Clean infected PHP files with sed on linux console

So I had one of my WordPress sites infected. All PHP files were injected with bogus commands. For example, it looked like this:

Infected PHP

So now what? I kind of panicked and deactivated all of my sites. Fortunately I could restore most of them because I had clean backups. For some I didn’t (probably the site which was hacked first).

The bogus code all looks the same though, so it should be easy to clean up, right? When the panic was over I took some more time to get this job done on the console.

Eventually I came up with this command:

find ./ -name '*.php' -exec sed -i 's/<?php $am.*-1; ?>//' {} \;

I still don’t completely understand what’s going on, because when I try the regexp at regexr I should escape characters like ?. But well, this seems to work for this particular string. You can change it a bit to your needs. It should start with the very first characters of the bogus, $am in my case, then it uses .* to catch all characters in between, and then -1; is the end of the bogus string.

Maybe some day I may need more complex regular expressions, but for now I wanted to make sure that I documented this.

Update: As bob rightly states in the comments, this is not a method to completely scan all of your PHP files on the server and find all backdoors. This is just a way to remove bogus code that you already identified. The signature changes with every hack, and other techniques may also have been used / planted to create a backdoor.

So this is not meant as a virus scanner command, but just a hint to show how simple injections could be removed.
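The same cleanup as a small script, added here as an example (not the post's own command). It scans a tree for the signature described above, reports hits in a dry run first, keeps a .bak copy of every file it changes, and uses a non-greedy match: sed's greedy .* removes everything up to the last "-1; ?>" on a line, which on a minified one-line PHP file takes legitimate code with it. sed's basic regex treats "?" and a mid-pattern "$" literally, which is why the unescaped command works there; in Python they must be escaped. The sample infected file is constructed, not the real payload.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Injected block as described in the post: starts with "<?php $am",
# ends with "-1; ?>". Non-greedy so one match never spans two blocks.
SIGNATURE = re.compile(r"<\?php \$am.*?-1; \?>")


def strip_signature(source: str) -> tuple[str, int]:
    """Return (cleaned source, number of injected blocks removed)."""
    return SIGNATURE.subn("", source)


def clean_tree(root: Path, dry_run: bool = True) -> dict[str, int]:
    """Scan every *.php file under root and return {relative path: hits}.

    With dry_run=False the cleaned file is written back, after the
    original is copied to <name>.bak so the evidence is preserved.
    """
    report: dict[str, int] = {}
    for php in root.rglob("*.php"):
        text = php.read_text(encoding="utf-8", errors="surrogateescape")
        cleaned, hits = strip_signature(text)
        if hits == 0:
            continue
        report[str(php.relative_to(root))] = hits
        if not dry_run:
            shutil.copy2(php, php.with_name(php.name + ".bak"))
            php.write_text(cleaned, encoding="utf-8", errors="surrogateescape")
    return report


def demo() -> dict[str, int]:
    """Constructed sample site: one infected file, one clean file (dry run)."""
    root = Path(tempfile.mkdtemp())
    (root / "index.php").write_text(
        '<?php $am = "x"; $r = -1; ?><?php echo "site"; ?>\n', encoding="utf-8")
    (root / "ok.php").write_text('<?php echo "clean"; ?>\n', encoding="utf-8")
    return clean_tree(root, dry_run=True)


if __name__ == "__main__":
    print(demo())   # {'index.php': 1}
```

Run it with dry_run=True first, check the report against the files you already identified, and only then let it write.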

REST dummy server

I must admit: even for the easiest problems I try Google first. Those people at Stack Overflow seem to have a solution for everything, right?

So I wanted a dummy REST server that would just serve static JSON. I wanted to take my development home, on my local machine. So I thought I’d just save some output from our API to a file, and then put it in a dummy server. This was probably too easy, since Google came up with solutions that were more complicated. So for the lazyweb, I will share my solution with you. You’ll be all set in a few minutes!

I assume you already have a VirtualBox running with your LAMP stack, or maybe xampp, wamp or whatever. I used Apache for my solution.

Create a virtualhost

I must say I had some issues with this new Apache 2.4 thing, not accepting my .htaccess rewrite rules. So here is my virtual host config, so you can copy paste, and adjust it to your needs.

.htaccess

I didn’t put the rewrite rules in the VirtualHost config, but added that to my .htaccess in the documentRoot like this:

index.php

The PHP parses the requests and loads the JSON files from disk. Nothing more to it. You could adjust it a bit and maybe mock some auth tokens as well, but for me that wasn’t required in this phase.

As you can see, the path is converted to a filename by replacing the slashes with underscores. So now you can easily create JSON files for every request.

http://api-server.local/node is read from node.json
http://api-server.local/node/11 is read from node_11.json
http://api-server.local/node/11/statistics is read from node_11_statistics.json

You get the picture, right? Now, wasn’t that easy?
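The same path-to-file convention as a stand-alone mock server in Python, added here as an example and not the post's PHP/Apache code. It assumes a ./json directory holding node.json, node_11.json and so on; each path segment is whitelisted so a request can only ever name a file inside that directory.

```python
import json
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from pathlib import Path

DATA_DIR = Path("./json")             # assumption: the dumped API responses
SEGMENT = re.compile(r"^[A-Za-z0-9_-]+$")


def path_to_filename(path: str) -> str:
    """/node/11/statistics -> node_11_statistics.json (the post's convention).

    Segments are restricted to [A-Za-z0-9_-] so ".." or encoded characters
    cannot make the server read anything outside DATA_DIR.
    """
    segments = [s for s in path.split("?", 1)[0].split("/") if s]
    if not segments or any(not SEGMENT.match(s) for s in segments):
        raise ValueError(f"unsupported path: {path!r}")
    return "_".join(segments) + ".json"


class MockApiHandler(BaseHTTPRequestHandler):
    def do_GET(self) -> None:
        try:
            body = (DATA_DIR / path_to_filename(self.path)).read_bytes()
            json.loads(body)          # refuse to serve a file that is not JSON
            status = 200
        except (ValueError, FileNotFoundError):
            body, status = b'{"error": "not found"}', 404
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), MockApiHandler).serve_forever()
```

Drop your dumped responses into ./json and query http://127.0.0.1:8080/node/11 exactly as in the examples above.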

Alternatives

Of course there are way smarter, probably better alternatives. I tried JSON Server, which is really cool, because it can handle the requests from a simple database which you define in JSON as well. But my problem was that not all our resources had primary keys (ids), so I didn’t know how it should handle that. Also you would have to JSON-encode the (piece of) database, while in my case I could just dump some requests to file.

Also, our API required more levels (e.g. /node/11/stats/12) and I didn’t want to spend a lot of time figuring out how this could be done with JSON Server.

Mock-server also looked pretty awesome, but it would probably also take me too much time to figure out how to install and configure the thing.

I kind of stopped my journey looking for dummy REST servers there, because I then realized I could build one myself pretty easily.

And now you can too, without even having to think about it. That’s what I wanted too.

Phinx config for Symfony2

As you may know, you can also use a PHP file for your Phinx config. Just replace phinx.yml with phinx.php and it should work fine. I like to use Phinx in my Symfony2 bundles, because it’s better to use in a VCS like Git. Also you can do rollbacks, and add the migration scripts to your build script, like Ant.

Anyways, when using different environments, you probably have different database credentials. I put this little preg_match in the PHP file to parse the database config from parameters.yml. This phinx.php is located in the bundle, for example /src/Acme/DemoBundle/phinx.php; the migrations would then be placed in /src/Acme/DemoBundle/Migrations/. Just make sure the location of the parameters.yml is correct at the top of the script. You probably want to use relative paths, because otherwise the path is still different in your environments: your development VM may have different paths than your production server.

 

Prevent double clicks on table rows with click event and anchors

Suppose you have a table, for example to show users, and you want the table row to be clickable. If you click the row, you will go to a page that shows user information. Or maybe edit the user. But the last column of your row also has some action buttons that can delete the user, de-activate it, or whatever. So, for example, something like this:

Now, if you add a click event on the tr, when you click the button, both the button and the row click event will fire. To prevent this, I found this nice Stack Overflow post about it. This answer suited my needs better, because I had also used Font Awesome icons for my anchors.

I did change it a bit however, because you already know the tr element when it’s being clicked on, right? So I ended up with this JavaScript code, and it seems to work.

So actually the credits go to Augusto, but I just wanted to make a note here, in case I ever forget. The tagline “my external memory” is for real, you know. My internal memory is not always that reliable ;-)

Use Sublime Text to help you create doctrine Entities part two

In my previous post I wrote about a regexp search and replace to create Doctrine entities easily from a phpMyAdmin CSV export. After that post I found myself checking my own website to copy and paste the regexp. Then I tried recording a macro in Sublime, but it turns out Sublime doesn’t record search and replace actions.

Then I learnt about the feature to install packages into your Sublime install, which has a really cool RegReplace package. Just follow the instructions on that page. I was a bit confused at point three, but it turns out I had to go to Package Control: Install Package. You can get there by pressing cmd+shift+p and then typing Package Control. It should appear in the list.

Then this Super User post helped me configure the RegReplace package. It took me a while to figure out how to use extended back references. But I got it all working now. I use Sublime Text 2, so go to Preferences → Package Settings → Reg Replace → Settings – Default.

Sublime_Reg_Replace

At the replacements section I added this:

Don’t forget to enable “extended_back_reference” at the end of this file.

Then I went to Preferences → Package Settings → Reg Replace → Commands – Default and added this at the end:

Now when I am in my editor and press cmd+shift+p I can just type “Doctrine” and my command shows up. Then it’ll convert the CSV-formatted table headers to a nice Doctrine entity.

 

Use Sublime Text to help you create doctrine Entities

I don’t know about you, but when working in a project that already exists, I am afraid to let Symfony extract the entities for my project. I’d rather just define a new entity myself. To get started, Sublime Text is very useful in creating the entity with annotations. Here’s what I do.

First, in phpMyAdmin I go to the table I want to create an entity for. I use Browse, select the first record, and then export this to CSV. Export to screen, and make sure the headers are in the first row.

Copy the headers to your clipboard, and then paste them in Sublime Text. First replace the commas with newlines, which is easy: just search for , and replace with \n. Make sure you have the regex function enabled (that’s the .* button).

Now the magic trick to convert the rows with column names into an almost complete entity. Again use search and replace.

Find What: ^\"(.*)\"$
Replace With: \/\*\*\n \* \@ORM\\Column\(name\=\"$1\", type\=\"\", nullable\=false\)\n \*/\nprivate \$\l\1\;\n

SublimeText

Now you should have something like this:

Of course you can alter this any way you like.

Now copy this to your IDE of choice (PhpStorm probably, right?) and finish the details.
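The two search-and-replace steps above, implemented in Python as an added example (not the post's Sublime commands), for the case where you would rather run the conversion from a script. The only thing Python's re lacks is Sublime's \l, which lowercases the first character of the capture; a replacement callback does that instead. The header line used in the test is constructed.

```python
import re

# Same pattern as in the post: a whole line that is one double-quoted name.
HEADER = re.compile(r'^"(.*)"$', re.MULTILINE)


def doctrine_property(column: str) -> str:
    """Expand one column name into the annotated private property.

    Mirrors the post's replacement string; \\l\\1 becomes column[:1].lower().
    """
    prop = column[:1].lower() + column[1:]
    return (
        "/**\n"
        f' * @ORM\\Column(name="{column}", type="", nullable=false)\n'
        " */\n"
        f"private ${prop};\n"
    )


def headers_to_entity_body(csv_header_line: str) -> str:
    """Step 1: commas -> newlines. Step 2: each quoted name -> property."""
    one_per_line = csv_header_line.strip().replace(",", "\n")
    return HEADER.sub(lambda m: doctrine_property(m.group(1)), one_per_line)


if __name__ == "__main__":
    print(headers_to_entity_body('"id","FirstName","created_at"'))
```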

WP All Import: calculate discounts using your own function

Using WP All Import, I wanted to use a discount on our prices, but do the math myself. This way I could round the discounts by x.95 or x.45 instead of other weird prices.

The manual suggests you put your function in the functions.php of your theme. But I don’t want the function to be gone when updating the theme, nor do I want to create a child theme just to put this one stupid function in. So I thought I’d create a plugin.

This seems to work perfectly. Just put this code in your /wp-content/plugins directory. Save it as, for example, wp-all-import-discount.php.

Now you can easily use it in your import config:

WP All Import discount

As second parameter you can use the discount you want. Use 0.9 for 90%, 0.5 for 50%, etc.

 

Forms in Symfony2: dependent selectboxes

My wish was simple: I wanted to have an extra dropdown box, to be able to filter a table, so the second dropdown box would have less items. So the second dropdown box depends on the first. I found two nice articles about this, but I missed a few things before I got it to work. This post tries to describe what my pitfalls were.

The great articles I found were: Symfony2.4: Dependent Forms and Symfony2 – Dynamic forms, an event-driven approach

The difference with my approach is that building the lists for the selectboxes should happen inside the form builder. This way I think it’s more reusable and the code is in one place. I don’t want to write extra methods in my controller to fill the selectboxes with JavaScript. My idea was just to submit the form, and let the form figure out what it should do: save the object, or fill the second list with options.

To describe my pitfalls, I’d better first describe my situation. I changed the use case for the sake of this article, but it’s the same as my problem. Suppose you have a Person who can own several cars. On the person edit page, where you can edit his name and other properties, I wanted to add a table with the cars he owns. Under this table I have action buttons for New, Edit and Delete. When you use New, the div on that page is reloaded with the form, so the page isn’t reloaded; you are still on the edit Person page.

This would be my database model:

Forms in Symfony2: model used in this example

The list of cars with all their types would be huge, so I wanted to select the Brand (Opel, Mercedes, BMW) first. This wasn’t a value that I should save to my Person_has_Car model, so I set mapped to false. This was my main problem, because now this value wouldn’t be mapped to the entity, so how should I read it?

Initially I wanted to post the BrandId to the form, and based on this BrandId I wanted to build the select. I found that PRE_SUBMIT and POST_SUBMIT weren’t called when you don’t submit the entire form. Probably because of a CSRF token that doesn’t match.

Then after a long search I found that at the PRE_SUBMIT Form Event, the data was just an array instead of an object.

Well, after a few days of frustration, googling, trying, googling and trying, this is what I came up with. Maybe it’s not the best approach, but it seems to work.

So imagine that you are on a “User edit” page, and you want to add a car to his account.

Form

My form class PersonHasCarType would be something like this:

Twig template

The (simplified) twig form would look something like this:

The $.parseHtmlBlock is just a little code snippet that replaces HTML based on a JSON response. It also does some initialisation. The snippet looks like this:

Note the clearOnChange in the JavaScript that clears the second selectbox (if it exists) to empty values. If I don’t do this, the form has validation errors the second time you change the brand of the car. This was an easy hack to prevent that, and I also think it’s actually not that bad to reset invalid fields.

Controller

Now my controller is something like this:

So basically we now have a form that submits itself whenever the first selectbox changes. The controller checks whether the form is fully entered by checking whether the car object is set. This approach will probably conflict if you use validation. But for me this seems to work in my application.

Dynamic path tags in twig template

So I wanted to create a Twig template that would render a table just by defining the table headers and passing an array of entities. The problem was that I also wanted to add action buttons like edit and delete, but the URL should be created dynamically with a changing ID. This is what I came up with.

So along with the array of entities that is passed to the Twig template, an array with table headers is added too. The array with headers contains the id inside the entity, the name of the header, and the third element is the ‘type’. This way I can render the field as a date/time object. I also use this to set the type to action, which means I have an array with action buttons.

Then in Twig, I render the table like this:

The array with options that is passed to Twig’s path tag is built up in Twig itself.

Active menu determination in Metronic theme

So we bought the Metronic theme from KeenThemes. It’s fully featured and packed, but I was wondering how the theme determines what the active link is. Browsing through the comments I found out that we’re supposed to handle this ourselves, server-side. No fancy JavaScript that handles this by itself.

Fortunately I found a way to determine the route in Symfony. This returns the name of the route, not the result of path. So now it’s easy to compare your current page. All I had to do was put this in Twig:

But if I use submenus, how would I know which parent menu should have the active class as well? Easy: just check the first part of the route (if you set up your routes smartly enough, though). So if you have a menu called “promotion” with submenus like “create, list”, you might want to name your routes _promotion_new and _promotion_list. At the parent menu item promotion you can easily check whether the route starts with _promotion_. The substr equivalent in Twig is slice. So the HTML for the parent menu item would have something like this:

If you named your routes less ‘smart’, you could use a larger OR comparison in the if statement.

Easy does it.