Sunday, June 21, 2009

Web Security in php programming

Security section is very import for web development. Every user get scared if his data is looted from the websites. There are many issues which are related to web security. That’s why we are so concerned with web security.
To protect our web application, the first thing is never trust any input. We must escape every inputs properly. Php comes with many escape functions .For input escaping , htmlentities() function converts all applicable characters to HTML entities. It has 4 parameters. The first arguments takes the string to escape. The second argument is the quote style. There are 3 types of styles:
1. ENT_COMPAT: this will convert double quotes and leaves the single quotes.
2. ENT_QUOTES: this will convert both single and double quotes.
3. ENT_NOQUOUTES: this will leave both single and double quotes.
The third parameter is the charset. The default is ISO-8859-1 and the fourth parameter is double_encodes. If it is set to off , then php will not encode existing html entities, the default is On.
There is a similar function called htmlspecialchars() with the exception is that htmlentities convert all characters and htmlspecialchars encodes only special characters.
The translations performed are:
• '&' (ampersand) becomes '&'
• '"' (double quote) becomes '"' when ENT_NOQUOTES is not set.
• ''' (single quote) becomes ''' only when ENT_QUOTES is set.
• '<' (less than) becomes '<'
• '>' (greater than) becomes '>'
This function has the same 4 parameters of htmlentities. These 2 function uses the html translation table. We can find with the function get_html_translation_table.
$trans = get_html_translation_table(HTML_ENTITIES);
$str = "Hallo & & Krämer";
$encoded = strtr($str, $trans);

echo $encoded;
?>
We can decode the encoded string with respective decode functions : html_entity_decode and htmlspecialchars_decode .

The functions urlencode and rawurlencode is used for encoding data on the url. This helps to hide any important data from possible attackers. The difference between these 2 is that the first function converts spaces into ‘+’ sign. Urldecode and rawurldecode decodes the encoded data. The encoded data in $_GET and $_REQUEST method automatically decodes data.

Filtering data:
So, We must filter any input data before use. There are 2 approaches .
1. Blacklist approach: In this approach, we assume every thing is secure except the some given listed data. If any input matches the given data, we will treat is as tainted.
2. Whitelist approach: This approach assumes that all are tainted except some given data. If a data matches this given data, then we can say this data is safe to proceed.
We can use ctype_* and is_* functions for filtering inputs. These functions check whether the given data is our required data type.
if (ctype_alpha($_POST[’username’]))
{
$clean[’username’] = $_POST[’username’];
}
if (ctype_alnum($_POST[’password’]))
{
$clean[’password’] = $_POST[’password’];
}
$colours = array(’Red’, ’Blue’, ’Yellow’, ’Green’);
if (in_array($_POST[’colour’], $colours))
{
$clean[’colour’] = $_POST[’colour’];
}
Here we are checking the input data whether they are of specified type. Sometimes client-side javascript validation is not necessary for filtering, as there is one security issue called ‘spoofed form’. We will talk about this later. So, we must not rely on client-side javascript. We need to use server side filtering also.

This is not all about web security in php world. We will focus on the rest later on.




List of my works:

Opencart Extensions:

  1. Product Based Quantity Wise Shipping: Find it here.
  2. OpenSSLCOMMERZ: integrate SSLCOMMERZ with opencart: Find it here.
  3. Fine Search v.1.0 - Improves Opencart search feature to find relevant: Find it here.
  4. Opensweetcaptcha - An easy way to generate attractive captcha for your system!: Find it here.
  5. Custom Field Product - add unlimited custom fields to the product form: Find it here.
  6. Formcaptcha - add captcha on the register page: Find it here.

My Books:

  1. OpenCart 1.4 Template Design Cookbook.
  2. Joomla Mobile Development Beginners Guide

Friday, June 19, 2009

Requirement analysis in software development

Today I am going to represent the importance of requirement analysis in software industry. We make an application to satisfy our client’s need. Client’s satisfaction is our main goal. That’s why, we must need to understand and figure out what client wants. And also we must make client understand these are the things that will make your requirement fulfill. If he satisfy with the requirement proposal, then we can make the requirement as the programmer’s goal to fulfill. This will definitely reduce both time and workload and also cost. Because, if we don’t collect requirements at the initial stage of a software development, then the scenario becomes like the following:
Programmers and designers working on some scattered information of the project. At the time of their working, client changes his mind and asks some new things. Then the programmers and designers worked on the same module and take the application at some stage where they can say it is ok. And then if client again wishes to change something , then the changes on a same module keeps going. This definitely kills lot of time and makes the work more tedious and costly.
That’s why requirement analysis is so important in software development. If we make a requirement analysis at the initial stage of software development, then we can show our client that this was what you asked from us and see this is what we made. Client can place change request after a requirement is final. So, requirement analysis makes software development procedural, easy and cost-effective.




List of my works:

Opencart Extensions:

  1. Product Based Quantity Wise Shipping: Find it here.
  2. OpenSSLCOMMERZ: integrate SSLCOMMERZ with opencart: Find it here.
  3. Fine Search v.1.0 - Improves Opencart search feature to find relevant: Find it here.
  4. Opensweetcaptcha - An easy way to generate attractive captcha for your system!: Find it here.
  5. Custom Field Product - add unlimited custom fields to the product form: Find it here.
  6. Formcaptcha - add captcha on the register page: Find it here.

My Books:

  1. OpenCart 1.4 Template Design Cookbook.
  2. Joomla Mobile Development Beginners Guide