Tag Archives: Code

You Did What?

Today’s topic is kind of short, but a very important one. If you are not living under a rock, then you know about Sony’s problem with their Playstation online services getting hacked and being down for some time. A new concern now is that this has exposed the credit card numbers of the membership. That is something that can definitely cost goodwill and trust. However, Sony is a major corporation, and can recover from this. Can your business, if something like this were to happen?

I still see multiple instances of applications (and not just PHP applications) where carelessness has overtaken common sense. The web is no longer just a set of reading materials. It is now more than that, with interactive applications and a flow of data that travels in all directions. So why is it that a lack of security for this interaction is still a huge problem? The biggest thing I still see is with forms. Multiple sites ask you to sign up for something, like a list, an email notification, an account to get into the site, etc. And one of the most powerful things today is information. And this does not mean just credit cards and government identification numbers. It can include names, emails, addresses, cities, passwords, secret phrases for confirmation, etc. Harvesting this can lead to identity fraud, selling to spam lists, etc. Secure your forms! It does not take much time, and it can pay off, especially for the small businesses who will not have the money or name recognition of the larger corporations.

Easier said than done, I suspect some are saying. Well, yes and no. This should not be an afterthought; it should come first. In the PHP language, functions exist to help with this. Some ideas for securing forms: mysql_real_escape_string, pg_escape_string. In fact, if you are using PHP, then make sure to understand the different escaping options available for your database.

That is not all though. You should also use a parameterized approach for inserts and updates. A quick example of this:

// $dbo is the application's database wrapper: query() binds each element of
// $parameters to the matching ? placeholder, so the POST values never become
// part of the SQL text itself.
$sql = "UPDATE sometable SET somefield = ? WHERE value = ?";
$parameters = array($_POST['data1'], $_POST['data2']);
$dbo->query($sql, $parameters);

Now that was not too hard, was it? However, security is not something to pass over. You should understand what data you are collecting, validate the data, and then securely save the data. Validating it can be as easy as making sure it is an integer value, an email address, or a certain number of characters. Items like that go a long way to verify that what you are getting is what you need, and that it will not harm your application. For example, if a form had fields for first name, last name, country and email address, you can safely validate those fields. First name and last name should only be letters. Those fields should not have special characters, numbers, etc. The email address should be validated against the form of a regularly formed email address. You can even go one step further and verify that it is a valid email address that exists somewhere out in the cloud.
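As an added example (not code from the original post) putting both steps together: the form fields named above are validated first, then saved through a PDO prepared statement. The members table, the in-memory SQLite database and the sample input are assumptions made for the demo.

```php
<?php
// Added example, not code from the original post: validate the fields the post
// lists (first name, last name, country, email), then save them with a PDO
// prepared statement so the values are bound as parameters rather than spliced
// into the SQL text. The members table and in-memory SQLite database are
// assumptions for a self-contained demo; $input stands in for $_POST.
function validateSignup(array $input): array
{
    // Letters only for names, letters and spaces for country; reject, don't "clean".
    $rules = array(
        'first_name' => "/^[\\p{L}'-]{1,50}$/u",
        'last_name'  => "/^[\\p{L}'-]{1,50}$/u",
        'country'    => '/^[\p{L} ]{2,60}$/u',
    );
    $errors = array();
    $clean  = array();
    foreach ($rules as $field => $pattern) {
        $value = trim((string)($input[$field] ?? ''));
        if (preg_match($pattern, $value)) {
            $clean[$field] = $value;
        } else {
            $errors[$field] = 'invalid characters or length';
        }
    }
    // The email must be a regularly formed address; filter_var does the parsing.
    $email = filter_var(trim((string)($input['email'] ?? '')), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors['email'] = 'not a valid email address';
    } else {
        $clean['email'] = $email;
    }
    return array('errors' => $errors, 'data' => $clean);
}

function saveSignup(PDO $db, array $data): int
{
    // The driver binds each ? placeholder; a quote inside a value is stored as text.
    $stmt = $db->prepare('INSERT INTO members (first_name, last_name, country, email) VALUES (?, ?, ?, ?)');
    $stmt->execute(array($data['first_name'], $data['last_name'], $data['country'], $data['email']));
    return (int)$db->lastInsertId();
}
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT, country TEXT, email TEXT)');
// Constructed sample input standing in for $_POST; the apostrophe in "O'Brien" is bound, not concatenated.
$result = validateSignup(array('first_name' => "O'Brien", 'last_name' => 'Smith',
                               'country' => 'United States', 'email' => 'sam@example.com'));
echo $result['errors'] ? print_r($result['errors'], true)
                       : 'saved member #' . saveSignup($db, $result['data']) . "\n";
```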

Big lesson though, secure the data. Secure your application. Do not let a shortcut become your Sony Playstation meltdown.

Focus on the result

I have been taking the last week to review my posts and see what I have written. And I must say I am really long winded at times. So in an effort to make more posts, and to keep them more targeted, I am going to do my posts with a clear focus on what I want to convey. No more side trips. I will explain things, but keep it a little simple as well. I am also going to focus on a few new topics. I have mainly focused on PHP items, and will still do that. I am also going to branch more into the social and digital marketing areas. In my current occupation, and career path, I am still doing code, but I am seeing the code I am writing with a little more focus. What I am writing goes directly to some kind of marketing, whether it be subliminal marketing, or superliminal marketing, the applications I am writing all go into that. So I have been exploring the different areas more and more.

One area is the social aspect that can be built in to the applications. Do these even work, or is it worth it? This focus will be mainly on the applications like Facebook, Twitter and Foursquare. At times I will also examine other areas, but those will be the main focus. Some will be about code and integrating the Graph API into sites. This is ongoing right now with my name site (www.stephenhird.com). In this application, I am building a basic online resume that can be updated via an admin interface, and then connect the jobs, interests, and schools with the Facebook API. This is an example site, and the actual real world application of this theory is highly unlikely. When I was thinking of this, I really thought of how many people are on Facebook. If I were to link my previous employers, schools, interests it may help. It will only allow those who link to my application to connect, but it can show prospective employers, headhunters, etc. a list of their network that may have worked with me, gone to the same school, etc. Yes this is a double edged sword, as some connections of this person viewing my resume may not be a good reflection. But, if you have nothing to hide from your previous work or school history, it should be fine. And as this is just an example exercise that I am posting about, it will give ideas and different methods to help integrate the Graph API with a code base.

So with this in mind, I have linked my Hirdweb application on the menu. But please also check out the Hirdweb Page on Facebook:
http://www.facebook.com/home.php#!/pages/Hirdweb/140356864345

Please visit this and interact, I am always looking for some good ideas, and feedback. I will never claim to be an expert in anything. I will only give you what I know, and sometimes I may be wrong (just ask my wife). But I will always be honest and if I am wrong I will say I am wrong. And now, I will also start focusing on the result of the post, the message of the post and the idea being conveyed.

Resetting the passwords

In some applications on the web, you are required to log in to view content, post content, or any other sort of thing. With this, there will be times when a member of the site/application/whatever will forget the password they used, and it will have to be reset for them. So there are different methods of doing this, and different ideas behind what should make this work. I am going to give you one that I use, which will use a close to random method for resetting the passwords.


Ghost Town

I did not post on Monday, which I really wanted to do. I am studying for the Zend Certification, but may have to put it off based on work load, and family obligations. Do I think I can just take the exam and pass it? Well, I am not that conceited, but I am sure I may be able to pass it on a good day. However, test taking is not one of my strengths, so even if I knew everything on the test, I may still fail the test. So studying really helps me go through the exam work, and then helps me to get through the anxiety of tests.

And there are also new work things I am doing on the side. Most involve CakePHP, some involve just doing some very basic PHP work. So I am doing those and having less time to actually blog. And let’s not forget football season is now in full swing, so I spend a good portion of my Saturday afternoons watching college football and doing some studying.

Hopefully next week I can make a couple of posts, and hopefully I will make a couple of posts per week.

The next post will probably deal with more of the CakePHP work I am doing. (Working on a “social” calendar, like there aren’t already 2000 of them.)

Access Control Lists (ACLs) Part 3

In the first part, the idea and theory behind an ACL was discussed. In part 2, the set up of AROs, ACOs, and ACLs via the command line was shown. Now in part three, we look at why this is so important. Because an interactive site with memberships should never be static, what happens when a new member signs up? What happens when a member is promoted to an “admin” level? And what happens when users change? This can all be handled via ACLs.

In part 2, existing members were set up as AROs. And with user accounts, we also have to set those up as ACOs. Then those AROs (people) need to have permissions set for the CRUD actions (Create, Read, Update, Delete). These actions are specific to the ACO, or object they are trying to manipulate. So if a user wants to edit their own account, do they have permission? If a user wants to delete another person’s account, do they have permission to? With ACLs set up, this can be checked. But what do we do when a new person signs up for an account? We need to create the code to do this.

In the Users Controller, we need to make sure the Acl component is included. So include this in the controller:

class UsersController extends AppController {
	var $name = 'Users';
	// Loading the Acl component makes $this->Acl available in the actions
	var $components = array('Acl');
}

Also remember that the Auth and Security components are also very powerful components and should be included as well, but the above only shows where to include the components. Now with this in place, we can now address the add (or register) function of the controller.
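An added example, not CakePHP’s Acl component or code from this post, of the ARO/ACO/CRUD model described above: each member is an ARO, each account an ACO, and a register step grants the new member rights on its own account only. The SimpleAcl class, its method names and the group names are assumptions for the demo.

```php
<?php
// Added example, not CakePHP's Acl component: a minimal in-memory ACL that
// answers the post's questions. AROs are requesters (a member, a group), ACOs
// are the objects acted on (each user account), permissions are the CRUD
// actions. Class and method names here are assumptions for the demo.
class SimpleAcl
{
    private $grants  = array(); // [aro][aco][action] => true
    private $parents = array(); // aro => parent aro, so group grants reach members
    public function addAro(string $aro, ?string $parent = null): void
    {
        $this->parents[$aro] = $parent;
    }
    public function allow(string $aro, string $aco, array $actions): void
    {
        foreach ($actions as $action) {
            $this->grants[$aro][$aco][$action] = true;
        }
    }

    // Deny by default: only an explicit grant on the ACO (or on '*' for every
    // ACO) held by the ARO or one of its ancestors permits the action.
    public function check(string $aro, string $aco, string $action): bool
    {
        for ($node = $aro; $node !== null; $node = $this->parents[$node] ?? null) {
            if (!empty($this->grants[$node][$aco][$action]) || !empty($this->grants[$node]['*'][$action])) {
                return true;
            }
        }
        return false;
    }
}

// What the register (add) action should do once a new member is saved: create
// the ARO under the members group and grant it only read/update on its own ACO.
function registerMember(SimpleAcl $acl, string $username): void
{
    $acl->addAro("user:$username", 'group:members');
    $acl->allow("user:$username", "account:$username", array('read', 'update'));
}
$acl = new SimpleAcl();
$acl->allow('group:admins', '*', array('create', 'read', 'update', 'delete'));
registerMember($acl, 'alice');
registerMember($acl, 'bob');
printf("alice edits own account: %s\n", var_export($acl->check('user:alice', 'account:alice', 'update'), true));
printf("alice deletes bob:       %s\n", var_export($acl->check('user:alice', 'account:bob', 'delete'), true));
// Promotion to admin is just re-parenting the ARO; no per-account grants change.
$acl->addAro('user:alice', 'group:admins');
printf("admin alice deletes bob: %s\n", var_export($acl->check('user:alice', 'account:bob', 'delete'), true));
```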


Queries using CakePHP find()

CakePHP has now deprecated some of its query methods: findAll, findCount, and so on. These are all handled by the find() method, which has a basic syntax. If it is basic, why blog about it then? Good question. The documentation is there in the API, and is there in the Cookbook, but it took me some time to really get a good idea of an applicable example, and many rounds of “trial and error” to get along. Finding is good, and will give you all the information you need, if it is a simple, one-table find. But if you need to query two or three tables, how does this work? So this will go into those as well.

The basic idea of find, as listed by the API is this:

find(
	array $conditions, 
	array $fields, 
	string $order, 
	int $recursive
);

This will find one record based on conditions, return the desired fields (or all of them if nothing is specified), order the results, and go so many levels deep (-1 for just the current table).

AJAX and YUI

With the sensationalized aura surrounding this “web 2.0” myth, there is more and more of a call for AJAX enabled sites. This demand gets higher due to sites like Facebook, MySpace, Twitter, and so forth. So when going forward with a design to implement AJAX libraries, which one is the best? The answer: whichever one fits the job at hand. There are good points to Scriptaculous, jQuery, Dojo and others. There is a good list of some of these with pros and cons at The Chandler Project, and a further list of other libraries at eDevil’s Weblog.

The one I am going to cover is a newer one, and one that is hosted elsewhere, which has its own pros and cons, and that is the Yahoo User Interface, or YUI. The documentation, the downloads (if you desire), tutorials and other information are located at http://developer.yahoo.com/yui/ and are very extensive for the different things it can do. What I am going to cover is something useful for long pages of content on the web: tabbed viewing.


Don’t forget the basics

There was something I was asked to troubleshoot between two different environments. Most reputable places will give at least 2 different environments for application development; the best is to have at least three: development, stage, and production areas. I was asked to resolve and fix an issue in the stage area, but it was not happening in the development area. Normally, I follow a few simple rules to get through this type of troubleshooting. Today, for some reason, I blew those off. Now this is not an end-all-be-all type of list, and I use what is good for me and what I have learned. Other people may find different ways to do this, and find ways that work for them more. Here are some of the major items I check for with web applications in PHP.

  • Check the Apache services, connection, or anything that would lead to no resulting page whatsoever.
  • Check the DB server: make sure the server is working, the connection is good, the data flow is there.
  • Check the permissions on the database, the tables, the sequences, etc. Whatever is needed from the database, make sure the caller has permission to do that task.
  • Check that the code objects/PEAR packages/framework extensions are installed. If you have a recent version of PHP, then you should be good for PEAR, and if you have the most recent framework version (like Symfony, CakePHP or Zend) that should house them all, but it never hurts to check.
  • Check instantiated objects, function calls, object variables, etc. Most of the time it could be a spelling error, or the call is made before the object is created.
  • Check the data being returned and the statements making the calls. What I am calling for may not be listed, or I may need to grab data from another table. This sometimes creates errors for other functions expecting an array and getting a character value.
  • Dump the session; maybe the session variable was never set, or the session was never started.
  • Form data and POST variables are always worth a good ol’ var_dump() or print_r().

Obviously this is not all of them, nor is this just a quick checklist. Some of these may take a while to go through, and may have a lot of details to peruse to find the answer. This will not always give the answer the quickest way, nor will it ever just shine the answer down on you. But it helps to isolate issues starting from the global level, working down to the application level, and then down to the code level. Plus, it helps eliminate the obvious problems first, so that when someone asks “is the printer turned on?”, I don’t sit there looking stupid because it is turned off and I just never looked. But that is what happens at times.

Today, I completely forgot about permissions on a database. Sure, the code works in development, I have my hands all over that environment. But when it does not work in the staging area, I should have checked permissions instead of just lopping off my hand with endless queries to try and see where the code went wrong. Just one simple act of a GRANT permission to the application user calling the query would have fixed it. But I was forgetful and should have checked that first. Sometimes developers go down the wrong path. To stay down the wrong path, well, you can finish that one on your own.