CartMetrix - Do you know yours?

8/23/2007

PHP gethostbyname() and DNS

For PHP’s gethostbyname() to work properly, the server’s resolver must be configured with reachable nameservers in /etc/resolv.conf (on Linux boxes). Without a working name resolution setup, gethostbyname() does not return false or throw; it returns the hostname supplied to the function, unchanged. Code that assumes the return value is always an IP address will therefore carry on silently with a hostname string, so the result must be checked.

Make sure /etc/resolv.conf contains several nameservers to query. The format is

nameserver xxx.xxx.xxx.xxx
nameserver yyy.yyy.yyy.yyy

Where xxx.xxx.xxx.xxx and yyy.yyy.yyy.yyy are the IP addresses of nameservers the host has permission to use.

OpenDNS is a free DNS service that allows public access to their nameservers at:

208.67.222.222
208.67.220.220

To use in /etc/resolv.conf use:

nameserver 208.67.222.222
nameserver 208.67.220.220

Using OpenDNS’s nameservers may even speed up your server’s lookups; their stated goal is to run some of the fastest free public resolvers on the internet. Two things to weigh before pointing a server at any third-party resolver: every name your server looks up becomes visible to that party, and a resolver that answers nonexistent names with a synthetic address (OpenDNS’s free service did this at the time to redirect typos to a search page) makes gethostbyname() return a valid-looking IP for a name that does not exist, so an application can no longer detect a failed lookup by checking for an unchanged result.
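Because gethostbyname() signals failure only by handing the input back, callers have to compare. The following is an added example, not code from the post: a small resolver wrapper that turns that convention into a null result, treats IP literals correctly (they also come back unchanged, which is not a failure), and shows gethostbynamel() as the easier-to-test alternative. The hostnames at the bottom are illustrative; the .invalid TLD is reserved and never resolves.

```php
<?php
// Added example, not code from the post: treat gethostbyname()'s failure
// value correctly. PHP does not return false or throw when a lookup fails;
// it hands back the hostname you passed in, so the only signal is that the
// result is not an IP address.
declare(strict_types=1);

// Resolve $host to an IPv4 address, or return null when resolution failed.
function resolve_host(string $host): ?string
{
    // An IP literal "resolves" to itself, which would look like a failure
    // below, so short-circuit it here.
    if (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        return $host;
    }
    $ip = gethostbyname($host);
    // Unchanged input, or anything that is not an IPv4 literal, means the
    // resolver gave us nothing (no nameserver reachable, NXDOMAIN, typo).
    if ($ip === $host || filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null;
    }
    return $ip;
}

// gethostbynamel() is the easier API to test against: it returns false on
// failure and an array of all A records on success.
function resolve_all(string $host): array
{
    $ips = gethostbynamel($host);
    return $ips === false ? [] : $ips;
}

// localhost comes from /etc/hosts and resolves even with an empty
// resolv.conf; the .invalid name should come back unresolved.
foreach (['localhost', 'www.example.com', 'no-such-host.invalid', '192.0.2.10'] as $h) {
    $ip = resolve_host($h);
    printf("%-22s %s\n", $h, $ip ?? 'UNRESOLVED: check /etc/resolv.conf');
    printf("%-22s all A records: %s\n", '', implode(', ', resolve_all($h)) ?: '(none)');
}
```

Run it from the command line on the server in question: if www.example.com comes back UNRESOLVED while localhost resolves, the host file works but the nameservers in /etc/resolv.conf do not.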


8/6/2007

Easily View PHP Errors on Yahoo Business Hosting

I don’t often use Yahoo Business Hosting, but every once in a while I have a client who is already hosting their site there. As with all large monolithic hosting companies, there are caveats to using their systems… PHP especially.

Yahoo Hosting does not support .htaccess files and does not allow PHP error messages to be displayed directly in pages. Both restrictions are reasonable for the obvious security reasons. Yahoo does allow PHP errors to be logged if you follow their directions to enable it.

Once you enable the scripts log, lock down the directory so a password is required to access it. It doesn’t make sense to leave the logs in a live web directory: anyone who knows or guesses the URL can read the script log in their browser, and PHP error messages expose file paths and code details. Yahoo Hosting should make a bigger point of emphasizing securing this directory when it shows how to enable the scripts log.

Unfortunately, without console access there is no easy way to follow the log as one normally would with tail. Loading the log directly in a browser can return a very long page with the most important information (i.e., the last error encountered) at the very bottom. I created a simple script called phperrors.php to make following the log easier. It refreshes automatically every 30 seconds and displays only the last lines of the log, newest first. The refresh time is configurable and can be disabled, the number of lines listed may be set in the refresh form, and the script is completely self-contained in a single file.

Installation / Usage

  1. Enable scripts.log as directed above from Yahoo’s support.
  2. Upload this file to the root of your hosting account.
  3. For security, rename this file to a long (at least 6 characters) random name
    that only you know. Something like:

    zx89adsf8-phperrors.php

    Don’t use my example name. That kind of defeats the purpose. I have included code to generate a random filename to use for renaming the file.

  4. Load the page in your browser.
  5. Bookmark the URL so you can find it again.
  6. Refresh browser as needed or select automatic refresh and hit Go.
  7. To stop automatic refresh uncheck refresh box and hit Go.
  8. To adjust the refresh rate adjust the $refresh_seconds variable below.
  9. If you find this script useful, buy me a beer by dropping a couple of bucks in my tip jar.

I realize renaming the file may be a moot point, given that Yahoo allows anyone direct access to the scripts log, but perpetuating poor security is never acceptable in my book. Perhaps some day soon Yahoo will better emphasize how to protect this directory from everyone but the account owner.

Download: phperrors.php
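For readers who cannot fetch the download, here is an added example written to the behaviour the post describes; it is not the author’s phperrors.php. It shows the last N lines of the log newest first, reads the file from the end so a large log is not loaded whole, offers the timed-refresh form, and includes the random-filename helper from step 3. Two things the post’s description does not mention are added because a log viewer needs them: a password gate (the random name hides the URL, it does not authenticate anyone), and HTML-escaping of every log line, since an error message can embed attacker-chosen request data. The log path, the password, and the use of HTTP basic auth via PHP_AUTH_PW are assumptions; PHP_AUTH_PW is populated when PHP runs as an Apache module and may be absent under CGI, in which case this script refuses everyone rather than opening up.

```php
<?php
// Added example, not the phperrors.php the post links to. LOG_FILE and
// VIEW_PASSWORD are assumptions; change both before uploading.
declare(strict_types=1);

const LOG_FILE        = __DIR__ . '/logs/scripts.log';   // assumed path
const VIEW_PASSWORD   = 'change-me-before-upload';       // assumed secret
const REFRESH_SECONDS = 30;                               // post's default
const MAX_LINES       = 500;

// Step 3 of the post: an unguessable filename for this script (16 hex chars).
function random_script_name(int $bytes = 8): string
{
    return bin2hex(random_bytes($bytes)) . '-phperrors.php';
}

// Last $n lines of $file, newest first, read backwards in 4 KiB chunks.
function tail_lines(string $file, int $n): array
{
    $size = @filesize($file);
    $fp   = $size === false ? false : @fopen($file, 'rb');
    if ($fp === false) {
        return ["(cannot read $file)"];
    }
    $buf = '';
    $pos = $size;
    // Keep reading until the buffer holds more than $n newlines or the
    // whole file is in memory.
    while ($pos > 0 && substr_count($buf, "\n") <= $n) {
        $read = min(4096, $pos);
        $pos -= $read;
        fseek($fp, $pos);
        $buf = fread($fp, $read) . $buf;
    }
    fclose($fp);
    if ($buf === '') {
        return [];
    }
    $lines = explode("\n", rtrim($buf, "\n"));
    if ($pos > 0) {
        array_shift($lines);   // first fragment starts mid-line; drop it
    }
    return array_reverse(array_slice($lines, -$n));
}

// Gate: the log holds file paths and stack traces, so a random filename
// alone is not enough. Fails closed if PHP_AUTH_PW is not populated.
if (!isset($_SERVER['PHP_AUTH_PW'])
    || !hash_equals(VIEW_PASSWORD, (string) $_SERVER['PHP_AUTH_PW'])) {
    header('WWW-Authenticate: Basic realm="PHP error log"');
    http_response_code(401);
    exit('Authentication required');
}

$n       = max(1, min(MAX_LINES, (int) ($_GET['n'] ?? 25)));
$refresh = !empty($_GET['refresh']);
header('Content-Type: text/html; charset=utf-8');
header('X-Content-Type-Options: nosniff');
header('Cache-Control: no-store');
if ($refresh) {
    header('Refresh: ' . REFRESH_SECONDS);
}
?>
<!DOCTYPE html>
<html><head><title>PHP errors</title></head><body>
<form method="get">
  Lines: <input name="n" size="4" value="<?= $n ?>">
  <label><input type="checkbox" name="refresh" value="1"<?= $refresh ? ' checked' : '' ?>>
    refresh every <?= REFRESH_SECONDS ?>s</label>
  <button type="submit">Go</button>
</form>
<pre><?php
// Escape every line: an error message can contain attacker-supplied input
// (the request path, a bad parameter), which would otherwise render as markup.
foreach (tail_lines(LOG_FILE, $n) as $line) {
    echo htmlspecialchars($line, ENT_QUOTES, 'UTF-8'), "\n";
}
?></pre>
<p>Suggested name for this file: <?= random_script_name() ?></p>
</body></html>
```

Upload it under the name the footer suggests, then bookmark that URL as in step 5. Because the password is compared with hash_equals() it is checked in constant time, and the Cache-Control header keeps a shared proxy or the browser cache from retaining a copy of the log page.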


7/18/2007

PHP Stopwatch Class to Time and Log Script Execution

Timing code execution is an often overlooked debugging tool. On a current large project we are doing a lot of work interfacing with multiple SOAP implementations on multiple servers and through multiple vendors. When script execution slowed down considerably (or stopped responding altogether) we needed to know which SOAP calls were causing the slowdown.

Using code and ideas from php.net/microtime I devised this PHP class to handle the timing tasks.

class StopWatch
{
   private $round   = 3;          // decimal places in logged durations
   public  $logfile = 'time.log'; // relative to the working directory; point it outside the web root
   private $start;                // microtime() string captured at construction
   private $fp;                   // handle to the open log file, or false

   function __construct($logfile = '')
   {
      $this->start = microtime();
      if ($logfile != '')   $this->logfile = $logfile;
      $this->fp = fopen($this->logfile, 'a+');
      if ($this->fp === false) {
         trigger_error("StopWatch: cannot open {$this->logfile} for appending", E_USER_WARNING);
      }
   }

   function __destruct()
   {
      if ($this->fp) fclose($this->fp);
   }

   // Seconds elapsed since construction, rounded to $round places.
   function now()
   {
      $start   = $this->math($this->start);
      $now    = $this->math();
      return round($now - $start, $this->round);
   }

   // Convert a microtime() string ("msec sec") to a float number of seconds.
   function math($time = false)
   {
      if ( !$time ) $time = microtime();
      $temp = explode(' ', $time);
      return $temp[0] + $temp[1];
   }

   // Append one line of the form "<date> <loc>: <seconds>s".
   function write_log($loc, $data) 
   {   
      if (!$this->fp) return false;
      return fwrite($this->fp, date("Y-m-d H:i:s").' '.$loc.': '.$data."s \n");     
   }
   
}

Download class.StopWatch.php

Usage

Include the class in your application and create a new instance at the very top of the code. Pass a log path that is outside the document root; the default time.log lands in the working directory, which on a web server is usually the script’s own, web-readable directory.

$sw = new StopWatch();
$time1 = $sw->now();

... snip more code ...

$time2 = $sw->now();
$sw->write_log('CODE-LOCATION', $time2-$time1);

Substitute CODE-LOCATION with the function name or other identifier being timed.

In this case, the stopwatch class logged this data...

2007-07-18 05:00:07 GetVendor: 1.311s
2007-07-18 05:01:10 GetLocationByZip: 62.439s
2007-07-18 12:19:18 GeneratePin: 12.232s
2007-07-18 12:19:24 GetVendor: 5.377s
2007-07-18 12:20:31 GetLocationByZip: 66.779s

It is now trivial to see which SOAP call is the culprit (GetLocationByZip) and which vendor to contact.


6/29/2007

Coding on a Live Site

I have written several times about debugging a live site and posted snippets for working on the themes of a live Wordpress install. One trick I haven’t mentioned is using the PHP error log.

PHP on any production site should be configured not to display errors. All too often I see random sites where PHP has been configured to show errors (sometimes the error text even turns up in Google results). A displayed error gives away too much about your application and server: absolute file paths, function names and line numbers, and sometimes a fragment of a query or the PHP version.

On the servers and applications I work on all of the time, I configure PHP to log errors to /var/log/php_errors. Simply tailing this file through a console will quickly show any errors caused by the edits.

To enable logging, check these two directives in your php.ini:

; Log errors into a log file (server-specific log, stderr, or error_log (below))
; As stated above, you’re strongly advised to use error logging in place of
; error displaying on production web sites.
log_errors = On
; Log errors to specified file.
;error_log = filename
error_log = /var/log/php_errors

To tail the log file from an SSH console:

tail -f /var/log/php_errors
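The excerpt above only turns logging on; the directive that actually stops errors reaching the browser is display_errors, which it does not show. As an added example (not the post’s own php.ini), here are the weak and the production settings side by side. The log path matches the post; the remaining values are my recommendation rather than something the post states.

```ini
; Added example, not the post's php.ini excerpt.

; WRONG for production: every warning and notice is rendered into the
; response, leaking file paths, line numbers and library versions to
; whoever triggered it.
; display_errors = On
; display_startup_errors = On

; Production: never display, always log.
display_errors = Off
display_startup_errors = Off
log_errors = On
error_log = /var/log/php_errors

; Report everything; the noise goes to the log, not the browser.
error_reporting = E_ALL

; Plain-text messages, not HTML-wrapped ones, are what tail -f wants.
html_errors = Off
```

Create /var/log/php_errors before reloading PHP, owned by the web server user and with mode 0640, so the server can append to it but other local users cannot read it; if the file does not exist and the directory is not writable by that user, log_errors silently logs nothing.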


6/23/2007

Wordpress Bug - Theme Reverts to Default Theme

I have been working on a new Wordpress theme for this site and have noticed on several occasions that Wordpress has reverted back to the default theme.

Google turned up a few helpful pages:

The problem boiled down to the fact that I was editing the file remotely via SFTP. If I happened to save the file at the same time as someone was requesting a page, the theme’s file-exists check would fail, because there is a split second while the file is being rewritten during which it technically doesn’t exist. The code suggested in the bug report above worked well for me. Uploading to a temporary name and then renaming it over the theme file avoids the window entirely, since a rename within the same filesystem is atomic.


6/22/2007

Zencart Hack - Logout Customer Automatically After X Failed Payment Attempts

Credit card slamming is the practice of trying hundreds or thousands of card numbers and security code combinations to find the few in the batch that will actually work. I have discussed credit card slamming here and over at the ZenCart forums several times in the past.

The code snippet below can be used in modules/checkout_process.php to automatically log a user out after a set number (6 in the below snippet) of payment attempts.

// damonp add auto logoff after 6 attempts
if(! isset($_SESSION['payment_attempt'])) $_SESSION['payment_attempt'] = 0;
$_SESSION['payment_attempt']++;

if($_SESSION['payment_attempt'] > 6)   { // change 6 to change how many attempts to allow before logout
   // log attempt or email report 
   // the following information is useful
   // "Host:\t\t".$_SESSION['customers_host_address'].
   // "\nCustomer:\t".$_SESSION['customer_id'].
   // "\nTotal:\t\t".$_SESSION['cart']->total,
   // destroy session to log customer out
   zen_session_destroy();
   // redirect to timeout page or create new page to redirect to
   zen_redirect(zen_href_link(FILENAME_TIME_OUT, '', 'SSL'));
}

Place in between this code near the top of the file:

// if the customer is not logged on, redirect them to the time out page
  if (!$_SESSION['customer_id']) {
    zen_redirect(zen_href_link(FILENAME_TIME_OUT));
  }

INSERT AUTO LOGOUT FUNCTIONALITY HERE

// load selected payment module
  require(DIR_WS_CLASSES . 'payment.php');
  $payment_modules = new payment($_SESSION['payment']);
// load the selected shipping module
  require(DIR_WS_CLASSES . 'shipping.php');

I found six attempts to work well on the sites I implemented on. You do not want to adversely impact normal users but you do want to make it harder on abusers so that they just go away.
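One limit of the snippet above is where the counter lives: $_SESSION is tied to the session cookie, so a scripted card-slammer resets it simply by discarding the cookie, and zen_session_destroy() itself hands the bot a fresh counter. The following is an added example, not Zen Cart code and not the post’s snippet: the same six-attempt allowance, but counted per customer and per source address in a database table inside a time window, so neither trick helps. The table, column names, window and limiter API are assumptions; the session keys and the zen_* calls named in the comments come from the post. It needs PHP 8.0+ and the pdo_sqlite extension for the self-test.

```php
<?php
// Added example, not Zen Cart code. Persistent payment-attempt counter that
// survives session resets. Schema and API are assumptions.
declare(strict_types=1);

const MAX_ATTEMPTS   = 6;     // same allowance as the post
const WINDOW_SECONDS = 3600;  // attempts older than this no longer count

final class PaymentAttemptLimiter
{
    public function __construct(private PDO $db)
    {
        // Assumed schema; in Zen Cart you would create it once with an SQL patch.
        $db->exec('CREATE TABLE IF NOT EXISTS payment_attempts (
                       subject   TEXT    NOT NULL,
                       attempted INTEGER NOT NULL)');
        $db->exec('CREATE INDEX IF NOT EXISTS pa_idx ON payment_attempts (subject, attempted)');
    }

    // Record one attempt for each subject ("cust:<id>", "ip:<addr>") and
    // report whether any of them is now over the limit inside the window.
    public function recordAndCheck(array $subjects, int $now): bool
    {
        $ins = $this->db->prepare('INSERT INTO payment_attempts (subject, attempted) VALUES (?, ?)');
        $cnt = $this->db->prepare('SELECT COUNT(*) FROM payment_attempts WHERE subject = ? AND attempted > ?');
        $over = false;
        foreach ($subjects as $s) {
            $ins->execute([$s, $now]);
            $cnt->execute([$s, $now - WINDOW_SECONDS]);
            if ((int) $cnt->fetchColumn() > MAX_ATTEMPTS) {
                $over = true;      // keep recording the remaining subjects
            }
        }
        return $over;
    }

    // Call after a successful payment so a legitimate customer's history
    // does not count against their next order.
    public function reset(string $subject): void
    {
        $this->db->prepare('DELETE FROM payment_attempts WHERE subject = ?')->execute([$subject]);
    }
}

// Drop-in for the "INSERT AUTO LOGOUT FUNCTIONALITY HERE" block. In
// checkout_process.php $on_limit would log the attempt, call
// zen_session_destroy() and zen_redirect(zen_href_link(FILENAME_TIME_OUT, '', 'SSL')).
function enforce_payment_limit(PaymentAttemptLimiter $limiter, array $session, int $now, callable $on_limit): bool
{
    $subjects = [
        'cust:' . $session['customer_id'],
        'ip:'   . $session['customers_host_address'],
    ];
    if ($limiter->recordAndCheck($subjects, $now)) {
        $on_limit($session);
        return false;
    }
    return true;
}

// Self-test on an in-memory SQLite database (no shop needed): a bot that
// rotates through three accounts from one address is stopped at the seventh
// attempt, which a per-session counter would never see.
if (PHP_SAPI === 'cli') {
    $limiter = new PaymentAttemptLimiter(new PDO('sqlite::memory:'));
    $blocked = 0;
    for ($i = 1; $i <= 10; $i++) {
        $session = ['customer_id' => 100 + $i % 3, 'customers_host_address' => '203.0.113.7'];
        $ok = enforce_payment_limit($limiter, $session, 1700000000 + $i,
                                    function () use (&$blocked) { $blocked++; });
        printf("attempt %2d as customer %d from %s: %s\n",
               $i, $session['customer_id'], $session['customers_host_address'], $ok ? 'allowed' : 'blocked');
    }
}
```

Attempts one to six are allowed and seven onwards are blocked, even though no single customer account has made more than four. Keying on the address alone would lock out shoppers behind a shared NAT, which is why both subjects are counted and why the window expires: a block is a temporary slowdown for the abuser, not a permanent ban for the network.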

BE WARNED

Improper use of this code could prevent anyone from checking out. The two things that will save you when trying this out are:

  1. MAKE A BACKUP
  2. FULLY TEST BEFORE CALLING IT COMPLETE




damonparker.org is proudly powered by WordPress

copyright © 2002-2008 damonparker.org. all rights reserved.
