Scrawlr: Crawls your website for SQL Injection

Scrawlr, short for SQL Injector and Crawler, crawls your website and analyzes the parameters of each individual page for SQL injection vulnerabilities. It is a very useful tool for small to medium-sized websites. Free for the first 1,500 pages.

From HP’s website:

Technical details for Scrawlr

  • Identify Verbose SQL Injection vulnerabilities in URL parameters
  • Can be configured to use a Proxy to access the web site
  • Will identify the type of SQL server in use
  • Will extract table names (verbose only) to guarantee no false positives

Scrawlr does have some limitations versus our professional solutions and our fully functional SQL Injector tool:

  • Will only crawl up to 1500 pages
  • Does not support sites requiring authentication
  • Does not perform Blind SQL injection
  • Cannot retrieve database contents
  • Does not support JavaScript or flash parsing
  • Will not test forms for SQL Injection (POST Parameters)

It’s worth trying out.

–aj
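The verbose SQL injection that the Scrawlr blurb above reports, seen from the application side in an added example (not HP’s code and not from this post): the leaky handler beside its hardened form, plus the response check a reviewer can run over captured pages. The table, column and parameter names are constructed, and a live mysqli connection is assumed for the two handlers.

```php
<?php
// Added example, not HP's or this post's code. "items", "name" and the id
// parameter are constructed; a live mysqli connection is assumed for the two
// handlers. mysqli_report(OFF) keeps the return-false style used below (PHP 8.1+
// throws mysqli_sql_exception by default, which leaks just as badly if uncaught).
mysqli_report(MYSQLI_REPORT_OFF);

// BEFORE: the URL parameter goes straight into SQL and the raw DBMS error is
// echoed. That error text in the HTML is the "verbose" signal a crawler keys on;
// its wording also reveals which database server is behind the page.
function find_item_verbose(mysqli $db, array $get): string
{
    $sql = "SELECT name FROM items WHERE id = " . ($get['id'] ?? '');
    $res = $db->query($sql);
    if ($res === false) {
        return 'Query failed: ' . $db->error;          // DBMS error reaches the client
    }
    $row = $res->fetch_assoc();
    return $row ? htmlspecialchars($row['name']) : 'not found';
}

// AFTER: validate the parameter's type, bind it in a prepared statement, and keep
// the DBMS error out of the response (it goes to the server log instead).
function find_item_safe(mysqli $db, array $get): string
{
    $id = filter_var($get['id'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return 'Invalid request';                      // no query is run at all
    }
    $stmt = $db->prepare('SELECT name FROM items WHERE id = ?');
    if ($stmt === false || !$stmt->bind_param('i', $id) || !$stmt->execute()) {
        error_log('items lookup failed: ' . ($stmt ? $stmt->error : $db->error));
        return 'Temporary error';                      // generic text only
    }
    $stmt->bind_result($name);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? htmlspecialchars($name) : 'not found';
}

// Review-side check: does a captured response body still carry a verbose DBMS
// error? Returns the server family the wording points to, or null when clean.
function db_error_fingerprint(string $body): ?string
{
    $patterns = [
        'MySQL'      => '/You have an error in your SQL syntax/i',
        'MSSQL'      => '/Unclosed quotation mark after the character string/i',
        'Oracle'     => '/\bORA-\d{5}\b/',
        'PostgreSQL' => '/syntax error at or near/i',
    ];
    foreach ($patterns as $family => $re) {
        if (preg_match($re, $body)) {
            return $family;
        }
    }
    return null;
}

// Constructed response bodies for the check (no server needed).
$leaky = "<p>Query failed: You have an error in your SQL syntax; check the manual</p>";
$clean = "<p>Temporary error</p>";
echo 'leaky page: ', db_error_fingerprint($leaky) ?? 'clean', "\n";
echo 'clean page: ', db_error_fingerprint($clean) ?? 'clean', "\n";
```

Run db_error_fingerprint() over the HTML you capture while exercising each parameter with malformed values; a non-null result is the same signal Scrawlr reports, and the fix is in the handler, not in hiding the page.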

NuSphere PHPEd Review

By: Reynold E. Lariza (reynoldlariza.com)


NuSphere PhpED is an Integrated Development Environment (IDE) for PHP, a server-side HTML-embedded scripting language. PhpED provides a flexible, easy-to-use platform for developing web sites using PHP, XML, CSS style sheets, and HTML.

PhpED also provides streamlined functionality for debugging code, publishing projects to remote servers through FTP, SFTP and WebDAV, working with SOAP servers, and integrating with repository-based code management systems such as CVS. PhpED is suitable for multiple developers and very large projects.


The PhpED IDE is a powerful development environment for developing applications in PHP. A balanced combination of an advanced code editor, a reliable PHP debugger, a productive database connectivity client, and fast and secure deployment abilities makes PhpED a complete solution for the most sophisticated developer needs. For example, developing a console PHP application with ncurses may require running and debugging it using the PHP command line interface (php-cli). At the same time, developing a web application designed to run on a remote server requires special tools for effective work with that server, such as a remote debugger, source deployment and, most likely, a profiler.

System Requirements:
• Microsoft Windows 2000 and higher
• 256 MB RAM or better

My job as a web developer began at my 2nd job, as IT Administrator in a freight/shipping company, in the year 2005. The company needed a system reformation to accommodate the new changes of the industry it is sitting on. When we were thinking of a new system, we all agreed on a centralized one. So, we decided on Web-based development and agreed as well to use PHP as the standard development programming language for this purpose.

When we started our development, we were using a variety of text editors, like EditPlus, PSPad, Notepad++, and the SEG editor, for writing PHP modules extensively.

Hmmm… Come to think of it… I haven’t realized why it’s called SEG.

Anyway, I can say we were doing great then. We were able to develop the core modules a few months before the set deadline in our timeline.

When we reached the 6-month mark of our development, our difficulties rose from what we had been ignoring from the beginning. The project was getting bigger and the deadline was getting nearer. Keeping track of everything we did was getting more difficult. I had more than 20 open PHP files which were all related to each other, which was a bit tiresome for our development culture at the time, but we managed to complete it anyway, though we were a few days late for our expected deadline.

During this time of development, I was asking myself: is there a better way of doing this?

In April 2006, I began my research to answer this particular question. I was looking for an editor that combines everything I need: code editing, a built-in PHP manual, database connectivity, the ability to directly edit PHP files on the server through the SCP/SSH protocol, plus my favorite HTML and color toolbar. In short, an Integrated Development Environment, or simply IDE.

In a matter of seconds, I realized that it was that easy to find the answer I was looking for.

I found many PHP IDEs, including the ones very popular among PHP developers: Zend Studio, WaterProof PHPEdit, and NuSphere PHPEd.

I first tried Zend Studio 5 and I was really amazed at what it could do. All the features I needed, plus some extras, were really great. However, I only tried it for about a week, and got frustrated with it. Why? It was slow, compared to the PHP editor I was using. Yes, that’s right. Speed is important to me. And that’s one thing I didn’t like about Zend. Its most important feature is that it’s cross-platform, which means that it can run on Linux as well, aside from Microsoft Windows. But at that time we only used MS Windows XP Pro SP2 for development, so that did nothing for us.

The next IDE I tested was WaterProof’s PHPEdit. The workspace is a bit different from Zend Studio’s, but it does have everything I needed. It’s also much faster than Zend Studio. So I decided to try it. But just the next day, during development… it crashed!

What the *$^#*$& !!!

All of my unsaved changes, which amounted to a few hundred lines, were gone to nothingness. I hated it at that instant. So I concluded that this IDE is NOT for the likes of me.

I looked for another option. And there I found NuSphere PHPEd. Like the previous IDEs I mentioned, it had all the necessary tools I needed. Plus it was faster than WaterProof’s PHPEdit. But a question popped into my head: will it crash too, like WaterProof’s?

So I gave it a week. And to my surprise, it never crashed.

Need I say more? If there’s one IDE that’s worth using and buying, it’s NuSphere PHPEd. No more, no less.

You ask, what are the features? I don’t think rewriting them is necessary, since it’s all in the manual. But for the sake of it, I’ll put them here too.


NuSphere PhpED features:

This chapter provides a basic introduction to PhpED features. Key features of NuSphere PhpED 5.2 include:

*Features marked with an asterisk are not available in the Standard and Educational versions of PhpED.

Advanced Editor
• Multiple Language Syntax Highlighting
Code sensitive syntax color highlighter gives you the ability to have separate highlighting for different languages in the same file. Highlighting for each language is of course fully configurable in PhpED’s settings.

• Dynamic Syntax Highlighting
The editor will automatically switch the syntax highlighting depending on the position in the file. The strength of PHP is in the ability to embed it in other documents, like HTML. However, sometimes the document becomes too crowded with lines of code from multiple languages. The auto-switch feature will let you focus on the code and the language that you are currently working on. It will only highlight those parts of the document which are written in the same language as the current position of the cursor and dim the rest of the text. The editor will switch between PHP, HTML, Smarty, CSS and JavaScript, depending on the type of the file.

• Smarty Highlighter
NuSphere continues to embrace the best technologies and design patterns in PHP. PhpED comes with Syntax Highlighter for Smarty’s .tpl files. This feature, combined with Dynamic Syntax Highlighting and Multiple Language Syntax Highlighting provides for unmatched convenience and productivity of PHP developers using Smarty templates in their work.

• True Unicode editing. Create projects in several natural languages simultaneously.

• Code templates allow you to type whole code fragments at once by a single key press. You can add new templates and change existing ones.

• Fully customizable shortcuts, advanced editor features such as brace matching, context-sensitive auto-indent and smart-home speed up your work significantly.

• Search and replace scope. Find and replace works in multiple files and directories as well as in all opened files! Regular expressions allow you to find text using complex conditions.

• Drag-n-drop operations support. Try to drag an image from the file browser or project manager in to your HTML page directly. Database explorer supports drag operations too.

Code Insight
• Code Completion. Dynamically provides the available properties and methods for a given variable or class, and automatically concludes partially typed keywords. Code completion works for HTML and CSS too. It shows properties for tags, classes and attributes. Nested calls are supported with unlimited nesting level.

• Tool tips and Instant error analysis for both php and HTML make coding an easy task – no more simple mistakes and typos.

• Project-wide code explorer in PhpED IDE shows all php classes, methods, properties, functions and variables in every detail and facilitates object-oriented programming.

• Hints show you arguments and returning value for a just typed function, as well as a short description for them.

• Fast functions reference shows you all the PHP functions as they are available from PHP extensions.

Debugging and Profiling
• Commercial versions of the PHP DBG Debugger – the best debugger currently available – provide unmatched debugging productivity in both local and remote debugging modes.

• NuSphere Toolbar for Internet Explorer

The best debugger on the market got even better. PhpED’s unmatched remote debugging capabilities are now simply breathtaking with this feature, which allows starting the remote debugging session with one button click.

• Remote debugging of code on external servers.*

• Local debugging of code on integrated WEB server or PHP CGI module.

• Supports debug sessions

• Advanced PHP profiler

• The PhpED profiler shows the execution time for each line, function or module of the code with tenth-of-a-millisecond precision. You can locate all the bottlenecks quickly and efficiently. The profiler saves all the timings across multiple sessions so you can compare them and evaluate your improvements.

Project and File Management
• Quick deployment. Once publishing is set up according to your needs, you can upload your PHP projects with a single click!

• Project-wide code explorer in PhpED IDE shows all php classes, methods, properties, functions and variables in every detail and facilitates object-oriented programming.

• Secure deployment. Support for SFTP*, FTPS (TLS/SSL*) and WebDAV/HTTPS (SSL*) protocols make deployment and data transfer secure now.

• Publishing filters. The user can exclude and include files and directories for publishing, thus saving time and traffic.

• Enhanced integration.* Integrate PhpED IDE with 3rd party tools like Tortoise SVN or Tortoise CVS.

• Terminal connections (Telnet and SSH) are supported. Perform your remote administration tasks from within PhpED *

• Embedded tools for more effective coding, editing and code management. PhpED IDE includes a number of pre-configured tools like PHP documentor, HTML Tidy, Code Formatter, Html Validator and CVS client. *

Database client
• SQLite, MySQL, MSSQL, Oracle, UltraSQL/PostgreSQL and InterBase support

Quick access to multiple types of databases through a GUI tool boosts your productivity. Browse the tables, drag and drop fields, table names, views, stored procedures, triggers etc. and run any SQL statement to manipulate the data and the metadata stored in the database – all without leaving the IDE.

• DB form wizard enables easy creation of database forms

Running abilities
• The built-in SRV web server allows you to run PHP scripts locally, independently of your web server.

• All browsers installed on your system are supported. Choose your default browser or specify the desired browser for the run.

• Launch box allows saving and applying different run parameters (browser, run parameters, variables, etc)

• Run history for Run and Run-in-debugger for easy run tracking

NuSOAP Wizard
• Easily generate PHP script for calling SOAP services using NuSOAP script library.

About the author
Reynold Lariza is a Junior Developer at SimpleSoft Inc. Reynold is a very active member of PHPUGPH and has contributed a lot to the organization. His website can be found at http://reynoldlariza.com

Some of his recent works are:
http://www.firstorient.com.ph

http://ctpl.com.ph

http://www.sarisaristore.com

The 7 Habits for Exceptional Performance


January 7, 2008

Source

In July 2007 I took over the reins from Steve Souders (my former boss, performance co-hort, and someone I greatly respect) as manager of Yahoo!’s Exceptional Performance team. I was humbled and excited about the opportunity to lead Yahoo!’s now worldwide effort on accelerating the user experience and making our products faster, better, and more efficient.

Improvements in web site performance are similar to improvements in energy or fuel efficiency. We make good progress, yet we continue to consume more, which reverses the results of our improvements. The net effect is that optimizing performance is an on-going battle. To ring in the New Year, the Exceptional Performance team would like to share our 7 Habits for Exceptional Performance:

1. LOFNO – Look out for number one, that is, your users. Be an advocate for your users. You do control the user experience, so don’t settle for excuses and don’t make excuses. A lot of people shift the blame towards things they don’t control. The truth is that even if it’s slow ads or the framework that’s slowing down your site, chances are there are still things you can do personally to optimize performance for your users. Has every image been optimized? Have you evaluated whether users really use that feature you pushed so hard for? Did you run YSlow? Have you set the right tone and leadership so that others know performance is a top priority for your product? Focus on what you can do, not what you can’t do. Leave no stone unturned.

2. Harvest the low hanging fruit – Find the optimizations that give you the biggest bang for your buck. If your web site has many pages, prioritize the pages. Look first at pages with higher traffic since those are the ones your users visit most. Identify strategic pages, ones that are important for the business. Create a list of performance optimizations and then prioritize that list starting with what will improve performance most. Then prioritize the same list again based on how much effort is required. Remember that removing just one image can often improve the user’s perceived response time by as much as an entire rewrite of the backend. Implement the Rules for High Performance Web Sites (aka YSlow Rules). These rules were identified at Yahoo! as the low hanging fruit for making web sites faster without compromising design or features.

3. Balance features with speed – Exceptional performance is a cross-team discipline. Our performance golden rule tells us that 80-90% of the time a user waits for a page to load is spent on the front-end. This makes the decision about what goes into the product (design, features, etc.) a major chunk of the time a user spends waiting for the components (images, JavaScript, CSS, etc.) to come down the wire. Think Yin and Yang, a constant flux of alternating forces. Designers add visually appealing elements. Product managers add functionally rich features. Engineers add flexible frameworks. All this equates to more time a user waits for your page to load. Remove images, eliminate features, compress components – all that equates to less time a user waits. Faster response time reduces site abandonment and increases usability. Less abandonment and better usability increase page views. And hey, you’ll also have a happier, less frustrated user.

4. Start early and make performance part of the process – Don’t wait until right before your product is about to be launched to discover that your product performs badly. By then, it’ll be too late. Incorporate performance into the product roadmap at design time and requirements gathering. Make performance part of the process early in the development cycle. Run performance tests at every major milestone. Every feature has a performance cost associated with it. Develop a test methodology and measure that cost. If your website requires a login, profile your most-valued users and create test accounts with the features you anticipate them to use. If your most-valued users are on dialup or broadband bandwidth speeds, make sure you run performance tests over these types of bandwidth speeds.

5. Quantify and track results – Let’s face it, we all want recognition for good work. There are lots of things we can do to improve the user’s experience. It’s more rewarding when we can quantify those optimizations. Have a portfolio of tools. Quantify performance so that it matches the experience of your users. Understand the differences between the various methodologies and tools your organization uses. If you don’t see an improvement after implementing an optimization, it could be a bad measurement methodology. There are many tools out there and different tools can show you different results. Make sure you are comparing apples to apples. Each tool has its differences, but together they can provide you a complete picture of how your product performs.

6. Set targets – Once you’ve established a methodology to quantify results, set and agree upon a target. Look at your competitors to help you determine a target. Better yet, look at the performance of pages where your users came from. From a quantitative perspective, two pages might take the same amount of time to load but qualitative research has shown us that users’ perception can vary depending on the performance of pages that load right before. Aim high and set a winning target for you, your team, and more importantly, your users.

7. Ask questions and challenge answers – Even smart people make assumptions or repeat incorrect statements. The best thing you can do is ask lots of questions, challenge answers, and if you have time verify the answers yourself. There’s no such thing as a bad question, but there are bad answers. Ask questions that give you the high-level overview. Ask questions that allow you to probe beneath the surface. Where did the information come from? How old is the data? What method was used to obtain the data? What alternative methods were considered and why weren’t they chosen? What assumptions were made? What were the drawbacks to an approach? If there was more time, what else might you have tried? Ask questions before hastily drawing a conclusion.

8. (Bonus) Run YSlow. YSlow analyzes web pages and tells you why they’re slow. Download it today and run YSlow on all the pages you visit!

Happy Optimizing and Happy New Year!

[Tenni Theurer is a Product Optimization Manager and manages Yahoo!’s Exceptional Performance team. Tenni has spoken at several conferences including Web 2.0 Exp, The Ajax Experience, The Rich Web Experience, AJAXWorld, BlogHer, and CSDN-DrDobbs. She also blogs regularly on Yahoo! Developer Network and Yahoo! User Interface Blog.]

Rails Is A Ghetto

http://www.zedshaw.com/rants/rails_is_a_ghetto.html

Excerpt:

I’ll never be afraid of some pilsner fresh fat fuck who eats donut hamburgers and only gets exercise when he plays World of Warcraft on a DDR pad…

This is exactly what makes Rails a ghetto. A bunch of half-trained former PHP morons who never bother to sit down and really learn the computer science they were too good to study in college. BTW, this is true about Kevin as he’s an English major or something stupid (and it shows).

–aj

40 Tips for optimizing your PHP Code

Original Content Source:
http://reinholdweber.com/?p=3

  1. If a method can be static, declare it static. Speed improvement is by a factor of 4.
  2. echo is faster than print.
  3. Use echo’s multiple parameters instead of string concatenation.
  4. Set the maxvalue for your for-loops before and not in the loop.
  5. Unset your variables to free memory, especially large arrays.
  6. Avoid magic like __get, __set, __autoload
  7. require_once() is expensive
  8. Use full paths in includes and requires, less time spent on resolving the OS paths.
  9. If you need to find out the time when the script started executing, $_SERVER['REQUEST_TIME'] is preferred to time()
  10. See if you can use strncasecmp, strpbrk and stripos instead of regex
  11. str_replace is faster than preg_replace, but strtr is faster than str_replace by a factor of 4
  12. If the function, such as string replacement function, accepts both arrays and single characters as arguments, and if your argument list is not too long, consider writing a few redundant replacement statements, passing one character at a time, instead of one line of code that accepts arrays as search and replace arguments.
  13. It’s better to use select statements than multi if, else if, statements.
  14. Error suppression with @ is very slow.
  15. Turn on apache’s mod_deflate
  16. Close your database connections when you’re done with them
  17. $row['id'] is 7 times faster than $row[id]
  18. Error messages are expensive
  19. Do not use functions inside a for loop condition, such as for ($x=0; $x < count($array); $x++): the count() function gets called each time.
  20. Incrementing a local variable in a method is the fastest. Nearly the same as calling a local variable in a function.
  21. Incrementing a global variable is 2 times slower than a local var.
  22. Incrementing an object property (eg. $this->prop++) is 3 times slower than a local variable.
  23. Incrementing an undefined local variable is 9-10 times slower than a pre-initialized one.
  24. Just declaring a global variable without using it in a function also slows things down (by about the same amount as incrementing a local var). PHP probably does a check to see if the global exists.
  25. Method invocation appears to be independent of the number of methods defined in the class because I added 10 more methods to the test class (before and after the test method) with no change in performance.
  26. Methods in derived classes run faster than ones defined in the base class.
  27. A function call with one parameter and an empty function body takes about the same time as doing 7-8 $localvar++ operations. A similar method call is of course about 15 $localvar++ operations.
  28. Surrounding your string with ' instead of " will make things interpret a little faster since PHP looks for variables inside "…" but not inside '…'. Of course you can only do this when you don’t need to have variables in the string.
  29. When echoing strings it’s faster to separate them by comma instead of dot. Note: This only works with echo, which is a function that can take several strings as arguments.
  30. A PHP script will be served at least 2-10 times slower than a static HTML page by Apache. Try to use more static HTML pages and fewer scripts.
  31. Your PHP scripts are recompiled every time unless the scripts are cached. Install a PHP caching product to typically increase performance by 25-100% by removing compile times.
  32. Cache as much as possible. Use memcached – memcached is a high-performance memory object caching system intended to speed up dynamic web applications by alleviating database load. OP code caches are useful so that your script does not have to be compiled on every request
  33. When working with strings and you need to check that the string is of a certain length, you’d understandably want to use the strlen() function. This function is pretty quick since its operation does not perform any calculation but merely returns the already known length of a string available in the zval structure (internal C struct used to store variables in PHP). However, because strlen() is a function it is still somewhat slow, because the function call requires several operations such as lowercase & hashtable lookup followed by the execution of said function. In some instances you can improve the speed of your code by using an isset() trick.

    Ex.

    if (strlen($foo) < 5) { echo "Foo is too short"; }

    vs.

    if (!isset($foo[4])) { echo "Foo is too short"; }

    Calling isset() happens to be faster than strlen() because, unlike strlen(), isset() is a language construct and not a function, meaning that its execution does not require function lookups and lowercase. This means you have virtually no overhead on top of the actual code that determines the string’s length.

  34. When incrementing or decrementing the value of a variable, $i++ happens to be a tad slower than ++$i. This is something PHP specific and does not apply to other languages, so don’t go modifying your C or Java code thinking it’ll suddenly become faster; it won’t. ++$i happens to be faster in PHP because instead of the 4 opcodes used for $i++ you only need 3. Post-incrementation actually causes the creation of a temporary var that is then incremented, while pre-incrementation increases the original value directly. This is one of the optimizations that opcode optimizers like Zend’s PHP optimizer perform. It is still a good idea to keep in mind since not all opcode optimizers perform this optimization and there are plenty of ISPs and servers running without an opcode optimizer.
  35. Not everything has to be OOP, often it is too much overhead, each method and object call consumes a lot of memory.
  36. Do not implement every data structure as a class, arrays are useful, too
  37. Don’t split methods too much, think, which code you will really re-use
  38. You can always split the code of a method later, when needed
  39. Make use of the countless predefined functions
  40. If you have very time consuming functions in your code, consider writing them as C extensions
  41. Profile your code. A profiler shows you which parts of your code consume how much time. The Xdebug debugger already contains a profiler. Profiling shows you the bottlenecks in overview.
  42. mod_gzip which is available as an Apache module compresses your data on the fly and can reduce the data to transfer up to 80%
  43. Excellent Article about optimizing php by John Lim
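Several of the tips above quote speed ratios without showing how to measure them. As an added example (not from reinholdweber.com or this post), here is a small harness that times tips 19, 33 and 34 on your own PHP build and checks that the isset() offset trick really matches strlen(): strlen($s) < 5 corresponds to !isset($s[4]), offset n-1 for length n. The input sizes and sample strings are constructed.

```php
<?php
// Added example, not from reinholdweber.com or this post: a harness that measures
// tips 19, 33 and 34 on your own PHP build instead of taking the quoted ratios on
// trust, and checks that the isset() trick really matches strlen(). Timings depend
// on the PHP version and opcode optimizer, so re-run them rather than quote them.

// Best-of-N wall-clock time in milliseconds for one closure.
function bench(callable $fn, int $reps = 5): float
{
    $best = PHP_FLOAT_MAX;
    for ($r = 0; $r < $reps; $r++) {
        $t = hrtime(true);
        $fn();
        $best = min($best, (hrtime(true) - $t) / 1e6);
    }
    return $best;
}

// Tip 19: count() re-evaluated on every iteration versus hoisted out of the loop.
function sum_count_in_loop(array $a): int
{
    $n = 0;
    for ($i = 0; $i < count($a); $i++) { $n += $a[$i]; }
    return $n;
}
function sum_hoisted(array $a): int
{
    $n = 0;
    $len = count($a);
    for ($i = 0; $i < $len; $i++) { $n += $a[$i]; }
    return $n;
}

// Tip 33: "shorter than 5" with strlen() versus the isset() offset trick.
// strlen($s) < 5 is !isset($s[4]) (offset n-1 for length n); both count bytes.
function isset_trick_matches_strlen(): bool
{
    // constructed edge cases: empty, 4 bytes, exactly 5, 6, and 4 bytes of UTF-8
    foreach (['', 'abcd', 'abcde', 'abcdef', "\xC3\xA9\xC3\xA9"] as $s) {
        if ((strlen($s) < 5) !== !isset($s[4])) { return false; }
    }
    return true;
}

// Tip 34: post-increment versus pre-increment of a local variable.
function inc_post(int $n): int { $i = 0; for ($k = 0; $k < $n; $k++) { $i++; } return $i; }
function inc_pre(int $n): int  { $i = 0; for ($k = 0; $k < $n; $k++) { ++$i; } return $i; }

function run_all(): array
{
    $arr = range(1, 200000);
    $str = 'abcdef';
    $n   = 1000000;
    return [
        'tip19 count() in loop' => bench(fn() => sum_count_in_loop($arr)),
        'tip19 hoisted count()' => bench(fn() => sum_hoisted($arr)),
        'tip33 strlen()'        => bench(function () use ($str, $n) { for ($k = 0; $k < $n; $k++) { $b = strlen($str) < 5; } }),
        'tip33 isset()'         => bench(function () use ($str, $n) { for ($k = 0; $k < $n; $k++) { $b = !isset($str[4]); } }),
        'tip34 $i++'            => bench(fn() => inc_post($n)),
        'tip34 ++$i'            => bench(fn() => inc_pre($n)),
    ];
}

echo 'isset trick matches strlen: ', isset_trick_matches_strlen() ? 'yes' : 'no', "\n";
foreach (run_all() as $label => $ms) {
    printf("%-24s %8.2f ms\n", $label, $ms);
}
```

Run it with and without an opcode cache (tip 31) to see which of these differences survive optimization on your setup.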