How to execute PHP code on existing html page?

The way to execute PHP on a .html page is to modify your .htaccess file. This file may be hidden, so depending upon your FTP program you may have to modify some settings to see it. Then you just need to add this line for .html:

AddType application/x-httpd-php .html

If you only plan on including PHP on one page, it is better to set it up this way:

<Files abc.html>
AddType application/x-httpd-php .html
</Files>

This code will only make PHP executable on the abc.html file, and not on all of your HTML pages.

ApacheSolr Configuration in Ubuntu for Drupal

NOTE: For installing Apache Solr with Drupal on a Windows machine, please use the following link for the setup instead of the instructions below: http://drupal.org/node/532584. Also see the comments on that page if you run into any issues.

Installing Tomcat
sudo apt-get install tomcat7 tomcat7-admin tomcat7-common tomcat7-user tomcat7-docs tomcat7-examples

Start tomcat by typing
  sudo /etc/init.d/tomcat7 start

Security (not required if installing on the same machine)
If you are using iptables and installing Apache Solr on an external server, modify or add the following rule to accept connections on port 8080:
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT

This rule accepts connections from any source address; if Solr only needs to be reachable from the Drupal server, restrict the rule to that server's address.

After installation, open http://localhost:8080 or http://serverip:8080 in your browser. You should now see the Tomcat welcome page.

Install Solr
(Check for the latest version or nightly build on http://apache.rediris.es/lucene/solr/ or http://people.apache.org/builds/lucene/solr/nightly)
wget http://apache.rediris.es/lucene/solr/1.4.1/apache-solr-1.4.1.tgz

Unpack apache-solr-1.4.1.tgz:
tar -zxvf apache-solr-1.4.1.tgz

Linking tomcat7 with Apache Solr application

whereis tomcat7

This should give you an idea of where your distribution installed tomcat7. It should show you:
tomcat7: /etc/tomcat7 /usr/share/tomcat7

Attention: if your path is different, do not forget to also adjust it in the next steps.

sudo mkdir /usr/share/tomcat7/webapps

Copy the war file to the webapps directory:

sudo cp apache-solr-1.4.1/dist/apache-solr-1.4.1.war /usr/share/tomcat7/webapps/solr.war

Copy the example Solr application to a new directory called solr. We will change this example application later on so it is usable by Drupal 6:

sudo cp -R apache-solr-1.4.1/example/solr/ /usr/share/tomcat7/solr/
Create our config file:
sudo nano /etc/tomcat7/Catalina/localhost/solr.xml

And fill it with the following configuration:
<Context docBase="/usr/share/tomcat7/webapps/solr.war" debug="0" privileged="true" allowLinking="true" crossContext="true">
  <Environment name="solr/home" type="java.lang.String" value="/usr/share/tomcat7/solr" override="true" />
</Context>
Managing the tomcat7 application
We want to see how and/or if our Solr application is running; we can do this by using the manager application. By default you don't have access to this application, so we have to modify the permissions:
sudo nano /etc/tomcat7/tomcat-users.xml

And modify it so it more or less reflects the same information as shown here (substitute your own username and password):

<tomcat-users>
  <role rolename="admin"/>
  <role rolename="manager"/>
  <user username="nick" password="ateneatech" roles="admin,manager"/>
</tomcat-users>
Drop Tomcat security so Solr can access /usr/share/tomcat7/solr:
sudo nano /etc/default/tomcat7

And modify it so the security manager is disabled. Be careful if you are running on a server which you do not control 100%! With the security manager off, any web application deployed in this Tomcat instance is no longer confined by its policy.
TOMCAT7_SECURITY=no

Restart our Tomcat service:
sudo /etc/init.d/tomcat7 restart

Surf to http://localhost:8080/manager/, log in with the username and password from above, and check whether the solr instance is started. If not, start it and check whether or not you receive an error code!
If your application is started, surf to http://localhost:8080/solr/admin and you should see a nice screen!

Linking Drupal 6 with a running Apache Solr
Perform this step if you do not have the apachesolr module enabled already, i.e. you are adding Apache Solr to your site for the first time:

I assume you have Drush installed, so we continue with downloading the apachesolr module. Execute this command in the directory of the designated website:
drush dl apachesolr

Perform the following steps for all installations of Apache Solr:
Let's copy our schema that will customize our Apache Solr instance so it fits the "Drupal" bill:
sudo cp apachesolr/schema.xml /usr/share/tomcat7/solr/conf/schema.xml

sudo cp apachesolr/solrconfig.xml /usr/share/tomcat7/solr/conf/solrconfig.xml

Tip: it might be a good idea to use symbolic links so we can easily update our modules and update our schemas if they change … you never know with open source ;-)

Additional: give the folder permissions!
sudo chown -R tomcat7:root /usr/share/tomcat7/solr/

Enable the module in the modules list, go to the config screen, and fill in the following parameters:

Host name of your Solr server, e.g. localhost or IP Address or example.com
Solr host name: localhost

Port on which the Solr server listens. Tomcat is 8080 by default.
Solr port: 8080

Path that identifies the Solr request handler to be used.
Solr path: solr

On saving these settings, the message “Your site has contacted Apache Solr” will be displayed.
You can now start indexing the existing content on your site using cron, and check the amount of indexing done at “admin/settings/apachesolr/index”.

PHP: Stopping E-mail Injections

The best way to stop e-mail injections is to validate the input.

<html>
<body>
<?php
function spamcheck($field)
{
    // filter_var() sanitizes the e-mail
    // address using FILTER_SANITIZE_EMAIL
    $field = filter_var($field, FILTER_SANITIZE_EMAIL);
    // filter_var() validates the e-mail
    // address using FILTER_VALIDATE_EMAIL
    if (filter_var($field, FILTER_VALIDATE_EMAIL)) {
        return TRUE;
    } else {
        return FALSE;
    }
}

if (isset($_REQUEST['email'])) {
    // if "email" is filled out, proceed

    // check if the email address is invalid
    $mailcheck = spamcheck($_REQUEST['email']);
    if ($mailcheck == FALSE) {
        echo "Invalid input";
    } else {
        // send email
        $email = $_REQUEST['email'];
        $subject = $_REQUEST['subject'];
        $message = $_REQUEST['message'];
        mail("someone@example.com", "Subject: $subject",
             $message, "From: $email");
        echo "Thank you for using our mail form";
    }
} else {
    // if "email" is not filled out, display the form
    echo "<form method='post' action='mailform.php'>
    Email: <input name='email' type='text' /><br />
    Subject: <input name='subject' type='text' /><br />
    Message:<br />
    <textarea name='message' rows='15' cols='40'>
    </textarea><br />
    <input type='submit' />
    </form>";
}
?>
</body>
</html>

In the code above we use PHP filters to validate input:

  • The FILTER_SANITIZE_EMAIL filter removes all illegal e-mail characters from a string
  • The FILTER_VALIDATE_EMAIL filter validates value as an e-mail address
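As an added example (not the original page's code), here is a stricter version of the same check. Besides validating the address with filter_var(), it rejects any field that is bound for a mail header if it contains CR, LF or NUL, which is exactly what a header-injection attempt needs, and it never passes unvalidated input straight into mail(). The function names and the constructed sample inputs are this example's own assumptions.

```php
<?php
// Added example, not the original page's code. Function names and the
// sample inputs below are constructed for illustration.

// A header value may never contain a line break or NUL: an injected
// line break would let the sender start a new header line.
function is_safe_header_value($value)
{
    return is_string($value) && preg_match('/[\r\n\0]/', $value) === 0;
}

// Returns a clean address, or false if the input is not a single valid address.
function clean_email($value)
{
    if (!is_safe_header_value($value)) {
        return false;
    }
    $value = filter_var(trim($value), FILTER_SANITIZE_EMAIL);
    return filter_var($value, FILTER_VALIDATE_EMAIL);
}

// Validates the whole form. Returns array('ok' => true, 'data' => ...)
// or array('ok' => false, 'errors' => ...). Nothing is sent from here,
// so the caller decides what to do with the result.
function validate_mail_form(array $input)
{
    $errors = array();

    $email   = isset($input['email'])   ? $input['email']   : '';
    $subject = isset($input['subject']) ? $input['subject'] : '';
    $message = isset($input['message']) ? $input['message'] : '';

    $cleanEmail = clean_email($email);
    if ($cleanEmail === false) {
        $errors[] = 'email: not a single valid address';
    }
    if (!is_safe_header_value($subject) || strlen($subject) > 200) {
        $errors[] = 'subject: must be one line of at most 200 characters';
    }
    if (!is_string($message) || trim($message) === '') {
        $errors[] = 'message: must not be empty';
    }

    if ($errors) {
        return array('ok' => false, 'errors' => $errors);
    }
    return array('ok' => true, 'data' => array(
        'email'   => $cleanEmail,
        'subject' => $subject,
        'message' => $message,
    ));
}

// Sends only after validation; the From: header is built from the cleaned address.
function send_contact_mail(array $input, $to)
{
    $result = validate_mail_form($input);
    if (!$result['ok']) {
        return $result;
    }
    $d = $result['data'];
    $sent = mail($to, $d['subject'], $d['message'], 'From: ' . $d['email']);
    return array('ok' => $sent, 'errors' => $sent ? array() : array('mail() failed'));
}

// Constructed sample inputs for a stand-alone run (no mail is sent here).
$samples = array(
    'clean'             => array('email' => 'alice@example.com', 'subject' => 'Hello', 'message' => 'Hi there'),
    'line break in email' => array('email' => "alice@example.com\r\nBcc: bob@example.net", 'subject' => 'Hello', 'message' => 'Hi'),
    'multiline subject' => array('email' => 'alice@example.com', 'subject' => "Hello\nX-Test: 1", 'message' => 'Hi'),
);
foreach ($samples as $name => $input) {
    $r = validate_mail_form($input);
    echo $name, ': ', $r['ok'] ? 'accepted' : 'rejected (' . implode('; ', $r['errors']) . ')', "\n";
}
```

The difference from the page's spamcheck() is that a line break in the address is treated as a reason to reject the request rather than something FILTER_SANITIZE_EMAIL quietly strips away, and the subject gets the same line-break check because it is also written into the message headers.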

PHP: Preventing Cross-Site Scripting Attacks

Fortunately, as easily as an XSS attack can be carried out against an unprotected website, protecting against it is just as easy. Prevention must always be in your thoughts, though, even before you write a single line of code.

The first rule which needs to be “enforced” in any web environment (be it development, staging, or production) is never trust data coming from the user or from any other third party sources. This can’t be emphasized enough. Every bit of data must be validated on input and escaped on output. This is the golden rule of preventing XSS.

In order to implement solid security measures that prevent XSS attacks, we should be mindful of data validation, data sanitization, and output escaping.

Data Validation

Data validation is the process of ensuring that your application is running with correct data. If your PHP script expects an integer for user input, then any other type of data would be discarded. Every piece of user data must be validated when it is received to ensure it is of the correct type, and discarded if it doesn’t pass the validation process.

If you wanted to validate a phone number, for example, you would discard any strings containing letters, because a phone number should consist of digits only. You should also take the length of the string into consideration. If you wanted to be more permissive, you could allow a limited set of special characters such as plus, parentheses, and dashes, which are often used in formatting phone numbers specific to your intended locale.

<?php
// validate a US phone number
$phone = isset($_POST["phone"]) ? $_POST["phone"] : "";
if (preg_match('/^((1-)?\d{3}-)\d{3}-\d{4}$/', $phone)) {
    echo $phone . " is valid format.";
}

Data Sanitization

Data sanitization focuses on manipulating the data to make sure it is safe by removing any unwanted bits from the data and normalizing it to the correct form. For example, if you are expecting a plain text string as user input, you may want to remove any HTML markup from it.

<?php
// sanitize HTML from the comment
$comment = strip_tags($_POST["comment"]);
?>

Sometimes, data validation and sanitization/normalization can go hand in hand.

<?php
// normalize and validate a US phone number
$phone = isset($_POST["phone"]) ? $_POST["phone"] : "";
$phone = preg_replace('/[^\d]/', "", $phone);
$len = strlen($phone);
if ($len == 7 || $len == 10 || $len == 11) {
    echo $phone . " is valid format.";
}
?>

Output Escaping

In order to protect the integrity of displayed/output data, you should escape the data when presenting it to the user. This prevents the browser from applying any unintended meaning to any special sequence of characters that may be found.

<?php
// escape output sent to the browser
echo "You searched for: " . htmlspecialchars($_GET["query"]);

All Together Now!

To better understand the three aspects of data processing, let’s take another look at the file-based comment system from earlier and modify it to make sure it’s secure. The potential vulnerabilities in the code stem from the fact that $_POST["comment"] is blindly appended to the comments.txt file, which is then displayed directly to the user. To secure it, the $_POST["comment"] value should be validated and sanitized before it is added to the file, and the file’s contents should be escaped when displayed to the user.

<?php
// validate comment
$comment = isset($_POST["comment"]) ? trim($_POST["comment"]) : "";
if (empty($comment)) {
    exit("must provide a comment");
}

// sanitize comment
$comment = strip_tags($comment);
// comment is now safe for storage
file_put_contents("comments.txt", $comment, FILE_APPEND);
// escape comments before display
$comments = file_get_contents("comments.txt");
echo htmlspecialchars($comments);

The script first validates the incoming comment to make sure a non-zero length string has been provided by the user. After all, a blank comment isn’t very interesting.

Data validation needs to happen within a well defined context, meaning that if I expect an integer back from the user, then I validate it accordingly by converting the data into an integer and handle it as an integer. If this results in invalid data, then simply discard it and let the user know about it.

Then the script sanitizes the comment by removing any HTML tags it may contain.

And finally, the comments are retrieved, filtered, and displayed.

Generally the htmlspecialchars() function is sufficient for filtering output intended for viewing in a browser. If you’re using a character encoding in your web pages other than ISO-8859-1 or UTF-8, though, then you’ll want to use htmlentities(). For more information on the two functions, read their respective write-ups in the official PHP documentation.
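An added example (not the article's code) that carries the same validate/sanitize/escape pipeline from the comment system through as separate functions, and adds two things a practitioner usually wants: htmlspecialchars() called with ENT_QUOTES and an explicit UTF-8 charset, so single quotes are escaped and the encoding is not left to php.ini defaults, and the same escaper applied to the attribute context as well as the text context. The comment store is an in-memory array here instead of comments.txt so the script runs stand-alone; the function names and the sample comments are this example's assumptions.

```php
<?php
// Added example, not the article's code. Names and sample inputs are constructed.

// Escape for HTML text and attribute-value context. ENT_QUOTES also converts
// single quotes, and the charset is stated explicitly rather than inherited
// from php.ini's default_charset.
function e($text)
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Validate: a comment must be a non-empty string of reasonable length.
// Returns the trimmed comment, or null if it should be discarded.
function validate_comment($raw, $maxLen = 2000)
{
    if (!is_string($raw)) {
        return null;
    }
    $comment = trim($raw);
    if ($comment === '' || strlen($comment) > $maxLen) {
        return null;
    }
    return $comment;
}

// Sanitize: a plain-text comment should carry no markup.
function sanitize_comment($comment)
{
    return strip_tags($comment);
}

// Store: in a real deployment this would be comments.txt (or a database);
// here it is an array so the example runs without touching the filesystem.
function store_comment(array &$store, $raw)
{
    $comment = validate_comment($raw);
    if ($comment === null) {
        return false;
    }
    $store[] = sanitize_comment($comment);
    return true;
}

// Output: escape every stored comment at render time, never before storage,
// so the stored data stays usable for other outputs (JSON, e-mail, ...).
function render_comments(array $store)
{
    $html = "<ul>\n";
    foreach ($store as $comment) {
        // the same data appears in an attribute and in text; both are escaped
        $html .= '  <li data-comment="' . e($comment) . '">' . e($comment) . "</li>\n";
    }
    return $html . "</ul>\n";
}

// Constructed sample inputs, including the kinds of strings strip_tags()
// alone would not make safe to print unescaped.
$store = array();
$inputs = array(
    "Nice post!",
    "",                                 // rejected by validation
    "<b>bold</b> text",                 // tag removed by strip_tags
    "5 < 6 && 7 > 3",                   // survives strip_tags, must be escaped
    "\"quoted\" and 'single' quotes",   // ENT_QUOTES matters in attribute context
);
foreach ($inputs as $raw) {
    $accepted = store_comment($store, $raw);
    echo ($accepted ? 'stored  : ' : 'rejected: ') . json_encode($raw) . "\n";
}
echo render_comments($store);
```

Run it from the command line with php and compare the rendered list with the stored array: the stored values still contain the bare < and quote characters, and only the rendered HTML has them encoded, which is the "validate on input, escape on output" rule from the start of this section in practice.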

Bear in mind that no single solution exists that is 100% secure on a constantly evolving medium like the Web. Test your validation code thoroughly with the most up-to-date XSS test vectors. Using the test data from the following sources should reveal whether your code is still prone to XSS attacks.