A blend of programming and seo

Posts from — April 2009

5 great code highlighting plugins for wordpress

1) CodeColorer


Features

  • line numbers
  • automatic insertion of links to the documentation
  • intelligent scroll detection for code blocks (short code gets a short block; for long code the block height is fixed and a scrollbar appears)
  • predefined color themes (Slush & Poppies, Blackboard, Dawn, Mac Classic, Twitlight, Vibrant Ink)
  • syntax colors customization in CSS file
  • syntax highlighting of the code in comments
  • protection of code from mangling by WordPress (for example, quotes, double dashes, etc. look just as you entered them)

2) Raw html

This plugin lets you use raw HTML or any other code in your posts. One way to use it is to wrap a part of your post in special tags (below) to prevent WordPress from converting newlines to HTML paragraphs, escaping apostrophes and so on. This is very useful if you need to add a CSS block or JavaScript to your post.

3) SyntaxHighlighter Plus

It supports the following languages:

  • Bash — bash, sh
  • C++ — cpp, c, c++
  • C# — c#, c-sharp, csharp
  • CSS — css
  • Delphi — delphi, pascal
  • Diff — diff
  • Groovy — groovy
  • Java — java
  • JavaScript — js, jscript, javascript
  • Perl — perl, pl
  • PHP — php
  • Plain text — plain, text
  • Python — py, python
  • Ruby — rb, ruby, rails, ror
  • Scala — scala
  • SQL — sql
  • VB — vb, vb.net
  • XML/HTML — xml, html, xhtml, xslt

4) SyntaxHighlighter Evolved


SyntaxHighlighter Evolved allows you to easily post syntax-highlighted code to your site without losing its formatting or making any manual changes. It uses the SyntaxHighlighter JavaScript package by Alex Gorbatchev and a bit of code by Automattic.

5) FV Code Highlighter


Features:

  • Renders XHTML, CSS, XML and PHP
  • Default look: Dreamweaver style
  • Customizable look of codes and code box

April 17, 2009   2 Comments

5 sins of PHP

PHP is a great language. However, there are a few problems with the language that need to be fixed.

1) register_globals (this will be removed in php 6)

The idea behind register_globals is simple: to make it easier to access POST, GET, and session variables within a PHP script.

Here is an example of why it is bad:

(in login.php)

<?php
if ($_POST['password'] == "password") {
    $is_admin = true;
}
?>

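If register_globals is enabled, someone could go to the following URL: login.php?is_admin=true, and $is_admin would be set from the query string. Because the script never initialises $is_admin itself, the injected value stands even when the password check fails. This essentially allows any user to create variables in your PHP scripts.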

2) goto

This one, I just don’t understand. Goto was never in the PHP language and now it is being added to version 5.3 (more information here).

Here is an example of usage:

<?php
goto a;
echo 'test';
 
a:
echo 'goto';
?>

Goto makes it very easy to create unmaintainable and messy code.

3) magic_quotes (removed in php 6)

Magic quotes was designed to escape $_POST and $_GET variables automagically, to prevent SQL injection attacks.

Here are the problems:

  • Not every piece of escaped data is inserted into a database, so there is a performance loss for escaping all this data. Simply calling the escaping functions (like addslashes()) at runtime is more efficient.
  • Not all data needs escaping, and it's often annoying to see escaped data where it shouldn't be. For example, emailing from a form and seeing a bunch of \' within the email. Fixing this may require excessive use of stripslashes().
  • Many novice programmers assumed that magic_quotes was enabled on all PHP installations and released PHP scripts that were vulnerable to SQL injection attacks.

4) Recursion

PHP 4 and 5 use the stack for intensive data, rather than the heap. That means that recursive functions are significantly limited (because the stack is usually a very small amount of memory). Every nested (recursive or otherwise) function call counts towards a limit of 2000 nested calls. PHP will die if that count is ever reached.

5) 64-bit integer support

PHP is not able to handle unsigned integers, and converts values over 2^31 to signed. So if your IDs go slightly over 2 billion, and PHP decides to treat them as integers, you will have a problem.

However, the people over at the mysqlperformance blog have come up with a solution.

April 16, 2009   11 Comments

Is this a windows killer?

ReactOS is a free and open-source operating system based on the Windows NT architecture, providing support for existing applications and drivers, and an alternative to the current dominant consumer operating system. The interesting part about this open source project is that, unlike applications like Wine, it is an operating system completely rewritten from the ground up, with Windows binary compatibility in mind.

History

ReactOS has been written from scratch since 1996, a rock solid NT re-implementation, and therefore a reliable and robust operating system for tasks ranging from embedded micro computer to personal computer, workstations to server cluster, mainframes and super computers. It incorporates many design decisions from other operating system families like UNIX, VMS, OS/2 and of course NT and is meant as ‘the’ new platform that serves all.

Screenshots

The following are screenshots of ReactOS running some popular Windows apps.

[Screenshot: WinRAR]

[Screenshot: Quake 1]

[Screenshot: Unreal Tournament]

Installation

I decided to give ReactOS a shot. I didn't want to re-partition my hard drive or format, so I downloaded the virtual machine version that you can run within Windows (it includes the ReactOS image and virtual machine software to run it).

Installation (if you can call it that) was seamless. I just downloaded the zip file, extracted it and ran boot.exe. Within a few seconds, it booted into the OS on the virtual machine.

[Screenshot: desktop]

Looking around, the GUI needs some work. There are also a few useful applications pre-installed: remote desktop, Solitaire, Minesweeper (what OS is complete without Minesweeper), and ReactOS explorer (I was able to get onto the Internet through an automatic download of the Mozilla ActiveX plugin).

I was able to install the latest version of Firefox, which installed without any issues. However, when I tried to launch it, I got some strange font/graphic issues.

[Screenshot: google]

ReactOS has a lot of promise. Once it is out of an alpha/pre-beta state and supports more hardware, it could be serious competition for Microsoft.

You can try it yourself by going to the ReactOS website: Here

If you are having any speed issues, you can install an accelerator for the virtual machine here (Under the section “Accelerators”)

Another good tool to install is here. It allows you to mount the virtual hard disk in your Windows system.

April 15, 2009   No Comments

How to secure your wordpress blog – part 2

I wrote a previous article about improving WordPress security (here), which lists WordPress extensions that can help you improve the security of your blog.

The following is a list of some additional changes that you can make to improve the security of your WordPress installation (back up wp-config.php and your DB tables before trying the following):

WordPress tables

Change the default table prefix. Many times, attackers can get information from your database because they know the exact names of the tables. Use a random table prefix that can't easily be guessed.

If you already have a WordPress blog, follow these steps:

1) Choose a random table prefix (example: 78erx2)
2) Open wp-config.php
3) Find $table_prefix = 'wp_'; and change it to: $table_prefix = '78erx2_'; (this is the prefix chosen in step 1)
4) Execute the following SQL commands (in your favorite MySQL client; I prefer SQLyog):
-- The new names are backtick-quoted because the example prefix starts with digits.
RENAME TABLE wp_categories TO `78erx2_categories`;
RENAME TABLE wp_comments TO `78erx2_comments`;
RENAME TABLE wp_link2cat TO `78erx2_link2cat`;
RENAME TABLE wp_links TO `78erx2_links`;
RENAME TABLE wp_options TO `78erx2_options`;
RENAME TABLE wp_post2cat TO `78erx2_post2cat`;
RENAME TABLE wp_postmeta TO `78erx2_postmeta`;
RENAME TABLE wp_posts TO `78erx2_posts`;
RENAME TABLE wp_usermeta TO `78erx2_usermeta`;
RENAME TABLE wp_users TO `78erx2_users`;

UPDATE `78erx2_options` SET option_name='78erx2_user_roles' WHERE option_name='wp_user_roles';

5) You may or may not have to execute this (only if these rows exist in your DB):

In the usermeta table (wp_usermeta before the rename in step 4), rows whose meta_key is wp_autosave_draft_ids or wp_user_level need that value changed to 78erx2_autosave_draft_ids and 78erx2_user_level respectively.
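
The script below is an added example, not part of the original post: it picks a random prefix (step 1) and prints the SQL for steps 4 and 5, including the meta_key updates that the post describes only in words. The table and key names are the ones listed above; the function names are made up here, and prefixes are restricted to letters, digits and underscore so nothing else can end up inside a statement.

```sh
#!/bin/sh
# Added example: print the SQL for steps 4 and 5 for any prefix pair.
# Table and key names are the ones listed in the post; the function
# names are made up for this sketch.

# Step 1: a random six-character prefix plus "_". Leading digits are
# stripped so the prefix always starts with a letter.
random_prefix() {
    r=$(head -c 512 /dev/urandom | LC_ALL=C tr -dc 'a-z0-9' \
        | sed 's/^[0-9]*//' | cut -c1-6)
    printf '%s_\n' "$r"
}

# Steps 4 and 5: emit RENAME TABLE and UPDATE statements.
# Usage: prefix_sql OLD_PREFIX NEW_PREFIX   (both include the trailing "_")
prefix_sql() {
    old=$1
    new=$2
    # Refuse anything that could break out of an identifier or string.
    for p in "$old" "$new"; do
        case $p in
            ''|*[!A-Za-z0-9_]*) echo "invalid prefix: $p" >&2; return 1 ;;
        esac
    done
    for t in categories comments link2cat links options post2cat \
             postmeta posts usermeta users; do
        printf 'RENAME TABLE `%s%s` TO `%s%s`;\n' "$old" "$t" "$new" "$t"
    done
    printf "UPDATE \`%soptions\` SET option_name='%suser_roles' WHERE option_name='%suser_roles';\n" \
        "$new" "$new" "$old"
    # Step 5: these rows may not exist; the UPDATE then changes nothing.
    for k in autosave_draft_ids user_level; do
        printf "UPDATE \`%susermeta\` SET meta_key='%s%s' WHERE meta_key='%s%s';\n" \
            "$new" "$new" "$k" "$old" "$k"
    done
}

# Usage: sh prefix.sh wp_ "$(random_prefix)" > rename.sql
if [ "$#" -eq 2 ]; then
    prefix_sql "$1" "$2"
fi
```

Review the generated file before running it, and set $table_prefix in wp-config.php to the same new prefix.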

Install WP-Scanner

WordPress scanner is a free online resource that blog administrators can use to provide a measure of their wordpress security level.

You first need to download the activator plugin Here. This plugin adds a simple piece of text to your blog to verify that you own the blog. After this is installed, you can scan your wordpress installation here.

Also remember to deactivate the plugin after you are finished scanning or other people will also be able to scan your installation.

File Security

The root WordPress directory: all files should be writable only by your user account.
(The exception is .htaccess if you want WordPress to automatically generate rewrite rules for you)

wp-admin – All files should be writable only by your user account.
wp-includes – All files should be writable only by your user account.
wp-images – All files should be writable only by your user account.
wp-content – Should be writable by all (owner/user, group, and public).
wp-content/themes – If you want to use the built-in theme editor, all files need to be group writable. If you do not want to use the built-in theme editor, all files can be writable only by your user account.
wp-content/plugins – All files should be writable only by your user account.
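
To check an existing installation against this list, the following script (an added example, not from the original post) reports every file in the owner-only locations that is group- or world-writable. The directory names are the ones above; the function names and the sample tree are constructed for illustration.

```sh
#!/bin/sh
# Added example: list files that break the "writable only by your user
# account" rule. Directory names come from the post; function names and
# the sample tree are constructed for illustration.

# Audit one WordPress root. Top-level files are checked except .htaccess,
# which the post allows to be writable; wp-content and wp-content/themes
# are skipped because the post permits wider write access there.
audit_wp_perms() {
    root=$1
    {
        # -perm -020 / -002: the group-write or world-write bit is set
        find "$root" -maxdepth 1 -type f ! -name .htaccess \
            \( -perm -020 -o -perm -002 \)
        for d in wp-admin wp-includes wp-images wp-content/plugins; do
            if [ -d "$root/$d" ]; then
                find "$root/$d" -type f \( -perm -020 -o -perm -002 \)
            fi
        done
    } | sort
}

# Build a small constructed tree for trying the audit (sample data only).
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/wp-admin" "$t/wp-includes" \
             "$t/wp-content/plugins" "$t/wp-content/themes"
    : > "$t/wp-config.php";               chmod 644 "$t/wp-config.php"
    : > "$t/.htaccess";                   chmod 666 "$t/.htaccess"
    : > "$t/wp-admin/index.php";          chmod 666 "$t/wp-admin/index.php"
    : > "$t/wp-includes/version.php";     chmod 644 "$t/wp-includes/version.php"
    : > "$t/wp-content/plugins/a.php";    chmod 664 "$t/wp-content/plugins/a.php"
    : > "$t/wp-content/themes/style.css"; chmod 664 "$t/wp-content/themes/style.css"
    echo "$t"
}

# Usage: sh audit.sh /path/to/wordpress
if [ "$#" -gt 0 ]; then
    audit_wp_perms "$1"
fi
```

An empty result means the owner-only directories match the list; each path printed can be tightened with chmod go-w.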

April 14, 2009   4 Comments

How to sell free software

Many companies have tried to sell "free" software, with disastrous results (Here is a website dedicated to GNU license violations). There are some companies that willfully violate free software licenses; however, there are others that just don't understand the license that was used and how it may affect future distribution.

The following is a list of the 3 most common open source licenses and a simple explanation of your distribution rights. This should give you an idea of whether you are going to violate one of these distribution licenses, but you should always consult a lawyer if you are unsure.

BSD License

This is the most liberal license of them all and is very friendly regarding proprietary applications. If you get source code distributed under the BSD license, you can sell it in a proprietary application or redistribute your changes in an open source application.

There are a few variants of this license, but the following are the only requirements:

  • A copy of the original license must be included
  • The name of the author may not be used to endorse or promote products
    derived from this software without specific prior written permission

LGPL (GNU Lesser General Public License)

The LGPL is similar to the GPL, but allows you to link to the licensed code from a proprietary application without having to give out all of the source code from the proprietary app. The only case in which you have to give out source code is if you modify the source of the original licensed code. This works well with libraries.

GNU License

You are allowed to use, redistribute, and change the software, but any changes you make must also be licensed under the GPL. This means that if you are using any GNU licensed code in your proprietary application, the source code of that application must also be released.

However, this does not mean you cannot make money with GNU licensed code.

Here are some ways:

  • Give away the software and charge for support
  • Use a free version (GNU licensed) as marketing for a paid version with more features
  • Sell it, but only give the source away to anyone that purchases it (this can be considered a transfer fee).

One drawback with the last two methods is that your customers are legally allowed to redistribute/share your software and there isn’t much you can do about it.

April 9, 2009   1 Comment