Type Casting In PHP To Prevent XSS and SQL Injection March 14, 2010
Posted by chris in: rant
Lots of developers think the best way to prevent XSS and SQL injection attacks is to pass all user input through a filter function. If you're one of these developers, don't worry, you're still right. There is a better (less code and fewer CPU cycles) way to do this for certain user inputs, though. Type casting to integers should be used on all user inputs that should be a numeric value. This ensures that a valid data type is being used and it automatically converts any strings to an integer. For those inputs, this effectively prevents any SQL injection or XSS attack.
$customer_id = (int) $_POST['customer_id'];
This automatically prevents someone from being able to pass in something like:
1' OR 1='1
or
window.location 'aol.evilcloneofaol.com'
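The cast in action, as an added example that is not part of the original post. It runs the two strings above (and a few other constructed inputs) through the plain `(int)` cast, and beside it a stricter `filter_var` check for the case where a cast silently turns junk into 0; `castId` and `validateId` are names chosen here, not the post's.

```php
<?php
// Added example (not from the original post): what an (int) cast does to
// the kinds of input the post mentions, and a stricter check for the case
// where a cast silently maps junk to 0. All sample values are constructed.

// Constructed sample values as they might arrive in $_POST['customer_id'].
$samples = [
    '42',                                        // the normal case
    "1' OR 1='1",                                // the SQL injection string from the post
    "window.location 'aol.evilcloneofaol.com'",  // the script-style string from the post
    '12abc',                                     // leading digits followed by junk
    'abc',                                       // no digits at all
    ' 7 ',                                       // surrounding whitespace
];

/**
 * The post's technique: a plain cast. PHP keeps the leading numeric part
 * of the string and discards the rest, so every input becomes an integer
 * and nothing is left that could close a quote or open a script tag.
 */
function castId($raw)
{
    return (int) $raw;
}

/**
 * Stricter variant: reject anything that is not a whole positive integer
 * instead of silently mapping it to 0 (which could match a real row or
 * simply hide a bad request). Returns null when the input is invalid.
 */
function validateId($raw)
{
    $id = filter_var(trim($raw), FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

foreach ($samples as $raw) {
    $cast  = castId($raw);
    $valid = validateId($raw);
    printf("%-45s cast=%-3d validated=%s\n", var_export($raw, true), $cast,
        $valid === null ? 'rejected' : $valid);
}

// Once the value is an integer it can be interpolated into SQL directly; there
// is no quote or script text left to break out of the query or the HTML.
$customer_id = castId("1' OR 1='1");
$sql = "SELECT * FROM customer WHERE customer_id = $customer_id";
echo $sql, "\n";

// The cast only covers numeric fields. A free-text field such as a customer
// name still needs escaping or a prepared statement on the way into SQL and
// htmlspecialchars() on the way out to HTML.
```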
So What Is The Difference Between Web Developers and Web Designers? February 24, 2010
Posted by chris in: rant
I get asked this question one way or another all the time. Either it's someone actually trying to understand the difference (and there is a huge difference) or it's people I am introducing myself to when they ask me what I do for a living. In the latter case they usually respond with "Oh, so you know how to build web pages." This doesn't bother me, but I'm still a little dumbfounded given the prevalence of obvious web applications like facebook, myspace, and twitter in people's lives.
We’re all guilty of this though, right? I have a friend who is a plumber and he had to explain the difference between commercial and residential plumbing to me, and even within those branches of plumbing there are specialties but we won’t go into those today.
I was explaining the difference to my girlfriend the other night. I was a bit intoxicated so I came up with an over-the-top analogy of the Sistine Chapel. The way I broke it down was that you can liken the architect and the builders to web developers and Michelangelo and the painters to the web designer. So the web developer gives a website functionality. It's the web developer that enables you to submit your latest tweet, update your facebook status, and add all those images to myspace. It's the web designer who makes it look good. Now I have oversimplified the web designer's job: they need to know a lot about how users view a page, how to catch a user's eye, and web designers are usually damn good in PhotoShop (which has gotten pretty complex).
Another example is the engine and drivetrain in an automobile (web developers) versus the body, interior, and paint job (web designer). These two analogies are fairly accurate. Thoughts?
MySQL engines, InnoDb versus MyISAM for web developers February 23, 2010
Posted by chris in: SQL, php
Let me start out by saying I think MyISAM sucks. I hate it. It's the default MySQL database engine, but it's non-relational, so a lot of people just start using it without exploring the other options. Hey, that's okay, I did the same thing until some smart guys at my last job introduced me to InnoDB. MyISAM is probably the best way to go for newer web developers just trying to cut their teeth on web application development. At some point it's time to pick up a book and learn how InnoDB can save you time, save you headaches, reduce the amount of code you write, and make the world a better place (okay, that last one is a reach).
The best part about InnoDB is that it's relational. It's transaction-safe too, but I'll just focus on the relational side of things for now. What is a relation? A relation joins two tables together on a common value. Typically this is a parent-child relationship known as a one-to-many, but it can be a one-to-one relation too. Let's look at three tables.
tbl_profile
—————
profile_id
profile_name
tbl_profile_setting
———————–
profile_setting_id
profile_setting_name
tbl_profile_has_setting
—————————
profile_id
profile_setting_id
We have a profile table for storing whatever, and a profile can have settings. It doesn't really matter what these settings are for the purpose of this article, but a profile can have multiple of them. You could have this same structure in MyISAM, but you would have to enforce the relations in your code. Your code is prone to errors. It happens; in fact it happens enough that I try to write as little code as possible. My goal is to leverage as much pre-written code as possible, because it's been reviewed by more people, and if I'm using that code I likely trust the source. InnoDB is an awesome example of this. It's widely deployed and written by people with more skills than me. No inferiority complex here, thanks InnoDB.
For creating a relation we'll use phpMyAdmin. MySQL Administrator works great too, and if you're nutty enough you can look up the SQL for doing it in the mysql command line console. Go into the tbl_profile_has_setting table. In the Structure tab you will see a link called Relation View. Click on this. You'll notice a drop down next to profile_id and profile_setting_id (these will only appear if you made these columns primary keys). You'll need to create indexes on these two columns in the tbl_profile_has_setting table as well. Select tbl_profile.profile_id and tbl_profile_setting.profile_setting_id for their respective columns. For the On Delete drop down select cascade.
What you’ve just done is create relations that have the following rules enforced by the database engine.
- When you delete a profile, its corresponding record(s) in tbl_profile_has_setting are deleted automajically
- When you delete a profile setting, its corresponding record(s) in tbl_profile_has_setting are deleted automajically
- When you add a record to tbl_profile_has_setting, the profile_id and profile_setting_id must exist in their respective tables
Guess what, you don't have to verify that the setting exists anymore when inserting into tbl_profile_has_setting, and you don't even need to worry about the profile existing. MySQL will return an error if these rules are violated. You now have referential integrity, clean data, and happy reports. You made all this possible just by creating the relation. So what did the cascade option do? That created rules 1 and 2 above, the auto-delete. Cascade should be used wisely as it can have devastating consequences (your records are automatically deleted), but when you implement a cascade this is normally what you want.
So why doesn't everyone use InnoDB over MyISAM? There are several reasons:
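The SQL behind those phpMyAdmin clicks, as an added example that is not part of the original post: a PHP script that creates the three tables on InnoDB with both foreign keys set to ON DELETE CASCADE, then shows rule 3 (an orphan insert is rejected by the engine) and rules 1 and 2 (deleting a parent removes its link rows). The connection details and sample rows are placeholders and constructed data; run it against a scratch database you can drop.

```php
<?php
// Added example, not from the original post. Connection values are
// placeholders; point them at a throwaway database.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'scratch_db');
if ($db->connect_error) {
    die('connect failed: ' . $db->connect_error . "\n");
}

// The three tables from the post. The link table carries two foreign keys,
// each with ON DELETE CASCADE; InnoDB creates the indexes it needs for them.
$setup = [
    'DROP TABLE IF EXISTS tbl_profile_has_setting, tbl_profile_setting, tbl_profile',
    'CREATE TABLE tbl_profile (
        profile_id   INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
        profile_name VARCHAR(64)  NOT NULL
     ) ENGINE=InnoDB',
    'CREATE TABLE tbl_profile_setting (
        profile_setting_id   INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
        profile_setting_name VARCHAR(64)  NOT NULL
     ) ENGINE=InnoDB',
    'CREATE TABLE tbl_profile_has_setting (
        profile_id         INT UNSIGNED NOT NULL,
        profile_setting_id INT UNSIGNED NOT NULL,
        PRIMARY KEY (profile_id, profile_setting_id),
        FOREIGN KEY (profile_id) REFERENCES tbl_profile (profile_id)
            ON DELETE CASCADE,
        FOREIGN KEY (profile_setting_id) REFERENCES tbl_profile_setting (profile_setting_id)
            ON DELETE CASCADE
     ) ENGINE=InnoDB',
    // Constructed sample rows: two profiles, two settings, three links.
    "INSERT INTO tbl_profile (profile_name) VALUES ('alice'), ('bob')",
    "INSERT INTO tbl_profile_setting (profile_setting_name) VALUES ('dark_mode'), ('email_digest')",
    'INSERT INTO tbl_profile_has_setting VALUES (1, 1), (1, 2), (2, 1)',
];
foreach ($setup as $stmt) {
    if (!$db->query($stmt)) {
        die("setup failed: {$db->error}\n");
    }
}

function countLinks(mysqli $db)
{
    return (int) $db->query('SELECT COUNT(*) FROM tbl_profile_has_setting')->fetch_row()[0];
}

// Rule 3: a link row must point at existing parents. Profile 99 does not
// exist, so InnoDB rejects the insert with a foreign key error (errno 1452)
// and the application code never had to check for it.
if (!$db->query('INSERT INTO tbl_profile_has_setting VALUES (99, 1)')) {
    echo "orphan insert rejected: ({$db->errno}) {$db->error}\n";
}

// Rules 1 and 2: deleting a parent row removes its link rows automatically.
echo 'links before delete: ', countLinks($db), "\n";
$db->query("DELETE FROM tbl_profile WHERE profile_name = 'alice'");
echo 'links after deleting alice: ', countLinks($db), "\n";
$db->query("DELETE FROM tbl_profile_setting WHERE profile_setting_name = 'dark_mode'");
echo 'links after deleting dark_mode: ', countLinks($db), "\n";
```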
- You need to be more knowledgeable to use it. This isn't just "throw data in, grab it out" anymore. It takes more thought, and for bigger projects you'll want to create ER diagrams to flowchart your database.
- Performance penalty. Since you've offloaded the work to the database engine, your database now runs slower. I scoff when people use this as an argument against InnoDB. If your application has gotten to be so successful that InnoDB is the sole reason for your slowdown, then congratulations, not many people are as successful as you. Plus InnoDB operates in a lower-level language that is faster than the PHP code you are writing. Also, most of your slowdowns in PHP web applications can be attributed to poorly written queries, bad database design to begin with, and lack of innovation in coming up with solutions to improve speed.
- Harder to back up. Yes, you can still use mysqldump to back up your data, but you can't copy the actual database file like you could with MyISAM. This is a crappy form of database backup anyway. If you're big enough that mysqldump is no longer a sane method of doing backups, then just stop being cheap and go buy the enterprise software to manage your data. Your data is important to you, right?
Hope this helps some people, and I hope it offends some people as well. This is one of those things that I cannot find common ground on; it's debated often between me and co-workers. On a side note, don't let your domain expire while on vacation. You'll lose your SERPs fast.
Twittrash – Twitter Trash and Other Scum on the Internet February 17, 2010
Posted by chris in: rant, seo
So I recently started using twitter and you can follow me by going to http://www.twitter.com/cnizzdotcom. I had long been opposed to twitter because I thought it was useless. Of course I was initially opposed to myspace and facebook as well, which I am currently using or have used at one point. I guess I am sometimes a bit reactionary when it comes to new things. Not just technology, but even certain technologies and methodologies in programming. This is a dangerous thing in my field, but I'm getting more progressive by the day. I laugh thinking about how years ago I stated to a co-worker "extending classes is a horrible idea." Hey, if we were never wrong, then we'd never improve, right? So I take comfort in my opinions evolving as I become more knowledgeable.
So about a month ago I began using twitter. My use of twitter is really just an exercise in marketing my most important product across the internet, which is me! What I’ve learned in my month with twitter is that twitter is not much different than SEO blackhat, whitehat, and greyhat that you see with ranking in Google. In the SEO world you have scum that write bots (actually they are quite easy to write) which like graffiti in parks (the trashy kind) spam blogs and forums in an effort to win backlinks.
In the twitterverse it's the same. You have twitbots, employed by twittrash, that will follow someone for a few hours, maybe a few days (it's hard to tell) and then unfollow them. All this is done automatically so the twittrash doesn't have to do it manually. You've probably noticed this before. I noticed it right away and assumed it was some bot, but it was confirmed while reading a forum post over at DP. The poster advised another poster to "use a twitter automation program to auto follow then unfollow after time has passed and they don't follow back." The term twittrash immediately popped into my head.
There are legitimate ways of winning followers in twitter. It’s hard starting from ground zero and doing things legit (trust me I’m doing it now) but it can be done.
- Find people you know and start following them
- Use hashtags to reach a broader audience
- Write good twits and links to quality content
- Include links to your twitter page everywhere
If you already know the person and they know you are now following them, it's likely they will reciprocate.
When you use a hashtag such as #php or #embarassing it reaches everyone else listening for that hashtag. Of course spammers use these as well, but you glance over the spam and find the good stuff just like with anything else on the web.
This is a no-brainer and it's the exact same thing you do when optimizing for google.
Add a link to your twitter page on your facebook, myspace, blog, and in forum signatures.
On the web and in life, whenever something good comes along there will be [insert prefix here]-trash to try and ruin it. Twittrash is no different than snake oil salesmen, politicians, and blog spammers. Thanks for reading.
How To Write a Page Controller in PHP for Dynamic Content February 6, 2010
Posted by chris in: php, seo
This how-to will cover the topic of creating a dynamic content system. It's a well known fact that when you come across a site like wikipedia, they don't have an html file for each article. That would be insanity. It would be nearly impossible to display the file tree in an IDE and cumbersome to search through even with an OS that has a slick file system and powerful shell like Linux. Trust me, I worked on a site that created a unique page for each product on their site (they've since gotten with the times). So how can web browsers access a page like http://en.wikipedia.org/wiki/Mike_Tyson when that file doesn't exist? The application uses a combination of server-side code, database storage, and apache htaccess magic. Here's how to do this.
Apache HTACCESS
This is the most important part of redirecting dynamic content. The .htaccess file is what makes the magic happen. What happens is a user requests http://en.wikipedia.org/wiki/Mike_Tyson, and apache goes to process the request and does its thing. Normally apache would redirect this to a 404 error page because the file does not exist, but if it sees the .htaccess file in the directory, then apache will follow the rules we defined in the htaccess. Our rule will tell apache that if the file is not found, to go to some other file. We will call this file mycontroller.php (because it's the controller in our ModelViewController). Below is some example code to get you started:
Options -Indexes
Options +FollowSymLinks
DirectoryIndex index.php
ErrorDocument 404 /404.php
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !=/favicon.ico
RewriteRule ^(.*)$ mycontroller.php [L,QSA]
</IfModule>
Recap:
1. We have /public_html/mydomain.com/wiki/.htaccess
This overrides the Apache web server's default operating procedure.
2. We redirect the request to /public_html/mydomain.com/wiki/mycontroller.php
This contains the server side code that will handle our request for the Mike Tyson article.
The Database
Going in detail on this topic is beyond the scope of this article, but you’ll need some sort of database management system to store your article on Mike Tyson and the thousands of other articles. Of course there are other options like an XML file, but a database such as MySQL is the sanest approach for most sites.
Server Side Code
You'll need some sort of server-side code running, whether it is ASP, JSP, or PHP. I'm a bit partial to PHP so let's roll with that. In mycontroller.php your code might look something like this:
$uriArr = explode('/', $_SERVER['REQUEST_URI']); // "/wiki/Mike_Tyson" becomes ["", "wiki", "Mike_Tyson"]
$article = $uriArr[2];
$article = urldecode($article); // in this case the article equates to Mike_Tyson
$sql = "SELECT * FROM article WHERE name = '$article'";
$result = mysql_query($sql);
if (mysql_num_rows($result) == 1) {
    $page = mysql_fetch_assoc($result); // the template reads this array
    header('HTTP/1.1 200 OK');
    header('Connection: close');
    include_once 'mytemplate.php';
    die();
}
else {
    header('HTTP/1.1 404 Not Found');
    header('location: /404.php');
    header('Connection: close');
    die();
}
This is asking our database for any records it has on the requested Mike_Tyson. If a row is returned then we know we've found our article. We tell the browser that this is a 200 OK request. Then we include a file called mytemplate.php (this file is never actually seen by the browser). We set the record from the database to a variable array called $page. Our mytemplate.php file will look for this variable and begin populating the article. Let's say $page contains the following data: Title, Body, Image, and References. The mytemplate.php file might look something like this:
$title = $page['title'];
$body = $page['body'];
$image = $page['image'];
$references = $page['references'];
echo "<html><head><title>$title</title></head><body>";
echo "<h1>$title</h1>";
echo "<div class=\"mainImage\">$image</div>";
echo "<p>$body</p>";
echo "<p>$references</p>";
echo "</body></html>";
Sweet! We can use the same template for a bunch of different articles, without having to create multiple files. Now if the user had searched for the following url: http://en.wikipedia.org/wiki/Mike_TysonIsEvil, we wouldn’t have an article on that. So instead the code would tell the browser this is a 404 Error and route the browser to the 404.php page.
This is an over simplified version of a dynamic content system, but it would work. If I was developing one of these on a professional level it would be complete with objects to handle requests, string cleaners to protect against SQL injection and XSS attacks, error logging, and the works! Let me know if you have questions I can answer and thanks for reading.
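The same controller with the "string cleaners" the closing paragraph mentions built in, as an added example that is not part of the original post. It assumes the .htaccess above, an `article` table with the columns the post names, the mysqlnd driver (for `get_result()`), and placeholder connection details; `notFound` and `render` are names chosen here, and the `image` column is assumed to hold an image URL rather than raw HTML.

```php
<?php
// Added example, not from the original post. Connection values are placeholders.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'wiki');
if ($db->connect_error) {
    header('HTTP/1.1 500 Internal Server Error');
    exit('database unavailable');
}

// Take only the path part of the request (no query string), drop the leading
// "/wiki/", and decode it. Anything that is not a plain article slug is
// treated as "no such article" before it gets anywhere near the database.
$path    = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
$article = urldecode(substr($path, strlen('/wiki/')));
if (!preg_match('/^[A-Za-z0-9_()\'.,-]{1,200}$/', $article)) {
    notFound();
}

// Prepared statement: the slug travels as a bound parameter, never spliced
// into the SQL text, so "Mike_Tyson' OR 1='1" is just a name that does not
// exist. `references` is a reserved word in MySQL, hence the backticks.
$stmt = $db->prepare('SELECT title, body, image, `references` FROM article WHERE name = ? LIMIT 1');
$stmt->bind_param('s', $article);
$stmt->execute();
$page = $stmt->get_result()->fetch_assoc();
if ($page === null) {
    notFound();
}
header('HTTP/1.1 200 OK');
render($page);

function notFound()
{
    // Serve the 404 page in place instead of redirecting to it: PHP turns a
    // Location header into a 302 response, so the browser and search engines
    // would never see the 404 status the post intends.
    header('HTTP/1.1 404 Not Found');
    include '404.php';
    exit;
}

// The template from the post with every database value HTML-escaped on output.
// $body is escaped too; if articles are meant to contain markup, run it
// through an HTML sanitizer instead of echoing it raw.
function render(array $page)
{
    $e = function ($s) { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); };
    echo '<html><head><title>', $e($page['title']), '</title></head><body>';
    echo '<h1>', $e($page['title']), '</h1>';
    echo '<div class="mainImage"><img src="', $e($page['image']), '" alt=""></div>';
    echo '<p>', $e($page['body']), '</p>';
    echo '<p>', $e($page['references']), '</p>';
    echo '</body></html>';
}
```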
Optimizing Cnizz.Com For Page Speed and SEO February 3, 2010
Posted by chris in: seo
This is the first installment of my SEO category. I've dabbled in SEO here and there ever since I ran a semi-successful (but not successful enough) music site through 2006-2008. The site actually ranked highly for a few good SERPs and received over 10,000 unique visits per month. Though the site is a shell of its former self I still run adsense on it, which brings in about $20 a month. Sighh, what could have been. In any case, I feel I'm qualified to talk about SEO to the limited audience this blog attracts.
I was just reading over at SEOmoz that in 2010 page speed may be considered when ranking SERPs. I downloaded the google page speed plugin for firefox and decided to see where my domain sucked. The results are in:

86 out of 100 isn't too bad; at least it's better than what my grades looked like in high school. Let's see what kind of optimizations I can make based off of Google's suggestions.
Image Optimizations
When the plugin says "Specify image dimensions" it's just telling you that instead of having html for a 50 x 50 image like this: <img src="myimage.png"> you should specify its dimensions like this: <img src="myimage.png" height="50" width="50">. Google also says serving scaled images is a no-no. Google became a bit angry because one of my images was 100x100, but I was scaling it in the HTML to be 50x50. Just open up your image editor (I use da GIMP cause I'm on Linux) and scale it to the dimensions you want. After these few modifications I reanalyzed my page and the plugin had bumped up my score to 90 out of 100. Woot! That's an "A-" grade.
The next image optimization listed was the actual optimization of image compressions. Luckily the plugin will give you the optimized version and tell you how much space it will save. Just expand the “Image Optimization” box, click on the image, save it, and upload it to your server. This moved cnizz.com up to 91 out of 100.
Remove unused CSS
A lot of designers put their CSS into a single file. Google advises against this and told me I could reduce the size of my CSS file by 19% (510 bytes) by removing CSS that was not used on the index page. Then something strange happened. Creating a second CSS file and only including it on pages where those classes were used caused my score to go down to 88 (remember I was at 91). Google penalized me for having multiple CSS files! I threw my hands up in the air on that one, marked it as nit-picky, and reverted back to my original CSS structure.
Leverage browser caching
This is the big one. I expect most sites to suffer from this. It's easy to resolve through the use of an HTACCESS file (it needs mod_headers). I threw in the following code:
<FilesMatch "\.(flv|gif|jpg|jpeg|png|ico|swf|css)$">
Header set Cache-Control "max-age=3600"
</FilesMatch>
This bumped me up to 94 out of 100. I could obtain 98 out of 100 by increasing the max-age to an insane amount of time. However, on sites where the front page changes frequently, such as a high volume e-commerce site's index page, this is likely to be a bad idea. Just imagine if those thousands of users that just clicked through your adwords campaign were seeing last week's special offers, yikes! However, caching images that you know will not change unless there is a major site redesign is a good idea.
Conclusion
The google page speed plugin for firefox certainly gives you some great ideas for increasing the speed of your site and reducing the amount of bandwidth being pushed through your pipe. Lots of these suggestions can be implemented in a very short one-day to one-week project (depending on the size of your site). My advice is to run the tool, but be cautious about the changes you make. Remember, you're using this tool to potentially increase your listings for your targeted SERPs, but more importantly, this is a tool that should improve the experience of your site's users. As always there is a balancing act between performance and features.
I welcome your comments
well my word press theme got hosed February 3, 2010
Posted by chris in: rant
I upgraded word press, thinking to myself "wow, this wordpress updater is really awesome." Next thing I know the custom theme I created for my site was just gone. This really sucks and I don't have time to fix it. So this blog will look like crap for a while. I don't like how it doesn't match the rest of the site now. Anyway, one of my goals is to redesign this site, so this is just more motivation to do so. Now on to the blog post I was working on....arggh.
Multiple Monitor Software January 4, 2010
Posted by chris in: rant
Check out http://www.mediachance.com/free/multimon.htm
Goals for the year December 31, 2009
Posted by chris in: rant
What are your goals for the year? We all like to make resolutions; I'll just make goals, that way I don't feel bad if I don't make them. In no particular order I'll list some goals I want to accomplish this year:
Become Zend Certified
I read over the certification guide and I am confident I could pass 80% of the test, it will look good on a resume (and for this site), and will just be kinda cool to say “yeah, I’m Zend Certified.”
Redesign Cnizz.com
Yup it could use a more modern personalized look. Same with this blog, but I won’t worry about that for a while.
Spend less
I went over my expenses and I have way too much frivolous spending. I'd like to cut these rampant expenditures by $100.00 per month and put that money in my savings account.
Get my side projects up
I have two of them. One is a lead generation site and the other is helping my friends with their online retail site.
Pay Off Debt
Luckily I don’t have a lot, just student loans and a car loan, but I would really like to pay off (or at least make a huge dent) in my car loan.
Take Guitar Lessons
I have an old acoustic, but don’t know many songs or chords. Would love to be able to play it more often.
How about you?
MooTools Table Sorter added to MooTools Plugin Repo December 23, 2009
Posted by chris in: rant
I've added my mootools table sorter to the newly created plugin repo from mootools, called mootools forge. I'll be enhancing the documentation over the holidays and adding much needed updates to the code. If you're a mootools user or have been thinking about using mootools, this is a huge step forward for the team over at mootools. The plugin site is much better than JQuery's.
I’m also on twitter now.
