PHP & Web Development Blogs

In his talk, “Writing Viruses for Fun, Not Profit,”Ben Dechrai (after making the viewer take a pledge to only use this knowledge for good and not evil) walks through how many viruses operate, and just how easy it is to build your own self-replicating virus in PHP.

The danger of many of these viruses according to Ben is that the most dangerous viruses often escape detection by not looking like a virus. Instead they encrypt their code to hide their true intent, while also constantly adapting and evolving.

Perhaps even more dangerously, they act like they’re benign and don’t actually do anything - often times laying dormant until called upon by the malicious actor.

Creating the Virus

What’s scary is just how simple it was for Ben to create such a virus, one that mutated ever so slightly as it infected every other file on the server. Opening up unlimited possibilities from scraping customer data, to DDOS attacks, to simply hijacking your domain.



But those attacks are just the start as Ben demonstrated how easy it is to write new files, delete files, eval() and execute foreign code - which could even be extended to accessing the underlying server itself if shell_exec() is enabled.

To add to the problem, Ben shares how challenging it can be to identify malicious code on your server as many of these attacks are far more sophisticated than the the virus he created in a matter of minutes - hiding themselves and often appearing as if they are part of the original source code.

Deploying the Virus

To drive his point home, Ben demonstrates how even seemingly secure systems can be vulnerable - as all it takes is one tiny misstep within your application.

He highlights this by building what should be a secure photo gallery - one that checks the extension and mime-type of the image - and even stores it outside of the public directory. He goes even farther by adding additional sanity checks with a PHP script that then renders the image.

After walking through the code and it’s security features, he then downloads a simple image from the internet. Opening his editor he quickly injects the virus (written in PHP) into the image and uploads it, passing all of the server checks.

Surely, since it passed these checks the system is secure, right? Ben loads the gallery to proudly show off the image - which is just that… an image, with nothing special or out of the ordinary.
Except that when he opens the image gallery files, each has been infected with the malicious code.

The culprit that allowed for Ben to hijack an entire system and execute foreign code, create new files, and even hijack the entire site? When displaying the image the file was included using PHP’s include() function, instead of pulling in the data using file_get_contents() and echoing it out.

Such a simple mistake provided Ben, if he was a malicious hacker, complete access to all of the files on the system.

Protecting Yourself

Security always exists in layers - and this could have been prevented by including a few more layers, such as using an open source library to rewrite the image, reviewing the image source before pulling it in, or again not giving it executable access by using the PHP include() function.

But what’s terrifying is how simple it is to hijack a site, how easy it is to get access to your system and private data, and how easy it is to overlook security vulnerabilities - especially with open source tooling and those that take plugins.

As Ben explains, sometimes the core code itself is really secure, but then you get two different plugins that when used together accidentally create a security vulnerability. That by itself is one of the most challenging as you can audit each plugin individually, and still not know you’re opening up your system to malicious actors.

This is why it's not just important to stay up to date on the latest security measures and best practices, but to be constantly thinking like a hacker and testing your code for vulnerabilities.

Learn More

You can watch thefull video to learn more how viruses operate, how to quickly build your own PHP virus (but you must promise to use it for good), and what to watch for in order to protect yourself, your customers, and your architecture.

Welcome back! If you’re new to this series have a look at Part 1 here

Today’s focus is on templating, the aesthetic that will make or break your web application.

Having a clean design with well defined CSS that’s responsive and user friendly goes a long way.

Developers often stick to their lane but delving into templating will bode in your favor, you can indeed
create a functional and launch-worthy application all on your own!

Let’s jump into it!

Structured structure

Everything you tackle should be found with ease down the line. Therefore careful planning is fundamental to the success and sustainability of your project. You’ll also find that clearly defining your work lends itself to more productivity overall as you spend less that explaining your work during a handover / looking for a specific piece of code or resource. You’ll probably end up spending more time on actual work.
Finding your own unique pattern with file structure and CSS identifiers will also work in your favor as something unique to your process will most likely be easier to remember and form a tactile relationship with.

Our project’s current structure looks like this:



>If you need to backtrack, Part 1 is a great place to start!

In part 1, we created our index.php which displays info from our database.

Let’s take this a step further and create a header and a footer for our index.php

Create a file called header.php and save this to your includes folder.

Next, create a file called footer.php and save this to your includes folder.

Your file structure should now look like this.

A header above all the rest

The header file will be a file we reuse throughout your web application. This file will contain important information that’s vital to the functionality and aesthetic of your website.
The type of info you’ll expect to see in a header.php file:
Script includes
Such as JQuery and important libraries
CSS includes
CSS files loaded from internal or external sources
Meta information
Contains important information that’s readable by search engines.
The basic structure of the beginning of your app, including your menu, and your logo.
For now, how header is going to have a basic layout.

Let’s get our HTML on!

<html>
<head>
<title>My Awesome CMS – Page Title</title>
</head>
<body>

A footer that sets the bar

Create a file called footer.php and save it to your includes folder (yourcms/includes/footer.php).

Add this code to your new file.

</body>
</html>

Next, let’s focus on the gravy… The CSS

CSS, when written beautifully, can truly set you apart.

You can tell your web application to load various styles to specific elements by defining unique identifiers.
Styles that are only used once are denoted with a # (a CSS “ID”) whereas styles that are reused multiple times are denoted with a . (a CSS “class”)

The best way to delve into the realm of CSS is to learn by experience.

Let’s create!

First, we need to create and load our CSS file. Remember our nifty new pal header.php? This created a convenient way to load our CSS file!

Add the following code to your header.php just above the </head> tag.

<link href=”../assets/css/style.css” type=”text/css” rel=”stylesheet”/> 

The ../ in the link to our stylesheet means we have to leave the current directory (the directory that header.php is in) and look for the assets/css/ directories.

Go ahead and create the css folder under your assets folder.

Next we’re going to create some simple CSS to test things out.

It’s time to add some style!

We are going to create two divs.
A div is a divider / section in HTML.
Add this to your index.php (located in your CMS’ root folder) above the <?php tag.

<div id="myfirstid"></div>
<div class="myfirstclass"></div>
<div class="myfirstclass"></div>
<div class="myfirstclass"></div>
<div class="myfirstclass"></div>
<div class="myfirstclass"></div>

Then, create a CSS file

Add this:

#myfirstid{
Background:lightblue;
Font-family:Arial;
Font-size:44px; 
Font-weight: Bold; 
}
.myfirstclass{
Font-size:15px;
Color: darkblue;
}

Save your newly created CSS to assets/css/ as style.css.

Pulling it all together, let’s see what we can do!

Let’s apply what we just learned to our index.php. But first, we should add our header.php and footer.php files.

Including everyone

Add this to the top of your index.php file:

include(‘includes/header.php’);

Remove the <divs> we used for practice earlier, we have something better in store!

Add this to the bottom of your index.php:

include(‘includes/footer.php’);

Next, let’s modify our code so we can add some style to the data we retrieve from our database.

Modify the following line:

foreach($getmydata as $mydata){ echo "Title: "; echo $mydata['title']; echo "<br/>"; echo "Content: "; echo $mydata['content']; echo "<br/>"; echo "Author: "; echo $mydata['author']; echo "<br/>"; echo "<br/>";

as follows:

?>

<div id=”myfirstid”>
<?php
foreach($getmydata as $mydata){
echo "<div class=”myfirstclass”>Title: "; 
echo $mydata['title']; 
echo "<br/>"; 
echo "Content: "; 
echo $mydata['content']; 
echo "<br/>"; 
echo "Author: "; 
echo $mydata['author']; 
echo "</div><br/><br/>";
}?>
</div>
<?php 

Your full index.php should now look like this:

<?php
include('includes/header.php');
include('includes/conn.php');

if ($letsconnect -> connect_errno) { echo "Error " . $letsconnect -> connect_error;

}else{

$getmydata=$letsconnect -> query("SELECT * FROM content");

?>
<div id="myfirstid">
<?php
foreach($getmydata as $mydata){
echo "<div class=”myfirstclass”>Title: "; 
echo $mydata['title']; 
echo "<br/>"; 
echo "Content: "; 
echo $mydata['content']; 
echo "<br/>"; 
echo "Author: "; 
echo $mydata['author']; 
echo "</div><br/><br/>";
}
?>
</div>
<?php 
}

$letsconnect -> close();
include('includes/footer.php');
?>

Go ahead, test it out!

There’s a lot to unpack and I will break things down a little more during our next tutorial!

Challenge

Study the final index.php and try to form a few theories about why closing a php tag is necessary before adding raw html.

Next Up: #CodeWithMe Part 4: Building A Good Base

In the realm of web development, the Model-View-Controller (MVC) architectural pattern stands as one of the most influential paradigms. It provides a structured approach to designing web applications, promoting modularity, scalability, and maintainability. In this guide, we'll delve into the MVC framework in PHP, exploring its key components, principles, and benefits.

Understanding MVC Architecture:

MVC separates an application into three interconnected components, each with its distinct responsibility:

Model: The model represents the application's data and business logic. It encapsulates the data structure, database interactions, and validation rules. In MVC, the model is responsible for managing data persistence and state.

View: The view is responsible for presenting data to the user in a visually appealing format. It encompasses the HTML markup, CSS styling, and client-side scripting necessary to render the user interface. Views are typically passive components that receive data from the controller and display it to the user.

Controller: The controller acts as an intermediary between the model and the view. It processes user requests, invokes the appropriate methods in the model to retrieve or manipulate data, and selects the appropriate view to render the response. Controllers handle user input, orchestrate business logic, and coordinate the flow of data between the model and the view.

Implementing MVC Framework in PHP:

PHP offers a robust foundation for building MVC-based web applications. Let's explore how to implement each component of the MVC pattern in PHP:

Model:

In PHP, models typically represent data entities and interact with the database. They encapsulate data access logic and provide methods for querying, inserting, updating, and deleting records. Here's a simplified example of a model class:

class User { 
 public function getUserById($userId) { 
 } 

 public function updateUser($userId, $userData) { 
 }

}

View:

Views in PHP are responsible for generating HTML markup to render the user interface. They receive data from the controller and use it to dynamically generate the content displayed to the user. Views can include HTML templates with embedded PHP code or utilize template engines for better separation of concerns. Here's a basic example of a view:

<!DOCTYPE html>

<html>

<head> <title>User Profile</title>

</head>

<body> <h1>Welcome, <?php echo $user['username']; ?>!</h1> <p>Email: <?php echo $user['email']; ?></p>

</body>

</html>

Controller:

Controllers in PHP handle user requests, process input data, and interact with models to retrieve or manipulate data. They select the appropriate view to render the response and pass data to the view for presentation. Controllers are responsible for defining application routes and managing the overall application flow. Here's an example of a controller method:

class UserController { 
 public function profile($userId) { 
 $userModel = new User(); 
$userData = $userModel->getUserById($userId); 

include 'views/profile.php'; 
 }
}

Benefits of MVC Framework in PHP:

Separation of Concerns: MVC promotes a clear separation of concerns, making it easier to manage code complexity and maintainability.

Modularity: Components in MVC are modular and reusable, allowing developers to build and extend applications more efficiently.

Testability: With distinct components, it becomes easier to write unit tests for models, views, and controllers independently.

Scalability: MVC facilitates the scalability of web applications by enabling developers to add new features or modify existing ones without impacting other parts of the system.

Conclusion:

The MVC framework in PHP provides a robust architectural pattern for building scalable and maintainable web applications. By separating concerns into models, views, and controllers, developers can organize code more effectively, enhance testability, and streamline the development process. Whether you're building a simple blog or a complex enterprise application, leveraging the MVC pattern in PHP can significantly improve the quality and maintainability of your codebase.

In modern software architecture, developers are constantly exploring new paradigms to enhance the performance, scalability, and maintainability of their applications. One such architectural pattern gaining popularity is Command Query Responsibility Segregation (CQRS). CQRS separates the responsibility of handling read and write operations, offering numerous benefits in complex systems. In this article, we'll delve into CQRS and explore its implementation in PHP.

What is CQRS?

CQRS, coined by Greg Young, is an architectural pattern that segregates the responsibility for handling read and write operations in a system. In traditional CRUD-based architectures, the same model is often used for both reading and writing data. However, CQRS advocates for a clear distinction between commands (write operations that modify state) and queries (read operations that retrieve data).

Key Concepts of CQRS:
   

. Command: Commands represent actions that modify the state of the system. They encapsulate the intent to perform an operation, such as creating, updating, or deleting data.
   
. Query: Queries retrieve data from the system without modifying its state. They are read-only operations used to fetch information for presentation or analysis.
   
. Command Handler: Responsible for processing commands by executing the necessary business logic and updating the system's state accordingly.
   
. Query Handler: Handles queries by retrieving data from the appropriate data source and returning the results to the caller.
   
. Separate Models: CQRS often involves maintaining separate models for commands and queries. This allows each model to be optimized for its specific use case, leading to improved performance and scalability.

Implementing CQRS in PHP:

Implementing CQRS in PHP involves structuring your application to separate command and query responsibilities effectively. Here's a high-level overview of how to implement CQRS in PHP:

1. Define Commands and Queries:

Start by defining the commands and queries your application will support. Commands should encapsulate actions that modify state, while queries should retrieve data.

class CreateProductCommand {
 public $name;
 public $price;
}

class GetProductQuery {
 public $productId;
}

2. Create Command and Query Handlers:

Next, implement handlers for processing commands and queries. Command handlers execute the necessary business logic to fulfill the command, while query handlers retrieve data based on the query criteria.

class CreateProductCommandHandler {
 public function handle(CreateProductCommand $command) {
 }
}

class GetProductQueryHandler {
 public function handle(GetProductQuery $query) {
 }
}

3. Use Separate Models:

Maintain separate models for commands and queries to optimize each for its specific purpose. This separation allows you to design models tailored to the needs of write and read operations.

class Product {
 public $name;
 public $price;
}

class ProductView {
 public $name;
 public $price;
}

4. Wiring Everything Together:

Finally, wire up your command and query handlers to the appropriate endpoints or controllers in your application. Dispatch commands to their respective handlers and invoke query handlers to retrieve data.

$command = new CreateProductCommand();
$command->name = "Example Product";
$command->price = 99.99;

$handler = new CreateProductCommandHandler();
$handler->handle($command);

$query = new GetProductQuery();
$query->productId = 123;

$handler = new GetProductQueryHandler();
$product = $handler->handle($query);

Benefits of CQRS in PHP:

-Improved Scalability: Separating read and write operations allows you to scale each independently based on demand.

-Enhanced Performance: Optimizing models and handlers for specific tasks can lead to improved performance and responsiveness.

-Simplified Maintenance: Clear separation of concerns makes the codebase easier to understand, maintain, and extend over time.

-Flexibility: CQRS enables flexibility in choosing the most suitable data storage and retrieval mechanisms for different use cases.

Conclusion:

CQRS is a powerful architectural pattern that offers numerous advantages for building complex and scalable PHP applications. By segregating command and query responsibilities, developers can achieve better performance, scalability, and maintainability in their systems. While implementing CQRS in PHP requires careful planning and design, the benefits it provides make it a compelling choice for projects requiring high performance and flexibility.

In today's digital age, where data breaches and cyber attacks are increasingly prevalent, safeguarding sensitive information is paramount. Cryptography, the art of secure communication, plays a crucial role in ensuring data confidentiality, integrity, and authenticity. Implementing cryptography in PHP, one of the most widely used server-side scripting languages, offers a robust means to protect your data. In this guide, we'll explore how to utilize cryptography effectively in PHP to enhance the security of your applications.

Understanding Cryptography Basics

Before diving into PHP implementations, it's essential to grasp the fundamental concepts of cryptography. At its core, cryptography involves techniques for encrypting plaintext data into ciphertext to conceal its meaning from unauthorized parties. Key aspects of cryptography include:
   
. Encryption: The process of converting plaintext data into ciphertext using an algorithm and a secret key. This ciphertext can only be decrypted back to its original form using the appropriate decryption key.
   
. Decryption: The reverse process of encryption, where ciphertext is transformed back into plaintext using the decryption algorithm and the correct key.
   
. Symmetric Encryption: A type of encryption where the same key is used for both encryption and decryption. Examples include AES (Advanced Encryption Standard) and DES (Data Encryption Standard).
   
. Asymmetric Encryption: Also known as public-key cryptography, it involves a pair of keys: a public key for encryption and a private key for decryption. RSA and ECC (Elliptic Curve Cryptography) are common asymmetric encryption algorithms.

Implementing Cryptography in PHP

PHP provides robust cryptographic functions through its OpenSSL and Mcrypt extensions, allowing developers to implement various encryption techniques easily. Here's a step-by-step guide on how to perform common cryptographic operations in PHP:

1. Symmetric Encryption

<?php
$encryptionKey = openssl_random_pseudo_bytes(32);

$plaintext = "Sensitive data to encrypt";
$ciphertext = openssl_encrypt($plaintext, 'aes-256-cbc', $encryptionKey, 0, $iv);

$decryptedText = openssl_decrypt($ciphertext, 'aes-256-cbc', $encryptionKey, 0, $iv);

echo $decryptedText;
?>

2. Asymmetric Encryption

<?php
$config = array(
 "digest_alg" => "sha512",
 "private_key_bits" => 4096,
 "private_key_type" => OPENSSL_KEYTYPE_RSA,
);
$keyPair = openssl_pkey_new($config);

openssl_pkey_export($keyPair, $privateKey);
$publicKey = openssl_pkey_get_details($keyPair)["key"];

$plaintext = "Confidential message";
openssl_public_encrypt($plaintext, $encrypted, $publicKey);

openssl_private_decrypt($encrypted, $decrypted, $privateKey);

echo $decrypted;
?>

Best Practices for Cryptography in PHP

While implementing cryptography in PHP, it's essential to adhere to best practices to ensure maximum security:
   
. Use Strong Algorithms: Always use widely recognized cryptographic algorithms like AES for symmetric encryption and RSA for asymmetric encryption.
   
. Key Management: Safeguard encryption keys carefully. Utilize secure key management practices, such as storing keys in secure vaults and rotating them regularly.
   
. Data Integrity: Implement mechanisms to verify data integrity, such as HMAC (Hash-based Message Authentication Code), to detect tampering attempts.
   
. Secure Communication: When transmitting encrypted data over networks, use secure protocols like HTTPS to prevent eavesdropping and man-in-the-middle attacks.
   
. Stay Updated: Keep PHP and cryptographic libraries up to date to patch any security vulnerabilities and ensure compatibility with the latest cryptographic standards.

By following these guidelines and leveraging the cryptographic capabilities of PHP, developers can strengthen the security posture of their applications and protect sensitive data from unauthorized access. Remember, effective cryptography is not just about encryption but also encompasses key management, integrity verification, and secure communication practices. With diligence and proper implementation, PHP can be a powerful tool for building secure and resilient systems in today's digital landscape.