Archive for March, 2006

I decided the other night to brighten up this site. I felt the blue was too dark. I've run through my own photos and intend to rotate randomly through them as and when I get them all set up. The current photo of a sunset was taken when leaving my parents in January this year. The first really clear great photo I took with my new Nikon Coolpix 7900. Admittedly I was hanging out the window as the car drove up to a roundabout and made Dave pause as I took the shot! The full size photo unfortunately gets a couple of electricity poles on the right side, but I like the photo and it reminds me of the months to come.

I've been having fun and games this week optimising none other than an osCommerce Store. Besides playing with my own installation I've never really used osCommerce. When I first started with PHP I was hired to finish a job that another developer had walked away from and most of the shopping cart was in place. Once I'd fixed that site I used the logic behind the shopping cart to recreate my own finely tuned version. It's now a full strict CSS/XHTML shopping cart and I'm just finishing it off now to make it even more lightweight and modular too. It's not something I would release like osCommerce but sell with templates or as an add-on to a site off my own business site. So anyhow, a client referred to me by another has an osCommerce store running but is only getting visitors via their AdWords campaign. The site has been set up with very few changes to the original code, just a new (orange!) front put on it. Armed with an osCommerce SEO eBook that I bought off Gary Burton when he first wrote it (at the time for the general SEO info, and his spider killer has been utilised a lot since!) I've been running through the site implementing his suggestions and also tinkering with the PHP to extend it further. I've not had time to do much on it yet, especially as the original developers were working on the site on the weekend (not helpful when I'm updating older files which I'd downloaded last week!), however the next step is to make the code validate – oh that's going to be fun :D Still, the eBook has probably saved me so much time and to be fair it's not too hard to edit the files when you know how ;) (So thanks for the book Gary!).

I've recently added a couple more sites to my Omea reader to keep an eye on. The first is Nothing Ventured from Tom, info about his money making schemes, Phudge from Richard, about, well, I'm still working that one out, and Marketing Syndrome. I've also been trying to catch up on my reading of The PHP Anthology, the book that Dave bought for me for Christmas. I know the info in it will improve my PHP even more, it's just finding the time when I can read it and concentrate when reading it too. Once that's finished I'll be on to PHP Security, another book gathering dust on my shelf.

I'm now counting down the days until our holiday. A week in Lanzarote for Dave and I. Cheap return flights from Manchester Airport. I can't wait. I intend to leave my mobile phone as well as my laptop behind and ignore the world for a week (well besides the waiter bringing my wine and Dave of course!). I'll be away for my birthday which is good too as I always feel deflated on that day, probably because I feel like I should be really enjoying myself and having a good time and usually I'm not. I realise it's just another day really but I guess in my mind I think of it as something else. Still a nice first day in Lanzarote will do for it this year!

I was just running a test on finding a better method for seeing backlinks in Google for a site. The link:www.domain.com option returns results from your own site too, which isn't very helpful! So instead I used -site:www.sarahfreelance.co.uk www.sarahfreelance.co.uk which instead brought up 12 links. Now I know this is not true as more people do link to me (thank you!), so it's back to the drawing board on that one. However the few links it did return included a link to Blogshares.com and more specifically to the stock market page for my blog.

I can only presume this is an automatic site as I've never submitted my site to it! However to see the market price of my blog rise over what I can only say is similar to my visitor stats is quite cool. By the way if anyone wants to buy it I wouldn't sell it for $6,700 I don't think. I enjoy posting on it too much :D

I spent the last 1-2 weeks upgrading a site for a client and also securing it. How are a lot of PHP sites compromised? Well, the route I'm looking at in this post is via forms and user entered data. There are many other security issues as well, this is just one of them. It's more commonly known as SQL injection. PHP.net has a good page on this subject explaining SQL injection with real life examples. As per their description:

Direct SQL Command Injection is a technique where an attacker creates or alters existing SQL commands to expose hidden data, or to override valuable ones, or even to execute dangerous system level commands on the database host. This is accomplished by the application taking user input and combining it with static parameters to build a SQL query.

So what does this mean? When you have a form on a page requesting user input and then use this input in MySQL queries you must not rely on what the user has entered. 99% of the time when you ask a user for their username and password, they will enter this. However along comes someone who wants to crack your system, suddenly you won't be receiving a username and password through the form but most likely code aimed to inject extra operations into your MySQL query. Perhaps it's easier to understand by way of example. My own logins usually accept a username and password from a form. The usual method is to accept a username and password and then run a SELECT statement to count the number of records that contain both the username and password. If the result is zero then the username and/or password is of course incorrect. A loosely written PHP script could be:

Insecure code to control user login

    // Values from $_POST are dropped straight into the SQL string: this is
    // the injectable query the rest of the post picks apart.
    $sql = mysql_query("SELECT COUNT(*) FROM users WHERE username = '".$_POST['username']."' AND password = '".$_POST['password']."'");
    $count = mysql_fetch_row($sql);
    if ($count[0] == 0) {
        // user/password combo incorrect
        $errormsg = "Your Username and/or Password are incorrect. Please try again";
    } else {
        // user/password combo correct, proceed with login
        header("Location: http://www.domain.com/secret/logged-in.php");
        exit;
    }

As you can see from the above, the user input from the $_POST array is entered straight into the query. Oh and

Insecure code to control user login

    // Copying the values into variables first changes nothing: they are
    // still unescaped when they reach the query.
    $username = $_POST['username'];
    $password = $_POST['password'];
    $sql = mysql_query("SELECT COUNT(*) FROM users WHERE username = '".$username."' AND password = '".$password."'");

is no different ;)

So how can this be an issue? Well, all of your registered users will most likely enter their username and password. No issue there. Your MySQL statement would look like this:

SQL Statement

    SELECT COUNT(*) FROM users WHERE username = 'sarah' AND password = 'sunshine'

However, a visitor wanting to crack your system could enter the following information:

username: sarah
password: ' or '1'='1

Which would give:

SQL Injection Code

    SELECT COUNT(*) FROM users WHERE username = 'sarah' AND password = '' or '1'='1'

The above would return the total number of records in the table: AND binds tighter than OR, so the WHERE clause reads (username = 'sarah' AND password = '') OR '1'='1', and '1'='1' is true for every row. So going by the very loosely written PHP script above, the if statement of

IF Statement

    if ($count[0] == 0) {
        // login refused
    } else {
        // login allowed
    }

would see $count[0] above zero (providing there were records in the table), thus giving someone a login without a proper username or password.

Okay so yes, the example is a highly insecure one, but it does happen. Plenty of people believe that providing there is no direct link to a file on a server, it won't be found out. Trouble is, it can be. So pulling the above example apart, the first security steps would be:

1. Ensure all restricted pages check that the member is logged in by using cookies or sessions or both.
2. Switch the if statement to ensure that only one record is found and allow the user to log in from that, otherwise assume the username/password is wrong and prevent the login.
3. Escape the user entered data.

At this point I'll briefly mention Magic Quotes, which is a setting in the PHP configuration file that can be set to on or off. If set to on then it will escape all data arriving via GET, POST and cookies, using the same method as the function addslashes(). It was introduced due to the number of people who don't escape their user entered data, however it causes nightmares for most PHP developers and it's even stated on the PHP.net site that most developers will choose to turn it off, preferring to escape the data when required. However on most shared hosting it's not necessarily easy to do this as you have no control over the php.ini file, so the best way is to check to see if Magic Quotes are on, clean the variable if they are (using the stripslashes() function, so the data isn't escaped twice) and then escape the variable. The function that I use (courtesy of Khalid) is:

escapeString Function

    function escapeString($string) {
        // undo magic quotes' addslashes() first so the data isn't escaped twice
        if (get_magic_quotes_gpc()) $string = stripslashes($string);
        // needs an open MySQL connection; escapes for the connection's character set
        return mysql_real_escape_string($string);
    }

This function uses the built-in mysql_real_escape_string(). It puts a backslash before each of the characters \x00, \n, \r, \, ', " and \x1a, taking the character set of the current MySQL connection into account (which is why it needs an open connection, and why it's preferable to plain addslashes()). With the quotes escaped, user data can no longer break out of the quoted string in the query, so the attack above fails. Two caveats: it only protects values that sit inside quotes in the SQL, so a number used without quotes should be cast with (int) instead; and in PHP 5 the mysqli and PDO extensions offer prepared statements, which keep the data out of the SQL text entirely and remove the need to escape at all.
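Putting the three steps above together with the escapeString() helper, here is a hardened version of the login as an added example (my code, not the original post's). It keeps the post's users table with its username and password columns and assumes an id column, an existing mysql_connect() call, a session key named user_id and a login.php to bounce unauthenticated visitors to.

```php
<?php
// Added example, not from the original post. Assumes mysql_connect() has
// already been called (mysql_real_escape_string() needs an open connection)
// and that the users table has id, username and password columns.

function escapeString($string) {
    if (get_magic_quotes_gpc()) $string = stripslashes($string);
    return mysql_real_escape_string($string);
}

// Step 1: every restricted page calls this before doing anything else.
// Login state lives in the server-side session, not in a cookie the
// visitor can edit. (login.php and the user_id key are assumptions.)
function requireLogin() {
    if (session_id() == '') session_start();
    if (empty($_SESSION['user_id'])) {
        header("Location: http://www.domain.com/login.php");
        exit;
    }
}

// Step 3: escape the form data before it goes anywhere near the query.
$username = escapeString(isset($_POST['username']) ? $_POST['username'] : '');
$password = escapeString(isset($_POST['password']) ? $_POST['password'] : '');

// With the quote escaped, the injected password from the post becomes
// password = '\' or \'1\'=\'1', a literal string that matches nobody.
// (Passwords are compared as stored, as in the post; hashing them is a
// separate topic.)
$result = mysql_query("SELECT id FROM users WHERE username = '" . $username . "' AND password = '" . $password . "'");

// Step 2: insist on exactly one matching record rather than "not zero".
if ($result && mysql_num_rows($result) == 1) {
    $row = mysql_fetch_assoc($result);
    session_start();
    session_regenerate_id();                 // fresh session id on login
    $_SESSION['user_id'] = (int) $row['id'];
    header("Location: http://www.domain.com/secret/logged-in.php");
    exit;
} else {
    $errormsg = "Your Username and/or Password are incorrect. Please try again";
}
```

requireLogin() belongs at the top of secret/logged-in.php and every other restricted page; the redirect after a successful login proves nothing on its own, because anyone can type that URL in directly.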

However don't be fooled into thinking that when I say "user entered data" I just mean text inputs. Going back to the site I secured last week, the original developers had not thought about a couple of issues which could have been used in conjunction with one another and allowed someone to wreak havoc on the site or in the database. Considering the site accepted money, ensuring its security is even more important. What was wrong?

Firstly they were storing the user's id and password in cookies. Not necessarily a problem, however they were then taking the raw data from the cookies and using it to query the database. Cookies can be edited, therefore they must be escaped. Then some user entered data was being escaped (but not as securely as the function above will do) but other data wasn't. The site had even had a security update before me and there was still an emerging pattern. When a page had some secured data on it, the rest wasn't secured because the form variables came from checkboxes, radio buttons or a select list. I admit, when I first started out writing PHP I figured that this information couldn't be tampered with and therefore didn't require securing. However take a normal form that's there for people to complete, with the details going into a database. A questionnaire for example. Plenty of input boxes, radio buttons, check boxes and select lists. The form is submitted to perhaps the same page or another page. We know full well that another completely unrelated site could submit to that PHP script as well. Take the same form names, which are plain to see in the HTML source, but then instead of a radio button having a prespecified value, suddenly someone could submit to the processing script a radio button with their own value.

The simple rule is: never trust data that could have been tampered with. If it's coming from $_GET, $_POST, $_COOKIE or even $_SERVER (after all, if the user agent or HTTP referrer can be altered, who knows what it would be altered to?) then escape it. These are the 4 I deal with; if there are any further global arrays that should be escaped, feel free to add to this list.
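As an added example (mine, not the site's code), here is how the non-text inputs the post warns about can be handled before they reach a query. The questionnaire table, the field names size, newsletter, interests and comment, the allowed values for them and the user_id cookie are all assumptions made for the illustration; escapeString() is the helper from above and an open MySQL connection is assumed.

```php
<?php
// Added example, not from the original post. Field names, the allowed
// values and the questionnaire table are assumptions; an open MySQL
// connection is assumed for escapeString().

function escapeString($string) {
    if (get_magic_quotes_gpc()) $string = stripslashes($string);
    return mysql_real_escape_string($string);
}

// Radio buttons and select lists: the HTML offers a fixed set of values,
// but the request can carry anything, so accept only values from the
// list you wrote and fall back to a default otherwise.
function allowedValue($value, $allowed, $default) {
    return in_array($value, $allowed, true) ? $value : $default;
}

// Numbers (a user id from a cookie, a record id from the query string):
// cast to an integer instead of escaping, then the value can never
// contain SQL at all.
function positiveInt($value) {
    $n = (int) $value;
    return $n > 0 ? $n : 0;
}

$size = allowedValue(isset($_POST['size']) ? $_POST['size'] : '',
                     array('small', 'medium', 'large'), 'small');

// Checkboxes: a ticked box sends its field, an unticked one sends nothing,
// so the only thing worth storing is whether it was present.
$newsletter = isset($_POST['newsletter']) ? 1 : 0;

// Checkbox group (name="interests[]"): filter every element, drop unknowns.
$interests = array();
if (isset($_POST['interests']) && is_array($_POST['interests'])) {
    foreach ($_POST['interests'] as $interest) {
        $v = allowedValue($interest, array('php', 'mysql', 'css'), '');
        if ($v !== '') $interests[] = $v;
    }
}

// Cookie data is user data too: cast it like any other number.
$userId = positiveInt(isset($_COOKIE['user_id']) ? $_COOKIE['user_id'] : 0);

// Free text, and $_SERVER values that the client controls, get escaped
// (and trimmed to the column width) before being stored.
$comment   = escapeString(isset($_POST['comment']) ? $_POST['comment'] : '');
$userAgent = escapeString(substr(isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '', 0, 255));

$sql = "INSERT INTO questionnaire (user_id, size, newsletter, interests, comment, user_agent)"
     . " VALUES (" . $userId . ", '" . $size . "', " . $newsletter . ", '"
     . implode(',', $interests) . "', '" . $comment . "', '" . $userAgent . "')";
mysql_query($sql) or die("Could not save questionnaire");
```

Casting the cookie value stops injection but does not make the cookie trustworthy as proof of who the visitor is; that is what the server-side session in the login example is for.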

For people who use ASP, this Site Point article will be of use.

UPDATE: I've noticed whenever Fasthosts servers go down (and it's quite often) this page gets a major influx of visitors looking for answers and help. So here are a couple:
1. Leave Fasthosts! I've seen more people have problems with them than ever! I wholeheartedly recommend SiteHQ, which virtually all of my client sites are hosted on.

2. If you really want to contact Fasthosts then try their Sales helpline on 0870 888 3600, their support section may work at https://www.fasthosts.co.uk/support/ (but I'm guessing their site is down if you're reading this!). Unfortunately I can't login to get their technical support number as I don't have an account with them! (Thank God!!).

— Original Post —

I've heard mixed reviews of Fast Hosts in the past on various forums. I'm usually a person that won't fully make their mind up until they experience something for themselves. Two clients of mine have accounts with two of the biggest UK hosting providers, 1&1 and Fast Hosts. So I figured this opportunity would give me a little experience to see how things move when I transfer their hosting to my own.

Earlier in the week I mentioned a client called me to say his web site was down and their emails weren't working. I checked the site and the nameservers and couldn't get a response from either. I checked the ex-developer's and his site worked fine. Now usually with resellers when they have an account all of their sites are on the same server together, so if one works and another doesn't it's either a DNS issue or the site has been removed. My client hasn't been able to contact the previous developer for over 6 months now so we have been half waiting for this to happen whereby his site was removed. We were hoping to have his new site finished and up and running before the old site went down but various design changes and site changes have delayed us.

So I decided to call Fast Hosts first, just to check that it wasn't the server. Perhaps my client's site was on a different server to the developer's site. The first person I spoke to remarked that the site wasn't with Fast Hosts. That would be because the domain is with 123-reg, but still points to Fast Hosts (I am a little concerned that their staff presume the domain must be on the Fast Hosts IPSTAG to have a site with them). So I gave up with her and phoned back and got into the Technical Support queue. I knew I was clutching at straws as it's not my site, I don't have an account number with them and to be fair they didn't have to tell me anything. But saying if a server is down or not isn't too hard, is it? I chatted to a nice friendly guy who appreciated my position and told me what he could. But when I asked him if the site was down for any reason his response was that the site didn't have any files, it had been removed from the server. With that remark I had to get the nameservers on the domain changed to my reseller account, a holding page up and their MX records updated for their email. Luckily it propagated for them within a couple of hours but of course they'd lost a lot of emails.

The following day I decided to check to see if the domain had propagated for me. Lo and behold, the old site appears. I forced refreshes and ran through the site, it was all there. At that point I realised that the technical support had misinformed me, saying the site didn't exist when it was just on a server that was offline for whatever reason for 36 hours.

So my experience of Fast Hosts is that their own technical support can't check or tell if there is a server down. I can't see me recommending them in the future. I'll be transferring from 1&1 this afternoon, we'll see how easy that goes!

What a week it was last week, and it's set to continue still. I've been juggling work on around 3-4 sites as well as my constant maintenance on a few other sites. I've had no time at all to really stop and think about the various issues that went on last week. Swish World is not back in Google despite Googlebot still visiting. You'd think if they've dropped me they'd stop using my bandwidth too! (Yes, I know I can block it.) It's a shame but it's not worth enough to really concern myself over. I only made a few dollars a day off Swishworld. Considering today I've actually made £500+ from no work besides 2 emails (it's handy employing someone else) as well as finishing off an upgrade to a client's site, I can't really complain over losing around $75 / £40 a month. Plus I have other sites up my sleeve.

Last week we finished off a site for a friend. Matt owns and runs Mattian, which is a community style site allowing you to sign up for a free blog, photo gallery and other features without having to put up with adverts across the site, unlike most of these free blogging sites. You can also now sign up and upgrade to a selection of paid-for packages such as more space for your photos, I think there's a feature where you can blog from your mobile phone and also another account that lets you use podcasting. It's great for people who want to set up their own site without all of the adverts that usually come, but don't want the hassle of sorting it all out. Anyhow, no I didn't write the software used to run the site but we did redesign it into the funky retro look that was wanted. I've helped Matt fix some of the software too as the new upgrade had a few bugs in it, including not updating from the PayPal payments (always handy!). Still, it's a good site and if you want to dip your toe in the water it's definitely something to consider. However the new design sparked a major discussion (for want of a better word) on a forum we both frequent as the previous designer wasn't too impressed with the design and sent a couple of unethical messages over it.

I know and realise that to succeed in business you need a hard skin, to be able to take it on the chin, to realise it's a hard world out there and to realise that plenty of businesses will forget their ethics at times. I'm really not like that. I have too much of a conscience to try and pull a fast one, to try and put one over on someone else without caring. Today I had a client, whose new redesign we've been finishing off before transferring his domain, who called to say his web site wasn't working and that they'd had no emails all morning. After spending around half an hour on the phone to Fast Hosts, their current host, I discovered that my client's ex-developer had deleted the site with no mention to him whatsoever. My client's been trying to call him but has had no response for the past few months now. It's wrong to do this to a business. Yes, whilst you have the right I guess to cancel a contract after the expiry date, it's pretty nasty to just delete the site without a warning. The ex-developer hadn't even been told about the new redesign or even knew I existed, so he's taken it upon himself to just cancel the web site, leaving a busy business who rely on their email working with no site or email. Luckily I could get the nameservers transferred pretty quickly and a holding page with contact details is in place whilst we finish off the new site, however the email could take the rest of the week before it works 100% again. This type of transfer needs to be done on a Friday afternoon, not a Tuesday morning!

I often wonder if people in this business ever think about their actions and the knock-on effects they have on others. Like the guy I took to court last year over an unpaid invoice. After he'd given me 50% of what he owed (yes I gave in – I'm not a fighter and didn't really fancy court!) a month later I sent him a CD with his web site on plus a warning that his hosting would be cancelled. I gave him 4 weeks' notice to find alternative hosting. I moved all of his domains into his own 123-reg account and forwarded login details for the account. To be fair I did more than I had to. He didn't appreciate the knock-on effect that not paying an invoice of £500 would have. 3 days after the hosting was cancelled I pretty much had them phoning and emailing begging to get the hosting reinstated. I only agreed because I like the employees of the guy, and only on the condition that I never have to deal with him ever again. I don't even think the court issue bothered him as he hadn't bothered to read half the paperwork that came through (which I read through with a fine-tooth comb to ensure I understood it all!). But the lack of ethics again just puzzles me. I guess I've been brought up to be more respectful to people regardless of who they are.

However, besides all of my quibbles over ethics, today I did have one great remark. The owner of the site I finished off today, and did a major security sweep for too, came back and said he was really glad he'd got me to do the job (aww shucks). I know I'm nowhere near the level of PHP knowledge that I'd like to be, and MySQL and AJAX are even further in the distance, but I do hope that I provide the best service I can. I don't do the whole finish-a-job-and-just-move-on malarkey. I'll bend over backwards to help my clients out if I can. The proof I believe is in referrals and repeat business. I've had 3 further job offers through today, 2 from current clients and one via a referral. Now all I need is a freelance PHP developer to help me out (I have one in mind, I just need to ask!).
