Scrawlr: Crawls your website for SQL Injection

Scrawlr, short for SQL Injector and Crawler, will crawl your website and analyze the parameters of each individual page for SQL injection vulnerabilities. It is a very useful tool for small to medium sized websites. It is free, but limited to crawling the first 1,500 pages.

From HP's website:

Technical details for Scrawlr

  • Identify Verbose SQL Injection vulnerabilities in URL parameters
  • Can be configured to use a Proxy to access the web site
  • Will identify the type of SQL server in use
  • Will extract table names (verbose only) to guarantee no false positives

Scrawlr does have some limitations versus our professional solutions and our fully functional SQL Injector tool:

  • Will only crawl up to 1500 pages
  • Does not support sites requiring authentication
  • Does not perform Blind SQL injection
  • Cannot retrieve database contents
  • Does not support JavaScript or flash parsing
  • Will not test forms for SQL Injection (POST Parameters)
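To make "verbose" concrete, here is an added example (not part of aj's post, and not HP's code) of the kind of check a tool like Scrawlr performs on URL parameters: append a quote to each GET parameter, fetch the page, and match the response against database error signatures. A match both flags the injectable parameter and identifies the backend, which is how a verbose scanner names the SQL server in use. The site it runs against is constructed inline so the script runs offline; the host name, paths and error text are made up for the demonstration. The second page shows why "verbose only" matters: the same injection with errors suppressed is invisible to this check, which is the blind case Scrawlr does not cover.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Error strings that databases emit when a broken query reaches them and the
# application echoes the error back. Seeing one of these after injecting a
# probe is what a "verbose" check relies on; it also identifies the backend.
DB_ERROR_SIGNATURES = {
    "MySQL": [
        r"You have an error in your SQL syntax",
        r"supplied argument is not a valid MySQL",
        r"mysql_fetch_(array|assoc|row)\(\)",
    ],
    "Microsoft SQL Server": [
        r"Unclosed quotation mark",
        r"Microsoft OLE DB Provider for SQL Server",
    ],
    "PostgreSQL": [
        r"pg_query\(\)",
        r"unterminated quoted string",
    ],
    "Oracle": [r"ORA-\d{5}"],
}

PROBE = "'"  # a stray quote breaks an unescaped string literal in the query


def inject_param(url, name, payload):
    """Return url with `payload` appended to the value of query parameter `name`."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    mutated = [(k, v + payload if k == name else v) for k, v in params]
    return urlunsplit(parts._replace(query=urlencode(mutated)))


def fingerprint(body):
    """Return the database whose error signature appears in `body`, else None."""
    for db, patterns in DB_ERROR_SIGNATURES.items():
        if any(re.search(p, body, re.IGNORECASE) for p in patterns):
            return db
    return None


def probe_url(url, fetch):
    """Test every GET parameter of `url`; `fetch(url)` returns a response body.

    Returns a list of (parameter, database) findings. A finding requires that
    the baseline response is clean and the mutated one carries an error, so a
    page that always shows some old error text is not reported.
    """
    baseline_db = fingerprint(fetch(url))
    findings = []
    for name, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        db = fingerprint(fetch(inject_param(url, name, PROBE)))
        if db is not None and baseline_db is None:
            findings.append((name, db))
    return findings


# Constructed stand-in for a web site so the probe runs offline. Both pages
# are assumed to build the same injectable query, but only product.php
# echoes the database error; search.php suppresses it (the blind case).
def fake_fetch(url):
    parts = urlsplit(url)
    q = dict(parse_qsl(parts.query, keep_blank_values=True))
    if parts.path == "/product.php":
        if "'" in q.get("id", ""):
            return ("<b>Warning</b>: mysql_fetch_array(): supplied argument is "
                    "not a valid MySQL result resource in /var/www/product.php")
        return "<h1>Product %s</h1>" % q.get("id", "")
    if parts.path == "/search.php":
        # errors suppressed: same injection, nothing for a verbose check to see
        return "<p>No results.</p>"
    return "<p>Not found.</p>"


if __name__ == "__main__":
    print(probe_url("http://shop.example/product.php?id=7&cat=3", fake_fetch))
    print(probe_url("http://shop.example/search.php?q=shoes", fake_fetch))
```

Real scanners send several probes (a single quote, a double quote, a quote followed by a comment sequence, numeric arithmetic) and diff the mutated response against the baseline rather than relying on a fixed signature list, but the error-signature approach shown here is the core of a verbose check, and it says nothing about a page that swallows its errors.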

It’s worth trying out.

–aj

Mailing List Registration in CodeIgniter : Part 1

Greetings! 

As you are probably already aware, website owners have some responsibilities when sending out news updates. You cannot just send email news to anyone, or it will be tagged as spam (and you don't want that to happen). That's why you have to make your website enticing enough that your target audience volunteers to sign up to your mailing list. So, assuming your audience is enticed and wants to sign up to your mailing list (if it exists), your next step is to create a mailing list system. The goal of this tutorial is to help you learn how to create a Mailing List Registration System using PHP, MySQL and the CodeIgniter MVC framework. The tutorial is divided into parts so you have time to digest each one.

Since this is the first time I am posting on this blog site, I will not keep you waiting ages until I figure out how to format all the notes and transfer them here. So what I’m gonna do now is point you to the existing tutorial, which I will eventually copy here in the coming days.  

You can check out Part 1 of the tutorial by following this link.

The 7 Habits for Exceptional Performance

January 7, 2008

Source

In July 2007 I took over the reins from Steve Souders (my former boss, performance co-hort, and someone I greatly respect) as manager of Yahoo!’s Exceptional Performance team. I was humbled and excited about the opportunity to lead Yahoo!’s now worldwide effort on accelerating the user experience and making our products faster, better, and more efficient.

Improvements in web site performance are similar to improvements in energy or fuel efficiency. We make good progress yet we continue to consume more, which reverses the results of our improvements. The net effect is that optimizing performance is an on-going battle. To ring in the New Year, the Exceptional Performance team would like to share our 7 Habits for Exceptional Performance:

1. LOFNO – Look out for number one, that is, your users. Be an advocate for your users. You do control the user experience, so don’t settle for excuses and don’t make excuses. A lot of people shift the blame towards things they don’t control. The truth is that even if it’s slow ads or the framework that’s slowing down your site, chances are there are still things you can do personally to optimize performance for your users. Has every image been optimized? Have you evaluated whether users really use that feature you pushed so hard for? Did you run YSlow? Have you set the right tone and leadership so that others know performance is a top priority for your product? Focus on what you can do, not what you can’t do. Leave no stone unturned.

2. Harvest the low hanging fruit – Find the optimizations that give you the biggest bang for your buck. If your web site has many pages, prioritize the pages. Look first at pages with higher traffic since those are the ones your users visit most. Identify strategic pages, ones that are important for the business. Create a list of performance optimizations and then prioritize that list starting with what will improve performance most. Then prioritize the same list again based on how much effort is required. Remember that removing just one image can often improve the user’s perceived response time by as much as an entire rewrite of the backend. Implement the Rules for High Performance Web Sites (aka YSlow Rules). These rules were identified at Yahoo! as the low hanging fruit for making web sites faster without compromising design or features.

3. Balance features with speed – Exceptional performance is a cross-team discipline. Our performance golden rule tells us that 80-90% of the time a user waits for a page to load is spent on the front-end. This makes the decision about what goes into the product (design, features, etc.) a major chunk of the time a user spends waiting for the components (images, JavaScript, CSS, etc.) to come down the wire. Think Yin and Yang, a constant flux of alternating forces. Designers add visually appealing elements. Product managers add functionally rich features. Engineers add flexible frameworks. All this equates to more time a user waits for your page to load. Remove images, eliminate features, compress components – all that equates to less time a user waits. Faster response time reduces site abandonment and increases usability. Less abandonment and better usability increases page views. And hey, you'll also have a happier, less frustrated user.

4. Start early and make performance part of the process – Don’t wait until right before your product is about to be launched to discover that your product performs badly. By then, it’ll be too late. Incorporate performance into the product roadmap at design time and requirements gathering. Make performance part of the process early in the development cycle. Run performance tests at every major milestone. Every feature has a performance cost associated with it. Develop a test methodology and measure that cost. If your website requires a login, profile your most-valued users and create test accounts with the features you anticipate them to use. If your most-valued users are on dialup or broadband bandwidth speeds, make sure you run performance tests over these types of bandwidth speeds.

5. Quantify and track results – Let’s face it, we all want recognition for good work. There are lots of things we can do to improve the user’s experience. It’s more rewarding when we can quantify those optimizations. Have a portfolio of tools. Quantify performance so that it matches the experience of your users. Understand the differences between the various methodologies and tools your organization uses. If you don’t see an improvement after implementing an optimization, it could be a bad measurement methodology. There are many tools out there and different tools can show you different results. Make sure you are comparing apples to apples. Each tool has its differences, but together they can provide you a complete picture of how your product performs.

6. Set targets – Once you’ve established a methodology to quantify results, set and agree upon a target. Look at your competitors to help you determine a target. Better yet, look at the performance of pages where your users came from. From a quantitative perspective, two pages might take the same amount of time to load but qualitative research has shown us that users’ perception can vary depending on the performance of pages that load right before. Aim high and set a winning target for you, your team, and more importantly, your users.

7. Ask questions and challenge answers – Even smart people make assumptions or repeat incorrect statements. The best thing you can do is ask lots of questions, challenge answers, and if you have time verify the answers yourself. There’s no such thing as a bad question, but there are bad answers. Ask questions that give you the high-level overview. Ask questions that allow you to probe beneath the surface. Where did the information come from? How old is the data? What method was used to obtain the data? What alternative methods were considered and why weren’t they chosen? What assumptions were made? What were the drawbacks to an approach? If there was more time, what else might you have tried? Ask questions before hastily drawing a conclusion.

8. (Bonus) Run YSlow – YSlow analyzes web pages and tells you why they're slow. Download today and run YSlow on all the pages you visit!

Happy Optimizing and Happy New Year!

[Tenni Theurer is a Product Optimization Manager and manages Yahoo!’s Exceptional Performance team. Tenni has spoken at several conferences including Web 2.0 Exp, The Ajax Experience, The Rich Web Experience, AJAXWorld, BlogHer, and CSDN-DrDobbs. She also blogs regularly on Yahoo! Developer Network and Yahoo! User Interface Blog.]

HowTo: Eclipse 3.2 + PHPEclipse + Subclipse in Ubuntu Feisty Fawn

This HowTo is for those who would like to participate in the upcoming PHPUGPH PMS Project. It's just a HowTo to help anyone who wants to try Eclipse with PHPEclipse and Subclipse.

Install Eclipse

1. Open your terminal.

sudo apt-get install eclipse

2. Install Sun JRE:

sudo aptitude install sun-java6-jre sun-java6-plugin sun-java6-bin sun-java6-fonts

3. Make Sun’s JVM default:

sudo update-alternatives --config java

4. Choose the line that says:

/usr/lib/jvm/java-6-sun/jre/bin/java

5. Edit the JVM Configuration file:

gksudo gedit /etc/jvm

# This file defines the default system JVM search order. Each
# JVM should list their JAVA_HOME compatible directory in this file.
# The default system JVM is the first one available from top to
# bottom.

/usr/lib/jvm/java-6-sun
/usr/lib/jvm/java-gcj
/usr/lib/jvm/ia32-java-1.5.0-sun
/usr/lib/jvm/java-1.5.0-sun
/usr

6. Next, we need to tell Eclipse to use this JVM as well. This can be done at system level or at user level. System level:

gksudo gedit /etc/eclipse/java_home

# This file determines the search order the Eclipse Platform uses to find a
# compatible JAVA_HOME. This setting may be overridden on a per-user basis by
# altering the JAVA_HOME setting in ~/.eclipse/eclipserc.

/usr/lib/jvm/java-6-sun
/usr/lib/jvm/java-gcj
/usr/lib/kaffe/pthreads
/usr/lib/jvm/java-1.5.0-sun
/usr/lib/j2se/1.5
/usr/lib/j2se/1.4
/usr/lib/j2sdk1.5-ibm
/usr/lib/j2sdk1.4-ibm
/usr/lib/j2sdk1.5-sun
/usr/lib/j2sdk1.4-sun

7. Or, for a single user only, set JAVA_HOME in the per-user file (it overrides the system search order above):

gedit ~/.eclipse/eclipserc

JAVA_HOME=/usr/lib/jvm/java-6-sun/

Install PHPEclipse

An automated installation of PHPEclipse is available via the Eclipse Update Manager.

1. Click on Help->Software Updates->Find/Install from file menu in Eclipse.
2. Select the radio button labeled, “search for new features to install”.
3. Click on the “New Remote Site” button.
4. Enter the name PHPEclipse, and the URL: http://phpeclipse.sourceforge.net/update/releases

Name: PHPEclipse
URL: http://phpeclipse.sourceforge.net/update/releases

5. Click on “Finish”.
6. A list of features will be presented, open the list and check the one labeled “phpeclipse”.
7. Click on “Next”
8. Follow the onscreen instructions to finish the automatic install.

Install Subclipse in Eclipse 3.x

1. Begin the installation from the Eclipse Help menu item.
2. The first screen that comes up has the radio button set to update existing features; change it to indicate that this is a new install.
3. This screen will vary depending on the features you have installed already. You want to click on the New Remote Site button. If you are behind a proxy and the Eclipse install mechanism does not work, then you can download a zipped version of the update site and then click the New Local Site button instead.
4. The New Remote Site dialog, filled in with the correct information to install Subclipse:

Name: Subclipse 1.2.x (Eclipse 3.2+)
URL: http://subclipse.tigris.org/update_1.2.x

5. When you first come back to this screen, the site you added will NOT be selected. Be sure to select it before clicking Next.

NOTE:
If the installation stalls while the update site is being checked, try unchecking all the Mylar (Mylyn) options.

6. This next screen shows all of the features that are available to install.
7. Click the button to accept the license agreement.
8. Confirm the install location
9. There is an Eclipse preference to turn off this next dialog, which warns that the feature is not signed. I have never seen a signed feature. Not even Eclipse.org nor IBM sign their features. That dialog is the only integrity check in this whole procedure: both update sites above are plain http URLs, so what gets installed is whatever the network delivers, and it then runs with your user's privileges. Leave the warning enabled and read it each time rather than silencing it in the preferences.
10. A dialog box of the in-process installation.
11. Eclipse needs to be restarted after installing Subclipse.
12. Finally, after restarting Eclipse, the first thing you will typically want to do is open the Subclipse Repository perspective where you can define your repositories. Be sure to also check the online help as well as the Subclipse preferences located under Team -> SVN.

Eclipse Mylyn, formerly known as Mylar, is a task-focused UI that reduces information overload and makes multi-tasking easy. It does this by making tasks a first class part of Eclipse, and integrating rich and offline editing for repositories such as Bugzilla, Trac, and JIRA. Once your tasks are integrated, Mylyn monitors your work activity to identify information relevant to the task at hand, and uses this task context to focus the Eclipse UI on the interesting information, hide the uninteresting, and automatically find what's related. This puts the information you need to get work done at your fingertips and improves productivity by reducing searching, scrolling, and navigation. By making task context explicit Mylyn also facilitates multitasking, planning, reusing past efforts, and sharing expertise.

On Frameworks: The Glue VS The Stack

During my daily routine of reading news about what is happening in the world of PHP, I found an interesting read about frameworks. I'd like to share it with you guys, because we will be dealing with frameworks soon: some of us at PHPUGPH.COM are trying to collaborate on open source projects to help each other become better developers. Okay, now for the glue and the stack explanation.

A glue framework provides you with a bunch of components that you can use together, but don’t necessarily have to. Zend Framework is a PHP glue framework, as it comes with all these cool components that you can pick and choose depending on what you need done. You’re not forced to use them, and this appeals to certain programmers who have fallen in love with their own quirky set of libraries and methodologies.

A full stack framework gives you everything you need to create your web app, and pretty much forces you to use it. CakePHP is a full-stack framework. It has a bunch of conventions, and you must follow them or die. Okay, maybe you won’t die but your application will never work properly if you don’t understand the conventions.

Overall this should help us decide what kind of framework is applicable to a given project.

Well that’s it for my first post here. \m/(^o^)
You can read the whole article here.