Bank Islam phishing site through e-mail


This is one phishing mail I received today. If you hover over the link, the URL seems correct, but you can’t fool me, waltersgreenhouse.ca / rumahhawa.com: see the bottom left of the browser window, it shows the link it’ll redirect you to.

See where they send the form to

Don’t enter your info to that site!!!

P/S: I don’t have Bank Islam account…

Singleton class

This is a continuation of the singleton pattern post.

Here’s the abstract class for the singleton pattern; other classes that need to be singletons just need to extend this class.

class singleton {
    // one instance per subclass, keyed by class name
    private static $instance = array();
    // block direct instantiation and cloning from outside
    private function __construct() {}
    private function __clone() {}
    protected static function init($class) {
        if (!isset(self::$instance[$class]) ||
            !self::$instance[$class] instanceof $class) {
            self::$instance[$class] = new $class();
        }
        return self::$instance[$class];
    }
}

We can’t directly use self::$instance = new self(); because self refers to this singleton class itself, not the class that extends it. So, to get the extending class, the extending class needs to explicitly pass its class name to the parent’s init().

class app extends singleton {
    var $i = 0;
    static function o() {
        return parent::init(__CLASS__);
    }
    function run() {
        $this->i++;
        echo 'run app...';
    }
}
// to access app class and its methods & attr
app::o()->run();
echo app::o()->i;
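Since PHP 5.3, late static binding lets the base class discover the calling subclass itself, so the __CLASS__ argument can be dropped. This is an added example, not code from the original post; the class names singleton_lsb and app2 are assumptions.

```php
class singleton_lsb {
    private static $instances = array();
    private function __construct() {}
    private function __clone() {}
    // get_called_class() and new static() resolve to the subclass that was
    // called, so the subclass no longer passes its own name to the parent
    public static function o() {
        $class = get_called_class();
        if (!isset(self::$instances[$class])) {
            self::$instances[$class] = new static();
        }
        return self::$instances[$class];
    }
}

class app2 extends singleton_lsb {
    public $i = 0;
    public function run() {
        $this->i++;
        return 'run app...';
    }
}

app2::o()->run();
app2::o()->run();
var_dump(app2::o()->i === 2);        // both calls hit the same instance
var_dump(app2::o() === app2::o());   // identity check, same object
```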

Filter nudity with PHP

nude.js is a JS-based nudity scanner using HTML5 Canvas and Web Workers. The algorithm is based on this research paper: http://www.math.admu.edu.ph/~raf/pcsc05/proceedings/AI4.pdf.

I’ve been working on porting the script to PHP using the GD library. So, here’s the result: php-nudity-filter. It’s a direct port of the nude.js script to PHP, where I keep the same data structures, functions and algorithm, therefore its performance is not very optimized for PHP. Scanning a 500×500 image takes around 8-10 seconds.

But overall it’s working as expected; it can detect nude pictures at a rate similar to nude.js. There are several steps that are still not complete (esp. the bounding polygon) and optimization. Fork it on Github, improve it and make the internet a better place.

Git basic

I’m a noob at using Git, and I’m using Github to host some of the code I wrote. Here are some basic commands to host a project with Github (or using Git revision control generally), since sometimes I forget the command or the order in which the commands go.

Global setup:

Set up git

git config --global user.name "Your Name"
git config --global user.email myemail@maildomain.com

Next steps:

mkdir project-name
cd project-name
git init
touch README
git add README
git commit -m 'first commit'
git remote add origin git@github.com:username/project-name.git
git push -u origin master

Existing Git Repo?

cd existing_git_repo
git remote add origin git@github.com:username/project-name.git
git push -u origin master

To commit changes (and optionally push changes to Github)

git add .
git commit -m 'commit message'
git push -u origin master

SVN users may find Git confusing. Here are some tips:

  • There is no centralized server or repo. You are the server / repo.
  • In SVN, what’s on your computer is a working copy and the centre for committing changes is the repository. In Git, your working copy is your repository.
  • In SVN, project members check out a working copy and commit changes to a centralized repository. In Git, everyone in a project can be the repository, and can checkout (pull) and commit (push) changes to each other.
    (Note: in Git, ‘checkout’ is called `pull`, ‘commit’ is saving changes to your own repository, and ‘push’ is sending and merging changes to a remote repository.)

GIMP Single Window Mode

I’ve been using Gimp as my primary image editing software. I never used Photoshop (and I don’t want to). The only thing that makes using Gimp quite difficult is the user interface – the main application window is separated into 3 (sometimes 2) tiny windows. I used to promote the software to other users, but this one important feature has been missing since the beginning of Gimp, causing many of them to prefer Photoshop.

Finally!

Single window mode is available in Gimp (2.7.3). However, this version is still in the development phase, and it’s rumoured that version 2.8 will be the stable release for this most requested feature.

PHP timezone handling

Within a PHP app, we need to set the timezone to only one timezone – UTC. All timestamp data going in and out of the database must use the UTC timezone so that it’s easier to convert to other timezone values. It’s basic in a PHP script to first set the timezone:

date_default_timezone_set('UTC');

Then it is highly encouraged to store all datetime-related data as UNIX timestamps, since retrieving them from the database is faster than formatted datetimes, they are easier to format using the date() function, and also easy to convert from one timezone to another using the function below:

// offset in seconds between UTC and $timezone at the instant $timestamp
timezone_offset_get(new DateTimeZone($timezone), new DateTime('@' . $timestamp));

$timezone is one of the timezone identifiers listed under List of Supported Timezones at php.net. This function handles the DST conversion automatically, provided the second argument is the datetime being converted; passing new DateTime() gives the offset as of now, which is wrong for a timestamp on the other side of a DST switch.

To summarize, here’s the correct usage and handling of timezones in PHP:

  1. Always set default timezone to UTC, and store user specific timezone info in database or in cookies
  2. Store and retrieve timestamp in UTC timezone
  3. Only convert to local timezone when displaying the timestamp info

// set first, early in the script
date_default_timezone_set('UTC');

// data retrieved from the database is based on the UTC timezone
$timestamp = 1310529794;

// and you're in Los Angeles
$timezone = 'America/Los_Angeles';

// show the formatted datetime for the time in L.A.; the offset is taken at
// $timestamp itself so the DST rule in force at that moment is applied
echo date('F j Y, g:i:s a', $timestamp + timezone_offset_get(new DateTimeZone($timezone), new DateTime('@' . $timestamp)));
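The same conversion done with DateTime::setTimezone, which applies the DST rule in force at the converted instant, alongside the post’s offset approach evaluated at the timestamp rather than at “now”. This is an added example, not code from the original post; the function names and the January timestamp are constructed.

```php
// Convert a UTC timestamp to a timezone for display; '@' timestamps are
// always interpreted as UTC, and setTimezone() picks the right DST offset.
function format_in_tz($timestamp, $tz, $format = 'F j Y, g:i:s a T') {
    $dt = new DateTime('@' . $timestamp);
    $dt->setTimezone(new DateTimeZone($tz));
    return $dt->format($format);
}

// The post's offset function, but evaluated at the timestamp being converted
// instead of at the time the script happens to run.
function offset_at($timestamp, $tz) {
    return timezone_offset_get(new DateTimeZone($tz), new DateTime('@' . $timestamp));
}

date_default_timezone_set('UTC');
$tz = 'America/Los_Angeles';
$summer = 1310529794;               // 2011-07-13 04:03:14 UTC, from the post
$winter = $summer - 181 * 86400;    // constructed: 2011-01-13 04:03:14 UTC

echo format_in_tz($summer, $tz), "\n";
echo format_in_tz($winter, $tz), "\n";
echo offset_at($summer, $tz), "\n";
echo offset_at($winter, $tz), "\n";
```

The July timestamp formats with PDT (UTC-7) and the January one with PST (UTC-8), which a single offset taken at run time cannot give.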

PHP async request with auth

The Stack Overflow question http://stackoverflow.com/questions/962915/how-do-i-make-an-asynchronous-get-request-in-php shows how to send an asynchronous request from a PHP script, so that the webpage is rendered immediately without waiting for the request to finish.

This technique is useful if you want to implement background processing in a web app: just send a request to your own script that will run the process in the background, while the main script continues to run and produce the webpage.

However, the page that runs the background process may be accessible directly, just by entering the correct URL in a browser, and you want to make sure this page is not abused by users.

When sending the request, we can add a request header as an authentication method to check whether the request really came from our own web application. You may set the User-Agent header to your own webapp’s UA,

'User-Agent: my-web-app', and in your script check the value of $_SERVER['HTTP_USER_AGENT'].

Or, for more security, use a custom header name, as follows:

$host = 'localhost';
$path = '/bg.php';
$params = array(); // query string parameters
if (!empty($params)) {
    $path .= '?' . http_build_query($params);
}
// short timeout: the caller must not block on the background script
$fp = fsockopen($host, 80, $errno, $errdesc, 5);
if ($fp) {
    $req  = "GET $path HTTP/1.0\r\n";
    $req .= "Host: $host\r\n";
    // custom header carrying the shared secret
    $req .= "Anxx0Wjoiw3: asmkd3A0das2wq2\r\n";
    // blank line terminates the header block
    $req .= "Connection: Close\r\n\r\n";
    fwrite($fp, $req);
    fclose($fp);
}

And in the background process script, check if the custom header is correct:

// hash_equals() compares in constant time, so the secret cannot be guessed
// byte by byte from response timing (PHP 5.6+)
if (isset($_SERVER['HTTP_ANXX0WJOIW3']) && hash_equals('asmkd3A0das2wq2', $_SERVER['HTTP_ANXX0WJOIW3'])) {
    // do background process
}

Note: custom headers (and other headers) can be accessed via the $_SERVER array, with the key prefixed with ‘HTTP_’, the name uppercased and dashes converted to underscores.

In addition, use a hashed value for the header name and value, and also change the value every few hours by autogenerating it using mktime() and strtotime(), provided you secure the hashed string with salt data, for example:

$salt = 'secret-key';
$hash = md5($salt . mktime(date('H', strtotime('+6 hour')), 0, 0));
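A rotating header token built on hash_hmac() instead of md5(salt . time), with the receiver accepting the current and the previous period and comparing in constant time. This is an added example, not code from the original post; the header name X-Bg-Auth, the 6-hour period and the BG_SECRET placeholder are assumptions, and it needs PHP 7+ (intdiv, hash_equals).

```php
define('BG_SECRET', 'change-me-long-random-secret'); // constructed placeholder, load from config
define('BG_BUCKET', 6 * 3600);                       // token changes every 6 hours

// Index of the current 6-hour period, optionally shifted by $delta periods.
function bg_bucket($now, $delta = 0) {
    return intdiv($now, BG_BUCKET) + $delta;
}

// Token for a period: HMAC binds the secret to the period number.
function bg_token($bucket) {
    return $bucket . ':' . hash_hmac('sha256', 'bg:' . $bucket, BG_SECRET);
}

// Sender side: header line to add to the background request.
function bg_auth_header($now) {
    return 'X-Bg-Auth: ' . bg_token(bg_bucket($now));
}

// Receiver side (bg.php): accept the current or the previous period so a
// request sent just before a rotation still verifies; reject anything else.
function bg_verify($header_value, $now) {
    if (!is_string($header_value) || strpos($header_value, ':') === false) {
        return false;
    }
    list($bucket, $mac) = explode(':', $header_value, 2);
    if ($bucket !== (string) bg_bucket($now) && $bucket !== (string) bg_bucket($now, -1)) {
        return false; // expired or future period
    }
    // constant-time comparison of the whole "bucket:mac" string
    return hash_equals(bg_token((int) $bucket), $header_value);
}

// In bg.php the header arrives as $_SERVER['HTTP_X_BG_AUTH'].
$now = time();
$ok = bg_verify(isset($_SERVER['HTTP_X_BG_AUTH']) ? $_SERVER['HTTP_X_BG_AUTH'] : '', $now);

// Sanity checks: fresh token verifies, a token two periods old and a
// tampered MAC are both rejected.
var_dump(bg_verify(bg_token(bg_bucket($now)), $now) === true);
var_dump(bg_verify(bg_token(bg_bucket($now, -2)), $now) === false);
var_dump(bg_verify(bg_bucket($now) . ':' . str_repeat('0', 64), $now) === false);
```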

PHP Templating

Here’s a simplified template class, inspired by PHP Tip: Extract, Variable Variables and Templating. It supports template inheritance, is object oriented and auto-escapes variables. Furthermore, it doesn’t need to be compiled, since it uses plain PHP.

The class: tpl.class.php

class tpl {

    var $file;
    var $folder = 'template';
    var $vars = array();

    function __construct($file) {
        $this->file = $file;
    }

    /**
     * Assign variables to class attributes
     */
    function assign($name, $value) {
        // need to render child template
        if ($value instanceof self) {
            ob_start();
            foreach ($this->vars as $k => $v) {
                if (is_scalar($v) || is_array($v)) {
                    // copy variables to child template
                    $value->assign($k, $v);
                }
            }
            $value->render();
            $html = ob_get_clean();
            // assign output HTML to parent template variable
            $this->vars[$name] = $html;
        } else {
            $this->vars[$name] = $value;
        }
    }

    /**
     * Echo variables and auto escape HTML for string vars
     */
    function e($name) {
        if (!isset($this->vars[$name])) {
            return; // unassigned variable: print nothing rather than a notice
        }
        if (is_string($this->vars[$name])) {
            echo htmlspecialchars($this->vars[$name], ENT_QUOTES, 'UTF-8');
        } else {
            echo $this->vars[$name];
        }
    }

    /**
     * Display the main template (usually master/layout template)
     * and set header
     */
    function display() {
        if (!headers_sent()) {
            header('Content-type: text/html; charset=utf-8');
        }
        $this->render();
    }

    /**
     * Include template file (require, not require_once, so the same
     * template file can be rendered more than once in a request)
     */
    private function render() {
        require dirname(__FILE__) .'/'. $this->folder .'/'. $this->file .'.php';
    }
}

This class is just a basic class that organizes the template files, and it can easily be applied to your page controller script, so that you can separate the presentation layer from the business logic.

To use it, here are some template files, consisting of 3 inheritance levels.

Top level: layout.tpl.php

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>
    <title><?php $this->e('title'); ?></title>
    <meta http-equiv="content-type" content="text/html;charset=utf-8" />
</head>

<body>
    <?php echo $this->vars['body']; /* rendered child template, already HTML */ ?>
</body>

</html>

Middle level: body.tpl.php

<h2><?php $this->e('blog_title'); ?></h2>
<p><?php $this->e('blog_content'); ?></p>
<hr />
<?php echo $this->vars['portlet']; /* rendered child template, already HTML */ ?>

Bottom level: portlet.tpl.php

<div style="width: 120px; border: 1px solid #ccc; background: #eee; text-align: center; padding: 10px;">
    <span style="color: #333; font-size: 11px; font-family: sans-serif">This is portlet<br/><?php $this->e('portlet_name'); ?></span>
</div>

Then in your page controller code, add this to the bottom of the file to render the template and output it:

require_once 'tpl.class.php';

$tpl = new tpl('layout.tpl');
// assign all variables first before display the template
$tpl->assign('title', 'New Test Template');
$tpl->assign('blog_title', 'My First Post');
$tpl->assign('blog_content', 'Lorem ipsum dolor sit amet');
$tpl->assign('portlet_name', 'My lil\' portlet');
$tpl->assign('portlet', new tpl('portlet.tpl')); // this variable is needed by body.tpl, so assign it first
$tpl->assign('body', new tpl('body.tpl'));
$tpl->display();

The order of assigning the variables is important, because you cannot echo or access variables that are not yet assigned.

This class is very much working now, and you may add more features to it – template caching, setting custom headers to support other output types (such as RSS, XML etc.), data formatting functions, language translation support, gzip support etc.

Singleton pattern

A singleton class is a class that allows only one instance of itself to be instantiated.

A lot of the examples I see implement the singleton pattern in one of these ways:

1. Extend a base singleton class
2. Each class applies the singleton pattern itself (a get_instance() method and a static $instance attribute)
3. Using the registry pattern, where one dedicated class acts as the manager of singleton instances

Well, things shouldn’t get too hard. Here, I will use a combination of the registry pattern and singleton in just one function:

function o($class) {
    // registry of instances, kept across calls by the static keyword
    static $instances = array();
    if (!isset($instances[$class]) || !$instances[$class] instanceof $class) {
        // plain assignment: "=& new" was deprecated in PHP 5.3 and is an error in PHP 7
        $instances[$class] = new $class();
    }
    return $instances[$class];
}

To use it:

o('db')->query(...);
o('db')->fetch();
o('singleton_class')->do_something();

PHP Hooks System

After reading Explaining Hooks, I finally understand the concept of hooks in PHP and why people use it in WordPress and say WP code is poetry.

The general idea is that, in a web application, the program goes through stages of processing during its runtime, such as connecting to the database, starting the session, rendering the template etc. These are known as events. When these events occur during the runtime of the program, some external code can be run as additional processing to the core program. This external/additional process is known as a plugin.

So, the hooks system exposes these events for the plugins to attach to, so that when the event occurs, the plugin will be run. Even though the concept seems simple, there are problems that we need to handle:

Which plugin to call first when an event occurs? The hooks system needs a priority feature to make sure plugins are called in the correct order, to produce the intended result.

Which plugins need to be loaded? If all of them are loaded, wouldn’t it affect site performance? This is why plugins need to be registered with the plugin system of an application, so that the core application knows which plugins to load at what time, and which function to run.

Therefore, the hooks system needs to have a plugin registration section, a priority section, a list of the available hook events, and a way to handle unknown events. The plugin data can be stored in the database, with the configuration data stored temporarily in a cache for faster access.
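A minimal hooks registry covering the four parts listed above: registration, priority ordering, a fixed list of known events, and rejection of unknown ones. This is an added example, not code from the original post or from WordPress; the class, method and event names are assumptions.

```php
class hooks {
    // known events; attaching to or firing anything else is refused, not silently ignored
    private $events = array('db_connect', 'session_start', 'render_template');
    private $callbacks = array();   // event => array(priority => array(callable, ...))

    // plugin registration: lower priority runs first, equal priority keeps add order
    public function add($event, $callback, $priority = 10) {
        if (!in_array($event, $this->events, true)) {
            throw new InvalidArgumentException("unknown hook event: $event");
        }
        if (!is_callable($callback)) {
            throw new InvalidArgumentException("callback for $event is not callable");
        }
        $this->callbacks[$event][(int) $priority][] = $callback;
    }

    // fire an event: each attached callback receives the value and returns the new one
    public function run($event, $value = null) {
        if (!in_array($event, $this->events, true)) {
            throw new InvalidArgumentException("unknown hook event: $event");
        }
        if (empty($this->callbacks[$event])) {
            return $value;               // known event, nothing attached
        }
        ksort($this->callbacks[$event]); // priority section: order by priority number
        foreach ($this->callbacks[$event] as $priority => $list) {
            foreach ($list as $cb) {
                $value = call_user_func($cb, $value);
            }
        }
        return $value;
    }
}

// Two plugins on the same event: priority 5 runs before the default 10,
// regardless of the order in which they were registered.
$h = new hooks();
$h->add('render_template', function ($html) { return $html . '<!-- footer plugin -->'; });
$h->add('render_template', function ($html) { return '<!-- header plugin -->' . $html; }, 5);
$out = $h->run('render_template', '<p>page</p>');
var_dump($out === '<!-- header plugin --><p>page</p><!-- footer plugin -->');

// Unknown event: rejected at registration time instead of failing at runtime.
try {
    $h->add('shutdown', function ($v) { return $v; });
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```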