Thursday, April 29, 2010

mysql - The Replication Process

Before explaining how to set up replication, let me quickly explain the steps that MySQL goes through to maintain a replicated server. The process is different depending on the version of MySQL. For purposes of this article, my comments will be for version 4.0 or higher, since most systems now are using the later versions.


When replication is running, basically, as SQL statements are executed on the master server, MySQL records them in a binary log (bin.log) along with a log position identification number. The slave server in turn, through an IO thread, regularly and very often reads the master's binary log for any changes. If it finds a change, it copies the new statements to its relay log (relay.log). It then records the new position identification number in a file (master.info) on the slave server. The slave then goes back to checking the master binary log, using the same IO thread. When the slave server detects a change to its relay log, through an SQL thread the slave executes the new SQL statement recorded in the relay log. As a safeguard, the slave also queries the master server through the SQL thread to compare its data with the master's data. If the comparison shows inconsistency, the replication process is stopped and an error message is recorded in the slave's error log (error.log). If the results of the query match, the new log position identification number is recorded in a file on the slave (relay-log.info) and the slave waits for another change to the relay log file.

This process may seem involved and complicated at first glance, but it all occurs quickly, it isn't a significant drain on the master server, and it ensures reliable replication. Also, it's surprisingly easy to set up. It only requires a few lines of options to be added to the configuration file (i.e., my.cnf) on the master and slave servers. If you're dealing with a new server, you'll need to copy the databases on the master server to the slave to get it caught up. Then it's merely a matter of starting the slave for it to begin replicating.


http://onlamp.com/pub/a/onlamp/2005/06/16/MySQLian.html

The W3C validation problem with the ampersand (&) in JavaScript location.href

I'm working on a project where the client requires validated CSS, and I ran into the following case
Code:

<script type="text/javascript">
function es2eng(){
location.href = "http://translate.google.com/translate?u=" + this.location.href + "&langpair=es|en&h1=es&ie=UTF-8";
}
</script>

I searched Google and found some suggestions to change '&' to '&amp;' or to '%26', but when I tested them it didn't work out. Others suggested splitting the JS out into a separate file, but since this is just one very short line of JS I didn't want to separate it. After some more searching I found that the problem can be solved as follows
Code:

<script type="text/javascript">
// <![CDATA[
your script is here
// ]]>
</script>

With this change the W3C validator will not validate the JavaScript code. This is a bit of experience I wanted to share with everyone

Understanding PHP Language Constructs

Source: http://bloghoctap.com/lap-trinh-php/tim-hieu-ve-php-language-construct.html

If you program in PHP, you have certainly worked a lot with the concept of functions. But have you ever heard of Language Constructs in PHP? You have probably been using them all along without knowing it ^^. Simply put, a Language Construct is a special kind of function: these are declared as part of the PHP core, that is, not through any library or extension. PHP does not have many Language Constructs.

So what are the benefits of Language Constructs? Here are some benefits of using them:
- Very fast execution
- Optimized together with the PHP interpreter, so you can be confident about performance.
- No overhead when using Language Constructs, because they don't need to call any additional library or function to execute.

Here is a list of the Language Constructs in PHP 5.3 for reference:

array()
die()
echo()
empty()
exit()
eval()
include()
include_once()
isset()
list()
require()
require_once()
return()
print()
unset()

Note: Because this is a language construct and not a function, it cannot be called using variable functions


Database Denormalization - reverse normalization

Tuesday, April 27, 2010

9 Useful PHP Functions and Features You Need to Know


FCKeditor - and the bug converting Vietnamese text into HTMLEntities

Vietnamese text entered into the FCK editor gets converted into HTMLEntities

Guardiola đang đối mặt với một trong những đối thủ kh&oacute; lường như Mourinho

Fix: set the following settings in fckconfig.js

FCKConfig.ProcessHTMLEntities = false ;
FCKConfig.IncludeLatinEntities = false ;
FCKConfig.IncludeGreekEntities = false ;

When the above settings are turned off, FCK automatically adds the line

 

when you View Source.
Stop FCK from adding that line automatically by changing the following setting:
FCKConfig.FillEmptyBlocks = false ;

Monday, April 26, 2010

How do you make decisions for the best results? - or, how do you present a problem?

http://fli.fpt20.com/blog_detail.asp?id=7713&page=1

Suppose you are the captain steering a ship carrying 600 passengers across the Atlantic when the ship suddenly strikes a reef. You have only 2 options available to deal with this disaster.

Option A: If this option is chosen, we will certainly save 200 lives.

Option B: If this option is chosen, there is a 33% chance that we save all 600 lives, and a 66% chance that we save no one.

So which of the 2 options (A and B) would you choose?

In the same situation there could be 2 other options for you to choose from:

Option C: If this option is chosen, 400 people will certainly die

Option D: If this option is chosen, there is a 33% chance that nobody dies, and a 66% chance that all 600 people die.

So which of the 2 options (C and D) would you choose?

If you look closely you will see that option A is the same as option C, and option B the same as option D; they differ only in how the problem is presented. Yet in practice, when the problem is presented in terms of what can be gained (as in options A and B), most people tend to choose the safe option; whereas when it is presented in terms of what can be lost, most people tend to choose the risky option.

You may not fall into that majority when you do this exercise, but here I am only talking about the majority and their tendency.

From the situation above we can see that the way a problem is presented (framing) has a large effect on which option is chosen to solve it. For a business, viewing a problem as a threat leads to different decisions than viewing the same problem as an opportunity.

When a problem is seen as a threat, a business usually allocates large resources to deal with it, but the solutions tend to be rigid and uncreative. When a problem is seen as an opportunity, the business can come up with creative, flexible solutions but often does not allocate enough resources to carry them out. The businesses that succeed in practice are usually those that view a problem as both an opportunity and a threat: they come up with creative solutions and at the same time allocate enough resources to implement them.

For a leader, the lesson from this situation is to avoid imposing their own way of seeing and presenting a problem (framing an issue) on their staff, and instead let staff voice their own view of the problem.

The Business Benefits of Web Standards


http://www.maxdesign.com.au/articles/benefits/ The benefits of Web Standards to your visitors, your clients and you!

wget - fetch a page and save it as a different file on the server

wget -O 1.html http://www.google.com/

Thursday, April 22, 2010

bloh.phpquiz.net - making hay while it rains

Checking G.A I saw a few visits to my blog coming from the keyword bloh.phpquiz.net
Might as well do some SEO for the keyword bloh.phpquiz.net while I'm at it.

The official website is blog.phpquiz.net.

Thanks for visiting :)

Wednesday, April 21, 2010

Optimizing SQL statements

Ordering principle:
The table you ORDER BY becomes the primary table from which the data is fetched.
Optimally, order by only one table.



Converting an ORDER BY over several tables into an ORDER BY over one table; disadvantage: the existing indexes on the table can't be used, and in testing it didn't run any faster either. I'll probably have to test it again - noting it here so I remember the approach

EXPLAIN
SELECT SQL_NO_CACHE
*
FROM
(SELECT
*
FROM
newscategory nc
,news_ban_can_biet bcb
WHERE
nc.NewsID = bcb.news_ban_can_biet_news_id
AND nc.CategoryID =46
AND nc.Status >0
AND '2010-04-21' BETWEEN news_ban_can_biet_start_date AND news_ban_can_biet_end_date

LIMIT 20
) as temp

ORDER BY
news_ban_can_biet_vip DESC
,PublishedDate2 DESC
LIMIT 20

--------------

EXPLAIN
SELECT
*
FROM
newscategory nc
,news_ban_can_biet bcb
WHERE
nc.NewsID = bcb.news_ban_can_biet_news_id
AND nc.CategoryID =46
AND nc.Status >0
AND '2010-04-21' BETWEEN news_ban_can_biet_start_date AND news_ban_can_biet_end_date
ORDER BY
news_ban_can_biet_vip DESC
,nc.PublishedDate2 DESC
LIMIT 20



Indexing principle:
An index should cover the several fields that are involved in the WHERE and ORDER BY,




Principles for writing WHERE:

http://www.petefreitag.com/item/613.cfm MySQL Optimization Hints

10 Tips for Optimizing MySQL Queries (That don’t suck)



http://opsmonkey.blogspot.com/2009/03/mysql-query-optimization-for-order-by.html

Tuesday, April 20, 2010

Some information in the Predefined Variables is not accurate

$_SERVER['HTTP_HOST']
$_SERVER['HTTP_REFERER']

The best approach is to hard-code the configuration on the server.

Similar to what WordPress does.
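The point above, as an added example that is not from the original post: `$_SERVER['HTTP_HOST']` is copied from the client's Host header, so a base URL built from it can be poisoned (password-reset links, redirects). The hard-coded host, constants and helper names below are assumptions for this example.

```php
<?php
// Added example: resolve the site's base URL from a hard-coded setting
// instead of trusting $_SERVER['HTTP_HOST'], which is client-controlled.
// SITE_HOST, SITE_SCHEME and the function names are assumptions.

const SITE_HOST   = 'www.example.com';   // assumed canonical hostname
const SITE_SCHEME = 'https';

// Weak: trusts the Host header. A request carrying "Host: attacker.example"
// makes every absolute URL this function produces point at that host.
function base_url_weak(array $server): string
{
    return 'http://' . $server['HTTP_HOST'] . '/';
}

// Hardened: the configured host is the only one ever emitted, and a request
// whose Host header does not match is rejected rather than served.
function base_url_hardened(array $server): string
{
    $host = strtolower($server['HTTP_HOST'] ?? '');
    // Drop an optional :port before comparing; we never echo it back.
    $host = preg_replace('/:\d+$/', '', $host);
    if ($host !== SITE_HOST) {
        throw new RuntimeException('Unexpected Host header: ' . $host);
    }
    return SITE_SCHEME . '://' . SITE_HOST . '/';
}

// Constructed requests for the demonstration (not real traffic).
$legit = ['HTTP_HOST' => 'www.example.com'];
$spoof = ['HTTP_HOST' => 'attacker.example'];

echo 'weak, spoofed host:     ', base_url_weak($spoof), "\n";
echo 'hardened, legit host:   ', base_url_hardened($legit), "\n";
try {
    base_url_hardened($spoof);
} catch (RuntimeException $e) {
    echo 'hardened, spoofed host: rejected (', $e->getMessage(), ")\n";
}
```

The same idea applies to `HTTP_REFERER`: it is client data and belongs in logs, not in security decisions.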

Monday, April 19, 2010

Some commonly used Linux commands

http://www.quantrimang.com.vn/hethong/linux/58488_10-cau-lenh-Linux-huu-dung-nhat.aspx

http://www.quantrimang.com.vn/hethong/linux/48792_Huong-dan-ve-Unix-Cac-lenh-voi-file.aspx


http://www.quantrimang.com.vn/hethong/linux/48701_Huong-dan-ve-Unix-Cac-lenh-voi-thu-muc.aspx

http://www.quantrimang.com.vn/hethong/linux/44920_Mot-so-thanh-phan-chinh-cua-he-thong-Linux.aspx

http://www.quantrimang.com.vn/hethong/linux/35789_Cac-lenh-Shell-co-ban-trong-Linux.aspx

http://www.pixelbeat.org/cmdline.html

http://ss64.com/bash/

http://bash.cyberciti.biz/guide/Main_Page Linux Shell Scripting Tutorial

http://www.ss64.com/bash/


http://www.linuxcommand.org/learning_the_shell.php

On naming functions sanely

When naming your functions, there are certain function prefix/postfixes that should only return specific types. They help the programmers who follow in your footsteps to grasp what it is you were trying to do. It also reduces the number of comments you need because the naming conventions are self explanatory. Here is a short list of some of those function modifiers and the expected return values.

The following should only return boolean values; they should not set anything in the class. They are idempotent. If they are not, you have probably done something wrong or your function is misnamed. Rename it quickly, before anyone else mistakes it for something that it is not and causes a long bug search.

is_something();
something_exists();

The following should probably not return a value (but if they do it should be true or false based on their success).

set_something();
unset_something();
import_something();
read_something();
calculate_something();
something_calculation();
//this one obviously shouldn't return a value... it could throw an exception though
$something->var = $something_else;

The following should only return values not set them or change anything prior to returning them.

get_something();
retrieve_something();
$something_else = $something->var;
something_value();

The following should only return an integer (long, double…).

count_something();
something_count();

The following are similar, they should also return a number of some sort (could be a float, an int, a double).

total_something();
something_total();
sum_something();

Another thing, don’t use this naming scheme:

get_something();
get_somethings();

There is not enough difference when you are glancing at them quickly or trying to debug something, or you are scrolling through them in an auto-complete pop-up, or documentation. Rather use this one, it is easier to differentiate.

get_something();
get_all_somethings();

Remember:

Always code as if the person who ends up maintaining your code is a violent psychopath who knows where you live

PHP Functions, you’re doing it wrong

Just a quick tip today. If your function looks something like this:


/**
* A really long function definition
* @param string $has
* @param bool $a
* @param int $lot
* @param float $of
* @param assoc_array $parameters
* @param string $I
* @param string $wonder
* @param int $what
* @param int $they
* @param int $do
*/
function myfunction(
$has=null,
$a=null,
$lot=null,
$of=null,
$parameters=null,
$I=null,
$wonder=null,
$what=null,
$they=null,
$do=null
){
//do some magic
}

//this is how it would be called
myfunction(null, false, null, 1.2, array('one'=>1, 'two'=>2), 'I', null, 1, null, 3);

You are doing it wrong. If all of these parameters are really nullable and required for your function, and there is no way for you to split it up, then you _can_ refactor it like this:


/**
* Quickly refactored to make it easier to use
* @param array $array containing: (string)'has', (bool)'a', (int)'lot', (float)'of', (assoc_array)'parameters', (string)'I', (string)'wonder', (int)'what', (int)'they', (int)'do'
*/
function myFunction(array $array){
//make sure we are only taking in parameters that we recognize...
$has = isset($array['has'])? $array['has']:null;
//array key exists because it is a fake boolean value... it has 3 possibilities
$a = array_key_exists('a', $array)? $array['a']:null;
$lot = isset($array['lot'])? $array['lot']:null;
$of = isset($array['of'])? $array['of']:null;
$parameters = isset($array['parameters'])? $array['parameters']:null;
$I = isset($array['I'])? $array['I']:null;
$wonder = isset($array['wonder'])? $array['wonder']:null;
$what = isset($array['what'])? $array['what']:null;
$they = isset($array['they'])? $array['they']:null;
$do = isset($array['do'])? $array['do']:null;

//some magic
}

//it could also be written:

/**
* Quickly refactored to make it easier to use
* @param array $array containing: (string)'has', (bool)'a', (int)'lot', (float)'of', (assoc_array)'parameters', (string)'I', (string)'wonder', (int)'what', (int)'they', (int)'do'
*/
function myFunction(array $array){
//make sure we are only taking in parameters that we recognize...
$args = array('has', 'a', 'lot', 'of', 'parameters', 'I', 'wonder', 'what', 'they', 'do');
foreach($args as $arg){
$$arg = array_key_exists($arg, $array)? $array[$arg]:null;
}
//some magic
}



//this is how it would be called
//equivalent to:
//myfunction(null, false, null, 1.2, array('one'=>1, 'two'=>2), 'I', null, 1, null, 3);
myfunction(array('a'=> false, 'lot'=>1.2, 'parameters'=>array('one'=>1, 'two'=>2), 'I'=>'I', 'what'=>1, 'do'=>3));

It may be more to type, but it is harder to get it wrong when you are using named parameters. You don’t have to remember what each of the parameters do in their specific positions either so it is easier to understand the code as you quickly glance at it. Note that this is similar to the way that a lot of ruby functions are written, except we don’t have a short hand for named parameters like they do (it would be awesome if we did…):


myfunction(:a => false, :lot => 1.2, :parameters => { :one => 1, :two => 2 }, :I => 'I', :what => 1, :do => 3)

While this is definitely easier to read and remember, it is probably worth refactoring a function like this (as it is an extreme case) further because it is likely that you are doing way too many things within it.

Sunday, April 18, 2010

Learning to use PHPDoc

Follow the PHPDoc standard and the Zend Coding Standard when writing code

framework?

Fix up our own, or use Zend?

Friday, April 16, 2010

Error when copying or restoring an old file

The server cannot sync the file because the timestamp on the slaves is newer

Approach: touch the file so it gets a new timestamp and the server can sync it.

Missing sidewalk tea

Hot tea and peanut candy when the weather turns chilly, what could be better.

Locking a cronjob

When you declare a cron that runs periodically at a short interval, for example once every 3 minutes

You should lock so that only one instance of the cron can run.

This guards against the risk (badly written code) of two crons of the same file running at the same time
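One way to implement that lock, as an added example (not code from the original post): an exclusive, non-blocking `flock()` on a lock file, so a second copy started while the first is still running exits at once. The lock path and `do_work()` are assumptions for this example.

```php
<?php
// Added example: a cron script guarded by flock(). The lock file path and
// do_work() are assumptions; replace do_work() with the real periodic job.

function acquire_cron_lock(string $lockFile)
{
    $fp = fopen($lockFile, 'c');          // create if missing, never truncate
    if ($fp === false) {
        throw new RuntimeException("cannot open lock file $lockFile");
    }
    // LOCK_NB: do not wait for the other instance, fail fast instead.
    if (!flock($fp, LOCK_EX | LOCK_NB)) {
        fclose($fp);
        return null;                      // another instance holds the lock
    }
    // Record the owner PID for operators reading the file; the kernel lock,
    // not this content, is what enforces exclusivity.
    ftruncate($fp, 0);
    fwrite($fp, getmypid() . "\n");
    fflush($fp);
    return $fp;                           // keep the handle open to keep the lock
}

function release_cron_lock($fp): void
{
    flock($fp, LOCK_UN);
    fclose($fp);
}

function do_work(): void
{
    // Stand-in for the real job; long enough to overlap with a second start.
    sleep(5);
}

$lock = acquire_cron_lock('/tmp/example-cron.lock');  // assumed lock path
if ($lock === null) {
    fwrite(STDERR, "previous run still active, exiting\n");
    exit(0);
}
try {
    do_work();
} finally {
    release_cron_lock($lock);
}
```

Unlike a plain PID file, the lock is released by the kernel when the process dies, so a crashed run does not leave a stale lock that blocks every later run.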

Thursday, April 15, 2010

Wednesday, April 14, 2010

Printable PHP security checklist

http://www.sk89q.com/content/2010/04/phpsec_cheatsheet.pdf

Learn something new every day

Set a goal to learn, or re-check, one new thing or one thing already done, every day.

Today: PHP streams
-> Introduction to PHP streams

Definitive PHP security checklist

http://www.sk89q.com/2009/08/definitive-php-security-checklist/

There was a recent question about a PHP security checklist on a forum I frequent, and I’ve decided to write my own comprehensive checklist to fill the void. There’s something for everyone but the security expert. In fact, you might find an issue that you never thought about. Securing PHP web applications would be a better title for this article.

If you have any questions, feel free to leave a comment. The following is also now in a very concise printable form.

  • Basic:
    • Have strong passwords, and be sure that your “password recovery questions” are not too obvious.
      • If you write down your passwords, ensure that you put them in a safe place.
    • Make sure that register_globals is disabled, because that allows arbitrary variables to be injected into your script’s environment (!).
    • Disable magic quotes. It has no effect on security, but it leads people to think that it actually helps secure applications against SQL injection, and so people rely on it for escaping (highly wrong!). The two relevant PHP settings are magic_quotes_gpc and magic_quotes_runtime.
    • Disable display_errors on your production environment to make it more difficult to learn details about your environment. You should continue to log errors, however.
    • Don’t forget about the physical security of your server(s). Make sure you’re in a secure data center (hint: some are grossly insecure).
  • User input and non-uploaded content:
    • Be aware that you can initiate a request from something as simple as telnet, so that means that all incoming data can be forged.
      • This means that everything in $_GET, $_POST, $_COOKIE, and $_REQUEST can all contain any value.
      • $_SERVER and $_ENV are a bit different: some values come from the web server, while others come from the client.
        • $_SERVER['PHP_SELF'] is not entirely safe, as URLs can be, depending on your configuration, cleverly constructed to contain arbitrary data and yet still work.
    • Filter and validate data to make sure that it is safe for the environment that you are using the data in.
      • Be aware that incoming data can contain control characters such as null. Null signifies the end of a string in C/C++, so you can imagine what could happen if you are passing a PHP string to another program or the system API.
      • Check the length of inputted data to make sure that it is not too long.
      • Make sure to validate email addresses, because it is possible to inject email headers by crafting specially constructed email addresses.
      • Don’t forget that inputted numbers can be very large, very small, zero, or negative. You don’t want to deposit a negative number of credits!
      • Be aware that some character sets (namely Unicode) have “invisible” characters, characters that look alike, or different ways of combining characters (for diacritics, namely). This could be used to impersonate another user.
        • Some character sets also contain layout control characters (namely Unicode), which could be used to modify the layout of the page slightly.
    • Before outputting data to the browser, make sure to properly escape it to prevent cross-site scripting (XSS). As a general rule, use a white list, never a black list.
      • If you are allowing the user to use (some) HTML, it is important that you use a very secure HTML sanitizer (HTML Purifier is recommended).
        • There are many many ways to achieve the same result in HTML, so don’t try to do HTML sanitizing yourself (seriously, just forget it).
      • If CSS is allowed, then that must be sanitized as well.
        • Be aware that certain CSS properties such as “position” could be used maliciously (elements overlaying login forms, etcetera).
        • CSS can also contain escape sequences both inside and outside strings (\34).
        • CSS files can contain JavaScript. This manifests itself in the form of “CSS expressions” and “behaviors” (Internet Explorer features) or Gecko “bindings.”
      • Check to make sure that any user-supplied URLs are valid and safe. URLs to websites, URLs to images, etc.
        • Be aware of the different protocols: http:, https:, ftp:, ftps:, gopher:, 3rd-party ones such as aim:, and data:.
      • If you allow users to embed plugins (i.e. Flash movies), make sure you embed it in a way where a different plugin cannot be loaded (based on file type).
      • Included Java applets, Flash movies, or other plugin content may be able to access the page by executing JavaScript, depending on the way that the content was embedded into the page.
    • Use a “safe” encoding for your page (such as ISO-8859-1) or otherwise verify the content of inputted data to see if it is valid (including if you use UTF-8). This is because certain invalid character sequences can cause the next character (the next character possibly being an important <>
    • You must specify the encoding, otherwise you allow the web browser to guess at the encoding, and leaving the possibility that it may switch to a “dangerous” encoding.
    • Specify the encoding in an HTTP header and not in the HTML.
  • Uploaded files:
    • Verify that the type of the file is what you expected.
      • The mime type/file type in the $_FILES array is provided by the user and can contain any value. Not only can the provided mime type be spoofed, it could also just be wrong or be overly generic.
        (Conclusion: The field is useless.)
      • The best way to check whether the file is of the format you expected is to analyze the contents of the file.
        • A simple file type check algorithm can be easily fooled by putting the minimum necessary parts of the file format to pass that check. For example, you could take the first 20 bytes of a PNG file and then append the contents of badvirus.vbs to the end, giving you a file that would easily pass through many filters. A more complicated filter is more computationally intensive to use, however, and the few benefits are usually not worth it.
        • An alternative method to verify the format of the file is to re-save it. A PNG image could be re-saved using the GD library, for example. However, this can degrade the quality of the file, especially if JPEG is concerned.
      • Be aware that some formats can contain arbitrary data and still be valid (think “comment fields” in some file types).
    • Verify that the size of the file is not too large.
      • If you are using MAX_FILE_SIZE, you still need to perform the check. Do not use the value of MAX_FILE_SIZE to check again, as this can be spoofed (remember that all input data is suspect).
      • Make sure that you don’t allow uploaded files to completely take up all the space for your system, possibly causing grave consequences.
    • Be aware that uploaded files, even if valid, can still contain malicious content.
      • Uploaded files may be or contain viruses. You can scan for viruses if you wish, although it does use up (possibly expensive) resources to do so.
      • Uploaded HTML files can contain malicious JavaScript.
    • Don’t move uploaded files to web-accessible directories, as your web server may parse some files as executable code (i.e. an uploaded .php file). It also hampers your ability to restrict access to the files (as noted before about hiding files).
    • Do extensive path checks to make sure you do not serve a non-uploaded file.
    • Don’t execute/serve uploaded files with include(). This executes PHP code, as previously mentioned. Use readfile().
    • Serve all uploaded files as an attachment and never inline (it’s an HTTP header called “Content-Disposition”). This is because Internet Explorer will override the content type you tell it and guess on its own. PNG image? No! Internet Explorer says it’s an HTML file with JavaScript code.
      • Send the “X-Content-Type-Options: nosniff” header. This only alleviates the problem for IE8 and above, but IE7 and below would still have the issue (so you still need to send files as attachments).
    • Avoid serving files with content types of “application/octet-stream,” “application/unknown,” or “text/plain” unless necessary.
  • Database:
    • When inserting inputted data into an SQL query, escape the data or use parameterized/prepared statements. The issue at hand is called SQL injection.
      • Do not use addslashes() to escape data; use the function for your particular DBMS to escape data, because different databases escape differently.
      • A good way to prevent SQL injection is to use prepared statements. PDO supports prepared statements, among other libraries.
    • Lock down access permissions so that your application does not have excess privileges to the database (unnecessary write privileges, etc.).
    • Be aware that your DBMS may allow remote connections (by default), so disable that feature as necessary.
  • Including and serving files:
    • Never use user input directly in a pathname.
      • Check for directory traversal.
      • Check for null poison bytes.
      • Be aware of the “:” character, which is used on NTFS and Windows to access alternate data streams.
      • Be aware of PHP streams, which allows you (and attackers) to access non-file-based resources with URIs like http://example.com/badcode.txt.
        • Check to make sure that attackers can’t include a remote file containing PHP code.
    • You should not be merely hiding files in a web-accessible directory because people may guess URLs.
      • This applies to hiding things based on the content of a GET or POST variable. Actually verifying the identity of the user and his or her authorization level is a much better approach.
    • When you need to get a remote file, do not use include(), as that will also execute any PHP code on the page. Use something such as file_get_contents().
  • Authentication and authorization:
    • Install a bad password throttling system to prevent brute force attacks.
      • You should consider throwing up a CAPTCHA test before outright denying any further login attempts. Do that not for security reasons, but rather to make it less annoying for your more forgetful users.
    • Be aware that a malicious user can sniff packets to get a user’s password. The only real solution to this problem is to use SSL. It is possible to set up your own challenge and response system, but it won’t protect users if they are also susceptible to a man-in-the-middle attack.
    • Don’t store a user’s password in a cookie when logging in, for obvious reasons. This may seem like an easy way to implement “remember me,” but it is a bad idea.
    • Hash stored passwords to make it harder for an attacker who has gained access to your database to get the raw password of users.
      • Use salts to make rainbow tables ineffective. It is highly recommended that you use a different salt per user to make intrusion more difficult (you will have to store the individual salts). Salts should be sufficiently long and complex to be strong.
      • Use the PHP crypt() function if possible, as it generates very good hashes. You want to use Blowfish or SHA and use a good number of rounds. Increasing the number of rounds causes the hash calculation to be more computationally expensive, making the hashes much harder to brute force. Because you don’t constantly generate hashes, the extra CPU required should not have a major impact.
      • Don’t use MD5.
    • If you allow your users to input password recovery questions, make sure to remind users to not use questions with answers that can be easily guessed by someone else. People’s accounts have been lost due to this very reason.
    • Be careful with account recovery forms not to allow malicious users to discover whether an email address is registered in your database. The only solution to this problem is to not let the user know whether the email address exists in the database when they use the password recovery form. An email always has to be sent in that situation.
    • Remember to throttle any page that sends emails to prevent a malicious user from using your script to abuse your application.
  • Sessions and cookies:
    • Use only cookies for sessions, to prevent session fixation (i.e. a malicious user sending a target user a link to use an existing session already under the control of the attacker) and session hijacking (i.e. leaking a session ID placed in the URL) attacks. If you are using the PHP sessions, there is a PHP setting named session.use_only_cookies that determines this behavior.
    • After a session is complete (“logout”), destroy its data and don’t just clear the cookie (a malicious user could otherwise just re-instate the cookie and use the session again).
    • When changing a user’s authorization level (i.e. from guest to a logged in user), destroy the old session and create a new session to make session fixation harder. This is because if the attacker has access to the session (for some reason), the old session will now become useless rather than get extra privileges.
    • Even if you are not in a shared hosting environment, if you use the same directory to store session files for two or more of your sites, then a session created on one website will be a valid session on another.
  • Remote websites:
    • Be aware that other sites can conduct cross-site request forgeries, and pass off as a logged in user (both GET and POST requests can be forged).
      • Don’t rely on referrers to protect against CSRFs, because many Internet security programs block the referrer field or give it some dubious value (like “—”).
      • Use tokens/keys with your forms to prevent CSRFs. Do this for important pages.
      • Using POST for pages that perform actions helps mitigate the issue, although it is still possible to submit a POST request from a form automatically.
      • Be aware that even material you host on your website can be used against you, because the content is already on your website, and thus there are no cross-domain sanctions.
        Example: An avatar URL that loads your logout page.
    • Be aware that, while other websites cannot just read content off your pages, some files can be read remotely (such as .js files) by their nature (including them via SCRIPT tags, etcetera).
      • Files that look like JavaScript files could possibly be read remotely.
      • Don’t forget about your files that contain JSON.
    • Older versions (and possibly current) of Flash could play media files remotely and bypass referrer checks, because Flash Player did not send a referrer.
    • Be aware that information could be probed using the inclusion of a file on your server on a remote site.
      • Be aware that the existence of a file could be detected using the “onerror” event of an image element.
      • Pages that conditionally take a longer time to load could be detected on a remote website.
        • Cached files will take a shorter time to load.
      • The dimensions of images on your server can be detected on a remote website.
      • CSS files can be included remotely, and although not read, if the CSS files are conditional, information could be garnered from how the attack site is changed with the inclusion of the CSS file. Rather than including a CSS file, an attacker could attempt to include an HTML file directly as well, because the CSS parsers in web browsers are fairly lax and will try their best.
      • Some browsers allow a remote site to detect the frames within another site.
      • Some browsers may throw a different error if you attempt to delete a non-existent variable in a frame containing a remote website than if you were to delete an existing variable.
      • It is possible to detect whether a user has visited a URL by checking how the browser has styled the link (visited vs. unvisited styles).
    • Be aware that Internet Explorer allows a remote website to include another website in an inline frame while disabling JavaScript and cookies inside that inline frame. This breaks frame break-out attempts.
    • Install frame-busting code and send the X-Frame-Options header to protect against UI redressing/clickjacking. Frame-busting code won’t work in IE if the attacker’s website disables JavaScript in the inline frame (see above), but that’s what the header is for. Older versions of IE that don’t understand the header are still left vulnerable.
  • Miscellaneous:
    • If you are using random numbers for security, be aware that you need to be using a cryptographically secure random number generator otherwise it is possible to guess the pattern of random numbers.
      • Things such as account activation links and randomly generated secret IDs need to be generated using a cryptographically secure random generator. Basically anything that is random that needs to be kept secret needs to be generated using a secure PRNG.
      • PHP does not provide a cryptographically secure random number generator. However, you can access /dev/urandom (*nix) or CAPICOM.Utilities.1 (Windows). For an example, see this comment. You can also install the Suhosin patch instead.
    • Anything that consumes a lot of resources should be throttled and limited.
      • Pages that conduct long or resource intensive operations should be throttled, so that performing a denial-of-service attack against you isn’t as simple as leaving 10 browser windows on auto-refresh.
      • Check to make sure that pages that access remote resources (e.g. APIs) cannot be used to launch denial-of-service attacks against those remote resources by using your site as a proxy.
    • Don’t try to create your own encryption algorithm.
    • If you are calling external programs (e.g. via exec()), make sure that you escape the arguments.
    • If you are using a page to redirect to other pages (or other sites), make sure that this cannot be abused.
    • Be aware that something could go wrong, and your PHP files may suddenly be exposed (it has happened to big name sites, such as Facebook and others). Take precautions to prevent this.
    • Don’t put configuration files or any critical files in a web accessible directory, especially if their content can be read via the browser.
    • If you need to protect files (for example, against a login), put the files into a non-web-accessible directory and route all files through a PHP script. (This has been touched on previously.)
    • Internet Explorer has an XSS filter that could possibly be abused to prevent a piece of code in a page from being executed, by passing that piece of code as a query parameter in the URL.
  • Shared host security:
    • Be aware that on many shared hosts, users can access the files of other users. It may not be doable from PHP directly, but it may be doable by running PHP via CGI (or Perl, etc., via CGI).
      • In shared hosts where security is slightly better, you should chmod your files so that users of other groups cannot access your files.
      • Someone noted that I glossed over this issue. Okay, read that again: users can access the files of other users. That should be a major worry, and the best part is that most PHP shared web hosts don’t secure their servers against this. You should verify that the web host that you are working with has properly secured their environment, and if it hasn’t, you should move.
    • Be aware that IE6 allows header spoofing with XMLHttpRequest, including the spoofing of Host and Referer. If you are on a virtual host setup (which you likely are if you are on a shared host), then another site can spoof the Host header and thus send arbitrary requests to your website from another website on the same server. (IE6 does not allow cross-domain requests. It’s the fact that the Host header tells the web server which site to serve when several sites share the same IP address.)
    • Be aware that other users on the same server may have the same IP address as your website or can access your website from 127.0.0.1.
    • Be aware that other users on the same server may be able to run a server on the same IP as your website but on a different port.
    • Be aware that other users are “not” remote as far as your database may be concerned.
    • Be aware that another user on the same server may be able to create a false session for use on your own site (because in many configurations, all session temporary files are stored in the same directory for all users).
      • Consequently, that means that other users may also be able to read your session data.
      • A session created on one site can be used on another as well.
    • File uploads on one site might be accessible on another site because sites often share a single world-readable /tmp directory.
  • And don’t forget: this list is also available as a printable cheat sheet.

    Download: phpsec_cheatsheet.pdf

    PHP Application Security Checklist
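As an added example (my own code, not from the checklist author or from any project the checklist mentions), here is how three of the points above fit together in PHP: a token generator that uses a cryptographically secure source (random_bytes() where available, otherwise the /dev/urandom fallback the checklist recommends), session regeneration when the user's privilege level changes, and a per-session CSRF token checked in constant time. It assumes PHP 5.4 or newer (for session_status()); all function names are my own.

```php
<?php
// Added example: session fixation / CSRF / secure-random helpers.
// Not part of the original checklist; function names are the author's choice.

/**
 * Return $len random bytes from a cryptographically secure source.
 * random_bytes() exists from PHP 7; before that we read /dev/urandom directly
 * (as the checklist suggests). Never fall back to rand()/mt_rand().
 */
function secure_random_bytes($len)
{
    if (function_exists('random_bytes')) {
        return random_bytes($len);
    }
    $fh = @fopen('/dev/urandom', 'rb');
    if ($fh === false) {
        throw new RuntimeException('No secure random source available');
    }
    $bytes = fread($fh, $len);
    fclose($fh);
    if ($bytes === false || strlen($bytes) !== $len) {
        throw new RuntimeException('Short read from /dev/urandom');
    }
    return $bytes;
}

/** Hex token for CSRF tokens, activation links, secret IDs, etc. */
function secure_token($bytes = 32)
{
    return bin2hex(secure_random_bytes($bytes));
}

/**
 * Call this when the user's authorization level changes (e.g. right after a
 * successful login): the old session id is thrown away, so an id an attacker
 * managed to fixate beforehand is worthless, and a fresh CSRF token is bound
 * to the new session.
 */
function promote_session($userId)
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);            // true = delete the old session data
    $_SESSION = array('user_id' => $userId, 'csrf' => secure_token());
}

/** Hidden input to embed in every form that performs an action. */
function csrf_field()
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = secure_token();
    }
    return '<input type="hidden" name="csrf" value="'
         . htmlspecialchars($_SESSION['csrf'], ENT_QUOTES, 'UTF-8') . '">';
}

/**
 * Verify the submitted token. True only when the session holds a token and the
 * submitted one matches it; the comparison does not leak timing information.
 */
function csrf_check(array $post)
{
    if (empty($_SESSION['csrf']) || empty($post['csrf'])) {
        return false;
    }
    $expected = $_SESSION['csrf'];
    $given    = (string) $post['csrf'];
    if (function_exists('hash_equals')) {   // PHP 5.6+
        return hash_equals($expected, $given);
    }
    if (strlen($expected) !== strlen($given)) {
        return false;
    }
    $diff = 0;                              // constant-time fallback
    for ($i = 0, $n = strlen($expected); $i < $n; $i++) {
        $diff |= ord($expected[$i]) ^ ord($given[$i]);
    }
    return $diff === 0;
}

// Usage in a POST handler (after session_start()):
// if ($_SERVER['REQUEST_METHOD'] === 'POST' && !csrf_check($_POST)) {
//     header('HTTP/1.1 403 Forbidden');
//     exit;
// }
```

The token check is deliberately independent of the Referer header, for the reason given in the checklist: many security products blank or mangle it.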


    Create directories recursively

    PHP:
    mkdir('/home/huypv/d1/d2/d3/d4', 0775, true);

    Linux (already covered in an earlier post, but repeating it ^^):
    mkdir -p /home/huypv/d1/d2/d3/d4

    Bonus: create a directory and set its permissions in a single Linux command
    mkdir -p d1/d2/d3/writeable && chmod 777 d1/d2/d3/writeable
    (man mkdir => mkdir has an -m option, but I'm not used to it)


    source: http://phungvanhuy.net/index.php/2009/11/09/mkdir-recursive/

    dollar character in Shell Programming

    $$ = The PID number of the process executing the shell.
    $? = Exit status variable.
    $0 = The name of the command you used to call a program.
    $1 = The first argument on the command line.
    $2 = The second argument on the command line.
    $n = The nth argument on the command line.
    $* = All the arguments on the command line.
    $# = The number of command line arguments.

    Read the lines of a file into an array

    The traditional way!
    $arrLines = file('/home/huypv/xxx.txt');
    Advantage: easy to remember
    Drawback: can run into problems with \r and \n characters and blank lines

    The more pro way
    $arrLines = file('/home/huypv/xxx.txt', FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    Advantage: \r and \n are gone, blank lines are skipped
    Drawback: you have to remember the FILE_??? constant names

    Tuesday, April 13, 2010

    Starting to learn stored procedures in MySQL

    Google stored procedures mysql

    Looking for a reason to buy a new laptop

    Looking at those beauties is such a rush, but I still haven't found any reason to marry one and bring it home.

    Optimizing the query that counts the number of records

    Right now I have no idea how.

    Thinking about a solution where a separate server handles the conditional count queries

    Declare the queries and the list of inputs for each, then hand them to cron to run periodically.

    Run 2 or more commands one after another

    Write the commands separated by &&

    top -n 1 && date

    To run the command in the background, add & after it

    top -n 1 && date&

    Press Enter to see the result

    Three Management Methods

    Command and Control
    Turn the machine on, turn it on

    Econ 101
    Developer: “You call that a bug?”,
    Tester: “Yep”, ...

    Identity


    http://cntt.tv/nodes/show/25
    http://joelonsoftware.com/items/2006/08/07.html

    Export the MySQL processlist to a file

    mysql -u username -p -h mysql_hostname -e "show full processlist;" >processlist.txt

    The systems guy

    Being a systems guy is really rough

    The server is overloaded the whole day

    When an error hits, you dive head first into fixing it

    Only at night do you notice your head is spinning

    dedicated to the systems guys at my company

    The bug fixer

    The bug fixer's life is quite a scene

    Emails keep arriving the whole day long

    When an error hits, you rush in to fix it

    At night your head just keeps on spinning

    Run a command at a given time

    at 20:30 today

    type the commands to run

    Ctrl + D to finish

    Monday, April 12, 2010

    PHP command line progress bar

    http://brian.moonspot.net/php-progress-bar

    Video demo: http://www.screencast.com/users/brianlmoon/folders/Jing/media/822d9970-a6a3-4071-bdc6-1303cce9800a

    10 Things I Wish I Knew as a Web Programmer 10 Years Ago

    http://www.montanaprogrammer.com/php-web-programming/10-things-web-programmers-should-know/

    MySQL Query Optimization

    http://www.informit.com/articles/article.aspx?p=377652

    Watch out for this SQL mistake

    Usually only the cases where the user enters ' or " get handled, because those show up as errors, while nobody notices that entering anc\ can cause an error too.

    2009-11-24 21:09:57; Err_Code: 256; Err_Str: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'verified'' at line 1;;;SELECT * FROM member WHERE Username='g\' AND auth_code='verified'; Err_File: /home/vieclam24h/public_html/ladybirdphp/fw24h/driver/mysql.php; Err_Line: 18
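As an added example (my own code, not from the original post or the framework in the log line), the following shows why stripping only quote characters is not enough, and the two ways to handle the input correctly. The trailing backslash in the logged query escapes the closing quote, so MySQL sees an unterminated string; a prepared statement keeps the value out of the SQL text entirely. It assumes a connected mysqli object and the mysqlnd driver (for get_result()); function names are mine.

```php
<?php
// Added example: the quote-only filter from the post versus proper handling.

/**
 * The mistake: splice user input into the SQL after removing only quotes.
 * A username of  g\  leaves a backslash right before the closing quote, so
 * MySQL reads  ...Username='g\' AND auth_code='verified'  as one unterminated
 * string, which is exactly the syntax error in the log line above.
 */
function build_query_naive($username, $authCode)
{
    $username = str_replace(array("'", '"'), '', $username);  // incomplete filter
    $authCode = str_replace(array("'", '"'), '', $authCode);
    return "SELECT * FROM member WHERE Username='$username' AND auth_code='$authCode'";
}

/**
 * The fix: never build SQL from user input. A prepared statement sends the
 * values separately from the query text, so quotes, backslashes and NUL bytes
 * in the input are plain data. $db is an open mysqli connection (assumed).
 */
function find_member(mysqli $db, $username, $authCode)
{
    $stmt = $db->prepare('SELECT * FROM member WHERE Username = ? AND auth_code = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('ss', $username, $authCode);
    $stmt->execute();
    $result = $stmt->get_result();          // needs mysqlnd (assumption)
    $row = $result ? $result->fetch_assoc() : null;
    $stmt->close();
    return $row;
}

/**
 * Legacy code that must keep building strings should at least use the
 * connection-aware escaper, which doubles the backslash as well as quoting
 * the quote characters (and respects the connection's character set).
 */
function build_query_escaped(mysqli $db, $username, $authCode)
{
    $u = $db->real_escape_string($username);
    $c = $db->real_escape_string($authCode);
    return "SELECT * FROM member WHERE Username='$u' AND auth_code='$c'";
}

// Reproduce the broken query from the log with the naive builder:
echo build_query_naive('g\\', 'verified'), "\n";
```

The point for the error handler in the log is the same: a syntax error caused by user input is a sign that the input is reaching the SQL text unescaped, not a corner case to filter one character at a time.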

    Top 20+ MySQL Best Practices

    http://net.tutsplus.com/tutorials/other/top-20-mysql-best-practices/

    Counting clicks

    http://abhinavsingh.com/blog/2009/12/how-to-use-locks-in-php-cron-jobs-to-avoid-cron-overlaps/

    Or use this approach:
    pick a random number and increment a key derived from that random number

    e.g. to count clicks for ID 30
    $id = 30;
    $rand = rand(0,10);
    $a[$id.'-'.$rand]++;

    then use cron to merge the values.

    Advantage: no need to lock the variable.
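The random-key counter written out as an added example (my own code, not from the post). A plain PHP array stands in for whatever shared store the site really uses (APC, memcached, a table); the key scheme is the one from the post, and the merge step is the part the cron job would run. Names are my own.

```php
<?php
// Added example: sharded click counter with a cron-side merge.

const SHARDS = 10;   // rand(0, SHARDS) => SHARDS + 1 slots per id, as in the post

/**
 * Hot path. Writers spread over many keys, so no single key is contended and
 * no application-level lock is needed. Each increment must still be atomic in
 * the real store (apc_inc(), memcached increment(), UPDATE ... +1, ...);
 * the array here is only a stand-in.
 */
function record_click(array &$store, $id)
{
    $key = $id . '-' . rand(0, SHARDS);
    if (!isset($store[$key])) {
        $store[$key] = 0;
    }
    $store[$key]++;
    return $key;
}

/**
 * Cron path. Fold every "<id>-<shard>" slot into a per-id total and reset the
 * slots. Returns array(id => clicks) for this run; the caller persists it
 * (e.g. UPDATE ... SET clicks = clicks + ?). Keys that do not match the
 * scheme are ignored so the store can hold other data as well.
 */
function merge_clicks(array &$store)
{
    $totals = array();
    foreach ($store as $key => $count) {
        if (!preg_match('/^(\d+)-(\d+)$/', $key, $m)) {
            continue;
        }
        $id = (int) $m[1];
        $totals[$id] = (isset($totals[$id]) ? $totals[$id] : 0) + $count;
        $store[$key] = 0;
    }
    return $totals;
}

// Constructed sample run: 1000 clicks on id 30, 250 on id 31.
$store = array();
for ($i = 0; $i < 1000; $i++) {
    record_click($store, 30);
}
for ($i = 0; $i < 250; $i++) {
    record_click($store, 31);
}
$totals = merge_clicks($store);
printf("id 30: %d clicks, id 31: %d clicks, slots in use: %d\n",
       $totals[30], $totals[31], count($store));
```

One caveat the post leaves out: in a real store, "read then set to 0" is two operations, and clicks landing between them are lost. Use the store's atomic decrement with the value just read instead of a reset, and the merge stays lock-free without dropping counts.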

    Load-test MySQL with a large number of connections from a client

    for i in `seq 1 1500` ; do mysql -uusername -ppassword -h172.16.1.110 -P4040 -e "exit"; done ;

    Things Caches Do

    http://tomayko.com/writings/things-caches-do

    Create a new connection to the database when an old connection already exists

    $link = mysql_connect('localhost', 'mysql_user', 'mysql_password', true);

    In many cases the connection has to be recreated, for example when the script runs for a very long time,
    especially from the command line

    function _connect() {
        // without the new_link argument, mysql_connect() hands back the cached (possibly dead) link
        $this->link = mysql_connect( $this->host, $this->user, $this->pass) or die( mysql_error( $this->link));
        mysql_select_db( $this->db_name, $this->link);
    }

    When execution reaches the mysql_select_db line it reports "MySQL server has gone away", even though a new connection call was made just above.

    The reason is that although the connection function was called, no new connection was actually created:

    If a second call is made to mysql_connect() with the same arguments, no new link will be established, but instead, the link identifier of the already opened link will be returned. The new_link parameter modifies this behavior and makes mysql_connect() always open a new link, even if mysql_connect() was called before with the same parameters. In SQL safe mode, this parameter is ignored.
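As an added example (my own code, not from the post), a small connection holder that really does open a fresh link when the old one has died, for exactly the long-running CLI case described above. It is written against mysqli rather than the mysql_* functions in the post, since those were removed in PHP 7; with mysqli every `new mysqli(...)` is a separate link, so there is no cached-link surprise to begin with. Credentials are placeholders and the class name is mine.

```php
<?php
// Added example: reconnect-on-demand wrapper for long-running scripts.

class Db
{
    private $host, $user, $pass, $name;
    /** @var mysqli|null */
    private $link = null;

    public function __construct($host, $user, $pass, $name)
    {
        $this->host = $host;
        $this->user = $user;
        $this->pass = $pass;
        $this->name = $name;
    }

    /** Always opens a NEW connection, closing any old handle first. */
    private function connect()
    {
        if ($this->link !== null) {
            @$this->link->close();
        }
        $link = @new mysqli($this->host, $this->user, $this->pass, $this->name);
        if ($link->connect_errno) {
            throw new RuntimeException('connect failed: ' . $link->connect_error);
        }
        $this->link = $link;
        return $link;
    }

    /**
     * Hand back a live link. After a long pause the server may have closed the
     * connection (wait_timeout), which later surfaces as "MySQL server has gone
     * away"; ping() notices that up front and we reconnect instead of failing.
     */
    public function link()
    {
        if ($this->link === null || !@$this->link->ping()) {
            return $this->connect();
        }
        return $this->link;
    }

    /** Run a query, retrying once after a reconnect if the link was dead. */
    public function query($sql)
    {
        $res = $this->link()->query($sql);
        if ($res === false && $this->link->errno === 2006) {   // CR_SERVER_GONE_ERROR
            $res = $this->connect()->query($sql);
        }
        return $res;
    }
}

// Usage in a long-running CLI job (placeholder credentials):
// $db = new Db('localhost', 'mysql_user', 'mysql_password', 'app_db');
// foreach ($jobs as $job) {
//     $db->query("UPDATE jobs SET done = 1 WHERE id = " . (int) $job);
//     sleep(600);
// }
```

The retry in query() only repeats the statement when the failure was the "gone away" error, so a genuinely failing statement is not silently run twice on a fresh connection.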

    Moving the blog

    Decided to move blog.phpquiz.net over to Google,

    installing and tweaking it myself was too tiring, and I didn't use it all that much anyway.

    Leaving it here for an easy life

    read stuff

    http://tomayko.com/writings/

    Sunday, April 11, 2010

    Count how many errors appeared in a day using the log file

    grep "2010-04-12" runtime-error.log | wc -l

    SVN keywords used in a file header

    /**
    * SVN FILE: $Id: fw24h.js 46 2008-10-30 07:52:17Z dungpt $
    *
    * $Author: dungpt $
    * $Revision: 46 $
    * $Date: 2008-10-30 14:52:17 +0700 (Thu, 30 Oct 2008) $
    * $LastChangedBy: dungpt $
    * $LastChangedDate: 2008-10-30 14:52:17 +0700 (Thu, 30 Oct 2008) $
    * $URL: http://192.168.1.10/svn_code24h/js/fw24h.js $
    *
    */

    Keywords that can be expanded: Date Author Id Copyright Revision LastChangedBy LastChangedDate License URL

    Enable them on the files (here, all .php files in the current directory):
    svn propset svn:keywords "Date Author Id Copyright Revision LastChangedBy LastChangedDate License URL" *.php

    Howto paste HTML/PHP code on blogspot

    http://francois.schnell.free.fr/tools/BloggerPaste/BloggerPaste.html

    Howto paste HTML/PHP code on blogspot

    There are many ways to do this, but one of the simplest is to use francois.schnell.free.fr/tools/BloggerPaste/BloggerPaste.html.
    Happy pasting!

    Get the quarter from a given date

    Easy way to get the numeric representation of a quarter from a date passed as parameter.

    <?php
    /**
    * quarterByDate()
    *
    * Return numeric representation of a quarter from passed free-form date.
    *
    * @param mixed $date
    * @return integer
    */
    function quarterByDate($date)
    {
        // months 1-3 => 1, 4-6 => 2, 7-9 => 3, 10-12 => 4
        // (dividing by 3.1 instead of 3 keeps months 3, 6 and 9 in the lower quarter)
        return (int)floor(date('m', strtotime($date)) / 3.1) + 1;
    }
    ?>

    Example:

    <?php
    $quarter = quarterByDate(date('Y-m-d')); // current quarter. For 2009-08-29 will be "3"
    $quarter = quarterByDate('2009-12');     // will be "4"
    $quarter = quarterByDate('March');       // will be "1"
    ?>

    I hope it will be useful.

    Best regards,
    S_P_E_C

    Syncing data between MySQL 4 and 5

    Yes, it works: right now the mst.24h machine is on MySQL4 while the slaves are on MySQL5

    only the other way round doesn't work --> then you have to upgrade to the same version.


    On 4/7/2010 2:23 PM, Nguyen Tuan Anh-TTCN wrote:
    Hi DũngNT,
    Dũng, can I ask you: if the master machine runs mysql4 and the slave runs mysql5, can database replication be set up?

    Deploying a separate server for decoupled services

    Pros:
    reduces the load on the main server

    Cons:
    updated data may not be accurate

    Alternatively, when updating, the data can be fetched from the server that holds it.