Categories
Software Development

PHP 7.3 and forbidden functions

Last month PHP 7.3.0 was released, and with it a lot of functions and aliases were deprecated, which may lead to issues down the road. While Xdebug has not yet been released for PHP 7.3, an automated test on GitLab isn't possible, as the build phase of Xdebug fails. Luckily I'm using PHP Code Sniffer, and extending phpcs.xml.dist with the lines below already makes the build fail if any of the forbidden functions are used in the code.

    <!-- Ban some functions -->
    <rule ref="Generic.PHP.ForbiddenFunctions">
        <properties>
            <property name="forbiddenFunctions" type="array">
                <!-- Deprecated Features 7.0, https://secure.php.net/manual/en/migration70.deprecated.php -->
                <element key="ldap_sort" value="null"/>
                <!-- Deprecated Features 7.1, https://secure.php.net/manual/en/migration71.deprecated.php -->
                <!-- Deprecated Features 7.2, https://secure.php.net/manual/en/migration72.deprecated.php -->
                <element key="create_function" value="null"/>
                <element key="each" value="null"/>
                <element key="gmp_random" value="null"/>
                <element key="read_exif_data" value="exif_read_data"/>
                <element key="png2wbmp" value="null"/>
                <element key="jpeg2wbmp" value="null"/>
                <element key="__autoload" value="null"/>
                <!-- Deprecated Features 7.3, https://secure.php.net/manual/en/migration73.deprecated.php -->
                <!-- Searching Strings for non-string Needle -->
                <element key="strpos" value="chr"/>
                <element key="strrpos" value="chr"/>
                <element key="stripos" value="chr"/>
                <element key="strstr" value="chr"/>
                <element key="stristr" value="chr"/>
                <element key="strchr" value="chr"/>
                <element key="strrchr" value="chr"/>
                <!-- Strip-Tags Streaming -->
                <element key="fgetss" value="fgets"/>
                <element key="gzgetss" value="gzgets"/>
                <!-- Image Processing and GD -->
                <element key="image2wbmp" value="imagewbmp"/>
                <!-- Multibyte String -->
                <element key="mbregex_encoding" value="mb_regex_encoding"/>
                <element key="mbereg" value="mb_ereg"/>
                <element key="mberegi" value="mb_eregi"/>
                <element key="mbereg_replace" value="mb_ereg_replace"/>
                <element key="mberegi_replace" value="mb_eregi_replace"/>
                <element key="mbsplit" value="mb_split"/>
                <element key="mbereg_match" value="mb_ereg_match"/>
                <element key="mbereg_search" value="mb_ereg_search"/>
                <element key="mbereg_search_pos" value="mb_ereg_search_pos"/>
                <element key="mbereg_search_regs" value="mb_ereg_search_regs"/>
                <element key="mbereg_search_init" value="mb_ereg_search_init"/>
                <element key="mbereg_search_getregs" value="mb_ereg_search_getregs"/>
                <element key="mbereg_search_getpos" value="mb_ereg_search_getpos"/>
                <element key="mbereg_search_setpos" value="mb_ereg_search_setpos"/>
            </property>
        </properties>
    </rule>

Hopefully PHP Code Sniffer will be extended to check for deprecated constants as well, but for now all code running on PHP 7.2 can be checked to run smoothly on PHP 7.3 and later.
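What the sniff above flags and what the value column suggests instead, as an added example that is not part of the original post: each function is written in the form that passes the sniff on PHP 7.3, with the deprecated call it replaces kept in a comment.

```php
<?php
// Added example, not from the original post: replacements for a few of the
// functions the ForbiddenFunctions list above bans. The deprecated calls
// appear only in comments so this file itself passes the sniff.

// 7.3: strpos() and friends with a non-string needle. Before, strpos($s, 65)
// silently searched for chr(65); that is why the entries above suggest chr.
function findLetterA(string $haystack)
{
    return strpos($haystack, chr(65));   // explicit: search for "A"
}

// 7.2: each() is deprecated; iterate with foreach instead.
function sumValues(array $values): int
{
    $total = 0;
    foreach ($values as $value) {        // was: while (list(, $value) = each($values))
        $total += $value;
    }
    return $total;
}

// 7.2: create_function() built code from strings (an eval in disguise);
// a closure does the same job without runtime code generation.
function makeMultiplier(int $factor): callable
{
    return function (int $x) use ($factor): int {   // was: create_function('$x', "return \$x * $factor;")
        return $x * $factor;
    };
}

// 7.3: fgetss() is deprecated; read the line and strip the tags yourself.
function readLineWithoutTags($handle)
{
    $line = fgets($handle);              // was: fgetss($handle)
    return $line === false ? false : strip_tags($line);
}

var_dump(findLetterA('PHP 7.3 ABC'));
var_dump(sumValues([1, 2, 3]));
var_dump(makeMultiplier(3)(7));
$fh = fopen('php://memory', 'r+');       // constructed input stream
fwrite($fh, "<b>bold</b> text\n");
rewind($fh);
var_dump(readLineWithoutTags($fh));
```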

Using :nth-child from CSS3

As written in a previous posting about PHPUnit, the time has come to rewrite an application that is now mainly functional into an object oriented model, as standardized unit testing then becomes easier and not a one-project solution. One of the first goals is to separate the presentation layer from the application layer.

To complete this goal the first requirement is to see which browser versions need to be supported. Based on the numbers from w3schools.com it is safe to say that the majority of both Mozilla Firefox and Google Chrome users follow the latest version. For Microsoft Internet Explorer it is a different story, as IE8 is the last possible version on Windows XP and the out-of-the-box version for Windows 7. The numbers for IE8 have been declining for months now and Microsoft has started to push IE10 out to customers. For now I will select IE9 features when implementing Cascading Style Sheets, and those features also need to be supported by the previously released version of Firefox and Chrome.

While moving a lot of inline style sheet information into a separate file, I also found the odd and even row coloring code. This code assigns a different style sheet class to the rows in question, but with CSS level 3 the pseudo-class selector :nth-child exists, so this can now be done in the presentation layer, making the application layer lighter. So a style sheet file that defines the correct tr:nth-child(even) and tr:nth-child(odd) pseudo-classes will do the trick.

tbody tr:nth-child(odd) {
    background: rgb(255,255,255);
}
 
tbody tr:nth-child(even) {
    background: rgb(245,245,245);
}

The following HTML-tags are now completely clean, and generating the correct colors is done by the web browser, saving expensive server-side execution time and precious bandwidth, both resulting in a quicker response for the user.

<table>
    <tbody>
        <tr><td>Odd</td></tr>
        <tr><td>Even</td></tr>
    </tbody>
</table>

As this is the first step to separate the presentation layer from the application layer, it is also a step that can take a while due to checking that everything still works and looks correct. The next step may be even more daunting, as it requires the separation of creating HTML-tags from business logic. As it looks now I will be moving everything into a PHP version of CGI.pm known from Perl.

PHPUnit, a beginning

One of my goals for this year is to write more secure code and make my current code more secure. Secure is a very broad concept, so let's start with getting up to speed and reaching Evaluation Assurance Level 1, where the code needs to be functionally tested. This in essence means that functions need to produce certain results under set conditions. Unit testing is a method for this, and while it has its limitations, like only being able to test classes, it also has its potential, such as running time after time in the background or during a nightly batch job, one of the requirements for Evaluation Assurance Level 2.

As a first project I chose a PHP project to be rewritten from a functional to an object oriented setup, to make it more extendable and maintainable but also easier to test with PHPUnit. After writing a basic PHP class I started to experiment with PHPUnit, and after a few hours of experimenting I got 9 checks, of which after a while 8 were successful.

$ phpunit
PHPUnit 3.6.10 by Sebastian Bergmann.

I........

Time: 1 second, Memory: 3.00Mb

OK, but incomplete or skipped tests!
Tests: 9, Assertions: 8, Incomplete: 1.

While these are the very basics for now, I will be posting examples in the coming weeks and also how to set up PHPUnit for other projects. Hopefully this series will also inspire others to join and make their code more secure and future proof.

Starting to stop SQL-injections, part 2

In a previous posting I gave an example of how to make database queries safer by using parameter binding, basically stopping SQL-injections. The next step is to make the code more readable and maintainable. This doesn't sound like a priority for secure software development, but readable code is also code that can be verified and maintained by other people. It gives you the edge to debug problems quickly and invites others to supply patches. So let's take the example where the previous posting ended.

$sth = $dbh->prepare('select userid from accounts where username = ?');
$sth->execute(array($form_username));

For one or two parameters this may work, but when queries become bigger you need to start counting, and counting beyond three is a bad idea in most cases. So let's replace the question mark with a named variable, called ':username' in this example. One could then use the function bindParam() to specify which named variable needs to be replaced, which has additional features, but in this example we use the standard binding in the execute phase.

$sth = $dbh->prepare('select userid from accounts where username = :username');
$sth->execute(array(':username'=>$form_username));

Please remember to use a named variable only once in a SQL-query as it will only be replaced one time and not multiple times.

Starting to stop SQL-injections

In a lot of PHP examples strings are concatenated before a database query is executed, as below. Some examples advise using the PHP functions mysql_real_escape_string() and/or addslashes() to make the database query safe against SQL-injections. But this isn't really a solution, as using addslashes() also requires the use of stripslashes() after retrieving data from the database. Some sites show the lack of a proper implementation and display the famous \' string on a web page.

$sth = $dbh->prepare('select userid from accounts where username = "'.$form_username.'"');
$sth->execute();

Like Perl with DBI, PHP has PDO, which allows variables to be parameterized while executing a query, as in the example below. This removes the need for homemade solutions that don't cover all use-cases and provides a stable and more secure interface for your applications when communicating with databases.

$sth = $dbh->prepare('select userid from accounts where username = ?');
$sth->execute(array($form_username));

This doesn't remove the need for sanitizing variables such as input from users.
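The concatenated query from this posting next to the positional and named bindings from part 2, as an added example that is not code from the original posts: it runs against a constructed in-memory SQLite database, and the table, rows and hostile input are made up for the demonstration.

```php
<?php
// Added example, not from the original postings: the three query styles from
// these two posts, run against a constructed in-memory SQLite database so the
// difference in behaviour can be compared offline. The concatenated query uses
// single quotes for the string literal, as most databases expect.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('create table accounts (userid integer primary key, username text)');
$dbh->exec("insert into accounts (username) values ('alice'), ('bob')");

// Constructed hostile input: closes the string literal and appends an
// always-true condition.
$form_username = "nobody' or '1'='1";

// Concatenation: the input becomes SQL text, the WHERE clause is rewritten
// and every userid in the table comes back.
$sth = $dbh->prepare("select userid from accounts where username = '" . $form_username . "'");
$sth->execute();
$viaConcatenation = $sth->fetchAll(PDO::FETCH_COLUMN);

// Positional binding: the same input is sent as a value, never parsed as
// SQL, so no account matches.
$sth = $dbh->prepare('select userid from accounts where username = ?');
$sth->execute(array($form_username));
$viaPositional = $sth->fetchAll(PDO::FETCH_COLUMN);

// Named binding: identical protection, and the key documents which value
// goes where once a query grows beyond a couple of parameters.
function findUserId(PDO $dbh, string $username)
{
    $sth = $dbh->prepare('select userid from accounts where username = :username');
    $sth->execute(array(':username' => $username));
    $userid = $sth->fetchColumn();
    return $userid === false ? null : (int) $userid;
}

printf("concatenated: %s\n", implode(',', $viaConcatenation) ?: '(no rows)');
printf("positional:   %s\n", implode(',', $viaPositional) ?: '(no rows)');
printf("named, bob:   %s\n", var_export(findUserId($dbh, 'bob'), true));
printf("named, input: %s\n", var_export(findUserId($dbh, $form_username), true));
```

The concatenated query returns both accounts, while both bound variants return nothing for the hostile input and the named lookup still finds bob by name.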