Protecting Your PHP/MySQL Queries from SQL Injection

SQL injection is a serious concern for webmasters, as an experienced attacker can use this hacking technique to gain access to sensitive data and/or potentially cripple your database. If you haven’t secured your applications, I implore you to get yourself familiar with the following method and grind it into your coding routine. One unsafe query can result in a nightmare for you or your client.

I’ve read through a lot of guides, and they tend to over complicate this, so I’ll be as straight forward as possible. In PHP the easiest way is to pass your data through the mysql_real_escape_string function. By escaping special characters on fields where the user can manipulate the database, you will avoid being vulnerable. Take a look below at the example of what to do and what not to do.

// This is a vulnerable query.
$query = "SELECT * FROM products WHERE name='$productname'";
mysql_query($query);
// This query is more secure
$query = sprintf("SELECT * FROM products WHERE name='%s'",
mysql_real_escape_string($productname));
mysql_query($query); 

Since I primarily code in PHP, I can’t confidently provide techniques for other programming languages. The most important part of protecting yourself is stopping users from being able to pass unaltered database manipulative special characters, like single quotes.

Read More......

CSS Controlled Web Design - Tables are for sitting at...

By now, most web designers are aware of the many benefits of using CSS (Cascading Style Sheets) to control the formatting and appearance of text elements within their web pages.
Indeed, if applied as outlined in one of my articles from 2006 ( CSS - Weight-Loss for your Code), Cascading Style Sheets can substantially cut down the amount of code needed to present a web page in a polished and professional manner.

What few designers realise however, is that CSS is capable of so much more than just handling a page's text formatting.

If used to its fullest capability, the Style Sheet is capable of controlling just about every aspect of page layout and presentation, even to the extent of replacing a Hyper-Text document's traditional table-based design structure.
Quite aside from saving the web developer a substantial amount of coding time, this approach also cuts down the amount of code needed to display a web page properly to an absolute minimum. So much so that in the recent redesign of one of our web sites, the use of CSS controlled HTML cut the average document size from 24kb to less than 5kb.

The key to designing CSS controlled web pages, rests in the use of DIV Tags and DIV IDs.

For example, a traditional table structure would look something like this:
Please note that angle brackets have been replaced by square brackets to display the following code correctly.

[table width="800" align="center" cellpadding="0" cellspacing="0"]
[tr]
[td width="560" align="left" class="one"][h1]Example Text[/h1][/td]
[td width="240" align="left" class="two"] [img xsrc="images/exampleimage.jpg" width="200" height="100" alt="Example Image"][/td]
[/tr]
[/table]

With CSS control, exactly the same look and feel can be achieved by the following two DIV Tags:

[div id="content"][h1]Example Text[/h1][/div]
[div id="image"][img xsrc="images/exampleimage.jpg" width="200" height="100" alt="Example Image"] [/div]

The DIV ID passes control of layout and appearance to the CSS, which handles it as follows:

#content {
position:absolute;
width: 560px;
height: 100px;
;top: 10px;
left: 100px;
font-family: Arial, Helvetica, sans-serif;
font-size: 12px;
font-weight: normal;
color: #000000;
background-color: #FFFFFF;
}

#image {
position:absolute;
width: 240px;
height: 100px;
top: 10px;
left: 660px;
font-family: Arial, Helvetica, sans-serif;
font-size: 12px;
font-weight: normal;
color: #000000;
background-color: #FFFFFF;
}

On the face of it, it may seem like this entails some extra work on the designer's part, but don't forget that at the same time as controlling the DIV Tag's position and appearance, the CSS also handles all text formatting, and that the above Style Sheet will only need to be written once in order to control an entire web site.
Then of course there is the fact that the above example is an immensely simple one. Imagine for a moment, the sheer amount of code which is saved by using CSS over the course of writing an in-depth web page.

The end result is an HTML document which has been stripped of all unnecessary code and is consequently extremely 'light-weight' and easily indexed by search engines.

Additionally, it is also possible to radically alter a page's appearance at the click of a button without ever changing any of its HTML code. This approach is very capably demonstrated at the CSS Zen Garden, where more information about the power of CSS controlled web design can be found.

Furthermore, like HTML, CSS is undergoing constant revisions and will doubtlessly grow to play an even more important part in web design during years to come. Therefore, now may be a good time to further acquaint yourself with the full functionality of this essential web design element.

Read More......

JavaScript + CSS + DOM Magic

JavaScript + CSS + DOM Magic has directly applicable projects with step-by-step instructions showing you how to master a feature and adapt it according to their own needs and creativity. The wealth of graphics will make this book easy to read and visually appealing. This book makes JavaScript, CSS and DOM easy to understand by providing directly applicable models to readers' web sites. The book opens with a primer, giving context to the technologies, and then jumps into over 25 step-by-step, directly applicable projects. You will learn the most desired web functionalities, including: frames, mouse-overs, windows, forms, CGI, style sheets, dynamic positioning, and SSI. Reviewers have called this book an unprecedented practical and comprehensive DHTML guide. The CD contains complete working scripts, all images from the book's examples, bonus graphics, trial version of leading text editors (BBEdit Lite, Homesite).

Chapter 12: Transitional CSS and JavaScript Strategies

"In life, always do right. This will gratify some people and astonish the rest."
—Mark Twain

A Tabbed Interface

Creating web sites that take advantage of the CSS and JavaScript capabilities of modern browsers, while still accommodating older browsers, is a headache faced by every site creator. In this project we'll explore some ways of dealing with this issue.

PROJECT 12: TRANSITIONAL CSS AND JAVASCRIPT STRATEGIES

Web site navigation interfaces that use a tab metaphor are very common. (Perhaps the best-known site that uses a tab-navigation interface is Amazon.com.) Yet in most cases, the navigation tabs are merely graphical links that load other pages from the server.

In this project, we show you how to create a tabbed "index-card" type of interface using a combination of CSS and JavaScript. All of the "pages" are actually contained in the one page; once the whole page is loaded into the browser, the user can very quickly "flip" through each "page" without having to reload content from the server.

Because we are using CSS and JavaScript, which are only recognized by the newer browsers, we've also taken steps to ensure that the page is still readable in older browsers.

Here are the main points we'll cover in this project:

* Creating "gracefully degrading" pages using a combination of CSS and JavaScript
* Modularizing the code
* Using arrays to streamline the script
* Manipulating the stacking order, or z-index, of elements

Gracefully Degrading Pages - The latest advanced graphical browsers offer a wealth of JavaScript and CSS features that were previously unavailable or too buggy to be practical. What's more, these modern browsers finally (in large part) follow a common set of standards as specified by the World Wide Web Consortium. This is a great development for those of us on the creative side of the World Wide Web.

There's still one thorny problem to face, however: How do you take advantage of these new methods and features but still accommodate users of version 4 and older browsers? Statistics for browser usage are in a constant state of flux, but as of this writing, a small yet still significant number of web surfers are using version 4 browsers.

Up until now, you have probably been accommodating users of older or alternate browsers using "browser sniffing" methods to redirect them to other pages, writing alternate content onto the page, and so on. However, this can greatly increase the time and cost needed to create and maintain a site.

In extreme cases, you may even have closed off users of older and alternate browsers by telling them that your site can only be accessed with certain browsers. This only invites resentment from your site visitors, who may never return to your site.

The method introduced in this project is called graceful degradation. Essentially, this means that you while you may design your page so that it's optimized for modern browsers, at the same time you ensure that the content of your site is viewable in older or non-graphical browsers. The goal is to make the same pages viewable and useable by the widest audience. See the "How It Works" sidebars at the end of this project to see how this is accomplished.

Read More......