Archive for December, 2007

CHAPTER 21 SECURE PHP PROGRAMMING 519 disable_classes

Monday, December 31st, 2007

CHAPTER 21 SECURE PHP PROGRAMMING 519

disable_classes (string)
Scope: PHP_INI_SYSTEM; Default value: NULL

Given the new functionality offered by PHP's embrace of the object-oriented paradigm, it likely won't be too long before you're using large sets of class libraries. However, there may be certain classes found within these libraries that you'd rather not make available. You can prevent the use of these classes with the disable_classes directive. For example, suppose you want to completely disable the use of two classes, named administrator and janitor:

    disable_classes = "administrator, janitor"

Note that the influence exercised by this directive does not depend on the safe_mode directive.

doc_root (string)
Scope: PHP_INI_SYSTEM; Default value: NULL

This directive can be set to a path that specifies the root directory from which PHP files will be served. If the doc_root directive is set to nothing (empty), it is ignored, and the PHP scripts are executed exactly as the URL specifies. If safe mode is enabled and doc_root is not empty, PHP scripts residing outside of this directory will not be executed.

max_execution_time (integer)
Scope: PHP_INI_ALL; Default value: 30

This directive specifies for how many seconds a script can execute before being terminated. This can be useful to prevent users' scripts from consuming too much CPU time. If max_execution_time is set to 0, no time limit will be set.

memory_limit (integer)
Scope: PHP_INI_ALL; Default value: 8M

This directive specifies, in megabytes, how much memory a script can use. Note that you cannot specify this value in terms other than megabytes, and that you must always follow the number with an M. This directive is only applicable if --enable-memory-limit was enabled when you configured PHP.

open_basedir (string)
Scope: PHP_INI_SYSTEM; Default value: NULL

PHP's open_basedir directive can establish a base directory to which all file operations will be restricted, much like Apache's DocumentRoot directive. This prevents users from entering otherwise restricted areas of the server. For example, suppose all Web material is located within the directory /home/www. To prevent users from viewing and potentially manipulating files like /etc/passwd via a few simple PHP commands, consider setting open_basedir like so:

    open_basedir = "/home/www/"

518 CHAPTER 21 SECURE PHP PROGRAMMING Note

Sunday, December 30th, 2007

518 CHAPTER 21 SECURE PHP PROGRAMMING

Note that specifying a particular path without a trailing slash will cause all directories falling under that path to also be ignored by the safe mode setting. For example, setting this directive to /home/configuration means that /home/configuration/templates/ and /home/configuration/passwords/ are also exempt from safe mode restrictions. Therefore, if you'd like to exclude just a single directory or set of directories from the safe mode settings, be sure to conclude each with the trailing slash.

safe_mode_allowed_env_vars (string)
Scope: PHP_INI_SYSTEM; Default value: "PHP_"

When safe mode is enabled, you can use this directive to allow certain environment variables to be modified by the executing user's script. You can allow multiple variables to be modified by separating each with a comma.

safe_mode_exec_dir (string)
Scope: PHP_INI_SYSTEM; Default value: NULL

This directive specifies the directories in which any system programs reside that can be executed by functions such as system(), exec(), or passthru(). Safe mode must be enabled for this to work. One odd aspect of this directive is that the forward slash (/) must be used as the directory separator on all operating systems, Windows included.

safe_mode_protected_env_vars (string)
Scope: PHP_INI_SYSTEM; Default value: LD_LIBRARY_PATH

This directive protects certain environment variables from being changed with the putenv() function. By default, the variable LD_LIBRARY_PATH is protected, because of the unintended consequences that may arise if this is changed at run time. Consult your search engine or Linux manual for more information about this environment variable. Note that any variables declared in this section will override anything declared by the safe_mode_allowed_env_vars directive.

Other Security-Related Configuration Parameters

This section introduces several other configuration parameters that play an important role in better securing your PHP installation.

disable_functions (string)
Scope: PHP_INI_SYSTEM; Default value: NULL

For some, enabling safe mode might seem a tad overbearing. Instead, you might want to just disable a few functions. You can set disable_functions equal to a comma-delimited list of function names that you want to disable. Suppose that you want to disable just the fopen(), popen(), and file() functions. Just set this directive like so:

    disable_functions = fopen,popen,file

Note that this directive does not depend on whether safe mode is enabled.
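The directives covered in this post and in the page 519 post above (disable_functions, disable_classes, open_basedir, max_execution_time, memory_limit) are only as good as the values actually loaded by the SAPI that serves your scripts. The following audit script is an added example and is not code from the book; it reads the live values with ini_get() and compares them with a policy. The $policy values, the function names and the script name are this example's own assumptions, to be adapted to your deployment. It needs PHP 8.0 or later.

```php
<?php
// Added example (not from the book): read-only audit of the hardening
// directives discussed in the text. Run as `php audit_ini.php` on the CLI or
// place it under the document root to audit the web SAPI; each SAPI may load
// its own php.ini, so the results can differ between the two.

// Comma-delimited ini lists (disable_functions, disable_classes) -> normalised array.
function ini_list(string $value): array
{
    if (trim($value) === '') {
        return [];
    }
    return array_map(static fn($v) => strtolower(trim($v)), explode(',', $value));
}

// "8M", "128M", "1G" or "-1" (unlimited) -> bytes, or -1 when unlimited.
function ini_bytes(string $value): int
{
    $value = trim($value);
    if ($value === '-1') {
        return -1;
    }
    $num = (int) $value;
    return match (strtoupper(substr($value, -1))) {
        'G'     => $num * 1024 ** 3,
        'M'     => $num * 1024 ** 2,
        'K'     => $num * 1024,
        default => $num,
    };
}

// Compare the live configuration with a policy; returns a list of findings
// (an empty array means every check passed).
function audit_hardening(array $policy): array
{
    $findings = [];

    $disabled = ini_list((string) ini_get('disable_functions'));
    foreach ($policy['disable_functions'] as $fn) {
        if (!in_array(strtolower($fn), $disabled, true)) {
            $findings[] = "disable_functions: $fn() is not disabled";
        }
    }

    $disabledClasses = ini_list((string) ini_get('disable_classes'));
    foreach ($policy['disable_classes'] as $cls) {
        if (!in_array(strtolower($cls), $disabledClasses, true)) {
            $findings[] = "disable_classes: $cls is not disabled";
        }
    }

    // open_basedir is a prefix match: "/home/www" also admits "/home/www-old",
    // so each entry should end with a separator, as the text's example does.
    $basedir = (string) ini_get('open_basedir');
    if ($basedir === '') {
        $findings[] = 'open_basedir: not set; file functions may reach any path';
    } else {
        foreach (explode(PATH_SEPARATOR, $basedir) as $dir) {
            if (!in_array(substr($dir, -1), ['/', '\\'], true)) {
                $findings[] = "open_basedir: '$dir' lacks a trailing separator";
            }
        }
    }

    // 0 means "no limit" for max_execution_time (the CLI SAPI defaults to 0,
    // so audit the web SAPI for a meaningful result); -1 means "no limit"
    // for memory_limit.
    $maxExec = (int) ini_get('max_execution_time');
    if ($maxExec === 0 || $maxExec > $policy['max_execution_time']) {
        $findings[] = "max_execution_time: $maxExec exceeds policy ({$policy['max_execution_time']}s)";
    }
    $mem = ini_bytes((string) ini_get('memory_limit'));
    if ($mem === -1 || $mem > ini_bytes($policy['memory_limit'])) {
        $findings[] = 'memory_limit: ' . ini_get('memory_limit') . " exceeds policy ({$policy['memory_limit']})";
    }

    return $findings;
}

// Assumed policy for illustration; tune it to your own environment.
$policy = [
    'disable_functions'  => ['exec', 'passthru', 'popen', 'shell_exec', 'system'],
    'disable_classes'    => ['administrator', 'janitor'],
    'max_execution_time' => 30,
    'memory_limit'       => '128M',
];

$findings = audit_hardening($policy);
printf("PHP %s (%s): %d finding(s)\n", PHP_VERSION, PHP_SAPI, count($findings));
foreach ($findings as $f) {
    echo "  - $f\n";
}
exit($findings === [] ? 0 : 1);
```

The script exits non-zero when any check fails, so it can be wired into a deployment pipeline as a gate; the trailing-separator check on open_basedir exists because PHP treats the directive as a path prefix rather than a directory name.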

CHAPTER 21 SECURE PHP PROGRAMMING Attempts

Saturday, December 29th, 2007

CHAPTER 21 SECURE PHP PROGRAMMING

Attempts to execute scripts via functions like popen(), system(), or exec() are only possible when the script resides in the directory specified by the safe_mode_exec_dir configuration directive. This directive is discussed later in this section.

HTTP authentication is further strengthened because the UID of the owner of the authentication script is prepended to the authentication realm. Furthermore, the PHP_AUTH variables are not set when safe mode is enabled.

If using the MySQL database server, the username used to connect to a MySQL server must be the same as the username of the owner of the file calling mysql_connect().

Safe Mode and Disabled Functions

The following is a complete list of functions, variables, and configuration directives that are affected when the safe_mode directive is enabled:

apache_request_headers()
backticks() and the backtick operator
chdir()
chgrp()
chmod()
chown()
copy()
dbase_open()
dbmopen()
dl()
exec()
filepro()
filepro_retrieve()
filepro_rowcount()
fopen()
header()
highlight_file()
ifx_*
ingres_*
link()
mail()
max_execution_time()
mkdir()
move_uploaded_file()
mysql_*
parse_ini_file()
passthru()
pg_lo_import()
popen()
posix_mkfifo()
putenv()
rename()
rmdir()
set_time_limit()
shell_exec()
show_source()
symlink()
system()
touch()
unlink()

safe_mode_gid (boolean)
Scope: PHP_INI_SYSTEM; Default value: 0

This directive changes safe mode's behavior from verifying UIDs before execution to verifying group IDs. For example, if Mary and John are in the same user group, Mary's scripts can call fopen() on John's files.

safe_mode_include_dir (string)
Scope: PHP_INI_SYSTEM; Default value: NULL

You can use safe_mode_include_dir to designate various paths in which safe mode will be ignored if it's enabled. For instance, you might use this directive to specify a directory containing various templates that might be incorporated into several user Web sites. You can specify multiple directories by separating each with a colon on Unix-based systems, and a semicolon on Windows.

516 CHAPTER 21 SECURE PHP PROGRAMMING Perhaps

Friday, December 28th, 2007

516 CHAPTER 21 SECURE PHP PROGRAMMING

Perhaps the best place to start is with a review of PHP's configuration parameters, because you can take advantage of them right from the very start, prior to doing anything else with the language.

Configuring PHP Securely

PHP offers a number of configuration parameters that are intended to greatly increase PHP's level of security awareness. This section introduces many of the most relevant options.

Note: Disabling the register_globals directive aids tremendously in the prevention of user-initiated attempts to trick the application into accepting otherwise dangerous data. However, because this matter was already discussed in detail in Chapter 3, the same information will not be repeated in this chapter.

Safe Mode

Safe mode is of particular interest to those running PHP in a shared-server environment. When safe mode is enabled, PHP always verifies that the executing script's owner matches the owner of the file that the script is attempting to open. This prevents the unintended execution, review, and modification of files not owned by the executing user, provided that the file privileges are also properly configured to prevent modification. Enabling safe mode also has other significant effects on PHP's behavior, in addition to diminishing, or even disabling, the capabilities of numerous standard PHP functions. These effects and the numerous safe mode related parameters that comprise this feature are discussed in this section.

safe_mode (boolean)
Scope: PHP_INI_SYSTEM; Default value: 0

Enabling the safe_mode directive places restrictions on several potentially dangerous language features when using PHP in a shared environment. You can enable safe_mode by setting it to the Boolean value of on, or disable it by setting it to off. Its restriction scheme is based on comparing the UID (user ID) of the executing script and the UID of the file that the script is attempting to access. If the UIDs are the same, the script can execute; otherwise, the script fails. Specifically, when safe mode is enabled, several restrictions come into effect:

Use of all input/output functions (fopen(), file(), and require(), for example) is restricted to only files that have the same owner as the script that is calling these functions. For example, assuming that safe mode is enabled, if a script owned by Mary calls fopen() and attempts to open a file owned by John, it will fail. However, if Mary owns both the script calling fopen() and the file called by fopen(), the attempt will be successful.

Attempts by a user to create a new file will be restricted to creating the file in a directory owned by the user.
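The ownership comparison just described can be written out explicitly, which is useful because safe mode itself was deprecated in PHP 5.3 and removed in PHP 5.4, so on current versions nothing performs this check for you. The following is an added example and is not code from the book: it reproduces the UID comparison (and the group comparison of safe_mode_gid, covered later in the chapter) as an ordinary function, including the rule that a file which does not exist yet is judged by the directory it would be created in. The function names, the $useGid flag and the temporary files are this example's own.

```php
<?php
// Added example (not from the book): an explicit re-creation of the ownership
// check that safe mode performed, so the behaviour described in the text can
// be applied in application code on PHP versions that no longer have safe mode.

// True when the running script may touch $target under safe-mode rules:
// same owner (or, with $useGid, same group) as the script file itself.
// getmyuid()/getmygid() return the owner/group of the running script, which
// is exactly what safe mode compared against. A file that does not exist yet
// is judged by its parent directory, mirroring the rule that new files may
// only be created in a directory the user owns.
function safe_mode_permits(string $target, bool $useGid = false): bool
{
    // Resolve symlinks so the comparison is made on the real inode.
    $path = file_exists($target) ? realpath($target) : realpath(dirname($target));
    if ($path === false) {
        return false;                                  // nothing to compare against
    }
    if ($useGid) {
        return filegroup($path) === getmygid();        // safe_mode_gid = On behaviour
    }
    return fileowner($path) === getmyuid();            // default UID comparison
}

// Guarded fopen(): refuses before touching the file instead of relying on a
// PHP warning afterwards; callers get an exception they can log and handle.
function guarded_fopen(string $target, string $mode, bool $useGid = false)
{
    if (!safe_mode_permits($target, $useGid)) {
        throw new RuntimeException("ownership check failed for $target");
    }
    return fopen($target, $mode);
}

// Demonstration with constructed files in a directory this script creates
// (and therefore owns). /etc/passwd is owned by root on Unix systems, so the
// check on it fails unless the script itself is run as root.
$dir = sys_get_temp_dir() . '/safemode_demo_' . getmypid();
mkdir($dir, 0700);
$own = $dir . '/mine.txt';
file_put_contents($own, "constructed sample\n");

var_dump(safe_mode_permits($own));                 // existing file we own
var_dump(safe_mode_permits($dir . '/new.txt'));    // new file in a directory we own
var_dump(safe_mode_permits('/etc/passwd'));        // file owned by another user
var_dump(safe_mode_permits($own, true));           // group comparison variant

try {
    $fh = guarded_fopen('/etc/passwd', 'r');
    fclose($fh);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}

unlink($own);
rmdir($dir);
```

Note that this only reproduces the ownership rule; the other safe-mode effects listed in the chapter (the exec directory restriction, the authentication realm change, the MySQL username rule) are separate and have to be enforced by the server configuration or the application.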

CHAPTER 21 Secure PHP Programming

Thursday, December 27th, 2007

CHAPTER 21 Secure PHP Programming

Any Web server can be thought of as a castle under constant attack by a sea of barbarians. And, as the history of both conventional and information warfare shows, often the attackers' victory isn't entirely dependent upon their degree of skill or cunning, but rather on an oversight by the defenders. As keepers of the electronic kingdom, you're faced with no shortage of potential ingresses from which havoc can be wrought, perhaps most notably:

User input: Exploiting disregarded user input is perhaps the easiest way to cause serious damage to an otherwise secure application infrastructure, an assertion backed up by the numerous reports of attacks launched on high-profile Web sites in this fashion. Deft manipulation of parameters emanating from Web forms, URL parameters, cookies, and other readily accessible routes enables attackers to exploit a multitude of routes to strike the very heart of your application logic.

Software vulnerabilities: Web applications are often constructed from numerous technologies, typically a database server, a Web server, and one or more programming languages, all of which run on one or more operating systems. Therefore, it's crucial to constantly keep abreast of exposed vulnerabilities and take the steps necessary to patch the problem before someone takes advantage of it.

The inside job: Shared host servers, such as those often found in ISPs and educational hosting environments, are always susceptible to damage, intentional or otherwise, by a fellow user's actions.

Because each scenario poses significant risk to the integrity of your application, all must be thoroughly investigated and handled accordingly. In this chapter, we'll review many of the steps you can take to hedge against and even eliminate these dangers. Specifically, you'll learn about:

Securely configuring PHP via its configuration parameters
The safe mode security option
The importance of validating user data
Protecting sensitive data through common sense and proper server configuration
PHP's encryption capabilities

514 CHAPTER 20 WEB SERVICES Compile this

Tuesday, December 25th, 2007

514 CHAPTER 20 WEB SERVICES

Compile this client, like so:

    csc boxing.cs /r:boxing.dll

What results is a file named boxing.exe. This is the executable C# client. Finally, test your program by executing it, like so:

    C:\vsproj\book\20\boxing.exe

Pending no unforeseen issues, you should see output similar to that shown in Figure 20-5.

Summary

The promise of Web Services and other XML-based technologies has generated an incredible amount of work in this area, with progress regarding specifications, and the announcement of new products and projects happening all of the time. No doubt such efforts will continue, given the incredible potential that this concentration of technologies has to offer. In the next chapter, you'll turn your attention to the security-minded strategies that developers should always keep at the forefront of their development processes.

CHAPTER 20 WEB SERVICES Once the packages

Monday, December 24th, 2007

CHAPTER 20 WEB SERVICES

Once the packages are installed, it's time to begin. For starters, you need to generate a C# proxy for the Web Service. You can do this by using the Web Services Description Language tool (wsdl.exe), included within the SDK. Reference the WSDL-enabled boxing server script shown in Listing 20-8:

    wsdl /l:CS /protocol:SOAP http://localhost/book/20/boxing.php?wsdl

The result is a file named boxing.cs. Feel free to open it up and examine the file's contents; just be sure not to change anything. Next, you'll compile this proxy as a DLL library. This is necessary because the DLL will be referenced by the C# application so that the Web Service's methods can be called. You compile a DLL like you would any other C# program, using the C# compiler tool (csc.exe):

    csc /t:library /r:System.Web.Services.dll /r:System.Xml.dll boxing.cs

The /r flags tell the compiler to reference these libraries during the compilation process. The result is a file named boxing.dll. In turn, you'll reference this DLL when you compile the C# SOAP client, discussed next.

Note: Generating and compiling the proxy via the command line is indeed a tedious process. Bear in mind that the process is automated within Visual Studio .NET, greatly reducing development overhead.

Finally, create the C# application. Although you could conceivably create a full-blown GUI application using a text editor, to stay on track, we'll forego doing so here. Instead, create a simple console application, as shown in Listing 20-13.

Listing 20-13. The C# SOAP Client

    using System;
    using System.Web.Services;
    using System.Web.Services.Protocols;
    using System.Xml.Serialization;

    namespace ConsoleApplication
    {
        class boxing
        {
            [STAThread]
            static void Main(string[] args)
            {
                // BoxingService is the proxy class generated by wsdl.exe
                BoxingService bx = new BoxingService();
                Console.WriteLine(bx.getRandQuote());
            }
        }
    }

512 CHAPTER 20 WEB SERVICES Executing the

Sunday, December 23rd, 2007

512 CHAPTER 20 WEB SERVICES

    getQuote("Ali"); ?>

Executing the client produces the following output:

    I am the greatest. (1962)

Using a C# Client with a PHP Web Service

Although Linux is in widespread use as a server platform, it's apparent that the Microsoft Windows operating system will continue to dominate the desktop for some time to come. That said, quite a bit of interest has been generated regarding using Web Services as the tool of choice to enable Windows-based desktop applications to seamlessly integrate with Linux-based server applications. This section offers a brief yet effective example that demonstrates just how easy it is to do this. Specifically, we'll create a simple console-based C# application that talks to the PHP-based boxing Web Service built using the NuSOAP extension (refer to Listing 20-8). Although it's simplistic, this example should provide you with enough information to get the ball rolling on more complex applications.

In this final example, a C# application and our PHP Web Service will be coerced into playing nice with each other. This example is particularly compelling because it demonstrates just how easy it is to integrate a Windows desktop application and an open-source server. Because not everybody has a copy of Visual Studio .NET at their disposal, this example uses the freely downloadable .NET Framework SDK, which contains all the tools you need to successfully carry out this experiment. If you're running Visual Studio .NET, the general process is the same, although considerably more streamlined.

For demonstration purposes, we'll use the PHP-based boxing Web Service discussed throughout this chapter. The finished C# client simply invokes the getRandQuote() function, outputting a random quotation to a console window. Example output is provided in Figure 20-5.

Figure 20-5. Retrieving a random quote via a C# client

If you don't already have it installed, you need to download and install the .NET Framework SDK to follow along with the example. Because the URL is quite long, execute a search on the Microsoft site (http://search.microsoft.com/) for the package. In addition, you need to download the .NET Framework Redistributable Package, which is also readily available from the Microsoft Web site. If you're unfortunate enough to be using a dial-up connection, consider ordering both on CD, because the SDK weighs in at over 100MB, while the redistributable package tops out at over 24MB.

CHAPTER 20 WEB SERVICES SOAP_PERSISTENCE_REQUEST: This

Sunday, December 23rd, 2007

CHAPTER 20 WEB SERVICES

SOAP_PERSISTENCE_REQUEST: This mode specifies that PHP's session-handling feature should be used to persist the object.

SOAP_PERSISTENCE_SESSION: This mode specifies that the object is destroyed at the end of the request.

SOAP Client and Server Interaction

Now that you're familiar with the basic premises of using this extension to create both SOAP clients and servers, this section presents an example that simultaneously demonstrates both concepts. This SOAP service retrieves a famous quote from a particular boxer, and that boxer's last name is requested using the exposed getQuote() method. It's based on the boxing.wsdl file shown in Listing 20-12. Let's start with the server.

Boxing Server

The boxing server is simple but practical. Extending this to connect to a database server would be a trivial affair. Let's consider the code:

    setClass("boxingQuotes");
    $soapserver->handle();
    ?>

The client, introduced next, will consume this service.

Boxing Client

The boxing client consists of just two lines, the first instantiating the WSDL-enabled SoapClient() class, and the second executing the exposed method getQuote(), passing in the parameter "Ali":

510 CHAPTER 20 WEB SERVICES $soapserver->handle(); setClass()

Saturday, December 22nd, 2007

510 CHAPTER 20 WEB SERVICES

    $soapserver->handle();

setClass()

    void SoapServer->setClass (string class_name [, mixed args])

Although the addfunction() method works fine for adding functions, what if you want to add class methods? This task is accomplished with the setClass() method, with the class_name parameter specifying the name of the class, and the optional args parameter specifying any arguments that will be passed to a class constructor. Let's create a class for the boxing quote service, and export its methods using setClass():

    setClass("boxingQuotes");
    $soapserver->handle();
    ?>

The decision to use setClass() instead of addFunction() is irrelevant to any requesting clients.

setPersistence()

    void SoapServer->setPersistence (int mode)

One really cool feature of the SOAP extension is the ability to persist objects across a session. This is accomplished with the setPersistence() method. This method only works in conjunction with setClass(). Two modes are accepted:
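The setClass()/setPersistence() server shown here and the boxing client/server interaction in the post above it can be exercised end to end with a single file. The following is an added example, not the book's listing: it runs the boxingQuotes service in non-WSDL (RPC) mode so no boxing.wsdl is needed, acts as the server when loaded through a web SAPI and as the client when run from the CLI, and returns a SOAP fault for an unknown boxer instead of an empty string. The class body, the namespace URI, the host and port, and the second quote are this example's own; the "Ali" quote is the output the text shows. For the persistence modes, the PHP manual defines SOAP_PERSISTENCE_SESSION as keeping the object in the PHP session across requests and SOAP_PERSISTENCE_REQUEST as discarding it after each request. It requires ext/soap.

```php
<?php
// Added example (not from the book): boxing quote service and client in one
// file, non-WSDL mode.
//   Serve it:  php -S 127.0.0.1:8080 boxing.php
//   Query it:  php boxing.php          (CLI runs the client branch below)
// Host, port and namespace URI are assumptions for this example.

const BOXING_URL = 'http://127.0.0.1:8080/boxing.php';
const BOXING_NS  = 'urn:boxing';     // namespace used for RPC-style calls

class boxingQuotes
{
    // Constructed sample data; the "Ali" entry matches the output in the text.
    private $quotes = [
        'ali'      => 'I am the greatest. (1962)',
        'example'  => 'Constructed placeholder quote for testing. (2007)',
    ];

    // Exposed method: look up a quote by the boxer's last name.
    public function getQuote(string $boxer): string
    {
        $key = strtolower(trim($boxer));
        if (!isset($this->quotes[$key])) {
            // Thrown inside handle(), a SoapFault is serialised as a SOAP
            // <Fault> element; the client receives it as a SoapFault exception.
            throw new SoapFault('Client', "No quote on file for '$boxer'");
        }
        return $this->quotes[$key];
    }

    // Second exposed method, the one the C# client in the chapter calls.
    public function getRandQuote(): string
    {
        return $this->quotes[array_rand($this->quotes)];
    }
}

if (PHP_SAPI === 'cli') {
    // ---- client branch: only reached when run as `php boxing.php` ----------
    // In non-WSDL mode the endpoint and namespace must be given explicitly.
    $client = new SoapClient(null, [
        'location'   => BOXING_URL,
        'uri'        => BOXING_NS,
        'trace'      => true,        // keeps the last request/response for inspection
        'exceptions' => true,        // faults arrive as SoapFault exceptions
    ]);
    try {
        echo $client->getQuote('Ali'), PHP_EOL;
        echo $client->getRandQuote(), PHP_EOL;
        echo $client->getQuote('Nobody'), PHP_EOL;   // provokes a fault
    } catch (SoapFault $f) {
        echo 'SOAP fault: ', $f->faultstring, PHP_EOL;
    }
} else {
    // ---- server branch: reached under php -S or any web SAPI --------------
    $soapserver = new SoapServer(null, ['uri' => BOXING_NS]);
    $soapserver->setClass('boxingQuotes');
    // Per the PHP manual: SOAP_PERSISTENCE_REQUEST discards the object after
    // each request; SOAP_PERSISTENCE_SESSION stores it in the PHP session
    // (call session_start() before handle() if you choose that mode).
    $soapserver->setPersistence(SOAP_PERSISTENCE_REQUEST);
    $soapserver->handle();
}
```

The built-in server reports PHP_SAPI as "cli-server", so the same file can be both endpoint and client; for the WSDL-mode version described in the text, replace the null first arguments with the path or URL of boxing.wsdl and drop the location/uri options, which the WSDL then supplies.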