Category: PHP Stuff
Posted by: spyhwearslayer
The answer is a little piddly bit more complicated, but we are going to tell you anyway.
This article assumes that you have successfully installed a MySQL server on your local computer. I also assume that you have successfully installed Apache Web Server and PHP, and have configured Apache to recognise that PHP is installed. You should know if PHP is recognised by the local web server because Apache Monitor will say so when you start it up. At the bottom of the monitor you will see Apache version 2.2.11 or whatever, but you will also see /php/5.2.5 or whatever.
To check that PHP is definitely working, create an HTML file with a bit of PHP in it calling either phpinfo();
or try:
<?php
// Prints an array of every extension PHP has loaded
print_r(get_loaded_extensions());
?>
That will print out an array of all loaded extensions, which is useful and is also a test to see if PHP is in fact working.

Do be careful, though, to see if the MySQL server has been installed with one or more anonymous users. Put simply, these are users with no password, and if they do exist then connecting to your local server using any user name will fail. There are two things to do, or possibly three, and those are:
A. Write a bit of code to reveal whether those anonymous users are in fact there, and look at the result.
B. Remove any anonymous users you find completely.
C. Create a user with a password you know and make a really careful note of that user's name and their password.

That's it, except remember that in MySQL all users' passwords are encrypted, so that means you cannot just issue a command to reveal one. Well, that's how it is!
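Steps A to C as one script, added here as an example and not taken from the original post. It assumes a local MySQL server and an administrator login; the account name 'webform', the database name 'callout' and the environment variable MYSQL_ADMIN_PASSWORD are hypothetical, and limiting the new account to SELECT and INSERT on one database goes a little beyond step C.

```php
<?php
// Added example, not the blog author's code. Assumptions: a local MySQL
// server, an admin login in $adminUser/$adminPass, and the hypothetical
// names 'webform' (new account) and 'callout' (database).
$adminUser = 'root';
$adminPass = getenv('MYSQL_ADMIN_PASSWORD') ?: '';  // hypothetical env var
$newUser   = 'webform';
$database  = 'callout';
$newPass   = bin2hex(random_bytes(16));             // needs PHP 7 or later

$pdo = new PDO('mysql:host=localhost', $adminUser, $adminPass, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,    // fail loudly on SQL errors
]);

// A. Reveal anonymous accounts: MySQL stores them as rows in mysql.user
//    with an empty User column.
$anonymous = $pdo->query("SELECT Host FROM mysql.user WHERE User = ''")
                 ->fetchAll(PDO::FETCH_COLUMN);
echo count($anonymous), " anonymous account(s) found\n";

// B. Remove each one. Host comes from the server's own table, but it is
//    still quoted rather than pasted into the statement raw.
foreach ($anonymous as $host) {
    $pdo->exec("DROP USER ''@" . $pdo->quote($host));
    echo "removed ''@{$host}\n";
}

// C. Create a named account with a password, limited to one database.
//    CREATE USER throws if the account already exists.
$account = $pdo->quote($newUser) . "@'localhost'";
$pdo->exec("CREATE USER {$account} IDENTIFIED BY " . $pdo->quote($newPass));
$pdo->exec("GRANT SELECT, INSERT ON `{$database}`.* TO {$account}");
echo "created {$newUser}@localhost with password {$newPass} (note it down now)\n";
```

Run it from the command line rather than through the web server, since it prints the new password once and does not store it anywhere.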
Category: PHP Stuff
Posted by: spyhwearslayer
We offer intense and sudden training in PHP and MySQL, along with Fireworks, to a practical and intermediate level right in the centre of Reading, Berkshire. Just go to chephrenrepairs.com and scroll down to the links there, or if that's not convenient then come back to this blog and follow one of the new links in the links section, or follow this link right here and now: PHP and MySQL Intense Training. Or ring us up; you can find us at yell.com
Category: PHP Stuff
Posted by: spyhwearslayer
We are writing a computer repair call-out calculator using PHP. This requires a flat file storing the first three characters of the post code, followed by the call-out cost range. One problem is that we need a form to enter new locations to place into the data file, and we need another form to take the post code that the web page user enters. If you try to put two forms that have separate actions on one page, you may encounter problems. You also need to consider carefully whether all the code that works out the line in the flat file is going to go into the same PHP script that the form is in, or whether you are going to place it in another form.
We will explain in some further posts to this blog shortly. These are very subtle aspects of PHP writing, but the devil is in the detail. So if you are interested in PHP writing then revisit the Computer Fixer blog, where we explain aspects of writing PHP scripts every now and again. In fact they will be in their own category.
Category: PHP Stuff
Posted by: spyhwearslayer
Basically, if you write a form and then write a PHP script to place the data entered into that form into a MySQL database, you may be laying yourself open to a so-called injection attack, or more correctly an SQL injection attack! What is an injection attack, you ask? Well, it is where somebody deliberately places text into one of the fields in your form that is designed to run some SQL query. This query tries to find out about your database: what tables are in it, what the tables are called, and whether there is any data that can be selected from a table and then displayed on the screen. You get the idea. If an attack is successful, it may be able to extract data from your own database on your database server and read it. It may also be able to read it and store it, and then perhaps destroy your tables partially or completely! If you know enough about writing an SQL query, and you are able to get the server on the web site you are attacking to run that query, you can cause absolute havoc and really mess stuff up. But that's why we are going to write about steps you can take to make this far more difficult. Ultimately these steps make writing your PHP script both longer and harder and more involved, but a little bit of caution is justified and worthwhile.

Here are some simple things you should do.

1. A new installation of MySQL comes with an administrator that has no password and two guest accounts. Make sure you give the administrator a password that is fairly long and hard to crack, like more than 6 characters and not made of guessable words, and disable the guest accounts. We will put more details about this (plus how to do it) in further posts on this blog shortly.

2. Make sure that you investigate the PHP functions that remove characters that are required to write an SQL query. There are a few of these functions, and you can apply them to the text entered by your user before you allow the text to be placed inside the database table.

3. Make sure that the PHP script that you write to process your web form has very limited rights to the database it connects to. In other words, on a live web server do not connect to the MySQL server using the root or so-called super user! Use another user that has restricted rights to that database. Expect more on this in further blog entries.

4. You can, if you wish, give the tables in your database unusual names. So instead of having a table called Users and a table called Customers, you could have a table called Marbles, or a table called Gee_Gees. Sounds just plain mad? Well, maybe not, because someone attacking your MySQL database has got to guess the table name in order to select records from it or to destroy it, haven't they?
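A form handler's query written two ways, added here as an example and not taken from the original post. It uses bound parameters (prepared statements) rather than the character-removing functions item 2 refers to, and an in-memory SQLite database through PDO so that it runs without a server; the table, rows and form input are constructed for the demonstration.

```php
<?php
// Added example, not the blog author's code. SQLite in memory is an
// assumption so this runs offline; for MySQL only the DSN changes, and the
// login should be the restricted user from item 3, not root.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$pdo->exec("INSERT INTO customers (name, email) VALUES
            ('Alice', 'alice@example.test'), ('Bob', 'bob@example.test')");

// Vulnerable: the field's text is pasted into the query, so a quote in the
// input ends the string literal and whatever follows is read as SQL.
function findUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT name, email FROM customers WHERE name = '$name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the query text is fixed. The input travels separately as a bound
// value and can only ever be compared against the name column.
function findSafe(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT name, email FROM customers WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed form input, standing in for $_POST['name'].
$inputs = ['Alice', "nobody' OR '1'='1"];
foreach ($inputs as $input) {
    printf("%-20s unsafe: %d row(s)   safe: %d row(s)\n",
        $input, count(findUnsafe($pdo, $input)), count(findSafe($pdo, $input)));
}
```

The second input matches no customer, so any rows the unsafe version returns for it came from the input rewriting the WHERE clause.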

Expect more on this specific subject shortly, and come back to "The Computer Fixer Blog", new and launched July 2007. Another great idea from Chephrenrepairs.com

Prevention of an SQL injection attack is in itself a fairly small subject, but it requires a number of steps and specific knowledge to do well, and you need specific knowledge of PHP to carry it off.
We highly recommend Wellho.net, otherwise known as Well House Consultants Ltd, based in Wiltshire, for PHP training, and of course the forum that they run on their web site. See the link here to Well House Consultants Ltd: http://www.wellho.net