- weblog of Mizanur Rahman
I have attached yesterday's presentation on PHP and web application security at the PHPXperts Current Trends seminar at Brac University.
Have you faced difficult questions in your interview?
Are you planning for certification exams and have questions unanswered?
Do you want to correct your reasoning?
Then add your questions to this post; you can add as many questions as you want. Every week I will answer or compile the answers to the questions. So let's make the question bank a bigger one.
Many times I have asked this particular question in interview sessions, and many people failed to answer it. It is just to see the analytic ability of a candidate and how dynamic their thinking is. The logic is the same for every programming language, so if you have the logic right you can answer it for any particular language such as PHP, Java, C++, C etc., but in this tutorial we will use PHP.
First, what if we can use a third variable:
$a = 100;
$b = 200;
Now we need to swap the values so that $a becomes 200 and $b becomes 100.
The basic technique is to introduce a third variable, $tmp:
$tmp = $a;
$a = $b;
$b = $tmp;
Isn't it straightforward? With a third variable it is so easy. But what will our approach be if there is no third variable? Is it possible?
The answer is a big YES. There are several ways, and they fall into two types of solution:
1. Arithmetic operation
2. Bitwise operation.
We can use the addition-subtraction and multiplication-division methods to solve the problem.
Let's see how the addition-subtraction method works:
$x = 10;
$y = 20;
$x = $x+$y;
$y = $x - $y;
$x = $x - $y;
It is also very simple, isn't it? First we add the two numbers and keep the result in one of the variables; in the above example it's $x, which now contains $x+$y. In the second operation we subtract $y from $x and assign the result to $y. Now let's break the equation down logically:
$y = $x - $y => ($x + $y) - $y => $x // [ since $x now holds $x+$y ]
Cool, we swapped one of the variables. Following the same operation, we swap the second one in the third line, and that's it. It is easy, but it requires some logical thinking: do not try to memorize it; rather, understand the simple logic here.
Now the multiplication-division method:
$x = 10;
$y = 20;
$x = $x*$y;
$y = $x / $y;
$x = $x / $y;
It is the same as the addition-subtraction method, and the logic is similar.
Now, do we see any problem in the above logic? That is the question I ask if someone answers the question correctly and shows me the above solution.
The answer is very simple: number overflow, since integers always have an upper limit. So when we add or multiply two big numbers, the result can overflow and might not give the desired result.
So what is a good solution that keeps the overflow problem in mind? The answer is a bitwise operation.
In order to swap two values we can use the bitwise XOR operator.
Note: A bitwise exclusive or takes two bit patterns of equal length and performs the logical XOR operation on each pair of corresponding bits. The result in each position is 1 if the two bits are different, and 0 if they are the same.
The algorithm is:
x = x XOR y
y = x XOR y
x = x XOR y
If we write them in a programming language using the caret (^), it will look like:
x = x ^ y
y = x ^ y
x = x ^ y
In a shorter version:
x ^= y
y ^= x
x ^= y
In one line:
x ^= y ^= x ^= y
So here is the statement in PHP:
$x ^= $y ^= $x ^= $y;
Now, how it works:
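The XOR swap traced bit by bit on the post's own values, as an added example that is not part of the original post; it also shows the two pitfalls an interviewer would expect a candidate to mention (overflow in the arithmetic method, and XOR-swapping a value with itself).

```php
<?php
// Added example (not from the original post): the XOR swap traced bit by bit
// on the post's values, followed by two pitfalls worth mentioning in the
// interview: arithmetic overflow and XOR-swapping a variable with itself.

// Swap with XOR and record each step as 8-bit patterns so the bits can be followed.
function xorSwapTrace(int $x, int $y): array
{
    $trace = [];
    $x ^= $y;  $trace[] = sprintf('x ^= y  ->  x=%08b  y=%08b', $x, $y);
    $y ^= $x;  $trace[] = sprintf('y ^= x  ->  x=%08b  y=%08b', $x, $y);
    $x ^= $y;  $trace[] = sprintf('x ^= y  ->  x=%08b  y=%08b', $x, $y);
    return ['x' => $x, 'y' => $y, 'trace' => $trace];
}

$r = xorSwapTrace(100, 200);          // 100 = 01100100, 200 = 11001000
echo implode(PHP_EOL, $r['trace']), PHP_EOL;
echo "swapped: x={$r['x']} y={$r['y']}", PHP_EOL;   // swapped: x=200 y=100

// The one-liner from the post works in PHP because the compound assignments
// are evaluated right to left. In C/C++ the same expression modifies x twice
// in one statement and is undefined behaviour, so use the three-line form there.
[$x, $y] = [100, 200];
$x ^= $y ^= $x ^= $y;
echo "one-liner: x=$x y=$y", PHP_EOL;               // one-liner: x=200 y=100

// Pitfall 1: the addition method near PHP_INT_MAX. PHP does not wrap like C;
// the sum silently becomes a float and the subtractions lose precision,
// so neither variable ends up with the other's original value.
$a = PHP_INT_MAX;  $b = 1;
$a = $a + $b;  $b = $a - $b;  $a = $a - $b;
var_dump($a, $b);   // float(0) and a float near 9.2E+18, not 1 and PHP_INT_MAX

// Pitfall 2: XOR-swapping a value with itself zeroes it, because v ^ v == 0.
// This happens when the same array slot is passed twice by reference.
function xorSwapRef(int &$p, int &$q): void
{
    $p ^= $q;  $q ^= $p;  $p ^= $q;
}
$arr = [7, 9];
xorSwapRef($arr[0], $arr[0]);
var_dump($arr[0]);  // int(0): the value 7 is lost
```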
So now we know how to swap two values without using a third variable. Ask me any questions you have.
Did you try to run PHP from the command line and run into PHP errors like safe mode is on, memory limit exceeded, maximum execution time exceeded, etc.? A general solution is to edit php.ini, make those changes and restart the Apache server. At least I found these solutions online.
But that is not going to solve your problem. When you are running the CLI or shell_exec in a *nix environment, PHP uses a different php.ini file, located inside the CLI folder. Until you edit that, the problem won't be solved. So if you are constantly getting errors after altering the php.ini file used by your web server, you should check your CLI's php.ini file for any issues regarding cron/CLI.
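As an added example (not the post's own code), a small script that reports which php.ini and which settings the running PHP actually uses; open it once through the web server and once with `php` on the command line and compare the two reports. The file name and the directive list are my choices.

```php
<?php
// Added example (not from the original post): report which php.ini and which
// values the *running* PHP uses. Save it in the web root, open it once in the
// browser and once with `php which_ini.php` (file name is my choice) and
// compare; on most *nix installs the two runs name different ini files.

function phpIniReport(): array
{
    $report = [
        'sapi'        => PHP_SAPI,                              // 'cli', 'apache2handler', 'cgi-fcgi', ...
        'loaded_ini'  => php_ini_loaded_file() ?: '(none)',     // the php.ini that was actually read
        'scanned_ini' => php_ini_scanned_files() ?: '(none)',   // extra conf.d/*.ini files, if any
    ];
    // The directives named in the post. ini_get() returns false for directives
    // this PHP build does not know (safe_mode was removed in PHP 5.4).
    foreach (['safe_mode', 'memory_limit', 'max_execution_time'] as $name) {
        $value = ini_get($name);
        $report[$name] = ($value === false) ? '(not available)' : (string) $value;
    }
    return $report;
}

// Plain text on the command line, line breaks for the browser.
$eol = (PHP_SAPI === 'cli') ? PHP_EOL : '<br>' . PHP_EOL;
foreach (phpIniReport() as $key => $value) {
    echo str_pad($key, 20), htmlspecialchars($value), $eol;
}
```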
Many of us have faced the problem of running CodeIgniter controllers from cron or from the command line. Usually we write the following to run a PHP file from cron/CLI:
But if we give a CodeIgniter controller path here it will not work, since CodeIgniter will fail to initialize its core classes. A workaround is to request the script using cURL:
The problem with the above command is that it takes too many CPU resources.
Today my colleague Hasan showed me a nicer way of doing it: just write the following code in a PHP file in your root folder.
$_GET["/external/do_cron"] = null;
Note: here "external" is the controller name and "do_cron" is the function name that you want to execute.
Now save this file under any name you want (e.g. mycron.php) and run the script using:
(in this case: php /var/www/mywebsite/mycron.php)
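A complete mycron.php built around the $_GET trick above, as an added example rather than the post's own code: it refuses to run unless started from the command line, so the cron controller cannot be triggered by anyone requesting the file over HTTP. It assumes the file sits next to CodeIgniter's index.php in the web root; the allow-list entries other than external/do_cron are hypothetical.

```php
<?php
// Added example (not the post's own code): a cron entry script for the
// $_GET trick above, with a guard so the controller can only be triggered
// from the command line and not by anyone requesting mycron.php over HTTP.
// Assumes this file sits next to CodeIgniter's index.php in the web root.

// Refuse to run under a web SAPI: a cron endpoint reachable from the
// browser lets an outsider fire your scheduled jobs at will.
if (PHP_SAPI !== 'cli') {
    header('HTTP/1.1 403 Forbidden');
    exit('This script can only be run from the command line.');
}

// Optional: let the job be chosen on the command line, but only from a fixed
// allow-list so a cron entry can never be pointed at arbitrary controllers.
$allowed = [
    'external/do_cron',      // controller "external", method "do_cron" (from the post)
    'external/send_digest',  // hypothetical second job
];
$route = $argv[1] ?? 'external/do_cron';
if (!in_array($route, $allowed, true)) {
    fwrite(STDERR, "Unknown job: $route" . PHP_EOL);
    exit(1);
}

// CodeIgniter takes the request URI from the single $_GET key, as in the post.
$_GET['/' . $route] = null;

// Run from the web root so CodeIgniter finds its application folder,
// then hand control to the front controller.
chdir(__DIR__);
require __DIR__ . '/index.php';
```

Invoke it from cron as `php /var/www/mywebsite/mycron.php external/do_cron`; the first argument is optional and defaults to the job from the post.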
If the above code does not work, you can try the following one (thanks to sucio).
I was working with a MediaWiki gallery extension named "Smooth Gallery", which is based on JonDesign's SmoothGallery. It was almost what I was looking for, but not exactly right for my purpose. As a result I had to hack the code and modify it to fit my needs. You can download the extension and install it for your own purpose. I have named it WikiGallery, as lots of things have been changed in this extension. This extension supports external images as well and hence gives you more options to create a nice gallery.
Details of the extension are given below:
Requirements: MediaWiki 1.9.0 and above [I have not tested with earlier versions.]
$wgWikiGalleryExtensionPath = "/mediawiki/extensions/wikigallery";
$wgWikiGalleryDelimiter = "\n";
Now the extension is ready and we can use it in our wiki pages. Edit a wiki page and add the following tag with image names delimited by the WikiGallery delimiter set in LocalSettings.php (in this case it's \n, but it can be , or # etc.). For local files (uploaded to the wiki) we do not have to add anything, but for external images the http:// must be there.
Now save and check your page; you will see the gallery is there.
In web development, we do face the issue of running a query a few thousand to a million times every day. If your website traffic is small, the impact of such queries is not noticed, but if your site attracts lots of users and the query has to run a large number of times, it might hurt your database performance. Every query we run goes through a rigorous cycle to produce the desired result: parsing, optimizing, executing and returning the result. Once a query has been written and run correctly for the first time, the parsing and optimization steps are not necessarily required, as it has already been parsed and optimized; for the same query, this is a redundant effort. But what if we could just execute the query and get the result, bypassing a few of those early steps? Well, it's possible, and that is where the concepts of stored procedures and prepared statements come from. Now let's look at the details.
Prepared statements are the ability to set up a statement once, and then execute it many times with different parameters. They are designed to replace building ad hoc query strings, and do so in a more secure and efficient manner. A typical prepared statement would look something like:
SELECT * FROM table WHERE column = ?
? is what is called a placeholder. When you execute the above query, you need to supply a value for it, which replaces the ? in the query above.
As Harrison Fisk's article on prepared statements puts it:
Prepared statements can help increase security by separating SQL logic from the data being supplied. This separation of logic and data can help prevent a very common type of vulnerability called an SQL injection attack. Normally when you are dealing with an ad hoc query, you need to be very careful when handling the data that you received from the user. This entails using functions that escape all of the necessary trouble characters, such as the single quote, double quote, and backslash characters. This is unnecessary when dealing with prepared statements. The separation of the data allows MySQL to automatically take into account these characters and they do not need to be escaped using any special function.
The increase in performance in prepared statements can come from a few different features. First is the need to only parse the query a single time. When you initially prepare the statement, MySQL will parse the statement to check the syntax and set up the query to be run. Then if you execute the query many times, it will no longer have that overhead. This pre-parsing can lead to a speed increase if you need to run the same query many times, such as when doing many
The following image illustrates this:
A stored procedure is a precompiled executable object that contains one or more SQL statements. Hence you can replace your complex SQL statements with a single stored procedure. Since stored procedures are precompiled objects, they execute faster at the database server: on subsequent runs they start from the compiled stage, which boosts performance.
Note: you have to choose when to use what; certainly not every query should be transformed into a prepared statement or stored procedure.
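As an added example (not from the post or the article it quotes), the same lookup written as an ad hoc query string and as a prepared statement, run against an in-memory SQLite table constructed for the demo so it works offline; the table, rows and input are constructed, and the MySQL-specific caveat about emulated prepares is in the comments.

```php
<?php
// Added example (not from the original post): an ad hoc query string next to
// the prepared-statement form, run against an in-memory SQLite table so it
// works offline. Table and rows are constructed for the demo; for MySQL the
// DSN would be 'mysql:host=...;dbname=...' instead.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With the MySQL driver also turn off client-side emulation; otherwise PDO
// quotes the values itself and the server never sees a real prepared
// statement, so the parse-once benefit described above does not apply:
// $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)');

// Prepared once, executed for every row: only the data changes per execute().
function insertUsers(PDO $pdo, array $rows): int
{
    $stmt = $pdo->prepare('INSERT INTO users (username, email) VALUES (?, ?)');
    foreach ($rows as [$username, $email]) {
        $stmt->execute([$username, $email]);
    }
    return count($rows);
}

// Vulnerable form: the input becomes part of the SQL text, so a quote in it
// changes the query's structure instead of being compared as a value.
function findUserAdHoc(PDO $pdo, string $username): array
{
    $sql = "SELECT username FROM users WHERE username = '$username'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Prepared form: the placeholder is bound to the value, which is never
// interpreted as SQL, so no escaping function is needed.
function findUserPrepared(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT username FROM users WHERE username = ?');
    $stmt->execute([$username]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

insertUsers($pdo, [['alice', 'alice@example.com'], ['bob', 'bob@example.com']]);
$input = "x' OR '1'='1";                 // constructed input containing a quote
print_r(findUserAdHoc($pdo, $input));    // both rows: the WHERE clause was rewritten
print_r(findUserPrepared($pdo, $input)); // empty array: no user has that name
```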
I am thinking of introducing new Bangla-based services for the web. Here are a few of my ideas, which will go into the development phase very soon:
1. Bangla spell checker
2. Bangla WYSIWYG editor (probably TinyMCE)
3. Bangla translation
4. Bangla Unicode PDF
5. Bangla universal writing panel with keyboard support (from the somewhereinblog write panel)
If you have a cool idea you can share it with me, and you can also participate in any of the projects above if you want to.
I had started writing my new book for Packt Publishing, titled "Wordpress Plugins Development". But I decided to take a step back, as I was very busy with my projects at the office and couldn't find a good amount of time for the book. I believe in quality rather than quantity. So, as I am getting a bit of free time now, I want to finish the book with a modified outline and publish it online, so that people can review it and give me the feedback needed to make it a good one. Maybe later I will try to publish it, but I want to focus on the writing right now.
Every 2-3 weeks a new chapter will be uploaded online with all the code and graphics, so that readers can read and apply what they learn. I hope to upload the first chapter in the first week of April.
Recently I completed my Certified Scrum Master training with Pete Deemer of Good Agile (http://www.goodagile.com). I attended the 14-hour training program along with my colleague N.H.M Tanveer Hossain Khan on 5th March 2008 in New Delhi, India. It's been a nice experience for us, and we believe it will be very helpful in implementing good Scrum-oriented development across the organization. Thanks to Arild for this opportunity; we hope to deliver the expected result to him.
Hasan and I are also trying to organize a Scrum Master training in Bangladesh for the first time this year. Anybody interested in attending the course can drop me a line.