Trusting anything the client sends is a bad idea. ALWAYS assume the worst and sanitise GET or POST variables before using in an SQL call. Below is an example of some code that you may use when a user logs in:

1
2
3
4
5
6
7
8

$username = $_POST['username'];
$password = $_POST['password'];
 
$sql = "SELECT id FROM users WHERE username='$username' AND password='$password' ";
$query = mysql_query($sql);
$id = mysql_fetch_array($query);
 
if($id) {...

The code above compares the username and password (submitted from a standard HTML form) to the database. If both match, then the script would go on to log the user in. The actual SQL call made to the database may look something like this:

1

SELECT id FROM users WHERE username='johnsmith' AND password='mypass'

Now, rather than ‘johnsmith’, should the username contain the following…

1

johnsmith'#

The entire SQL call made to the database would look like so…

1

SELECT id FROM users WHERE username='johnsmith'#' AND password='mypass'

Since MySQL treats everything after the hash (#) symbol as a comment, it’s actually only checking the username and not the password. The hacker can now log in as John without knowing the password! Even worse, the hacker need only guess the username of the administrator to log in as him too!

This is SQL injection in it’s most basic form. It can easily be worked on to spit out sensitive data to the screen, insert new rows (user accounts), delete data, edit data and more.

A simple solution to this problem would simply be to use PHP’s addslashes() function like so:

1

$sql = "SELECT id FROM users WHERE username='". addslashes($username) ."' AND password='". addslashes($password) ."' ";

Share

If you forget your admin password when developing an app and haven’t coded a ‘reset your password’ part yet (I always code these boring bits last!) you have 2 choices. You can create a new MD5 hash and replace the one in the database, or you can ‘crack’ the hash to find out your password. But how?

Enter Cloud Cracker, the free online MD5 hasher/cracker. This nifty little tool will take any password and give you it’s MD5 hash. It will also attempt to ‘crack’ an entered hash and show you the plaintext password.

Click Here to check out Cloud Cracker now. and feel free to hit the ‘Digg’ button if you like it.

Share

If you’ve had an auto-suggest bubble pop up as you’re searching, or if you’ve seen form sub-sections magically appear as you choose options, then you have already used AJAX. Slow, static web pages have given way to speedy, animated interfaces with more nifty features.

Some examples of what you can achieve with AJAX include:

• Auto-suggest popups
• Form elements appearing/hiding as you complete the form
• Slider controls
• Draggable/droppable content

The term AJAX stands for ‘Asynchronous Javascript And XML’. Technically, AJAX is when javascript sends requests back to the server, receives a response in XML and acts upon it. These days though, AJAX is used more of a blanket term of for anything interactive which uses javascript.

If you have been developing PHP and looking to take your applications to the next level of interactivity, then check out some of the nifty AJAX Javascript frameworks out there that do all the hard work for you:

• jQuery
• Mootools
• Prototype

Share

I think we’re all agreed on the fact that relevant, contextual links from related so-called ‘authority’ sites are good stuff. Generous use of your keywords through your title tag, header tags and page content are also top of the list in our SEO agendas.

Well, what then? What else can we do to be Google’s best friend? Some recent theories have been thrown about such as:

• Get contact us, terms and about us pages
• Add a quick blog to your site and other ‘bulking’ things
• Put your keywords into image ALT tags

But I’ve never heard anyone state the importance of making your sites (X)HTML compliant. I am confident that the big ‘G’ sees this as a big deal, but Nobody seems to have noticed. Just look how clear Google makes this point in their webmaster guidelines:

Check for broken links and correct HTML

Easy to overlook, but even easier to adhere to. Simply let the W3C’s free online validator take a look at your page and tell you how to fix it. Job done!

And in case you’re wondering, of course I have

Share

First, you need to receive an email each time you make a sale. If your affiliate network will do this, then the first bit is already done. If not, copy the script below into a php file called something like  ‘xml-to-email.php’ and upload it to your web server. Full instructions are in comments at the top of the file. You will most likely have to change the regex variable to work with your affiliate network’s own feed format.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81

<?php
 
/* #########################################################
 
Email When You Make a Sale
Developed by Hayden Kibble July 2009
Hayden@HaydenKibble.com
www.HaydenKibble.com
 
Install instructions:
1. Put your affiliate network login and your email details into the variables below
2. You will probably have to edit '$regex_saletime' to match the sale time/date for your paticular aff networks xml feed
2. Upload this file to your web server.
3. Create a file called 'sales.txt' in the same directory as this script and make sure it has read/write permissions
4. Visit the page and it should show a blank page. An email will probably be sent as it picks up all your recent sales
5. Set a cron job up on your web server to run this script every 10 mins or so
6. If you have problems with any of the above, Google is your friend!
 
######################################################### */
 
$base_url = "https://www.affilliate-network.com/myfeed.xml";
$feed_user = "USERNAME-HERE";
$feed_pass = "PASSWORD-HERE";
$regex_saletime = "/<date>(.*)<\/date>/U";
 
$email_from = "from@address.com";
$email_to = "to@address.com";
$email_subject = "You Made a Sale!";
 
// ##### Do Not Edit Below This Line! #####
 
$ch = curl_init();
 
curl_setopt($ch, CURLOPT_URL, $base_url);
 
// Set your login and password for authentication
curl_setopt($ch, CURLOPT_USERPWD, $feed_user . ':' . $feed_pass);
 
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_ANY);
 
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
 
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
 
// get the data and close the session
$data = curl_exec($ch) or die("Error Getting Feed.");
curl_close($ch);
 
$dates = array();
 
preg_match_all($regex_saletime,$data,$dates);
 
// Read previous sales times from database
$fileData = array();
$myFile = "sales.txt";
$fh = fopen($myFile, 'r');
$fileData = fread($fh, filesize($myFile));
fclose($fh);
 
// Split the file into lines
$fileLines = explode("\n",$fileData);
 
$newsale = false;
 
$fh = fopen($myFile, 'a') or die("can't open file");
 
// See if this sale has already been logged. If not, log it and set 'new sale' variable
foreach($dates[1] as $date){
if (!in_array($date,$fileLines)){
$newsale = true;
$sale_time = $date;
fwrite($fh, $date . "\n");
}
}
fclose($fh);
 
if ($newsale){
mail($email_to,$email_subject,"You have made a sale.\nSale Time: ".$sale_time,"From: " . $email_from);
}
 
?>

To test, empty the  sales.txt file you created and run (access) the script. It will see your recent sales have not been logged and fire off the email. Make sure the email does not go to your junk folder.

If you want your computer to play a ‘kerching’ upon making a sale, you can simply set up a rule in Microsoft Outlook to play the sound upon receiving an email with ‘Payment Received’ in the subject. You get the idea.

For those of you who want the full-on portable cash register, continue on to create a gmail account with a difficult to guess name just for these emails. If you share this address anywhere it will get spammed. We do not want this as you will start hearing an awful lot of incorrect kerching’s!

You now need to set your phone up to use your gmail account. Make it check for new emails every 10 mins or so (depending on how often you set your cron job to run the script) and set this kerching wav as your notification sound.

You are now set! When the php script runs intermittently on the cron job, it parses the feed for new sales. When it finds a new sale it sends an email to your phone, which plays a ‘kerching’ sound on receipt!

Share

99% of affiliate marketers don’t track which of their adwords ads are profitable and which are losing them money. That’s why 99% of affiliate marketers fail.

In theory, Adwords conversion tracking is the perfect solution. It allows you to track not just what adgroups or ads are converting, but even the keywords leading to sales. I fell in love with Adwords conversion tracking as I knew it would lead to my success. The reality, however, is that it does not manage to register every conversion every time. In fact, in my experience, it only manages to register 50%. This is due to a number of reasons, which include:

• Adwords uses Javascript to track conversions.
• Not everyone has javascript enabled or even installed.
• Adwords uses a 30 day cookie. If your affiliate network uses a 45 or 60 day cookie, it will not track conversions after the 30 days. Similarly, if your affiliate network uses a short cookie like, Adwords will track extra conversions
• The visitor may close the ‘purchase complete’ page with the tracking code installed before it has fully loaded. Adwords won’t catch the sale.
• A customer could bookmark the page with the tracking code installed, causing it to be fired when they return

Suddenly, it seems that beautiful dream of knowing the exact ROI of each ad group, ad and keyword may be just another busting bubble in the over-hyper affiliate marketing world. Well, I’m ecstatic to announce that you can still track this stuff. It just takes a little bit more work. And for near-perfect tracking, it is worth every second.

The trick is to append a variable to all of your ad URLs. Then you have your landing page attach the variable to your affiliate link. The affiliate network should then display the variable in your conversion report. After a couple of months or so you can check how much an ad has made you in sales, then subtract the cost of clicks for that ad over the same period. If you’ve paid a lot more on clicks than that ad made you in sales, bin it. If it cost a little more, drop your CPC and bring it into profitability.

Most affiliate networks have different rules regarding the variables they show on your stats. For instance, some may require that you give your variable a certain name. Look through their help pages for more info on what you should call the variable, or whether they allow you to create different ‘hop links’ or aliases for different ads etc.

Let’s say I want to track which ads for blue widgets are profitable. I could create an ad with the following URL:

1

http://www.widgets.com/landingpage.php<strong>?ad=myad1

Then in the source code of the landingpage.php file, I would add this at the top:

1
2
3
4
5

<?php 
 
$affurl = "http://widget.myaffnetwork.com/?ad=" . $_GET['ad'];
 
?>

Now the ‘ad’ variable would be passed all the way from my advert to my affiliate network. So they would see:

1

http://widget.myaffnetwork.com/?ad=myad1

You’d now see ad=myad1 in your sales report next to any sales when happened as a result of someone clicking on that ad.

Share

After over 10 years of software development, I have finally taken it upon myself to set my IDE background to black. I have tried this a couple of times over the years, but have immediately changed it back due to it looking ‘wierd’. I had just become too accustomed to the colour coding scheme PHP uses and found it extremely difficult to re-adjust.

After a scour on the internet for some sort of ‘theme’, I came across this excellent color scheme.

I’ve now applied this colour scheme to the three PCs I develop on and two weeks down the line I’m really getting used to it. I think it will take another couple of weeks before the colours become second nature to my brain, but it’s worth it in the long run.

Share