Hayden Kibble

In my time I’ve seen a few pieces of insecure code. Considering what clients can pay for a bespoke eCommerce or CMS solution, you’d expect at least a basic level of security. Unfortunately there’s one oversight that crops up time and again. The SQL Injection vulnerability. Despite being a huge threat to your security, SQL injection holes are simple to prevent.

Trusting anything the client sends is a bad idea. ALWAYS assume the worst and sanitise GET or POST variables before using in an SQL call. Below is an example of some code that you may use when a user logs in:

1
2
3
4
5
6
7
8

$username = $_POST['username'];
$password = $_POST['password'];
 
$sql = "SELECT id FROM users WHERE username='$username' AND password='$password' ";
$query = mysql_query($sql);
$id = mysql_fetch_array($query);
 
if($id) {...

The code above compares the username and password (submitted from a standard HTML form) to the database. If both match, then the script would go on to log the user in. The actual SQL call made to the database may look something like this:

1

SELECT id FROM users WHERE username='johnsmith' AND password='mypass'

Now, rather than ‘johnsmith’, should the username contain the following…

1

johnsmith'#

The entire SQL call made to the database would look like so…

1

SELECT id FROM users WHERE username='johnsmith'#' AND password='mypass'

Since MySQL treats everything after the hash (#) symbol as a comment, it’s actually only checking the username and not the password. The hacker can now log in as John without knowing the password! Even worse, the hacker need only guess the username of the administrator to log in as him too!

This is SQL injection in it’s most basic form. It can easily be worked on to spit out sensitive data to the screen, insert new rows (user accounts), delete data, edit data and more.

A simple solution to this problem would simply be to use PHP’s addslashes() function like so:

1

$sql = "SELECT id FROM users WHERE username='". addslashes($username) ."' AND password='". addslashes($password) ."' ";

Share

Being the egotistical git I am, I wanted my phone to make a ‘kerching’ sound each time I made an affiliate sale. Nothing beats dozing off on a lazy Sunday evening and hearing your cash register ring out. Here’s how I made it happen…

First, you need to receive an email each time you make a sale. If your affiliate network will do this, then the first bit is already done. If not, copy the script below into a php file called something like  ‘xml-to-email.php’ and upload it to your web server. Full instructions are in comments at the top of the file. You will most likely have to change the regex variable to work with your affiliate network’s own feed format.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81

<?php
 
/* #########################################################
 
Email When You Make a Sale
Developed by Hayden Kibble July 2009
Hayden@HaydenKibble.com
www.HaydenKibble.com
 
Install instructions:
1. Put your affiliate network login and your email details into the variables below
2. You will probably have to edit '$regex_saletime' to match the sale time/date for your paticular aff networks xml feed
2. Upload this file to your web server.
3. Create a file called 'sales.txt' in the same directory as this script and make sure it has read/write permissions
4. Visit the page and it should show a blank page. An email will probably be sent as it picks up all your recent sales
5. Set a cron job up on your web server to run this script every 10 mins or so
6. If you have problems with any of the above, Google is your friend!
 
######################################################### */
 
$base_url = "https://www.affilliate-network.com/myfeed.xml";
$feed_user = "USERNAME-HERE";
$feed_pass = "PASSWORD-HERE";
$regex_saletime = "/<date>(.*)<\/date>/U";
 
$email_from = "from@address.com";
$email_to = "to@address.com";
$email_subject = "You Made a Sale!";
 
// ##### Do Not Edit Below This Line! #####
 
$ch = curl_init();
 
curl_setopt($ch, CURLOPT_URL, $base_url);
 
// Set your login and password for authentication
curl_setopt($ch, CURLOPT_USERPWD, $feed_user . ':' . $feed_pass);
 
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_ANY);
 
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
 
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
 
// get the data and close the session
$data = curl_exec($ch) or die("Error Getting Feed.");
curl_close($ch);
 
$dates = array();
 
preg_match_all($regex_saletime,$data,$dates);
 
// Read previous sales times from database
$fileData = array();
$myFile = "sales.txt";
$fh = fopen($myFile, 'r');
$fileData = fread($fh, filesize($myFile));
fclose($fh);
 
// Split the file into lines
$fileLines = explode("\n",$fileData);
 
$newsale = false;
 
$fh = fopen($myFile, 'a') or die("can't open file");
 
// See if this sale has already been logged. If not, log it and set 'new sale' variable
foreach($dates[1] as $date){
if (!in_array($date,$fileLines)){
$newsale = true;
$sale_time = $date;
fwrite($fh, $date . "\n");
}
}
fclose($fh);
 
if ($newsale){
mail($email_to,$email_subject,"You have made a sale.\nSale Time: ".$sale_time,"From: " . $email_from);
}
 
?>

To test, empty the  sales.txt file you created and run (access) the script. It will see your recent sales have not been logged and fire off the email. Make sure the email does not go to your junk folder.

If you want your computer to play a ‘kerching’ upon making a sale, you can simply set up a rule in Microsoft Outlook to play the sound upon receiving an email with ‘Payment Received’ in the subject. You get the idea.

For those of you who want the full-on portable cash register, continue on to create a gmail account with a difficult to guess name just for these emails. If you share this address anywhere it will get spammed. We do not want this as you will start hearing an awful lot of incorrect kerching’s!

You now need to set your phone up to use your gmail account. Make it check for new emails every 10 mins or so (depending on how often you set your cron job to run the script) and set this kerching wav as your notification sound.

You are now set! When the php script runs intermittently on the cron job, it parses the feed for new sales. When it finds a new sale it sends an email to your phone, which plays a ‘kerching’ sound on receipt!

Share

If, like me, you spend all day staring at a Dreamweaver code screen, you may have given thought to your eyesight and the steps you take to preserve it.

After over 10 years of software development, I have finally taken it upon myself to set my IDE background to black. I have tried this a couple of times over the years, but have immediately changed it back due to it looking ‘wierd’. I had just become too accustomed to the colour coding scheme PHP uses and found it extremely difficult to re-adjust.

After a scour on the internet for some sort of ‘theme’, I came across this excellent color scheme.

I’ve now applied this colour scheme to the three PCs I develop on and two weeks down the line I’m really getting used to it. I think it will take another couple of weeks before the colours become second nature to my brain, but it’s worth it in the long run.

Share