

Differences

This shows you the differences between two versions of the page.

howtos:misc:approach_to_web_development_on_slackware [2020/11/27 20:43 (UTC)] – [Web Dev primarily HTML and PHP] captain_sensible
howtos:misc:approach_to_web_development_on_slackware [2020/12/01 16:54 (UTC)] (current) – [Structure of HTML & PHP] captain_sensible
Line 7: Line 7:
  
 There will be some embedded information on HTML and PHP, what they do and what they do not do. I will probably throw in some anecdotal  info from my experience. There will be some embedded information on HTML and PHP, what they do and what they do not do. I will probably throw in some anecdotal  info from my experience.
 +
 +==== Structure of HTML & PHP ====
  
      
Line 35: Line 37:
  
 There are many alternatives to working with HTML documents using a text editor, but as good as any in my opinion is geany available from [[slackbuilds.org]].It has basic text highlighting and gets the job done. There are many alternatives to working with HTML documents using a text editor, but as good as any in my opinion is geany available from [[slackbuilds.org]].It has basic text highlighting and gets the job done.
 +
 +
 +==== Using Built in PHP dev Server to render HTML ====
 +
 +
  
 Now, if we were working with geany and saved the above text as a file say  index.html to your  Desktop, you then  have two choices; open and edit with a text editor or open it as intended with a web browser. If you do that, all you will see is "hello world" Now, if we were working with geany and saved the above text as a file say  index.html to your  Desktop, you then  have two choices; open and edit with a text editor or open it as intended with a web browser. If you do that, all you will see is "hello world"
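Review bot: the new "Using Built in PHP dev Server to render HTML" heading in the Line 35/37 hunk lands between the HTML snippet and the paragraph that opens "Now, if we were working with geany and saved the above text", so "the above text" now points back across a section boundary; either move the heading above the snippet or reword the opener to name the file (for example "saved the hello world snippet as index.html"). The two blank `+` lines on each side of the heading are also more than the single blank line used around the other headings added in this revision.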
Line 125: Line 132:
  
 Click on the line that says //about_me// and you will see that the HTML document about_me.html is now rendered. You now have the basis for a few pages on your web site. Some will pooh-pooh this, but it's better than the option of no web site, if you are a small business. Without a web site in today's world, you can't be found. Click on the line that says //about_me// and you will see that the HTML document about_me.html is now rendered. You now have the basis for a few pages on your web site. Some will pooh-pooh this, but it's better than the option of no web site, if you are a small business. Without a web site in today's world, you can't be found.
 +
 +
 +==== Making use of HTML presentation but with PHP functionality ====
  
  
Line 160: Line 170:
 Refresh your browser and now what do you see? Quite a lot of information concerning PHP! Refresh your browser and now what do you see? Quite a lot of information concerning PHP!
 When I first did this it demonstrated the potential of PHP.  When I first did this it demonstrated the potential of PHP. 
 +
 +==== Introducing Databases into the mix  ====
 +
 +
 Next we will have a simple look at using a database.When you mention anything about databases most people immediately think MySQl or Maria;so you can't do anything with a database on your Desktop since you need a daemon. Well actually you can since sqlite3 is server-less. Next we will have a simple look at using a database.When you mention anything about databases most people immediately think MySQl or Maria;so you can't do anything with a database on your Desktop since you need a daemon. Well actually you can since sqlite3 is server-less.
 Assuming our Terminal Emulator is in webPlay lets create a database from the command line. Actually lets first check we have the tools in place: Assuming our Terminal Emulator is in webPlay lets create a database from the command line. Actually lets first check we have the tools in place:
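Review bot: the heading "Introducing Databases into the mix  ====" carries a double space before the closing marks; tidy it to match the others. Separately, the context just above it says that refreshing the browser shows "Quite a lot of information concerning PHP": whatever script produces that listing discloses the server's PHP configuration, so the section this heading closes should tell the reader to delete that file before the site is served to anything other than localhost.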
Line 251: Line 265:
 which is another approach for working with web development.  which is another approach for working with web development. 
  
 +
 +==== PHP framework ====
  
 Before we look at xampp and apache i'm going to mention composer [[https://getcomposer.org/|composer ]] Before we look at xampp and apache i'm going to mention composer [[https://getcomposer.org/|composer ]]
Line 314: Line 330:
  
 There are pro's and cons. Its doesn't use your system PHP as far as i understand it, so your own PHP might be more up to date than xampp, then there are issues like updating. From my limited understanding a web server does not come as default with other distros, so for them they have the choice: should I install apache or give xampp a go, maybe thinking at least I won't bork my system- its quite understandable. There are pro's and cons. Its doesn't use your system PHP as far as i understand it, so your own PHP might be more up to date than xampp, then there are issues like updating. From my limited understanding a web server does not come as default with other distros, so for them they have the choice: should I install apache or give xampp a go, maybe thinking at least I won't bork my system- its quite understandable.
 +
 +
 +==== Setting up a Development Environment using Apache ====
  
  
Line 335: Line 354:
 # mv CI4.zip /var/www/htdocs  # mv CI4.zip /var/www/htdocs 
 </code> </code>
 +
 +===  Approach To permission problems ===
  
  
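Review bot: "===  Approach To permission problems ===" uses three marks and a double space after the opener, while every other heading added in this revision uses four marks and a single space; if it is meant as a subsection of the Apache section that is fine, but trim the spacing and lower-case "To". Since it follows directly on the root `mv CI4.zip /var/www/htdocs` step, it would help to say up front that the subsection covers ownership of what was just dropped into htdocs, so the reader does not keep working as root from that point on.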
Line 408: Line 429:
 secrets when I show you my local WP ;it looks like this: secrets when I show you my local WP ;it looks like this:
  
-{{:howtos:misc:wp_users.jpg?600|}}+{{:howtos:misc:wp_users.png?600|}}
  
 Its an extract of how WP uses Sqlite (yes you can opt for sqlite  instead with WP)   WordPress seems to be poorly written and a word of warning; in a default install its possible to display user login credentials via a simple get request to the domain!So the security of connecting to a database adds nothing to the security of your user credentials with WP Its an extract of how WP uses Sqlite (yes you can opt for sqlite  instead with WP)   WordPress seems to be poorly written and a word of warning; in a default install its possible to display user login credentials via a simple get request to the domain!So the security of connecting to a database adds nothing to the security of your user credentials with WP
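Review bot: the only change here is the image swap from wp_users.jpg to wp_users.png, and the surrounding text says the picture is an extract of the WordPress users table and shows "secrets"; before the PNG is published, confirm that the hashed password column and any email addresses are blurred or cropped, even though it is a local install. The context sentence also says a default install can "display user login credentials via a simple get request", but what the enumeration shown elsewhere on this page exposes is user names, not passwords; "user names" is the accurate word.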
Line 484: Line 505:
  
 Note the 127.0.0.9 in address bar and that I can now work with framework and edit as user andrew , without risk of messing up system as root. If you follow this through and you get a problem its probably either your php version is < than 7.3 or I did something somewhere forgot about it and  forgot to mention . Note the 127.0.0.9 in address bar and that I can now work with framework and edit as user andrew , without risk of messing up system as root. If you follow this through and you get a problem its probably either your php version is < than 7.3 or I did something somewhere forgot about it and  forgot to mention .
- 
- 
- 
-== Pen-testing  == 
- 
-One element that can be taken advantage of, having your web development running in Apache web server and viewable via local host is pen-testing. 
-I will for the sake of brevity stick to relevance of pen-testing using Slackware. 
- 
-In today's world its probably naive to just upload you web to your hosting server without some checking. Its much easier to test locally than pen-testing your live web too. 
- 
-Pen-testing puts a load on your server and I once got a warning about bandwidth usage from my hosting provider due to excessive requests on my web probably from a bot or a hacking scan software. Also its much easier to edit any files or test plugins locally than live.  
- 
-I have a default WordPress  install in Apache which I can view from localhost url  http://127.0.0.8/ so I will use that url to do  some basic pen-testing on Slackware.  
- 
- 
-The first test will use software  from OWASP which you can use to  check vulnerability such as CSRF . To get Zap from OWASP go to :   
- 
-[[https://www.zaproxy.org/getting-started|OWASP]] 
- 
-  
-Download th Linux version and unzip it say to Desktop. Open a terminal, cd into ZAP_2.9.0 and then  
-<code> 
- 
-bash-5.0$ ./zap.sh 
- 
-</code> 
- 
-All I have to do is type the url http://127.0.0.8 into the text box , and left click the “attack” button   
- 
-{{:howtos:misc:zap_gui.jpg?900|}} 
- 
- 
-Result was 31 alerts on csrf, 19 XSS 
- 
-The next test will involve wpscan. Now let me just say i’m not giving away any hacking secrets here, more a case of making  those not in the know, aware of how vulnerable there web might be. Wpscan is not avialable on slackbuilds but conrad has the txz package which on my not so current, current (5.4.12)installed and works with no issues:   
-<code> 
- conrad      wpscan-3.8.10-x86_64-1cf.txz         
-</code> 
-To show you how vulnerable your user logins are, I will demonstrate by running  this command     
- 
-<code> 
- 
-bash-5.0$ wpscan  --url http://127.0.0.8      --enumerate u 
-</code> 
-output:  
-<code> 
- 
-[i] User(s) Identified: 
- 
-[+] fredy 
- | Found By: Author Posts - Display Name (Passive Detection) 
- | Confirmed By: Rss Generator (Passive Detection) 
- 
-[+] fred 
- | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection) 
- 
-[+] andy 
- | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection) 
- 
-</code> 
-If you look at the above output ,you will see users were retrieved from the wp database table "users" . 
-Now the users were designated during setup and install of WP and then I also did a manual edit of the database.  
-The software successfully easily obtained users.Im using sqlite3 as the database with WordPress, if your using MySQL it makes no difference. 
- All hackers have to do is run wpscan using one of user login against password list. WordPress users you have been warned.  
- 
- 
  
  
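Review bot: dropping the Pen-testing block is reasonable, since it closed by pointing readers at running user logins against password lists, but two loose ends remain. The WordPress paragraph earlier on the page still carries the "word of warning" that this section used to substantiate, so it now reads as an unsupported aside; either trim it or keep one sentence there stating that a default install lets author user names be enumerated, which is why login hardening matters. The removal also discards the one genuinely defensive point the section made, that scanning a local copy under Apache avoids hammering the hosted site (the author's own bandwidth warning); that sentence could live under the Apache section without any of the tool output.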