Nowadays requests are not only from standard computers but also from many types of mobile devices like smart cards, mobile phones, laptops etc. So, using Open Authentication can make these devices  strong authentication devices.

What is the need for Oauth?

If it is possible to implement an authentication protocol for less than $10 then it will reduce the possibility of credit card fraud, it can reduce the cost of merchants, card associations and finally consumers.

It will increase user privacy by providing unique credentials without reentering the name or security number etc. Open Authentication means authenticate system which will allow users to share their private resources without sharing the user name/password/account details.

Vision for Oauth

The vision of Oauth concentrates on three important areas. They are

Credential and Security Devices – (SIM based, Public Key and OTP).
Authentication protocol framework
Credential provisioning and validation

The primary aim is to provide an all-in-one-security device, which can embed many basic authentication methods (for example authentication, encryption, signing, secure storage and physical access)

In the above mentioned methods, OTP is used in web applications for communication remote web services. For example Google Accounts, Facebook, Twitter, LinkedIn  social networks can be accessed through Oauth.

In future Oauth maybe the only option for remote application access instead of conventional API methods. It is more advantageous than the API method of contacting the remote application. In API methods, different applications will follow different standards and authentication procedures and the password or access id will last only for a limited period. But in Oauth, there is a single standard for all types for report application access and one time registering and life long access id and secret key. Now most of the open applications and social networks give provision for Oauth.

Magento – Overview: Multiple website concept is the soul feature of Magento. Multiple websites can be controlled from one administrative panel using a single database.  It allows store owners to maintain stores on different URLs and display the same products in all the URLs or site specific products.

Magento provides the option to let customers compare products in order to buy the most suitable one. Design can be easily integrated in Magento, which is developed using Zend framework for code effectiveness.

There are many Open Source extensions available for Magento. Each extension needs a key to be installed. We can extend the system by using Magento connect through the admin panel.

How to create multiple websites using Magento

To create multiple websites and stores, we need to create a website, a store and store view for each website using system configuration. Each website should have the unique code and enabled store views will be displayed in websites. We can set the base URL for each store for viewing it in different sub domains.
Magento Features

• Can control multiple websites/stores from one administrator panel
• Content Management System provided for static pages such as About Us, FAQ etc
• Multiple Currency Support
• Multi-lingual Support
• Newsletter Management
• Batch Import/Export of product updates
• SSL security support
• Customer Support and Order Inventory system
• SEO Friendly URLs are inbuilt in Magento
• Web services API with any third party integration
• In-built iPhone customized theme available
• Ability to assign the design for Category/Product level

Zikula and PostNuke: Originally,  Zikula was known by the name – PostNuke. Version 8 of PostNuke was released as Zikula Version 1 in July 2008.  The latest stable release in Zikula is Zikula V 1.2.3 – this was released on April 20, 2010.

Zikula – Features: Zikula can be used to develop just about any kind of website, right from a standalone weblog to a  multi-featured website like an e-commerce site.  A salient feature of the Zikula framework is its clear-cut distinction between content and design, which cuts down the development time for a website, thereby making it a cost-effective solution that delivers a quality product (website) for a low price.

The design (look/feel) of the website can be controlled through Zikula’s simple and elegant theme system, which allows the site-administrator to control and maintain the design by modifying only the relevant HTML code. The PHP code need not be touched/modified at all!

Additional functionalities and features can be easily added to any Zikula-based website. These features are readily available as extensions and plugins which can be downloaded and integrated into the website seamlessly. The plug-and-play nature of these extensions allows administrators to easily enable / disable the features in the website and thus give them control over how they wish their website to work.

Highlights of Zikula:

• Ease of Installation & Set up
• Comprehensive administrator panel
• Quick and easy development of websites
• Good Security & Performance
• Flexibility and Scalability of use
• Easy to use Template Management System
• Availability of Open Source Modules & Plugins in Zikula Community
• A helpful User Community

PHP is the most popular web programming languages in use today due in large part to the fact that it is a highly flexible syntax that can perform many functions while working flawlessly in conjunction with HTML. It is relatively easy to learn for beginners and is also powerful enough for advanced users. It works exceptionally well with open source tools, such as the Apache web server and MySQL database. In other words, its versatility is unsurpassed when compared to other scripting languages, making it the language of choice for many programmers.

There are various types of attacks that PHP is particularly vulnerable to. The two main types of attacks are human attacks and automated attacks, both of which can potentially devastate a website. The goal of PHP security is to minimize, and ultimately eliminate, the potential for both human and automated attacks by putting into place strategic lines of defense to eliminate access to your site by unverified users. The way you go about doing this is to target the most common types of PHP security breaches first, so that you can guard your website against malicious attacks. So what are the most common types of PHP security breaches?

Most Common PHP Security Vulnerabilities

1. Register_Globals

Register_Globals makes writing PHP applications simple and convenient for the developer, but it also poses a potential security risk. This setting is located in PHP’s configuration file, which is php.ini, and it can be either turned on or off. When turned on, it allows unverified users to inject variables into an application to gain administrative access to your website. Most, if not all, PHP security experts recommend turning register_globals off.

So instead of relying on register_globals, you should instead go through PHP Predefined Variables, such as $_REQUEST. To further tighten security, you should also specify by using: $_ENV, $_GET, $_POST, $_COOKIE, or $_SERVER instead of using the more general $_REQUEST.

2. Error Reporting

Error reporting is a great tool for diagnosing bugs. It allows you to fix bugs quicker and easier, but also poses a potential security threat. The problem occurs when the error is visible to others on-screen, because it reveals possible security holes in your source code that a hacker can easily take advantage of. If display_errors is not turned off, or has a value of “0?, the output will appear on the end user’s browser – Not good for security! If you want to set log_errors to on, then indicate the exact location of the log with error_log.

3. Cross-site Scripting (XSS)

Cross-site scripting, or XSS, is a way for hackers to gather your website’s user data by using malicious markup or JavaScript code to trick a user, or their browser, to follow a bad link or present their login details to a fake login screen, which, instead of logging them in, steals their personal information. The best way to defend against XSS is to disable JavaScript and images while surfing the web, but we all know that’s nearly impossible with so many websites using JavaScript’s rich application environment these days.

Useful for protecting against XSS is a useful PHP function called htmlentities(). This simple function works by converting all characters in html to their corresponding entities, such as “<” would convert to “<” (without the quotes).

4. Remote File Inclusion (RFI)

This type of attack is relatively unknown amongst developers, which makes it an especially damaging threat to PHP security. Remote file inclusion, or RFI, involves an attack from a remote location that exploits a vulnerable PHP application and injects malicious code for the purpose of spamming or even gaining access to the root folder of the server. An unverified user gaining access to any server can wreak major havoc on a website in many different ways, including abusing personal information stored in databases.

The best way to secure your site from RFI attacks is through php.ini directives – Specifically, the allow_url_fopen and the allow_url_include directives. The allow_url_fopen directive is set to on by default, and the allow_url_include is set to off. These two simple directives will adequately protect your site from RFI attacks.

Other PHP Security Tools

- PhpSecInfo

This useful tool reports security information in the PHP environment, and best of all, it offers suggestions for improving the errors. It is available for download under the “New BSD” license, and the PhpSecInfo project is always looking for more PHP developers to help improve this tool.

- PHP Security Scanner

This is a tool used to scan PHP code for vulnerabilities, and it can be used to scan any directory. PHP Security Scanner features an useful UI for better visualization of potential problems, and it supports basic wild card search functionality for filtering directories or files that are to be searched.

- Spike PHP Security Audit Tool

The Spike PHP Security Audit Tool is an open source solution for doing static analysis of PHP code. It will search for security exploits, so you can correct them during the development process.

Here, we have given some basic coding standard for setting up database configuration. This is very simple one without implementation of any framework. We have given it to explain how can we convert a normal code to a standard code.

$mysql = mysql_connect(‘localhost’, ‘test’, ‘test’);
mysql_select_db(‘sample’) or die(“cannot select DB”);

Trying a DRY approach

$db_host = ‘localhost’;
$db_user = ‘test’;
$db_password = ‘test’;
$db_database = ‘bwired’;

$mysql = mysql_connect($db_host, $db_user, $db_password);
mysql_select_db($db_database);

As the values normally don’t change, we can use constants

define(‘DB_HOST’, ‘localhost’);
define(‘DB_USER’, ‘test’);
define(‘DB_PASSWORD’, ‘test’);
define(‘DB_DATABASE’, ‘sample’);

$mysql = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);
mysql_select_db(DB_DATABASE);

After years of changing the values every time, you upload something to the live server

define(‘LIVE_ENV’, true);

if(LIVE_ENV) {
define(‘DB_HOST’, ‘localhost’);
define(‘DB_USER’, ‘test’);
define(‘DB_PASSWORD’, ‘test’);
define(‘DB_DATABASE’, ‘bwired’);
} else {
define(‘DB_HOST’, ‘testserver.com’);
define(‘DB_USER’, ‘testuser’);
define(‘DB_PASSWORD’, ‘test’);
define(‘DB_DATABASE’, ‘sample’);
}

$mysql = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);
mysql_select_db(DB_DATABASE);

Even better would be this

if ($_SERVER["HTTP_HOST"] == ‘www.domain.com’)  // remote live environment
{ … }
else // localhost test environment
{ … }

PHP5 procedural approach using the new mysql extension

$link = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_DATABASE);
if (!$link) {
printf(“Connect failed: %s\n”, mysqli_connect_error());
exit();
}

printf(“Host information: %s\n”, mysqli_get_host_info($link));
mysqli_close($link);

Some factors to take into account while choosing a CMS are :

• Simple Installation
• User friendly and comprehensive admin panel
• Availability of plugins and modules for extended functionality
• Simple template manipulation
• Helpful user community

Why Joomla? Joomla is designed in such a way that it can be set up easily even by a novice user. All credits to its  simple and quick  installation process, Joomla is the best recommended CMS for anyone who wants to build a site in just a few minutes. This CMS offers a large number of extensions that are available to users from the Joomla Extension Directory, considered to be the true power of Joomla.

Joomla is game for anything: Joomla is one most flexible CMS that can be used by users around the globe to build websites of all shapes and sizes. Whether it be an eCommerce website, or a community website, a government application website, a community-based portal, or a corporate website or a normal personal website , Joomla  is game for anything. The CMS is a powerhouse of capabilities that can help users in any kind of website building. Its powerful features have earned it tremendous recognition from users.

Joomla features even mummies would love: Joomla provides many features such as User Management, Content Management, Banner Management, Template Management, Web link Management, Newsfeed Management, Polls, Search, Web services and a lot more.

The latest version of Joomla 1.5 supports Template Over-riding, where one can control and change the look and layout of the output of Joomla Modules and Extensions without disturbing the core Joomla code. This feature gives website designers a certain level of control over the layout and the design of the website.

In this post, we are going to discuss about safety updates with MySQL and using that with PHP.

For beginners, a useful startup option is ‘safe updates’ (or –i-am-a-dummy, which has the same effect).

This option was introduced in MySQL 3.23.11. It is helpful during situations wherein you might have issued a “DELETE FROM tbl_name” statement but forgotten the WHERE clause. Normally, such a statement deletes all rows from the table. With ‘safe updates’, you can delete rows only by specifying the key values that identify them. Hence, this helps prevent accidental deletions.

When you use the ‘safe updates’ option, MySQL issues the following statement when it connects to the MySQL server:

SET sql_safe_updates=1, sql_select_limit=1000, sql_max_join_size=1000000;

The SET statement has the following effects:

You are not allowed to execute an UPDATE or DELETE a statement unless you specify a key constraint in the WHERE clause or provide a LIMIT clause (or both). For example:

UPDATE tbl_name SET not_key_column=val WHERE key_column=val;

UPDATE tbl_name SET not_key_column=val LIMIT 1

The server limits all large SELECT results to 1,000 rows unless the statement includes a LIMIT clause.

These are the options available with MySQL.

Now, we can use this in our coding by doing a small trick.

When you use the ‘safe updates’ option and connect MySQL at command prompt, MySQL issues the following statement when it connects to the MySQL server:

SET sql_safe_updates=1, sql_select_limit=1000, sql_max_join_size=1000000;’

So, we can use this “SET sql_safe_updates=1″ query in our PHP coding. After connecting with the server and selecting the db, we need to execute this query so that safety update will affect all the other queries executed thereafter. This will ensure that no updates or delete operations perform without the WHERE clause.

This is an useful and important safety measure which can be used in our projects to avoid accidental deletion of all records in a table.

<?
// This is will be useful to avoid sql injection which may delete all rows of a table

// http://dev.mysql.com/doc/refman/4.1/en/mysql-tips.html

error_reporting(E_ALL);

$con= mysql_connect(“localhost”,”sorna”,”password”);
mysql_select_db(“test1″,$con);
mysql_query(“SET sql_safe_updates=1″);

mysql_query(“DELETE FROM register”); // This line won’t delete the table since we have turned on the safe updates mode. It won’t execute the delete query when it doesn’t have where clause
mysql_query(“DELETE FROM register WHERE id=6″); // This line will delete the record in which id is 6
mysql_close();

?>

Please refer to code samples before moving to the explanation.

Cross-site scripting (XSS) allows code injection of harmful web users in the web pages used by other users. Attackers can do it by using client-side scripts which help them to exploit browser details.

Attackers mainly use this method to hack a site when users browse/enter sensitive data like username, password, bank account number etc. Everything seems fine to the end-user while entering crucial data, but they maybe subject to unauthorized access i.e. they might become a victim of hacking, whereby all their important data are given away to the hackers. This leads to financial and critical data loss.

Here is a solution called Session which can circumvent such hacking problems. Session code is set on the server-side. We can generate a random session key by using md5 for encryption so that the session code is never repeated and stands unique. This code is set as a hidden value in the page which is being browsed by the user. Session codes are never the same. They keep changing with the browser.

This session code can be submitted through URL or as a hidden field. As shown in the code, we check for the session code generated and submitted from the key session. If the person trying to hack the site tries to manipulate user data and submit it, the session code will be different or there will not be any session code. From this, we can check for user intrusion/hacking and stop such hackers from proceeding further.

Using session not only prevents intrusion, but also theft of crucial data by attackers/hackers. Above all, it ensures complete security to end-users.

Why this Whitelist?

• This is for security purposes and prevents site hacking and intrusion.
• This is used instead of Captcha where the user sometimes feels difficult to enter the Captcha code.
• Hidden fields are given in the form along with the required details fields.
• If any extra request comes from the form (user), there is an error saying that the site is being hacked.
• This way a site can be protected from SPAM and hacking. The security key, session key etc used here also helps against site hacking.

Below is an example code on how to achieve this:

Example Code

if(isset($_REQUEST['btn_submit'])){
if(isset($_SESSION['secure_key'])) //check the session form key
{
if($_SESSION['secure_key']==$_POST['form_key']) //check the form key
{
$white_list = array(‘tbx_field1′,’tbx_field2′,’tbx_field3′,’tbx_field4′); // List of submitting form possible fields.
foreach($_POST as $key=>$item){
//Check if the values posted by the form is in par with the white list array, if not error msg to hacker
if(!in_array($key, $white_list)){
$error_log = “You are trying to hack the site”;
}
}
}else{
$error_log=”Invalid form key”;
}
}else{
$error_log=”Session has expired”;
}
}
}