
Posts Tagged ‘ mysql ’

DC-MCNAS1 Movie Cowboy NAS will wrangle your torrents, herd your HDDs

Having a box sitting on your network and offering up terabytes of storage is a lovely thing, but it's even lovelier when that box can kind of take care of a variety of other problems as well. Such is Digital Cowboy's DC-MCNAS1, a case with dual 3.5-inch SATA bays into which you can slot whatever volume of storage your budget allows. Once connected to your network (over gigabit Ethernet) it can serve up MySQL instances, accept files over FTP/SSH, manage your printers, and of course handle however many torrents you can throw at it. The box ships to Japanese buckaroos next week and, while there's no price set on this one yet, hopefully it won't break the bank.

DC-MCNAS1 Movie Cowboy NAS will wrangle your torrents, herd your HDDs originally appeared on Engadget on Fri, 23 Apr 2010 10:26:00 EST.

Original Source: Engadget


Data validation and sanitization are extremely important in every server-side scripting language. They protect the database from malicious attacks on the website as well as from unintentional or unexpected errors caused by what visitors type. This article is in no way all-inclusive, but it provides a couple of tips on how you can better protect your database.

First, it's important to check that the data provided by the site visitor matches the format you expect. For this I suggest sprintf(), a built-in PHP function. Regular expressions can also check data formats, but I've found sprintf() to be a safe and simple way to enforce the basic type of each value.

sprintf() works as follows:

$my_text = "The quick brown fox jumps over the lazy dog.";
$letters_in_alphabet = "26";
echo sprintf("The following text uses all %d letters of the alphabet: %s", $letters_in_alphabet, $my_text);

In the previous example you provide a format string, and each % placeholder is replaced by the arguments that follow it, in the order they appear. %d converts its argument to an integer, so only digits can ever end up in that position of the string. %s converts its argument to a string; note that it accepts any characters, quotes included, so on its own it does not make a value safe to place inside a quoted SQL literal. That is the job of the escaping step covered later in this article.

The above example doesn't interact with a database, so here is one that does:

$sql_text = sprintf("SELECT * FROM tbl_users WHERE username = '%s' AND user_id = %d;", $_POST['username'], $_POST['user_id']); // form field names assumed to match the column names

In $sql_text the %s and %d are replaced by the corresponding values in the argument list: user_id is forced to an integer, while username is inserted as-is and still needs to be escaped (see below) before this statement is sent to MySQL. Those are the basics of the sprintf() function.

The above illustrates the data validation part of protecting the database. The following briefly explains how to sanitize data before it reaches the database. For the examples that follow, we'll assume you're using MySQL; PHP offers different sanitization functions depending on the database technology in use.

mysql_real_escape_string() escapes the characters MySQL treats specially inside a string literal (apostrophes, double quotes, backslashes, NUL and newline characters) using the character set of the currently open MySQL connection, so it must be called after mysql_connect(). (The mysql_* extension was removed in PHP 7; mysqli_real_escape_string() is the equivalent there.) For example:

User types: That's great, he said, "This is a good example."

When the above is sent to a MySQL database, the apostrophe or quotes could end the string literal early and cause MySQL errors. It's important to escape these reserved characters so the text is stored in the database exactly as the user typed it. The example above is handled as follows:

$user_data = $_POST['user_text']; // we are assuming that user_text is the name of the user-populated form field
$safe_data = mysql_real_escape_string($user_data);

echo($safe_data); // displays: That\'s great, he said, \"This is a good example.\"
The backslashes tell MySQL to treat the quotes as ordinary characters, which prevents malicious or unintentional database errors caused by user-provided input. If you put both of these security measures in place, you substantially improve the stability of your database and the security of your data. Lastly, here is an example utilizing both methods:

$user_data = $_POST['user_text'];
$safe_data = mysql_real_escape_string($user_data);
$note_id = $_GET['id']; // we'll assume the value of id in the URL is 4
$sql_statement = sprintf("UPDATE tbl_notes SET body = '%s' WHERE id = %d;", $safe_data, $note_id);
echo($sql_statement); // displays: UPDATE tbl_notes SET body = 'That\'s great, he said, \"This is a good example.\"' WHERE id = 4;
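The following is an added example, not code from the original post. It carries the two ideas above (check the format of the id, and keep the user's text from breaking out of its SQL literal) into a form that runs against current PHP, where the mysql_* extension no longer exists. The article's sprintf() and mysql_real_escape_string() steps are replaced by a strict integer check and a PDO prepared statement with bound parameters, so the text is never spliced into the SQL string at all. The table name tbl_notes, the row id 4 and the user text are taken from the article; the in-memory SQLite database, the function names and the sample inputs are my own assumptions, chosen so the script runs offline. Swap the DSN for a mysql: one against a real server.

```php
<?php
// Added example (not from the original post): validate the id's format, then
// bind values instead of building SQL text by hand. An in-memory SQLite
// database stands in for MySQL so the script runs offline; the SQL used here
// is valid for both.

declare(strict_types=1);

// Step 1: format validation. Unlike sprintf("%d"), which silently coerces
// "4abc" to 4, filter_var() rejects anything that is not a positive integer.
function validate_note_id($raw): int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    return $id;
}

// Step 2: bound parameters. The user's text never becomes part of the SQL
// string, so apostrophes and quotes are stored exactly as typed and cannot
// terminate the literal early. No escaping call is needed.
function update_note_body(PDO $db, $raw_id, string $body): int
{
    $stmt = $db->prepare('UPDATE tbl_notes SET body = :body WHERE id = :id');
    $stmt->bindValue(':body', $body, PDO::PARAM_STR);
    $stmt->bindValue(':id', validate_note_id($raw_id), PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed demo data standing in for $_POST['user_text'] and $_GET['id'].
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tbl_notes (id INTEGER PRIMARY KEY, body TEXT)');
$db->exec("INSERT INTO tbl_notes (id, body) VALUES (4, 'placeholder')");

$user_text = 'That\'s great, he said, "This is a good example."';
$affected = update_note_body($db, '4', $user_text);
$stored = $db->query('SELECT body FROM tbl_notes WHERE id = 4')->fetchColumn();
echo "rows updated: $affected\n";
echo "stored body: $stored\n";

// A malformed id is refused before any SQL is sent to the server.
try {
    update_note_body($db, '4abc', 'ignored');
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}

// For comparison, the article's %d placeholder coerces rather than rejects.
echo 'sprintf("%d", "4abc") gives ' . sprintf('%d', '4abc') . "\n";
```

Run it with php on the command line; it prints one updated row, the body stored with its quotes intact, the rejection message for the malformed id, and the coerced value 4 from sprintf(). The design choice worth noting is that binding parameters removes the need to remember an escaping call at every query site, which is where the sprintf-plus-escape approach most often goes wrong.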
Again, this article is by no means an all-inclusive guide to database security, but these two measures are a worthwhile addition to any website and improve its stability. Hopefully this will help to better secure some of the websites out there. If you have any questions or additional suggestions, feel free to leave a reply.


PHP MySQL Queries

November 10, 2008 by Shaun

I have written a function to make it easier to execute queries against a MySQL server. I’m posting it here with the hope that it may help other developers that are either learning or looking for a more efficient way to execute SQL statements. I may convert this to a class in the near future, although there isn’t much of an advantage to this from what I’ve seen.

