I was just sent a link from Wiley to the web site for my upcoming book. You can pre-order the book as well as find out more information about it. Also, for the first time, here is the cover. It is interesting to see your name on a picture of the book's cover; I can only imagine what it feels like to see it in person.

Once the book is released (in May) I will post a more in depth overview, as well as take the time to thank the group of people that made this all possible.
Also, before I forget about it, PhotoshopWorld is fast approaching but there is still time to register. I gain nothing by letting you know about the show; I just know first-hand that it is a great event with many awesome people.
The topic of security in PHP is a long-standing one in the developer community. Oftentimes you will find security is simply overlooked. The most recent example (that I found) is the Untraceable movie web site's interactive puzzle game. Once you complete the game, your time and name are entered into the database to be displayed on the high score screen.
Here is an example of that easily modified URL (full path removed):
http://…/score.php?score=02%3A41&name=JAMES%20B%2E
As you can see, the time and username are passed in plain sight in the URL (%3A is just a URL-encoded colon), so the time, which in this example is 2 minutes and 41 seconds, can be changed to anything before the request is sent.
Now that you can see the issue, let's look at how to stop this basic modification. This example will use ActionScript 3 and the MD5 library provided by Adobe's AS3CoreLib.
import com.adobe.crypto.MD5;
import flash.events.Event;
import flash.net.URLLoader;
import flash.net.URLRequest;

// Shared secret; score.php uses the same value to recompute the hash.
var salt:String = "439df098";

function sendScore(name:String, score:String):void
{
    // Hash the salt together with the score so the score cannot be
    // changed in the URL without knowing the salt.
    var scoreHash:String = MD5.hash(salt + score);
    // URL-encode each value; every parameter needs its own "&" separator.
    var query:String = "?n=" + encodeURIComponent(name) +
        "&s=" + encodeURIComponent(score) +
        "&hash=" + scoreHash;
    var req:URLRequest = new URLRequest("score.php" + query);
    var urlLoader:URLLoader = new URLLoader();
    urlLoader.addEventListener(Event.COMPLETE, scoreSent);
    urlLoader.load(req);
}

// Completion handler for the score request.
function scoreSent(e:Event):void
{
    trace("score submitted: " + URLLoader(e.target).data);
}

sendScore("James", "2:41");
Once the ActionScript is developed, the next step is to work out the PHP.
The PHP will take the same salt (which would be private) and test the hash to determine if the entry is valid.
<?php
// connection to database goes here
$salt = "439df098";

// Reject the request outright if any parameter is missing.
if (!isset($_GET['n'], $_GET['s'], $_GET['hash'])) {
    exit('missing parameters');
}
$name  = $_GET['n'];
$score = $_GET['s'];
$hash  = $_GET['hash'];

// Recompute the hash the client was expected to send. PHP joins strings
// with "." (the "+" operator would try to add them as numbers).
$expected = md5($salt . $score);

// Compare as strings in constant time; a loose "==" comparison of two
// hex strings can be coerced into a numeric comparison.
if (hash_equals($expected, (string) $hash))
{
    // Valid score submission.
    // enter score in database at this point.
}
else
{
    // error, log IP address for security purposes
}
?>
As you can see, this code is not very advanced, but it easily protects your score submission, or any type of form submission, from entries forged by editing the URL. Keep in mind that the salt has to be shipped inside the SWF for the client to compute the hash, so it is not truly private; this check stops casual URL tampering rather than a determined attacker.
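The same server-side check, as an added example that is not the post's own score.php, written so that both the signing and the verifying side run in one script. It swaps the bare MD5 of salt plus score for HMAC-SHA256 over the name and the score, validates the score format before touching the database, and compares with hash_equals(). The secret value, the "m:ss" score format and the sample submissions are assumptions constructed for the example.

```php
<?php
// Added example, not the post's own code. The secret below is a constructed
// stand-in for the post's salt; it must be identical on the signing client.
const SCORE_SECRET = '439df098';

// Build the string that gets signed. A separator that cannot appear in either
// field keeps ("ab", "c") from producing the same input as ("a", "bc").
function scoreSigningInput(string $name, string $score): string
{
    return $name . "\n" . $score;
}

// What the client (the SWF in the post) computes before submitting.
function signScore(string $name, string $score): string
{
    return hash_hmac('sha256', scoreSigningInput($name, $score), SCORE_SECRET);
}

// Server-side check. Returns true only for a well-formed score whose
// signature matches; anything else is treated as a tampered request.
function isValidSubmission(array $params): bool
{
    if (!isset($params['n'], $params['s'], $params['hash'])) {
        return false;
    }
    if (!is_string($params['n']) || !is_string($params['s']) || !is_string($params['hash'])) {
        return false;
    }
    // Accept only "m:ss" style times (assumed format) so garbage never
    // reaches the database even when the signature happens to be right.
    if (!preg_match('/^\d{1,2}:\d{2}$/', $params['s'])) {
        return false;
    }
    $expected = signScore($params['n'], $params['s']);
    // Constant-time string comparison; never coerces the hashes to numbers.
    return hash_equals($expected, $params['hash']);
}

// Constructed sample submissions standing in for $_GET.
$genuine = ['n' => 'James', 's' => '2:41'];
$genuine['hash'] = signScore($genuine['n'], $genuine['s']);

$tampered = $genuine;
$tampered['s'] = '0:01'; // score edited in the URL, hash left as originally sent

$missing = ['n' => 'James', 's' => '2:41']; // no hash parameter at all

var_dump(isValidSubmission($genuine));
var_dump(isValidSubmission($tampered));
var_dump(isValidSubmission($missing));
```

Run with the PHP CLI: the genuine submission is the only one accepted, since editing the score invalidates the signature and a missing hash is rejected before any comparison. Because the name is covered by the signature too, a player cannot attach someone else's time to their own name. As in the post, the secret still has to live in the client for it to sign requests, so this raises the bar for URL editing rather than making the client trustworthy.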
After a long day of compiling PHP, Apache, IMAP, Mailman… and the list goes on, I have the Zend Framework all set up. I haven't run any stress tests or long-term analysis on the framework, but so far I am happy.
One super simple example is this Flickr Compositor, which takes your search and creates a pretty neat composite image. There are also a bunch of other demos, so in a matter of minutes you can really get an idea of how powerful the Zend Framework is.
At the moment I have this system pretty feature packed, with apps such as:
When I get some more time I am going to be adding the Zend Framework to my development toolkit. I also plan to test out CakePHP and come up with a “best of” kit. The question is what do you prefer to use in your development?