Since PHP 5.1.2 the hash() function is enabled by default. To create a SHA-256 hash you simply write:
hash("sha256", $data, false);
There you have your sha256 hash!
SQL injections are common nowadays, and plenty of sites get hacked because of insecure database calls.
Making your code bulletproof against injections is hard and takes time, but making safer calls is essential and doesn't take long.
So, what is a SQL injection?
To clarify it, I will give a very easy example:
A database may look something like this:
ID | USERNAME | PASSWORD
When you make a call to that database your query can look something like this:
SELECT * FROM database_name WHERE id = '2'
So far no problems. But when you code it, it will be something like this (the insecure way):
$sql = "SELECT * FROM database_name WHERE id = '".$_POST['id']."'";
If you make that query with an id that is "2", there will be no problem, but if the id is changed to something else, you will get problems.
What if $_POST['id'] contained something like: ' or 1=1-- ?
The query would now be:
$sql = "SELECT * FROM database_name WHERE id = '' or 1=1--";
That would automatically select every row, since "or 1=1" is always true.
That was a very short description of what a SQL injection is. So how can we prevent it without using PDO? PDO may be the most secure way, but it requires more knowledge too.
Three lines of code will secure your code against the most common injections and make it a lot harder to inject and hack your site. One of these lines also takes care of XSS attacks:
$_POST = array_map("htmlspecialchars", $_POST); # Will secure from XSS
$_POST = array_map("trim", $_POST); # Remove spaces before and after posts
$_POST = array_map("mysql_real_escape_string", $_POST); # Protects from most known SQL injections
Just add these lines to your top include file and your $_POST will always be protected from the most common SQL injections. It is one easy way of securing your web applications a little further.
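To make the difference concrete, here is an added example (not code from the original post) that builds the same id lookup three ways: the concatenation from the post, an integer cast, and a prepared statement with the mysqli extension that ships with PHP, so no PDO is needed. The table name "users" and its integer "id" column are assumptions; the first two functions only build the query string, so no database is required to see what happens to the input.

```php
<?php
// Added example (not from the original post). Assumes a table "users" with an
// integer "id" column.

// 1. The insecure concatenation from the post. Fed the input the post describes
//    (' or 1=1--), it yields a query whose WHERE clause is always true.
function insecureQuery(string $id): string
{
    return "SELECT * FROM users WHERE id = '" . $id . "'";
}

// 2. Cheapest fix when the value must be a number: cast it. Anything that is
//    not a number becomes 0, so no quote or comment marker can reach the SQL.
function castQuery(string $id): string
{
    return "SELECT * FROM users WHERE id = " . (int) $id;
}

// 3. Prepared statement with mysqli. The value travels separately from the
//    query text, so it can never change the shape of the query.
//    get_result() needs the mysqlnd driver, which is the default build.
function preparedLookup(mysqli $db, string $id): ?array
{
    $stmt = $db->prepare("SELECT * FROM users WHERE id = ?");
    if ($stmt === false) {
        return null;                     // syntax error or connection problem
    }
    $idInt = (int) $id;                  // bind_param needs a variable
    $stmt->bind_param("i", $idInt);      // "i": send as integer
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// The input from the post: the first query is left wide open, the second is not.
$input = "' or 1=1--";
echo insecureQuery($input), PHP_EOL;
echo castQuery($input), PHP_EOL;
```

Run it from the command line to see the two query strings side by side; only preparedLookup() needs a live mysqli connection.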
Google recently released a new REST API which replaces their old SOAP API (for which they haven't given out keys since 2006).
This is very good news for those who want to do search queries server-side.
Documentation: http://code.google.com/apis/ajaxsearch/doc…entation/#fonje
Video: http://google-code-updates.blogspot.com/20…om-outside.html
Here's some PHP code showing how to use this API:
<?php
$url = "http://ajax.googleapis.com/ajax/services/search/web?v=1.0&q=Hello%20World";
// sendRequest
// note how referer is set manually
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_REFERER, "http://www.knark.com");
$body = curl_exec($ch);
curl_close($ch);
// now, process the JSON string
$json = json_decode($body);
// now have some fun with the results…
?>
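The snippet above trusts every step to succeed. Here is an added example (not the post's code) that makes the same request but builds the query string with http_build_query, so a user-supplied search term cannot add or override parameters, and checks each point where the call can fail before the page touches the result. The endpoint and referer are the ones from the post; the timeout value and the fetchJson name are my own choices.

```php
<?php
// Added example, not the post's code: same request with every failure checked.

function fetchJson(string $baseUrl, array $params, string $referer): ?array
{
    // http_build_query percent-encodes each value, so a search term such as
    // "a&v=2" stays a single parameter instead of rewriting the URL.
    $url = $baseUrl . '?' . http_build_query($params);

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_REFERER, $referer);
    curl_setopt($ch, CURLOPT_TIMEOUT, 10);           // do not hang the page on a slow upstream
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false); // stay on the host we asked for
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $err    = curl_errno($ch);
    curl_close($ch);

    if ($err !== 0 || $body === false || $status !== 200) {
        return null;   // transport or HTTP failure: the caller decides what to show
    }

    $json = json_decode($body, true);  // true: associative arrays instead of objects
    if (!is_array($json)) {
        return null;   // not JSON, or truncated JSON
    }
    return $json;
}

$result = fetchJson(
    'http://ajax.googleapis.com/ajax/services/search/web',
    ['v' => '1.0', 'q' => 'Hello World'],
    'http://www.knark.com'
);

if ($result === null) {
    echo "search unavailable\n";
} else {
    // Upstream data is escaped before it is written into HTML.
    echo htmlspecialchars(json_encode($result), ENT_QUOTES, 'UTF-8');
}
```

Returning null on every failure keeps the "what went wrong" decision in one place; the calling page shows a neutral message instead of echoing whatever the upstream server sent.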
Here’s a compilation of some very funny and very geeky pictures! Have fun!
Yeah right!
Prepare!
Watch out!
Or not?
shitty:D
Haha.. Basic algebra you know!
Print this and use for your own safety;) 
Insert where?

Remember to first google, then ask!

Based on ascii-characters, pretty nice.

Handbag for your wife? Or maybe not..:D

I wonder if Bill Gates uses this one ;)

…. But this is even more scary
And the grandé finale..
Tavis Ormandy is the guy from the Google Security Team who "makes it happen".
He's a researcher on the Google Security Team and faces the unpleasant responsibility of making sure all of Google's products pass the security tests. Tavis is also an open-source contributor, working as co-lead of the Gentoo Security Team as well. He is one of the faces who should keep the Gentoo Linux distribution safe.
In September 2006, Tavis reported vulnerabilities in the gunzip decompressor on behalf of Google. Here is the link to the report made by Tavis: http://www.scary.beasts.org/security/tavis_gzip.txt
He has also discovered lots of other vulnerabilities, such as the PCRE (Perl Compatible Regular Expressions) and Perl Unicode regular expression buffer overflows. Links to these can be found here: (PCRE) (UNICODE)
Summary: We should be glad of Tavis' work, since he is making the web and its servers safer by contributing and telling the software creators before making the exploits public.
Here’s some collected links that can be interesting:
Tavis Ormandy’s blog
Secwatch profile
Milw0rm profile
Since a couple of Sweden's largest sites got hacked and the passwords are floating around the internet, we thought we would write a small guide on how not to make the same mistake those people made: not using any salt. So, first of all, what is an MD5 hash?
MD5 stands for Message-Digest algorithm 5 and produces a 128-bit hash value. An MD5 hash is typically written as a 32-character hexadecimal number. At first, cracking MD5 hashes was a problem, but since then something called a "rainbow table" has appeared, which can crack MD5 hashes easily. So, what do we do to protect ourselves against those rainbow tables? Use something called a "salt". The reason you have to add a salt is that lots of people use passwords such as "mydamncatsname" or "ilovejesus"; the hashes of such words have already been generated, and if you compare your database's password hashes against the generated list, you will find out which passwords are in your database. If you instead have a salt such as "fsjlk4u9pfs", the string being hashed becomes ilovejesusfsjlk4u9pfs or something similar, which no dictionary is likely to contain.
So how to implement this salt then? Does it involve some tremendous programming effort? No. It’s the easiest thing you can do.
To simplify this, here's a code snippet of how a salt works.
<?php
$salt = "kfoe56";
$hash = md5($salt.$password);
?>
That is a static salt, which is better than nothing, but not nearly as good as a dynamic salt. There is no reason to use a static salt, since a dynamic salt is not any harder to create.
A dynamic salt can be something that uses the userid or something like that. This is a pretty good example of how a dynamic salt can be used:
<?php
$salt = $userid;
$hash = md5($salt.md5($password.$salt));
?>
The time to crack that password is by far longer than for a plain hash.
So please, use some damn salt when you store your users passwords.
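Here is an added example, not code from the post, that carries the per-user salt idea one step further: instead of the user id (which an attacker who has the table also has), the salt is 16 random bytes from the CSPRNG, stored next to the hash, and the hash is SHA-256 from the hash() function the first post mentions. The function names, the column names "salt" and "hash", and the sample passwords are my own; random_bytes() and hash_equals() need PHP 7 and PHP 5.6 respectively.

```php
<?php
// Added example (not the post's code): random per-user salt stored with the hash.
// Assumes the user row has two text columns, "salt" and "hash".

function makePasswordRecord(string $password): array
{
    $salt = bin2hex(random_bytes(16));           // 128-bit random salt, hex encoded
    $hash = hash('sha256', $salt . $password);
    return ['salt' => $salt, 'hash' => $hash];   // store both with the user
}

function checkPassword(string $password, array $record): bool
{
    $candidate = hash('sha256', $record['salt'] . $password);
    // hash_equals compares in constant time, so response timing does not leak
    // how many leading bytes of the stored hash matched.
    return hash_equals($record['hash'], $candidate);
}

// Two users with the same password get different hashes, so one precomputed
// table (or one cracked account) says nothing about the other.
$alice = makePasswordRecord('ilovejesus');
$bob   = makePasswordRecord('ilovejesus');
var_dump($alice['hash'] !== $bob['hash']);
var_dump(checkPassword('ilovejesus', $alice));
var_dump(checkPassword('ilovejesusfsjlk4u9pfs', $alice));
```

Since PHP 5.5 the language also ships password_hash() and password_verify(), which generate and store the salt for you and use a deliberately slow hash; where they are available they are the better choice, but the record-per-user layout above is the same idea the post is recommending.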
If you lack inspiration, as everyone sometimes does, try checking out the clips we have collected here. Here's our top 5 of inspirational speeches, in no particular order (since it's impossible to rank them). By the way, please comment with any other inspirational or motivational speech and we will add it as well!
Any given sunday speech, Al Pacino
Apple ad, “here’s to the crazy ones”
Steve Jobs, Apple, at Stanford University
Braveheart speech, Mel Gibson
Michael Jordan failure ad by Nike
Autistic basketball player makes it
Independence day speech, Bill Pullman
Armageddon president speech
This is a slideshow from John Buckman, the founder of Magnatune. It is based on the "fact" that employees suck. A very nice slideshow for entrepreneurial people:
It’s called “Employees suck”