Now With Web 2.0!

Category "Php" Archive

May 30, 2008

After a long internal debate and a lot of work I’ve recoded this site from scratch to replace the WordPress engine I’ve been using since this blog started. There were three main reasons why I decided to do this, none of which were in any way related to dissatisfaction with WordPress. In fact, I’ve been thoroughly impressed at the quality of the WordPress system and it ends up being the first thing I recommend to people looking for a blog or an easy way to publish news on their site. "So what were the reasons?" you may ask. Well, allow me to explain!

Would you like some SPAM with that?

The first big reason was the spam, oh dear God the spam! The comments table for this blog racked up over 32,000 comments and a grand total of 31 of those were actually legitimate. All I have to say is thank goodness Akismet is preinstalled, but even with that I still kept getting slammed with dozens of bogus comments a day. So I thought I’d add the reCAPTCHA captcha system to see if that’d help some. It did, but it was only successful at curbing the spam by half. Not great by any standards. So a custom solution was the best option: if no one knows what you’re running under the hood, chances are they’re not going to (easily) know how to get around the system that’s in place.

I think I can, I think I can, I think I can

I’m no stranger to large development projects. I’ve built a custom (albeit fairly simplified) CMS and even an eCommerce engine designed specifically for artwork prints, but I’ve never created a full blog system. So naturally I thought it’d be a cool side project to work on during my free time. I gotta say that as I was coding along I realized countless little things that I didn’t consider when I started, but that’s how it usually goes, isn’t it? All in all I think it turned out pretty well. Still a few things I need to work on, but the majority of it is functional and (hopefully) rock solid.

One cog in the gear

Perhaps the biggest reason I custom coded this is because I envision it eventually being a part of a bigger system of sites I have brewing in the ol’ noggin. Customization and reusability is a crucial aspect of my plans, and what better way to go than to create the foundation myself from scratch. This way I know every digital inch of my site and will be able to integrate it infinitely better than I would a packaged solution. What sites, you may ask? Well, I’m not going to tell just yet, but rest assured it’s BIG!

So that’s it in a nutshell, just me tinkering away on my little corner of the web. Hopefully I’ll be able to get more and more added as time goes on; that’s the plan anyway.


Feb 03, 2008

Joomla 1.5 Stable Released!

I’ve been using the Joomla! Content Management System since before it was even called Joomla!, back in the day when it was Mambo. It was the first and what ended up being the only Content Management System that I’ve used. So, it should go without saying that I was happy with it as a CMS solution. What I didn’t realize was that the developer team had some high hopes and wild aspirations for a new release they call Joomla 1.5. The beta for this release has been around for months now while it was developed and bug-tested, but I never used it because I usually need it for client websites and wanted the stability of a more mature release. So last week when I saw that it was finally released as a stable package I couldn’t wait to install and try it out.


I have to admit that I was amazed at how much it changed (all for the better, trust me). I can totally tell that the whole thing was rewritten for ease of use and manageability; I’ve already coded 2 websites with the new version and it was a snap to get up and running. All the pages easily validate to XHTML standards. It’s a wonder to me why they’re calling it 1.5; with the wealth of changes and updates I would have called it at least 2.0. Gone are the days of two WYSIWYG editors per article, gone are the separate classifications of articles and static pages and, best of all, gone are the days of needing endless add-ons and modifications to make it work the way you think it should. Two such modifications come to mind. First is the Search Engine Friendly URLs: it’s completely built in now and better than any add-ons I’ve seen for the 1.0.x release. Second are the WYSIWYG editors I used to have to add; with the improved media manager there’s really no need for it anymore.

All in all I’d have to say that this has been a huge success for the Joomla! team; it’s an amazing achievement made even better. Joomla is definitely one of the best open source free applications I’ve had the pleasure of using. Go check it out if you haven’t already!


Jan 12, 2008

I never even heard of a coding ‘framework’ until I found out about the multitude of lightweight and powerful frameworks for JavaScript such as jQuery and Prototype. So it goes without saying that when I found out there were some for PHP too my mind was sufficiently blown. After looking through a few different types I settled on trying one called CodeIgniter because it looked to have the smallest footprint and was among the easiest to learn.

There are several different reasons I’ve used CodeIgniter ever since I found out about it a few months ago. Following are a few examples of why this framework is priceless to me and my productivity. One is the structure it forces upon you (in a good way), namely the Model-View-Controller dev pattern. Right out of the box I found myself writing code that was more segmented and documented, which is excellent for those functions that are reusable in future projects like image processing and user logging. Also I love the way the URLs are designed to be search-engine and human friendly right out of the box. For example, instead of a URL like artwork.php?piece=23&order=ASC it could end up more like /artwork/23/asc/. One thing I’ve noticed regarding this URL rewriting is that it makes it a little more challenging to integrate with other script packages like WordPress that have their own rewriting method. Finally, there’s a ton of common functions, classes and helpers that range from form validation to email to sessions. It’s all been battle tested and works as you would expect every time. I apologize for how broad this is, but it’s just too huge of a reason to explain in detail; if you’re interested in reading more about these there’s a detailed user manual online here, and it’s all in HTML so it’s also included in the zip when you download the framework.
I’ve created about 6 sites with this framework and can’t count the number of times I was able to go back to a previous site and reuse a function that not only saved me time in development but also in testing because it was all done already. All in all I think the fact that I feel I’m more productive, efficient and create all around cleaner and more documented code is the reason I love using this framework the most.

Nov 06, 2007

I recently had the opportunity to delve deeper into MySQL and how to optimize and generally better my database structure and queries. There’s a lot of information on this topic so I thought I’d share the top ten things that matter to me when creating and querying databases.
  1. Make the fields of your tables as small as possible; if you know a varchar field is never going to need a value longer than 10 characters, set it to varchar(10).
  2. Always use auto-increment IDs in your tables; even if you don’t expect you’ll need them now, they always seem to come in handy.
  3. Index all the fields you will be querying directly, especially those that you know an exact value for.
  4. Normalize the data structure as much as possible; duplicate data is just more for the server to wade through when running a query.
  5. If you’re querying against a number, e.g. (WHERE x = 12), there’s no need to use quotes around the number value; this actually slows down the query because it needs to convert from a string to a number.
  6. Limit the use of LIKE and the % wildcard, e.g. (WHERE userName LIKE '%Woods%'), as this slows the query considerably. If you know that the value is always going to be at the beginning of a field, be sure to only use the wildcard at the end to speed up the query, e.g. (WHERE userName LIKE 'Woods%').
  7. Multiple-field indexes are good at speeding up queries, but be aware that the first field in the index must be the first item from that index searched in the query or the whole thing won’t be used the way you intended.
  8. Be aware that there is a cost to indexing, both in time and space. Indexes speed up select queries but slow down deletes and inserts and basically any other queries that involve writing to the DB. The more indexes a table has, the slower these write queries will be because the indexes have to be changed with the data. The indexes also take up disk space, which may cause a database to reach its disk limit more quickly. The practical implication of both these factors is that if you don’t need a particular index to help queries perform better, don’t create it.
  9. Use the EXPLAIN keyword with your query to get important information on the query, including the possible keys and the estimated rows that will need to be searched to find a result. Especially handy with multiple-table queries with joins.
  10. Be careful with joins; if used incorrectly they can slow down a query considerably. Values from the preceding table (as listed in the output of EXPLAIN) are used to find rows in the current table. So if you have three tables each with 1000 rows to search you’re actually returning 1,000,000,000 rows of data. Obviously this is too many and indexes should be employed to reduce this number to something more manageable.
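A way to check tips 6, 7 and 9 against a real server, as an added example that is not part of the original post: it builds a small table with a two-column index (last name first) and asks EXPLAIN how each query would run. The table, index and connection details are assumptions.

```php
<?php
// Added example (not from the original post): lets MySQL report whether a
// query can use an index. Table name, columns and credentials are assumed.
declare(strict_types=1);

$db = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

// Tip 1 (small fields), tip 2 (auto-increment id) and tip 7 (composite
// index whose leading column is the one most often searched exactly).
$db->exec('CREATE TABLE IF NOT EXISTS users (
    id         INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
    last_name  VARCHAR(40)  NOT NULL,
    first_name VARCHAR(40)  NOT NULL,
    email      VARCHAR(254) NOT NULL,
    INDEX idx_name (last_name, first_name)
)');

// Runs EXPLAIN (tip 9) and returns the access type, the index the optimizer
// chose (NULL means a full table scan) and the rows it expects to examine.
function explainQuery(PDO $db, string $sql): array
{
    $row = $db->query('EXPLAIN ' . $sql)->fetch(PDO::FETCH_ASSOC);
    return ['type' => $row['type'], 'key' => $row['key'], 'rows' => (int) $row['rows']];
}

$checks = [
    // Tip 7: leading column of idx_name present, so the index is usable.
    "SELECT id FROM users WHERE last_name = 'Woods' AND first_name = 'Tiger'",
    // Tip 7: leading column missing, idx_name cannot be used at all.
    "SELECT id FROM users WHERE first_name = 'Tiger'",
    // Tip 6: trailing wildcard keeps the index usable as a range scan.
    "SELECT id FROM users WHERE last_name LIKE 'Woo%'",
    // Tip 6: leading wildcard defeats the index and forces a full scan.
    "SELECT id FROM users WHERE last_name LIKE '%oods'",
];

foreach ($checks as $sql) {
    $e = explainQuery($db, $sql);
    printf("%-6s key=%-8s rows=%-6d %s\n", $e['type'], $e['key'] ?? 'NULL', $e['rows'], $sql);
}
```

Run it against a table holding a realistic number of rows; on a nearly empty table the optimizer may choose a full scan even where an index is available, so the contrast between the queries only shows up with data in place.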

Nov 05, 2007

I came back to work today after the weekend “fall back” and noticed that my Dreamweaver CS3 was starting to act up. Ever since we got it, it’s been running like a champ, so I googled “dreamweaver CS3 crashes” and lo and behold one of the first results is a TechNote posted today on adobe.com that links the frequent crashes to the DST ending. Of all the things I thought it could be, changing the clocks back an hour wasn’t even considered. That’s why I’m posting this, in an attempt to spread the word about this odd error. Here’s a quote of the Issue as explained in the TechNote.
Adobe Dreamweaver CS3 crashes when working with certain PHP or ASP files in Code view or Design view after the clock goes back one hour, when Daylight Savings Time ends. The crashes only occur when selecting certain lines in Code view, or selecting certain objects in Design view. The crashes only occur in files that have PHP or ASP code, intermingled with HTML code. The crashes do not occur in Dreamweaver 8 or earlier (Ref. 229536).
Click Here to read more and to find out how to fix this issue.

Apr 13, 2007

Site Pro just released a new design for their site - http://www.sitepronews.com/
A cool resource for web scripts - http://protolize.org/
A free audio editor, anything this cool that’s free is pretty sweet - http://audacity.sourceforge.net/

Nov 21, 2006

I’ve recently discovered the single best PHP mail script ever. Some of you may have heard of PHPMailer, but for those of you that haven’t, you must go over to http://phpmailer.sourceforge.net/ and get it. It wasn’t the fact that it’s all wrapped up in one neat and tidy folder that intrigued me; it wasn’t even the ease of use and multitude of options. The thing that impressed me is its ability to not only deliver HTML and plaintext emails but somehow deliver them reliably. Whenever I try to create a web email form it always seems to deliver to the Junk Email folder in my tests. I don’t know how they did it; maybe there are some additional headers in there or something. But maybe that’s another reason I like it: I don’t have to know how they did it, just that it really works.

Jun 28, 2006

Absolutely loving all the links over at http://www.kayodeok.btinternet.co.uk/favorites/webdesign.htm. It seems that some were broken when I tried but all in all another great bookmark resource!

Nov 18, 2005

MySQL 5 has finally arrived with new features including Stored Procedures, Triggers, Views, Information Schema and Archive Storage Engine! Check out their site and read up on the awesomeness.

Jun 11, 2005

Just found a pretty neat FREE store locator script, the site has versions you can purchase for more features but the free version is plenty for most of us. Check it out! www.yourphppro.com

May 28, 2005

I recently rediscovered these two sites that I used to visit more often and I must say that both are still doing rather well… GFXArtist.com and WebMaster Talk.

May 09, 2005

In my relatively short career I’ve found that the best e-Commerce engine out there free or not has to be ZenCart. This open source cart system has everything you can ask for and more, from custom product options to a completely customizable template. Go check it out and let me know what you think. I’d especially like to hear if you disagree with me, can’t get too many opinions!

Apr 06, 2005

I feel so stupid for NOT knowing these sooner, it would have made troubleshooting much easier in the past. Magic constants are predefined constants usable just about anywhere. Here are the main 5 that I saw…
Name / Description
__LINE__: The current line number of the file.
__FILE__: The full path and filename of the file. If used inside an include, the name of the included file is returned.
__FUNCTION__: The function name. (Added in PHP 4.3.0) As of PHP 5 this constant returns the function name as it was declared (case-sensitive). In PHP 4 its value is always lowercased.
__CLASS__: The class name. (Added in PHP 4.3.0) As of PHP 5 this constant returns the class name as it was declared (case-sensitive). In PHP 4 its value is always lowercased.
__METHOD__: The class method name. (Added in PHP 5.0.0) The method name is returned as it was declared (case-sensitive).
__LINE__ and __FILE__ are the two major ones I’m definitely going to use when troubleshooting. In a well placed error message they’d provide you with the exact line of code and file you’re having trouble with. A quick note about these constants is that they can’t be included in a quoted string, e.g. echo "This is the filename: __FILE__"; will return exactly what’s typed above. echo "This is the filename: {__FILE__}"; will also return what’s typed above. The only way to get magic constants to parse in strings is to concatenate them into strings: echo "This is the filename: ".__FILE__; I figured someone out there might also find this bit useful!
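A small error reporter built on these constants, as an added example that is not part of the original post. It shows the one thing the table does not spell out: __FILE__ and __LINE__ evaluated inside a helper name the helper itself, so the caller must pass its own values in. The function and class names are assumptions.

```php
<?php
// Added example (not from the original post). Function and class names
// here are made up for illustration.
declare(strict_types=1);

// __FILE__ / __LINE__ used inside this function would point at this helper,
// not at the failing code, so the caller hands its own values over.
function whereFailed(string $what, string $file, int $line): string
{
    return sprintf('%s (in %s on line %d)', $what, basename($file), $line);
}

class Report
{
    public function run(): string
    {
        // __METHOD__ expands to "Report::run"; __CLASS__ alone gives "Report".
        return whereFailed(__METHOD__ . ' failed', __FILE__, __LINE__);
    }
}

// Interpolation leaves magic constants untouched; only concatenation works.
$literal = "file: __FILE__";        // stays exactly as typed
$works   = "file: " . __FILE__;     // real path substituted

echo (new Report())->run(), "\n";
```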

Mar 19, 2005

So you’ve mastered the ifs, thens and whiles, you’re the king of loops and you can honestly call MySQL your bitch, but what’s the point if everything you code is insecure and full of holes? PHP security is something not many people are worried about and even fewer know how to implement. This article will attempt to describe a few common mistakes and ways to work around them…

Data Filtering

Data filtering is one of the cornerstones of secure application development. It involves the mechanism by which you determine the validity of data that is entering and exiting the application, and a good software design can help developers to:

  • Ensure that data filtering cannot be bypassed
  • Ensure that invalid data cannot be mistaken for valid data, and
  • Identify the origin of data.
As described in the PHP Security Guide, there are two general methods of data filtering, The Dispatch Method and The Include Method.

The Dispatch method

One method is to have a single PHP script available to the web and have every other module included with the include or require functions. This method usually calls for a GET variable to be passed with every URL that identifies the task. This method uses the GET variable to ‘dispatch’ or send the page to the desired location. This method is popular for two main reasons. First, it allows the developer to implement global security measures in one single script and ensure that they cannot be bypassed. Second, one can easily see that data filtering takes place when necessary by focusing on the control flow of a specific task. It should be noted that if this method were combined with mod_rewrite, the user wouldn’t even know that such a method was in action; for example, http://www.sleepingawake.net/index.php?do=print could end up looking like http://www.sleepingawake.net/app/print

The Include Method

The second approach is to have a single include that is responsible for the security of each document. This module is included at the top of each script that’s accessible through the web.

With either of these methods, it’s important to remember to filter all data that comes from the user. Be sure that the submitted email is in fact an email address, be sure that every integer variable returns an integer, and if there’s a finite list of possibilities for a variable (perhaps from a dropdown list or a Yes/No) make sure that only one such possibility is accepted. This not only strengthens security but also improves the overall accuracy of the data.

Form Processing

Spoofed Form Submissions

One common practice for hackers is to view the source of your forms and copy them elsewhere where they can easily be manipulated. They can change limited possibility dropdown lists into textboxes, where they’d then be able to submit any content they want to your site using an absolute URL in the action attribute.

Spoofed HTTP Requests

Another more advanced (and therefore less used) method is spoofed HTTP requests. These requests can be sent from a telnet session or via a PHP script and basically do the same as the method above. For a more detailed description of HTTP requests, visit the HTTP Request section over at W3.org and/or the article Understanding HTTP by Perlfect Solutions.
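The dispatch method and the whitelist filtering described above are also the server-side answer to both kinds of spoofing just mentioned: a copied form or a hand-built request can send anything, but only values the script itself lists as acceptable get through. The following is an added example, not code from the original article; the task names, field names and module paths are assumptions.

```php
<?php
// Added example (not from the original article): a dispatch script whose
// whitelist filter runs on every request value before any module is loaded.
// Task names, field names and module paths are assumptions.
declare(strict_types=1);
// Only tasks listed here can be dispatched. The request value is never used
// to build a path, so ?do=../../etc/passwd maps to nothing.
const TASKS = [
    'home'  => 'modules/home.php',
    'print' => 'modules/print.php',
    'save'  => 'modules/save.php',
];
// Returns the clean value or null. Invalid input is rejected, never "fixed".
function filterValue(array $src, string $key, string $type, array $allowed = []): ?string
{
    if (!isset($src[$key]) || !is_string($src[$key])) {
        return null;
    }
    $v = $src[$key];
    switch ($type) {
        case 'int':    // digits only: "12" passes, "12 OR 1=1" and "-1" do not
            return ctype_digit($v) ? $v : null;
        case 'email':
            return filter_var($v, FILTER_VALIDATE_EMAIL) !== false ? $v : null;
        case 'enum':   // finite list such as a Yes/No dropdown; strict compare
            return in_array($v, $allowed, true) ? $v : null;
    }
    return null;
}
// Validates a whole form: returns the clean values plus the names of the
// fields that failed, so the caller can refuse the request as a unit.
function filterForm(array $src, array $rules): array
{
    $clean = $bad = [];
    foreach ($rules as $field => $rule) {
        $val = filterValue($src, $field, $rule[0], $rule[1] ?? []);
        if ($val === null) {
            $bad[] = $field;
        } else {
            $clean[$field] = $val;
        }
    }
    return ['clean' => $clean, 'invalid' => $bad];
}
// Single entry point: every request passes through here first.
$task  = filterValue($_GET, 'do', 'enum', array_keys(TASKS)) ?? 'home';
$clean = [];
if ($task === 'save') {
    $result = filterForm($_POST, [
        'id'         => ['int'],
        'email'      => ['email'],
        'newsletter' => ['enum', ['yes', 'no']],  // a copied form cannot widen this
    ]);
    if ($result['invalid'] !== []) {
        http_response_code(400);
        exit('Invalid fields: ' . htmlspecialchars(implode(', ', $result['invalid'])));
    }
    $clean = $result['clean'];
}
define('IN_VALID', true);   // the include guard shown later in this article
require TASKS[$task];
```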

Databases and SQL

Exposed Access Credentials

A VERY common mistake (one that I was guilty of for a while) is to provide your database access credentials in one single .inc file in the root directory. Although this method is quite simple, it’s full of more holes than Swiss cheese. You see, .inc files by nature are displayed as plaintext in browsers, so if someone by chance found out the file path to it your database security would be compromised. One common remedy is to rename your .inc file, for example from db.inc to db.inc.php. This simple practice hides the content of the file from showing via a browser. Another, even more secure, method is to place the file in a folder that is not accessible via a browser and reference the actual file path in the PHP scripts. For more advanced information on this subject visit Exposed Access Credentials in the PHP Security Guide.

SQL Injection

SQL injection attacks are extremely simple to defend against, but many applications are still vulnerable. This is another one I was guilty of for a long time. Using variables directly from forms with no data filtering in place can cause horrible problems. A sneaky user can go so far as to send multiple queries to the database server in a single call. Worse still, a user can potentially terminate the existing query with a semicolon and follow this with a query of the user’s choosing. The good news is that data filtering as explained above can prevent or even eliminate the possibility of this happening. Another useful tidbit is to put single quotes around all values in your SQL statements, regardless of the data type. That and escaping your data using mysql_escape_string() or addslashes() will also help prevent unwanted SQL results.
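The vulnerable pattern described above beside its fixed form, as an added example that is not part of the original article. Quoting and escaping were the tools available when this was written; the fixed form below uses prepared statements, which keep the value out of the SQL text altogether (mysql_escape_string() and the rest of the mysql_* extension were removed in PHP 7). Table and column names are assumptions.

```php
<?php
// Added example (not from the original article): the vulnerable pattern
// beside its fixed form. Table and column names are assumptions.
declare(strict_types=1);

// BEFORE: what the article warns about. With $id = "1; DROP TABLE users"
// a second statement reaches the server, and with $id = "1' OR '1'='1"
// the quotes the article suggests are simply closed by the input itself.
function findUserUnsafe(PDO $db, string $id): array
{
    $sql = "SELECT id, email FROM users WHERE id = '" . $id . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// AFTER: the value travels separately from the SQL text, so it can never
// alter the statement's structure. (mysql_escape_string() and the rest of
// the mysql_* extension were removed in PHP 7; PDO or mysqli prepared
// statements are the replacement.)
function findUserSafe(PDO $db, string $id): array
{
    // Data filtering first, as the earlier section says: an id is digits
    // only, anything else is rejected before it gets near the database.
    if (!ctype_digit($id)) {
        return [];
    }
    $stmt = $db->prepare('SELECT id, email FROM users WHERE id = :id');
    $stmt->execute([':id' => (int) $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Free text such as a search box cannot be whitelisted, so here the
// parameter binding alone carries the security; LIKE metacharacters are
// escaped only so they match literally, not for injection reasons.
function searchUsers(PDO $db, string $needle): array
{
    $literal = addcslashes($needle, '%_\\');
    $stmt = $db->prepare('SELECT id, email FROM users WHERE email LIKE :pat');
    $stmt->execute([':pat' => $literal . '%']);   // trailing wildcard only
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
]);
var_dump(findUserSafe($db, $_GET['id'] ?? ''));
```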

Sessions

Session Fixation

Session security is a fairly advanced topic, which is why it’s widely exploited. Most session attacks involve impersonation, where an attacker gains access to someone’s session identifier. There are three common methods used to obtain a valid session identifier:

  • Prediction
  • Capture
  • Fixation
This topic can be seen in more detail over at the PHP Security Consortium under Sessions.
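The counter-measures for the three methods listed above, as an added example that is not part of the original article. It uses only the standard PHP session API (PHP 7.3 or later for the array form of session_set_cookie_params); the user id passed to loginUser() is whatever your own login check produces.

```php
<?php
// Added example (not from the original article): counter-measures for the
// three ways of obtaining a session id listed above. Standard PHP session
// API throughout; the user-id argument is whatever your login code yields.
declare(strict_types=1);

function startSecureSession(): void
{
    // Fixation: never read the id from the URL, and refuse ids the server
    // did not generate itself (strict mode), so a planted id is ignored.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1');
    // Capture: keep the cookie away from scripts and off plain HTTP.
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
    // Prediction: a longer random id (PHP draws it from the CSPRNG).
    ini_set('session.sid_length', '48');
    session_start();
}

// Whatever id the browser arrived with, the authenticated session gets a
// fresh one, so an id fixed before login is worthless afterwards.
function loginUser(int $userId): void
{
    session_regenerate_id(true);    // true: discard the old session data
    $_SESSION['uid']   = $userId;
    $_SESSION['login'] = time();
    $_SESSION['last']  = time();
    // Weak extra tie for a stolen id: the client's User-Agent fingerprint.
    $_SESSION['ua'] = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

// Per-request check: reject idle sessions and cookies replayed from a
// different client; returns false instead of trusting a bare session id.
function sessionIsValid(int $maxIdle = 1800): bool
{
    if (!isset($_SESSION['uid'], $_SESSION['last'], $_SESSION['ua'])) {
        return false;
    }
    if (time() - $_SESSION['last'] > $maxIdle) {
        return false;
    }
    $ua = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    if (!hash_equals($_SESSION['ua'], $ua)) {
        return false;
    }
    $_SESSION['last'] = time();
    return true;
}

function logoutUser(): void
{
    $_SESSION = [];
    setcookie(session_name(), '', time() - 3600, '/');
    session_destroy();
}

startSecureSession();
```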

Early in this article I raved about the simplicity of using include. Well, there’s yet another step you can take to ensure your site’s safety with regards to these include files. The script below (graciously taken from the folks over at phpfreaks.com) will stop your files being directly accessed. Place this at the beginning of the file you’re going to include:

<?php
     if ( !defined('IN_VALID') )
     {
         die("<Center><B>Error: This File Cannot Be Accessed Directly</B><BR>To Return To The Main Site <a href=\"#\">Click Here</a></Center>");
     }
?>

For example, say the file that now has the above code in it is called menu.php; we have to define IN_VALID before we can include it:

<?php
     define('IN_VALID', true);
     include("menu.php");
?>

Ultimately the user will not know what’s required in order to view the include, and so its contents remain hidden.

I hope this wasn’t too confusing to read, if you have any questions regarding this post let me know and I will do my best to make it easier to understand. I’d like to thank PHPFreaks, The W3C, the PHP Security Consortium and Perlfect Solutions for their (albeit unintentional) participation in the making of this article.


Mar 17, 2005

If this appeals to anyone, there is a job opening at an established design firm in Mt. Prospect / Des Plaines, IL: PHP Programmer / Web Developer. If interested please send a resume to info@chamerlik.com. http://www.chamerlik.com/ They might be interested in some SEO work as well. Just passing on the info. Kevin