Tuesday, May 26, 2009

Security concern over PHP page access control

Under the normal model-view-controller (MVC) design pattern, the controller is a good mediator between the server and the client: the server keeps to itself how it routes the various requests, behind a single point of entry. This fits Java pretty well, so how about PHP?

Without MVC, PHP page redirection is fairly easy, but a little out of control. A user may try to get into a web application simply by reading and editing the URL, which breaks the intended workflow among the pages. Web developers may try their best to hide the URL from users, but that is not practical: today's browsers keep adding features to protect the user's interests, i.e., they disclose as much information about the web site as they can. At the very least, you can't suppress the URL bar on IE7.

The enclosed link was originally a forum question about how to prevent direct downloading of JavaScript source code from the web server. Someone gave a good example. The theory behind it is to use an MD5 checksum in PHP to generate a unique session ID for the calling page, pass it as an input parameter to the target page, and verify the access right there by comparing the session object with the input parameter.

Let's have an enhanced version for PHP pages.

Example:





With this in place, only a user who arrives through the link can reach the main content of page1.php; anyone typing the URL directly, without the token the calling page stored in the session, gets a warning message instead. Simple, but useful ;-) Two caveats are worth keeping in mind, though. The check only proves that the request carries the token issued to this session, so it enforces the page workflow; it is not a secret kept from the user, who can still copy the full URL while the session is alive, and anything the browser receives, JavaScript source included, can always be saved by whoever controls the browser. Also, the token must be unguessable: an MD5 of a predictable value can simply be recomputed by an attacker, so derive the token from a random source and compare it in constant time.
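As an added example (not the post's own code, and not the forum example it refers to), here is one way to implement the gate. File names gate.php, index.php and page1.php, the helper names gate_issue_token and gate_check_token, and the query parameter t are all assumptions for illustration. It assumes PHP 7.0 or later (random_bytes, hash_equals) and PHP's native session handling. It departs from the MD5 approach described above in one respect: the token is drawn from the CSPRNG rather than hashed from anything, and it is consumed on first use so a copied URL cannot be replayed.

```php
<?php
// gate.php (hypothetical file name): helpers shared by the calling page and
// the target page. Added example; assumes PHP 7.0+ and that session_start()
// has already been called by the including page.
declare(strict_types=1);

// Issue a one-time token for $target and remember it in the session.
// A CSPRNG token is used instead of an MD5 of something predictable: the
// token only has to be unguessable, it does not need to be a digest.
function gate_issue_token(string $target): string
{
    $token = bin2hex(random_bytes(16));          // 128 bits, hex encoded
    $_SESSION['gate'][$target] = $token;
    return $token;
}

// Consume and verify the token presented for $target.
// Returns true only if a token was issued to this session for $target and
// the presented value matches it. The stored token is removed either way,
// so a failed guess also burns it and a copied URL works at most once.
function gate_check_token(string $target, ?string $presented): bool
{
    $expected = $_SESSION['gate'][$target] ?? null;
    unset($_SESSION['gate'][$target]);
    if ($expected === null || $presented === null) {
        return false;
    }
    return hash_equals($expected, $presented);   // constant-time comparison
}

// ---------------------------------------------------------------------------
// index.php (hypothetical): the calling page. It issues the token and embeds
// it in the link; the token appears nowhere else.
// ---------------------------------------------------------------------------
// <?php
// session_start();
// require __DIR__ . '/gate.php';
//
// $href = 'page1.php?t=' . rawurlencode(gate_issue_token('page1.php'));
// echo '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">Go to page 1</a>';

// ---------------------------------------------------------------------------
// page1.php (hypothetical): the target page. It refuses to render its main
// content unless the request carries the token issued to this session.
// ---------------------------------------------------------------------------
// <?php
// session_start();
// require __DIR__ . '/gate.php';
//
// // $_GET['t'] may be absent or an array (?t[]=x); only a string is accepted.
// $presented = isset($_GET['t']) && is_string($_GET['t']) ? $_GET['t'] : null;
// if (!gate_check_token('page1.php', $presented)) {
//     http_response_code(403);
//     exit('Warning: please start from the index page.');
// }
// echo 'Main content of page1.php';
```

The two page files are shown as comments under the helper file so the whole example sits in one listing; copy each into its own file to run it. The session cookie is the real credential here, so it should be sent with the HttpOnly and Secure flags (session.cookie_httponly and session.cookie_secure in php.ini, or session_set_cookie_params before session_start), and the token should be checked before any of the page's main content is emitted, as above.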




Friday, May 15, 2009

Get cursor position within Textarea

Thanks to someone sharing the JavaScript code for getting the cursor position within a web component like a Textarea on both IE and Firefox. The code looks like this:

function doGetCaretPosition(ctrl) {
    var CaretPos = 0;
    // IE support: use the selection range model
    if (document.selection) {
        // The current selection
        var range = document.selection.createRange();
        // We'll use this as a 'dummy'
        var stored_range = range.duplicate();
        // Select all text in the control
        stored_range.moveToElementText(ctrl);
        // Now move the 'dummy' end point to the end point of the original range
        stored_range.setEndPoint('EndToEnd', range);
        // Now we can calculate the start point of the caret
        CaretPos = stored_range.text.length - range.text.length;
    }
    // Firefox support: selectionStart is 0 at the very beginning of the text
    // (a falsy value), so it has to be tested for explicitly
    else if (ctrl.selectionStart || ctrl.selectionStart == "0") {
        CaretPos = ctrl.selectionStart;
    }
    return (CaretPos);
}


It does its job very well, except when you press navigation keys like the arrow keys, or even the [Shift] key, inside the Textarea. In IE (and only in IE), the cursor position always shifts to the end of the string after you press one of those keys. To make it better, we can skip any action when those problematic key codes are detected.

// is_gecko is assumed to be set elsewhere on the page; a typical definition
// (not part of the original snippet) is:
var is_gecko = navigator.userAgent.toLowerCase().indexOf('gecko') != -1;

// Hypothetical key handler wired to the Textarea's onkeyup; elm is the Textarea
function onTextareaKeyUp(elm) {
    var intKey = 0;
    if (!is_gecko) {
        var evnt = window.event;
        intKey = parseInt(evnt.keyCode, 10);
    }
    // Process only if the key code is not in the ignore list (fix IE bug):
    // 8 Backspace, 16 Shift, 17 Ctrl, 18 Alt, 33 PgUp, 34 PgDn,
    // 37 Left, 38 Up, 39 Right, 40 Down.
    // Firefox leaves intKey at 0 and therefore always passes this condition.
    if (intKey != 8 && intKey != 16
        && intKey != 17 && intKey != 18
        && intKey != 33 && intKey != 34
        && intKey != 37 && intKey != 38
        && intKey != 39 && intKey != 40) {

        var posStart = doGetCaretPosition(elm);
        // ...processing string and move caret if you like
    }
}

Firefox is always fine with this; it won't reset the cursor position when you read the selectionStart property. Therefore, we only need to work around IE's weird behaviour ;-)

Thursday, May 14, 2009

A long way to go

It has been a couple of years since I started to think about how an E-Health system should evolve in such a niche market, short of funding and support. Although the Government has been aware that something should be done about E-Health services, there are no clear objectives on what has to be done. Most things are still happening on paper.

We know that there is a market among the hospitals. The medical staff at the front end are suffering from paperwork that should have been replaced long ago, now that the computer and the Internet exist. The buzzword that puts a hurdle in front of anyone stepping into the E-Health industry is "patient privacy".

What we can do is find a balance between opening information to the experts and guarding the patient's privacy.