by alleviating database load. OP code caches are useful so that your script does not have to be compiled on every request

33. When working with strings and you need to check that the string is of a certain length, you would understandably want to use the strlen() function. This function is pretty quick since its operation does not perform any calculation but merely returns the already known length of the string available in the zval structure (the internal C struct used to store variables in PHP). However, because strlen() is a function it is still somewhat slow, because the function call requires several operations such as lowercasing and a hashtable lookup followed by the execution of said function. In some instances you can improve the speed of your code by using an isset() trick.

Example –

if (strlen($foo) < 5) { echo "Foo is too short"; }

vs.

if (!isset($foo[4])) { echo "Foo is too short"; } // offset 4 exists only when strlen($foo) >= 5, so this matches the strlen() test above; the older $foo{4} brace syntax was removed in PHP 8

** Calling isset() happens to be faster than strlen() because, unlike strlen(), isset() is a language construct and not a function, meaning that its execution does not require function lookups and lowercasing. This means you have virtually no overhead on top of the actual code that determines the string's length.

34. When incrementing or decrementing the value of a variable, $i++ happens to be a tad slower than ++$i. This is something PHP specific and does not apply to other languages, so don't go modifying your C or Java code thinking it will suddenly become faster; it won't. ++$i happens to be faster in PHP because instead of the 4 opcodes used for $i++ you only need 3. Post-incrementation actually causes the creation of a temporary variable that is then incremented, while pre-incrementation increases the original value directly. This is one of the optimizations that opcode optimizers like Zend's PHP optimizer perform. It is still a good idea to keep in mind, since not all opcode optimizers perform this optimization and there are plenty of ISPs and servers running without an opcode optimizer.

35. Not everything has to be OOP, often it is too much overhead, each method and object call consumes a lot of memory.

36. Do not implement every data structure as a class, arrays are useful, too

37. Don’t split methods too much, think, which code you will really re-use

38. You can always split the code of a method later, when needed

39. Make use of the countless predefined functions

40. If you have very time consuming functions in your code, consider writing them as C extensions

41. Profile your code. A profiler shows you which parts of your code consume how much time. The Xdebug debugger already contains a profiler. Profiling shows you the bottlenecks at a glance.

42. mod_gzip which is available as an Apache module compresses your data on the fly and can reduce the data to transfer up to 80%.
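Tips 33, 34 and 41 are claims about the interpreter, and the honest way to use them is to measure on the PHP build you actually run. As an added example (not code from the original post), the harness below times the strlen()/isset() pair, the two increment forms and echo with commas versus concatenation; it also prints a small table showing that the isset() form must use offset 4 to match strlen($foo) < 5. The sample string is constructed; it assumes PHP 7 or newer and nothing beyond the standard library.

```php
<?php
// Added example: a micro-benchmark harness for checking the tips above on
// your own interpreter. The string below is constructed sample input.

function bench(callable $fn, int $iterations = 1000000): float
{
    $start = microtime(true);
    for ($i = 0; $i < $iterations; $i++) {
        $fn();
    }
    return microtime(true) - $start;
}

// Tip 33: strlen($s) < 5 is equivalent to !isset($s[4]), not !isset($s[5]).
echo "string      strlen<5  !isset[4]  !isset[5]\n";
foreach (['', 'abcd', 'abcde', 'abcdefgh'] as $s) {
    printf("%-10s  %d         %d          %d\n",
        "'$s'", strlen($s) < 5 ? 1 : 0, !isset($s[4]) ? 1 : 0, !isset($s[5]) ? 1 : 0);
}

$foo = 'abcdefgh';
$results = [];
$results['strlen($foo) < 5'] = bench(function () use ($foo) { return strlen($foo) < 5; });
$results['!isset($foo[4])']  = bench(function () use ($foo) { return !isset($foo[4]); });

// Tip 34: post- versus pre-increment.
$results['$i++'] = bench(function () { static $i = 0; $i++; });
$results['++$i'] = bench(function () { static $i = 0; ++$i; });

// Tips 3 and 29: echo with commas versus concatenation. The output buffer
// swallows the bytes so only the cost of the echo itself is measured.
ob_start();
$results['echo $a . $b . $c'] = bench(function () use ($foo) { echo $foo . $foo . $foo; }, 200000);
$results['echo $a, $b, $c']   = bench(function () use ($foo) { echo $foo, $foo, $foo; }, 200000);
ob_end_clean();

echo "\n";
foreach ($results as $label => $seconds) {
    printf("%-22s %8.4f s\n", $label, $seconds);
}
```

The closure call dominates every one of these loops, so only compare the two rows of a pair with each other, and expect the gap to shrink or vanish under an opcode cache. For anything beyond a one-line expression, the Xdebug profiler mentioned in tip 41 is the right tool.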

Thanks,

Santhosh T.

PHP – IP address to Country

Introduction –

This is not exactly a tutorial, but a small trick to access the ip-to-country.webhosting.info demo as a web service. ip-to-country.webhosting.info does provide a nice CSV format for mapping IPs to countries. Pretty amazing. But the problem is that you need to have good DB support at your end to use it.

For example –

<?php
$ip = $_GET['ip'];

function get_country($ip)
{
    $f = fsockopen('ip-to-country.webhosting.info', 80);
    if (!$f) {
        return false;
    }
    $postdata = 'ip_address=' . urlencode($ip) . '&submit=' . urlencode('Find Country');

    // build the raw HTTP POST by hand
    $request  = '';
    $request .= "POST /node/view/36 HTTP/1.1\r\n";
    $request .= "Host: ip-to-country.webhosting.info\r\n";
    $request .= "User-Agent: Its me again\r\n";
    $request .= "Connection: close\r\n"; // without this a keep-alive server leaves feof() waiting until the socket times out
    $request .= "Content-Length: " . strlen($postdata) . "\r\n";
    $request .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $request .= "\r\n";
    $request .= "$postdata\r\n";
    fwrite($f, $request);

    $response = '';
    while (!feof($f)) {
        $response .= fgets($f, 128);
    }
    fclose($f);

    // scrape the country name out of the demo page's HTML
    $pos1 = strpos($response, '</from>');
    $pos2 = strpos($response, '<br><br><img', $pos1);
    $parse_from = substr($response, $pos1 + 21, ($pos2 - $pos1));
    $pattern = "/<b>([^\/]*)<\/b>/si";
    preg_match_all($pattern, $parse_from, $matches);
    return $matches[1][1];
}

echo get_country($ip);
?>

Thank you,

Santhosh Tirunahari

How to secure Session in PHP

Introduction – 

1) Shared web servers— Anyone else on the server can read your session files (typically in the /tmp directory) if PHP is running as an Apache module (so the session files belong to the web user) and possibly when PHP is used as a CGI (depending on how sessions are implemented).

Someone browsing the session files (probably) won’t know the site the server the sessions apply to (so may not be able to use a username / password combination they found) but you may still be putting sensitive info (like credit card details) somewhere for all to see. Plus they’ve got a list of valid session IDs…

If you're just storing passwords in the session, you can get away with this by using md5() (preferably twice) to one-way encrypt the password. This doesn't help though if you need to recover the value of a session variable.

Using a custom session handler to store the sessions in a database is probably the best solution. You might consider MySQL HEAP tables if performance is an issue (assuming MySQL running on same machine as Apache). If it gets to very high traffic, it’s time to think about getting your own server…

2) XSS exploits (and session hijacking) – Using JavaScript users can be fooled into giving away their active session_id…

All someone needs to “hijack” a session is the unique session id. It’s like the key to a railway station locker. The locker doesn’t check you’re the valid owner of the key, before allowing you to open it so anyone with the key can get in.

Research XSS and how to prevent it –

Accept that session hijacking cannot be entirely prevented (checks on IP address, for example, are foiled by AOL, who assign a new client IP on more or less every page request), so double check “critical actions” a user can perform when logged in, e.g. when changing password, require the old password, which the session hijacker will (hopefully) not know. Displaying credit card information: do like Amazon and only display the last four digits. Basically, limit the damage someone can do if they hijack a session.

3) Session IDs in URL (and hijacking) – If you're using session IDs in the URL (as opposed to a session cookie), make sure offsite links do not contain the session ID (or the remote site will be able to hijack); PHP should take care of this. Also your visitors may give away the session ID in the referrer field, so ideally pass offsite links through a redirect page, to eliminate the referrer (although, unfortunately, some browsers keep the last 3 pages viewed I believe; unsure of facts).

** Ideally, don’t pass session ids in the URL—require users to accept a cookie if they need to “log in”.

4) Session Fixation (pre-hijacking) (see http://www.acros.si/papers/session_fixation.pdf)-

If you assign a session to a visitor to your site, before they are logged in (for example for clickpath analysis), make sure that you assign them a new session id when they do login, so that if someone pre-generated the initial session id for them, they won’t get the new ID.

For PHP 4.2.0+, see session_regenerate_id() (in particular the user submitted comments). For PHP < 4.2.0, the session_id() function (http://www.php.net/session_id) may also be useful (haven't explored it in this context myself).

5) Sniffing Packets (use SSL/HTTPS) – a session ID can be “sniffed” between the client and your server. If it’s a site where money is changing hands or other sensitive personal information is involved, SSL is a requirement.

Otherwise, without SSL, you have to live with the risk (just like you do every time you use that FTP client…).

6) Cookies are not for session data – on a related note, don't use cookies to store sensitive information.

Cookie data, unlike sessions, gets stored on the client side. Apart from the “sniffing risk”, a large majority of Windows users have little idea of security and may be “owned by haxor”.

Otherwise, cookies (aside from the session cookie PHP creates for you) are generally meant for long term (i.e. between visits) data persistence (e.g. “Remember Me”) rather than “active session” persistence.
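Points 2 to 6 above translate into a handful of settings and two habits, shown together in the added example below (not code from the original post): session ids travel only in an HttpOnly, Secure, SameSite cookie, never in a URL or the referrer (points 2, 3, 5, 6); the id is regenerated the moment a visitor logs in so a pre-set id never becomes an authenticated one (point 4); and a critical action such as changing the password demands the old password again, so a stolen id alone is not enough (point 2). UserStore is a constructed stand-in for a real user table and the user name and passwords are sample data; it assumes PHP 7.4 or newer.

```php
<?php
// Added example: session hardening for the points above. UserStore and its
// contents are constructed sample data, not a real user store.

final class UserStore
{
    /** @var array<string, array{id:int, hash:string}> constructed sample users */
    private static array $users = [];

    public static function seed(): void
    {
        self::$users = ['alice' => ['id' => 1, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];
    }

    public static function find(string $username): ?array
    {
        return self::$users[$username] ?? null;
    }

    public static function setHash(string $username, string $hash): void
    {
        self::$users[$username]['hash'] = $hash;
    }
}

ini_set('session.use_only_cookies', '1');  // never accept an id from the URL
ini_set('session.use_trans_sid', '0');     // never append the id to links or forms
ini_set('session.use_strict_mode', '1');   // refuse ids the server never issued
session_set_cookie_params([
    'lifetime' => 0,        // session cookie, gone when the browser closes
    'path'     => '/',
    'secure'   => true,     // HTTPS only, so the id cannot be sniffed in transit
    'httponly' => true,     // invisible to JavaScript, which blunts XSS theft
    'samesite' => 'Lax',
]);
session_start();

function login(string $username, string $password): bool
{
    $user = UserStore::find($username);
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;
    }
    // Point 4: drop the pre-login id so a fixated id never becomes an authenticated one.
    session_regenerate_id(true);
    $_SESSION = ['user_id' => $user['id'], 'username' => $username, 'login_at' => time()];
    return true;
}

// Point 2: a critical action re-proves identity; holding the session id alone is not enough.
function change_password(string $oldPassword, string $newPassword): bool
{
    if (!isset($_SESSION['user_id'])) {
        return false;
    }
    $user = UserStore::find($_SESSION['username']);
    if ($user === null || !password_verify($oldPassword, $user['hash'])) {
        return false;
    }
    UserStore::setHash($_SESSION['username'], password_hash($newPassword, PASSWORD_DEFAULT));
    session_regenerate_id(true);   // a credential change also gets a fresh id
    return true;
}

function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires' => time() - 3600, 'path' => $p['path'], 'secure' => $p['secure'],
        'httponly' => $p['httponly'], 'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// Walk-through with the constructed user.
UserStore::seed();
$before = session_id();
var_dump(login('alice', 'wrong password'));
var_dump(login('alice', 'correct horse'));
var_dump(session_id() !== $before);
var_dump(change_password('wrong old password', 'new pass phrase'));
var_dump(change_password('correct horse', 'new pass phrase'));
logout();
```

The ini_set() calls work from script code, but in a real deployment they belong in php.ini or the virtual host so that every script, including ones written later, inherits them.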

There’s probably more things to watch out for (or facts to correct) – suggestions appreciated.

Thank you,

Santhosh Tirunahari

PHP – Web 2.0 and the AJAX

Introduction –

Web 2.0 is a strange thing in that it doesn’t really exist. You can’t buy Web 2.0; you can’t buy a Web 2.0 programming language, and you can’t buy Web 2.0 hardware. In many ways, the phrase “Web 2.0” is a marketing phrase like “paradigm shift” or “the big picture“. The reason for this vagueness is that Web 2.0 doesn’t have a tightly defined definition. What the phrase Web 2.0 tries to express is, that modern websites are so much better than early websites that they’d better be given a different name. So it is down to marketing.

Web developers need to demonstrate that they may use the same Internet, the same web browsers and the same web servers as their competitors, yet their websites are in fact an order of magnitude better. Our competitors only do websites. We do Web 2.0 websites!

The client is, of course, hugely impressed that his new website will be a Web 2.0 website. But what should he expect to see for his money? What is the client’s view of what Web 2.0 should offer? Is it all smelling of roses or are there some thorny issues too?

I propose that there are in fact three facets to a Web 2.0 website:

1. AJAX

2. Social Networking (Building Communities)

3. Broadband

AJAX is technical and can only be performed by a technically skilled developer, social networking is vague, woolly and is based more on marketing models than web skills, and broadband has been popular for a long time. Even stranger is the fact that AJAX has been available to developers for at least 5 years, and social networking has been around even longer. It is simply the re-branding of these things that is causing the rise in the popularity of these old but current “buzzword” technologies.

AJAX is a mash-up of technologies. We've had asynchronous JavaScript and XML for many years, but until somebody said “I name this mash-up AJAX” it remained out of the mainstream. The same goes for social networking. Forums, blogs, and community-based websites have been around for many years, but giving it a title like “social networking”, combined with the success of websites such as www.Youtube.com and www.Linkedin.com, makes it mainstream and popular. And to cap it all, the new names invented to re-brand existing technologies are combined into the all-encompassing name of Web 2.0 (simply rebranding the rebranded).

In summary, we’ve had the ability to create Web 2.0 websites for years. It is not new technology; it is simply the renaming and repackaging of something we already have and enjoy. Marketing has made buzzwords of what we already knew and the public and developers are lapping it up.

The third facet of Web 2.0 was broadband, or as I prefer to call it, broadband abuse. Many developers believe that Web 2.0 is defined by how long it takes to download a website or the size of the broadband connection required to view the site comfortably. They believe that the bigger the connection required or the longer the website takes to download, the more Web 2.0ish the website must be. In my opinion, however, adding vast images, video footage, badly implemented rounded corners and streaming music does not make a Web 2.0 website. It simply makes a regular website that is bloated and annoying.

Presuming that you understand what makes a Web 2.0 website and you are keen to build one, there is an important area that you should consider before you start. And that is the area of Search Engine Optimization.

So what about search engines? Do Web 2.0 websites perform well on search engines? Do search engines need to change to keep pace with development? If we ignore the broadband abusers and look at the two key facets of Web 2.0, AJAX, and social networking we get two very different answers.

Working somewhat in reverse here, the conclusion is that AJAX is a search engine killer. Adding AJAX functionality to your website is like pulling the plug on your search engine strategy. Social networking sites on the other hand typically perform exceptionally well on search engines due to their vast amount of visitor provided content.

The reason AJAX is a search engine killer is pretty obvious once you know how the technology works, and at the risk of offending all the people who know this already, I’ll recap in a brief paragraph.

Simply put, AJAX removes the need to refresh a page in a browser. Say for example, you are on the product-finding page of a website, you can type in a search phrase for the product you want to find and press the submit button. Without refreshing the page, the asynchronous JavaScript runs off, grabs the results of the search, and inserts the details of the found products into the very same page as you sit and look at it.

For the website user this addition of AJAX to the website feels fantastic. No page reloads, no browser flicker, no click noise, but sheer joy. And so the rush for AJAX websites begins, because the visitors will love it.

But what about the search engines, what will they make of web pages that use AJAX to find content? Importantly, search engines don’t run JavaScript. Oh no, not ever, no way José. So the search engine will never run your AJAX. To the search engine, huge areas of your website content are now hidden, never to be spidered, indexed, or found. This really limits the usefulness of AJAX in many applications.

An ideal application of AJAX is Google Maps, where as you drag the map around the browser window, the newly exposed areas of the map are retrieved and shown on the page without a page refresh—smooth, seamless, and very impressive. Does Google care if the single map page gets found by searching? Certainly not!

A very poor application of AJAX is the product portfolio where you can find and view product details for hundreds of products without ever refreshing the page. Nice to use? Yes. Navigation friendly? No—try hitting the back button when the browser ignores your last 20 clicks because you have remained on the same page! Search engine friendly? Forget it. You are invisible.

So what is the solution to the AJAX invisibility cloak that Master Harry Potter himself would be proud of? There are 5 options –

  1. Build two websites, one using AJAX that is lovely for visitors and another using more traditional techniques for search engine spiders to find. If you can find a client to finance both, you have found a client with too much money!

  2. Drop AJAX. Let the visitors suffer the page refresh.

  3. Run with AJAX anyway and just put up with the fact that your perfectly formed website will receive no search engine visitors.

  4. Lobby the major search engines to rebuild their spidering algorithms to take into account AJAX pages and to run JavaScript on the pages they index. This option might take some time.

  5. Increase your Google Ad words payments and ramp up traditional advertising to counteract the missing website traffic from the search engines.

And so, a bleak picture of AJAX is painted, and by implication of Web 2.0 as well. The good applications of AJAX and Web 2.0 are few and far between, but when you do find them they are fantastic. Do you remember that feeling when you first used Google Maps? Do you find that all other mapping websites now feel old fashioned? I would go as far as to say that it was Google Maps that single-handedly brought the technology of AJAX to the masses.

The second most impressive application of AJAX is another Google idea, where when typing in the search field on the Google website, AJAX is used to find results even as you type the words—incredibly quick to use, fantastic for the website visitor, and really demonstrating the technology in a great light.

Isn’t it hugely ironic then that the one website that demonstrates so well the very technology that, if used on our own websites, will force us to spend more on Google Ad words, is in fact Google.

Thank you,

Santhosh T.