PHP

Security issue in CakePHP code documentation

Submitted by Amir Shevat on Thu, 03/04/2010 - 19:37

I have been using CakePHP for a long time now and enjoy every second. It provides a productive, easy-to-use and well-documented platform for PHP applications. The key advantages for me are – transparent O/R mapping, a strong Model View Controller framework, and tons of extra utilities that make your life better.

I have come across a possible security issue in one of the CakePHP code examples. This section of code is responsible for authorizing or denying a client's access to a certain action (MVC flow):

<?php
    function isAuthorized() {
        if ($this->action == 'delete') {
            // only admins may delete
            if ($this->Auth->user('role') == 'admin') {
                return true;
            } else {
                return false;
            }
        }

        // every other action, for every role, is allowed by default
        return true;
    }
?>

The major security rule this code is breaking is – never ever have 'return true' as the default for an authorization method.
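Here is how the same callback looks when it denies by default. This is an added example, not code from the CakePHP documentation or from the original post; it assumes the CakePHP 1.x controller API the snippet above uses ($this->action and $this->Auth->user('role')), and the role names and the action list are illustrative assumptions.

```php
<?php
// Added example: deny-by-default isAuthorized() for a CakePHP 1.x controller.
// Assumes $this->action holds the requested action name and
// $this->Auth->user('role') returns the logged-in user's role (or null).
class PostsController extends AppController {

    // Explicit allow-list: action => roles permitted to run it.
    // Anything not listed here is denied, whatever the role.
    // Role names and actions are illustrative assumptions.
    var $actionRoles = array(
        'index'  => array('admin', 'editor', 'member'),
        'view'   => array('admin', 'editor', 'member'),
        'add'    => array('admin', 'editor'),
        'edit'   => array('admin', 'editor'),
        'delete' => array('admin'),
    );

    function isAuthorized() {
        $role = $this->Auth->user('role');

        // No authenticated role at all: deny.
        if (empty($role)) {
            return false;
        }

        // Unknown or unlisted action: deny. This is the branch the original
        // example got wrong by returning true for everything else.
        if (!isset($this->actionRoles[$this->action])) {
            return false;
        }

        // Known action: allow only if the user's role is on its list.
        // Strict comparison avoids loose-typing surprises such as 0 == 'admin'.
        return in_array($role, $this->actionRoles[$this->action], true);
    }
}
?>
```

With this shape, adding a new action to the controller without touching $actionRoles makes it inaccessible rather than open to everyone, which is the failure mode the original default hides. In CakePHP 1.x the callback is only consulted when the controller sets $this->Auth->authorize = 'controller' in beforeFilter(); that setting is assumed here.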

CakeOTP 1.0 - Secure, Expirable, Table-less One Time Password for CakePHP Released

Submitted by Amir Shevat on Thu, 02/11/2010 - 03:34

CakeOTP is a secure, table-less and expirable implementation of One Time Password for the popular CakePHP development framework.

A one-time password (OTP) is a password that is only valid for a single login session or transaction. It is commonly used on the internet for registration and password-reminder processes, in which the OTP is provided to the user in the form of a link that the user follows in order to create or reset their password.

The problem is that most one-time password implementations involve maintaining additional database tables and batch processes that handle the persistence and expiry date of the one-time password. This adds complexity and reduces performance.

CakeOTP is a simple and clean implementation of one-time passwords. It reduces complexity by removing the redundant SQL calls and database batch maintenance while still keeping the one-time password secure and expirable.

Download this release here.

Checkout the Online Demo, project page and getting started page.
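One way a table-less, expirable reset link can be built is to let the server sign the user id and an expiry timestamp and recompute that signature when the link comes back, so there is nothing to store and nothing to purge. The following is an added illustration of that idea; it is not CakeOTP's own code or algorithm, and it assumes a server-side secret kept out of the database, a numeric user id, and PHP 5.6 or later for hash_equals().

```php
<?php
// Added example (not CakeOTP's code): table-less, expirable one-time reset token.
// The token is user_id|expires|HMAC, where the HMAC covers the user id, the expiry
// and the user's current password hash. Binding the current hash makes the link
// genuinely one-time for password resets: once the password changes, the old link
// no longer verifies, again without storing anything.

define('OTP_SECRET', 'REPLACE-WITH-LONG-RANDOM-SECRET'); // placeholder, not a real key
define('OTP_LIFETIME', 3600); // seconds a link stays valid (illustrative value)

function otp_mac($userId, $expires, $passwordHash) {
    return hash_hmac('sha256', $userId . '|' . $expires . '|' . $passwordHash, OTP_SECRET);
}

// Build the token that goes into the e-mailed link.
// $passwordHash is the stored hash of the user's current password.
function otp_create($userId, $passwordHash, $now = null) {
    $now = ($now === null) ? time() : $now;
    $expires = $now + OTP_LIFETIME;
    // user id and expiry travel in the clear; the MAC binds them together
    return $userId . '|' . $expires . '|' . otp_mac($userId, $expires, $passwordHash);
}

// Parse the token far enough to learn which user to look up.
// Returns the user id as a string, or false if the token is malformed.
function otp_user_id($token) {
    $parts = explode('|', $token);
    if (count($parts) !== 3 || !ctype_digit($parts[0]) || !ctype_digit($parts[1])) {
        return false;
    }
    return $parts[0];
}

// Verify a token against the user's current password hash (looked up by the
// caller via otp_user_id()). Returns true only for an unexpired, untampered token.
function otp_verify($token, $currentPasswordHash, $now = null) {
    $now = ($now === null) ? time() : $now;
    if (otp_user_id($token) === false) {
        return false;
    }
    list($userId, $expires, $mac) = explode('|', $token);
    if ((int)$expires < $now) {
        return false; // expired: no cleanup job is needed, it simply stops verifying
    }
    $expected = otp_mac($userId, $expires, $currentPasswordHash);
    return hash_equals($expected, $mac); // constant-time comparison of the MACs
}

// Constructed usage: create a link for user 42, then check it before and after a reset.
$hashBefore = 'constructed-old-password-hash';
$token = otp_create(42, $hashBefore);
var_dump(otp_verify($token, $hashBefore));                    // bool(true)
var_dump(otp_verify($token, 'constructed-new-password-hash')); // bool(false): used up
var_dump(otp_verify($token, $hashBefore, time() + OTP_LIFETIME + 1)); // bool(false): expired
?>
```

The design trade-off is that nothing can be revoked early except by changing the secret or the bound credential, and the user id and expiry are readable by anyone who holds the link, so the token must still travel over HTTPS and only ever grant the reset action itself.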

CakeOTP 0.1 beta release - One Time Password Reference Implementation for CakePHP

Submitted by Amir Shevat on Fri, 01/22/2010 - 04:05


I have started to implement the algorithm for a table-less, secure one-time password.

Here is a link to the Demo, and here is a link to the beta release.

The only thing you need to do other than the regular CakePHP setup is to create a user table (used by the CakePHP Auth component):

Make ThickBox Work with Other JavaScript Libraries / Resolve ThickBox Conflict Issues

Submitted by Amir Shevat on Tue, 07/14/2009 - 07:45

ThickBox is a cool visualization tool based on the jQuery JavaScript library. ThickBox helps you display photos in a cool way and is useful in many web projects.

The problem

ThickBox does not work when the HTML page also loads other JavaScript libraries such as MooTools.

Debugging the error reveals this:
$(domChunk) is null

Most Useful / Best Drupal Modules

Submitted by Amir Shevat on Tue, 05/26/2009 - 07:00

I have recently upgraded my cats idol site to Drupal 6 and enhanced its functionality. I have also created several other sites (including this site) using the following set of useful Drupal modules.

Here is my list of useful (AKA Best IMHO) Drupal modules:

Apache Crashes on Windows – Check Your Ports

Submitted by Amir Shevat on Wed, 05/20/2009 - 00:20

Apache is one of the most popular web servers in the market today. It usually runs on Linux-based machines, but lately there are more and more deployments of Apache on Windows, for development as well as other reasons. Nowadays, running the Apache web server on Windows is very common for PHP developers. Many developers develop their PHP application on their home Windows or Mac machine and deploy to a remote Linux server.

PHP Transparent Database Access layer - PHP Object-Relational Mapping (PHP ORM)

Submitted by Amir Shevat on Mon, 04/20/2009 - 07:00

The combination of relational data (databases) and Object Oriented Programming (OOP) is not a match made in heaven. The way we work with objects is totally different from the way we access data. The problem is that in most projects you need to access data and write object-oriented classes to display and manipulate that data.

Generate and Format Last Updated in PHP

Submitted by Amir Shevat on Tue, 02/24/2009 - 01:09

As a reader of many online product reviews, I am always interested in how long a review stays relevant. As time passes, things change and reviews get stale.

If you have this need as a webmaster and your review is file based (as opposed to database based), you can use the filemtime function to generate the last-updated date automatically:

$LAST_UPDATED = date("F d Y", filemtime('review.php')); // e.g. "February 24 2009", taken from the file's modification time

Here review.php is, for example, the file that holds the product review.

How to: Redirect 404 (page not found) pages in PHP and Apache – Internet Explorer problem

Submitted by Amir Shevat on Sat, 01/31/2009 - 09:54

Sometimes you want your client to see a different page than the default 404 (page not found) page.
To do this you just need to add an entry to the .htaccess file in your web folder:

ErrorDocument 404 /404err.php

404err.php is an example of the PHP page you want Apache to serve instead of the Apache default.

PHP calling .NET - PHP to WCF calls with parameters

Submitted by Amir Shevat on Wed, 07/30/2008 - 14:58

In my last post I provided an example of PHP calling a .NET Windows Communication Foundation (WCF) web service. The PHP code invoked the .NET service with no parameters, getting the time on the server.

Sometimes (well, most of the time) you need to pass parameters to the .NET web service. For example, you might want to pass a client ID and get back its account balance.

Here is what you do:
