Linux quick tips – setting time on Virtual Machine

There are several good reasons why I abandoned solutions such as XAMPP long time ago (more on that in some other post). I now use Debian and Ubuntu virtual machines as my development servers. I use VMware Workstation as my platform and no, I don’t use Vagrant. This setup works great, but it has one particularly annoying drawback.

Each time you put your (host) computer to sleep and turn it back again, the clock on your Linux server will stay on the time it was set when you powered down. It will simply “unfreezes” when you turn on your computer. VMware is supposed to have solution for this – VMware tools works great on Windows virtual machines, but for some reason that solution does not work for Debian and Ubuntu.

Having to run a command such as:

1
sudo date -s "2015-09-30 21:04"

each time you power on your computer is simply unthinkable and so is this:

1
sudo ntpdate pool.ntp.org 

although there is a bit less typing. Once you’ve installed ntpdate you can put the previous command in a script (yes, together with “sudo”) and run that each time, but even that is too tedious. Most of us developers are too lazy for that.

There is one solution that is not too hard. When Bash shell is started, that is when you log on to your Linux server, several scripts are executed, among which are ~/.bash_profile, ~/.bash_login and ~/.profile. The last one is not executed if one of the first two is present in your home folder. Any one of those three is a good place for the “sudo ntpdate pool.ntp.org” command.

There are of course some more advanced, fully automated solutions, such as installing NTP daemon on the Linux server, or querying the Windows host machine via SAMBA, but for me the described solution works. The only downside is having to type in the password twice when logging on (once for logon and once for sudo), but I can live with that (for now).

Read More

Using PHP’s built-in server from other computers

In PHP version 5.4 built in web server was introduced. This cool feature enables serving of PHP, HTML and other files without having a web server installed. It is simple and straightforward to use, just type

1
php -S localhost:8000

8000 here is a port number, you can choose any port that is available on your system. After running this command, you will be able to access this server only from your local machine, it won’t be accessible over network.

The intended usage of this feature is for demonstration and development. It’s not intended to be used in production. Most of the people use it only on their own machines, that is on machines which they use of development and this is probably why most books and tutorials only mention the above given command.

However, there might be a need to be able to access this server from other computers on the network and it is possible to do that as well. You just need to replace ‘localhost’ with the IP address of your network interface, or use ‘0.0.0.0’ to listen on all available networks. So, the command is:

1
php -S 0.0.0.0:8000

For more information see the manual.

Read More

Codeigniter – better way to load views

Codeigniter is great framework, but sometimes it feels like you have to do more work than it would be necessary. For example, loading views at first seems easy and straight forward.

1
$this->load->view('view_file', $data);

However, in a real world project you would rarely use only one view file, each controller would probably have to load views in multiple functions and there would be several controllers. It’s obvious we need something better.

The solution is easy, we need to define a method for loading views and put it in a base class that our controllers would extend. In Codeigniter this is done by creating My_Controller.php file and placing it in application/core/ directory. Our controllers can now extend MY_Controller instead of CI_Controller. All of these names are case sensitive. So, this is how this method looks like:

1
2
3
4
5
6
7
8
9
10
11
12
protected function loadViews($template, $data = null){
        if(!isset($data)){
            $data = $this->_viewData;
        }
        if(!isset($data['urls'])){
            $data = array_merge($this->_viewData, $data);
        }
        $this->load->view('common/header',$data);
        $this->load->view('common/navbar',$data);
        $this->load->view($template, $data);
        $this->load->view('common/footer', $data);
    }

loadViews() method doesn’t need to be public, so making it protected is the best choice. Note that I wasn’t following the Codeigniter naming convention here. All method names are written with underscores, I chose camel case deliberately to make my code distinct, you can make your own choices here.

Whenever we need to load views in our controllers we would simply type:

1
$this->loadViews('view_file', $data);

Now you might be wondering about $_viewData property. Here’s the whole MY_Controller file that I use in my projects:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
class MY_Controller extends CI_Controller {

    protected $_viewData = array();    //holds data that is being passed to view files, read from config file

    public function __construct(){
        parent::__construct();
        $this->config->load('my_config', TRUE);    //my_config is my custom configuration file
        $this->setViewData();
    }

    private function setViewData(){
        $this->_viewData = $this->config->item('my_config');
    }  

        /**
        *    Loads views
        *
        *    @param string $template Name of the template file
        *    @param array $data Data array that is being passed to the views
        */

    protected function loadViews($template, $data = null){
        if(!isset($data)){
                        //if no data is passed, use only $_viewData
            $data = $this->_viewData;
        }
        if(!isset($data['urls'])){
                        //some data is passed, but this is not whole $_viewData array from the config file
                        //$data['urls'] is something I always have in my configuration files
            $data = array_merge($this->_viewData, $data);
        }
        $this->load->view('common/header',$data);
        $this->load->view('common/navbar',$data);
        $this->load->view($template, $data);
        $this->load->view('common/footer', $data);
    }

I use a configuration file to hold basic data such as navigation links, links to files, etc. I load this into MY_Controller and pass that array to views, so whenever I load views I have the same basic set of data, plus the data necessary for the current view. I also have a choice of calling loadViews() in my controllers without passing any data, passing only the data I need for the one specific view, or passing all of the (view) data. Controllers can, of course, override loadViews() method if that is necessary.

Codeigniter is very flexible and people are using it in many different ways. I’d just like to know how many other developers have come up with the same approach as I did.

Read More

Linux quick tips – grep with color

Grep is tremendously useful utility for searching for text strings in files. It is one of those tools which once you learn how to use, you wonder how did you ever managed without it. However, grep can do more than just display the desired output, it can display it with colors. This may sound trivial, but depending on what you search, you can end up with a lot of content crammed up in your terminal window with no line breaks or indentation to help you read the text.

So, to make the output more readable, simply add –color option.

If you like this option so much that you start using it every time and like most people you don’t feel any pleasure in pounding your keyboard unnecessarily, you can add this alias to your ~/.bashrc (that is the .bashrc in your home directory):

1
alias grep='grep --color=auto'

Some Linux distributions (like Debian) already have this line, but it is commented. After you edit your .bashrc file you will need to log off and log in back again to activate these changes.

Read More

More about passwords

In my previous post I said that proper password hashing is not harder to code than MD5 and here I’m going to demonstrate that. Here’s how it works:

 

1
2
3
4
5
6
7
8
9
10
11
//calculate hash from cleartext $password
$hash = password_hash($password, PASSWORD_BCRYPT, array('cost' => 12));
//now store it in database

//when registered user wants to log in
if(password_verify($password, $hash){
    //OK, password is valid
}
else{
    //wrong password
}

This is it in its simplest form. The second argument here specifies the algorithm used. PASSWORD_DEFAULT uses bcrypt and it will change over time, so the hash string length might change. PASSWORD_BCRYPT uses CRYPT_BLOWFISH and it will always produce 60 character long hash, however it will only process first 72 characters of the input and discard the rest. Optional third argument specifies salt and cost. If salt is omitted, random salt will be generated and stored in the hash string. This is intended mode of usage. The beauty of password_hash() is that it stores algorithm and cost in the hash, so you don’t have to worry about these things when you are using password_verify()

Cost is more interesting option, it specifies the cost in terms of CPU cycles needed to calculate the hash. Values must be in range of 04-31 and this is logarithmic (base 2) scale, meaning that each step is 2 times slower (as you go up) or slower (as you go down). Default value for cost is 10, which is good baseline value, but you should experiment with your server to see what suits you. Here’s a simple benchmark test:

1
2
3
4
5
$start = microtime(true);
$hash = password_hash('test', PASSWORD_BCRYPT, array('cost' => 11));
$end = microtime(true);
$time = $end - $start;
echo "Elapsed time: $time\n";

I also spoke of password entropy. Entropy is a measure of password strength expressed as base 2 logarithm of the number of guesses it would take to break the password. For example 30 bit password has 230 possible combinations. So, how do you calculate this, most calculators don’t base 2 log and how do you calculate password strength in the first place?

Password strength is calculated as the number of characters in the character set used raised to the power of password length. So, if we use password with 8 characters and it has lowercase letters and numbers, password strength is (26+10)8. This is theoretical value assuming that the password is random, which is never the case, but that’s another story. Base 2 log of number N is easily calculated by using base 10 log or natural logarithm (ln) like this: log10(N)/log10(2), or ln(N)/ln(2).

And finally, here’s snippet of jQuery code I use on my Numbers Relay Page to calculate password strength on registration. This gives only an approximate value.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
var password = $('#regPassword').val(); //grab password from the form
var chBase = 0; //initialize counter to 0
if(password.match(/[a-z]/g)){
    chBase += 26; //if password contains lowercase letters increase counter by 26
}
if(password.match(/[A-Z]/g)){
    chBase += 26;  //the same for uppercase letters
}
if(password.match(/[0-9]/g)){
    chBase += 10; //digits
}
if(password.match(/[^a-zA-Z0-9]/g)){
    chBase += 32;  //standard US keyboard has 32 non-alphanumeric characters
}

var entropy = Math.round(Math.log(Math.pow(chBase, password.length)) / Math.log(2));

If you want to find out more about this topic I suggest you start with an excellent Wikipedia article.

Read More

Hashing passwords properly

Hopefully everyone knows that storing passwords in plain text is very bad idea. That one should be obvious. What’s not so obvious is that not all hashing algorithms are safe.

One of the least safe and unfortunately the most widely used is MD5. SHA1, although in theory a little safer is just as bad. The problem with these algorithms is that they are fast, they are designed that way, but unfortunately many books and tutorials still use them. For example, an average computer with fast GPU could crack about 8 billion MD5 hashes or 3 billion SHA1 hashes each second. To put this into perspective, a 6 character password made of random letters, single case, has about 300 million possible combinations.

There are techniques used to make these insecure algorithms more secure. Adding salt for example is good protection against rainbow tables, but it does little to protect against brute force attacks. Key stretching and peppering appear to be better, but in the field of security appearances are not good enough. As Bruce Schneier said:

“Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that he himself can’t break.”

Reinventing the wheel is bad, especially in cryptography. Hash functions were designed for signing and they are designed to be fast. Implementing them for hashing passwords is therefore bad idea even if peppering is applied. GPU attacks are one of the reasons for this, they can calculate hashes fast, but they are not effective with bcrypt.

To store passwords securely, use Password Hashing API. It is available since PHP 5.5 and it’s easy to use. Bare in mind that the 60 character long hash string may expand in future and that manually specifying salt will be deprecated in PHP 7.0.

Now, why is this so important? You might be thinking that your database is secure and that by imposing password length and complexity requirements, you made your users use secure passwords. The problem is that no database is perfectly safe and more importantly – we humans can’t generate secure passwords. Even something like a passphrase made of 5 random words has only 30 bits of entropy which is really insecure. And finally, if you are thinking that you don’t have to worry about your users’ passwords being cracked because your web service is not very important, think again. Password reuse is a big problem, many of your users will be using the same password for their email and other important accounts.

Read More

Introduction

This blog is going to be devoted to PHP and other Web Development technologies. There are two main reasons why I decided to start it. First of all, I learned a great deal from various sites and forums, possibly more than from books. I hope I can give something back. My second reason for starting this blog is to help myself to keep better organized notes.

So, you can expect to find articles about PHP, MySQL/Sqlite, Codeigniter, Git, Linux, HTML, CSS, Less, Bootsrap, Javascript, jQuery and more.

Read More