Last night I read an article exposing a vulnerability in timthumb, an image resizing script bundled with many WordPress themes.
More details can be found here http://markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/
Summary from Mark Maunder:
An image resizing utility called timthumb.php is widely used by many WordPress themes. Google shows over 39 million results for the script name. If your WordPress theme is bundled with an unmodified timthumb.php as many commercial and free themes are, then you should immediately either remove it or edit it and set the $allowedSites array to be empty. The utility only does a partial match on hostnames allowing hackers to upload and execute arbitrary PHP code in your timthumb cache directory. I haven’t audited the rest of the code, so this may or may not fix all vulnerabilities. Also recursively grep your WordPress directory and subdirs for the base64_decode function and look out for long encoded strings to check if you’ve been compromised.
Today, remembering this, I ran a search across the 90 websites hosted on the webserver we use in the office (only 4 or 5 are WordPress installations) and was surprised to find that we were using a theme with timthumb in it!
The command to find all files named timthumb.php in subdirectories of the current directory on Linux is
find . -name 'timthumb.php'
It turned up for us in a theme we had recently modified to suit a new client. The theme is Athena. Athena's author is on holiday at the moment, but I have emailed to ask them to update the bundled timthumb to the latest version so that no one else is vulnerable in this way.
Timthumb's author has already released a patched version, after the vulnerability was exploited.
After finding any timthumb.php copies, the quick fix is to locate the array named $allowedSites and remove every entry from it, leaving it empty. The hole is that the check against $allowedSites is only a partial match on the requested hostname, so a host that merely contains an allowed site's name is treated as trusted. With no allowed sites at all, an unauthenticated visitor can no longer get timthumb to fetch a remote file into its cache directory, where it could be executed as PHP. Bear in mind that this also stops timthumb fetching legitimate remote images, and that it addresses only this one issue, so updating to the patched release is still the right fix.
Incidents like this really highlight the risk you take on with third-party code, however justified using it is.
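As an added illustration (not timthumb's own code, and not from Mark Maunder's post), the snippet below shows the class of check he describes, a partial match on the hostname, next to a strict alternative, and what an empty $allowedSites does. The allowed-site list and the request URLs are constructed examples; the attacker-style hostnames are made up for the demonstration.

```php
<?php
// Added illustration of the hostname-matching flaw discussed above. This is
// not timthumb's code: it shows the class of check (a partial match on the
// hostname) next to a strict one. All hostnames here are constructed examples.

// Partial match: any host that merely *contains* an allowed site name passes,
// so an attacker-controlled host with "blogger.com" embedded in it is trusted.
function hostAllowedPartial(string $host, array $allowedSites): bool
{
    foreach ($allowedSites as $site) {
        if (strpos(strtolower($host), strtolower($site)) !== false) {
            return true;
        }
    }
    return false;
}

// Strict match: the host must equal an allowed site exactly, or be a
// subdomain of it (end with ".site"). Nothing else passes.
function hostAllowedStrict(string $host, array $allowedSites): bool
{
    $host = strtolower(rtrim($host, '.'));
    foreach ($allowedSites as $site) {
        $site = strtolower($site);
        if ($host === $site) {
            return true;
        }
        $suffix = '.' . $site;
        if (strlen($host) > strlen($suffix) && substr($host, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

// Decide whether a requested remote image URL may be fetched at all. With an
// empty $allowedSites (the quick fix described above) every remote URL is
// refused, which is why emptying the array closes the hole.
function remoteUrlAllowed(string $url, array $allowedSites): bool
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])
        || !in_array($parts['scheme'] ?? '', ['http', 'https'], true)) {
        return false;
    }
    return hostAllowedStrict($parts['host'], $allowedSites);
}

$allowedSites = ['flickr.com', 'blogger.com'];   // example allow-list, constructed

$requests = [                                    // constructed request URLs
    'http://farm1.static.flickr.com/123/photo.jpg',   // legitimate subdomain
    'http://blogger.com/img.png',                     // exact allowed host
    'http://blogger.com.attacker.example/shell.php',  // attacker host *containing* an allowed name
    'http://notblogger.com/shell.php',                // allowed name as a trailing substring
];

foreach ($requests as $url) {
    $host = parse_url($url, PHP_URL_HOST);
    printf("%-48s partial=%-3s strict=%-3s empty-list=%s\n",
        $url,
        hostAllowedPartial($host, $allowedSites) ? 'yes' : 'no',
        hostAllowedStrict($host, $allowedSites) ? 'yes' : 'no',
        remoteUrlAllowed($url, []) ? 'yes' : 'no');
}
```

The partial check accepts the last two URLs; the strict check accepts only the first two; with an empty list nothing remote is fetched at all, which is the trade-off the quick fix makes until the patched release is installed.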
Inspired by http://www.thecolourclock.co.uk/ – I decided to quickly make the CSS3 Javascript HTML5 OMG WTF BBQ version, it can be found here: http://d62.net/demos/js/hex_clock.html
View source on that page for the full detail. Basically, repeated calls to setTimeout update the background colour of the body tag from the current time: the hours, minutes and seconds are each padded to two digits (15:06:10 at the time of writing) and concatenated to form the hex colour value #150610.
Not being a designer, I had to find a way to add more options to the header of a client’s internal case management system.
I found this and implemented it easily: http://www.jankoatwarpspeed.com/post/2009/01/19/Create-Vimeo-like-top-navigation.aspx
The example given requires no JavaScript. I've extended it with the jQuery excerpt below to improve the search functionality:
$(function(){
    // Highlight the chosen search type and remember it on the search field.
    $('.searchType').click(function(){
        $('.searchType').removeClass('activeSearch');
        $(this).addClass('activeSearch');
        $('#searchField').attr('search_type', $(this).attr('search_type'));
    });
    // Return key in the field triggers the search button.
    $('#searchField').bind('keypress', function(e) {
        if (e.keyCode === 13) {
            e.preventDefault();
            $('#searchClick').click();
        }
    });
    $('#searchClick').click(function(){
        var $search_field = $('#searchField');
        // URL-encode the term: it ends up in the path, so a "/" or "#" typed
        // by the user must not be able to change the route.
        var val  = encodeURIComponent($search_field.val());
        var type = $search_field.attr('search_type');
        if (type === 'finance') {
            document.location = '/invoiceSearch/q=' + val;
        } else if (type === 'fnol') {
            document.location = '/fnolSearch/q=' + val;
        } else {
            document.location = '/claimSearch/q=' + val;
        }
    });
});
This highlights the selected search type. I replaced the checkboxes with labels carrying an attribute named 'search_type', which determines which search module is used when the search is submitted. Whatever the user types ends up in the URL path, so the term should be URL-encoded before redirecting.
The search field also accepts the return key to submit it, letting power users keep their hands on the keyboard!
Before:

After:

Shortly before the end of 2010 I set some goals for this year. My first goal deadline is April. My original aims were:
- Deadlift 200kg (from 175kg)
- Squat 160kg (from 130kg)
- Bench 120kg (from 100kg)
Because I hadn't done these lifts consistently enough before, I underestimated how much I could improve through technique improvements alone.
I’ve increased these targets to the following:
- Deadlift 210kg
- Squat 160kg
- Bench 130kg
My current personal bests are:
- Deadlift 200kg
- Squat 135kg
- Bench 120kg
With 2 months to go, my squat progress is very poor compared to everything else, so this will be my focus for February.
One thing about the 10kg increase in my bench is that it finally puts me at a > 1000lb total (1001lb to be precise!). That's pretty weak for a 230lb guy, but hopefully I can continue increasing steadily to get to 1100 by April and 1250 by 2012. Maybe by then I will have the confidence to compete?
Recently I came across a post by Rick Vause demonstrating a simple method for syncing your financial data from Sage up onto your webserver. There are plenty of uses for this; most often it is needed to show live stock and financial data in a web application.
I say simple, because the concept really is obvious once you read the code.
His post is here: sagetomysql
The process is easy to understand:
- Setup a DSN to the sage data, using the sage tool.
- Write a PHP script to connect to the DSN using PHP’s ODBC
- Add a MySQL connection to your PHP script.
- Tell ODBC which table you want to copy across
- Loop through the field names and field types with PHP’s odbc_field_name and odbc_field_type
- Allow the PHP script to create the duplicate table in your MySQL database.
- Copy the data across using php, updating records if this is not the first run
This script works fine for a single table, but it can be improved using odbc_tables(). That removes the need to specify the Sage table name and gets all of the data online in one go: odbc_tables() lets us loop through every table in the Sage data source and pull each one into our database.
I’ve made the required modifications to Rick’s script and uploaded it here:
http://d62.net/demos/php/sage_to_mysql.phps
It’s currently untested, but I will be using it in some projects soon, so any required updates will be made then.
It's worth noting that, thanks to PHP's broad database support, the script could be converted to any of the supported databases just by changing some of the function names used and checking the CREATE TABLE syntax for the target.
With some small modifications to use PEAR's Spreadsheet_Excel_Writer it could even dump all of the data to an Excel file. Not very practical, but cool to know it can be done.
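As an added example, not Rick's script nor the uploaded sage_to_mysql.phps, here is how the odbc_tables() loop fits together with the steps listed above. The DSN name, the MySQL database and the credentials are assumptions. It differs from the procedure described in two ways: each table is refreshed in full inside a transaction instead of updating individual records (which would require knowing every Sage table's key), and identifiers read from the ODBC metadata are checked against a strict pattern before being placed in SQL, while row values go through a prepared statement.

```php
<?php
// Added example, not Rick Vause's script nor the author's sage_to_mysql.phps:
// mirrors every table the ODBC data source exposes into MySQL using
// odbc_tables(). DSN name, MySQL database and credentials are assumptions.

$odbc = odbc_connect('SageLine50', 'manager', '');   // assumed DSN made with the Sage ODBC tool
if ($odbc === false) {
    die('ODBC connection failed: ' . odbc_errormsg());
}
$mysql = new PDO('mysql:host=localhost;dbname=sage_mirror;charset=utf8mb4',
    'sage_sync', 'change-me', [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

// Table and column names come from the source's metadata, not from literals
// in this file, so they are checked before being placed in any SQL.
function checkIdent(string $name): string
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]{0,63}$/', $name)) {
        throw new RuntimeException("Refusing unexpected identifier '$name'");
    }
    return $name;
}

// Rough mapping from the names odbc_field_type() reports to MySQL types;
// anything unrecognised is stored as TEXT so no data is lost.
function mysqlType(string $odbcType, int $length): string
{
    $t = strtoupper($odbcType);
    if (in_array($t, ['INTEGER', 'SMALLINT', 'TINYINT', 'BIGINT', 'BIT'], true)) {
        return 'BIGINT';
    }
    if (in_array($t, ['DOUBLE', 'FLOAT', 'REAL', 'NUMERIC', 'DECIMAL', 'CURRENCY'], true)) {
        return 'DOUBLE';
    }
    if (in_array($t, ['DATE', 'TIME', 'TIMESTAMP', 'DATETIME'], true)) {
        return 'DATETIME';
    }
    if (in_array($t, ['CHAR', 'VARCHAR'], true) && $length > 0 && $length <= 255) {
        return "VARCHAR($length)";
    }
    return 'TEXT';
}

$tables = odbc_tables($odbc);
while (odbc_fetch_row($tables)) {
    if (odbc_result($tables, 'TABLE_TYPE') !== 'TABLE') {
        continue;                                   // skip views and system tables
    }
    $table = checkIdent(odbc_result($tables, 'TABLE_NAME'));
    $rows  = odbc_exec($odbc, "SELECT * FROM $table");
    if ($rows === false) {
        fwrite(STDERR, "Skipping $table: " . odbc_errormsg($odbc) . "\n");
        continue;
    }

    // Build the CREATE TABLE from the result set's field names and types
    // (odbc field indexes are 1-based).
    $columns = [];
    $count   = odbc_num_fields($rows);
    for ($i = 1; $i <= $count; $i++) {
        $name      = checkIdent(odbc_field_name($rows, $i));
        $columns[] = "`$name` " . mysqlType(odbc_field_type($rows, $i), odbc_field_len($rows, $i));
    }
    // DDL commits implicitly in MySQL, so create the table before the transaction.
    $mysql->exec("CREATE TABLE IF NOT EXISTS `$table` (" . implode(', ', $columns) . ')');

    // Refresh the mirror atomically: readers see the old copy until commit.
    $mysql->beginTransaction();
    $mysql->exec("DELETE FROM `$table`");
    $placeholders = implode(', ', array_fill(0, $count, '?'));
    $insert = $mysql->prepare("INSERT INTO `$table` VALUES ($placeholders)");
    while (odbc_fetch_into($rows, $row)) {
        $insert->execute(array_values($row));      // values never touch the SQL string
    }
    $mysql->commit();
    echo "Copied $table\n";
}
odbc_close($odbc);
```

Run it from a scheduled task on the machine that holds the Sage DSN, keep it outside the web root, and give the MySQL user only the rights it needs on the mirror database: once this runs, the web server holds a copy of your accounts data.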
Following yesterday's post on using a jQuery UI date picker in Yii forms, I'll demonstrate a similar method of obtaining a slider form input for the same scenario:
In my example I'm setting the value of employee_holiday_entitlement by dragging a slider.
<div>
    <?php echo $form->labelEx($model, 'employee_holiday_entitlement'); ?>
    <?php
    $this->widget('zii.widgets.jui.CJuiSliderInput', array(
        'name' => CHtml::activeName($model, 'employee_holiday_entitlement'),
        'value' => $model->attributes['employee_holiday_entitlement'],
        // additional javascript options for the slider plugin
        'options' => array(
            'min' => 0,
            'max' => 50,
            'change' => 'js:function(){
                $("#employee_holiday_entitlement_value").html($(this).slider("value"));
            }'
        ),
    ));
    ?>
    <?php // encode: on a failed validation the form re-renders whatever was posted ?>
    <span id="employee_holiday_entitlement_value"><?php echo CHtml::encode($model->attributes['employee_holiday_entitlement']); ?></span>
    <?php echo $form->error($model, 'employee_holiday_entitlement'); ?>
</div>
This adds a slider with a lower limit of 0 and an upper limit of 50. The “change” option is given a JavaScript callback that updates the span below the slider with the current value, so the user can see the number they've chosen. Note that min and max only constrain the slider in the browser; what is submitted is a plain form field, so the model's validation rules must enforce the range as well.
I found it pretty difficult to find a reference for how to integrate a jQuery UI date picker in with my CActiveForm view and model.
This is what I found to work correctly for datepicker, for the model field “dob_date”.
<div>
    <?php echo $form->labelEx($model, 'dob_date'); ?>
    <?php
    $this->widget('zii.widgets.jui.CJuiDatePicker', array(
        'name' => CHtml::activeName($model, 'dob_date'),
        'value' => $model->attributes['dob_date'],
    ));
    ?>
    <?php echo $form->error($model, 'dob_date'); ?>
</div>
You might need to wrap a formatting function around $model->attributes['dob_date'] to output it as dd/mm/YYYY if the attribute holds a timestamp, and set the picker's dateFormat option to match, so that the value it submits is in the format the model expects to parse.
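For both the slider and the date picker posts, the widget options only shape what the browser sends; a hand-edited POST can carry any value. The model rules below are an added example (not from the original posts) of enforcing the same limits server-side. The class name, the integer dob_date column and the other attributes are assumptions.

```php
<?php
// Added example, not from the original posts: server-side enforcement of
// the slider range and the date format shown in the views above. The class
// name and the assumption that dob_date is stored as an integer timestamp
// are mine.
class Employee extends CActiveRecord
{
    public function rules()
    {
        return array(
            // Same 0..50 range as the slider; a hand-edited POST value outside
            // it fails validation and is never saved.
            array('employee_holiday_entitlement', 'numerical',
                  'integerOnly' => true, 'min' => 0, 'max' => 50),
            // Same format the picker displays (jQuery UI dateFormat 'dd/mm/yy');
            // an unparseable date is rejected instead of being stored as-is.
            array('dob_date', 'required'),
            array('dob_date', 'date', 'format' => 'dd/MM/yyyy'),
        );
    }

    // Turn the validated dd/MM/yyyy string into a timestamp just before saving,
    // the reverse of the formatting needed when rendering the field.
    protected function beforeSave()
    {
        if (!parent::beforeSave()) {
            return false;
        }
        $ts = CDateTimeParser::parse($this->dob_date, 'dd/MM/yyyy');
        if ($ts === false) {
            $this->addError('dob_date', 'Date could not be parsed.');
            return false;
        }
        $this->dob_date = $ts;
        return true;
    }
}
```

Attributes without a rule are not massively assignable in Yii, so listing them here also decides which fields a form may set at all.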
Today I had to pull a number of datetime fields from MSSQL and update records in MySQL with them, using PHP.
The simplest way to convert the datetime field to a unix timestamp on the MSSQL side, ready for insertion into MySQL, was the following:
DATEDIFF(s, '19700101', ro_job_date) AS ro_job_date,
In this example the field was ro_job_date. Note the single quotes: in T-SQL, double quotes normally delimit identifiers, not strings.
19700101 is the 1st Jan 1970, the “unix epoch”. Two caveats: an MSSQL datetime carries no timezone, so the result is only a true unix timestamp if the stored values are UTC, and DATEDIFF returns a 32-bit int, so it errors for dates past January 2038 (DATEDIFF_BIG, on SQL Server 2016 and later, avoids that).
I didn't have to convert from a unix timestamp to an MSSQL datetime, but researching the above turned up this snippet for that:
SELECT DATEADD(s, unix_timestamp, '19700101')
where unix_timestamp is your timestamp field
I’ve been asked a few times how to replicate the expandable social media contacts effect from my contact info on the home page.

It’s a nice effect provided by jQuery and jQuery UI with some CSS bits.
The container for each icon is set to overflow:hidden with a default size of 32px – the same size as the social media icon.
This allows the expansion on hover to happen smoothly with element clipping instead of word-wrap or scrollbars.
While it could be packaged up to be more modular and slick, I've put it up as a commented demo here.
An important part of this simple script which is often overlooked is the “.stop()” call. It clears the element's pending animation queue before starting the new slide, which prevents the jumpy effect you get when rapid hovering leaves several slide animations queued up to play one after another.
For this example I’ve used the icons from here: http://theg-force.deviantart.com/art/Social-Icons-hand-drawned-109467069