Upgrading to PHP 5.3 in Ubuntu

I’ve been using PHP 5.2 for a long time now. I’m not so apt towards change but PHP 5.3 has some cool features which I needed very much for my projects. So yesterday I decided to do that conversion. The process was not at all so simple and it took lots of googling and searching the forums, especially for removing the post-installation bugs. Finally, at Dec 27 12:45 AM I achieved 100% transformation to PHP 5.3. As my usual habit, I like documenting the stuff I do, so here it goes.

First thing before starting the process is to make sure that none of my existing projects would break. Because as the developers have said, PHP 5.3 is a major release with lots of changes. Many new features were added while many were removed or deprecated. And to avoid getting unnecessary warnings or notices, it was better to recheck my codes for compatibility with PHP 5.3. The PHP developers have written a good page in the PHP Manual which tells in detail about the things to take care of when migrating to 5.3 from 5.2. You can check it here : http://php.net/manual/en/migration53.php

So don’t forget to go through that page once, at the least the section which tells about the “removed and deprecated” features in PHP 5.3 and use the alternatives as suggested. Now you’re ready to upgrade. BUT, before that, you’ve to know that any software you use like phpMyAdmin or ldapPhpAdmin which uses PHP might broke. Well, you cannot do anything about it but you’ll have to reinstall them. Anyways, moving ahead, take a backup copy of your php.ini configuration file. You may need it for reconfiguring your PHP 5.3. If you’re using Apache 2, it can be found in /etc/php5/apache2/php.ini

Now, just run the following commands one by one,

Continue reading →

PHP Optimizations

PHP is my favourite web development language.(Not anymore, its Python now). Nevertheless, here are a few tips I follow to make PHP work faster :

• When you’re creating PHP files, you’ll start with <?php tags as usual, but DON’T end the file with ?> tags if its not your main index.php file. Its optional and ignoring it is not just safe but recommended. So always leave the <?php tags unclosed in files which you are going to include in your main file. Do close it properly in your main index.php file though.
• Don’t use functions in FOR loop condition if the function returns the same result always e.g.

for($i=0; $i<length(arr); $i++)

IS VERY VERY SLOW than

for($i=0, $N=length($arr); $i<$N; $i++)

That’s because since the condition is checked on every iteration. The function is called again and again to check the lenght of the same array every time. Instead since you know the array length is the same, why not save it in $N so that it won’t have to calculate it again and again. Though if your array $arr may change in length, you can use that. Continue reading →

Defending against SQL Injection Attack in PHP any version

Internet Security is a very sensitive issue and many websites have vulnerabilities which are easily exploitable. One such vulnerability is SQL Injection, in which the attacker can literally execute any kind of query in your database, even gain administrator privileges and if things are even worse, then he may also gain access to your system and execute any command. No wonder how dangerous this vulnerability is, but it has a very easy fix. I’d like to introduce you with a small function escape(), I’ve written for sanitizing data while querying the database, which will disable SQL Injection attacks in PHP, irrespective of the PHP version you use.

function escape($input)
{
if (!get_magic_quotes_gpc()) {
$input = addslashes($input);
}
return $input;

}

By default the Magic GPC Quotes feature of PHP is turned ON. So it will automatically sanitize any data it receives from $_GET and $_POST by placing slashes before any ‘, ” or \ characters. However, as of PHP 5.0+, this feature is deprecated and hence relying on it is highly discouraged. Instead, use the addslashes() function which does the same thing. So the function I wrote will basically identify whether the Magic GPC feature is turned ON, if it is, then it will simply return the query as it is, else it will call the addslashes() method on the query. So simple !
However, there’s a more “secure” version of it. But this one is not suitable for large-scale systems as it requires an extra-connection to the MySQL server.

function escape($input)
{
if (get_magic_quotes_gpc()) {
$input = stripslashes($input);
}
return mysql_real_escape_string($input);

}

You can use the above function as follows :

Find out all the form variables that you receive in your PHP code i.e. all the occurrences of $_GET and $_POST and whenever you use then, use

escape($_POST[‘var’])

instead of just $_POST[‘var’]. Similary for $_GET variables also.

For example, suppose you have stored the mysql query like :

$username=$_GET[‘username’];
$password=$_POST[‘password’];
$query=”SELECT * FROM `users` WHERE `username`=’$username’ AND `password`=’$password'”;

To secure the above code, use this code instead :

$username=escape($_GET[‘username’]);
$password=escape($_POST[‘password’]);
$query=”SELECT * FROM `users` WHERE `username`=’$username’ AND `password`=’$password'”;

or, by writing it in a single line only :

$query=”SELECT * FROM `users` WHERE `username`='”.escape($username).”‘ AND `password`='”.escape($password).”‘”;

This simple thing will completely disable any kind of SQL Injection attacks in your website or web-application, irrespective of the PHP version you use. However, beware of other attacks ! 🙂