Categories
News PHP

Serious shortcomings with PHP5 get_headers() function

I was writing some code to find out if a file exists on a server and if it does, have it return the size in bytes.  I found a useful function built into PHP 5, get_headers().  For getting file sizes, it works flawlessly.  For situations where the file does not exist on the server, the behavior of this function was less than desirable.

Be forewarned: none of the user-contributed get_headers() functions on the get_headers() documentation page on PHP.net replicate the behavior of PHP 5's get_headers() for URLs that send a 'Location:' redirect header or return File Not Found headers.

According to RFC 1945, a user agent should never automatically redirect a request more than 5 times, since such redirections usually indicate an infinite loop.  For true compatibility, a replacement function should be able to handle up to 5 Location redirects within one function call.  Only the native get_headers() function exhibits this behavior.  None of the user-contributed functions on PHP.net handle the 'Location' redirection.

The native PHP >= 5 get_headers() function will not return headers in some instances where the user-contributed functions would.  For example, if the server returns a 404 status, get_headers() will throw a PHP warning.  Unfortunately, the 404 error can only be known by looking at the headers.  At first glance, all of the user-contributed functions will return 404 headers, which may be a desired effect but does not replicate the behavior of the native get_headers() function.

The function I created is included below.  It works well if the file exists.  Unfortunately, for the project I am using the code for, I also need to verify whether the file exists on the server, so I will not be able to use this function.

<CODE>
// Return the size in bytes of a remote file, or false if it cannot be determined.
function remotefsize($url) {
    // Only http and https URLs are accepted; any other stream wrapper is refused.
    $sch = parse_url($url, PHP_URL_SCHEME);
    if (($sch != "http") && ($sch != "https")) {
        return false;
    }
    // get_headers() follows Location redirects itself; with the second argument
    // set it returns an associative array keyed by header name.
    // Note: on a 404 it emits a PHP warning, as described above.
    $headers = array_change_key_case(get_headers($url, 1), CASE_LOWER);
    if (!array_key_exists("content-length", $headers)) {
        return false;
    }
    // After a redirect chain the header is an array with one value per hop;
    // the last entry belongs to the final response.
    if (is_array($headers["content-length"])) {
        return array_pop($headers["content-length"]);
    }
    return $headers["content-length"];
}
</CODE>
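As an added example (not the post's own function), here is a variant that treats a 404, or any other non-2xx final status, as "file absent" and returns false without leaving a PHP warning behind; it assumes PHP 5 with the http stream wrapper enabled, and the function names are chosen here:

```php
<?php
// Added example, not the post's own function: a variant of remotefsize() that
// treats a 404 (or any other non-2xx final status) as "file absent" and returns
// false without leaving a PHP warning behind. Assumes PHP 5 with the http
// stream wrapper enabled; remote_file_size_checked() is a name chosen here.
function swallow_get_headers_warning($errno, $errstr) {
    return true;   // warning handled; do not pass it to the default handler
}
function remote_file_size_checked($url) {
    // Only http/https may reach get_headers(); other wrappers (file://, ftp://)
    // must be refused when $url comes from user input.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if ($scheme !== 'http' && $scheme !== 'https') {
        return false;
    }
    set_error_handler('swallow_get_headers_warning');
    $headers = get_headers($url, 1);
    restore_error_handler();
    if ($headers === false) {
        return false;
    }
    $headers = array_change_key_case($headers, CASE_LOWER);
    // Integer keys hold the status lines, one per hop when Location
    // redirects were followed; the highest key is the final response.
    $status = null;
    foreach ($headers as $key => $value) {
        if (is_int($key)) {
            $status = $value;
        }
    }
    if ($status === null || !preg_match('#^HTTP/\S+\s+(\d{3})#', $status, $m)) {
        return false;
    }
    $code = (int) $m[1];
    if ($code < 200 || $code >= 300) {
        return false;   // 404, 403, 5xx and so on: report the file as unavailable
    }
    if (!isset($headers['content-length'])) {
        return false;
    }
    $length = $headers['content-length'];
    if (is_array($length)) {   // one value per hop after redirects; keep the last
        $length = end($length);
    }
    return ctype_digit((string) $length) ? (int) $length : false;
}
```

Because the status line of the final hop is checked before Content-Length is read, a missing file yields false instead of a warning plus a size taken from an error page.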

Categories
Apache PHP Subversion

Quick .htaccess to list files in directory on apache web server

If your web server supports .htaccess files and you can specify "Options" from within your .htaccess file, then the following is a quick one-line solution to your file listing needs.

So you just uploaded a ton of pictures to a web directory and you want a list of all the images.  Since the only type of file in the directory is images, the security risk of displaying the list diminishes.  In practice, the list of images can be quite useful, especially when trying to find a specific one.

The answer: create a one-line .htaccess file containing the following: Options Indexes

If you don't have control over your Apache configuration files and this option is not available to you, don't fret.  Chris Snyder created an excellent PHP script that allows you to list the contents of a web directory.

Link: http://chxo.com/scripts/image-list.php

This script is very useful, I’ve customized it for my subversion repository in order to display a list of repositories in the root of the subversion web server.
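An added example (not Chris Snyder's script) of the same idea in PHP, written so that the listing stays limited to images: the directory is fixed in code rather than taken from the request, and only whitelisted extensions are shown; the paths /var/www/html/pictures and /pictures/ are assumptions for this example.

```php
<?php
// Added example, not Chris Snyder's script: a minimal lister for a directory
// that holds only images. The directory is fixed in code (no user input picks
// the path) and only whitelisted extensions are shown, so dotfiles, scripts and
// subdirectories never appear. The paths /var/www/html/pictures and /pictures/
// are assumptions for this example.
function list_images($dir) {
    $allowed = array('jpg', 'jpeg', 'png', 'gif');
    $names = array();
    foreach (scandir($dir) as $name) {
        if ($name[0] === '.') {               // skips ".", ".." and .htaccess
            continue;
        }
        if (!is_file($dir . '/' . $name)) {   // no subdirectories
            continue;
        }
        $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
        if (in_array($ext, $allowed, true)) {
            $names[] = $name;
        }
    }
    sort($names);
    return $names;
}

$web_prefix = '/pictures/';
foreach (list_images('/var/www/html/pictures') as $name) {
    // File names are untrusted input: encode once for the URL, once for HTML.
    $href  = $web_prefix . rawurlencode($name);
    $label = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    echo '<a href="' . $href . '">' . $label . "</a><br />\n";
}
```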

Categories
PHP

E-mail Injection

E-mail injection occurs when an attacker submits form fields that contain unexpected extra lines of text in the From and/or Subject fields of your form.

For instance, many web sites add a contact us page to their web site to allow a web visitor an opportunity to send comments and suggestions. Usually these forms ask the user for a subject and an E-mail address. The risk of injection occurs when these fields are placed into the headers of the E-mail sent from the script to the E-mail address assigned to the contact submission.

The injection works when the attacker adds extra lines to the field before sending it to your script. If your script does not check the E-mail address entered, then the injected lines will find their way into the PHP mail() function. Then the rest is history.

The PHP mail() function accepts multiple lines in the To field and may treat them as additional header lines of the E-mail message.

Click here http://securephp.damonkohler.com/index.php/Email_Injection for some more detailed examples of E-mail injections.

You can prevent E-mail injections in a number of ways. The easiest is to only place data that is submitted by the user in the message body of the E-mail. If you want your script to automatically generate a response message to the user, then you will need to verify the E-mail address entered is valid and does not contain additional lines of information.

Click here http://www.bl0g.co.uk/?d=060214 for an alternative method for protecting your script from E-mail injections.
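An added example, not taken from this post or the pages it links, showing the header-building pattern the post warns about beside the two defences it suggests; the input values at the bottom are constructed, and mail() is only reached through the send_* functions, which the file does not call.

```php
<?php
// Added example, not from the post or the pages it links: the header-building
// pattern the post warns about, beside the two defences it suggests. The input
// values at the bottom are constructed; mail() is only reached through the
// send_* functions, which this file does not call.

// Vulnerable: user-supplied text is concatenated straight into the headers, so a
// value containing "\r\n" starts a new header line of the sender's choosing.
function build_headers_vulnerable($from) {
    return "From: $from\r\nReply-To: $from\r\n";
}

// True only when the value cannot start a new header line.
function is_single_line($value) {
    return strpos($value, "\r") === false && strpos($value, "\n") === false;
}

// Defence 1 (the post's "easiest" option): keep user data out of the headers.
// The visitor's address is reported in the body; From is a fixed site address.
function send_contact_body_only($to, $site_from, $user_email, $message) {
    $body = "Reply address given by visitor: $user_email\r\n\r\n$message";
    return mail($to, "Contact form submission", $body, "From: $site_from\r\n");
}

// Defence 2: if the address must go into a header (automatic reply), require a
// single line that is also a syntactically valid address.
function validate_user_email($value) {
    if (!is_single_line($value)) {
        return false;
    }
    return filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
}

function send_auto_reply($user_email, $site_from) {
    if (!validate_user_email($user_email)) {
        return false;   // refuse the submission rather than try to clean it up
    }
    return mail($user_email, "Thanks for your message", "We will be in touch.",
                "From: $site_from\r\n");
}

// Constructed inputs: a normal address and one carrying an injected header line.
$clean    = "visitor@example.com";
$injected = "visitor@example.com\r\nBcc: someone-else@example.net";
var_dump(validate_user_email($clean));
var_dump(validate_user_email($injected));
// The vulnerable builder passes the injected line through unchanged:
var_dump(build_headers_vulnerable($injected));
```

validate_user_email() accepts $clean and rejects $injected, while build_headers_vulnerable() hands mail() a header block in which the extra Bcc line is a header of its own.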

Categories
PHP

Creating PDF reports with PHP

If you have found yourself developing a web site that requires printable reports, then you will love this blog entry.

A year ago I created a PDF reporting system that used the HTMLtoPDF library. This is a great HTML-to-PDF converter. It uses Ghostscript and a few other nifty Perl scripts to generate the PDFs. The only drawback to this package is that it requires a few things to be installed on your server.

Today I came across a new HTMLtoPDF PHP library on SourceForge. This may be another alternative if you are in need of a report writing library but cannot install or modify the software required by the RustyParts HTMLtoPDF PHP library.