Author Archives: Mike Conley

SQL Injection Prevention in PHP – Tip 1

It’s amazing – I’ve been going around, Googling for anything with “index.php?id=”…and that’s really all it takes.  Now, granted, SQL Injection isn’t new, and a lot of the top hits have taken some steps to protect themselves, but if you go deep – like, Google search page 23 deep – you’ll find ones that break if you put a semicolon after the id number.  And if it breaks, it’s vulnerable: a database error from one stray character means the raw query-string value is being pasted into the SQL text, so an attacker can paste in anything else, too.

So, here’s my first tip on preventing SQL Injection – when you’re asking for an ID number, make sure it’s a number, and nothing else, before it gets anywhere near a query. And use prepared statements with bound parameters, so the value reaches the database as data rather than as part of the SQL text – database wrappers like MDB2 for PHP make this easy.

Check this out – this might be how I would have done it 3 years ago:

<?php
  //Assume we're already connected to a MySQL database...
  //(The mysql_* functions used here were removed in PHP 7; the point is the
  //string concatenation on the query line, which is the same mistake in any API.)
  $id = $_GET['id'];

  //$id goes straight into the SQL text - whatever the visitor typed is now part of the query
  $result = mysql_query('SELECT * from pages where id='.$id);
  if (!$result) {
     //...and mysql_error() tells the visitor exactly how the query broke
     die('Invalid query: ' . mysql_error());
  }
  ... //Code to print out my result to the page
?>

I’d do it this way now:

Note: My use of MDB2 might be a little rusty – I haven’t tested this code, and I usually compose RowDataGateway objects with MDB2 to represent my data.  So pay more attention to the structure than the actual syntax.

<?php
  require 'View.php';
  require 'MDB2.php';  //An excellent DB layer from the PEAR libs

  //Code to set $mdb2 as our DB connection variable
  //See http://pear.php.net/package/MDB2 for details

  //Every $_GET value arrives as a string, so is_int($_GET['id']) would always be
  //false. filter_var() with FILTER_VALIDATE_INT accepts only an integer string
  //and hands back the int; anything else (including "1 OR 1=1") becomes false.
  $id = filter_var(isset($_GET['id']) ? $_GET['id'] : null, FILTER_VALIDATE_INT);

  try {
    if($id === false) {
      //ID wasn't an int, it's no good, let's bail
      throw new Exception('Could not recognize the id that you passed');
    }
    //ID was an int, let's see if we can find the record
    $sql = 'SELECT * from pages where id=:id';
    $statement = $mdb2->prepare($sql);
    if(PEAR::isError($statement)) {
      //prepare() itself can hand back a PEAR_Error
      throw new Exception('There was an error communicating with the database');
    }
    //Bind the value as an integer - it is sent as data, never spliced into the SQL
    $statement->bindValue('id', $id, 'integer');
    $result = $statement->execute();
    if(PEAR::isError($result)) {
      //Uh oh - our result was an error on the PEAR library level
      throw new Exception('There was an error communicating with the database');
    }
    //fetchOne() would give us only the first column; we want the whole row
    $page = $result->fetchRow(MDB2_FETCHMODE_ASSOC);
    if(!$page) {
      //A valid int that matches nothing is a 404, not a database error
      throw new Exception('No page with that id');
    }
    //Insert the database result into the view, render, and die.
    $content = new View('templates/page.tpl', array('page' => $page));
    $content->render();
    die;
  }
  catch(Exception $e) {
    //We must have caught an exception - put this into our
    //error page template with the error message, render, die.
    $content = new View('templates/error.tpl', array('message' => $e->getMessage()));
    $content->render();
    die;
  }
?>

Yes, it’s quite a bit more code. But I feel safer just looking at it.
Did I miss anything on this? Please post a comment if you notice that I’ve left a gaping hole.  Learning is good.
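Here is the same lookup as a stand-alone example, added here and not from the original post, written against PDO (PHP's built-in database layer, which took over from the mysql_* functions and is the usual choice instead of MDB2 today) with an in-memory SQLite table so it runs without a database server. The pages table, its rows and the attacker payload are made up for the demo, and it assumes the pdo_sqlite extension. It puts three versions side by side: the concatenated query, a query that binds the parameter but does not validate it, and the validated-and-bound one, and feeds all three the classic 1 OR 1=1 payload.

```php
<?php
// Added example, not from the original post: the "look up a page by id" flow
// against PDO with an in-memory SQLite table, so it runs stand-alone.
// Assumptions: PHP with the pdo_sqlite extension; the "pages" table and its
// rows below are made up for the demo.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)');
$db->exec("INSERT INTO pages (id, title, body) VALUES (1, 'Home', 'public welcome text')");
$db->exec("INSERT INTO pages (id, title, body) VALUES (2, 'Admin', 'should never be listed')");

// The "3 years ago" version: the raw query-string value is glued into the SQL.
function lookup_vulnerable(PDO $db, $id) {
    $stmt = $db->query('SELECT id, title FROM pages WHERE id=' . $id);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Binding alone: no validation, but the value travels as a parameter, so the
// database compares the id column to the literal string '1 OR 1=1'.
function lookup_bound_only(PDO $db, $id) {
    $stmt = $db->prepare('SELECT id, title FROM pages WHERE id = :id');
    $stmt->bindValue(':id', $id);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Validate, then bind. Two independent defences:
//  1. every $_GET value is a string, so is_int() would always fail;
//     FILTER_VALIDATE_INT accepts only an integer string and returns the int.
//  2. the id is sent as a typed parameter, never spliced into the SQL text.
function lookup_safe(PDO $db, $id) {
    $int = filter_var($id, FILTER_VALIDATE_INT, array('options' => array('min_range' => 1)));
    if ($int === false) {
        throw new InvalidArgumentException('Could not recognize the id that you passed');
    }
    $stmt = $db->prepare('SELECT id, title FROM pages WHERE id = :id');
    $stmt->bindValue(':id', $int, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// What an attacker would put in ?id= (a constructed payload).
$payload = '1 OR 1=1';

echo "vulnerable lookup with '$payload':\n";
print_r(lookup_vulnerable($db, $payload));

echo "bound-only lookup with '$payload':\n";
print_r(lookup_bound_only($db, $payload));

echo "safe lookup with '$payload':\n";
try {
    print_r(lookup_safe($db, $payload));
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

echo "safe lookup with '2':\n";
print_r(lookup_safe($db, '2'));
```

Run it with php from the command line. The concatenated query returns both rows for that payload, every page in the table, because the WHERE clause has become id=1 OR 1=1. The bound-only query returns nothing, since the whole string is compared against the integer id column as one value; that is what a prepared statement buys you even before any validation. The validated version rejects the payload in filter_var() before the database is touched, and still returns the Admin row for a plain '2'. FILTER_VALIDATE_INT is what makes that check work: is_int('2') is false, because every $_GET value is a string.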

Yearly Reading List

Someone recommended a book to me recently, and I told them I’d add it to my “to read” list.

But there’s a little problem:  that list is massive.  Impossibly massive.

Not to mention that some of my year is dedicated to re-reading old favourites.  Call it a tradition, a habit, whatever – each year, I re-read (or try to re-read) the same set of books.  And, every now and then, I’ll read a new book that gets added into that set.

So, here’s the set as it stands:

  • Brave New World by Aldous Huxley
  • One Day in the Life of Ivan Denisovich by Aleksandr Solzhenitsyn
  • Rendezvous with Rama by Arthur C. Clarke
  • The Black Hole by Alan Dean Foster
  • The Man Outside by Wolfgang Borchert
  • The Burglar in the Library by Lawrence Block
  • One Flew Over the Cuckoo’s Nest by Ken Kesey

I’m sure I’m not the only one with yearly reads.  Anyone else?

The Best Teachers…

I like the TED talks.  A lot.  When I was working at the school board, I wasted many a lunch hour going through the TED video library.

This guy, Barry Schwartz, makes a plea for common sense over bureaucratic rigidity in modern society.  He also sums up the qualities of every single teacher that I’ve ever had, who I considered “amazing”.

Pretty inspiring stuff.

See Barry Schwartz’s talk here.

What’s Google’s slogan?  “Don’t be evil”? Whoever I end up working for, I hope I go home every day feeling like I’ve really done a good thing, as opposed to feeling like I just made a few bucks from somebody.

Some things I’ve learned from Movement and Voice class…

At the University College Drama Program, if you’re taking a Performance course, then you’re taking Voice and Movement.  They go hand in hand.  This is my third year taking Performance at the UCDP, and so this is also my third year with Voice and Movement.

I’ve learned a lot over the past 3 years in V/M.  Though they’re really two separate courses, there is plenty of overlap.  One of the most interesting things about these courses is their similarity to physiotherapy.  In these classes, we’re challenged to become more articulate with muscles that most people take for granted, or don’t even know they have.

So how do you get students to discover new muscles?  This is the challenge I didn’t understand two years ago – the challenge that the instructor has in guiding students to these areas of the body/brain.  Every student is different, and each could have their own way of understanding the mechanical workings of their own bodies – it’s really hard to tell.

So how did they do it?

Metaphors, believe it or not.  Images and metaphors.  I remember thinking that these classes were really…kind of strange, with all of the speaking in metaphors and images…

“Now, imagine that your soft palate is like one of those automatic-pop-up tents….now POP it open!”

“Imagine more space in your hip flexor…breathe into that space…”

It might sound spacey, or floaty, or like nonsense, but believe it or not, this stuff works.

Probably the best example was in my voice class this year, when the instructor was getting us to find ways of getting our voice over obstructions in our mouths.  In this case, our obstruction was our own tongues – we had placed the tip of our tongue against the lower portion of our bottom teeth, and were pushing the middle of our tongue out of our mouths.

Now try to get sound out.  It might sound like you’re talking into a tin can.

The instructor then got us to try and “arc” our voices out of our mouths – and here’s where the really interesting part came in – he got us to arc our arms forward at the same time.  And it worked.

He said that there are many ways of communicating with the brain, and that one of them – that is often overlooked by academics – is through the body.  It’s called kinesthetic learning.  By arcing our arms away from our body, we were reinforcing the feeling of what he wanted us to do with our voices.

And in doing this, I actually discovered new muscles in my throat.  No joke.  They don’t move much, and they’re very subtle, but they’re there, and they affect sound, and those are what he was trying to get us to find.

Awesome.