FLIXEY.COM

Sorry I haven’t been posting (if anyone actually reads my posts.) I’ve been plain busy and I have to admit lazy. My AP Calculus exam just ended today and before that I had a lot of work to finish. I’m still being bombarded with work but decided to post after doing nothing for a straight month.

There are many browser-based game, which are most of the time strategic simulation games. These kind of games don’t have too many graphics and consists of mostly static images, but they’re addictive beyond normal games. I’ve recently started one called Tribal Wars, and I’m already addicted to it (before this, I was addicted to o-game) They’re both similar games where you attack, farm, get resources, build stuff, and so on; but their settings are very different. The reason these so-called browser-based games are so addictive is because you don’t play them for hours in a row, but you just access your page for a few minutes whenever you find time. The game lasts for a LONG time: until you get tired of it, or your village gets demolished.

Some people might call these games pointless and an absolute waste of time, but it’s actually fun. You have to have strategy and think a bit. You engage wars with other players and learn to work together with other people. Communication also becomes an important factor once you start engaging wars in groups such as tribes or clans.

The joy of getting resources, gaining points, constructing buildings, attacking, and taking over are felt when playing these games. It’s like warcraft or other simulation games except you play for days, months, or even years. These games are also updated consistantly, and your neighbors develop as well. It might depend on who you are, but these games are so addictive you won’t be able to stop playing and will be attached to your village/planet or whatever you own on the game you play.

(preview)

This is another one of the scripts I wrote quite a while ago. It just wrote it out of pure boredom and actually got somewhere. Korean social securyity numbers have a pattern, consisting of 13 digits segmented into 2 parts of 6 and 7 digits. The first part is like this.

The second part is a bit complicated. It hold information on your gender and which region of Korea you were registered from. The gender codes are 9 for male 0 for female if you were born in the 1800s, 1 and 2 for the 1900s and 3 and 4 for the 2000s. The regional codes are complicated so I’ll pass on that.

The check number is generated by a pattern. The following PHP code calculates it.

function get_check_no($s_no){
　unset($total);
　　
　for($i=0; $i<13; $i++){
　　$s_no[$i] = intval($s_no[$i]); // convert to integer
　}
　
　// calculate social security number
　$total = $s_no[0]*2 + $s_no[1]*3 + $s_no[2]*4 + $s_no[3]*5 + $s_no[4]*6 + $s_no[5]*7 + $s_no[6]*8 + $s_no[7]*9 + $s_no[8]*2 + $s_no[9]*3 + $s_no[10]*4 + $s_no[11]*5;
　$total = $total%11;
　$check_no = 11-$total;
　
　// if the value of the check number exceeds 9, divide by 10 and return remainder
　if($check_no>9){
　　$check_no = $check_no % 10;
　}
　
　return $check_no; // return result
}

So I created the bruteforcer by simply letting someone enter a hash, birthdate, and gender to get a general idea of what the SSN will look like. Then I simply incremented the leftover digits and calcultated the check numbers. I then hashed them and checked them with the entered hash value.

<?php
$b_year = $_POST['b_year'];
$b_month = $_POST['b_month'];
$b_day = $_POST['b_day'];
$gender = $_POST['gender'];
$s_no_hash_str = $_POST['s_no_hash_str'];
$hash_type = $_POST['hash_type'];
// error messages
if(!$b_year){
　echo “* Enter birth year<br />”;
}
if(!$b_month){
　echo “* Enter birth month<br />”;
}
if(!$b_day){
　echo “* Enter birth day<br />”;
}
if(!$gender){
　echo “* Select gender<br />”;
}
if(!$s_no_hash_str){
　echo “* Enter hashed SSN.<br />”;
}
if(!$hash_type){
　echo “* Select hash type<br />”;
}
// if everything is entered, start processing.
if($b_year && $b_month && $b_day && $gender && $hash_type && $s_no_hash_str){
// pad valued with 0
$b_year = str_pad($b_year, 4, ‘19′, STR_PAD_LEFT);
$b_month = str_pad($b_month, 2, ‘0′, STR_PAD_LEFT);
$b_day = str_pad($b_day, 2, ‘0′, STR_PAD_LEFT);
$b_year_det = substr($b_year,0,2);
$b_year = substr($b_year,2,2);
if($b_year_det == “18″){
　if($gender == “1″){
　　$gender = “9″;
　}
　else{
　　$gender = “0″;
　}
}
else if($b_year_det == “19″){
　if($gender == “1″){
　　$gender = “1″;
　}
　else{
　　$gender = “2″;
　}
}
else if($b_year_det == “20″){
　if($gender == “1″){
　　$gender = “3″;
　}
　else{
　　$gender = “4″;
　}
}
// loop misc
for($misc=0;$misc<=99999;$misc++){
　// pad misc
　$misc = str_pad($misc, 5, ‘0′, STR_PAD_LEFT); // pad left with 0’s
　
　// merge valued to form actual s s no
　$s_no_1 = $b_year.$b_month.$b_day;
　$s_no_2 = $gender.$misc;
　
　// get full number including check number
　$s_no_string = $s_no_1.$s_no_2.get_check_no($s_no_1.$s_no_2);
　
　// select hash type and convert
　if($hash_type == “md5″){
　　$s_no_hash = md5($s_no_string);
　}
　else if($hash_type == “sha1″){
　　$s_no_hash = sha1($s_no_string);
　}
　// if the hash matches the processed, return the value and break loop
　if($s_no_hash == $s_no_hash_str){
　　echo ”
　　Done: “.$s_no_string.”(”.$s_no_hash.”)
　　<script type=\”text/javascript\”>
　
　　<!–
　　document.getElementById(’result’).innerHTML = ‘”.$s_no_string.”‘;
　　//–>
　　</script>
　　”;
　　break;
　}
　// if not… just print current value and continue
　else{
　　echo “Processing: “.$s_no_string.”(”.$s_no_hash.”)<br />”;
　}
}
}
?>

After about a weeks planning, I have finally bought the Samsung Syncmaster 245B. It is a 24 inch TN TFT LCD monitor with VGA and DVI input. Its maximum resolution is 1920 x 1200 which gives quite a bit of workspace. Somereviews say the vewing angles aren’t too good, but I couldn’t really tell the difference. Because I hooked it up to a Dell D410 Latitude laptop which uses a graphics accelerator rather than a real graphics card, the pictures might be a bit lower in quality. But since I don’t really game or to any graphics intensive working, it hasn’t been a problem so far.
When I first saw the box, my reaction was “whoa.” The monitor was bigger than I really expected and I had to move alot of things around in my room to make it fit properly. After strugglings with tons of cabling , I finally got to hook the monitor up and turn it on. But there was a problem! My computer was OS-less… The night before I had messed up the OS so I had to reinstall windows before I could check out the monitor. I waited whilst doing some homework and drinking some nice green tea.
After waiting for ever, windows was ready, I installed all the drivers and programs and went through the basic routine when you format a computer. When finally everything was back to normal, I turned on the monitor, and voila, the screen appeared. I had to do adjust the resolution first to 1920 x 1200. The resolution and quality was just awesome. My laptop monitor wasn’t something you could even compare it with. I tried setting the brightness to maximum, but unlike my laptop, the thing got blinding so I had to set it down a bit.
Overall, I am very satisfied with my monitor and am hoping I can get a computer with a proper graphics card so I can use it to its fullest potential.

[Show as slideshow]

I made another program under my friend’s request for it. It’s a RapidShare.com link checker. It checks if links are dead or not then adds up the filesizes. It’s a very simple PHP script. It basically works by opening each HTML document, searching for the string with the memory, storing them into an array, then adding them up. If a filesize is not found, it classified the link as DEAD. It’s a very simple and could use more security like checking if the link is a rapidshare link before opening it and so forth.

Source Code:

<?php
$links = $_POST['links']; // get links from POST
$links = explode(”\n”,$_POST['links']); // explode links
$z = 0;
$filesize = array(); // define array
while($z <= count($links) -1){ // while $z is smaller than the number of links
　$html = $links[$z]; // store link into var
　$html = @file_get_contents($html); // get contents of link
　preg_match(”/\(<b>(.*)<\/b> KB\)/i”,$html,$matches); // pregmatch to get the filesize
　$filesize[$z] = $matches[1]; // store filesize in array
　if(!$filesize[$z]){ // if filesize doesn’t exist
　　$filesize[$z] = 0; // define as zero
　　$links[$z] = $links[$z].” DEAD”; // define as DEAD
　}
　$z++;
}
$filesize[total] = array_sum($filesize); // add all filesized
$filesize[unit] = “KB”; // default unit is KB
if($filesize[total] >= 1024){ // If is more than 1024 KB
　$filesize[total] /= 1024; // divide value with 1024
　$filesize[unit] = “MB”; // define as MB
　if($filesize[total] >= 1024){ // if value it bigger than 1024 again
　　$filesize[total] /= 1024; // divide by 1024 again
　　$filesize[unit] = “GB”; // and define as GB
　}
}
?>
…
<?php
$i = 0;
while($i <= count($links) -1){ // while $i is smaller than the number of links
　 echo $links[$i].” (<b>”.$filesize[$i].”</b>)<br />”; // print them
　 $i++;
}
echo “<b>Total</b>: “.round($filesize[total],2).$filesize[unit]; // print total filesize
?>

SQL injection is a fun thing to do when you’re bored. Just try submitting a typical injection query into a login form, it’ll work some of the time. I was aware if this, but I am still surprised by the stupidity of many institutions and organization that leave their security compromised by simply not escaping meta characters.

The screen-shot on the left is the login form of an administrator panel of a school. I’ve entered a typical SQL injection expression. Let’s see what happens. (Simple SQL injection is explained here)

It actually let me login as admin! I mean, I know programmers can make mistakes and school don’t always hire good programmers, but they should at least try to keep their students’ private data safe. Their whole school data could be erased by a malicious kid who just happened to try SQL injection on their site. A student of that school could even edit his or her own grades, change their own attendance, and lower the grades of someone they don’t like.

I’ve tried this with many other sites and a large portion of them failed to escape characters and allowed me to trick the script into logging me in, usually as an administrator. If you run a site with a custom-built script, you should check for this very simple but critical vulnerability. Who knows, maybe your own school’s administrator panel has this vulnerability.

Although this can turn out to be very chaotic, it actually takes less than a line of code to remedy it. In PHP, the addslashes() function can be used to escape all characters. One function, that’s all it takes to prevent people from viewing your administrative data and mess around with your site. Check some admin panel logins and try this method, a surprising number of them will fall for this trick and you’ll be granted administrator power and be granted to do whatever you want with that site (of course, if you’re caught you’d be sentenced to cyber crime and thus be screwed).

Go around and check. Tell your friend about a security hole in his site (or possible pull a prank first). Tell your school, organization, and just see their reaction. Just be careful not to bug the school administrator too much or you might get in trouble.

A related and funny comic strip (for those of you who know SQL)

I’m releasing my old FLV downloader source. It’s pretty out-dated and doesn’t work at all, but you can look at it and make modifications so that it does. The source is really messy which is one of the reasons I decided to remake it into what I have up now (http://video.flixey.com)

The source is as it was when I used it except I removed my hosting details, adsense, and analytics sources. Don’t hesitate to ask or comment through the guestbook or by just commenting on this post.

Info

• Programming languages used: PHP, Javascript
• PHP Classes used: PEAR HTTP
• Languages available: Korean, Japanese, French, German, English, Polish, Chinese
• Requirements
• Server must support PHP
• Server must support MySQL, or delete the DB related sources
• Server must have URL fopen enabled
• Once again: it won’t work out of the box

Download 1

Download 2

It has been a while since I started to follow web standards and started cross-browser coding (not to be confused to cross-site scripting). I became aware of the importance when I saw the immense number of visitors using Firefox and IE Explorer along with other browsers like Safari and Opera. I even got visitor using the Play Station 3 browser. I figured I couldn’t just ignore people using browsers my site didn’t support, so I learned about the W3C Recommendations and basic cross-browser scripting. I stopped using IE specific functions and properties. A book that helped me is SAMS Teach Yourself JavaScript in 24 Hours. It’s up-to-date and includes information on cross-browser scripting and web standards.

Internet Explorer is still the mainstream browser, but you can see that Firefox is also dominant. In addition, despite having a relatively smaller number of users, Opera and Safari are also a significant segment of the statistics. This table shows the importance of cross-browser coding and web standards.

The first step of following web standards is reading the W3C XHTML recommendations. I suggest using the XHTML Transitional DTD since the Strict DTD is literally strict. A DTD is a Document Type Definition and it basically defines the regulations of web standards and is used to validate your XHTML code. Then you can start validation your websites using the W3C Validator to check whether the document is valid in the DTD you chose.

The second step is to learn how to code your JavasScript to work in all browsers. JavaScript can be scripted to be cross-browser multiple ways, but the most widely used method is by using the try and catch method. The following is an example of a cross-browser AJAX object initialization.

try{
　　// Firefox, Opera 8.0+, Safari, IE7
　　ajaxReq = new XMLHttpRequest();
　　}catch(error){
　　　　// IE5, IE6
　　　　try{
　　　　　　ajaxReq = new ActiveXObject("Msxml2.XMLHTTP");
　　　　　　}catch(error){
　　　　　　　　try{
　　　　　　　　　　ajaxReq = new ActiveXObject("Microsoft.XMLHTTP");
　　　　　　　　　　}catch(error){
　　　　　　　　　　　　return false;
　　　　　　　　　　}
　　　　　　　　}
　　　　　　}
　　　　}
　　}
}

This script tries a method and if an error occurs it detects it and executes the code within the catch expression. There can be a try expression within a catch expression and thus a cross-browser script can be coded this way.

To successfully code in cross-browser format, you should learn what functions or properties are IE or Firefox specific and avoid using them. Web standards are cross-browser coding are becoming more important by the second, so it’s to your benefit to get used to them as apply them when you’re coding.

As some people might have noticed, the whole site including the video downloader were down for quite a bit yesterday. I was moving hosting and had to get used to the different environment. I switched from awardspace to hostican. So far I’m very pleased and think I’ve moved well. Awardspace was always slowing down and had alot of downtimes which frustrated me when i wanted to post or try something out online.

The most significant change is the customer service. Hostican is just absolutely good at handling their customers. They have a ticket system (which most hosting services do), but they reply very fast and send you emails that confirm that your ticket has been submitted. Their phone service is also nice, they pick up quickly and give you friendly replies that actually help. But one of the new things I see is their support over chat. They have a chat window on their website which you can use to gain support, Although the engine itself could use a bit more tweaking, I personally thought it was a great Idea.

The hosting plan I got was their tera-host plan. It has unlimited bandwidth and 1TB of storage. At $93.40 it was a bargain. I used a coupon which was “BestHosting-12″ and that gave me a $50 discount. But before you barge in and try to host a relatively large site, you might want to consider that they are probably overselling. Hosting companies have thousands of customers and giving 1TB to each customer is one hard-drive per person. The following table is the sidebar on cPanel.

Main Domain	flixey.com
Home Directory	-
Last login from	-
Disk Space Usage	34.88/1000000 MB
Monthly Bandwidth Transfer	82.52/∞ MB
Email Accounts	1/∞
Subdomains	3/∞
Parked Domains	0/∞
Addon Domains	2/∞
Ftp Accounts	5/∞
SQL Databases	1/∞
Hosting package	Tera-Host
Server Name	esc12
cPanel Version	11.18.3-RELEASE
cPanel Build	21703
Theme	x3
Apache version	2.2.8 (Unix)
PHP version	5.2.5
MySQL version	5.0.45-community
Architecture	i686
Operating system	Linux
Shared Ip Address	-
Path to sendmail	/usr/sbin/sendmail
Path to PERL	/usr/bin/perl
Kernel version	2.6.9-67.0.4.ELsmp
cPanel Pro	1.0 (RC1)

The cPanel is good, but it doesn’t have the greated system for domain management. What is does is it creates a subdomain for each “add-on domain” and creates a folder within the root folder of your primary domain. Thus, you can access “domain2.com” from “http://domain.com/domain2.com.” I managed to prevent this by using .htaccess rules and a few tricks, but it is quite troublesome.

Another thing I like about this hosting is that it’s pretty flexible. The permissions aren’t totally locked and you can change it but not go above 755. The directory indexing is open at first so you have to close it with an .htaccess file (of course this isn’t too good).

Overall, I’m very pleased with what I have experienced with hostican so far. The strongest pro is their customer support which really helps when you need to know something or get something fixed. Of course I only bought it yesterday and have not experienced everything yet. But I still find it a great hosting and don’t think I’ll run into any huge problems. If you’re interested, you can visit their website.

Ubuntu is an free and open source linux distribution. It can be installed by using their free ship-it service or by downloading. Ubuntu has many features and in some ways is better than windows. It has nice graphical effects using compiz, supports multiple desktop, and has a good design. It’s also very light weight so very good for computers with low-end hardware. Despite these pros, Ubuntu takes forever to set up compared to windows. It took me a few hours just to get the multi-lingual input method working.

Windows is what you’re probably using now. It’s the world’s most renown operating system. Most people now are still using Windows XP but alot of people have already upgraded to Windows Vista. Everyone knows about it, so I’ll just pass here.

When you compare Ubuntu and Windows, Ubuntu is probably better. However, the most major problem is: Ubuntu doesn’t have much software! First of all, for those who have iPods, Ubuntu is nearly hell–especially if you have the new iPod Nano, Classic, or Touch. There are iPod management application for Ubuntu, but they’re not as good as iTunes for actually managing your iPod. It’s difficult to set up your libraries and play lists, videos don’t work most of the time, and Pod Casts aren’t sorted as Pod Casts. OK, if you have the skills, sure, you might get this to work. But it’s really time consuming and you need to know alot about computers before you can.

Another con about Ubuntu is it doesn’t suspend or hibernate properly on certain laptops. There are fixes for this but even those stop working sometimes.

Although Ubuntu might be a bit hard to set up and doesn’t have so much compatability, it’s generally a very good OS. It’s just that not many people use it as much as Windows XP and so there’s not much software for it.

When you use Ubuntu, you’ll feel like your flying–no blue screens of death, no unexpected freezes (ok, some), and generally it gives you a really smooth workspace.

If you want to use Ubuntu, but need to use Windows for certain tasks, you can try dual booting. Before you try this, search for partitioning and see if your motherboard/BIOS supports it.

[Show as slideshow]

SQL Injection is a technique used to exploit security holes in a system using SQLs such as MySQL. This kind of security hole usually occurs when a programmer doesn’t filter quotes or other meta-characters properly. The following code is an example of a such a vulnerability.

if(mysql_query("SELECT * FROM member_tables WHERE id = '".$login_id."' and password = '".$password."'")){
[...code for login...]
}

If quotes aren’t stripped from the variables $login_id or $password, a malicious user can inject SQL functions. They could login as the first user, in most cases the administrator, by typing in something like this into either of the two variables:

s' or 1=1 --

The one line can be catastrophic to a website’s security. If the quote isn’t filtered, the script will read the code like this

if(mysql_query("SELECT * FROM member_tables WHERE id = 's' or 1=1 --' and password = '[password]‘)){
[...code for login...]
}

The or statement makes it so even if only one condition matches, it will return a true value and execute the script. Since 1=1 is always true, the script will launch no matter what. The rest of the SQL statements are commented out by the two dashes (–). Is this the end? Nope.. If the security of the site is so weak, some one could easily delete all the members from the database. It’s just like the one above, but you add a bit of code and do a bit of guesswork.

s' or 1=1;DROP TABLE member_table; --

This would render this in the script

if(mysql_query("SELECT * FROM member_tables WHERE id = 's' or 1=1;DROP TABLES member_table; -- --' and password = '[password]‘)){
[...code for login...]
}

That just deletes the table. End, unless you have backup.

As devastating as this can be, it’s also very simple to prevent. You simply escape or remove quotes from a query using a built in function. In the case of PHP, the addslashes() function does the trick. So, the script above should be fixed to

$login_id = addslashes($login_id);
$password = addslashes($password);
if(mysql_query("SELECT * FROM member_tables WHERE id = '".$login_id."' and password = '".$password."'")){
[...code for login...]
}

This function adds backslashes (\) before metacharacters which lets the character be treated as just a string and not a special one that affects the acting of the query.