My Twitter

Basic PHP Security

March 27th, 2009

Saying “Don’t trust your users” would be a little over statement, but in the world of programming it’s the best mindset. Here are some really basic tips for programming in general (but mostly focusing on PHP).

Validate All Input

It’s very important to check all input to your script; a client could accidentally put a semi-colon in a field and possibly break your code. Always check that the user is posting what you expect. Here are some simple methods to validate input.

<?php
// Input must be a number
if(is_numeric($input)){
	echo 'Input is a number';
} else {
	echo 'Input is not a number';
}

// Input can only contain numbers and letters.
if(preg_match('/([^A-z0-9])/', $input)){
	echo 'Input does not contain only numbers and letters.';
} else {
	echo 'Input contains only numbers and letters.';
}

// Input must be an email
if(preg_match('/^([a-zA-Z0-9])+@([a-zA-Z0-9_-])+(\.[a-zA-Z0-9_-]+)+/', $input)){
	echo 'Email Is Valid.';
} else {
	echo 'Email Is Invalid.';
}
?>

Hash Passwords

Hashing passwords is mostly important from a privacy view point; if a hacker gets in they could sell your users details.

Use Sessions, not cookies

Never set sensitive data in cookies, users could edit them and potentially cause problems on your website. Instead use Sessions; they are a server side solution which is a little more secure.

<?php
session_start(); // Start the session. Always put this at the top of your html.

// Set some sessions
$_SESSION['name'] = 'Example 1';

// echo session data
echo $_SESSION['name'];
// Would return Example 1
?>

Read the rest of this entry »

No Comments »

Alternatives to CAPTCHA Image Verification

March 25th, 2009

CAPTCHA Image Verification is one of the worst ideas in the world from usability point of view, users with poor vision or who are fatigued may find complex CAPTCHA difficult.

stupid_captcha1The phrase “You what now?” comes to mind.

Here are some alternatives, which are a little more user friendly.

Logic Test

This method essentially asked your users to solve a simple puzzle, which a bot will find difficult, or CPU intensive to solve. In this simplified example, where we are going to ask the colour of the box (or the circle in the box).

logic_test_exampleFew users will find this test hard

The combination of differentiating between shapes and colours is quite easy for a human to do, but a computer can find this quite difficult. On the other hand though, this is quite work intensive for the programmer and unless you create a wide range of questions, you are a little limited.

View Example

Dummy Fields

In a nutshell, this puts a field which is hidden via CSS which requests a common piece of information (such as email, or message). If the field has been filled in, you can assume that a bot is being used.

Unfortunately, some modern browsers sometimes automatically fill in form for the user, which is a moderate problem.

View Example

Response Timer

This is another method which does not involve users having to do anything. The theory behind this method, is to see how long the user takes to submit the form. If the user takes a short amount of time, they are either super human, or bots. This is relatively full proof as most bots will instantly submit a form.

View Example

JavaScript Extra

This technique assumes that most bots are unable to use JavaScript, so making JavaScript write a little extra piece of information to the form should stop bots. According to the W3C 95% of users have JavaScript turned on, which is good.

View Example

Akismet

This is one of the best methods of stopping spam, essentially Akismet compare what your user has posted with other stuff posted all over the internet. For me, it’s never missed any piece of spam.

Conclusion

Is there a single alternative to do it all? No, but with a combination of all the methods we can reduce the overall amount of spam. In the next example I’ve combined all the above methods (minus Akismet) into a single file which assess weather a user is human on a point system (3 out of 4 will assume human). Feel free to copy it.

View Example | View Class File

2 Comments »

Twitter in a Nutshell

March 20th, 2009

twitter_in_a_nutshell

Click here to play Video

No Comments »

Securing Passwords in PHP

March 17th, 2009

Privacy on your website will be paramount to your success. In the world of application development, security can sometimes be overlooked (normally because accessibility is considered more important). Luckily, modern theories in coding mean we now can now be accessible and secure.

Hashing is a really simple technique to hide data using a one way encryption. It’s especially necessary when dealing with users passwords (In a recent study, 60% of respondents use a similar passwords). Here is an example of how to hash using the MD5 function:

<?php
$password = md5('password');
// $password will now return 5f4dcc3b5aa765d61d8327deb882cf99
?>

However, we can improve on this code. Many hackers now use Rainbow tables to reverse the one-way encryption (and thus find out the secret data). Luckily programmers have come up with a new technique to combat this…Adding a pinch of salt to a hash. In programming terms, a salt is essentially an extra piece of information we add to what the user input to make it unusual. Here is an example how to code this:

<?php
$salt = '%$£Salt_Here*(&^';
$password = md5('password'.$salt);
// $password will now return 5747563a265df7a3250884394c0a05e0
?>

Related Posts

PHP Security Consortium: Password Hashing
Essential PHP Security

2 Comments »

5 easy ways to improve the usability of your website

March 13th, 2009

Users are simple folk who are easily confused, as a designer or developer its core to our job to make our websites as easy to understand and use as possible. Here are 5 easy ways to improve the usability of your site.

Be Consistent

Having a similar layout across your website helps with user familiarisation, if the layout drastically changes the user will tend to assume they are on another website (users really are that silly, hence phishing scams doing so well).

An example of where most websites fail to be consistent is in add-on packages such as Blogs and Forums. In a recent survey by Full On Design a very high percentage of websites which used a readymade blog (Wordpress etc) or forum (PHPBB, MyBB etc) did not have a consistent layout.

Don’t send mixed/complex messages

247_support_offline_small24/7 support which is offline, this could confuse users.

As mentioned above, users get confused easily and a confused user is an unhappy user. Putting an excessive amount of information on a single page on a poorly constructed page can make a user think “this is not worth my time” and they will leave.

To fix this, quite simple check how your website reads with a 3rd party and condense your data into as few words as possible (but don’t lose the original message). Really good examples of websites which “get to the point” quickly are Facebook and Apple. Examples of websites which epically fail to get to the point are IBM and Bebo.

Check for errors

Having a big “Error: The code is rubbish” is a big “hack me, I’m an idiot” sign essentially. Make sure your website works the way you intend to before you release the code (This includes cross browser testing). Luckily most server side code has error suppression and client side coding has lots of cheat sheets.

If you are adjusting a large website with a large amount of PHP, consider looking into PHP’s built in Error Handling.

Breadcrumbs

Home page > Section page > Subsection page
Above is an example of breadcrumbs

Breadcrumbs are an easy way to tell users where they are, where they came from and in some cases where they are going. If you use Wordpress there is a really nice plug-in to create breadcrumbs for you.

Be Clear

breadcrumbs_1eBuyer is very clear about how many steps are left when purchasing stuff.

Remove as much clutter as you can and make sure that your website is easily read. Keep in mind; on the web it’s better to have less useful information than more useless information.

Useful Links

50 Web Usability Tips that Help You Attract and Retain Visitors to Your Website
Don’t Make Me Think!: A Common Sense Approach to Web Usability
9 Common Usability Mistakes In Web Design
Breadcrumbs In Web Design: Examples And Best Practices

2 Comments »

« First«89101112»Last »