We have a customer that is trying to call our web service written in C# from PHP code. The web service call takes a long as parameter.
This call works fine for other customers calling from C# or Java but this customer is getting an error back from the call. I haven't debugged their specific call but I am guessing that the 64bit integer is getting truncated somehow from PHP. The customer says they are just making the web service call with a string but is there a wrapper in PHP that does type conversion. Could this be losing the number information?
Thanks for any info.
Most PHP installations won't support 64 bit integers - 32 is the max. You can check this by reading the PHP_INT_SIZE constant (4 = 32bit, 8 = 64bit) or read the PHP_INT_MAX value.
<?php
echo PHP_INT_SIZE, "\n", PHP_INT_MAX;
?>
If the web service class he is using is trying to type-convert a string representation of a 64 bit integer, then yes, it's mostly likely being truncated or converted into a float. You can sort of see this behavior with this simple test
<?php
echo intval( "12345678901234567890" );
// prints 2147483647, the max value for a 32 bit signed int.
Without knowing the details of his implementation, it's difficult to postulate on what a good solution/workaround might be.
If you absolutely must take a big number like that, make it a string, and convert it to long in your web service.
This will bother your other users a little bit, but would make it more friendly to your PHP-using costumers.
PHP brutally murdered its integer support, to the point where you have no predictable way of knowing it a specific install will handle 32-bit or 64-bit integers.
The easiest way to handle this would be to expose a new endpoint that takes a string, and just cast it on your end.
For reference on PHP's epic fail:
http://www.mysqlperformanceblog.com/2007/03/27/integers-in-php-running-with-scissors-and-portability/
I wrote an article regarding PHP using nuSoap to call a C# web service... Haven't yet encountered the issue with long int conversions, but I will definately be running some tests to see if I should add it into my article. Thanks, Sean
http://seanmcilvenna.com/blog/7-general/24-windows-php-development
Related
I would like to ask how to pass some kind of data, like string to my C# DLL. This questions has been answered for C++: How to pass argument by reference from MQL4 to C++ DLL
However in my case I want my C# code to get this value from MQL4 and then do something with it (so all this while in the C# code).
It's probably a similar approach, but is this still the best way to go, and could someone provide a minimum example of doing this in C#?
The Best Way to go?
My one would be to integrate "over" a principally neutral ZeroMQ channel.
MQL4 will sit on one side, C# or whatever other process ( python, GoLang, Erlang, FORTRAN, MATLAB, ... ) will sit on remote side, each agent-side having a chance to have also an N+M load/balancing or robustness resilience added.
Using the same byte-packing mapper on either side will enforce interoperability, even if MetaTrader Terminal platform will make any next shift of paradagms ( as it did in past, having moved string datatype into actually being a #pragma-decorated struct and similar low level surprises ).
This way one will never have to re-visit the API for any external re-factoring introduced implementation revision for gaining the lost integration back into production.
Minimum Example of doing this?
Feel free to study and re-use many of ZeroMQ examples posted here or the ZeroMQ API documentation and the C# bindings available.
There are three different return/error/status code types I get while calling native function using P/Invoke.
The first one is the usual error code I get by calling Marshal.GetLastWin32Error static method.
The second one is HRESULT I get while calling some COM-helper functions.
And the third one is NTSTATUS I get while calling native apis from ntdll.dll library. I have a loging function that logs the return/error/status code as a hexidecimal number, then when an error is found in the logs I need to use google to find out what the actual error is.
So I'd like to ask if there is a good way to convert these return/error/status codes to string (preferably in English) to log the return/error/status string description instead of a number?
Is there a way to convert between LastError/HRESULT/NTSTATUS codes, so that the semantics of the error message would stay the same?
You can use errorlook tools for this purpose. This link is kind of old, I learned this in my old VC++ days and you can use it as a start point to find modern tools.
As for the logging I would suggest you keep the original error codes. Meaningful error messages are easier to read, but the original error codes are accurate keywords to the search engines.
I wrote some code where I establish a TCPIP-Connection between a server and a client and managed to send data from the client to the server.
Now i want to encrypt the data, with RSACryptoServiceProvider, which will be sent between both, so that the client encrypts the data and the server decrypts it for further work. Unfortunally I don't find anything how to manage this on the internet especially when it comes to the keys, because most of it runs on the same machine inside the same programm. Can somehelp me to solve my scenario in vb.net or c#?
My math teacher gave me something that is very smilar to this but that was in danish and i don't think it's a good idea to let you play with google-translate. But this is just as good :-)
Just note (stolen from my math teather, I'm not sure if the link tells it):
The number that you use need to be really big to get you the security level at a acceptable point. Actually, to be secure, you would need at least 1024 bit (preferably 2048), which corresponds to between 307 and 614 decimals.
Hope that helped :-)
We use Acunetix at work to do security scans on our applications. Recently we came across the following Integer Vulnerabilities error below:
From what I can tell, it looks like the report is telling us that we are not stopping integer overflow attacks within querystrings. While we do use querystrings that eventually resolve to integers, they are first encrypted and then decrypted and converted to int using Convert.ToInt32() before we use them. I know that we should use TryParse() instead, but even if a hacker were to enter an integer value higher than max, they would fail when trying to decrypt before even trying to convert to integer, which is where the integer overflow would occur in my opinion. That is unless the error happens when the decryption fails?
I'm pretty confused about this and google searches haven't been much help as most pertain to unmanaged languages like c++ rather than c# and asp.net. Any help would be much appreciated.
I don't think this is an integer overflow vulnerability, I suspect it refers to integers as this is the type that has been manipulated in the querystring (although I know you said they were encrypted). If you're doing a direct conversion of untrusted user input to an integer and not first validating the type (as you say, TryParse it first), you're probably going to throw an internal error (short of any try/catches) and this is what they're likely picking up on.
Automated scanners go a bit nuts over HTTP 500 errors. They don't know what's actually happening under the covers and how severe the error is so you could argue that it's a false-positive. On the other hand, your security folks will argue that websites readily returning HTTP 500 are more likely to be probed further if a bot picks up that you're regularly throwing these errors out as a result of manipulated querystrings.
Easy answer: "All input must be validated against a whitelist of acceptable value ranges." (from here).
I have developed my programming skills to a point where i can do most everyday stuff quite well and easily, and I thought one day, that making a polymorphic engine would really test my skills, and I was wondering if anybody had any pointers on making a polymorphic engine for a program, where to start, maybe some code examples? really anything would be helpful at this point :)
here are some of my resorces:
http://en.wikipedia.org/wiki/Polymorphic_code <- this is the one im particularly interested in..
http://en.wikipedia.org/wiki/Polymorphic_engine
As I mention in a comment, this is possible in .NET using the magical System.Reflection.Emit namespace. You just create a new DynamicMethod and emit any [valid] opcodes into it, and then call Invoke.
I've spent the last few hours trying to build a simple showcase for a "clean" program that would create new copies of itself with encrypted il code. The approach I went for was having an Exec method, grab the il-bytes (using MethodBase.GetMethodBody), encrypt them and emit a new assembly having the iv+key and the encrypted bytes. The main method would then decrypt, create a new DynamicMethod, call DynamicILInfo.SetCode and hopefully work. It didnt.
The encryption/decryption thingie worked, and my emitted code was correct. However, it seems that you can not take the raw bytes from one assembly and just execute them in another.
Data (from BitConverter.ToString) from run A and run B.
A: 28-01-00-00-0A...
B: 28-11-00-00-0A...
Unless you know the byte values for every opcode, open ILDAsm, choose View > Show bytes. There's also a View > Show token values which also helps debugging. Press ctrl-m for View > MetaData > Show! to resolve tokens and other magical creatures.
"28 01 00 00 0A" -> CALL 0A000001 -> [According to ctrl-m] MethodBase.GetCurrentMethod
These different token values are generated sequentially by the compiler. This means that it's impossible to guarantee that everything will work using raw bytes. Just think of the common case where the compiler only created tokens for every method call require to decrypt your byte array, and you call Console.WriteLine in your encrypted code. No such token is written, and you'll end up with a "BadImageFormatException: Bad binary signature" when invoking your dynamic method.
I leave it as a task for the read (or until I'm bored again) to transform the byte array, during the emitting process, to a format which the decryptor can read and emit to real il bytes. The emitting process will create all necessary tokens, so it should work.
If you want to chicken out from all the awesomeness of emitting opcodes, do some dynamic compilation from code stored as strings (which can of course be encrypted). This, however, lose in both cleverness, coolness and everything else that can be used to measure the pure awesomeness of the developer (YOU!). Check out this tutorial for a quick display of dynamic compilation and execution of C# within strings.
Well, as far as I know a polymorphic engine is just the code you want run encrypted, then pair that with a decryption module. So all you need to do is encrypt your code into a string. Then you write a decypter. I would use a basic symmetric encryption class like hxxp://www.obviex.com/samples/Code.aspx?Source=EncryptionCS&Title=Symmetric%20Key%20Encryption&Lang=C%23
After that, run the code in memory, something like hxxp://support.microsoft.com/kb/304655
EDIT:
If you wanted to get more indepth, you could always write your own encryption/decryption, make it something like base_64 (no key), instead of AES (with a key)
Hope that helps,
Max
Polymorphic code is not possible in C# or managed languages. It requires you to produce assembly code for a specific platform (.NET is not platform-specific) into a buffer or data area, then jump into that buffer or data area. There are many layers of software and hardware in place to stop that happening - see the NX bit on Wikipedia for example.
You can't do it in managed code. You'd have to write it in unmanaged code and call into that.
Hope that helps.
Please see the helpful comment on this answer, as you can dynamically create managed code from managed code; I was considering unmanaged code, as is used on the whole.