Make PHP’s $_POST data more secure

PHP is a great programming language, but it is not a framework like many of the newer “languages”, and as such its basic functions are not as secure as a modern web application requires. Trusting PHP’s $_POST is risky, but we have functions that can help make PHP’s $_POST data more secure. This is done by using a few of PHP’s functions to get and filter the variable data and provide it in a somewhat more secure manner.

Web application security, nowadays, is quite different to when PHP first started as “Personal Home Page”, and you need to ensure that any “web application” you publish is as secure as possible. Using submitted data (via $_GET or $_POST) directly without filtering is not a good idea in almost any situation. There are a few exceptions where we think this is acceptable, and we cover these below.

So we are providing an alternative to reading the $_POST variable directly: a function which returns the same data after we make PHP’s $_POST data more secure by filtering (sanitizing) it for naughty stuff. Explanations are below, but here is the function …

Function to make PHP’s $_POST data more secure

function Input_Post($par, $parType = '')
{
	// $par is the NAME of the posted field, so gettype($par) is always 'string'
	// and an empty $parType falls through to the default (string) case below.
	if($parType == '')
	{
		$parType = gettype($par);
	}
	// Keep the raw submitted value so we can tell whether sanitizing changed anything.
	$raw = isset($_POST[$par]) ? $_POST[$par] : null;
	$return = '';
	switch ($parType) {
		case 'email':
			$return = filter_input(INPUT_POST, $par, FILTER_SANITIZE_EMAIL);
			break;
		case 'int':
			$return = filter_input(INPUT_POST, $par, FILTER_SANITIZE_NUMBER_INT);
			break;
		case 'float':
			$return = filter_input(INPUT_POST, $par, FILTER_SANITIZE_NUMBER_FLOAT);
			break;
		case 'double':
			$return = filter_input(INPUT_POST, $par, FILTER_SANITIZE_NUMBER_FLOAT);
			break;
		case 'url':
			$return = filter_input(INPUT_POST, $par, FILTER_SANITIZE_URL);
			break;
		default: // 'string'
			// FILTER_SANITIZE_STRING is deprecated since PHP 8.1;
			// FILTER_SANITIZE_FULL_SPECIAL_CHARS is the usual replacement.
			$return = filter_input(INPUT_POST, $par, FILTER_SANITIZE_STRING);
			break;
	}
	// filter_input() returns null when the field was not posted at all.
	// Compare the raw VALUE (not the field name) with the filtered one.
	if($raw !== null && $raw != $return)
	{
		//Log error to SQL and ban if more than predefined amount of errors in predefined amount of time ...
	}
	return $return;
}

Explanation

The function name should be short and succinct. We think input_post() is about as good as we need it, but you may also like _post().

We also need two parameters ($par and $parType) in some situations, to check for email addresses for example.

Next we make the second parameter $parType optional and, when it is not given, check the type of the first variable (using gettype()). This is important to ensure we apply the correct kind of sanitizing and filtering to the input data, so that harmful data is filtered out without losing any important data.

Now comes the critical part: sanitizing the data based on its type and storing the result in the $return variable.

Using a switch (or case) is more efficient than if/elseif when dealing with many options, and it just looks better.

The last test checks whether the returned data $return differs from the input data $par (i.e. whether any filtering / sanitizing changed it). If it does, we can call a logging function so the event is logged for auditing / banning users (we run functions that log to an SQL table and check how many failures have occurred in X days for this session footprint), but this is beyond the scope of this post.

Then, return the filtered data $return.

Implementation

Using STG’s Input_Post() function is as simple as replacing occurrences of:
$_POST['variable']
with
Input_Post('variable')

Exceptions

As stated above, there are exceptions to when you can use $_POST variables directly. We only use submitted data directly when testing it, such as checking whether it equals a value:

if($_POST['me'] == 'you')
{
	echo 'you';
}
elseif($_POST['me'] == 'me')
{
	echo 'me';
}
else
{
	echo 'you and me';
}

Unless you make PHP’s $_POST data more secure, you should NEVER EVER trust any $_GET or $_POST variable; using it directly should be avoided. We prefer to use submitted data only for making decisions, as above.

Make PHP’s $_GET data more secure

PHP is a great programming language, but it is not a framework like many of the newer “languages”, and as such its basic functions are not as secure as a modern web application requires. Trusting PHP’s $_GET is risky, but we have functions that can help make PHP’s $_GET data more secure. This is done by using a few of PHP’s functions to get and filter the variable data and provide it in a somewhat more secure manner.

Web application security, nowadays, is quite different to when PHP first started as “Personal Home Page”, and you need to ensure that any “web application” you publish is as secure as possible. Using submitted data (via $_GET or $_POST) directly without filtering is not a good idea in almost any situation. There are a few exceptions where we think this is acceptable, and we cover these below.

So we are providing an alternative to reading the $_GET variable directly: a function which returns the same data after we make PHP’s $_GET data more secure by filtering (sanitizing) it for naughty stuff. Explanations are below, but here is the function …

Function to make PHP’s $_GET data more secure

function Input_Get($par, $parType = '')
{
	// $par is the NAME of the query-string field, so gettype($par) is always 'string'
	// and an empty $parType falls through to the default (string) case below.
	if($parType == '')
	{
		$parType = gettype($par);
	}
	// Keep the raw submitted value so we can tell whether sanitizing changed anything.
	$raw = isset($_GET[$par]) ? $_GET[$par] : null;
	$return = '';
	switch ($parType) {
		case 'email':
			$return = filter_input(INPUT_GET, $par, FILTER_SANITIZE_EMAIL);
			break;
		case 'int':
			$return = filter_input(INPUT_GET, $par, FILTER_SANITIZE_NUMBER_INT);
			break;
		case 'float':
			$return = filter_input(INPUT_GET, $par, FILTER_SANITIZE_NUMBER_FLOAT);
			break;
		case 'double':
			$return = filter_input(INPUT_GET, $par, FILTER_SANITIZE_NUMBER_FLOAT);
			break;
		case 'url':
			$return = filter_input(INPUT_GET, $par, FILTER_SANITIZE_URL);
			break;
		default: // 'string'
			// FILTER_SANITIZE_STRING is deprecated since PHP 8.1;
			// FILTER_SANITIZE_FULL_SPECIAL_CHARS is the usual replacement.
			$return = filter_input(INPUT_GET, $par, FILTER_SANITIZE_STRING);
			break;
	}
	// filter_input() returns null when the field is absent from the query string.
	// Compare the raw VALUE (not the field name) with the filtered one.
	if($raw !== null && $raw != $return)
	{
		//Log error to SQL and ban if more than predefined amount of errors in predefined amount of time ...
	}
	return $return;
}

Explanation

The function name should be short and succinct. We think input_get() is about as good as we need it, but you may also like _get().

We also need two parameters ($par and $parType) in some situations, to check for email addresses for example.

Next we make the second parameter $parType optional and, when it is not given, check the type of the first variable (using gettype()). This is important to ensure we apply the correct kind of sanitizing and filtering to the input data, so that harmful data is filtered out without losing any important data.

Now comes the critical part: sanitizing the data based on its type and storing the result in the $return variable.

Using a switch (or case) is more efficient than if/elseif when dealing with many options, and it just looks better.

The last test checks whether the returned data $return differs from the input data $par (i.e. whether any filtering / sanitizing changed it). If it does, we can call a logging function so the event is logged for auditing / banning users (we run functions that log to an SQL table and check how many failures have occurred in X days for this session footprint), but this is beyond the scope of this post.

Then, return the filtered data $return.

Implementation

Using STG’s Input_Get() function is as simple as replacing occurrences of:
$_GET['variable']
with
Input_Get('variable')

Exceptions

As stated above, there are exceptions to when you can use $_GET variables directly. We only use submitted data directly when testing it, such as checking whether it equals a value:

if($_GET['me'] == 'you')
{
	echo 'you';
}
elseif($_GET['me'] == 'me')
{
	echo 'me';
}
else
{
	echo 'you and me';
}

Unless you make PHP’s $_GET data more secure, you should NEVER EVER trust any $_GET or $_POST variable; using it directly should be avoided. We prefer to use submitted data only for making decisions, as above.
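An added example for both the $_POST and $_GET sections above (not STG’s function or any code from this page), showing why sanitizing and validating are separate steps: the sanitize filters silently rewrite a bad value into a "clean" one, while the validate filters reject it, and HTML encoding is still needed at output time. It runs over a constructed array with filter_var(), since filter_input(INPUT_POST, …) reads the real request and sees nothing from the CLI; the names sanitise(), validate() and wasAltered() are my own.

```php
<?php
declare(strict_types=1);

// Constructed sample request body (not a real request): a numeric field with junk
// appended, an email carrying a CRLF header-injection attempt, a string with markup,
// and one well-formed integer.
$post = [
    'age'   => '42abc',
    'email' => "a@example.com\r\nBcc: b@example.com",
    'name'  => 'Ann <script>alert(1)</script>',
    'id'    => '7',
];

// Sanitize, as the Input_Post()/Input_Get() approach does: strips disallowed
// characters, but turns a bad value into a different value without telling you.
function sanitise(array $src, string $field, string $type)
{
    $filters = [
        'int'    => FILTER_SANITIZE_NUMBER_INT,
        'float'  => FILTER_SANITIZE_NUMBER_FLOAT,
        'email'  => FILTER_SANITIZE_EMAIL,
        'url'    => FILTER_SANITIZE_URL,
        'string' => FILTER_SANITIZE_FULL_SPECIAL_CHARS, // successor to FILTER_SANITIZE_STRING
    ];
    if (!isset($src[$field])) {
        return null;
    }
    return filter_var($src[$field], $filters[$type] ?? FILTER_DEFAULT);
}

// Validate: accept the value only if it already has the expected shape, otherwise
// return false. This is what you want for anything used in a decision or a query.
function validate(array $src, string $field, string $type)
{
    $filters = [
        'int'   => FILTER_VALIDATE_INT,
        'float' => FILTER_VALIDATE_FLOAT,
        'email' => FILTER_VALIDATE_EMAIL,
        'url'   => FILTER_VALIDATE_URL,
    ];
    if (!isset($src[$field])) {
        return false;
    }
    if ($type === 'string') {
        // No validate filter exists for free text: enforce a length limit and
        // reject control characters (CR/LF etc.), but leave markup to output encoding.
        $v = $src[$field];
        return (strlen($v) <= 100 && !preg_match('/[\x00-\x1F\x7F]/', $v)) ? $v : false;
    }
    return filter_var($src[$field], $filters[$type]); // false when the value is rejected
}

// The tamper check the page's function intends: raw value differs from sanitized value.
function wasAltered(array $src, string $field, string $type): bool
{
    return isset($src[$field])
        && (string) $src[$field] !== (string) sanitise($src, $field, $type);
}

foreach ([['age', 'int'], ['email', 'email'], ['name', 'string'], ['id', 'int']] as [$f, $t]) {
    printf("%-5s sanitised=%s validated=%s altered=%s\n",
        $f,
        var_export(sanitise($post, $f, $t), true),
        var_export(validate($post, $f, $t), true),
        wasAltered($post, $f, $t) ? 'yes' : 'no');
}

// Encoding belongs at the output boundary, for the context the value lands in (here HTML):
echo htmlspecialchars((string) validate($post, 'name', 'string'), ENT_QUOTES | ENT_HTML5, 'UTF-8'), "\n";
```

Only 'id' passes both filters unchanged; 'age' and 'email' are "cleaned" into different values by sanitizing but rejected outright by validating, which is the behaviour you want before the logging/banning step described above.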

Icons for webpages using Font-Awesome

At SecureTech, our staff have been creating websites since the early days of the web. When we first started building webpages (20+ years ago), it was rather difficult to put icons on webpages, as each icon required the developer (there was no such thing as a web designer back then …) to create it as an image and upload it to the site, before writing an <img> tag to insert it into the code. Now, we can have icons for webpages using Font-Awesome, which is awesome (it had to be said…).

Font-Awesome allows the web designer or developer to quickly insert some Unicode to produce an icon, or to use CSS to insert it wherever required after the development is done (provided the developer allowed for this by labelling each section of the HTML appropriately).

We needed a list of the available icons in Font-Awesome and decided to create a list of the Font-Awesome icons on our website, to make it easier for others to use (but it's mostly for us).

IPChanger for Windows IPV4 settings

IPChanger for Windows 10 allows you to change your IP address details with just two clicks, and to disconnect/reconnect adapters.

WARNING
This program is designed to be used by personnel who administer networks and/or have a good understanding of the network addressing schemes of their networks.
Using this program incorrectly may stop your computer from accessing or being accessible on the network, and you may lose your internet connection.

Download

Download IPChangerV3.8

Screenshots

Welcome Screen for IPChanger (V3.8)
Main Screen for IPChanger (V3.8)

History

Originally created by Timmio (circa 2009), the application was updated by us to deal with Windows 7 changes and then again for Windows 10. Unfortunately the original location of the software has been lost to us, so we cannot link to it. If you find it, please comment below, so we can give credit where it's due.

Backup MYSQL databases on Windows 10 free Script

We needed a simple way to automatically back up MySQL on Windows 10 for free. Our development and testing environments required:

  • The convenience of backing up all DBs (as This Script does).
  • Ability to exclude some of the DBs in each machine.
  • Date stamped backups, so changes are backed up each day.
  • Free and preferably open-source.
  • Easy to integrate into our existing backup scripts.

A quick search turned up nothing. We decided to extend the above-mentioned script’s functionality to include what we require. Provided below are the important parts of the script:

rem Excerpt: dbUser, dbPassword, backupDir, dirName, fileSuffix, mysqldump, zip and Debug
rem are set at the top of the full script, and the loop runs inside the MySQL data directory.
rem Delayed expansion is required for the !var! counters used inside the loop.
setlocal EnableDelayedExpansion
set Counterf=0
set Counterb=0
rem allows for skipping of particular databases
set SkipThis=0
for /d %%f in (*) do (
    set /A Counterf+=1
    rem "::" comments are unsafe inside a parenthesised block, so use rem here
    rem remove echo here if you like
    echo processing folder "%%f"
    pushd "%~dp0"
        set Countera=0
        for %%a in (*.exclude) do (
            rem increment the counter, so we know how many files we have read.
            set /A Countera+=1
            if "%Debug%" == "1" echo DEBUG - Exclude file found: "%%~na"
            rem NTFS file names are case-insensitive, so compare with /I
            if /I "%%a" == "%%f.exclude" set SkipThis=1
            if !SkipThis! == 1 if "%Debug%" == "1" echo DEBUG - Skipping Backup of "%%f"
        )
        if "%Debug%" == "1" echo DEBUG - !Countera! exclude files checked
    popd

    if !SkipThis! == 0 (
        rem A password on the command line is visible to other local users in the process list;
        rem a --defaults-extra-file with restricted permissions is the safer way to pass it.
        %mysqldump% --host="localhost" --user=%dbUser% --password=%dbPassword% --single-transaction --add-drop-table --databases "%%f" > "%backupDir%\%dirName%\%%f.sql"
        %zip% a -tzip "%backupDir%\%dirName%\%fileSuffix%_%%f.sql.zip" "%backupDir%\%dirName%\%%f.sql"
        set /A Counterb+=1
    )

    rem make sure to set this back to normal, so we don't skip the next DB backup as well
    set SkipThis=0
)
echo DONE - !Counterf! DBs found, !Counterb! DBs backed up
endlocal

We then just need to create some blank files with the “.exclude” extension. The “.exclude” files have the same name as the DB to exclude; for example, “sys.exclude” will exclude the “sys” DB from backups.

Licensing is as usual: this script is open source, and we provide a download for your ease of use.

Troubleshooting

  1. If backups are not created, check that all your location variables are set correctly.

How to Use

  1. Download the MySQL Backup Script and extract it into a suitable location.
  2. Open “MySQLBackup.bat” in Notepad++ (or similar).
  3. You will need to change the dbUser, dbPassword, backupDir, mysqldump, mysqlDataDir and zip file/app locations on lines 4-9.
  4. Save the file and run it (you can open a command prompt by typing cmd into the title bar of Explorer).
  5. The script will now be executable. Go to your command prompt and run it to back up your databases.
  6. If backups are not created, check that all your location variables are set correctly.

Next time you need to back up MySQL on Windows 10 for free, use this script to make it easy.

SCPrompt Version 1.11.4.47 released

So much has changed in this version that we figured it was about time to move to version #1 …

**Link removed as old & dead now**

New manual version released (We realised this hadn’t been updated in a while … only about 2 years old)

**Link removed as old & dead now**

Updates for THIS release

  • Add – All GUI – Disclaimer GUI shows on startup if disclaimer.htm or disclaimer_*language*.htm exists in the scprompt dir (examples: disclaimer_english.htm or disclaimer_german.htm)
  • Add – All GUI – New tool menu to allow whiteboard writing on screen
  • Add – All GUI – New tool menu to start the Beacon GUI to call the user back to the screen.
  • Add – All GUI – Contextual menu on the Main GUI screens (doesn’t work too well on button or automatic GUIs, but otherwise works well)
  • Add – Auto GUI – Translations are now available for this GUI type
  • Add – Auto GUI – Is now an option in GUI_Type within the INI (in addition to the command line)
  • Add – Auto GUI – Option to disable beeps on timer count-down ([Common] > GUIAUTOSILENT=1)
  • Add – Manual GUI – Is now an option in GUI_Type within the INI (will make the settings manager easier to set up for manual & automatic GUIs).
  • Add – Button GUI – Service Mode (untested, and needs refining, but it’s there)
  • Add – Builder – NSIS added to Builder (I just turned the batch script into the AutoIt script … so now it uses the directory name as the application name)
  • Add – Builder – Setting for Pre (Before) & Post (After) when creating the shortcuts in NSIS mode Builder.INI (best I can do at this point)
  • Add – Settings Manager – New settings manager (has 4 tabs in it now, to make selections a little easier to understand, and give me room to add more settings as required).
  • Add – Settings Manager – A “test it” button (or press “CTRL + T”).
  • Add – Settings Manager – GUI (accelerator) shortcut keys for Apply (“CTRL + S”) and new test (“CTRL + T”)
  • UPDATE – Settings Manager – Now uses (most of) the latest settings and should be easier and better to use (a few of the minor settings are left out, but it is enough for the moment)
  • UPDATE – All GUI – Changed all languages to use separate language INI files (including English) to allow better selection of languages and easier maintenance into the future.
  • UPDATE – All GUI – Translations now all use the LANG_*****.INI files. All OS IDs are now automatic; may add a manual override at a later date if required.
  • UPDATE – All GUI – Make sure all translated languages are in this release
  • FIX – Error with Combo GUI and one predefined connection + Manual (the predefined connection would disappear, leaving only Manual)
  • Removed – All GUI – Dependency on [Common] > UsePredefined=1 has been removed as it is no longer needed, since Manual is now a GUI_Type option

TO-DO for NEXT release

  • Add – Translator – New app that allows easy selection and addition of languages, which can then be listed for blank translations
  • Add – All GUI – If Admin, shut down all known other versions of VNC before starting SCPrompt in service mode, then start them up again on exit (save the services we stopped to a temp .ini to allow for recovery after support finishes, no matter how many reboots later that is)
  • Add – Builder – Allow setting of company name and more from the INI for the NSIS package type
  • Add – Settings Manager – Option to set up your own UVNC password (and read the current one in, if possible)
  • UPDATE – All GUI – UVNC version to 1.0.9.5+ (requires the above in the settings manager)
  • UPDATE – Buttons GUI – Fix: when the Manual button is pressed, the manual address, port & ID inputs cannot be clicked (but can be tabbed to)
  • UPDATE – All GUI – Get all translations updated !!!
  • FIX – Auto GUI – Diagnose why the icon doesn’t change on the automatic GUI … (why does it ?)

Delayed indefinitely

  • Add – All GUI – Safe-mode starting of the VNC server – the latest BETA version of the UVNC server allows for rebooting to safe mode … so this is not needed anymore; just replace winvnc.exe with the latest BETA (which is already a to-do for the next release)

YTS Backup Script

Download YTS Backup Script

YTS_Backup_script.cmd is an easily customisable backup script for Windows.

Through the use of .backup files, it's easy to add extra directories or files to back up when it runs.

To set up, extract the files from the ZIP into a directory.
Once extracted, edit the “YTS_Backup_script.cmd” file with Notepad++ or similar.

You will then need to set up your script location and backup directory location.

  1. Look for “set ScriptDir=D:\files\Projects\YTS_Backup_Scripts” and change it to suit your needs.
     NOTE: This directory name must not contain any spaces, or the script will fail.
  2. Look for “set ScriptDrive=D:” and change it to suit your needs.
  3. Look for “set BackupDir=C:\Backups\Manual” and change it to suit your needs.
  4. Look for “set BackupDrive=C:” and change it to suit your needs.
  5. Open “mydocs.bac” with Notepad++ by double-clicking on the file and associating it with Notepad++.
     Edit this file to your needs. The file contains only two lines.
     Line 1 is the source file or directory for xcopy to use.
     Line 2 is the destination file or directory for xcopy to use.
     NOTE: do not add extra lines to this file, as this will break the script. Two lines only.
  6. Open “Outlook.bac” with Notepad++.
     Edit this file to your needs.
     To add more files to your backup, simply add another .bac file to the script directory and enter the details correctly.

Download YTS_Backup_script

PC Beacon

PC Beacon flashes the screen and speaks “Attention Required” from the speakers of the computer (using . It was made for use on customer sites where you are remotely controlling a computer and either require the user's attention again, or need someone to find the appropriate PC quickly and easily.

Download PC Beacon

This is achieved through changing the background colour of a full-screen window (with no borders). The colour change rate is easily changeable (set to once per second as standard).

As normal, this application is written in the AutoIt scripting language, and has the source code included as a resource of the application.

Minor modifications would be needed to allow setting of all variables from an INI, as the whole script is contained within one function (to allow easy importing into existing projects).

Application is licensed under GPL 3 or later.

Web Accessibility

Web accessibility refers to the inclusive practice of making websites usable by people of all abilities and disabilities. When sites are correctly designed, developed and edited, all users can have equal access to information and functionality.

It is an important aspect of a company’s web presence, and can have a profound impact on their user-base and how their users interact with their company.

The WAI (Web Accessibility Initiative) was set up by the World Wide Web Consortium (W3C), the governing body for standards and technologies used throughout the web (founded by the creator of the WWW, Tim Berners-Lee).

Moral Dimension

Ensuring your website is accessible means that people with various disabilities can perceive, understand, navigate, and interact with the Web, and that they can also contribute to the Web.

Legal Dimension

In the UK, US and other places, it is law that all websites be accessible. Within Australia, the Disability Discrimination Act makes it illegal for companies to provide an inferior service to, or discriminate against, a disabled person. This legislation extends to websites.

Despite all this, recent studies by the Equality and Human Rights Commission (UK) and the United Nations have shown that compliance has been very slow.

Business Dimension

Aside from the legal and moral obligations, there are compelling arguments to ensure WAI compatibility from a business perspective. There is a consensus that any site that conforms to the WAI guidelines benefits all users, irrespective of their abilities, due to the general improvements in site navigation and usability, download speed, content clarity and quality of mark-up that compliance provides.

Failing to make a website accessible could mean a very real loss of potential business. The competitive nature of business is born out of the advantages a company can rely on.

When you consider that people with disabilities have a disposable income of £80 billion per year in the UK alone, and that people aged over sixty have a large spending power, it would seem that ignoring these demographics could result in considerable financial losses.

The needs that Web accessibility aims to address include:

  • Visual: Visual impairments including blindness, various common types of low vision and poor eyesight, and various types of colour blindness;
  • Motor/Mobility: e.g. difficulty or inability to use the hands, including tremors, muscle slowness, loss of fine muscle control, etc., due to conditions such as Parkinson’s Disease, muscular dystrophy, cerebral palsy, stroke;
  • Auditory: Deafness or hearing impairments, including individuals who are hard of hearing;
  • Seizures: Photoepileptic seizures caused by visual strobe or flashing effects;
  • Cognitive/Intellectual: Developmental disabilities, learning disabilities (dyslexia, dyscalculia, etc.), and cognitive disabilities of various origins, affecting memory, attention, developmental “maturity,” problem-solving and logic skills, etc.


Amputee Association of NSW ‘Lost’ website

A few years ago, we started working with the Amputee Association of NSW as a pro-bono technology partner. At that stage, we offered the association our assistance in building a website.

After some investigation, we realised that the association already had a website, but that the domain name registration had lapsed and so the site was no longer available on the internet. We then used “the Wayback Machine” to retrieve the old site information and set about retrieving the information from it that was still relevant.

Further investigation led us to the fact that the site was previously hosted by Monash University's Rehab Technology Research Unit. A quick phone call to them established that they had lost contact with the old maintainer of the website (a former member of AANSW), and that the domain name had lapsed without notice (in fact, they could still see the site locally, as the internal Monash DNS servers were still resolving the name within Monash).

We asked if they could give us a copy of the original site, and received a zip via email within minutes …

They then offered to host the site again for the association, which we were grateful for (as at that time we did not host clients' websites).

This was how the Amputee Association of NSW committee found out that they had an old website, which had lain dormant for several years.

After much discussion, it was decided that a website built around a Content Management System would suit their needs best, as it would allow editing of content by authorised members without technical intervention.