Baratta Design

You are not Authorised to View Problem
Joomla Training
Written by Daryl Baratta   
Friday, 26 October 2007

Seeing the message "You are not authorised to view this resource, you need to login" does not necessarily mean there is a problem with your site. If your site has content that requires logging in before an article can be viewed, it is normal to see this message, and most Joomla users realize they will see it when they try to access registered content items.

However, there may come a time when you are logged in, or you are the administrator, and you still get the 'not authorised to view' message.

What are Magic quotes?
Joomla Training
Written by Daryl Baratta   
Thursday, 20 September 2007

Magic quotes are a controversial feature of the PHP scripting language, intended to help prevent inexperienced developers from writing code which is vulnerable to SQL injection attacks.

Concept

The rationale behind magic quotes is to "help code written by beginners from being dangerous."[1] Single quotes, double quotes, backslashes and null characters in all user-supplied data have a backslash prepended to them before the data is passed to the script in the $_GET, $_POST and $_COOKIE global variables. Developers can then, in theory, safely use string concatenation to construct SQL queries from data provided by the user.

Criticism

Magic quotes are enabled by default in new installations of PHP, and since they operate behind the scenes and are not immediately obvious, developers may be unaware of their existence and of the problems they can introduce. The PHP documentation points out several pitfalls and recommends that, despite being enabled by default, they be disabled.[2]

Problems with magic quotes include:

  • Not all data that is supplied by the user is intended for insertion into a database. It may be rendered directly to the screen, stored in a session, or previewed before saving. This can result in backslashes being added where they are not wanted and being shown to the end user. This bug often creeps in even in widely used software.[3]
  • Not all data that is supplied by the user and used in a database query is obtained directly from sources protected by magic quotes. For instance, a user-supplied value might be inserted into a database -- protected by magic quotes -- and later retrieved from the database and used in a subsequent database operation. The latter use is not protected by magic quotes, and a naive programmer used to relying on them may be unaware of the need to protect it explicitly.
  • Magic quotes also use the generic functionality provided by PHP's addslashes() function, which is not Unicode aware and still subject to SQL injection vulnerabilities in some multi-byte character encodings. Database-specific functions such as mysql_real_escape_string() or, where possible, prepared queries with bound parameters are preferred.[4][5]
  • Portability is an issue if an application is coded with the assumption that magic quotes are enabled and is then moved to a server where they are disabled.
  • Adding magic quotes and subsequently removing them where appropriate incurs a small but unnecessary performance overhead.
  • Magic quotes do not protect against other common security vulnerabilities such as cross-site scripting attacks or SMTP header injection attacks.

In November 2005 the core PHP developers decided on account of these problems that the magic quotes feature would be removed from PHP 6.[6]

Other approaches

  • Some languages such as Perl[7] and Ruby[8] opt for an approach involving data tainting, where data from untrusted sources, such as user input, is considered "tainted" and can not be used for dangerous operations until explicitly marked as trustworthy, usually after validation and/or encoding. Since the construction of SQL queries is considered "dangerous" in this context, this forces the programmer to address the problem. Tainting does not solve the problem, but it does highlight those instances where there is a problem so that the programmer is able to solve them appropriately.
  • Joel Spolsky has suggested using a form of Hungarian notation that indicates whether data is safe or unsafe.[9]
  • Modern database engines and libraries use parametrised queries to pass data to the database separately from SQL commands, greatly reducing the need to escape data before constructing the queries.
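As an added example that is not part of the Wikipedia text above, the following PHP script shows two of the pitfalls listed under Criticism (double escaping of displayed data, and data read back from the database that magic quotes never touched) together with the parametrised-query approach from the last bullet. It assumes PHP with PDO and its SQLite driver; the request data, the table and the simulated magic-quotes flag are constructed here.

```php
<?php
// Added example, not from the original article. Assumes PHP with PDO and
// the SQLite driver; request data and table are constructed for the demo.

// What PHP hands a script under magic_quotes_gpc=On: the user typed
// O'Reilly but $_POST holds O\'Reilly (constructed sample input).
$_POST['author'] = "O\\'Reilly";
$_POST['body']   = "Said \\\"hi\\\" and left";

// Undo the automatic escaping once, recursively, so the rest of the script
// sees raw values whatever php.ini says. In a real script the condition is
// function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
// the function is deprecated in PHP 7.4 and removed in PHP 8.
function strip_magic_quotes(&$value) {
    if (is_array($value)) {
        foreach ($value as &$v) { strip_magic_quotes($v); }
        unset($v);
    } else {
        $value = stripslashes($value);
    }
}
$magic_quotes_on = true; // constructed flag, matching the pre-escaped sample above
if ($magic_quotes_on) {
    strip_magic_quotes($_POST);
    strip_magic_quotes($_GET);
    strip_magic_quotes($_COOKIE);
}
$author = $_POST['author']; // raw again: O'Reilly
$body   = $_POST['body'];

// First pitfall: data that is displayed (preview, session, error page) must
// not be SQL-escaped; the user would see the backslash. HTML-encode instead.
echo addslashes($author), "\n";                            // stray backslash shown to the user
echo htmlspecialchars($author, ENT_QUOTES, 'UTF-8'), "\n"; // correct for HTML output

// Parametrised query: data and SQL travel separately, so no escaping
// function is involved, whatever the magic-quotes setting or character set.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (author TEXT, body TEXT)');
$ins = $pdo->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
$ins->execute([':author' => $author, ':body' => $body]);

// Second pitfall: a value read back is raw and was never touched by magic
// quotes, so reusing it in another query needs binding just the same.
$stored = $pdo->query('SELECT author FROM comments')->fetchColumn();
$count  = $pdo->prepare('SELECT COUNT(*) FROM comments WHERE author = ?');
$count->execute([$stored]);
echo "stored: $stored, matching rows: ", $count->fetchColumn(), "\n";
```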

References

  1. PHP: Why use magic quotes? PHP documentation. Retrieved 2007-02-19.
  2. PHP: Why not to use magic quotes. PHP documentation. Retrieved 2007-02-19.
  3. Quotation marks are double escaped when editing a comment. WordPress issue tracker. Retrieved 2007-02-19.
  4. Chris Shiflett. addslashes() versus mysql_real_escape_string(). Retrieved 2007-02-19.
  5. MySQL AB. Changes in release 5.0.22 (24 May 2006). MySQL 5.0 Reference Manual. Retrieved 2007-02-19.
  6. PHP Group (2005-11-12). Minutes, PHP Developers Meeting. Retrieved 2007-02-19.
  7. Dan Ragle (2006-04-18). Introduction to Perl's Taint Mode. webreference.com. Retrieved 2007-03-21.
  8. Locking Ruby in the Safe. Programming Ruby. Retrieved 2007-03-21.
  9. Joel Spolsky (2005-05-11). Making Wrong Code Look Wrong. Joel on Software: Painless Software Management. Retrieved 2007-02-19.
© This material from Wikipedia is licensed under the GFDL.
Joomla Registration Problem Broken Email
Joomla Training
Written by Daryl Baratta   
Saturday, 08 September 2007

A user trying to register at one of my sites forwarded his registration email to me this morning. It was not showing any personalization, NAME appeared literally as [NAME], and the validation link was blank. The email was broken, so I started looking for the problem. After a few hours of checking the site and doing some test sign-ups I was not able to find the problem, so I upgraded the whole site to the newest Joomla and all the latest Community Builder extensions and its extra plugins, captcha etc.

Well, that didn't change anything: the registration process was still sending out broken emails with no link to confirm and validate the registered user's email address, and no personalization. After an hour of searching Community Builder's forum boards I stumbled across a post about the problem I was having. It's not easy to find a problem like this when you are using 'Registration problem' as your search string; these words bring back a huge number of topics.

Finally I spotted my exact issue, 'Broken Email'. It turned out to be the Jom Comment component that was breaking the Joomla registration process; it had nothing to do with Community Builder. After downloading the newest version of Jom Comment (Pro in my case) the registration process works correctly again!

If you end up with registration emails being sent out that look like the one below, you may have the same issue and need a new Jom Comment component.

Example of Problem Registration Email
Greetings [NAME],

Thank you for applying for registration with us. We have received your request and we will process it as soon as you confirm your email address by clicking on the following hyperlink:
[CONFIRM]

Once your email address is confirmed our moderators will be notified to continue the activation process.

You will be notified by email of the progress of the process.

[DETAILS]

Kind Regards,
Website Administration

NOTE: This email was automatically generated

 

One major headache solved! Now on to the next. 

Hosting for Joomla-Get it Right
Joomla Training
Written by Daryl Baratta   
Monday, 18 June 2007

Over the last year I have seen some interesting but crazy hosting panels. It is very important to get your Joomla hosting right from the start. You may assume that all hosting companies offer the same thing. They are not all created equal, and some hosting panels, if you can even call them a hosting panel, are just not worth the hassle they can put you through.

There is no need nowadays to be using a hosting company with a home-made panel. Don't get me wrong, some custom-made hosting panels are just fine, while others are just not enough for the average person to use. I actually installed Joomla at a customer's hosting account and found that they did not even offer a file browser! That is just not acceptable for the year 2007.

A few developers I have talked to seemed to think it costs a great deal to have Plesk or cPanel, the industry standards for hosting panels. This is simply not the case at all. You can find thousands of hosting companies that offer Plesk or cPanel, and either one will make your life a lot easier. With either one you can easily set up a database, email addresses and manage your own files. Without a good, simple hosting panel, you will always be looking for support. Visit the following hosting company and combine excellent cost with quality service.

If you don't have a good hosting panel to work with, you will be calling your hosting company on a regular basis, and it may include a cost. Dealing with an .htaccess file without a good file system to access at your host, on a different IP address, can be a nightmare to say the least. The .htaccess file is what you use to make search-engine-friendly URLs. This file also does many other important tasks for you. If your hosting company already has some features set, you are going to need to make changes to the .htaccess file until you figure out what they have set already.

The process of dealing with the .htaccess file will get very stressful if you are only using FTP to make changes. The site will disappear on you and you may even lose the Joomla admin panel, so working in JoomlaExplorer is out of the question. Besides, JoomlaExplorer will not always work. You can still have file permission issues when using Joomla Explorer to manage your files from the back-end of your Joomla site.

You want to work with the .htaccess file from your hosting panel's file system. I was really shocked to find that in 2007 there are still hosting packages that do not offer access to a file system! You want your hosting panel to be running on a different IP address. If your site goes down you can continue to work on it from your hosting panel's file system. Without this you may run into trouble that ends up costing you money.

There really is no need to settle for any less than the industry standards for hosting panels. Plesk and cPanel are the most widely used and they are available at most hosting companies. You can expect to have either one of these panels and host your Joomla site for less than $10.00 per month.

You would be wise to be using a Linux/Unix type server also. Joomla is open-source software and so is Linux. Joomla will run on a Windows server, but you are going to run into roadblocks, for example when you try to have search-engine-friendly URLs. Again, there is no need to be putting yourself through the hassle of dealing with a 'Windows Server'.

For the newbies that are reading this, a Windows server has nothing to do with the Windows operating system on your computer. You can use the Windows operating system on your computer just fine. It's the hosting of your website that you want to be on a Linux type server. Most of us that are using Joomla are also using Microsoft Windows on our personal computer at home or in the office.

Some of us will be using Macs, and that's not a problem either, as long as you use the right browser. If you're on a Mac and you don't have the right browser, you are not likely to be able to upload pictures with the JCE advanced editor. Safari has been known to cause problems uploading pictures on a Mac. As of June 2007, Windows XP works just fine in regard to dealing with Joomla and working with Firefox or Internet Explorer 7.

However, Windows Vista may be an issue for some users of Joomla when accessing features of the browser. I am not sure exactly what is happening; I only know that a few customers are not seeing the same things I see at their sites. This may or may not be related to the new Vista operating system. I will report more about these issues once I have been into the store and tested a new computer with Vista, IE and Firefox to see what is going on.

The most recent issue I ran into with hosting that was not able to handle Joomla was the lack of zlib on the host server. You will not be able to install a template or components from your Joomla back-end without zlib. It is not unusual to expect zlib to be on your host's server; after over 50 installations of Joomla on numerous hosting accounts, I had never seen this one missing before. Article by Baratta Design and should not be copied.

Newbie Expectations
Joomla Training
Written by Daryl Baratta   
Monday, 11 June 2007

I have been using Joomla for a year now and I am still learning daily. Normally I spend at least 8 hours a day online working with numerous Joomla installations. It would not be unusual to do an 18-hour day just researching and installing different extensions. One thing is for sure, it's not all that easy!

Most people I talk to, and that includes customers, are new to Joomla, the content management system. They believe it will be easy to use because that's what they have read about Joomla and other content management systems. Database-driven websites were once only something a large corporation could afford to own and operate. Although everyone can have one now, it still takes the 'operating part' to make it all work.

The truth is you are going to have to spend time learning how to use the system. You can have someone set it all up for you by naming your sections and categories and adding in your first content item. You could also have your menu names done for you. You can have your template installed and a custom logo inserted into the header. It can all be ready to go.

Now, most customers of mine want to make changes to module positions and an assortment of features that can be used. If you want it to be easy from the start you will need to let someone set up the basics for you. Then all you do is find the new content button, click it, and enter your article. Learn how to publish first and get right to the most important part of your site, the content.

The only other method of starting a Joomla-powered site is to spend the time necessary to learn how to use the system. I can tell you from experience that after one year of use and over 50 installations of Joomla and hundreds of extensions, I am still learning daily. It all changes at a high rate of speed and requires that you stay on top of upgrades and new components. It is a daily job researching upgrades and bug fixes.

I would suggest that you decide before you start what your plan will be. Do you want to spend a few months learning the ropes, or do you want to get started with your content, products or service? Most people I talk to had expected it to be very simple to use and that everything would be 'plug and play'. Sorry, that is not likely going to be the case for most newbies. The upside is a large community of Joomla users around for help, and of course it's what I do.

What I think is meant when you read about Joomla being easy is that you can manage the daily needs of your website. That means most people should be able to use the editor and enter content. This was always a question I would get years ago when I built HTML websites. The customer would always ask "can I change some words or add in some content?", and the answer was sorry, no, you likely cannot. You would have to know either HTML or how to use the same software I used to make the site.

So what someone is saying when they claim Joomla is easy is that it will be easy for you to manage your content on a daily basis. They did not mean it would be easy to install components and move modules around. Although doing these things may become easy, that will not be the case for a newbie.
