Monthly Archives: December 2010

How to prevent XSS attacks through PHP?

Attackers use many different techniques for XSS, and PHP's built-in functions do not cover all of them. Functions such as strip_tags, filter_var, mysql_real_escape_string, htmlentities and htmlspecialchars therefore do not protect us 100%. A better mechanism is needed; here is one solution:

<?php
function xss_clean($data)
{
    // Remove any attribute starting with "on" or "xmlns"
    $data = preg_replace('#(<[^>]+?[\x00-\x20"\'])(?:on|xmlns)[^>]*+>#iu', '$1>', $data);

    // Remove javascript: and vbscript: protocols (and Mozilla's -moz-binding),
    // tolerating control characters and whitespace between the letters
    $data = preg_replace('#([a-z]*)[\x00-\x20]*=[\x00-\x20]*([`\'"]*)[\x00-\x20]*j[\x00-\x20]*a[\x00-\x20]*v[\x00-\x20]*a[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2nojavascript...', $data);
    $data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*v[\x00-\x20]*b[\x00-\x20]*s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:#iu', '$1=$2novbscript...', $data);
    $data = preg_replace('#([a-z]*)[\x00-\x20]*=([\'"]*)[\x00-\x20]*-moz-binding[\x00-\x20]*:#u', '$1=$2nomozbinding...', $data);

    // Only works in IE: CSS expression() / behaviour in a style attribute,
    // e.g. style="width: expression(...)"
    $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?expression[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
    $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?behaviour[\x00-\x20]*\([^>]*+>#i', '$1>', $data);
    $data = preg_replace('#(<[^>]+?)style[\x00-\x20]*=[\x00-\x20]*[`\'"]*.*?s[\x00-\x20]*c[\x00-\x20]*r[\x00-\x20]*i[\x00-\x20]*p[\x00-\x20]*t[\x00-\x20]*:*[^>]*+>#iu', '$1>', $data);

    // Remove namespaced elements (we do not need them)
    $data = preg_replace('#</*\w+:\w[^>]*+>#i', '', $data);

    do
    {
        // Remove really unwanted tags (applet, base, bgsound, blink, embed, frame,
        // frameset, iframe, ilayer, layer, link, meta, object, script, style, title, xml);
        // repeat until nothing changes, so nested/overlapping tags do not survive one pass
        $old_data = $data;
        $data = preg_replace('#</*(?:applet|b(?:ase|gsound|link)|embed|frame(?:set)?|i(?:frame|layer)|l(?:ayer|ink)|meta|object|s(?:cript|tyle)|title|xml)[^>]*+>#i', '', $data);
    }
    while ($old_data !== $data);

    // we are done...
    return $data;
}
?>
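The filter above removes the patterns it recognises, so whatever it does not recognise passes through untouched. The complementary defence, and the one that actually gives the guarantee the built-in functions are criticised for lacking, is to escape untrusted data for the exact context it is written into: element text and quoted attributes get HTML-escaped, and URL attributes are validated by parsing the scheme rather than by pattern-stripping. The following PHP is an added example, not code from the original post; the helper names h, safe_link and render_comment and the sample comments are made up here.

```php
<?php
// Added example (not part of the original post): context-aware output escaping
// as the primary XSS defence, instead of stripping patterns from input.

// Escape text destined for an HTML element body or a double-quoted attribute.
function h(string $s): string
{
    // ENT_QUOTES also escapes single quotes; ENT_SUBSTITUTE replaces invalid
    // UTF-8 sequences instead of making htmlspecialchars() return ''.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Allow only http(s) URLs in an href. The scheme is checked by parsing, so
// "javascript:" and "vbscript:" never reach the browser, whatever casing or
// embedded whitespace/control characters they carry.
function safe_link(string $url): ?string
{
    $url = trim($url);
    // Browsers strip control characters before interpreting the scheme; reject
    // anything that still contains one rather than trying to normalise it.
    if (preg_match('/[\x00-\x20]/', $url)) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'])) {
        return null; // no scheme (or unparsable): treat as not a link
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    return $url;
}

// Render one comment. Every untrusted value goes through the escaper for the
// context it lands in; the link is dropped entirely if it fails validation.
function render_comment(string $author, string $website, string $body): string
{
    $link = safe_link($website);
    $name = $link === null
        ? h($author)
        : '<a href="' . h($link) . '" rel="nofollow">' . h($author) . '</a>';
    return "<p><strong>$name</strong>: " . h($body) . "</p>\n";
}

// Constructed sample inputs: one ordinary comment, one carrying markup and a
// non-http scheme of the kind the regexes above try to strip.
$samples = [
    ['Alice', 'https://example.org/', 'Nice <b>post</b>!'],
    ['Mallory <b onmouseover="x">', ' jAvaScript:void(0)', "It's \"quoted\" & <i>escaped</i>"],
];
foreach ($samples as [$author, $site, $body]) {
    echo render_comment($author, $site, $body);
}
```

For the second sample the markup in the author name is rendered as literal text and no anchor is emitted, because safe_link() rejects the scheme after lowercasing it. Note that safe_link() also rejects scheme-less values such as "example.org/page"; an application that wants to accept those should prepend "https://" before validation rather than loosen the check.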


MySQL data manipulation language (DML) commands?

Data Manipulation Language

Data Manipulation Language (DML) statements are used for managing the data within tables. Some DML commands are:

1. SELECT - retrieve data from a database
2. INSERT - insert data into a table
3. UPDATE - update existing data within a table
4. DELETE - delete records (by default all of them) from a table; the space allocated for the records remains
5. MERGE - UPSERT operation (insert or update)
6. CALL - call a PL/SQL or Java/PHP subprogram
7. LOCK TABLE - control concurrency


MySQL data definition language (DDL) commands?

Data Definition Language (DDL)

DDL statements are used to define and modify the database structure of your tables or schema. When you execute a DDL statement, it takes effect immediately. Some DDL commands are:

1. CREATE - create objects (such as tables) in the database
2. ALTER - alter the structure of the database
3. DROP - delete objects (such as tables) from the database
4. TRUNCATE - remove all records from a table; the space allocated for the records is released as well
5. COMMENT - add comments to the data dictionary
6. RENAME - rename a table
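The DDL and DML lists above show the statements; what a PHP developer actually needs to get right is how to issue them, because the earlier post's point about mysql_real_escape_string applies here too: the values should travel as bound parameters, never be spliced into the SQL text. The following PHP is an added example, not code from the original posts; it runs against an in-memory SQLite database through PDO so it works offline, and assumes the pdo_sqlite extension is loaded. The table and column names are made up here.

```php
<?php
// Added example (not from the original posts): the DDL and DML statements above
// issued from PHP through PDO with bound parameters. Uses SQLite in memory so it
// runs anywhere; with a MySQL DSN ("mysql:host=...;dbname=...") the same code
// works, except that SQLite's AUTOINCREMENT is spelled AUTO_INCREMENT in MySQL.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// DDL: CREATE defines the structure and takes effect immediately
// (in MySQL, DDL statements also commit implicitly).
$db->exec('CREATE TABLE users (
    id    INTEGER PRIMARY KEY AUTOINCREMENT,
    name  TEXT NOT NULL,
    email TEXT NOT NULL UNIQUE
)');

// DML: INSERT with named placeholders. The values are sent separately from the
// SQL text, so a name such as "O'Brien" is stored as data, not parsed as SQL.
$insert = $db->prepare('INSERT INTO users (name, email) VALUES (:name, :email)');
foreach ([['Alice', 'alice@example.org'], ["O'Brien", 'ob@example.org']] as [$n, $e]) {
    $insert->execute([':name' => $n, ':email' => $e]);
}

// DML: UPDATE existing rows, again with bound values.
$update = $db->prepare('UPDATE users SET email = :email WHERE name = :name');
$update->execute([':email' => 'alice@example.net', ':name' => 'Alice']);

// DML: SELECT. A user-supplied search term stays a bound parameter even inside
// a LIKE pattern; the wildcard is appended in PHP, not in the SQL string.
$term = 'A';
$select = $db->prepare('SELECT id, name, email FROM users WHERE name LIKE :pat ORDER BY id');
$select->execute([':pat' => $term . '%']);
foreach ($select->fetchAll(PDO::FETCH_ASSOC) as $row) {
    printf("%d %s <%s>\n", $row['id'], $row['name'], $row['email']);
}

// DML: DELETE removes rows but leaves the table definition in place.
$delete = $db->prepare('DELETE FROM users WHERE email = :email');
$delete->execute([':email' => 'ob@example.org']);
echo 'rows left: ', $db->query('SELECT COUNT(*) FROM users')->fetchColumn(), "\n";

// DDL: DROP removes the table itself.
$db->exec('DROP TABLE users');
```

PDO::ERRMODE_EXCEPTION is set so that a failed statement throws instead of silently returning false, which is the behaviour you want in code that changes data.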

How to run Perl in MAMP?

If everything is configured properly, put a Perl file in your cgi-bin folder, set the permissions so that Apache can execute it, and you are ready to go.

Perl has this inconvenience simply because it came first, and that is how CGI scripts were done. PHP came along later with a default configuration that allowed PHP scripts to run from any directory, so this is a little unfamiliar for PHP programmers.

It took me an hour to figure out how to run Perl in MAMP.

Well, here are some easy steps for you.

The permissions for all of those files need to be 755.


Go to Applications >> Utilities and open Terminal, then run:

    cd /Applications/MAMP
    chmod 755 cgi-bin
    cd cgi-bin
    find . -type f -exec chmod 755 \{\} \;

Put all your Perl files in the cgi-bin folder:

    /Applications/MAMP/cgi-bin

Run your script by opening it in the browser:

    http://localhost/cgi-bin/test.pl

You are done!
