Archive for the ‘Online Security’ Category

www and non-www domains - problems and solutions

Thursday, May 3rd, 2007

I was developing a website on my test server, which both myself and my client accessed through the client.jeffkee.com subdomain. Throughout development there were a lot of AJAX modules to be put in, and those AJAX modules should not be open to abuse.

Basically, the best way to check is to use the $_SERVER['HTTP_REFERER'] variable and write an if() statement to ensure that the server-side PHP file behind the AJAX module was called by a page on my own server (keep in mind that the Referer header is sent by the browser, so it may be missing or forged; it is a weak control rather than real authentication). The $sitepath variable was set to http://client.jeffkee.com/ for match verification.

Once it was moved to the real server, www.clientserver.com (hypothetically, let’s say that was the domain), this caused some problems. Some clients accessed the site without the www. in front. That means that http://clientserver.com will NOT match the $sitepath variable (which was now set to http://www.clientserver.com/). The options to fix this were the following, and as you can imagine, out of the 3 options I skimmed through in my head over a minute or so, the 3rd one was the charm.

  1. Make an alternate $sitepath variable. Make $sitepath2 = http://clientserver.com, and write the if() statement with || (which means “or” in PHP) so that either one can satisfy the security check. The problem with this method is, obviously, that it’s time consuming. I had a few AJAX modules, and to change them all would be a hassle, and when adding a new AJAX module I would always have to remember to add the alternate variable to the if() statement.
  2. All the internal links should be re-written with the $sitepath variable put in, so that as soon as you move to another page the link goes to http://www.clientserver.com/

    Once again, very time consuming, probably worse than the above option. Also, if one of the AJAX-employing pages were bookmarked on the client’s side without the www., it would still not work.

  3. Use an .htaccess file to rewrite the URL automatically for any file in that location so that it carries the www. prefix.

    This method was the obvious winner. It only took 6 lines of code, not to mention it did not require me to modify any of my other files whatsoever.

Here’s how this works.

The .htaccess method ONLY works on Apache servers. If you’re on a Windows server, this tutorial won’t help you.

Options +FollowSymLinks
RewriteEngine on
# Match requests whose Host header is the bare domain (NC = case-insensitive); the browser never puts "http://" in the Host header, so this one condition covers both ways of typing the address
RewriteCond %{HTTP_HOST} ^clientserver\.com$ [NC]
# Send a permanent (301) redirect to the www. host, keeping the requested path and query string
RewriteRule ^ http://www.clientserver.com%{REQUEST_URI} [L,R=301]

I’m going to be honest with you, I don’t know what all the lines mean, and all I know is that it works. This way, whether the website is typed in as clientserver.com in the URL field or http://clientserver.com, it will automatically re-route via a 301 redirection to http://www.clientserver.com.

Of course, if you want to use this code, you should change the clientserver to whatever server you are working on. Oh, and the .htaccess file should be placed in the folder where you want this to apply, and it will automatically apply to all sub-folders as well!
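As an added illustration (not code from the original post), here is the Referer check the post describes and a Python model of what the .htaccess rule does for a single request; the domain and $sitepath values are the post’s hypothetical ones, and the stricter hostname-only comparison at the end goes beyond the post.

```python
import re
from urllib.parse import urlsplit

# Constructed values standing in for the post's $sitepath and the domain it uses
SITEPATH = "http://www.clientserver.com/"
BARE_HOST = "clientserver.com"


def referer_matches_sitepath(referer, sitepath=SITEPATH):
    """The check the post describes: the AJAX handler is accepted only when the
    Referer URL starts with the canonical $sitepath (a literal prefix match)."""
    return referer is not None and referer.startswith(sitepath)


def canonical_redirect(host, request_uri, bare_host=BARE_HOST):
    """Model of what the .htaccess rule does for one request. If the Host header
    is the bare domain (case-insensitive, like the [NC] flag), return the Location
    of a 301 redirect to the www. host with the requested path (and query) kept;
    otherwise return None and let the request through untouched."""
    if re.fullmatch(re.escape(bare_host), host, re.IGNORECASE):
        return "http://www." + bare_host + request_uri
    return None


def referer_host_allowed(referer, allowed_hosts=("www." + BARE_HOST,)):
    """Stricter variant added here (not in the post): parse the Referer and
    compare only its hostname, so the path and query cannot affect the result.
    It is still only as trustworthy as the browser that sent the header, since
    a Referer can be stripped or forged on the client side."""
    if not referer:
        return False
    host = urlsplit(referer).hostname
    return host is not None and host.lower() in allowed_hosts
```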


An Email From Koffi Anan - How stupid is that???

Wednesday, April 4th, 2007

I found Jeremy’s blog by random chance (he replied to a post on another blog which linked back to my post about iFags, which I found when searching for myself on Google), and his most recent post caught my attention for sure.

He got an email from Koffi Anan, the ex-Secretary-General of the United Nations.

It made me completely speechless - the stupidity behind this is simply awe-striking. Who would have thought?


MD5 My Passwords, for f*ck’s sake

Wednesday, March 21st, 2007

First of all, if you do not know what the MD5 hash concept is, read this description I found on the Wikipedia page for MD5:

MD5 processes a variable-length message into a fixed-length output of 128 bits. The input message is broken up into chunks of 512-bit blocks; the message is padded so that its length is divisible by 512. The padding works as follows: first a single bit, 1, is appended to the end of the message. This is followed by as many zeros as are required to bring the length of the message up to 64 bits fewer than a multiple of 512. The remaining bits are filled up with a 64-bit integer representing the length of the original message.

The main MD5 algorithm operates on a 128-bit state, divided into four 32-bit words, denoted A, B, C and D. These are initialized to certain fixed constants. The main algorithm then operates on each 512-bit message block in turn, each block modifying the state. The processing of a message block consists of four similar stages, termed rounds; each round is composed of 16 similar operations based on a non-linear function F, modular addition, and left rotation. Figure 1 illustrates one operation within a round. There are four possible functions F; a different one is used in each round:

So, MD5 basically is a hashing algorithm that turns a regular string into a long garble of characters. For example, here’s what MD5 will do for you:

The 128-bit (16-byte) MD5 hashes (also termed message digests) are typically represented as a sequence of 32 hexadecimal digits. The following demonstrates a 43-byte ASCII input and the corresponding MD5 hash:

 MD5("The quick brown fox jumps over the lazy dog")
  = 9e107d9d372bb6826bd81d3542a419d6

Even a small change in the message will (with overwhelming probability) result in a completely different hash, e.g. changing d to c:

 MD5("The quick brown fox jumps over the lazy cog")
  = 1055d3e698d289f2af8663725127bd4b

The hash of the zero-length string is:

 MD5("")
  = d41d8cd98f00b204e9800998ecf8427e

As you can see, MD5 is quite a complicated algorithm that will turn any string into a 32-character hexadecimal string that you cannot recognize. This is commonly used to verify the validity of downloaded files, and ALSO used for website passwords!

When I create a website where people can log in (I’m sure WordPress uses a similar method), the actual password is NOT stored on the server side.

if ($_POST['pwd1'] == $_POST['pwd2'])
{
    // If the two passwords match, process the entry.
    // Escape the username before putting it in the query, and store only the
    // md5'd version of the password, never the password itself.
    $username = mysql_real_escape_string($_POST['username']);
    $insert = "INSERT INTO username (username, pwd) VALUES ('" . $username . "', '" . md5($_POST['pwd1']) . "')";
    mysql_query($insert);
}
else
{
    // Report that the password confirmation did not match
    echo "Your password did not match. Please try again.";
}

That’s how it enters the database. The actual password, that way, is not even visible to the administrator. This is the only way I feel fully secure.

When the login is being verified, a similar process takes place. They don’t compare the passwords themselves; the MD5 sum of the password just entered is compared against the hash already stored in the database.

It bugs me more than ever when I see a registration email coming from a website I just registered to, saying “Hello, your password is xxxxxxx”. This is just wrong. I do not want my password written ANYWHERE in the world. That tells me that the website is not secure, and the web developers obviously did not do their due diligence. What the hell kind of bullsh*t is that? I deleted that email right away and emptied it. My password is often used on different applications with slight twists at the end of it - I can’t have different passwords for all the websites I need to log onto. And if one password is compromised, the next could be my web hosting, my blog, etc.

MD5 hashing of passwords is a common practice that just about any website should employ. Now you ask - what if I lose my password? The passwords should not be given back - it should be reset by the server, and sent back to you. Period.

If you are a rookie web developer, remember this lesson - the website owner should NOT be able to see the password registered by their users, and the password should not be sent back by email in any case. Make it impossible to do so by using the md5 function! And if you are a business owner and you hire web designers to do that stuff - make sure they build your sites that way. If they don’t, fire them, and call me.
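As an added Python illustration (not code from the post), the register / log in / reset flow described above, using plain MD5 exactly as the post does and a dict in place of the MySQL table; modern practice would use a salted, deliberately slow password hash, but the data flow is the same.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stand-in for the post's MySQL table: username -> md5 hex
users = {}


def md5_hex(password):
    """MD5 of the UTF-8 encoded password as 32 hex digits, like PHP's md5()."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def register(username, pwd1, pwd2, db=users):
    """Registration as in the post: the two typed copies must match, and only
    the hash is written to the table, so the plaintext is never stored."""
    if pwd1 != pwd2:
        return False
    db[username] = md5_hex(pwd1)
    return True


def login(username, password, db=users):
    """Login as in the post: hash what the user typed and compare it with the
    stored hash. compare_digest keeps the comparison time independent of where
    the two strings first differ."""
    stored = db.get(username)
    return stored is not None and hmac.compare_digest(stored, md5_hex(password))


def reset_password(username, db=users, length=12):
    """The recovery flow the post asks for: the old password cannot be recovered
    from its hash, so generate a fresh random one, store its hash and return the
    plaintext exactly once so it can be mailed to the user."""
    if username not in db:
        return None
    new_password = secrets.token_urlsafe(length)[:length]
    db[username] = md5_hex(new_password)
    return new_password
```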


Preventing Cache Issues in AJAX calls

Sunday, March 11th, 2007

Tyler, who visited my blog recently, mentioned that he’s having issues with caching when he uses AJAX. Basically, the result returned to the AJAX code by the PHP file (it could just as well be ASP, any other server-side script, or even an HTML file) would often be a repeat of the last call, resulting in wrong output. He figured it was an IE cache issue and was attempting to fix it that way.

However, you must remember that AJAX calls go to the server. The JavaScript file runs on the client side, and it hits the server with either a GET or a POST request. The server-side file responds in a certain way, and then ONLY the result string is sent back in the HTTP response. In this process, the server-side file never has direct contact with or exposure to the client side; only the AJAX code does. Hence, AJAX caching is a server-side issue, not a client-side issue. The server does cache the files sometimes (I don’t know a lot about the behaviour, how often it does it etc., but I know how to prevent it).

In most AJAX calls, the variables are sent this way: serversidefile.php?name=Jeff&phone=604xxxxxxx&gender=male

(more…)


The Facebook Revolution using APIs

Sunday, February 25th, 2007

Maybe this makes me sound like some kind of a Nazi or a communist bastard promoting some crap, but it’s really not. The truth is, whenever a friend of mine joined Facebook and added me as a friend, I’d write on their wall, “Welcome to the Facebook Revolution!” And there is so much truth to that statement.

I already wrote a lengthy post about why the Facebook user interface is so much superior to that of MySpace or Nexopia or any other social community website. And I also wrote a post about the new Facebook Toolbar for Firefox that I installed. Today, I would like to explore a larger aspect of it: the open-source concept that Facebook is promoting through their API. For detailed documentation on the Facebook API system, click here.

(more…)
