Fireproof Socks

Preparing MySQL statements in PHP 5

admin — Sun, 10 Aug 2008 07:47:43 +0000

This revolves around the PHP mysqli module (for PHP 5). Yeah, I know, it’s in the manual, but the examples aren’t straightforward enough, so here’s a couple of my own.

The idea here is SECURE database interaction. Follow these steps:

1. Create a database user with ONLY the permissions that you need for a given function. E.g. if you have a page that only needs to DISPLAY information, use a database user that only has SELECT privileges.

2. Create your database columns so they can ONLY store the types of information they need. E.g. if the field is for a phone number area code, make the column an INTEGER, not a CHAR, VARCHAR or TEXT field. Nothing bad can end up in an integer column… but if you have a wide open data-type, you could be asking for trouble.

3. Put your database connect functions ABOVE the html root directory. E.g. most web sites should utilize a directory structure with something like the following:
/html (contains all your html pages… this is the document root of the web site).
/lib (contains your database connect function and other PHP code).

4. Use regular expressions to sanitize any user input to a form. Javascript enhances the user experience, but it cannot stop someone from posting data directly to your submission page. E.g. you might have something like this to get only alpha-numeric input:

function get_alphanumeric_regex ($input) { $pattern = '/\W/'; $input = preg_replace($pattern, ' ', $input); return $input; }

5. Finally, use prepared statements… they are MUCH safer than piecing together statements as strings. If someone hijacks your string, then they’ve hijacked your statement. A prepared statement can’t be messed with. With mysqli, they look something like this:

< ?php


/*-------------------------------------------------------------------------*/

define("DATABASE_HOST", 'localhost');

define("DATABASE", 'my_database');
function connect_db ($handle) {

        switch($handle) {

        case 'form_insert':

                $link = new mysqli(DATABASE_HOST, $handle, "some_p@ssword", DATABASE);

                break;

        case 'form_update':

                $link = new mysqli(DATABASE_HOST, $handle, "some_oth3r_p@ssword", DATABASE);

                break;

        case 'form_select':

                $link = new mysqli(DATABASE_HOST, $handle, "ke3p_gues$ing!", DATABASE);

                break;

        case 'form_delete':

                $link = new mysqli(DATABASE_HOST, $handle, "still-KE3p-Gu3ssing", DATABASE);

                break;

        }
        return $link;
}
/*-------------------------------------------------------------------------*/

function insert_something ($input) {

/*

INPUT:

        Hash with values from form, e.g. $input['first_name'].

OUTPUT:

        id from database if successful insert; otherwise null.

*/

        $link = connect_db('form_insert');

        /* check connection */

        if (mysqli_connect_errno()) {

                        printf("Connect failed: %s\n", mysqli_connect_error());

                        exit();

        }
        $sql = "INSERT INTO some_table

        (

        first_name,

        last_name,

        datestamp

        ) VALUES (

        ?,

        ?,

        NOW()

        )";
        $statement = $link->prepare($sql);
        if (!$statement) {

                printf(”Error - SQLSTATE %s.\n”, mysqli_sqlstate($db_connection));

                exit();

        };
        $first_name             = get_name_regex($input[’first_name’]);

        $last_name              = get_name_regex($input[’last_name’]);
        $statement->bind_param(”ss”, $first_name, $last_name);
        $statement->execute();
        $link->close();
        return $result;

}

/*————————————————————————-*/ function get_name_regex ($input) { $pattern = ‘/(;|\||`|=|–|\/|\.|>|< |&|^|"|'."\n|\r".'|{|}|[|]|\)|\(|[0-9])/i'; $input = preg_replace($pattern, ' ', $input); return trim(ucfirst($input)); } ?>

Grandcentral: Phone Number Forwarding

admin — Sun, 16 Mar 2008 02:42:11 +0000

I guess I’m the last one to hear about this awesome free service: Grandcentral.com

Screen Callers
Record calls on the fly and access recordings online
Block Callers
Receive Notifications
One number that rings different phones based on who’s calling
Personalize your voicemail greetings by caller or group
Let people call you from a web page without showing your number
Visual voicemail for your mobile phone
And more!

The Google Gods

admin — Sun, 09 Mar 2008 18:31:27 +0000

Sometimes people ask me why I named my website FireproofSocks… there is an answer for that, and I’ll tell the story if you ask. But what I didn’t foresee in my choice of a name was how poor my Google Ads would be. Usually when I look at my page, I sneer in frustration at the idiotic ads that appear in articles about Perl and MySQL. Safes? Are you serious? Is anyone really surprised when a door-knob has an IQ that is higher than my click-through rate?

The lesson I’ve learned from the Google Gods is that the NAME of your domain trumps your content to a huge degree. Bastards. As Frank Zappa might say “Who’s @#% do you have to suck to get some relevant ads around here?”

Using Javascript document.write for SEO

admin — Sat, 08 Mar 2008 08:30:23 +0000

The idea here is that search-engines read a bunch of text on your page that may not be relevant. You can use javascript to write text to a page on the client-side, and that text won’t be processed by the search-engines, thus achieving Search Engine Optimization (SEO).

There are a couple ways to do this… the easiest is using javascript’s document.write:

This works great for simple little messages, but what if you have a large multi-line text string? What if your text has HTML tags and double quotes in it? Then you’re in for some trouble, because the nice little javascript examples will die on you most ingloriously. PHP to the rescue. Use PHP to replace the spaces (and double-quotes)… you may have to escape your double-quotes in the source text.

Extending that simple little example with some meaty text and some PHP, you end up with something like this:

$text = "

Hello, big, multi-line \"stuff\", watch out!



    ";
    $text = preg_replace("/\s+/"," ",$text);

    $text = preg_replace('/\\"/',"''",$text);     
?>

That solution works (at least, it did before I had to replace all the tags with html entities to make this post). The text gets written at that point in the document once it loads on the client-side. Notice that the regular expressions replace double-quotes with 2 single quotes (tricky, eh?), and any excessive space is replaced. But what if you want something more complicated… what if you don’t like the regular expressions and having to escape your double-quotes? The above method is sorta techie for some, and prone to error. There is another solution: use an Ajax library to pipe HTML directly to a div tag. This solution is more scalable because you can put all the HTML in a separate file, and you don’t have to escape characters.

Download this Javascript library from http://www.prototypejs.org/ and copy the file somewhere in your site’s html directory (here I called it div_updater.js and put it in my js directory). Reference the file in a script tag using the ’src’ element, then use the Ajax.Updater function to specify 1) the div id where the text should be written and 2) the file to be included.

This solution will write the text to where-ever you have the target_div. Just make sure you use give the div an ‘id’ and that its name is referenced correctly by the Updater function. Using one of these solutions, you can utilize javascript to hide text from the search engines.