Headers Already Sent

<quasi-stealth mode>

Wowee! Three weeks ago myself and Shazz flew to San Francisco and explored the SF Bay Area in the hunt for a bit of dosh for our startup. I’m very pleased to report that we found it, so luckily it wasn’t a wasted trip.

This means that I’ve well and truly said goodbye to the world of academia for the time being as I’ll be heading back out to Mountain View to live for a while at the turn of the year. As dropping out has always been a dream of mine, this suits me down to the ground.

I’d love to share more here but for the time being we’re keeping things quiet. More will be revealed in due course (although probably not before Christmas, I’m rushed off my feet).

Twitter seems to be having a few problems this evening. This is what happened when I pressed update:

Looks like a pretty odd / interesting issue!

I thought that RBS was a bargain a few months ago when it was going for ~165. Looking back now I’m very glad I steered clear!

I’m really getting through books fast at the moment and I’ve just finished another brilliant one - Man’s Search For Meaning by Viktor E. Frankl.

This book is split into two distinct sections. The first is a very touching, inspiring account of the authors time in concentration camps during WW2. I found his analysis of the different psychological stages they went through really fascinating and the modest prose in which he spoke about his experience was humbling.

The second section is a summary of his philosophy of Logotherapy. Although this raised a number of insightful points, towards the end I realised that as I only have a passing interest in real psychology this section was largely wasted on me. Still, it’s not too hardcore and there’s plenty to take away from it.

So if you’re looking for meaning in your life, give it a read!

Just a quick one. I was doing a bit of work earlier today and I needed to store a price like “0000.00″ in a MySQL database. As you can see there are quite a lot of options for numerical data types, and the first thing that came to my mind was FLOAT.

However, I ended up settling on DECIMAL which allows you to set the precision (significant digits) and the scale (digits after decimal point) and this seems to work (as far as I’m aware you can also do this with FLOAT too). So for example I defined my field like so:

DECIMAL(4,2)

I can’t remember off the top of my head what the difference is between FLOAT and DECIMAL. I think it’s to do with the way they are stored internally, with DECIMAL working in the way you’d most often expect. Anybody know any different?

I was having a bit of a “non duality contemplation session” last night and came across a site that really seems to cut the BS and give some answers. You can browse it for yourselves here. All of the other advaita teachers try to make it simple, often saying things like “you are that”, “they seeker is the sought”, “stay with the I am” and so on, but these seemed vague to me and left me with questions. That site lays it down as clearly as “I” could hope for.

Also, found a really amazing video that can be watched here.

Sessions are funny things. Most of the time they work first time and you never have to think about them again. Other times you run into a few issues.

Tonight I thought everything was fine, then I did a simple page redirect. On the other side I tried to read from $_SESSION and everything had disappeared. I spent too long pouring through the code before I realised what was wrong.

Apparently PHP / Apache regards “www” as a subdomain. I was redirecting from http://example.com to http://www.example.com so everything got dropped. A simple mistake to make and easily overlooked. When I figured out the problem I found this post on PHP.net.

Strangely I’ve never noticed this behavior before. I wonder if it has always been there or it varies between Apache 1.3 and 2.

…make sure that it’s “How to Win Friends and Influence People” by Dale Carnegie.

I’ve gobbled this book up in just over a day (against the authors advice) and I have to say it’s one of the best books I’ve ever read.

Go. Read. Now.

PHP really is a smashing language, allowing you to knock out rich applications quickly and easily. As anyone with half a brain will realise though, giving power to people that don’t have a clue is a recipe for a disaster.

This is by no means a comprehensive list, but here are some common security issues that I have encountered with some simple fixes.

1. Use mysql_real_escape_string()

SQL injection can be a big problem, but it is easily defeated. Validating every input into your web application is a must, whether it comes from $_POST or $_GET. If it passes this validation then you should wrap mysql_real_escape_string() around the variable to escape dangerous characters. For example:

$query = “SELECT id FROM logins WHERE username=’”.mysql_real_escape_string($_POST['username']).”‘ AND password=’”.mysql_real_escape_string($_POST['password']).”‘”;

2. XSS protection

Cross site scripting is a real danger, but is something that can be protected against without too much work. Simply remove HTML / Javascript tags from any input by using str_replace or an equivalent. I find that I only need to worry about this when dealing with textareas, because text fields are usually a lot more locked down to the type of data that needs to go into them.

3.URL Manipulation

Web applications typically pass information through URLs. Consider the following link:

view_personal_info.php?my_user_id=123

In this example I think we can probably take “my_user_id” to be my id on the system. So what happens when I go to the URL with id 124 or 125? Will I get information on other users? Probably, and that’s why on every page you need to check that the current logged in user has the correct access to view the information.

This isn’t hard to do, so I’m not going to explain the solution here. However, if you’re passing a lot of information through a URL and want to make sure it’s not tampered with, then there’s a straightforward way to achieve this. Creating a hash of the data with a password only the application knows, passing it in the url  and revalidating it on the target page works a treat.

4. Use forms, not links

I’m guilty of having done this once or twice, mainly due to ignorance, but when you’re doing any database modification it should always happen through a form, not a link. Otherwise people can craft links to pages like delete and trick you into clicking on them. If the pages aren’t properly password protected, then it’s also possible that search engines can crawl your site and wreck your database.

5. Other

There are plenty of other little tweaks you can make to your PHP configuration to improve security, depending on what you’re doing and how locked down you want your server to be. Two little things I do when putting code on a live site are turning error messages off, and moving pages that don’t need to be read directly outside of public_html.

I think the hardest thing about PHP and web application security in general is the range of scope for attack. Every input has to be validated, and in a big application this can be easily overlooked. Unfortunately, it only takes one error to bring your entire application down.