Code, Security and Server Stuff

Views are my own and not my employer's.

Personal Development Blog...

Coding for fun since 1996, Learn by doing and sharing.

Buy a domain name, then create your own server (get $25 free credit)

View All Posts.

Code

How to code PHP on your localhost and deploy to the cloud via SFTP with PHPStorm by Jet Brains

by

This is a quick guide that will show you how you can connect to a cloud server via SFTP with the PHPStorm IDE from Jet Brians and deploy files from your localhost to the cloud. This is my opinion, I am not paid to promote PHPStorm or UpCloud.

Advertisement:



Pre-Requisites/Assumptions

This guide will assume you already have (or know how to)..

I am using Windows 10 Home (with IIS Web Server (document root redirected to S:\Code\) and a pre built Ubuntu Cloud servers.

IIS pointing to S:\Code

Why no FTP? I do not create FTP servers on my serves to increase security and I only access servers via SSH via white-listed IP’s and then authenticate with hardware 2FA keys from YubiCo (read me 2FA guide here and also how to secure *nix servers and WordPress with 2FA).

Background

2 years ago I used to use the Cloud 9 IDE to connect to, and code files on cloud servers and life was good. I could configure and connect to servers, drag and drop files, run bash scripts from a web page and close the Cloud 9 browsers tabs, travel hundreds of kilometres and log back into C9 and all code and bash scripts would reappear.

Here is the Cloud 9 IDE showing code on the left and a Browser on the right.

C9.IDE showing code on the left and web page on the right

With Cloud 9 code could be easily accessed, edited and run.

See screenshot of code running from a Cloud 9 hosted server with properties windows on the right.

C9 IDE showing a bash terminal windows and code

Advertisement:



Regrettably, I cancelled my $9/m subscription to Cloud 9 after a minor stroke and since then I have gone back to a terminal screen to code and transfer files. In the last 2 years.

Screenshot of the putty program connected to a Ubuntu box editing a file with nano

Uploading and downloading files on mass is painful via pure SSH.

AWS has since purchased Cloud 9 and I am not sure if it will ditch support of non-AWS servers in the future. AWS is good but servers are very expensive for what you get IMHO. I have found Disk IO on UpCloud is awesome (also UpCloud support is great (I am not paid to say that)).

PHPStorm IDE?

A quick Google of IDE’s like Cloud 9 mentioned PHPStorm from Jet Brains. I have used IntelliJ IDEA from Jet Brains before and PHPStorm seems to be very popular.

Go to
https://www.jetbrains.com/phpstorm/ and see the features of PHPStorm

Watch PHPStorm in action

Whats new in PHPStorm 2019.1

Advertisement:



Install PHPStorm

Visit https://www.jetbrains.com/phpstorm/download/ and download and install PHPStorm (free trial 30 days)

System requirements

  • Microsoft 10/8/7/Vista/2003/XP (incl. 64-bit)
  • 2 GB RAM minimum
  • 4 GB RAM recommended
  • 1024×768 minimum screen resolution

Pricing

PHPStorm is $8.90/m for individual use (or $19.90/m commercial). For the first 12 months of uninterrupted subscription payments qualify you for receiving a perpetual fallback license (20% discount for an uninterrupted subscription for a 2nd year, 40% discount for an uninterrupted subscription for 3rd year onwards).

PHPStorm work on Windows, OSX or Linux. This great an I use Windows locally and Linux remotely but I’m keen to use Linux locally to match local and remote dev environments.

Official PHPStorm Pricing Page:
https://www.jetbrains.com/phpstorm/buy/#edition=commercial

fyi: Jet Brains has free licencing for individual use for Students and faculty members.

Creating a Project

Open PHPStorm and select “Create New Project”.

Create New Project screen

Advertisement:



Choose a project type on the left (e.g “PHP Empty Project“) and choose a location to save too (I chose “S:\code\php001) on my local machine. I chose “S:\code\php001” on my local machine.

New Project screenshot asking for a name and save location

Choose a folder to save to.

Choose a project and location to save to locally

Click “OK” to create the project.

PHPStorm will have created a project for you. You will notice a “.idea“folder under the location you saved with these files.

  • misc.xml
  • modules.xml
  • php001.xml
  • wordspace.xml

Do not delete these files.

Advertisement:



Creating your first PHP file

You can right click on the project root and select New then PHP File

Right click on the root in the tree view then new PHP File

Or clicking the File then New menu choosing PHP File.

File new PHP File dialog

Name the file (e.g index.php)

Naming a file index.php

The file has been created and its available in my localhost web server.

Screenshot showing PHPStorm with index.php, S:\Code showing index.php and http://localhpst/php001/index.php loading

Advertisement:



Creating a Deploy Target

Now we need to specify a deploy target in PHPStorm to push the file changes to the cloud. Backup your server (yes backup your server just in case).

Open your PHPStorm project and click Tools, Deployment and then Configuration.

Click Tools, Deployment and then Configuration.

Click the plus icon near the top left and choose SFTP

Screenshot showing add new deployment server (SFTP)

Advertisement:



Name the deployment target (e.g “server (project)”)

Screenshot of an input box showing a server name
  • Enter your “server name” or IP and port
  • Enter your “ssh username” (ensure the SSH user had write access to the wwwroot folder and the web server can read the files written by this user)
  • Under password I chose “Key pair OpenSSH or Putty (as I had SSH details already setup in Putty details
  • You can add your ppk private key from Putty (use the puttygen program to conbvert ssh public and private kets to ppk format)
  • If you have a passphrase on your SSH key add it now
  • Enter your web servers remote path (for the project)
  • Enter your web server URL
Screenshot showing a server name, port, username, password, ssh file passphrase, root path and web server url.

I did SSH to my remote server and created the destination folder. This will ensure I can deploy code here (PHPStorm does not create the remote path fpor you ).

mkdir /wwwroot/php001
chown -R www-data:www-data /wwwroot/php001/

Advertisement:



Click Test Connection

Test Successful screenshot

No we need to click the Mappings tab and add a mapping.

  • Local path is your local path
  • Deployment path is / (the web root path is carried forward from the previous tab)
  • Web path is the web path that is entered in the browser
Screenshot showing a manual file mapping of local and remote file locations

Click Add New Mapping. Now we are ready to deploy

Deploying code to the cloud

I right clicked on the root note in PHPStorm and created an index.php file.

Creating an index.php file by file new

Advertisement:



I edited the index.php on my local machine and then click the Tools then Deployment and choose “Upload to fearby.com (php001)” menu.

Manual upload available in Tools menu then Deployment menu

The File Transfer output window showed the transfer progress.

Screenshot showing the file transfer window output saying the file uploaded.

I loaded https://fearby.com/php001/index.php in Google chrome. It worked.

Screenshot showing https://fearby.com/php001/index.php loaded in a bowser

Advertisement:



Don’t forget to turn off Automatic uploads under Tools, Deployment menu.

'Screenshot showing Automatic updated turned on

Now when I create new files or change existing files they will auto upload.

Sourc Control

I will add this soon.

Shell Command

You can also open an SSH console to the server and run commands

e.g zip files

zip -r backup.zip .

I can also open a folder window in PHPStorm and show all remote files by clicking Tools then Deployment then Show Remote Files, Zip files can be easily downlaoded or other files uploaded. Nice.

Screenshot showing remote files

Linux Client

I will review the Linux PHPStorm client soon.

Advertisement:



Troubleshooting

Watch the Official guide on Deployment and Remote Hosts in PhpStorm – PhpStorm Video Tutorial

Good Luck. I hope this guide helps someone.

Version

1.2 Removed advertisements

1.1 Minor Updates

1.0 Initial Version

Useful Java FX Code I use in a project using IntelliJ IDEA and jdk1.8.0_161.jdk

by

This is some useful Java FX Code I use in a project using IntelliJ IDEA and jdk1.8.0_161.jdk. I am sharing this code here for the #100DaysOfCode readers and people looking for code answers.

Advertisement:



Aside

If you have not read my previous posts I have now moved my blog to the awesome UpCloud host (signup using this link to get $25 free UpCloud VM credit). I compared Digital Ocean, Vultr and UpCloud Disk IO here and UpCloud came out on top by a long way (read the blog post here). Here is my blog post on moving from Vultr to UpCloud.

Buy a domain name here

Domain names for just 88 cents!

As promised, Java code.

Background

I am developing a Java (Windows/Mac/Linux) JavaFX app to assist me (and others) click their way through a Server deployment (domain name purchase, email setup, DNS etc) to the configuration (server host, operating, web server, database etc) to securing (DNSSEC, SPF, DMARC, Firewall etc).

I want to automate much of what I have learned over the last 2 years building apps and services (see all blog DevSecOps posts here: https://fearby.com/all/ ) on a self-managed Linux stack. I love the lower cost, higher security and flexibility of deploying self-managed servers on Linux (I love UpCloud) but not the command line interactions (that’s why I am learning Java, I do not want to develop another web-based GUI as I find them less secure than a good SSH connection). I have been developing on Windows since 1999.

Now show me Jave code.

Save date-time variables in Controller Initialize event to use in Logging

I like to log console events to a filename that is the date-time an app was started.  Add this to “public class Controller implements Initializable”

public Date todaysDateTime = new Date();
DateFormat datetimeFileNameCompatible = new SimpleDateFormat("dd-MMM-yyyy HH-mm-ss.S");
public String strLogFileTimeFilename = "zAPPDISCO - " + datetimeFileNameCompatible.format(todaysDateTime);

Now the log filename can be used below in a log function (DoLog).

Advertisement:



Read Ini File

Download http://ini4j.sourceforge.net/ (binary files) and add ini4j-0.5.4.jar to your source folder (or use Maven etc to download the package)

Import the ini4j class to your Controller.

import org.ini4j.Ini;

Sample appname.ini file

# Ini file comment goes here

[config]
forceoffline = false
log = true

[settings]
checkipatstartup = true
checkinternetconnectionatstartup = true

[app]
name=blah blah app name
app_major = 1
appminor = 0
apprevision = 18

[mainwindow]
mainwidth = 1619.0
mainheight = 1119.0
mainleft = 147.0
maintop = 44.0

[settingswindow]
settingswidth = 1286.0
settingsheight = 1010.0
settingsleft = 9.0
settingstop = 153.0

Load an Ini file

objIni = new Ini();
System.out.println("  - Opening app.ini" );
try {
    objIni.load( new FileReader("src/appname/appname.ini"));
    System.out.println("   - Loaded INI (OK)" );

} catch (IOException ex) {
    System.out.println("   - Error Loading appname.ini ( " + ex.toString() + ")");

}

Now we are ready to load values from the loaded Ini file.

Load a Boolean from Ini file

I like to set if an app can talk to the net (by checking an Ini file to see if a user does not want online activity).

private Boolean FORCE_OFFLINE = false;
FORCE_OFFLINE = objIni.get("config","forceoffline",boolean.class);

Load String from an Ini File

System.out.println (" - App Name: " + objIni.get("app","name"));

Global Variables Class

package appname;

public class GlobalVariables {

    public int APP_MAJOR = 0;
    public int APP_MINOR = 0;
    public int APP_REVISION = 18;

    //etc
}

Advertisement:



Copy the global variables class in a new controller, add the following code to your new controller’s “public class Controller implements Initializable” function

GlobalVariables global = new GlobalVariables();

Read the constants in the global variable class (copy)

DoLog("Started App Disco (v" + global.APP_MAJOR + "." + global.APP_MINOR  + "." + global.APP_REVISION + ") - https://fearby.com");

Log function that writes to the stdout console and physical log file if desired (set in the ini file)

private void DoLog(String logThis) { 
    // Log to std out
    System.out.println(logThis); 

    // Write to log file
    try{
    	// Declare a new Ini object
        objIni = new Ini();

        System.out.println("  - Opening appname.ini" );
        try {
            objIni.load( new FileReader("src/appname/appname.ini"));
            System.out.println("   - Loaded INI (OK)" );
        } catch (IOException ex) {
        	// Error
            System.out.println("   - Error Reading from appname.ini ( " + ex.toString() + ")");
        }

        // Check the ini file and see if the user wants to out output a log file.
        System.out.println("    - Reading [config] section in Ini file" );

        Boolean DO_LOG;
        DO_LOG = objIni.get("config","log",boolean.class);
        System.out.println("     - DO_LOG = " + DO_LOG.toString() );

        // Does the use want the console to be logged to a date stamped file too?
        if (DO_LOG == true) {
            
            // Append To File
            FileWriter fstream = new FileWriter( strLogFileTimeFilename.toString() + ".log", true);
            BufferedWriter out = new BufferedWriter(fstream);

            // Get Latest Time to prefix to the log entry
            Date todaysDateTimeLog = new Date();
            DateFormat datetimeHumanReadableFormat = new SimpleDateFormat("dd/MM/yyyy HH:mm:ss");
            String strLogFileTimeHuman = datetimeHumanReadableFormat.format(todaysDateTimeLog);

            // Log Desired Line
            String strLogThisTS = strLogFileTimeHuman.toString() + " = " +  logThis;
            out.write(strLogThisTS + "\n");

            //Close the output stream
            out.close();

        } else {
            //System.out.println("      - Skipping logging as set in the ini file.." );
        }


    } catch (Exception e){
    	//Catch exception if any
        // todo: Need to write to System.out.printl to prevent loop
        System.out.println ("Error: " + e.getMessage());  
        
    }
}

Advertisement:



Get Contents from URL

private static String getContentsFromURL(String theUrl)
{
    StringBuilder content = new StringBuilder();

    try
    {
        // create a url object
        URL url = new URL(theUrl);

        //todo: Add Newwor check code
        
        URLConnection urlConnection = url.openConnection();
        BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(urlConnection.getInputStream()));

        String line;

        while ((line = bufferedReader.readLine()) != null)
        {
            content.append(line + "\n");
        }
        bufferedReader.close();
    }
    catch(Exception e) {
        e.printStackTrace();
    }

    return content.toString();
}

Test the internet connection by downloading the contents of a URL

String isup = getContentsFromURL("https://audit.fearby.com/isup/");
System.out.println( "Is UP: " + isup.trim().toUpperCase().toString());

Get the IPV4 address of the calling client

String isup = getContentsFromURL("https://audit.fearby.com/ip/");
System.out.println( "Is UP: " + isup.trim().toUpperCase().toString());

The IP page contains

<?php
echo htmlspecialchars($_SERVER['REMOTE_ADDR'], ENT_QUOTES, 'UTF-8');
?>

 

SSH to a server and run a command

This is handy for connecting to a server via SSH (and using an SSH passphrase, not a system username password). This is using the Jsch library from http://www.jcraft.com/jsch/

try {
    JSch jsch = new JSch();

    String user = "sshusername";
    DoLog("User: " + user);

    String host = "yourserver.com";
    DoLog("Host: " + host);

    int port = 22;
    DoLog("Port: " + port);

    String privateKey = System.getProperty("user.dir") + "/" +  "yourserver.rsa";
    DoLog("Private Key: " + System.getProperty("user.dir") + "/" +  "yourserver.rsa");

    String sshPassPhrase = "@dd-y0ur-really-str0ng-ssh-pa$$word-h3r3";

    DoLog("Adding ssh key passphrase to session");
    jsch.addIdentity(privateKey, sshPassPhrase);
    DoLog("Private Key added to ssh session");

    Session session = jsch.getSession(user, host, port);
    DoLog("Session Created");

    java.util.Properties config = new java.util.Properties();
// see http://stackoverflow.com/questions/30178936/jsch-sftp-security-with-session-setconfigstricthostkeychecking-no

    DoLog("SSH Config: StrictHostKeyChecking: no");
    config.put("StrictHostKeyChecking", "no");
    session.setConfig(config);

    DoLog("Connecting");
    session.connect();

    DoLog("Preparing Remote Command");
    String command = "uptime";

    Channel channel = session.openChannel("exec");
    ((ChannelExec)channel).setCommand(command);
    channel.setInputStream(null);
    ((ChannelExec)channel).setErrStream(System.err);

    InputStream input = channel.getInputStream();
    channel.connect();

    try {
        InputStreamReader inputReader = new InputStreamReader(input);
        BufferedReader bufferedReader = new BufferedReader(inputReader);
        String line = null;
        while((line = bufferedReader.readLine()) != null){
            System.out.println(line);
        }
        bufferedReader.close();

        inputReader.close(); }
    catch (IOException ex) {
        ex.printStackTrace();
    }
    channel.disconnect();

    session.disconnect();
    DoLog("SSH session disconnected.....");


} catch (Exception e) {
    System.err.println(e);
}

Output:

16:32:06 up 7 days, 14:59, 1 user, load average: 0.08, 0.02, 0.01

Read more on RSA keys here.

Generate an RSA key here.

Advertisement:



Upload a file to a server via SCP over SSH

try {
    JSch jsch = new JSch();

    String user = "sshusername";
    DoLog("User: " + user);

    String host = "yourserver.com";
    DoLog("Host: " + host);

    int port = 22;
    DoLog("Port: " + port);

    String privateKey = System.getProperty("user.dir") + "/" +  "yourserver.rsa";
    DoLog("Private Key: " + System.getProperty("user.dir") + "/" +  "yourserver.rsa");

    String sshPassPhrase = "@dd-y0ur-really-str0ng-ssh-pa$$word-h3r3";
    DoLog("Adding ssh key passphrase to session");
    
    jsch.addIdentity(privateKey, sshPassPhrase);
    DoLog("Private Key added to ssh session");

    Session session = jsch.getSession(user, host, port);
    DoLog("Session Created");

    java.util.Properties config = new java.util.Properties();

    //session.setConfig(
    //        "PreferredAuthentications",
    //        "publickey,gssapi-with-mic,keyboard-interactive,password");

    // disabling StrictHostKeyChecking may help to make connection but makes it insecure
    // see http://stackoverflow.com/questions/30178936/jsch-sftp-security-with-session-setconfigstricthostkeychecking-no

    DoLog("SSH Config: StrictHostKeyChecking: no");
    config.put("StrictHostKeyChecking", "no");
    session.setConfig(config);

    DoLog("Connecting");
    session.connect();


    DoLog("Preparing SFTP");
    Channel channel = session.openChannel("sftp");
    channel.setInputStream(System.in);
    channel.setOutputStream(System.out);
    channel.connect();

    ChannelSftp c = (ChannelSftp) channel;
    String fileName = "upload.txt";
    DoLog("Uplaoding file: " + fileName + " to " + "/");
    c.put(fileName, "/");
    c.exit();
    DoLog("Done Uploading File");
    channel.disconnect();



} catch (Exception e) {
    System.err.println(e);
}

On the server:

cat /upload.txt
>Hello World

 

Advertisement:



Encrypt Text (AES/CBC/PKCS5/SHA-256)

public static byte[] encrypt(String strInput, String strPasswordKey) throws Exception {
    System.out.println("\n\nEncrypt()");
    byte[] clean = strInput.getBytes();

    // Generating IV
    int ivSize = 16;

    byte[] iv = new byte[ivSize];
    SecureRandom strRandom = new SecureRandom();
    
    strRandom.nextBytes(iv);
    IvParameterSpec ivParamSpec = new IvParameterSpec(iv);
    
    // Hashing key
    MessageDigest strDigest = MessageDigest.getInstance("SHA-256");
    
    strDigest.update(strPasswordKey.getBytes("UTF-8"));
    byte[] keyBytes = new byte[16];
    
    System.arraycopy(strDigest.digest(), 0, keyBytes, 0, keyBytes.length);
    SecretKeySpec secretKeySpec = new SecretKeySpec(keyBytes, "AES");
    
    // Encrypt
    Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
    
    cipher.init(Cipher.ENCRYPT_MODE, secretKeySpec, ivParamSpec);

    byte[] encrypted = cipher.doFinal(clean);
    
    // Combine IV and encrypted part
    byte[] encryptedIVAndText = new byte[ivSize + encrypted.length];

    System.arraycopy(iv, 0, encryptedIVAndText, 0, ivSize);
    
    System.arraycopy(encrypted, 0, encryptedIVAndText, ivSize, encrypted.length);

    String senctext = new String(encrypted, StandardCharsets.UTF_8);

    System.out.println("   encrypted: " + senctext.toString() + ", encryptedIVAndText: " + encryptedIVAndText.toString() + ", size: " + ivSize + ", length: " + encrypted.length);

    return encryptedIVAndText;
}

Decrypt Text (AES/CBC/PKCS5/SHA-256)

public static String decrypt(byte[] encryptedIvTextBytes, String strPasswordKey) throws Exception {
    System.out.println("\n\ndecrypt()");
    int ivSize = 16;
    int keySize = 16;

    // Extract IV
    byte[] iv = new byte[ivSize];
    System.arraycopy(encryptedIvTextBytes, 0, iv, 0, iv.length);
    IvParameterSpec ivParamSpec = new IvParameterSpec(iv);

    // Extract encrypted part
    int encryptedSize = encryptedIvTextBytes.length - ivSize;
    byte[] encryptedBytes = new byte[encryptedSize];
    System.arraycopy(encryptedIvTextBytes, ivSize, encryptedBytes, 0, encryptedSize);

    // Hash key
    byte[] keyBytes = new byte[keySize];
    MessageDigest strDigest = MessageDigest.getInstance("SHA-256");
    strDigest.update(strPasswordKey.getBytes());
    System.arraycopy(strDigest.digest(), 0, keyBytes, 0, keyBytes.length);
    SecretKeySpec secretKeySpec = new SecretKeySpec(keyBytes, "AES");

    // Decrypt
    Cipher cipherDecrypt = Cipher.getInstance("AES/CBC/PKCS5Padding");
    cipherDecrypt.init(Cipher.DECRYPT_MODE, secretKeySpec, ivParamSpec);
    byte[] decrypted = cipherDecrypt.doFinal(encryptedBytes);

    return new String(decrypted);
}

Input Dialog and Display the Input text in a Dialog

// Input Dialog
TextInputDialog dialog = new TextInputDialog("Simon");
dialog.setTitle("Text Input Dialog");
dialog.setHeaderText("Look, a Text Input Dialog");
dialog.setContentText("Please enter your name:");
Optional<String> result = dialog.showAndWait();
System.out.println("Dialog Result: " + result);
Alert alertinputdialog = new Alert(AlertType.INFORMATION);
alertinputdialog.setTitle("Input Result");
alertinputdialog.setHeaderText(null);
if (result.isPresent()) {
    alertinputdialog.setContentText( "Result: " + result.get().toString());
} else {
    alertinputdialog.setContentText("Result: ");
}
alertinputdialog.showAndWait();

Input:

Java Input Box

GUI Output:

Java Dialog

Standard Message Box

// Standard Message Box
Alert alertmessagebox = new Alert(AlertType.INFORMATION);
alertmessagebox.setTitle("Base64 (Style 1/2)");
alertmessagebox.setHeaderText(null);
alertmessagebox.setContentText("About to convert '" + result.get().toString() + "' to Base64");
alertmessagebox.showAndWait();

Output:

Standard Message Box

Detailed Message Box

// Detailed Message Box
Alert alertwarning = new Alert(AlertType.WARNING);
alertwarning.setTitle("Base64 (Style 2/2)");
alertwarning.setHeaderText("About to convert '" + result.get().toString() + "' to Base64");
alertwarning.setContentText("Base64 strings can be reversed");
alertwarning.showAndWait();

GUI Output:

Detailed Java Message Box

Advertisement:



Exception Dialog

//Exception Message Box
Alert alertexception = new Alert(AlertType.ERROR);
alertexception.setTitle("Exception Dialog");
alertexception.setHeaderText("Look, an Exception Dialog");
alertexception.setContentText("Could not find file blablah.txt!");
Exception ex = new FileNotFoundException("Could not find file blablah.txt");
// Create expandable Exception.
StringWriter sw = new StringWriter();
PrintWriter pw = new PrintWriter(sw);
ex.printStackTrace(pw);
String exceptionText = sw.toString();
Label label = new Label("The exception stacktrace was:");
TextArea textArea = new TextArea(exceptionText);
textArea.setEditable(false);
textArea.setWrapText(true);
textArea.setMaxWidth(Double.MAX_VALUE);
textArea.setMaxHeight(Double.MAX_VALUE);
GridPane.setVgrow(textArea, Priority.ALWAYS);
GridPane.setHgrow(textArea, Priority.ALWAYS);
GridPane expContent = new GridPane();
expContent.setMaxWidth(Double.MAX_VALUE);
expContent.add(label, 0, 0);
expContent.add(textArea, 0, 1);
// Set expandable Exception into the dialog pane.
alertexception.getDialogPane().setExpandableContent(expContent);
alertexception.showAndWait();

GUI Output:

Exception dialog with a label textbox, textfield and button.

Close Application

Platform.exit();
System.exit(0);

Close Child Windows

  1. Add Label to the scene (so we can get the parent scene later)
  2. Declare the label in the Controller initialize function ( “public Label lblTitle;”)
  3. Close the stage
Stage stage = (Stage) lblTitle.getScene().getWindow();
stage.close();

Handle Listview Item Select

try{
	DoLog("Selected Server: " + lvwServers.getSelectionModel().getSelectedItem().toString() );
} catch( java.lang.NullPointerException null_error ) {
	return;
}

Open URL in Browser

try {
    Desktop.getDesktop().browse(new URI("https://fearby.com"));
} catch (IOException e1) {
    e1.printStackTrace();
} catch (URISyntaxException e1) {
    e1.printStackTrace();
}

Ask for Input, Add to listview and soft the listview

// Get Parent Stage (use existing label in scene)
Stage stage = (Stage) lblTitle.getScene().getWindow();

// Input Dialog
TextInputDialog dialog = new TextInputDialog("Apple");
dialog.setTitle("Enter a Fruit");
dialog.setHeaderText("Enter a Fruit");
dialog.initOwner(stage.getScene().getWindow());
dialog.initModality(Modality.APPLICATION_MODAL);
dialog.setResizable(Boolean.FALSE);
dialog.setContentText("e.g enter a long description here...");

Optional<String> result = dialog.showAndWait();

if (result.isPresent()) {
    System.out.println( "Fruit: " + result.get());
    lvwFruit.getItems().add(result.get());
} else {
    System.out.println("Result: ");
}

// Sory Listview
lvwFruit.getItems().sorted();

 

Open FXML Scene File and Modal Child Window

        try {
            FXMLLoader fxmlLoader = new FXMLLoader(getClass().getResource("childscene.fxml"));
            Parent root1 = (Parent) fxmlLoader.load();
            Stage stage = new Stage();
            stage.initModality(Modality.APPLICATION_MODAL);
            stage.initStyle(StageStyle.UNDECORATED);
            stage.initStyle((StageStyle.UTILITY));
            stage.setTitle("Child Scene Window Title");
            stage.setScene(new Scene(root1));
            stage.show();
        }
        catch(IOException e) {
            e.printStackTrace();
        }

 

Base64 Encode and Decode

// Base 64
String sString = result.get().toString();
System.out.println("String sString: " + sString);
try {
    byte[] sbString = sString.getBytes("UTF-8");
    System.out.println("Byte Array - sbString: " + sbString);

    for(byte b : sbString){
        System.out.println(b);
    }
}
catch (Exception ex2)
{
    ex2.printStackTrace();
}
String sbbase64EncodedString = Base64.getEncoder().encodeToString(sString.getBytes());
System.out.println("Base64 Encoded - base64EncodedString: " + sbbase64EncodedString);
byte[] sbbase64DecodedString = Base64.getMimeDecoder().decode(sbbase64EncodedString);
String sbase64DecodedString = new String(sbbase64DecodedString);
System.out.println("Base64 Decoded - sbase64DecodedString: " + sbase64DecodedString);

// Message Box Result of Base64
Alert alertresult = new Alert(AlertType.INFORMATION);
alertresult.setTitle("Base64");
alertresult.setHeaderText("Input String: " + sString);
alertresult.setContentText("Base64 Encoded: " + sbbase64EncodedString + "\nDecoded Base64: " + sbase64DecodedString);
alertresult.showAndWait();

CLI Output:

> Base64 Encoded – base64EncodedString: U2ltb24=
> Base64 Decoded – sbase64DecodedString: Simon

GUI Output:

Message box with base64 text

Advertisement:



OK and Cancel Confirmation Box

// MessageBox with Buttons
Alert alert = new Alert(AlertType.CONFIRMATION);
alert.setTitle("Confirmation Dialog");
alert.setHeaderText("Look, a Confirmation Dialog");
alert.setContentText("Are you ok with this?");

Optional<ButtonType> result2 = alert.showAndWait();
if (result2.get() == ButtonType.OK){
    System.out.println("OK Clicked");
} else {
    System.out.println("Other Clicked");
}

GUI Output:

OK Cancel Dialog Box

Confirmation Box with four options

// Messagebox with many buttons
Alert alertmessaegmanyoptions = new Alert(AlertType.CONFIRMATION);
alertmessaegmanyoptions.setTitle("Confirmation Dialog with Custom Actions");
alertmessaegmanyoptions.setHeaderText("Look, a Confirmation Dialog with Custom Actions");
alertmessaegmanyoptions.setContentText("Choose your option.");
ButtonType buttonTypeOne = new ButtonType("Ubuntu", ButtonData.HELP_2);
ButtonType buttonTypeTwo = new ButtonType("Debian");
ButtonType buttonTypeThree = new ButtonType("Windows");
ButtonType buttonTypeCancel = new ButtonType("Cancel", ButtonData.CANCEL_CLOSE);
alert.getButtonTypes().setAll(buttonTypeOne, buttonTypeTwo, buttonTypeThree, buttonTypeCancel);
Optional<ButtonType> result3 = alert.showAndWait();
if (result3.get() == buttonTypeOne){
    System.out.println("Ubuntu Clicked");

} else if (result3.get() == buttonTypeTwo) {
    System.out.println("Debian Clicked");

} else if (result3.get() == buttonTypeThree) {
    System.out.println("Windows Clicked");

} else if (result3.get() == buttonTypeCancel) {
    System.out.println("Cancel Clicked");

} else {
    System.out.println("Nothing Clicked");
}

GUI Output:

Confirmation box with four choices

Encrypt, Base64, AES/CBC/SHA-256 Encryption and Decrypt

fyi: Encrypt and Decrypt functions are above.

String sInputString = result.get().toString();
String sInputStringBas64 = Base64.getEncoder().encodeToString(sInputString.getBytes());
String sEncryptionKey = "pa$$w1rd1";

try {
    byte[] encrypted = encrypt(sInputStringBas64, sEncryptionKey);

    String sEncryptedText = new String(encrypted, StandardCharsets.UTF_8);
    System.out.println(sEncryptedText);

    try {
        String sDecryptedText = decrypt(encrypted, sEncryptionKey);
        System.out.println("decrypted: " + sDecryptedText);

        byte[] sbbase64EncryptedDecodedString = Base64.getMimeDecoder().decode(sDecryptedText);
        String sbase64EncryptedDecodedString = new String(sbbase64EncryptedDecodedString);

        // Encryption Message Box
        Alert encryptionmessagebox = new Alert(AlertType.INFORMATION);
        encryptionmessagebox.setTitle("Encryption");
        encryptionmessagebox.setHeaderText(null);
        encryptionmessagebox.setContentText("Input String:\n" + sInputString
                        + "\n\n  Input as Base64:\n   " + sInputStringBas64
                        + "\n\n  Encryption Key:\n  " + sEncryptionKey
                        + "\n\n  Encryption Method:\n  AES/CBC/PKCS5Padding SHA-256 IV"
                        + "\n\n    Encrypted Text:\n    " + sEncryptedText
                        + "\n\n  Decrypted Text:\n  " + sDecryptedText
                        + "\n\nDecoded Base64:\n" + sbase64EncryptedDecodedString
        );
        encryptionmessagebox.showAndWait();
    }
    catch (Exception ee)
    {
        ee.printStackTrace();
    }
}
catch (Exception ex2)
    {
        ex2.printStackTrace();
    }

GUI Output:

Encrypt and decrypt

 

 

Advertisement:



Credits 

Encryption Help: https://proandroiddev.com/security-best-practices-symmetric-encryption-with-aes-in-java-7616beaaade9

Dialogue Help: https://code.makery.ch/blog/javafx-dialogs-official/

General JavaFX Help: http://tutorials.jenkov.com/javafx/index.html

Ini File Help: Simple Java API Windows style .ini file handling. Also provide Java Preferences API
functionality on top of .ini file. https://sourceforge.net/projects/ini4j/

SSH JScH Help – JSch is a pure Java implementation of SSH2: http://www.jcraft.com/jsch/

JSch 0.0.* was released under the GNU LGPL license. Later, we have switched
over to a BSD-style license.

——————————————————————————
Copyright (c) 2002-2015 Atsuhiko Yamanaka, JCraft,Inc.
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in
the documentation and/or other materials provided with the distribution.

3. The names of the authors may not be used to endorse or promote products
derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESSED OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL JCRAFT,
INC. OR ANY CONTRIBUTORS TO THIS SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA,
OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
——————————————————————————

 

——————————————————————————

I hope this guide helps someone.

Please consider using my referral code and get $25 UpCloud VM credit if you need to create a server online.

https://www.upcloud.com/register/?promo=D84793

Ask a question or recommend an article

[contact-form-7 404 "Not Found"]

Revision History

v1.0 Initial Post

Using OWASP ZAP GUI to scan your Applications for security issues

by

OWASP is a non-profit that lists the Top Ten Most Critical Web Application Security Risks, they also have a GUI Java tool called OWASP Zap that you can use to check your apps for security issue.

Advertisement:



I have a number of guides on moving hosting away form CPanel , Setting up VM’s on AWS, Vultr or Digital Ocean along with installing and managing WordPress from the command line. It is important that you always update your site and software and test your sites and software for vulnerabilities. Zap is free and completely open source.

Disclaimer, I am not an expert (this Zap post and my past Kali Linux guide will be updated as I learn more).

OWASP Top 10

OWASP has a top 10 list of things to review.

OWASP Top 10

Download the OWASP 10 10 Application security risks PDF here form here.

Using the free OWASP Zap Tool

Snip from https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers*. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. It’s also a great tool for experienced pentesters to use for manual security testing.

Zap Overview

Here is a quick demo of Zap in action.

Do check out the official Zap videos on youtube: https://www.youtube.com/user/OWASPGLOBAL/videos if you want to learn more.

Installing Zap

Download Zap from here.

Download Zap

Download Options

Download

Download contents

Run Install

Copy to the app to the OSX Application folder

Installing

App Installed

App Insatalled

Open OSX’s Privacy and Security screen and click Open Anyway

Open Anwway

OWASP Zap is now Installed

Insallled

Ready for a Scan

Blind Scan

But before we do let’s check out the Options

Options

OWASP Zap allows you to label reports to ad from anyone you want.

Report Label Options

Now let’s update the program and plugins, Click Manage Add-ons

Manage Adons

Click Update All to Update addons

Updates

I clicked Update All

Plugins

Installed some plugins

Marketplace

Zap is Ready

Zap

Add a site and right click on the site and you can perform an active scan or port scan.

Right click Zap

First Scan (https failed)

https failed

I enabled unsafe SSL/TLS Renegotiation.

Allow Unsafe HTTPS

This did not work and this guide said I needed to install the “Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files” from here.

Cryptography Files OSX

The extract files to /Library/Java/JavaVirtualMachines/%your_jdk%/Contents/Home/jre/lib/security

Extract

I restarted OWASP Zap and tried to scan my site buy it appears Cloudflare (that I recently set up) was blocking my scans and reported error 403. I decided to scan another site of mine that was not on Cloudflare but had the same Lets Encrypt style SSL cert.

fyi: I own and set up the site I queried below.

Zap Results

OWASP Zap scan performed over 800 requests and tried traversal exploits and many other checks. Do repair any major failures you find.

Zan Scan

Generating a Report

To generate a report click Report then the appropriate generation menu of choice.

Generate Report

FYI: The High Priority Alert is a false positive with an HTML item being mistaken for a CC number.

I hope this guide helps someone. Happy software/server hardening and good luck.

More Reading

Check out my Kali Linux guide.

Ask a question or recommend an article

[contact-form-7 404 "Not Found"]

Revision History

V1.3 fixed hasting typo.

v1.2 False Positive

v1.1 updated main features

v1.0 Initial post

PHP 7 code to send object oriented sanitised input data via bound parameters to a MYSQL database

by

Sanitising user input is a golden rule with web developing (see https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet ), here is my code snippet to sanitise and parameterise MySQL queries in PHP 7.0.

Advertisement:



First, watch and follow @jawache (Asim Hussein) demo how common hacks happen and why you should update and patch software often, sanitise user data and set up a firewall.

I have blogged before on how to set up a Vultr server and configure it, How to secure Ubuntu in the Cloud, How to run an Ubuntu System Audit and Beyond SSL with Content Security Policy, Public Key Pinning etc but a 100% secure server is impossible as  zero-day exploits and flaws (e.g WPA WiFi) reminds us how limited technology lifespans can be. Yes, you can setup firewalls on Ubuntu and WordPress but you are only one exploit away from being hacked.Below is my code snippet (in PHP) to sanitise incoming data, query a MySQL database with object-oriented calls in PHP 7.0 and return data in variables. I have set up a firewall to block access to MySQL and non-essential ports (use https://www.shodan.io/ to test your server’s ports). I was using older deprecated PHP 5 era database calls and I researched newer calls available in PHP 7.0.

When you log in to an Ubuntu server and it says the following you should update

Also update software, node, npm etc

This code outputs too much information but will help you setup and get data on your servers (as long as you replace your database, table and field names).

<?php
echo "Last modified: " . date ("F d Y H:i:s.", getlastmod()) . "<br /><br />";
date_default_timezone_set('Australia/Sydney');

$dbhost = '127.0.0.1';
$dbusername = 'themysqlaccount';
$dbpassword = 'themysqlpassword';
$dbname = 'thedatabasename';
$con = mysqli_connect($dbhost, $dbusername, $dbpassword, $dbname);

//Debug stuff
//echo var_dump($con);
//printf(" - Error: %s.\n", $stmt->error);

if($con->connect_errno > 0){
    printf(" - Error: %s.\n", $stmt->error);
    die("Error: Unable to connect to MySQL (E001)");
} else {
 echo "Charset set to utf8<br />";
 mysqli_set_charset($con,"utf8");
}

if (!$con) {
    echo "Error: Unable to connect to MySQL (E002)" . PHP_EOL;
    echo "Debugging errno: " . mysqli_connect_errno() . PHP_EOL;
    echo "Debugging error: " . mysqli_connect_error() . PHP_EOL;
    exit;
} else {
    echo "Database Connection OK<br />";

    echo "&nbsp; Success: A proper connection to MySQL was made! The my_db database is great." . PHP_EOL . "<br />";
    echo "&nbsp; &nbsp;- Host information: " . mysqli_get_host_info($con) . PHP_EOL . "<br />";
    echo "&nbsp; &nbsp;- Server Info: '" . mysqli_get_server_info($con) . "'<br />";
    echo "&nbsp; &nbsp;- Server Protocol Info : ". mysqli_get_proto_info($con) . "<br />";
    echo "&nbsp; &nbsp;- Server Version: " . mysqli_get_server_version($con) . "<br />";
    //echo " - Server Connection Stats: " . print_r(mysqli_get_connection_stats($con)) . "<br />";
    echo "&nbsp; &nbsp;- Client Version: " . mysqli_get_client_version($con) . "<br />";
    echo "&nbsp; &nbsp;- Client Info: '" . mysqli_get_client_info() . "'<br />";

echo "Ready to Query the database '$dbname'.<br />";

// Input Var's that are parameterized/bound into the query statement
// I pre fill three vaiables with known fields in my users table
// Goot article in manual sanitization of strings in PHP http://php.net/manual/en/filter.filters.sanitize.php
    $in_username = mysqli_real_escape_string($con, 'FearTec');
    $in_f_guid = mysqli_real_escape_string($con, '5161a571-4a51-468d-9e96-6a5db5d35b1c');
    $in_mobile = mysqli_real_escape_string($con,'0456629533');

// Output Var's that the query fills after querying the database
// These variables will be filled with data from the current returned row
    $out_id = "";
    $out_f_guid = "";
    $out_username = "";
    $out_mobile = "";

echo "1. About to query the database: '$dbname'<br />";
$stmt = mysqli_stmt_init($con);
if (mysqli_stmt_prepare($stmt,"SELECT id, username, guid, user_mobile FROM thedatabasename WHERE username = ? AND guid = ? AND user_mobile = ?")) {

        echo "2. Query Returned<br />";

        /*
            Type specification chars
            Character   Description
            i   corresponding variable has type integer
            d   corresponding variable has type double
            s   corresponding variable has type string
            b   corresponding variable is a blob and will be sent in packets
        */
        mysqli_stmt_bind_param($stmt, 'sss', $in_username, $in_guid, $in_mobile);

        mysqli_stmt_execute($stmt);

        mysqli_stmt_bind_result($stmt, $out_id, $out_username, $out_guid, $out_mobile);

        mysqli_stmt_fetch($stmt);

        // Do something with the 1st returned row        
        echo " - Row: ID: $out_id, GUID: $out_guid, USR: $out_username, MOB: $out_mobile";//
        // Do we have more rows to process
        while($stmt->fetch()) { 
                // Deal with other rows
                echo " - Row: ID: $out_id, GUID: $out_f_guid, USR: $out_username, MOB: $out_mobile<br />";
        }
        mysqli_stmt_close($stmt);
        
        echo "c<br />";
    }
     else {
        echo "3. Error Querying<br/>";
        printf(" - Error: %s.\n", $stmt->error);
    }

}    

?>

Returned Data

Last modified: November 01 2017 16:43:01.
Charset set to utf8
Database Connection OK
  Success: A proper connection to MySQL was made! The my_db database is great. 
   - Host information: 127.0.0.1 via TCP/IP 
   - Server Info: '5.7.19-0ubuntu0.16.04.1'
   - Server Protocol Info : 10
   - Server Version: 50719
   - Client Version: 50012
   - Client Info: 'mysqlnd 5.0.12-dev - 20150407 - $Id: b5######################## $'
Ready to Query the database 'thedatabasename'.
1. About to query the database: 'thedatabasename'
2. Query Returned
- Row: ID: 1, GUID: 0000000-0000-0000-0000-000000000001, USR: Bob, MOB: 1234567890
- Row: ID: 2, GUID: 0000000-0000-0000-0000-000000000002, USR: Joe, MOB: 1234567891
- Row: ID: 3, GUID: 0000000-0000-0000-0000-000000000003, USR: Jane, MOB: 1234567892

Variable Bind Parameter Types

When you bind an incoming variable you can inform MySQL what the data type is expected to be.

mysqli_stmt_bind_param: Type specification chars
Character   Description
i   corresponding variable has type integer
d   corresponding variable has type double
s   corresponding variable has type string
b   corresponding variable is a blob and will be sent in packets

Debug Options

Errors Enabled: Turn on PHP Debug Errors On

Turning on errors on production servers is bad but on on development.

First, find php.ini files

Edit your appropriate PHP file

And turn on Error reporting.

Restart PHP and NGINX

If you need to view your active php.ini file or see php configuration settings, add this to a .php file on your web server and view it’s contents.

<?php
phpinfo()
?>

It is amazing how clear errors can be

PHP Error

Dump Connection Vars: PHP mysqli_connect: var_dump($con)

echo var_dump($con);

Output:

  public 'affected_rows' => int 0
  public 'client_info' => string 'mysqlnd 5.0.12-dev - 20150407 - $Id: b5###############################3 $' (length=79)
  public 'client_version' => int 50012
  public 'connect_errno' => int 0
  public 'connect_error' => null
  public 'errno' => int 0
  public 'error' => string '' (length=0)
  public 'error_list' => 
    array (size=0)
      empty
  public 'field_count' => int 0
  public 'host_info' => string '127.0.0.1 via TCP/IP' (length=20)
  public 'info' => null
  public 'insert_id' => int 0
  public 'server_info' => string '5.7.19-0ubuntu0.16.04.1' (length=23)
  public 'server_version' => int 50719
  public 'stat' => string 'Uptime: 1828089  Threads: 1  Questions: 15702  Slow queries: 0  Opens: 1529  Flush tables: 1  Open tables: 1461  Queries per second avg: 0.008' (length=142)
  public 'sqlstate' => string '00000' (length=5)
  public 'protocol_version' => int 10
  public 'thread_id' => int 7367
  public 'warning_count' => int 0

Show Environment Vars: mysqli_get_host_info, mysqli_get_proto_info, mysqli_get_server_version, mysqli_get_client_version and mysqli_get_client_info.

echo "&nbsp; Success: Database connection OK." . PHP_EOL . "<br />";
echo "&nbsp; &nbsp;- Host information: " . mysqli_get_host_info($con) . PHP_EOL . "<br />";
echo "&nbsp; &nbsp;- Server Info: '" . mysqli_get_server_info($con) . "'<br />";
echo "&nbsp; &nbsp;- Server Protocol Info : ". mysqli_get_proto_info($con) . "<br />";
echo "&nbsp; &nbsp;- Server Version: " . mysqli_get_server_version($con) . "<br />";
//echo " - Server Connection Stats: " . print_r(mysqli_get_connection_stats($con)) . "<br />";
echo "&nbsp; &nbsp;- Client Version: " . mysqli_get_client_version($con) . "<br />";
echo "&nbsp; &nbsp;- Client Info: '" . mysqli_get_client_info() . "'<br />";

Output:

  Success: Database connection OK. 
   - Host information: 127.0.0.1 via TCP/IP 
   - Server Info: '5.7.19-0ubuntu0.16.04.1'
   - Server Protocol Info : 10
   - Server Version: 50719
   - Client Version: 50012
   - Client Info: 'mysqlnd 5.0.12-dev - 20150407 - $Id: b5######################################## $'

Show errors in failed if  statements: mysqli_stmt_prepare else

printf(" - Error: %s.\n", $stmt->error);

Output:

Error: Table 'thedatabasename.invalidtablename' doesn't exist.

Debugging is your friend.

 

More to come..

 

Donate and make this blog better


Ask a question or recommend an article
[contact-form-7 404 "Not Found"]

V 1.0 initial post

Short (Article):