Archive for February, 2007

Book Review: Pro PHP Security

Pro PHP Security

Published by: Apress

Authors: Chris Snyder and Michael Southwell

Book Site | Sample Chapter: Preventing SQL Injection | Table of Contents

At first I thought this book was all about cleaning your input variables and filtering your output, XSS attacks and SQL injections, but I was most pleasantly surprised to find that it was that and so much more! In fact, I would have called it “Pro PHP Security and Administration” instead! It is absolutely fantastic. It really is about security in all the facets of web development, from the server to the code to the database to the system users.

The book is divided into 4 parts:

- Part 1: The Importance of Security

- Part 2: Maintaining a Secure Environment

- Part 3: Practicing Secure PHP Programming

- Part 4: Practicing Secure Operations

Here are some brief overviews of the sections and the tidbits I found interesting:

Part 1:

The first part is the shortest and gives a general overview of the what and why of security.

Part 2:

The second is much more hearty and goes into detail about shared hosts, why they are secure and how to make them more so. It even dips into alternatives to traditional shared hosts and goes into virtual machines. This is valuable not only to administrators but to PHP developers. After reading this, I understand the “why” behind many of the things about shared hosting that I found frustrating.

One of the most important things I found in this chapter is how to maintain separate development and production environments. When I was helping to set this up at one of my past jobs it was a topic that I couldn’t find much information about. It also makes mention of version control, using wikis, bug tracking, sandbox and testing! Oh and here’s a concept…. pretend your live system failed — how well does your backup plan work?

How many times have I thought, I should make a cron job to back up my database to my home server every day/week? Have I ever done this? No! But now I have no excuse! Backing up a database and storing it remotely is one of the sections in this chapter, and code is included! Fantastic.

There are chapters about encryption theory and practice which I read several times to understand. It was interesting, but it wasn’t something I have to do right now in my life; I will return to this book to refresh my memory when I do.

Securing network connections with SSL and SSH: these proved helpful as I have become the “Reluctant System Admin” for one of my projects — partly because if they were to hire a part time person I’d rather they get a CSS person and I’d rather do the sys admin!

The Controlling Access section goes into details about using certificates with PHP, single sign-on, basic and digest HTTP authentication … whoa, this is some deep stuff! But good; when I was looking into this for a project a few years ago I couldn’t find anything helpful. It continues with permissions and restrictions, a lot about Unix permissions and keeping things running where they should, securing databases and PHP safe mode!

Part 3

Finally — the stuff that I thought the book would be about: validating user input, filtering output, preventing cross-site scripting attempts, remote execution… so much more to security than I thought! It talks about securing temp files; I always assumed the OS handled this and I didn’t need to worry.

Part 4

Ahh — Practicing Secure Operations… all you ever wanted to know about making sure your users are humans, verifying your users, setting roles for users, logging your users’ actions, preventing data loss, executing system commands safely, working with web services and finally peer reviews! Sometimes it’s that extra pair of eyes that can see things you miss.

Something I find interesting: in the section about preventing data loss, it talks about setting a flag on records that are “deleted” and then making a db view of the “good” data and using that to select from. One of the things I like in Ruby on Rails is the “acts_as_paranoid” model option that does about the same thing. Neato.
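Here is an added example of that soft-delete idea in plain Ruby. It is not code from the book or from acts_as_paranoid; the “users” table, its columns and the sample rows are constructed for the demonstration. The point it shows is that ordinary reads go through a single “view” of the good rows, so a query that forgets to filter cannot leak records the application considers gone, while a wrong deletion stays reversible until a scheduled purge.

```ruby
# Added example: soft delete with a flag and a "view" of the good rows.
# Not from Pro PHP Security or Rails; table layout and rows are constructed.

# One row of a hypothetical "users" table. A deleted_at timestamp is used
# instead of a bare boolean so the record also says *when* it went away.
User = Struct.new(:id, :email, :deleted_at)

class UserTable
  def initialize
    @rows = []
  end

  def insert(id, email)
    @rows << User.new(id, email, nil)
  end

  # "Deleting" only marks the row. Nothing is physically removed, so an
  # accidental (or malicious) delete can be reversed.
  def delete(id)
    row = @rows.find { |r| r.id == id } or return false
    row.deleted_at = Time.now
    true
  end

  def restore(id)
    row = @rows.find { |r| r.id == id } or return false
    row.deleted_at = nil
    true
  end

  # The "view": every ordinary query goes through here, so code that forgets
  # the filter cannot expose rows the application considers deleted.
  def active
    @rows.reject(&:deleted_at)
  end

  # Raw access is deliberately a separate method, reserved for administrative
  # tooling (audits, restores, scheduled purges).
  def all_including_deleted
    @rows.dup
  end

  # A periodic purge is what actually frees storage; the retention window
  # bounds how long a wrong deletion stays recoverable. Returns rows removed.
  def purge_older_than(seconds, now: Time.now)
    before = @rows.size
    @rows.reject! { |r| r.deleted_at && now - r.deleted_at > seconds }
    before - @rows.size
  end
end

# Constructed sample data exercising delete, view and restore.
def demo
  t = UserTable.new
  t.insert(1, "alice@example.com")
  t.insert(2, "bob@example.com")
  t.delete(2)
  visible = t.active.map(&:email)   # only alice is visible now
  t.restore(2)
  restored = t.active.map(&:email)  # both addresses again
  [visible, restored]
end
```

In SQL the same shape is a `deleted_at` column, a view that selects `WHERE deleted_at IS NULL`, and application code that reads only from the view.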

Pro PHP Security is a most excellent read and so much deeper than my brief overview here. It will be a handy book on my shelf to keep me on my toes regarding security in all areas of web development. From the server to the code, to the users, to security best practices, you will find this a helpful book too!


Added Feedburner

Hey, I added Feedburner to this site AND to DevChix … still learning about all I can do with it…


Soooooooooo Happy!

I’ve been trying for some time to get a Debian machine configured with Ruby and Rails. I always had problems with ruby-zlib! I tried building from source… finding a package… doing this and that, standing on my head, whatever… and finally I found this blog that gave step by step instructions on installing Rails on Debian.


PHP User Group Meeting Report

I presented some features of XDebug at the February PHP User Group meeting, which we discovered is 5 days away from our “10 year birthday” of the group! If I had realized it earlier, I would have brought a cake!

I talked about installing XDebug, which was sort of a pain at first since this was the first time I installed a PECL module. With Debian/Ubuntu I found I had to have make, build-essentials, php5-dev (or php4-dev) from the software repository for my Linux distribution, and of course PEAR needed to be installed. Then I was able to do “pecl install xdebug-beta” and it would install, so it was not so hard once you had the Linux stuff installed. Then I had to put “extension=xdebug.so” in my php.ini file. Then you had to go about adding a config section in your php.ini to turn on the features of XDebug you want to use: debugging (things like a glorified var_dump), profiling, and working with a debugging server.

I showed a few of the debugging features like the var_dump-like functions, but I mainly focused on profiling and looking at the results both in WinCacheGrind (windoze) and KCachegrind (Linux). I compared a PHP4 script using PEAR’s XML_Serializer class and PHP5 using the built-in XML extension. The differences were quite noticeable and I may write something up in detail on this at a later time.

Then Rich, the group leader, stole Rasmus’s talk about Getting Rich with PHP5, showed the slides and talked about how Rasmus used a similar profiling tool and was able to progressively narrow down the number of servers needed for a particular application. Profiling is a great way to see what parts of your application are worth optimizing. The slides showed output from a different but similar tool to what I demonstrated, and the two talks went great together!

Then we come to the fun part… the random sharing of knowledge… I gave a very brief demo of Selenium before most people got there… I showed the glories of using VMware Player to run one of the ready-made Ubuntu machines out there… we talked about Drupal… open source… a bit about the upcoming PHP-Tek… it was a good time :)

Rich asked for volunteers for helping with the website — any takers? :)


Windy City Perl Meeting

Tonight was fantastic! We had Chris McAvoy, a fellow language geek like myself, talk about the favorite parts of his languages. He started by stating his criteria for learning a new language; from what I remember he said he likes good documentation and a good interactive console. Ruby has both, Python too… Perl is a bit lacking in the console but does have an attempt at it using the Perl debugger. It’s not bad, but compared to Ruby and Python, it’s not so fun.

He gave brief overviews of the basic syntax and structure and talked about the packaging system. It was interesting; I have dabbled in Python but have decided to master Ruby first. I do love the cleanness of Python — very refreshing after staring at the ugliness of PHP all day. PHP is fine, but after looking at Ruby, man… I just can’t help it…
I had to leave just when he started talking about Ruby DSLs, something that has had me absolutely fascinated the past few weeks as I try to wrap my tiny brain around the concept and track down tutorials and sample code. I may have to track him down for lunch and have him fill me in…
Here are links from his talk:

Notes from Meeting - like me, he also dislikes PowerPoint. Nothing wrong with just a list of notes!


Hear-Ye Hear-Ye

It seems that some people misunderstand my love for language as having no focus.

I like going to user groups and meeting fellow geeks in my free time… I like learning languages; it’s fun. Some people collect stamps, or thimbles, or pencils! I collect languages.


Compiling Ruby 1.8.5 on Ubuntu or I’m not afraid of make!

If there is one thing I learned from Perl, it is not to be afraid of make! I installed countless Perl modules… and when I first started using Linux heavily, I had to compile some apps! Yikes. But not afraid no more…

I went to the RubyOnRails.com download page to see what the latest version of Ruby was, so I could install it on my Ubuntu VM (downloaded from VMware’s list of virtual appliances, and running with VMware Player). I was pretty sure it was 1.8.4, but I knew there was one version that wouldn’t work… and whoa, it’s version 1.8.5. I looked in my Ubuntu package manager and they only had 1.8.4. Always up for a challenge, I thought I’d try to compile it myself.

I had to install “build-essential” to get all the goodies, “ld” in particular, that it complained about the first time I ran make. Here’s what I did:

Downloaded source from www.rubyonrails.com/down

sudo apt-get install build-essential

tar xvfzp the archive and cd into that dir

sudo ./configure

sudo make

sudo make test

sudo make install

(don’t forget the sudo! or you may get strange errors!)

Then, to double check and revel in your accomplishment do:

ruby -v

Ahh! Wham-bam and you are on the latest and greatest release version! Also, while I was at it, I peeked at the source, poked around a bit and was thankful there are a great many people smarter than I who wrote this wonderful language.


Feb Ruby Meeting Report - Capistrano and Starfish

I came to the meeting knowing a bit about Capistrano and nothing about Starfish and left with a firm grasp of the basic concepts of both!
In short:

  • Capistrano - A tool for deploying actions on multiple servers. Not necessarily for Rails and you don’t need Ruby on the deployment servers! Presented by Michael H Buselli
  • Starfish - Distributed programming in Ruby. Presented by Peter Chan

In Long(er):

Capistrano
Like Rails, this tool relies on convention over configuration and makes some assumptions about your environment, such as Rails, Subversion, Apache 1.x and FastCGI. Of course you can override some of these assumptions and even use it with PHP and CVS (yikes). Future versions will be completely separate from Rails. I know people who stiffen at any mention of Rails, but really… this is how tools are born, out of a need. This one just happened to be a need of Rails developers, and thus it makes sense that it would naturally be easier to use to deploy a Rails site.
Commands
The basic commands are run, sudo (run as root), put, delete, render (returns output from an erb template) and get. In addition you can add your own commands.

Tasks:
You group commands similar to a batch file or shell script. An interesting thing is that if your task is called “say_hello”, you can also have tasks “before_say_hello” and “after_say_hello” that will run before and after it respectively. This might be useful for making “changes” to some of the standard tasks, doing any preparation or cleanup without having to hack the code. The question was asked whether you could have “before_before_say_hello”, and yes, such recursive hooks do work, though I think it could get pretty confusing!

Roles:
Machines are grouped by roles, such as “web” and “db”, and you can have multiple machines in those roles. The db role is unique in that you specify one machine as primary, because that’s where the migrations are run (then I’m guessing that the database is just copied to the other database servers?).
Putting them together:
You can specify on a task which machine role it applies to, such as:

task :say_hello_to_webservers, :roles => :web do
  run 'echo "hello world"'
end

Anyway, that’s the basics as I understood them. Please correct me if I am off base.
Link to presentation and resources: http://www.cosinewave.net/ruby/cap
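To make the task, role and before_/after_ hook semantics described above concrete, here is an added example: a small Ruby model of those rules. It is not Capistrano’s code and not from the presentation; the host names are constructed, and instead of executing commands over SSH its `run` only records which command would go to which host, so it runs stand-alone.

```ruby
# Added example: a toy model of Capistrano-style tasks, roles and hooks.
# Not Capistrano's code; hosts are constructed and "run" only records commands.

class MiniDeployer
  attr_reader :log

  def initialize
    @roles = Hash.new { |h, k| h[k] = [] }  # role name => list of hosts
    @tasks = {}                             # task name => { roles:, body: }
    @log   = []                             # "host: command" entries, in order
    @current_roles = []
  end

  # role :web, "web1", "web2"
  def role(name, *hosts)
    @roles[name].concat(hosts)
  end

  # task :name, roles: :web do ... end   (roles may be nil, one symbol, or a list)
  def task(name, roles: nil, &body)
    @tasks[name] = { roles: Array(roles), body: body }
  end

  # Inside a task body, "run" stands in for executing a command on every host
  # in the task's roles (all hosts if the task names no role). Here it only
  # records what would have been executed.
  def run(cmd)
    hosts = if @current_roles.empty?
              @roles.values.flatten
            else
              @current_roles.flat_map { |r| @roles[r] }
            end
    hosts.each { |h| @log << "#{h}: #{cmd}" }
  end

  # Runs before_<name> (if defined), then <name>, then after_<name>. Each hook
  # is itself resolved through invoke, which is why before_before_<name> works.
  def invoke(name)
    raise ArgumentError, "unknown task #{name}" unless @tasks.key?(name)
    invoke(:"before_#{name}") if @tasks.key?(:"before_#{name}")
    @current_roles = @tasks[name][:roles]
    instance_exec(&@tasks[name][:body])
    invoke(:"after_#{name}") if @tasks.key?(:"after_#{name}")
    @log
  end
end

# Constructed scenario: two web hosts, one db host, a task with a before
# hook, a before-before hook on a different role, and an after hook.
def demo_deploy
  d = MiniDeployer.new
  d.role :web, "web1.example.test", "web2.example.test"
  d.role :db,  "db1.example.test"
  d.task(:say_hello, roles: :web)               { run 'echo "hello world"' }
  d.task(:before_say_hello, roles: :web)        { run "mkdir -p /tmp/hello" }
  d.task(:before_before_say_hello, roles: :db)  { run "echo preparing db" }
  d.task(:after_say_hello, roles: :web)         { run "rmdir /tmp/hello" }
  d.invoke(:say_hello)   # returns the ordered log of host/command pairs
end

puts demo_deploy if __FILE__ == $PROGRAM_NAME
```

Running it prints seven lines: the db preparation first, then the web preparation, the hello on both web hosts, and the cleanup. Keeping preparation and cleanup in hooks, rather than edited into the standard task, is the benefit the talk described, and the recorded log is also a convenient way to review exactly what a recipe would do on which hosts before it is run for real.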

Here’s a blog posting that describes how to use Capistrano with Perl or PHP, which I bookmarked some time ago; it may be a little out of date but probably still has some good information.

Then we had a brief moment of fun as we watched this (which is no joke!)

Erlang - http://tinyurl.com/ytgp27


Starfish
This was interesting as I have never done distributed programming or had a need to, but I’m always wondering how things work. The presenter said that he thinks this is one of Google’s secret weapons in making things load faster.
The starfish file consists of two sections — the server and the client. The server section describes the process and the client section describes the output. Once that is set, you run the starfish program; the first time you run it, it starts a client and a server. To start another process, run the starfish command again; this time it sees there’s a server already started and just starts up another client.
ex:
starfish find_primes.rb # starts server, client
starfish find_primes.rb # starts another client
Pretty neat. I had to leave before the end of this talk since I have such a long commute home, but I got the gist of what Starfish was and know where to look if I need distributed programming in the future!

Links to his demo files: http://oaktop.com/go/starfish/

Live in Chicago? Join Chirb, the Chicago Ruby group. Can’t make it downtown? There are some individuals starting meetings in the burbs; join the mailing list for details!
