Tag Archives: php

Execute SQL remotely on an IBM i via PHP’s PDO ODBC from Windows or Linux

You’ll first have to configure an ODBC connection (a “System DSN”/“System Data Source”) via the “iSeries Access ODBC driver”, which may also be called the IBM i Access driver. You can learn how to download and install it here:

http://www-01.ibm.com/support/docview.wss?uid=nas8N1010355

Here are some of the ways to configure the ODBC connection:

https://godzillai5.wordpress.com/2015/07/08/setting-a-default-sql-library-and-library-list-on-a-odbc-connection-for-a-ibmi-db2-connection-in-windows-and-linux/

Once you have the ODBC connection set up you can use it in PHP. Here’s a simple example of how to execute SQL remotely and safely on an IBM i via ODBC. Note that you won’t want to dump the error info in production; it’s there to alert you about errors during development.

Here’s an example of how to run a SQL external stored procedure:
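The two examples above are not in the archived post, so here is an added example (my code, not the post author’s) that covers both: connecting through a System DSN and calling a stored procedure with a bound parameter. It assumes a DSN named MYIBMI, credentials in the IBMI_USER/IBMI_PASS environment variables, and a hypothetical procedure MYLIB.GET_CUSTOMER(IN CUSTNO INTEGER) that returns a result set.

```php
<?php
// Added example, not the post's own code. Assumes a System DSN "MYIBMI"
// (SSL enabled in the DSN), credentials in environment variables, and a
// hypothetical external stored procedure MYLIB.GET_CUSTOMER(IN CUSTNO).
declare(strict_types=1);

function connectIbmi(string $dsn, string $user, string $password): PDO
{
    $pdo = new PDO("odbc:$dsn", $user, $password);
    // Throw exceptions instead of silently returning false on errors,
    // so a failed statement cannot be mistaken for an empty result.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

/** Call the stored procedure; the customer number is bound, never inlined. */
function callGetCustomer(PDO $pdo, int $custno): array
{
    $stmt = $pdo->prepare('CALL MYLIB.GET_CUSTOMER(?)');
    $stmt->bindValue(1, $custno, PDO::PARAM_INT);
    $stmt->execute();
    // The procedure's result set is read like any other query result.
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

try {
    $pdo = connectIbmi('MYIBMI', getenv('IBMI_USER') ?: '', getenv('IBMI_PASS') ?: '');
    print_r(callGetCustomer($pdo, 1001));
} catch (PDOException $e) {
    // Development only: the message carries driver and SQLSTATE detail.
    // In production, log it server-side and show the user a generic error.
    error_log($e->getMessage());
    echo "Database error\n";
}
```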


Make sure to enable SSL so the SQL statements you send are encrypted in transit.


Windows

Run C:\Windows\SysWOW64\odbcad32.exe, edit the connection options and make sure SSL is selected (or that IBM i Navigator is defaulted to SSL).

Linux

Set up stunnel.

The guide is here, under section 2.6, “Encrypt the connection with Secure Sockets Layer”.

Other References:
Windows: http://www-03.ibm.com/systems/power/software/i/access/windows.html
Linux: http://www-03.ibm.com/systems/power/software/i/access/linux.html


Protecting against Session Fixation in PHP on IBMi

After logging a user into your system you should invalidate the previous session identifier so an attacker doesn’t have the chance to steal an authenticated session id. In PHP the PHPSESSID cookie is our session identifier and it should be changed after logging in. It’s as easy as calling session_regenerate_id(), which will change your PHPSESSID to a different value.

If you don’t change the session identifier, an attacker may set the user’s PHPSESSID cookie to a value they know; after the user authenticates, the attacker can then perform any action your application allows for authenticated users.
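An added example of the login flow described above (my code, not the post’s). The checkCredentials() function is a hypothetical placeholder for your own user lookup; the cookie flags are set with the array form of session_set_cookie_params(), which needs PHP 7.3 or later.

```php
<?php
// Added example, not the post's own code. checkCredentials() is a
// placeholder; replace it with your real lookup (e.g. password_verify()
// against a hash stored in DB2).
declare(strict_types=1);

// Cookie hardening must happen before the session starts (PHP 7.3+ form).
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();

function checkCredentials(string $user, string $password): ?string
{
    // Hypothetical stand-in for the real credential check.
    return ($user === 'demo' && $password === 'demo-password') ? 'demo' : null;
}

function loginUser(string $userId): void
{
    // Issue a fresh PHPSESSID and delete the old session file (true), so a
    // session id an attacker planted before login is worthless afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id']  = $userId;
    $_SESSION['login_at'] = time();
}

$userId = checkCredentials($_POST['user'] ?? '', $_POST['password'] ?? '');
if ($userId === null) {
    http_response_code(401);
    echo 'Login failed';
    exit;
}
loginUser($userId);
echo 'Logged in as ' . htmlspecialchars($userId, ENT_QUOTES, 'UTF-8');
```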

Protecting against SQL Injection in PHP and DB2 on IBM i

With many IBM i developers new to PHP, SQL and the web environment, it’s important to cover a common mistake people make: concatenating a value from $_REQUEST, $_GET or $_POST into their SQL statement string. This opens up the possibility of a SQL injection, which lets someone retrieve other data, bypass certain logic by making the statement always true, or worse (dropping a table, altering data, anything you can do in SQL). Below is how you can use a prepared SQL statement to safely execute SQL.
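The post’s snippet is not in the archive, so here is an added example (my code, not the post’s) showing the concatenation mistake next to the prepared-statement fix, plus the one case a bound parameter cannot cover: a column name used for sorting. It assumes a System DSN named MYIBMI and a hypothetical table MYLIB.CUSTOMERS(CUSTNO, NAME, CITY).

```php
<?php
// Added example, not the post's own code. Assumes DSN "MYIBMI" and a
// hypothetical table MYLIB.CUSTOMERS(CUSTNO, NAME, CITY).
declare(strict_types=1);

$pdo = new PDO('odbc:MYIBMI', getenv('IBMI_USER') ?: '', getenv('IBMI_PASS') ?: '');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// VULNERABLE: the request value becomes part of the SQL text, so a value
// containing a quote can close the literal and append its own conditions.
function findByCityUnsafe(PDO $pdo, string $city): array
{
    $sql = "SELECT CUSTNO, NAME FROM MYLIB.CUSTOMERS WHERE CITY = '" . $city . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: the value travels as a bound parameter and is never parsed as SQL.
function findByCity(PDO $pdo, string $city): array
{
    $stmt = $pdo->prepare('SELECT CUSTNO, NAME FROM MYLIB.CUSTOMERS WHERE CITY = :city');
    $stmt->bindValue(':city', $city, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Identifiers (column names in ORDER BY) cannot be bound; allow-list them
// and fall back to a fixed default for anything else.
function findByCitySorted(PDO $pdo, string $city, string $sortBy): array
{
    $allowed = ['CUSTNO', 'NAME'];
    if (!in_array($sortBy, $allowed, true)) {
        $sortBy = 'CUSTNO';
    }
    $stmt = $pdo->prepare("SELECT CUSTNO, NAME FROM MYLIB.CUSTOMERS WHERE CITY = ? ORDER BY $sortBy");
    $stmt->execute([$city]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

print_r(findByCitySorted($pdo, $_GET['city'] ?? '', $_GET['sort'] ?? 'CUSTNO'));
```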

Cross-Site Request Forgery (CSRF) Prevention in PHP

Below is an example of how to prevent cross-site request forgery in PHP. Basically you create a form token tied to the user’s session. When the form is submitted we verify that the request carries a token and that it’s the token we issued to the user. If it’s not, we don’t process the form and echo out an error message.
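The example itself did not survive the archive, so here is an added one (my code, not the post’s): a per-session token generated with random_bytes(), embedded in the form, and checked with hash_equals() so the comparison runs in constant time. It assumes the script is both the form page and its POST handler.

```php
<?php
// Added example, not the post's own code. One script serves the form and
// handles its submission; session_start() must run before any output.
declare(strict_types=1);

session_start();

/** Issue (or reuse) the session's token; random_bytes() is CSPRNG-backed. */
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** True only if a token was submitted and it matches the issued one. */
function csrfCheck($submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return $expected !== '' && is_string($submitted)
        && hash_equals($expected, $submitted);   // constant-time compare
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfCheck($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        echo 'Invalid form token; the request was not processed.';
        exit;
    }
    // ... process the trusted form submission here ...
    echo 'Form accepted';
    exit;
}

$token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
echo <<<HTML
<form method="post" action="">
  <input type="hidden" name="csrf_token" value="$token">
  <input type="text" name="comment">
  <button type="submit">Send</button>
</form>
HTML;
```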

Defending against Click-jacking and UI redress attacks in PHP and HTML

Below is a small snippet on how you can defend against click-jacking and UI redress attacks using the X-Frame-Options response header, for browsers that support it. It also has CSS and JavaScript that block the page from being shown unless it is the top page. If you’re not familiar with click-jacking, the attacker basically embeds an invisible layer on top of the visible layer of a webpage. This invisible layer takes the user’s clicks and entered information and can do malicious things with them: they could have you enter the information into an input box that sits one layer above the real input box, make you follow someone on Twitter, like a Facebook page, click a Google ad, etc.
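Since the snippet is missing from the archive, here is an added version (my code, not the post’s) with the header plus the CSS/JavaScript fallback; it also sends the CSP frame-ancestors directive, which current browsers honour in place of X-Frame-Options.

```php
<?php
// Added example, not the post's own code. Headers go out before any
// output; the CSS/JS is the fallback for browsers that ignore them.
declare(strict_types=1);

header('X-Frame-Options: DENY');
// Modern equivalent; browsers that support CSP prefer it over the above.
header("Content-Security-Policy: frame-ancestors 'none'");

echo <<<'HTML'
<!DOCTYPE html>
<html>
<head>
  <!-- Keep the page hidden until the script proves we are the top window. -->
  <style>html { display: none; }</style>
  <script>
    if (self === top) {
      document.documentElement.style.display = 'block';
    } else {
      // We are inside someone else's frame: navigate the top window to us.
      top.location = self.location;
    }
  </script>
</head>
<body>
  <h1>Protected page</h1>
</body>
</html>
HTML;
```

When the header is honoured the browser refuses to render the frame at all and the script never runs; the CSS/JS only matters where the header is ignored.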

Who is Rogue Wave Software?

Well, that’s the first question that came to my head when I found out they were going to acquire Zend. Below are some links to dive deeper into understanding what they do and offer. They look like a really good fit for PHP’s future and high-performance computing.

Website: http://www.roguewave.com/

Wiki: https://en.wikipedia.org/wiki/Rogue_Wave_Software

Crunchbase: https://www.crunchbase.com/organization/rogue-wave-software#/entity

Andi Gutmans’ LinkedIn message: https://www.linkedin.com/pulse/big-news-enterprise-php-andi-gutmans

Acquisitions

Klocwork – a tool that helps “developers create more secure and reliable software by analysing source code on-the-fly, simplifying peer code reviews, and extending the life of complex software.” – https://en.wikipedia.org/wiki/Klocwork
IBM’s ILOG Visualization for C++ Products – http://www.roguewave.com/company/news/2012/rogue-wave-software-acquires-ilog-visualization
Acumem – “performance tuning tools for single- and multi-threaded applications” – http://www.theregister.co.uk/2010/10/04/rogue_wave_acumem/
TotalView Debugger – insight into debugging high-performance computing (HPC) and supercomputing applications – http://www.roguewave.com/products-services/totalview
Visual Numerics – advanced analytics software

Zend Acquisition PR

Geek Time’s Article