NFSN PHP file write permissions in safe_mode

I've been causing some (security) concerns for myself by thoughtlessly using the dreaded 777 permissions for upload directories to allow the various PHP-based websites that I host at to write files there. What this drastic anti-security measure didn't allow me to do is manage these uploaded files through SSH (and SCP/Rsync). In the chroot jail which I'm allowed to enter through SSH, I am ‘me’, while the files created from PHP end up being owned by user ‘web’. However, for some reason these files didn't get owned by group ‘web’, of which the ‘me’ user is a member. Also, I got into trouble with new directories that were being created by the upload scripts.

How to test

I haven't got much experience when it comes to testing web applications. Instead (and more so out of apathy than belief), I've always adhered to the ad-hoc test approach. However, the usage of pure Postgres unit tests back when I worked on a complicated investment database with Halfgaar did teach me the advantages of test-driven development.

Executing system commands from PHP with a SUID executable

If you want to execute system commands from something like PHP, you need a SUID executable which you can call from your PHP scripts. This is such a script. It could be extended to support parameters for the commands you want to execute, but that would be an enormous security risk, because then anybody could execute any command. If you need something as flexible as that, you need to think about adding some kind of security restriction, like a list of allowed commands.

Taking control of the wpautop filter

WordPress does automatic paragraph formatting using the wpautop filter, some PHP code originally developed by Matt Mullenweg. For most of the time that this blog has existed, I've disabled the wpautop filter using the following two lines in my theme's functions.php file:

PHP include exploits

A year ago, my web host thoroughly explained how PHP include vulnerabilities can be exploited, hoping that better user education would leave fewer member sites vulnerable to automated attacks by spammer scum.


Ytec, WordPress and

On October the 25th, in what will be known to future generations as a historical move, Wiebe changed the A record of to point to the new production site running at Ytec. The new site, a collaboration by Ytec and me, based on WordPress, has been in development since May. At least, that's when I started taking notes. There had been some discussion, wire-framing and design done before that time.

MediaWiki thumb.php and rewrite rules

In May last year, I created an empty draft for this post, because, around that time, I had gone through quite some effort before I got thumbnails for foreign file repos working just right. Now, I'm taking a dive into my MediaWiki working dirs in preparation for creating a separate development environment, so it's a good moment to rehash the past experience (almost as good as if I'd done it right away).

Stichting EcoSafe is a Dutch foundation for the safe-keeping of the funds that are necessary for the maintenance of hardwood plantations. In July of 2006, together with Johan Ockels, I created a website for the Foundation. Johan was responsible for the organization of the whole process. This went very smoothly and the website ended up being an emblem of simplicity and clarity. That's why I wanted to blog a bit about it now, even though there are a few things that I'd probably end up doing differently if I were to start from scratch. [There's actually a disturbing number of things for which this is true, I'm coming to notice.]

PHP fgetcsv() behavior on empty lines

The PHP documentation for fgetcsv() states that “A blank line in a CSV file will be returned as an array comprising a single null field, and will not be treated as an error.” Here's a quick demonstration of this behavior.

Enforcing Drupal URL aliases

I hate modules, especially core modules. I prefer code to be tightly integrated. I want it to work together. Is that too much to ask? In Drupal, most functionality has been stuffed in modules. There's a Locale module, a Content Translation module and a Path module. What's missing is a Working Together module.