Phine Solutions web work notes

easy access to unix man page

Filed under: ajax gadgets — 1.618 @ 7:59 pm


writing secure PHP code

Filed under: security — 1.618 @ 10:01 am

This is a great post about writing secure PHP code and part 2. The articles pretty much cover all the points we need to look at to write secure PHP code.

Additionally this post talks about how hackers can use Google code search and a simple sitemap to gain access to your system.

ascii to char decoder

Filed under: ajax gadgets — 1.618 @ 11:36 am

This is a tool to convert an ASCII code stream to a character string. I wrote it to make it easier to peek into the spam pages I get by email and figure out how they hide the JavaScript redirect. Please do not try to inject executable commands or XSS. They are blocked.


cron job reference

Filed under: linux goodies — 1.618 @ 2:20 pm

crontab is the scheduled job utility on *nix servers.

To edit a cron schedule:

crontab -e

This will open the schedule file based on the EDITOR setting in your shell. VI is the most commonly used editor.

A cron schedule file can look like this:

MAILTO="support@phinesolutions.com" 

*/10 * * * *  php -f Ping.php > ping.out

MAILTO sets the address where the output of the cron goes. If you don't even want to receive it, set MAILTO="".

The first part of the second line is the schedule, and the second part is the command.

The schedule 

The job schedule is set in the following sequence:

  • minute of the hour
  • hour of the day
  • day of the month
  • month of the year
  • day of the week

So in the example above:

  • */10 means every 10 minutes in an hour
  • 2nd * means every hour of the day
  • 3rd * means every day of the month
  • 4th * means every month of the year
  • 5th * means every day of the week

*/10 is the abbreviated way of saying "every 10 minutes in an hour". 

Two other commonly used forms are comma separated values and a range using "-" (dash). For example:

0 9,12 * * *  sets the job to run at the top of the hour at 9am and 12 am, every day.

0 9,12 * * 1-5 sets the job to run at the top of the hour at 9am and 12 am, every weekday.

The command 

The command can be anything executable, either a Unix command or a script. A good practice is to test the command from the console, make sure the environment is set up correctly, and only then put it into the crontab. Since I want to track the output, the example above writes the output from the script to a file.

Sometimes I prefer the logging implemented in the script and do not want to receive it in the cron email. In that case I can set it up like this:

*/10 * * * * php -f Ping.php > /dev/null

/dev/null is the almighty black hole of a Unix system and it will swallow everything without a trace.

If I really don't want to be bothered with ANYTHING, I can also do this:

*/10 * * * * php -f Ping.php > /dev/null 2>&1

This may look weird the first time you see it. In a nutshell, the Unix shell gives STDOUT and STDERR separate file descriptors (1 and 2), and "2>&1" means all the errors are redirected to wherever standard output is going.

We can also create a separate cron file that has all the jobs and use the crontab command to load them all at once:

crontab filename 

Some other notes:

Some hosting providers do not encourage the use of crontab from a console. In most cases, a control panel like cPanel provides a nice interface to set cron jobs.

Once I tried to set up a cron job and it kept giving me a weird error like "command not found", which made no sense since I had tested everything from the script to the PATH. It turned out the cron file I was trying to load was in DOS format and the carriage return messed it up. I ran "dos2unix" on the cron file and that fixed it.
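The two checks from the notes above (a cron file saved in DOS format, and the five schedule fields), as an added example that is not part of the original post: a shell function to run on a file before loading it with crontab. The function name check_cron_file and the sample file are constructed for illustration, and only the numeric forms covered here are accepted, so month or day names and @reboot-style shortcuts would be flagged.

```shell
#!/bin/sh
# Added example: lint a cron file before loading it with "crontab filename".
# Covers only the numeric schedule forms described above: *, */n, a,b and a-b.

check_cron_file() {
    cr=$(printf '\r')
    rc=0
    # In a DOS-format file the carriage return stays glued to the end of the
    # command, which is what produced the "command not found" error.
    if grep -q "$cr" "$1"; then
        echo "CRLF line endings found: convert with dos2unix"
        rc=1
    fi
    # Check the five schedule fields of every job line (CRs stripped first).
    tr -d '\r' < "$1" | awk '
        function bad(msg) { printf "line %d: %s\n", NR, msg; err = 1 }
        function check(field, lo, hi, name,    parts, step, ends, n, m, i, j) {
            n = split(field, parts, ",")
            for (i = 1; i <= n; i++) {
                m = split(parts[i], step, "/")
                if (m > 2 || (m == 2 && step[2] !~ /^[0-9]+$/)) {
                    bad(name ": bad step in " parts[i]); continue
                }
                if (step[1] == "*") continue
                m = split(step[1], ends, "-")
                if (m > 2) { bad(name ": bad range " parts[i]); continue }
                for (j = 1; j <= m; j++)
                    if (ends[j] !~ /^[0-9]+$/ || ends[j] + 0 < lo || ends[j] + 0 > hi)
                        bad(name ": " ends[j] " outside " lo "-" hi)
            }
        }
        /^[ \t]*(#|$)/ { next }                          # comment or blank line
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ { next }  # MAILTO= and similar
        NF < 6 { bad("expected 5 schedule fields and a command"); next }
        {
            check($1, 0, 59, "minute");       check($2, 0, 23, "hour")
            check($3, 1, 31, "day-of-month"); check($4, 1, 12, "month")
            check($5, 0, 7, "day-of-week")    # 0 and 7 both mean Sunday
        }
        END { exit err + 0 }
    ' || rc=1
    return $rc
}

# Constructed sample: a DOS-format cron file with one out-of-range hour.
sample=$(mktemp)
printf 'MAILTO=""\r\n*/10 * * * * php -f Ping.php > /dev/null 2>&1\r\n0 9,25 * * 1-5 php -f Ping.php\r\n' > "$sample"
check_cron_file "$sample" || echo "fix the file before running: crontab $sample"
rm -f "$sample"
```

The function returns 0 only when the file is clean, so it can gate the load step: check_cron_file jobs.cron && crontab jobs.cron.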

a mortgage calculator using ajax + PHP

Filed under: ajax gadgets — 1.618 @ 2:14 pm

This little tool is written with ajax and php script.

This mortgage calculator can be used to figure out monthly payments of a home mortgage loan,
based on the home’s sale price, the term of the loan desired, buyer’s down payment percentage, and the loan’s interest rate.
This calculator factors in PMI (Private Mortgage Insurance) for loans where less than 20% is put as a down payment.


html url decoder

Filed under: ajax gadgets — 1.618 @ 1:56 pm

This is a little tool to convert an encoded URL back to an ASCII string.


where are the mysql general logs and error logs

Filed under: mysql — 1.618 @ 8:14 pm

The regular query log:

The MYSQL query can be logged by starting mysqld with --log[=file]

or adding this line in my.cnf file: 

log=/var/log/mysql.log (/var/log/mysql.log is the actual file path)

Since the query log records every query on every connection, it adds a certain amount of overhead to the mysql server.

The logrotate utility can be used to manage the log files generated in this way. 

The binary log

The binary log records every update that happens in the database. As the name suggests, it is stored in binary form. The parameters related to this setting are:

log-bin[=binary-log-file-name]

binlog-ignore-db=the-db-to-ignore

binlog-do-db=the-db-updates-need-logging 

The log file(s) will be managed by the MYSQL server and each file will be appended with an index as the new file gets rolled in. The files look something like this:  mydb-bin.000001, mydb-bin.000002,…

Since it's in binary form, we can't view them directly. This command comes in for viewing the binary log:

% mysqlbinlog mydb-bin.001

The error log

The error log stores all the errors (obviously). In a Linux system, it can be found under /var/lib/mysql, which is the default installation path for MYSQL. Ideally you should only see messages like "mysqld started" and "mysqld ended"… type of messages.

The slow log 

This is a neat feature of MYSQL. Basically this log stores the "slow" queries that have run on the server. The default one will be servername-slow.log. To define "slow", you can add this to the my.cnf:

long-query-time=1 (comment: one second is too slow!) 

MYSQL reference manual

Utilize multiple hosting accounts

Filed under: server setup — 1.618 @ 11:00 pm

I have several hosting accounts ranging from shared hosting to VPS. Besides their hosting duties, I also assigned them some additional tasks.

Install cron jobs on a shared hosting account to ping the other servers for uptime. A simple PHP script like this can do the job:

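<?php
// Uptime check meant to run from cron: fetch the URL and mail an alert on failure.
$url = "http://www.domain.com";

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_HEADER, 0);
// Return the body instead of printing it, so it stays out of the cron output.
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_exec($ch);

// curl_errno() is non-zero only for transport errors (DNS, connect, timeout);
// an HTTP error page still counts as "up" here.
if (curl_errno($ch) != 0) {
  $subject = "Site is down";
  $message = "Site is down at " . date("Y-m-d H:i:s");
  mail("webmaster@domain.com", $subject, $message);
  echo date("Y-m-d H:i:s") . " $url is down \n";
} else {
  echo date("Y-m-d H:i:s") . " $url is up \n";
}

curl_close($ch);
?>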

Also, there are several sites that offer free domain monitoring like:

SiteUptime Website Monitoring

Montastic

Both of them are pretty solid based on my experience. SiteUptime also offers pinging from west coast server or east coast server. With the combination of the free service and your own monitoring, you can get a decent idea about the stability of the domain you are trying to keep an eye on.

 

Use one account for CVS code repository.

CVS is a developer's friend for maintaining code.

On the server side, to create a CVS repository we can run this command:

cvs -d $HOME/project_cvs init

On client side, there is a pretty nice tool we can use for CVS utility: Tortoise CVS.

 

Most shared hosting services are loaded with utilities; with a little additional SSH can be available too. So why not use them?

mysql’s useful … sqls

Filed under: mysql — 1.618 @ 10:27 pm

Create a new user: 

grant all on mydb.* to myuser@localhost identified by 'mypass';

show grants for 'username'@'localhost';

revoke all privileges on db_name.* from 'username'@'localhost';

drop user 'username'@'localhost';

imagecopyresampled vs. imagecopyresized

Filed under: PHP development — 1.618 @ 4:56 pm

If you are using the image manipulation functions in PHP to resize an image, a common mistake is to use the imagecopyresized() function. Most of the time, the imagecopyresampled() function should be used instead.

According to the API document, imagecopyresampled()

copies a rectangular portion of one image to another image, smoothly interpolating pixel values so that, in particular, reducing the size of an image still retains a great deal of clarity.

This raises the question: if imagecopyresampled() produces a better image, why do we still need imagecopyresized() at all? My take is that the latter, although it does not create as pretty an image as the former, executes much faster since less smoothing (anti-aliasing) is done during the process.


©phinesolutions.com