Making Database Queries More Secure with PDO

Part of the work I do here is building custom web applications that users can interact with. A recent one is a simple feedback form that enables visitors to a client’s website to send quick suggestions. It looks like this:

[Screenshot: the suggestions/comments form]

Once someone enters their suggestion and clicks “Send,” I use jQuery and Ajax to submit the message to a PHP script, which then processes the message, saves it to a MySQL database for later review, and emails it to my client. In just a few weeks, my client has received hundreds of highly valuable and actionable suggestions, ranging from praise to notices about serious bugs.

Whenever you allow visitors to submit text through your website, security is a concern that must be dealt with. If you simply grab the message the user submits and send it to your database as-is, you leave an open door to SQL injection, where a malicious user can include tricky code in their message that makes your database do nasty things.

Enter PHP Data Objects (PDO) and Prepared Statements. The beauty of these is that malicious visitors can include all the nasty tricky code they want in their message, but the database will never try to execute it because the message is kept completely separate from the commands. The best plain English explanation I’ve seen comes from an answer to a stackoverflow.com question and reads as follows:

When a query is sent to a database, it’s typically sent as a string. The db engine will try to parse the string and separate the data from the instructions, relying on quote marks and syntax. So if you send “SELECT * WHERE ‘user submitted data’ EQUALS ‘table row name’”, the engine will be able to parse the instruction.

If you allow a user to enter what will be sent inside ‘user submitted data’, then they can include in this something like ‘…’ OR IF 1=1 ERASE DATABASE’. The db engine will have trouble parsing this and will take the above as an instruction rather than a meaningless string.

The way PDO works is that it sends separately the instruction (prepare(“INSERT INTO …”)) and the data. The data is sent separately, clearly understood as being data and data only. The db engine doesn’t even try to analyze the content of the data string to see if it contains instructions, and any potentially damaging code snippet is not considered.

So great, you are thinking, if I use this complicated PDO thing with database queries I can make my website really secure and no longer have to use a bunch of cumbersome data sanitizers. That’s exactly where I was not long ago, but then I found a great series of videos on YouTube that showed exactly how it all works. The only gripe I had with the series is that it was hard to figure out which order to view them in, so with that in mind, here they are in order:
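To make the difference concrete, here is an added example of the feedback form’s INSERT done both ways. It is not the script behind the form and not code from the video series; it runs against an in-memory SQLite database through PDO so you can try it offline, and the table name, column names and the sample message are assumptions. The unsafe version builds the SQL text by gluing the message in, so a plain apostrophe in “doesn’t” is enough to end the string literal early and turn the rest of the message into something the engine tries to parse. The prepared-statement version sends the same message as a bound value and the database stores it exactly as typed.

```php
<?php
// Added example (not from the original post): storing a suggestion two ways.
// Table/column names and the sample message are constructed for illustration.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Note: with the MySQL driver you would also pass PDO::ATTR_EMULATE_PREPARES => false
// so the placeholders are handled by the server rather than filled in client-side.

$pdo->exec('CREATE TABLE suggestions (
    id         INTEGER PRIMARY KEY,
    message    TEXT NOT NULL,
    created_at TEXT NOT NULL
)');

// Constructed sample input: an ordinary message that happens to contain quotes.
$message = "Love the site, but the 'Send' button doesn't work on mobile";

// Vulnerable: the message becomes part of the SQL text that the engine parses.
function insertUnsafe(PDO $pdo, string $message): void
{
    $sql = "INSERT INTO suggestions (message, created_at) "
         . "VALUES ('" . $message . "', datetime('now'))";
    $pdo->exec($sql);
}

// Hardened: the SQL text is fixed at prepare() time; the message is bound as data.
function insertSafe(PDO $pdo, string $message): int
{
    $stmt = $pdo->prepare(
        "INSERT INTO suggestions (message, created_at) VALUES (:message, datetime('now'))"
    );
    $stmt->bindValue(':message', $message, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

// Reads a row back, also with a bound parameter rather than string concatenation.
function fetchMessage(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT message FROM suggestions WHERE id = ?');
    $stmt->execute([$id]);
    return (string) $stmt->fetchColumn();
}

try {
    insertUnsafe($pdo, $message);
} catch (PDOException $e) {
    // The apostrophe in "doesn't" closed the string literal, so the engine read
    // the rest of the message as SQL and rejected it. A crafted message would
    // instead be executed; this is the door the post is talking about.
    echo 'unsafe insert failed: ' . $e->getMessage() . PHP_EOL;
}

$id     = insertSafe($pdo, $message);
$stored = fetchMessage($pdo, $id);

// The bound value round-trips byte for byte, quotes and all.
assert($stored === $message);
echo 'stored verbatim: ' . $stored . PHP_EOL;
```

Run it with the PHP CLI (php example.php); it needs the pdo_sqlite extension, which ships with most PHP builds. The point to notice is that insertSafe never looks at the contents of $message: no escaping, no stripping of quotes, no “sanitizer.” The query shape is fixed before the data ever arrives, which is exactly what the Stack Overflow answer above describes.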

I’ve been a web marketer for 25+ years?!

Greetings and welcome to the Collins Harris LTD blog. We officially got started in 2012 when we incorporated in Nevada, but founder Nick Harris (me) has been active and successful in web marketing since the late 1990s.

That actually reminds me of one of my first web marketing projects that I started and ran back in high school: a cell phone customization website called celltonez (now defunct). Looking back on it evokes about the same mixture of embarrassment and pride that looking back at one’s high school yearbook photo does. But the site actually generated a lot of traffic (upwards of 2,000 unique visitors daily) and I managed to make a pretty sizable amount of ad revenue. Some of the details about how I managed to generate that level of traffic are pretty hilarious/quasi-shady… ask me over a beer sometime and maybe I’ll share! Weekends were especially lucrative, and I remember returning from soccer practice or windsurfing with my dad on Saturdays and Sundays to see what at that time seemed like ridiculous amounts of cash in my advertiser account. Here is a screenshot from early 2001 of celltonez.com, a babe as part of my logo and all!

What founder Nick Harris was up to back in his high school days

I’m actually kind of shocked to realize that I’ve been involved in web marketing for a quarter of a century now. But at the same time, my early success with celltonez proved to me that there was and still is a vast opportunity to utilize the internet to sell products and services.

I’ve launched and run a number of companies in the years since, but the one thing I’ve always excelled at is driving traffic and revenue with online marketing. It has never been just about creating a website for me; it is always first about figuring out who the customer is, what they want, and then how to create a website that caters towards them and produces results.

In recent years, some of my most successful work has been driving traffic via a combination of inbound marketing techniques and business development. One client had seen stagnant traffic and declining sales for several years, and then I got involved in the middle of 2011 and over the course of several months managed to do this:

[Chart: Nick's impact on traffic for a client]

Sales and profits are up nearly 3x for this client since I first became involved and we continue to launch new traffic and conversion increasing initiatives. The arrangement has worked out so well that we only charge them based on performance, and everyone is quite pleased.

So this brief history of my life as a web marketing professional leads up to where I am and we are as a company now. We’ve got successful projects accomplished and under way, but are striving to go a whole lot further. Launching new world-changing companies, partnering in success with awesome entrepreneurs, and continually learning are the future I envision. The purpose of this blog is to share what I learn along the way. With that, I conclude this first post and look optimistically towards the future.