Carter Cole's Blog

The XSS hole I found in Google Analytics

2011-12-12T10:19:00.001-08:00

So it looks like Google has patched this hole so ill run though what I did where it was and how they could have prevented it. It all comes down to one rule. Sanitize all user inputs no matter what. This persistent XSS hole I found was in the protocol field... you can see how I was able to inject an unauthorized protocol for the sites profile

The exposure of this attach was very minimal... they didnt validate the protocol against the list of options provided. Even though this has been fixed I still have a profile that has chromes special protocol on the analytics of one of my extensions

By using the chrome developer inspector you can modify the option list and add any protocol you want, well at least when it worked

Now that they have fixed it this is the message that the ui shows when you try and send the unsupported prototcol

Github badges the easy way

2011-12-12T08:48:00.001-08:00

I have a big problem with scope creep... its one of the things ive been trying to work on as a developer but its just funny to me that I would have scope creep on a blog post. This entire post came out as scope creep of my previos post because I wanted an easy way to add one of the Github ribbons that say "fork this repo". My problem came when i tried to use the code from this page on github blog but it didnt work unless it was injected into the body... so i decided to write a simple script to inject the badge with javascript so all you have to do is include a little script tag with your username, the repo and what color and it would automatically drop it on the page

These are the options you can pass in the querystring to change how it will be rendered &usr= This is your github username
&repo= This is the repo to link to
&side= What side ['left' or 'right']
&color= The color of the ribbon ['red','orange','dblue','lgrey','green','white']

If you want to implement something thats not cross browser then you should check this out. I really like what this guy did with his css3 version that has a special message when you mouseover

And just so you can see what gets onto the pages... you can choose left or right the colors are the same

Spelling in Node just got easier with gSpell

2011-12-10T22:46:00.001-08:00

I've been doing alot of programming in node.js and I like to play with undocumented APIs so it seems natural when I needed to do some spell checking I decided to use the undocumented XML API that Google uses to do spell-checking in the firefox toolbar. I published the package into npm (the package manager for node.js) so to install all you have to do is

npm install gspell

and its easy to check any text and it seems to be able to process pretty long strings the script below shows how to check a string of text it returns the result as the second argument to the callback function. Heres a JSON dump of the object it returns. in the array c there is an object for each spelling mistake. Ive actually augmented the results the api returns to add the word it found that it thinks was mispelled I used xml2js to parse the XML the REST API returns and request to make the http calls. If you know of any changes that should be made just fork the repo and make a pull request

Godaddy Extortion for a Wordpress Install

2011-12-07T09:14:00.000-08:00

I want this post to be a quick one but I hope it points out the type of crap companies do to try and grab money. Most cPanel (its the most common hosting control panel) installations have some kind of autoinstaller for open source packages, and wordpress itself is a super easy install but some hosting companies try and get you to pay for more than you need. Most hosting bandwidth for small sites is never used... they buy too big a package and the truth is its best to start small and upgrade when you need to.

Godaddy seems to be getting into this practice of overselling services... I understand the upsell when im checking out but the truth is for most domains I dont need to buy the common spelling mistakes for my domain or every single ccTld but hey you try and sell and we decline that fine. When I saw this I was just kinda sick, I can do a Wordpress install in less than 10 min but most users cant so what does Godaddy do? They make it so the novice users has to pay more to install something that super easy anyways and has many tools that allow it to be auto-installed. There is no reason Godaddy to charge extra for installing the application, it costs them absolutely nothing to host those tiny Wordpress blogs and they are just doing a money grab and adding no value...

SO if you need a Wordpress blog fast and cheap just go here and send me 5 bucks... ill get you setup for a one time fee and you wont have to keep paying those hosting companies for a bunch of bandwidth you dont need just so you can install Wordpress easily

Get Wordpress setup for 5$

Google gets graphing (and copies Bing / Wolfram Alpha)

2011-12-05T12:09:00.001-08:00

One of the things Bing first did while they were trying to catch up with Google was partner with Wolfram Alpha the computational knowledge engine and it gave them the ability to graph math functions and such... it was actually pretty cool. I was like hey now i have a reason to go do a Bing query... so i had a little giggle today when i read the post on their blog "Showing some love to math lovers" where they are now doing graphs just like bing has (with the Google rainbow logo colors of course )

its actually pretty cool im looking for more cool equations so comment if you know any good ones... and with that i leave you with the idea that the big g can now graph love

How to "Hack the vote"

2011-12-05T10:28:00.000-08:00

I often like to tinker with computer security, it provides alot of cool problems to solve and when im able to figure something out im excited because beyond script kiddie SQL injection (on my own databases) and some XSS im a pretty tame "hacker" (i did find a hole in Wells Fargo) so I happen upon a online voting contest running locally in Houston and I assumed they built their own voting system and i wanted to know what precautions they took against cheating. Its a hard problem to solve, i mean "click fraud" by Google made Bing look foolish and then there are things like astorturfing with mechanical turk so its a hard problem to solve and might not be the best case for "roll your own"

So anyways these CultureMap guys wrote a post about how they caught a cheater... The funny thing is I had already asked my boss if we wanted to cheat at this... and i was going to cheat the right way. (so it all looks natural and you dont get caught) As I dug into reverse engineering their system it turns out they used a simple GET request for voting which brings up some interesting issues. First if its a simple GET request is all you need then you can make a webpage that makes people autovote by dropping the vote url into the src of an image element (then when it tries to load the image it autovotes) you also run the risk of GoogleBot crawling and voting... this was a big problem in the early days where the "delete" link in some admin dashboard somehow was publicly crawled and everything got deleted as google crawled each delete link. Same thing happened to their system... you can see in this google query all the "Thanks for voting" messages google saw and indexed. That means that google got its say in who won the contest :) and another issue with this voting thank you page is that anything you put into the url is written directly to the page.We call that an XSS or Cross Site Scripting attack... that will let me craft urls to do all kinds of fun stuff like make you link to me or steal the login cookies to your admin section. Heres just one example of what you can do injecting stuff into a page

One way you can try and cut down on cheating is to block votes from same ip but then everyone in a office only get one vote (because they all use the same ip) This is what another contest I decided to play a little dirty in did. So how did i get around the ip based block? Proxies Proxies Proxies! after geocoding Im able to choose which proxies to use and send request in a random way so it all looks like normal traffic. You can see my blog in the site entries list i was down by hundreds and caught up in just a few hours... probably raised some flags for the people running the contest :)

So what are the takeaways?

If your running the contest

Use a form POST to make the vote it will be harder to trigger and google wont be voting in your contest
Geocode requests to make sure they are from the right region, this will help you detect somebody using proxies all in china
Have some type of ip based reporting so you can try and catch big blatant offenders

If your "hacking" (or cheating) at a contest

Sniff the http traffic so you can know how to spoof the request identically to the original
Geocode the proxies you use and make sure they are coming from a county thats allowed to participate
If they use a GET request to vote laugh about it and post the auto-vote url everywhere (posting to twitter will get about 20 random crawler to hit the link an vote as soon as the tweet is made)

Heres yet another sneak peek of the new Facebook Timeline

2011-12-04T20:55:00.001-08:00

Facebooks about to have another big facelift and not one like giving you an email address im talking a whole profile redesign, i cant wait until i see the "Facebook turn back the Timeline" group. Everything is becoming objects and actions and so special events are brought out with special attention (Like life events, job changes or marriage) but you can also make up actions. So to get the Facebook Timeline Profile before anyone else you need to trick them into thinking your a developer who wants to build something for the new system. So first go and signup to be a Facebook developer, if you do anything with Facebook pages you probably already have done this. From the Developer Dashboard you add a new application and name it some gibberish to to the open graph section it looks like this

filling out the form with whatever and giving it an action. This is the new functionality timeline provides and what will get you invited early.

Go through the steps until the application is created

When you go back to your homepage you will see a little alert like below, if you dont see it right away dont worry it will show up eventually. Accept the dialog and it will take you through a tour of the new profile. I think they are doing this to try and sell the new look to the users as they have just made the sweeping change without notice without and explanation

Ok now lets go through the tour although it really is just a big waste of time. Its all pretty self explanatory but w/e its cool to get it early

So first they tell you about this new cover thing thats like a big picture to explain yourself in a giant banner type thing but theres still a profile picture is just a separate cutout over your cover

and then we have the dont worry all your stuff is still here its just in a different place thats even better step to explain that its all still ok

Then you got the all activity button that shows everything from the beginning of your birth all the way to your death unabridged including all that has been redacted from public view

And then they explain how you should love them forever for giving you access to your whole life all over again. I know im getting just a touch sarcastic but really whats the purpose of this tour?

And their tools for searching timeline for what you want to redact seems pretty sucky... there may be potential for a application right there. So after all that they dump you here and let you decide when you want to push your timeline profile public

Software engineers by the numbers [infographic]

2011-12-02T07:35:00.001-08:00

I dont want to make it a regular thing just to republish other peoples infographics but this one was really cool to me. I may start to republish some of these with some more commentary I really like to do stuff for conversion rate optimization... Im finally getting some clients who can really benefit from it so we are getting to do alot more. (No im not jumping topics talking about CRO this infographic is from the CRE guys)

Rule the browser creating google chrome extensions

2011-11-28T17:38:00.000-08:00

So i guess its a little late but I gave my first real talk at a conference... I think i may have gone too technical and I was so nervous if you decided to turn this into a drinking game ever time I said like or um you are probably likely to get alcohol poisoning but practice makes perfect I guess. I wanted for everyone to see how easy it was to get started creating google chrome extensions so this video could probably be called a crash course and hello world all rolled into one. I created a mind map you can use to navigate around and ive made all the code used in the video available on github so you can download the code and follow along. you can get the code from here its the

Git Repository (Source Code)

or Download the Zip

And all that remains is me talking like a total nerd for an hour about programming an extension so heres the video If you have any feedback for how I can improve my speaking or any comments on the code I would love to hear from you or just bother me on twitter im @cartercole

Google Wave Sunsetting in 2012

2011-11-23T15:28:00.001-08:00

So Google has finally announced exactly when it plans to kill wave. It seems to be in alignment with their recent push to show a cohesive design in all their products and taking a much more focused vision... i mean they are shutting down google labs... crazy. so anyways heres the email

Dear Wavers,
More than a year ago, we announced that Google Wave would no longer be developed as a separate product. At the time, we committed to maintaining the site at least through to the end of 2010. Today, we are sharing the specific dates for ending this maintenance period and shutting down Wave. As of January 31, 2012, all waves will be read-only, and the Wave service will be turned off on April 30, 2012. You will be able to continue exporting individual waves using the existing PDF export feature until the Google Wave service is turned off. We encourage you to export any important data before April 30, 2012.
If you would like to continue using Wave, there are a number of open source projects, including Apache Wave. There is also an open source project called Walkaround that includes an experimental feature that lets you import all your Waves from Google. This feature will also work until the Wave service is turned off on April 30, 2012.
For more details, please see our help center.
Yours sincerely,
The Wave Team
© 2011 Google Inc. 1600 Amphitheatre Parkway, Mountain View, CA 94043
You have received this mandatory email service announcement to update you about important changes to your Google Wave account.

talk about it cry i mean we use it all the time at my office so i guess we will be setting up our own wave server... i never got into building one of the plugins (othello) but w/e

Google Detects SERP hijacking on your computer

2011-07-25T13:11:00.000-07:00

So search engines have been working more and more on security (im mostly taking about the big G and B) they both actually will alert you when they detect weird stuff on your domain or hacker scripts and Google will let you know you need to update wordpress so i think this is way cool... we have seen virus that rewrite all the search results but now Google can detect the SERP hijacking and warn you about it with a little message at the top. Super cool! I just want to know how they detect the request is begin made from malware... is it only detect one kind or is it a generic heuristic based solution?

The Google Wonder Wheel has disappeared!

2011-07-03T14:44:00.000-07:00

After the new Google Plus update it seems that some SEO's favorite related keywords tool is gone... I had just finished a wonder wheel scraper so i went and got the url that wonder wheel used to be at. When i run a search I get this error message:

"The search option you have selected is currently unavailable"

So i guess its good that it says its currently unavailable because that implies that it may be back soon... some people were thinking that they had just left it off the UI accidentally, but the exact same thing happened around the last "Instant" update where you had to turn it off to see the option

Im starting a petition to tell Google to bring it back... click the link to sign the twitter petition to Google.

Sorezki SEO Plus stole its code from SEO Site Tools... and heres the proof

2011-05-19T09:05:00.000-07:00

Roi Sorezki has contacted me and said that the code was copied by a developer and that the copied portions of code would be removed.

Imitation is the sincerest form of flattery... unless they are stealing your code

Hey there! I'm Carter Cole, the developer of the wildly popular SEO Site Tools Google chrome extension. It's currently boasting a little over 34,000 active users and it's my 2nd most pride and joy (I've got a son, Seth). My extension took a lot of hard work and time to create and today I found someone had stolen my work and reskinned it, calling it their own, adding only minimal changes to the ui and almost no functionality. As a kind of counter, to hopefully shame the person who stole my code, I'm going to run through all my code. How it works, the history of how I created it, then im going to show the copied UI elements and finally I'm going to show the copied code stolen from my extension.

Skip to copied code or Skip to copied UI (warning i kinda go on a rant to explain why I care so much about this little tool).

I like to think of my tool as the Borg of SEO tools. I first got the idea to build it when I heard SeoMoz had a free API. I hoped to create a 1 to 1 copy of the SeoMoz extension for Firefox as a Google Chrome extension and give it to SeoMoz to try and give credibility to get a job there and also to take credit for the chrome version. They didn't want to go for that and were going to keep it in-house but would help and give feedback. After my first prototype it felt like something was lacking. There were so many more data sources that the moz tool didnt show... So I downloaded every Firefox and chrome SEO Extension I could find and started sniffing the API calls they made (or scraped off serps, the best way to do this is with something like Fiddler). By combining only the metrics that really matter and adding in a few of my own ideas I had something awesome. Thats why I call it the Borg, it was made by replicating the best parts and as soon as another extension (in this case that was "Chrome SEO") created a new feature I would replicate (but not steal) the functionality and add it to my tool. I was doing almost weekly update and the user-base was growing like crazy. Then I got a new job and things stagnated. My extenstion is run on almost 10k pages a day and because of scope creep I've lost sight of my original goals and haven't made an update in months. I really need to block out time to make updates. My tool getting stolen has been a rude awakening that I need to get coding again. So enough about why this matters so much to me. I'll get into how they stole my tool.

Now, because of the nature of Google Chrome extensions (they are all just HTML and JavaScript) it's quite difficult to protect your source code so you expect it to be seen. Knowing this, I didn't even try to obfuscate the code because its pretty easy to reverse and if they really want the code they will get it. But there are some trade secrets you want to keep so you do them in a way that's not that hard to figure out but will trick a few. One of the problems I identified with SeoQuake (my closely following competitor) was that they only hit one Google datacenter, that caused there pagerank queries to look automated and thus get the violation of tos message. Google has tons of datacenters and I figured not all of them are telling each other who's asking for pagerank, so if we loop through all of them then we will have a kinda snowshoe that will let us make as many pagerank queries as we want without hitting those rate limiters. Cool, eh? Well, here they are, all the Google Datacenter IPs DWORD encoded to try and help hide what they were. They appear in my SEO Site Tool like this: and here is the stolen copy... on his server. Hmm, those kinda look the same... that's a little weird! But hey, I mean, that's just some regex and IP constants. There's nothing really magic in there right? Not so bad.
Then we look at the gwebtools.js. It's obfuscated on his server, where it's here gwebtools-remote.js but that packer is easily defeated by the JS Beautifyer and we find that its an exact copy. Except, he removed my branding logo.

OK, so there are giant portions of code that are copied from your tool and obfuscated on a remote server where he AJAXes it in to be evaled so none of the code he stole shows up in his tools file.

Here's how his eval function works executing my code... he ajaxes it in and executes it. I can keep showing example after example of copied function names and entire scripts that run different enhancements I wrote, but what made it so blatantly obvious that it was mine was the layout and display. I mean, it's all also copied. I even found a file they distributed with the extension called changesList.txt that had this in it. They took my code and just started Frankensteining it with their branding. But let's get to that stolen UI.

So, they actually AJAX in the HTML from my page from this url indexhtml-remote.html when the popup loads. I used the google chart API to make my link pie chart... heres theres (as blue).

They even copied the tooltip help stuff. I mean, it's like they didn't even care to try and hide it.

The way it shows the views of the elements is the same too, just some changes to my stylesheet is all it took.

Heres another example of exact copies of my tool compared to theirs (I'm showing theirs then mine).

...and here is my version: the original.

Same tools same copy same html table to resize the window... the function calls are the same all of it, along with the string tools (which were really added in there for me but i got some good ideas from ontolo tools so ill add those to the list of things to build)
Again im showing his copy and then my original...
Copy:

Original:

And finally, they copied all my automated SEO advice... something I actually hate to do because you get some users that fight to get all green and its not really the best use of their SEO time, but thats a whole different issue.

One more time... heres there copy:

...and the same exact results in the same order as my tool just different colors.

I've worked hard to create my tool and you have only begun to see the cool ideas I have planned. Hopefully I won't need to keep fighting my code being stolen, but I've worked too hard to see all my intellectual property stolen and do nothing about it.

I'm tired and wasted my night writing this whole rant. I just want credit for one of my best pieces of work, and if you want an SEO extension send me an email. I've built them for other firms and if the partner is right I see no reason why I wouldn't license the code out (the whole point is bragging rights and finding a way to make a little money), petty? I guess, but itss my code and I'm gonna fight to keep it.

The MozCation should definitely add Houston, TX to its list of stops

2011-05-17T20:24:00.000-07:00

SeoMoz should definitely make its way to Houston, TX we are the forth largest city in the us and have a large techie/nerd population, there's great food and honestly there are a few SEO meetups that have stagnated and we need your help to get the excitement for optimizing websites and producing great content.
You should hurry up... i think Roger the MozBot is already on his way :)

Miles: 0.00

ReTweets help nominate houston

I nominate Houston, TX http://seomz.me/lap1tm for an @SEOmoz #MozCation - More info here: http://seomz.me/mozcationless than a minute ago via web RetweetCarter Cole
CarterCole

What it looks like if Google detects an exploit on your domain

2011-05-16T08:49:00.000-07:00

I recently did a post on the lisamoon SQL injection attack and one of the cool things about it was that google detected the attack, showed where it was living on the domain and processed the reconsideration request very promptly

When you enter into Google Webmaster Tools and they have detected a malicious script or exploit on your domain they will show you a red alert warning you of the infection

When you click to the "Malware" section of the "Diagnostics" section of WMT you get a list of infected urls, what the malicious script looks like and the date it was found. Google notices that the same script is repeated numerous times on the page and assumes its infected database tables

After you have gone and and cleaned everything up and hopefully closed any of the SQL injection holes their malicious hacker crawler found then you can tell Google to stop showing that giant red warning when people are going to pages that were infected

The alert seems to be generated automatically so im pretty sure it reruns the automated scan that detected the problem in the first place. But based on the response time Im gonna say there is no human verification of the removal of the malicious code.

Some things to note while you working on getting it clean if that the big red warnings that try to send users away are created at a url or folder level so by renaming files you can make the warning go away even before Googles security bot has checked for infection again

The easiest way to do the renaming would probably be using the .htaccess file and rewriting the url to a new name and adding a canonical tag to the page

Google's little 404 page helper and dangers of soft 404s

2011-03-29T21:05:00.000-07:00

Making sure your pages are returning proper http codes is important to your SEO efforts... (especially with redirects) but another problem that can use up your crawl quota with googlebot is an infinite space problem... these pages can be driven from a database but are often soft 404s or pages that dont exist but still return a 200 code

You should make sure your pages are returning proper 404's alot of webmasters choose to add some little joke to break the users frustration of missing a page but while digging around in google's help docs i came across a little script they wrote to include pages urls who may be the correct version of the wrong url

Just drop this code on your 404 page and be sure to change the domain name to match your own

<script type="text/javascript">
  var GOOG_FIXURL_LANG = 'en';
  var GOOG_FIXURL_SITE = 'http://www.cartercole.com';
</script>
<script type="text/javascript"
  src="http://linkhelp.clients.google.com/tbproxy/lh/wm/fixurl.js">
</script>

and another cool trick i just though of would be to add something like this to the page aswell

<script type="text/javascript">
  _gaq.push(["_trackEvent", "SEO", "404 Error", document.location]);
</script>

then you can see any 4040 errors that your getting and figure out what you need to redirect to so any link love the url may have doesn't get lost

PS:

The LizaMoon SQL Injection Attack

2011-03-29T19:03:00.000-07:00

Ok so i ran into this SQL injection attack today and I wanted to throw up some info on how to clean your database, what the code probably looked like and what you need to do to protect yourself in the future... this is the little code snippet that is injected onto all the string columns in the database you can see how they use the </title> to try and jump out of the title tag (if a column is title tag) so the script would be run in the head. it also doesnt check for previos infections so you can see on some sites its strung 2 or 3 times
]]>
based on what ive seen and found Im gonna take an educated guess and say that this is a hackers spider that has been designed to look for fingerprints of exploitable code and automates the hacking. doing a google search for the string it drops you can find pages of results that have been compromised. here are some of the victims of the attack

http://www.cmobjects.com/default.asp?ID=09984D98CB604C0B8A69566F9145173E
http://www.cheerextreme.com/toast/toast.asp
http://www.ybm.org.il/hebrew/Article.aspx?Item=1139

and not only that there arent many people talking about it... apparently it made it to itunes at some point and other people have mentioned it on forums so who knows how many domains have been affected... ill update this soon with a removal stored procedure... i forgot the code at the office

AOL Way - PDF copy of the leaked master plan

2011-03-23T08:12:00.000-07:00

AOL is working to make a comeback... they have a new logo and are trying to make the push back into the market after failing with all those free CDs. SO here are some of their aspirations:

He wants pageviews per story to jump from 1,500 to 7,000.
He wants video stories to go from being 4% of all stories produced to 70%.
He wants the percentage of stories optimized for search engines to reach 95%.

Where did we get all this? the people over at Business Insider found it for us :) then i went and dug up the PDF version and posted it to SlideShare for everyone

some people are already asking on Quora if this type of leak should be legal... well some people better keep hold of their docs a little better i guess

oh and if you cant get it from slideshare heres another copy of the leaked AOL document on Google Docs

a review of dragon dictation for iPad written using dragon dictation for iPad

2011-03-12T13:53:00.000-08:00

This is a review of Dragon dictation as transcribed by dragon dictation so I'm still at this thing run I'm going to go and talk about everything that I want to talk about that he needs to do ugly little bit about the history of voice recognition and we'll see how it does so voice recognition is kind of one of the really cool things of the new computer age and out used to suck and Google is getting a lot back a lot better at it and so like voice recognition software is really being for like hands free and mobile devices so they rather than interacting with the user interface through sunscreen application I can use voice haven't read to them there by e-mail or things like that there's much different stuff eggs and used in fire aircraft video games all kinds of different things and so there's a couple different ways that they can do it there's dynamic time for being speech recognition Markov chain models and all this stuff it does text to speech so anyways now I'm on the iPad and I'm using dragon dictation to see if it's viable to try and write a blog post just by dictating cause I second typing it's really one of my failures as a nerd I need to really put in some work and trying get my words per minute up but anyways so I remember reading to my computer table 2 cities and reading it all this stuff so if you get my voice and now Google stuff is b*dass it's a lot better at recognizing all kinds different words this one seems like it's doing pretty well I mean I guess you will be the judge of it reading this blog post that I'm in a post straight out of this recording and ohsaa recording it's will this dictation to Dragon dictation so anyways hope you're like this post I think it's kind of a clever thing to do and we'll see how it does and if you have a questions or know of any other good dictation program so you think we should try Island love to hear about them alright until next time this is Carter Krolls signing off from Carter's technology blog. Thank you and goodbye

Carter Cole
Never send a human to do a computers job
http://cartercole.com

Anti-Abortion sites create a Google Bomb for murder

2011-02-25T07:29:00.000-08:00

"Google Bombs" are when a number of sites all link to a certain site with exact anchor text (like carter) to cause the search giant to move a page onto a SERP where it would usually never show. Some of the bigger ones was choosing "im feeling lucky" for "French military victories" would show "did you mean French military defeats" but now anti-abortion e-protesters have caused abortion to show under murder SERP using SEO to make a statement about their political views. It will be interesting to see if Google takes any action to move it out of that position. When George Bush was Google bombed for "miserable failure" they removed the bomb so it may make a political statement based on what they do (or dont do)

Google Murder

Do you know of any other bombs that still exist?
Id love your help to get me to rank on the first page for "carter" that president is killing me with his domain authority. to help me drop a link for me on something you control
Isnt SEO funny? Ill let yall know when im ranking for "carter"

Calculating business days between dates in SQL (a datediff function without weekends)

2011-02-24T12:08:00.000-08:00

Im having to kinda roll my own simplest cms in the world for a customers contact script and they want to know how many business days are between the customer contact and when they responded. After some digging and optimization this is the DATEDIFF sql function I came up with that excludes weekends...

SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO

CREATE FUNCTION BDATEDIFF
(
 @startdate as DATETIME,
 @enddate as DATETIME
)
RETURNS INT
AS
BEGIN
 DECLARE @res int
 
SET @res = (DATEDIFF(dd, @startdate, @enddate) + 1)
  -(DATEDIFF(wk, @startdate, @enddate) * 2)
  -(CASE WHEN DATEPART(dw, @startdate) = 1 THEN 1 ELSE 0 END)
  -(CASE WHEN DATEPART(dw, @enddate) = 7 THEN 1 ELSE 0 END)
  
 RETURN @res

END
GO

Ill add holiday support if i have time but it shouldn't be tough at all just select count of holidays that fall between the dates and subtract it from the total. Hope someone finds this usefull :)

Easy pdf download event tracking with jQuery and Google Analytics

2011-02-22T06:58:00.000-08:00

Quick tip:
One of the things we wanted to add was a generic script to track pdf downloads as events in GA so i wrote this real quick... ill probably add in some other flavors based on prototype or another library later but for now this is a quick and easy post to try and get me in the habit of publishing again

you can easily modify this to also look for powerpoint or txt file whatever... just change the extension in the jQuery selector

Do you have any cool Google Analytics scripts you use around your sites? Id love to hear about some other ideas for what to track

My new shortener is CCole.tk, heres how to get your own, for free

2010-11-16T21:30:00.000-08:00

I started playign with Bit.ly again tonight, i got access to the Pro Beta awhile ago and after setting up my domain cartercole.com I never added in the A records for a true shorter url. (you can get the pro signup here)

Then i remembered about my new best buddies over at .tk and went and got ccole.tk (prettymuch anything over 4 letters is fair game and free) so im kinda cheap and while im working on changing my mindset i still like to use free services where I can so i hit up the free dns service and pointed my A record to the bit.ly ip

so once the domain was registered and pointed all using free services i got all these pretty charts and my tweet of victory

Now when sharing from my bit.ly dashboard I get my custom domain and all kinds of neato stats aswell

http://ccole.tk/9w4rnT zOmg check out that sweet new url shorter :)less than a minute ago via bitlyCarter Cole
CarterCole

Have yall got your beta invites yet? What do you think about the .tk tld? Stupid Blackbird Pie tweet embed extension doesn't recognize ajaxy urls... what gives with that? Talk in the comments, i dare ya

oh and for a free name to use just get a free .tk

Google's new preview very Bing-esk but even better

2010-11-11T09:06:00.000-08:00

I thought i was in another preview but from what i can tell the new page screenshot features are going live to all datacenters. Their preview is different (and better) than what other search engines have implemented in the past because their content previews show real text and show where its found on the page...

Something I think this helps prove to me (although I already really believed it was being done) is that Google at least is in fact able to interpret and understand the complex positioning of elements and that footer link detection is probably trivial to them

It will be interesting to see how hidden text appears in these previews and if spam results are easier to spot in SERPS. Something to note is that flash is broken in the previews so if your site uses flash and cares about the preview that much they may want to have styles that unhide the flash and have a static picture that can stand in so the entire site doesnt look broken do to the thumbnail not rendering the content for that embedded movie

What implications do you think the new preview has for SEO and SERPs? Do you think the big G is doing too much to copy Bing's tools? It seems like they found another tool that may be effective and updated it to the level that we have come to expect from Google.

Heres how you could do the alt HTML for a java applet

Proxies proxies everywhere and all for free

2010-10-24T20:28:00.000-07:00

SEO Site Tools has gone into an intensive development kick working to get everything ready for v3.0 framework upgrade and more features like export and reporting as well as more metrics and integration to some other services (Google Analytics, Webmaster Tools), but some of this data cant be gathered by the extensions and IP based API rate limit how much data you can pull, so thats where proxies come in, they let you mascaraed as other IPs from other places... I need a big list of proxies to do the dirty work and by modifying a few open source projects ive built my list to 1505 open proxies in just a couple days. Heres how my dealie works...

First i took an open source uptime monitor and created my own plugin to test HTTP proxies using cUrl and PHP

Heres my proxy checker plugin code...

I found it could only connect out port 80 (firewall i guess) so I built my script to only check those it finds with valid ports

heres a shot of my dashboard

1505 proxies up what what

I changed the code that runs the template so i can pass an API parameter to pull xml or json proxy list and status as well as hacking some code so my proxy scraper could add items (and password protection)... oh heres a sample return from my proxy tester API (returns XML for simple parsing)
That lets me simplexml_load_string to test and see what level proxy it is... they go something like

Elite Proxy, connection looks like a regular client
Anonymous Proxy, no ip is forworded but target site could still tell it's a proxy
Transparent Proxy, ip is forworded and target site would be able to tell it's a proxy

and are graded by how and what headers are returned by the proxy (ill upload my proxy judge code later if anyone wants it) so then to make the process even easier i decided i would use some crowd sourcing techniques, i made a script to scrape proxies from text using regex and then made a page to test proxies... then i test the proxies and add the good ones to my database :) i also found a few proxy lists on google and setup a cron job to run and scrape their proxies every few hours...

if you have any questions feel free to bother me... thats what im here for