A simple permanent (301) redirect using RedirectMatch in .htaccess

October 7th, 2009
RedirectMatch permanent /old-location/.* http://sub.domain.com


Using Uploadify with Zend Framework

August 30th, 2009

A quote from http://www.uploadify.com site.

Uploadify is a jQuery plugin that allows the easy integration of a multiple (or single) file uploads on your website.  It requires Flash and any backend development language.  An array of options allow for full customization for advanced users, but basic implementation is so easy that even coding novices can do it.

This article assumes that you've already read the Uploadify docs and tried to integrate it.

Everything is pretty simple; however, you need to overcome one obstacle with Flash and cookies.
For more on the Flash and cookies topic, go to http://swfupload.org/forum/generaldiscussion/383

My Solution:

This article can be downloaded (TXT format)

Here is how to use Uploadify.
I use a variable called "__tkn" in the URL to pass the session ID.
Some of you may try to use 'scriptData', which didn't work for me.

<script type="text/javascript">
jQuery(document).ready(function() {
    // A jQuery object is always truthy, so test .length to see whether the element exists
    if (jQuery("#upl_feed_file_progress").length) {
        jQuery("#upl_feed_file_progress").uploadify({
            'uploader': '/site/share/jquery/plugins/jquery.uploadify-v2.1.0/uploadify.swf',
            // 'cancelImg': '/site/share/jquery/plugins/jquery.uploadify-v2.1.0/images/cancel.png',
            // The session ID travels in the URL because Flash does not send the browser's cookies
            'script': '/mymodule/mycontroller/myaction/__tkn/<?php echo Zend_Session::getId(); ?>',
            'multi': false,
            'simUploadLimit': 1,
            'fileExt': '*.csv;*.txt',
            'fileDesc': 'Feed Files (*.csv;*.txt)',
            // 'fileDataName' : 'upl_feed_file', // in $_FILES
            // 'scriptData': {'PHPSESSID' : '<?php echo Zend_Session::getId(); ?>'}, // This didn't work for me.
            'height': 24,
            'auto': true,
            'onCancel' : function (event, queueID, fileObj, data) {
                alert('Error: You have cancelled the file upload.');
            },
            'onError' : function (event, queueID, fileObj, errorObj) {
                alert('Error during file upload. Maybe the file is too big? Size: ' + fileObj.size + ' Error: ' + errorObj.info());
            },
            'onComplete' : function (event, queueID, fileObj, response, data) {
                // The action returns 0 (or nothing) on failure and 1 on success
                if (response == '' || response == 0 || response == "0") {
                    alert('Error during the upload');
                } else {
                    // perf_error() is not defined in this post
                    perf_error('Success!');
                }
            }
        });
    }
});

</script>

This one goes in the template ..

....
<div id="upl_feed_file_progress">You have a problem with your javascript</div>
....

Insert this in the bootstrap (usually index.php) file.
It should be inserted before "Zend_Session::start();"

// ------------------------------------------ START -------------------------------------------

$sessName = "PHPSESSID";
$sessOptions = array('name' => $sessName);

// The Cookie header is missing entirely when Flash sends no cookies
$cookieHeader = isset($_SERVER["HTTP_COOKIE"]) ? $_SERVER["HTTP_COOKIE"] : '';

// Flash has problems with cookies so we pass the PHPSESSID variable via get
// it'll be injected if it doesn't exist in _SERVER["HTTP_COOKIE"] e.g. '; PHPSESSID=hdi5u83hfnu7ltlvp5q3bb53k4'
if ((stripos($_SERVER['REQUEST_URI'], '__tkn') !== false)
    //    && preg_match('#^[a-z\d]{25,30}$#si', $_GET[$sessName])
    && preg_match('#__tkn/([a-z\d]{25,30})#si', $_SERVER['REQUEST_URI'], $matches)
    && (stripos($cookieHeader, $matches[1]) === false)) {
    $sid = $matches[1];

    $prefix = '';
    if (!empty($cookieHeader)) {
        $prefix = '; ';
    }

    $_SERVER["HTTP_COOKIE"] = $cookieHeader . $prefix . $sessName . '=' . $sid;
    $_COOKIE[$sessName] = $sid;

    Zend_Session::setId($sid);
}

Zend_Session::setOptions($sessOptions);
// ------------------------------------------ END -------------------------------------------

Your 'myaction' (/mymodule/mycontroller/myaction) should return 0 or 1.

The following code should be useful.

$viewRenderer = Zend_Controller_Action_HelperBroker::getStaticHelper('viewRenderer');
$viewRenderer->setNoRender();

// Skipping the templates
Zend_Layout::getMvcInstance()->disableLayout();

Please share your thoughts.
Are there any security holes in this approach ?
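
On the closing question: with the session ID in the URL it is written to access logs, and the bootstrap adopts any well-formed ID from any request, which allows session fixation. The following is an added example, not code from the original post (PHP 7.1+; the function names and the token directory are hypothetical): it puts a random, single-use, short-lived token after `__tkn/` instead, which the bootstrap would redeem only for POST requests to the upload action before calling `Zend_Session::setId()`.

```php
<?php
// Added example, not the post's code. Function names and the token directory are hypothetical.

// Issue a random single-use token that maps to the session ID on the server side.
function issue_upload_token(string $sessionId, string $dir, int $ttl = 300): string
{
    $token  = bin2hex(random_bytes(32)); // 64 hex chars, unrelated to the session ID
    $record = json_encode(['sid' => $sessionId, 'exp' => time() + $ttl]);
    // The file is named after the token's hash, so listing the directory yields no usable tokens.
    if (file_put_contents($dir . '/' . hash('sha256', $token), $record, LOCK_EX) === false) {
        throw new RuntimeException('cannot store upload token');
    }
    return $token;
}

// Return the session ID for a valid token, or null. A token can be redeemed once.
function redeem_upload_token(string $token, string $dir, ?int $now = null): ?string
{
    if (!preg_match('/^[a-f0-9]{64}$/D', $token)) {
        return null; // strict format check before touching the filesystem
    }
    $path    = $dir . '/' . hash('sha256', $token);
    $claimed = $path . '.' . bin2hex(random_bytes(4));
    if (!@rename($path, $claimed)) {
        return null; // unknown token, or another request already claimed it
    }
    $rec = json_decode((string) file_get_contents($claimed), true);
    unlink($claimed);
    if (!is_array($rec) || !isset($rec['sid'], $rec['exp']) || $rec['exp'] < ($now ?? time())) {
        return null; // damaged record or expired token
    }
    return $rec['sid'];
}

// Constructed demo: the session ID is a sample value, the directory is a throwaway.
$dir = sys_get_temp_dir() . '/upl_tokens_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$token = issue_upload_token('hdi5u83hfnu7ltlvp5q3bb53k4', $dir);
var_dump(redeem_upload_token($token, $dir));            // first use
var_dump(redeem_upload_token($token, $dir));            // replay of the same token
$old = issue_upload_token('hdi5u83hfnu7ltlvp5q3bb53k4', $dir, 60);
var_dump(redeem_upload_token($old, $dir, time() + 61)); // redeemed after its lifetime
rmdir($dir);
```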



Quick ‘n’ Dirty Way to Debug without showing debug info to your visitors.

August 27th, 2009

Sometimes we are required to do some troubleshooting on a production site.
In order to do that *safely* we'll show debug information only for us.
This could be put into a safe_debug function for later use by the way.
On development/staging servers I recommend installing debuggers such as Zend Debugger, xdebug etc and enabling errors (E_ALL).

if ($_SERVER['REMOTE_ADDR'] == '1.2.3.4' || preg_match('#^192\.#', $_SERVER['REMOTE_ADDR'])) {
    echo "Dev dump";
    echo "<pre>";
    var_dump($params);
    echo "</pre>";
    echo __FILE__ . ':' . __LINE__;
}

Of course, one should be extra careful with opening and closing PHP tags, otherwise this will produce fatal errors.

Happy debugging!
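
The pattern `^192\.` above matches every address in 192.0.0.0/8, which includes public ranges, not only 192.168.0.0/16. The following is an added example, not code from the original post, of the safe_debug function mentioned earlier with exact CIDR matching and an HTML-escaped dump; `ip_in_cidr()` and `safe_debug()` are hypothetical names, and it assumes REMOTE_ADDR is the real client address (no reverse proxy in front).

```php
<?php
// Added example, not the post's code. ip_in_cidr() and safe_debug() are hypothetical names.

// True if $ip lies inside $cidr (IPv4 or IPv6), compared on the binary form of the address.
function ip_in_cidr(string $ip, string $cidr): bool
{
    $parts  = explode('/', $cidr, 2);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($parts[0]);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // malformed input or mixed address families
    }
    $max  = strlen($ipBin) * 8;
    $bits = $parts[1] ?? (string) $max; // no prefix length means an exact match
    if (!ctype_digit($bits) || (int) $bits > $max) {
        return false; // reject "/abc", "/" and out-of-range prefix lengths
    }
    $bytes = intdiv((int) $bits, 8);
    $rem   = (int) $bits % 8;
    if (substr($ipBin, 0, $bytes) !== substr($netBin, 0, $bytes)) {
        return false;
    }
    if ($rem === 0) {
        return true;
    }
    // Compare the remaining high bits of the first partially covered byte.
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($ipBin[$bytes]) & $mask) === (ord($netBin[$bytes]) & $mask);
}

// Returns an HTML-escaped dump for allowed clients and an empty string for everyone else.
function safe_debug($value, string $remoteAddr, array $allowedCidrs): string
{
    foreach ($allowedCidrs as $cidr) {
        if (ip_in_cidr($remoteAddr, $cidr)) {
            $dump = htmlspecialchars(var_export($value, true), ENT_QUOTES, 'UTF-8');
            return "Dev dump<pre>{$dump}</pre>";
        }
    }
    return '';
}

// Constructed demo values: 192.0.2.55 starts with "192." but is not a private address.
$allowed = ['1.2.3.4/32', '192.168.0.0/16'];
$params  = ['q' => '<b>test</b>'];
echo safe_debug($params, '192.168.1.20', $allowed), "\n";
echo safe_debug($params, '192.0.2.55', $allowed), "\n";
```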

How to (always) get your server’s IP address

August 25th, 2009

Here is how to (always) get your server's IP address. Works on Unix/Linux.

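<?php
if (empty($_SERVER['SERVER_ADDR'])) {
    // SERVER_ADDR is not set, so resolve the machine's own host name instead.
    // trim() removes the trailing newline that `hostname -f` prints.
    $server_host = trim((string) shell_exec('hostname -f'));
    $server_ip = (string) shell_exec('host ' . escapeshellarg($server_host));

    // Take the first dotted-quad address from the output of `host`
    if (preg_match('#(\d+\.\d+\.\d+\.\d+)#', $server_ip, $matches)) {
        $server_ip = $matches[1];
    } else {
        $server_ip = '127.0.0.1';
    }
} else {
    $server_ip = $_SERVER['SERVER_ADDR'];
}

echo $server_ip;
?>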

How to delete .SVN files/directories

August 13th, 2009

It is a common situation: somebody copies a directory that contains SVN files and also has locally modified files.
Therefore a clean export won't do the job.
Here is what I do to clean the SVN files out of the new folder.

This command will display all the .SVN folders starting from the current folder.

Be yourself i.e. not root :D just in case.

find . -type d -name '*.svn' -print

Example Output:

./js/.svn
./templates/.svn
./.svn
./css/.svn
./images/.svn

What I do is check the folders visually and then use my editor to search & replace:
"./" and replace it with "rm -rf ./"

Result:

rm -rf ./js/.svn
rm -rf ./templates/.svn
rm -rf ./.svn
rm -rf ./css/.svn
rm -rf ./images/.svn

Then I paste this in the console window.

rm is a dangerous command so be careful!
Your precious work could be gone in a fraction of a second!

How to find which flash player version you have ?

July 17th, 2009

In order to find the currently installed flash player version go to http://kb2.adobe.com/cps/155/tn_15507.html

Is your blog protected against brute force attack ?

July 17th, 2009

Here is an explanation about brute force attack from Wikipedia

In computer science, brute-force search or exhaustive search, also known as generate and test, is a trivial but very general problem-solving technique that consists of systematically enumerating all possible candidates for the solution and checking whether each candidate satisfies the problem's statement.

Donncha O Caoimh's posting has 2 really good ideas.

1) Use a small script to log some *unusual* POST requests
By using the script Donncha was notified when somebody was trying to get into his wordpress blogs.

Credits: Donncha O Caoimh

if ( ( isset( $HTTP_RAW_POST_DATA ) || !empty( $_POST ) ) && $_SERVER[ 'REQUEST_URI' ] != '/wp-cron.php?doing_wp_cron' && $_SERVER[ 'SCRIPT_NAME' ] != '/wp-comments-post.php' && substr( $_SERVER[ 'REQUEST_URI' ], -10 ) != '/trackback' && substr( $_SERVER[ 'REQUEST_URI' ], -11 ) != '/trackback/' ) {
mail( "MYEMAIL@gmail.com", $_SERVER[ 'HTTP_HOST' ] . " POST request: " . $_SERVER[ 'REMOTE_ADDR' ], "URL: {$_SERVER[ 'REQUEST_URI' ]}\nPOST: " . print_r( $_POST, 1 ) . "\nCOOKIES: " . print_r( $_COOKIE, 1 ) . "\nHTTP_RAW_POST_DATA: $HTTP_RAW_POST_DATA" );
}

2) Use the limit login attempts Wordpress plugin

Here is some info about the plugin
Limit Login Attempts blocks an Internet address from making further attempts after a specified limit on retries is reached, making a brute-force attack difficult or impossible.

Google Voice Invitation

July 16th, 2009

I've just received an invitation to check Google Voice BUT it's not available outside the US .....

I should have been notified when Google Voice is available in my country.

Google Voice - N/A

Another (free) way to advertise your services and products

July 13th, 2009

I just visited an interesting site and I decided to check its WHOIS info.

Here is what I've found.

The registrar or the owner have entered information about their services in the domain's WHOIS info.


To read more about domain WHOIS information go to http://en.wikipedia.org/wiki/WHOIS

A Good Downtime Notification by OpenSRS

July 13th, 2009

Today I will be commenting on OpenSRS downtime notifications.

I like the message structure very much.

Please note that we will be conducting the following network maintenance at our data center:

Date: Sunday, July 19, 2009
Time: 03:00 - 07:00 UTC
Duration: 4 hours
Your local time:
http://opensrs.info/July19start to http://opensrs.info/July19end

Service Impact:

We will use this time to upgrade our core routers to accommodate 10 Gigabit cards. To minimize the impact on your services, traffic will be routed through secondary routers. This action should limit the actual down time to approximately 15 minutes within the 4 hour window.

The following OpenSRS Services will be briefly affected:

* OpenSRS Provisioning and Management (includes the RWI: ordering, renewals, transfers, deletion and management of domain names.)
* Storefront (includes ordering, renewals, deletion and management of domain names.)
* Provisioning of Digital Certificates (SSL) and Managed DNS
* Blogware
* Website Builder

All domains will continue to resolve.

As always, we will keep you informed of any changes through System Status (http://status.opensrs.com/).

Thank you for your continued support of OpenSRS.

Reasons
#1 It answers the important questions up front:
what will change and what it will affect,
when it will happen, how long it will last, etc.

#2 Local time links

The links http://opensrs.info/July point to http://www.timeanddate.com/worldclock/fixedtime.html?month=7&day=19&year=2009&hour=3&min=0&sec=0&p1=0
which gives you a table where you can find your local time.

#3 Status page where users can see which services are running at the moment.
http://status.opensrs.com/

Good job.

P.S.

I have decided to post this article because several months ago I criticised OpenSRS about the look of the reseller control panel.
It looks so 90s by the way.
They promised that they would skip web 2.0 and would go straight to 3.0 by the end of the year (2009)
That was quite funny actually. :D
With this article I want to show that I can see the good things as well :)