Archive for the ‘Programming’ Category
Proof of my programming ability
Friday, April 27th, 2007
Yesterday we had a representative of one of our clients in for a meeting. I can’t say who it was, or what company they were from, but I spent most of the day working on some simple PHP programs for them. I had worked on them before, but they wanted some changes to be done. So at about 4pm this client comes to my desk and says that he has this problem that he thinks I may be able to help with.
He wanted a program that would take in multiple IP addresses and find out not only where in the world they were from, but also who the IP address belonged to, basically the ISP of these IP addresses. The interesting thing was that I was in a race with one of their programmers who had been working on the same thing since Monday and was several hours away from completing it. So I started work.
At about 12:00 today I had a fully working IP address to ISP lookup tool which I packaged up and sent off to them. The client said it was exactly what he was looking for and that the data that their programmer had come up with was only a fraction of the information that my tool displayed. It also allowed the user to export the data into a CSV file, which he thought was brilliant.
Paul (my company director) was very impressed (he even shook my hand) and it looks as though I have made the company a lot of money. But not only that, on a personal level I beat a lead developer in another company by at least 4 days to produce a fully working tool that was said to be impossible.
Sometimes I surprise even myself!
Opening A Web Page As a File
Tuesday, January 30th, 2007
Those of you who are PHP programmers will probably be familiar with opening a file. You use the PHP function fopen() to create a handle for the file, and then use this handle to do things like read from or write to the file.
The usual syntax for fopen() is as follows. The first parameter is the file name and the second is the mode in which PHP will open it. Be careful what you use here, as it affects the contents of the file and what you can do with it.
$handle = fopen("afile.txt", "r");
Did you also know that you can open a URL as a file? This means that you can grab the contents of a website quite easily. For example:
$handle = fopen("http://www.aurl.co.uk/", "r");
The next difficulty is how to read from this file handle: you can’t just call fread() once, because you can’t tell how big the file is and therefore how much to download. There is a solution, but it depends on the version of PHP you are using. PHP5 has a function called stream_get_contents() which will push the contents of the page into a variable. You can say how much of the page you want, or leave it blank to get all of it. PHP4 users will need to call fread() in small chunks of 8192 bytes each until the whole page has been downloaded. The following code gives you the contents of a page opened with fopen(), whichever version you are on.
$urlh = fopen("http://www.aurl.co.uk/", "r");
$contents = "";
// check the PHP version: stream_get_contents() only exists from PHP 5 onwards
if (version_compare(phpversion(), '5.0.0', '>=')) {
    $contents = stream_get_contents($urlh);
} else {
    // PHP4: read 8192-byte chunks until the end of the stream
    while (!feof($urlh)) {
        $contents .= fread($urlh, 8192);
    }
}
fclose($urlh);
You can now use the $contents variable to do whatever you want.
There is one other possibility: the site you want to get hold of may be behind server-side authorisation. To get at it you will need to force an HTTP/1.0 request, as fopen() doesn’t support HTTP/1.1 requests. Most servers should be set up to support this, so you should get away with it. To do this use the following code:
fopen("http://username:password@www.example.com","r");
This will allow you to get hold of the page with the proper authentication. Obviously you will need to exchange username for your username and password for your password. I found this really useful, so please borrow it for whatever you want.
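The following is an added example, not code from the original post. It wraps the fopen() approach above in one helper that reads the page to the end in 8192-byte chunks (so it works on PHP4 as well as PHP5), sends the same Basic-auth credentials as the user:password@ URL form but as a request header so they never appear in the URL, refuses anything other than http/https so the helper cannot be pointed at local files, and caps how much it will read. The function name, the timeout, the size cap and the usage URL are assumptions for the example; it assumes allow_url_fopen is enabled in php.ini.

```php
<?php
// Added example (not the original post's code): fetch a web page through fopen()
// and read it to the end, optionally with HTTP Basic authentication supplied
// as a request header instead of being embedded in the URL.
// Assumes allow_url_fopen is on; fetch_page, $timeout and $max_bytes are
// names chosen for this example.

function fetch_page($url, $user = null, $pass = null, $timeout = 10, $max_bytes = 1048576)
{
    // Only talk to http/https. Anything else (file://, ftp://, php://...) is
    // refused so a caller cannot use this helper to read local files.
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return false;
    }

    $http = array('method' => 'GET', 'timeout' => $timeout);
    if ($user !== null) {
        // Equivalent to fopen("http://user:pass@host/"), but the credentials
        // stay out of the URL and so out of logs and error messages.
        $http['header'] = 'Authorization: Basic ' . base64_encode($user . ':' . $pass) . "\r\n";
    }
    $ctx = stream_context_create(array('http' => $http));

    $h = @fopen($url, 'r', false, $ctx);
    if ($h === false) {
        return false;   // DNS failure, connection refused, 401, 404, ...
    }

    // Read 8192-byte chunks until EOF, but stop at $max_bytes so an
    // unexpectedly large response cannot exhaust the script's memory.
    $contents = '';
    while (!feof($h) && strlen($contents) < $max_bytes) {
        $chunk = fread($h, 8192);
        if ($chunk === false) {
            break;
        }
        $contents .= $chunk;
    }
    fclose($h);
    return $contents;
}

// Usage (URL and credentials are placeholders):
$page = fetch_page('http://www.example.com/', 'username', 'password');
if ($page === false) {
    echo "download failed\n";
} else {
    echo strlen($page) . " bytes downloaded\n";
}
```

Checking the return value matters: fopen() returns false (and emits a warning, suppressed here with @) when the server answers with an error status, so a script that feeds the result straight into fread() or stream_get_contents() would otherwise work on an empty handle.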
Validating XHTML and the target attribute
Saturday, January 6th, 2007
You may not have realised it, but XHTML doesn’t support the target attribute of the <a> tag.
For example, this code:
<a href="blabla.html" target="_blank">Bla bla</a>
would not validate, as the "target" attribute was left out of the XHTML specification. This code is meant to open a new window when the user clicks on the link.
The only way to solve this is to use JavaScript, in one of two ways.
The first is to add lots of things to the a tag to get the link to open in another window. This is a bit messy, but generally works. The catch is that you have to remember to put all of this code on every link you want to open in a new window.
<a href="http://www.norton42.org.uk" onclick="window.open(this.href); return false;" onkeypress="window.open(this.href); return false;">Norton42.org.uk</a>
As the first method is a bit messy, the other solution is to drop the target attribute and use the rel attribute with the value external, like this:
<a rel="external" href="http://blahblah.com">new link</a>
Using this attribute, you can then use a JavaScript function to give every link marked rel="external" a target attribute once the page has loaded.
function externalLinks() {
    // bail out on very old browsers that lack the DOM method
    if (!document.getElementsByTagName) return;
    var anchors = document.getElementsByTagName("a");
    for (var i = 0; i < anchors.length; i++) {
        var anchor = anchors[i];
        if (anchor.getAttribute("href") &&
            anchor.getAttribute("rel") == "external")
            anchor.target = "_blank";
    }
}
window.onload = externalLinks;
With the rel attribute the XHTML validates, and the JavaScript allows the <a> tags to open in another window. What we are doing here is getting JavaScript to rewrite the markup on the site, which seems a little cheeky to me. However, if a user doesn’t have JavaScript then the links simply open in the same window and they won’t see any funny effects.
Note on PHP contact form
Saturday, January 6th, 2007
I recently came across a mechanism by which someone could take over a "Contact Form" written in PHP and use it to send spam. They do this by overfilling certain fields in the hope that they can add more parameters to the mail() function.
The mail() function in PHP has the following parameters:
mail( string to, string subject, string message [, string additional_headers [, string additional_parameters]] )
The additional headers parameter is used to convey anything else you can find in an email, such as the CC and BCC headers. It is the BCC header that the spammer hopes to take over, adding his own set of addresses so that it looks as though you have been sending spam. He does this in one of two ways:
- By adding code to the message box so that when the mail function is called there will be extra headers in the additional headers parameter.
- By adding code to the address bar of the browser in such a way that the form is changed. He might change one of the text boxes to a text area and use this new area to add the headers.
By doing either of these things he hopes to add another carriage return character and then a BCC field after it.
There are a number of ways to combat this.
The first is to use the strip_tags() method. This will remove any PHP or HTML tags from a string. The strip_tags() method has two parameters: the first is the string you are supplying to the method, the second is any HTML tags that you do actually want to keep. You can use the following value to allow a number of HTML tags at once.
$allowedTags = '<p><br><b><i><strong><u><h1><h2><h3><h4><h5><h6>';
This will allow most of the formatting tags to be passed through. The main use of this function is to strip out any PHP tags.
You can also use the str_replace() method to do more or less the same thing. This method takes three arguments. The first is what to look for in a string, also called the needle. The second is what to replace it with, and the third is the string itself, also called the haystack. You can pass more than one needle in a single function call by using an array of values, as in the following:
$deleteAllTags = array('<', '>', '', '/', '=', '+');
$clean = str_replace($deleteAllTags, '', $input);
Using these two methods in conjunction should stop most stuff getting through. You should be checking all of the fields for validity anyway, and by doing this you stop most of these attacks getting in.
The second method is to always use POST to send the data in the form to the server. This way the form will ignore anything written in the address bar. As it is bad practice to use GET in any form, you can usually rule out this avenue without even trying.
The contact us form on my website should stop this sort of thing. I have tested it as well as I can. If you want the code then contact me! If you have any other comments or questions then let me know.
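The following is an added example and is not the author’s contact form code. It shows the check that directly targets the trick described above: any value that is going to be placed in a mail header is rejected outright if it contains a carriage return or line feed, because that is the only way extra BCC lines can be appended through the additional_headers parameter. The message body is never used to build headers, so line breaks there are harmless. The field names, recipient address and sample submissions are constructed for the example; filter_var() assumes PHP 5.2 or later.

```php
<?php
// Added example (not the author's contact form): a contact-form handler that
// refuses any header-bound field containing the CR/LF characters a spammer
// needs in order to append Bcc: headers through mail()'s additional_headers.
// Field names, the recipient and the sample inputs are assumptions.

// True if a value destined for a mail HEADER contains a line break or a NUL
// byte, i.e. an attempt to start a new header line.
function has_header_injection($value)
{
    return preg_match('/[\r\n\0]/', $value) === 1;
}

// Validate the submitted fields; returns an array of error strings (empty = ok).
function validate_contact_form(array $post)
{
    $errors = array();
    foreach (array('name', 'email', 'subject') as $field) {
        $value = isset($post[$field]) ? $post[$field] : '';
        if ($value === '') {
            $errors[] = "$field is required";
        } elseif (has_header_injection($value)) {
            // Do not try to "clean" the value; reject the whole submission.
            $errors[] = "$field contains a line break";
        }
    }
    if (isset($post['email']) && filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }
    if (!isset($post['message']) || trim($post['message']) === '') {
        $errors[] = 'message is required';
    }
    return $errors;
}

// Build additional_headers only from values that passed validation.
// The body ($post['message']) is never used here, so newlines in it cannot
// turn into headers.
function build_headers(array $post)
{
    $name = strip_tags($post['name']);
    return "From: " . $name . " <" . $post['email'] . ">\r\n"
         . "Reply-To: " . $post['email'] . "\r\n";
}

// --- Constructed sample submissions (not real form data) ---
$clean = array(
    'name'    => 'Alice',
    'email'   => 'alice@example.org',
    'subject' => 'Question about your site',
    'message' => "Hello,\nI have a question.\n",
);
// The attack from the post: a CRLF followed by a Bcc: line inside a header field.
$spam = $clean;
$spam['subject'] = "Hi\r\nBcc: victim1@example.net, victim2@example.net";

foreach (array('clean' => $clean, 'spam' => $spam) as $label => $submission) {
    $errors = validate_contact_form($submission);
    if (count($errors) === 0) {
        $headers = build_headers($submission);
        // Real send, commented out for this example:
        // mail('you@example.org', $submission['subject'], $submission['message'], $headers);
        echo "$label: would send with headers:\n$headers";
    } else {
        // Log and drop; nothing is sent for a rejected submission.
        echo "$label: rejected (" . implode('; ', $errors) . ")\n";
    }
}
```

Rejecting rather than sanitising is deliberate: stripping the newline from "Hi\r\nBcc: ..." would still send a mail, just with a mangled subject, whereas refusing the submission also gives you a log entry to alert on.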