If you wish to list items individually within the PayPal payment page then a compromise is as follows:

1. If the customer has 99 items or less, list them individually. If the customer has 100 items or more, combine them into a single line item.

2. Switch to Express Checkout instead.

Below is a very rough example in PHP which shows how to populate a PayPal array based on option 1 above. Please note, this example isn’t complete and your array would need elements in addition to those shown below.

define('PP_ITEM_LIMIT', 99);

if (count($basketitems) <= PP_ITEM_LIMIT) { // If there are PP_ITEM_LIMIT items or less, list them individually
	foreach ($basketitems as $product) {
		$count++;
		$paypal['item_number_' . $count"] = $product['productid']; // Productid
		$paypal['item_name_' . $count"] = $product['productname']; // Product name
		$paypal['amount_' . $count"] = $product['price']; // Price
		$paypal['quantity_' . $count"] = $product['qty']; // Quantity
	}
} else { // PP_ITEM_LIMIT items or more and combine them into a single line
	$subtotal = 0.00;
	foreach ($basketitems as $product) {
		$subtotal += $product['price'] * $product['qty'];
	}
	$paypal['item_name_1'] = 'Website Order';
	$paypal['amount_1'] = $subtotal;
	$paypal['quantity_1'] = 1;
}

Following on from our article How secure are your passwords? we’ve decided to summarise a list of common website vulnerabilities together with preventative measures or recommended fixes. If you’re currently looking for a web designer, it might be worth noting down points from this article and discussing them with a potential supplier to ensure your new website is as secure as possible.

SQL Injection

This is a common website vulnerability often mentioned in the media, although usually no explanation is given as to exactly what it is.

Many websites sit in front of a database which controls the content on some or all of the pages. More often than not such a database would be in MS SQL or MySQL format. Website pages interact with a database using “SQL queries” – these are a collection of formal statements used to select, update or add data. This could include customers placing orders or logging in to amend or retrieve their information.

Certain characters such as a quotation marks and percentage symbols have a special meaning in SQL queries, and if these characters are maliciously input into a website (most commonly via a registration form or such like) they can be used to destroy or steal data.

For example, you might have a contact form on your site that takes a customer’s name and email address and records it in a database. A malicious user could include a quotation mark in the name field, followed by additional code which is then used to hijack the database in a number of different ways.

How to prevent

At the most basic level there are two main ways of preventing SQL Injection:

1) Validate all user input – you wouldn’t normally expect a person’s name to include a quotation mark or other symbols, so data should be validated and rejected before it makes contact with the database. However, sometimes user input can contain characters that are unsafe in a SQL query but are none-the-less legitimate in context. For example, a dating website that asks a user for their height might accept input in the form of 6’2” (six feet and two inches). To overcome this see step 2.

2) Escape data – escaping refers to the process of making data safe before it makes contact with the database. This is different to validating user input in the fact that even valid data can contain unsafe characters. Escaping data doesn’t remove such characters, but rather makes them safe for contact with the database.

At a more advanced level it’s also advisable to ensure that character sets between pages, scripts and databases are consistent. This can help to prevent non-dangerous characters becoming dangerous if data shifts character set.

Cross Site Scripting

Cross Site Scripting or XSS enables attackers to inject client-side script into web pages viewed by other visitors. This can allow an attacker to steal other user’s data or otherwise interfere with their browsing session.

XSS attacks often happen when user input is later output to a webpage without sufficient validation or cleansing. For example, a user might submit a contact form that, upon success, displays the message, “Thank you for your enquiry John – we will contact you back soon.” The problem is, “John” could maliciously enter unsafe characters in his name. On the subsequent success page these characters could be crafted in such a way so as to call external scripts not controlled by the website owner.

Although the above example would not effect anyone other than the attacker himself, a specially crafted link, email or external webpage can be used to direct unsuspecting users to the site in question and affect them via the exploit.

How to prevent

1) The most common way to prevent XSS attacks is to encode any user input that is output to a page. This also includes user data that is stored in a database and output to a page later on (although it’s best to encode data at the point of output rather than the point of storage).

2) Set the HttpOnly flag for cookies which don’t need to be accessed by client-side scripts

Update 3rd Party Applications

Third party applications such as WordPress and phpBB contain thousands of lines of code which are publicly available for scrutinisation. This means that periodically bugs and security exploits are discovered that can put your website at risk.

As a matter of course all such applications should be updated regularly to the latest versions which can help to remove known issues.

Web Hosting

Securing your web hosting is just as important as securing your website, since both work hand-in-hand. Here are a number of things to consider:

1. Close down ports and services that are not used.

2. Restrict database connections to localhost – don’t allow external connections to your database server unless you really need to.

3. Lock services and administration panels to a fixed IP address if you have one. Use HTTPS rather than HTTP where appropriate.

4. Use Secure FTP rather than standard FTP.

5. Use strong passwords and change them regularly.

6. Ensure database and file permissions are set correctly.

Remember that security is a huge and specialised subject – this article covers some of the basic points that affect many websites day-to-day.

Good luck!

We all have them – passwords for our email, Facebook, Twitter and bank accounts.

Some people use the same password for all accounts – something which is inherently insecure because if one system is compromised an intruder will have access to everything.

Choosing different passwords for each account can, however, make them difficult to remember, so often you might rely on your web browser’s “Save Password For Next Time” type of feature. But have you ever considered what might happen if your computer or laptop was stolen? If you run a business online, the consequences of a thief being able to fire up your computer and access your entire empire doesn’t bear thinking about.

The solution

There are a number of ways to tackle this problem, and if you must allow your browser to store your account passwords then Firefox’s Master Password feature is a good solution. This stores all of your web-based account passwords in an encrypted format which can only be unlocked using a Master Password. This means you can have a different password for each web-based account which is remembered by your browser and automatically filled out when required, providing you enter the correct Master Password at the start of your session.

When a Master Password is in use, all of your regular passwords are encrypted using 3DES. If you choose a good, strong password, then this level of encryption is pretty secure and will definitely protect you from the casual thief.

To enable a Master Password in Firefox see this knowledge base article.

Other options

At the time of writing, Internet Explorer doesn’t have a “Master Password” facility like Firefox, so if you use IE you might want to consider alternatives.

One such option is to store all passwords in a text file or Word Processing document ready to cut and paste when required. The implications of this should be fairly obvious. If an unauthorised person steals or opens the file, they will have every single password at their disposal.

You could password protect the document itself, but keep in mind that this level of protection is incredibly insecure when using the Microsoft Office suite (i.e. Word or Excel documents). Applications exist to crack or bypass Microsoft Office passwords within seconds.

OpenOffice is a free, open-source equivalent to Microsoft Office and features more secure password protection of its documents, so might be a better choice. However, an even better option would be to store your password file inside an encrypted file container. An application that makes this very straight-forward is TrueCrypt.

FTP accounts

If you transfer files via FTP using multiple accounts, you’ll possibly face the same issues as those discussed above. Saving the passwords in your FTP client is tempting but open to the same risks as before. In fact, hosting companies are reporting a rise in the number of customers who get infected with viruses or malware and have their account passwords “stolen” from within the saved area of their FTP software. Many of the most common FTP applications such as CuteFTP and Filezilla are known to store passwords in an insecure manner.

WinSCP on the other hand has a similar “Master Password” feature as Firefox and uses a strong AES cipher to to store your account passwords. Again, choosing a secure master passwords is critical to the strength and reliability of this feature.

Choosing a secure password

• Use at least eight characters or more. The longer the password the better.
• Use a random mixture of characters including upper and lower case, numbers, punctuation, spaces and symbols.
• Never use a word found in a dictionary, English or otherwise.

Things to avoid

• Don’t simply add a number or symbol before or after a word. I.e. “goose61″
• Don’t use combinations of dictionary words, I.e. “goosechicken”
• Don’t simply reverse a word, I.e. “esoog”
• Don’t use common key sequences that can easily be repeated. e.g. “qwerty” or “zxcvbnm”.
• Don’t simply garble letters, e.g. converting e to 3, L or i to 1, o to 0. A brute-force attack can substitute such characters.

A reasonably powerful computer can run through every word in the dictionary in a matter of seconds. A brute-force intruder can therefore run an automated process which tries every word in the dictionary against your password, along with combinations of other words, numbers and characters. The longer the process runs for, the more chance that your password will eventually be guessed if it’s based on a dictionary or common word.

Long, totally random passwords are best, and these can be stored securely using the methods outlined at the start of this article.

Keeping your passwords secure

Keeping your computer clean and virus free is also critical to security. Keyloggers, phishing emails and other threats can all impact security.

Don’t assume that your Windows login password will be capable of securing your entire computer.

Try and keep passwords stored in a secure manner (as described above) and delete emails that may contain sensitive information. Run up-to-date virus and spyware software across your network.

Remember, no approach can guarantee 100% security, but a little extra thought and effort can make it easier to sleep at night.

Good luck!

We’d like to take the opportunity to wish all of our clients, staff and suppliers a Merry Christmas and successful New Year.

Our offices will be closed from Saturday 24th December 2011 and will re-open on Wednesday 4th January 2012.

Our systems are monitored out of hours, 24 hours a day, 365 days per year. If, however, you require technical support during this time please email help@1stwebdesigns.com or call 0116 2942021 and leave a message.

Having worked extensively with the limousine and chauffeur industry for a number of years, we were excited to return to our roots when Balmoral Car Hire approached us to develop their web presence.

Promoting wedding car hire in Croydon, the website showcases the company’s fleet of vehicles including their impressive Rolls Royce Silver Spur, and an online form allows prospective clients to obtain a quotation with ease.

The site itself is built using HTML5 – the latest cutting-edge markup language – and is fully optimised for Google and the other search engines.

We are looking forward to working with Balmoral Car Hire throughout 2012 to develop the site on an ongoing basis, driving more visitors, enquiries and leads in their direction.

If you’d like to discuss the development of your own website, please contact us for a free, no-obligation consultation at your convenience.

Following the huge success of EverythingBranded.co.uk – a website designed and built for one of our clients earlier this year – we’re now pleased to announce the launch of their latest micro-site: www.topwristbands.co.uk

Focusing purely on wristband products from the company’s inventory of promotional items, their custom-built product database now controls both sites and provides an easy to use, central area for updating prices, photographs and stock information.

A “Live Chat” facility allows customers to talk online in real-time with a sales representative. Quotation and sample request forms, accessible from all product pages, provide an ideal call-to-action that helps to capture and qualify leads.

As is always the case, one of our primary goals was to not only produce a fantastic looking website, but to also ensure that the individual pages were structured in a search engine friendly manner. Each page was hand-coded to ensure reliability and speed, and to avoid “markup bloat” which is often found on other sites.

As part of our stringent quality control procedures, the website has been tested in over 10 different web browsers. Because not all visitors use Internet Explorer to browse online – many use Firefox, Chrome, Opera and Safari – this last point is crucial. It ensures that the site is compatible, fast and renders consistently for everyone.

This month kicked off to such a busy start that we almost forgot to mention the launch of www.everythingbranded.co.uk

Leicester based company EverythingBranded approached 1st WebDesigns to produce their new website, which offers a range of brand-able promotional items including mugs, pens, keyrings and oyster card wallets.

Having been selected for the project due to our experience with retail and product oriented websites, we set about creating a visually striking homepage concept with links to best selling items and offers.

Search engine friendly design

As usual, one of our primary aims was to not only produce a great looking web site, but to also ensure that the individual pages were fast to load and structured in a search engine friendly manner. Each section of the site was hand-coded to avoid “markup bloat” and ensure reliability.

Our quality control procedures involved testing the site in a range of different web browsers to ensure the end result was compatible and rendered consistently for all visitors, including those who use Internet Explorer, Firefox, Safari, Opera and Chrome.

Editing the website in-house

A custom-built database application allows EverythingBranded to constantly review and expand their product range, in-house and without additional cost. The site also features a helpful “Live Chat” facility that enables customers to communicate directly with a sales representative whilst browsing for products online.

The final word

Paul Rowlett, Managing Director at EverythingBranded said: “We chose 1st WebDesigns because of their experience working with ecommerce sites and online catalogues. We found them to be honest and reliable, and we’re extremely happy with the end result. So far the project has been a huge success, we’ve taken on a new account manager due to the increase in business, and we’re already planning to launch additional micro-websites as a result.”

The advantages

This allows more than one option to be selected if the user holds down the modifier key (the CTRL key in Windows) whilst making their selection. The depth of the select element can also be limited if the list is very long, although generally you’d want more than one option on display.

The disadvantages

However, there did seem to be a couple of disadvantages. Firstly, not all users would be aware of the modifier key or how to use it. Secondly, pre-selected values could inadvertently be unselected if the user makes additional choices without holding down the modifier key. If several options are pre-selected when the page loads this could prove to be a nightmare for the user to untangle.

The solution

Replacing the select element with checkboxes seemed like the obvious choice, but this would take up more space on the screen and potentially look messy. The solution? Checkboxes that are styled to look like somewhat like a multiple select element.

First of all we changed the select element into a series of checkboxes, wrapped in a div with an appropriate class name:

<div class="multiselect">
	<label><input type="checkbox" name="option[]" value="1" />Green</label>
	<label><input type="checkbox" name="option[]" value="2" />Red</label>
	<label><input type="checkbox" name="option[]" value="3" />Blue</label>
	<label><input type="checkbox" name="option[]" value="4" />Orange</label>
	<label><input type="checkbox" name="option[]" value="5" />Purple</label>
	<label><input type="checkbox" name="option[]" value="6" />Black</label>
	<label><input type="checkbox" name="option[]" value="7" />White</label>
</div>

Next we apply some CSS styling to give the desired effect:

.multiselect {
	width:20em;
	height:15em;
	border:solid 1px #c0c0c0;
	overflow:auto;
}

.multiselect label {
	display:block;
}

.multiselect-on {
	color:#ffffff;
	background-color:#000099;
}

The final touch

We can extend this idea using jQuery to highlight the selections. We should of course highlight pre-selected checkboxes when the page first loads, as well as selections that the user makes afterwards. Here’s a function that we knocked together for this purpose:

jQuery.fn.multiselect = function() {
	$(this).each(function() {
		var checkboxes = $(this).find("input:checkbox");
		checkboxes.each(function() {
			var checkbox = $(this);
			// Highlight pre-selected checkboxes
			if (checkbox.attr("checked"))
				checkbox.parent().attr("class","multiselect-on");

			// Highlight checkboxes that the user selects
			checkbox.change(function() {
 				if (checkbox.attr("checked"))
					checkbox.parent().attr("class","multiselect-on");
				else
					checkbox.parent().attr("class","");
			});
		});
 	});
};

We can then apply the functionality to any group of checkboxes inside a container with the classname “multiselect”

$(".multiselect").multiselect();

Here’s the final results:

Christmas Opening Times

Our offices will be closed from 25th December and will re-open on 4th January. Our systems are monitored out of hours, 24 hours a day, 365 days per year. If, however, you require technical support during this time please email help@1stwebdesigns.com or call 0116 2942021.

All messages and emails are checked periodically between these dates.

VAT Increase

As you’re probably aware VAT is due to increase from 17.5% to 20% on 4th January 2011. If you have an e-commerce website, please contact us by this date so that we can make any necessary adjustments.

Over the course of the last few weeks we’ve been busy working with our latest client, Lightmap Ltd, on their new website www.hdrlightstudio.com

The site was launched to coincide with the latest release of the company’s flagship product for interactive image-based lighting, HDR Light Studio version 2.0, which provides computer graphics artists with a fast and efficient way to light a 3D rendered scene with photo-real results.

The web site features high-impact images with individually customised pages, providing an attractive magazine style format with an easy to use navigation system. Each page has been hand-coded, optimised for speed and tested for compatibility in over 10 different web browsers to ensure maximum visibility for all users.

Content Management System – editing the website with ease

1st WebDesigns were also commissioned to design and implement a suitable content management system for the web site, which means Lightmap are able to effortlessly add new pages such as video tutorials, news articles and reviews within a consistent framework.

Mark Segasby, CEO of Lightmap Ltd said: “1st WebDesigns have proven to be a fantastic partner for our web site development and working with them has been a joy. We had lots of ideas and knowledge of how to design good looking web pages, but we didn’t have the technical expertise to produce a site that is compatible with all browsers and ranks well within Google. The quality of our new web site speaks for itself.”

Increased traffic with successful Search Engine Optimisation

Since its launch the site already appears on page 1 of Google for a variety of highly competitive industry search terms as shown in the table below:

If you’re interested in web design Leicester or search engine optimisation for your business, feel free to contact us.