All posts by vjks

Notes From the book “Security Principles for PHP Applications”

Introduction: 

  • Do not treat application security as a “tack on” when building an application.
  • The best developers are lazy in a good way: they find ways to write efficient, reusable code.
  • Security is the job of the entire team.
  • Tools like Composer make it easy to pull in libraries when prototyping an application.
  • The extensions and libraries an application depends on should be vetted for security independently of the application itself.
  • JOSE stands for JSON Object Signing and Encryption, the set of standards (JWS, JWE, JWK, JWA) for signing and encrypting JSON. Implementing them incorrectly adds vulnerabilities to the system.

Security First Mindset

  • Every line of code has to be written with a security-first mindset.
  • Users (and service accounts) should be granted only the permissions needed for their task and nothing more: least privilege.
  • Security, data integrity and overall stability are as important as any other business requirement.
  • The following tasks should be planned with the same priority as user stories:
    • Proper password management
    • Query parameterization
    • Server hardening
    • Request throttling
  • Practices that compromise security and should be avoided:
    • Hardcoded passwords
    • HTTP Basic Authentication (credentials are sent Base64-encoded, not encrypted, in every request)
    • Serving over plain HTTP instead of TLS
    • SQL queries built by string interpolation
  • Threat modeling should be part of development, not an afterthought.
  • Regulations like PCI DSS and HIPAA won't necessarily apply to applications that are social media extensions.

ASR1: Injection

  • Injection attacks occur when untrusted input is mistakenly treated as code (SQL, a shell command, HTML) instead of as data.
  • What an attacker can do with a server taken over through injection:
    • Use it in a DDoS attack
    • Send spam or phishing email
    • Use it as a proxy or as hosting for malicious content
  • The application must never let user input change the structure of a SQL statement; metacharacters such as quotes and semicolons have to arrive at the database as data.
  • At the same time, legitimate input such as apostrophes in names (O'Brien) or non-Latin characters must still be accepted, so stripping “dangerous” characters is not a substitute for parameterization.
  • Do not use unparameterized SQL queries.
  • Where a value really has to be embedded in SQL text, escape it with the database driver's own quoting function, never with a home-grown string replacement.
  • Timestamps should be cast to integers and checked to be positive before they are used.
  • One way to protect against malicious use of passthru() is a whitelist of permitted filenames; anything not on the list is rejected before a command is built.
  • In many situations readfile() can replace passthru(): it streams a file without starting a shell, so there is no shell argument left to escape.
  • Two general rules of thumb for working with data:
    • Filter and validate all incoming data before using it
    • Escape all outgoing data for the context it is going to (SQL, HTML, shell)


Introduction to Algorithms by CLRS, 3rd Edition

Chapter 2
Implementation of Insertion Sort algorithm described in chapter 2 using JavaScript:

function insertionSort( nums ) {
    for ( var i = 1; i < nums.length; i++ ) {
        var key = nums[ i ];
        // Shift every element of the sorted prefix that is larger than key one slot to the right.
        var j = i - 1;
        while ( j >= 0 && nums[ j ] > key ) {
            nums[ j + 1 ] = nums[ j ];
            j = j - 1;
        }
        nums[ j + 1 ] = key;
    }
    return nums;
}

var nums = [ 31, 41, 59, 26, 41, 58 ];
console.log( insertionSort( nums ).join( " " ) );

Chapter 4
– The Fibonacci numbers grow exponentially (F(n) is proportional to φ^n with φ ≈ 1.618).
– Strassen's recursive algorithm runs in Θ(n^lg 7) ≈ Θ(n^2.81) time, asymptotically better than the Θ(n^3) Square-Matrix-Multiply procedure.

A Good Design Pattern for Institutions and Courses?

I need to come up with a design pattern to create a WordPress plugin.

Here are the things to keep in mind in the design of this plugin:

Institutions

  • There can be many institutions.
  • An institution has an ‘institution-term-id’.
Courses

  • Each institution can have many courses.
  • Each course can belong to only one institution.
  • Each course can have 0 or more lessons.
  • A course can have one or more video URLs in it.
  • Each course has an author.
  • Each course has a course description.
  • Each course description can have 0 or more images.
Lessons

  • There can be one or more lessons.

Things about the “Simple HTML DOM Parser”

    Here’s the webpage that has some very useful information about the “simple_html_dom.php”: http://simplehtmldom.sourceforge.net/

    How to get the “content” attribute from meta tag using simple_html_dom.php:


    require_once 'simple_html_dom.php'; // provides file_get_html()

    function get_videos_from_landing_pages( $landingPage ) {
        $vidURL = "";

        // Only fetch http(s) URLs. file_get_html() wraps file_get_contents(), which would
        // otherwise also read local paths or other stream wrappers handed to it.
        if ( ! in_array( parse_url( $landingPage, PHP_URL_SCHEME ), array( 'http', 'https' ), true ) ) {
            return $vidURL;
        }

        // Fetch and parse the course landing page.
        $html = file_get_html( $landingPage );

        // Debugging only: keep a copy of the raw page next to the plugin. Remove in production,
        // since it writes fetched remote content into a directory under the web root.
        $landingpageHTML = plugin_dir_path( __FILE__ ) . "landing-page.txt";
        file_put_contents( $landingpageHTML, $html, FILE_APPEND );

        if ( ! empty( $html ) ) {
            // The first <meta property="og:video"> tag; find() returns null when there is none.
            $meta = $html->find( 'meta[property=og:video]', 0 );
            if ( $meta !== null ) {
                $vidURL = $meta->content;
            }

            // Debugging only: log the value that was obtained.
            $youtubeSource = plugin_dir_path( __FILE__ ) . "source-description.txt";
            file_put_contents( $youtubeSource, $vidURL . PHP_EOL, FILE_APPEND );

            $html->clear(); // simple_html_dom objects hold circular references; free them explicitly
        }
        return $vidURL;
    }


    How to get the text inside the <p> tags of a div with the class “js-simple-collapse-inner”:

    function getInstructorBio( $courseInstructorBioURL ) {

        // $courseInstructorBioURL must be a site-relative path ("/user/some-instructor/").
        // Requiring the leading slash keeps the fixed host from being overridden, e.g. by a
        // value starting with "@other-host".
        if ( strpos( $courseInstructorBioURL, '/' ) !== 0 ) {
            return "";
        }

        // Get the page that contains the instructor's bio in it.
        $html = file_get_html( 'https://www.udemy.com' . $courseInstructorBioURL );
        if ( empty( $html ) ) {
            return "";
        }

        // From the page obtain the paragraph tags inside the div element that contains the bio.
        $paragraphs = $html->find( 'div.js-simple-collapse-inner p' );

        // find() returns an array of elements. Joining the elements directly would give their
        // outer HTML; ->plaintext gives just the text content.
        $parts = array();
        foreach ( $paragraphs as $p ) {
            $parts[] = $p->plaintext;
        }
        $strDescription = implode( " ", $parts );

        // For debugging, write the value to a file:
        //$instructorDescription = plugin_dir_path( __FILE__ ) . "instructor-description.txt";
        //file_put_contents( $instructorDescription, $courseInstructorBioURL . " - ", FILE_APPEND );

        $html->clear();
        return $strDescription;
    }

    Things About JSON Data

    Square brackets represent arrays.

    Curly brackets represent objects.

    How would you get the sum of all “value” attributes?

    $data = array(
        'title' => 'Nested Data Test',
        'items' => array(
            array(
                'value' => 5,
            ),
            array(
                'value' => 10,
            ),
        ),
    );

    Answer:

    $sum = 0;
    foreach ( $data['items'] as $item ) {
        $sum += $item['value'];
    }
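The same task carried a step further, as an added example that is not part of the original post: the data arrives as JSON text instead of a PHP array, is decoded with error reporting and a depth limit, and the “value” keys are summed at any nesting depth. It assumes PHP 8; the sample JSON is constructed for the example.

```php
<?php
// Added example (not from the original post): decode JSON defensively and sum
// every numeric "value" key, however deeply it is nested.
declare(strict_types=1);

/**
 * Decode JSON into plain arrays. JSON_THROW_ON_ERROR turns malformed input into
 * an exception instead of a silent null, and the depth limit refuses documents
 * nested more deeply than the application ever expects.
 */
function decodeJson(string $json, int $maxDepth = 32): array
{
    $data = json_decode($json, true, $maxDepth, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new UnexpectedValueException('top-level JSON value must be an object or array');
    }
    return $data;
}

/**
 * Walk the decoded structure and add up every numeric "value" key. Non-numeric
 * "value" entries are skipped rather than coerced, so a string such as "10abc"
 * cannot leak into the total.
 */
function sumValues(array $node): int|float
{
    $sum = 0;
    foreach ($node as $key => $child) {
        if ($key === 'value' && (is_int($child) || is_float($child))) {
            $sum += $child;
        } elseif (is_array($child)) {
            $sum += sumValues($child);
        }
    }
    return $sum;
}

// Constructed sample input: the array from the post as JSON, plus a nested level
// and one non-numeric "value" that must be ignored.
const SAMPLE_JSON = <<<'JSON'
{
  "title": "Nested Data Test",
  "items": [
    {"value": 5},
    {"value": 10, "children": [{"value": 2.5}, {"value": "not a number"}]}
  ]
}
JSON;

echo sumValues(decodeJson(SAMPLE_JSON)), "\n";

// Malformed input is rejected instead of silently contributing 0.
try {
    decodeJson('{"items": [');
} catch (JsonException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

Passing true as the second argument to json_decode() gives arrays rather than stdClass objects, which is what makes the recursive walk uniform for both JSON objects and JSON arrays.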
    

    Creating a Firefox Extension

    I started by googling the topic and coming upon this article: https://blog.mozilla.org/addons/2014/06/05/how-to-develop-firefox-extension/

    It then took me to this link that had a whole bunch of instructions and tutorials on how to develop the plugin: https://developer.mozilla.org/en-US/Add-ons/SDK

    My goal for this plugin was to be able to press a button to display the total number of words completed on duolingo.com. As of April 26th, 2016 duolingo doesn’t show the total number/count of words that you have completed in it. For me that count was over 1000 so it wasn’t practical for me to know how many words I have in my vocabulary. The completed words are displayed on this link when you are logged in: https://www.duolingo.com/words

    In order to install jpm, node.js had to be installed first. Then the following command was run in the command prompt: npm install jpm

    If you try running a non-signed extension in Firefox it’s going to display an error and not let you install that extension. So API credentials need to be created on developer.mozilla.com. You will have to create a Mozilla account before you do that.

    Once any modification is made to the plugin during development I use the following command to see the new functionality: jpm run

    I’m going to try to use this: https://developer.mozilla.org/en-US/Add-ons/SDK/High-Level_APIs/page-worker

    Then I’m going to count the rows somehow.

    How to List the Directory Structure in Java

    Came across this great post on stackoverflow.com while I was searching for a solution to the same problem: http://stackoverflow.com/questions/11553042/the-system-cannot-find-the-file-specified-in-java

    The following lines list the files and folders of the directory the program is running in:

    File file = new File(".");                 // needs: import java.io.File;
    String[] names = file.list();              // null if "." is not a readable directory
    if (names != null) for (String name : names) System.out.println(name);

    Uploading Images on WordPress Using XML

    The following WXR (WordPress eXtended RSS) export describes a single attachment rather than a post. When it is run through the WordPress importer with the “Download and import file attachments” option checked, the importer fetches the file from <wp:attachment_url> and adds it to the Media Library. Initially I had erroneously thought that it might actually be creating a Course post.
    <?xml version="1.0" encoding="UTF-8" ?>
    <!-- This is a WordPress eXtended RSS file generated by WordPress as an export of your site. -->
    <!-- It contains information about your site's posts, pages, comments, categories, and other content. -->
    <!-- You may use this file to transfer that content from one site to another. -->
    <!-- This file is not intended to serve as a complete backup of your site. -->
    <!-- To import this information into a WordPress site follow these steps: -->
    <!-- 1. Log in to that site as an administrator. -->
    <!-- 2. Go to Tools: Import in the WordPress admin panel. -->
    <!-- 3. Install the "WordPress" importer from the list. -->
    <!-- 4. Activate & Run Importer. -->
    <!-- 5. Upload this file using the form provided on that page. -->
    <!-- 6. You will first be asked to map the authors in this export file to users -->
    <!--    on the site. For each author, you may choose to map to an -->
    <!--    existing user on the site or to create a new user. -->
    <!-- 7. WordPress will then import each of the posts, pages, comments, categories, etc. -->
    <!--    contained in this file into your site. -->

    <!-- generator="WordPress/4.2.5" created="2015-10-01 08:30" -->
    <rss version="2.0"
    xmlns:excerpt="http://wordpress.org/export/1.2/excerpt/"
    xmlns:content="http://purl.org/rss/1.0/modules/content/"
    xmlns:wfw="http://wellformedweb.org/CommentAPI/"
    xmlns:dc="http://purl.org/dc/elements/1.1/"
    xmlns:wp="http://wordpress.org/export/1.2/"
    >

    <channel>
    <title>LMS Press</title>
    <link>http://demo3.pressapps.co/lmspress</link>
    <description>Just another Demo 3 Sites site</description>
    <pubDate>Thu, 01 Oct 2015 08:30:03 +0000</pubDate>
    <language>en-US</language>
    <wp:wxr_version>1.2</wp:wxr_version>
    <wp:base_site_url>http://demo3.pressapps.co/</wp:base_site_url>
    <wp:base_blog_url>http://demo3.pressapps.co/lmspress</wp:base_blog_url>

    <wp:author><wp:author_id>13400</wp:author_id><wp:author_login>vjtestxml</wp:author_login><wp:author_email>test@test.com</wp:author_email><wp:author_display_name><![CDATA[Vjtest Xml]]></wp:author_display_name><wp:author_first_name><![CDATA[Vjtest]]></wp:author_first_name><wp:author_last_name><![CDATA[Xml]]></wp:author_last_name></wp:author>

    <wp:category><wp:term_id>13</wp:term_id><wp:category_nicename>beauty</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[Beauty]]></wp:cat_name></wp:category>
    <wp:category><wp:term_id>9</wp:term_id><wp:category_nicename>cooking</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[Cooking]]></wp:cat_name></wp:category>
    <wp:category><wp:term_id>12</wp:term_id><wp:category_nicename>health</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[Health]]></wp:cat_name></wp:category>
    <wp:category><wp:term_id>14</wp:term_id><wp:category_nicename>music</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[Music]]></wp:cat_name></wp:category>
    <wp:category><wp:term_id>11</wp:term_id><wp:category_nicename>photography</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[Photography]]></wp:cat_name></wp:category>
    <wp:category><wp:term_id>1</wp:term_id><wp:category_nicename>uncategorized</wp:category_nicename><wp:category_parent></wp:category_parent><wp:cat_name><![CDATA[Uncategorized]]></wp:cat_name></wp:category>
    <wp:term><wp:term_id>20</wp:term_id><wp:term_taxonomy>event_category</wp:term_taxonomy><wp:term_slug>business</wp:term_slug><wp:term_parent></wp:term_parent><wp:term_name><![CDATA[Business]]></wp:term_name><wp:term_description><![CDATA[Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt utlam dolore magnam aliquam quaerat voluptatem unert enim ad minima veniam.]]></wp:term_description></wp:term>
    <wp:term><wp:term_id>9</wp:term_id><wp:term_taxonomy>event_category</wp:term_taxonomy><wp:term_slug>cooking</wp:term_slug><wp:term_parent></wp:term_parent><wp:term_name><![CDATA[Cooking]]></wp:term_name><wp:term_description><![CDATA[Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt utlam dolore magnam aliquam quaerat voluptatem unert enim ad minima veniam.]]></wp:term_description></wp:term>
    <wp:term><wp:term_id>5</wp:term_id><wp:term_taxonomy>product_type</wp:term_taxonomy><wp:term_slug>external</wp:term_slug><wp:term_parent></wp:term_parent><wp:term_name><![CDATA[external]]></wp:term_name></wp:term>
    <wp:term><wp:term_id>3</wp:term_id><wp:term_taxonomy>product_type</wp:term_taxonomy><wp:term_slug>grouped</wp:term_slug><wp:term_parent></wp:term_parent><wp:term_name><![CDATA[grouped]]></wp:term_name></wp:term>
    <wp:term><wp:term_id>22</wp:term_id><wp:term_taxonomy>event_category</wp:term_taxonomy><wp:term_slug>health-fitness</wp:term_slug><wp:term_parent></wp:term_parent><wp:term_name><![CDATA[Health &amp; Fitness]]></wp:term_name><wp:term_description><![CDATA[Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt utlam dolore magnam aliquam quaerat voluptatem unert enim ad minima veniam.]]></wp:term_description></wp:term>
    <wp:term><wp:term_id>23</wp:term_id><wp:term_taxonomy>course_category</wp:term_taxonomy><wp:term_slug>health-fitness-2</wp:term_slug><wp:term_parent></wp:term_parent><wp:term_name><![CDATA[Health &amp; Fitness]]></wp:term_name><wp:term_description><![CDATA[Dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt utlam dolore magnam aliquam quaerat voluptatem unert enim ad minima veniam.]]></wp:term_description></wp:term>
    <wp:term><wp:term_id>21</wp:term_id><wp:term_taxonomy>event_category</wp:term_taxonomy><wp:term_slug>lifestyle</wp:term_slug><wp:term_parent></wp:term_parent><wp:term_name><![CDATA[Lifestyle]]></wp:term_name><wp:term_description><![CDATA[Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt utlam dolore magnam aliquam quaerat voluptatem unert enim ad minima veniam.]]></wp:term_description></wp:term>
    <wp:term><wp:term_id>14</wp:term_id><wp:term_taxonomy>course_category</wp:term_taxonomy><wp:term_slug>music</wp:term_slug><wp:term_parent></wp:term_parent><wp:term_name><![CDATA[Music]]></wp:term_name><wp:term_description><![CDATA[Porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt utlam dolore magnam aliquam quaerat voluptatem unert enim ad minima veniam.]]></wp:term_description></wp:term>
    <wp:term><wp:term_id>11</wp:term_id><wp:term_taxonomy>course_category</wp:term_taxonomy><wp:term_slug>photography</wp:term_slug><wp:term_parent></wp:term_parent><wp:term_name><![CDATA[Photography]]></wp:term_name><wp:term_description><![CDATA[Cestqui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt utlam dolore magnam aliquam quaerat voluptatem unert enim ad minima veniam.]]></wp:term_description></wp:term>
    <wp:term><wp:term_id>2</wp:term_id><wp:term_taxonomy>product_type</wp:term_taxonomy><wp:term_slug>simple</wp:term_slug><wp:term_parent></wp:term_parent><wp:term_name><![CDATA[simple]]></wp:term_name></wp:term>
    <wp:term><wp:term_id>4</wp:term_id><wp:term_taxonomy>product_type</wp:term_taxonomy><wp:term_slug>variable</wp:term_slug><wp:term_parent></wp:term_parent><wp:term_name><![CDATA[variable]]></wp:term_name></wp:term>
    <wp:term><wp:term_id>7</wp:term_id><wp:term_taxonomy>nav_menu</wp:term_taxonomy><wp:term_slug>main</wp:term_slug><wp:term_name><![CDATA[Main]]></wp:term_name></wp:term>
    <wp:term><wp:term_id>6</wp:term_id><wp:term_taxonomy>nav_menu</wp:term_taxonomy><wp:term_slug>menu-1</wp:term_slug><wp:term_name><![CDATA[Menu 1]]></wp:term_name></wp:term>

    <generator>http://wordpress.org/?v=4.2.5</generator>

    <item>
    <title>Test cooking course</title>
    <link>http://demo3.pressapps.co/lmspress/steaming-stewing-and-braising/cooking-course/</link>
    <pubDate>Wed, 18 Feb 2015 11:00:11 +0000</pubDate>
    <dc:creator><![CDATA[vladka]]></dc:creator>
    <guid isPermaLink="false">http://demo3.pressapps.co/lmspress/wp-content/uploads/sites/13522/2015/02/cooking-course.jpg</guid>
    <description></description>
    <content:encoded><![CDATA[jumbalaya]]></content:encoded>
    <excerpt:encoded><![CDATA[]]></excerpt:encoded>
    <wp:post_id>2106</wp:post_id>
    <wp:post_date>2015-02-18 11:00:11</wp:post_date>
    <wp:post_date_gmt>2015-02-18 11:00:11</wp:post_date_gmt>
    <wp:comment_status>open</wp:comment_status>
    <wp:ping_status>open</wp:ping_status>
    <wp:post_name>test-cooking-course</wp:post_name>
    <wp:status>inherit</wp:status>
    <wp:post_parent>0</wp:post_parent>
    <wp:menu_order>0</wp:menu_order>
    <wp:post_type>attachment</wp:post_type>
    <wp:post_password></wp:post_password>
    <wp:is_sticky>0</wp:is_sticky>
    <wp:attachment_url>http://demo3.pressapps.co/lmspress/wp-content/uploads/sites/13522/2015/02/cooking-course.jpg</wp:attachment_url>
    <wp:postmeta>
    <wp:meta_key>_wp_attached_file</wp:meta_key>
    <wp:meta_value><![CDATA[2015/02/cooking-course.jpg]]></wp:meta_value>
    </wp:postmeta>
    <wp:postmeta>
    <wp:meta_key>_wp_attachment_metadata</wp:meta_key>
    <wp:meta_value><![CDATA[a:5:{s:5:"width";i:1600;s:6:"height";i:1100;s:4:"file";s:26:"2015/02/cooking-course.jpg";s:5:"sizes";a:7:{s:9:"thumbnail";a:4:{s:4:"file";s:26:"cooking-course-150x150.jpg";s:5:"width";i:150;s:6:"height";i:150;s:9:"mime-type";s:10:"image/jpeg";}s:6:"medium";a:4:{s:4:"file";s:26:"cooking-course-300x206.jpg";s:5:"width";i:300;s:6:"height";i:206;s:9:"mime-type";s:10:"image/jpeg";}s:5:"large";a:4:{s:4:"file";s:27:"cooking-course-1024x704.jpg";s:5:"width";i:1024;s:6:"height";i:704;s:9:"mime-type";s:10:"image/jpeg";}s:14:"shop_thumbnail";a:4:{s:4:"file";s:26:"cooking-course-180x180.jpg";s:5:"width";i:180;s:6:"height";i:180;s:9:"mime-type";s:10:"image/jpeg";}s:12:"shop_catalog";a:4:{s:4:"file";s:26:"cooking-course-300x300.jpg";s:5:"width";i:300;s:6:"height";i:300;s:9:"mime-type";s:10:"image/jpeg";}s:11:"shop_single";a:4:{s:4:"file";s:26:"cooking-course-600x600.jpg";s:5:"width";i:600;s:6:"height";i:600;s:9:"mime-type";s:10:"image/jpeg";}s:17:"thumbnail_800x550";a:4:{s:4:"file";s:26:"cooking-course-800x550.jpg";s:5:"width";i:800;s:6:"height";i:550;s:9:"mime-type";s:10:"image/jpeg";}}s:10:"image_meta";a:10:{s:8:"aperture";i:0;s:6:"credit";s:0:"";s:6:"camera";s:0:"";s:7:"caption";s:0:"";s:17:"created_timestamp";i:0;s:9:"copyright";s:0:"";s:12:"focal_length";i:0;s:3:"iso";i:0;s:13:"shutter_speed";i:0;s:5:"title";s:0:"";}}]]></wp:meta_value>
    </wp:postmeta>
    </item>
    </channel>

    </rss>
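An export like the one above tells the importer which remote file to fetch, so the URL deserves a check before anything is downloaded. The following is an added example, not code from the post or from the WordPress importer: it parses WXR with DOMDocument without network access or entity expansion, picks out the attachment items, and accepts a <wp:attachment_url> only if it is an http(s) URL to an allowed host with no userinfo. The same host check is what the landing-page and instructor-bio fetches in the Simple HTML DOM post further up would need. It assumes PHP 8 with libxml 2.9 or later (where external entity loading is off by default); the ALLOWED_HOSTS list and the sample XML are constructed for the example.

```php
<?php
// Added example (not from the post or from WordPress): parse a WXR export with
// entity expansion and network access disabled, pick out attachment items, and
// validate each wp:attachment_url before anything is fetched. ALLOWED_HOSTS and
// SAMPLE_WXR are constructed for this example.
declare(strict_types=1);

const WP_NS = 'http://wordpress.org/export/1.2/';

/** Hosts from which attachments may be downloaded (constructed for the example). */
const ALLOWED_HOSTS = ['demo3.pressapps.co'];

/**
 * Returns the URL if it is an absolute http(s) URL to an allowed host with no
 * userinfo part, otherwise null. Rejecting other schemes (file://, php://, ...)
 * and unknown hosts keeps a hostile export from turning the importer into a
 * general-purpose fetcher.
 */
function safeAttachmentUrl(string $url): ?string
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return null;
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return null;
    }
    if (isset($p['user']) || isset($p['pass'])) {
        return null; // "allowed-host@other-host" tricks live here
    }
    if (!in_array(strtolower($p['host']), ALLOWED_HOSTS, true)) {
        return null;
    }
    return $url;
}

/**
 * Parse WXR text and return [post_id => attachment_url] for every item with
 * post_type "attachment" whose URL passes safeAttachmentUrl(). LIBXML_NONET
 * blocks network access while parsing, and LIBXML_NOENT is deliberately not
 * set, so entity declarations are never substituted (the XXE vector).
 */
function attachmentUrlsFromWxr(string $xml): array
{
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);
    $ok = $doc->loadXML($xml, LIBXML_NONET);
    libxml_use_internal_errors($prev);
    if (!$ok) {
        throw new RuntimeException('WXR is not well-formed XML');
    }

    $xp = new DOMXPath($doc);
    $xp->registerNamespace('wp', WP_NS);

    $out = [];
    foreach ($xp->query('/rss/channel/item[wp:post_type="attachment"]') as $item) {
        $id   = $xp->evaluate('string(wp:post_id)', $item);
        $url  = $xp->evaluate('string(wp:attachment_url)', $item);
        $safe = safeAttachmentUrl(trim($url));
        if ($safe !== null) {
            $out[(int) $id] = $safe;
        }
    }
    return $out;
}

// Constructed sample: one legitimate attachment and one whose URL only looks
// like it points at the allowed host.
const SAMPLE_WXR = <<<'XML'
<?xml version="1.0" encoding="UTF-8" ?>
<rss version="2.0" xmlns:wp="http://wordpress.org/export/1.2/">
<channel>
  <item>
    <wp:post_id>2106</wp:post_id>
    <wp:post_type>attachment</wp:post_type>
    <wp:attachment_url>http://demo3.pressapps.co/lmspress/wp-content/uploads/sites/13522/2015/02/cooking-course.jpg</wp:attachment_url>
  </item>
  <item>
    <wp:post_id>2107</wp:post_id>
    <wp:post_type>attachment</wp:post_type>
    <wp:attachment_url>http://demo3.pressapps.co@other-host.example/not-ours.jpg</wp:attachment_url>
  </item>
</channel>
</rss>
XML;

foreach (attachmentUrlsFromWxr(SAMPLE_WXR) as $postId => $url) {
    echo "$postId => $url\n";
}
```

Only post 2106 survives: parse_url() reads "demo3.pressapps.co" in the second URL as userinfo and "other-host.example" as the host, and the function rejects both conditions. Whatever downloads the file afterwards should also cap the response size and check the Content-Type, which this example leaves to the caller.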