
Saturday, January 28, 2017

Web developers / students: don't save plain passwords in the database. There is a chance of HACKING!


Last week, I checked the source code of a couple of companies' websites to shield them from hacking. It was seen that they store plain passwords (as shown in the screenshot below) in their database. That is, you can see the password of every registered user in the database using any database tool like phpMyAdmin, SQLyog etc. It can be noted that many users use the same username and password for logging into multiple websites like Gmail, OnlineSBI etc. Thus hackers can easily enter multiple websites using a username and password stolen from a less secure website. So I recommend all of my readers to use different usernames and passwords on different websites.



Now we can come to our topic. From time to time, servers and databases are stolen or compromised by hackers all over the world. With this in mind, it is important to ensure that some important user data, such as passwords, cannot be recovered. In this tutorial, I will explain how the hashing technique helps us to escape from these situations.
Hashing converts a piece of data (either small or large) into a relatively short piece of data such as a string or an integer.
Normally, all famous hashing algorithms are "one-way" algorithms, meaning they convert your information (say a password) into a string of alphanumeric characters. md5(), crc32() etc. are widely used hashing functions.

In PHP, there are many built-in functions for hashing, and their format is very simple compared to other programming languages.
An example PHP hash function is md5(). Please use this code for md5 hashing:

From the screenshot, it is clear that the md5 function converts the information into a 32-character hexadecimal number (digits 0,1,2,3,4,5,6,7,8,9 and characters A,B,C,D,E,F). One hexadecimal character can be represented using 4 bits (i.e. 1 = 0001 and A = 1010), thus the md5 result is 128 bits wide.
You cannot reconstruct the original information (pravysoft calicut) from the result (00d79e8e609cfbdf5b75d80fdef96fb4).
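To make the "32 hex characters = 128 bits" point concrete, here is a small added example (my code, not the screenshot code from the post) that hashes the post's example string with md5() and expands the hex digest into the bits it represents:

```php
<?php
// Added example (not from the post): what md5() returns in PHP and why the
// post calls it a 128-bit code. The input string is the post's own example.

function md5_report(string $input): array
{
    $hex  = md5($input);          // 32 lowercase hexadecimal characters
    $bits = strlen($hex) * 4;     // each hex digit encodes exactly 4 bits

    // Expand every hex digit to 4 binary digits so the "1 = 0001, a = 1010"
    // mapping from the post is visible in the output.
    $binary = '';
    foreach (str_split($hex) as $digit) {
        $binary .= str_pad(base_convert($digit, 16, 2), 4, '0', STR_PAD_LEFT);
    }

    return [
        'hex'        => $hex,
        'hex_length' => strlen($hex),
        'bits'       => $bits,
        'binary'     => $binary,
    ];
}

$report = md5_report('pravysoft calicut');
printf("md5 hex digest : %s\n", $report['hex']);
printf("hex characters : %d -> %d bits\n", $report['hex_length'], $report['bits']);
printf("first 16 bits  : %s\n", substr($report['binary'], 0, 16));

// One-way, but deterministic: the same input always gives the same digest,
// which is what makes the precomputed hash databases mentioned later in the
// post possible. Changing a single character changes the whole digest.
printf("same input again  : %s\n", md5('pravysoft calicut') === $report['hex'] ? 'identical digest' : 'different digest');
printf("'Pravysoft calicut': %s\n", md5('Pravysoft calicut'));
```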

[Note: actually there are some hacking strategies to break/interpret md5, but that is out of the scope of this tutorial. Of course you can send me a request to know those techniques!!]

User Registration and Login Steps

Now we can check the user registration steps:
1. The user fills in their information in the registration form.
2. It is better to give the password field the type password (<input type="password">).
3. The submitted data is received by the web server.
4. Convert the submitted password to its md5 code. Discard the original password; it is not used anywhere!
5. Save this md5 data in the corresponding field in the database.


Now we can check the steps of the user login process:
1. The registered user types the username and password in the login window.
2. The submitted password is converted to its md5 code using the md5 function.
3. The code compares the usernames as well as the md5-based passwords.
4. If they match, it grants access to the user.

Thus if any hacker steals the database they will only get the md5 version of the password, not the original secret password!! Thus the users are protected from password hijackers.

But there are also some chances of hacking a password protected using a hashing algorithm. For showing a demo I am using another hashing function, crc32() [the md5 code is 128 bits wide, so the simulation would take a long time; crc32() produces only a 32-bit code, thus its simulation completes faster].


The screenshot below shows the result of the above code.



From the screenshot it is clear that the hash code of the string "PravySoft Calicut" is -332908207. Of course a hacker who has stolen the database cannot recover the string ("PravySoft Calicut") from this number (-332908207). But he can log in to the website using another password, and that hack is explained below. As you know, crc32 uses a 32-bit code, thus it has only 2 to the power 32 (2^32) combinations. Thus there is a chance for another string to produce the same hash code, i.e. -332908207. So if you know any other string which has the same hash code (say a duplicate), it can be used to log in to the website. Use the following code for finding a duplicate string:

<?php
set_time_limit(0);
// Target hash: computed from the example string rather than hard-coded, because
// crc32() returns a signed value (e.g. -332908207) on 32-bit PHP builds but the
// unsigned equivalent on 64-bit builds; a hard-coded signed value never matches there.
$target = crc32("PravySoft Calicut");
$var = 0;
while (true)  // infinite loop, exits when a duplicate is found
{
    // Candidate string: base64 of the counter, so every candidate is printable
    $candidate = base64_encode((string) $var);
    $current_value = crc32($candidate);
    echo "<br>checking value=" . $current_value;
    if ($current_value === $target)
    {
        echo "<br>duplicate string is " . $candidate;
        exit;
    }
    $var++;
}
?>



It will take some time to get the duplicate key/string. After getting the duplicate key you can check that the hash code of that duplicate key and the hash code of your string are equal (i.e. it is the same as the hash code of the example string "PravySoft Calicut"). Thus you can access the website using this duplicate key without knowing the original string.

How can you escape from this type of hacking? The better idea is not to use a low-range hashing algorithm like crc32. It is better to use the md5() or sha1() algorithms; they have 128-bit and 160-bit hash codes respectively, thus finding a duplicate key is very difficult and it takes a very long time to get one.

Some hacking sites keep a large number of duplicate keys to decode hash codes (the hash code database size is in the range of petabytes, i.e. 1000 terabytes = 1 petabyte). So hackers can find duplicate keys of some hash codes very easily [I am not discussing the websites where they store this data (I believe it is unethical)]. It is also a major problem for web developers to protect their website from unauthorized access. So in the next section we will discuss how you can block duplicate key access to your website.
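The registration and login steps listed above, and the duplicate-key problem just described, can both be covered with one added example (my code, not the post's). It implements the five registration steps and the four login steps with PHP's built-in password_hash() and password_verify() (salted bcrypt) in place of a bare md5()/sha1() call: each stored hash carries its own random salt, so a precomputed duplicate-key database built for one hash cannot be reused against any other account, and the bcrypt work factor makes every guess far more expensive than a single md5() call. The $users array stands in for the users table; the usernames and passwords are constructed demo data.

```php
<?php
// Added example (not part of the post): registration and login with
// password_hash()/password_verify() instead of md5(). $users stands in for
// the users table; all names and passwords below are constructed demo data.

function register_user(array &$users, string $username, string $password): bool
{
    if (isset($users[$username])) {
        return false;                       // username already taken
    }
    // Registration steps 4 and 5: hash the submitted password and store only
    // the hash. PASSWORD_DEFAULT is bcrypt today; the cost can be raised later.
    $users[$username] = password_hash($password, PASSWORD_DEFAULT);
    return true;                            // the plain password is discarded here
}

function login_user(array $users, string $username, string $password): bool
{
    // A fixed dummy hash keeps the unknown-user path as slow as the known-user
    // path, so response time does not reveal which usernames exist.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('dummy-password', PASSWORD_DEFAULT);
    }
    $stored = $users[$username] ?? $dummy;

    // Login steps 2 and 3: password_verify() re-hashes the submitted password
    // with the salt embedded in $stored and compares in constant time.
    $ok = password_verify($password, $stored);

    // Login step 4: grant access only for a real user with a matching hash.
    return $ok && isset($users[$username]);
}

// Constructed demo (not from the post).
$users = [];
register_user($users, 'alice', 'correct horse battery staple');
register_user($users, 'bob', 'correct horse battery staple');   // same password as alice

// What someone who steals the table sees: a "$2y$..." string containing the
// salt and cost, never the password, and a different string for each user
// even though alice and bob chose the same password.
echo "alice: " . $users['alice'] . PHP_EOL;
echo "bob:   " . $users['bob'] . PHP_EOL;

$attempts = [
    ['alice',   'correct horse battery staple'],   // correct password
    ['alice',   'hunter2'],                        // wrong password
    ['mallory', 'anything'],                       // unknown user
];
foreach ($attempts as [$user, $pass]) {
    printf("%-8s -> %s\n", $user, login_user($users, $user, $pass) ? 'access granted' : 'access denied');
}
```

The stored strings change on every run because the salt is random; that is the property that defeats a shared duplicate-key table, and it is why the lookup and comparison have to go through password_verify() rather than a plain string comparison against a recomputed hash.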

It is time for a small tea!! I will explain some other security issues and ways and means to protect your site from hacking; see you soon in the next post!!

Tuesday, May 31, 2016

Simple PHP script for making Excel files



This tutorial describes a simple way to generate a Microsoft Excel file from a PHP script. As you may have noticed, there are a lot of complicated external libraries for this purpose (like PHPExcel etc.). Here I am describing a simple way to generate Excel files without using any external library.

Please copy the following PHP code to your web server and run the file. You will see that a spreadsheet is automatically generated and you can download it. The contents of the Excel file are the same as given in the code.


<?php
// These two headers make the browser treat the response as an Excel download
header("Content-Type: application/vnd.ms-excel");
header("Content-disposition: attachment; filename=spreadsheet.xls");
// Print here what you want to see in Excel, for example
// ("\t" moves to the next column, "\n" to the next row):
echo 'First Name' . "\t" . 'Last Name' . "\t" . 'Mobile' . "\n";
echo 'Praveen' . "\t" . 'Thappily' . "\t" . '999999999' . "\n";
?>


I believe this code is self-explanatory. The file name should be given in the second header call; here the file name is "spreadsheet.xls". It can be noted that for changing the Excel column you have to use the tab character ("\t"), and similarly to go to the next row you need to use the newline character ("\n") in the code, as demonstrated above. The figure below shows a typical output Excel file.

You can use the same file for making an Excel file from your database (MySQL or MSSQL): just read it using a select query and echo the contents. If you have any doubt please contact us:
info.pravysoft@gmail.com
www.pravysoft.org
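The database variant mentioned above, as an added example (my code, not the post's): the same two headers and the same tab/newline layout, but with the rows read through PDO. An in-memory SQLite table stands in for the MySQL/MSSQL table so the script runs offline (this assumes the pdo_sqlite extension is available); the names and numbers are constructed. The one thing the original echo statements do not show is what happens when a cell value itself contains a tab or newline, or starts with a character the spreadsheet reads as a formula, so each cell is passed through a small cleaning function first.

```php
<?php
// Added example (not from the post): tab-separated .xls download with rows
// read from a database via PDO. The SQLite in-memory table and its contents
// are constructed stand-ins for the real MySQL/MSSQL table.

// Every cell goes through this before it is echoed. A tab or newline inside a
// value would otherwise push the following text into another column or row.
function excel_cell(string $value): string
{
    $value = str_replace(["\r\n", "\r", "\n", "\t"], ' ', $value);
    // A value beginning with =, +, -, or @ (e.g. a phone number written as
    // "+91 ...") is read as a formula when the file opens; a leading apostrophe
    // makes the spreadsheet show it as plain text instead.
    if ($value !== '' && strpos('=+-@', $value[0]) !== false) {
        $value = "'" . $value;
    }
    return $value;
}

// One spreadsheet row: cells separated by tabs, terminated by a newline.
function excel_row(array $cells): string
{
    return implode("\t", array_map('excel_cell', array_map('strval', $cells))) . "\n";
}

// Constructed sample table (assumption: the real script connects to its own DB).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE contacts (first_name TEXT, last_name TEXT, mobile TEXT)');
$insert = $db->prepare('INSERT INTO contacts VALUES (?, ?, ?)');
$insert->execute(['Praveen', 'Thappily', '999999999']);
$insert->execute(['Asha', "Nair\tK", '888888888']);        // tab inside a value
$insert->execute(['Deepak', 'Menon', '+91 7777777777']);    // leading '+' looks like a formula

// Same two headers as the original script; without them the browser shows text.
if (!headers_sent()) {
    header('Content-Type: application/vnd.ms-excel');
    header('Content-disposition: attachment; filename=spreadsheet.xls');
}

echo excel_row(['First Name', 'Last Name', 'Mobile']);
foreach ($db->query('SELECT first_name, last_name, mobile FROM contacts') as $row) {
    echo excel_row([$row['first_name'], $row['last_name'], $row['mobile']]);
}
```

Run from the command line the headers are silently ignored and the tab-separated rows are printed to the terminal, which is a convenient way to check the cell cleaning before wiring the script to a real table.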

Wednesday, January 23, 2013

Send SMS from JSP ASP and PHP projects

EASY way to send messages (SMS) from your project

In this post I would like to explain how you can send SMS from your web project. You can use any programming language. The method has worked successfully on the PHP, JSP and ASP platforms.






PravySoft SMS sender

Please do the following steps:

1) First you need a 160by2.com account.
You will get a free 160by2 account from this website:
http://160by2.com

2) Write down your username and password.
Normally the username would be your mobile phone number.

3) From your project, call this web link with your username, password and message as shown below:

http://pravysoft.eu5.org/sms.php?username=xxx&password=yyy&button=1&to=zzz&msg=abcd

Please replace
XXX with your username
YYY with your password
ZZZ with the mobile number of the recipient
ABCD with your msg.


Example PHP script

This is a simple code for demonstrating the method. For a real implementation please use the URL-encode function and the POST method (to hide the username and password from the URL).

<?php
$username = "your username";   // username you got from the 160by2.com website
$password = "your password";   // your password
$to       = "99956xxxxx";      // phone number to send the msg to
$msg      = "TEST";            // message to send; spaces and symbols are URL-encoded below
// http_build_query() URL-encodes every value, so spaces in the message do not break the link
$query = http_build_query(['username' => $username, 'password' => $password, 'button' => 1, 'to' => $to, 'msg' => $msg]);
echo '<a href="' . htmlspecialchars('http://pravysoft.eu5.org/sms.php?' . $query) . '">SEND SMS</a>';
?>


You can send SMS (text messages) from JSP and ASP in a similar way.
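The POST variant the post recommends for real use, as an added example (my code, not the post's): the request is made from the server with cURL, so the 160by2 username and password never appear in a link on the page or in a browser's address bar and history. Assumptions: the gateway at http://pravysoft.eu5.org/sms.php accepts the same five fields by POST, and the credentials are supplied through environment variables (constructed names SMS_USERNAME and SMS_PASSWORD) rather than written into the script.

```php
<?php
// Added example (not the post's code): send the SMS with a server-side POST.
// Assumes the gateway accepts the same fields by POST as it does in the URL.

function send_sms(string $gateway, string $username, string $password, string $to, string $msg): array
{
    // http_build_query() URL-encodes every field, so spaces and '&' in the
    // message cannot break the request or smuggle in extra parameters.
    $fields = http_build_query([
        'username' => $username,
        'password' => $password,
        'button'   => 1,
        'to'       => $to,
        'msg'      => $msg,
    ]);

    $ch = curl_init($gateway);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $fields,   // credentials travel in the body, not the URL
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_TIMEOUT        => 30,        // never let a slow gateway hang the web page
    ]);
    $body   = curl_exec($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $error  = curl_error($ch);
    curl_close($ch);

    return [
        'ok'     => $body !== false && $status === 200,
        'status' => $status,
        'body'   => $body === false ? '' : $body,
        'error'  => $error,
    ];
}

// Credentials come from the environment (constructed variable names), so they
// are not part of the source file or of any HTML sent to the browser.
$username = getenv('SMS_USERNAME') ?: '';
$password = getenv('SMS_PASSWORD') ?: '';
if ($username === '' || $password === '') {
    fwrite(STDERR, "set SMS_USERNAME and SMS_PASSWORD first\n");
    exit(1);
}

$result = send_sms('http://pravysoft.eu5.org/sms.php', $username, $password, '99956xxxxx', 'TEST message with spaces & symbols');
echo $result['ok']
    ? "sent (HTTP {$result['status']})\n"
    : "failed: {$result['error']} (HTTP {$result['status']})\n";
```

Because the call happens server-side, the page that triggers it can also check who is logged in before calling send_sms(), which the original link-based approach cannot do once the link is in the visitor's hands.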

If you want to know more or need code, please ask me:

info.pravysoft@gmail.com

or visit



Monday, March 7, 2011

webspider


PHP web spider
The tutorial below shows how to make a custom search engine by using the Yahoo BOSS API. If you're looking for search engine customization, then building your own search engine is something you'll want to look into. Here we are using an API provided by the Yahoo search service. Search APIs are nothing new, but typically they have included rate limits, strict terms of service regarding the re-ordering and presentation of results, and little or no opportunity for monetization.

These constraints have limited the innovation and commercial viability of new search solutions. The name of the API is BOSS.
BOSS (Build your Own Search Service) is different; it's a truly open API with as few rules and limitations as possible. With BOSS, developers and start-ups now have the technology and infrastructure to build next-generation search solutions that can compete head-to-head with the principals in the search industry.
Now we can go through the code.
At first you need to create an HTML web search page as shown below.

You will get a text box and a search button.
Here I created a text box with the name "search" and a submit button. I used the POST method for sending the form variables. For simple usage action="", which means the information is posted to the same page.
Now we can look at the main code of the web search engine.
<?php
if (isset($_POST['submit']))
{
    $search = $_POST['search'];
    // The search term becomes part of the URL path, so it must be URL-encoded
    $request = "http://boss.yahooapis.com/ysearch/web/v1/" . urlencode($search) . "?format=xml&appid=Uz.......................";
    // replace appid with your id
    $ch = curl_init($request);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    $response = curl_exec($ch);
    curl_close($ch);
    $xml = $response === false ? false : simplexml_load_string($response);
    if ($xml !== false) {
        // Display search results - Title, Date and URL.
        foreach ($xml->resultset_web->result as $result) {
            // Escape the values before placing them in the HTML page
            print '<a href="' . htmlspecialchars((string) $result->clickurl) . '">'
                . htmlspecialchars((string) $result->title) . '</a><br>' . "\n";
        }
    }
}
?>

At first you can see the isset($_POST['submit']) code, which checks whether the user clicked on the submit button or not. If this function returns true, that means the user clicked on the button. Then read the contents of the text box with the help of the $_POST array. In the next step you have to replace "appid" with your own BOSS id.


You will get the API id from the Yahoo BOSS web site.
After replacing the pravysoft appid with your own BOSS id, you can easily make your own web spider.
Now we can go through the PHP cURL functions. cURL is a library which allows you to connect and communicate with many different types of servers over many different types of protocols. Using cURL you can:
  • Implement payment gateways' payment notification scripts.
  • Download and upload files from remote servers.
  • Log in to other websites and access members-only sections.
The PHP cURL library is definitely the odd man out. Unlike other PHP libraries where a whole plethora of functions is made available, PHP cURL wraps up the major parts of its functionality in just four functions.
A typical PHP cURL usage follows this sequence of steps:
curl_init – Initializes the session and returns a cURL handle which can be passed to the other cURL functions.
curl_setopt – This is the main work horse of the cURL library. This function is called multiple times and specifies what we want the cURL library to do.
curl_exec – Executes a cURL session.
curl_close – Closes the current cURL session.
Please note that our BOSS API returns its output in a simple XML format, which contains information like click URL, title etc. So we have to convert the XML data, and to access the click URL it is better to insert the parsed XML data into an array.
Here I used an array $result to store the parsed XML data. Then, with the help of a foreach loop, I separated each title and click URL by giving the necessary indexes to the result array and placed them in the necessary places of the HTML page.
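The four-step cURL sequence and the XML handling described above, as an added example (my code, not the post's): fetch_url() wraps init/setopt/exec/close with the timeouts and failure checks the post's snippet leaves out, and parse_results() turns the resultset_web/result/title/clickurl layout the post's code reads into a plain array that a template can use. fetch_url() is not called below because the network is not needed to show the parsing; the XML it is run on is a constructed sample, not real BOSS output, and the function and option choices are mine.

```php
<?php
// Added example (not from the post): the cURL sequence as one function with
// timeouts and error checks, plus an offline parser and renderer for the BOSS
// result XML layout (resultset_web > result > title, clickurl).

function fetch_url(string $url): ?string
{
    $ch = curl_init($url);                          // 1. curl_init: get a handle
    curl_setopt_array($ch, [                        // 2. curl_setopt: describe the job
        CURLOPT_RETURNTRANSFER => true,             //    return the body instead of printing it
        CURLOPT_HEADER         => false,
        CURLOPT_FOLLOWLOCATION => false,            //    do not follow redirects to other hosts
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 15,               //    a slow search API must not hang the page
        CURLOPT_FAILONERROR    => true,             //    treat HTTP 4xx/5xx as failure
    ]);
    $body = curl_exec($ch);                         // 3. curl_exec
    curl_close($ch);                                // 4. curl_close
    return $body === false ? null : $body;
}

// Turn the BOSS XML into a plain array of ['title' => ..., 'url' => ...] entries.
function parse_results(string $xml): array
{
    // LIBXML_NONET: never fetch external DTDs or entities referenced by the document.
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    if ($doc === false || !isset($doc->resultset_web)) {
        return [];                                  // not the format we expect
    }
    $results = [];
    foreach ($doc->resultset_web->result as $result) {
        $results[] = [
            'title' => (string) $result->title,
            'url'   => (string) $result->clickurl,
        ];
    }
    return $results;
}

// Build the HTML fragment, escaping every value so markup inside a result
// title or URL is shown as text rather than interpreted by the browser.
function render_results(array $results): string
{
    $html = '';
    foreach ($results as $r) {
        $html .= '<a href="' . htmlspecialchars($r['url'], ENT_QUOTES) . '">'
               . htmlspecialchars($r['title'], ENT_QUOTES) . '</a><br>' . "\n";
    }
    return $html;
}

// Constructed sample response (not real BOSS output).
$sample = <<<XML
<?xml version="1.0" encoding="UTF-8"?>
<ysearchresponse responsecode="200">
  <resultset_web count="2" start="0" totalhits="2">
    <result><title>PravySoft home</title><clickurl>http://www.pravysoft.org/</clickurl></result>
    <result><title>Tom &amp; Jerry &lt;b&gt;search&lt;/b&gt;</title><clickurl>http://example.com/?q=a&amp;b</clickurl></result>
  </resultset_web>
</ysearchresponse>
XML;

echo render_results(parse_results($sample));
```

In the real page, `$sample` would be replaced by `fetch_url($request)` with a null check; keeping the parsing separate from the fetching is what lets it be exercised here without the network.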

Sunday, August 30, 2009

ASP vs. PHP

By Praveen Thappily
Hi, are you confused about whether ASP or PHP is better?
In my opinion it is PHP, because I am familiar with both scripts. But it doesn't mean ASP is not good for creating dynamic pages. ASP (Active Server Pages) is from Microsoft and is used with IIS (Internet Information Server), which runs on Microsoft servers. PHP (PHP: Hypertext Preprocessor) is from Rasmus Lerdorf (originally Personal Home Page), who designed this parsing language, which was later modified by different people. It runs on Unix and Linux servers and also has an NT server version.
Now we can look at the main differences between ASP and PHP.
First we can discuss the cost of these scripts. To run ASP programs one needs IIS installed on a Windows platform server, which is not free. PHP programs run on Linux, which is free. Even the database connectivity is expensive in the case of ASP, as MS-SQL is a product of Microsoft that needs to be purchased. PHP generally uses MySQL, which is freely available. There is no hidden cost for PHP, but buying ASP is a bit confusing. If you need encryption utilities you have to buy ASP Encrypt. If you need email management you have to buy Server Objects' QMail. If you need file uploading you have to buy Software Artisans' SA-FileUp. All this is built into PHP for free. That means you can directly download PHP from www.php.net free of cost!!
Now we can discuss the execution speed of both scripts. If we compare the speed of ASP and PHP, then PHP has the upper hand. PHP code runs faster than ASP. ASP is built on a COM-based architecture, which is an overhead for the server, whereas PHP code runs in its own memory space.
Now we can look at the platform compatibility of both scripts. PHP programs can run on various platforms like Linux, UNIX, Windows and Solaris, whereas ASP is mainly associated with Windows platforms. However, ASP can run on a Linux platform with ASP-Apache installed on the server.
In my opinion, for a beginner PHP is most suitable. PHP is really a Perl-like language and also a loosely typed language. It is based on the C++ language, and the syntax used in PHP is quite similar to C/C++. C/C++ is still considered the best programming language by many programmers, and people who love this language would surely feel more comfortable with the syntax of PHP. ASP, on the other hand, has a more Visual Basic kind of syntax, which again is closely related only to Microsoft products. So it depends from person to person which language he or she is comfortable with.
There is a funny thing: please look at the keyboard, our PHP tags < > ? / are situated nearby, but the ASP tags < > \ and % are far apart.... Don't take it as a serious point....



Database Connectivity
PHP, being extremely flexible, can connect to various databases, the most popular being MySQL. ASP mainly uses MS-SQL. I am an open source software developer and adviser, so I like the Apache, Ubuntu (Linux OS, www.ubuntu.com), PHP (www.php.net), MySQL (www.mysql.org), Mozilla Firefox (great browser) combination. Please use these great tools. Now we can conclude our topic. Both languages have their advantages specific to users... If we talk about developing a discussion board then ASP is equally capable, but many feel the best discussion boards are developed in PHP. If a user is looking for some e-commerce application development then many would call ASP the ideal choice. This does not mean that PHP cannot provide e-commerce solutions, only that many people choose ASP. So now take a good decision.
If you find any wrong content in this blog please mail me at pravymon@gmail.com. Please comment on this article. Praveen Thappily, PravySoft