Posts Tagged PHP

Synology Antivirus Essential detects PHP.Exploit.CVE_2015_2331-3

Today my DiskStation emailed me about detecting malware in the system files. When I looked at the log, I saw this:

Antivirus Essential detects Php.Exploit.CVE_2015_2331-3 in zip

It appears this is a false positive in the ClamAV signature database. Antivirus Essential is built on the ClamAV engine, so it inherits ClamAV's signatures, and their false positives, as they are published.

Further reading: https://www.clamxav.com/BB/viewtopic.php?f=1&t=4186&hilit=php.exploit

If your Synology reports the same, restore the quarantined file, update the virus definitions, and re-scan; it should come up clean. Treat that re-scan as the confirmation: a hit that persists after a definition update is not this known false positive and should be investigated rather than restored. If you had configured Antivirus Essential to delete files automatically, you may have to restore the DSM OS to get the file back.


Determine if current user is an admin in WordPress using PHP

You can determine whether the currently logged-in WordPress user is an administrator and act on that from PHP. If you're using a PHP widget plugin, you can put this check in a widget to show or do something only for admins, or use it to limit the display of a block you are still working on to admin users while you work on it.

The right test is the manage_options capability: in a default single-site install only the Administrator role has it (on multisite, Super Admins as well), so checking for that capability rather than for a role name keeps working if roles are renamed or custom roles are added. Don't use is_admin() for this; despite the name it reports whether an admin screen is being rendered, not whether the visitor is an administrator.
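As an added example (not the original post's code, which was a single capability check): a small helper around current_user_can('manage_options') used two ways, inline for a work-in-progress block and as a shortcode for use inside widgets and posts. The myprefix_ function names and the [admin_only] shortcode tag are hypothetical; current_user_can(), add_shortcode() and do_shortcode() are core WordPress functions.

```php
<?php
// Added example, not the original post's code. Assumes it runs inside WordPress
// (a PHP widget, a theme's functions.php, or a small plugin) after core has loaded.

/**
 * True if the current visitor is logged in and holds the manage_options capability.
 * current_user_can() returns false for anonymous visitors, so no separate
 * is_user_logged_in() call is needed. is_admin() is deliberately NOT used:
 * it is true whenever an admin screen renders, for any user, and says nothing
 * about the user's role.
 */
function myprefix_current_user_is_admin() {
    return function_exists( 'current_user_can' ) && current_user_can( 'manage_options' );
}

// Example 1: a block that is still being built, shown only to administrators.
if ( myprefix_current_user_is_admin() ) {
    echo '<div class="wip-block">Draft block, visible to admins only.</div>';
}

/**
 * Example 2: a [admin_only]...[/admin_only] shortcode (hypothetical tag name).
 * Shortcode handlers must return their output rather than echo it; the content
 * is passed through do_shortcode() so other shortcodes nested inside still work.
 */
function myprefix_admin_only_shortcode( $atts, $content = '' ) {
    if ( ! myprefix_current_user_is_admin() ) {
        return '';
    }
    return do_shortcode( $content );
}
add_shortcode( 'admin_only', 'myprefix_admin_only_shortcode' );
```

Hiding output this way is fine for cosmetic or work-in-progress content. If the admin-only block performs an action (deletes, changes settings), the capability check has to happen again in the handler that does the work, together with a nonce check; gating only what is displayed does not stop a direct request to the handler.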

Comments are welcome below. Thank you.


How to create an unfiltered input type in Drupal 7

The default text formats in Drupal (called input formats in Drupal 6) strip out unapproved HTML tags and optionally convert URLs into links. If you're creating a block for some more advanced purpose, such as inserting JavaScript or other HTML that you don't want stripped, you will want a format with no filters.

Note that an unfiltered format will not run PHP; for that you must enable the PHP filter module, which creates a format specifically for PHP code. That PHP format also passes HTML through unfiltered, but it lets anyone who can use it execute arbitrary PHP on the server, an unnecessary security risk for what is described here (the module was dropped from Drupal core in Drupal 8 for that reason). Prefer the unfiltered HTML format below and leave the PHP filter disabled.

To create an unfiltered input type in Drupal 7, do this:

Go to Configuration > Content Authoring > Text Formats

You should see the default text formats appear.

Click Add text format and give your new text format a name, such as “Unfiltered HTML.” Choose the roles that will be allowed to use it. Anyone with one of those roles can publish arbitrary HTML and JavaScript that runs in every visitor's browser (stored cross-site scripting, by design), so grant it only to fully trusted roles such as administrator, never to the anonymous or authenticated user roles. Don't check anything under Enabled filters. Click Save configuration.

That’s it. Your input type is now ready for use.

Now, if you want to create a block with unfiltered content, such as the display of JavaScript code, simply choose “Unfiltered HTML” as the input type of the block.
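The same format created in code, as an added example that is not from the original post: handy when you want this configuration in version control instead of clicked together on every environment. The mysite_formats module name is hypothetical; filter_format_save(), filter_permission_name(), user_role_load_by_name() and user_role_grant_permissions() are Drupal 7 core functions, and the example assumes the standard profile's “administrator” role exists.

```php
<?php
// Added example, not the original post's code: an "Unfiltered HTML" text format
// created from a custom module's hook_install(). Module name is hypothetical.

/**
 * Implements hook_install() for the (hypothetical) mysite_formats module.
 */
function mysite_formats_install() {
  $format = (object) array(
    'format'  => 'unfiltered_html',   // machine name used in permissions and node bodies
    'name'    => 'Unfiltered HTML',
    'weight'  => 10,                  // sort it below the safe, filtered formats
    'filters' => array(),             // no filters at all: HTML and <script> pass through as-is
  );
  filter_format_save($format);

  // filter_permission_name() yields "use text format unfiltered_html".
  // Grant it to the administrator role only. Deliberately NOT granted to the
  // anonymous or authenticated roles: anyone who can use this format can plant
  // script that runs in every visitor's browser.
  $admin = user_role_load_by_name('administrator');
  if ($admin) {
    user_role_grant_permissions($admin->rid, array(filter_permission_name($format)));
  }
}
```

Because the role grant is explicit in code, a review of who may use the unfiltered format is a review of this one function rather than of the permissions screen on each site.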


How to generate a unique time-based hash in PHP

This PHP code is handy if you want a value that changes on a schedule. You can adjust it to produce a new value every month, every day, or down to every second if that's what you want. Values like this are sometimes used for automatically-changing passwords, password salts or time-based challenges, so be clear about what the snippet below does and does not give you: it hashes only the current date, with no secret, so anyone who knows the date (everyone) can compute the same value. A rotating value has to be unguessable to be worth anything for authentication; that means mixing in a secret key (hash_hmac() rather than hash()) and, for challenges, a proper time-step scheme such as TOTP (RFC 6238), which also handles clock drift between the two sides.

NOTE: This is example code only and shouldn't be copy/pasted into a production environment. Instead, modify the code below: change the hash function (MD5 is obsolete for any security purpose), the date string, and add your own customizations. See the PHP date() and hash() manual pages for reference.

<?php
// Length of hash to output, up to the output length of the hash function used
// (MD5 gives 32 hex characters).
$length = 12;
// Build a string at the resolution you want. gmdate() is used instead of date()
// so the value does not depend on the server's timezone setting.
// Daily code: month, day and two-digit year only, e.g. "03.10.01".
// Hourly code: add the hour ("m.d.y.H") but no minute part.
$today = gmdate("m.d.y");
// Hash it and keep the first $length hex characters. No secret is mixed in,
// so this value is predictable by anyone (see the discussion above).
$out = substr(hash('md5', $today), 0, $length);
echo $out;
?>
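
A keyed alternative, added here as an example and not part of the original post: the code is an HMAC of a time-step counter under a secret, and verification uses a constant-time comparison and tolerates one step of clock drift either way. The step size, code length, the APP_CODE_SECRET environment variable and the random fallback are hypothetical choices for the example; hash_hmac(), hash_equals(), pack() and random_bytes() are standard PHP.

```php
<?php
// Added example, not the original post's code: a keyed, time-stepped code.
// Only holders of $secret can compute the value for a given step, which is what
// the unkeyed date hash above lacks.

const CODE_STEP_SECONDS = 86400;   // one code per UTC day; 30 would give TOTP-style codes
const CODE_LENGTH       = 12;      // hex characters kept from the HMAC output

/**
 * Code for the time step that contains $time.
 * The step counter, not a formatted date, is what gets keyed: it is unambiguous
 * across timezones and locales, and it is packed as a big-endian 64-bit integer
 * (as RFC 4226/6238 do) so the HMAC input is fixed-width.
 */
function time_step_code($secret, $time, $step = CODE_STEP_SECONDS, $length = CODE_LENGTH) {
    $counter = (int) floor($time / $step);
    $msg = pack('J', $counter);
    return substr(hash_hmac('sha256', $msg, $secret), 0, $length);
}

/**
 * Verify a submitted code against the current step and $window steps either side.
 * hash_equals() compares in constant time, so a wrong guess leaks no timing
 * information about how many leading characters matched.
 */
function verify_time_step_code($secret, $submitted, $time, $step = CODE_STEP_SECONDS, $window = 1) {
    if (!is_string($submitted)) {
        return false;   // hash_equals() expects strings; reject anything else outright
    }
    for ($delta = -$window; $delta <= $window; $delta++) {
        $expected = time_step_code($secret, $time + $delta * $step, $step);
        if (hash_equals($expected, $submitted)) {
            return true;
        }
    }
    return false;
}

// Usage. The secret must come from outside the code (config file, environment),
// be at least 32 random bytes, and never be sent to the client. The random
// fallback here only keeps the example runnable; it changes on every run.
$secret = getenv('APP_CODE_SECRET') ?: random_bytes(32);
$code   = time_step_code($secret, time());
echo "Code for the current step: $code\n";
echo verify_time_step_code($secret, $code, time()) ? "verified\n" : "rejected\n";
// Two steps away the same code is outside the drift window and is rejected.
echo verify_time_step_code($secret, $code, time() + 2 * CODE_STEP_SECONDS) ? "verified\n" : "rejected\n";
```

The secret is the whole difference from the snippet above: without it, rotating the value buys nothing, because the date is public. Run the block twice within the same UTC day and the code is identical; the code of the neighbouring day also verifies, which is the drift tolerance, and a code two days off does not.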

I’m sure there are plenty of other ways, but this is a code snippet that I used. Feel free to share your thoughts on this in the comments below, thanks!


WordPress 3.2 admin area display errors under suPHP

If you do the automatic upgrade to the recently-released WordPress 3.2 and the admin area displays incorrectly under suPHP, you may need to reset some file permissions. The likely cause is that the upgrade wrote files that the web server user cannot read: under suPHP the PHP scripts run as the file owner and can read them, but static assets such as the admin CSS and JavaScript are still served by the web server itself, which needs read access.

Simply run the following from your web root:

chmod -R g+r,o+r *

This adds group and world read permission to everything below the web root. Two caveats: the shell's * skips top-level dotfiles such as .htaccess, so check those separately if they were touched; and it also makes wp-config.php world-readable, which on a shared host exposes your database credentials to every other local user. Afterwards take world read back off that one file (mode 600 or 640 with the suPHP user as owner is enough, since PHP runs as that user).

Should be all set.


Integrating Smart 404 into the Suffusion WordPress theme

By default, WordPress does very little for a user who lands on a 404 or ‘Not Found’ page. The WordPress Smart 404 plugin can help with this, by attempting to match terms from the URL to published articles. This is something you want especially if you change your categories or tags because your old tag- and category-based URLs will not display anything useful to your visitors. Instead of losing them to a 404 page, show them what they’re looking for — or at least come close.

I use the Suffusion theme here on my blog, and I know it's a very popular theme as well, so here's how to integrate Smart 404 nicely within Suffusion.

Obviously make sure you have both the Suffusion theme and the Smart 404 plugin installed and activated.

Open the theme editor by going to Appearance > Editor, load the 404.php file, and change it to include the smart404_suggestions() call as follows (the lines marked + are the additions; the unmarked lines are existing context showing where they go):

  
+ <?php
+ if (function_exists('smart404_suggestions')) {
+ echo "<br /><br />Here are some posts that may be close to what you were looking for:";
+ smart404_suggestions();
+ echo "<br /><br />You might also try searching.";
+ }
+ ?>
  </p>
  </div><!--/entry -->

This wraps the smart404_suggestions function nicely in a PHP function_exists call, which will prevent PHP errors if you later decide to uninstall the plugin.

Be aware that if you update your theme at any point, you may have to redo this edit. The usual way to make such a change survive updates is to put the modified 404.php in a child theme, which overrides the parent's template without touching the parent's files.

Questions, comments, and feedback about this are welcome and appreciated. Thank you!


My suggestions for WordPress plugins

Here are my suggestions for a great set of WordPress plugins. The descriptions provided here are from the plugins themselves, and the links go to the plugin page on WordPress.org. You can also go to the ‘Plugins’ area in your WordPress dashboard to search for and install any of the plugins below.

Bad Behavior – Deny automated spambots access to your PHP-based Web site.

Contextual Related Posts – Show user defined number of contextually related posts.

Fast Secure Contact Form – Fast Secure Contact Form for WordPress. The contact form lets your visitors send you a quick E-mail message. Super customizable with a multi-form feature, optional extra fields, and an option to redirect visitors to any URL after the message is sent. Includes CAPTCHA and Akismet support to block all common spammer tactics. Spam is no longer a problem.

Fluency Admin – Give your WordPress admin the Fluency look, Fluency 2.4 is the latest update and is compatible with WP 3.1.x.

Google XML Sitemaps – This plugin will generate a special XML sitemap which will help search engines like Google, Yahoo, Bing and Ask.com to better index your blog.

Jetpack by WordPress.com – Bring the power of the WordPress.com cloud to your self-hosted WordPress. Jetpack enables you to connect your blog to a WordPress.com account to use the powerful features normally only available to WordPress.com users.

Simple Facebook Connect – Simple Facebook Connect is a series of plugins that let you add any sort of Facebook Connect functionality you like to a WordPress blog.

Simple Twitter Connect – Makes it easy for your site to use Twitter, in a wholly modular way.

WP-PageNavi – Adds a more advanced paging navigation to your WordPress blog

What plugins do you use on your WordPress-powered blog? Have any to recommend? Are you a plugin author and want to “plug” your plugin? :) Please feel free to leave a comment below!


Bad Behavior on Drupal 7

Bad Behavior is a set of PHP scripts designed to keep your blog or forum free of spam by taking a very different approach from typical solutions. Rather than go into a big explanation here, you can read all about it on the project site (download link below).

That said, Drupal 7 is available for download, but the Drupal 6 Bad Behavior module has not yet been ported to Drupal 7. These instructions will get a very crude installation of Bad Behavior protecting your Drupal 7 site, albeit in “no logging” mode through the generic include, which is not the preferred way to run it. If you know Drupal 7 well enough to attempt a port, please visit the Drupal 6 module's project page and contact the developer; the Drupal community would greatly appreciate it.

These instructions are based on the Bad Behavior Porting Guide.

First, download Bad Behavior from http://bad-behavior.ioerror.us/download/

When you unzip it, you should have a folder called bad-behavior.

Upload that folder somewhere under your web root, so that bad-behavior-generic.php is reachable as http://example.com/bad-behavior/bad-behavior-generic.php. (These are sample instructions only; advanced users are encouraged to place the scripts wherever they like. The scripts only need to be readable by PHP, not reachable by a browser, so a directory outside the document root is the safer choice: it keeps the file that will hold your http:BL key from ever being served as plain text if PHP handling is misconfigured.)

edit bad-behavior-generic.php

Locate the following line:

'httpbl_key' => '',

Input your http:BL API key from Project Honey Pot. Treat the key as a secret (keep this file out of any public repository). If your API key is ‘exampleAPIkey’, you'll have this:

'httpbl_key' => 'exampleAPIkey',

edit drupal index.php

Right below the opening <?php tag, insert the following line, making sure the path is correct relative to index.php. A bare relative path like this is resolved through the include_path, then the calling script's directory, then the current working directory, which works for normal page requests but is ambiguous; a path built from dirname(__FILE__) is unambiguous.

require_once("bad-behavior/bad-behavior-generic.php");

That’s it!
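The index.php edit written out as an added example (not the original post's code), with the path resolved from index.php's own location and the missing-file case made explicit. The bad-behavior/ directory name follows the post; if you keep the scripts outside the document root, adjust the path accordingly (for instance dirname(__FILE__) . '/../bad-behavior/...'). The stock Drupal 7 lines shown as comments are what already follows in index.php.

```php
<?php
// Added example, not the original post's code: the top of Drupal 7's index.php
// with the Bad Behavior include placed right after the opening tag.

// Resolve the path from this file's own directory rather than relying on
// include_path or the process's current working directory, so the include
// behaves the same whether index.php is hit by a browser, cron or drush.
$bb = dirname(__FILE__) . '/bad-behavior/bad-behavior-generic.php';

if (is_file($bb)) {
  require_once $bb;
}
else {
  // Fail open: the site keeps serving, without bot screening, but the gap is
  // logged so it gets noticed. Replace the error_log() with an exit() if you
  // would rather fail closed and take the site down than run unprotected.
  error_log('Bad Behavior not loaded: ' . $bb . ' is missing');
}

// ... the rest of the stock Drupal 7 index.php follows unchanged:
// define('DRUPAL_ROOT', getcwd());
// require_once DRUPAL_ROOT . '/includes/bootstrap.inc';
// drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL);
// menu_execute_active_handler();
```

Whichever failure mode you pick, pick it deliberately: a silently missing include is the most common way a site ends up with no spam screening while everyone assumes it is running.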

Questions, comments, and feedback are always welcome and appreciated.


Giving up the fight against spam

Spammers are clever, alright. They seem to get through captchas, cookie checking, PHP session checking, and when you ban one IP address or range, they come at you with 20 more.

I’ve been getting hundreds of spam comments per day. It’s almost to the point where spam checking has started to interfere with the normal users. They’re getting sick of the captchas and constant hoops they have to jump through just to post a legitimate comment.

So I’m making a decision: I’ve spent enough of my time dealing with them and I have better things to do.

So from now on comments will be completely open. That’s right — no spam checking, no captchas, nothing. Now I can free up my time and move on to other things, such as writing new articles.

For a little more information on what led to this decision, check out this article.


Get your Feedburner follower count in PHP

Important: Please see the update at the bottom of this post.

If you use Feedburner for RSS circulation, here’s a handy ready-to-go way of getting your Feedburner follower counts using PHP. This requires that you have the Feedburner Awareness API enabled for your feed.

Note that the code below uses PHP's file_get_contents() rather than cURL, which would give you timeouts and proper error handling, but it does work. Cache the result (a transient, a file, or your object cache) rather than calling the API on every page view, both to stay within any API limits and so that an API outage or slow response does not blank the count or stall page rendering.

// Kept for reference: the Awareness API this calls has been shut down (see the update below).
function GetFeedburnerFollowerCount($feed) {
    // urlencode() stops a feed name containing '&' or '#' from altering the query string.
    $url = "http://feedburner.google.com/api/awareness/1.0/GetFeedData?uri=" . urlencode($feed);
    $feedburner_xml = file_get_contents($url);
    if ($feedburner_xml === false) {
        return null; // fetch failed: the caller should fall back to a cached value
    }
    // LIBXML_NONET keeps libxml from fetching any external resource the XML might reference.
    $xml = new SimpleXMLElement($feedburner_xml, LIBXML_NOCDATA | LIBXML_NONET);
    return (int) $xml->feed->entry['circulation']; // attribute of <entry>, cast from SimpleXMLElement
}

You can also substitute ‘hits’ or ‘reach’ for ‘circulation’ in the example code.

Update: The Google Feedburner API is no longer available.

Comments are welcome, as always.
