博客园-流云止水布拉阁

最新新闻：
· 美博客列20家值得关注纽约创业企业(2010-03-18 23:49)
· 王建宙：希望在国内销售苹果iPad和iPhone(2010-03-18 22:53)
· 传网易微博20号正式上线门户网站角力微博(2010-03-18 22:48)
· 蓝港CEO王峰谈3年开发感悟：有点唠叨像唐僧(2010-03-18 22:07)
· [视频]想做你的Code(2010-03-18 22:03)

SQLite: Lean, Mean DB Machine

阿木戈多 — Thu, 07 Jun 2007 04:40:00 GMT

阅读: 512 评论: 0 作者: 阿木戈多发表于 2007-06-07 12:40 原文链接

摘自：zend，作者：aschlag

When most of us think of PHP, we think of developing for the web. In most cases we will be using a LAMP-based server setup, with our favorite web scripting language contributing the P. In most cases, the M is filled in with MySQL, although PHP does include support for several other database systems. Is a full-blown database server even necessary for most PHP applications? What about a data-driven website like a blog or a simple family photo album or message board? In these and may other cases, the small, simple, and extremely powerful SQLite may be all you need. Let's take SQLite out for a test drive and see how it performs, find some of the quirks you might run in to, and how to get the most use out of it.

Warming It Up

SQLite has been a PHP staple since version 5, and is available as a PECL extension for PHP 4. There is also SQLite support in PDO; in fact, the PDO SQLite extension is the only way you can get support for SQLite 3. There are already some good articles covering the SQLite 2 extension, so we are going to focus exclusively on PDO. This will also allow us to take advantage of SQLite 3's new features.

Warning: SQLite 3 uses a new (and incompatible) file format to store its databases. You can read SQLite 2 databases with SQLite 3, but the file will be converted to the SQLite 3 format. Once this is done you can't undo it. You have been warned!

PDO is standard in PHP 5.1, so if you're using the latest PHP release you have everything you need. The extension will be built by default, so unless you want Unicode support no extra configure options are needed. There is one caveat to building SQLite with PHP. If you are building the standard SQLite extension alongside PDO SQLite, then you should build them both shared or both not shared since standard SQLite now depends on PDO SQLite for some functionality. You should also enable the PDO extension before the SQLite extension in php.ini (see the SQLite PHP documentation for more details).

SQLite is also light on configuration options, because there aren't any! Two options that may affect you opening or creating a SQLite database file do exist, though. SQLite is safe_mode and open_basedir aware, which means if PHP is restricted by either option within the file system, you may get the following error:

safe_mode/open_basedir prohibits opening /tmp/litedb.sq3

If you ever see this error you will either have to adjust your safe_mode/open_basedir settings or use a different directory/filename for you SQLite database.

Test Drive

Now that we have the configuration basics out of the way, let's connect to a new SQLite database and try it out. PDO provides a standard interface to supported databases, and connecting is no different. The only unique part of connecting to a database is the DSN, which for SQLite consists of the driver prefix sqlite and the path to the database file:

$dbh = new PDO('sqlite:/path/to/my/sqlite.db3');

It doesn't matter what the database file is called (or what extension it has), just as long as PHP/SQLite can find the file and open it. I use the db3 extension to differentiate that this is a SQLite 3 database. No username or password is required here since there is no server to log in to.

(SQLite 2 Users: PHP 5.1 provides a SQLite 2 driver for PDO; just use sqlite2 as the driver prefix instead. This is provided for backwards compatibility when you don't want to convert a database to SQLite 3)

From here you can do anything you would normally do with PDO. If you just created a new database, you probably should create a table to store data in:

$dbh->exec("CREATE TABLE table1 (id INTEGER PRIMARY KEY, col1 TEXT UNIQUE, col2 TEXT)");

Now that we have a table, we can insert some data into our table using a prepared statement:

$stmt = $dbh->prepare("INSERT INTO table1 (col1, col2) VALUES (:col1, :col2)"); $stmt->bindParam(':col1', $col1_val); $stmt->bindParam(':col2', $col2_val); // insert our data $col1_val = "sqlite"; $col2_val = "rocks"; $stmt->execute(); $col1_val = "this needs to be unique"; $col2_val = "this doesn't!"; $stmt->execute();

You can check the results with a simple SELECT query:

foreach ($dbh->query('SELECT * FROM table1', PDO::FETCH_ASSOC) as $row) { print_r($row); }

We now have two rows in our database:

Id
col1
col2

1
sqlite
rocks

2
this needs to be unique
this doesn't

Two things you should notice here if you haven't picked them up already. First, the id column has incremented values. In SQLite, if you set a field to INTEGER PRIMARY KEY, it will automatically be an AUTO INCREMENET column as well. The second thing to notice is the apostrophe for the second row we inserted in col2. PDO automatically did the right thing and made sure the data inserted was properly escaped when the query was executed.

We've covered the basics on creating a SQLite database and how to do a few standard queries, so now let's go over some of the unique features that make SQLite fast...and behave in strange ways if you're not careful.

(Not So) Standard Features

One of the great features of using SQLite for storage instead of a flat file is that you can use standard SQL to manage your data as if you were using a more sophisticated database management system. However, there are some key features of SQL 92 that SQLite does not support. The most obvious is that SQLite lacks most of the standard SQL data types. To keep the library lean and mean, SQLite only supports the most basic data types that would cover all data you would see in a RDBMS. Here is the list of data types SQLite 3 uses:

NULL: the values is simply a null value
INTEGER: a signed integer; it is stored in 8, 16, 24, 32, 48 or 64 bits, depending on the magnitude of the number
REAL: an 64 bit IEEE floating point number
TEXT: any length text string; can be in ISO-8859-1, UTF-8 or UTF-16 encodings (UTF-16 will be either big or little endian, depending on your machine)
BLOB: a standard binary object that is stored exactly as input

Even though SQLite doesn't support all of the standard SQL data types, it does support the syntax of making a column VARCHAR(18), BIGINT, or DOUBLE. Just be aware that internally, SQLite is using one of the five types above to store your data. A column that is VARCHAR(18) is not going to store 18 characters for each row of data, neither will it complain if you insert a 19+ character string. This will also affect how your data is returned in a SELECT query (like the lengths to VARCHAR or NUMERIC) you set will be ignored.

There are some important and powerful SQL commands and statements that aren't supported, either. ALTER TABLE is limited to renaming a table (RENAME TABLE) and adding a column (ADD COLUMN). RIGHT and FULL OUTER JOIN are not implemented, either. More advanced features that are either partially supported or completely missing are foreign key constraints, triggers, nested transactions, and writing to views. GRANT and REVOKE are also missing, since they are unnecessary given SQLite's current implementation (no login required!). For most work though, SQLite is more than powerful enough to handle whatever data you throw at it.

The last feature (or lack thereof) of note in SQLite is its use of manifest typing. Manifest typing keeps the data's type with the data, not with the table column (which is known as static typing). Just as PHP will try and convert values into other types when it is expecting a different type than given, SQLite will try and do the same thing. For example, if we run the insert query above again with the following data:

$col1_val = 50870; $col2_val = 2308.4237988920; $stmt->execute();

The values for $col1_val and $col2_val will be converted in to strings (TEXT type) and stored as such in SQLite. For a numeric column SQLite will try and convert the string into its numeric value. If there are ANY invalid characters in the string, the whole string will be stored as a string instead of a number (unlike PHP, which will convert "15abc" into 15 when expecting and integer). Finally, the only time SQLite will enforce a data type is when a column is declared as INTEGER PRIMARY KEY. Here an integer value is required.

Built for Speed

There are several techniques that you can use to boost the performance of a SQLite database. Some of these may apply to other DBMS' too.

Fire on All Cylinders

SQLite makes use of indexes (no, not indicies!), so use them! If you are going to run a SELECT query using a particular column value (WHERE clause) or are going to perform a JOIN on a specific column, then by all means add an index to that column:

$dbh->exec('CREATE INDEX col2 ON table1 (col2)');

As you can see, you don't need to alter a table to use an index. You can even create indexes on multiple columns if they are going to be used together in a WHERE or a JOIN. The only column you don't want to ever create an index on is a column that is declared INTEGER PRIMARY KEY (such as the column id above). SQLite automatically creates an index on those columns, and adding an additional index would just slow things down. In fact, this is a good rule of thumb for creating indexes in general. Don't use them unless you are going to perform a WHERE or JOIN on them. The overhead of keeping track to too many indexes on INSERT, UPDATE, or DELETE queries may offset the performance gain you would see on SELECT queries.

Give it Some Gas

If you are going to be performing several updates (INSERT, UPDATE, DELETE) to a table at once, bundling them in a transaction will significantly increase the speed of the updates. SQLite will perform a hard disk write for each query that modifies the database, whereas if several updates were performed in a transaction SQLite will perform a single write for the entire transaction. PDO also makes transactions painfully simple. Here is the insert we did before as a transaction:

// insert our data, but use a transaction $dbh->beginTransaction(); $col1_val = "sqlite"; $col2_val = "rocks"; $stmt->execute(); $col1_val = "this needs to be unique"; $col2_val = "this doesn't!"; $stmt->execute(); $dbh->commit();

Not much to it really. Be aware though that if something catastrophic happens before you commit your transaction you will lose all the data you didn't yet save in the database.

Pedal to the Metal

If you have read any of the other articles about PHP and SQLite you are probably familiar with the SQLite unbuffered query functions. Well, lucky for you, PDO uses unbuffered queries by default (just ask Wez). Next!

Get Under the Hood

SQLite supports the PRAGMA statement as a SQL command to set special parameters on the database. There is some great documentation on what you can do with PRAGMA, and there is one (safe) PRAGMA setting that will affect the speed of SQLite:

PRAGMA cache_size =

If you are going to perform quite a bit of UPDATEs or DELETEs, and you don't mind using a bit more memory, increasing cache_size can help speed things up a bit. This setting will reset after the database is closed.

The PRAGMA commands are a great way to query and tweak the internals of SQLite, so check out the documentation if you'd like to learn more.

Reduce Drag

One final way you could potentially get greater speed out of SQLite is by creating an in-memory database. If you specify the path to your SQLite database in the PDO DSN as :memory: the SQLite driver will create an in-memory database instead of one in the file system. This database will be destroyed at the end of your PHP script, but may be useful in some situations where quick, temporary storage is necessary.

Routine Maintenance

Wash and Detailing

By default when you delete data from a SQLite database the space is kept and reused by SQLite, and thus is not available to use for other files. If you would like to free up this "reserved" space, then simply run the query VACUUM. If you desire to have this done for you by default you can set the PRAGMA value auto_vacuum if you haven't added any tables to a database yet.

Tune Up

If you can properly order tables in JOINs and index the proper columns you will get the most performance on your queries. For example, SQLite will translate a JOINs into extra WHERE clauses. For example, the following SELECT statement:

SELECT * from table1 JOIN table2 ON table1.common = table2.common;

Would be translated into this:

SELECT * from table1, table2 WHERE table1.common = table2.common;

You won't see a significant speed increase with simple queries like this one, but if you have several queries that are JOINing tables, then it may not be a bad idea to do this kind of translation yourself.

Also try to have at least one index available when you are performing any kind of JOIN or query on more than one table. The idea here is to reduce the time it takes to iterate through both tables to find the values that meet your JOIN criteria. Try to make sure that the second table you specify is indexed on the column you are JOINing on. If you'd like more details, you can find them in this SQLite Wiki article.

Empty Out the Trunk

Each time you access a SQLite database in your PHP scripts you are reading another file from the filesystem (well, almost every time, but for the sake of argument let's keep it simple, ok?). The more data that is stored in the database, the longer it is going to take to load. So, what can you do about it?

The first rule of thumb is to avoid storing large binary files in your database. Store the path to the file instead, and set up a special directory to hold the files you would have normally stored in the database. For example, if you are developing a photo management system and wanted to have the ability to tag photos and create comments a la Flickr you could store the tags and comments in a SQLite database along with a "link" to where the actual photo is on your local files system.

If you just have a lot of data in general and SQLite is slowing you down, you may want to think about compressing data before it is stored in your database. This would make searching harder, but for fields that contain a significant amount of data compression may be beneficial. What's more, you could define your compress/decompress functions as User Defined Functions and call them through SQL, making the process completely seamless. Before you run off and implement compression though, make sure you test and see if you gain any actual speed improvements since the actual compression/decompression does make a hit on the CPU.

Custom Parts

Two very cool ways to extend your use of SQLite are through the use of User Defined Functions (UDF) and User Defined Aggregate Functions. Both UDFs and aggregate functions allow you to create functions in PHP that you can then call through ordinary SQL statements. So, would you like an example?

User Defined Functions

The sqliteCreateFunction() method contains all the magic to attach a PHP function to SQLite. Let's create a compression function to dynamically compress a large data field, like possibly an article from that new blog system you're working on.

function compress_data($data_string) { return gzcompress($data_string, 6); } $dbh->sqliteCreateFunction('compress', 'compress_data', 1);

We just registered our PHP function compress_data as a new SQLite function compress. We can now use compress in any query we'd like:

$stmt = $dbh->prepare("INSERT INTO articles (auth_id, date, article) VALUES (:auth_id, :date, compress(:article))");

I will leave you to implement a decompress function. :)

User Defined Aggregate Functions

Aggregate functions perform a function over a collection of data, such as the standard SQL functions avg() and stddev(). To operate on a collection of data you need to create two functions. The first function will be called for each individual piece of data. The other function will perform any other actions on the aggregated data and return the result. Here is an example that implements MySQL's GROUP_CONCAT function:

function group_concat_step(&$context, $string, $separator = ',') { $context .= $separator . $string; } function group_concat_finalize(&$context) { return $context; } $dbh->sqliteCreateAggregate('group_concat', 'group_concat_step', 'group_concat_finalize', 2);

To use it you can call group_concat(column, ' * '). This differs slightly from MySQL, where the same function would be called as GROUP_CONCAT(column SEPARATOR ' * ').

Check Engine Light

As great as SQLite is, it may not be the best choice for your needs. SQLite does not handle large numbers of users as efficiently as a client/server RDBMS does. It also doesn't play well with network filesystems. As with any other piece of technology, make sure you evaluate SQLite first to see if it is right for you. You may be surprised.

Finish Line

SQLite provides some very nice features as a zero configuration no overhead database system, and is a great addition to any PHP developer's toolbox. Yes, it may not always be the best tool for the job, but that's why PHP also supports MySQL, PostgreSQL, etc., etc. If you have any personal SQLite hints, tips, or gotchas please post them in the comments for all to share. Drive (and code) safely!

评论: 0　查看评论　发表评论

测试使用windows live write发文章

阿木戈多 — Thu, 31 May 2007 00:51:00 GMT

阅读: 108 评论: 1 作者: 阿木戈多发表于 2007-05-31 08:51 原文链接

测试一下

评论: 1　查看评论　发表评论

男人25岁前的忠告

阿木戈多 — Mon, 12 Mar 2007 11:45:00 GMT

阅读: 579 评论: 3 作者: 阿木戈多发表于 2007-03-12 19:45 原文链接

1. 男人是社会的主体，不管你信或不信。所以男人应该有种责任感。
　　2. 25岁之前，请记得，爱情通常是假的，或者不是你所想象的那样纯洁和永远。如果你过了25岁，那么你应该懂得这个道理。
　　3. 吃饭7成饱最舒服。对待女友最多也请你保持在7成。
　　4. 30岁之前请爱惜自己的身体，前30年你找病，后30年病找你。如果你过了30岁，你自然也会懂得这个道理。
　　5. 事业远比爱情重要。如果说事业都不能永恒，那么爱情只能算是昙花一现。
　　6. 不要轻易接受追求你的女孩。女追男隔层纱。如果你很容易就陷进去，你会发现你会错过很多东西，失去很多东西。
　　7. 请你相信，能用钱解决的问题，都不是问题。如果你认为钱索王道，有钱有女人，没钱没女人，那么。女人不是问题。
　　8 . 请永远积极向上。每个男人都有他可爱的地方，但是不可爱的地方只有不积极面对生活。
　　9. 不要连续2次让同一个女人伤害。好马不吃回头草，是有他道理的。如果认真考虑过该分手，那么请不要做任何舍不得的行动。
　　10. 如果你和你前女友能做朋友，那么你要问自己：为什么？如果分手后还是朋友，那么只有2个可能:。你们当初都只是玩玩而已，没付出彼此最真的感情。或者：必定有个人是在默默的付出无怨无悔！
　　11. 永远不要太相信女人在恋爱时的甜言蜜语。都说女人爱听甜言蜜语，其实，男人更喜欢。
　　12. 请不要为自己的相貌或者身高过分担心和自卑。人是动物，但是区别于动物。先天条件并不是阻挡你好好生活的借口。人的心灵远胜于相貌，请相信这点。如果有人以相貌取人，那么你也没必要太在意。因为他从某种意义来讲，只是只动物。你会跟动物怄气吗？
　　13. 失恋时，只有2种可能，要么你爱她她不爱你，或者相反。那么，当你爱的人不再爱你，或者从来没爱过你时。你没有遗憾，因为你失去的只是一个不爱你的人。
　　14. 请不要欺骗善良的女孩。这个世界上，善良的女孩太少。
　　15. 不能偏激的认为金钱万能，至少，金钱治不好艾滋病。
　　16. 请一定要有自信。你就是一道风景，没必要在别人风景里面仰视。
　　17. 受到再大的打击，只要生命还在，请相信每天的太阳都是新的。
　　18. 爱情永远不可能是天平。你想在爱情里幸福就要舍得伤心。
　　19. 如果你喜欢一个认为别人应该对她好的mm，请尽早放弃。没有人是应该对一个人好的。如果她不明白这个道理，也就是她根本不懂得珍惜。
　　20. 不要因为寂寞而找gf，寂寞男人请要学会品味寂寞。请记住：即使寂寞，远方黑暗的夜空下，一定有人和你一样，寂寞的人不同，仰望的星空却是唯一。
　　21. 任何事没有永远。也别问怎样才能永远。生活有很多无奈。请尽量充实自己，充实生活。请善待生活。

　　男人有很多无奈，生活很累但是因为生活才有意义。当你以为你一无所有时，你至少还有时间，时间能抚平一切创伤。所以请不要流泪!

评论: 3　查看评论　发表评论

闭关修炼了(打算出关了)

阿木戈多 — Mon, 14 Aug 2006 02:28:00 GMT

阅读: 184 评论: 4 作者: 阿木戈多发表于 2006-08-14 10:28 原文链接

很久没上网了，最近一直在进行封闭式培训，有点郁闷。只好暂停更新

评论: 4　查看评论　发表评论

IIS FAQ

阿木戈多 — Fri, 23 Jun 2006 19:34:00 GMT

阅读: 275 评论: 0 作者: 阿木戈多发表于 2006-06-24 03:34 原文链接

1.如何让asp脚本以system权限运行?

　　修改你asp脚本所对应的虚拟目录，把"应用程序保护"修改为"低"....

　　2.如何防止asp木马?

　　基于FileSystemObject组件的asp木马
　　cacls %systemroot%\system32\scrrun.dll /e /d guests //禁止guests使用regsvr32 scrrun.dll /u /s //删除

　　基于shell.application组件的asp木马
　　cacls %systemroot%\system32\shell32.dll /e /d guests //禁止guests使用regsvr32 shell32.dll /u /s //删除

　　3.如何加密asp文件?

　　从微软免费下载到sce10chs.exe 直接运行即可完成安装过程。
　　安装完毕后，将生成screnc.exe文件，这是一个运行在DOS PROMAPT的命令工具。
　　运行screnc - l vbscript source.asp destination.asp
　　生成包含密文ASP脚本的新文件destination.asp
　　用记事本打开看凡是""之内的，不管是否注解，都变成不可阅读的密文了，但无法加密中文。

　　4.如何从IISLockdown中提取urlscan?

　　iislockd.exe /q /c /t:c:\urlscan

　　5.如何防止Content-Location标头暴露了web服务器的内部IP地址?

　　执行cscript c:\inetpub\adminscripts\adsutil.vbs set w3svc/UseHostName True，最后需要重新启动iis

　　6.如何解决HTTP500内部错误?

　　iis http500内部错误大部分原因主要是由于iwam账号的密码不同步造成的。我们只要同步iwam_myserver账号在com+应用程序中的密码即可解决问题。

　　执行cscript c:\inetpub\adminscripts\synciwam.vbs -v

　　7.如何增强iis防御SYN Flood的能力?

　　Windows Registry Editor Version 5.00
　　[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
　　'启动syn攻击保护。缺省项值为0，表示不开启攻击保护，项值为1和2表示启动syn攻击保护，设成2之后
　　'安全级别更高，对何种状况下认为是攻击，则需要根据下面的TcpMaxHalfOpen和TcpMaxHalfOpenRetried值
　　'设定的条件来触发启动了。这里需要注意的是，NT4.0必须设为1，设为2后在某种特殊数据包下会导致系统重启。

　　"SynAttackProtect"=dword:00000002
　　'同时允许打开的半连接数量。所谓半连接，表示未完整建立的TCP会话，用netstat命令可以看到呈SYN_RCVD状态
　　'的就是。这里使用微软建议值，服务器设为100，高级服务器设为500。建议可以设稍微小一点。

　　"TcpMaxHalfOpen"=dword:00000064
　　'判断是否存在攻击的触发点。这里使用微软建议值，服务器为80，高级服务器为400。

　　"TcpMaxHalfOpenRetried"=dword:00000050
　　'设置等待SYN-ACK时间。缺省项值为3，缺省这一过程消耗时间45秒。项值为2，消耗时间为21秒。
　　'项值为1，消耗时间为9秒。最低可以设为0，表示不等待，消耗时间为3秒。这个值可以根据遭受攻击规模修改。
　　'微软站点安全推荐为2。

　　"TcpMaxConnectResponseRetransmissions"=dword:00000001
　　'设置TCP重传单个数据段的次数。缺省项值为5，缺省这一过程消耗时间240秒。微软站点安全推荐为3。

　　"TcpMaxDataRetransmissions"=dword:00000003
　　'设置syn攻击保护的临界点。当可用的backlog变为0时，此参数用于控制syn攻击保护的开启，微软站点安全推荐为5。

　　"TCPMaxPortsExhausted"=dword:00000005
　　'禁止IP源路由。缺省项值为1，表示不转发源路由包，项值设为0，表示全部转发，设置为2，表示丢弃所有接受的
　　'源路由包，微软站点安全推荐为2。

　　"DisableIPSourceRouting"=dword:0000002
　　'限制处于TIME_WAIT状态的最长时间。缺省为240秒，最低为30秒，最高为300秒。建议设为30秒。

　　"TcpTimedWaitDelay"=dword:0000001e

　　8.如何避免*mdb文件被下载?

　　安装ms发布的urlscan工具，可以从根本上解决这个问题。同时它也是一个强大的安全工具，你可以从ms的网站上获取更为详细的信息。

　　9.如何让iis的最小ntfs权限运行?

　　依次做下面的工作:
　　a.选取整个硬盘：
　　system：完全控制
　　administrator：完全控制
　　(允许将来自父系的可继承性权限传播给对象)

　　b.\program files\common files：
　　everyone：读取及运行
　　列出文件目录
　　读取
　　(允许将来自父系的可继承性权限传播给对象)

　　c.\inetpub\wwwroot：
　　iusr_machine：读取及运行
　　列出文件目录
　　读取
　　(允许将来自父系的可继承性权限传播给对象)

　　e.\winnt\system32：
　　选择除inetsrv和centsrv以外的所有目录，去除“允许将来自父系的可继承性权限传播给对象”选框，复制。

　　f.\winnt：
　　选择除了downloaded program files、help、iis temporary compressed files、offline web pages、system32、tasks、temp、web以外的所有目录
　　去除“允许将来自父系的可继承性权限传播给对象”选框，复制。

　　g.\winnt：
　　everyone：读取及运行
　　列出文件目录
　　读取
　　(允许将来自父系的可继承性权限传播给对象)

　　h.\winnt\temp：（允许访问数据库并显示在asp页面上）
　　everyone：修改
　　(允许将来自父系的可继承性权限传播给对象)

　　10.如何隐藏iis版本?

　　一个黑客可以可以轻易的telnet到你的web端口，发送get命令来获取很多信息，iis存放IIS BANNER的所对应的dll文件如下：

　　WEB:C:\WINNT\SYSTEM32\INETSRV\W3SVC.DLL
　　FTP:C:\WINNT\SYSTEM32\INETSRV\FTPSVC2.DLL
　　SMTP:C:\WINNT\SYSTEM32\INETSRV\SMTPSVC.DLL

　　你可以用16进制编辑器去修改那些dll文件的关键字，比如iis的Microsoft-IIS/5.0

　　具体过程如下:
　　1.停掉iis iisreset /stop
　　2.删除%SYSTEMROOT%\system32\dllcache目录下的同名文件
　　3.修改

评论: 0　查看评论　发表评论

快速驱除U盘病毒

阿木戈多 — Fri, 16 Jun 2006 14:00:00 GMT

阅读: 1688 评论: 2 作者: 阿木戈多发表于 2006-06-16 22:00 原文链接

最近U盘病毒泛滥，追其根源其实是病毒寄居在电脑上通过U盘来传播，曾经用网上别人发的工具杀过，作用不大,基本上是治标不治本，只能同过修改注册表来彻底根除，方法如下：

1、打开任务管理器（ctrl+alt+del或者任务栏右键点击也可），终止所有bittorrent.exe(或者ravmone.exe以下类推)的进程

2、进入c:\windows，删除其中的bittorrent.exe

3、开始-->运行,输入regedit进入注册表，在左边依次点开HK_Loacal_Machine\software\Microsoft\windows\CurrentVersion\Run\，在右边可以看到一项数值是c:\windows\bittorrent.exe的，删除掉

4、完成后，病毒就被清除了。

对于U盘(MP3也算)如果中毒，则把文件夹选项中“隐藏受保护的操作系统文件”钩掉，点上“显示所有文件和文件夹”，点击确定，然后在U盘中会看到如下几个文件，autorun.inf，msvcr71.dl，bittorrent.exe这三个全都删除掉一个不剩，有的时候也许会有一个后缀为tmp的文件，也删除，完成后，病毒就清除了。

评论: 2　查看评论　发表评论

去除KMPplayer2.9的驴头提示

阿木戈多 — Mon, 12 Jun 2006 02:59:00 GMT

阅读: 921 评论: 2 作者: 阿木戈多发表于 2006-06-12 10:59 原文链接

改换KMPplayer2.9,感觉好多了。唯一让我不爽的是，每次播放的时候总是出现一个驴头显示。于是鼓捣了一阵，最后终于使之不显示了。方法如下：

1、在插件---常规用途里找到Toaster for winamp classic。
2、双击“Toaster for winamp classic v0.7.4”插件，点显示，将所有的钩全部取消。（如下图）

3、点确定，重新启动KMP，打开一个文件，ok，驴头不出现了。

　　这时，将KMP最小化，又见到以前那个熟悉的右下角图标啦！

评论: 2　查看评论　发表评论

HTTP错误代码解释

阿木戈多 — Sat, 03 Jun 2006 06:45:00 GMT

阅读: 1746 评论: 0 作者: 阿木戈多发表于 2006-06-03 14:45 原文链接

HTTP 400 - 请求无效
HTTP 401.1 - 未授权：登录失败
HTTP 401.2 - 未授权：服务器配置问题导致登录失败
HTTP 401.3 - ACL 禁止访问资源
HTTP 401.4 - 未授权：授权被筛选器拒绝
HTTP 401.5 - 未授权：ISAPI 或 CGI 授权失败 HTTP 403 - 禁止访问
HTTP 403 - 对 Internet 服务管理器 (HTML) 的访问仅限于 Localhost
HTTP 403.1 禁止访问：禁止可执行访问
HTTP 403.2 - 禁止访问：禁止读访问
HTTP 403.3 - 禁止访问：禁止写访问
HTTP 403.4 - 禁止访问：要求 SSL
HTTP 403.5 - 禁止访问：要求 SSL 128
HTTP 403.6 - 禁止访问：IP 地址被拒绝
HTTP 403.7 - 禁止访问：要求客户证书
HTTP 403.8 - 禁止访问：禁止站点访问
HTTP 403.9 - 禁止访问：连接的用户过多
HTTP 403.10 - 禁止访问：配置无效
HTTP 403.11 - 禁止访问：密码更改
HTTP 403.12 - 禁止访问：映射器拒绝访问
HTTP 403.13 - 禁止访问：客户证书已被吊销
HTTP 403.15 - 禁止访问：客户访问许可过多
HTTP 403.16 - 禁止访问：客户证书不可信或者无效
HTTP 403.17 - 禁止访问：客户证书已经到期或者尚未生效
HTTP 404.1 - 无法找到 Web 站点
HTTP 404 - 无法找到文件
HTTP 405 - 资源被禁止
HTTP 406 - 无法接受
HTTP 407 - 要求代理身份验证
HTTP 410 - 永远不可用
HTTP 412 - 先决条件失败
HTTP 414 - 请求 - URI 太长
HTTP 500 - 内部服务器错误
HTTP 500.100 - 内部服务器错误 - ASP 错误
HTTP 500-11 服务器关闭
HTTP 500-12 应用程序重新启动
HTTP 500-13 - 服务器太忙
HTTP 500-14 - 应用程序无效
HTTP 500-15 - 不允许请求 global.asa
Error 501 - 未实现
HTTP 502 - 网关错误

评论: 0　查看评论　发表评论

[翻译] PHP安全

阿木戈多 — Tue, 30 May 2006 12:28:00 GMT

阅读: 417 评论: 0 作者: 阿木戈多发表于 2006-05-30 20:28 原文链接

[  原书信息 ]
《SAMS Teach Yourself PHP in 10 Minutes》
Author: Chris Newman
Publisher : Sams Publishing
Pub Date : March 29, 2005
ISBN : 0-672-32762-7
Pages : 264

[  翻译信息 ]
翻译人员：heiyeluren
翻译时间：2006-3-15
翻译章节：《Lesson 24. PHP Security》
中文名称：PHP安全

PHP勿庸置疑是非常强大的服务器端脚本语言，但是强大的功能总是伴随着重大的危险，在这章里，你将学习到使用PHP的安全模式来阻止一些PHP潜在的危险因素。

【安全模式】

PHP的安全模式提供一个基本安全的共享环境，在一个有多个用户帐户存在的PHP开放的Web服务器上。当一个Web服务器上运行的PHP打开了安全模式，那么一些函数将被完全的禁止，并且会限制一些可用的功能。

[  使用安全模式来强制限制 ]
在安全模式下，一些尝试访问文件系统的函数功能将被限制。运行Web服务器用户ID，如果想要操作某个文件，则必须拥有该文件读取或者写入的访问权限，实现这个限制功能对于PHP来说是没有问题的。

在安全模式开启的时候，尝试读取或者写入一个本地文件的时候，PHP将检查当前访问用户是否是该目标文件的所有者。如果不是所有者，则该操作会被禁止。(写入权限：在较低级别的文件访问权限下，可能会允许读取或者写入系统操作系统的文件，通过PHP的安全模式实现了防止你操作另外一个用户文件的操作。当然，一个Web服务器可能能够访问一个具有全局写入权限的任意文件。)

当安全模式打开的时候，以下函数列表的功能将会受到限制：

chdir , move_uploaded_file,  chgrp,  parse_ini_file,  chown,  rmdir,  copy,  rename,  fopen,  require,  highlight_file,  show_source,  include,  symlink,  link,  touch,  mkdir,  unlink

同样的，一些PHP扩展中的函数也将会受到影响。(加载模块：在安全模式下dl函数将被禁止，如果要加载扩展的话，只能修改php.ini中的扩展选项，在PHP启动的时候加载)

在PHP安全模式打开的时候，需要执行操作系统程序的时候，必须是在safe_mode_exec_dir选项指定目录的程序，否则执行将失败。即使允许执行，那么也会自动的传递给escapeshellcmd函数进行过滤。

以下执行命令的函数列表将会受到影响：
exec, shell_exec, passthru, system, popen

另外，背部标记操作符(`)也将被关闭。

当运行在安全模式下，虽然不会引起错误，但是 putenv 函数将无效。同样的，其他一些尝试改变PHP环境变量的函数set_time_limit, set_include_path 也将被忽略。

[  打开安全模式 ]
打开或者关闭PHP的安全模式是利用php.ini中的safe_mode选项。如果要激活安全模式给当前所有共享Web服务器的用户，只要设置配置选项为：

safe_mode = On

当函数在访问文件系统的时候将进行文件所有者的检查。缺省情况下，会检查该文件所有者的用户ID，当你能够修改文件所有者的组ID(GID)为 safe_mode_gid 选项所指定的。

如果你有一个共享库文件在你的系统上，当你碰到需要include或require的时候，那么你可以使用 safe_mode_include_dir 选项来设置你的路径，保证你的代码正常工作。(包含路径：如果你想要使用 safe_mode_include_dir 选项包含更多的包含路径，那么你可以象 include_path 选项一样，在Unix/Linux系统下使用冒号进行分割，在Windows下使用分号进行分割)

比如你想要在安全模式下包含 /usr/local/include/php 下的文件，那么你可以设置选项为：

safe_mode_include_dir = /usr/local/include/php

如果你的包含的文件是需要执行的，那么你可以设置 safe_mode_exec_dir 选项。比如你需要 /usr/local/php-bin 路径下的文件是可以执行的，那么可以设置选项为：

safe_mode_exec_dir = /usr/local/php-bin

(可执行：如果你执行的程序在 /usr/bin 目录下，那么你可以把这些的二进制文件，连接到你指定选项下能够执行的路径)

如果你想设置某些环境变量，那么可以使用 safe_mode_allowed_env_vars 选项。这个选项的值是一个环境变量的前缀，缺省是允许 PHP_ 开头的环境变量，如果你想要改变，可以设置该选项的值，多个环境变量前缀之间使用逗号进行分割。

比如下面允许时区的环境变量 TZ ，那么修改该选项的值为：

safe_mode_allowed_env_vars = PHP_,TZ

【其他的安全特征】

除了安全模式以外，PHP还提供了许多其他许多特征来保证PHP的安全。

[  隐藏PHP ]
你能够在php.ini里使用 expose_php 选项来防止Web服务器泄露PHP的报告信息。如下：

expose_php = On

利用整个设置，你能够阻碍一些来自自动脚本针对Web服务器的攻击。通常情况下，HTTP的头信息里面包含了如下信息：

Server: Apache/1.3.33 (Unix) PHP/5.0.3 mod_ssl/2.8.16
OpenSSL/0.9.7c

在 expose_php 选项打开以后，PHP的版本信息将不包含在上面的头信息里。

当然，用户访问网站的时候同样能够看到 .php 的文件扩展名。如果你想整个的使用不同的文件扩展名，你需要在 httpd.conf 中找到如下这行：

AddType application/x-httpd .php

你就可以修改 .php 为任何你喜欢的文件扩展名。你能够指定任意多个的文件扩展名，中间使用空格进行分割。如果你想在服务器端使用PHP来解析 .html 和 .htm 文件的时候，那么你设置选项如下：

AddType application/x-httpd .html .htm

(解析HTML：配置你的Web服务器使用PHP去解析所有的HTML文件，但是如果非服务器端代码也需要PHP去解析，会影响服务器的性能。静态页面你可以使用不同的扩展名，这样能够消除对PHP脚本引擎的依赖，增强性能。)

[  文件系统安全 ]

安全模式限制了脚本所有者只能访问属于自己的文件，但是你可以使用 open_basedir 选现来指定一个你必须访问的目录。如果你指定了一个目录，PHP将拒绝访问除了该目录和该目录子目录的其他目录。open_basedir 选项能够工作在安全模式之外。

限制文件系统只能访问 /tmp 目录，那么设置选项为：

open_basedir = /tmp

[  函数访问控制 ]

你能够在 disable_functions 选项中使用逗号分割来设定函数名，那么这些函数将在PHP脚本中被关闭。这个设置能够工作在安全模式之外。

disable_functions = dl

当然，同样的你能够使用 disable_classes 选项来关闭对一些类的访问。

[  数据库安全 ]

假设你的PHP脚本中包含一个基于表单值来执行的Mysql查询：

$sql = "UPDATE mytable SET col1 = " . $_POST["value"] . "
        WHERE col2 = 'somevalue'";
$res = mysql_query($sql, $db);

你希望 $_POST["value"] 包含一个整数值来更新你的列 col1。可是，一个恶意用户能够输入一个分号在表单字段里，接着，是一段他/她想被任意执行的SQL语句。

举例，假设下面是 $_POST["value"] 提交的值：

0; INSERT INTO admin_users (username, password)
VALUES ('me', 'mypassword');

那么当这个查询发送给Mysql查询的时候，那么就变成了下面这条SQL：

UPDATE mytable SET col1 = 0;
INSERT INTO admin_users (username, password)
VALUES ('me', 'mypassword');
WHERE col2 = 'somevalue';

这明显是一个有害的查询！首先这个查询会在 mytable 表里更新 col1。这个并没有什么麻烦的，但是第二个表达式，它将执行 INSERT 表达式来插入一个能登陆的新管理员。第三个表达式就废弃了，但同时SQL解析器将抛出一个错误，这个有害的查询才完成。这个攻击就是大家常说的 SQL injection（注：SQL注入）。

当然，SQL injection 存在一个问题，对方必须了解你的数据库结构。在这个例子中，攻击者是知道你有一个表 admin_users，并且知道包含 username 和 password字段，同时，存储的密码是没有加密的。

除了你自己，一般的网站访问者是不知道这些关于数据库的信息。可是，如果你使用了一个开发源代码的在线电子商务程序，或者使用一个自由的讨论版程序，这些数据表的定义都是已知的，或者有一些用户能够访问到你的数据库。

此外，你的脚本输出会提示一个查询错误，这些信息里包含了很多关于数据库结构的重要信息。在一个正常工作的网站上，你应该考虑设置 display_errors 选项为 off，并且使用 log_errors 来代替 display_errors ，把警告和错误信息插入到文件中。

(数据库权限：它是一个非常重要的东西，你只有正确的权限，才能通过脚本正确的连接数据库。你应该不要在脚本中使用管理员去连接数据库。如果你这么做，那么一个攻击者将可能获取全部的数据库权限，并且包括其他相同服务器的权限。攻击者将可能运行 GRANT 或 CREATE USER 命令来获取更多的访问权限。 )

如果你要防止 SQL injection 攻击，你必须保证用户表单里提交的内容不是一个能够执行的SQL表达式。

前一个例子中，我们使用一个整型值来进行更新。如果在单引号后面跟上一个字符串，这个攻击者在分号之前必须提交一个闭合的引用在整个SQL表达式中。可是，当 magic_quotes_gpc 选项是开启的时候，在Web表单中提交的引号将自动被转义。

为了防止被恶意的攻击者进行 SQL injection攻击，你应该总是确认提交的数据是合法的。如果你需要的是一个整数值，那么你可以使用 is_numeric 函数来测试这个表达值，或者使用 settype 函数来转换为一个数字，清除任何一个傻傻的SQL语句。

如果你开发的程序需要几个提交的值在一个SQL表达式里，你能够使用 sprintf 函数来构建一个SQL字符串，使用格式化字符来指示数据类型的每个值。看下面的例子：

$sql = sprintf("UPDATE mytable SET col1 = %d
                 WHERE col2 = '%s'",
                 $_POST["number"],
                 mysql_escape_string($_POST["string"]));

在上一个例子中，整个Mysql的数据已经被使用，所以这个字符串已经通过 mysql_escape_string 函数进行过滤。对于其他数据库，你可以使用 addslashes 函数进行转义，或者使用其他方法。

评论: 0　查看评论　发表评论