It’s been a while since my last blog. I have had a lot of work with assignments and other projects which I have been snowed under with.
The topic for today is SQL injection with PHP.
SQL injection is a big problem for everyone, and if you're using databases you will more than likely have to deal with it at some time in your life. You see it all the time: you go onto a website you always use and someone has left a message as the administrator saying they have the user database and full control of the forum. We as developers have a responsibility to prevent this wherever possible. There is no sure-fire way to stop SQL injection, as a good cracker will always find a way round your security measures.
This website runs mainly off a MySQL database. When I was rebuilding it a while ago I reused a lot of code from my old website models which I had written. All of my old code was PHP 4 and needed updating (which you will already know if you have read my previous blogs). By doing this, many security threats which I was too naive and not technically minded enough to understand were taken away. I could have kicked myself over some of the holes within my website; even the navigation system left a large hole into my database. Without going into too much depth about how my website is coded (if people can't see what they're trying to crack it makes it a lot harder): I had my MySQL login as a full-rights user which could drop tables and so on. This alone was a large threat. Then I noticed I was passing RAW data from the URL into an SQL query. I might as well have just uploaded a form with a blank query connected to my database.
A few quick notes to finish:
+ Remember to always process any data which you enter into a database.
+ Forms and URLs are holes; make sure you escape any queries which are built from data entered through these.
+ Use REGEX and pattern matching to reduce the risk.
+ Add slashes to quotes.
+ Always code defensively: if there's a hole in your system the wrong person will find it.
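As an added example (not code from this site), here is the hole described above, raw URL data concatenated into a query, beside a hardened version that follows the notes: the input is checked against a regex, then bound as a prepared-statement parameter, which does the escaping for you and is more reliable than adding slashes by hand. The `pages` table, `slug` column and connection details are assumptions.

```php
<?php
// Added example, not the site's own code. Table/column names are hypothetical.

// BEFORE: the hole the post describes. $_GET['page'] is pasted straight into
// the SQL string, so whatever is in the URL becomes part of the query text.
function getPageVulnerable(PDO $db, array $get): ?array
{
    $sql = "SELECT title, body FROM pages WHERE slug = '" . $get['page'] . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// AFTER: validate against a whitelist pattern, then bind the value as a
// parameter so the database never interprets it as SQL.
function getPageSafe(PDO $db, array $get): ?array
{
    $slug = $get['page'] ?? '';
    // Page slugs are only letters, digits, dashes and underscores, 1-64 chars.
    if (!preg_match('/^[a-z0-9_-]{1,64}$/i', $slug)) {
        return null; // reject bad input rather than try to clean it up
    }
    $stmt = $db->prepare('SELECT title, body FROM pages WHERE slug = :slug');
    $stmt->execute([':slug' => $slug]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Least privilege: the account the web app logs in with should only read and
// write rows, never DROP TABLE. Run this once as the administrator, not from
// the web code:
//   CREATE USER 'web'@'localhost' IDENTIFIED BY '<password>';
//   GRANT SELECT, INSERT, UPDATE ON site.pages TO 'web'@'localhost';

// Constructed connection for the safe version; DSN and credentials are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', 'web', '<password>', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

$page = getPageSafe($pdo, $_GET);
// Escape on the way out too, so stored data cannot inject HTML into the page.
echo $page === null ? 'Not found' : htmlspecialchars($page['title'], ENT_QUOTES, 'UTF-8');
```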
.NET mag is a magazine which I buy every month. Well, calling it a magazine makes it sound cheap and tacky, and it is anything but that. .NET is mainly aimed at the web development/design community and is always full of rich content. Don't mistake this for an advertisement, as that's not what I do. As you may know if you have read any of my previous blogs, one of my main interests in web development is Accessibility and Usability.
This month's issue contained a 7-page article by Dr Jakob Nielsen, who is a very respected Accessibility and Usability expert. This article is pure gold; it goes into many areas of usability. One of the areas Nielsen talks about is how people view screens. This does not simply mean using their eyes.
It talks about eye tracking: where you look on a web page when you first see it. Nielsen explains that most people view websites in an F shape. They read the top banner, followed by the line below it, and then look down the left side. This is why most websites have navigation horizontally across the top or down the left.
Some interesting statistical figures come up in the article. 64% of the usability issues on websites are because of Findability, Page Design and Information Architecture. These are all things we as developers have full control over, and it is us who make the decisions about these areas. I know sometimes we are forced to make bad ones because our clients are set on having a website a certain way, but we should use our knowledge of the web to encourage them to help themselves. A very common mistake is using technical terms for navigation. The language you use isn't likely to be the same language a customer uses to try to find an item on your site.
Here's an example: you sell DIY products online and someone is looking for wallpaper paste. You may store this under adhesives, but a customer would more than likely be looking for a wallpapering section and then a paste section.
Obviously, if you were developing an Intranet for your company this would not apply, as your staff would be expected to know these technical terms.
Accessibility is becoming a bigger and bigger issue on the web. For years websites have been getting away with discrimination on the internet, but this is coming to a halt. Currently there is a lawsuit in America with a large e-commerce website being sued by a blind person on behalf of all the people in America who are blind. This type of lawsuit is going to become more and more common. But we as web developers/designers need to remember that a disability isn't just being in a wheelchair or a clearly noticeable disability. Something as simple as being colour blind can be a disability and restrict a person from viewing a badly designed website.
References:
+ .NET mag
+ USA Today article
I am very interested in accessibility and making the web accessible for all. One of the first units of my degree (BSc Hons Web Technology) got me interested and made me realise how bad most of the websites on the Internet are. Even large websites run by big companies don't apply the most simple techniques to provide access for people with disabilities.
The biggest problem is that it's a very grey area within the law. There is no set law which says a website must provide access for someone who is blind or can't use a mouse.
But this is where the companies and big websites will get caught out if they don't act quickly: there is a Disability Discrimination Act. If a person went onto a website and couldn't use it because it didn't accommodate their disability, the website/company is discriminating against that person and that disability, which is illegal, and the person could take the company/website owner to court over it.
I would have thought companies would be responding quicker as we are becoming more and more of a suing/lawsuit culture.
I think it will take a high-profile case, with a large organisation getting their fingers and pocket burnt, to make other companies review their websites' usability and accessibility.
I personally always work to make my websites a minimum of WAI-AA (the link is at the bottom of the page in the footer). I also take into account some of the more achievable WAI-AAA checkpoints.
I believe in accessibility on the Internet to the extent that I am writing my final year dissertation on accessibility. I am still refining my research question from such a broad area, though.