Sep. 25, 2009 at 10:21am
Subversion Checkouts for Live WebApps Can Be Useful, but Dangerous

The web design and development blog Smashing Magazine published an article today about a problem with using a Subversion checkout to deploy files to a live web server. In short, anyone could browse to the checkout's metadata directory on your website and read all of the source code, including database connection information. (Don't worry, at SiteCrafting we don't do this. We have a much better system.)

The Smashing Magazine article includes tips on how to secure common web servers. Here's another way to secure a site using two simple .htaccess rules.


Aug. 20, 2008 at 11:20am
MySQL Login Truncation

Why yes, you can log in with an invalid username

Stefan over at Suspekt brought up some interesting security vulnerabilities based on MySQL's column truncation tendencies (when not in strict mode), so I thought I'd add my own to the pile, this one right in the grant tables.

MySQL's user table restricts user names to 16 characters (and hosts to 60). Any attempt to create a user with a longer login results in an error. However, unlike Stefan's example, where a field is compared, then truncated, then inserted, MySQL truncates a login attempt before processing it, so a longer username whose first 16 characters match an existing account is accepted as that account.

Aug. 18, 2008 at 2:48pm
Quick Lost Content Recovery Option

Google cache as quick fix backup

No matter how well protected your website may be, sometimes you still need a helping hand when an accident happens. Deleted a page while fumbling with FTP? Did someone else in your office overwrite your work on a web page? Heck, maybe your entire site is down! Google Cache may be able to help.


Jan. 9, 2008 at 3:51pm
PHP Passes Homeland Security Test

Use open-source with more confidence

When meeting with prospective new clients, we tell them that SiteCrafting uses PHP and MySQL as the development platform. Invariably this leads some of them to ask us what PHP and MySQL are and if they are safe and fast. Sometimes, this can lead to interesting conversations, where we explain to them why we think PHP and MySQL are safe and fast.

Occasionally there's a client who remembers reading an article 4 or 5 years ago about PHP 3 having some security issues. We refer them to current articles on PHP and mention our own experiences, but the latter argument can come across as "because we say so," which isn't a good way to get the point across.

Dec. 4, 2007 at 11:41am
Facebook Beacon: Social Media Becomes Spyware

Advertising Gone Wrong

I've been a Facebook user for quite some time - even before they had the facebook.com domain. One thing that I absolutely love about it is the control they give you to limit what other people see about you. I've adopted a very strict set of controls that allows only people I actually know to see anything about me. However, this is a false sense of security. Everything I post online that anyone besides me can access is inherently public. This is what initially drew me and countless other people to Facebook.

However, their new advertising platform - Beacon - throws all this out the window. Beacon is a system that allows Facebook to track what you do on other websites. Let me reiterate that: Facebook tracks what you do online. They don't just track what you say you like on your profile, for example what movies you like; with Beacon they can track what movies you're actually renting.


Nov. 15, 2006 at 9:12pm
Master of Your Domain

Take control from domain slammers and scammers

It begins with a letter, or maybe even an "invoice". It ends with the transfer of your domain to another registrar and, in some cases, the loss of your domain entirely. The term for this is domain slamming.

The practice preys upon unsuspecting people who want to pay their bills and keep their domain names current. After all, we have our domain name printed on every invoice and business card and painted on our trucks, and we advertise with Google AdWords; we don't want our domain to expire. This is exactly what the slammers count on.
