First of all, http://ubuntuforums.org/showthread.php?t=786095 is a great tutorial for installing FFMPEG. In my case, it was actually installed on Debian through SSH.

Also, http://www.kilobitspersecond.com/2007/05/24/ffmpeg-quality-comparison/ does a very good job of looking into the different qscale options.

For a video, I chose my friend Ron’s video named “potter” which is about 5 minutes long, 720p, and around 450MB in size before any sort of compression. Note that this takes a while to convert if you don’t have a very fast server.

The code:

ffmpeg -i /path/potter.mp4 -qscale {QSCALE} -ar {ARATE} -ac 2 -acodec {ACODEC} -vcodec {VCODEC} -ab {ABITRATE} -f flv -s 1280x720 /path/potter_{ARATE}_{ABITRATE}_720p.flv

After a few tests with different video codecs, I chose libx264. After messing with a different video from Ron, I was very happy with the results.
Before conversion: http://localhostr.com/files/F6c63r0/capture.png (29.3 MB)
After conversion: http://localhostr.com/files/RufUdEt/capture.png (6.7 MB)

The converted file’s size was only 23% of the original file’s size with an audio rate of 22050 Hz, video codec libx264, and the audio codec libfaac.

More Tests (audio)

I tried 22050 and 44100 as the audio rates and 196k and 256k as the audio bit rates and LAME MP3 and AAC as the audio codecs.
The results were quite similar to each other.

gamevue:/path# du potter*
121596  potter_22050_196k_720p.flv
124824  potter_22050_196k_LAME_720p.flv
121596  potter_22050_256k_720p.flv
124824  potter_22050_256k_LAME_720p.flv
124528  potter_44100_196k_720p.flv
126016  potter_44100_196k_LAME_720p.flv
124528  potter_44100_256k_720p.flv
128408  potter_44100_256k_LAME_720p.flv

The quality difference in audio was not very much going from LAME to AAC, but it did shave off almost 4MB on the higher quality audio file.
Audio Codec chosen: AAC (libfaac)
Video Codec chosen: x264 (libx264)
Audio Rate chosen: 44100
Audio Bit Rate chosen: 256k

Part List (view below for more info):

• 2x OCZ Vertex 3 120GB SSDs
• Intel Core i7 2600k Sandy Bridge (3.4GHz)
• GIGABYTE Intel Z68 USB 3.0 SATA III
• Microsoft Windows 7 Professional 64-bit
• 4x G-Skill Ripjaws X series GB DDR3 1333
• GeForce GTS 450 (Fermi) 1GB 128-bit GDDR5
• Coolmax 700W ATX 12V v2.2
• APEVIA full tower case

First of all, it needed to be capable of SATA III and USB 3 for speed reasons (most mobos these days are either both or neither, so that part wasn’t hard), so I got the latest core i7 quad core (N82E16819115070)with a Gigabyte Z68 (N82E16813128507) combo ($470).

He wanted a really fast boot up so I got two OCZ Vertex 3 120GB SATA III SSDs (N82E16820227706) and put them in RAID 0 (read more about this later). This was very pricey, costing a solid $380.

For extreme multitasking capabilities, I got a total of 16GB G-Skill Ripjaws X series DDR3 1333 (PC3 10666) (2x N82E16820231426) ram for $60.

He also wanted to be able to run business programs well and handle multiple monitors with ease, so I splurged a little and got a GeForce GTS 450 (Fermi) 1GB 128-bit GDDR5 (N82E16814134119) for $110. This may be a little bit of overkill for a Business computer but I figured by the time Windows 8 gets replaced, this thing will be getting ancient. Plus, it has 3D vision capabilities and such, which I’m hoping will be the norm in the near future.

Because it’s a business computer that probably wouldn’t be overclocked, I didn’t need a fancy case, so I got an APEVIA full tower (N82E16811144202) for $70 (+$20 shipping).

Windows 7 pro system builder was $140, and a generic CD/DVD burner was $18.

The total cost turned out to be $1335, which is an extremely low price for how fast this computer is.

The Tech Details

First of all, the case was not as good as I hoped in many cases. The default SSD 2.5″ to 3.5″ adapter that came with the vertex didn’t work at all with the “easy to use” no-tools mounting system (which was nice once I grabbed an extra adapter I had laying around). Additionally, these plastic mounting pieces were very fragile.  Quite frankly, I don’t completely trust them to hold in a hard drive. The back of the case is VERY flimsy (it’s aluminum), making changing ram sticks surprisingly annoying because the part that the motherboard is screwed into kept bending back and forth while pushing. Other than that, the case was pretty good. The lighting was good looking (not gaudy or anything), and the built-in fan controller was pretty cool (no pun intended). My final take on the case: great deal for the price, which was only $70 + $20 shipping when I got it. Not too great build quality, but I have a feeling Apevia will be pretty good once they fix some of these design issues.

The PSU I got was obviously made for a mid-tower case. There were not many 4-pin fan plugs and the wires were pretty short (I had to put my SSDs on the top part of the drive bay, otherwise the cords would not have reached). It was a surprisingly small PSU (considering I’m used to working with significantly larger ones) which was not a bad thing. The optional plugins are handy, but the fact that there were only three was weird, and one is taken if you want to have a graphics card (there is no graphics power plugin by default, you have to add the SLI optional plug). Even with all of the optional plugs, I had to double up on some of the fan plugs (plug two into one). My take on this PSU: great for a mid-tower but not for a full tower. I would buy it again if I were buying a mid-tower for sure.

This motherboard was great. It fit right into the case, boots up pretty fast, and has a lot of features (which I will go over soon). It has a total of four SATA III and four SATA II connections, which is more than enough in my case. The first thing I did when I booted up was look through the BIOS which was very promising. It had a lot of Overclock settings for the faint of heart or even the experts, with pre-defined settings or manually set options. Changing the RAM clock took almost no time at all. Driver install for this thing was incredibly easy. I popped the CD in, checked which things I wanted to install, and clicked Install, then it lead me to more additional drivers I could choose from. Their Smart 6 tool is awesome. You can choose from different BIOS settings with different users/passwords and different settings, overclock the processor (with a GUI and everything), and more. The Smart 6 overclock tool is really simple, you just click which setting of overclock you want, and it does it and applies the setting at restart. Also, the Intel Smart Response Technology (ISRT) that the motherboard installed was really nice for RAID management. It let me set up new raid volumes, manage drives, change the RAID type of predefined RAID volumes (I sent it right from RAID 1 to RAID 0 with no difficulty), and more with a nice GUI too. My final take on the motherboard: great deal for any one! I would certainly buy one again.

As usual G-Skill is awesome. I’ve had over 60 GB worth of 4GB sticks from them and haven’t had a problem with any of them yet.

Now for the fun part: the SSDs. These things are FAST. They worked right out of the box (no firmware updates or anything). I set them up in RAID 1 (changed later) at first for redundancy, which gave me ~112GB of disk space, and when I ran Crystal Disk Mark, I was pretty happy with the results: 700MB/s seq read and 133MB/s seq write. Note that in RAID 1, the total disk space is the size of the highest disk size (112GB), but if one drive fails, the other can keep going. Then I switched them to RAID 0 for speed, which gave me a good 224GB of disk space and rocked a solid 815MB/s seq read and 322MB/s seq write! While installing Windows 7, the “Copying Windows Files” section went straight from 0% to 100% hitting no point in between in a split second. I thought that was pretty amusing.  With no software optimization (e.g. registry edits) Windows went from BIOS to login in 8 seconds flat (the average windows installation usually takes about 20 seconds).

Windows Experience Index:
Processor: 7.6 (before any overclock)
Memory: 7.6 (before any overclock)
Graphics: 7.0
Gaming Graphics: 7.0
Primary Hard Disk: 7.9

Windows Experience Index measures performance on a scale of 1.0 to 7.9

Overall: loved the build! Crazy fast, no problems with setups. The bottleneck: graphics (not a problem in this case).

He’s running dual monitors right now, but I might add a second graphics card (probably just a $50 generic one) for another two (total of four).

Zero Remorse's new template

Zero Remorse, a professional Australian gaming team,  has asked for a complete reconstruction of their website. I’m developing the PHP and MySQL server-side and the XHTML, CSS, JS, jQuery, and AJAX client-side. This includes incorporation into a PHPBB forums system, a recent, upcoming, and current matches feature, and much more.

Well, this is posted a few months after the actual completion and launch of EoReality‘s new template. This template was designed by sYnergy Forge (check them out, my favorite game/clan template designer I’ve ever seen) and coded in XHTML/PHP/CSS and some jQuery/Javascript/AJAX.

About EoReality:

By providing the highest quality performance servers in the industry, EoReality has gained the trust of top teams, organizations, and players. EoReality runs its highly optimized servers on premium networks to ensure the lowest possible pings, best trace routes and accurate hit registration. What are you waiting for? Stop playing and start gaming. End of Reality.

EoReality now provides hosting for my server(s), which allows upload speeds of up to 1gbps (as if that high is even needed) because it runs on Google Fiber’s new super-fast network.

Note: EoReality will be replacing the template I developed with a new one in the near future, so sorry if mine isn’t there any more.

]]> http://zanehooper.com/blog/eorealitys-new-website.html/feed 0 http://zanehooper.com/blog/php-security-part-2-protecting-vulnerable-files.html http://zanehooper.com/blog/php-security-part-2-protecting-vulnerable-files.html#comments Mon, 12 Jul 2010 03:01:29 +0000 Zane Hooper http://zanehooper.com/?p=25 While developing, a lot of files are files you don’t want users to see – whether they are admin, config, or page files – should be well secured.

Admin Files

You’re administrative home page (if you have an administration panel) should require the user to be of a certain level (state, whatever you want to call it) or in a certain user group. This value SHOULD NOT be stored in a cookie. Cookies can be modified too easily, and a nosy hacker would be able to be in your admin panel in seconds.

If you have properly secured your admin panel so that a regular user cannot access it, the next step is to secure the files (assuming you’re using a paged interface, which I will explain here).

A paged interface is one in which there is a home page that includes files in a pages folder of some sort. There are multiple insecurities that I will cover with this:

1. Users accessing the directory of the pages
2. Users accessing other directories through this system

1. Users accessing the directory of the pages

This can happen through multiple ways. One thing you must do is make sure that the file exists using if( file_exists( $file_name ) ), otherwise a user could enter an incorrect value and PHP will try to include a page that doesn’t exist. This step covers up your tracks for hiding the directory.

Next, you want to protect the files of the directory. My favorite way to do this is through a .htaccess file (for apache users). In the pages directory, add a .htaccess file with the contents:

This protects the path and sends the user to the specified path. This could be a home page, a 404 error, page, or whatever you want. I do know that some people don’t like this method, or don’t have Apache, so the other way would be to use define( ‘SITE’, true ); in your index page and then add at the beginning of everyone of your pages, add if( !defined(‘SITE’) ) die( ‘Hey! You\’re not supposed to be here!’ );

These methods protect your pages directory from direct access but still allow use of PHP’s include(  ), include_once(  ), require(  ), and require_once(  ) functions.

2. Users accessing other directories through this system

This is a pretty simple hack that I found once while testing out the security of my files. I thought “Well, if I can access anything in the pages directory, what’s to keep me from accessing other directories?”

This hack is quite simple actually, and allows the hacker to figure out entire directories of a website and generate plenty of errors. As I said in Part 1, to be good at security you need to learn to hack first. So here’s how the hack works:

[Some Website]/index.php?page=ucp

Seems pretty simple right? That’s how links work. The PHP script then performs include( ‘pages/ucp.php’ ), but what if we change UCP?

[Some Website]/index.php?page=../index

Hmm… PHP interprets this as include( ‘pages/../index.php’ ), which includes the index page again. Now we start getting errors. Actually, now it includes the index page over and over until the page breaks. Now the user can do some snooping around, with things like:

[Some Website]/index.php?page=../admin/delete_user&id=1

Using things like this the user can access admin/delete_user.php?id=1 and wreak havoc on the website. The simplest protection ever can fix this:

$page = str_replace( ‘../’, ”, $page );

And you’re done!

Up Next: PHP Security: Part 3 – XSS Worms/Hacks

One of the best ways I find to be able to make a secure website is to try and find possible insecurities in OTHER websites (AKA, hacking). Try and go to a website and put a few hours into finding a security problem. Maybe your website isn’t secure against this?

Part 1 – SQL Injections

SQL Injections are one of a programmer’s biggest nightmares. SQL Injections can be used to steal, delete, or edit data that is supposed to be protected. Like you can use SQL for your websites, SQL might also be able to be injected into your code. Let’s take a normal login form, for instance:

<form method="post">
<label for="username">Username:</label><input type="text" name="username" id="username" />
<label for="password">Password:</label><input type="password" name="pass" id="password" />
</form>

This simple little script will give us a login form. Now the PHP side of things will do something like so:

<?php

$username = $_POST['username'];

$password = $_POST['pass'];

$user = mysql_fetch_array( mysql_query( "SELECT `id` FROM `users` WHERE `username` = '{$username}' AND `password` = '{$password}' LIMIT 1" ) );

?>

Simple enough, right? Maybe you encrypt your password (which we will talk about in another part), but that’s beside the point.

The Problem:

Now a hacker would enter something like this into the username field: ‘ OR ’1′ = ’1′# and then the query would look like so:  SELECT `id` FROM `users` WHERE `username` = ” OR ’1′ = ’1′#’ AND `password` = ‘{$password}’ LIMIT 1

This would allow the hacker to access accounts without even having a password to the account. The # escapes the rest of the query so that SQL doesn’t take it into account.

The Fix

Now to fix this problem we have to “escape” the data. In PHP, a “\” before an apostrophe. I use a global clean so I don’t forget to clean out any inputs. This cleans out ALL cookie, session, POST, GET, and REQUEST data.

The Function:

function Clean( $var )
{
if( is_array( $var ) )
{
foreach( $var as $key => $val )
{
$var[$key] = $this->Clean( $val );
}
}
elseif( is_string( $var ) )
{
$var = str_replace( '\&', '&', escapeshellcmd( htmlentities( $var ) ) );
}
else return;
return $var;
}

This function grabs $var and cleans all of its values, returning the sanitized variable. The escapeshellcmd(  ) function cleans different SQL-dangerous values,while the htmlentities(  ) function cleans things like “<” or “>” (HTML Entities). The use of the Clean(  ) function:

$check = array(
	'_ENV',
	'_GET',
	'_POST',
	'_FILES',
	'_COOKIE',
	'_REQUEST',
	'_SESSION'
);


foreach( $check as $key => $elm )
{
	${$key} = Clean( ${$key});
}


This example will clean all inputs to DB friendly values! This also cleans out things like <script> or <a> that could possibly lead to dangerous outputs.

Up Next: PHP Security: Part 2 – Protecting vulnerable files

1. Allowing a background to be set with CSS or a transparent background
2. Removing borders from around the iframe (they look like crap)

The Background

In Internet Explorer, if you try to add a background (or have a transparent background) with your page’s CSS it doesn’t work. Instead, it keeps a white, boring background from the iframe (assuming the iframe has no background set). This little code will fix this problem, allowing transparent or colored backgrounds to be set through CSS.

Inside of your <body> tag in the HTML of the iframe, set the background style to “inherit” (<body style=”background:inherit;”>) and you can have a background using CSS from your page. It’s that simple.

Note: If you are making a transparent background, you need to add allowtransparency=”true” to the <iframe> tag as one of its attributes.

Note: If you want to make this iframe of a page that you cannot edit, look into using PHP to modify the <body> tag.

The Border

This one is just as simple, and can be done straight from the HTML. Add to the <iframe>’s attributes the following: frameborder=”0″

My Jobs:

• Javascript/AJAX for an interactive front/back -end interface
• PHP/MySQL for a secure but fast server
• CSS/XHTML for a dazzling look

Expect more updates on WGCup in the future.

Zane

I hope to install (or create) some good addons for WordPress pretty soon.

Zane