Archive for February, 2008

SQL Injection Attack

Franz| February 19, 2008 9:19 pm

I was listening to a Security Now podcast on the long drive home. The topic was SQL injection threats. It was the first time I had heard about it, but it is clearly something I need to consider on our webpages that take user input.

Basically, a portion of a SQL statement is built from user input. A simple example would be a login form that asks for a user name and password. Let's say those two fields are used to see if there is a matching record in a MySQL login database, and the SQL statement is built directly from the form input.

Here is a sample basic HTML form with two inputs, login and password.

<form method="post" action="http://mywebsite.com/login.php">
<input name="UserName" type="text" id="UserName">
<input name="UserPass" type="password" id="UserPass">
<input type="submit" value="Log in">
</form>

If for the user name they enter "Bill" and for the password something like this (the surrounding quotes are added by the query itself):

anything' OR 'x'='x

The SQL statement would then make this check:

SELECT * FROM users WHERE UserName='Bill' AND UserPass='anything' OR 'x'='x';

By putting SQL syntax in the data field, the query is changed in a way that was never expected: AND binds more tightly than OR, so the trailing 'x'='x' is always true and a row is returned no matter what password was supplied.

On some SQL servers such as MS SQL Server any valid SQL command may be injected via this method, including the execution of multiple statements. The following value of "UserName" in the statement below would cause the deletion of the "users" table as well as the selection of all data from the "data" table (in essence revealing the information of every user):

a';DROP TABLE users; SELECT * FROM data WHERE name LIKE ';

There is no patch on a MySQL database or any firewall that will stop this type of attack. What is needed is a check of the data. I will write more about that after doing some additional research.
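As an added example (not code from the original post), here is the same login check written two ways in Python against an in-memory SQLite table standing in for the MySQL login database: the first splices the form fields into the SQL text as above, the second uses placeholders so the driver treats the password as data. The users table, the user Bill and the stored password are constructed for the demo.

```python
import sqlite3

# Constructed stand-in for the post's MySQL login table.
SAMPLE_ROWS = [("Bill", "correct-horse")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (UserName TEXT, UserPass TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def login_concat(conn, user, pw):
    """Vulnerable: the form values are spliced into the SQL text, so a quote
    in the password ends the string literal and the rest is parsed as SQL."""
    sql = ("SELECT * FROM users WHERE UserName='" + user +
           "' AND UserPass='" + pw + "'")
    return conn.execute(sql).fetchone() is not None


def login_param(conn, user, pw):
    """Fixed: placeholders. The SQL text is fixed before the values are
    supplied, so quotes and keywords inside the password remain data."""
    sql = "SELECT * FROM users WHERE UserName=? AND UserPass=?"
    return conn.execute(sql, (user, pw)).fetchone() is not None


def demo():
    conn = make_db()
    # The post's example password; the query adds the surrounding quotes,
    # producing ... AND UserPass='anything' OR 'x'='x'
    injected = "anything' OR 'x'='x"
    return {
        "concat_real_password": login_concat(conn, "Bill", "correct-horse"),
        "concat_wrong_password": login_concat(conn, "Bill", "guess"),
        "concat_injected": login_concat(conn, "Bill", injected),
        "param_real_password": login_param(conn, "Bill", "correct-horse"),
        "param_injected": login_param(conn, "Bill", injected),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22s} login {'accepted' if ok else 'rejected'}")
```

The concatenated version accepts the injected password without knowing the real one; the placeholder version rejects it.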

Using CSS to Over-ride Link Color

Franz| 8:57 pm

In the prior entry I discussed using an include() PHP command to use a single instance of the Spry horizontal menu on all webpages.

In addition I have switched to using Cascading Style Sheets exclusively. One item that was causing me a bit of a problem was that I had one column heading style set as white on dark blue. If I tried to make that a link, it would change to the link color. The answer was to create a new style called "white":

a.white:link, a.white:visited {
    color: #FFFFFF; /* keep the heading white whether or not the link has been visited */
}

Then, when I create a column heading that is also a link, I apply the style "white" as well as the one for the column heading, as follows:

<td bgcolor="#26354A"><div align="center"><a class="white" href="http://www.sports.franzkelsch.com"><span class="colHeading">Introduction</span></a></div></td>

The link has both the style “white” and “colHeading”.

The latter sets the color for the white text on dark blue, and the style "white" overrides the setting I have for the a:link style.

This file will show you what it looks like.

http://www.franzkelsch.com

The column headings are white on dark blue but are still a clickable link.

Using Single Instance of Spry Menus

Franz| February 18, 2008 9:02 pm

For my websites I have been using the Spry Horizontal menu system. Although this makes it easy to add in menu items and links, as with any menu system, if it is in every webpage that becomes a burden if you should need to make a change to a single menu item. That would require making the same change on every page.

I also wanted to have a separate image header at the top of the webpage that changes with the section I am in.

I accomplished both things by using this approach. For reference go to the website http://www.ultracycle.net

In the main folder I have these files

  1. index.php
  2. header.php
  3. header.jpg
  4. footer.php

The header.php is the file that contains the HTML code for the image at the top of the page (using a relative address) and all the code needed for the Spry Menu. The header.php file has no <HEAD> tag, just the lines of HTML that are needed. I started with a full page with the <html> <head> and <body> tags, and started to delete all lines of code that were not clearly needed and I ended up with header.php.

The index.php file uses an include command as follows:

include("header.php");

The header.php file already has a link to the local header.jpg file. I use a similar approach to include the footer.php file.

For each section I created a separate folder. One is called “train” for long distance cycling training webpages.

In there are these files.

  1. header.jpg
  2. index.php
  3. individual pages, all php files.

The index.php (and the other files there) all use the same include command but in this case it is:

include("../header.php");

and

include("../footer.php");

Note that this header.php will use the jpg file found in /train/header.jpg, since in that file the image is referenced by a relative path, not an absolute one, so the browser resolves it against the folder of the page being viewed. So when I run the file /train/index.php it accesses the header.php file in the root, which uses the local JPG file, and then of course has the body of what is desired for that page. It also uses the footer.php file.

The index file looks like this:

<html>
<!-- usual stuff here -->
<head>
<!-- usual stuff here -->
</head>
<body bgcolor="#64748B">
<?php include("../header.php"); ?>
<!-- then the code for the page -->
<?php include("../footer.php"); ?>
</body>
</html>

By using this approach I only need to change the content that is unique to that page, which goes between the include for the header.php file and the include for the footer.php file.

I believe this approach will make it much easier to create new content and keep existing content up to date. To create a new page I have a template that has the includes for the header.php and footer.php files and a table in between the two. I just paste the new content into the table. It will use the appropriate JPG header image, depending on which folder it is placed in. By using this approach I have reduced the creation of new webpages to only the content that is unique to that page, and yet when the page is viewed in the browser it has the header image, the Spry menu, and the footer images and links.

This file will show you what it looks like.

http://www.ultracycle.net/monitor/hrm.php You will see a different header image than if you go to the main index page at:

http://www.ultracycle.net And yet both pages are using the same header.php file included in the code.
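To make concrete why the two URLs above show different banners from one header.php, here is an added Python simulation (not code from the post, and not PHP itself): it expands the include() lines of a constructed copy of the site tree relative to the including script's folder, then resolves the banner's src the way a browser does, relative to the page URL. The file contents are constructed, and PHP's real include lookup also consults include_path and the working directory, which this simplification ignores.

```python
import posixpath
import re

# Constructed stand-in for the site tree described in the post: one shared
# header.php and footer.php in the root, a section folder with its own header.jpg.
SITE = {
    "/header.php": '<img src="header.jpg" alt="section banner">\n<!-- Spry menu here -->\n',
    "/footer.php": '<p>footer links</p>\n',
    "/index.php": '<?php include("header.php"); ?>\n<p>home</p>\n'
                  '<?php include("footer.php"); ?>\n',
    "/train/index.php": '<?php include("../header.php"); ?>\n<p>training</p>\n'
                        '<?php include("../footer.php"); ?>\n',
}

INCLUDE_RE = re.compile(r'<\?php\s+include\s*\(\s*"([^"]+)"\s*\)\s*;\s*\?>')
SRC_RE = re.compile(r'src="([^"]+)"')


def render(page):
    """Expand include() directives, resolving the path against the folder of
    the script that contains the include (a simplification of PHP's lookup)."""
    base = posixpath.dirname(page)

    def expand(match):
        target = posixpath.normpath(posixpath.join(base, match.group(1)))
        return SITE[target]

    return INCLUDE_RE.sub(expand, SITE[page])


def image_urls(page):
    """The browser resolves src="header.jpg" against the page URL, not against
    header.php, so each folder's own header.jpg is displayed."""
    base = posixpath.dirname(page)
    return [posixpath.normpath(posixpath.join(base, src))
            for src in SRC_RE.findall(render(page))]


if __name__ == "__main__":
    for page in ("/index.php", "/train/index.php"):
        print(page, "->", image_urls(page))
```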

I plan to use this approach on other websites. It takes a bit of work up front but saves a lot of time going forward.

Enabling PHP and Apache on Leopard

Franz| February 8, 2008 5:21 pm

The superiority of the Mac operating system continues to impress me. Having been a long-term user of Windows, back from version 1.0, I have all but abandoned it for the Mac. I have used my MacBook Pro for over one year now and have no intention to return to Windows. I do website programming in PHP and wanted to install PHP locally so I can do testing without the need to FTP files to the web server. I found out that Mac OS X 10.5 (Leopard) comes with both Apache 2.2.6 and PHP 5.2.4 pre-installed, but they're not enabled by default. I found these instructions from Foundation PHP on how to get it up and running.

The first step was to download the free text editor TextWrangler (a free, cut-down version of BBEdit available from www.barebones.com). Using this editor I made one change in a single file. Next the instructions required use of the terminal to copy the php.ini default file, then I could use TextWrangler to edit it with a single change. In the Mac System Preferences I then enabled web services and was done. I created a test PHP file and ran it in the browser as follows to verify both Apache and PHP were working.

http://localhost/test.php

The PHP information page came with this header.

PHP Info Header

The instructions were easy to follow. At this same site are some other tutorials. I plan to buy the book written by the author of this site called “The Essential Guide to Dreamweaver CS3 with CSS, Ajax, and PHP” because the author shows how to use an include for the Spry horizontal menu. One issue we have in a complex website is how to have one source for the menu system so changes made in one place will appear on all pages.


Changed FranzKelsch.com Website

Franz| 6:57 am

FranzKelsch.com Header

In my prior post I discussed moving my WordPress blog for endurance sports off of the main domain to a subdomain. That allowed me to use the main domain franzkelsch.com for a website. In the past I had used websites for some of my main domains, including this one as well as kelsch.com.

The problem with personal websites is they get out of date and updating them with current information often gets neglected. An example of this is my other family website kelsch.org which needs an overhaul.

Because of this issue of personal websites getting out of date I have moved to using blog software, such as this post, to make new entries. I use WordPress software on my personal domains for that purpose and I had converted the URL franzkelsch.com to a blog focused on my endurance sports and kelsch.com to a blog about the family. That has worked well, but I still missed the ability to format a website and add in links and other information that does not need to be updated frequently.

After some experimenting with work I was doing on the bicycle club website, I realized I could create a website and use RSS feeds from my blogs to keep the website up to date. So I moved my blog to a subdomain and created a brand new website on franzkelsch.com that takes RSS feeds from four blogs.

Blog RSS Feeds

I used the same technique with an RSS feed from our photo galleries at SmugMug.

FranzKelsch.com RSS from SmugMug

Now I no longer need to maintain this website, and just let it be populated with the feeds. As I create a blog entry, such as this one, or create new photo galleries, my personal website will always be up to date.

As part of this overhaul I decided to segregate my posts into four different blogs: family, endurance sports, computer and photography. It may be a bit of overkill, but it does replicate what I used to do in terms of personal websites when I had one for each of those categories. I still maintain other personal websites dealing with endurance sports. One is swim2bike2run.net and the other is ultracycle.net. I need to decide what to do with these.