The Datafake Blog

PHP Security - Avoid SQL Injection and XSS Attacks

October 28th, 2008
  • If a $_GET or $_POST value is used in a MySQL query, escape it with mysql_real_escape_string() (or, better, bind it as a parameter of a prepared statement).
  • When displaying user-submitted content from the database, apply htmlentities() before it is output.

SQL Injection - mysql_real_escape_string()

mysql_real_escape_string() stops a malicious input from breaking out of the SQL string literal it is placed in. The single quote ' is a reserved character in SQL: it delimits string literals, so when it appears inside a parameter it can end the literal early and change the meaning of the query. mysql_real_escape_string() escapes the quote ' as \' (and likewise the backslash, NUL, newline and carriage return), so MySQL treats it as ordinary data inside the literal rather than as a delimiter, and the value can safely be used as a parameter, for example to insert a quote into the DB. Two caveats: escaping only protects values that are wrapped in quotes in the query (a bare numeric parameter such as WHERE id = $id has no quotes to break out of and must be cast or validated separately), and the mysql_* extension was deprecated in PHP 5.5 and removed in PHP 7, so current code should use mysqli_real_escape_string() or, better, a prepared statement with bound parameters.
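The following is an added example, not code from the original post: it puts the vulnerable query next to the escaped version, shows the numeric case that escaping does not cover, and ends with the prepared-statement form. The connection details, the users table and the attacker strings are assumptions constructed for illustration.

```php
<?php
// Added example (not from the original post). The connection details and the
// table name (users) are assumptions for illustration.
$db = new mysqli('localhost', 'app', 'secret', 'appdb');
$db->set_charset('utf8mb4');   // the escaping rules depend on the charset

// Constructed attacker input: closes the string literal and appends a
// condition that is always true.
$name = "' OR '1'='1";

// VULNERABLE: the quote in $name ends the literal early, so the query becomes
//   SELECT * FROM users WHERE name = '' OR '1'='1'
$vulnerable = "SELECT * FROM users WHERE name = '$name'";

// Escaped: mysqli_real_escape_string() (the replacement for the removed
// mysql_real_escape_string()) turns ' into \', keeping it inside the literal:
//   SELECT * FROM users WHERE name = '\' OR \'1\'=\'1'
$safeName = $db->real_escape_string($name);
$escaped  = "SELECT * FROM users WHERE name = '$safeName'";

// Escaping does NOT help in a numeric context: there are no quotes to break
// out of, so the escaped value is still injected as SQL.
$id = "1 OR 1=1";
$stillVulnerable = "SELECT * FROM users WHERE id = " . $db->real_escape_string($id);
// Cast (or validate) numeric input instead; (int) "1 OR 1=1" is 1.
$idSafe  = (int) $id;
$numeric = "SELECT * FROM users WHERE id = $idSafe";

// Preferred: a prepared statement. The value travels separately from the
// query text, so it can never be parsed as SQL whatever it contains.
$stmt = $db->prepare('SELECT * FROM users WHERE name = ?');
$stmt->bind_param('s', $name);
$stmt->execute();
$rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
```

The prepared statement needs no escaping at all because the parameter is never concatenated into the query string; that is why it is the default choice in current PHP rather than a fallback.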

XSS - htmlentities()

htmlentities() converts characters that have a special meaning in HTML into their equivalent HTML entities. This allows JavaScript code to be displayed on a page as text without the browser executing it. If a user enters some JavaScript into a form on your site and you display it back to them unaltered, the browser will run it, leaving you open to a cross-site scripting (XSS) attack.

If I enter this into a form field on a web site:

<script>alert("Your site executed my code. Thanks");</script>

and the next page displays it without applying htmlentities, the browser will execute it and pop open an alert message box.

The consequences are worse if the input is stored and displayed again to another user (stored XSS). In this example that user would also see the alert message box pop open, but the script runs with the full privileges of your page in that user's browser: it can read the cookies and other private data the browser stores for your site and act on the site as that user.

An HTML entity is a textual representation of a character; for example the entity for the less-than sign < is &lt;. Applying htmlentities() to the JavaScript above replaces the special characters with their entities to give:

&lt;script&gt;alert(&quot;Your site executed my code. Thanks&quot;);&lt;/script&gt;

When the browser encounters this it decodes the entities and displays the text in its original form, but as text rather than markup, so the script it spells out is never executed. Pass ENT_QUOTES and the page's charset (normally 'UTF-8') so that single quotes are encoded too; PHP versions before 8.1 leave them alone by default, which matters when the value is placed inside a single-quoted attribute.
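The following is an added example, not code from the original post. It wraps htmlentities() in a small output-encoding helper (the name e() is an assumption) and runs the post's payload through it, along with a constructed attribute-context payload that the pre-8.1 default flags would not neutralise.

```php
<?php
// Added example (not from the original post): encoding untrusted input for
// HTML output. The helper name e() and the $input strings are assumptions
// constructed for illustration.

function e(string $s): string
{
    // ENT_QUOTES encodes both " and ' so the value is safe inside single- and
    // double-quoted attributes; ENT_SUBSTITUTE replaces invalid UTF-8 bytes
    // instead of returning an empty string; the charset must match the page.
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The payload from the post: the tags are encoded, so the browser shows the
// text instead of running the script.
$input = '<script>alert("Your site executed my code. Thanks");</script>';
echo '<p>' . e($input) . '</p>', "\n";
// <p>&lt;script&gt;alert(&quot;Your site executed my code. Thanks&quot;);&lt;/script&gt;</p>

// Attribute context: with the pre-PHP-8.1 default flags (ENT_COMPAT) the
// single quote is left as-is, so this payload would close the value and add
// an event handler. With ENT_QUOTES it becomes &#039; and stays inert.
$input = "x' onmouseover='alert(1)";
echo "<input value='" . e($input) . "'>", "\n";
// <input value='x&#039; onmouseover=&#039;alert(1)'>

// htmlentities() is only the right encoding for HTML text and attribute
// values. A value placed inside a <script> string or a URL needs that
// context's own encoding (json_encode() or rawurlencode()), not this one.
```

Keep the encoding at the point of output rather than on the way into the database: the stored value stays intact for other uses (search, export, a JSON API), and every template that prints it is responsible for applying the encoding that fits its context.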

ASP.NET Introduction - Quick Start Tutorial

August 19th, 2008

Hello, this post gives an overview of .NET, then describes how to get from nothing to a database-enabled web site using .NET in as few steps as possible. The end result will be quite basic, but the aim is to write a series of posts that will compare this minimal get-up-and-go process with competing technologies such as PHP and ColdFusion.

The intended audience is the mass of PHP developers out there that use LAMP (Linux, Apache, MySQL and PHP) and want an overview of the .NET thing; anyone who has an interest in .NET but no knowledge of it might also find this post useful.

Full Browser Flash Blog with Five3D

July 11th, 2008

Recently I have been evaluating some of the open source Flash 3D engines. I checked out Papervision3D, Sandy3D and Away3D. These are large, full-featured engines; there is also Five3D, which allows you to render smooth shapes and text.

Full Browser 3D with Flash ActionScript3.0

I was thinking about how great it would be to have a full web page that looks just like a normal HTML page but is in fact a full-browser 3D Flash page. The aim would be to briefly trick an HTML/CSS purist before unleashing some 3D trickery. Anyway, I downloaded the Five3D library and expanded one of the examples to recreate my blog in 3D.

The Library, Classes and MovieClips in AS3

July 7th, 2008

This post describes some of the differences I have stumbled over whilst working with ActionScript 3.0 and Flash CS3 compared to earlier versions.

It starts with Export for Actionscript

In AS2, if you wanted to access the properties of an instance on the stage from code, you had to ensure that the "export for ActionScript" checkbox was selected in the linkage properties for that MovieClip in the library. If it wasn't, your code wouldn't see the instance and would fail silently. This was pretty confusing at first, and even once you got used to it there would be times that it would still catch you out.

AS3 Basic Setup

June 29th, 2008

Writing your first ActionScript 3.0 application with Flash CS3: here is the quick guide to getting the basics set up.

First create a .fla. You can name this whatever you like, maybe myFirstApp.fla. At this point you could start writing code directly into a timeline frame; however, best practice is to define a document class.

The document class is specified by entering the name of a class into the property panel for the document, the same place where you specify the size of your SWF. Think of a name for your document class, maybe myFirstApp. The document class doesn't have to have the same name as your main .fla; there is no link between them.

My first blog post

June 15th, 2008

Hello, you are reading my very first blog post. I've just completed the famous 5 minute install of WordPress and it is working. Hurrah!!

I'm thinking about updating datafake since it has had the same Flash content on it for the last 2 years, currently an AS2 jetsetwilly clone and some other knick-knacks.

Am thinking that I would like to put up some AS3 thing that will let people litter the site with text, and also make it look nice.