October 28th, 2008
- If you put $_GET or $_POST values into a MySQL query, escape them with mysql_real_escape_string and place the result inside quotes in the query.
- When displaying user-submitted content from the database, apply htmlentities before it is output.
SQL Injection - mysql_real_escape_string()
Using mysql_real_escape_string stops malicious input from breaking out of the string literal it was meant to fill. The single quote ' delimits string literals in SQL, so when one appears inside a parameter it can terminate the literal early and change the meaning of the query. mysql_real_escape_string escapes the quote ' so it becomes \' (it does the same for backslash, NUL, newline and a few other characters); MySQL then reads the quote as data rather than as a delimiter, and the value can safely be placed inside a quoted literal, which is also the normal way to store a quote in the database. Two caveats: the function needs an open MySQL connection, because it escapes according to the connection's character set, and it only protects values that are wrapped in quotes in the query. An unquoted number such as WHERE id = $id gains nothing from escaping; cast it to the expected type instead. Prepared statements (mysqli or PDO) avoid the problem entirely by sending the values separately from the query text.
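The following is an added example, not code from the original post. It builds the query text with raw input, with escaped input, and with an unquoted numeric parameter, so the effect of each can be seen, and ends with a mysqli prepared statement. Because mysql_real_escape_string() needs a live MySQL connection, the helper escapeLikeMysql() only reproduces its escaping rules for illustration and is not the library function; findUser() and the users(id, username) table it queries are assumptions, and every input value is constructed for the demo.

```php
<?php
// Added example, not code from the original post. It shows what the attacker's
// quote does to the query text, what escaping changes, and the case escaping
// cannot fix. mysql_real_escape_string() needs an open MySQL connection (it
// escapes according to the connection's character set), so escapeLikeMysql()
// below only reproduces its escaping rules for illustration; in real code call
// the library function. All inputs are constructed for the demo.

function escapeLikeMysql(string $value): string {
    // The characters mysql_real_escape_string() prefixes with a backslash.
    return strtr($value, [
        "\0"   => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        "\\"   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ]);
}

function queryWithRawInput(string $username): string {
    // Vulnerable: the value is pasted straight into the query text, so a quote
    // in $username closes the literal and whatever follows is parsed as SQL.
    return "SELECT * FROM users WHERE username = '" . $username . "'";
}

function queryWithEscapedInput(string $username): string {
    // Escaped and wrapped in quotes: the quote is now part of the literal.
    return "SELECT * FROM users WHERE username = '" . escapeLikeMysql($username) . "'";
}

function queryNumericUnquoted(string $id): string {
    // Escaping does nothing useful here: there is no quote to break out of,
    // so "1 OR 1=1" is still read as a boolean expression.
    return "SELECT * FROM users WHERE id = " . escapeLikeMysql($id);
}

function queryNumericSafe(string $id): string {
    // For an unquoted number, cast to the expected type instead of escaping.
    return "SELECT * FROM users WHERE id = " . (int) $id;
}

// Prepared statements avoid quoting altogether: the query text and the values
// travel separately, so a value is never parsed as SQL. Assumes $db is an
// open mysqli connection to a database with a users(id, username) table.
function findUser(mysqli $db, string $username): ?array {
    $stmt = $db->prepare("SELECT id, username FROM users WHERE username = ?");
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row ?: null;
}

$attack = "' OR '1'='1";
echo queryWithRawInput($attack), "\n";      // the WHERE clause now matches every row
echo queryWithEscapedInput($attack), "\n";  // matches only a user literally named ' OR '1'='1

$numericAttack = "1 OR 1=1";
echo queryNumericUnquoted($numericAttack), "\n";  // escaping left the expression intact
echo queryNumericSafe($numericAttack), "\n";      // the cast keeps only the leading number
```

Run it from the command line to compare the four query strings; the first two show the quote problem the section describes, the last two show that escaping is tied to quoted literals and that numeric parameters need a type check rather than escaping.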
XSS - Htmlentities()
htmlentities turns characters that are special in HTML into their equivalent HTML entities. This lets JavaScript code be shown on a page as text without the browser executing it. If a user enters some JavaScript into a form on your site and you display it back to them unaltered, the browser will execute it, leaving you open to a cross-site scripting (XSS) attack.
If I enter this into a form field on a web site:
<script>alert("Your site executed my code. Thanks");</script>
and the next page displays it without applying htmlentities, the browser will execute it and pop open an alert message box.
The consequences are worse if the input is stored and displayed again to another user (stored XSS). In this example that user would also see the alert box, but the script runs in that user's session on your site, so it can read the cookies and other private data the browser holds for that user and make requests to your site as them.
An HTML entity is a textual representation of a character; for example the entity for the less-than sign < is &lt;. Applying htmlentities() replaces the special characters in the above JavaScript with their entities to give:
&lt;script&gt;alert(&quot;Your site executed my code&quot;);&lt;/script&gt;
When the browser encounters this it decodes the entities and displays the text in its original form, but as text, without executing the JavaScript it represents. Pass ENT_QUOTES and the page's character set explicitly so single quotes are encoded too; with the older default (ENT_COMPAT) a value placed inside a single-quoted attribute can still break out of it.
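The following is an added example, not code from the original post. It encodes the script payload from the section with htmlentities() for element content and for an attribute value, then shows the single-quote edge case by rendering the same attribute with ENT_COMPAT and with ENT_QUOTES. The render functions and the payloads are assumptions constructed for the demo.

```php
<?php
// Added example, not code from the original post. It encodes the script from
// the text above with htmlentities(), then shows the single-quote edge case:
// with ENT_COMPAT (the default before PHP 8.1) single quotes are left alone,
// so a value inside a single-quoted attribute can still break out. Inputs are
// constructed for the demo.

function escapeHtml(string $value): string {
    // ENT_QUOTES encodes both ' and "; ENT_SUBSTITUTE replaces invalid UTF-8
    // instead of returning an empty string; the charset must match the page.
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderComment(string $comment): string {
    // Element content: the encoded text is displayed, never parsed as a tag.
    return '<p class="comment">' . escapeHtml($comment) . '</p>';
}

function renderSearchBox(string $term): string {
    // Attribute value: safe with the same function because quotes are encoded,
    // so $term cannot close the attribute.
    return "<input type='text' name='q' value='" . escapeHtml($term) . "'>";
}

function renderSearchBoxCompat(string $term): string {
    // Same markup with ENT_COMPAT: ' passes through unchanged, so $term can
    // close the attribute and append an event handler.
    return "<input type='text' name='q' value='" . htmlentities($term, ENT_COMPAT, 'UTF-8') . "'>";
}

$script = '<script>alert("Your site executed my code. Thanks");</script>';
echo renderComment($script), "\n";

$attrPayload = "' onmouseover='alert(1)";
echo renderSearchBoxCompat($attrPayload), "\n";  // still injectable
echo renderSearchBox($attrPayload), "\n";        // attribute stays closed
```

Run it from the command line and compare the two input tags: the ENT_COMPAT version contains a second quote followed by an onmouseover attribute, while the ENT_QUOTES version keeps the whole payload inside the value.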
Tags: Security
Posted in PHP | 3 Comments »
August 19th, 2008
Hello, this post gives an overview of .NET, then describes how to get from nothing to a database-enabled web site using .NET in as few steps as possible. The end result will be quite basic, but the aim is to write a series of posts that compare the minimal get-up-and-go process with competing technologies such as PHP and ColdFusion.
The intended audience is the mass of PHP developers out there who use LAMP (Linux, Apache, MySQL and PHP) and want an overview of the .NET thing; anyone who has an interest in .NET but no knowledge of it might also find this post useful.
Tags: .NET, ASP.NET, C#, SQL Server Express 2008, Visual Studio Express 2008
Posted in ASP.NET | 2 Comments »
July 11th, 2008
Recently I have been evaluating some of the open source flash 3D engines. I checked out Papervision3D, Sandy3D and Away3D. These are large full featured engines however there is also Five3D which allows you to render smooth shapes and text.
Full Browser 3D with Flash ActionScript3.0
I was thinking about how great it would be to have a full web page that looks just like a normal HTML page but is in fact a full-browser 3D Flash page. The aim would be to briefly trick an HTML/CSS purist before unleashing some 3D trickery. Anyway, I downloaded the Five3D library and expanded one of the examples to recreate my blog in 3D.
Tags: 3D Blog, AS3, example, Five3D, tutorial
Posted in ActionScript3.0, Flash 3D | 4 Comments »
July 7th, 2008
This post describes some of the differences I have stumbled over whilst working with actionscript 3.0 and Flash CS3 compared to earlier versions.
It starts with Export for Actionscript
In AS2, if you wanted to access the properties of an instance on the stage from code, you had to ensure that the "export for actionscript" checkbox was selected in the linkage properties for that MovieClip in the library. If it wasn't, your code wouldn't see the instance and would fail silently. This was pretty confusing at first, and even once you got used to it there would be times that it would still catch you out.
Tags: actionscript, ActionScript3.0, AS3, export for actionscript, extends, MovieClip, polymorphism
Posted in ActionScript3.0 | 11 Comments »
June 29th, 2008
Writing your first Actionscript 3.0 application with Flash CS3. Here is the quick guide to get the basics set up.
First create a fla. You can name this whatever you like. Maybe myFirstApp.fla. At this point you could start writing code directly into a timeline frame however best practice is to define a document class.
The document class can be specified by entering the name of a class into the property panel for the document. This is the same place where you would specify the size of your swf. Think of a name for your document class, maybe: myFirstApp. The document class doesn't have to have the same name as your main fla; there is no link between them.
Tags: actionscript, ActionScript3.0, AS3, Class, Document Class, Flash CS3, Object Oriented, Setup
Posted in ActionScript3.0 | No Comments »
June 15th, 2008
Hello, you are reading my very first blog post. I've just completed the famous 5 minute install of WordPress and it is working. Hurrah!!
I'm thinking about updating datafake since it has had the same Flash content on it for the last 2 years, currently an AS2 Jet Set Willy clone and some other knick-knacks.
I'm thinking that I would like to put up some AS3 thing that will let people litter the site with text, and also make it look nice.
Posted in Web Development | No Comments »