Tag: php

How to secure your PHP Web App with a simple Firewall

How to secure your PHP Web App with a simple Firewall

I was trying to find a simple way to secure my PHP Web App when I realized how difficult it could be. Securing it the easy way cost more money than I’m willing to spend, so I decided to build my own solution.

old school firewall

What are your options?

Compiling nginx with ModSecurity isn’t easy, and I don’t think your WAF (Web Application Firewall) should be tied into your web server. If you want to simplify things, you could use Cloudflare or Sucuri, but that can be expensive. While Cloudflare works great and is fast, shouldn’t you have your own WAF? These services do offer more than just a WAF, so be sure to do your own research before committing to any one solution.

Elite Hacker desktop

PHP Web App Firewall

I’m writing my PHP WAF in Go. The criteria I set for this project is fairly simple.

Criteria

  • It needs to be uber fast
  • Handle XSS and SQL Injections
  • Work with Docker

The Journey

Two weeks ago I sketched the idea out on the back of an envelope. If nginx could talk to my Go service, and my Go service could talk to PHP-FPM, then this might be a pretty easy solution. I know that nginx has the proxy_pass config option and that Go can handle HTTP traffic. But how can Go talk to PHP-FPM? I did some research and tried out a few different FastCGI client packages for Go until I found one that suited my needs. Now I have two ends of the stick figured out, but I’ve yet to even think about what happens in the middle.

I ended up finding a Go package that does an excellent job at filtering XSS. I then wrote some middleware for HTTP and used that Go package to filter any requests that contain an XSS attempt.

But what about SQL injection? Well, I found some regular expressions that match common SQL injection and implemented those into my HTTP Request analyzer. If any SQL injection is detected, it kills the request and your PHP Web App never sees it. At the time of writing this, I still need to implement more security measures.

I’ve also built a Docker container that runs this Go app as a service and is pretty easy to set up. While I haven’t used this for anything in production, I have tested it and it was able to handle several thousand requests a second.

Conclusion

This code should actually work with any language that can use FastCGI as a means of communication, but I haven’t tested it. I’m looking for people to help me finish this project since I’m just now learning Go. Please feel free to fork my repo if you can contribute in any way.

github.com/levidurfee/gowafp

Docker Explained for PHP Developers in 2018

Docker Explained for PHP Developers in 2018

This post assumes you have a basic understanding of Docker. But what is a basic knowledge? If you aren’t sure, I suggest you read the Get Started docs, and then you will have a basic understanding of Docker.

I’ve read a few posts on Docker for PHP developers. However, it was the same tutorial on different sites, so I’m not going to copy what they did. I’ll explain the concepts that I struggled with learning.

My objective with Docker is to develop locally and deploy to a Swarm. I hope to have a fast site with high-availability that can be updated and deployed quickly.

Developing Locally

I was recently working on a project that uses SOAP hosted on a slow connection. Instead of hitting that API each page load, I decided to store the results in Redis, and load them from there. This helped speed up the pages that needed to access the data from the remote API. Installing Redis on my local system wasn’t what I wanted to do, so I simply added a Redis service to my “docker-compose.yml” file, and it worked great. You can easily add new services to your stack while developing locally with Docker.

Being able to edit your code, with all the services running, and see the changes immediately is very valuable. I like to develop on Windows, OSX, and Linux, so my environment is drastically different on each machine. It would be very time consuming if I had to have Redis running on each of my dev environments. Having Docker running the same services locally on my dev machines as what is running in production is priceless.

Priceless

The Docker Compose file

You will need two use two “docker-compose” files, one for local development, and one for deploying to your swarm. The main file, “docker-compose.yml,” will be used when deploying to your production environment. And “docker-compose.override.yml” will be used when developing locally. You want to copy your PHP code into the container when you are deploying to production. When you’re developing locally, you want your code outside of the container, so we mount it with volumes in the override file.

Docker Swarm explained in a drawing

You can use Volumes in production, but you will need to copy the files to the node where the container will live. That can be complicated and in my opinion, isn’t ideal. It does work well when developing locally and your computer is the node since the files are already on it.

Docker Services and etc

All of these terms can become confusing, at least they were to me, but I hope to explain them shortly. We used to refer to a “web server” as a server that ran everything a website needed. Even though it was a server running daemons like Apache’s httpd.

Now we have stacks, containers, node, swarms, services, and a lot more words to describe things. Communication is important when speaking with others about the approach you wish to use when solving problems. Understanding what you’re saying is even more important. I’m going to try and define these terms myself.

A service is a piece of software written that we will use to help us accomplish our goals. MySQL, nginx, Apache, PHP, node, and etc are all services we can use with Docker.

Your stack is essentially a list of the services being used for the app. For this example, I’m using haproxy, nginx, and PHP-FPM.

A container is a way to virtualize the service(s) on the computer. FreeBSD has had this ability for a long time with Jails, but Docker has made it much easier. Containers can’t access other resources running on the server.

A node is a single instance of an Operating System. Your computer could be a node, as well as a Virtual Private Server or a Virtual Machine or an entire bare metal server. Node’s run an Operating System that runs the containers.

Swarms are really awesome! They are a collection of nodes and can distribute the containers across them as needed. They can have their own private network and do load balancing.

Swarm

Conclusion

This app is using haproxy, nginx, and PHP-FPM. I’m passing SSL through haproxy so nginx can handle SSL termination because I’m not sure how to do it with haproxy. The load balancer, haproxy, passes the request off to one of the web services. One of the web services, nginx, then connects to a PHP-FPM service to process the PHP.

Be sure to check out the levilol/php-docker repo on Github.

Docker is an excellent tool that I hope to learn more about this year. Other’s have predicted it will get much more attention in 2018 and I agree. I’m going to end this post with my simplified description of Docker.

Imagine if you could compile your app with all the required services and end up with one binary file that contains everything – that is Docker.

Please leave any feedback below in the comments section.

DigitalOcean Spaces – Learn how to use Spaces with PHP

DigitalOcean Spaces – Learn how to use Spaces with PHP

Using DigitalOcean Spaces with your next PHP project is a beautiful idea. Spaces will give you all the hard drive space that you could ever need. This post can help you build your next PHP project with DigitalOcean Spaces. Building out an infrastructure can be a difficult job for anyone, but DigitalOcean’s services make it a bit easier.

Mounting Object Storage

You could upload directly to S3 compatible storage using a PHP package, but it is easier to mount a bucket and let the file system handle the rest. Read my post on Mounting Object Storage if you need help getting started.

By mounting your bucket to your local file system, it will allow you to have nearly unlimited storage space for your app. In addition to storing uploaded files to object storage, you could also save backups, log files, and anything else you could imagine.

PHP Uploading to DigitalOcean Spaces

Your code will probably be a lot more complicated than the example below. However, I think the code below will suffice for this blog post.


<?php
$message = '';
if(!empty($_FILES['uploaded_file'])) {
  $path = 'uploads/';
  $path = $path . uniqid('u', true) . '-' . basename($_FILES['uploaded_file']['name']);

  if(move_uploaded_file($_FILES['uploaded_file']['tmp_name'], $path)) {
    $message = 'The file ' . basename( $_FILES['uploaded_file']['name']) . ' has been uploaded';
  } else {
    $message = 'There was an error uploading the file, please try again!';
    $message .= $_FILES['uploaded_file']['error'];
  }
}
?>
<!DOCTYPE html>
<html>
<head>
  <title>Upload your files</title>
</head>
<body>
  <?php echo $message; ?>
  <form enctype="multipart/form-data" action="upload.php" method="POST">
    <p>Upload your file</p>
    <input type="file" name="uploaded_file"></input><br />
    <input type="submit" value="Upload"></input>
  </form>
</body>
</html>

The code in the example above shows you how to upload a file to a folder. You will need to change the path to where you mounted your bucket. Of course, you will need to make sure you validate the file type and restrict it to users who are logged in.

Conclusion

Digitalocean Spaces is the best object storage service currently available. While they might not have as much space available as AWS, it is compatible with S3, easy to use, and has a better UI.

Please don’t store any sensitive or confidential information in your buckets. If you must, then please make sure you have the proper settings and those files aren’t publicly exposed.


Image Credit DigitalOcean.

Skeleton Repo for PHP, JavaScript, and SCSS

Skeleton Repo for PHP, JavaScript, and SCSS

I work on a lot of different projects, and each one is unique in its own way. I often find myself installing packages manually and then configuring them. It seems like I repeat myself quite a bit, but the requirements of each project vary ever so slightly. In an attempt to prevent myself from repeating the same tasks over and over, I’ve started working on a skeleton repo that contains nearly everything I would need.

What I was doing

Most of my projects are built in PHP and augmented with JavaScript and SCSS. Occasionally I’ll make a project solely with JavaScript. So I would have to run the following commands:

  1. composer init
  2. composer require silex\silex illuminate\database
  3. npm init
  4. yarn add webpack babel-core … and many more

Then I would have to do the following:

  • Configure my composer.json to use PSR-4 autoload for my namespace
  • Create my folder structure
  • Create some interfaces, classes, and models
  • Configure webpack to use my folder structure
  • Import my SCSS

Doing all of this over and over is a waste of time.

Creating a skeleton repo

My decision to create a light skeleton repo has saved me time. Since it is light, it is very easy to scale it back to what I need. However, if I need to add more, I can do so easily. It turns out that I’m quite good at creating a skeleton repo since I’ve done it so many times. By carefully planning and using the steps above, I had one created in about a day. I’ve continued to refine it and add more features.

Conclusion

I’m sure there are some very elegant solutions on there that do what I need, but I enjoy creating these solutions for myself. Perhaps I’ll end up using something someone else created, but I hope that I’ll have a greater understanding of what they’ve done.

Silex

Silex

This year I’ve continued to try different PHP frameworks. The ones I’ve tried are well written and have a fantastic community. I can see how some people may need to rely on a framework that does everything, but I like having control. And I prefer to add things instead of removing them.

Silex has been enjoyable to use while building web applications. I have a skeleton repo that has everything I need. This repo has webpack for SCSS, JS, and injecting assets into HTML. The folder structure is organized and easy to understand. The organized code is easier to maintain and debug.

Short Post

Short Post

It’s been a little while since I’ve posted anything, so here is a quick update.

Website

I finally pulled the trigger and implemented AMP. All the pages are now Accelerated Mobile Pages. I didn’t have to sacrifice anything, but I also didn’t spend very much time on the design or presentation. I’ll pretend that I was going for a “less is more” approach. Most visitors come from mobile, so they didn’t get to see any of the fancy stuff that was only for the desktops. I hope to post more often, they’ll be a lot shorter, so come back soon.

Programming

I continue to write stuff in PHP, C, JavaScript, and TypeScript. I’ve been slowly learning Angular and I like it. I’ve also been toying around with Firebase a bit more lately. Firebase is great for anyone who doesn’t want to deal with servers. Cloud Functions are really neat and I hope I get some more time to write something cool.

Primes

I might start finding primes again. The math behind it is interesting and educational.

PHP Adapter Design Pattern – Learn How It Can Help You

PHP Adapter Design Pattern – Learn How It Can Help You

When I think of an adapter, I think of the three prong to two prong electrical outlet thing. It allows me to plug in an electrical device that has three prongs (one with a ground) into a two prong outlet that doesn’t have a ground. The interface of the outlet is two holes and the interface of the device it has three prongs, so we need an adapter to help us. The PHP adapter pattern utilizes this very concept.

PHP Adapter Example

I’m going to keep going with the electrical outlet idea. Hopefully, this makes a little bit of sense.


<?php

interface ProngInterface {
	public function __construct();
}

interface TwoProngInterface {
	public function __construct(ProngInterface $prongOne, ProngInterface $prongTwo);
	public function plugTwoIn();
}

interface ThreeProngInterface {
	public function __construct(ProngInterface $prongOne, ProngInterface $prongTwo, ProngInterface $prongThree);
}

class Prong implements ProngInterface {
	public $prong;
	public function __construct() {
		$this->prong = '|'; // that is a prong
	}
}

class TwoProng implements TwoProngInterface {
	public $prongOne;
	public $prongTwo;
	public function __construct(ProngInterface $prongOne, ProngInterface $prongTwo) {
		$this->prongOne = $prongOne;
		$this->prongTwo = $prongTwo;
	}

	public function plugTwoIn() {
		echo 'both plugged in.' . "n";
	}
}

class ElectricalOutlet {
	public function __construct(TwoProngInterface $twoProng) {
		echo $twoProng->prongOne->prong . ' ' . $twoProng->prongTwo->prong . "n";
		$twoProng->plugTwoIn();
	}
}

// Our TV *should* have a ground.
class Television implements ThreeProngInterface {
	public $prongOne;
	public $prongTwo;
	public $prongThree;
	public function __construct(ProngInterface $prongOne, ProngInterface $prongTwo, ProngInterface $prongThree) {
		$this->prongOne = $prongOne;
		$this->prongTwo = $prongTwo;
		$this->prongThree = $prongThree;
	}
}

// Here is where the magic happens.
class TwoProngAdapter {
	public $twoProng;
	public function __construct(ThreeProngInterface $threeProng) {
		$this->twoProng = new TwoProng($threeProng->prongOne, $threeProng->prongTwo);
	}
	public function get() {
		return $this->twoProng;
	}
}

$tv = new Television(new Prong, new Prong, new Prong);
// we use the TwoProngAdapter to shave off one of the TV's prongs.
$adapter = (new TwoProngAdapter($tv))->get();
// It'll now work in our two prong electrical outlet!
$outlet = new ElectricalOutlet($adapter);

// we can also plug our two prong toaster into the two prong outlet!
$toaster = new TwoProng(new Prong, new Prong);
$outlet = new ElectricalOutlet($toaster);

Explanation

If you’ve read my other posts, I hope you understand some of the above code. If you’re lost, at least read Classes in PHP and PHP Type Hinting, those should help a little bit.

In the example, the ElectricalOutlet only accepts a device that implements the TwoProngInterface. We really want to watch TV, but it implements the ThreeProngInterface, and we can’t plug it directly into the EletricalOutlet, poop. Now your mom is yelling at you, she really wants to watch Wheel of Fortune, but the TV still has no power.

Luckily, we developed an adapter! The TwoProngAdapter accepts a device that implements the ThreeProngInterface and then returns a TwoProngInterface object. We can now plug in our TV and watch Wheel of Fortune! Congrats! You saved the day and your mother still loves you.

Advice

Read through the code above and see if you can follow the logic in your head. It might help if you read it from top to bottom then bottom to top. If you’re still struggling with it, try typing it up yourself and maybe modify it a little. Learning takes time and you shouldn’t get upset if you don’t understand it right away. It sometimes takes me days, weeks, and sometimes months to understand a concept. Always take a break.

Conclusion

Feel free to comment below. Please comment below. Or email me? Someone has to need some help. If you do ask for help, please share with me all your code and not a sliver of it. I need to see everything that is happening. Sometimes your problem is outside the scope you are focused on.

For those of you who know me, the Wheel of Fortune story never happened, it was made up. I was always prepared.

Disclaimer

Don’t try plugging anything with three prongs into a two prong outlet. I don’t care if you do have an adapter, it is a bad idea. The third prong is for the ground, which can help protect your device from being ruined.

Relationship Models for PHP and MySQL

Relationship Models for PHP and MySQL

Want to be in a relationship with a model? If that has always been a dream of yours, then I might be able to help. I firmly believe if you read this blog post, you’ll be able to attract any person you desire. Intelligence is an aphrodisiac.

This post is really about how I developed my own model capable of handling relationships in a database. That said, it is probably going to get more technical and longer than my other posts.

I wanted to create my own model instead of using a pre-existing solution because I needed a very simple solution. You may use the argument, “don’t reinvent the wheel,” and I will usually agree with you, but not this time. My simple solution did get a little more complicated when I wanted to add another feature. I kept adding features until it could do nearly any type of query that I may find myself using. Reinventing is a method of teaching myself new concepts that I may not normally have discovered.

How I Started

I first created an abstract class that all other models would extend. I chose an abstract class so I could write the logic in the methods and so no one should be able to instantiate it. A model only needs to extend the abstract class to be able to do any CRUD query.

Looking up synonyms for “model” on Google, I found the word “Illustrative” and thought it sounded cool. The name of my base model is called Illustrative. Next, I created a Person class that extends Illustrative. I then started adding some simple methods to the Illustrative class and using them on the Person class. A basic query is a “SELECT” statement so I started with that. I had my database credentials hardcoded in my Illustrative class and created a method to retrieve all the rows from the table. Instead of hardcoding the table name, I decided to make it the plural form of the class name, so “SELECT * FROM persons” was the query that was getting run.

At this point, I hadn’t done anything that excited me so I had to keep going.

Static Methods

When using a static method, you don’t need to instantiate the class, which is the way I like to do it. It really comes down to preference, as do most things, so do what you like.

A newly instantiated class is returned when you call one of the static methods that the model inherits from Illustrative. This gets things started and allows you to use method chaining to build your entire query. Below are two examples of how it can be used for instantiating and method chaining.


$result = Person::fetch()->order('id', 'desc')->get();
$result = Person::fetch()->order('id', 'desc')->limit(1)->get();

As long as I thoroughly document all the methods and their parameters, this will help someone who isn’t familiar with SQL retrieve rows from the database. I think it is verbose enough to English vernacular to make it seem familiar.

Saving Records

While your program should probably read from the database more than it writes, it still needs to be able to create new rows. Assuming the Baller class extends the Illustrative class, you could do something like below.


$p = new Baller;
$p->name = 'alex';
$p->save();

This allows you to dynamically assign new properties to the class and then run the save method to add the new row. Some people aren’t a fan of dynamically adding properties, so I made another way to do it. The other way is shown below.


Baller::insert(['name' => 'levi']);

In case you are wondering, yes, Alex and I are ballers.

Finding Certain Rows

At first, I retrieved all the rows from the database and filtered the results based on the parameters. I knew this wasn’t a good way to do it, but I did it anyway. I later went back and corrected it. It now uses SQL to limit the results from the database.


$rows = User::fetch()->where(['name', '=', 'levi'])->get();

The example above is using the User model and running the static method fetch. By that, I hope you can deduce we are fetching a user. Instead of getting all of the users, we specify the where the method and pass an array to it. In that example, we are looking in the name field that is equal to “levi.”

While most of your queries may be simple, sometimes you have normalized your database and need to get information from multiple tables. I was a bit hesitant to move onto defining relationships, but I did, and I believe that is what makes this package useful.

Relationships

Writing a query that includes a JOIN isn’t very difficult, but writing a method in PHP to accomplish this was a little challenging. I’ve used frameworks that can handle this, but I’ve never tried to figure out how they do it. I dug into some code written by others and I turned up with nothing.

I eventually got the logic worked out, but my query results weren’t matching what I expected. I was getting a little frustrated, so I decided to sleep on it and let my diffused mode thinking take over. I woke up the next day with a fresh outlook on the project and found my mistake. I also redid some of the logic of the other methods.


$r = Post::fetch()->users()->where(['name', '=', 'levi'])->get();
var_dump($r);

Conclusion

I am not claiming to be intelligent. My opening paragraphs are usually my attempt at humor, and as poorly done as they may be, I don’t think I’m going to stop.

You can’t force yourself to see what is wrong. Take a break. Go for a walk, take a nap, talk to a friend, or do something other than work on that project. You could also switch to another project. Doing these things allows your brain to go into the diffused mode and work on the problem. Even though you aren’t actively thinking about it, your brain is looking at the problem from a wider perspective. That doesn’t mean your brain stopped.

I still need to add an update method, but you can check out the Illustrative repo.

Interface or Abstract Class

Interface or Abstract Class

I was recently working on a project, and I found myself adding the @property DocBlock to an interface. I knew it wasn’t good practice, but the class that is implementing that interface will provide those properties. I tried to convince myself it was okay.

Interface

Yes, it is a good idea to have your concrete classes implement an interface. It helps you plan how the class should work. Another benefit is using the interface as a type hint, you can then pass your concrete class as the parameter. This also allows someone to create their own implementation of the interface and pass it as a parameter.

An interface is essentially a signature. It can’t really do anything except provide a skeleton of what the class has to implement. You can’t declare properties, you can’t write any logic, and it can’t cook you breakfast. Although it can’t do much, you’ll usually use an interface instead of an abstract class.

Since an interface can’t define properties, what I was doing, was wrong. There was no agreement between the interface and the concrete class that said it must implement those properties. It is undefined behavior and would cause headaches down the road.

Example


<?php

interface CreateDropletRequestContract {
	public function __construct($name, $region, $size, $image);
}

class CreateDropletRequest implements CreateDropletRequestContract {
	// . . .
	private $name;
	private $region;
	private $size;
	private $image;

	public function __construct($name, $region, $size, $image) {
		$this->name = $name;
		$this->region = $region;
		$this->size = $size;
		$this->image = $image;
	}
	// . . .
}

Abstract Class

An abstract class can not be instantiated. With an abstract class, you don’t implement it, you extend it. Since the abstract class can provide logic, you must extend it to keep the logic. When you implement something, that means you are going to write the logic for it. Abstract classes can also define properties, which was I needed to do for my project.

A concrete class can only extend one class, but it can implement many interfaces. So when you are thinking everything out, try to plan ahead, even if it’s hard or you end up being wrong. The more you plan, the better you’ll get at doing it, and the easier it will become.

Example


<?php

abstract class CreateDropletRequestContract {
	private $name;
	private $region;
	private $size;
	private $image;

	public function __construct($name, $region, $size, $image) {
		$this->name = $name;
		$this->region = $region;
		$this->size = $size;
		$this->image = $image;
	}
}

class CreateDropletRequest extends CreateDropletRequestContract {
	// . . .
	// Most of the code could already be written in the abstract class.
	// . . .
}

Conclusion

I might ditch the abstract class and only implement the concrete class since it is only a data transfer object without an interface. Feel free to send me an email if you have any questions.

Example


<?php

class CreateDropletRequest extends RequestContract {
	// . . .
	private $name;
	private $region;
	private $size;
	private $image;

	public function __construct($name, $region, $size, $image) {
		$this->name = $name;
		$this->region = $region;
		$this->size = $size;
		$this->image = $image;
	}
	// . . .
}
Perceptual Hashing

Perceptual Hashing

Disclaimer: This is not a post about how you can get high and see things in a new light. Or is it?

You may assume that computers know everything and they don’t need people to do anything. We have assistants on our phones that we can talk to and ask questions, so who cares about how things actually work. Well, I do care, and I think this is pretty nifty.

I was recently tasked with writing a program to find duplicate images. I thought, no big deal, I’ll use a cryptographic hash and find the duplicates that way. And that way would work, but what about images that are similar to each other? Unfortunately using a cryptographic hash, like MD5 or SHA512, wouldn’t help you. The cryptographic hash algorithms use a waterfall effect to make the result completely different when only a few bits are changed in the source file.

After a little bit of research, I decided to use perceptual hashing.

What is Perceptual Hashing?

A perceptual hash is made up of a sample of the data from the original file. If you were to examine two pictures like you would read a book (from the top down and left to right), stopping every inch and recording the color; you would be creating a perceptual hash for that image. To keep it short, let’s say you end up with:

  • Blue
  • Blue
  • Blue
  • Yellow
  • Green
  • Green

Then if we examined another picture that is similar to the first, we might get:

  • Blue
  • Blue
  • Blue
  • Yellow
  • Orange
  • Green

As an intelligent human person, you can obviously tell they are similar. Now you can also use a systematic way to tell they’re similar since you can say there is only one color different. Of course, actual pictures are made up of a lot more pixels and colors.

Hamming Distance

Just how similar are they? Are they close? Are they the same? How would you measure the similarity? Well, you can use the Hamming distance. You would first XOR the two perceptual hashes; then you would count the number of ones in that binary string. That will give you the Hamming distance. Some people may say the Levenshtein distance would work better, but I’ll disagree. I’m not going to put an example of finding the Hamming distance on here because I don’t want to get too technical in this post.

Conclusion

These explanations may not be 100% accurate, but it is how I decided to explain them. I feel as if they accurately represent the underlying foundation of the concepts. If you would like to see how to measure the Hamming distance, send me an email, and I’ll send you some code I wrote along with an explanation. I’m okay if you want to create a new email address and pretend to be someone else ;).

I went ahead and wrote a function in C that finds the Hamming distance and I put it in a Github Gist. I’m not sure it is working correctly, so don’t use it for anything in production. I have PHP version that is working if you would like to see it.