
want to upgrade php to version 5.2+, here is how

15 Dec

# nano /etc/yum.repos.d/CentOS-Testing.repo

paste this code in it

# CentOS-Testing:
# !!!! CAUTION !!!!
# This repository is a proving grounds for packages on their way to CentOSPlus and CentOS Extras.
# They may or may not replace core CentOS packages, and are not guaranteed to function properly.
# These packages build and install, but are waiting for feedback from testers as to
# functionality and stability. Packages in this repository will come and go during the
# development period, so it should not be left enabled or used on production systems without due
# consideration.
[c5-testing]
name=CentOS-5 Testing
baseurl=http://dev.centos.org/centos/$releasever/testing/$basearch/
enabled=1
gpgcheck=1
gpgkey=http://dev.centos.org/centos/RPM-GPG-KEY-CentOS-testing
includepkgs=php*

save it and

# yum update

# service httpd restart

Now you are there.
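The banner inside the repo stanza itself says a testing repository should not be left enabled on a production system, and the other lines in it (gpgcheck, includepkgs, the http:// transport the key comes over) decide how much a compromised or sloppy mirror could do to the box. Here is a small check over a .repo file that reports exactly those points. This is an added Python example, not code from the post; the sample stanza is the one above with the comment banner shortened, and the severity labels are my own.

```python
import configparser

# Constructed sample: the repo stanza from the post above, comment banner shortened.
SAMPLE_REPO = """\
# CentOS-Testing: proving grounds for packages on their way to CentOSPlus and Extras.
[c5-testing]
name=CentOS-5 Testing
baseurl=http://dev.centos.org/centos/$releasever/testing/$basearch/
enabled=1
gpgcheck=1
gpgkey=http://dev.centos.org/centos/RPM-GPG-KEY-CentOS-testing
includepkgs=php*
"""


def parse_repo_file(text):
    """Parse yum .repo text (INI syntax) into {section: {option: value}}.
    Interpolation is switched off so $releasever / $basearch stay literal."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def audit_repo_file(text):
    """Return (severity, section, message) findings for every enabled repo in the file."""
    findings = []
    for section, opts in parse_repo_file(text).items():
        # yum treats a missing 'enabled' as 1; a disabled repo cannot install anything
        if opts.get("enabled", "1").strip() != "1":
            continue
        if opts.get("gpgcheck", "").strip() == "0":
            findings.append(("HIGH", section, "gpgcheck=0: unsigned packages would be installed"))
        elif "gpgcheck" not in opts:
            findings.append(("MEDIUM", section, "gpgcheck not set: inherits [main]; set gpgcheck=1 explicitly"))
        if "testing" in section.lower() or "/testing/" in opts.get("baseurl", ""):
            findings.append(("MEDIUM", section, "testing repository enabled: set enabled=0 once the upgrade is done"))
        if "includepkgs" not in opts:
            findings.append(("MEDIUM", section, "no includepkgs: this repo may replace any core package"))
        for key in ("baseurl", "gpgkey"):
            if opts.get(key, "").startswith("http://"):
                findings.append(("LOW", section,
                                 f"{key} is fetched over plain http; gpgcheck still verifies packages, "
                                 "but the key itself arrives unauthenticated"))
    return findings


def weaker_variant(text):
    """Constructed counter-example: the same stanza with signature checking off and no package filter."""
    return text.replace("gpgcheck=1", "gpgcheck=0").replace("includepkgs=php*\n", "")


if __name__ == "__main__":
    for label, sample in (("post's stanza", SAMPLE_REPO), ("weakened stanza", weaker_variant(SAMPLE_REPO))):
        print(label)
        for severity, section, message in audit_repo_file(sample):
            print(f"  [{severity}] {section}: {message}")
```

The post's stanza comes out with no HIGH finding: gpgcheck=1 keeps package signatures verified and includepkgs=php* stops the testing repo from replacing anything but PHP. What remains is the note to disable it again after the upgrade; the alternative is to leave enabled=0 in the file and run the one-off upgrade as yum --enablerepo=c5-testing update, so that a routine yum update later cannot pull in further testing builds.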

 
 

How to install and configure sending and receiving emails on Centos 5.5

30 Jul

ok. I had a hard time installing mail on my fresh server. There are definitely many tutorials out there, but they just seem to be designed for advanced users.
after battling for hours, I finally got sendmail uninstalled, my DNS MX and A records updated, postfix installed, dovecot installed, squirrelmail installed, and all talking to one another without problems.

I stand to be corrected in case I say something that's not right. I am still new with Linux.

yum install postfix dovecot system-switch-mail system-switch-mail-gnome

next
note that I skipped some settings; the settings I skipped should be left the way they are

nano /etc/postfix/main.cf

edit the settings below so that they match these values

myhostname = mail.yourdomain.com

mydomain = yourdomain.com

myorigin = $mydomain

inet_interfaces = all
mynetworks_style=host

mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128

alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

recipient_delimiter = +
home_mailbox = Maildir/
mydestination = mail.yourdomain.com, localhost.yourdomain.com, , localhost

save that and exit nano

next lets configure dovecot

nano /etc/dovecot/dovecot.conf

edit it to match this; if some of the lines are not there, check the include files, since some settings live in them
protocols = pop3 imap
mail_location = maildir:~/Maildir/
pop3_uidl_format = %08Xu%08Xv
imap_client_workarounds = delay-newmail outlook-idle netscape-eoh
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh

now let's set the aliases in /etc/aliases (the file named by alias_maps above). That way, when someone sends email to, say, support@yourdomain.com, root can get it if you want.
something like this:

payments: root
accounts: root
billing: root

now the user who will receive root's mail has to be set as well.
in my case I had something like this:


root: admin

so after saving and exiting, I had to create a user called admin and give him a password

useradd admin
passwd admin

in case you already have another user you want to receive the emails, just skip my last step

next we need to make dovecot startup as a service

chkconfig --level 345 dovecot on

start the services


service dovecot start
service postfix start

next you have to go over to your DNS host, i.e. the host you pointed your domain name to.
if you purchased from GoDaddy and pointed your NS to Rackspace, then you should be going to Rackspace to edit your MX records.
my host has a clean interface to do this

i copied this straight from my account with rackspacecloud.com


name                  content          domain           TTL  type
yourdomain.com        xx.xx.xxx.xxx    yourdomain.com   300  A
www.yourdomain.com    yourdomain.com   yourdomain.com   300  CNAME
yourdomain.com        yourdomain.com   yourdomain.com   300  MX
mail.yourdomain.com   xx.xx.xxx.xxx    yourdomain.com   300  A

the last 2 entries are what you should be adding (xx.xx.xxx.xxx = IP of the server); it may take time to propagate through the DNS servers.
next you need to configure the firewall to open port 25 so that mail can come in, then save and restart the firewall


iptables -I INPUT -p tcp --dport 25 -j ACCEPT
service iptables save
service iptables restart

by now you should be able to send and receive emails but reading the emails can be very challenging, so we need squirrelmail.

remove sendmail so it doesn't interfere

yum remove sendmail

next, download squirrelmail. I don't know which way works for you; just google it and get the tarball onto the server

extract it
tar -zxvf squirrelmail-webmail-x.x.xx.tar.gz

next move it to a directory accessible on the server via http,
so that when you type http://yourdomain.com/squirrelmail-webmail-x.x.xx/
you can access it

you will need perl to install squirrelmail
if you don't have it, just

yum install perl
next cd into the squirrelmail dir

run this command

perl conf.pl

or depending on the location of conf.pl

perl config/conf.pl

follow the steps to the end

also note that you will end up creating some directories manually and giving their ownership to root:apache

mkdir /var/squirrelmail
mkdir /var/squirrelmail/data
mkdir /var/squirrelmail/attach

chown root:apache /var/squirrelmail
chmod 730 /var/squirrelmail

chown root:apache /var/squirrelmail/data
chmod 730 /var/squirrelmail/data

chown root:apache /var/squirrelmail/attach
chmod 730 /var/squirrelmail/attach

the rest should be a breeze
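To see what the main.cf and /etc/aliases settings above actually do, here is an added Python example (not part of the post) that parses both files: it expands $parameter references the way Postfix does, checks which clients mynetworks lets relay through the server (with inet_interfaces = all the server listens on every address, so mynetworks is what keeps it from being an open relay), and follows alias chains such as payments -> root -> admin to the mailbox that finally gets the mail. The samples are the post's own values, embedded as constructed strings.

```python
import ipaddress
import re

# Constructed samples: the main.cf and /etc/aliases values from the post above.
SAMPLE_MAIN_CF = """\
myhostname = mail.yourdomain.com
mydomain = yourdomain.com
myorigin = $mydomain
inet_interfaces = all
mynetworks_style=host
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
recipient_delimiter = +
home_mailbox = Maildir/
mydestination = mail.yourdomain.com, localhost.yourdomain.com, , localhost
"""

SAMPLE_ALIASES = """\
payments: root
accounts: root
billing: root
root: admin
"""


def parse_main_cf(text):
    """Parse 'name = value' lines; a line starting with whitespace continues the previous value."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last is not None:
            params[last] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            last = name.strip()
            params[last] = value.strip()
    return params


def expand(value, params, depth=0):
    """Expand $name / ${name} references to other parameters, recursively, as Postfix does."""
    if depth > 10:
        raise ValueError("parameter expansion too deep (self-referencing setting?)")
    return re.sub(r"\$\{?(\w+)\}?",
                  lambda m: expand(params.get(m.group(1), ""), params, depth + 1), value)


def split_list(value):
    """Postfix lists may be separated by commas and/or whitespace."""
    return [item for item in re.split(r"[,\s]+", value.strip()) if item]


def as_network(entry):
    """mynetworks entry -> ip_network. Postfix writes IPv6 as [addr]/prefix, and an
    IPv4-mapped IPv6 network (::ffff:a.b.c.d with prefix >= 96) is folded back to IPv4."""
    m = re.fullmatch(r"\[([^\]]+)\](/\d+)?", entry)
    literal = m.group(1) + (m.group(2) or "") if m else entry
    net = ipaddress.ip_network(literal, strict=False)
    if net.version == 6 and net.prefixlen >= 96 and net.network_address.ipv4_mapped is not None:
        net = ipaddress.ip_network(f"{net.network_address.ipv4_mapped}/{net.prefixlen - 96}", strict=False)
    return net


def relay_findings(params):
    """Report for which clients this Postfix relays. Loopback only is what the post configures;
    a prefix length of 0 means every client on the internet can relay (open relay)."""
    findings = []
    entries = split_list(expand(params.get("mynetworks", ""), params))
    if not entries:
        style = params.get("mynetworks_style", "subnet")  # Postfix default when mynetworks is unset
        if style != "host":
            findings.append(f"mynetworks unset and mynetworks_style={style}: relays for the whole subnet")
        return findings
    for entry in entries:
        try:
            net = as_network(entry)
        except ValueError:
            findings.append(f"unparseable mynetworks entry: {entry}")
            continue
        if net.prefixlen == 0:
            findings.append(f"OPEN RELAY: mynetworks entry {entry} trusts every client")
        elif not net.is_loopback:
            findings.append(f"relays for non-loopback network {entry}")
    return findings


def parse_aliases(text):
    """Parse /etc/aliases 'name: target, target' lines into {name: [targets]}."""
    table = {}
    for line in text.splitlines():
        name, sep, targets = line.split("#", 1)[0].partition(":")
        if sep:
            table[name.strip()] = split_list(targets)
    return table


def resolve_alias(name, table, _path=()):
    """Follow alias chains (payments -> root -> admin) to the final mailboxes, refusing loops."""
    if name in _path:
        raise ValueError("alias loop: " + " -> ".join(_path + (name,)))
    if name not in table:
        return [name]
    final = set()
    for target in table[name]:
        final.update(resolve_alias(target, table, _path + (name,)))
    return sorted(final)


if __name__ == "__main__":
    cfg = parse_main_cf(SAMPLE_MAIN_CF)
    print("myorigin expands to:", expand(cfg["myorigin"], cfg))
    print("relay findings for the post's config:", relay_findings(cfg) or "none (loopback only)")
    print("relay findings for mynetworks = 0.0.0.0/0:", relay_findings(dict(cfg, mynetworks="0.0.0.0/0")))
    for alias in ("payments", "billing"):
        print(alias, "->", resolve_alias(alias, parse_aliases(SAMPLE_ALIASES)))
```

Postfix looks aliases up in the hashed database named by alias_database, not in the text file, so after editing /etc/aliases run newaliases to rebuild it, otherwise the chain above is not what the server uses. On a live box, postconf -n prints the non-default settings if you want to feed real values into the checks instead of the constructed sample.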

Sources:
http://www.rackspace.com/knowledge_center/index.php/Postfix_-_MX_Records_and_Receiving_Emails
http://www.linuxmail.info/postfix-smtp-auth-dovecot-sasl/

 
 

learning Red5 and Java.

05 Feb

yea, it's been long since I visited my own blog.

All thanks to the series of events I have been experiencing since the 10th of September 2010. I was robbed and lost a 2009 Toyota Sienna. Sorry I didn't configure an event listener, so you didn't know.

Yea, this.addEventListener(MouseEvent.CLICK, boom);

That's one of the things I am getting addicted to every day. I had to put PHP aside and pick up Java and ActionScript.

I need both languages for my new project.

It has been a tough curve learning Red5/Java and understanding AS3. I will start posting things here as I learn them.

the way I learn is by doing it, getting it wrong, and discovering why I got it wrong. That way, it sticks forever.

one quick tip for Red5 developers: I set up a .bat file and put it on my taskbar.

once I am done in NetBeans, I hit the compile button, then hit the .bat file on my shortcut. The .bat file fires up the cmd prompt window and says stuff like

that simply copies the .jar file to my Red5 webapps folder,

stops Red5, then starts it.

Next to it I also have a log.txt shortcut into my Red5 installation directory.

I had to come up with my own custom log file since Red5's log... well, it really doesn't work on my system. So the trick is to have a method in my Java that reads like so:

// these go at the top of the class file
import java.io.BufferedWriter;
import java.io.FileWriter;
import java.io.IOException;

public static void error(String err) {
    BufferedWriter out = null;
    try {
        // open error.txt in append mode so earlier entries are kept
        out = new BufferedWriter(new FileWriter("error.txt", true));
        out.write(err + "--\n");
    } catch (IOException e) {
        // do not call error() from here: if the file cannot be written, that would recurse forever
        System.err.println("Error: " + e.getMessage());
    } finally {
        // always close the stream, even when the write failed
        if (out != null) {
            try { out.close(); } catch (IOException ignored) { }
        }
    }
}

so it just writes the error to a file and it’s easier having all your tools in one place.

Next to that shortcut, I have another shortcut to a small program I wrote using C++,

...well, I copied it from somewhere on the web, tweaked it to my taste and renamed it mine.

it does exactly what my Mozilla Firefox does, except that the SWF debugger in my Firefox sometimes decides to go nuts

so I came up with this. The debugger shows up too, but better, because it never hangs, and testing my apps just got easier. I am going to share the C++ code with you. In case you find errors in the code, notify me; I really don't do C++, it's very, very boring.

#define _WIN32_WINNT 0x0500
#include <windows.h>

LRESULT CALLBACK WndProc(HWND, UINT, WPARAM, LPARAM);

const char g_szClassName[] = "myWindowClass";

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE prev,
                   LPSTR lpCmdLine, int show)
{
    // AtlAxWinInit registers the "AtlAxWin" class, a plain window that hosts an ActiveX control.
    // It is resolved at run time, so check both steps instead of calling a NULL pointer.
    typedef BOOL (WINAPI *AtlAxWinInitFn)(void);
    HMODULE atl = LoadLibrary("atl");
    AtlAxWinInitFn init = atl ? (AtlAxWinInitFn)GetProcAddress(atl, "AtlAxWinInit") : NULL;
    if (init == NULL || !init())
    {
        MessageBox(NULL, "AtlAxWinInit not available (atl.dll missing?)", "Error!",
                   MB_ICONEXCLAMATION | MB_OK);
        return 0;
    }

    WNDCLASSEX wc;
    HWND hwnd;
    MSG msg;

    //Step 1: Registering the Window Class
    wc.cbSize        = sizeof(WNDCLASSEX);
    wc.style         = 0;
    wc.lpfnWndProc   = WndProc;
    wc.cbClsExtra    = 0;
    wc.cbWndExtra    = 0;
    wc.hInstance     = hInstance;                    // 'prev' (hPrevInstance) is always NULL on Win32
    wc.hIcon         = LoadIcon(NULL, IDI_APPLICATION); // stock icons are loaded with a NULL module
    wc.hCursor       = LoadCursor(NULL, IDC_ARROW);
    wc.hbrBackground = (HBRUSH)(COLOR_WINDOW+1);
    wc.lpszMenuName  = NULL;
    wc.lpszClassName = g_szClassName;
    wc.hIconSm       = LoadIcon(NULL, IDI_APPLICATION);

    if(!RegisterClassEx(&wc))
    {
        MessageBox(NULL, "Window Registration Failed!", "Error!",
                   MB_ICONEXCLAMATION | MB_OK);
        return 0;
    }
    hwnd = CreateWindowEx(
        WS_EX_CLIENTEDGE,
        g_szClassName,
        "Kilonsele | Very Addictive...",
        WS_OVERLAPPEDWINDOW,
        CW_USEDEFAULT, CW_USEDEFAULT, 1019, 620, NULL, NULL, hInstance, NULL);

    if(hwnd == NULL)
    {
        MessageBox(NULL, "Window Creation Failed!", "Error!",
                   MB_ICONEXCLAMATION | MB_OK);
        return 0;
    }

    //Step 2: the AtlAxWin child; its window text names the control (or URL) to host
    CreateWindow("AtlAxWin", "http://localhost/main.swf",
                 WS_VISIBLE|WS_CHILDWINDOW, 0, 0, 1000, 600, hwnd, 0,
                 (HINSTANCE)GetWindowLongPtr(hwnd, GWLP_HINSTANCE), 0); // Ptr variant is 64-bit safe

    ShowWindow(hwnd, show);
    UpdateWindow(hwnd);

    while( GetMessage(&msg, NULL, 0, 0)) {
        TranslateMessage(&msg);
        DispatchMessage(&msg);
    }
    return (int) msg.wParam;
}

LRESULT CALLBACK WndProc( HWND hwnd, UINT msg, WPARAM wParam, LPARAM lParam )
{
    switch(msg)
    {
        case WM_CLOSE:
            DestroyWindow(hwnd);
            break;
        case WM_DESTROY:
            PostQuitMessage(0);
            break;
        default:
            return DefWindowProc(hwnd, msg, wParam, lParam);
    }
    return 0;
}

 
 

SQL Injection

01 Jul

One of the most common security problems in web applications is SQL injection. To begin with, I will present this comic:

The comic clearly illustrates the problems with SQL injection. If you do not get it, do not worry, you will in just a moment.

SQL injections work by injecting SQL into the queries you have already written in your script. Often you will pass some sort of variable data to your queries; this data might be influenced by user input. In the above comic we might imagine that the school had a query that looks something like this:

$sql = "INSERT INTO Students (name) VALUES ('{$_POST['student_name']}')";

The above snippet works, as long as users input data that conforms to the expected format. Now, the mother in the comic did not provide expected data; rather, she injected an entire additional query into the existing query. Let's take a look at how the query looks when we enter the string given by the mother:

INSERT INTO students (name) VALUES ('Robert'); DROP TABLE Students;--')

(Note: PHP does not support stacking queries with all DBMSs. MySQL in particular)

As you probably know, a semi-colon ends a query and most times it is actually required, but PHP just adds it automatically if you omit it. Therefore, by closing the string and finishing the query by entering the closing parenthesis and a semi-colon we will be able to add an additional query that drops the student table. The two hyphens at the end make whatever comes after it a comment, so whatever remaining characters that might have been in the original query will simply be ignored.

It should not take too much brain power to figure out why this is a bad thing. Malicious users will basically be able to execute any kind of queries they would like to. This can be done for various purposes. It could be retrieving confidential information or destroying your data just to name a few.
3.1. Protecting your script from SQL injections

Fortunately, protecting yourself from SQL injections is rather easy. It is just a matter of calling a single function which makes data safe for use in a query. How you should do this depends on which PHP extension you are using. Many people use the regular mysql extension, so let us start with that one. That particular extension has a function called mysql_real_escape_string(). Let us take a look at how that one works with a simple example that illustrates its usage:



As you see, doing it is incredibly easy, yet many people fail to do this and only find out when it is too late. Other extensions support something called prepared statements. An example of such an extension is PDO (PHP Data Objects). Let us take a look at how that works:

<?php
// $db is assumed to be your existing PDO connection object; creating it is not shown here
$stmt = $db->prepare('INSERT INTO Students (name) VALUES (?)');

try {
    $stmt->execute(array($_POST['student_name']));
    echo 'Success.';
}
catch(PDOException $e) {
    echo 'Insertion failed. Please try again.';
}
?>

If you have many fields you need to use in your query then it might be a little difficult remembering the order of all these different question marks which act as place holders for the data. An alternate syntax is using named parameters. In our case it would look like this:

<?php
// $db is assumed to be your existing PDO connection object; creating it is not shown here
$stmt = $db->prepare('INSERT INTO Students (name) VALUES (:name)');

try {
    $stmt->execute(array('name' => $_POST['student_name']));
    echo 'Success.';
}
catch(PDOException $e) {
    echo 'Insertion failed. Please try again.';
}
?>

Obviously, in our case this would not have any benefits, but as I said, if you have many parameters then you might find that more useful. There can be other reasons why using prepared statements would be useful, but I will leave that to research for yourself.

The mysqli (MySQL improved) extension has support for prepared statements as well, so if you are using that then check out its documentation to see the syntax.

The golden rule regarding this is that nothing is to be trusted and all data should be escaped.
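The comic's query, run both ways, as an added example that is not code from the original post: Python with the built-in sqlite3 module stands in for PHP and MySQL. The unsafe version pastes the input into the SQL text exactly like the $sql string above and uses executescript(), which, like a DBMS that accepts stacked queries, runs every statement it is handed; the safe version binds the value to a ? placeholder the way the PDO prepare()/execute() example does. The input strings are constructed from the article's own example.

```python
import sqlite3

# Constructed inputs: a normal student name and the stacked-query string from the comic quoted above.
NORMAL_NAME = "Robert"
INJECTED_NAME = "Robert'); DROP TABLE Students;--"


def fresh_db():
    """In-memory database with the Students table from the article."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Students (name TEXT)")
    db.commit()
    return db


def insert_unsafe(db, name):
    """Mirrors $sql = "INSERT INTO Students (name) VALUES ('{$_POST['student_name']}')":
    the input becomes part of the SQL text, so a quote in it changes the query.
    executescript() stands in for a DBMS that executes stacked queries."""
    db.executescript("INSERT INTO Students (name) VALUES ('" + name + "')")


def insert_safe(db, name):
    """Mirrors the PDO prepare()/execute() version: the ? placeholder is bound to the value,
    so the input is always data, whatever characters it contains."""
    db.execute("INSERT INTO Students (name) VALUES (?)", (name,))
    db.commit()


def table_exists(db):
    """True while the Students table is still in the schema."""
    row = db.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'Students'").fetchone()
    return row is not None


def stored_names(db):
    return [r[0] for r in db.execute("SELECT name FROM Students ORDER BY name")]


def run_both_ways(name):
    """Return what each version leaves behind for one input: {label: (table survives, rows)}."""
    results = {}
    for label, insert in (("unsafe", insert_unsafe), ("safe", insert_safe)):
        db = fresh_db()
        insert(db, name)
        survives = table_exists(db)
        results[label] = (survives, stored_names(db) if survives else [])
    return results


if __name__ == "__main__":
    for name in (NORMAL_NAME, INJECTED_NAME):
        print(repr(name), "->", run_both_ways(name))
```

With the normal name both versions store one row. With the mother's string the unsafe version ends with no Students table at all, while the safe version stores the whole string, quote and semicolon included, as a single harmless name; nothing in the bound value is ever parsed as SQL, which is why prepared statements rather than ad-hoc escaping are the rule worth remembering.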

Additionally, I mentioned earlier that users should not get information from error messages. Not only is it irrelevant to them, but it may also be information that aids people with malicious purposes. You may sometimes be told that you should add or die(mysql_error()) to the end of your query calls to functions like mysql_query(). However, you should not do that. By doing that you are no longer using PHP's error and exception handling functionality, and you remove the opportunity to control whether errors should be displayed or not. In my opinion the best solution would be to use PHP's exceptions. If you do not want to do that, then at least do something like or trigger_error('Query failed: ' . mysql_error()). By doing that you are utilizing PHP's built-in functionality and you will be able to use the methods discussed under Error Reporting. Moreover, ending script execution with die() is simply bad practice. You will not be able to give the user a proper error page, and you will not be able to do any cleaning up for the rest of the script.

Credit: http://www.phpfreaks.com/tutorial/php-security