• Did you know:


    URLInfo is a new web application that gives you information retrieved from a web server's header data, the kind of data that web browsers normally hide from you. These headers provide a lot of information, such as the server OS, the web server software, and a number of custom tags. Apart from the header information, URLInfo also gives you the time it took to get the response, the data size of the response obtained, the images contained within the page, and the number of external and internal links.

    How can you use this application for your benefit?

    1. First, it is pure fun.
      eg: see the header data of WebWorkerDaily.com here. It says: X-hacker If you're reading this, you should visit automattic.com/jobs and apply to join the fun, mention this...
      Clearly, the people who made the website for WebWorkerDaily thought that anyone smart enough to look into their server tags would be worth hiring!
    2. It gives you an idea of the server, OS and the platform used by the website.
      eg: the header data of DailyGyan.com, shows that the server type is GFE/1.3, which is an indication that it is hosted by blogger.com. See this page for a list of server types that Google uses.
    3. Gives an idea of the tracking software that the website uses.
      It told us that Google is not using any tracking software, but Google Analytics is using itself!
    4. It gives you an idea about the response time of the server. Use it to check the conditions before and after optimizing your site.


  • Knowledge 27.09.2008

    Quarkbase is a free tool to find complete information about a website.

    It is a mashup of over 30 data sources and many algorithms gathering information from the Internet on various topics like social popularity, traffic, associated people, etc. Simply type in your website URL and you get a detailed report about your website instantly.


  • php 22.09.2008

    This guide goes over the basics of cleaning user input for safe use. This includes escaping strings correctly, stripping html and tags, preventing SQL injection, and other security issues. Anytime you use a $_POST, $_GET, or are receiving any information that the user can modify, you must be sure that you properly escape it, and clean it in some cases. This guide will show you how to do that, and more.


    Clean All User Input

    Anytime you use a $_POST, $_GET, or are receiving any information that the user can modify, you must be sure that you properly escape it, and clean it in some cases.

    Preventing SQL Injection

    I’m going to use a login form as an example. To query our database and check to see if they logged in correctly, you might use a query like…

    select `username`, `password` from `users` where `username` = '$var' and `pass` = '$var2';

    If someone were to type in ' or username like '%admin%'; -- into the login form, they would be logged in with an account that has the word admin in it. To fix this problem, after connecting to the MySQL server, you can use…

    mysql_real_escape_string($var);

    Using this will escape all characters that need to be escaped to prevent tampering with the MySQL query. Another problem for MySQL is % and _, which can be escaped using…

    addslashes($var);

    HTML filtering

    Sometimes you may want to clean certain html entities in strings. To do this, you can use…

    $var = "<b>bold</b>";
    echo htmlentities($var);

    This would output: &lt;b&gt;bold&lt;/b&gt;

    To change it back to a usable form, you can use…

    html_entity_decode($var);

    To strip the HTML tags from a string, and specify which strings you want to allow, you can use…

    $var = "<a><b>link</a></b>";
    strip_tags($var, '<a><b>');

    The second argument is not needed, passing just the variable you want to clean will strip all tags from the string. This example would only allow b and a tags through. However, it is important to note that strip_tags() is not failsafe; that is, malformed tags can remove more or less than you’d ideally like to.

    To make sure that html does not render if it gets shown, you can use…

    htmlspecialchars($var);

    If you have a string that is escaped from using mysql_real_escape_string() or addslashes(), you can use stripslashes($var) to remove all of the slashes.
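    The login query from the SQL injection section and the output escaping from the HTML filtering section, brought together in one added example (this is not code from the original guide). It assumes a MySQL `users` table reachable through PDO; the host, database name and credentials are placeholders, and the input value is constructed to match the injection the guide describes.

```php
<?php
// Added example, not code from the original guide. It takes the guide's login
// query and shows the three ways the input can reach the database: pasted into
// the SQL text, escaped, and bound as a parameter. Assumes a MySQL `users`
// table reachable through PDO; host, credentials and DSN are placeholders.

// Constructed input, the same shape as the injection the guide describes.
$username = "' or username like '%admin%'; -- ";
$pass     = "anything";

// 1. Unsafe: the value becomes part of the SQL statement itself, so the quote
//    closes the string and the rest is executed as SQL.
$unsafe = "select `username`, `password` from `users` "
        . "where `username` = '$username' and `pass` = '$pass';";
echo $unsafe, PHP_EOL;

// 2. Escaping, as the guide does. The mysql_* extension it used was removed in
//    PHP 7; mysqli offers the same function and, like addslashes(), escapes
//    quotes, backslashes and NUL. Neither touches the LIKE wildcards % and _,
//    so a value used inside LIKE needs those escaped separately:
function escapeLike(string $value): string
{
    // backslash is MySQL's default LIKE escape character
    return addcslashes($value, '%_\\');
}
// $mysqli   = new mysqli('localhost', 'dbuser', 'dbpass', 'app'); // placeholder
// $safeUser = $mysqli->real_escape_string($username);

// 3. Prepared statement: SQL and values travel separately, so no quoting in
//    the value can change the statement. Emulated prepares are disabled so the
//    server, not the client, does the binding.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_EMULATE_PREPARES => false,
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
]);
$stmt = $pdo->prepare('select `username` from `users` where `username` = ? and `pass` = ?');
$stmt->execute([$username, $pass]);
$row = $stmt->fetch(PDO::FETCH_ASSOC); // false: no user is literally named that

// A LIKE search with a bound parameter still needs the wildcards escaped,
// otherwise a lone "%" in the input would match every row.
$search = $pdo->prepare('select `username` from `users` where `username` like ?');
$search->execute(['%' . escapeLike($username) . '%']);

// 4. Anything echoed back into a page is HTML-escaped at output time.
echo htmlspecialchars($row['username'] ?? 'login failed', ENT_QUOTES, 'UTF-8'), PHP_EOL;
```

    The first echo prints the statement the unsafe version would actually send, which is the clearest way to see why the quote in the input matters.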

