Archive | April, 2003

Using Foreign Keys in MySQL

Posted on 06 April 2003 by Demian Turner

by Great Insanely from Weberdev

If portability is not your biggest concern, i.e. you know that your web app is going to reside mainly on a server you control, then you might want to look into the InnoDB table type in MySQL, which allows foreign key relationships.

Any PHP developer worth his/her salt would jump at the prospect of not having to manage ‘cleanup’ queries after table updates.
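Here is what that cascading cleanup looks like in practice, as an added example that is not code from the original post. It assumes PHP 4.3 or later with the mysql extension, a MySQL 4.0+ server with InnoDB enabled, and a hypothetical database `demo` reachable as `app_user`; the `album` and `photo` tables are constructed for the illustration.

```php
<?php
// Added example: an InnoDB foreign key with ON DELETE CASCADE, so deleting an
// album removes its photos without a separate "cleanup" query.
// Assumed: PHP 4.3+ with the mysql extension, MySQL 4.0+ with InnoDB enabled,
// and the hypothetical connection parameters below.
$link = mysql_connect('localhost', 'app_user', 'app_password')
    or die('Connect failed: ' . mysql_error());
mysql_select_db('demo', $link)
    or die('Select DB failed: ' . mysql_error($link));

function run($sql, $link)
{
    $result = mysql_query($sql, $link);
    if ($result === false) {
        die("Query failed: $sql\n" . mysql_error($link));
    }
    return $result;
}

// Parent table. The referenced column must be indexed; the PRIMARY KEY is.
// (MySQL 4.0 releases before 4.0.18 spell the last clause TYPE=InnoDB.)
run('CREATE TABLE album (
         album_id INT NOT NULL AUTO_INCREMENT,
         title    VARCHAR(100) NOT NULL,
         PRIMARY KEY (album_id)
     ) ENGINE=InnoDB', $link);

// Child table. InnoDB also requires an index on the referencing column, and
// both columns must have the same type.
run('CREATE TABLE photo (
         photo_id INT NOT NULL AUTO_INCREMENT,
         album_id INT NOT NULL,
         filename VARCHAR(255) NOT NULL,
         PRIMARY KEY (photo_id),
         INDEX (album_id),
         FOREIGN KEY (album_id) REFERENCES album (album_id)
             ON DELETE CASCADE
     ) ENGINE=InnoDB', $link);

run("INSERT INTO album (title) VALUES ('Holiday 2003')", $link);
$album_id = mysql_insert_id($link);
run("INSERT INTO photo (album_id, filename) VALUES ($album_id, 'beach.jpg')", $link);
run("INSERT INTO photo (album_id, filename) VALUES ($album_id, 'sunset.jpg')", $link);

// A photo pointing at an album that does not exist is rejected by InnoDB.
$orphan = mysql_query("INSERT INTO photo (album_id, filename) VALUES (9999, 'orphan.jpg')", $link);
echo $orphan === false
    ? 'Orphan row rejected: ' . mysql_error($link) . "\n"
    : "Unexpected: orphan row accepted\n";

// One DELETE on the parent; the cascade removes both photos.
run("DELETE FROM album WHERE album_id = $album_id", $link);
$res = run("SELECT COUNT(*) FROM photo WHERE album_id = $album_id", $link);
list($remaining) = mysql_fetch_row($res);
echo "Photos left for album $album_id: $remaining\n"; // 0, with no cleanup query
?>
```

If either index is missing or the column types differ, the second CREATE TABLE fails with errno 150 (foreign key constraint incorrectly formed) rather than silently creating a table without the constraint, so check `mysql_error()` on DDL as the example does.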

Comments (0)

Are Your Login Scripts Secure?

Posted on 06 April 2003 by Demian Turner

Due to popular feedback this tip has been updated to compensate for some bad advice I was promoting. Sorry folks 😉

In summary, to ensure your database cannot be compromised by data from web forms:

  • (obviously) never pass unverified data from a webform to your database
  • if you’re using MySQL, use either mysql_escape_string or mysql_real_escape_string to escape a string before using it in mysql_query; the latter takes a connection handle and escapes the string according to the connection’s current character set
  • if you’re using the PEAR library use DB::quote() to clean your data

Also take a look at the following guidelines from the MySQL manual. The general advice can be loosely applied to other databases, but watch out for the exceptions (see comments).

When running MySQL, follow these guidelines whenever possible:

  • Do not trust any data entered by your users. They can try to trick your code by entering special or escaped character sequences in web forms, URLs, or whatever application you have built. Be sure that your application remains secure if a user enters something like "; DROP DATABASE mysql;". This is an extreme example, but large security leaks and data loss may occur as a result of hackers using similar techniques, if you do not prepare for them. Also remember to check numeric data. A common mistake is to protect only strings. Sometimes people think that if a database contains only publicly available data that it need not be protected. This is incorrect. At least denial-of-service type attacks can be performed on such databases. The simplest way to protect from this type of attack is to use apostrophes around the numeric constants: SELECT * FROM table WHERE ID='234' rather than SELECT * FROM table WHERE ID=234. MySQL automatically converts this string to a number and strips all non-numeric symbols from it.

Checklist:

  • All web applications:
    • Try to enter ' and " in all your web forms. If you get any kind of MySQL error, investigate the problem right away.
    • Try to modify any dynamic URLs by adding %22 ("), %23 (#), and %27 (') in the URL.
    • Try to modify datatypes in dynamic URLs from numeric ones to character ones containing characters from previous examples. Your application should be safe against this and similar attacks.
    • Try to enter characters, spaces, and special symbols instead of numbers in numeric fields. Your application should remove them before passing them to MySQL or your application should generate an error. Passing unchecked values to MySQL is very dangerous!
    • Check data sizes before passing them to MySQL.
    • Consider having your application connect to the database using a different user name than the one you use for administrative purposes. Do not give your applications any more access privileges than they need.
  • Users of PHP:
    • Check out the addslashes() function. As of PHP 4.0.3, a mysql_escape_string() function is available that is based on the function of the same name in the MySQL C API.
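Putting the summary above and the manual’s checklist together, here is an added example (not code from the original post or the MySQL manual) of building a login query from web-form input: strings go through mysql_real_escape_string with the connection handle, numeric fields are checked and still quoted as the manual suggests, sizes are checked before anything reaches MySQL, and the manual’s probe inputs are run through the builder as a self-test. It assumes PHP 4.3 or later with the mysql extension; the `members` table, its columns and the `app_user` account are hypothetical.

```php
<?php
// Added example: safe query construction from form input, plus a self-test
// using the probes from the MySQL manual's checklist.
// Assumed: PHP 4.3+ with the mysql extension, a hypothetical low-privilege
// account app_user, and a hypothetical table members(member_id, username).

// Strings: escape according to the connection's character set, then quote.
function sql_string($value, $link)
{
    return "'" . mysql_real_escape_string($value, $link) . "'";
}

// Numbers: accept only a plain integer, and still quote the constant so a
// stray value can never change the shape of the statement.
function sql_int($value)
{
    if (!preg_match('/^-?[0-9]+$/', (string) $value)) {
        return false;       // caller must treat this as invalid input
    }
    return "'" . (int) $value . "'";
}

// Returns the SQL string, or false if the input must be refused.
function login_query($username, $member_id, $link)
{
    $id = sql_int($member_id);
    if ($id === false) {
        return false;       // numeric field was not numeric: refuse, do not "repair"
    }
    if (strlen($username) > 32) {
        return false;       // size check before MySQL sees it (column assumed VARCHAR(32))
    }
    return 'SELECT member_id FROM members WHERE username = ' . sql_string($username, $link)
         . ' AND member_id = ' . $id;
}

// Connect as the application's own account, not the administrative one.
$link = mysql_connect('localhost', 'app_user', 'app_password')
    or die('Connect failed: ' . mysql_error());

// The checklist probes, as constructed inputs. None of them should produce a
// MySQL error or change the meaning of the query once escaped and quoted.
$probes = array(
    'alice',
    "'",                           // %27
    '"',                           // %22
    '#',                           // %23
    "x'; DROP DATABASE mysql;--",  // the manual's "extreme example"
    "a b\tc\n",                    // spaces and control characters
);
foreach ($probes as $p) {
    echo login_query($p, '234', $link), "\n";
}

// Character data in a numeric field: the query is refused, not built.
foreach (array('234', '234abc', "234'", ' 234', '') as $n) {
    $sql = login_query('alice', $n, $link);
    echo str_pad(var_export($n, true), 10), ' -> ', ($sql === false ? 'rejected' : 'ok'), "\n";
}
?>
```

With the PEAR DB library the escaping and quoting of `sql_string()` collapse into a single `$db->quote($value)` call, but the integer check and the size check are still the application’s job.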

Comments (2)

UK government gives Linux a boost

Posted on 05 April 2003 by Demian Turner

from Yahoo

The organisation responsible for the UK government’s procurement policy has opted for Linux to underpin its new online purchasing system.

The Office of Government Commerce (OGC) hopes the system will allow public sector bodies to buy products more quickly, more easily and more cost effectively.

Called Purchase & Pay, the Linux-based system is being operated by OGCbuying.solutions only for the Department of Work & Pensions (DWP). It is currently used for the purchase of printed forms, stationery and associated items but in the long term is likely to encompass a much wider range of goods and services.

Comments (0)

Get your Personal Copy of PHPkitchen ;-)

Posted on 04 April 2003 by Demian Turner

Thanks goes out to the person from Paris who yesterday pointed his/her screenscraping software (which will remain unnamed to avoid promoting further infamy) at PHPkitchen.com and drained

78 MEGABYTES !!!!!!!!!!!!

off my server. Yes, your IP, 212.234.213.250, has been banned and you have been reported to your ISP and hopefully blacklisted.

It looks like the said software now has an option to override the disallow directive in robots.txt – any other webmasters know how to get around these types of nuisances?

Happy that I upgraded to a 40GB account,

Demian

Comments (5)

Fancy A Trip To NYC?

Posted on 03 April 2003 by Demian Turner

PHPCon is where PHP professionals get together to discuss technology, compare notes, and meet the people changing the industry! Our program includes the top names in PHP development today including:

* Rasmus Lerdorf, Opening Keynote Speaker and Inventor of PHP
* Zeev Suraski, Closing Keynote Speaker and Co-Founder of Zend, Inc.
* J. Scott Johnson, Principal, The Fuzzy Group
* Zak Greant, MySQL Community Advocate
* Shane Caraveo, Sr. Developer, ActiveState, Inc.
* Authors Luke Welling and Laura Thompson, Tangent Technologies
* George Schlossnagle, Principal, OmniTI
* Authors Sterling Hughes, John Coggeshall, and Christian Wenz
* Marco Tabini, Publisher, PHP|Architect

Comments (0)

Release of Portfolio version 1.0

Posted on 02 April 2003 by Demian Turner

Portfolio version 1.0 is a web-based photo manager written using PHP / MySQL. With Portfolio, you can easily create and maintain albums of photos via a web browser. Photo management includes automatic thumbnail creation, captioning, searching and more.

Portfolio version 1.0 is composed of an administration website with private access (login / password), and a front-office API. A demonstration website is included.

Comments (0)

April Fool’s Dog Day

Posted on 01 April 2003 by Demian Turner

from macosxhints

Thanks to djidji for pointing this out in this thread on the macosxhints OS X Developers Forum. It’s completely useless, but it is April 1st, so it seems fitting to publish it here today!

The PHP developers have a small April Fool’s Day Easter egg hidden in the PHP code. If you have PHP enabled and working, just create a small PHP file that contains the standard “show install information” PHP command:

<?php phpinfo(); ?>

Load this file in your browser, and check out the new PHP logo. You’ll only see this, of course, as long as your system shows the date as April 1st.

Comments (0)
