Database Connections Outside of Webroot

For extra security, many developers store their database connection credentials outside of the web root, so that a misconfigured server can never serve the file as plain text. This is fairly easy to achieve without too much work.

For those of you who are unsure how to store database connection credentials in a separate file, please refer to my article on Connecting to MySQL with PHP.

Once you have your connection details in a PHP file (this is also relevant to other languages such as ASP) you need to store it somewhere on your server outside of the web root. In this example we will call the file MyCat.php.

Linux Systems

Put this file outside of the web root, e.g. in /home/myuser/, where the web root (the directory in which all your web files are stored) may well be /home/myuser/htdocs/.

Now to include this file into your script use the following:-

include("/home/myuser/MyCat.php");

This will call the file from outside of the webroot.

Windows Systems

This is very similar to the above. Place the MyCat.php file in the root of the C drive in a directory called MyInclude, e.g. C:\MyInclude.

Now to include this file into your script use the following:-

include("C:\\MyInclude\\MyCat.php");
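Putting the two cases together, here is an added example (not code from the original article) of a script inside the web root loading MyCat.php from outside it on either platform, with two checks a practitioner would want: that the file is actually readable, and that it does not resolve to a path under the document root. The directory layout, the array-returning shape of MyCat.php and the connection details are all assumptions made for the example.

```php
<?php
// Added example (not the article's code): a web root script loading MySQL
// credentials from MyCat.php kept outside the web root, on Linux and Windows.
//
// Assumed layout (hypothetical paths, following the article):
//   Linux:   /home/myuser/MyCat.php   with web root /home/myuser/htdocs/
//   Windows: C:\MyInclude\MyCat.php   with the web root anywhere else
//
// MyCat.php is assumed to contain nothing but a returned array, e.g.
//   <?php
//   return array(
//       'host' => 'localhost',
//       'user' => 'dbuser',
//       'pass' => 'secret',
//       'name' => 'mydb',
//   );
//
// This script is assumed to sit directly in the web root, so on Linux the
// parent of its own directory (dirname(__DIR__)) is /home/myuser/.

// Pick the directory that holds MyCat.php: parent of the web root on Linux,
// C:\MyInclude on Windows as in the article.
$credDir  = (DIRECTORY_SEPARATOR === '\\') ? 'C:\\MyInclude' : dirname(__DIR__);
$credFile = $credDir . DIRECTORY_SEPARATOR . 'MyCat.php';

if (!is_readable($credFile)) {
    // Fail closed: do not fall back to credentials kept inside the web root.
    error_log('Database credentials file not readable: ' . $credFile);
    exit('Configuration error');
}

// Sanity check: the file must not resolve to a path under DOCUMENT_ROOT,
// otherwise a server misconfiguration could serve it as plain text.
$docRoot  = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
$realCred = realpath($credFile);
if ($docRoot !== false && $realCred !== false
    && strpos($realCred, $docRoot . DIRECTORY_SEPARATOR) === 0) {
    error_log('Refusing to load credentials from inside the web root: ' . $realCred);
    exit('Configuration error');
}

$db = require $credFile;   // the array returned by MyCat.php

$link = mysqli_connect($db['host'], $db['user'], $db['pass'], $db['name']);
if (!$link) {
    // Log the detail server side; never echo connection errors to the browser.
    error_log('MySQL connection failed: ' . mysqli_connect_error());
    exit('Database unavailable');
}
```

Returning an array from the credentials file (rather than defining globals) keeps the secrets in one variable that the rest of the script hands around explicitly, and `require` rather than `include` stops execution outright if the file is missing instead of carrying on without credentials.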

Getting The Last Auto Increment Field With PHP

On many occasions you need to find the value of the last auto increment field inserted into a MySQL table. For example, within my Content Management System, if someone creates a new web page and saves it, the user is taken back to edit this new page. In order to do this I must retrieve the value of the last auto increment field inserted into the database.

To do this I use the PHP mysql_insert_id() function.

You can add this value to a variable by using the following code:-

$MyValue = mysql_insert_id();

So with this variable you could select an item from a database eg:

$MyQuery = "SELECT * FROM MyTable WHERE UniqueField = $MyValue";

Of course you should always check that $MyValue is numeric before it goes into the query, both for security and so we don't break the query. For this we could use the PHP intval function, assigning the result back so that the cleaned value is the one the query uses:

$MyValue = intval($MyValue);
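The same "insert, then fetch the new row by its auto increment id" flow, written here as an added example (not the article's code) against mysqli, since the mysql_* extension the article uses was removed in PHP 7. The table and column names (MyTable, UniqueField, Title), the edit page URL and the connection details are assumptions for the example.

```php
<?php
// Added example, not the article's code: insert a page, read back the
// AUTO_INCREMENT id, and select the row with that id using mysqli.
// Connection details, table/column names and /edit.php are assumptions.

$db = new mysqli('localhost', 'dbuser', 'secret', 'mydb');
if ($db->connect_error) {
    error_log('DB connect failed: ' . $db->connect_error);
    exit('Database unavailable');
}

// 1. Insert the new page. The title comes from the user, so it is bound as a
//    parameter rather than spliced into the SQL string.
$title = isset($_POST['Title']) ? $_POST['Title'] : 'Untitled';
$ins = $db->prepare('INSERT INTO MyTable (Title) VALUES (?)');
$ins->bind_param('s', $title);
$ins->execute();

// 2. mysqli's equivalent of mysql_insert_id(): the AUTO_INCREMENT value this
//    connection generated on its last INSERT. It is already an integer;
//    intval() makes that explicit before the value is used anywhere else.
$MyValue = intval($db->insert_id);
$ins->close();

if ($MyValue <= 0) {
    // 0 means the INSERT produced no auto increment value (failed insert, or
    // a table without AUTO_INCREMENT), so there is nothing to select.
    exit('Insert did not return an id');
}

// 3. Fetch the row back. With a bound integer parameter the id can never
//    change the shape of the query, which is the "don't break the query"
//    concern from the article handled by the driver rather than by hand.
$sel = $db->prepare('SELECT * FROM MyTable WHERE UniqueField = ?');
$sel->bind_param('i', $MyValue);
$sel->execute();
$row = $sel->get_result()->fetch_assoc();   // get_result() needs the mysqlnd driver
$sel->close();

// Send the user on to edit the page they have just created.
header('Location: /edit.php?id=' . $MyValue);
exit;
```

Note that insert_id is per connection: it reports the last id this connection generated, so another user inserting at the same moment cannot hand you their row's id.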

Detecting Mobile Devices with PHP

I have been using a great function written by Andy Moore on one of my personal sites that I run for my friends to detect mobile phones with PHP, which worked a treat until a friend of mine bought himself a nice shiny iTouch and found the site still redirected him to the site's dedicated mobile pages. After the jealousy of finding out my friend had a nice iTouch subsided, I set to work to implement the detect iPhone function.

I used the following in my header file to detect mobile and iPod devices:

// detect and redirect mobile browsers
if (detect_mobile_device()) {
    header('Location: /mobile/'); // direct mobiles to the mobile site
    exit;
}

// send iPhone to specific site
if (detect_iphone()) {
    header('Location: /'); // direct iPhone to the normal site
    exit;
}

What I got was a continuous loop, as both the detect_mobile_device() function and the detect_iphone() function were returning true – Ouch!

I used this workaround to great effect:

// Send iPhone / iPod touch users to the normal home page.
// eregi() was removed in PHP 7; preg_match() with the i flag is the
// case-insensitive equivalent.
$set = 0;
if (isset($_SERVER['HTTP_USER_AGENT'])
    && preg_match('/iPhone|iPod/i', $_SERVER['HTTP_USER_AGENT'])) {
    $set = 1;
}

if ($set != 1) {
    if (detect_mobile_device()) {
        header('Location: /mobile/');
        exit();
    }
}

This worked a treat, with iTouch and iPhones being left to go to my homepage whilst mobile browsers are pushed to the mobile page. This works because $set is only equal to 1 if an iPhone or iTouch is detected, in which case detect_mobile_device() is not run. If the device is not an iPhone or an iTouch then detect_mobile_device() is called to test for a mobile browser.
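The routing decision above can also be written as a pure function that takes the user agent and the current path and returns where to redirect (or null), which makes the ordering of the checks testable without sending headers, and adds the other guard against redirect loops: never redirect a visitor to the section they are already in. This is an added example, not the article's code nor Andy Moore's; looks_mobile() is a deliberately small keyword match standing in for detect_mobile_device(), and the user-agent strings in $cases are constructed for the test.

```php
<?php
// Added example (not the article's code, not Andy Moore's): the redirect
// decision as a pure function. looks_mobile() is a small stand-in for the
// real detect_mobile_device(), which covers far more devices.

function is_iphone_family($ua) {
    return preg_match('/iPhone|iPod/i', $ua) === 1;
}

function looks_mobile($ua) {
    // Stand-in for detect_mobile_device(): a handful of common tokens only.
    return preg_match('/Mobile|Android|Symbian|BlackBerry|Windows CE|Opera Mini/i', $ua) === 1;
}

/**
 * Return the path to redirect to, or null to serve the current page.
 * Rules, in this order:
 *   1. iPhone / iPod touch get the full site, so they are never sent to
 *      /mobile/ even though they also match the mobile test.
 *   2. Other mobile browsers go to /mobile/ unless they are already under
 *      it, which is the second thing that stops a redirect loop.
 */
function pick_redirect($ua, $requestPath) {
    if (is_iphone_family($ua)) {
        return null;
    }
    if (looks_mobile($ua) && strpos($requestPath, '/mobile/') !== 0) {
        return '/mobile/';
    }
    return null;
}

// Constructed user-agent strings and the expected decision for each.
$cases = array(
    // iPod touch on the home page: stays on the full site
    array('Mozilla/5.0 (iPod; U; CPU iPhone OS 2_1 like Mac OS X) AppleWebKit/525.18.1 Mobile/5F137 Safari/525.20', '/', null),
    // Other mobile browser on the home page: sent to the mobile site
    array('BlackBerry8310/4.2.2 Profile/MIDP-2.0 Configuration/CLDC-1.1 VendorID/100', '/', '/mobile/'),
    // Same browser already on the mobile site: no further redirect
    array('BlackBerry8310/4.2.2 Profile/MIDP-2.0 Configuration/CLDC-1.1 VendorID/100', '/mobile/news.php', null),
    // Desktop browser: untouched
    array('Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0', '/', null),
);

foreach ($cases as $c) {
    $got = pick_redirect($c[0], $c[1]);
    echo ($got === $c[2] ? 'ok   ' : 'FAIL ') . $c[1] . ' -> ' . var_export($got, true) . "\n";
}

// In the header file the call would be:
//   $ua   = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
//   $path = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '/';
//   $target = pick_redirect($ua, $path);
//   if ($target !== null) { header('Location: ' . $target); exit; }
```

The user agent is entirely under the visitor's control, so a decision like this is fine for choosing a layout but should never gate anything that matters; a missing HTTP_USER_AGENT is handled by defaulting it to an empty string, which matches neither test and serves the full site.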

Trojanised WordPress

As a daily reader of The Register website I was quite concerned when I came across this article on a Trojanised version of WordPress doing the rounds on a fake site.

Apparently this fake site – Wordpresz.org – is offering the ‘latest version’, which is apparently 2.6.4. However, the latest official version from WordPress is 2.6.3, which I upgraded two blogs to yesterday (Wednesday 5th November 2008). Although I was sure (as I always am) to double check that the download was from the official URL, it didn’t stop me panicking, so off I went to check on the two blogs that I had upgraded just in case.

The difference is a Trojanised version of pluggable.php, and Sophos has since detected the malicious code as the WPHack-A Trojan. According to posters on Craig Murphy’s Blog, the Trojanised version of pluggable.php attempts to steal users’ cookies if you have five or more users. I should imagine further analysis of pluggable.php may yield additional code, but until then watch this space!

Anyway, all was well with my blogs, but it does make you think: always double check the URL of the links that you are clicking on. Are they what they appear to be?!