Categories
Software Development System Administration

Security Weekly: The State Of Healthcare Security

Security Weekly episode 479 has an interesting section about the State of Healthcare Security.


The most interesting question is how we as a sector are going to convince people to buy new equipment every 3 to 5 years, or how we can make something that will last at least 20 to 30 years.

Categories
Software Development

Using :nth-child from CSS3

As I wrote in a previous posting about PHPUnit, the time has come to rewrite an application that is now mainly functional into an object-oriented model, so that standardized unit testing becomes easier and is not a one-project solution. One of the first goals is to separate the presentation layer from the application layer.

To complete this goal, the first requirement is to see which browser versions need to be supported. Based on the numbers from w3schools.com it is safe to say that the majority of both Mozilla Firefox and Google Chrome users follow the latest version. For Microsoft Internet Explorer it is a different story, as IE8 is the last possible version on Windows XP and the out-of-the-box version for Windows 7. The numbers for IE8 have been declining for months now, and Microsoft has started to push IE10 out to customers. For now I will select IE9 features when implementing Cascading Style Sheets, and those features also need to be supported by the previously released versions of Firefox and Chrome.

While moving a lot of inline style sheet information into a separate file, I also found the odd and even row coloring code. This code assigns a different style sheet class to the rows in question, but with CSS level 3 the pseudo-class selector :nth-child exists, so this can now be done in the presentation layer, making the application layer lighter. A style sheet file that defines the correct tr:nth-child(even) and tr:nth-child(odd) pseudo-classes will do the trick.

tbody tr:nth-child(odd) {
    background: rgb(255,255,255);
}
 
tbody tr:nth-child(even) {
    background: rgb(245,245,245);
}

The following HTML tags are now completely clean, and generating the correct colors is done by the web browser. This saves expensive server-side execution time and precious bandwidth, both resulting in a quicker response for the user.

(Rendered example table with two rows, "Odd" and "Even", colored by the style sheet above.)

As this is the first step in separating the presentation layer from the application layer, it is also a step that can take a while, due to checking whether everything still works and looks correct. The next step may be even more daunting, as it requires the separation of creating HTML tags and business logic. As it looks now, I will be moving everything into a PHP version of CGI.pm, known from Perl.

Categories
Software Development

PHPUnit, a beginning

One of my goals for this year is to write more secure code and make my current code more secure. Secure is a very broad concept, so let’s start with getting up to speed and reach Evaluation Assurance Level 1, where the code needs to be functionally tested. In essence this means that functions need to produce certain results under set conditions. Unit testing is a method for this, and while it has its limitations, like only being able to test classes, it also has its potential, such as running time after time in the background or during a nightly batch job, which is one of the requirements for Evaluation Assurance Level 2.

As a first project I chose a PHP project to be rewritten from a functional to an object-oriented setup, to make it more extendable and maintainable, but also easier to test with PHPUnit. After writing a basic PHP class I started to experiment with PHPUnit, and after a few hours of experimenting I got 9 checks, of which 8 were successful after a while.

$ phpunit
PHPUnit 3.6.10 by Sebastian Bergmann.

I........

Time: 1 second, Memory: 3.00Mb

OK, but incomplete or skipped tests!
Tests: 9, Assertions: 8, Incomplete: 1.

While these are the very basics for now, I will be posting examples in the coming weeks, and also how to set up PHPUnit for other projects. Hopefully this series will also inspire others to join in and make their code more secure and future proof.
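To show where a run like the one above comes from, here is an added example (not code from the original post) of a small class and a PHPUnit 3.6-style test case for it; the Account class, its username rule and the test names are assumptions. One incomplete test is enough to produce the "I" and the "OK, but incomplete or skipped tests!" summary.

```php
<?php
// Added example, not from the original post: a small class under test and a
// PHPUnit 3.6-style test case. The Account class and its rule are assumptions.
class Account
{
    private $username;

    public function __construct($username)
    {
        // Constructed rule: 3 to 32 lower-case letters, digits or underscores.
        if (!preg_match('/^[a-z0-9_]{3,32}$/', $username)) {
            throw new InvalidArgumentException('invalid username');
        }
        $this->username = $username;
    }

    public function getUsername()
    {
        return $this->username;
    }
}

class AccountTest extends PHPUnit_Framework_TestCase
{
    // Functional check: a set input produces the expected result.
    public function testValidUsernameIsStored()
    {
        $account = new Account('alice_01');
        $this->assertEquals('alice_01', $account->getUsername());
    }

    // Functional check of the failure path: input outside the rule must
    // raise instead of being stored.
    /**
     * @expectedException InvalidArgumentException
     */
    public function testInvalidUsernameIsRejected()
    {
        new Account('alice smith');
    }

    // Shows up as "I" in the runner output and turns the summary line into
    // "OK, but incomplete or skipped tests!" until it is written.
    public function testPasswordHashing()
    {
        $this->markTestIncomplete('not implemented yet');
    }
}
```

Run it with `phpunit AccountTest.php`; the class under test sits in the same file here only to keep the example self-contained.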

Categories
Software Development

Starting to stop SQL-injections, part 2

In a previous posting, I gave an example of how to make database queries safer by using parameter binding, basically stopping SQL injections. The next step is to make the code more readable and maintainable. This doesn’t sound like a priority for secure software development, but readable code is also code that can be verified and maintained by other people. It gives you the edge to debug problems quickly and invites others to supply patches. So let’s take the example where the previous posting ended.

$sth = $dbh->prepare('select userid from accounts where username = ?');
$sth->execute(array($form_username));

For one or two parameters this may work, but when queries become bigger you need to start counting, and counting beyond three is a bad idea in most cases. So let’s replace the question mark with a named variable, called ‘:username‘ in this example. One could then use the function bindParam() to specify which named variable needs to be replaced, which has additional features, but in this example we use the standard binding during the execute phase.

$sth = $dbh->prepare('select userid from accounts where username = :username');
$sth->execute(array(':username'=>$form_username));

Please remember to use a named variable only once in a SQL query, as it will only be replaced once and not multiple times.
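As an added example (not code from the original post), the named binding above carried through to a query with more than one parameter, plus the once-only rule from the last paragraph applied to a value that is needed twice. $dbh, the accounts table and the userid and username columns follow the post; the email column, the in-memory SQLite database, the sample row and the function names are assumptions.

```php
<?php
// Added example, not from the original post. $dbh, the accounts table and
// the userid/username columns follow the post; the email column, the SQLite
// sample database, the sample row and the function names are assumptions.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Constructed sample data so the script runs offline.
$dbh->exec('create table accounts (userid integer primary key, username text, email text)');
$dbh->exec("insert into accounts (username, email) values ('alice', 'alice@example.org')");

// The statement is prepared first and the values are bound by name afterwards,
// so the driver never parses form input as SQL. With several parameters the
// names stay readable where counting '?' positions would not.
function findUserId(PDO $dbh, $form_username, $form_email)
{
    $sth = $dbh->prepare(
        'select userid from accounts where username = :username and email = :email'
    );
    $sth->execute(array(':username' => $form_username, ':email' => $form_email));
    $row = $sth->fetch(PDO::FETCH_ASSOC);
    return $row ? (int) $row['userid'] : null;
}

// A named variable is replaced only once, so when the same form value is
// needed in two places the query gets two names and the value is passed twice.
function findUserIdByNameOrEmail(PDO $dbh, $form_value)
{
    $sth = $dbh->prepare(
        'select userid from accounts where username = :by_name or email = :by_email'
    );
    $sth->execute(array(':by_name' => $form_value, ':by_email' => $form_value));
    $row = $sth->fetch(PDO::FETCH_ASSOC);
    return $row ? (int) $row['userid'] : null;
}

// Both lookups find the constructed sample row; a value that matches nothing
// (including one containing quotes) simply returns null.
var_dump(findUserId($dbh, 'alice', 'alice@example.org'));
var_dump(findUserIdByNameOrEmail($dbh, 'alice@example.org'));
var_dump(findUserIdByNameOrEmail($dbh, "o'brien"));
```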

Categories
Software Development

Wanting real schema support in MySQL

While upgrading WordPress to the latest version, some database modifications were also required, and this is where I start hating MySQL again, even more than before. I really hope that MySQL will get support for schemas like PostgreSQL or Oracle have, but it appears that MySQL has painted itself into a corner. And before some will say that MySQL has it: the create schema function is only an alias for create database.

Therein lies a problem, as I don’t want to create a new database for every new instance of an application. Others suggest using a prefix for the tables, but this means I need to know the prefix in advance before creating and/or altering tables. This is nice when you have two or three instances, but there it stops. I want a single set of commands and to just switch from schema to schema and apply the patches without any additional scripting that changes prefixes.

So you have the choice of creating a “database” for every instance, which will just create another directory with database files. Or you need to use a prefix, but then you’re limited to a maximum of 64 characters for the complete table name. If you do replication it may even need to be shorter than that, if I may believe the MySQL fora. I can only hope that some applications will get decent PostgreSQL support or that Oracle will give MySQL real schema support, but I doubt they will do that.