SQL Injection


As part of our assessment, our CMS system was required to be ‘hack proof’, meaning it had to be written in a way that made sure it was not susceptible to SQL injection. To work out how to make my CMS SQL-injection proof I first had to understand what a SQL injection actually involves. After googling a bunch of websites I have a basic understanding of how it works. The most helpful piece of information that I found was this infographic:

(infographic screenshots)

The website went on to say that SQL injection is a query that goes through an input field to the database: the text a user types is pasted straight into the SQL string, so it becomes part of the command the database runs rather than just a value. It can cause a lot of damage to your system, from deleting entire tables to storing a script tag in the database that is later rendered by the website and runs in the visitor’s browser (strictly that last step is cross-site scripting rather than SQL injection, but the two are often chained), either of which can break the database or the website.

The PHP manual defines SQL injection in much the same way; however, I found its wording easier to understand.

“Direct SQL Command Injection is a technique where an attacker creates or alters existing SQL commands to expose hidden data, or to override valuable ones, or even to execute dangerous system level commands on the database host.”

A common injection targets a query’s ‘id’ field. If you type a condition such as ‘1 OR 1=1’ into the input field instead of a plain number, the WHERE clause of the query becomes always true, so:

“the reply to the query will expose all IDs in the database, since the condition ‘1=1′ is always true” – Veracode
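To make the ‘1=1’ behaviour concrete, here is a small added example (my own code, not from the original post or the sites it cites). It uses Python’s built-in sqlite3 module as a stand-in for the PHP/MySQL stack the CMS actually uses, with a constructed three-row ‘pages’ table, and runs the same lookup twice: once with the input concatenated into the SQL string, and once with the input passed as a bound parameter, which is the same prepared-statement approach as mysqli’s bind_param.

```python
import sqlite3

# Constructed sample data: a tiny version of a CMS "pages" table.
SAMPLE_PAGES = [
    (1, "Home", "Welcome to the site"),
    (2, "About", "About us"),
    (3, "Admin notes", "Internal only"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)", SAMPLE_PAGES)
    return conn


def get_page_vulnerable(conn, page_id):
    """Builds the SQL by string concatenation (the injectable pattern).

    Whatever the user typed becomes part of the statement text, so an input of
    '1 OR 1=1' turns the WHERE clause into 'id = 1 OR 1=1', which is always true.
    """
    sql = "SELECT id, title FROM pages WHERE id = " + str(page_id)
    return conn.execute(sql).fetchall()


def get_page_safe(conn, page_id):
    """Prepared statement with a bound parameter (the hardened pattern).

    The SQL text is fixed; the input is handed to the database as a value and is
    never parsed as SQL, so '1 OR 1=1' is just a string that matches no id.
    """
    sql = "SELECT id, title FROM pages WHERE id = ?"
    return conn.execute(sql, (page_id,)).fetchall()


def demo():
    """Run both lookups with an honest id and with the always-true injection."""
    conn = make_db()
    honest = "2"            # what a normal form submission looks like
    hostile = "1 OR 1=1"    # the always-true condition described in the text
    return {
        "vulnerable_honest": get_page_vulnerable(conn, honest),
        "vulnerable_hostile": get_page_vulnerable(conn, hostile),
        "safe_honest": get_page_safe(conn, honest),
        "safe_hostile": get_page_safe(conn, hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable lookup with the hostile input returns every row in the table, which is exactly the ‘expose all IDs’ outcome Veracode describes; the parameterised lookup returns the single matching row for the honest input and nothing at all for the injection attempt. The fix is not filtering out the characters an attacker might type, it is never letting user input become part of the SQL text in the first place.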


        // jQuery: wait until the DOM is ready, then reload the page.
        $(document).ready(function() {
           location.reload(); // runs again on every load, so the reload never stops
        });

This function waits for the window to load and then reloads it as soon as the page has loaded, ultimately creating an infinite refresh loop that the visitor can’t do anything about. I found this out accidentally last year when I was trying to trigger a reload function to animate text at a certain point of the screen, so that it would write itself when you scrolled to a certain point of the page.


CMS Systems

To understand CMS systems and how they work I first had to understand what they are composed of. After looking at many different definitions and three class discussions I understood the concept of how they work and how they connect to a database. To my understanding a CMS is a restricted section of a website that allows a user to edit, delete or add pages that are stored in a database. This database can either be created on a local SQL server (localhost) or created from scratch and saved in a separate folder, with all of your files linked to it.

Assessment

For the first assessment this semester we were asked to create a CMS system that allowed the user to change the content, background colour and text colour. For this to work we had to connect the CMS to a database and ‘talk’ to it using SELECT, UPDATE and INSERT SQL queries.

When we were given this task I had no clue where to even start, so I did what any other person would do and googled it. After a bit of trial and error a YouTube tutorial was suggested that went through the whole process of adding, editing and deleting pages, which was wonderful and easy to follow along with. However, I found some of the methods he used to be either hard to follow or just not compatible with my computer software.

For example, he used `PDO::` when connecting his CMS to his database. For this code I would have needed to download multiple different applications for my computer to read it, so I had to think of another way for my database to link to my CMS. I did this with bind_param, binding and then executing all of my specific variables.

(screenshot)
From here I was able to connect to the database and display any information that was in it.

One thing I can criticise about this tutorial is that the way the developer organised his files was confusing. He separated his code into files that only communicated with the database and other files that displayed the information from the database. In itself that made sense, as it is easy to keep track of; however, the files were named the same in both folders, so it was sometimes hard to tell which one he was working on and which one he wasn’t, and I in turn got confused about which files I was working on. This was easily solved by changing the names of each file.

One of the main problems I experienced while creating the CMS came near the middle of the project, when nothing I typed in was working: there would always be an error and many variables kept being ‘already defined’. After some nitpicking and looking through each line I discovered that I had somehow managed to interlink every file I had to each other, which created an infinite loop around every file. To fix this I had to find out which files didn’t need to link back to each other and which files could hold the same information as the linked file so that I didn’t need to link them together.

After many problems and much trial and error I am proud to say that I managed to create a working CMS system that allows the user to change the content, background colour and text colour. Although the whole process of creating this CMS system was a challenge, it was rewarding at the end to see that it worked.


Working with Living Style Sheets

In class last week we were shown something called a ‘Living Style Sheet’, which I thought was really cool. It is basically a way to keep your style sheet information in one fluid document, without having to constantly scroll through a PowerPoint or PDF, while being able to see each specific CSS item rendered in real time with its code underneath, so that you always know what the CSS or HTML code for it is. This is not only helpful but a time saver, as you can give a client the link to the style guide and just update it from there instead of giving them many marginally different PDF documents.


In order to understand more about this ‘online style sheet’ I decided to google reviews of them to see what others thought, which was the best one to use, or whether I should make my own. The consensus was that GitHub was one of the better options (one of the many sites I went on was Wireframes Magazine). I tried looking through it and it seemed easy to use; I will be able to test it later this evening to better determine how easy it is to use.


KSS was another style guide template that I found, except I found it very confusing to use; I didn’t really understand what was going on or how it was supposed to work. Further down the page there were also examples of how to use KSS, which didn’t really clear anything up, but they did help me understand how the style guide template fits in with ‘my potential’ style guide, which was helpful.

Another blog I found, by Technology at GDS, talked about the style guide as being a front-end toolkit rather than a style guide, which I thought was a great way of explaining how it worked. The blog also went on to list the advantages and limitations of using a style guide built from a template versus one they created themselves. I found this interesting, as both had similar limitations but different advantages.

Overall I am looking forward to experimenting with this idea further and wrapping my head around it in order to create my own living style guide.
