Monthly Archives: February 2015

Improve Web Security in PHP and/or Apache – Content Security Policy and X-Frame-Options

To guard against UI redressing, clickjacking or XSS you can use the CSP HTTP header, which is supported by newer browsers. To block framing of your site in most browsers you can use the X-Frame-Options header. Below is a PHP script to whitelist the content sources your pages need, so that anything else cannot be pulled in during an attack. This stops http://evilapi.example.com

To apply this in PHP you would just include cspheader.php at the beginning of any script. Alternatively you could add the header in your Apache config (httpd.conf) and restart the server, and every page served would carry it. Thirdly, you could use a .htaccess file in the root directory of your website, and all files in that directory and its child directories would get it. Which option you choose depends on how much access you have to your server and site.
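A cspheader.php along these lines (an added example, not the script from the original post; the hosts cdn.example.com and api.example.com are placeholders for whatever your pages genuinely load from) sets both headers before any output is sent:

```php
<?php
// cspheader.php: added example, not the script from the original post.
// include_once this file before any output. cdn.example.com and
// api.example.com are placeholders for the sources your page really needs.

$policy = [
    'default-src'     => ["'self'"],
    'script-src'      => ["'self'", 'https://cdn.example.com'],  // no 'unsafe-inline'
    'style-src'       => ["'self'"],
    'img-src'         => ["'self'", 'data:'],
    'connect-src'     => ["'self'", 'https://api.example.com'],  // XHR/fetch targets
    'frame-ancestors' => ["'none'"],  // CSP 2 counterpart of X-Frame-Options
];

// Join the directive map into a single header value:
// "default-src 'self'; script-src 'self' https://cdn.example.com; ..."
function build_csp(array $policy)
{
    $directives = [];
    foreach ($policy as $name => $sources) {
        $directives[] = $name . ' ' . implode(' ', $sources);
    }
    return implode('; ', $directives);
}

// While rolling out, set $reportOnly = true: violations are logged in the
// browser console instead of being blocked, so you can spot missing sources.
$reportOnly = false;
$headerName = $reportOnly
    ? 'Content-Security-Policy-Report-Only'
    : 'Content-Security-Policy';

if (!headers_sent()) {
    header($headerName . ': ' . build_csp($policy));
    header('X-Frame-Options: DENY');  // for browsers without frame-ancestors support
}
```

The same two headers can be set site-wide with mod_headers in httpd.conf or .htaccess, for example Header always set X-Frame-Options "DENY".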

More Details/References on CSP

http://content-security-policy.com/

http://www.html5rocks.com/en/tutorials/security/content-security-policy/


Automate Browser refreshes when you save a file in Netbeans IDE (PC only) – Simple AHK Script

Have you ever wanted to refresh your browser after saving a file? Well now you can with this simple AutoHotkey script, which detects whether NetBeans is active, then activates Firefox, sends CTRL + R to the browser and returns to NetBeans. You can modify the script to your needs.

You can download the exe here: https://drive.google.com/file/d/0B7SPOU6Yj_ubcUFDX0tiSFBOLTQ/view?usp=sharing

If you want to run the script yourself without downloading an exe, you'll have to install AutoHotkey.

PHP DB2 Commitment control isolation levels option doesn’t work, but commitment control does. On Zend Server 5.6, PHP Extension IBM_DB2 1.9.2

I'm pretty sure the PHP extension IBM_DB2 is overriding my commitment control isolation level on Zend Server 5.6, PHP Extension IBM_DB2 1.9.2. In my PHP I'm running through 10,000 insert statements and then I'm doing a SQL SELECT on that table as a different user over a JDBC connection. I'm getting dirty reads (seeing the inserted rows before the commit) even though I have DB2_I5_TXN_SERIALIZABLE set in my db2_connect.

I've looked at the source and I think this is the issue. On lines 1403 and 1410 the IBM_DB2 extension sets SQL_ATTR_COMMIT to what's passed into the db2_connect option i5_commit (which would be better named commitment control isolation level). On line 2165 it is overwritten to the no-commit isolation level if c_i5_allow_commit is non-zero (it's set to 1 to allow commits) and rc is non-zero (rc looks to be the result of setting SQL_ATTR_AUTOCOMMIT via SQLSetConnectAttr(), which would be turned off since you don't want to commit the changes until all your records are done).

Screenshot: the PHP extension uses what's passed into db2_connect.

Later on in the code the PHP extension is overriding those options!!! There's no way to change it unless you turn i5_allow_commit off (this turns off commitment control and defeats the purpose) or turn off autocommit (that won't work either, as I want to commit at the end of all my changes).


Try it yourself

Notes on the IBM_DB2 PHP extension: DB2_I5_TXN_SERIALIZABLE is the same as SQL_TXN_SERIALIZABLE because of #define DB2_I5_TXN_SERIALIZABLE SQL_TXN_SERIALIZABLE. SQL_DEFAULT_TXN_ISOLATION is passed to SQLGetInfo() along with a bitmask. SQL_DEFAULT_TXN_ISOLATION is defined in the ODBC headers and not in IBM_DB2. In this ODBC sql.h (I don't know which ODBC source IBM is actually using) SQL_DEFAULT_TXN_ISOLATION is set to 26 (http://www.ncbi.nlm.nih.gov/IEB/ToolBox/CPP_DOC/lxr/source/include/dbapi/driver/odbc/unix_odbc/sql.h#L411). I believe the bitmask gets set to the default isolation and is then compared using the bitwise AND operator (&) with the various isolation options; for each one that matches, UR, CS, RS or RR is added to the array:

#ifdef PASE /* i5/OS ISOLATION_OPTION */
    rc = SQLGetInfo(conn_res->hdbc, SQL_DEFAULT_TXN_ISOLATION, &bitmask, sizeof(bitmask), NULL);
#else
    /* non-PASE branch omitted from this excerpt */
#endif

    if( bitmask & SQL_TXN_READ_UNCOMMITTED ) {
        add_index_stringl(array, key++, "UR", 2, 1);
    }
    add_property_zval(return_value, "ISOLATION_OPTION", array);

Simulating a file lock while running queries against the #DB2 #PHP #SQL #IBMi #iseries Hint: Commitment Control

UPDATE: I'm currently experiencing issues with the commitment control isolation level not working. It appears to be a problem with the PHP extension. This issue should be fixed in newer versions of Zend Server and ibm_db2. My issues occurred on Zend Server 5.6, PHP Extension IBM_DB2 1.9.2.

I was wondering if there was a way to lock a file from being read while I modified the table using PHP and the db2_* functions. This came up because I wanted to modify a table but make sure the users of my application didn't see a partial list of the data while it was being inserted via SQL.

The answer is yes, there is a way, and it's very simple! You use commitment control. By default commitment control is set to autocommit, which means each change is applied as soon as you call db2_execute. Here's a simple example showing how to change commitment control and make sure the changes don't get applied until you're ready.

Apparently you have to enable commitment control in php.ini (/usr/local/zendsvr/etc/php.ini).

add this line:

ibm_db2.i5_allow_commit=1

alternatively you can put it in /usr/local/zendsvr/etc/conf.d/ibm_db2.ini which I think is the “best practice” but can be annoying to find since you usually look in php.ini first.

Here are the options for commitment control from php.net. Depending on your circumstances you may want to allow users to read the data while you're inserting the new records; the isolation levels below give you that choice, each with its numeric PHP constant value.

DB2_I5_TXN_NO_COMMIT – Commitment control is not used. Actual value 1

DB2_I5_TXN_READ_UNCOMMITTED – Dirty reads, nonrepeatable reads, and phantoms are possible. Actual value 2

DB2_I5_TXN_READ_COMMITTED – Dirty reads are not possible. Nonrepeatable reads, and phantoms are possible. Actual value 3

DB2_I5_TXN_REPEATABLE_READ – Dirty reads and nonrepeatable reads are not possible. Phantoms are possible. Actual value 4

DB2_I5_TXN_SERIALIZABLE – Transactions are serializable. Dirty reads, non-repeatable reads, and phantoms are not possible. Actual value 5

You'll also have to make sure the physical file is journaled: http://www.ibm.com/developerworks/data/library/techarticle/0305milligan/0305milligan.html

Debugging

This will give you everything you want to know about your DB2 connection to the IBM i.

Notes:

The commitment control only works when PHP is on the IBMi – https://bugs.php.net/bug.php?id=60363

Don't use this with persistent connections, as you could be rolling back or committing data from someone else sharing the connection.

I was not able to do ini_set('ibm_db2.i5_allow_commit', 1); it came back with false. So either all your apps allow commit or none of them do.
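Putting the steps above together, here is an added example (not the post's own code) of loading rows under commitment control so that other users either see the whole batch or none of it. It assumes ibm_db2.i5_allow_commit=1 is set and the file is journaled; the library, table, column and credential values are placeholders, and reading ISOLATION_OPTION from db2_server_info() is an assumption based on the extension excerpt above.

```php
<?php
// Added example, not the post's own gist. Requires ibm_db2.i5_allow_commit=1 in
// php.ini and a journaled physical file. MYLIB, MYTABLE, MYUSER, MYPASS and the
// column names are placeholders.

$options = [
    'i5_naming'  => DB2_I5_NAMING_ON,
    'i5_lib'     => 'MYLIB',                 // placeholder library
    'i5_commit'  => DB2_I5_TXN_SERIALIZABLE, // isolation level, see the table above
    'autocommit' => DB2_AUTOCOMMIT_OFF,      // nothing is visible until db2_commit()
];

// db2_connect, not db2_pconnect: a shared persistent connection would let another
// request commit or roll back this unit of work.
$conn = db2_connect('*LOCAL', 'MYUSER', 'MYPASS', $options);
if (!$conn) {
    exit('Connect failed: ' . db2_conn_errormsg() . PHP_EOL);
}

// Check what the server actually offers. ISOLATION_OPTION is the property built
// in the C excerpt above (assumed to be exposed through db2_server_info()).
$info = db2_server_info($conn);
echo 'Isolation options: ', implode(', ', (array) $info->ISOLATION_OPTION), PHP_EOL;

$rows = [[1, 'first'], [2, 'second'], [3, 'third']]; // constructed sample data
$stmt = db2_prepare($conn, 'INSERT INTO MYTABLE (ID, NAME) VALUES (?, ?)');
if (!$stmt) {
    exit('Prepare failed: ' . db2_stmt_errormsg() . PHP_EOL);
}

$ok = true;
foreach ($rows as $row) {
    if (!db2_execute($stmt, $row)) {
        echo 'Insert failed: ', db2_stmt_errormsg($stmt), PHP_EOL;
        $ok = false;
        break;
    }
}

// Make every row visible at once, or none of them.
if ($ok && db2_commit($conn)) {
    echo 'Committed ', count($rows), ' rows', PHP_EOL;
} else {
    db2_rollback($conn);
    echo 'Rolled back, table unchanged', PHP_EOL;
}
db2_close($conn);
```

If ISOLATION_OPTION comes back without the level you asked for, or a reader on another connection still sees the rows before the commit, you are hitting the extension behaviour described in the post above rather than a mistake in your own script.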

Links

IBM_DB2 Runtime Config

Function DB2_Connect

XMLSERVICE

IBM_DB2 PHP extension source

IBM i weird issues with Parameter passing – MUST read for new IBM i devs!

The IBM i likes full strings. If the field is 10 characters, you had better pass it 10 characters. This becomes especially true once you get past 32 characters, because of how memory is allocated and because parameters are passed by reference. This is very different from PHP development. You can get the full explanation from this amazing article: http://wiki.midrange.com/index.php/Parameter_passing

I had this issue with a CL program that was passing a parameter longer than 32 characters to a PASE program. It was getting garbage on the end. To avoid this you trim your variables and concatenate a blank string that's bigger than the size of the variable, to make sure every part of the variable is padded with a value you set. Example code: https://gist.github.com/phpdave/902debb703aadbe53b07

IBM DB2 SQL – Check SELECT authority to file before calling – QSYS2.SQL_CHECK_AUTHORITY(‘LIBRARY’,’FILE’)

Just found this great SQL UDF (user defined function) QSYS2.SQL_CHECK_AUTHORITY('library','file') that IBM put into V7R1. It lets you check whether the current user can select from a file. It returns 0 if they are not allowed to query the file, otherwise 1. This beats getting the SQL permissions error and having to use a try/catch block in PHP to capture the exception.

SELECT QSYS2.SQL_CHECK_AUTHORITY('LIBRARY','FILE') FROM SYSIBM.SYSDUMMY1