Monthly Archives: December 2015

Run Linux commands on Windows via cmder

I know a lot about Linux commands and run them on Linux and IBM i, but never found a tool that could do it on Windows until today. If you have to run on Windows and would like access to:

  • ls, grep, cat, tail, vim, ssh, scp, php-cli (by adding it to your Windows PATH), etc.
  • history of commands
  • color coded screen
  • full screen

You can download cmder @ http://cmder.net/

I guess I won’t need PuTTY or Google’s SSH client app anymore, and goodbye cmd.exe.

Shout out to @tweetjbh for recommending it


Run #DB2 SQL Scripts added to #IBMi Access

The latest version of IBM i Access Client Solutions released today (Dec 9 2015) now allows you to run SQL scripts! It also has an improved UI with color-coded SQL!

[Image: Run SQL Scripts in IBM i Access Client Solutions with color-coded SQL]

You can download the latest IBM i Access Client Solutions here: https://t.co/jInoj0OtDX

Big thanks to Jesse Gorzinski’s team and everyone at IBM that made this possible! We finally aren’t married to the Windows-only iSeries Navigator for running SQL! We can now use this tool on Mac, Linux or Windows!


Protecting against Session Fixation in PHP on IBMi

After logging a user into your system you should invalidate the previous session identifier so an attacker who knows it never ends up holding an authenticated session. In PHP the PHPSESSID cookie carries the session identifier, and it should be changed at the moment the user authenticates (any other privilege change, such as a password reset, deserves the same treatment). It is as easy as calling session_regenerate_id(), which replaces PHPSESSID with a fresh value; pass true as its argument so the old session’s data is deleted on the server as well, otherwise the old id keeps working until it expires.

If you don’t change the session identifier, an attacker can first plant a PHPSESSID value they know in the victim’s browser (through a crafted link, a cookie set from a sibling subdomain, or similar), wait for the victim to log in, and then present the same id from their own browser. At that point the attacker can do anything your application allows for that authenticated user, without ever learning the password.
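The login flow described above, as an added example (this is not the original post’s code). It assumes PHP 7 or later, an HTTPS site, and a constructed in-memory user store standing in for a DB2 lookup. Besides session_regenerate_id(true) it turns on session.use_strict_mode, which makes PHP discard any session id it did not issue itself, so a planted id is dropped at session_start() before it can do harm.

```php
<?php
declare(strict_types=1);

// Harden the cookie before the session starts: HttpOnly keeps JavaScript away
// from PHPSESSID, Secure keeps it off plain HTTP (assumes the site is HTTPS).
session_set_cookie_params(0, '/', '', true, true);
// Reject session ids the server never issued (PHP >= 5.5.2). A fixated id
// chosen by the attacker is simply ignored and a new one is generated.
ini_set('session.use_strict_mode', '1');
session_start();

// Constructed user store for this example only: one account whose hash was
// produced with password_hash(). A real application reads this from DB2.
$users = [
    'jdoe' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

function login(array $users, string $user, string $password): bool
{
    if (!isset($users[$user]) || !password_verify($password, $users[$user])) {
        return false;
    }

    // Privilege change: throw away the pre-authentication id. The true
    // argument also deletes the old session's data on the server, so even an
    // attacker who knows the old PHPSESSID now holds an id that maps to nothing.
    session_regenerate_id(true);

    $_SESSION['user'] = $user;
    $_SESSION['logged_in_at'] = time();
    return true;
}

function logout(): void
{
    $_SESSION = [];
    // Expire the cookie in the browser as well as destroying server-side data.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (login($users, $_POST['user'] ?? '', $_POST['password'] ?? '')) {
        header('Location: /home.php');   // /home.php is an assumed target page
        exit;
    }
    http_response_code(401);
    echo 'Invalid credentials';
}
```

The order matters: session_regenerate_id() must run after the credentials check and before anything is written to $_SESSION, so the authenticated state only ever lives under an id the attacker has not seen.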

Protecting against SQL Injection in PHP and DB2 on IBM i

With many IBMi developers new to PHP, SQL and the web environment, it’s important to cover a common mistake people make. The mistake is concatenating a value from $_REQUEST, $_GET or $_POST into their SQL statement string. This opens the door to SQL injection, which lets an attacker retrieve data they were never meant to see, bypass logic by making a WHERE clause always true, or worse: drop a table, alter data, or run anything the web job’s user profile is authorized to do. The fix is a prepared statement with parameter markers: the SQL text is compiled with a ? in it and the value is bound afterwards, so user input can never change the meaning of the statement. Escaping with string functions is not a substitute. Below is how you can use a prepared SQL statement to safely execute SQL.
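The vulnerable pattern next to its prepared-statement replacement, as an added example that is not the original post’s code. It assumes the ibm_db2 extension on IBM i and an assumed table MYLIB.CUSTOMERS with columns CUSTNO, NAME and EMAIL; the library and table names are placeholders for illustration.

```php
<?php
declare(strict_types=1);

// On IBM i a '*LOCAL' connection with blank user and password runs as the
// current job user (assumed here; many sites pass an explicit profile instead).
$conn = db2_connect('*LOCAL', '', '');
if (!$conn) {
    die('Connect failed: ' . db2_conn_errormsg());
}

// VULNERABLE: the request value is pasted into the SQL text.
//   name = x' OR '1'='1     -> the WHERE clause is always true, every row comes back
//   name = x' OR NAME LIKE '% -> same idea with a wildcard
function findCustomerUnsafe($conn, string $name): array
{
    $sql = "SELECT CUSTNO, NAME, EMAIL FROM MYLIB.CUSTOMERS WHERE NAME = '" . $name . "'";
    $stmt = db2_exec($conn, $sql);
    return $stmt ? fetchAll($stmt) : [];
}

// SAFE: a parameter marker. The value is bound to the prepared statement and is
// treated purely as data, quotes and all.
function findCustomerSafe($conn, string $name): array
{
    $sql = 'SELECT CUSTNO, NAME, EMAIL FROM MYLIB.CUSTOMERS WHERE NAME = ?';
    $stmt = db2_prepare($conn, $sql);
    if (!$stmt) {
        throw new RuntimeException('Prepare failed: ' . db2_stmt_errormsg());
    }
    if (!db2_execute($stmt, [$name])) {
        throw new RuntimeException('Execute failed: ' . db2_stmt_errormsg($stmt));
    }
    return fetchAll($stmt);
}

// Writes follow the same rule. Table and column names cannot be parameters; if
// they must vary, pick them from a fixed PHP whitelist before building the SQL.
function updateEmail($conn, int $custno, string $email): bool
{
    $stmt = db2_prepare($conn, 'UPDATE MYLIB.CUSTOMERS SET EMAIL = ? WHERE CUSTNO = ?');
    return $stmt && db2_execute($stmt, [$email, $custno]);
}

function fetchAll($stmt): array
{
    $rows = [];
    while ($row = db2_fetch_assoc($stmt)) {
        $rows[] = $row;
    }
    return $rows;
}

$name = isset($_GET['name']) ? (string) $_GET['name'] : '';
foreach (findCustomerSafe($conn, $name) as $row) {
    // Output is HTML-escaped too; data read safely from DB2 can still carry script.
    echo htmlspecialchars($row['NAME'], ENT_QUOTES, 'UTF-8'), ' ',
         htmlspecialchars($row['EMAIL'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

A quick check for a code base: grep for db2_exec and for double-quoted strings containing $_GET, $_POST or $_REQUEST; every hit is a candidate for conversion to db2_prepare plus db2_execute with an array of values.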

Cross-Site Request Forgery (CSRF) Prevention in PHP

Below is an example of how to prevent cross-site request forgery in PHP. Basically you create a form token tied to the user’s session and embed it in every state-changing form. When the form is submitted we verify that a token was sent and that it matches the one we issued to that session. If it doesn’t, we don’t process the form and echo out an error message. Two details matter: the token must come from a cryptographically secure random source so it can’t be guessed, and the comparison should use hash_equals() so the check does not leak the token through response timing.
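A complete token issue-and-verify round trip, as an added example rather than the original post’s code. It assumes PHP 7 or later for random_bytes() (on 5.6 substitute openssl_random_pseudo_bytes()) and a form field named csrf_token, which is an assumed name.

```php
<?php
declare(strict_types=1);

session_start();

// Issue one unguessable token per session and reuse it for that session's forms.
// 32 random bytes = 256 bits of entropy, hex-encoded so it is safe in HTML.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Call this after login (alongside session_regenerate_id) so a token observed
// before authentication is not valid afterwards.
function csrfRotate(): void
{
    unset($_SESSION['csrf_token']);
}

// Verify a submitted token. hash_equals() runs in constant time, so an attacker
// cannot learn the token byte by byte from how long the comparison takes.
function csrfValid($submitted): bool
{
    if (!is_string($submitted) || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfValid(isset($_POST['csrf_token']) ? $_POST['csrf_token'] : null)) {
        http_response_code(403);
        exit('Invalid form token, request not processed');
    }
    // Token checked out: process the form here.
    echo 'Form accepted';
    exit;
}

$token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
?>
<form method="post" action="">
  <input type="hidden" name="csrf_token" value="<?= $token ?>">
  <label>Email <input type="email" name="email"></label>
  <button type="submit">Update</button>
</form>
```

The token protects POST handlers only if those handlers refuse requests without it, so keep anything that changes state out of GET and run the check before any other processing in the POST branch.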