Posted: October 14, 2006 at 3:36 pm |
(4) Comments
The error reporting built into PHP is crude, at best. Be it a parse error, the infamous “headers already sent,” or a “call to undefined function,” what you’ll see is the error type and filename in bold, some technical jargon, and a line number that may or may not be correct.
But you don’t have to rely upon PHP’s error handling style. For a while now, PHP has allowed you to define your own error handler, such as:
function my_error_handler ($number, $message, $file, $line) {
    // Match the formatting, CSS, etc., for your site's style!
    echo 'The following error occurred at line ' . $line . ' of file ' . $file . ': ' . $message;
    // Dump every variable currently defined, inside pre tags so print_r()'s output stays readable.
    echo '<pre>The existing variables are:' . print_r($GLOBALS, 1) . '</pre>';
}
Then you tell PHP to use your handler and not the default one by calling the set_error_handler() function.
set_error_handler('my_error_handler');
From this point in your script forward, most errors will be handled by your function (there are some exceptions, including parse errors, which will still be handled the old way). With my example, the message is printed out with a little HTML formatting and, more importantly, all of the existing variables are printed within pre tags.
You might be thinking that I didn’t really do anything novel with print_r() in my error handler. True, but I could just as easily build up a detailed error message that is then e-mailed to me should a problem occur on a live site (when you shouldn’t display this information to the site’s user).
Just in case that technique is a bit of a yawner to you, I’ll also mention this: Along with the many new features in PHP 5, another method of error handling has been introduced, in keeping with C++/Java/C# style. This format uses the try-catch syntax:
<?php
try {
    // mysql_connect() returns false on failure; the @ suppresses its own warning
    // so the problem is reported once, through the exception.
    if (!@mysql_connect('localhost', 'username', 'password'))
        throw new Exception (mysql_error());
} catch (Exception $e) {
    echo 'Could not connect to the database because: ' . $e->getMessage();
}
?>
Of course that’s just a basic example; there’s a lot more that you can do with this method of error handling. In particular, if you’re comfortable with object oriented programming (OOP), you can define and use your own Exception class. Or you can have multiple catch statements, each catching a different type of exception.
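The two ideas above combined, as an added example that is not code from the original post: a handler for a live site that logs the full detail instead of echoing it, shows the visitor only a reference id, and converts PHP errors into exceptions so they can be caught with try/catch. The LIVE_SITE constant is an assumption made for this example.

```php
<?php
// Added example (not code from the original post): an error handler for a
// live site. It writes the full detail to the server log with error_log(),
// shows the visitor only a short message with a reference id, and turns the
// error into an ErrorException so the calling code can use try/catch.
// LIVE_SITE is an assumption made for this example.

define('LIVE_SITE', true);          // false on a development box

function detailed_error_handler($number, $message, $file, $line)
{
    // Honour the configured error_reporting level and the @ operator.
    if (!(error_reporting() & $number)) {
        return false;               // let PHP's default handler deal with it
    }

    // A reference id links what the visitor sees to the logged detail.
    $ref = uniqid('err_', true);

    // Log file, line and request data. POST values are reduced to their keys
    // so passwords and similar secrets never end up in the log.
    $detail = sprintf("[%s] PHP error %d: %s in %s on line %d\nGET: %s\nPOST keys: %s",
        $ref, $number, $message, $file, $line,
        print_r($_GET, true), implode(', ', array_keys($_POST)));
    error_log($detail);

    if (LIVE_SITE) {
        // The visitor gets the reference only; paths and variables stay private.
        throw new ErrorException("Internal error (reference $ref)", 0, $number, $file, $line);
    }

    // On a development box, show everything, inside pre tags as the post does.
    echo '<pre>' . htmlspecialchars($detail) . '</pre>';
    return true;
}

set_error_handler('detailed_error_handler');

try {
    // Constructed trigger: reading an undefined array key raises a PHP
    // notice (PHP 7) or warning (PHP 8), which the handler above receives.
    $value = $_GET['missing_parameter'];
} catch (ErrorException $e) {
    echo 'Sorry, something went wrong. ' . $e->getMessage();
}
```

The reference id printed to the visitor appears at the start of the matching log line, so a support request can be tied to the full detail without ever exposing it on the page.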
Posted: September 24, 2006 at 4:31 pm |
(3) Comments
PHP is a very easy language to learn, and many people without much programming knowledge are learning it to make their sites more interactive. Unfortunately, a large percentage of them are unaware of the security risks. Here are the most common ones:
Never trust any users on your site
Never, Ever, Trust Your Users. Assume every single piece of data your site collects from a user contains malicious code. Always. That includes data you think you have checked with client-side validation, for example using JavaScript. If you can manage that, you’ll be off to a good start. If PHP security is important to you, this single point is the most important to learn.
register_globals
If you’re an advanced PHP programmer, you’ll most probably know about this. register_globals makes every variable that comes into the script global (for example, if my page is index.php and a visitor requests index.php?p=3, my $p variable is 3).
if ($password == "mypassword") {
    $authorized = 1;
}
// $authorized is never initialised, so with register_globals on a request
// parameter of the same name supplies its value.
if ($authorized == 1) {
    echo "my important area";
}
If your server or PHP install has register_globals on, then anyone requesting your page as index.php?authorized=1 will gain access to it.
There are two ways to fix a problem like this:
1. Create a .htaccess file and put the following in it:
php_flag register_globals off
However, take note that if you have coded your script in an environment with register_globals on (reading input from bare variables instead of the superglobal arrays such as $_GET and $_POST), this will break your script.
2. Simply insert a $variable = 0 before you utilize your variable, which means that if anyone tried requesting index.php?authorized=1 the injected value would be overwritten before it is checked.
Error Messages
Errors are a very useful tool for both programmer and hacker. A developer needs them in order to fix bugs. A hacker can use them to find out all sorts of information about a site, from the directory structure of the server to database login information. If possible, it is best to turn off all error reporting in a live application. PHP can be told to do this through the .htaccess or php.ini, by setting “error_reporting” to “0”. If you have a development environment, you can set a different error reporting level for that. You can also write error_reporting(0); at the beginning of your script.
SQL Injection
One of PHP’s greatest strengths is the ease with which it can communicate with databases, most notably MySQL. Many people make extensive use of this, and a great many sites rely on databases to function.
However, as you would expect, with that much power there are potentially huge security problems you can face. Fortunately, there are plenty of solutions. The most common security hazard faced when interacting with a database is that of SQL Injection – when a user uses a security glitch to run SQL queries on your database.
Let’s use a common example. Many login systems feature a line that looks a lot like this when checking the username and password entered into a form by a user against a database of valid username and password combinations, for example to control access to an administration area:
$check = mysql_query("SELECT Username, Password, UserLevel FROM Users WHERE Username = '".$_POST['username']."' and Password = '".$_POST['password']."'");
If I enter the following into the “username” input box in the form and submit it:
' OR 1=1 #
The query that is going to be executed will now look like this:
SELECT Username, Password, UserLevel FROM Users WHERE Username = '' OR 1=1 #' and Password = ''
The hash symbol (#) tells MySQL that everything following it is a comment and to ignore it. So it will actually only execute the SQL up to that point. As 1 always equals 1, the SQL will return all of the usernames and passwords from the database. And as the first username and password combination in most user login databases is the admin user, the person who simply entered a few symbols in a username box is now logged in as your website administrator, with the same powers they would have if they actually knew the username and password.
With a little creativity, the above can be exploited further, allowing a user to create their own login account, read credit card numbers or even wipe a database clean.
Fortunately, this type of vulnerability is easy enough to work around. By checking for apostrophes in the items we enter into the database, and removing or neutralizing them, we can prevent anyone from running their own SQL code on our database. The function below would do the trick:
function make_safe($variable) {
    $variable = addslashes(trim($variable));
    return $variable;
}
Instead of using _POST variables as in the query above, we now run all user data through the make_safe function, resulting in the following code:
$username = make_safe($_POST['username']);
$password = make_safe($_POST['password']);
$check = mysql_query("SELECT Username, Password, UserLevel FROM Users
    WHERE Username = '".$username."' and Password = '".$password."'");
If a user entered the malicious data above, the query becomes the following, which is harmless: it selects the row whose username is literally “\’ OR 1=1 #”.
SELECT Username, Password, UserLevel FROM Users WHERE Username = '\' OR 1=1 #' and Password = ''
Unless you happen to have a user with a very unusual username and a blank password, your malicious attacker will not be able to do any damage at all. It is important to check all data passed to your database like this, however secure you think it is. HTTP headers sent by the user can be faked. Their referrer address can be faked. Their browser’s User-Agent string can be faked.
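The same login check written with a prepared statement, as an added example that is not the article’s own code: instead of escaping apostrophes with addslashes(), the username travels to MySQL as a bound parameter, so the attack string above is only ever treated as data. It assumes a mysqli connection, the Users table from the article, and a Password column holding a password_hash() value rather than plain text; the connection details are constructed.

```php
<?php
// Added example, not the article's code. The article's make_safe() relies on
// addslashes(); this version sends user input to MySQL as a bound parameter,
// so the text ' OR 1=1 # can never become part of the SQL. Assumptions: a
// mysqli connection, the Users table (Username, Password, UserLevel) from the
// article, and Password holding a password_hash() value.

function login_user(mysqli $db, $username, $password)
{
    // The SQL text is fixed before any user data is seen; the ? marker is
    // filled in by the driver with the value as data, never as SQL syntax.
    $stmt = $db->prepare(
        'SELECT Username, Password, UserLevel FROM Users WHERE Username = ? LIMIT 1');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($dbUsername, $dbHash, $dbLevel);
    $found = $stmt->fetch();
    $stmt->close();

    // The password is compared in PHP against the stored hash, so it never
    // has to be part of the query at all.
    if ($found && password_verify($password, $dbHash)) {
        return array('Username' => $dbUsername, 'UserLevel' => $dbLevel);
    }
    return null;   // unknown user or wrong password: same answer for both
}

// Constructed connection details and the attack string from the article.
// With the concatenated query this string logs in as the first user; here it
// is simply looked up as the literal username "' OR 1=1 #" and finds nothing.
$db = new mysqli('localhost', 'username', 'password', 'database');
$user = login_user($db, "' OR 1=1 #", '');
echo $user === null ? 'login failed' : 'logged in as ' . $user['Username'];
```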
File Manipulation
Some sites currently running on the web today have URLs that look like this:
index.php?page=contactus.html
The “index.php” file then simply includes the “contactus.html” file, and the site appears to work. However, the user can very easily change the “contactus.html” bit to anything they like. For example, if you are using Apache’s mod_auth to protect files and have saved your password in a file named “.htpasswd” (the conventional name), then if a user were to visit the following address, the script would output your username and password:
index.php?page=.htpasswd
By changing the URL, on some systems, to reference a file on another server, they could even run PHP that they have written on your site. Fortunately, again, this is reasonably easy to protect against. First, make sure you have correctly set “open_basedir” in your php.ini file, and have set “allow_url_fopen” to “off”. That will prevent most of these kinds of attacks by preventing the inclusion of remote files and system files. Next, if you can, check the file requested against a list of valid files. If you limit the files that can be accessed using this script, you will save yourself a lot of aggravation later.
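One way to implement the “list of valid files” check from the paragraph above, as an added example that is not the article’s own code: the page name from the URL is only ever used as a key into a fixed allow-list, and the resulting path is confirmed to sit under the script’s own pages directory before it is included. The page names and the pages/ directory are assumptions made for this example.

```php
<?php
// Added example, not the article's code: serving index.php?page=... through a
// fixed allow-list instead of including whatever name the URL carries.
// The page names and the pages/ directory are assumptions for this example.

$allowed_pages = array(
    'home'      => 'pages/home.html',
    'contactus' => 'pages/contactus.html',
    'about'     => 'pages/about.html',
);

function resolve_page(array $allowed, $requested)
{
    // Only exact keys of the allow-list are accepted. Values such as
    // ".htpasswd", "../../etc/passwd" or a URL to another server never match
    // a key, so they are rejected before any file system call happens.
    if (!is_string($requested) || !isset($allowed[$requested])) {
        return $allowed['home'];              // fall back to a known page
    }
    return $allowed[$requested];
}

$page = isset($_GET['page']) ? $_GET['page'] : 'home';
$path = resolve_page($allowed_pages, $page);

// Second line of defence: even an allow-listed path must resolve to a real
// file inside the pages directory next to this script.
$base = realpath(__DIR__ . '/pages');
$real = realpath(__DIR__ . '/' . $path);
if ($base === false || $real === false
    || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
    http_response_code(404);
    exit('Page not found');
}
include $real;
```

Because the include path is built from the allow-list value and never from the request, open_basedir and allow_url_fopen become a backstop rather than the only thing standing between the URL and the file system.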
Using Defaults
When MySQL is installed, it uses a default username of “root” and blank password. SQL Server uses “sa” as the default user with a blank password. If someone finds the address of your database server and wants to try to log in, these are the first combinations they will try. If you have not set a different password (and ideally username as well) than the default, then you may well wake up one morning to find your database has been wiped and all your customers’ credit card numbers stolen. The same applies to all software you use – if software comes with default username or password, change them.
Leaving Installation Files Online
Many PHP programs come with installation files. A number of these are self-deleting once run, and many applications will refuse to run until you delete the installation files. Many times, though, the install files are still online. If they are still online, they may still be usable, and someone may be able to use them to overwrite your entire site.
_______________________________________________________________
Original article by Dave Child. Released under a Creative Commons License.
Posted: September 4, 2006 at 9:27 am |
(20) Comments
Getting traffic to new websites has always been a hard thing to do. Waiting for a site to be indexed and getting a high position on Google and the other “big” search engines takes months, but there are some things that help you with this. One is a good website (well optimized, valid, made for spiders…) and the other is getting a lot of quality backlinks, and one of the “backlink” possibilities is directories. Finding directories with high PageRank (PR) is not very hard, but unfortunately most of them require payment for submission. Definitely the biggest and best two directories are the two PR9 directories DMOZ and YAHOO, but review on those two websites can take months and sometimes might even take a year. There are many other free high PR directories, but they are very hard to find.
So what does a backlink do? A backlink will first provide you with traffic from that website; second, it will bring crawlers to your site, so your website will have a much better chance of being indexed by Google or any other search engine; and third, it will improve your PR, which will get you a higher position on search engines and so more traffic. A guy once did some research in which he showed how many links, and of what PR, you need to raise your own PR. So if you want PR5, for example, you would need 101 PR5 links or 19 PR5 links… So getting a few links from web directories with high PR might improve your PR drastically. So here are the links to some PR7+ free web directories:
http://www.dmoz.org PR9
http://dir.yahoo.com PR9
http://www.stpt.com PR8
http://www.open-site.org PR8
http://www.Thomasnet.com PR8
http://www.polishworld.com PR7
http://www.dirone.com/ PR7
http://www.2rss.com PR7
http://www.exactseek.com PR7
_______________________________________________________________
vexxhost web hosting team
Quality & Affordable Web Hosting.
As low as $2.55, as much as 10GB Space, 300GB transfer!
Unlimited add-on domains, free domain included and no setup fees!
Posted: August 30, 2006 at 11:52 am |
No Comments
The Theory
There has been a theory floating around that Google is now imposing some kind of penalty on brand new web sites or sites that seem to acquire a large amount of links from other sites in a relatively short period of time. It is being discussed on all the search engine marketing forums. Many articles have been written about it. Even several live examples have been presented by frustrated web site owners and managers who can’t seem to understand why their sites will not rank well in the Google search engine results pages (SERPs).
The so-called “sandbox” theory suggests that new sites will be added to the Google index and may even show up for obscure searches such as the company/web site name but will not show well for other phrases that are relevant to the site. It doesn’t matter if the site is optimized for the search engines either. In fact, those who have optimized their sites can drive themselves crazy making change after change but to no positive avail.
This theory also suggests that established sites who all of a sudden obtain hundreds or even thousands of links from other sites can be sent to the Google sandbox. Obtaining links in these type of quantities is typically the result of either participating in some sort of link trading scheme or buying multitudes of text links on other sites for the sole purpose of obtaining some of the PageRank value they might pass. This type of scenario goes against the natural process of people linking their web site to another site because they see it as a valuable resource or a favorite site to visit.
Sandbox or Aging Filter?
So if a site is sent to the sandbox by Google either because it is new or it is participating in mass link building, what is the time frame that must pass before the site is allowed out of the box? Most search engine marketers that have been discussing and analyzing this say about 6-8 months. As for myself, I don’t actually believe that Google is sending new sites to a “sandbox” but rather they may be applying some sort of aging filter.
How Do I Play?
So now that we have come to the conclusion that this sandbox, aging filter or whatever you want to call it, actually seems to exist, what can one do that has been affected by it? The answer is “absolutely nothing”. That surely is not what many people want to hear and possibly even you the reader question the reasoning of writing an article on the subject if there are no solutions. But wait a minute, there is a solution! It is called patience. Sure that might not be a definite solution to getting one’s self out of the sandbox or out from underneath an aging filter. However it will allow them to keep their sanity and in doing so, to look at some alternatives to marketing their sites until the time period lapses. Let us take a look at some of those alternatives.
Pay Per Click
There of course is AdWords, Google’s pay per click advertising program. If you have a new site and are finding yourself caught in that aging filter to where your site will not show well in the Google SERPs, why not put aside a budget for an AdWords program? With AdWords, you can instantly gain exposure on Google as well as many search and contextual partner sites. This can bring traffic to your site as a direct result of people searching at Google or one of their search partners such as Ask Jeeves, Netscape, AOL as well as others that display AdWords on their sites.
Sure these will not be the free listings you may get from the organic results of Google but if you watch your bottom line and conversions, you might find that AdWords will bring about a very good ROI. Later on when you start to see your site showing well in the organic results, you can begin to back off of your AdWords campaign. Of course if AdWords is effective for you, you may just well continue both.
Other Search Engines
Don’t discount traffic from other search engines such as Yahoo, Ask Jeeves and MSN. If you only focus on Google in your SEO strategy, you might miss valuable traffic that you can receive from these other sites, none of which seem to have any type of aging filter. Besides that, sites that have good “on the page” search engine optimization seem to do very well in these engines. Now, Ask Jeeves is typically very slow to update its index, but Yahoo and MSN are lightning fast at finding new or updated content and including it in their index.
Therefore do not neglect optimizing the various elements of your site’s pages that these engines factor into their algorithms – title tags, meta description tags and the actual HTML text on your pages. If you optimize these elements properly, you will most likely experience very good placement in these engines and as such will gain a good quantity of visitors.
Take Advantage of Established Sites
One thing we have recently begun to test with new sites that we are providing marketing services for is to develop a profile page or pages that give a brief summary of the client and their product and/or service. These are also optimized to target some of their most important keywords. We then place this page or pages on an established site such as a directory we own or a case study section on our site – somewhere where it has the possibility of ranking well and sending the client some traffic. When they do finally begin to rank well in Google with their own site, the page or pages are no longer needed and can be removed.
A word of caution here – in doing this we are careful not to simply place duplicate content on another domain. I say that because I don’t want people to think I am endorsing duplicate content or mirror sites. The page or pages that are created need to be unique and not just copies of the client’s own content.
It is still too early in our testing stage to know how effective this will be. However in the recent past I have seen listings in the SERPs that come from the “Current News” section of our corporate site where we announce new client relationships or directory listings within our own directories. These listings actually show up better than the client’s site itself! Most likely, this is a direct result of the fact that our sites are more established than theirs. Of course, this is a temporary solution… not even really a solution but rather a band aid.
Patience Is A Virtue
All in all, be patient. Don’t continue to tweak and adjust your site hoping that your changes will thrust you onto the first page. Don’t pull all the hair out of your head, cursing Google because they won’t allow your site to rank well. Simply accept the fact that if you have a new site, it will take quite a while before it ranks well in Google. This will allow you to be more at peace with your marketing efforts as well as have the foresight to look at other alternatives.
Posted: August 29, 2006 at 12:32 pm |
(2) Comments
Mastering Enterprise JavaBeans 3.0
Published in July 2006, Mastering EJB is now in its 4th edition, including chapters on session beans and message-driven beans, EJB-Java EE integration and advanced persistence concepts. The Java Persistence API and using POJO entities with EJB are also covered extensively. This book aims to give you a deep understanding of EJB 3.0.
Path: Ways of working in photography
Most photography books concentrate on the optical, mechanical, electronic, and chemical tools of photography. This book is about the most important factor in your photography: you.
Advanced Programming Language Design
This book stems in part from courses taught at the University of Kentucky and at the University of Wisconsin–Madison on programming language design. There are many good books that deal with the subject at an undergraduate level, but there are few that are suitable for a one-semester graduate level course. This book is my attempt to fill that gap. The goal of this course, and hence of this book, is to expose first-year graduate students to a wide range of programming language paradigms and issues, so that they can understand the literature on programming languages.
How to Build a Successful Website
Due to the many news stories in recent years about big corporate websites going bankrupt it is a common misconception today that all or most websites are unprofitable and will not make their owners money. This assumption is based on the idea that if big corporations like Disney fail at making a website then your average guy on the street must fail horribly, of course that assumption is wrong. In the case of content driven websites the smaller independent operation often has the advantage over large corporate entities. While an individual or a small group does not have the resources of the large corporation, they also do not have the overhead. If you run a website out of your basement or your bedroom your overhead is already significantly smaller than that of a major corporation because you’re not running your website out of a brand new state-of-the-art office building. Additionally if you only have one employee, yourself, you’re also reducing your overhead compared to corporations who have to pay for workers who do the same things you do, but also management, building management, building security, maintenance, marketing consultants, development consultants, secretaries, and a myriad of other positions that by keeping your operation small you don’t need. The only advantage a corporation has over an individual is that they can afford to pay for gross amounts of advertising both online and off, whereas the typical individual cannot.
PNG: The Definitive Guide
Targeted at graphic designers and programmers, PNG: The Definitive Guide is the first book devoted exclusively to teaching and documenting this important new and free image format. It is an indispensable compendium for Web content developers and programmers and is chock full of examples, sample code, and practical hands-on advice.
Machine Learning, Neural and Statistical Classification
This book is based on the EC (ESPRIT) project StatLog, which compared and evaluated a range of classification techniques, with an assessment of their merits, disadvantages and range of application. This integrated volume provides a concise introduction to each method, and reviews comparative trials in large-scale commercial and industrial problems. It makes accessible to a wide range of workers the complex issue of classification as approached through machine learning, statistics and neural networks, encouraging a cross-fertilization between these disciplines.
Essential Skills for Agile Development
Agile Development, in particular eXtreme Programming (XP), has been gaining a lot of momentum because it can effectively address the problems plaguing software development, such as misunderstanding customers’ requirements, missing deadlines, going over budget, conflicts between customers and developers and poor maintainability of legacy systems.
FreeBSD Handbook
The FreeBSD newcomer will find that the first section of this book guides the user through the FreeBSD installation process and gently introduces the concepts and conventions that underpin UNIX. Working through this section requires little more than the desire to explore, and the ability to take on board new concepts as they are introduced. Once you have traveled this far, the second, far larger, section of the Handbook is a comprehensive reference to all manner of topics of interest to FreeBSD system administrators. Some of these chapters may recommend that you do some prior reading, and this is noted in the synopsis at the beginning of each chapter.
Object-oriented system development
This book is intended to help the reader better understand the role of analysis and design in the object-oriented software development process. Experiments to use structured analysis and design as precursors to an object-oriented implementation have failed. The descriptions produced by the structured methods partition reality along the wrong dimensions. Classes are not recognized and inheritance as an abstraction mechanism is not exploited. However, we are fortunate that a multitude of object-oriented analysis and design methods have emerged and are still under development. Core OO notions have found their home place in the analysis phase. Abstraction and specialization via inheritance, originally advertised as key ingredients of OO programming, have been abstracted into key ingredients of OO analysis (OOA). Analysis-level property inheritance maps smoothly on the behavior inheritance of the programming realm.
Programmer’s Introduction to PHP 4.0
This book from APress is available for sale, but the author and the publisher decided to post the contents online as well. Look for the sidebar on the right for freely available chapters in PDF format.
Version control with Subversion
This is the online home of Version Control with Subversion, a free book about Subversion, a new version control system designed to supplant CVS. As you may have guessed from the layout of this page, this book is published by O’Reilly Media. This is a place to read HTML and PDF versions of the book (although you can certainly buy a copy if you’d like to). We’ll do our best to keep the site up-to-date. As Subversion development continues, the product will continue to grow new features, and we plan to continue documenting those changes.