Category Archives: PHP toolkit for IBM i

PHP IBM i Toolkit – Security Awareness of HTTP transport – Sending UserId and Password in Clear Text

With many open source security exploits coming out (Shellshock, Heartbleed and recently GHOST), I decided to look into the open source PHP IBM i toolkit that many people are using to access the IBM i. The whole idea of open source is that with many eyes looking at something, bugs and security issues get found and new features can be contributed by anyone. The issue I found with the PHP toolkit is that there’s no warning about using the HTTP transport to connect to the iSeries: it actually sends your user ID and password over the network to the web server in plain text, where anyone who can capture traffic on the path can read them. This is an issue with XMLSERVICE as well. It really should not allow you to connect via HTTP and should force HTTPS connections.

I looked into odbc_connect and it appears to me that it’s doing some type of encryption, as I was not able to pick up my username with Wireshark. Since IBM_DB2 is using SQLConnect in the PHP extension, I’d assume the same goes for that transport method. Therefore, by default the toolkit appears safe, but if your project requires you to connect via HTTP, make sure you refactor the transport to use HTTPS instead. Also, please don’t use the GET method: it puts the parameters (the user ID and password) in the URL query string, which web servers, proxies and browsers routinely record in access logs and history.

You can see this issue in the send method of the httpsupp class (the original post shows a screenshot of that method).

To see how to securely create an HTTPS request, look at the comments from jrubenstein at gmail dot com and louis dot huppenbauer at gmail dot com on php.net’s stream_context_create page.
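As an added example (not code from the toolkit or the original post), here is what a transport send method along the lines described above can look like: it refuses anything but https://, verifies the server certificate against a CA bundle, and carries the credentials in a POST body rather than the URL. The function name, the $caFile argument and the form field names are assumptions; the field names follow XMLSERVICE’s xmlcgi.pgm interface, so check them against the version you run.

```php
<?php
// Added example, not code from the toolkit or the original post. A transport
// send() that only speaks HTTPS, verifies the server certificate, and keeps
// the user ID and password out of the URL. The form fields (db2, uid, pwd,
// ipc, ctl, xmlin, xmlout) are assumed to match the xmlcgi.pgm interface;
// $caFile is the CA bundle that signed the IBM i HTTP server's certificate.

function xmlservice_send($url, $user, $pass, $xml, $caFile)
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme']) || strtolower($parts['scheme']) !== 'https') {
        // Plain http:// would put the user ID and password on the wire in clear text.
        throw new InvalidArgumentException('XMLSERVICE transport must use https://, got: ' . $url);
    }
    if (isset($parts['query'])) {
        // Never carry parameters in the query string: it ends up in access logs.
        throw new InvalidArgumentException('pass parameters in the POST body, not the URL');
    }
    if (!is_readable($caFile)) {
        throw new RuntimeException('CA bundle not readable: ' . $caFile);
    }

    // Everything goes in the POST body, so nothing sensitive appears in the
    // request line that Apache writes to its access log.
    $body = http_build_query(array(
        'db2'    => '*LOCAL',
        'uid'    => $user,
        'pwd'    => $pass,
        'ipc'    => '*NA',      // assumed: no IPC key needed with ctl=*here
        'ctl'    => '*here',
        'xmlin'  => $xml,
        'xmlout' => 500000,
    ));

    $ctx = stream_context_create(array(
        'http' => array(
            'method'        => 'POST',
            'header'        => "Content-Type: application/x-www-form-urlencoded\r\n"
                             . 'Content-Length: ' . strlen($body) . "\r\n",
            'content'       => $body,
            'timeout'       => 30,
            'ignore_errors' => true,          // still read the body of 4xx/5xx replies
        ),
        'ssl' => array(
            'verify_peer'         => true,    // chain must end at a CA in $caFile
            'verify_peer_name'    => true,    // certificate must match the host name
            'allow_self_signed'   => false,
            'cafile'              => $caFile,
            'disable_compression' => true,    // no TLS compression (CRIME)
        ),
    ));

    $response = file_get_contents($url, false, $ctx);
    if ($response === false) {
        $err = error_get_last();
        throw new RuntimeException('HTTPS request failed: ' . ($err ? $err['message'] : 'unknown'));
    }
    // $http_response_header is filled in by the http wrapper after the call.
    $status = isset($http_response_header[0]) ? $http_response_header[0] : 'none';
    if (!preg_match('#\s200\s#', $status)) {
        throw new RuntimeException('unexpected response: ' . $status);
    }
    return $response;
}

// Usage (host, credentials and CA path are placeholders; keep the password
// out of the script, e.g. in the environment):
// $out = xmlservice_send('https://ibmi.example.com/cgi-bin/xmlcgi.pgm',
//                        'WEBUSER', getenv('XMLSERVICE_PWD'),
//                        '<script><cmd exec="rexx">RTVJOBA USRLIBL(?)</cmd></script>',
//                        '/QOpenSys/etc/ssl/ca-bundle.crt');
```

Before PHP 5.6, verify_peer defaulted to false and host name checking used the CN_match option instead of verify_peer_name, so on the older PHP levels shipped with Zend Server set these explicitly rather than relying on defaults. With this context the call fails closed: an http:// URL, a certificate that does not chain to $caFile, or a name mismatch raises an exception instead of silently sending the user ID and password in the clear.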


PHP IBM i toolkit – Thoughts on its future development

The PHP IBM i toolkit is a collection of PHP files that interact with XMLSERVICE on the IBM i to give you access to IBM i objects. I’ve been thinking that this approach was probably taken because it opens the door to any programming language that wants to interact with the IBM i (PHP, Node.js, Ruby, ASP.NET etc. can all use this API). The problem I see with the current implementation is that it requires XML encoding, XML parsing, and function calls that aren’t compiled. I think it makes sense for a PHP extension to be written in C with hooks into the IBM i objects, much like how the ibm_db2.so PHP extension has hooks into physical files, stored procedures, etc. IBM already has ILE C that can interact with all IBM i objects, so why not have a direct API to call from your PHP, like db2_connect()? Your PHP project would call the compiled C PHP extension. There’s already a starting point, since you can view the source of ibm_db2.so. Chuk from Twitter mentioned creating it myself, which is tempting, but unfortunately I’m not that familiar with what’s “under the hood” of the IBM i.

IBM i PHP Toolkit

Is it all about performance? Or an increase in usability?

  1. There has to be a balance between performance and the ability to get the job done quickly with code that is easy to maintain in the future.
  2. With the PHP extension it would make it more usable as you won’t have to worry about including the CW.php wrapper.
  3. You can use the function calls provided from the php extension anywhere.
  4. Upgrades are as simple as overwriting the .so file in the php extensions folder.

Why C/C++?

  1. You can extend the functionality and performance of PHP with a compiled PHP extension.
  2. You can write ILE C on the IBM i instead of ILE RPG. Chris Hird says he does most of his development in C instead of RPG; if he wants to write an application on Linux he can keep using C. RPG is proprietary and stuck on the IBM i until IBM decides to open source it.
  3. It’s popular, based on the TIOBE rating.

Alternatives to the toolkit for accessing RPG and CL programs

  1. You can create external stored procedures that attach to RPG or CL programs (or any other external language that CREATE PROCEDURE supports; the original post shows a screenshot of the language list).
  2. QSYS.QCMDEXC can be called in a stored procedure to run CL commands (not sure about the other languages).
  3. The disadvantage is that you have to write and create a stored procedure for every external program, which is not an optimal workflow for PHP development (write PHP, write stored proc, create stored proc).
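As an added example (not the toolkit’s or the original post’s code), here is that workflow driven entirely from PHP with the ibm_db2 functions: create the external procedure wrappers once, then call them with bound parameters. MYLIB, GETCUST (an RPG program taking a customer number in and a name out) and RUNCL are hypothetical names, and the CREATE PROCEDURE clauses follow the usual form for DB2 for i external procedures but should be checked against your release’s SQL reference.

```php
<?php
// Added example, not code from the original post or the toolkit: the
// "write PHP, write stored proc, create stored proc" workflow from PHP with
// the ibm_db2 functions. MYLIB, GETCUST and RUNCL are hypothetical names; the
// CREATE PROCEDURE clauses are assumed to match your DB2 for i release.

function connect_local($user, $pass)
{
    // *LOCAL keeps the connection inside the machine; the user ID and
    // password never cross the network the way they do with an HTTP transport.
    $conn = db2_connect('*LOCAL', $user, $pass);
    if (!$conn) {
        throw new RuntimeException('db2_connect failed: ' . db2_conn_errormsg());
    }
    return $conn;
}

// One-time setup: register the external programs as SQL procedures.
function create_wrappers($conn)
{
    $ddl = array(
        // RPG program MYLIB/GETCUST: CUSTNO in, CUSTNAME out.
        "CREATE PROCEDURE MYLIB.GETCUST (IN CUSTNO CHAR(8), OUT CUSTNAME CHAR(40))
           LANGUAGE RPGLE NOT DETERMINISTIC NO SQL
           EXTERNAL NAME 'MYLIB/GETCUST' PARAMETER STYLE GENERAL",
        // Wrapper over the QCMDEXC API so a CL command can be run with CALL.
        "CREATE PROCEDURE MYLIB.RUNCL (IN CMD CHAR(300), IN CMDLEN DECIMAL(15,5))
           LANGUAGE CL NOT DETERMINISTIC MODIFIES SQL DATA
           EXTERNAL NAME 'QSYS/QCMDEXC' PARAMETER STYLE GENERAL",
    );
    foreach ($ddl as $stmt) {
        // SQLSTATE 42723 (SQL0454): the procedure already exists, which is fine.
        if (!db2_exec($conn, $stmt) && db2_stmt_error() !== '42723') {
            throw new RuntimeException('CREATE PROCEDURE failed: ' . db2_stmt_errormsg());
        }
    }
}

function get_customer_name($conn, $custno)
{
    if (!preg_match('/^[A-Z0-9]{1,8}$/', $custno)) {
        throw new InvalidArgumentException('bad customer number');
    }
    $name = str_repeat(' ', 40);          // buffer for the CHAR(40) OUT parameter
    $stmt = db2_prepare($conn, 'CALL MYLIB.GETCUST(?, ?)');
    if (!$stmt) {
        throw new RuntimeException(db2_stmt_errormsg());
    }
    // Parameters are bound, not concatenated into the CALL text, so request
    // input cannot rewrite the statement.
    db2_bind_param($stmt, 1, 'custno', DB2_PARAM_IN);
    db2_bind_param($stmt, 2, 'name', DB2_PARAM_OUT);
    if (!db2_execute($stmt)) {
        throw new RuntimeException(db2_stmt_errormsg($stmt));
    }
    return rtrim($name);
}

function run_cl($conn, $cmd)
{
    // QCMDEXC executes whatever string it gets with the job's authority, and
    // binding does nothing to make the command itself safe. Only allow a short
    // list of verbs and a restricted character set; never pass request input here.
    $allowed = array('ADDLIBLE', 'CHGCURLIB', 'OVRDBF');
    if (!preg_match('/^([A-Z]+)( [A-Z0-9_#@\$\(\)\*\/ ]*)?$/', $cmd, $m)
        || !in_array($m[1], $allowed, true)) {
        throw new InvalidArgumentException('CL command not permitted: ' . $cmd);
    }
    $len  = strlen($cmd);                 // QCMDEXC takes the length as DECIMAL(15,5)
    $stmt = db2_prepare($conn, 'CALL MYLIB.RUNCL(?, ?)');
    if (!$stmt) {
        throw new RuntimeException(db2_stmt_errormsg());
    }
    db2_bind_param($stmt, 1, 'cmd', DB2_PARAM_IN);
    db2_bind_param($stmt, 2, 'len', DB2_PARAM_IN);
    if (!db2_execute($stmt)) {
        throw new RuntimeException(db2_stmt_errormsg($stmt));
    }
}

// Usage (credentials are placeholders; read them from the environment, not the script):
// $conn = connect_local('WEBUSER', getenv('DB2_PASSWORD'));
// create_wrappers($conn);
// run_cl($conn, 'ADDLIBLE MYLIB');
// echo get_customer_name($conn, 'C0000042'), "\n";
```

The two wrappers differ in what binding buys you. For GETCUST, binding the customer number keeps it out of the CALL text, so it cannot alter the statement. For the QCMDEXC wrapper, binding only protects the CALL; the command string itself is executed by the system with the job’s authority, which is why run_cl accepts only a fixed allow-list of verbs and characters and must never be fed request input.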

What does the IBM_DB2 PHP extension look like under the hood?

So I looked into the IBM_DB2 C source code and figured out that it’s more like a wrapper around the SQL* ODBC functions with additional DB2-specific features added on. So I guess that really wouldn’t be a starting point for accessing IBM i programs directly.

Responses from Twitter

(embedded tweets not reproduced here)

TIOBE Rating

(TIOBE index screenshot not reproduced here)

Links

XMLSERVICE

PHP IBM i Toolkit GitHub Source

Tutorial to create PHP Extension | Another Article on PHP Extensions | More on PHP Extensions

IBM_DB2 PHP Extension Source from PECL

IBM_DB2 uses some ODBC/CLI functions; you can find info on them here

Migrating from Zend Core for i to Zend Server for IBM i – My Experience

I’m currently working on migrating from Zend Core 2.6.0 to Zend Server 5.6 for IBM i. Big thanks to Alan Seiden, who has some very helpful blog posts on this topic. I’d recommend checking out:

http://www.alanseiden.com/2010/04/21/differences-between-zend-core-and-zend-server-on-ibm-i/

and

http://www.alanseiden.com/2011/02/08/qa-upgrading-from-zend-core-to-zend-server/

Here are my tips from migrating:

  1. If you were using the i5_* functions for database connections, you can continue using AURA Equipements’ toolkit, but I think long term you’d be better off using the PHP db2_* functions. Do not use the Zend Framework’s DB2 class, since db2_bind_param doesn’t work with it. The ZF team can’t implement it to work correctly right now and probably never will in the future. I’ve been waiting 3 years now for them to make a change…
  2. Use http://as400:2001/HTTPAdmin (IBM Web Administration for i) to change the Apache config for Zend Server and to start/stop the server.
  3. You’ll need to transfer your files from /www/zendcore to /www/zendsvr.
  4. Give permissions to QTMHHTTP, the profile the HTTP server jobs run under. Run STRQSH, then:
    cd /www/zendsvr/htdocs
    chmod -R 770 .
    chown -R qtmhhttp .
    Note that this makes the web server’s own profile the owner of the whole document root with write access, so a compromised PHP script could modify any file it serves; if your application doesn’t need to write there, prefer leaving ownership with a deployment profile and giving QTMHHTTP read and execute (*RX) only.
  5. Modify the httpd.conf file, comparing it against your old conf file to see whether any changes need to be carried over:
    /www/zendcore/conf/httpd.conf
    /www/zendsvr/conf/httpd.conf
  6. Check your system CCSID value (DSPSYSVAL QCCSID). If the value is 65535, add the following two directives to the Apache configuration file (/www/zendsvr/conf/httpd.conf), then stop and start Apache:
    DefaultFsCCSID 37
    CGIJobCCSID 37
  7. Edit the php.ini file (/usr/local/zendsvr/etc/php.ini) and set a different session path:
    session.save_path = "/tmp/ZS"
  8. Change scripts that reference /www/zendcore to /www/zendsvr.
  9. Recreate any NFS mounts, since files might have moved into /www/zendsvr.
  10. If you’re using Zend Framework you might want to continue using the old version that shipped with Zend Core, so modify the include_path in php.ini to point at it rather than at the new version (currently 1.11.10):
    include_path = ".:/usr/local/Zend/ZendFramework/library:/usr/local/zendsvr/share/pear:/usr/local/ZendSvr/share/ToolkitApi"

Benefits of upgrading from Zend Core:
  1. PERFORMANCE! I’m seeing scripts running between 18% and 400% faster. One script that used to take 40 seconds now takes only 8.
  2. Only one Apache configuration to worry about now.
  3. Latest PHP.