PHP Funda

How to use a CIDR netmask to block an IP address range using .htaccess

noreply@blogger.com (Unknown) — Tue, 1 Nov 2011 00:03:00 -0700

This article explains why you must sometimes use CIDR netmask notation to ban an IP address range using Apache .htaccess, and how to do it. It is intended to supplement the basic Apache information about mod_access in the documentation at http://httpd.apache.org/docs/1.3/mod/mod_access.html.

An IP address is a 32-bit binary number that uniquely identifies a computer on the internet

32-bit binary is hard to remember : 11000000010000000000000000000000

Decimal notation isn't much easier: 3225419776

So it is usually written like this : 192.64.0.0

You get this "dotted-quad notation" by breaking the 32 bits into 4 groups of 8 and then converting each group to decimal:

11000000	01000000	00000000	00000000
192	64	0	0

192.64.0.0

That makes it easier to remember, but it creates problems if you try to use it for calculations.

An IP address contains two pieces of information:

The leftmost binary digits are the unique ID of the network (usually your Internet Service Provider, ISP) through which you are connected to the internet.

The remaining binary digits are your unique ID as an individual user on that network.

The number of leftmost digits used for network ID is not the same for every network. In CIDR notation, the /nn part says how many of the leftmost bits indicate the network.

If the network uses exactly the leftmost 8, 16, or 24 bits for its ID, then the dividing line between network and user falls on one of the period boundaries of the dotted-quad notation, and one of the partial IP notations will work:

.htaccess partial IP address	Equivalent CIDR
deny from 192	deny from 192.0.0.0/8
deny from 192.64	deny from 192.64.0.0/16
deny from 192.64.0	deny from 192.64.0.0/24

Each quad that you don't specify is treated as a wildcard that can take any value from 0 to 255. So the first example bans any IP address that starts with 192., followed by anything.

When to use CIDR notation

If the network doesn't use exactly 8, 16, or 24 bits for the network part of the IP address, the dividing line between network and user does not fall on a period boundary of dotted-quad notation, and you need to use a CIDR netmask.

Example CIDR/netmask:

192.64.0.0/10

This says the base address of the network is 192.64.0.0 and the first 10 bits are the network:

192 64 0 0 = 11000000 01000000 00000000 00000000

192 is the first 8 bits, but two more bits are part of the network ID, too. The 9th bit is 0 and the 10th is 1, and that is where the 64 comes from.

The full range of this network in quad notation is 192.64.0.0 - 192.127.255.255. Note that the 64 in the second position doesn't remain constant. The first 2 bits are always the same, but the righthand 6 will be different for different users.

The simple notations for an .htaccess ban won't work. Why not?

deny from 192 would ban the range 192.0.0.0 - 192.255.255.255, which will ban some users that are not coming from this network.

deny from 192.64 would ban the range 192.64.0.0 - 192.64.255.255, which is insufficient to ban all the users that are coming from this network.

So the answer is CIDR notation and an .htaccess line that says:

deny from 192.64.0.0/10

This says the base address is 192.64.0.0, and the first 10 bits identify the network (those are always the same for all users who are on that network).

To ban a specific IP range in htaccess

Figure out, from your website access logs or elsewhere, the IP addresses you want to ban. Look them up in a WhoIs database such as http://whois.domaintools.com/.

Determine whether you need to use a CIDR netmask. If the IP address range in the report looks like one of these, with each quad after the leading one(s) showing a rull range of 0-255, then you can use one of the simpler methods:

192.0.0.0 - 192.255.255.255 -- Use deny from 192

192.64.0.0 - 192.64.255.255 -- Use deny from 192.64

192.64.128.0 - 192.64.128.255 -- Use deny from 192.64.128

For anything else, you need CIDR. At Domain Tools, the CIDR netmask is sometimes shown in the report for that IP address, several lines down in the report. If it is, that's all you need. You're ready to create the line in your .htaccess file. Go to Step 5.

If the CIDR wasn't given, you can calculate it yourself with a netmask calculator such as http://jodies.de/ipcalc.

a) Enter the base (lowest) address.

b) You can simply determine the netmask (the /nn part) by trial and error, or you can calculate the minimum size to start with: take the rightmost nonzero quad of the base address and convert it to binary in your head or in Windows Calculator. Find the rightmost "1". The netmask will have to be sufficient to include all of the previous quads (at 8 bits each), plus all the digits in this quad up to its rightmost "1". That's the minimum. But it might include some of the trailing zeroes, too.

c) Keep using trial and error for the netmask until HostMin and HostMax match the IP address range you saw in the Domain Tools report.

Note that final quads of 0 and 255 are reserved, so:

The calculated HostMin will be nnn.nnn.nnn.1, not nnn.nnn.nnn.0

The calculated HostMax will be nnn.nnn.nnn.254 not nnn.nnn.nnn.255

The Hosts/Net line tells you how many users this network might have, which can help decide whether you really want to ban the entire range.

Edit your public_html/.htaccess file to add the "deny from" line:

Go to cPanel > File Manager.

Navigate to the file public_html/.htaccess.

Click on its file name (not the icon next to it).

In the upper right corner of the screen, click Edit File.

Make a backup copy: Copy all the text in the file, and save it into a file on your local computer so you can put it back into .htaccess if something goes wrong.

Backup made? Ok, now you can edit the file. On a blank line in a part of the file that is not between HTML-style tags like <tag></tag>, type the line:

deny from nnn.nnn.nnn.nnn/nn

Replace the nnn's with the IP/netmask you calculated for this range.

Further explanation: some lines of your .htaccess file might be contained between tags that look like HTML tags where the opening tag looks like <tag> and the closing tag looks like </tag>. Insert this new line in a part of the file that is not between any of these pairs of tags.

Depending on what is in your .htaccess, you might need to use your judgment whether to use the order and allow directives that are also provided by mod_access. See the link to Apache at the top of this article for more information. That is beyond the scope of this article, and it will require your judgment. I'd suggest adding only the "deny from" line at first and seeing if it works as expected. What is expected: you can access your website; most other people can, too; when the denied party tries, your logs will show a result code of 403 Forbidden.

Magento Template Path Hints For Admin side

noreply@blogger.com (Unknown) — Tue, 9 Aug 2011 00:29:00 -0700

If you love template path hints in Magento for quickly figuring out which template file or block you need to edit or override and have a requirement for some admin side coding, you are going to love this.

You might not have thought it was possible to enable template path hints in admin, but it is!

Just run this query:

SQL:

INSERT INTO core_config_data (scope, scope_id, path, value)
VALUES ('default', 0, 'dev/debug/template_hints', 1),
('default', 0, 'dev/debug/template_hints_blocks', 1);

To disable them again, run this query

SQL:

UPDATE core_config_data SET value = 0 WHERE scope = 'default' AND scope_id = 0 AND path ='dev/debug/template_hints'

To enable again run this query

SQL:

UPDATE core_config_data SET value = 1 WHERE scope = 'default' AND scope_id = 0 AND path ='dev/debug/template_hints'

Back Up and Restore a MySQL Database

noreply@blogger.com (Unknown) — Sat, 10 Oct 2009 01:01:00 -0700

Back up From the Command Line (using mysqldump)

If you have shell or telnet access to your web server, you can backup your MySQL data by using the mysqldump command. This command connects to the MySQL server and creates an SQL dump file. The dump file contains the SQL statements necessary to re-create the database. Here is the proper syntax:

$ mysqldump --opt -u [uname] -p[pass] [dbname] > [backupfile.sql]

[uname] Your database username

[pass] The password for your database (note there is no space between -p and the password)

[dbname] The name of your database

[backupfile.sql] The filename for your database backup

[--opt] The mysqldump option

For example, to backup a database named 'Tutorials' with the username 'root' and with no password to a file tut_backup.sql, you should accomplish this command:

$ mysqldump -u root -p Tutorials > tut_backup.sql

This command will backup the 'Tutorials' database into a file called tut_backup.sql which will contain all the SQL statements needed to re-create the database.

With mysqldump command you can specify certain tables of your database you want to backup. For example, to back up only php_tutorials and asp_tutorials tables from the 'Tutorials' database accomplish the command below. Each table name has to be separated by space.

$ mysqldump -u root -p Tutorials php_tutorials asp_tutorials > tut_backup.sql

Sometimes it is necessary to back up more that one database at once. In this case you can use the --database option followed by the list of databases you would like to backup. Each database name has to be separated by space.

$ mysqldump -u root -p --databases Tutorials Articles Comments > content_backup.sql

If you want to back up all the databases in the server at one time you should use the --all-databases option. It tells MySQL to dump all the databases it has in storage.

$ mysqldump -u root -p --all-databases > alldb_backup.sql

The mysqldump command has also some other useful options:

--add-drop-table: Tells MySQL to add a DROP TABLE statement before each CREATE TABLE in the dump.

--no-data: Dumps only the database structure, not the contents.

--add-locks: Adds the LOCK TABLES and UNLOCK TABLES statements you can see in the dump file.

The mysqldump command has advantages and disadvantages. The advantages of using mysqldump are that it is simple to use and it takes care of table locking issues for you. The disadvantage is that the command locks tables. If the size of your tables is very big mysqldump can lock out users for a long period of time.

Back up your MySQL Database with Compress

If your mysql database is very big, you might want to compress the output of mysqldump. Just use the mysql backup command below and pipe the output to gzip, then you will get the output as gzip file.

$ mysqldump -u [uname] -p[pass] [dbname] | gzip -9 > [backupfile.sql.gz]

If you want to extract the .gz file, use the command below:

$ gunzip [backupfile.sql.gz]

Restoring your MySQL Database

Above we backup the Tutorials database into tut_backup.sql file. To re-create the Tutorials database you should follow two steps:

Create an appropriately named database on the target machine

Load the file using the mysql command:

$ mysql -u [uname] -p[pass] [db_to_restore] < [backupfile.sql]

Have a look how you can restore your tut_backup.sql file to the Tutorials database.

$ mysql -u root -p Tutorials < tut_backup.sql

To restore compressed backup files you can do the following:

gunzip < [backupfile.sql.gz] | mysql -u [uname] -p[pass] [dbname]

If you need to restore a database that already exists, you'll need to use mysqlimport command. The syntax for mysqlimport is as follows:

mysqlimport -u [uname] -p[pass] [dbname] [backupfile.sql]

Disable the Enter key on HTML form

noreply@blogger.com (Unknown) — Sat, 10 Oct 2009 00:53:00 -0700

How to disable the Enter key on HTML form

Normally when you have a form with several text input fields, it is undesirable that the form gets submitted when the user hits ENTER in a field. Some people are pressing the enter key instead of the tab key to get to the next field. They often do that by accident or they are accustomed to terminate field input that way. If a browser regards hitting ENTER in a text input field as a request to submit the form immediately, there is no sure way to prevent that.

Add the below script to the <head> section of your page. The following code disables the enter key so that visitors of your web page can only use the tab key to get to the next field.

Flash image upload with PHP

noreply@blogger.com (Unknown) — Wed, 7 Oct 2009 05:53:00 -0700

Flash Code

System.security.allowDomain("www.tshirtsetc.co.uk");  import flash.net.FileReference;    // The listener object listens for FileReference events.  var listener:Object = new Object();    listener.onSelect = function(selectedFile:FileReference):Void {      upWin._x = 200;    selectedFile.upload("./upload.php");  };    // the file is starting to upload.  listener.onOpen = function(selectedFile:FileReference):Void {    _root.upWin.results_txt.text = String("Uploading " + selectedFile.name + "\n");  };    listener.onHTTPError = function(file:FileReference, httpError:Number):Void {      _root.upWin.results_txt.text = String("HTTPError number: "+httpError +"\nFile: "+ file.name);  }    listener.onIOError = function(file:FileReference):Void {   _root.upWin.results_txt.text = String("IOError: "+ file.name);  }    listener.onSecurityError = function(file:FileReference, errorString:String):Void {      _root.upWin.results_txt.text = String("SecurityError: "+SecurityError+"\nFile: "+ file.name);      }    listener.onProgress = function(file:FileReference, bytesLoaded:Number, bytesTotal:Number):Void {   upWin.loadBar._width = Number(bytesLoaded)/Number(bytesTotal)*300;  }    // the file has uploaded  listener.onComplete = function(selectedFile:FileReference):Void {    upWin.results_txt.text = String("Upload finished.\nNow downloading " + selectedFile.name + " to player\n");        if(position_txt.text == String("Front")){    attachMovie("trans", "transHolder", -16161, {_x:150, _y:120});     downloadImage1(selectedFile.name);    }else{    if(position_txt.text == String("Back")){     attachMovie("trans2", "transHolder2", -16162, {_x:450, _y:120});       downloadImage2(selectedFile.name);    }else{    if(position_txt.text == String("LSleeve")){     attachMovie("trans3", "transHolder3", -16163, {_x:150, _y:120});       downloadImage3(selectedFile.name);    }else{    if(position_txt.text == String("RSleeve")){     attachMovie("trans4", "transHolder4", -16164, {_x:450, _y:120});       downloadImage4(selectedFile.name);    }    }    }    }    Itotal_txt.text = Number(3.00);    _root.upWin._x = 2000;  };    var imageFile:FileReference = new FileReference();  imageFile.addListener(listener);     imageMovie.uploadBtn.onPress = uploadImage;  imageMovie.uploadBtn2.onPress = uploadImage;  imageMovie2.uploadBtn3.onPress = uploadImage;  imageMovie2.uploadBtn4.onPress = uploadImage;    // Call the uploadImage() function, opens a file browser dialog.  function uploadImage(event:Object):Void {    imageFile.browse([{description: "Image Files", extension: "*.jpg;*.gif;*.png"}]);  }    // If the image does not download, the event object's total property  // will equal -1. In that case, display am error message  function imageDownloaded(event:Object):Void {    if(event.total == -1) {      _root.upWin.results_txt.text = String("error");        }  }    // show uploaded image in scrollPane  function downloadImage1(file:Object):Void {   transHolder.umbongo.loadMovie("./uploaded/" + file);  }    // show uploaded image in scrollPane  function downloadImage2(file:Object):Void {   transHolder2.umbongo2.loadMovie("./uploaded/" + file);  }    // show uploaded image in scrollPane  function downloadImage3(file:Object):Void {   transHolder3.umbongo3.loadMovie("./uploaded/" + file);  }    // show uploaded image in scrollPane  function downloadImage4(file:Object):Void {   var randomNum:Number = Math.round(Math.random()*(10000-0))+0;   transHolder4.umbongo4.loadMovie("./uploaded/" + file);  }

Server Side - PHP Code

<?php    move_uploaded_file($_FILES['Filedata']['tmp_name'], './uploaded/'.$_FILES['Filedata']['name']);  copy('./uploaded/'.$_FILES['Filedata']['name'], './timeStamped/'.time().$_FILES['Filedata']['name']);    ?>

For more information goto http://livedocs.adobe.com/flash/9.0/main/wwhelp/wwhimpl/common/html/wwhelp.htm?context=LiveDocs_Parts&file=00001054.html

Understanding mod_rewrite Directives Convertion

noreply@blogger.com (Unknown) — Tue, 6 Oct 2009 03:14:00 -0700

Converting mod_rewrite directives

Overview

The URL Rewriting engine in Abyss Web Server is comparable to the mod_rewrite module in Apache. Both offer similar features but they are not fully equivalent.

This article explains how to convert mod_rewrite directives to URL Rewriting parameters in Abyss Web Server. In most cases, the conversion straightforward. But in some rare cases, and for some of the most obscure features of mod_rewrite, conversion is possible provided that you change or rewrite the rules.

mod_rewrite directives syntax

mod_rewrite directives are put in .htaccess files (in subdirectories) or in the main configuration file httpd.conf.

The following directives are related to mod_rewrite and will be used for conversions:

RewriteBase

RewriteCond

RewriteRule

A typical configuration of mod_rewrite looks as follows:

# Some comments

RewriteBase PATH

RewriteCond %{VARIABLE1} CONDITION1

RewriteCond %{VARIABLE2} CONDITION2

RewriteRule REGEX REPLACEMENT [FLAGS]

RewriteBase is optional. By default, the base path is the current location of the directory where the .htaccess file is. Each time a RewriteRule is found, the base path is updated with the parameter following the directive. The base path is useful when processing RewriteRule parameters.

RewriteCond is also optional. 0 or more RewriteCond directives can precede a given RewriteRule declaration.

RewriteRule is mandatory and ends the declaration of a rule. More sequences of RewriteBase/RewriteCond/RewriteRule could follow to define other rules.

Lines which start with # are comments and should be ignored. Lines referencing other directives are also to be ignored during the conversion as they are not related to mod_rewrite.

Starting the conversion

For each RewriteRule directive, you should create a URL Rewriting rule.

Locate the RewriteRule you'll convert.

Locate all the RewriteCond directives that precede it directly (there are 0 or more of them).

Locate the last RewriteBase directive preceding the RewriteRule you'll convert. You may not find a RewriteBase in some cases.

If you've found a RewriteBase directive, the base path of the current rule will be the path that is referenced in that directive. Otherwise, the base path is the virtual path of the directory where the .htaccess file you're converting is located. For example, if there is no RewriteBase, if the .htaccess file you're converting is inside C:\sites\firstsite\forum, and if your Documents Path is C:\sites\firstsite\, then the base path is /forum.

Now open Abyss Web Server console, press the Configure associated with the host you'll add the URL rewriting rules to, and select URL Rewriting.

Press Add in URL Rewriting rules table to create a new rule.

Conversion of the RewriteRule directive

The RewriteRule directive has the following syntax:

RewriteRule REGEX REPLACEMENT [FLAGS]

[FLAGS] is optional an may not be always present.

REGEX is a regular expression. If it starts with ^ but the next character is not /, the regular expression is referencing a relative path. In such a case, you must prepend it with the base path of the rule before using it in Abyss Web Server.

For example, if the base path is /forum and the RewriteRule directive is:

RewriteRule ^test/(.*)$ index.php?testId=$1

then the regular expression we'll use will be:

^/forum/test/(.*)$

If REPLACEMENT does not start with / and is not full URL (starting with http:// or similar), the base path should be prepended too. In the above example, the REPLACEMENT that must be taken into account is:

/forum/index.php?testId=$1

In the Abyss Web Server console, enter in Virtual Path Regular Expression the regular expression used in RewriteRule (after prepending it with the base path if it starts with ^ but the next character is not /).

Enter in Redirect to the replacement string used in RewriteRule (after prepending it with the base path if it does not start / and is not full URL).

If the RewriteRule directive has flags, convert each one of them as explained below:

chain/C (chained with next rule)

From Apache manual: "This flag chains the current rule with the next rule (which itself can be chained with the following rule, and so on). This has the following effect: if a rule matches, then processing continues as usual - the flag has no effect. If the rule does not match, then all following chained rules are skipped." No direct conversion is possible unless you reorder your URL Rewriting rules and correctly set the Next Action in Abyss Web Server for each rule.

cookie/CO=NAME:VAL:domain[:lifetime[:path]] (set cookie)

No equivalent in Abyss Web Server.

env/E=VAR:VAL (set environment variable)

No equivalent in Abyss Web Server.

forbidden/F (force URL to be forbidden)

Set If this rule matches to Report an error to the client and set Status Code to 403 - Forbidden.

gone/G (force URL to be gone)

Set If this rule matches to Report an error to the client and set Status Code to 410 - Gone.

last/L (last rule)

Set Next Action to Stop matching

next/N (next round)

Set Next Action to Stop matching.

nocase/NC (no case)

Uncheck Case Sensitive

noescape/NE (no URI escaping of output)

Uncheck Escape Redirection Location.

nosubreq/NS (not for internal sub-requests)

Uncheck Apply to subrequests too.

proxy/P (force proxy)

No equivalent in Abyss Web Server.

passthrough/PT (pass through to next handler)

No equivalent in Abyss Web Server.

qsappend/QSA (query string append)

Check Append Query String.

redirect/R[=code] (force redirect)

Set If this rule matches to Perform an external redirection and set Status Code to the value of code if available or to 302.

skip/S=num (skip next rule(s))

From Apache manual: "This flag forces the rewriting engine to skip the next num rules in sequence, if the current rule matches." No direct conversion is possible unless you reorder your URL Rewriting rules and correctly set the Next Action in Abyss Web Server for each rule.

type/T=MIME-type (force MIME type)

No equivalent in Abyss Web Server.

Conversion of the RewriteCond directives

Now it's time to convert the RewriteCond directives associated with the RewriteRule we're working on. Remember that only the RewriteCond immediately preceding the RewriteRule are to be taken into account. If there are no RewriteCond directives, conversion is over.

A RewriteCond directive has the form:

RewriteCond %{VARIABLE} COND [FLAGS]

If the first argument of the RewriteCond you're converting contains a string which is not conforming to the syntax %{VARIABLE}, it will be impossible to convert the mod_rewrite rule to an Abyss Web Server URL Rewriting rule.

[FLAGS] are optional and may not be always present.

For each RewriteCond, press Add in the Conditions table and enter the value of VARIABLE in the Variable field.

If COND is a regular expression preceded by !, select Does not match with in Operator. If it is a regular expression not preceded by !, set Operator to Matches with. Next enter the regular expression in Regular Expression field.

Otherwise, COND is one of the following tests:

<VALUE (lexicographically precedes)

Set Operator to < and enter VALUE in the field Value.

!<VALUE

Set Operator to >= and enter VALUE in the field Value.

>VALUE (lexicographically follows)

Set Operator to > and enter VALUE in the field Value.

!>VALUE

Set Operator to <= and enter VALUE in the field Value.

=VALUE (lexicographically equal)

Set Operator to = and enter VALUE in the field Value.

!=VALUE

Set Operator to Is different from and enter VALUE in the field Value.

-d (is directory)

Set Operator to Is a directory.

!-d

Set Operator to Is not a directory.

-f (is regular file)

Set Operator to Is a file.

!-f

Set Operator to Is not a file.

-s (is regular file, with size)

Set Operator to Exists and is not an empty file.

!-s

Set Operator to Does not exist and is an empty file.

-l/!-l (is/isn't symbolic link)

No equivalent in Abyss Web Server.

-F/!-F (is/isn't existing file, via subrequest)

No equivalent in Abyss Web Server.

-U/!-U (is/isn't existing URL, via subrequest)

No equivalent in Abyss Web Server.

If FLAGS are present, their conversion should be done as follows:

nocase/NC (no case)

Uncheck Case Sensitive.

ornext/OR (or next condition)

The only case where a direct conversion is possible is when you have two or more consecutive RewriteCond operating on the same variable. In such a case, the regular expressions of each condition have to be concatenated with a | sign. For example:

RewriteCond %{HTTP_USER_AGENT} Mozilla [OR]

RewriteCond %{HTTP_USER_AGENT} Opera [OR]

RewriteCond %{HTTP_USER_AGENT} Lynx

could be combined in a single RewriteCond:

RewriteCond %{HTTP_USER_AGENT} Mozilla|Opera|Lynx

and thus it suffices to have a single condition on variable HTTP_USER_AGENT which checks if its value matches with Mozilla|Opera|Lynx.

Mod-Rewrite Tricks and Tips - .Htaccess rewrites rules

noreply@blogger.com (Unknown) — Mon, 5 Oct 2009 03:56:00 -0700

If you really want to take a look, check out the mod_rewrite.c and mod_rewrite.h files.

Be aware that mod_rewrite (RewriteRule, RewriteBase, and RewriteCond) code is executed for each and every HTTP request that accesses a file in or below the directory where the code resides, so it’s always good to limit the code to certain circumstances if readily identifiable.

For example, to limit the next 5 RewriteRules to only be applied to .html and .php files, you can use the following code, which tests if the url does not end in .html or .php and if it doesn’t, it will skip the next 5 RewriteRules.

RewriteRule !\.(html|php)$ - [S=5]  
RewriteRule ^.*-(vf12|vf13|vf5|vf35|vf1|vf10|vf33|vf8).+$ - [S=1]

.htaccess rewrite examples should begin with:

Options +FollowSymLinks     
RewriteEngine On  RewriteBase /

Require the www

Options +FollowSymLinks 
RewriteEngine On  
RewriteBase /  
RewriteCond %{HTTP_HOST} !^www\.yourdomain\.com$ [NC]  
RewriteRule ^(.*)$ http://www.yourdomain.com/$1 [R=301,L]

Loop Stopping Code

Sometimes your rewrites cause infinite loops, stop it with one of these rewrite code snippets.

RewriteCond %{REQUEST_URI} ^/(stats/|missing\.html|failed_auth\.html|error/).* [NC]  
RewriteRule .* - [L]     
RewriteCond %{ENV:REDIRECT_STATUS} 200  
RewriteRule .* - [L]

Cache-Friendly File Names

This is probably my favorite, and I use it on every site I work on. It allows me to update my javascript and css files in my visitors cache’s simply by naming them differently in the html, on the server they stay the same name. This rewrites all files for /zap/j/anything-anynumber.js to /zap/j/anything.js and /zap/c/anything-anynumber.css to /zap/c/anything.css

RewriteRule ^zap/(j|c)/([a-z]+)-([0-9]+)\.(js|css)$ /zap/$1/$2.$4 [L]

SEO friendly link for non-flash browsers

When you use flash on your site and you properly supply a link to download flash that shows up for non-flash aware browsers, it is nice to use a shortcut to keep your code clean and your external links to a minimum. This code allows me to link to site.com/getflash/ for non-flash aware browsers.

RewriteRule ^getflash/?$ http://www.adobe.com/shockwave/download/download.cgi?P1_Prod_Version=ShockwaveFlash [NC,L,R=307]

Removing the Query_String

On many sites, the page will be displayed for both page.html and page.html?anything=anything, which hurts your SEO with duplicate content. An easy way to fix this issue is to redirect external requests containing a query string to the same uri without the query_string.

RewriteCond %{THE_REQUEST} ^GET\ /.*\;.*\ HTTP/  
RewriteCond %{QUERY_STRING} !^$  
RewriteRule .* http://www.askapache.com%{REQUEST_URI}? [R=301,L]

Sending requests to a php script

This .htaccess rewrite example invisibly rewrites requests for all Adobe pdf files to be handled by /cgi-bin/pdf-script.php

RewriteRule ^(.+)\.pdf$  /cgi-bin/pdf-script.php?file=$1.pdf [L,NC,QSA]

Setting the language variable based on Client

For sites using multiviews or with multiple language capabilities, it is nice to be able to send the correct language automatically based on the clients preferred language.

RewriteCond %{HTTP:Accept-Language} ^.*(de|es|fr|it|ja|ru|en).*$ [NC]  
RewriteRule ^(.*)$ - [env=prefer-language:%1]

Deny Access To Everyone Except PHP fopen

This allows access to all files by php fopen, but denies anyone else.

RewriteEngine On  
RewriteBase /  
RewriteCond %{THE_REQUEST} ^.+$ [NC]  
RewriteRule .* - [F,L]

If you are looking for ways to block or deny specific requests/visitors, then you should definately read Blacklist with mod_rewrite. I give it a 10/10

Deny access to anything in a subfolder except php fopen

This can be very handy if you want to serve media files or special downloads but only through a php proxy script.

RewriteEngine On  
RewriteBase /  
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /([^/]+)/.*\ HTTP [NC]  
RewriteRule .* - [F,L]

Require no www

Options +FollowSymLinks  
RewriteEngine On  
RewriteBase /  
RewriteCond %{HTTP_HOST} !^yourdomain\.com$ [NC]  
RewriteRule ^(.*)$ http://yourdomain.com/$1 [R=301,L]

Check for a key in QUERY_STRING

Uses a RewriteCond Directive to check QUERY_STRING for passkey, if it doesn’t find it it redirects all requests for anything in the /logged-in/ directory to the /login.php script.

RewriteEngine On  RewriteBase /  
RewriteCond %{QUERY_STRING} !passkey  
RewriteRule ^/logged-in/(.*)$ /login.php [L]

Removes the QUERY_STRING from the URL

If the QUERY_STRING has any value at all besides blank than the?at the end of /login.php? tells mod_rewrite to remove the QUERY_STRING from login.php and redirect.

RewriteEngine On  RewriteBase /  
RewriteCond %{QUERY_STRING} .  
RewriteRule ^login.php /login.php? [L]

Fix for infinite loops

An error message related to this isRequest exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace.or you may seeRequest exceeded the limit,probable configuration error,Use 'LogLevel debug' to get a backtrace, orUse 'LimitInternalRecursion' to increase the limit if necessary

RewriteCond %{ENV:REDIRECT_STATUS} 200  
RewriteRule .* - [L]

External Redirect .php files to .html files (SEO friendly)

RewriteRule ^(.*)\.php$ /$1.html [R=301,L]

Internal Redirect .php files to .html files (SEO friendly)

Redirects all files that end in .html to be served from filename.php so it looks like all your pages are .html but really they are .php

RewriteRule ^(.*)\.html$ $1.php [R=301,L]

block access to files during certain hours of the day

Options +FollowSymLinks  
RewriteEngine On  
RewriteBase /  
# If the hour is 16 (4 PM) Then deny all access  
RewriteCond %{TIME_HOUR} ^16$  
RewriteRule ^.*$ - [F,L]

Rewrite underscores to hyphens for SEO URL

Options +FollowSymLinks  
RewriteEngine On  
RewriteBase /     
RewriteRule !\.(html|php)$ - [S=4]  
RewriteRule ^([^_]*)_([^_]*)_([^_]*)_([^_]*)_(.*)$ $1-$2-$3-$4-$5 [E=uscor:Yes]  
RewriteRule ^([^_]*)_([^_]*)_([^_]*)_(.*)$ $1-$2-$3-$4 [E=uscor:Yes]  
RewriteRule ^([^_]*)_([^_]*)_(.*)$ $1-$2-$3 [E=uscor:Yes]  
RewriteRule ^([^_]*)_(.*)$ $1-$2 [E=uscor:Yes]     
RewriteCond %{ENV:uscor} ^Yes$  
RewriteRule (.*) http://d.com/$1 [R=301,L]

Require the www without hardcoding

Options +FollowSymLinks  
RewriteEngine On  RewriteBase /  
RewriteCond %{HTTP_HOST} !^www\.[a-z-]+\.[a-z]{2,6} [NC]  
RewriteCond %{HTTP_HOST} ([a-z-]+\.[a-z]{2,6})$     [NC]  
RewriteRule ^/(.*)$ http://%1/$1 [R=301,L]

Require no subdomain

RewriteEngine On  
RewriteBase /  
RewriteCond %{HTTP_HOST} \.([a-z-]+\.[a-z]{2,6})$ [NC]  
RewriteRule ^/(.*)$ http://%1/$1 [R=301,L]

Require no subdomain

RewriteEngine On  
RewriteBase /  
RewriteCond %{HTTP_HOST} \.([^\.]+\.[^\.0-9]+)$  
RewriteRule ^(.*)$ http://%1/$1 [R=301,L]

Redirecting Wordpress Feeds to Feedburner

RewriteEngine On  
RewriteBase /  
RewriteCond %{REQUEST_URI} ^/feed\.gif$  
RewriteRule .* - [L]     
RewriteCond %{HTTP_USER_AGENT} !^.*(FeedBurner|FeedValidator) [NC]  
RewriteRule ^feed/?.*$ http://feeds.feedburner.com/apache/htaccess [L,R=302]     
RewriteCond %{REQUEST_FILENAME} !-f  
RewriteCond %{REQUEST_FILENAME} !-d  
RewriteRule . /index.php [L]

Only allow GET and PUT Request Methods

RewriteEngine On  
RewriteBase /  
RewriteCond %{REQUEST_METHOD} !^(GET|PUT)  
RewriteRule .* - [F]

Prevent Files image/file hotlinking and bandwidth stealing

RewriteEngine On  
RewriteBase /  
RewriteCond %{HTTP_REFERER} !^$  
RewriteCond %{HTTP_REFERER} !^http://(www\.)?askapache.com/.*$ [NC]  
RewriteRule \.(gif|jpg|swf|flv|png)$ /feed/ [R=302,L]

Stop browser prefetching

RewriteEngine On  
SetEnvIfNoCase X-Forwarded-For .+ proxy=yes  
SetEnvIfNoCase X-moz prefetch no_access=yes     
# block pre-fetch requests with X-moz headers  
RewriteCond %{ENV:no_access} yes  
RewriteRule .* - [F,L]

27 Apache Request Methods for rewritecond in htaccess

noreply@blogger.com (Unknown) — Mon, 5 Oct 2009 03:55:00 -0700

Introduction

The Request Method, as supplied in the REQUEST_METHOD meta-variable, identifies the processing method to be applied by the script in producing a response.

The script author can choose to implement the methods most appropriate for the particular application.

If the script receives a request with a method it does not support it SHOULD reject it with an error.

List of the 27 Request Methods Recognized by Apache

POST

DELETE

CONNECT

OPTIONS

TRACE

PATCH

PROPFIND

PROPPATCH

MKCOL

COPY

MOVE

LOCK

UNLOCK

VERSION_CONTROL

CHECKOUT

UNCHECKOUT

CHECKIN

UPDATE

LABEL

REPORT

MKWORKSPACE

MKACTIVITY

BASELINE_CONTROL

MERGE

INVALID

GET

The GET method indicates that the script should produce a document based on the meta-variable values. By convention, the GET method is ’safe’ and ‘idempotent’ and SHOULD NOT have the significance of taking an action other than producing a document.

The meaning of the GET method may be modified and refined by protocol-specific meta-variables.

POST

The POST method is used to request the script perform processing and produce a document based on the data in the request message-body, in addition to meta-variable values. A common use is form submission in HTML [18], intended to initiate processing by the script that has a permanent affect, such a change in a database.

The script MUST check the value of the CONTENT_LENGTH variable before reading the attached message-body, and SHOULD check the CONTENT_TYPE value before processing it.

HEAD

The HEAD method requests the script to do sufficient processing to return the response header fields, without providing a response message-body. The script MUST NOT provide a response message-body for a HEAD request. If it does, then the server MUST discard the message-body when reading the response from the script.

OPTIONS

The OPTIONS method represents a request for information about the communication options available on the request/response chain identified by the Request-URI. This method allows the client to determine the options and/or requirements associated with a resource, or the capabilities of a server, without implying a resource action or initiating a resource retrieval.

Responses to this method are not cacheable.

If the OPTIONS request includes an entity-body (as indicated by the presence of Content-Length or Transfer-Encoding), then the media type MUST be indicated by a Content-Type field. Although this specification does not define any use for such a body, future extensions to HTTP might use the OPTIONS body to make more detailed queries on the server. A server that does not support such an extension MAY discard the request body.

If the Request-URI is an asterisk (“*”), the OPTIONS request is intended to apply to the server in general rather than to a specific resource. Since a server’s communication options typically depend on the resource, the “*” request is only useful as a “ping” or “no-op” type of method; it does nothing beyond allowing the client to test the capabilities of the server. For example, this can be used to test a proxy for HTTP/1.1 compliance (or lack thereof). If the Request-URI is not an asterisk, the OPTIONS request applies only to the options that are available when communicating with that resource.

A 200 response SHOULD include any header fields that indicate optional features implemented by the server and applicable to that resource (e.g., Allow), possibly including extensions not defined by this specification. The response body, if any, SHOULD also include information about the communication options. The format for such a body is not defined by this specification, but might be defined by future extensions to HTTP. Content negotiation MAY be used to select the appropriate response format. If no response body is included, the response MUST include a Content-Length field with a field-value of “0″.

The Max-Forwards request-header field MAY be used to target a specific proxy in the request chain. When a proxy receives an OPTIONS request on an absoluteURI for which request forwarding is permitted, the proxy MUST check for a Max-Forwards field. If the Max-Forwards field-value is zero (“0″), the proxy MUST NOT forward the message; instead, the proxy SHOULD respond with its own communication options. If the Max-Forwards field-value is an integer greater than zero, the proxy MUST decrement the field-value when it forwards the request. If no Max-Forwards field is present in the request, then the forwarded request MUST NOT include a Max-Forwards field.

PUT

The PUT method requests that the enclosed entity be stored under the supplied Request-URI. If the Request-URI refers to an already existing resource, the enclosed entity SHOULD be considered as a modified version of the one residing on the origin server. If the Request-URI does not point to an existing resource, and that URI is capable of being defined as a new resource by the requesting user agent, the origin server can create the resource with that URI. If a new resource is created, the origin server MUST inform the user agent via the 201 (Created) response. If an existing resource is modified, either the 200 (OK) or 204 (No Content) response codes SHOULD be sent to indicate successful completion of the request. If the resource could not be created or modified with the Request-URI, an appropriate error response SHOULD be given that reflects the nature of the problem. The recipient of the entity MUST NOT ignore any Content-* (e.g. Content-Range) headers that it does not understand or implement and MUST return a 501 (Not Implemented) response in such cases.

If the request passes through a cache and the Request-URI identifies one or more currently cached entities, those entries SHOULD be treated as stale. Responses to this method are not cacheable.

The fundamental difference between the POST and PUT requests is reflected in the different meaning of the Request-URI. The URI in a POST request identifies the resource that will handle the enclosed entity. That resource might be a data-accepting process, a gateway to some other protocol, or a separate entity that accepts annotations. In contrast, the URI in a PUT request identifies the entity enclosed with the request — the user agent knows what URI is intended and the server MUST NOT attempt to apply the request to some other resource. If the server desires that the request be applied to a different URI, it MUST send a 301 (Moved Permanently) response; the user agent MAY then make its own decision regarding whether or not to redirect the request.

A single resource MAY be identified by many different URIs. For example, an article might have a URI for identifying “the current version” which is separate from the URI identifying each particular version. In this case, a PUT request on a general URI might result in several other URIs being defined by the origin server.

HTTP/1.1 does not define how a PUT method affects the state of an origin server.

PUT requests MUST obey the message transmission requirements.

Unless otherwise specified for a particular entity-header, the entity-headers in the PUT request SHOULD be applied to the resource created or modified by the PUT.

DELETE

The DELETE method requests that the origin server delete the resource identified by the Request-URI. This method MAY be overridden by human intervention (or other means) on the origin server. The client cannot be guaranteed that the operation has been carried out, even if the status code returned from the origin server indicates that the action has been completed successfully. However, the server SHOULD NOT indicate success unless, at the time the response is given, it intends to delete the resource or move it to an inaccessible location.

A successful response SHOULD be 200 (OK) if the response includes an entity describing the status, 202 (Accepted) if the action has not yet been enacted, or 204 (No Content) if the action has been enacted but the response does not include an entity.

If the request passes through a cache and the Request-URI identifies one or more currently cached entities, those entries SHOULD be treated as stale. Responses to this method are not cacheable.

TRACE

The TRACE method is used to invoke a remote, application-layer loop- back of the request message. The final recipient of the request SHOULD reflect the message received back to the client as the entity-body of a 200 (OK) response. The final recipient is either the origin server or the first proxy or gateway to receive a Max-Forwards value of zero (0) in the request (see section 14.31). A TRACE request MUST NOT include an entity.

TRACE allows the client to see what is being received at the other end of the request chain and use that data for testing or diagnostic information. The value of the Via header field (section 14.45) is of particular interest, since it acts as a trace of the request chain. Use of the Max-Forwards header field allows the client to limit the length of the request chain, which is useful for testing a chain of proxies forwarding messages in an infinite loop.

If the request is valid, the response SHOULD contain the entire request message in the entity-body, with a Content-Type of “message/http”. Responses to this method MUST NOT be cached.

CONNECT

This specification reserves the method name CONNECT for use with a proxy that can dynamically switch to being a tunnel e.g. SSL tunneling.

PHP Fatal error : Out of memory Problem

noreply@blogger.com (Unknown) — Wed, 2 Sep 2009 23:24:00 -0700

PHP Fatal error: Out of memoryProblem. Let see how to solve this problem using various techniques.

The first thing I could think of was to restart the Apache httpd service. This immediately solved the issue. but I knew this is not a permanent fix for the issue. When I researched further, I got to know that the
error comes when certain PHP scripts require more memory than PHP was allowed by default.

So the solution is to increase the memory allocated for

PHP. How to do that? There are 4 possible ways -

1. Try looking for the php.ini file. You might find some redundant php.ini files, so make sure you have got the one which is actually being read by PHP. o be sure, create a new php file in your root folder, say “check.php” and have phpInfo(); within the php open and close tags. Execute this file to get the information on where the php.ini is residing. Normally it will be in /usr/local/lib/php.ini

Open the php.ini file in a text editor like TextPad (not in Notepad) and change the values for memory_limit. By default you should see memory_limit = 8M. Try changing it to 12M. If it doesn’t work, increase it to 16M or even 24M and so on.

2. In case you can’t find the php.ini file or do not have access to it, then open up the file which was throwing the error (test.php in my case) and add a line below just after ini_set(’memory_limit’, lsquo;12M’);

3. You can even consider adding a line in .htaccess file which will resolve the issue.
php_value memory_limit 32M

4. Or else, Try adding this line to your wp-config.php file:

Increasing memory allocated to PHP
define('WP_MEMORY_LIMIT', '32M');

If none of the above things solve your issue, then talk to you host.

Note: I am now worrying on which PHP script required an increase in memory allocation. The analysis won’t be so easy though.

Optimize MySQL response time Techniques

noreply@blogger.com (Unknown) — Sun, 16 Aug 2009 21:43:00 -0700

High loaded / Heavy Traffic website can get slow to respond when a lot of different visitors visit sites querying the same mysql database server, making it slow to respond.

There is many ways you can improve mysql server response time:

- by modifying the cache size
- stopping dns resolution ....

Let's see how to implement that.

Sometime it may happen when we got troubles with our databases system. The mysql servers were slow to respond, but when we were logging into those machines, the load was fine, there were quite a few queries going on, but mysql didn't report it was overwhelmed.

1. Disable DNS Hostname Lookup

After seeking out the reason why the traffic wasn't going flawlessly, we determine that the mysql server was doing loads of name resolution queries!!!! What for? Why would that machine to a hostname resolution when only local network machines connect to it.

Seeking out in mysqld manual page, we found that this could be disabled by adding the --skip-name-resolve switch.

Under debian based system, such as ubuntu, knoppix ... and on most linux distribution, mysql configuration files are located in /etc/mysql/my.cnf.

In order to apply the --skip-name-resolve switch when you start mysqld, simply add:

[mysqld]
.....
......
skip-name-resolve

NOTE: When this option is activated, you can only use IP numbers in the MySQL Grant table.

With DNS hostname resolution:

date; mysql -u root -h 192.168.1.4 ; date
Fri Jul 21 23:56:58 CEST 2006
ERROR 1130 (00000): Host '192.168.1.3' is not allowed to connect to this MySQL server

Fri Jul 21 23:57:00 CEST 2006

it take 2-3 seconds before the server reply that the client IP is not allowed to connect.

Once DNS hostname lookup is disabled:

date; mysql -u root -h 192.168.1.4 ; date

Fri Jul 21 23:56:37 CEST 2006

ERROR 1130 (00000): Host '192.168.1.3' is not allowed to connect to this MySQL server

Fri Jul 21 23:56:37 CEST 2006

The server is replying instantly.

2. Activate Query Cache

After we resolved that issue, we started seeing the database server load increasing, the response time was good after the previous change, but now, we had to lighten a bit the mysql database server's load.

By checking the Query cache memory:

mysql> SHOW STATUS LIKE 'Qcache%';

we could see that no query cache memory was left. It was neccessary to increase the query cache size.

To get an overview of your query_cache variables state, use the following syntax:

mysql> SHOW VARIABLES LIKE '%query_cache%';

You need to have the query cache enabled in the first place (have_query_cache | YES) and make sure that query_cache_type is set to ON. This is usually activated by default on most linux distribution.

Now, you can increase the query cache size (let say you want 50M) using:

mysql> SET GLOBAL query_cache_size = 52428800;

If you want this setting to be kept when restarting mysql, add:

[mysqld]
...
...
query_cache_size = 52428800;

query_cache_type = 1

3. Summary:

After doing those changes, there were much more queries resolved from the cache, the effect was that the server was responding quickly without calculating too much has most of the queries where cached.

Protecting Script using SQL injection For MySQL with PHP

noreply@blogger.com (Unknown) — Wed, 10 Jun 2009 06:03:00 -0700

If you are running a dynamic website coded in PHP, chances are you'll be using
MySQL for storing content or information.

MySQL is very well suited for running anything from small personal websites to large corporate
systems, as it is both simple to use and scalable. However, it is easy to overlook potential
security problems, especially if you don't have much experience.

Example

For instance, you may have a login script for a secure page of your site:

<?php # Database connection code here $result=mysql_query('select * from users where user="'.$_POST['username'].'" and pass="'.$_POST['password'].'"'); if(mysql_num_rows($result)==0): # Username or password incorrect exit; endif; # Send user protected page ?>

So for instance, if somebody sent " or ""=" for the username and the password,
the SQL query sent to the database would read: select * from users where user="" or ""="" and pass="" or ""="", which would allow access to the protected page without a
valid username or password. This method is called SQL Injection.

Escaping

To prevent this from happening, the data provided by the user need to be 'escaped' - this means
putting backslashes in front of quotes, backslashes and other special characters.

This means that the MySQL engine will recognise that the quotes are part of the string, which
prevents SQL injection.

PHP has a built in function that is intended for escaping strings, called addslashes().

For instance, passing the form data from our example through addslashes would result in select * from users where user="\" or \"\"=\"" and pass="\" or \"\"=\"" being passed to the database, which can
be correctly interpreted by MySQL.

Magic Quotes

PHP has a feature called 'Magic Quotes', which automatically escapes get, post and cookie data, as if
addslashes had been called on them. The idea of this is to prevent scripts written by
inexperienced coders being vulnerable to SQL injection.

However, there are several problems with this feature:

Addslashes doesn't escape data exactly right for MySQL databases. (The MySQL function
MySQL_real_escape_string() should really be used instead)

Magic quotes can give programmers a false sense of security, and makes scripts completely
vulnerable if the option is turned off.

It has the irritating side effect that form inputs used in other parts of scripts have slashes added to
them, which can be very puzzling for beginners, and adds extra coding to remove them again.

Because of these reasons, magic quotes are turned off by default in PHP 5, although they are on
by default in PHP 4.

Best Practice

To keep your code portable and protected against vulnerabilities whether Magic Quotes is enabled or not,
it is best to use a function similar to the one below:

<?php function proper_escape($datastring) { # Strip slashes if data has already been escaped by magic quotes if(get_magic_quotes_gpc()): $datastring=stripslashes($datastring); endif; # Escape string properly & return return mysql_real_escape_string($datastring); } ?>

Call this when sending input data to the MySQL database like: proper_escape($_POST['username']).

MySQL Regular Expressions - Part 3

noreply@blogger.com (Unknown) — Tue, 20 Jan 2009 04:11:00 -0800

What are Regular Expressions?

The term regular expressions is one of those technical terms where the words do very little to explain what the technology does. regular expressions are a feature common to many programming languages and are a topic on which entire can, and indeed, have been written. Fortunately (or unfortunately depending on your perspective), MySQL does not provide as extensive support for regualr expressions as some other programming languages. This is good in that it makes the subject area easier to learn, but may be frustrating if you are already proficient with the rich regular expression syntax available in other languages.

Regular expressions are essentially a set of instructions using a predefined syntax for matching text in a variety of flexible ways. For example, you might want to extract all the occurrences of a particular word sequence from a block of text. You might also want to perform a search for a particular piece of text and replace it with some alternate text.

Regular Expression Character Matching

In order to introduce the REGEXP operator, we will begin by looking at a use of regular expressions that could similarly be used with the LIKE operator. As in the previous chapter we need to retrieve rows from a table taking into consideration the difference in spelling of the color gray (grey). To perform this retrieval we will use the regex dot character matching (.). Rather like the LIKE underscore wildcard, this character indicates that any character in this position in the text will be considered a match. For example:

 
mysql> SELECT * FROM product WHERE prod_name REGEXP 'Gr.y Computer Case';
+-----------+--------------------+-------------------+
| prod_code | prod_name          | prod_desc         |
+-----------+--------------------+-------------------+
|        11 | Grey Computer Case | ATX PC CASE       |
|        12 | Gray Computer Case | ATX PC CASE (USA) |
+-----------+--------------------+-------------------+
2 rows in set (0.05 sec)

So far we haven't done anything that could not have been achieved using wildcards. Regular expressions, however, do not stop here.

Matching from a Group of Characters

One problem with the approach outlined above is that any letter between the 'Gr' and the 'y' would have registered as a match. In reality we are only interested in words that contain either an 'a' or an 'e' in that location. Fortunately, regular expressions allow us to specify a group of acceptable character matches for any character position. The syntax for this requires that the characters be places in square brackets at the desired location in the match text. For example:

 
mysql> SELECT * FROM product WHERE prod_name REGEXP 'Gr[ae]y Computer Case';
+-----------+--------------------+-------------------+
| prod_code | prod_name          | prod_desc         |
+-----------+--------------------+-------------------+
|        11 | Grey Computer Case | ATX PC CASE       |
|        12 | Gray Computer Case | ATX PC CASE (USA) |
+-----------+--------------------+-------------------+
2 rows in set (0.00 sec)

Use of this syntax ensures that only the words 'Grey' and 'Gray will match the search criteria. There is no limit to the number of characters that can be grouped in the brackets when using this filtering technique.

Matching from a Range of Characters

The character group matching syntax can be extended to cover range of characters. For example, instead of declaring a regular expression to cover the letters between A and F as [ABCDEF] we could simply specify a range of characters using the '-' character between the upper and lower ranges [A-F]. We could, for example, list a product based on certian model numbers which begin with numbers ranging from 1 to 6:

 
mysql> SELECT * FROM product WHERE prod_name REGEXP 'CD-RW Model [1-6]543';
+-----------+------------------+-----------+
| prod_code | prod_name        | prod_desc |
+-----------+------------------+-----------+
|         1 | CD-RW Model 4543 | CD Writer |
|        14 | CD-RW Model 5543 | CD Writer |
|        15 | CD-RW Model 6543 | CD Writer |
|        16 | CD-RW Model 2543 | CD Writer |
+-----------+------------------+-----------+
4 rows in set (0.00 sec)

Handling Special Characters

As you have seen, regular expressions assign special meaning to particular characters. For example the dot (.) and square brackets ([]) all have special meaning. Those who studying critical thinking at college will already be questioning what to do if the character sequence that is the subject of a search contains one or more of these characters. Obviously if you are are looking for the following text that looks like a regular expression, the text for which you want to search is, itself, going to be viewed as regular expression syntax.

To address this issue, a concept known as escaping is used. In SQL, escaping involves preceding any characters that may be mis-interpreted as a regular expression special character with double back slashes (\\). For example, suppose we have a row in our product table which reads as follows:

 
+-----------+--------------------+-----------+
| prod_code | prod_name          | prod_desc |
+-----------+--------------------+-----------+
|        17 | CD-RW Model [7543] | CD Writer |
+-----------+--------------------+-----------+

If we were to search for this without regard to the fact that the prod_name value contains regular expression special characters we will not get what we wanted:

 
mysql> SELECT * FROM product WHERE prod_name REGEXP 'CD-RW Model [7543]';
+-----------+------------------+-----------+
| prod_code | prod_name        | prod_desc |
+-----------+------------------+-----------+
|         1 | CD-RW Model 4543 | CD Writer |
|        14 | CD-RW Model 5543 | CD Writer |
+-----------+------------------+-----------+
2 rows in set (0.00 sec)

The cause of the problem is that the regular expression has been interpreted as a search for any entries that read 'CD-RW Model' followed by either a 7, 5, 4 or 3. Clearly, what we wanted was the actual text [7543]. If instead we escape the brackets with the \\ escape sequence we get the result we want:

 
mysql> SELECT * FROM product WHERE prod_name REGEXP 'CD-RW Model \\[7543\\]';
+-----------+--------------------+-----------+
| prod_code | prod_name          | prod_desc |
+-----------+--------------------+-----------+
|        17 | CD-RW Model [7543] | CD Writer |
+-----------+--------------------+-----------+
1 row in set (0.00 sec)

Regular Expressions and Whitespace Characters

Regular expression syntax also provides a mechanism to reference whitespace characters such as tabs, carriage returns and line feeds. These are referenced in a regular expression using metacharacters. These metacharacters are outlined in the following table:

Metacharacter	Description
\\n	New line (line feed)
\\f	Form feed
\\t	Tab
\\r	Carriage return
\\v	Vertical tab

Matching by Character Type

Another useful regular expression trick is to match characters by type or class. For example we might need to specify that a character must be a letter, a number or a alphanumeric. This involves the use of some special class definitions outlines in the following table. Some examples of these special classes in action follow the table:

Class Keyword	Description of Matches
[[:alnum:]]	Alphanumeric - any number or letter. Equivalent to [a-z], [A-Z] and [0-9]
[[:alpha:]]	Alpha - any letter. Equivalent to [a-z] and [A-Z]
[[:blank:]]	Space or Tab. Equivalent to [\\t] and [ ]
[[:cntrl:]]	ASCII Control Character
[[:digit:]]	Numeric. Equivalent to [0-9]
[[:graph:]]	Any character with the exception of space
[[:lower:]]	Lower case letters. Equivalent to [a-z]
[[:print:]]	Any printable character
[[:punct:]]	Characters that are neither control characters, nor alphanumeric (i.e punctuation characters)
[[:space:]]	Any whitespace character (tab, new line, form feed, space etc)
[[:upper:]]	Upper case letters. Equivalent to [A-Z]
[[:xdigit:]]	Any hexadecimal digit. Equivalent to [A-F], [a-f] and [0-9]

Let's now look at some examples. Suppose in our product database we have two products with similar names, the 'One&One VoIP Headset' and the "One2One USB Hub'. In order to retrieve the 'One2One' product we would use the [:digit:] character class:

 
mysql> SELECT * FROM product WHERE prod_name REGEXP 'One[[:digit:]]One';
+-----------+-----------------+----------------+
| prod_code | prod_name       | prod_desc      |
+-----------+-----------------+----------------+
|        19 | One2One USB Hub | 4 Port USB Hub |
+-----------+-----------------+----------------+
1 row in set (0.00 sec)

Similarly, to extract the 'One&One' product we would use the [:punct:] class:

 
mysql> SELECT * FROM product WHERE prod_name REGEXP 'One[[:punct:]]One';
+-----------+----------------------+----------------+
| prod_code | prod_name            | prod_desc      |
+-----------+----------------------+----------------+
|        18 | One&One VoIP Headset | Stereo Headset |
+-----------+----------------------+----------------+
1 row in set (0.02 sec)

Regular Expression Repetition Metacharacters

In addition to allowing searches on single instances, regular expressions can also be written to look for repetition in text. this is achieved using a set of repetition metacharacters:

Metacharacter	Description
*	Any number of matches
+	One or more matches
{n}	n number of matches
{n,}	Not less than n number of matches
{n1,n2}	A range of matches between n1 and n2
?	Optional single character match (character my be present or not to qualify for a match)

As always, example do a much better job of demonstrating a concept than data in a table. Let's begin by searching for all 4 digit number sequences in our prod_name column:

 
mysql> SELECT * FROM product WHERE prod_name REGEXP '[[:digit:]]{3}';
+-----------+---------------------+-----------------+
| prod_code | prod_name           | prod_desc       |
+-----------+---------------------+-----------------+
|         1 | CD-RW Model 4543    | CD Writer       |
|         2 | EasyTech Mouse 7632 | Cordless Mouse  |
|         3 | WildTech 250Gb 1700 | SATA Disk Drive |
|         7 | Dell XPS 400        | Desktop PC      |
|        14 | CD-RW Model 5543    | CD Writer       |
|        15 | CD-RW Model 6543    | CD Writer       |
|        16 | CD-RW Model 2543    | CD Writer       |
|        17 | CD-RW Model [7543]  | CD Writer       |
+-----------+---------------------+-----------------+
8 rows in set (0.00 sec)

In the above example we have indicated that we are looking for any sequence of 3 digits by using the digit:{3} regular expression. In this case we have picked up entries with both 3 and 4 digits in a sequence. Suppose, instead we wanted only 4 digit sequences:

 
mysql> SELECT * FROM product WHERE prod_name REGEXP '[[:digit:]]{4,}';
+-----------+---------------------+-----------------+
| prod_code | prod_name           | prod_desc       |
+-----------+---------------------+-----------------+
|         1 | CD-RW Model 4543    | CD Writer       |
|         2 | EasyTech Mouse 7632 | Cordless Mouse  |
|         3 | WildTech 250Gb 1700 | SATA Disk Drive |
|        14 | CD-RW Model 5543    | CD Writer       |
|        15 | CD-RW Model 6543    | CD Writer       |
|        16 | CD-RW Model 2543    | CD Writer       |
|        17 | CD-RW Model [7543]  | CD Writer       |
+-----------+---------------------+-----------------+
7 rows in set (0.00 sec)

Here we see that our Dell XPS 400 is no longer listed because it has only 3 digits.

The '?' metacharacter is particularly useful when we need to allow for plural words. For example, we may want to list any product descriptions where the word Drive or Drives is used. To achieve this we simply follow the 's' with a '?', thereby making the trailing 's' optional for a match:

 




mysql> SELECT * FROM product WHERE prod_desc REGEXP 'Drives?';
+-----------+------------------------+--------------------+
| prod_code | prod_name              | prod_desc          |
+-----------+------------------------+--------------------+
|         3 | WildTech 250Gb 1700    | SATA Disk Drive    |
|        20 | MasterSlave Multi-pack | 5 SATA Disk Drives |
+-----------+------------------------+--------------------+
2 rows in set (0.00 sec)

Matching by Text Position

The final area of regular expressions to cover in this chapter involves matching based on the location of text in a string. For example, we may want to find a particular match that requires that a word appears at the beginning or end of a piece of text. Once again, this requires the use of some special metacharacters:

Metacharacter	Description
^	Beginning of text
$	End of text
[[:<:]]	Start of word
[[:>:]]	End of word

For example, to search for text that begins with a digit:

 
mysql> SELECT prod_desc FROM product WHERE prod_desc REGEXP '^[[:digit:]]';
+--------------------+
| prod_desc          |
+--------------------+
| 4 Port USB Hub     |
| 5 SATA Disk Drives |
+--------------------+
2 rows in set (0.00 sec)

Similarly, to search for text which ends in the word 'Phone':

 
mysql> SELECT prod_desc FROM product WHERE prod_desc REGEXP 'Phone$';
+--------------+
| prod_desc    |
+--------------+
| Smart Phone  |
| Mobile Phone |
+--------------+
2 rows in set (0.00 sec)

We can also find instances where string of characters are a separate word. For example if we search for the word 'one' we might get the following:

 
mysql> SELECT prod_name FROM product WHERE prod_name REGEXP 'one';
+----------------------+
| prod_name            |
+----------------------+
| Apple iPhone 8Gb     |
| One2One USB Hub      |
| Level One Firewall   |
+----------------------+
3 rows in set (0.00 sec)

As we can see from the above example, because the word 'Phone' contains the word 'one' we have retrieved more rows than we anticipated. Using the beginning and and end of word metacharacters we can isolate the instances of 'one' which are a standalone word:

 
mysql> SELECT prod_name FROM product WHERE prod_name REGEXP '[[:<:]]One[[:>:]]';
+----------------------+
| prod_name            |
+----------------------+
| Level One Firewall   |
+----------------------+
1 row in set (0.00 sec)

MySQL Regular Expressions - Part 2

noreply@blogger.com (Unknown) — Tue, 20 Jan 2009 02:14:00 -0800

Regular Expressions in MySQL

Introduction

A very interesting and useful capability of MySQL is to incorporate Regular Expressions (regex) in SQL queries. The regular expression support in MySQL is extensive. Let's take a look at using Regular Expressions in queries and the supported metacharacters.

Using Regular Expressions in queries

A simple example of using Regular Expressions in a SQL query would be to select all names from a table that start with 'A'.

Code: SQL

SELECT name FROM employees WHERE name REGEXP '^A'

A slight modification in the above example to look for names starting with 'A' or 'D' or 'F' will look like this.

Code: SQL

SELECT name FROM employees WHERE name REGEXP '^(A|D|F)'

If we want to select all names ending with 'P', then the SQL query goes like this

Code: SQL

SELECT name FROM employees WHERE name REGEXP 'P$'

We can use much complex patterns in our SQL queries, but first let's have a look at various MySQL Regular Expression metacharacters.

Regular Expression Metacharacters

*

Matches zero or more instances of the string preceding it

Matches one or more instances of the string preceding it

Matches zero or one instances of the string preceding it

Matches any single character, except a newline

[xyz]

Matches any of x, y, or z (match one of enclosed characters)

[^xyz]

Matches any character not enclosed

[A-Z]

Matches any uppercase letter

[a-z]

Matches any lowercase letter

[0-9]

Matches any digit

Anchors the match from the beginning

Anchors the match to the end

Separates alternatives

{n,m}

String must occur at least n times, but not more than m times

{n}

String must occur exactly n times

{n,}

String must occur at least n times

[[:<:]]

Matches beginning of words

[[:>:]]

Matches ending of words

[:class:]

match a character class i.e.,

[:alpha:] for letters

[:space:] for whitespace

[:punct:] for punctuation

[:upper:] for upper case letters

Extras

MySQL interprets a backslash (\) character as an escape character. To use a backslash in a regular expression, you must escape it with another backslash (\\).

Whether the Regular Expression match is case sensitive or otherwise is decided by the collation method of the table. If your collation method name ends with ci then the comparison/match is case-insensitive, else if it end in cs then the match is case sensitive.

Examples

Checking only for numbers

Code: SQL

SELECT age FROM employees WHERE age REGEXP '^[0-9]+$'

/* starts, ends and contains numbers */

Contains a specific word, for example the skill PHP in skill sets

Code: SQL

SELECT name FROM employees WHERE skill_sets REGEXP '[[:<:]]php[[:>:]]'

Fetching records where employees have entered their 10-digit mobile number as the contact number.

Code: SQL

SELECT name FROM employees WHERE contact_no REGEXP '^[0-9]{10}$'

For more information refer http://dev.mysql.com/doc/refman/5.1/en/regexp.html

MySQL Regular Expressions - Part 1

noreply@blogger.com (Unknown) — Tue, 20 Jan 2009 02:02:00 -0800

A regular expression (regex) is a powerful way of specifying a complex search.

MySQL uses Henry Spencer's implementation of regular
expressions, which is aimed at conformance with POSIX
1003.2. MySQL uses the extended version.

This is a simplistic reference that skips the details. To get more exact
information, see Henry Spencer's regex(7) manual page that is
included in the source distribution. See section C Credits.

A regular expression describes a set of strings. The simplest regexp is
one that has no special characters in it. For example, the regexp
hello matches hello and nothing else.

Non-trivial regular expressions use certain special constructs so that
they can match more than one string. For example, the regexp
hello|word matches either the string hello or the string
word.

As a more complex example, the regexp B[an]*s matches any of the
strings Bananas, Baaaaas, Bs, and any other string
starting with a B, ending with an s, and containing any
number of a or n characters in between.

A regular expression may use any of the following special
characters/constructs:

^

Match the beginning of a string.

 
mysql> SELECT "fo\nfo" REGEXP "^fo$";           -> 0
mysql> SELECT "fofo" REGEXP "^fo";              -> 1

$

Match the end of a string.

 
mysql> SELECT "fo\no" REGEXP "^fo\no$";         -> 1
mysql> SELECT "fo\no" REGEXP "^fo$";            -> 0

.

Match any character (including newline).

 
mysql> SELECT "fofo" REGEXP "^f.*";             -> 1
mysql> SELECT "fo\nfo" REGEXP "^f.*";           -> 1

a*

Match any sequence of zero or more a characters.

 
mysql> SELECT "Ban" REGEXP "^Ba*n";             -> 1
mysql> SELECT "Baaan" REGEXP "^Ba*n";           -> 1
mysql> SELECT "Bn" REGEXP "^Ba*n";              -> 1

a+

Match any sequence of one or more a characters.

 
mysql> SELECT "Ban" REGEXP "^Ba+n";             -> 1
mysql> SELECT "Bn" REGEXP "^Ba+n";              -> 0

a?

Match either zero or one a character.

 
mysql> SELECT "Bn" REGEXP "^Ba?n";              -> 1
mysql> SELECT "Ban" REGEXP "^Ba?n";             -> 1
mysql> SELECT "Baan" REGEXP "^Ba?n";            -> 0

de|abc

Match either of the sequences de or abc.

 
mysql> SELECT "pi" REGEXP "pi|apa";             -> 1
mysql> SELECT "axe" REGEXP "pi|apa";            -> 0
mysql> SELECT "apa" REGEXP "pi|apa";            -> 1
mysql> SELECT "apa" REGEXP "^(pi|apa)$";        -> 1
mysql> SELECT "pi" REGEXP "^(pi|apa)$";         -> 1
mysql> SELECT "pix" REGEXP "^(pi|apa)$";        -> 0

(abc)*

Match zero or more instances of the sequence abc.

 
mysql> SELECT "pi" REGEXP "^(pi)*$";            -> 1
mysql> SELECT "pip" REGEXP "^(pi)*$";           -> 0
mysql> SELECT "pipi" REGEXP "^(pi)*$";          -> 1

{1}

{2,3}

The is a more general way of writing regexps that match many
occurrences of the previous atom.

a*: Can be written as a{0,}.
a+: Can be written as a{1,}.
a?: Can be written as a{0,1}.

To be more precise, an atom followed by a bound containing one integer
i and no comma matches a sequence of exactly i matches of
the atom. An atom followed by a bound containing one integer i
and a comma matches a sequence of i or more matches of the atom.
An atom followed by a bound containing two integers i and
j matches a sequence of i through j (inclusive)
matches of the atom.

Both arguments must be in the range from 0 to RE_DUP_MAX
(default 255), inclusive. If there are two arguments, the second must be
greater than or equal to the first.

[a-dX]

[^a-dX]

Matches
any character which is (or is not, if ^ is used) either a, b,
c, d or X. To include a literal ] character,
it must immediately follow the opening bracket [. To include a
literal - character, it must be written first or last. So
[0-9] matches any decimal digit. Any character that does not have
a defined meaning inside a [] pair has no special meaning and
matches only itself.

 
mysql> SELECT "aXbc" REGEXP "[a-dXYZ]";         -> 1
mysql> SELECT "aXbc" REGEXP "^[a-dXYZ]$";       -> 0
mysql> SELECT "aXbc" REGEXP "^[a-dXYZ]+$";      -> 1
mysql> SELECT "aXbc" REGEXP "^[^a-dXYZ]+$";     -> 0
mysql> SELECT "gheis" REGEXP "^[^a-dXYZ]+$";    -> 1
mysql> SELECT "gheisa" REGEXP "^[^a-dXYZ]+$";   -> 0

[[.characters.]]

The sequence of characters of that collating element. The sequence is a
single element of the bracket expression's list. A bracket expression
containing a multi-character collating element can thus match more than
one character, for example, if the collating sequence includes a ch
collating element, then the regular expression [[.ch.]]*c matches the
first five characters of chchcc.

[=character_class=]

An equivalence class, standing for the sequences of characters of all
collating elements equivalent to that one, including itself.

For example, if o and (+) are the members of an
equivalence class, then [[=o=]], [[=(+)=]], and
[o(+)] are all synonymous. An equivalence class may not be an
endpoint of a range.

[:character_class:]

Within a bracket expression, the name of a character class enclosed in
[: and :] stands for the list of all characters belonging
to that class. Standard character class names are:

Name	Name	Name
alnum	digit	punct
alpha	graph	space
blank	lower	upper
cntrl	print	xdigit

These stand for the character classes defined in the ctype(3) manual
page. A locale may provide others. A character class may not be used as an
endpoint of a range.

 
mysql> SELECT "justalnums" REGEXP "[[:alnum:]]+";       -> 1
mysql> SELECT "!!" REGEXP "[[:alnum:]]+";               -> 0

[[:<:]]

[[:>:]]

These match the null string at the beginning and end of a word
respectively. A word is defined as a sequence of word characters which
is neither preceded nor followed by word characters. A word character is
an alnum character (as defined by ctype(3)) or an underscore
(_).

 
mysql> SELECT "a word a" REGEXP "[[:<:]]word[[:>:]]";      -> 1
mysql> SELECT "a xword a" REGEXP "[[:<:]]word[[:>:]]";     -> 0

 
mysql> SELECT "weeknights" REGEXP "^(wee|week)(knights|nights)$"; -> 1

Date Diffrence In Days

noreply@blogger.com (Unknown) — Wed, 26 Nov 2008 04:26:00 -0800

Introduction

This code will give you the diffrence between the two dates in days.Some time it is required in the program to get diff. between two dates.It is so small and very efficient code.


//

// Any source code blocks look like this

//


        t1="10/10/2006" ;

        t2="15/10/2006";

 
   //Total time for one day

        var one_day=1000*60*60*24; 

//Here we need to split the inputed dates to convert them into standard format

for furter execution
        var x=t1.split("/");     
        var y=t2.split("/");
  //date format(Fullyear,month,date) 


        var date1=new Date(x[2],(x[1]-1),x[0]);
  
        var date2=new Date(y[2],(y[1]-1),y[0])
        var month1=x[1]-1;
        var month2=y[1]-1;
        
        //Calculate difference between the two dates, and convert to days


               
        _Diff=Math.ceil((date2.getTime()-date1.getTime())/(one_day)); 
//_Diff gives the diffrence between the two dates.

Mod Rewrite Tips and Examples

noreply@blogger.com (Unknown) — Fri, 22 Aug 2008 04:13:00 -0700

For example, to limit the next 5 RewriteRules to only be applied to .html and .php files, you can use the following code, which tests if the url does not end in .html or .php and if it doesn’t, it will skip the next 5 RewriteRules.

RewriteRule !\.(html|php)$ - [S=5]

RewriteRule ^.*-(vf12|vf13|vf5|vf35|vf1|vf10|vf33|vf8).+$ - [S=1]

.htaccess rewrite examples should begin with:

Options +FollowSymLinks

RewriteEngine On

RewriteBase /

Require the www

Options +FollowSymLinks

RewriteEngine On

RewriteBase /

RewriteCond %{HTTP_HOST} !^www\.askapache\.com$ [NC]

RewriteRule ^(.*)$ http://www.askapache.com/$1 [R=301,L]

Loop Stopping Code

Sometimes your rewrites cause infinite loops, stop it with one of these rewrite code snippets.

RewriteCond %{REQUEST_URI} ^/(stats/|missing\.html|failed_auth\.html|error/).* [NC]

RewriteRule .* - [L]

RewriteCond %{ENV:REDIRECT_STATUS} 200

RewriteRule .* - [L]

Cache-Friendly File Names

RewriteRule ^zap/(j|c)/([a-z]+)-([0-9]+)\.(js|css)$ /zap/$1/$2.$4 [L]

SEO friendly link for non-flash browsers

RewriteRule ^getflash/?$ http://www.adobe.com/shockwave/download/download.cgi?P1_Prod_Version=ShockwaveFlash [NC,L,R=307]

Removing the Query_String

RewriteCond %{THE_REQUEST} ^GET\ /.*\;.*\ HTTP/

RewriteCond %{QUERY_STRING} !^$

RewriteRule .* http://www.askapache.com%{REQUEST_URI}? [R=301,L]

Sending requests to a php script

This .htaccess rewrite example invisibly rewrites requests for all Adobe pdf files to be handled by /cgi-bin/pdf-script.php

RewriteRule ^(.+)\.pdf$ /cgi-bin/pdf-script.php?file=$1.pdf [L,NC,QSA]

Setting the language variable based on Client

For sites using multiviews or with multiple language capabilities, it is nice to be able to send the correct language automatically based on the clients preferred language.

RewriteCond %{HTTP:Accept-Language} ^.*(de|es|fr|it|ja|ru|en).*$ [NC]

RewriteRule ^(.*)$ - [env=prefer-language:%1]

Deny Access To Everyone Except PHP fopen

This allows access to all files by php fopen, but denies anyone else.

RewriteEngine On

RewriteBase /

RewriteCond %{THE_REQUEST} ^.+$ [NC]

RewriteRule .* - [F,L]

Deny access to anything in a subfolder except php fopen

This can be very handy if you want to serve media files or special downloads but only through a php proxy script.

RewriteEngine On

RewriteBase /

RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /([^/]+)/.*\ HTTP [NC]

RewriteRule .* - [F,L]

Require no www

Options +FollowSymLinks

RewriteEngine On

RewriteBase /

RewriteCond %{HTTP_HOST} !^askapache\.com$ [NC]

RewriteRule ^(.*)$ http://askapache.com/$1 [R=301,L]

Check for a key in QUERY_STRING

Uses a RewriteCond Directive to check QUERY_STRING for passkey, if it doesn’t find it it redirects all requests for anything in the /logged-in/ directory to the /login.php script.

RewriteEngine On

RewriteBase /

RewriteCond %{QUERY_STRING} !passkey

RewriteRule ^/logged-in/(.*)$ /login.php [L]

Removes the QUERY_STRING from the URL

If the QUERY_STRING has any value at all besides blank than the?at the end of /login.php? tells mod_rewrite to remove the QUERY_STRING from login.php and redirect.

RewriteEngine On

RewriteBase /

RewriteCond %{QUERY_STRING} .

RewriteRule ^login.php /login.php? [L]

Fix for infinite loops

RewriteCond %{ENV:REDIRECT_STATUS} 200

RewriteRule .* - [L]

External Redirect .php files to .html files (SEO friendly)

RewriteRule ^(.*)\.php$ /$1.html [R=301,L]

Internal Redirect .php files to .html files (SEO friendly)

Redirects all files that end in .html to be served from filename.php so it looks like all your pages are .html but really they are .php

RewriteRule ^(.*)\.html$ $1.php [R=301,L]

block access to files during certain hours of the day

Options +FollowSymLinks

RewriteEngine On

RewriteBase /

# If the hour is 16 (4 PM) Then deny all access

RewriteCond %{TIME_HOUR} ^16$

RewriteRule ^.*$ - [F,L]

Rewrite underscores to hyphens for SEO URL

Converts all underscores “_” in urls to hyphens “-” for SEO benefits… See the full article for more info.

Options +FollowSymLinks

RewriteEngine On

RewriteBase /

RewriteRule !\.(html|php)$ - [S=4]

RewriteRule ^([^_]*)_([^_]*)_([^_]*)_([^_]*)_(.*)$ $1-$2-$3-$4-$5 [E=uscor:Yes]

RewriteRule ^([^_]*)_([^_]*)_([^_]*)_(.*)$ $1-$2-$3-$4 [E=uscor:Yes]

RewriteRule ^([^_]*)_([^_]*)_(.*)$ $1-$2-$3 [E=uscor:Yes]

RewriteRule ^([^_]*)_(.*)$ $1-$2 [E=uscor:Yes]

RewriteCond %{ENV:uscor} ^Yes$

RewriteRule (.*) http://d.com/$1 [R=301,L]

Require the www without hardcoding

Options +FollowSymLinks

RewriteEngine On

RewriteBase /

RewriteCond %{HTTP_HOST} !^www\.[a-z-]+\.[a-z]{2,6} [NC]

RewriteCond %{HTTP_HOST} ([a-z-]+\.[a-z]{2,6})$ [NC]

RewriteRule ^/(.*)$ http://%1/$1 [R=301,L]

Require no subdomain

RewriteEngine On

RewriteBase /

RewriteCond %{HTTP_HOST} \.([a-z-]+\.[a-z]{2,6})$ [NC]

RewriteRule ^/(.*)$ http://%1/$1 [R=301,L]

Require no subdomain

RewriteEngine On

RewriteBase /

RewriteCond %{HTTP_HOST} \.([^\.]+\.[^\.0-9]+)$

RewriteRule ^(.*)$ http://%1/$1 [R=301,L]

Redirecting Wordpress Feeds to Feedburner

Full article:Redirecting Wordpress Feeds to Feedburner

RewriteEngine On

RewriteBase /

RewriteCond %{REQUEST_URI} ^/feed\.gif$

RewriteRule .* - [L]

RewriteCond %{HTTP_USER_AGENT} !^.*(FeedBurner|FeedValidator) [NC]

RewriteRule ^feed/?.*$ http://feeds.feedburner.com/apache/htaccess [L,R=302]

RewriteCond %{REQUEST_FILENAME} !-f

RewriteCond %{REQUEST_FILENAME} !-d

RewriteRule . /index.php [L]

Only allow GET and PUT Request Methods

Article: Request Methods

RewriteEngine On

RewriteBase /

RewriteCond %{REQUEST_METHOD} !^(GET|PUT)

RewriteRule .* - [F]

Prevent Files image/file hotlinking and bandwidth stealing

RewriteEngine On

RewriteBase /

RewriteCond %{HTTP_REFERER} !^$

RewriteCond %{HTTP_REFERER} !^http://(www\.)?askapache.com/.*$ [NC]

RewriteRule \.(gif|jpg|swf|flv|png)$ /feed/ [R=302,L]

Stop browser prefetching

RewriteEngine On

SetEnvIfNoCase X-Forwarded-For .+ proxy=yes

SetEnvIfNoCase X-moz prefetch no_access=yes

# block pre-fetch requests with X-moz headers

RewriteCond %{ENV:no_access} yes

RewriteRule .* - [F,L]

Make a prefetching hint for Firefox.

Header append Link "

</index.htm>

; rel=prefetch"

This module uses a rule-based rewriting engine (based on a regular-expression parser) to rewrite requested URLs on the fly. It supports an unlimited number of rules and an unlimited number of attached rule conditions for each rule, to provide a really flexible and powerful URL manipulation mechanism. The URL manipulations can depend on various tests, of server variables, environment variables, HTTP headers, or time stamps. Even external database lookups in various formats can be used to achieve highly granular URL matching.

This module operates on the full URLs (including the path-info part) both in per-server context (httpd.conf) and per-directory context (.htaccess) and can generate query-string parts on result. The rewritten result can lead to internal sub-processing, external request redirection or even to an internal proxy throughput.

Further details, discussion, and examples, are provided in the detailed mod_rewrite documentation.

Ebook Of Open Source CMS

noreply@blogger.com (Unknown) — Thu, 14 Aug 2008 04:59:00 -0700

Apress.Building.Online.Communities.With.Drupal.phpBB.and.WordPress.Dec.2005

Free Ebook for Apress Building Online Communities With Drupal phpBB and WordPress Dec 2005 Please Download this ebook freely and learn.

Dowanload Link :- Click here

Free e-book Pro Drupal Development (John K. VanDyk and Matt Westgate)

Download Link :- Click Here

PDF Protection

noreply@blogger.com (Unknown) — Fri, 13 Jun 2008 01:14:00 -0700

Informations

Author: Klemen Vodopivec

License: Freeware

Description

This script allows to protect the PDF, that is to say prevent people from copying its content, print it or modify it.

SetProtection([array permissions [, string user_pass [, string owner_pass]]])

permissions: the set of permissions. Empty by default (only viewing is allowed).

user_pass: user password. Empty by default.

owner_pass: owner password. If not specified, a random value is used.

The permission array is composed of values taken from the following ones:

copy: copy text and images to the clipboard

print: print the document

modify: modify it (except for annotations and forms)

annot-forms: add annotations and forms

Remark: the protection against modification is for people who have the full Acrobat product.

If you don't set any password, the document will open as usual. If you set a user password, the PDF viewer will ask for it before displaying the document. The master password, if different from the user one, can be used to get full access.

Note: protecting a document requires to encrypt it, which increases the processing time a lot. This can cause a PHP time-out in some cases, especially if the document contains images or fonts.

Source

<?php

/****************************************************************************

* Software: FPDF_Protection                                                 *

* Version:  1.02                                                            *

* Date:     2005/05/08                                                      *

* Author:   Klemen VODOPIVEC                                                *

* License:  Freeware                                                        *

*                                                                           *

* You may use and modify this software as you wish as stated in original    *

* FPDF package.                                                             *

*                                                                           *

* Thanks: Cpdf (http://www.ros.co.nz/pdf) was my working sample of how to   *

* implement protection in pdf.                                              *

****************************************************************************/

require('fpdf.php');

class FPDF_Protection extends FPDF

{

    var $encrypted;          //whether document is protected

    var $Uvalue;             //U entry in pdf document

    var $Ovalue;             //O entry in pdf document

    var $Pvalue;             //P entry in pdf document

    var $enc_obj_id;         //encryption object id

    var $last_rc4_key;       //last RC4 key encrypted (cached for optimisation)

    var $last_rc4_key_c;     //last RC4 computed key

    function FPDF_Protection($orientation='P',$unit='mm',$format='A4')

    {

        parent::FPDF($orientation,$unit,$format);

        $this->encrypted=false;

        $this->last_rc4_key='';

        $this->padding="\x28\xBF\x4E\x5E\x4E\x75\x8A\x41\x64\x00\x4E\x56\xFF\xFA\x01\x08".

                        "\x2E\x2E\x00\xB6\xD0\x68\x3E\x80\x2F\x0C\xA9\xFE\x64\x53\x69\x7A";

    }

    /**

    * Function to set permissions as well as user and owner passwords

    *

    * - permissions is an array with values taken from the following list:

    *   copy, print, modify, annot-forms

    *   If a value is present it means that the permission is granted

    * - If a user password is set, user will be prompted before document is opened

    * - If an owner password is set, document can be opened in privilege mode with no

    *   restriction if that password is entered

    */

    function SetProtection($permissions=array(),$user_pass='',$owner_pass=null)

    {

        $options = array('print' => 4, 'modify' => 8, 'copy' => 16, 'annot-forms' => 32 );

        $protection = 192;

        foreach($permissions as $permission){

            if (!isset($options[$permission]))

                $this->Error('Incorrect permission: '.$permission);

            $protection += $options[$permission];

        }

        if ($owner_pass === null)

            $owner_pass = uniqid(rand());

        $this->encrypted = true;

        $this->_generateencryptionkey($user_pass, $owner_pass, $protection);

    }

/****************************************************************************

*                                                                           *

*                              Private methods                              *

*                                                                           *

****************************************************************************/

    function _putstream($s)

    {

        if ($this->encrypted) {

            $s = $this->_RC4($this->_objectkey($this->n), $s);

        }

        parent::_putstream($s);

    }

    function _textstring($s)

    {

        if ($this->encrypted) {

            $s = $this->_RC4($this->_objectkey($this->n), $s);

        }

        return parent::_textstring($s);

    }

    /**

    * Compute key depending on object number where the encrypted data is stored

    */

    function _objectkey($n)

    {

        return substr($this->_md5_16($this->encryption_key.pack('VXxx',$n)),0,10);

    }

    /**

    * Escape special characters

    */

    function _escape($s)

    {

        $s=str_replace('\\','\\\\',$s);

        $s=str_replace(')','\\)',$s);

        $s=str_replace('(','\\(',$s);

        $s=str_replace("\r",'\\r',$s);

        return $s;

    }

    function _putresources()

    {

        parent::_putresources();

        if ($this->encrypted) {

            $this->_newobj();

            $this->enc_obj_id = $this->n;

            $this->_out('<<');

            $this->_putencryption();

            $this->_out('>>');

            $this->_out('endobj');

        }

    }

    function _putencryption()

    {

        $this->_out('/Filter /Standard');

        $this->_out('/V 1');

        $this->_out('/R 2');

        $this->_out('/O ('.$this->_escape($this->Ovalue).')');

        $this->_out('/U ('.$this->_escape($this->Uvalue).')');

        $this->_out('/P '.$this->Pvalue);

    }

    function _puttrailer()

    {

        parent::_puttrailer();

        if ($this->encrypted) {

            $this->_out('/Encrypt '.$this->enc_obj_id.' 0 R');

            $this->_out('/ID [()()]');

        }

    }

    /**

    * RC4 is the standard encryption algorithm used in PDF format

    */

    function _RC4($key, $text)

    {

        if ($this->last_rc4_key != $key) {

            $k = str_repeat($key, 256/strlen($key)+1);

            $rc4 = range(0,255);

            $j = 0;

            for ($i=0; $i<256; $i++){

                $t = $rc4[$i];

                $j = ($j + $t + ord($k{$i})) % 256;

                $rc4[$i] = $rc4[$j];

                $rc4[$j] = $t;

            }

            $this->last_rc4_key = $key;

            $this->last_rc4_key_c = $rc4;

        } else {

            $rc4 = $this->last_rc4_key_c;

        }

        $len = strlen($text);

        $a = 0;

        $b = 0;

        $out = '';

        for ($i=0; $i<$len; $i++){

            $a = ($a+1)%256;

            $t= $rc4[$a];

            $b = ($b+$t)%256;

            $rc4[$a] = $rc4[$b];

            $rc4[$b] = $t;

            $k = $rc4[($rc4[$a]+$rc4[$b])%256];

            $out.=chr(ord($text{$i}) ^ $k);

        }

        return $out;

    }

    /**

    * Get MD5 as binary string

    */

    function _md5_16($string)

    {

        return pack('H*',md5($string));

    }

    /**

    * Compute O value

    */

    function _Ovalue($user_pass, $owner_pass)

    {

        $tmp = $this->_md5_16($owner_pass);

        $owner_RC4_key = substr($tmp,0,5);

        return $this->_RC4($owner_RC4_key, $user_pass);

    }

    /**

    * Compute U value

    */

    function _Uvalue()

    {

        return $this->_RC4($this->encryption_key, $this->padding);

    }

    /**

    * Compute encryption key

    */

    function _generateencryptionkey($user_pass, $owner_pass, $protection)

    {

        // Pad passwords

        $user_pass = substr($user_pass.$this->padding,0,32);

        $owner_pass = substr($owner_pass.$this->padding,0,32);

        // Compute O value

        $this->Ovalue = $this->_Ovalue($user_pass,$owner_pass);

        // Compute encyption key

        $tmp = $this->_md5_16($user_pass.$this->Ovalue.chr($protection)."\xFF\xFF\xFF");

        $this->encryption_key = substr($tmp,0,5);

        // Compute U value

        $this->Uvalue = $this->_Uvalue();

        // Compute P value

        $this->Pvalue = -(($protection^255)+1);

    }

}

?>

Example

This example shows how to allow only printing.

<?php

define('FPDF_FONTPATH','font/');

require('fpdf_protection.php');

$pdf=new FPDF_Protection();

$pdf->SetProtection(array('print'));

$pdf->Open();

$pdf->AddPage();

$pdf->SetFont('Arial');

$pdf->Write(10,'You can print me but not copy my text.');

$pdf->Output();

?>

View the result here.

Download

ZIP | TGZ

Get metadata on MySQL databases

noreply@blogger.com (Unknown) — Tue, 10 Jun 2008 03:39:00 -0700

Getting information about databases if essential if you want to write generic and scalable applications. This code shows you how to get information such as all databases on the server, all tables in each database and all field and field info for each table. Even if you do not need to build on this code, you might want to copy the code which prints out all databases, tables and field information plus examples. Its a great way to get an overview of the tables you are working on for a project.

<?

//getting metadata on MySQL databases

//output the structure of a table

$connection_1 = mysql_connect("localhost");

$fields = mysql_list_fields("cmphp","rights");

for($i=0;$i<mysql_num_fields($fields);$i++) {

echo mysql_field_name($fields,$i)." (".mysql_field_len($fields,$i).") - ".mysql_field_type($fields,$i)."<br>";

}

mysql_close;

//show the structure of ALL tables in ALL databases on the server

$server_connection_1 = mysql_connect("localhost");

$databases = mysql_query("SHOW DATABASES");

while($database = mysql_fetch_row($databases)) {

echo '<h2>DATABASE: '.$database[0].'</h2>';

$database_connection_1 = mysql_select_db($database[0]);

$tables = mysql_query("SHOW TABLES");

while($table = mysql_fetch_row($tables)){

echo '<table border="1" cellpadding="5" width="500">';

echo '<tr><td colspan="3" bgcolor="silver">TABLE: '.$table[0].'</td></tr>';

$fields = mysql_list_fields($database[0],$table[0]);

for($i=0;$i<mysql_num_fields($fields);$i++) {

echo '<tr>';

echo '<td>'.mysql_field_name($fields,$i)."</td>";

echo '<td>'.mysql_field_len($fields,$i)."</td>";

echo '<td>'.mysql_field_type($fields,$i)."</td>";

echo '</tr>';

}

echo '</table><br>';

}

}

mysql_close;

//show the nice structure of a particular database

$server_connection_1 = mysql_connect("localhost");

$the_database = "cmphp";

echo '<h2>DATABASE: '.$the_database.'</h2>';

$database_connection_1 = mysql_select_db($the_database);

$tables = mysql_query("SHOW TABLES");

while($table = mysql_fetch_row($tables)){

echo '<table border="1" cellpadding="5" width="600">';

echo '<tr><td colspan="4" bgcolor="silver"><b>TABLE: '.$table[0].'</b></td></tr>';

echo '<tr><td bgcolor="silver">NAME</td><td bgcolor="silver">SIZE</td><td bgcolor="silver">TYPE</td><td bgcolor="silver">EXAMPLE</td></tr>';

$fields = mysql_list_fields($the_database,$table[0]);

for($i=0;$i<mysql_num_fields($fields);$i++) {

echo '<tr>';

echo '<td>'.mysql_field_name($fields,$i)."</td>";

echo '<td>'.mysql_field_len($fields,$i)."</td>";

echo '<td>'.mysql_field_type($fields,$i)."</td>";

$rows = mysql_query("SELECT ".mysql_field_name($fields,$i)." FROM ".$table[0]." LIMIT 1");

$row = mysql_fetch_array($rows);

echo '<td bgcolor="eeeeee">'.$row[0].' </td>';

echo '</tr>';

}

echo '</table><br>';

}

mysql_close;

?>

This Article is taken from http://www.developerfusion.co.uk/show/3945/

Sams Red Hat Enterprise Linux 5 Administration Unleashed Apr 2007

noreply@blogger.com (Unknown) — Fri, 16 May 2008 00:44:00 -0700

Sams Red Hat Enterprise Linux 5 Administration Unleashed Apr 2007 - Upload a doc

Agile web-crawler : design and implementation

noreply@blogger.com (Unknown) — Thu, 15 May 2008 23:35:00 -0700

Agile web-crawler : design and implementation - Upload a doc

Search Engine Optimization (SEO) Glossary

noreply@blogger.com (Unknown) — Tue, 22 Apr 2008 05:29:00 -0700

Search Engine Optimization (SEO) Glossary

Definitions to the terms used to describe actions and event in the world of Search Engine Marketing. Search Terms
The words or phrases used by people when performing searches in search engines. Also called keywords, query terms or query.

Ad Pimp
A website that has too many ads on it in an obvious attempt to monetize the site.

Ad Rank
Google AdWords multiplies Quality Score (QS) and the maximum CPC (Max CPC) to reach an Ad Rank for each ad.

Added Value Affiliates
Provide a value-added service to visitors in addition to affiliate links and affiliate content.

AdSense Arbitrage
The process of buying traffic with pay-per-click programs, sending traffic to highly optimized Adsense pages and collecting the difference.

AdSense Link Clicking Bots
Automated programs that try to spoof random IP addresses to click through AdWords displayed on a site.

Adwords
Google’s - Cost Per Click (CPC) based advertising system.

Affiliate Sniper
People who save money on purchases by switching your affiliate ID with their own.

Agent Name
An agent name is the name of the software accessing a web page.

Aggregator
Software that lets you automatically download content to your computer

AIDA
Attention, Interest, Desire, Action: A term used to describe a formula to increase conversions.

Algorithm
A mathematical formula used to determine the value of a page when compared against others.

AlltheWeb
Second Tier search engine.

ALT Text
The text that appears when you put your mouse on top of an image or a picture.

AltaVista
Used to be the #1 search engine until Google came along.

Anchor Text
Also known as Link Text, the clickable text of a hyperlink.

AOL
America On-Line - Great for novice users, uses Google as part of it's search results.

API
Application Programming Interface.

ASCII
American Standard Code for Information Interchange

Ask
Trying to be considered as one of the "Top Dogs" along with Yahoo and MSN, following Google.

ASP
Dual meanings: Microsoft Active Server Pages (filename.asp) or Application Service Provider (e.g. a provider of web based applications)

Astroturfing
The practice of faking, pushing or help to mold a “grass roots” movement.

ATF (Above the Fold)
This is the part of the user's screen that is always displayed.

Audioblog
An audio web log in MP3 format and available for download to an MP3 player or a computer.

Authority Site
A site that has many In-Bound links coming to it, and very little outbound links.

Back link
A text link to your website from another website.

Banned
A term that means a site has been removed from a search engine's index.

Banner Blindness
The act of web visitors to ignoring advertisements on the site whether it is a graphic or text ad.

BAP (Blog and Ping)
A method (ab)used to get the search engines to quickly index your blog's content.

Black Hat SEO
A term referring to the practice of “unethical” SEO. These techniques are used to gain an advantage over your competition.

Blind Traffic
This is traffic that is extremely low quality often by low relevance pages.

Blog
A "Web Log" that is updated frequently and is usually the opinion of one person. Also joking stands for Better Listing on Google.

Blogged
Term referring to have bookmarked a blog in your browser.

Blogola
The emerging practice of giving free stuff (from tote bags to travel junkets) to bloggers, in return for a sympathetic review.

Blook
A book that is serialized on a blog site. Chapters are published one by one as blog posts.

Bot
Short for robot. Often used to refer to a search engine spider.

Browser
Software application used to browse the internet - Mozilla Firefox and Internet Explorer are the 2 most popular browsers.

BTF (Below the Fold)
This is the part of the user's screen that is hidden unless the user scrolls down on the page.

C Class IP
This is the third block of numbers found in an IP Address.

Cache
A copy of web pages stored within a search engine's database.

CAPTCHA
Stands for : Completely Automated Public Turing test to tell Computers and Humans Apart

Catablog
A blog that describes products for sale.

Click Arbitrage
Purchasing PPC ads and hoping that traffic leaves with a click on your ads.

Click Distance
The minimum number of clicks it takes a visitor to get from one page to another.

Click Flipping
The process of identifying and maximizing, multiple profit pathways, using PPC traffic and converting that traffic with Cost Per Action offers.

Click Pirates
Peuple who click on ads, knowingly and proudly, stealing from advertisers, as they encourage others to join with them in this quest.

Click Poison
The process of using blatant phrases such as "Cool New Idea" and "Click here for Travel Tips" to get a site buried on sites such as digg and netscape.

Click Through
The process of clicking through an online advertisement to the advertiser's destination.

Clickprint
Derived from the amount of time a user spends on a Web site and the number of pages viewed, a clickprint is a unique online fingerprint that can help a vendor identify return visitors, curb fraud, and collect personal information for "customer service." aka invasive marketing

Cloaking
A technique that shows keyword stuffed apges to a search engine, but a real page to a human user.

Clustering
In search engine search results pages, clustering is limiting each represented website to one or two listings.

Collabulary
A collaborative vocabulary for tagging Web content. Like the folksonomies used on social bookmarking sites like del.icio.us, collabularies are generated by a community. But unlike folksonomies, they're automatically vetted for consistency, extracting the wisdom of the crowds from the cacophony.

Content Networks
A nicer way to say Link Farm.

Content Repurposing
A nicer way to say scraping a site for content.

Contextual Link Inventory (CLI)
Text links that are shown depending on the content that appears around them.

Conversion Optimization
Transforms your site into a selling tool - your site logically leads visitors through the sales cycle and closes sale.

Conversion Rate
The number of visitors to a website that end up performing a specific action that leads to a conversion. This could be a product purchase, newsletter sign up or anything where information is submitted.

Converting Search Phrase
A phrase that converts traffic into money.

Cookie
Information stored on a user's computer by a website.

Copy
Text found on a web page.

Cost per Thousand
The cost for each thousand impressions of your ad.

CPA - (Cost Per Action)
The price paid for each visitor's actions from a paid search.

CPC (Cost Per Click)
The amount it will cost each time a user selects your phrase or keyword.

Crawler
A bot from a search engine that reads the text found on a website in order to determine what the website is about.

Cross Linking
Having multiple websites linking to each other.

CSS (Cascading Style Sheets)
Used to define the look and navigation of a website.

CTR (Click Through Rate)
The value associated to the amount of times a paid ad is viewed.

Cybrarian
A person who finds, collects, and manages information available on the Internet.

Dangling Link
This term is applied to a web page with no links to any other pages. Also known as an Orphan Page.

Dead Link
A hyperlink pointing to a non-existent URL.

Deep Crawl
Once a month, Googlebot will crawl all of the links it has listed in it's database on your site. This is known as the Deep Crawl.

Deep Link
A link on a website that is not reachable from the home page.

Delisting
When a site gets removed from the search index of a search engine.

Deliverable
In a contract, these are the expected results of the services provided.

diggbait
Purposely creating content to get traffic from digg.com

Directory
Usually human edited, a directory contains sites that are sorted by categories.

DMCA (Digital Millennium Copyright Act)
A declaration that protects digital works found online.

DMOZ
Also known as the Open Directory Project.

DNO
Domain Network Optimizers

DNS (Domain Name System)
A protocol that lets computers recognize each other through an IP Address, whereas the human sees a website URL.

Dooced
Fired for negative blogging about the company you work for.

Doorway Page
A web page designed to draw in Internet traffic from search engines, and then direct this traffic to another website.

Dynamic Site
A site that uses a database to store it's content and is delivered based on the variable passed to the page.

EPC (Earnings Per Click)
How much profit is made from each click from a paid ad.

EPV (Earnings Per Visitor)
The cost it takes to make profit from a site's total number of visitors.

Error 404
When a hyperlink is pointing to a location on the web that doesn't exist, it is called a 404 error.

Everflux
A term associated with the constant updating of Google's algorithm between the major updates.

External Link
A link that points to another website.

FAQ (Frequently Asked Question)
Commonly found on websites, FAQs answer questions that many users generally have about a product or service.

FFA (Free For All)
A site where anyone can list their link. Don't waste any time submitting your site to these places.

Filter Words
Words such as is, am, were, was, the, for, do, ETC, that search engines deem irrelevant for indexing purposes. Also known as Stop words.

Flog
A fake blog, a website pretending to be a blog but actually the creation of public relations firms, the mainstream media, or professional political operatives.

Folksonomy
The construction of open-ended organization systems that allow multiple internet users to sort web sites and their elements.

Frankenbuild
Pirated software cobbled together from beta versions and early releases.

Fresh Crawl
Utilizes FreshBot to review already indexed pages and any pages where the content has been updated.

FreshBot
A sister to GoogleBot, this spider crawls highly ranked sites on a very frequent basis.

FTP (File Transfer Protocol)
Technology that allows file transfers from a local machine to a remote host.

Geo Targeting
A very tactful way to employ cloaking.

GFNR
Google First Name Rank.

Google
Currently, the world's #1 search engine.

Google AdWords
Google's PPC program.

Google Bombing
A technique where using the same text anchor links, many people link to a certain page, usually of irrelevant content.

GoogleBot
The spider that performs a deep crawl of your site.

Googlebowling
To nudge a competitor from the serps.

Googlephobia
The fear of Google taking over everything.

Googlewashing
When your content is copied and inserted into someone else's site without permission or credit.

GOOGOL
This is the term that inspired the creators of Google to use this name - it means: 10100 = 1 followed by 100 zeros

Heading Tag
Tag that designates headlines in the text of a site.

Hidden Text
Text that can't be seen normally in a browser.

Hit
A single access request made to the server.

Hoax Marketing
The creation of false stories to drive traffic to a site.

htaccess
.htaccess is an Apache file that allows server configuration instructions.

HTML
HyperText Markup Language - the basics for all web coding.

HTTP (Hypertext Transfer Protocol)
It is a generic, stateless, protocol which can be used for many tasks.

HTTPS (HyperText Transfer Protocol Secure)
It is a generic, stateless, protocol which can be used for many tasks, but has security features enabled to protect sensitive data.

Hub
A site that has many outbound links, and few sites linking back.

IBL (In-Bound Link)
A link residing on another site that points to your site.

ICRA (Internet Content Rating Association)
The Internet Content Rating Association (ICRA) is an international, non-profit organization of internet leaders working to make the internet safer for children, while respecting the rights of content providers.

IM (Instant Messaging)
As the name implies, this protocol allows for extremely fast communication over the Internet

Index
A term used to describe the database that holds all the web pages crawled by the search engine for each website.

Indexing Assistance
An even more advanced form of cloaking.

Information Architecture
The gathering, organizing, and presenting information to serve a purpose.

Informational Query
A query about a topic where the user expects to be provided with information on the topic.

Internal Link
A link that points to another page within the same site. Most commonly used for navigation.

Internet
An interconnected system of networks that connects computers around the world via the TCP/IP protocol.

Internet Traffic Optimizer (ITO)
A broader term for a person who optimizes not only for search engines but to get traffic from other sources such as blogs, RSS feeds and articles.

Interstitials
Loads a commercial in the background of a Web page. When the user exits the page, the user gets served a full-page, between-page advertisement in Flash, an animated gif or other rich media.

Invisible Web
Web Pages that are not reachable by search engines.

IP (Internet Protocol)
This protocol allows for machines to communicate to each other via the Internet.

IP Address (Internet Protocol Address)
how data finds its way back and forth from your computer to the internet.

IP Spoofing
A method of reporting an IP address other than your own when connecting to the internet.

js (JavaScript)
A scripting language that provides browser functionality.

Keyword Density
A ratio of the number of occurrences of a keyword or "keyword phrase" to the total number of words on a page.

Keyword Effectiveness Index (KEI)
The KEI compares the number of searches for a keyword with the number of search results to pinpoint which keywords should be the most effective for your campaign.

Keyword Phrase
A group of words that form a search query.

Keyword Stuffing
Using a keyword or "keyword phrase" excessively in a web page, perhaps in the text content or meta tags.

Klog
The term used when weblogs are used in knowledge management use cases.

KW (Key Words)
Used to define the terms a user might enter into a search engine to find information on their query.

Landing Page
Usually used in conjunction with a PPC campaign, they are call-to-action pages that prompt the user to engage the site.

Link
Also known as a hyperlink, it is the "clickable" area of text or image that allows for navigation on the Internet. Also the name of the main character og the Legend of Zelda video games.

Link Bait (Linkbaiting)
The process of getting users to link to your site.

Link Farm
A site that features links in no particular order which are totally unrelated to each other.

Link Maximization
The method of getting popular sites in your industry to link to your website.

Link Partner
A website who is willing to put a link to your site from their website. Quite often link partners engage in reciprocal linking.

Link Popularity
How many sites link to your website.

Link Text
The clickable part of a hyperlink. Also known as Anchor Text or Anchor Link.

Linkerati
People who are the target of linkbait - bloggers, forum users, social taggers, etc.

Listings
The results that a search engine returns for a particular search term.

Mashups
Commonly thought of as a way of merging two different items, or scraping more than one source.

Meta Description Tag
Hold the description of the content found on the page.

Meta Keywords Tag
Holds the keywords that are found on the page.

Meta Search Engine
A search engine that relies on the meta data found in meta tags to determine relevancy.

Meta Tag Masking
An old trick that uses CGI codes to hide the Meta tags from browsers while allowing search engines to actually see the Meta tags.

Meta Tags
Header tags that provide information about the content of a site.

Metadata
META Tags or what are officially referred to as Metadata Elements, are found within the section of your web pages.

Metajacking
The use of copyrighted names and slogans in META tags.

MFA (Made For AdSense)
A term that describes websites that are created entirely for the purpose of gaming Google Adsense to make money.

MFD
Made For Digg - Similar to MFA (Made for AdSense) sites, these sites try to get traffic from digg by having entire sites full of funny images or postings.

Microchunk
To split up a product or service sold traditionally as a package, offering each piece to buyers a la carte.

MicroFormats
Designed for humans first and machines second, microformats are a set of simple, open data formats built upon existing and widely adopted standards. Instead of throwing away what works today, microformats intend to solve simpler problems first by adapting to current behaviors and usage patterns (e.g. XHTML, blogging). - taken from (http://microformats.org/about/)

Mirror Sites
A mirror site is a site that exacltly duplicates another site.

Mobisode
TV shows shot exclusively for mobile phones.

MoBlog
Short for "My Mobile Blog", a service from Blogger that when you send an email to go@blogger.com from your cellphone, it automatically creates a new blog.

Mociology
The study of how people adapt and use wireless technologies.

Most Wanted Response (MWR)
This is what you want your customer to do on your site.

Mowser
Short for Mobile Browser.

MP3
Stands for “MPEG Third Layer.” A standard for storing and transmitting music in digital format across the Internet.

MSN (MicroSoft Network)
Microsoft's search engine.

Narrowcasting
Creating a program aimed at a small and specific niche or group of people.

Natural Listing
A listing that appears below the sponsored ads, also known as Organic Listings.

Navigational Query
A query that normally has only one satisfactory result.

NDA (Non-Disclosure Agreement)
Usually required as part of a contract to protect the company engaging in services.

Necroing
The act of posting to old threads to bring them back up. Also known as "bumping".

Niche
A specialized segment of a market that is usually geared towards one specific purpose.

Niche Aggregators
Another way of saying Spam site.

NOFOLLOW
An attribute used in a hyperlink to instruct search engines not to follow the link. (And pass PageRank)

Off-Page Factors
Factors that alter search engine positions that occur externally from other website's. By having many links from other sites pointing to yours is an example of Off-Page Factors.

On-Page Factors
Factors that determine search engine positions that occur internally within a page of a website. This can include site copy, page titles, and navigational structure of the site.

OOP (Over Optimization Penalty)
A theory that applies if one targets only 1 keyword or phrase, and the search engines view the linking efforts to be spam.

OpenRank (Open Source PageRank)
A suggestion to make a web-wide ranking system as opposed to Google's Pagerank.

Opt-In
When a user willing joins a subscription to a newsletter or some other service.

Organic Listing
The natural results returned by a search engine.

Orphan Page
A page that has a link to it, but has no links to any other sites.

Outbound Link
A link from your site to any other site.

Page View
Anytime a user looks at any page on a website through their browser.

PageMatch
A cost-per-click advertising program that serves your site's ad on a page that contains related content.

PageRank Drain
When a page has no outbound links, it causes pagerank drain because it cannot pass any value to another web page.

Paid Inclusion
A submission service where you pay a fee to a search engine and the search engine guarantees that your website will be included in its index. Paid inclusion programs will also ensure that your website is indexed very fast and crawled on regular basis. It can also be used as a term to include fee based directory submission.

Pay-Per-Click Management
Strategy, Planning and Placement of targeted keywords in the paid search results.

PFI (Pay For Inclusion)
A system in which a site pays to get a guaranteed listing.

PFP (Pay For Performance)
A system in which payment for services is only made when a conversion takes place.

Podcasting
A Podcast is just an audio file that is syndicated via an RSS feed, that is downloaded and listened to with a computer or a portable device such as an iPod.

Podcatching
The process of subscribing to podcasts.

PPC (Pay Per Click)
A technique where placements are determined by how much id bid on a particular keyword or phrase. Can become very expensive.

PR (Google's PageRank)
Google's unique system of how it tries to predict the value of a pages rank.

Pro Blogging
A person who makes a living by blogging.

Query
An inquiry that is entered into a search engine in order to get results.

Rank - Ranking
The actual position of a website on a search engine results page for a certain search term or phrase.

Reciprocal Link
When two sites link to each other.

Redirects
Either server side or scripting language that tells the search engine to go to another URL automatically.

Referral Spam
Sending multiple requests to a website spoofing the header to make it look like real traffic is being sent to another site.

Referrer
A referrer is the URL of the page that the visitor came from when he entered a website.

Relevance Rank (RR)
A system in which the search engine tries to determine the theme of a site that a link is coming from

Relevancy
Term used to describe how close the content of a page is in relation to the keyword phrase used to search.

Results Page
When a user conducts a search, the page that is displayed, is called the results page. Sometimes it may be called SERPs, which stands for "search engine results page."

RFP (Request for Proposal)
Used to send out to multiple companies in order to get a list of services to be delivered and at what cost.

Rich Internet Applications (RIA)
Applications such as Ajax and Flash that provide a better user experience by delivering content in an on-demand web environment.

Robot
Often used to refer to a search engine spider.

ROC (Return on Customer)
The value each customer brings.

ROI (Return on Investment)
The cost it takes to in order to see success on your marketing investment.

RSS Feed (Rich Site Summary or Rich Site Syndication)
RSS feeds use an XML document to publish information.

Scope Creep
When the contracted amount of work to be completed changes because of client changes or technology advances.

SE (Search Engine)
A web based information retrieval program.

Search Engine
Best described as a database of websites users can search using search terms. Every search engine has its own algorithm which defines how the results are displayed.

Search Engine Marketing (SEM)
The practice of getting a website found on the internet

Search Engine Optimization (SEO)
The act of altering code to a website to have optimum relevance to a search engine spider.

Search Friendly Optimization (SFO)
As the term implies, this is the process of making a website search engine friendly.

Search Query
The text entered into the search box on a search engine.

SEOlebirty
Famous people in the world of search.

SERP (Search Engine Results Page)
The results that are displayed after making a query into a search box.

SFO
Search Friendly Optimization.

Sitemap (Site Map)
A page that lists all of the critical navigation points of a website.

Slurp
The name of Yahoo's Search Engine Spider.

Smishing
Phishing via text message. Smishers bombard cell phones with SMS versions of standard phishing solicitations, directing victims to Web sites that install spyware on their computers.

Snippet
The text displayed from a search query.

Social Media Poisoning
A technique where unscrupulous marketers will try to sabotage a competitor's web site by engaging in social media communications and link seeding/spamming tactics that they hope will spark a rash of bad publicity, and maybe even trigger some sort of rankings and/or reputational search penalty against their competitor.

SPAM
Unwanted email or irrelevant content delivered. (or as some say, Site Placed Above Mine)

Spam Cannon
A term used in conjunction with sites that use email sign-ups for spamming purposes - the latimes.com is an example.

Spamming
The act of delivering unwanted messages to the masses.

Spamouflage
The method or result of concealing or disguising search engine spam to make it appear to be legitimate.

Spider
The software that crawls your site to try and determine the content it finds.

Spiderbaiting
A technique that makes a search engine spider find your site.

Splash Page
A page displayed for viewing before reaching the main page.

Stemming
The main part of a word to which affixes are added.

Stickiness
How influential your site is in keeping a visitor on your page.

Stop Word
A stop word is a "common word" which is ignored in a query because the word makes no contribution to the relevancy of the query.

Stop Word
Stop words are very common words such as ‘a, the, and & that’ and are filtered out of your search query. Search engines do this in order to try to serve the best results for a user query.

Strategic Linking
A thought out approach to getting websites to link to your site.

Submission
The process of submitting URL(s) to search engines or directories.

SWOT
A methodic way of identifying your Strengths and Weaknesses, and of examining the Opportunities and Threats you face.

Syntax
The proper use of language when coding a website.

Tag Soup
Tag soup is HTML code written without regard for the rules of HTML structure and semantics.

The Deep Web
The content in databases that rarely shows up in Web searches. It is estimated that there are 500 billion Web pages that could potentially be hidden.

Theme
What the site's main topic is about.

Thin Affiliates
Doorways that send visitors to affiliate programs, earning a commission for doing so, while providing little or no value-added content or service to the user.

Title Tag
It should be used to describe the web page using targeted keywords using no more that 60 characters, including spaces.

TLD (Top Level Domain)
Most commonly thought of as a ".com", also includes ".org" and ".edu"

TOM (Tactical Online Marketing)
The process of informing the customer of your services from various sources.

TOS (Terms of Service)
Usually found in a contract, also known as the contracts "deliverables".

Tracking URL
Usually used in PPC campaigns, it is a URL that has special code added to it so that results can be monitored.

Traffic
The number of visitors a website receives over a given period. Usually reported on a monthly basis.

Transactional Query
A query where the user expects to conduct a transaction.

Trusted Feed
A form of paid inclusion which uses bulk a XML feed to directly send website content to search engines for indexing. The feed can be optimized so that your website can take advantage better rankings and therefore more traffic

TrustRank
A method of using a combination of limited human site review in conjunction with a search engines algorithm.

Typosquatting
Relies on typographical errors by users to serve up websites that look like Google to launch viruses and trojans to unsuspecting users.

Unique Visitor
When a user visits a website, his/her IP address is logged so if he/she returns later on that day, the visit won’t be counted as a unique visit but as a page impression.

Universal Search
Launched on May 16, 2007, this is Google's attempt to deliver the best result from the web. This can include video, images, news, podcasts or any other form of digital content.

URL (Uniform Resource Locator)
Commonly referred to as the domain name, this is how humans navigate through the Internet, whereas computers use IP addresses.

User Agent
A User agent name is the name of the software accessing a web page. (Another term for Agent Name)

USP (Unique Selling Proposition)
Sometimes mistakenly defined as Unique Selling Point. The Unique Selling Proposition concept was first developed by Rosser Reeves of the Ted Bates Agency. Basically, it's what sets you apart from your competition.

VEO
Visitor Enhanced Optimization

VoIP (Voice Over Internet Protocol)
VoIP converts the voice signal from your telephone into a digital signal that travels over the internet then converts it back at the other end so you can speak to anyone with a regular phone number.

Web Saturation
How many pages of your site are indexed by the search engines collectively.

Webneck
Slang term for a person who spends most of their time on the internet, most of their friends are netpals, and they are uncomfortable if they can't get online.

White Hat SEO
A term that refers to ethical practice of SEO methodologies that adhere to search engine Terms of Service.

White Paper
A White Paper is your statement about how a problem should be solved.

Whois Data
Registration data such as the company name, address and telephone number when registering a domain name.

Whore Trains
A list of people on MySpace that you add yourself to and keep reposting the list so that you can get a lot of people requesting to be your friends.

Wi-Fi (certification mark)
Used to certify the interoperability of wireless computer networking devices.

WikiSoldiers
Users who enjoy the process of building and defending wikipedia.

Wilf
What was I looking for?

WWW (World Wide Web)
Another term to describe the Internet.

XML (Extensible Markup Language (filename.xml))
A scripting language that allows the programmer to define the properties of the document.

Yahoo!
The #2 Search Engine in the world.

Zeitgeist (Google Zeitgesit)
A service provided that shows snippets of the emerging and declining trends of what people are searching for through the Google search engine.

Search Engine Optimization - SEO Workout

noreply@blogger.com (Unknown) — Tue, 22 Apr 2008 05:24:00 -0700

What is Search Engine Optimization? (SEO)

Search Engine Optimization is the process of making changes to the coding of a website in order to rank better in the search engine results page. There are many steps involved in the process, many of which include the following:

W3C Validation
Proper naming structure of files for search engines
Proper phrasing of the page title
Inclusion of a robots.txt file
Creation of a sitemap
404 error handling page
Meta tags
Relevant site copy to page title
Site navigational structure

While this is a short list, there are many considerations that have to accounted for when optimizing your website. A knowledgeable Search Marketer should be able to determine what would be the best process to get your site coded in a search engine friendly fashion.

What is Search Engine Marketing? (SEM)

Search Engine Marketing is the process of getting targeted traffic to your site by getting exposure of your site through various channels. Here are some examples of getting exposure for your site:

Press Releases
Article Writing
Blogs
Engaging in a link campaign
Directory Submission
Purchasing Text Links
PPC Campaigns
Banner Advertising
RSS/XML Feeds

A knowledgeable Search Marketer should be able to determine what would be the best process to market your site and get the most of your marketing budget.

Google Tricks

Enter just the word http for your search to find the top 1000 PageRanked sites.

Enter only www in your search to see how Google ranks the top 1,000 sites.

Manually type the following prefixes and note their utility:

link:url Shows other pages with links to that url.

related:url same as "what's related" on serps.

site:domain restricts search results to the given domain.

allinurl: shows only pages with all terms in the url.

inurl: like allinurl, but only for the next query word.

allintitle: shows only results with terms in title.

intitle: similar to allintitle, but only for the next word. "intitle:seoforgoogle google" finds only pages with seoforgoogle in the title, and google anywhere on the page.

cache:url will show the Google version of the passed url.

info:url will show a page containing links to related searches, backlinks, and pages containing the url. This is the same as typing the url into the search box.

spell: will spell check your query and search for it.

stocks: will lookup the search query in a stock index.

filetype: will restrict searches to that filetype. "-filetype:pdf" to remove Adobe PDF files.

daterange: is supported in Julian date format only. 2452384 is an example of a Julian date.

maps: If you enter a street address, a link to Yahoo Maps and to MapBlast will be presented.

phone: enter anything that looks like a phone number to have a name and address displayed. Same is true for something that looks like an address (include a name and zip code)

site:www.somesite.net "+www.somesite.+net" - (tells you how many pages of your site are indexed by google)

allintext: searches only within text of pages, but not in the links or page title

allinlinks: searches only within links, not text or title

Search Engine Optimization (SEO) Resources

A free listing of SEO Resources that will help you get your site ranked in the search engines.
As always, if you know of a resource that you think should be on this page, drop me a line, and if it's up to snuff, it will get listed.

Make Money From Google

Press Release & Article Sites

Press Release Tips

Buy Text Links

Traffic Generating Sites

Security Corner: SQL Injection

noreply@blogger.com (Unknown) — Mon, 17 Mar 2008 22:06:00 -0700

Welcome to another edition of Security Corner. This month's topic is SQL injection, an attack vector that frequents the minds of PHP developers, but for which there is a shortage of good documentation.

Most web applications interact with a database, and the data stored therein frequently originates from remote sources. Thus, when creating an SQL statement, you often use input in its construction. A typical SQL injection attack exploits this scenario by attempting to send fragments of valid SQL queries as unexpected values of GET and POST data. This is why an SQL injection vulnerability is often the fault of poor filtering and escaping, and this fact cannot be stressed enough.

This article explains SQL injection by looking at a few example attacks and then introducing some simple and effective safeguards. By applying best practices, you can practically eliminate SQL injection from your list of security concerns.

SQL Injection

For a moment, place yourself in the role of an attacker. Your goal is initially simple. You want to get any unexpected SQL statement executed by the database. You're only looking to get something to work, because that will reveal the fact that the application has a potential vulnerability. You have as many chances as you want, and you have a lot of information to work with. For example, consider the simple authentication form shown in Figure 1.

Figure 1:

In order to get more information about this form, you view the source:

<form action="/login.php" method="POST">  <p>Username: <input type="text" name="username" /></p>  <p>Password: <input type="text" name="password" /></p>  <p><input type="submit" value="Log In" /></p>  </form>

<form action="/login.php" method="POST">

<p>Username: <input type="text" name="username" /></p>

<p>Password: <input type="text" name="password" /></p>

<p><input type="submit" value="Log In" /></p>

</form>

You can already make a very educated guess about the type of SQL statement that this application might use to verify the access credentials. It will most likely be a SELECT statement. You can also make a guess about the naming convention used in the database table, because it probably matches the simple names used in the HTML form. (It's also possible that you can cause an error that reveals this information to you.) Because this form is for authentication, there is probably WHERE clause that uses $_POST['username'] and $_POST['password'].

From all of this, you might predict the following:

<?php $sql = "SELECT count(*) FROM users WHERE username = '{$_POST['username']}' AND password = '...'"; ?>

<?php

$sql = "SELECT count(*)

FROM users

WHERE username = '{$_POST['username']}'

AND password = '...'";

Assuming this guess is correct, what can you do to manipulate this query? Imagine sending the following username:

chris' /*

chris' /*

The SQL statement becomes the following:

SELECT count(*) FROM users WHERE username = 'chris' /*' AND password = '...'";

SELECT count(*)

FROM users

WHERE username = 'chris' /*'

AND password = '...'";

In this example, /* is used to begin a multi-line comment, effectively terminating the query at that point. This has been tested successfully with MySQL. A standard comment in SQL begins with --, and it's trivial to try both.

This query suggests a successful authentication attempt as long as the chris account exists, regardless of the password. This particular attack is frequently used to steal accounts. Of course, any username can be used (admin is a popular target). Thus, by sending a malformed username, you can manage to log in without having a valid account.

Keep in mind that creativity plays a large role in most attacks. In the previous example, the attack is limited by the type of query (SELECT) and in the way the username and password are used. In other words, as an attacker, you are somewhat bound, and your attacks must try to exploit the situation within these bounds. Other types of queries present new opportunities, and the best practices mentioned in this article apply to all SQL injection attacks.

WHERE Hacking

The WHERE clause is used to restrict the records that a particular query matches. For a SELECT statement, it determines the records that are returned. For an UPDATE statement, it determines the records that are modified. For a DELETE statement, it determines the records that are deleted. If a user can manipulate the WHERE clause, there are many opportunities to make drastic changes - selecting, updating, and deleting arbitrary records in the database.

Imagine a SELECT statement intended to fetch all credit card numbers for the current user:

<?php $sql = "SELECT card_num, card_name, card_expiry FROM credit_cards WHERE username = '{$_GET['username']}'"; ?>

<?php

$sql = "SELECT card_num, card_name, card_expiry

FROM credit_cards

WHERE username = '{$_GET['username']}'";

In this particular case, the application might not even solicit the username but instead provide it in a link:

<a href="/account.php?username=shiflett"> Credit Card Information </a>

<a href="/account.php?username=shiflett">

Credit Card Information

</a>

If a user can have multiple cards, the application might loop through the results of a database query, displaying the card number, name on the card, and expiration date for each card.

Imagine a user who visits the following resource:

/account.php?username=shiflett%27+OR+username+%3D+%27lerdorf

/account.php?username=shiflett%27+OR+username+%3D+%27lerdorf

This submits the following value for the username:

shiflett' OR username = 'lerdorf

shiflett' OR username = 'lerdorf

If used in the previous SQL query, $sql has the following value:

SELECT card_num, card_name, card_expiry FROM credit_cards WHERE username = 'shiflett' OR username = 'lerdorf'

SELECT card_num, card_name, card_expiry

FROM credit_cards

WHERE username = 'shiflett' OR username = 'lerdorf'

Now the user sees a list of all credit cards belonging to either shiflett or lerdorf. This is a pretty major security vulnerability. Of course, a larger vulnerability exists in this particular example, because a user can arbitrarily pass any username in the URL. In addition, a username that causes the WHERE clause to match all records can potentially expose all records:

shiflett' OR username = username

shiflett' OR username = username

Imagine if this particular username is stored in the database (using a separate SQL injection attack) as the attacker's own username. Every query that is restricted by a WHERE clause in order to only apply the user's own record can potentially apply to all records instead. This is not only extremely dangerous, but it also makes further attacks very convenient.

Input Filtering

This article assumes magic_quotes_gpc is disabled. If it is enabled, you can disable it or use the fix_magic_quotes() function to repair the input.

There are best practices that you should follow to prevent SQL injection attacks, and these offer a very high level of protection. The most important step is to filter all input (data that comes from a remote source). This includes $_GET, $_POST, $_COOKIE, etc. To help clarify this, consider the following HTML form:

<form action="/receive.php" method="POST"> <select name="color"> <option value="red">red</option> <option value="green">green</option> <option value="blue">blue</option> </select> <input type="submit"> </form>

<form action="/receive.php" method="POST">

<select name="color">

<option value="red">red</option>

<option value="green">green</option>

<option value="blue">blue</option>

</select>

<input type="submit">

</form>

Clearly, the expected values are red, green, and blue. So, the input filtering should verify this:

<?php $clean = array(); switch ($_POST['color']) { case 'red': case 'green': case 'blue': $clean['color'] = $_POST['color']; break; default: /* Error */ break; } ?>

<?php

$clean = array();

switch ($_POST['color']) {

case 'red':

case 'green':

case 'blue':

$clean['color'] = $_POST['color'];

break;

default:

/* Error */

break;

}

This code uses a separate array ($clean) to store the filtered data. It is a good idea to choose a naming convention that will help you identify potentially tainted data. In this example, $clean['color'] can be trusted to contain a valid color, because it is first initialized and then only assigned the value of $_POST['color'] if that value passes the test.

The two most important points for input filtering are:

Only accept valid data rather than trying to prevent invalid data.

Choose a naming convention that helps you distinguish tainted data from filtered data.

Escaping Output

With properly filtered input, you're already pretty well protected against malicious attacks. The only remaining step is to escape it such that the format of the input doesn't accidentally interfere with the format of the SQL statement. If you are using MySQL, this simply requires you to pass all data through mysql_real_escape_string() prior to use:

<?php $mysql = array(); $mysql['color'] = mysql_real_escape_string($clean['color']); $sql = "SELECT username FROM users WHERE favorite_color = '{$mysql['color']}'"; ?>

<?php

$mysql = array();

$mysql['color'] = mysql_real_escape_string($clean['color']);

$sql = "SELECT username

FROM users

WHERE favorite_color = '{$mysql['color']}'";

In this case, assuming $clean['color'] is created by the previous example, you can be sure that the color only contains alphabetic characters. (It's one of red, green, or blue.) Thus, the escaping might seem superfluous, and it is. However, it is still a good habit to always escape data. This practice will help you avoid forgetting this crucial step, and it adheres to the principle of defense in depth, which stresses the importance of redundant safeguards.

Until Next Time...

Preventing SQL injection is easy, but it is one of the most common web application vulnerabilities. Hopefully you will now always adhere to the following guidelines:

Filter input.

Escape output.

NYPHP has a helpful resource that explains SQL escaping.

I hope you can now safely protect your applications against SQL injection attacks. Until next month, be safe.

URL Rewriting

noreply@blogger.com (Unknown) — Wed, 6 Feb 2008 00:10:00 -0800

The Apache server’s mod_rewrite module gives you the ability to transparently redirect one URL to another, without the user’s knowledge. This opens up all sorts of possibilities, from simply redirecting old URLs to new addresses, to cleaning up the ‘dirty’ URLs coming from a poor publishing system — giving you URLs that are friendlier to both readers and search engines.

An Introduction to Rewriting

Readable URLs are nice. A well designed website will have a logical file system layout, with smart folder and file names, and as many implementation details left out as possible. In the most well designed sites, readers can guess at filenames with a high level of success.

However, there are some cases when the best possible information design can’t stop your site’s URLs from being nigh-on impossible to use. For instance, you may be using a Content Management System that serves out URLs that look something like

http://www.example.com/viewcatalog.asp?category=hats&prodID=53

This is a horrible URL, but it and its brethren are becoming increasingly prevalent in these days of dynamically-generated pages. There are a number of problems with an URL of this kind:

It exposes the underlying technology of the website (in this case ASP). This can give potential hackers clues as to what type of data they should send along with the query string to perform a ‘front-door’ attack on the site. Information like this shouldn’t be given away if you can help it.

Even if you’re not overly concerned with the security of your site, the technology you’re using is at best irrelevant — and at worst a source of confusion — to your readers, so it should be hidden from them if possible.

Also, if at some point in the future you decide to change the language that your site is based on (to » PHP, for instance); all your old URLs will stop working. This is a pretty serious problem, as anyone who has tackled a full-on site rewrite will attest.

The URL is littered with awkward punctuation, like the question mark and ampersand. Those & characters, in particular, are problematic because if another webmaster links to this page using that URL, the un-escaped ampersands will mess up their XHTML conformance.

Some search engines won’t index pages which they think are generated dynamically. They’ll see that question mark in the URL and just turn their asses around.

Luckily, using rewriting, we can clean up this URL to something far more manageable. For example, we could map it to

http://www.example.com/catalog/hats/53/

Much better. This URL is more logical, readable and memorable, and will be picked up by all search engines. The faux-directories are short and descriptive. Importantly, it looks more permanent.

To use mod_rewrite, you supply it with the link text you want the server to match, and the real URLs that these URLs will be redirected to. The URLs to be matched can be straight file addresses, which will match one file, or they can be regular expressions, which will match many files.

Basic Rewriting

Some servers will not have » mod_rewrite enabled by default. As long as the » module is present in the installation, you can enable it simply by starting a .htaccess file with the command

RewriteEngine on

Put this .htaccess file in your root so that rewriting is enabled throughout your site. You only need to write this line once per .htaccess file.

Basic Redirects

We’ll start off with a straight redirect; as if you had moved a file to a new location and want all links to the old location to be forwarded to the new location. Though you shouldn’t really ever » move a file once it has been placed on the web; at least when you simply have to, you can do your best to stop any old links from breaking.

RewriteEngine on

RewriteRule ^old\.html$ new.html

Though this is the simplest example possible, it may throw a few people off. The structure of the ‘old’ URL is the only difficult part in this RewriteRule. There are three special characters in there.

The caret, ^, signifies the start of an URL, under the current directory. This directory is whatever directory the .htaccess file is in. You’ll start almost all matches with a caret.

The dollar sign, $, signifies the end of the string to be matched. You should add this in to stop your rules matching the first part of longer URLs.

The period or dot before the file extension is a special character in regular expressions, and would mean something special if we didn’t escape it with the backslash, which tells Apache to treat it as a normal character.

So, this rule will make your server transparently redirect from old.html to the new.html page. Your reader will have no idea that it happened, and it’s pretty much instantaneous.

Forcing New Requests

Sometimes you do want your readers to know a redirect has occurred, and can do this by forcing a new HTTP request for the new page. This will make the browser load up the new page as if it was the page originally requested, and the location bar will change to show the URL of the new page. All you need to do is turn on the [R] flag, by appending it to the rule:

RewriteRule ^old\.html$ new.html [R]

Using Regular Expressions

Now we get on to the really useful stuff. The power of mod_rewrite comes at the expense of complexity. If this is your first encounter with regular expressions, you may find them to be a tough nut to crack, but the options they afford you are well worth the slog. I’ll be providing plenty of examples to guide you through the basics here.

Using regular expressions you can have your rules matching a set of URLs at a time, and mass-redirect them to their actual pages. Take this rule;

RewriteRule ^products/([0-9][0-9])/$ /productinfo.php?prodID=$1

This will match any URLs that start with ‘products/’, followed by any two digits, followed by a forward slash. For example, this rule will match an URL like products/12/ or products/99/, and redirect it to the PHP page.

The parts in square brackets are called ranges. In this case we’re allowing anything in the range 0-9, which is any digit. Other ranges would be [A-Z], which is any uppercase letter; [a-z], any lowercase letter; and [A-Za-z], any letter in either case.

We have encased the regular expression part of the URL in parentheses, because we want to store whatever value was found here for later use. In this case we’re sending this value to a PHP page as an argument. Once we have a value in parentheses we can use it through what’s called a back-reference. Each of the parts you’ve placed in parentheses are given an index, starting with one. So, the first back-reference is $1, the third is $3 etc.

Thus, once the redirect is done, the page loaded in the readers’ browser will be something like productinfo.php?prodID=12 or something similar. Of course, we’re keeping this true URL secret from the reader, because it likely ain’t the prettiest thing they’ll see all day.

Multiple Redirects

If your site visitor had entered something like products/12, the rule above won’t do a redirect, as the slash at the end is missing. To promote good URL writing, we’ll take care of this by doing a direct redirect to the same URL with the slash appended.

RewriteRule ^products/([0-9][0-9])$ /products/$1/ [R]

Multiple redirects in the same .htaccess file can be applied in sequence, which is what we’re doing here. This rule is added before the one we did above, like so:

RewriteRule ^products/([0-9][0-9])$ /products/$1/ [R]

RewriteRule ^products/([0-9][0-9])/$ /productinfo.php?prodID=$1

Thus, if the user types in the URL products/12, our first rule kicks in, rewriting the URL to include the trailing slash, and doing a new request for products/12/ so the user can see that we likes our trailing slashes around here. Then the second rule has something to match, and transparently redirects this URL to productinfo.php?prodID=12. Slick.

Match Modifiers

You can expand your regular expression patterns by adding some modifier characters, which allow you to match URLs with an indefinite number of characters. In our examples above, we were only allowing two numbers after products. This isn’t the most expandable solution, as if the shop ever grew beyond these initial confines of 99 products and created the URL productinfo.php?prodID=100, our rules would cease to match this URL.

So, instead of hard-coding a set number of digits to look for, we’ll work in some room to grow by allowing any number of characters to be entered. The rule below does just that:

RewriteRule ^products/([0-9]+)$ /products/$1/ [R]

Note the plus sign (+) that has snuck in there. This modifier changes whatever comes directly before it, by saying ‘one or more of the preceding character or range.’ In this case it means that the rule will match any URL that starts with products/ and ends with at least one digit. So this’ll match both products/1 and products/1000.

Other match modifiers that can be used in the same way are the asterisk, *, which means ‘zero or more of the preceding character or range’, and the question mark, ?, which means ‘zero or only one of the preceding character or range.’

Adding Guessable URLs

Using these simple commands you can set up a slew of ‘shortcut URLs’ that you think visitors will likely try to enter to get to pages they know exist on your site. For example, I’d imagine a lot of visitors try jumping straight into our stylesheets section by typing the URL http://www.yourhtmlsource.com/css/. We can catch these cases, and hopefully alert the reader to the correct address by updating their location bar once the redirect is done with these lines:

RewriteRule ^css(/)?$ /stylesheets/ [R]

The simple regular expression in this rule allows it to match the css URL with or without a trailing slash. The question mark means ‘zero or one of the preceding character or range’ — in other words either yourhtmlsource.com/css or yourhtmlsource.com/css/ will both be taken care of by this one rule.

This approach means less confusing 404 errors for your readers, and a site that seems to run a whole lot smoother all ’round.