Author Archive

PHP Security


There are many PHP users out there who probably don’t come from a computer science background; after all, PHP is probably the most accessible server-side technology around, so why shouldn’t more people be able to build dynamic, data-driven web sites and applications? Combine this, however, with the rapid application development model that PHP encourages, and with the many PHP frameworks and content management systems, and you get real (and well documented) security issues. My guess is that some people are simply not aware of these issues through inexperience, others overlook them in their rush to get the job done quickly, and some assume that because they are using a pre-built framework or CMS the issues have already been taken care of for them. Classic ASP had similar issues, which were dealt with in the rollout of ASP.NET (particularly v2.0 onwards).

I’m not going to list all the issues (well known ones include cross-site scripting, SQL injection and session hijacking), but suffice to say there is much online discussion (some productive, some not so) and a rather decent book: ‘Essential PHP Security’ by Chris Shiflett, available from Amazon and other good bookstores. The common thread is trusting data the client controls: form fields and query strings that reach SQL or HTML unescaped, and session identifiers that are accepted without being tied to the user who legitimately obtained them.
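As an added example (not code from the original post), here are the three issue classes named above in PHP, each as the naive form beside the hardened form, with a small driver against an in-memory SQLite database so the whole thing runs from the command line. The users table, the alice row and the attacker’s input are constructed for the example; the session settings assume PHP 7.3 or later for the array form of session_set_cookie_params, and the driver assumes the pdo_sqlite extension is installed.

```php
<?php
// Added example, not code from the original post. Shows the three issue classes
// named above (SQL injection, cross-site scripting, session hijacking/fixation)
// in PHP, each as the naive form next to the hardened form. The users table, the
// 'alice' row and the attacker input are constructed for this example; the session
// settings assume PHP 7.3 or later (array form of session_set_cookie_params).
declare(strict_types=1);

// --- SQL injection -----------------------------------------------------------

// Vulnerable: user input is concatenated into the SQL text, so the input can
// change the query. The input  ' OR '1'='1  turns the WHERE clause into
// username = '' OR '1'='1', which matches every row.
function findUserVulnerable(PDO $db, string $username): ?array
{
    $sql = "SELECT id, username, email FROM users WHERE username = '$username'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened: a prepared statement sends the SQL and the data separately, so the
// input is only ever compared as a value and cannot alter the query.
function findUser(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username, email FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- Cross-site scripting ----------------------------------------------------

// Vulnerable: untrusted data echoed straight into the HTML, so a name such as
// <script>alert(1)</script> runs in every visitor's browser.
function greetingVulnerable(string $name): string
{
    return "<p>Hello, $name</p>";
}

// Hardened: escape for the HTML context at output time. ENT_QUOTES also covers
// single-quoted attribute values; ENT_SUBSTITUTE avoids returning '' on bad UTF-8.
function greeting(string $name): string
{
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p>Hello, $safe</p>";
}

// --- Session hijacking / fixation --------------------------------------------

// Hardened session start: the session id travels only in a cookie (never in the
// URL), the cookie is HttpOnly and Secure, and strict mode refuses ids the server
// did not issue, which defeats the classic fixation attack of handing the victim
// a pre-chosen id.
function startSession(): void
{
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Rotate the id on login so an id observed before authentication is worthless
// afterwards; true deletes the old session data.
function loginUser(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

// --- Driver: run with `php example.php` (needs the pdo_sqlite extension) -------
if (PHP_SAPI === 'cli') {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)');
    $db->exec("INSERT INTO users (username, email) VALUES ('alice', 'alice@example.com')");

    $payload = "' OR '1'='1";                      // constructed attacker input
    var_dump(findUserVulnerable($db, $payload));   // alice's row: the clause is always true
    var_dump(findUser($db, $payload));             // NULL: nobody is literally named that

    echo greetingVulnerable('<script>alert(1)</script>'), PHP_EOL; // script tag intact
    echo greeting('<script>alert(1)</script>'), PHP_EOL;           // &lt;script&gt;...
    // startSession()/loginUser() belong in a web request (they send headers), so
    // they are defined but not called from the CLI driver.
}
```

The point of the driver is the contrast: the same attacker string returns alice’s row from the concatenated query and nothing from the prepared one, and the same script tag comes out of the hardened greeting as inert text. Escaping belongs at output time in the context being written to (HTML here); escaping on input is not a substitute, because the same value may later be written into SQL, HTML and JavaScript, each with different rules.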

CMS vs. Framework

About a year ago we decided to add to our development offerings and move into PHP-based web development. Up until then we had predominantly used Windows-based server-side technology (classic ASP, then ASP.NET and C#), mainly because a good number of our customers were using Windows hosting (IIS) and required us to follow suit. We have been happy to do this and still have many clients running web sites and applications on the .NET framework. However, for several key reasons, adding PHP to our core skills made sense for our business and for our clients. Here are just a few:

  • Recruitment: the majority of web design / new media courses include server-side modules and universities tend to use PHP; it is therefore easier to recruit a graduate who has already received some formal training and does not require re-skilling
  • Open standard: plenty of support and knowledge is available, plus cost benefits which we can pass on to our customers
  • Hosting: cost-effective web and database hosting
  • Rapid development: with the multitude of support and understanding out there we can quickly build upon other people’s ideas and knowledge

I’d be interested in other’s opinions / additions to this list. I am sure there are many.

Once we’d made the decision, we mulled over several options. One was to source a pre-made content management system, the other a PHP framework. Having looked at various CMSs we installed and trialled Drupal (http://drupal.org/). Our initial thought was that we could release CMS-driven sites quickly and easily and concentrate on the UI and front-end design. However, it became clear that, for a business so used to providing bespoke builds preceded by business analysis and design, we were not comfortable with having so much of the development control taken out of our hands, and that is how it felt with Drupal. Additionally, Drupal is all things to all men in the CMS world, but our belief is that our customers would prefer a little less complexity: we are used to building CMSs from the ground up so that our customers can perform the tasks they require easily and with minimal training. Our worry was that we would be delivering something that performed the task but was not quite what our customers were envisaging. I’d also say there was a danger of us losing part of what makes us good at what we do: sitting down with a customer, listening to what they want and then suggesting a solution impartially (i.e. using the best technology for the job).

So our search moved on and we researched several PHP frameworks, believing we could find a happy medium between from-the-ground-up development and an off-the-shelf CMS: the flexibility and freedom to offer fully bespoke, customised solutions, while still building rapidly and effectively from pre-built modules that can be plugged into our own business entities. Based on several recommendations and a good few months of trialling, we settled on CodeIgniter (http://codeigniter.com/) and began to build our own CMS around the framework. Thus far I am happy to report it is just the job and we have had a great deal of success. Soon we will post some more specific information about the projects involved.

Edit: Please note that we are now well into the first iteration of our CMS and our framework of choice is Zend Framework (version 1.11 so far). For reasons out of scope for this post, Zend ticked far more boxes.

New employee

On the 15th January 2009 we finally found a new member of staff after 9 months of rigorous interviews. We have been waiting a month for him to work his notice period, but our new developer, Vandon, started work for us today. He’s doing remarkably well for someone with slightly less experience than we had originally been looking for.

Friday feeling (x52)

Everyone must have had that project? The one that keeps on truckin’ right through the project deadline, right through the next week and, for whatever reason (and there are numerous legitimate ones), right through to a point when you don’t remember a time without it? I *think* we have just completed one of those projects and somehow, although there is relief that we may well get paid for our hard work, it’s left a hole where once it existed as a wee bit of code!

Anyhow, the project is pretty decent; it’s built as an ActionScript project compiled with Flex, and an example of it is posted online here.

One World, One Browser?

We are currently working on some CSS for a client who requested that the site be built to Triple-A conformance with the Web Content Accessibility Guidelines 1.0. For those who wish to know, these are W3C guidelines, and Triple-A conformance means satisfying all Priority 1, Priority 2 and Priority 3 checkpoints:

‘Conformance to these Guidelines will help make the Web more accessible to users with disabilities and will benefit all users.’

The site contains quite a bit of complexity and rich content and we have also built an interactive Flash component in AS3 for part of the site which requires alternative content.

We like to think we are pretty good at CSS and have built the site with all the prerequisites. The only trouble is that when it came to releasing a test version of the site to the client, he was using Internet Explorer 6 (at the time of posting this accounts for around 25% of all web browsers in use, so it cannot be ignored).

We have spent the day painstakingly going through the site page by page to make it look and function just as it does in Internet Explorer 7, Firefox (of course) and Safari.

This got us thinking about starting a campaign: “One World, One Browser”

(and of course let it be Firefox*)

You may well say that this is dictatorial, anti-competitive, unimaginative even. But after tonight, who cares.

JOIN US. WE ARE ONE.

PS: More info on Accessibility on W3C here

*NB: update; I’m now told, let it be Chrome.

Tracking with Google Analytics from Flash

Just a quick update on the Google Analytics work I have been doing in amongst writing a desktop application to detect proxy settings (maybe more on that later).

I have completed the move from the development to the live server and have implemented some code for Flash banners to call the Google Analytics JavaScript _trackPageview function. It’s really simple stuff, but as I have done two examples (one in ActionScript 2 and one in ActionScript 3) for the client to supply to the creative departments of advertisers (who usually create the banners and supply .gif or, in this case, .swf files), I thought I might as well post them. For those trying to find their way with ActionScript 3: a button click is now handled through an Event (MouseEvent.CLICK), and calling JavaScript in the page that embeds the Flash file is done through the ExternalInterface class (the old trick of passing a javascript: URL to getURL is gone, since getURL does not exist in AS3). One caveat: ExternalInterface only works if the embedding page’s allowScriptAccess parameter permits it. The default, sameDomain, requires the .swf to be served from the same domain as the page, and setting it to always lets any third-party banner run arbitrary JavaScript in your page, so treat that as the same trust decision as letting the advertiser inject a script tag. For example:

ExternalInterface.call("pageTracker._trackPageview", "/clks/adv/insert-name-here"); // AS3: pass the JavaScript function name and its argument separately

Replaces:

getURL("javascript:pageTracker._trackPageview('/clks/adv/insert-name-here');");

Anyways, here are the examples for download.

It’s basic but it might help someone :-)

Switching from Webtrends to Google Analytics

We have been working with a client on a website (www.modernselling.com) for sales-focused users for several years and have built a system to turn dynamically driven URLs (such as news.apx?pageid=xx) into SEO-friendly URLs (such as news/sales-news-headlines/insider-trading-arrests.aspx).

The client has spent hundreds of hours (and therefore thousands of pounds) struggling with the behemoth otherwise known as Webtrends 8a in order to filter the chaff traffic (robots and the like) from the valued traffic (actual users, referrals and actual advertising click rates). I won’t bore you with too much information, but Webtrends is ultimately an enterprise piece of software, and for smaller sites, start-ups and those with less time and budget (most of us) it is analogous to using a sledgehammer to crack a nut. One example: the installation documentation and the (US-based) support staff stress that the application must run on its own server with a recommended 4GB of RAM. This might be OK for some large businesses, but usually one dedicated server (hosting the website) already stretches the budget far enough for the aforementioned clientele, without the associated costs of purchasing or renting, managing and maintaining a further server simply to do a bit of traffic analysis!*

So for the past 6 months we have been assessing and testing what the FREE Google Analytics (www.google.com/analytics/) has to offer. I have to say that I am impressed! Instead of tediously running pre-configured profiles and reports (hours of setting up and hours of laborious database churning), AKA the Webtrends model, we can report on everything we need by utilising the JavaScript functions available within the latest Google Analytics script (ga.js). By defining rules for advert impressions, advert click-throughs and editorial outbound links and recording each as a virtual pageview through pageTracker._trackPageview(), we can capture all the statistics we need.

The good news is that the client can now simply search for a string in Google Analytics (such as ‘advert-name-click’) and it will return all the statistics related to click-throughs for that advert. He can then calculate his conversion rates, see which section of his website is most effective for a particular advert and use the system to bill his clients who are all happy with the statistics and reports because they come through Google.

Remember that if you call pageTracker._trackPageview() more than once on the same page (once for the real page view, then once per impression or click), each call is counted as a pageview. Keep the virtual paths under a distinct prefix (such as /clks/) and apply an exclude filter on the Request URI for that prefix, ideally in a separate profile since data removed by a filter cannot be recovered later, so that your overall page impression statistics are not skewed: you must filter out anything other than the real page impression.

More to follow on the detail…

*Note: in order for the client to return the required statistics through Webtrends we first had to write an ASP.NET desktop application to parse the raw log files and remove anything that looked like suspicious or robot traffic; he then set up filters and rules in Webtrends (one for each advertising campaign) and ran the parsed logs through.
