Full On Design

Berkshire Based Web Development


Basic PHP Security

Saying “Don’t trust your users” would be a slight overstatement, but in the world of programming it’s the best mindset. Here are some really basic tips for programming in general (but mostly focusing on PHP).

Validate All Input

It’s very important to check all input to your script; a client could accidentally put a semi-colon in a field and possibly break your code. Always check that the user is posting what you expect. Here are some simple methods to validate input.

<?php
// Read the value to check (this example assumes a form field named "input").
$input = isset($_POST['input']) ? $_POST['input'] : '';

// Input must be a number
if (is_numeric($input)) {
	echo 'Input is a number';
} else {
	echo 'Input is not a number';
}

// Input can only contain numbers and letters.
// Note: the range A-z would also match [ \ ] ^ _ and `, so spell out both cases.
if (preg_match('/[^A-Za-z0-9]/', $input)) {
	echo 'Input does not contain only numbers and letters.';
} else {
	echo 'Input contains only numbers and letters.';
}

// Input must be an email (anchored at both ends so nothing extra can be appended).
if (preg_match('/^[a-zA-Z0-9]+@[a-zA-Z0-9_-]+(\.[a-zA-Z0-9_-]+)+$/', $input)) {
	echo 'Email Is Valid.';
} else {
	echo 'Email Is Invalid.';
}
?>

Hash Passwords

Hashing passwords is mostly important from a privacy viewpoint; if a hacker gets in, they could sell your users’ details.

Use Sessions, not cookies

Never store sensitive data in cookies; users can edit them and potentially cause problems on your website. Instead use sessions; they are a server-side solution, which is a little more secure.

<?php
session_start(); // Start the session. Call this before any output is sent to the browser.

// Store a value in the session (kept on the server, not in the browser)
$_SESSION['name'] = 'Example 1';

// Read the session data back
echo $_SESSION['name'];
// Would print Example 1
?>
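As an added example (not code from the post), here is the same “logged-in user” state kept the weak way, in a client-editable cookie, beside the session-based version the post recommends; the cookie and session key names are assumptions.

```php
<?php
// Added example: authorisation state in a cookie versus in a session.
session_start(); // before any output

// Weak: the browser owns this cookie, so anyone can set is_admin=1 themselves.
function is_admin_from_cookie() {
    return isset($_COOKIE['is_admin']) && $_COOKIE['is_admin'] === '1';
}

// Better: the role lives server-side; the browser only holds an opaque session id.
function login_user($user_id, $is_admin) {
    // Issue a fresh session id whenever privileges change, so an id handed to the
    // browser before login cannot be reused afterwards (session fixation).
    session_regenerate_id(true);
    $_SESSION['user_id']  = (int)$user_id;
    $_SESSION['is_admin'] = (bool)$is_admin;
}

function is_admin_from_session() {
    return !empty($_SESSION['is_admin']);
}

function logout_user() {
    $_SESSION = array();
    session_destroy();
}

// Usage on a protected page (assumed user id 42 for illustration):
login_user(42, false);
echo is_admin_from_session() ? 'admin area' : 'normal user area';
?>
```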


Alternatives to CAPTCHA Image Verification

CAPTCHA image verification is one of the worst ideas in the world from a usability point of view; users with poor vision or who are fatigued may find complex CAPTCHAs difficult.

[Image: stupid_captcha1] The phrase “You what now?” comes to mind.

Here are some alternatives, which are a little more user friendly.

Logic Test

This method essentially asks your users to solve a simple puzzle, which a bot will find difficult or CPU intensive to solve. In this simplified example, we ask for the colour of the box (or of the circle in the box).

[Image: logic_test_example] Few users will find this test hard.

The combination of differentiating between shapes and colours is quite easy for a human to do, but a computer can find it quite difficult. On the other hand, this is quite work intensive for the programmer, and unless you create a wide range of questions you are a little limited.

View Example

Dummy Fields

In a nutshell, this adds a field, hidden via CSS, which requests a common piece of information (such as an email address or a message). If the field has been filled in, you can assume that a bot is being used.

Unfortunately, some modern browsers sometimes automatically fill in forms for the user, which is a moderate problem.

View Example

Response Timer

This is another method which does not involve users having to do anything. The theory behind this method is to measure how long the user takes to submit the form. If the user takes a very short amount of time, they are either superhuman or a bot. This is relatively foolproof, as most bots will submit a form instantly.

View Example

JavaScript Extra

This technique assumes that most bots are unable to run JavaScript, so having JavaScript write an extra piece of information into the form should stop them. According to the W3C, 95% of users have JavaScript turned on, which is good.

View Example

Akismet

This is one of the best methods of stopping spam; essentially Akismet compares what your user has posted with other content posted all over the internet. For me, it’s never missed any piece of spam.

Conclusion

Is there a single alternative that does it all? No, but with a combination of all the methods we can reduce the overall amount of spam. In the next example I’ve combined all the above methods (minus Akismet) into a single file which assesses whether a user is human on a points system (3 out of 4 points assumes human). Feel free to copy it.

View Example | View Class File
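As an added example (not the post’s own class file), here is one way to combine the four checks above into a points system with the 3-out-of-4 threshold the post describes; the field names, the 3-second minimum, and the fixed logic-test answer are assumptions.

```php
<?php
// Added example: point-based human check combining dummy field, response timer,
// JavaScript extra and logic test. Session holds the server-side state.
class HumanCheck {
    const MIN_SECONDS = 3;     // submissions faster than this look automated
    const REQUIRED_POINTS = 3; // 3 of 4 checks passed counts as human

    // Call when rendering the form. Returns the token JavaScript must copy into
    // the hidden "js_token" field.
    public static function prepareForm() {
        $_SESSION['form_started'] = time();
        $_SESSION['js_token']     = bin2hex(random_bytes(16));
        $_SESSION['logic_answer'] = 'red'; // answer to "What colour is the box?"
        return $_SESSION['js_token'];
    }

    // Call on submit with the posted fields. Returns points scored out of 4.
    public static function score(array $post) {
        $points = 0;
        // 1. Dummy field ("website", hidden via CSS) must stay empty.
        if (empty($post['website'])) { $points++; }
        // 2. Response timer: enough time must have passed since the form was shown.
        $started = isset($_SESSION['form_started']) ? (int)$_SESSION['form_started'] : 0;
        if ($started > 0 && time() - $started >= self::MIN_SECONDS) { $points++; }
        // 3. JavaScript extra: token written by JS must match the one we issued.
        if (isset($post['js_token'], $_SESSION['js_token'])
            && hash_equals($_SESSION['js_token'], (string)$post['js_token'])) { $points++; }
        // 4. Logic test: user's answer must match the expected one.
        if (isset($post['logic'], $_SESSION['logic_answer'])
            && strtolower(trim($post['logic'])) === $_SESSION['logic_answer']) { $points++; }
        return $points;
    }

    public static function isHuman(array $post) {
        return self::score($post) >= self::REQUIRED_POINTS;
    }
}

session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    echo HumanCheck::isHuman($_POST) ? 'Looks human' : 'Looks automated';
} else {
    $token = HumanCheck::prepareForm();
    // Render the form here: visible fields, a CSS-hidden "website" input,
    // a hidden "js_token" input that JavaScript fills with $token, and "logic".
}
?>
```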

Securing Passwords in PHP

Privacy on your website will be paramount to your success. In the world of application development, security can sometimes be overlooked (normally because accessibility is considered more important). Luckily, modern theories in coding mean we now can now be accessible and secure.

Hashing is a really simple technique to hide data using a one-way encryption. It’s especially necessary when dealing with users’ passwords (in a recent study, 60% of respondents use similar passwords). Here is an example of how to hash using the MD5 function:

<?php
$password = md5('password');
// $password will now return 5f4dcc3b5aa765d61d8327deb882cf99
?>

However, we can improve on this code. Many hackers now use rainbow tables to reverse the one-way encryption (and thus find out the secret data). Luckily, programmers have come up with a technique to combat this: adding a pinch of salt to the hash. In programming terms, a salt is essentially an extra piece of information we add to what the user input to make it unusual. Here is an example of how to code this:

<?php
$salt = '%$£Salt_Here*(&^';
$password = md5('password'.$salt);
// $password will now return 5747563a265df7a3250884394c0a05e0
?>
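As an added example (not code from the post): with the single site-wide salt shown above, two users who pick the same password end up with the same hash. A random per-user salt avoids that. This example uses PHP’s built-in password_hash() and password_verify() (PHP 5.5 and later), which generate the random salt and apply a deliberately slow algorithm (bcrypt by default) in place of MD5.

```php
<?php
// Added example: one site-wide salt (as in the post) versus a random per-user salt.
// password_hash() stores the salt and algorithm inside the returned string,
// so only that string needs saving in the database.

// The post's approach: every user shares the same salt.
function fixed_salt_hash($password, $salt) {
    return md5($password . $salt);
}

// Per-user salt: password_hash() draws a fresh random salt on every call.
function make_password_hash($password) {
    return password_hash($password, PASSWORD_DEFAULT);
}

// Checks a login attempt against the stored string.
function check_password($password, $stored_hash) {
    return password_verify($password, $stored_hash);
}

$salt  = '%$£Salt_Here*(&^';   // the salt from the post
$alice = fixed_salt_hash('password', $salt);
$bob   = fixed_salt_hash('password', $salt);
// Same password and same salt give the same hash, so cracking one entry reveals both.
echo 'Fixed salt: hashes ' . ($alice === $bob ? 'match' : 'differ') . PHP_EOL;

$alice = make_password_hash('password');
$bob   = make_password_hash('password');
echo 'Per-user salt: hashes ' . ($alice === $bob ? 'match' : 'differ') . PHP_EOL;
echo 'Correct password accepted: ' . (check_password('password', $alice) ? 'yes' : 'no') . PHP_EOL;
echo 'Wrong password accepted: ' . (check_password('Password', $alice) ? 'yes' : 'no') . PHP_EOL;
?>
```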

Related Posts

PHP Security Consortium: Password Hashing
Essential PHP Security

5 easy ways to improve the usability of your website

Users are simple folk who are easily confused; as designers or developers, it’s core to our job to make our websites as easy to understand and use as possible. Here are 5 easy ways to improve the usability of your site.

Be Consistent

Having a similar layout across your website helps with user familiarisation; if the layout changes drastically, the user will tend to assume they are on another website (users really are that silly, hence phishing scams doing so well).

An example of where most websites fail to be consistent is in add-on packages such as blogs and forums. In a recent survey by Full On Design, a very high percentage of websites which used a ready-made blog (WordPress etc.) or forum (phpBB, MyBB etc.) did not have a consistent layout.

Don’t send mixed/complex messages

[Image: 247_support_offline_small] 24/7 support which is offline; this could confuse users.

As mentioned above, users get confused easily, and a confused user is an unhappy user. Putting an excessive amount of information on a single, poorly constructed page can make a user think “this is not worth my time”, and they will leave.

To fix this, simply check how your website reads with a third party and condense your content into as few words as possible (but don’t lose the original message). Really good examples of websites which “get to the point” quickly are Facebook and Apple. Examples of websites which epically fail to get to the point are IBM and Bebo.

Check for errors

A big “Error: The code is rubbish” message is essentially a big “hack me, I’m an idiot” sign. Make sure your website works the way you intend before you release the code (this includes cross-browser testing). Luckily, most server-side code has error suppression and client-side coding has lots of cheat sheets.

If you are adjusting a large website with a large amount of PHP, consider looking into PHP’s built in Error Handling.

Breadcrumbs

Home page > Section page > Subsection page
Above is an example of breadcrumbs

Breadcrumbs are an easy way to tell users where they are, where they came from and in some cases where they are going. If you use WordPress there is a really nice plug-in to create breadcrumbs for you.

Be Clear

[Image: breadcrumbs_1] eBuyer is very clear about how many steps are left when purchasing stuff.

Remove as much clutter as you can and make sure that your website is easily read. Keep in mind: on the web it’s better to have less useful information than more useless information.

Useful Links

50 Web Usability Tips that Help You Attract and Retain Visitors to Your Website
Don’t Make Me Think!: A Common Sense Approach to Web Usability
9 Common Usability Mistakes In Web Design
Breadcrumbs In Web Design: Examples And Best Practices