Make PHP’s $_POST data more secure

PHP is a great programming language, but it is not a framework like many of the newer “languages”, and as such its basic functions are not as secure as a modern web application requires. Trusting PHP’s $_POST directly is risky, but PHP ships with functions that help make $_POST data safer to use. The function below uses a few of PHP’s own functions to fetch and filter the submitted value and hand it back in a somewhat safer form.

Web application security today is quite different from when PHP started out as “Personal Home Page”, and you need to ensure that any web application you publish is as secure as possible. Using submitted data (via $_GET or $_POST) directly, without filtering, is a bad idea in almost every situation. There are a few exceptions where we think this is acceptable, and we cover them below.

So we are providing an alternative to reading $_POST directly: a function that returns the same data after filtering (sanitising) it for unwanted content. Sanitising on input is a first line of defence, not a substitute for validating the value and for escaping it correctly where it is used (prepared statements for SQL, htmlspecialchars() for HTML). Explanations are below, but here is the function …

Function to make PHP’s $_POST data more secure

function Input_Post($par, $parType = 'string')
{
	// $par is the *name* of the field (always a string), so gettype($par) can never
	// tell us the type of the submitted value; callers pass $parType explicitly.
	$raw = $_POST[$par] ?? null;
	switch ($parType) {
		case 'email':
			$return = filter_input(INPUT_POST, $par, FILTER_SANITIZE_EMAIL);
			break;
		case 'int':
			$return = filter_input(INPUT_POST, $par, FILTER_SANITIZE_NUMBER_INT);
			break;
		case 'float':
		case 'double':
			// without FILTER_FLAG_ALLOW_FRACTION the decimal point is stripped ("1.5" becomes "15")
			$return = filter_input(INPUT_POST, $par, FILTER_SANITIZE_NUMBER_FLOAT, FILTER_FLAG_ALLOW_FRACTION);
			break;
		case 'url':
			$return = filter_input(INPUT_POST, $par, FILTER_SANITIZE_URL);
			break;
		default: // 'string'
			// FILTER_SANITIZE_STRING (strip tags) is deprecated since PHP 8.1;
			// FILTER_SANITIZE_FULL_SPECIAL_CHARS HTML-encodes <, >, &, " and ' instead
			$return = filter_input(INPUT_POST, $par, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
			break;
	}
	// filter_input() returns null when the field was not submitted and false when
	// the value is not a scalar (e.g. name[]=x); neither is clean text, so hand
	// them back unchanged and let the caller decide what to do.
	if ($return === null || $return === false) {
		return $return;
	}
	// compare with the raw submitted value, not with $par (that is only the field name)
	if ($raw !== $return) {
		// Something was altered: log to SQL and ban if more than a predefined number of
		// alterations occur in a predefined period ... (a legitimate apostrophe in a name
		// is also "altered" by the string case, so set the threshold sensibly)
	}
	return $return;
}

Explanation

The function name should be short and succinct. We think Input_Post() is about as good as we need, but you may also like _post().

We also need two parameters ($par, the field name, and $parType, the kind of value expected) because in some situations, checking for an email address for example, the field name alone does not tell us how to filter.

Next we make the second parameter $parType optional. Note that $par is the name of the field (always a string), so gettype($par) only ever returns 'string' and cannot tell us anything about the submitted value; callers that expect an int, float, email or URL must pass $parType explicitly, and the default should simply be 'string'. Getting the type right matters: it ensures we apply the correct sanitising so that we do not strip legitimate data while still removing harmful data.

Now comes the critical part: sanitising the value according to its type and storing the result in $return. Two details matter here. FILTER_SANITIZE_NUMBER_FLOAT strips the decimal point unless FILTER_FLAG_ALLOW_FRACTION is passed, so "19.99" becomes "1999". And FILTER_SANITIZE_STRING (which strips tags) has been deprecated since PHP 8.1, so the string case should use FILTER_SANITIZE_FULL_SPECIAL_CHARS, which HTML-encodes special characters instead. Either way the result is only cleaner, not trusted: validate it (FILTER_VALIDATE_INT, FILTER_VALIDATE_EMAIL, and so on) before relying on it, and still use prepared statements and output encoding where the value is used.

Using a switch is easier to read than a chain of if/elseif when dealing with many options, and it just looks better.

The last test compares the filtered value $return with the raw submitted value, $_POST[$par]; comparing against $par itself, as is easy to do by mistake, only compares the field name with the value and will almost always differ. If raw and filtered differ, something was stripped or encoded, and we can call a logging function so the event is recorded for auditing or banning users (we run functions that log to an SQL table and check how many failures occurred in X days for this session footprint), but this is beyond the scope of this post. Also remember that filter_input() returns null when the field was not submitted at all and false when the value was not a scalar (for example name[]=x), so check for those before comparing.

Then, return the filtered data $return.

Implementation

Using STG’s Input_Post() function is as simple as replacing occurrences of:
$_POST['variable']
with
Input_Post('variable')
and passing a type where the field is not free text, for example Input_Post('age', 'int') or Input_Post('contact', 'email').

Exceptions

As stated above, there are exceptions to when you can use $_POST variables directly. We only use submitted data directly when testing it against a fixed value, such as:

$me = $_POST['me'] ?? ''; // avoids an undefined-index warning when the field is missing
if($me === 'you')          // strict comparison: no numeric-string juggling, arrays never match
{
echo 'you';
}
elseif($me === 'me')
{
echo 'me';
}
else
{
echo 'you and me';
}

Unless you make PHP’s $_POST data more secure in this way, you should NEVER trust any $_GET or $_POST variable: using it directly should be avoided. We prefer to use submitted data only to make decisions, as above, never to build SQL, HTML or file paths.
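The following is an added example, not code from the original post, showing why the FILTER_SANITIZE_* filters used by Input_Post() are not validation, and why the cleaned value still has to be handled according to where it is used. The $post array is constructed test data (a real handler would call filter_input(INPUT_POST, ...) instead of filter_var() on an array), and the SQLite database is an in-memory stand-in for whatever your application uses.

```php
<?php
// Added example, not code from the original post. $post stands in for a real
// request; filter_var() is used instead of filter_input() so it runs offline.
$post = [
    'qty'   => '12abc',                   // looks numeric, is not
    'price' => '19.99',                   // a float with a fraction
    'email' => 'bob@example.com<script>', // markup glued onto an address
    'name'  => "O'Brien <b>admin</b>",    // legitimate apostrophe plus unwanted markup
];

function show(string $label, $value): void
{
    printf("%-36s %s\n", $label, var_export($value, true));
}

// 1. Sanitising silently repairs bad input; validating rejects it.
show('sanitize int "12abc"', filter_var($post['qty'], FILTER_SANITIZE_NUMBER_INT)); // '12'
show('validate int "12abc"', filter_var($post['qty'], FILTER_VALIDATE_INT));        // false

// 2. FILTER_SANITIZE_NUMBER_FLOAT strips the decimal point unless told to keep it.
show('sanitize float "19.99"',        filter_var($post['price'], FILTER_SANITIZE_NUMBER_FLOAT));                             // '1999'
show('sanitize float, ALLOW_FRACTION', filter_var($post['price'], FILTER_SANITIZE_NUMBER_FLOAT, FILTER_FLAG_ALLOW_FRACTION)); // '19.99'
show('validate float "19.99"',        filter_var($post['price'], FILTER_VALIDATE_FLOAT));                                    // 19.99

// 3. Validate the *raw* value. Sanitising first only removes the illegal
//    characters, which can turn junk into something that then passes validation.
$rawEmail       = $post['email'];
$sanitizedEmail = filter_var($rawEmail, FILTER_SANITIZE_EMAIL);                      // 'bob@example.comscript'
show('validate raw email',       filter_var($rawEmail, FILTER_VALIDATE_EMAIL));       // false: reject the request
show('validate sanitised email', filter_var($sanitizedEmail, FILTER_VALIDATE_EMAIL)); // 'bob@example.comscript': accepted

// 4. SQL context: a bound parameter is never parsed as SQL, so the raw value can
//    be stored intact. No input filter is needed for this, and none is sufficient.
if (extension_loaded('pdo_sqlite')) {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (name TEXT)');
    $stmt = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->execute([':name' => $post['name']]);
    $stored = $pdo->query('SELECT name FROM users')->fetchColumn();
    show('stored via prepared statement', $stored); // "O'Brien <b>admin</b>", unchanged

    // 5. HTML context: encode exactly once, at the point where the value is written
    //    into the page. If an input filter already HTML-encoded it, do not encode again.
    show('encoded for HTML output', htmlspecialchars($stored, ENT_QUOTES, 'UTF-8')); // O&#039;Brien &lt;b&gt;admin&lt;/b&gt;
}
```

The pattern to take from this is validate on input (reject what does not fit), bind on the way into the database, and encode on the way out to HTML; the sanitising filters are a convenience on top of that, not a replacement for any of it.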

Make PHP’s $_GET data more secure

PHP is a great programming language, but it is not a framework like many of the newer “languages”, and as such its basic functions are not as secure as a modern web application requires. Trusting PHP’s $_GET directly is risky, but PHP ships with functions that help make $_GET data safer to use. The function below uses a few of PHP’s own functions to fetch and filter the submitted value and hand it back in a somewhat safer form.

Web application security today is quite different from when PHP started out as “Personal Home Page”, and you need to ensure that any web application you publish is as secure as possible. Using submitted data (via $_GET or $_POST) directly, without filtering, is a bad idea in almost every situation. There are a few exceptions where we think this is acceptable, and we cover them below.

So we are providing an alternative to reading $_GET directly: a function that returns the same data after filtering (sanitising) it for unwanted content. Sanitising on input is a first line of defence, not a substitute for validating the value and for escaping it correctly where it is used (prepared statements for SQL, htmlspecialchars() for HTML). Explanations are below, but here is the function …

Function to make PHP’s $_GET data more secure

function Input_Get($par, $parType = 'string')
{
	// $par is the *name* of the parameter (always a string), so gettype($par) can never
	// tell us the type of the submitted value; callers pass $parType explicitly.
	$raw = $_GET[$par] ?? null;
	switch ($parType) {
		case 'email':
			$return = filter_input(INPUT_GET, $par, FILTER_SANITIZE_EMAIL);
			break;
		case 'int':
			$return = filter_input(INPUT_GET, $par, FILTER_SANITIZE_NUMBER_INT);
			break;
		case 'float':
		case 'double':
			// without FILTER_FLAG_ALLOW_FRACTION the decimal point is stripped ("1.5" becomes "15")
			$return = filter_input(INPUT_GET, $par, FILTER_SANITIZE_NUMBER_FLOAT, FILTER_FLAG_ALLOW_FRACTION);
			break;
		case 'url':
			$return = filter_input(INPUT_GET, $par, FILTER_SANITIZE_URL);
			break;
		default: // 'string'
			// FILTER_SANITIZE_STRING (strip tags) is deprecated since PHP 8.1;
			// FILTER_SANITIZE_FULL_SPECIAL_CHARS HTML-encodes <, >, &, " and ' instead
			$return = filter_input(INPUT_GET, $par, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
			break;
	}
	// filter_input() returns null when the parameter is absent from the query string
	// and false when the value is not a scalar (e.g. ?name[]=x); neither is clean
	// text, so hand them back unchanged and let the caller decide what to do.
	if ($return === null || $return === false) {
		return $return;
	}
	// compare with the raw submitted value, not with $par (that is only the parameter name)
	if ($raw !== $return) {
		// Something was altered: log to SQL and ban if more than a predefined number of
		// alterations occur in a predefined period ... (a legitimate apostrophe in a name
		// is also "altered" by the string case, so set the threshold sensibly)
	}
	return $return;
}

Explanation

The function name should be short and succinct. We think Input_Get() is about as good as we need, but you may also like _get().

We also need two parameters ($par, the parameter name, and $parType, the kind of value expected) because in some situations, checking for an email address for example, the name alone does not tell us how to filter.

Next we make the second parameter $parType optional. Note that $par is the name of the query parameter (always a string), so gettype($par) only ever returns 'string' and cannot tell us anything about the submitted value; callers that expect an int, float, email or URL must pass $parType explicitly, and the default should simply be 'string'. Getting the type right matters: it ensures we apply the correct sanitising so that we do not strip legitimate data while still removing harmful data.

Now comes the critical part: sanitising the value according to its type and storing the result in $return. Two details matter here. FILTER_SANITIZE_NUMBER_FLOAT strips the decimal point unless FILTER_FLAG_ALLOW_FRACTION is passed, so "19.99" becomes "1999". And FILTER_SANITIZE_STRING (which strips tags) has been deprecated since PHP 8.1, so the string case should use FILTER_SANITIZE_FULL_SPECIAL_CHARS, which HTML-encodes special characters instead. Either way the result is only cleaner, not trusted: validate it (FILTER_VALIDATE_INT, FILTER_VALIDATE_EMAIL, and so on) before relying on it, and still use prepared statements and output encoding where the value is used.

Using a switch is easier to read than a chain of if/elseif when dealing with many options, and it just looks better.

The last test compares the filtered value $return with the raw submitted value, $_GET[$par]; comparing against $par itself, as is easy to do by mistake, only compares the parameter name with the value and will almost always differ. If raw and filtered differ, something was stripped or encoded, and we can call a logging function so the event is recorded for auditing or banning users (we run functions that log to an SQL table and check how many failures occurred in X days for this session footprint), but this is beyond the scope of this post. Also remember that filter_input() returns null when the parameter was not in the query string at all and false when the value was not a scalar (for example ?name[]=x), so check for those before comparing.

Then, return the filtered data $return.

Implementation

Using STG’s Input_Get() function is as simple as replacing occurrences of:
$_GET['variable']
with
Input_Get('variable')
and passing a type where the parameter is not free text, for example Input_Get('page', 'int') or Input_Get('next', 'url').

Exceptions

As stated above, there are exceptions to when you can use $_GET variables directly. We only use submitted data directly when testing it against a fixed value, such as:

$me = $_GET['me'] ?? ''; // avoids an undefined-index warning when the parameter is missing
if($me === 'you')         // strict comparison: no numeric-string juggling, arrays never match
{
echo 'you';
}
elseif($me === 'me')
{
echo 'me';
}
else
{
echo 'you and me';
}

Unless you make PHP’s $_GET data more secure in this way, you should NEVER trust any $_GET or $_POST variable: using it directly should be avoided. We prefer to use submitted data only to make decisions, as above, never to build SQL, HTML or file paths.
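The “compare it directly” exception, both here and in the $_POST post above, has three pitfalls that are easy to miss: a missing field, a field submitted as an array (?me[]=you), and PHP’s loose == comparison, which compares two numeric strings as numbers. The following is an added example, not code from the original posts: routeLoose() is the comparison pattern as the posts wrote it, routeStrict() is the form we would use, and the query strings are constructed test input parsed with parse_str() so the script runs offline (in a real request the same values arrive in $_GET).

```php
<?php
// Added example, not code from the original posts. parse_str() on constructed
// query strings stands in for $_GET so this runs from the command line.

function routeLoose(array $get): string
{
    if ($get['me'] == 'you') {     // PHP 8 prints "Undefined array key" when me is missing
        return 'you';
    } elseif ($get['me'] == 'me') {
        return 'me';
    }
    return 'you and me';
}

function routeStrict(array $get): string
{
    $me = $get['me'] ?? null;      // missing field: no warning, an explicit null
    if (!is_string($me)) {         // ?me[]=you arrives as an array, never as text
        return 'invalid';
    }
    if ($me === 'you') {           // ===: byte-for-byte comparison, no type juggling
        return 'you';
    } elseif ($me === 'me') {
        return 'me';
    }
    return 'you and me';
}

// Loose == treats '1e1', '010' and '10.0' as equal to '10' because both sides are
// numeric strings. That matters as soon as the compared value is a level, id or flag.
function isLevelTenLoose(array $get): bool
{
    return ($get['level'] ?? null) == '10';
}

function isLevelTenStrict(array $get): bool
{
    return ($get['level'] ?? null) === '10';
}

// constructed inputs: the first four exercise the routing, the rest the numeric compare
$cases = ['me=you', 'me=me', '', 'me[]=you', 'level=10', 'level=1e1', 'level=010', 'level=10.0'];
foreach ($cases as $queryString) {
    parse_str($queryString, $get);
    if (isset($get['level'])) {
        printf("%-12s loose:%-6s strict:%s\n", "'$queryString'",
            var_export(isLevelTenLoose($get), true), var_export(isLevelTenStrict($get), true));
    } else {
        printf("%-12s loose:%-12s strict:%s\n", "'$queryString'",
            routeLoose($get), routeStrict($get));
    }
}
// 'me=you'   -> you / you            'level=10'   -> true / true
// 'me=me'    -> me / me              'level=1e1'  -> true / false
// ''         -> you and me / invalid 'level=010'  -> true / false
// 'me[]=you' -> you and me / invalid 'level=10.0' -> true / false
```

The empty query string also makes routeLoose() emit a warning on PHP 8, which is the point: the loose version works by accident on the inputs you expect and behaves differently on the ones you do not. The strict version makes the three unexpected cases explicit and treats anything that is not a plain string as invalid.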

Remotely Lock & Shutdown computers using PowerShell

PowerShell takes the functionality of batch scripts to the next level and lets you remotely lock and shut down computers.

The following needs to be run, from an elevated PowerShell prompt, on each target computer if you are using a workgroup. In a domain the same settings can be applied through Group Policy to make them permanent, which we don’t advise unless you also sign your scripts. Background reading:

https://www.howtogeek.com/117192/how-to-run-powershell-commands-on-remote-computers/

Enable-PSRemoting -Force
Set-ExecutionPolicy RemoteSigned
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "192.168.1.250" -Concatenate -Force
Get-Item WSMan:\localhost\Client\TrustedHosts
Restart-Service WinRM

The above does the following:
Enable-PSRemoting starts the WinRM service, creates the listener and adds the firewall rules that allow remote PowerShell connections (-Force skips the confirmation prompts)
Set-ExecutionPolicy RemoteSigned allows local scripts to run while still requiring a signature on scripts downloaded from the internet. The original post used Unrestricted, which runs anything; it is not needed for remoting to work
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "192.168.1.250" -Concatenate -Force adds the server IP to the TrustedHosts list; -Concatenate appends to the list instead of replacing it. TrustedHosts is a client-side setting: it lists remote machines that this computer will connect to without Kerberos mutual authentication (the NTLM path used in a workgroup, or whenever you connect by IP address), so it is consulted on the machine that initiates the connection. Strictly it is only needed on the server, and the script further down sets it there for each target; adding the server’s IP on the workstations is harmless
Get-Item WSMan:\localhost\Client\TrustedHosts shows the resulting list so you can check it
Restart-Service WinRM restarts the Windows Remote Management service so the changes take effect

We are assuming that your server IP is 192.168.1.250; change as appropriate.

Now for the actual lock and shutdown code that runs from our “Server”:

Function Get-MyCredential{
 param(
 [Parameter(Mandatory)][string]$username,
 [Parameter(Mandatory)][string]$password
 )
 # Builds a PSCredential from a plain-text password. Only use this for throwaway test
 # accounts: anyone who can read this script can read the password. Prefer Get-Credential
 # (an interactive prompt) for real accounts.
 $secStr = ConvertTo-SecureString -String $password -AsPlainText -Force
 return New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username,$secStr
}
Function Add-TrustedHost{
 param([string]$machineName)
 # "winrm set ... TrustedHosts" replaces the whole list every time; -Concatenate appends instead
 $current = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
 if (($current -split ',') -notcontains $machineName) {
  Set-Item WSMan:\localhost\Client\TrustedHosts -Value $machineName -Concatenate -Force
 }
}
Function Lock-Machine{
 param(
 [string]$machineName,
 [System.Management.Automation.PSCredential]$Credential = (Get-Credential)
 )
 Add-TrustedHost $machineName
 # tsdiscon disconnects the console session, which leaves the machine at the lock screen
 Invoke-Command -ComputerName $machineName -ScriptBlock { tsdiscon.exe console } -Credential $Credential
}
Function Hibernate-Machine{
 param(
 [string]$machineName,
 [System.Management.Automation.PSCredential]$Credential = (Get-Credential)
 )
 Add-TrustedHost $machineName
 Invoke-Command -ComputerName $machineName -ScriptBlock { &"$env:SystemRoot\System32\rundll32.exe" powrprof.dll,SetSuspendState Hibernate } -Credential $Credential
}
# Prompt for the account once and reuse it for every machine
$cred = Get-Credential
Lock-Machine "192.168.1.84" -Credential $cred
#Lock-Machine "NameOfTheComputer" -Credential (Get-MyCredential 'User' 'Pa$W0rd')   # single quotes: unquoted, PowerShell expands $W0rd as a variable and the password becomes "Pa"
# Windows PowerShell 5.1 contacts the target over DCOM by default (add -Protocol WSMan to use WinRM); PowerShell 7 always uses WinRM
Stop-Computer -ComputerName 192.168.1.85 -Force -Credential $cred

Relaunching a windows app using a batch script

We recently needed to restart an app server exe automatically: the demonstration license it was running on caused the server to close regularly, annoying everyone trying to learn the system. So we needed a script (yay) to check whether it was running and restart it when required.

Requirements:

  1. On start, check whether the app is running; if not, start it.
  2. Wait for some period of time (60 seconds).
  3. Check again whether the app is running; if not, start it.

Flourishes:

  1. The date the app was last restarted is displayed in the title
  2. Ability to close the script with a key press
  3. Ability to cancel the wait and relaunch the app now
  4. Ability to log when the app was restarted

Working on it:

Checking if a process is running:

It turns out that checking if a process is running is relatively easy: tasklist lists the process, findstr looks for its name in that output, and findstr sets ERRORLEVEL to 1 when it finds nothing:

tasklist /FI "IMAGENAME eq appServer.exe" | findstr "appServer.exe"
if %ERRORLEVEL% == 1 Echo No server Process found
if %ERRORLEVEL% == 1 goto start

Then we need the 60 second wait, and a way to interrupt it. choice waits up to 60 seconds (/T 60) and picks Y by default (/D y); Y is the first option, so ERRORLEVEL 1 means the timeout expired (or Y was pressed) and any other letter means exit:

choice /T 60 /D y /C YABCDEFGHIJKLMNOPQRSTUVWXZ /N >NUL
if %ERRORLEVEL% == 1 goto loop

Now we start the exe:

start "" "C:\Program Files (x86)\AppVision 4.0\Bin\appServer.exe"

And set the title:

title appServer (re)Started at %NowDate% %NowTime% (Press X to exit script before closing appServer.exe)

Pulling it all together:

@echo off
setlocal
title appServer (re)Launching script started at %time:~0,2%_%time:~3,2%_%time:~6,2% (Press X to exit script before closing appServer.exe)
pushd "C:\Program Files (x86)\AppVision 4.0\Bin"

:loop
timeout 2 >NUL
rem on systems without timeout, "ping 127.0.0.1 -n 2 >NUL" gives a similar pause
echo.
rem findstr sets ERRORLEVEL 1 when no appServer.exe line is found in the task list
tasklist /FI "IMAGENAME eq appServer.exe" | findstr "appServer.exe"
if %ERRORLEVEL% == 1 (
    echo No server process found
    goto start
)
echo Server process found at %time%, waiting 60 seconds
echo.
rem wait 60 seconds; Y (ERRORLEVEL 1) is chosen automatically on timeout, any other letter exits
choice /T 60 /D y /C YABCDEFGHIJKLMNOPQRSTUVWXZ /N >NUL
if %ERRORLEVEL% == 1 goto loop
goto finish

:start
rem the %time% and %date% substrings depend on the regional format; this layout expects "hh:mm:ss" and "Ddd dd/mm/yyyy"
set NowTime=%time:~0,2%_%time:~3,2%_%time:~6,2%
set NowDate=%date:~10,4%_%date:~4,2%_%date:~7,2%

cls
echo starting
start "" "C:\Program Files (x86)\AppVision 4.0\Bin\appServer.exe"
title appServer (re)Started at %NowDate% %NowTime% (Press X to exit script before closing appServer.exe)
rem give the server 10 seconds to come up before checking again
choice /T 10 /D y /C YABCDEFGHIJKLMNOPQRSTUVWXZ /N >NUL
goto loop

:finish
popd
echo script finished due to keypress
endlocal

Icons for webpages using Font-Awesome

At SecureTech, our staff have been creating websites since the early days of the web. When we first started building web pages (20+ years ago) it was rather difficult to put icons on them: each icon had to be created by the developer (there was no such thing as a web designer back then …) as an image, uploaded to the site and inserted with an <img> tag. Now we can add icons to web pages using Font-Awesome, which is awesome (it had to be said …).

Font-Awesome allows the web designer or developer to insert an icon quickly with a short piece of markup (each icon is a Unicode glyph in the font), or to add it with CSS wherever required after development is done (provided the developer allowed for this by labelling each section of the HTML appropriately).

We needed a list of the icons available in Font-Awesome and decided to publish it on our website, to make it easier for others to use (but it’s mostly for us).

IPChanger for Windows IPV4 settings

IPChanger for Windows 10 allows you to change your IP address details with just two clicks, and to disconnect/reconnect adapters.

WARNING
This program is designed to be used by personnel who administer networks and/or have a good understanding of the addressing schemes of their networks.
Using this program incorrectly may stop your computer from accessing, or being accessible on, the network, and you may lose your internet connection.

Download

Download IPChangerV3.8

Screenshots

Welcome Screen for IPChanger (V3.8)
Main Screen for IPChanger (V3.8)

History

Originally created by Timmio (circa 2009), the application was updated by us to deal with Windows 7 changes and then again for Windows 10. Unfortunately the original location of the software has been lost to us, so we cannot link to it. If you find it, please comment below, so we can give credit where it’s due.

Backup MySQL databases on Windows 10 free script

We needed a simple way to back up MySQL automatically on Windows 10 for free. Our development and testing environments required:

  • The convenience of backing up all DBs (as This Script does).
  • Ability to exclude some of the DBs in each machine.
  • Date stamped backups, so changes are backed up each day.
  • Free and preferably open-source.
  • Easy to integrate into our existing backup scripts.

A quick search turned up nothing, so we decided to extend the script mentioned above to do what we require. The important parts of the script are below:

rem the full script sets Debug, dbUser, dbPassword, backupDir, dirName, fileSuffix, mysqldump, mysqlDataDir and zip in its first lines (not shown here)
rem the counters use !var! so delayed expansion must be on; the loop runs inside %mysqlDataDir%, where each database is a folder
setlocal EnableDelayedExpansion
set Counterf=0
set Counterb=0
rem allows for skipping of particular databases (use rem rather than :: inside a ( ) block, where a :: label can break the parser)
set SkipThis=0
for /d %%f in (*) do (
    set /A Counterf=!Counterf!+1
    rem remove echo here if you like
    echo processing folder "%%f"
    pushd "%~dp0"
        set Countera=0
        for %%a in (*.exclude) do (
            rem increment the counter, so we know how many files we have read.
            set /A Countera=!Countera!+1
            if %Debug% == 1 echo DEBUG - Exclude file found: "%%~na"
            rem quoted, case-insensitive compare so names with spaces or different case still match
            if /I "%%a" == "%%f.exclude" set SkipThis=1
            if !SkipThis! == 1 if %Debug% == 1 echo DEBUG - Skipping Backup of "%%f"
            )
        If %Debug% == 1 echo DEBUG - !Countera! exclude files checked
    popd

    rem --password on the command line is visible to other local users in the process list; an option file passed as the first argument with --defaults-extra-file avoids that
    if !SkipThis! == 0 %mysqldump% --host="localhost" --user=%dbUser% --password=%dbPassword% --single-transaction --add-drop-table --databases %%f > "%backupDir%\%dirName%\%%f.sql"
    if !SkipThis! == 0 %zip% a -tzip "%backupDir%\%dirName%\%fileSuffix%_%%f.sql.zip" "%backupDir%\%dirName%\%%f.sql"
    if !SkipThis! == 0 set /A Counterb=!Counterb!+1

    rem make sure to set this back to normal, so we don't skip the next DB backup as well
    set SkipThis=0
)
echo DONE - !Counterf! DBs found, !Counterb! DBs backed up
endlocal

We then just need to create some empty files with a “.exclude” extension in the folder the script lives in, named after the DB to exclude: for example “sys.exclude” will exclude the “sys” DB from backups. One caveat: mysqldump is given the password on its command line, which any local user can read from the process list while the dump runs (mysqldump prints a warning about this). On a shared machine, put the credentials in an option file and pass it as the first argument with --defaults-extra-file instead.

Licensing is as usual: this script is open source and we provide a download for your ease of use.

Troubleshooting

  1. If backups are not created, check all your location variables are set correctly

How to Use

  1. Download the MySQL Backup Script and extract into a suitable location.
  2. Open up “MySQLBackup.bat” in notepad++ (or similar).
  3. You will need to change the dbUser, dbPassword, backupDir, mysqldump, mysqlDataDir and zip file/app locations on lines 4-9.
  4. Save the file (you can open a command prompt in that folder by typing cmd into the address bar of Explorer).
  5. Run the script from the command prompt to back up your databases, or call it from your existing backup scripts or Task Scheduler.

Next time you need to back up MySQL on Windows 10 for free, use this script to make it easy.

Contact Us

Sutherland
Sydney
NSW
2232
Australia
(+61) 02 9043 5030
(+61) 0411 275 633
http://yts.com.au
Your Tech is Our Business

Flonix IT Solutions

Flonix IT Solutions offers flexible IT support, professional IT project delivery and expert IT advice. Our Head Office is based in Perth but with offices in Edinburgh, Manchester & London we service most areas within the UK. We can support any size of company. We excel in delivering a fast, reliable and accountable service to our clients. We take a flexible approach to IT which is determined by our clients’ business needs. We can operate as the client’s IT department, or add to an existing IT resource within the company. Our people are highly trained professionals who have the expertise to assess, repair and maintain any PC, server, network or Apple Macintosh system.

JWR Constructions

JWR Constructions specialises in architectural glass and aluminium products, such as doors, bi-fold doors, windows, shop fronts, balustrades, pool fences, shower screens, splash backs and much more. Based in Kirrawee (Sydney), they have clients all over the country.