Trusting the Internet

In light of recent events (heartbleed and *cough* NSA *cough*), we now live in a world where the people you thought you could trust aren’t as trustworthy as we expect them to be.

One of the things that we lay our trust in every day are Certificate Authorities. These are the people with the power to issue SSL certificates, which are used when you use online banking, search google, access your email and other sensitive information over the internet. It can be identified with a either a padlock symbol, or simply ‘https’. You’ll notice that my blog is encrypted, and you can get details of this by clicking the padlock in the top right in Chrome and Firefox, or the padlock at the end of the address bar in internet explorer.

For this example I will use Firefox:

SSL Overview

You can see that the connection is secure. Wonderful!

What good is it however to have an encrypted connection, when it could be anyone in the world.
That’s where the trust part comes into it.

You can see that the certificate has been verified by GoDaddy.com, Inc. Clicking ‘More Information…’, ‘View Certificate’ and going to the ‘Details’ tab will take you to this screen:

SSL Overview

Here you can see the trust tree. This is the chain that lets firefox know that the certificate is one that it can trust.

Think of it this way, you’re having a party, and a guy enters. You don’t know him, and therefore don’t want him in your house, but he says he is friends with another guy, who you don’t know and ring up, but he says he’s friends with another guy, who you don’t know and ring up, who says he’s friends with one of your close friends, who confirms that he is indeed his friend, and he can vouch for his friend, his friend’s friends, and his friend’s friend’s friend who is at your front door.

From this you can trust all of his friends into your house. If one of them steals/breaks/otherwise vandalises your house, you can go back to your friend and either say ‘these guys did bad things to my house’, and he will revoke their friendship, or you can choose not to be friends with this guy who let idiots into your house anymore.

In this case, the guy at your door is ‘*.wordpress.com’, his unknown friends are ‘Go Daddy Secure Certificate Authority – G2’ and ‘Go Daddy Root Certificate Authority – G2’, and the friend you trust is ‘Go Daddy Class 2 CA’

This root level of trust is built into the web browser (or in the case of Internet Explorer, Windows itself), and you can choose to revoke or add authorities at your will, but be warned: revocation is a drastic measure which will limit access to a number of sites and compromise your security at the same time. If a website does something bad, the best course of action is to take it up with the certificate authority which issued that website’s certificate and let them revoke it. Details for this can usually be found under the page linked in the ‘Subject’ field

Subject field

Visiting the site will usually give details on what to do if you suspect a certificate has been compromised or if the legitimate owner is performing malicious activity with it

Next up will be how to run your own certificate authority!

Advertisements

Using MySQL with PHP

Today I shall discuss a subject that took me ages to get my head around. It took me an incredibly long time to understand how to access SQL data within PHP.

Hence why I wish to make it easier for anyone else who is struggling to understand it.

To begin with you need a MySQL database (and a table to help speed things up). This post assumes you know how to do this for brevity’s sake. Now you need to access the database from within PHP:

This example is written in the procedural style. The object oriented style is written differently!

<?php
$db = new mysqli('server','user','password','database');

$people = $db->query("SELECT * FROM people WHERE gender='female'");
while($person = $people->fetch_assoc()) {
echo $person['name'].'<br />';
}

This code fetches all the names of people in the table 'people' who are female. Let me explain:

$db is how the script accesses the server. You can have more than one server instance. For example, I may have one accessing a database on an old server, to be moved to a database on a new server, or another database on the same server. new mysqli creates a new instance of server access. 'server' is the server address, which in most cases is either localhost or 127.0.0.1. 'user' is the username of a user who has permission to view the tables on the server. 'password' is obvious. It is the password of the aforementioned user. 'database' is the name of the database that this script uses.

I, for example may use
$db = new mysqli('localhost','ben','12345','friends');

Next is $people. This contains the query to be sent to the server to get all the records in the table 'people'. $db->query tells the server to query the database instance $db with the query to be mentioned next.

"SELECT * FROM people WHERE gender='female'" is the sql query. It is sent to the server to make it ‘do’ stuff. SELECT tells the database to fetch records from the server. ‘*’ tells the database to fetch all the columns, for example name, address, date of birth, gender, etc. FROM people tells the server to fetch all columns of information from the table called 'people'. WHERE gender='female' tells the server to fetch all columns of all records that match the WHERE clause, which in this case is records where the specified gender is female.

'while($person = $people->fetch_assoc())' Is the start of what PHP does with the data. $people is only a query, and it doesn’t contain any information. $person = $people->fetch_assoc() creates a new ‘person’ object which contains the data of the first record associated with the query contained in $people. You may have noticed that only the first record is selected, but the next records are selected when the while statement loops back, and so on until there are no more records left to process. Simple, right? 😉

After the while statement, there is then echo $person['name'].'<br />'; inside two curly braces. The curly braces define what code the while statement runs each time it loops. echo tells the script to print some stuff to the browser. Remember that the browser does not get to see any of this code, and so this line will be the first line sent to the browser. $person['name'] contains the content in the ‘name’ column of the record being currently processed. It can be changed to other names, such as $person['address'], $person['date_of_birth'], $person['gender'], etc. and it will echo different things. the dot in between the variable and <br /> tells the script to join something on. <br /> tells the browser to create a new line. Without this line, all the names would be printed in one long line.

The output of this could be:

Janet
Michelle
Emily
Susan

Changing the $person['name'] variable to $person['gender'] would be guaranteed to display:

female
female
female
female

This is because of the WHERE clause I wrote about earlier.

Of course, questions are welcome in the comments, which will be answered and included in this post!

Hardening WordPress plugins

I write code.

Yes, most of you know this, but what most of you don’t know is:

I didn’t write secure code, until now.

Let me explain: It is no good building a website for a client and going “Hey! Here’s a new site I’ve built you. It’s super secure!”, when you haven’t given one thought the people on the dark side (of the planet and of the force), and allowed for SQL injection attacks.

SQL injection attacks are where people ‘inject’ code into your site. Imagine this scenario:

A good person goes onto the website and enters ‘Josh’ into a box called ‘username’.

The PHP for this database query looks as so:

$age= $_POST['username'];
$db->query("SELECT name FROM people WHERE username='".$username."'");

This code inserts $username into the mysql query. The query that is sent to the database looks as follows:

SELECT name FROM people WHERE username='Josh';

So what happens if someone injects SQL into this query?

Say Mr Baddie comes along and enters Josh'; DELETE FROM people into the ‘username’ box, the query sent to the database will be:

SELECT name FROM people WHERE age='Josh'; DELETE FROM people;' Note the apostrophe at the end!

Or

SELECT name FROM people WHERE age='Josh';
DELETE FROM people;'

A lovely list of people with the username Josh will be returned. Before promptly deleting everything from the table ‘people’.

Oh Dear. I hope someone remembered to take a backup of that database.

Once people have been observed throwing insult-ridden shouts across the office at each other, blaming each other for the incident; and the boss has been to throw his own insults; and the site has been down for a week; and the head office has held a conference call to throw their own insults, it is finally time to sit down and work out what went wrong and how it can be prevented in the future.

Option 1: Delete the site and pretend none of this ever happened.

Option 2: Use different users for fetching and writing data to the database.

Option 3: ‘Sanitise’ the code to prevent SQL injection attacks.

I suggest Option 1 if you want a 100% guarantee that this will never happen again, but a compromise is required for those who don’t want to/can’t take it that far.

I suggest Option 2 & 3 for the near best you can get. I will explain Option 3 only.

The process of sanitisation not only protects against code injection, it also protects against the good guys potentially accidentally breaking your server.

There are different ways of sanitising user input for each language. I will demonstrate how to sanitise input for a mysql database through php.

It’s a function called mysqli_real_escape_string

So, instead of putting the given input straight into the sensitive belly of the database, I need to sanitise it.

Here’s the code instead.

$age = $db->real_escape_string($_POST['username']);
$db->query('SELECT name FROM people WHERE age=".$username');

So when Mr Baddie inputs Josh'; DELETE FROM people into the ‘username’ box, the content is sanitised and the day is saved.

The End.