Archive for the ‘PHP/MySQL/AJAX’ Category

Basic SQL Injection Tutorial

In my time I’ve seen a few pieces of insecure code. Considering what clients can pay for a bespoke eCommerce or CMS solution, you’d expect at least a basic level of security. Unfortunately there’s one oversight that crops up time and again: the SQL injection vulnerability. Despite being a huge threat to your security, SQL injection holes are simple to prevent.

Trusting anything the client sends is a bad idea. ALWAYS assume the worst and sanitise GET or POST variables before using them in an SQL call. Below is an example of some code that you may use when a user logs in:

```php
$username = $_POST['username'];
$password = $_POST['password'];

// The submitted values are dropped straight into the query string
$sql = "SELECT id FROM users WHERE username='$username' AND password='$password' ";
$query = mysql_query($sql);
$id = mysql_fetch_array($query);

if($id) {...
```

The code above compares the username and password (submitted from a standard HTML form) to the database. If both match, then the script would go on to log the user in. The actual SQL call made to the database may look something like this:

```sql
SELECT id FROM users WHERE username='johnsmith' AND password='mypass'
```

Now, rather than ‘johnsmith’, should the username contain the following…

```text
johnsmith'#
```

The entire SQL call made to the database would look like so…

```sql
SELECT id FROM users WHERE username='johnsmith'#' AND password='mypass'
```

Since MySQL treats everything after the hash (#) symbol as a comment, it’s actually only checking the username and not the password. The hacker can now log in as John without knowing the password! Even worse, the hacker need only guess the username of the administrator to log in as him too!

This is SQL injection in its most basic form. It can easily be built on to spit out sensitive data to the screen, insert new rows (user accounts), delete data, edit data and more.

A simple solution to this problem is to use PHP’s addslashes() function like so:

```php
$sql = "SELECT id FROM users WHERE username='". addslashes($username) ."' AND password='". addslashes($password) ."' ";
```
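As an added example that is not part of the original post: the same login check written with a PDO prepared statement, which is what current PHP practice recommends over escaping functions (the mysql_* functions used above were removed in PHP 7). The users table here is an in-memory SQLite database constructed for the example so it runs stand-alone, and the `johnsmith'#` username from the post is run against it to show that a bound parameter is treated as a literal value, never as SQL:

```php
<?php
// Added example (not the post's code): login check with a prepared statement.
// Assumes the pdo_sqlite extension; a MySQL DSN works the same way.

function authenticate(PDO $pdo, string $username, string $password): ?int
{
    // The statement is parsed first and the value bound afterwards, so a username
    // such as "johnsmith'#" cannot close the string literal or start a comment.
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Compare against a stored password hash rather than a plaintext column.
    if ($row !== false && password_verify($password, $row['password_hash'])) {
        return (int) $row['id'];
    }
    return null;
}

// Constructed sample data for the example.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$insert = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
$insert->execute([':u' => 'johnsmith', ':h' => password_hash('mypass', PASSWORD_DEFAULT)]);

// The valid login, a wrong password, and the post's comment-injection username.
$attempts = [['johnsmith', 'mypass'], ['johnsmith', 'wrong'], ["johnsmith'#", 'anything']];
foreach ($attempts as [$u, $p]) {
    $id = authenticate($pdo, $u, $p);
    echo str_pad($u, 12), ' -> ', $id === null ? 'rejected' : "logged in as id $id", "\n";
}
```

addslashes() escapes quotes, backslashes and NUL bytes but knows nothing about the connection’s character set, which is why the database driver’s own escaping and, better still, bound parameters are preferred. With the MySQL PDO driver, put the charset in the DSN (for example `charset=utf8mb4`) so that any client-side quoting matches what the server expects.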


Online MD5 Hasher/Cracker

If you’ve ever worked with a PHP/MySQL application which handles user logins, then you will have worked with MD5 hashes. MD5 is a one-way encryption algorithm commonly used by web applications to store passwords.
When a new user creates an account, their password is ‘hashed’ using MD5 and the hash is stored along with their username in the database. When they attempt to log in in the future, their entered password is hashed and compared to the hash in the database. If they match, they are authenticated. This is great as the password does not have to be visible in the database.

If you forget your admin password when developing an app and haven’t coded a ‘reset your password’ part yet (I always code these boring bits last!), you have 2 choices. You can create a new MD5 hash and replace the one in the database, or you can ‘crack’ the hash to find out your password. But how?

Enter Cloud Cracker, the free online MD5 hasher/cracker. This nifty little tool will take any password and give you its MD5 hash. It will also attempt to ‘crack’ an entered hash and show you the plaintext password.

Click Here to check out Cloud Cracker now, and feel free to hit the ‘Digg’ button if you like it.
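An added example, not from the post, of the store-on-signup and hash-and-compare-on-login flow described above. A plain PHP array stands in for the users table (constructed for the example). It shows the post’s md5() scheme next to PHP’s password_hash()/password_verify(), which adds a random per-user salt: two users with the same password then get different stored values, so a single precomputed table of MD5 hashes cannot match them all:

```php
<?php
// Added example (not the post's code). $users maps username => stored hash.
$users = [];

// The post's scheme: store md5($password) and compare md5() of the login attempt.
function registerMd5(array &$users, string $username, string $password): void
{
    $users[$username] = md5($password);
}

function loginMd5(array $users, string $username, string $password): bool
{
    // hash_equals() compares in constant time.
    return isset($users[$username]) && hash_equals($users[$username], md5($password));
}

// Same flow with PHP's password API: salted, deliberately slow hash per user.
function registerHashed(array &$users, string $username, string $password): void
{
    $users[$username] = password_hash($password, PASSWORD_DEFAULT);
}

function loginHashed(array $users, string $username, string $password): bool
{
    return isset($users[$username]) && password_verify($password, $users[$username]);
}

// Constructed sample accounts: two per scheme, all with the same password.
registerMd5($users, 'alice', 'secret123');
registerMd5($users, 'bob', 'secret123');
registerHashed($users, 'carol', 'secret123');
registerHashed($users, 'dave', 'secret123');

// Identical passwords give identical MD5 hashes, which is what lets a
// precomputed table answer "which password has this hash?" for every user at once.
echo "alice/bob stored values identical: ", var_export($users['alice'] === $users['bob'], true), "\n";
// With a per-user salt the stored values differ even for the same password.
echo "carol/dave stored values identical: ", var_export($users['carol'] === $users['dave'], true), "\n";

echo "alice login (md5): ", var_export(loginMd5($users, 'alice', 'secret123'), true), "\n";
echo "carol login (password_hash): ", var_export(loginHashed($users, 'carol', 'secret123'), true), "\n";
echo "carol login, wrong password: ", var_export(loginHashed($users, 'carol', 'nope'), true), "\n";
```

The stored value from password_hash() carries its own algorithm, cost and salt, so password_verify() needs nothing else from the application, and an existing MD5 column can be migrated by re-hashing each user’s password the next time they log in successfully.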

What is AJAX?

What is AJAX?
If you find yourself asking this question then you’re either new to PHP/Javascript or you have been hiding under a rock for the past three years.
Since around 2006, the term/buzzword ‘AJAX’ has been thrown around like a frisbee in a playground. So what exactly is AJAX?

If you’ve had an auto-suggest bubble pop up as you’re searching, or if you’ve seen form sub-sections magically appear as you choose options, then you have already used AJAX. Slow, static web pages have given way to speedy, animated interfaces with more nifty features.

Some examples of what you can achieve with AJAX include:

  • Auto-suggest popups
  • Form elements appearing/hiding as you complete the form
  • Slider controls
  • Draggable/droppable content

The term AJAX stands for ‘Asynchronous Javascript And XML’. Technically, AJAX is when javascript sends requests back to the server, receives a response in XML and acts upon it. These days though, AJAX is used more as a blanket term for anything interactive which uses javascript.

If you have been developing in PHP and are looking to take your applications to the next level of interactivity, then check out some of the nifty AJAX Javascript frameworks out there that do all the hard work for you:

Make Your Phone ‘Kerching’ When You Make A Sale

Being the egotistical git I am, I wanted my phone to make a ‘kerching’ sound each time I made an affiliate sale. Nothing beats dozing off on a lazy Sunday evening and hearing your cash register ring out. Here’s how I made it happen…

First, you need to receive an email each time you make a sale. If your affiliate network will do this, then the first bit is already done. If not, copy the script below into a php file called something like ‘xml-to-email.php’ and upload it to your web server. Full instructions are in comments at the top of the file. You will most likely have to change the regex variable to work with your affiliate network’s own feed format.

```php
<?php

/* #########################################################

Email When You Make a Sale
Developed by Hayden Kibble July 2009
Hayden@HaydenKibble.com
www.HaydenKibble.com

Install instructions:
1. Put your affiliate network login and your email details into the variables below
2. You will probably have to edit '$regex_saletime' to match the sale time/date for your particular aff network's xml feed
3. Upload this file to your web server.
4. Create a file called 'sales.txt' in the same directory as this script and make sure it has read/write permissions
5. Visit the page and it should show a blank page. An email will probably be sent as it picks up all your recent sales
6. Set a cron job up on your web server to run this script every 10 mins or so
7. If you have problems with any of the above, Google is your friend!

######################################################### */

$base_url = "https://www.affilliate-network.com/myfeed.xml";
$feed_user = "USERNAME-HERE";
$feed_pass = "PASSWORD-HERE";
$regex_saletime = "/<date>(.*)<\/date>/U";

$email_from = "from@address.com";
$email_to = "to@address.com";
$email_subject = "You Made a Sale!";

// ##### Do Not Edit Below This Line! #####

$ch = curl_init();

curl_setopt($ch, CURLOPT_URL, $base_url);

// Set your login and password for authentication
curl_setopt($ch, CURLOPT_USERPWD, $feed_user . ':' . $feed_pass);

curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_ANY);

// Switches off checking of the feed host's TLS certificate, so the login above is
// sent without confirming who is on the other end; keep the default (true) where the certificate validates
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

// get the data and close the session
$data = curl_exec($ch) or die("Error Getting Feed.");
curl_close($ch);

$dates = array();

preg_match_all($regex_saletime, $data, $dates);

// Read previous sales times from the log file. file_get_contents() is used because
// fread() with a length of 0 fails on the empty sales.txt the instructions start with
$myFile = "sales.txt";
$fileData = (string) file_get_contents($myFile);

// Split the file into lines
$fileLines = explode("\n", $fileData);

$newsale = false;
$sale_time = '';

$fh = fopen($myFile, 'a') or die("can't open file");

// See if this sale has already been logged. If not, log it and set 'new sale' variable
foreach ($dates[1] as $date) {
    if (!in_array($date, $fileLines)) {
        $newsale = true;
        $sale_time = $date;
        fwrite($fh, $date . "\n");
    }
}
fclose($fh);

if ($newsale) {
    mail($email_to, $email_subject, "You have made a sale.\nSale Time: " . $sale_time, "From: " . $email_from);
}

?>
```

To test, empty the sales.txt file you created and run (access) the script. It will see your recent sales have not been logged and fire off the email. Make sure the email does not go to your junk folder.

If you want your computer to play a ‘kerching’ upon making a sale, you can simply set up a rule in Microsoft Outlook to play the sound upon receiving an email with ‘Payment Received’ in the subject. You get the idea.

For those of you who want the full-on portable cash register, continue on to create a gmail account with a difficult to guess name just for these emails. If you share this address anywhere it will get spammed. We do not want this as you will start hearing an awful lot of incorrect kerchings!

You now need to set your phone up to use your gmail account. Make it check for new emails every 10 mins or so (depending on how often you set your cron job to run the script) and set this kerching wav as your notification sound.

You are now set! When the php script runs intermittently on the cron job, it parses the feed for new sales. When it finds a new sale it sends an email to your phone, which plays a ‘kerching’ sound on receipt!
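An added example, not the post’s own script: the parse-and-deduplicate step done with SimpleXML instead of a regular expression, run on a constructed sample feed in the `<date>...</date>` shape the post’s regex expects. The seen-sales log is a temporary file the example creates itself, so it runs without a network connection or cron:

```php
<?php
// Added example (not the post's code): extract sale times from an XML feed with a
// real XML parser and report only the ones not yet logged.

// Constructed sample feed for the example.
$sampleFeed = <<<XML
<sales>
  <sale><date>2009-07-01 10:15:00</date><amount>12.50</amount></sale>
  <sale><date>2009-07-01 18:40:00</date><amount>7.99</amount></sale>
  <sale><date>2009-07-02 09:05:00</date><amount>30.00</amount></sale>
</sales>
XML;

// Returns the sale times present in the feed but not in $seen, in feed order.
function newSaleTimes(string $xml, array $seen): array
{
    // Parse as XML rather than pattern-matching text. LIBXML_NONET stops the
    // parser from fetching external resources the document might reference.
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    if ($doc === false) {
        return [];
    }
    $new = [];
    foreach ($doc->xpath('//sale/date') as $date) {
        $time = trim((string) $date);
        if ($time !== '' && !in_array($time, $seen, true) && !in_array($time, $new, true)) {
            $new[] = $time;
        }
    }
    return $new;
}

// Loads the logged sale times; a missing or empty file simply yields no entries.
function loadSeen(string $path): array
{
    if (!is_file($path)) {
        return [];
    }
    return array_filter(array_map('trim', file($path, FILE_IGNORE_NEW_LINES)));
}

$logFile = sys_get_temp_dir() . '/sales-example.txt';
file_put_contents($logFile, "2009-07-01 10:15:00\n"); // constructed: one sale already logged

$new = newSaleTimes($sampleFeed, loadSeen($logFile));
foreach ($new as $time) {
    file_put_contents($logFile, $time . "\n", FILE_APPEND);
}
echo count($new), " new sale(s): ", implode(', ', $new), "\n";

// A second pass over the same feed finds nothing new, so no duplicate email is sent.
echo count(newSaleTimes($sampleFeed, loadSeen($logFile))), " new sale(s) on second run\n";
```

When fetching the real feed with curl, leave CURLOPT_SSL_VERIFYPEER at its default so the network’s certificate is checked before the feed login is sent; the script in the post switches that check off.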

Dark Dreamweaver Theme

If, like me, you spend all day staring at a Dreamweaver code screen, you may have given thought to your eyesight and the steps you take to preserve it.

After over 10 years of software development, I have finally taken it upon myself to set my IDE background to black. I have tried this a couple of times over the years, but have immediately changed it back due to it looking ‘weird’. I had just become too accustomed to the colour coding scheme PHP uses and found it extremely difficult to re-adjust.

After a scour on the internet for some sort of ‘theme’, I came across this excellent color scheme.

I’ve now applied this colour scheme to the three PCs I develop on and two weeks down the line I’m really getting used to it. I think it will take another couple of weeks before the colours become second nature to my brain, but it’s worth it in the long run.