
  1. Aigaion, Web based bibliography management system.
    Aigaion is a php/mysql based multi-user system for managing annotated bibliographies. It allows the user(s) to order publications in a self-chosen (overlapping) topic structure, offers BibTex and RIS import and export and has an intuitive user interface.
    Download Aigaion 2.1.0.zip - Visit Author website

  2. Bibliography DataBase BDB.
    Written in PHP and requires MySQL, web server and web browser. bdb can work under almost any operating system. With bdb one can easily add items to the database, search for information and generate reports. Download bdb 0.2.6.

  3. APData, The Academic Publication Database.
    APData is a web based application written in PHP that lets researchers publish their bibliographies on the internet. Download APData 0.1.1 Alpha


PHP's gethostbyname() returns, as a string, the IPv4 address corresponding to a given Internet host name. On failure it returns the host name unchanged, which every check below relies on.

Example code:

<?php
$ip = gethostbyname('www.example.com');
echo $ip;
?>

Example checking forward and reverse DNS name resolution for a host name:
<?php
// $host holds the host name to test
$ip = gethostbyname($host);
// gethostbyname() returns $host unchanged when it cannot resolve, and ip2long()
// returns false (not -1, as it did in PHP 4) for such a non-address string
if (ip2long($ip) === false
    || ($ip == gethostbyaddr($ip) && preg_match("/.*\.[a-zA-Z]{2,3}$/", $host) == 0)) {
    echo 'Error, incorrect host or ip';
} else {
    echo 'Ok';
}
?>

A DNS blacklist (DNSBL) check to prepend to all pages of a website, to cut down the amount of abuse by automated scripts:

<?php
$blacklists = array('web.sorbs.net');

// reverse the octets of the client address: 1.2.3.4 becomes 4.3.2.1.
$parts = explode('.', $_SERVER['REMOTE_ADDR']);
$ip    = implode('.', array_reverse($parts)) . '.';

foreach ($blacklists as $bl) {
    $check = $ip . $bl;
    // gethostbyname() returns the name unchanged when it does not resolve,
    // so any other answer means the address is listed in this zone
    if ($check != gethostbyname($check)) {
        error_log('PHP Security: [DNSBL] - ' . $_SERVER['REMOTE_ADDR'] . ' - ' . $bl);
        die('Put a detailed error here so the client knows why they have been blocked');
    }
}
?>
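A stricter version of the DNSBL check above, added here as an example and not part of the original post: it queries only valid public IPv4 addresses, accepts a listing only when the answer is in 127.0.0.0/8, and fails open on anything unexpected. The zone 'web.sorbs.net' is the one from the post; everything else is constructed.

```php
<?php
// Added example, not from the original post: a stricter DNSBL check. It queries
// only syntactically valid public IPv4 addresses, accepts a listing only when
// the answer is in 127.0.0.0/8 (the range DNSBLs use to say "listed"), and fails
// open on anything unexpected so a resolver outage or a wildcard-answering ISP
// does not lock every visitor out. 'web.sorbs.net' is the zone from the post.

function dnsbl_listed(string $ip, array $zones): ?string
{
    // Only public IPv4 addresses can be looked up by reversing their octets.
    $flags = FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
        return null;
    }
    $reversed = implode('.', array_reverse(explode('.', $ip)));

    foreach ($zones as $zone) {
        $query  = $reversed . '.' . $zone;
        $answer = gethostbyname($query);   // returns $query unchanged on NXDOMAIN
        if ($answer === $query) {
            continue;                      // not listed in this zone
        }
        // A genuine listing answers with 127.0.0.x; any other address means a
        // misconfigured or hijacked resolver, so log it and treat as not listed.
        if (strpos($answer, '127.') === 0) {
            return $zone;
        }
        error_log("PHP Security: [DNSBL] unexpected answer {$answer} for {$query}");
    }
    return null;
}

$client = $_SERVER['REMOTE_ADDR'] ?? '';
$hit    = dnsbl_listed($client, ['web.sorbs.net']);
if ($hit !== null) {
    error_log("PHP Security: [DNSBL] {$client} listed in {$hit}");
    http_response_code(403);
    exit('Your address is listed on ' . $hit . '; contact the site administrator.');
}
```

Private and reserved addresses (for example a reverse proxy in front of the application) are skipped rather than queried, so place this behind any proxy handling that sets the real client address.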

One way to discover your own server's IP address automatically:
<?php
// need to trim() because whitespace will confuse the name lookup
$myIP = gethostbyname(trim(`hostname`));
echo $myIP;
?>


What is Cloaking or Masking Links?

Cloaking or masking links is simply a way to hide your affiliate link and make it look more natural in the status bar at the bottom of the browser. Take the Adwatcher banner up top for example: instead of displaying this link:

http://www.affiliatepage.com/affiliate/youraffiliatepage.php?id=6159383

you can change it to simply redirect and display your own link:

http://yourdomain.com/product/yourtitle.php

Why should you hide your affiliate links?

  1. Better conversions when you "hide" your affiliate links.
  2. Higher CTRs.
  3. A shorter URL; some people get spooked when they see long web addresses full of numbers and letters.
  4. Some people won't go to a link (e.g. Clickbank) when they can see an affiliate's code embedded in the URL.
  5. Some people will recognise and type the original URL rather than click and follow your affiliate link.
  6. Link hijackers can replace your nickname with their own and steal your commission.
  7. If people see your link in a post or email, they won't click it just because of the affiliate connection.
  8. The original affiliate link looks ugly and suspicious.

How to hide the links?


# Redirect links
Go to your hosting control panel; there should be a redirect icon (in cPanel it is under Domains and is called Redirects). Click the icon and fill in your link and the affiliate link. Simple and painless.

# Using .htaccess

.htaccess is a per-directory configuration file for the Apache web server. It usually lives in the root of your site, but one can be added to other directories too. It can be used for redirection and for enabling other functions; with .htaccess the main server configuration can be partially overridden.
Let's say you want to hide an affiliate link or simply make a shorter, better looking URL. Edit .htaccess in a text editor and add this line:

redirect 301 /yournewlink http://YourAffiliateUrl

In the example above, /yournewlink could be anything; just keep in mind that if that directory already exists, every page in it will be redirected to YourAffiliateUrl. If the page (or site) you are redirecting to is not on your site, use redirect 301 or redirect permanent to "tell" search engine spiders that it is not your page. The link you then publish is:

http://www.yourdomain/yournewlink

# use OnClick event javascript
<a href="http://www.ciao.com/" onclick="this.href='http://www.ciao.com/reg.php?FriendId=10023163'" target="_blank">join here</a>

# Javascript masking 2:
code:
<a href="http://yourname.com/" onmouseover="this.href='http://www.domain.com/';" onclick="this.href='http://yourname.com';">your name</a>

When you move the mouse over the link, the status bar shows http://www.domain.com, but on click it leads to http://yourname.com. This way you can hide all your referral links.

# Use smartlink service (http://scriptsking.com/smartlinks/)

# Subdomain masking
Let's say you have a dating banner ad, but you want its link to be masked. You could create a subdomain called "dating" on your existing site (http://dating.yoursite.com) and then upload a PHP file to the subdomain directory with the following code:

<?php
// send the redirect before any output; the full <?php tag avoids relying on short_open_tag
header("HTTP/1.1 301 Moved Permanently");
header("Location: http://www.YOURAFFILIATELINK.com");
exit;
?>


Then you simply link the dating banner to http://dating.yoursite.com.
That way your link looks clean, and there is no affiliate link to be found on your site. Even if the search engines are looking for PHP redirects (which I don't think they care about just yet), they will see it on your subdomain, which is technically considered a separate site, so it still won't affect your main site's rank.

# wp-affiliate for wordpress(http://wordpress.org/extend/plugins/wp-affiliate/)
download here: (http://downloads.wordpress.org/plugin/wp-affiliate.zip)

# Use link cloaker from www.addme.com

# Use link cloaker from freelinkcloaker.com

# Use meta redirect:
example:
<meta http-equiv="refresh" content="0; url=http://www.yourlinkhere.com">

Just create a file named whatever.html and put that line at the top. You can also use whatever.php. Change the URL to your Clickbank URL.

# Use simple Frameset
code:
<title>recommended</title>
<noframes><br /><p align="center"><span style="font-family:Arial;">click <a href="http://www.yourdomainname.com"><b>Here</b></a></span></p><br /></noframes>


# Use html page with Frameset and PHP script

Example:
<html>
<head>
</head>
<frameset rows="100%, *" frameborder="no" framespacing="0" border="0">
<frame src="http://affiliate.product.hop.clickbank.net" name="mainwindow" frameborder="no" framespacing="0" marginheight="0" marginwidth="0">
<noframes>
<!-- A PHP header('Location: ...') call cannot go here: the markup above has
     already been sent, so it would fail with "headers already sent". A meta
     refresh does the same job for browsers without frame support. -->
<meta http-equiv="refresh" content="0; url=http://affiliate.product.hop.clickbank.net">
</noframes>
</frameset>
</html>

With the preceding piece of code the user will not see that you're redirecting to another site: if you put it in yoursite.com/affiliateproduct_page.html and it loads affiliateproduct_page.com in the frame, the address bar keeps showing yoursite.com/affiliateproduct_page.html rather than www.affiliateproduct_page.com, so this is true URL cloaking.


1. Register Globals
When this directive is On, PHP injects extra variables into the script, such as the HTML request variables. The problem with this approach is that a developer cannot rely on anything defined outside of his script: by injecting these variables an outside attacker could overwrite already defined variables or create potentially dangerous new ones.

Suggestion: Always Set register_globals directive to Off

2. Error Reporting
Enabling error display is essential during development: you cannot fix errors you cannot see. Once the website is in production, error display should be disabled, because PHP error messages provide detailed information to an outside attacker.

A good approach is to enable error display in development environment:

error_reporting(E_ALL);
ini_set('display_errors','On');

And once in production environment disable error display, but enable error logging to a file:

error_reporting(E_ALL);
ini_set('display_errors','Off');
ini_set('log_errors', 'On');
ini_set('error_log', '/path/to/error/log');

Alternatively you can use error_reporting(E_ALL | E_STRICT); this is the highest setting and also offers suggestions for forward compatibility.

Suggestion: Disable error display in production environment

3. Cross-Site Scripting (XSS)
Cross-site scripting is the most common form of attack on websites. The mistake developers make is not filtering input data from web forms and not escaping the output.

For example we have the following comment form:
<form action="process.php" method="post" accept-charset="utf-8" enctype="multipart/form-data" name="frmComment">
<textarea name="txtMessage" id="txtMessage"></textarea>
<input type="submit" name="submit" value="Send" id="submit" />
</form>

The application then displays the submitted data like this:

echo $_POST['txtMessage'];

The vulnerability is that the application neither filters the input nor escapes the output. Let's say someone writes the following JavaScript in the comment textarea:

<script>alert('hacked');</script>

If the application doesn't escape this output, a JavaScript alert box will pop up on every page request that renders the comment. The simplest thing a developer can do is filter out any HTML tags from the data with:

$clean_message = strip_tags($_POST['txtMessage']);

And escape it when outputting the data, with htmlentities:

htmlentities($clean_message, ENT_QUOTES, 'UTF-8');

A better solution for filtering out unwanted, malicious input is HTML Purifier; to test that your web forms are XSS proof, use the XSS cheat sheet.

Suggestion: Filter your input and escape your output to avoid XSS attacks.
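The comment handler above, rewritten as an added example (not code from the original post) so the submitted text is always treated as text: escaping happens at output time, with flags that cover both the HTML body and quoted attributes. txtMessage is the field name from the form above; the sample inputs are constructed.

```php
<?php
// Added example, not from the original post: the comment handler above written
// so the submitted text is always treated as text. The escaping happens at
// output time, with flags that cover both HTML body and quoted attributes.
// txtMessage is the field name from the form above; the sample inputs are constructed.

function esc_html(string $s): string
{
    // ENT_QUOTES escapes both quote styles so the result is safe inside attributes;
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_comment(string $raw): string
{
    // Normalise only; no attempt to "remove dangerous tags" here, because a lossy
    // strip_tags() is not what prevents XSS, the escaping on output is.
    $text = trim($raw);
    return '<div class="comment" title="' . esc_html(substr($text, 0, 40)) . '">'
         . nl2br(esc_html($text))
         . '</div>';
}

// Constructed inputs: the payload from the post and a benign comment with
// characters that would otherwise break out of an attribute.
$samples = [
    "<script>alert('hacked');</script>",
    "Tom & Jerry say \"hi\" <3",
];
foreach ($samples as $s) {
    echo render_comment($s), PHP_EOL;
}
// Neither line of output contains a raw <, >, " or ' from the input, so the
// browser shows the text instead of executing it, unlike the vulnerable
// echo $_POST['txtMessage']; from the post.
```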

4. Exposing Sensitive Information

Sensitive information such as database passwords and other credentials is usually stored in files. If these files are not properly secured, an attacker could read their contents and go on to compromise the application's database, etc.

The most common file extension for php include files is .inc. By using this extension and not properly creating parsing rules in Apache, a developer could create a major security hole in the web application.

In the Apache configuration, the default file type for unknown file extensions is text/plain. If the .inc file is not set to be parsed as a PHP file and it is in the document root, an attacker can read its contents simply by visiting the corresponding URL.

The best solution to this problem is to store these files outside of your document root (e.g. /www, /public_html, etc.). As a rule, only the files that must be web-accessible belong in the document root.

If you don't have access outside your document root, then at least use one or both of the following methods:

1. Use an extra .php extension on the end of your file. E.g. sensitive.inc.php
2. Secure the .inc file in a .htaccess file:

<Files ~ "\.inc$">
Order allow,deny
Deny from all
</Files>

Suggestion: Move all your sensitive information outside of your document root, if that’s not possible add an extra .php extension to your .inc files and/or secure them in a .htaccess file


A bootstrapping file in PHP instantiates the objects needed by every page in general, such as starting a session, connecting to a database, and defining constants and default variables.
It means that every server request is funneled through a single (or a few) PHP file. This file is the "bootstrapper" of our application.

It’s a good practice to setup a bootstrap file for every PHP website or web application. This way a developer could easily manage the behavior of his application in a centralized manner.

This file is generally the main entry point on each HTTP request, usually the index.php file in the document root.

This file usually doesn’t contain any HTML markup, just pure PHP that will load the template files or a front controller as how most of the MVC frameworks implement it.

How to Create a Bootstrap File? Just create a file in your document root, name it index.php, leave it blank for now and save it.

What to Bootstrap? Usually a bootstrap file contains the source code, libraries and logic necessary to start the entire application: from figuring out which page to show, to how to communicate with the database, etc.

Generally the file should contain the following initializations:

* Configuration
* Session, cookies
* Caching
* Database
* Directory and file paths
* Global variables and constants
* Web application status
* Web page routing
* Feeds
* XML/RPC

Bootstrap Setting

A bootstrap file usually starts by including those libraries that are necessary for the file itself to function correctly. This involves setting general directory and file paths, loading configuration files, etc.

//let's set up a root path constant; __DIR__ is the directory of this file and,
//unlike getcwd(), does not depend on the process working directory
define('ROOT',__DIR__.DIRECTORY_SEPARATOR);

//define the includes and config folders
define('INCLUDES',ROOT.'includes'.DIRECTORY_SEPARATOR);
define('CONFIG',ROOT.'config'.DIRECTORY_SEPARATOR);

//load in the main configuration file
include_once(CONFIG.'base.inc.php');

After the basic configuration we can write additional logic into the file, e.g. loading the session object, database object, etc. It’s worth mentioning that every item from the list above should be an object/class, if we are using OOP, that manages that particular feature.

It's also encouraged, even for a basic web project, to set up different application statuses such as Development, Production or Testing and to load different libraries and logic for each status. E.g. in production it is good practice to disable error display:


//define our status constant
define('STATUS','production');

//check what status we have
switch (STATUS) {
    case 'production':
        ini_set('display_errors','Off');
        //and other specific includes, commands, etc.
        break;
}


Lastly we would set the page routing logic. A class that parses the HTTP request and renders the page by loading the necessary template files if any.

After we set up the bootstrap file, we have to direct all requests to this file. This is usually achieved with a few rewrite rules in a .htaccess file in our root directory (or whichever directory the index.php file is stored in).

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d

# Rewrite all other URLs to index.php/URL
RewriteRule ^(.*)$ index.php/$1 [PT,L]

</IfModule>
<IfModule !mod_rewrite.c>
ErrorDocument 404 /index.php
</IfModule>
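An index.php that receives every request through the rewrite rule above and maps the path to a template file without letting the client choose arbitrary files; this is an added example, not the article's sample code. ROOT and STATUS follow the article's naming; the templates/ directory, the APP_STATUS environment variable and the 'home' default are assumptions.

```php
<?php
// Added example, not from the article: an index.php bootstrap that receives every
// request through the rewrite rule above (index.php/<path>) and maps the path to a
// template file without letting the client pick arbitrary files. ROOT and STATUS
// follow the article; the templates/ directory and the 'home' default are assumed.
define('ROOT', __DIR__ . DIRECTORY_SEPARATOR);
define('TEMPLATES', ROOT . 'templates' . DIRECTORY_SEPARATOR);
define('STATUS', getenv('APP_STATUS') ?: 'production');

// Environment-specific error handling, as in the article's switch statement.
error_reporting(E_ALL);
ini_set('display_errors', STATUS === 'development' ? 'On' : 'Off');
ini_set('log_errors', 'On');

function route_from_request(array $server): ?string
{
    $path = trim($server['PATH_INFO'] ?? '', '/');   // set by the "index.php/$1" rewrite
    if ($path === '') {
        return 'home';
    }
    // Slug segments only: no dots, so "../../etc/passwd" or
    // "config/base.inc.php" can never reach the include below.
    return preg_match('~^[a-z0-9-]+(?:/[a-z0-9-]+)*$~', $path) ? $path : null;
}

function template_for(?string $route): ?string
{
    if ($route === null) {
        return null;
    }
    // realpath() resolves symlinks; the prefix check is a second guard in case
    // the allow-list above is ever loosened.
    $base = realpath(TEMPLATES);
    $real = realpath(TEMPLATES . $route . '.php');
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

$tpl = template_for(route_from_request($_SERVER));
if ($tpl === null) {
    http_response_code(404);
    exit('Not found');
}
include $tpl;   // the template renders the page
```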

Visit here to view sample code to funnel the HTTP requests in one single file, which handles the web application.
