Welcome back!, if you’re new please be sure to read Part 1 here.
This tutorial will focus primarily on Security and will touch on how to plan functionality.
Planning out an application and seeing progress regularly is a good strategy as you are most likely to complete your tasks in a timely fashion with this approach.
Ready?, ok let’s jump into it!
DISCLAIMER
We highly recommend that you follow these tutorials on a localhost testing server like Uniserver. Read through Part 1 here to look at our recommendations. These tutorials follow a phased approach and it is highly recommended that you do not make snippets of code live prior to completing this tutorial series.
Where we left off – the serious stuff.
In the previous tutorial we saved variables to the database.
It’s important to note that further steps are needed to ensure that data transactions to / from the database are secure.
A great first step is to ensure that all POST data (data transmitted after a user clicks a form’s submit button) is sanitized.
What we’re trying to prevent
One of the most common exploits is SQL Injection, an attack most commonly used to insert SQL into db queries. POST data that’s not sanitized leaves a huge security hole for malicious exploits. In some cases SQL injection can be leveraged to rage an all out assault on a server’s operating system.
A few examples of a basic version of what this might look like can be seen below.
OUTCOME
This might delete your database table
OUTCOME
This might provide access to the entire user table and the password protected area/dashboard.
***Please note that there are various types of SQL injection techniques and I will delve into this during the course of this series.***
So what exactly is sanitization and what does it do?
When sanitizing POST data, we are essentially looking for any special characters that are often used in SQL injection attacks.
In many ways, this tiny piece of code is the unsung superhero of many database driven applications.
Let’s secure that POST data!
Navigate to your backend folder and open index.php
Locate the following line of code:
$sql = "INSERT INTO content(title,content,author)VALUES ('".$_POST["title"]."', '".$_POST["content"]."', '".$_POST["author"]."')";
Ok, let’s get to work.
Based on what I mentioned a few moments ago, it’s clear that our SQL statement is vulnerable so we need to sanitize the POST data pronto!
The method I will focus on first is $mysqli->real_escape_string. This will escape any special characters found in the POST data.
Did you notice the use of $letsconnect? This was used because of our db connection defined in conn.php.
Our new query will look like this:
$sql = "INSERT INTO content (title,content,author) VALUES ('".$title."', '".$content."', '".$author."')";
Go ahead and replace the old $sql.
Phew!, we can breathe easy now.
Next, let’s lighten things up a bit by focusing on functionality and aesthetics.
A phased approach is the best way to tackle projects of any size.
I tend to jot this down on paper before creating a more legible professional spec!.
Typically the phased approach lends itself to logical progression.
For example, over the next several days I will go over the following:
* Account Access * The login process * The registration process * The password recovery process * Frontend * The look and feel * Menus * Sidebars *Main Content *Footer * Backend * Content Management * Add/Edit/Delete * Security
This will give us a good springboard to delve into more complex functionality.
The aesthetic I have in mind will be barebones at first with clean CSS practices (this will make life a whole lot easier when we have to make changes down the line!).
Challenge :
Plan out your own CMS, think about the user interface and design choices you’d like to implement, and create a phased approach.
Conclusion
I hope this tutorial encouraged you to think about security and understand one of the most common exploits. During the course of this series, you will receive the tools necessary to beef up security while maintaining your sanity!
At Nomad PHP our goal is to empower developers in building a habit of continuous learning - and that means we have a habit of continuous improvement ourselves. Here are just some of the things we've done this year (with much more coming down the road)!
Website Redesign
We've refreshed the look and feel of Nomad PHP to better emphasize the goal of Nomad PHP - to help developers build a habit of continuous learning and grow their careers. This includes numerous usability enhancements as well as a focus on our new book library, blogs, and certification in addition to virtual meetups, workshops, conferences, and on-demand videos.
Free Meetups
As technology has advanced, more and more meetups and usergroups are able to stream their local usergroup meetings.
As our goal has always been to make technology accessible, we are proud to provide free streaming technology for local user groups, and share local user group meetings on our live virtual meetup schedule.
Student and Professional subscribers will continue to have access to our monthly conference level Pro Talks, hands on virtual workshops, and live conference streams in addition to streams by local user groups.
As our mission has evolved from being the meetup for developers without a meetup group to building an inclusive community of PHP developers where you can network, grow your skills, and share your knowledge with others - we are excited to announce our new Free Tier.
To provide the best value, we've also restructured our plans to provide professional online meetings, workshops, and conference streaming to our Student Tier. This will allow students and new developers the chance to learn from the best speakers and top practioners and obtain entry level certifications at the best price possible.
However, with the addition of PHP Books and Magazines, and in order to provide the best value while keeping the Student plan affordable, new Student subscribers will not have access to the PHP Book and Magazine Library, or advanced certifications. These will now require a professional plan.
We're excited to announce that we have expanded our PHP library. In addition to the ability to read the latest issues of php[architect] magazine, Professional subscribers now have access to read PHP and web development books online.
We're excited to announce the availability of Chris Hartjes' bookThe Grumpy Programmer's Guide to Testing PHP Applications, as well as several titles from Notes for Professionals, andUndisturbed REST: a Guide to Designing the Perfect API.
More titles including exclusive titles will be made available for online reading soon.
We've received a lot of feedback on the blog writing process, and have upgraded several aspects of our blogging software. This includes the ability to save drafts prior to publishing, and the ability to upload, edit, and crop images and videos. We've also added some bug fixes for editing and writing code.
We're also excited to share that members with Student and Professional plans can now have their ownVLOG (video blog) with the ability to screencast/ record video from your webcam within the blog.
To see the most recent blog posts, or write your own, visit the Nomad PHP Blogs.
Certification Updates
We've updated our certifications for better usability and readability. We've also reworked some of the code samples and questions in our Level 1 PHP Certification exam.
You can find our available exams, test your skills, and obtain your Nomad PHP certification here.
Team Management
Our new team manager allows you to easily add or remove team members with your Nomad PHP team subscription. You'll also find real time metrics on how your team is using Nomad PHP, who on your team is investing in their growth and streaming meetups, watching videos, reading books, and earning certifications, and the overall content value consumed by your team.
The Team Manager is available to new teams, and will be made available to existing team managers over the next several weeks.
2020 Roadmap
There's still plenty of more great things coming in 2020. Here are the items at the top of our list:
* Mobile app for offline viewing
* Desktop app for offline viewing
* Nomad PHP member only books
* PHP Level 2 Certification
* Interactive tutorials
* Better video support in blogs
* Ability to schedule blog posts
* Meeting software for local usergroups
* Improved plan management for subscribers Of course, what's most important to us is what's most important to you. Leave what you want to see on Nomad PHP in the comments below and if we're able to we'll get it added to our roadmap!