Uncategorized

PHP NONCE Library

By michael  |  August 12th, 2009  |  Published in Blogging, Uncategorized  |  23 Comments

[Download our nonce library]

We’ve recently developed our own PHP NONCE library for use with custom programming. Our version is loosely based on the implementation found inside the core WordPress software.

What is a NONCE?

Literally, the term refers to a number used once. In software development, it is often used as a security measure to ensure that certain links or forms can be used only once, thereby preventing malicious attacks against the system.

Where would I use a NONCE?

A NONCE offers an additional level of security wherever sensitive actions take place within your application. Take the following line of code as an example:

<a href="delete_post.php?post=003">Delete Post</a>

This link was poorly thought out if the application has no other security measures in place. Anyone could begin deleting posts by simply pointing their browser at the above link and changing the post number.

Well-designed applications would only make that link available if the user were logged into the system with appropriate permissions. Furthermore, the delete_post.php script would ideally check that the user is logged in and has permission to delete that post. Is this enough security, though?

Here are just two scenarios that could circumvent the above security measures:

  1. Depending on how the application’s user authentication works, it is certainly possible for a malicious user to spoof an authenticated user or otherwise crack the authentication.
  2. Additionally, if you are a legitimate admin of the above-mentioned application, it would be possible for me to trick you by sending you a link to this script. Once you clicked it, the post would be deleted.

How a NONCE prevents the above attacks

A NONCE is successful as an additional layer of security because it prevents actions initiated by links or requests from being used more than once. Every time a link or a form is printed on the screen, your NONCE functionality embeds a key / value pair to be sent to the receiving script. Every time that script is called, it checks for the key / value pair and then authenticates it on a pass / fail basis. If it passes, the action is performed; if it fails, the action is not performed.

The above link with a NONCE applied to it would resemble the following:

<a href="delete_post.php?post=003&_nonce=9c5fbfabb1">Delete Post</a>

The receiving script would then do the following:

  1. Check to see if the user is logged in with appropriate permissions (standard security)
  2. Check to make sure the NONCE key / value is set
  3. Authenticate the received NONCE using a library of functions.

How does a NONCE create and authenticate its key / value pairs?

While there are no hard and fast rules for creating a NONCE, most libraries include the following components when generating one:

  • A secret key or ‘salt’ stored only on the server
  • A user ID (optional; makes the NONCE work only for a specific user)
  • An action name, e.g. ‘delete-post’
  • A timestamp (allowing the NONCE to expire if never used)
  • A database of used NONCEs (optional and not used in our library)

Using all of the above components, a NONCE may be generated like this: secret-salt + user ID + action-name + timestamp. All of this is thrown into a hash that the receiving script can unpack and authenticate (most of the time, the timestamp is modified before being included and hashed).

The receiving script doesn’t actually ‘unpack’ the received key; rather, it recreates it and compares. For instance, the delete_post script would combine the secret salt (which it knows), the current user’s ID, the delete-post action name, and a timestamp (modified appropriately). If any one of those components is off, the NONCE value generated by the receiving script will not match the one sent by the initial script, and the NONCE will fail to authenticate.

How to use our NONCE library

  1. Download the zip file and unpack
  2. Include ft-nonce.php in all of your application’s pages
  3. Embed one of our two generating functions in your links or forms
  4. Call the validating function at the top of your receiving scripts and do as you wish based on the validity of the NONCE.

If you need a further example, you can check out the example here. The PHP source file is included in the zip.
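The components listed above and the three receiving-script steps, carried through in PHP. This is an added example written for this page, not the ft-nonce.php library’s code: the ft_example_* names, the secret and the 24-hour lifetime are assumptions (the tick scheme follows the WordPress core implementation the library is said to be based on). It also shows the two embedding forms the library steps mention (a link and a hidden form field) and what the top of delete_post.php would do with the result.

```php
<?php
// Added example for this page; it is not the ft-nonce.php library. The
// ft_example_* names, the secret and the 24-hour lifetime are assumptions
// (the tick scheme follows the WordPress core implementation the library is
// said to be based on). Requires PHP 5.6+ for hash_equals().

define('FT_EXAMPLE_SECRET', 'replace-with-a-long-random-secret-kept-on-the-server');
define('FT_EXAMPLE_LIFE', 24 * 60 * 60);   // seconds a NONCE stays valid

// The timestamp is modified before hashing: it is rounded up to a "tick" of
// half the lifetime, so a value is accepted for the current and the previous
// tick and expires between 12 and 24 hours after it was issued.
function ft_example_tick($now = null)
{
    $now = ($now === null) ? time() : $now;
    return (int) ceil($now / (FT_EXAMPLE_LIFE / 2));
}

// Generate: secret + user ID + action name + (rounded) timestamp, hashed with
// an HMAC; only a short slice of the digest is exposed in the page.
function ft_example_create($action, $userId, $now = null)
{
    $data = ft_example_tick($now) . '|' . $action . '|' . $userId;
    return substr(hash_hmac('sha256', $data, FT_EXAMPLE_SECRET), -12, 10);
}

// Authenticate: recreate the value for the current and the previous tick and
// compare; the received key is never "unpacked". Returns 1 (current tick),
// 2 (previous tick) or false.
function ft_example_verify($nonce, $action, $userId, $now = null)
{
    if (!is_string($nonce) || $nonce === '') {   // rejects missing values and arrays (?_nonce[]=)
        return false;
    }
    $now = ($now === null) ? time() : $now;
    if (hash_equals(ft_example_create($action, $userId, $now), $nonce)) {
        return 1;
    }
    if (hash_equals(ft_example_create($action, $userId, $now - FT_EXAMPLE_LIFE / 2), $nonce)) {
        return 2;
    }
    return false;
}

// The two embedding helpers: one for links, one for forms.
function ft_example_nonce_url($url, $action, $userId)
{
    $sep = (strpos($url, '?') === false) ? '?' : '&';
    return $url . $sep . '_nonce=' . ft_example_create($action, $userId);
}

function ft_example_nonce_field($action, $userId)
{
    $value = htmlspecialchars(ft_example_create($action, $userId), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="_nonce" value="' . $value . '" />';
}

// What the top of delete_post.php does, following the three steps above.
// $_GET and the session are passed in as plain values so this runs from the
// command line.
function ft_example_receive(array $request, $currentUserId, $canDelete)
{
    if (!$canDelete) {                                     // 1. standard security
        return 'forbidden';
    }
    if (!isset($request['_nonce'])) {                      // 2. key / value present?
        return 'missing nonce';
    }
    $postId = (isset($request['post']) && is_string($request['post'])) ? $request['post'] : '';
    // 3. authenticate; the post ID is folded into the action name so a value
    // issued for one post cannot be reused on another.
    $result = ft_example_verify($request['_nonce'], 'delete-post-' . $postId, $currentUserId);
    return ($result === false) ? 'nonce failed' : 'deleted post ' . $postId;
}

// Walk through the link from the post: mint it for user 42, then replay the
// query string against the receiving script under different conditions.
$uid  = 42;
$link = ft_example_nonce_url('delete_post.php?post=003', 'delete-post-003', $uid);
echo $link, "\n";

parse_str(substr($link, strpos($link, '?') + 1), $query);
echo ft_example_receive($query, $uid, true), "\n";        // same user, same post
echo ft_example_receive($query, 7, true), "\n";           // another user's session
$query['post'] = '004';
echo ft_example_receive($query, $uid, true), "\n";        // value minted for post 003, sent for 004

// A value minted two lifetimes ago is outside both accepted ticks.
$stale = ft_example_create('delete-post-003', $uid, time() - 2 * FT_EXAMPLE_LIFE);
var_dump(ft_example_verify($stale, 'delete-post-003', $uid));
```

Because this scheme keeps no database of used NONCEs (the optional component the post says its library omits), the value is not literally single-use: it stays valid for its lifetime and is accepted however many times it is sent. That is enough against the second scenario above, since someone sending an admin a link cannot compute the value without the server-side secret, but it is not a substitute for the login and permission check in step 1, and hash_equals() is used so that the comparison does not leak how many leading characters matched.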

Feedback

We’ve only deployed this once and value your feedback. We will be more than happy to modify, enhance, and correct bugs as reported.

Twitter Post

By michael  |  July 4th, 2009  |  Published in Uncategorized  |  103 Comments

With Twitter Post, every author of your blog can have their own Twitter information stored under the Users section. Whenever they post to your blog, it will automatically tweet a message to the admin Twitter account as well as their own Twitter account. The admin can also choose to send a tweet to all authors’ Twitter accounts whenever anyone publishes a post.

With Twitter Post you can…

  • choose which categories are included or excluded
  • exclude individual posts from being tweeted before you publish them
  • retweet a published post*
  • choose to tweet to all authors
  • customize the tweet format, including the post title and post URL (using the custom tags %TITLE% and %URL%, respectively)**

Currently Twitter Post supports two URL shortening services. TinyURL is the default shortener: Twitter Post will attempt to get the permalink of your post shortened by TinyURL, and if it is unable to, it will use the regular site URL. The other shortener you can use is a WordPress plugin called Twitter Friendly Links. If Twitter Friendly Links is installed and activated on your website, Twitter Post will use it as the default shortener.

* Twitter no longer allows tweeting the exact same message more than once. This is an attempt to reduce SPAM in their system. I am not trying to encourage SPAM with the ReTweet feature, but I felt like it was an important feature to include. Because of the limitation imposed by Twitter, I had to add a random element to each ReTweet. Currently a random number between 10 and 99 will be appended to a ReTweet. Also, you will only see the ReTweet option for published posts.

** Twitter allows a maximum of 140 characters per tweet. If your custom format is too long to accommodate %TITLE% and/or %URL%, this plugin will cut off your title to fit and/or remove the URL. The URL is given preference (since it’s either all or nothing). So if your TITLE ends up making your tweet go over 140 characters, the plugin will take a substring of your title (plus an ellipsis).
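The format rules from the two footnotes above, as an added example that is not the plugin’s own code: tp_example_format() is a hypothetical name, the mb_* functions assume the mbstring extension, and the inputs at the bottom are constructed. It applies the URL-first, all-or-nothing rule and then fits the title into whatever room remains.

```php
<?php
// Added example for this page, not the plugin's own code: the %TITLE% / %URL%
// rules from the two footnotes. tp_example_format() is a hypothetical name;
// the mb_* functions assume the mbstring extension.

define('TP_EXAMPLE_MAX', 140);
define('TP_EXAMPLE_ELLIPSIS', '...');

// $shortUrl is null when the shortener (TinyURL or Twitter Friendly Links)
// could not be used, in which case the regular permalink is the fallback.
function tp_example_format($format, $title, $permalink, $shortUrl = null)
{
    $url  = ($shortUrl === null) ? $permalink : $shortUrl;
    $text = str_ireplace('%URL%', $url, $format);   // tags are case-insensitive

    // URL first, all or nothing: if format + URL already exceed the limit with
    // an empty title, the URL is dropped entirely.
    if (mb_strlen(str_ireplace('%TITLE%', '', $text)) > TP_EXAMPLE_MAX) {
        $text = str_ireplace('%URL%', '', $format);
    }

    // Whatever room is left goes to the title, cut with an ellipsis if needed.
    $room = TP_EXAMPLE_MAX - mb_strlen(str_ireplace('%TITLE%', '', $text));
    if (mb_strlen($title) > $room) {
        $keep  = max(0, $room - mb_strlen(TP_EXAMPLE_ELLIPSIS));
        $title = mb_substr($title, 0, $keep) . TP_EXAMPLE_ELLIPSIS;
    }
    $tweet = str_ireplace('%TITLE%', $title, $text);

    // Final guard for a format so long that not even the ellipsis fits.
    return mb_substr($tweet, 0, TP_EXAMPLE_MAX);
}

// Constructed inputs: the plugin's default format, an over-long title, and a
// shortened URL that would have come back from TinyURL.
$format = 'Blogged %TITLE%: %URL%';
$title  = str_repeat('A long post title ', 10);
$tweet  = tp_example_format($format, $title, 'http://example.com/?p=3', 'http://tinyurl.com/example');
echo $tweet, "\n", mb_strlen($tweet), "\n";

// The same title with no shortener available falls back to the permalink.
echo tp_example_format($format, $title, 'http://example.com/?p=3'), "\n";
```

The length arithmetic assumes %TITLE% appears once in the format; if it appears twice, the room calculation would need to multiply the title length accordingly.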

Download

Latest Version (Tested on WordPress 2.9.1 but should work on 2.6 and up)

ChangeLog
1.5.5

  • Fixed exclude post issue.

1.5.4

  • Removed link to survey.

v1.5.3

v1.5.2

  • Fixed bug introduced in WordPress 3.0 with publishing pages

v1.5.1

  • Fixed case sensitivity issue in tweet format
  • Added ability to ReTweet a published post
  • Removed and cleaned up some code
  • Cleaned up some validation techniques for test tweet feature

v1.5.0

  • Added ability to send a test tweet to Twitter (to verify everything is working); this bumps the support up to start at WP2.8 but will allow me to add a “re”-tweet feature in a later version.
  • Made some efficiency fixes
  • Made some styling changes to match current WordPress styling
  • Setup partial error reporting (as part of the test tweet) which I will extend into a debugging feature in a later version

v1.4.1

  • Fixed issue with not stripping slashes properly from default tweet format option
  • Removed unneeded option code for efficiency
  • Updated str_ireplace function for better PHP4 compatibility

v1.4.0

  • Discovered WP_Http class (since WP2.7) which makes life much easier for everyone, but this bumps the support up to start at WP2.7
  • Removed cURL requirement, switched to WP_Http API
  • Removed Twitter API Classes, switched to WP_Http API
  • Changes in cURL requirement required modification of init() function

v1.3.5

  • Moved URL shortening functionality for improved efficiency

v1.3.4

  • Moved exclusion check for efficiency
  • Fixed bug in scheduled posts: if a secondary account scheduled a post and logged out, the message would not have been tweeted

v1.3.3

  • Had a typo when checking the PHP Version for PHP5 functionality

v1.3.2

  • Fixed bug that prevented TwitterPost from tweeting when setting a custom tweet on a Post page

v1.3.1

  • Fixed bug with category exclusion logic… accidentally brought it back in with version 1.3.0

v1.3.0

  • Cleaned up and removed 139 lines of code
  • Fixed second bug with category exclusion logic

v1.2.2

v1.2.1

  • Fixed PHP cURL Requirement Error Message
  • Added PHP cURL Requirement skip if Twitter Friendly Links is already installed.
  • Added ability for WP Admin to set Twitter Post to tweet from all Author accounts whenever a post is published.

v1.2.0

  • Changed default tweet from “Blogged %TITLE%: – %URL%” to “Blogged %TITLE%: %URL%”.
  • Added check to make sure PHP Curl is installed.
  • Fixed bug that caused Twitter Post to tweet when adding new page.
  • Added ability to specify which categories to include/exclude in tweet.
  • Added ability to exclude a post before publishing it.
  • Added support for using Twitter Friendly Links instead of TinyURL links when TFL plugin is activated.
  • Added support for multiple author twitter accounts and default twitter account.

v1.1.1

  • Fixed support URLs

v1.1.0

  • Fixed Default Tweet typo (“blogged” instead of “bloggged”).
  • No longer publishes to twitter when you update/edit an old post.
  • Added feature to customize tweet per post using Custom Fields.
  • Changed project URL to http://fullthrottledevelopment.com/ – my new business venture.

v1.0.0 – Initial release

  • Allows custom tweet formatting with %TITLE% and %URL% tags.

Installation

  1. Upload the `rf-twitterpost` directory to the `/wp-content/plugins/` directory
  2. Activate the plugin through the ‘Plugins’ menu in WordPress
  3. Update the Twitter Post options with your Twitter username, password, and the tweet format.
  4. The next time you publish a new post, it will update Twitter.

Possible Future Features

  • Ability to add post excerpt to tweet.
  • Possibly switch to Twitter’s OAuth API.
  • And as always, we listen to your requests…

Creating Dependent WordPress Plugins

By michael  |  June 11th, 2009  |  Published in Uncategorized  |  8 Comments

This script was generated in response to a thread on the wp-hackers mailing list.

The question at hand is how to make one plugin dependent on another plugin’s installation and activation while maintaining the use of the register_activation_hook() function.

The following code is a proof of concept. It can be improved and will be improved after I get through with WordCampRDU this weekend. I slapped it out while on a 2 1/2 hour phone call with a client and only had time to confirm it works and post it here.

How to use this proof of concept:

  1. Copy the code below and paste it into the top of “Hello Dolly”
  2. Try to activate “Hello Dolly” without “Akismet” activated.
  3. Activate “Akismet” and try to activate “Hello Dolly”
  4. Deactivate “Akismet” and confirm that “Hello Dolly” has been deactivated

Still To Do:

  1. Investigate the active plugins option to see if I can prevent hardcoding the plugin’s file location
  2. Enable a way to notify the admin that a dependent plugin has been deactivated at the same time the required plugin was deactivated.
  3. Copy the WordPress Core’s implementation of deactivating a plugin to allow for multiple dependencies and to take advantage of existing action hooks.

The Code: ( a modified hello.php )
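The author’s modified hello.php is not reproduced on this page. What follows is an added example written for this page, not the author’s proof of concept: a snippet for the top of hello.php that makes it depend on Akismet using register_activation_hook() and the is_plugin_active() / deactivate_plugins() functions from WordPress’s admin plugin API. The dep_example_* names are assumptions, and the Akismet plugin path is hard-coded, the same shortcut the to-do list above mentions.

```php
<?php
// Added example for this page, not the author's proof-of-concept code. Paste
// at the top of hello.php to make Hello Dolly depend on Akismet. The
// dep_example_* names are hypothetical; the Akismet path is hard-coded.

define('DEP_EXAMPLE_REQUIRED', 'akismet/akismet.php');   // plugin file relative to wp-content/plugins

// is_plugin_active() and deactivate_plugins() live in an admin include that is
// not loaded on every request, so pull it in when it is missing.
function dep_example_load_plugin_api()
{
    if (!function_exists('is_plugin_active')) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
}

// Walkthrough steps 2 and 3: refuse to activate unless Akismet is active.
// wp_die() stops the activation request with a message rather than a fatal error.
function dep_example_on_activate()
{
    dep_example_load_plugin_api();
    if (!is_plugin_active(DEP_EXAMPLE_REQUIRED)) {
        wp_die('Hello Dolly requires Akismet to be installed and activated first.');
    }
}
register_activation_hook(__FILE__, 'dep_example_on_activate');

// Walkthrough step 4: on every admin request, deactivate this plugin if the
// required one is no longer active. Checking on admin_init rather than inside
// Akismet's own deactivation hook avoids racing deactivate_plugins(), which
// writes the active_plugins option after its hooks have run.
function dep_example_check_dependency()
{
    dep_example_load_plugin_api();
    if (is_plugin_active(DEP_EXAMPLE_REQUIRED)) {
        return;
    }
    deactivate_plugins(plugin_basename(__FILE__));
    // To-do item 2 from the post: tell the admin what happened.
    add_action('admin_notices', 'dep_example_notice');
}
add_action('admin_init', 'dep_example_check_dependency');

function dep_example_notice()
{
    echo '<div class="error"><p>Hello Dolly was deactivated because Akismet is no longer active.</p></div>';
}
```

The deactivation happens on the first admin page load after Akismet is switched off, which in practice is the redirect back to the plugins page, so the admin sees both plugins inactive and the notice explaining why.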

Recent Sites 2

By michael  |  June 9th, 2009  |  Published in Uncategorized  |  Comments Off

Danielle Brown – Testimony

By michael  |  May 30th, 2009  |  Published in Uncategorized  |  Comments Off

Working with FullThrottle Development has been an absolute pleasure. This is by far the best development experience I’ve ever had. Delivery time and quality are 100% top-notch. In fact, it’s above and beyond what I could have ever expected. I highly recommend them and will continue to use them for all of my projects.

Recent Sites 1

By michael  |  May 29th, 2009  |  Published in Uncategorized  |  Comments Off

Example E-Card

By michael  |  February 11th, 2009  |  Published in Uncategorized  |  Comments Off

This is an example e-card enabled post. I created it by uploading photos to the post and by inserting the wpecards shortcode [wpecards] above. You can obviously use more or fewer pictures at bigger or smaller sizes.


[wpecards]

David Bisset – Testimony

By michael  |  January 30th, 2009  |  Published in Uncategorized  |  Comments Off

FullThrottle Development has been a dependable and highly recommended source for my needs in WordPress plugin development. FullThrottle is responsive to quick changes in functional specs, and has taken rare initiative in proposing better solutions for complex problems. I would highly recommend them for any serious (and not so serious?) plugin work.