handy .htaccess trick - restrict by IP address
# The two Basic-auth lines below have no effect without a matching Require
# directive; the IP restriction is done entirely by the order/deny/allow block.
AuthName "whatever"
AuthType Basic
# Apache 2.2 syntax. Caveat: <Limit> restricts only the methods it lists
# (GET also covers HEAD). Any other method, e.g. OPTIONS or PUT, is NOT
# restricted by this block; drop the <Limit> wrapper to cover every method.
<Limit GET POST>
order deny,allow
deny from all
allow from [whatever ip address]
</Limit>
posted Tuesday, January 26, 2010 at 08:25:50 AM
SQL injection by example
Today I was working on a project for my day job which involved an ajax call to a database. A user inputs a zip code into a form text box and once 3 digits are entered, Javascript fires off a request to a PHP script which fires off a call to a MySQL database to see if there is a match.
I decided to look around the Internet for some example code to jump start. I found the following PHP code. Seeing sample code like this makes me not only cringe, but makes me want to reach out and slap the developer that wrote it.
// Vulnerable sample as found (behaviour kept on purpose); only the array
// keys are quoted so it runs without notices.
if(isset($_POST['queryString']))
{
$queryString = $_POST['queryString'];
if(strlen($queryString) >0)
{
// The POST value is dropped straight into the SQL text with no escaping or
// parameter binding: this is the injection point the text describes.
$query = "SELECT blog_tags FROM blog_entry WHERE blog_tags LIKE '$queryString%' LIMIT 10";
$result = mysql_query($query) or die("There is an error in database please contact support");
while($row = mysql_fetch_array($result))
{
echo $row['blog_tags'];
}
}
}
This code would allow any attacker to inject SQL code into the query string, thus allowing them to run commands in your MySQL database. They can do so simply by sending POST data like:
' OR 1; SELECT * FROM mysql.User
Scary, eh? Using this code I can easily view all users in your MySQL database.
#1 Rule of Web Application Programming: NEVER trust user input.
This includes POST data, GET data, COOKIES, etc --- basically anything that your script is reading from the client side.
SQL injection is simple to protect against. PHP has built-in functions to do so (addslashes(), mysql_real_escape_string(), etc.). PHP can also use prepared statements, which send user input to the database separately from the SQL text so it can never be interpreted as part of the query.
Simply put, if you take on the mindset that anyone sending any sort of data to your program is a potential hacker, you will write more secure code.
More information on SQL injections can be found on OWASP's website.
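The zip-code lookup described at the top of the post, rewritten around a mysqli prepared statement. This is an added example, not code from the post; the table name `zip_codes`, its `zip` column and the connection settings are assumptions.

```php
<?php
// Added example (not the original post's code). Assumes a table `zip_codes`
// with a `zip` column and the connection values used at the bottom.
function lookupZipPrefix(mysqli $db, string $prefix, int $limit = 10): array
{
    // Only a 3..5 digit prefix makes sense for a zip lookup, so reject anything
    // else before it reaches the database (defence in depth, not the only barrier).
    if (!preg_match('/^\d{3,5}$/', $prefix)) {
        return [];
    }

    // A bound parameter travels separately from the SQL text, so quotes or
    // semicolons inside it cannot alter the statement. LIKE wildcards are
    // still data, so escape % and _ (MySQL's default escape char is backslash)
    // in case the digit-only rule above is ever relaxed.
    $pattern = strtr($prefix, ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']) . '%';

    $stmt = $db->prepare('SELECT zip FROM zip_codes WHERE zip LIKE ? LIMIT ?');
    $stmt->bind_param('si', $pattern, $limit);
    $stmt->execute();

    $matches = [];
    foreach ($stmt->get_result() as $row) {
        $matches[] = $row['zip'];
    }
    $stmt->close();
    return $matches;
}

// The POST handler the post describes, using the same field name.
// Connection values are placeholders.
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
$db->set_charset('utf8mb4');
$input = $_POST['queryString'] ?? '';
header('Content-Type: application/json');
echo json_encode(lookupZipPrefix($db, $input));
```

Feeding the post's payload (`' OR 1; SELECT * FROM mysql.User`) to this handler returns an empty list: the regex rejects it, and even without the regex the bound parameter would only be compared as a literal string.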
posted Tuesday, October 20, 2009 at 08:11:24 AM
Cheap SSL Certificates from Go Daddy
You can buy Go Daddy SSL certificates for only $12.99/year by using this link. This is by far the most inexpensive SSL certificate I've found anywhere.
posted Sunday, July 26, 2009 at 03:47:28 PM
Protecting mailto link email addresses from spam
The best way to keep a spammer from getting your email address is to not put your email address on your website. So in the best case, use a contact form. And use one that doesn't require you to put your email address in a hidden input field. Even more important, make sure it has protection from email header injection.
If you absolutely must use mailto: addresses, here's a little trick: write it out to the page using Javascript. I wrote a Perl script a few years back that will do just that. Type in your email address and it will spit out a few lines of document.write which will obfuscate your address. You can then place this into an external .js file and reference it anywhere on the page that you want your mailto: to appear. It isn't fancy, but it does the trick.
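What "protection from email header injection" looks like in a contact-form handler: an added example, not the post's own script. The form field names and the recipient address are assumptions.

```php
<?php
// Added example (not the post's code): a contact-form mailer that refuses
// header injection. Field names are assumed; the recipient is a placeholder.
const CONTACT_RECIPIENT = 'you@example.invalid'; // placeholder, set your own

// A single CR, LF or NUL in a value that ends up in a header is all it takes
// to append extra lines such as "Bcc: victims@...", so refuse them outright.
function headerSafe(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) !== 1;
}

function sendContactMessage(array $form): bool
{
    $from    = trim($form['email'] ?? '');
    $subject = trim($form['subject'] ?? '');
    $body    = $form['message'] ?? '';

    // The sender must be one valid mailbox. FILTER_VALIDATE_EMAIL already
    // rejects newlines; the explicit check documents the intent.
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false || !headerSafe($from)) {
        return false;
    }
    if ($subject === '' || !headerSafe($subject)) {
        return false;
    }

    // Keep the visitor's address out of From: (your own domain's mail policy
    // applies to that header); Reply-To still lets you answer them.
    $headers = [
        'From: ' . CONTACT_RECIPIENT,
        'Reply-To: ' . $from,
        'Content-Type: text/plain; charset=UTF-8',
    ];
    // Newlines in the body are fine: the body cannot reach the header block.
    return mail(CONTACT_RECIPIENT, $subject, $body, implode("\r\n", $headers));
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    echo sendContactMessage($_POST) ? 'Thanks, message sent.' : 'Invalid form input.';
}
```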
posted Sunday, December 21, 2008 at 03:21:22 PM
Free encryption software
I just stumbled upon this today ... free open source disk encryption software that supports virtual disk encryption, partition or storage device encryption, and even drive encryption.
In short, you can set up an encrypted virtual drive, you can encrypt a USB flash drive, or you can encrypt your entire system drive.
Supported operating systems include Windows Vista/XP/2000, Mac OS X and Linux.
Encryption algorithms include AES-256, Serpent and Twofish.
posted Saturday, December 6, 2008 at 03:38:05 PM
Free antivirus, spyware, firewall and security software
This is a small collection of antivirus, spyware, firewall and security software that I have used with great success. Some include paid versions with additional features that you may find useful, but all have free versions which are fully functional and extremely useful.
AVG Anti-Virus
This is one of the best free anti-virus programs I have found. It has kept all the PCs in my home virus-free for years. The paid version is reasonably priced and includes anti-spyware, root exploit protection, a firewall, and more.
Zone Alarm
The best free PC firewall program I have used. It will block any and all programs from accessing the internet until you explicitly allow or deny them. It will also block unwanted incoming traffic. Again, the paid version includes additional features. However, the free version is sufficient for most users and is extremely useful.
Spybot Search & Destroy and Ad-Aware
These two programs are made by two completely different companies. They both detect and remove spyware from your computer and are free. The reason that I mention them together is that they complement each other quite well. While they both detect most of the same things, they each detect some spyware that the other does not. I highly recommend using them both.
SpywareBlaster
This is a handy program which helps to prevent spyware from installing in the first place.
OpenDNS
OpenDNS is a web-based service which allows you to use their DNS servers as a replacement for your own ISP's. You can create an account with them and control various aspects, including restricting certain sites which computers on your home network can access. This includes known phishing sites, adult sites, illegal sites, even custom lists. Or you can block no content at all and just enjoy the increased speed of your connection as the time it takes to look up a domain name decreases dramatically.
PeerGuardian 2
This is simply an IP blocker for Windows. Unlike a full-fledged firewall, it allows you to block specific IPs or ranges of IPs from accessing your computer. It supports multiple lists, list editing, automatic updates, and blocking all of IPv4 (TCP, UDP, ICMP, etc.), making it the safest and easiest way to protect your privacy on P2P. If you peruse torrent sites for programs such as OpenOffice, it is a very good idea to use this program.
posted Sunday, November 30, 2008 at 08:21:38 PM
Great Photo
posted Thursday, November 6, 2008 at 01:39:44 PM
new Flickr account
I finally jumped on the bandwagon and created a Flickr account. I take a lot of photos, so I guess it makes sense.
After playing around a bit with the Flickr API, I now have a live feed of some of the most recent photos added to the account. See link at very top of this page. You can sort the photos by newest first, or in random fashion.
APIs are cool.
posted Sunday, November 2, 2008 at 02:28:33 PM