Archive for Programming

FREE: Whatsthetide.com Premium Membership

So, how do you sign up? Easy: simply link to whatsthetide.com from your website, and send me the link.

And I’ll generate you a juicy serial! :)

Oh… and prizes for who can crack my serial algorithm! (Probably best not to bother with this one!)

It’s FREE… It’s Easy… It’s EasyGPS! But it doesn’t export to KML!

After doing a lot of mapping, say 500 points on my GPS, I needed a way to get them off my GPS. Doing it by hand? Are you crazy, or just really, really technophobic? So after purchasing a cable off eBay for a few bucks, and not sure if Garmin’s software required a license, I downloaded the free software EasyGPS. Great, I thought, until I noticed that it only exported to GPX format, and I could only copy and paste internally within the application. Well, thank god they aren’t Microsoft[1][2][3][4][5][6][7][8] and used XML [properly]. So I built a GPX2KML Converter. Questions, comments and suggestions are welcome; leave them in the comments.

Bad Behavior doesn’t follow RFC 2616!

Have a look at this source code:

// Lowercase via is used by open proxies/referrer spammers
// Exceptions: Clearswift uses lowercase via (refuses to fix;
// may be blocked again in the future)
if (array_key_exists('via', $package['headers']) &&
    !strstr($package['headers']['via'], 'Clearswift Web Policy Engine')) {
    return "9c9e4979";
}

Hm….

4.2 Message Headers

   HTTP header fields, which include general-header (section 4.5),
   request-header (section 5.3), response-header (section 6.2), and
   entity-header (section 7.1) fields, follow the same generic format as
   that given in Section 3.1 of RFC 822 [9]. Each header field consists
   of a name followed by a colon (":") and the field value. Field names
   are case-insensitive.

Well, it seems that Clearswift, Coral CDN, etc. are getting blocked because of this…

If you use Bad Behavior, let me know your experiences with it, and if this is affecting you, you might want to contact them.
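To show why a rule keyed on header-name case fails in both directions, here is an added example (my own code, not Bad Behavior’s). It parses raw header lines two ways, case-preserving and RFC 2616-style normalised, and runs the quoted rule over both. The function names and the two sample requests are constructed for the demonstration; the post says Coral CDN emits the name in lowercase, so the first sample models that.

```php
<?php
// Added example, not Bad Behavior's own code. Models the quoted rule against a header
// table built the RFC 2616 way (names compared case-insensitively) to show why the
// lowercase-"via" heuristic fails both ways. Names and sample requests are constructed.

/**
 * Parse raw header lines into name => value. With $normalize, names are lowercased,
 * which is what RFC 2616 4.2 ("field names are case-insensitive") requires of a parser;
 * without it, the table keeps whatever case the client chose to send.
 */
function parse_headers($raw, $normalize = true)
{
    $headers = [];
    foreach (preg_split("/\r?\n/", trim($raw)) as $line) {
        if (strpos($line, ':') === false) {
            continue;                                  // not a header line
        }
        list($name, $value) = explode(':', $line, 2);
        $name = trim($name);
        $headers[$normalize ? strtolower($name) : $name] = trim($value);
    }
    return $headers;
}

/** The quoted Bad Behavior rule, same logic: flag a literal lowercase "via" key. */
function lowercase_via_rule(array $headers)
{
    return array_key_exists('via', $headers) &&
        !strstr($headers['via'], 'Clearswift Web Policy Engine');
}

// Constructed requests: a compliant proxy that emits the name in lowercase,
// and a spammer who simply capitalised the V.
$proxyRequest = "Host: example.com\r\nvia: 1.1 cache-node\r\nUser-Agent: Mozilla/5.0\r\n";
$spamRequest  = "Host: example.com\r\nVia: 1.1 open-proxy\r\nUser-Agent: Mozilla/5.0\r\n";

// Case-preserving table, as the rule assumes: the proxy is blocked, the spammer is not.
$blockedProxy = lowercase_via_rule(parse_headers($proxyRequest, false));
$blockedSpam  = lowercase_via_rule(parse_headers($spamRequest, false));
if (!$blockedProxy || $blockedSpam) {
    throw new RuntimeException('case-sensitive rule should block the proxy and pass the spammer');
}

// RFC-compliant table: both requests now carry a "via" key, so the rule can no longer
// tell them apart. Header-name case is under the sender's control and carries no signal.
$bothFlagged = lowercase_via_rule(parse_headers($proxyRequest)) &&
               lowercase_via_rule(parse_headers($spamRequest));
if (!$bothFlagged) {
    throw new RuntimeException('normalised names should make both requests look alike');
}
echo "case-sensitive rule: false positive on a compliant proxy, evaded by a capitalised Via\n";
```

The point of the second half is that once names are compared the way the RFC says they must be, the rule degenerates to "block anything behind a proxy": whatever signal it was meant to capture has to come from somewhere other than the case of the header name.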

Dealing with HTTP Proxies via cURL

Today I needed to use curl, but this time via an HTTP proxy that required authentication:

// tunnel through the proxy with an HTTP CONNECT request instead of asking the proxy to fetch the URL
curl_setopt($ch, CURLOPT_HTTPPROXYTUNNEL, 1);
// host:port of the proxy
curl_setopt($ch, CURLOPT_PROXY, 'proxy.mybusiness.null:8080');
// credentials for the proxy itself, not for the target site
curl_setopt($ch, CURLOPT_PROXYUSERPWD, 'user:password');

Easy, huh? Just add those three lines before you call curl_exec().

Steven.

Solution: Do Not Rely Solely On Modsecurity To Block Attacks.

Stefan Esser of the Hardened-PHP Project posted a security advisory about a flaw in ModSecurity: a POST data NULL byte rule bypass.

The problem is that rules can be bypassed by adding NULL bytes to POST data sent with the application/x-www-form-urlencoded media type.

Now the funny part:

SOLUTION:
Do not rely solely on ModSecurity to block attacks.

ModSecurity isn’t a magical anti-hack solution, and the people who use it know that. It’s kinda stating a very obvious fix. How about “turn off scripting”? :) [IE]
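The bug class behind the advisory is worth seeing in code, so here is an added example (mine, not ModSecurity’s code and not the advisory’s proof of concept). It is a simplified model: a filter that reads each form value as a C string, stopping at the first NUL byte, versus the PHP application, whose strings are binary-safe and therefore see the whole value. The rule pattern, function names and the two request bodies are constructed for the demonstration.

```php
<?php
// Added example, a simplified model of the NUL-byte bypass class, not ModSecurity's code.
// The filter and application decode the same body; only the filter stops at "\0".
// Rule pattern, function names and sample bodies are constructed.

/** Decode an application/x-www-form-urlencoded body into name => value, binary-safe. */
function decode_form($body)
{
    $fields = [];
    foreach (explode('&', $body) as $pair) {
        if ($pair === '') {
            continue;
        }
        $parts = explode('=', $pair, 2);
        $name  = urldecode($parts[0]);
        $value = isset($parts[1]) ? urldecode($parts[1]) : '';
        $fields[$name] = $value;                   // "%00" becomes a literal NUL inside the string
    }
    return $fields;
}

/** What a C-string consumer sees: everything up to the first NUL. */
function as_c_string($s)
{
    $nul = strpos($s, "\0");
    return $nul === false ? $s : substr($s, 0, $nul);
}

const SCRIPT_RULE = '/<script/i';                 // stand-in for a WAF rule

/** Flawed filter: inspects each value through C-string glasses. */
function filter_flawed($body)
{
    foreach (decode_form($body) as $value) {
        if (preg_match(SCRIPT_RULE, as_c_string($value))) {
            return true;                           // blocked
        }
    }
    return false;
}

/** Hardened filter: refuse NUL bytes outright, then match on the full binary-safe value. */
function filter_hardened($body)
{
    foreach (decode_form($body) as $value) {
        if (strpos($value, "\0") !== false) {
            return true;                           // a NUL has no business in a form field
        }
        if (preg_match(SCRIPT_RULE, $value)) {
            return true;
        }
    }
    return false;
}

/** The application's own view: does the comment field carry a script tag? */
function app_sees_script($body)
{
    $fields = decode_form($body);
    return isset($fields['comment']) && preg_match(SCRIPT_RULE, $fields['comment']) === 1;
}

// Constructed bodies: the second one only differs by a leading %00 in the value.
$plain  = 'comment=<script>alert(1)</script>';
$evaded = 'comment=%00<script>alert(1)</script>';

if (!filter_flawed($plain)) {
    throw new RuntimeException('the flawed filter should still catch the undisguised payload');
}
if (filter_flawed($evaded) || !app_sees_script($evaded)) {
    throw new RuntimeException('expected the NUL to blind the filter while the app sees the script');
}
if (!filter_hardened($evaded)) {
    throw new RuntimeException('the hardened filter should reject the NUL byte');
}
echo "flawed filter passed the %00 payload; the application still received the <script> tag\n";
```

The last check is the practical lesson in the advisory’s one-line solution: whatever sits in front of the application must decode input with the same semantics the application uses, and the application must still validate its own input as though the filter were not there.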

Steven.

Comment Spam Presentation at Sydney PHP Group

Yesterday I made another presentation at the Sydney PHP Group February Meeting.

This time about dealing with comment spam.

For those who are interested, my slides are in S5 format (XHTML + CSS + JavaScript).

PHP Security Presentation at Sydney PHP Group

Yesterday I made a presentation at the Sydney PHP Group February Meeting.

For those who are interested, my slides are in S5 format (XHTML + CSS + JavaScript).

Styling Readonly and Disabled Inputs in Forms using CSS.

No preamble needed…

Readonly:

*[readonly]        { /* CSS for all nodes with readonly attribute */ }
input[readonly]    { /* CSS for input nodes with readonly attribute */ }
textarea[readonly] { /* CSS for textarea nodes with readonly attribute */ }
select[readonly]   { /* CSS for select nodes with readonly attribute */ }

Disabled:

*[disabled]        { /* CSS for all nodes with disabled attribute */ }
input[disabled]    { /* CSS for input nodes with disabled attribute */ }
textarea[disabled] { /* CSS for textarea nodes with disabled attribute */ }
select[disabled]   { /* CSS for select nodes with disabled attribute */ }

Notes:
The attribute selectors match on the presence of the attribute, whatever its value, so all of these forms work:
readonly="[anything]"
readonly
disabled="[anything]"
disabled

Steven

I am a Zend Certified Engineer!

Well, I finally made some time to go down to the testing centre. And I passed, becoming a Zend Certified Engineer!

HTTP Authentication with PHP running as CGI

While developing a project using two-factor authentication with a key fob, I needed to use HTTP Basic Authentication over SSL, to prevent XSS, as the project was a web-based proxy. Now I had PHP5 running as a module, but PHP4 as CGI. There was the problem: HTTP Authentication isn’t available under PHP running as CGI.

First you need to configure mod_rewrite:

.htaccess:

RewriteEngine on
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]

What that will do is copy the raw Authorization header (the string "Basic " followed by the base64-encoded user:pass) into an environment variable named HTTP_AUTHORIZATION, which PHP then exposes as $_SERVER['HTTP_AUTHORIZATION']. The detour is needed because Apache does not pass the Authorization header through to CGI scripts, while mod_rewrite can still read it with %{HTTP:Authorization}.

Then just add this above your script:

if (isset($_SERVER['HTTP_AUTHORIZATION']) && stripos($_SERVER['HTTP_AUTHORIZATION'], 'Basic ') === 0) // only when a Basic header was sent
    list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = array_pad(explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)), 2), 2, ''); // split on the first colon only

That fills in $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] from the header, so the rest of the script behaves as if PHP were running as a module. The guard matters: if the header is absent, an unconditional split would set PHP_AUTH_USER to an empty string, and the isset() check below would never issue the 401 challenge. The limit of 2 on explode() keeps passwords that contain a colon intact.
So for a sample script:

<?php
// split the user/pass parts, but only when a Basic Authorization header actually arrived;
// splitting an absent header would set PHP_AUTH_USER to '' and the prompt below would never appear
if (isset($_SERVER['HTTP_AUTHORIZATION']) && stripos($_SERVER['HTTP_AUTHORIZATION'], 'Basic ') === 0) {
    // limit explode() to 2 parts: the password may itself contain a colon
    list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) =
        array_pad(explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)), 2), 2, '');
}

// open a user/pass prompt
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="My Realm"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Text to send if user hits Cancel button';
    exit;
} else {
    // demo output only: echoing a password back is not something to keep in real code
    echo 'Hello, ' . htmlentities($_SERVER['PHP_AUTH_USER']) . "\n";
    echo 'You entered as your password: ' . htmlentities($_SERVER['PHP_AUTH_PW']) . "\n";
}
?>
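Because everything after the mod_rewrite trick rests on parsing that one header, here is an added example of doing it defensively (my code, not the sample above). It rejects a missing header, a non-Basic scheme, non-base64 payloads and a missing colon, accepts the scheme name in any case, keeps colons inside the password, and verifies against a stored password_hash() rather than a plaintext compare. The function names, the user table and the four sample $_SERVER arrays are constructed for the demonstration; it needs PHP 5.5 or later for password_hash()/password_verify().

```php
<?php
// Added example, not the post's code: parse and verify an HTTP Basic Authorization header
// as it arrives in $_SERVER['HTTP_AUTHORIZATION'] via the mod_rewrite rule above.
// Function names, the user table and the sample $_SERVER arrays are constructed.

/**
 * Returns ['user' => ..., 'pass' => ...], or null when no usable Basic credentials were sent.
 */
function parse_basic_auth(array $server)
{
    if (!isset($server['HTTP_AUTHORIZATION'])) {
        return null;                                   // nothing sent: caller must issue the 401
    }
    $header = trim($server['HTTP_AUTHORIZATION']);

    // the scheme token is case-insensitive, so "basic" and "BASIC" must be accepted too
    if (strncasecmp($header, 'Basic ', 6) !== 0) {
        return null;                                   // Digest, Bearer or junk: not ours to decode
    }

    // strict mode makes base64_decode() return false on characters outside the alphabet
    $decoded = base64_decode(trim(substr($header, 6)), true);
    if ($decoded === false) {
        return null;
    }

    // user-id:password, split on the FIRST colon only: the password may contain colons
    $pos = strpos($decoded, ':');
    if ($pos === false) {
        return null;                                   // no separator at all is malformed
    }
    return ['user' => substr($decoded, 0, $pos), 'pass' => substr($decoded, $pos + 1)];
}

/**
 * Verify against $users, a map of user-id => password_hash() output. An unknown user is
 * checked against a dummy hash so the slow verify step runs either way.
 */
function check_basic_auth(array $server, array $users)
{
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('dummy', PASSWORD_DEFAULT);
    }
    $creds = parse_basic_auth($server);
    if ($creds === null) {
        return false;
    }
    $known = isset($users[$creds['user']]);
    $hash  = $known ? $users[$creds['user']] : $dummy;
    return password_verify($creds['pass'], $hash) && $known;
}

// Constructed user table and request environments, shaped the way mod_rewrite fills $_SERVER.
$users = ['alice' => password_hash('s3cret:with:colons', PASSWORD_DEFAULT)];

$good  = ['HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('alice:s3cret:with:colons')];
$noHdr = [];                                                         // first request, no header yet
$wrong = ['HTTP_AUTHORIZATION' => 'basic ' . base64_encode('alice:nope')];  // lowercase scheme, bad password
$junk  = ['HTTP_AUTHORIZATION' => 'Basic %%%not-base64%%%'];

if (!check_basic_auth($good, $users)) {
    throw new RuntimeException('valid credentials with a colon in the password should pass');
}
if (check_basic_auth($noHdr, $users) || check_basic_auth($wrong, $users) || check_basic_auth($junk, $users)) {
    throw new RuntimeException('missing header, wrong password and bad base64 must all be refused');
}
if (parse_basic_auth($wrong) === null) {
    throw new RuntimeException('a lowercase scheme name should still be parsed');
}
echo "basic auth parsing: colons in passwords kept, missing/invalid headers refused\n";
```

When parse_basic_auth() returns null the script should send the WWW-Authenticate challenge exactly as the sample above does; when check_basic_auth() returns false for a header that was present, send the challenge again rather than a 403, so the browser re-prompts.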

Steven
