If you’ve published your email address on your website, you know it can be caught by automated scripts that crawl the web to find potential mailboxes to spam.

So how can you publish your email while hidding it from spammers? The answer is easy: simply use some Javascript to break your email address into multiple lines of code so it won’t be caught by those malicious scripts.

Here’s an example:

<script type=”text/javascript” language=”javascript”>
document.write(‘<a href=”mailto:johndoe’);
document.write(‘@nowhere.com”>Send me an email</a>’);
</script>

Inserting this code in your web page would display an email link that is invisible to search engines since they do not support client-side scripting.

I used to use phpDig a lot but since it hasn’t been updated since 2005, so I need to find an alternative. I’ve found out about Sphider, a free PHP crawler, so we’re going to try it out today.

Installing Sphider

This is a quick and dirty guide to installing Sphider.

1. Grab yourself a copy of Sphider.
2. Extract the content from the archive and upload it to your web server. For my part, I’ve uploaded it into http://www.mydomain.com/search
3. Unless you want to use an existing MySQL database, create a new one.
4. From your Sphider directory, edit settings/database.php and set the connexion parameters for your database. Save the file and exit the editor. Upload the file to your web server.
5. Again from the Sphider directory, edit admin/auth.php and set the username and password you want to access the administration interface. Save the file and exit the file editor.
6. Open your browser and point it to http://www.yourdomain/search/admin/install.php (or whatever directory you installed Sphider into).
7. The database tables should’ve been created successfully at this point. If not, verify your connexion settings in settings/database.php
8. Click on the admin.php link, it will take you to the administration interface.
9. Under the Site tab, click on Add Site and enter the information for the web site you wish to index.
10. Click on the Reindex All link. This may consume a lot o resource though, make sure you don’t get your hosting account suspended.
11. Once the indexing process is completed, open your browser at http://www.yourdomain.com/search/search.php and try searching your website. I was impressed, Sphider seems pretty fast considering I had over 1000 pages to index.

So that’s pretty much it, you now got a local search engine on your website. Here are a few tips to make it better:

Disallow Indexing Of Unwanted Directories

Create a robots.txt file a the root of your website and include the following content to disallow spidering of unecessary folders:

User-agent: *
Disallow: /admin
Disallow: /go
Disallow: /oa
Disallow: /search
Disallow: /visit
Disallow: /feed

Setup A Scheduled Task To Reindex Your Website Automatically

Use CRON (on Linux-based servers) to schedule a reindexing task. If you’re running a dedicated server and that your control panel does not allow you to manage cron tasks, create a file named sphider.sh in /etc/cron.daily and insert the following content:

#!/bin/sh
/path/to/php /path/to/sphider/admin/spider.php -all >> /dev/null

This will reindex all websites everyday. Of course you could set a different indexing cycle and set different spidering options.

If you are using cPanel, here’s how to setup a cron job to execute spider.php once a day at 1am:

Change the default search page

Instead of using http://www.yourdomain.com/search/search.php, you can make the search page the default page. Simply rename /search/search.php to /search/index.php and replace all occurences of search.php by index.php in /search/templates/search_form.php.

Of course if you use another template than the standard one, you’ll have to modify it too.

This may be useful but if you need a little more control, here’s how to dynamically add pages to your WordPress sitemap:

1. Edit /wp-content/plugins/google-sitemap-generator/sitemap.php

2. Find the line that reads:

$this->AddElement(new GoogleSitemapGeneratorXmlEntry(“</urlset>”));

3. Just before this line, insert:

include(“mysitemap.php”);

4. Create a new empty file into /wp-content/plugins/google-sitemap-generator/ and save it as mysitemap.php.

5. Insert the following content into your newly created file:

<?php

$this->AddElement(new GoogleSitemapGeneratorXmlEntry(” <url>”));

$this->AddElement(new GoogleSitemapGeneratorXmlEntry(“\n <loc>http://www.yourdomain.com/document.html</loc>”));

$this->AddElement(new GoogleSitemapGeneratorXmlEntry(“\n <changefreq>weekly</changefreq>”));

$this->AddElement(new GoogleSitemapGeneratorXmlEntry(“\n <priority>0.5</priority>”));

$this->AddElement(new GoogleSitemapGeneratorXmlEntry(“\n </url>\n”));

?>

6. Once your done, upload sitemap.php and mysitemap.php to your web server.

Of course the iteration process has to occur between the <url> and </url> entries (the part identified in red). You can dynamically add pages using an SQL query for example.

The sitemap.xml and sitemap.xml.gz files will automatically be updated with your dynamic entries next time your rebuild your sitemap.

For my part, I like to use Notepad++, an open-source editor way more powerful than Notepad.

Here’s how to change the default source code viewer for Internet Explorer in Windows XP (it might work for 2000 and Vista as well):

1. Download and run TweakUI from Microsoft’s PowerToys.
2. Expand the “Internet Explorer” section and click on “View Source”

   

3. Hit the “Change Program” button and select the desired viewer.
4. Click on OK and relaunch Internet Explorer.

That’s it! No more Notepad to view the source code of a web page.

Personnally I’ve been using CodeCharge Studio from YesSoftware for about four years (since version 2) to develop PHP websites. While I haven’t used any other programming languages it offers, here are its possibilities:

• PHP 4/5
• ASP 3.0
• ASP.NET C#
• ASP.NET VB
• CFML 4.01/MX
• JSP 1.1 JDK 1.3
• Perl 5.0
• Servlets 2.2 JDK 1.3

CodeCharge Studio allows you to create multilingual applications by storing text content in a language file. This way you can even have contributors translating your application in various languages. CodeCharge supports most open source and commercial database formats.

Enough talk, let me show how you fast it can create a record form to manage data from a MySQL table. For this video, I’ve used the database from this post. The only thing I’ve created in advance is the ODBC link and the folder on my webserver.

Watch CodeCharge Studio demo here (can take a while to load)

This is not a tutorial, it just goes to show you how much time you can save with CodeCharge Studio.

Time spent developing: 7:25 minutes. 

I also love the fact that I can learn to use a single development environment for multiple programming languages.

So suppose usually that you would have charged $70 for this two-hour project, you would have made $35 an hour for coding this from scratch. Using CodeCharge, you could’ve done it in half an hour, charged your client $60 (to be slightly cheaper than your competitors) and you would have made $120 an hour.

That’s a 343% increase in profitability.

If you’re not a programmer and you’re hiring someone to do that, maybe you want to see how they’re coding and where goes your money.

Click here to visit CodeCharge website.

At the time of this writing, the current version of nUbuntu is based on Ubuntu 6.10 - Edgy Eft. Some of the better known tools are:

• Nmap – A network exploration and security auditing tool.
• Yersinia – Network tool designed to take advantage of some weakeness in different network protocols.
• Ettercap – A sniffer for switched LANs.
• Kismet - A 802.11 layer2 wireless network detector, sniffer, and intrusion detection system
• Dsniff – Collection of tools for network auditing.
• Wireshark – Network protocol analyzer examination of data from a live network, or from a capture file on disk.

Listing the /tools directory shows us available tool categories: bluetooth, cisco, database, enum, exploit, forensics, fuzzers, passwords, and scanners.

Test Your Webserver’s Vulnerability With BED v0.5

Some of the included need to be executed as root. In this case, use sudo [command]. Change directory to /tools/fuzzers/bed and run sudo ./bed.pl to see its usage feedback. Suppose you’d like to test for buffer overflow on a particular host, use:

# sudo ./bed.pl -s HTTP -t 192.168.0.1

Of course, change the IP to the one of the server you want to test.

There is also the DNS Enum tool you might want to check out for testing your name resolution system. A well-managed domain won’t give up too much information or a zone transfer. To launch DNS Enum, change directory to /tools/enum/dnsenum and enter:

# ./dnsenum.pl [domain] [dns.txt]

If you’d like to know more about nUbuntu, visit http://www.nubuntu.org. Other security distros can be found through http://www.securitydistro.com.

How many of you have stored their database password into an includable PHP configuration file? And how many of you are using the same password for more than one database? Well let me tell you, chances are, if you are running a WordPress blog, you’ve already got a password stored into wp-config.php. Now what if your webserver’s configuration got messed up and started serving PHP files as plain text instead of parsing them?

And believe me it can happen, I once moved a website to somebody else’s server which wasn’t configured properly and it showed the content of PHP scripts!

Encrypting Your PHP Scripts

Encrypting PHP files does not only protect your passwords, it also protects your intellectual property. Sure, open-source is a beautiful thing but let’s say you’ve develop this awesome PHP application and you distribute it for free. What’s the best way to find it’s vulnerability? Just go through the source code and find out!

There are a bunch of commercial softwares that allow you to encrypt your PHP files:

• Zend Guard : Previously known as Zend Encoder, Zend Guard protects your commercial PHP 4 and PHP 5 applications from reverse engineering, unauthorized customization, unlicensed use and redistribution. Encrypted files require Zend Optimizer (free) to be installed on the webserver. Yearly license: $995 USD.
• SourceGuardian For PHP : PHP Encoder : Best know as PHP Encoder SourceGuardian is an advanced package with a long list of features for making the resulting code as hard to read as possible. There are no requirements as to running encrypted PHP scripts on a webserver. Full license: $250 USD.
• ionCube PHP Encoder : ionCube provides PHP file encryption through a software or online on a pay-per-download basis. This entry-level encryption application is more affordable than its two competitors. Pricing : $199 USD.

There are also some open-source encryption softwares available for free but they haven’t been updated in awhile (over 3 to 4 years ago!) so I don’t recommend them. However you can try them out if you really want to:

• Turck MMCache for PHP : While it requires to install additional software on the server, it is also compatible with Zend Optimizer.
• PHP Obfuscator (POBS) : POBS is written in PHP and is to be used online from your webserver.

If you know of any other method of protecting / encrypting PHP scripts, let us know!

Email form injection is what we’ll be discussing about today. This form of attack is mainly used to send spam mail through the exploited server. We’ll see what precaution we can take by validating the input before it is sent to server and after it is being sent but just before processing it.

Let’s say we want to secure this simple email form:

Client-Side Protection

There are a some precautions you can take on the client-side (before the form is submitted) in order to avoid email form injection:

• Limit the maximum length of each field so that it may be harder to inject malicious instructions (while still not totally impossible);
• Add an additional field to require an anti-spam question (like 2+3=?) to ensure it’s being accessed by a human and not a script;
• Replace text fields by dropdown menus or checkboxes where possible (does not apply for the above form example);

Server-Side Protection And Validation

In order to prevent form injection, let’s start by validating the sender’s email address using the preg_match function. The following would prevent an email to be sent if the sender’s email address format is incorrect:

<?
$email_pattern = ‘/^[^@\s]+@([-a-z0-9]+\.)+[a-z]{2,}$/i’;

if (!preg_match($email_pattern, $sender_email)){
  die(“Your email address is incorrect”);
}
?>

Next we could filter out carriage returns from text fields (but not text areas of course):

<?
if (eregi(“(\r|\n)”, $subject))
     die(“Form injection detected”);
?>

Making sure that the validation script is being sent data from a browser will also rule out some bots:

<?
if(!isset($_SERVER['HTTP_USER_AGENT'])){
   die(“Forbidden – You are not authorized to view this page”);
   exit;
}
?>

There are also a few strings you may want to make sure they aren’t passed to your script:

$badstrings = array(“Content-Type:”,
                     “MIME-Version:”,
                     “Content-Transfer-Encoding:”,
                     “bcc:”,
                     “cc:”);

foreach($_POST as $key => $value){
   foreach($badstrings as $badstring){
       if(strpos($value, $badstring) !== false){
          die(“Forbidden – You are not authorized to view this page”);
          exit;
       }
   }
}

I’ve got another post where you can learn more on how to send emails with PHP.

Here’s the basic mail() function syntax:

mail ( string $to, string $subject, string $message [, string $additional_headers [, string $additional_parameters]] )

A good knowledge of mail headers is required in order to achieve advanced results. Fortunately there are easier ways of sending emails with PHP.

Introducing The PHPMailer Class

PHPMailer is a full featured email transfer class for PHP. Here are a few features:

• Can send emails with multiple TOs, CCs, BCCs and REPLY-TOs
• Redundant SMTP servers
• Multipart/alternative emails for mail clients that do not read HTML email
• Support for 8bit, base64, binary, and quoted-printable encoding
• Uses the same methods as the very popular AspEmail active server (COM) component
• SMTP authentication
• Word wrap
• Address reset functions
• HTML email
• Tested on multiple SMTP servers: Sendmail, qmail, Postfix, Imail, Exchange, etc
• Works on any platform
• Flexible debugging
• Custom mail headers
• Multiple fs, string, and binary attachments (those from database, string, etc)
• Embedded image support

How To Use PHPMailer

First get your copy of PHPMailer from SourceForge or you can get it here too. Extract the phpmailer folder from the archive and upload it to the root of your website. You can delete the following files / folders:

• /phpmailer/test
• /phpmailer/ChangeLog.txt
• /phpmailer/docs
• /phpmailer/phpdoc
• /phpmailer/LICENCE
• /phpmailer/README

Now let’s create a php file named sendemail.php at the root of your website. At this point you should have a file / folder structure like this:

• http://www.yourwebsite.com/phpmailer
• http://www.yourwebsite.com/sendemail.php

Here’s the content of sendemail.php:

<?
error_reporting(E_ALL);

require(‘phpmailer/class.phpmailer.php’);

$mail = new PHPMailer();

$mail->Host = “localhost”;
$mail->Mailer = “smtp”;

$mail->From = “my@email.com”;
$mail->FromName = “Bill Gate”;
$mail->Subject = “How are you?”;

$htmlmsg = “Hey there,<br><br>What have you been up to lately?<br>Waiting for your news!<br><br>” .
  ”See you soon,<br>Your friend”;
$txtmsg = str_replace(“<br>”, “\n”, $htmlmsg);

$mail->Body = $htmlmsg;
$mail->AltBody = $txtmsg;

$mail->AddAddress(myfriend@hotmail.com, “Joe”);
$mail->AddAddress(“myotherfriend@gmail.com”, “Jack”);

if($mail->Send())
 echo “Email sent successfully”;
else
 echo “Email has not been sent”;
?>

Of course, there is a lot more you can do with PHPMailer like embedding images, sending attachments, etc. Have a look at “docs\extending.html” from the PHPMailer archive.

Conversion to PHP 5 has been really slow. According to Nexen.net for August 2007, 78% of websites are still using PHP 4. PHP 4.4.7 is still the popular choice while PHP 5.2.3 is good second.

PHP.net has a migration guide for PHP4 to PHP5 as well as guides for PHP 5.0 to 5.1 and PHP 5.1 to 5.2.

If you are using CentOS 4, I’ve written an article about migrating from PHP 4.3.9 to 5.1.6.