Response times, availability, and stability are vital factors to bear in mind when creating and maintaining a web application. If you’re concerned about your web pages’ speed or want to make sure you’re in tip-top shape before starting or launching a project, here’s a few useful, free tools to help you create and sustain high-performance web applications.

I’ve tried to include a wide variety of tools that are easy to use, and have tried to keep them as OS and technology-independent as possible so that everyone can find a tool or two.

1. YSlow for Firebug

YSlow grades a website’s performance based on the best practices for high performance web sites on the Yahoo! Developer Network. Each rule is given a letter grade (A through F) stating how you rank on certain aspects of front-end performance. It’s a simple tool for finding things you can work on such as reducing the number of HTTP request a web page makes, and compressing external JavaScript and CSS files. A worthwhile read is the Ajax performance analysis post on IBM developerWorks that outlines practical ways of using YSlow in your web applications.

2. Firebug

Firebug is an essential browser-based web development tool for debugging, testing, and analyzing web pages. It has a powerful set of utilities to help you understand and dissect what’s going on. One of the many notable features is the Net (network�) tab where you can inspect HTML, CSS, XHR, JS components.

3. Fiddler 2

Fiddler 2 is a browser-based HTTP debugging tool that helps you analyze incoming and outgoing traffic. It’s highly customizable and has countless of reporting and debugging features. Be sure to read the “Fiddler PowerToy - Part 2: HTTP Performance� guide on the MSDN which discusses functional uses of Fiddler including how to improve “first-visit� performance (i.e. unprimed cache), analyzing HTTP response headers, creating custom flags for potential performance problems and more.

4. Cuzillion

Cuzillion is a cool tool to help you see how page components interact with each other. The goal here is to help you quickly rapidly check, test, and modify web pages before you finalize the structure. It can give you clues on potential trouble-spots or points of improvements. Cuzillion was created by Steve Saunders, the ex-Chief Performance at Yahoo!, a leading engineer for the development of Yahoo’s performance best practices, and creator of YSlow.

5. mon.itor.us

monitor.us is a free web-based service that grants you a suite of tools for monitoring performance, availability, and traffic statistics. You can establish your website’s response time and set up alerts for when a service becomes unavailable. You can also set-up weekly, automated benchmarks to see if changes you’ve made impact speed and performance either positively or negatively.

6. IBM Page Detailer

The IBM Page Detailer is a straightforward tool for letting you visualize web components as they’re being downloaded. It latches onto your browser, so all you have to do is navigate to the desired site with the IBM Page Detailer open. Clicking on a web page component opens a window with the relevant details associated with it. Whenever an event occurs (such as a script being executed), the tool opens a window with information about the processes.

7. Httperf

Httperf is an open-source tool for measuring HTTP server performance running on Linux. It’s an effective tool for benchmarking and creating workload simulations to see if you can handle high-level traffic and still maintain stability. You can also use it to figure out the maximum capacity of your server, gradually increasing the number of requests you make to test its threshold.

8. Pylot

Pylot is an open-source performance and scalability testing tool. It uses HTTP load tests so that you can plan, benchmark, analyze and tweak performance. Pylot requires that you have Python installed on the server - but you don’t need to know the language, you use XML to create your testing scenarios.

9. PushToTest TestMaker

PushToTest TestMaker is a free, open-source platform for testing scalability and performance of applications. It has an intuitive graphical user interface with visual reporting and analytical tools. It has a Resource Monitor feature to help you see CPU, memory, and network utilization during testing. The reporting features let you generate graphs or export data into a spreadsheet application for record-keeping or further statistics analysis.

10. Wbox HTTP testing tool

Wbox is a simple, free HTTP testing software released under the GPL (v2). It supports Linux, Windows, and MacOS X systems. It works by making sequential requests at desired intervals for stress-testing. It has an HTTP compression command so that you can analyze data about your server’s file compression. If you’ve just set up a virtual domain, Wbox HTTP testing tool also comes with a command for you to test if everything’s in order before deployment.

11. WebLOAD

WebLOAD is an open-source, professional grade stress/load testing suite for web applications. WebLOAD allows testers to perform scripts for load testing using JavaScript. It can gather live data for monitoring, recording, and analysis purposes, using client-side data to analyze performance. It’s not just a performance tool – it comes with authoring and debugging features built in.

12. DBMonster

DBMonster is an open-source application to help you tune database structures and table indexes, as well as conduct tests to determine performance under high database load. It’ll help you see how well your database/s will scale by using automated generation of test data. It supports many databases such as MySQL, PostgreSQL, Oracle, MSSQL and (probably) any database that supports the JDBC driver.

13. OctaGate SiteTimer

The OctaGate SiteTimer is a simple utility for determining the time it takes to download everything on a web page. It gives you a visualization of the duration of each state during the download process (initial request, connection, start of download, and end of download).

14. Web Page Analyzer

The Web Page Analyzer is an extremely simple, web-based test to help you gain information on web page performance. It gives you data about the total number of HTTP requests, total page weight, your objects’ sizes, and more. It tries to estimate the download time of your web page on different internet connections and it also enumerates each page object for you. At the end, it provides you with an analysis and recommendation of the web page tested – use your own judgment in interpreting the information.

15. Site-Perf.com

Site-Perf.com is a free web-based service that gives you information about your site’s loading speed. With Site-Perf.com’s tool, you get real-time capturing of data. It can help you spot bottlenecks, find page errors, gather server data, and more - all without having to install an application or register for an account.

More Tools and Related Resources

• Apache JMetera Java-based desktop application for performance testing Apache servers.
• The Grinderan open-source load testing framework that intends to make automated tests simpler.
• OpenWebLoad yet another excellent open-source load testing tool for web applications.
• “Optimizing Page Load Timeâ€�an article on improving page load time.
• “What the 80/20 Rule Tells Us about Reducing HTTP Requestsâ€�a blog post on the YUI blog explaining the precedence of front-end performance for optimal response times.

If you have a favorite web performance tool that wasn’t on the list, share it in the comments. Would also like to hear your experiences, tips, suggestions, and resources you use.

Courtesy: sixrevisions

Back in 1984, Apple was on top of the computing world with top-notch sexy hardware and it partnered with Microsoft for some top-notch [not so] sexy practical software. It was a winning combination for both Apple and Microsoft. Microsoft’s strategy in 1984 was hardware agnostic making its software available on any popular platform. Apple’s strategy in 1984 was holistic. We’ll call the period between 1984 and 2000, Round 1.

In Round 1, it turned out that Microsoft’s strategy was the clear-cut winner. By being hardware agnostic, hardware vendors competed with one-another to drive down the price of hardware much faster than anyone could have imagined. Clone prices fell so fast and so much lower than the price of a Macintosh that it simply became impractical to own a Mac. Software vendors also took note and quickly the non-Mac-PC became the standard. Apple nearly died.

2007 set off Round 2. This time around it’s in the cell phone business. Once again, Apple is on top of the Cell Phone game with top-notch sexy hardware and it has partnered with Google this time for some top-notch [not so] sexy practical software (think Google Maps, YouTube and other web-based Google Apps for the iPhone). Once again, it’s a winning partnership for both Apple and Google. And Once again, Google’s strategy is exactly the same to that of Microsoft in 1984: stay hardware agnostic. Apple’s strategy is also identical to its own strategy back in 1984: stay holistic. Round 2 has begun.

The similarities are eery. In 1984, while Microsoft was building the most popular application software on the Mac, it had begun a similar hardware-agnostic operating system (Windows) on its own. In 2007, while Google has some of the most popular application software on iPhone, it has begun a similar hardware agnostic Cell-Phone operating system (Android) on its own. Apple’s strategy has not changed a single bit. It refuses to license its operating system or any other technology while it continues to want more and more control over the entirety of the experience. The iPhone in 2007 has set off a brand new race much like the original Macintosh did in 1984. Interestingly, 24 years later, the strategies are still identical on both sides.

So will Round 2 end in the same way with Google’s Android prevailing due to exceptionally cheap phones that are sure to emerge using Android? Maybe not. There is one key difference between Round 1 & Round 2: Steve Jobs. Steve didn’t get to finish fighting the strategy that he helped establish for Apple in Round 1. He left Apple in 1985. So there’s no telling how things would have turned out. The fact that Apple lost round 1 may have taught everyone a lesson and it might falsely embolden Google to think Microsoft’s winning strategy was the better strategy. After all, Google’s chief, Eric Schmit, has been learning from (and losing to) Microsoft for 20+ years. Eric is now using Microsoft’s own strategy to successfully beat them. Google is the new Microsoft.

But this time around Steve is much smarter than he was in 1984. So smart in fact, that he’s resurrected Round 1 from the dead and may still pull off a win (the Mac is coming back). It’s possible that Steve & Apple’s holistic approach will still be the winning approach for Round 1, assuming you extend round 1 to at least 2015. But in Round 2 Apple’s chances are a lot better. Everybody is at the beginning of the race. There are no clear winners and just like in 1984, Apple has a major lead. It’ll be interesting to see what happens.

I’m curious to know your thoughts on:

• Who you think will win Round 2: will it be Google with its Android or Apple with its iPhone?
• Is Round 1 over in your view or will the Mac eventually beat out Windows-based PCs in market share?
• Is Microsoft even a player in Round 2? (I would never recommend a current Windows-Mobile phone to my worst enemy - so do they even stand a chance?)

Relational Database Design is one of the most powerful ways to ensure data integrity and a great way to kick-off any project. Very often the first thing developers do when starting a new project, or stub-project, is to design the database. This way the structure of the application is already in place and we just have to fill in the pieces with some server-side code. I’ve found when adding relational constraints to your database design you add in a very powerful error reporting tool that will let you know during the development process that you have allowed something to happen that shouldn’t have. In this article, I go through, step by step, showing how to set up a simple relational database and discuss the benefits that are enjoyed.

Let’s take a step back and describe what a relational database looks like. In any normal database design there are fields in one table that reference another table. For example, a books table might have a field labeled author_id which is meant to come from a table named authors. Creating hard-coded relations solidifies these associations and actually returns a MySQL error if violated.

As I hinted in the opening I have found this to be invaluable during the development and testing process as MySQL will immediately let me know that I have made a glaring error that otherwise may not have been noticed until after the service has launched. At that point the data could be irreparably corrupt and forced to start from scratch.

So let’s get right to it. For the purposes of this article, I’m going to pretend I’m creating a simple Books and Authors website with a simple 2-table setup. The first step is to create our tables.

CREATE TABLE `library`.`books` ( `id` INT UNSIGNED NOT NULL AUTO_INCREMENT , `name` VARCHAR( 150 ) NOT NULL , `author_id` INT UNSIGNED NOT NULL , PRIMARY KEY ( `id` ) , INDEX ( `author_id` ) ) ENGINE = InnoDB

CREATE TABLE `authors` ( `id` int(10) unsigned NOT NULL auto_increment, `name` varchar(50) collate utf8_bin NOT NULL, PRIMARY KEY (`id`) ) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_bin

Nothing too fancy here. Couple things to notice:

1. Each table MUST be using the InnoDB storage engine. InnoDB is currently the only main-stream storage engine offered by MySQL to support relational design. More on this in my article: MyISAM vs InnoDB
2. The `author_id` field in the `books` table MUST be indexed and the same datatype as the `id` field in `authors`.

The next step is to set up the relations. Open the `authors` table and take a look at the view. Under the table there should be a link titled ‘Relation View’ - Click it.

phpMyAdmin has a great gui for setting up relations and actions. If the `author_id` row below doesn’t look like mine, make sure you have it indexed.

Here, I’ve setup a link on the `books` table and the `author_id` field. This will enforce the fact that any value inserted in this field MUST be present in the `authors.id` table as well. But what about these other settings?

ON DELETE:

• CASCADE:
  • This means if an author is deleted from the authors table, all of his books will also be automatically deleted.
  • This option is great to keep your data clean and reduce the number of delete quieries required when deleting an author.
• SET NULL:
  • Instead of deleting the book record when an author is deleted, books.author_id is set to NULL, effectively orphaning the book.
  • This feature is great if you want to be able to keep the books and come back at a later time to reassign them. Otherwise, without this feature, the books would still be referencing an author_id that doesn’t exist.
  • Note: If you try to set this option and phpMyAdmin tells you to check your datatypes, make sure the field is allowing null values.
• NO ACTION:
  • When a delete query is issued on an author that has books, MySQL will not allow this and return a Foreign_Key Constraint error.
  • It could be nice to identify this and re-word it to let the user know that if they would like to delete this author they need to re-assign his books or delete them all-together.
  • Note: If you use this option please remember to re-word the MySQL error to something the user can easily understand.
• RESTRICT:
  • Same as NO ACTION
  • From MySQL Manual: Some database systems have deferred checks, and NO ACTION is a deferred check. In MySQL, foreign key constraints are checked immediately, so NO ACTION and RESTRICT are the same.

ON UPDATE:

• For the most part the options described above are going to act in the same manner they did for ON DELETE as they will with ON UPDATE. I’ll just run through some examples real quick.
• CASCADE:
  • If, for some reason, an author’s id gets updated than CASCADE will update all his corresponding books with the new value. Extremely handy.
• SET NULL
  • Same as CASCADE except instead of updating it with the new value, it will set it to null. I’m sure there is a perfectly good use for this but I haven’t run into it yet. If anyone can enlighten me please do
• NO ACTION / RESTRICT:
  • Same as ON DELETE, will throw an error if you try to update an author_id. I’m also having trouble finding a real-world example of when this could be useful

Once we have our simple relational database configured try to add a book with an author_id that doesn’t exist. MySQL should give you an error like this:

Cannot add or update a child row: a foreign key constraint fails (`library/books`, CONSTRAINT `books_ibfk_1` FOREIGN KEY (`author_id`) REFERENCES `authors` (`id`) ON DELETE CASCADE ON UPDATE CASCADE)

On Monday, November 12, 2007, Google released Android, a complete Linux based software stack aimed directly at the cell phone marketplace. I’ll let others talk about what it means for other players in the marketplace, the intricacies of GPL2 vs the Apache License, etc. This article dives straight into the heart of the SDK and API itself, summarizing some of the documentation provided by Google, then jumping into building an application using Android.

Android Emulator

(Click to enlarge)

So, what Is Android?

Android is a complete software stack for mobile devices such as cell phones, PDAs and high end MP3 players. The software stack is split into four layers:

• The application layer
• The application framework
• The libraries and runtime
• The kernel

Cell phone users obviously work with applications in the application layer. Android developers write those applications using the application framework. Unlike many embedded operating environments, Android applications are all equal — that is, the applications that come with the phone are no different than those that any developer writes. In fact, using the IntentFilter API, any application can handle any event that the user or system can generate. This sounds a bit scary at first, but Android has a well thought-out security model based on Unix file system permissions that assure applications have only those abilities that cell phone owner gave them at install time. The framework is supported by numerous open source libraries such as openssl, sqlite and libc. It is also supported by the Android core libraries — more on that in a second. At the bottom of the stack sits the Linux 2.6 kernel, providing the low level hardware interfaces that we all expect from a kernel. This is a Unix based system — that is, the Unix C APIs are available — but don’t expect to drop to a shell and start executing shell scripts with your old friends grep and awk. Most of the Unix utilities are simply not there. Instead Android supplies a well thought out API for writing applications — in Java using the Android core libraries.

That’s right, Android applications are almost exclusively written in Java. The Android core library is a big .jar file that is supported by the Dalvik Virtual Machine — a fast and efficient JVM work-alike that enables java-coded applications to work on the Android cell phone. This is similar to, but not the same as using Sun’s JVM directly.

Building your development environment

Google provides three versions of the SDK; one for Windows, one for Mac OSX (intel) and one for Linux (x86). They also provide two development environments — one is Eclipse based, and the other is a “roll your own.” The Eclipse based environment is quite feature-rich and should suffice for most developers. There is no reason that you can’t use both Eclipse and “roll your own.”

If you get stuck in eclipse (like I did), you may find yourself dropping to the command-line interfaces to see what’s really going on. However for this article, I’ll assume that you’re using the Eclipse IDE for your Android software development needs. Once you’ve downloaded the Android SDK, Eclipse and the Eclipse Plugin, you should work through the first few sections of Google’s install document (System and Software Requirements, Installing the SDK, Installing the Eclipse Plugin). I’d leave the rest of the document for later as it does get quite detailed quickly.

Read the Friendly Manual

Google has done a good job of writing a lot of documentation for Android. However, there isn’t a great way of knowing what’s important to read now vs. what can wait. Here are some links to documents that are important to understand what Android is and how to develop applications using it. If you read them in the order listed, then you’ll gain understanding more quickly as you read increasingly detailed documents. Note that a lot of the documentation is available both online and in the SDK_ROOT/docs/index.html directory on your machine. If you have a fast enough connection, I would suggest using the on-line versions since they will be more up to date.

Here’s the order in which I suggest you read the documentation:

• What is Android? Explains what Android is and gives a high-level overview of its features and architecture. Don’t dive into the links just yet — just get a feel for this overall document.
• Read the Anatomy of an Android Application page. This details the four building blocks of an Android app: Activity, Intent Receiver, Service and Content Provider. Again, don’t follow the links just yet — just get an overview of the architecture. You may want to reread sections on Activities and Intent Receivers — gaining an understanding of these concepts is critical to understanding how to build an Android application. If you don’t get it yet, you’ll see it again when you go through the Notepad Application Tutorial.
• Next read the Development Tools document. Again — just get a flavor, don’t dive into the detail yet.
• Read the Lifecycle of an Android Application page.
• Now, finally, it’s time to get your hands dirty. Work through the Hello Android page. Make sure you actually do it using Eclipse.

• Now go back and read the rest of the Installing the SDK document — the bottom half of it details some great debugging tips and features.
• Next, go through the Notepad Application Tutorial. This is where the rubber really meets the road. If you spend the time to go through this series of exercises and really understand the code, you will be well on your way to becoming an Android expert.
• Read the Developing Android Applications pages. This will take some time — these articles go into a lot of detail about several topics including how to implement the UI, data storage/retrieval and the security model.
• Finally, go back through this list and follow the links in the previous documents as topics interest you.

There’s a lot of documentation, but if flows together nicely, reflecting the architecture of the environment.

Dissecting the SDK

Whenever I download an SDK, I like to take a look at the files I’ve installed. Often, there is a wealth of information hidden in the SDK itself that is not readily visible from the documentation. So here’s what you’ll find in the Android SDK on a Windows machine:

• android.jar - The Android application framework. Unzipping this jar reveals the entire class structure and all of the supporting classes of the framework. Currently there is no source.
• docs - 100 megabytes worth of documentation, samples, etc.
• samples - Six different sample applications - ApiDemos, HelloActivity, LunarLander, NotePad, SkeletonApp and Snake
• tools - the various SDK binaries such as aapt, acp, and emulator live here.
  • lib - various templates and supporting jar files live in this directory
    • activityCreator - the activityCreator python application lives here.
    • images - The Linux file system images are found in this directory: ramdis.img, system.img and userdata.img. They are YAFFS2 file system images, so I couldn’t open them without additional kernel support on my Fedora system.
      • skins - supporting emulator graphics for HVGA and QVGA screens in both landscape and portrait format.

Exercising the SDK

Now that you have read the documentation and set up and debugged a simple project, it’s time to look at some real code. Since Google has provided us with several sample applications, the best place to begin is by examining them.

1. If you have not already done so, execute the first few sections of Google’s install document. Stop after you’ve installed the Eclipse plugin successfully.
2. Now work through the Hello Android page if you haven’t already. This will get you started working with Android applications and the debugger. Note that it’s probably a good idea to create a new workspace for your Android projects if you already use Eclipse.
3. Next we’re going to set up Eclipse projects for each of the sample applications. You can never have too much sample code. I’ll walk through setting up the Lunar Lander example and leave it as an exercise to the reader to set up the rest.
   1. Bring up the same Eclipse workspace that you used for the Hello Android, and close the project (Right click on the project in package explorer->Close Project).
   2. File->New->Android Project
   3. Project Name: LunarLander
   4. Click the “Create Project from existing source” radio button
   5. Browse to the samples/LunarLander directory in the SDK. If you find the right directory, the Properties fields will auto-fill with the correct information from the Package.
   6. Click Finish
   7. Bring up Eclipse’s Console window (Window->Show View->Console) if it’s not already visible in a tab at the bottom of the screen. It will show you the build process that Eclipse went through to create the application.
   8. Create a Run Configuration: Run->Open Run Dialog
   9. Highlight “Android Application” in the treeview to the left.
   10. Click the “New button”.
   11. Name: Lunar Lander
   12. Click the Browse button next to Project
   13. Double-click the LunarLander project and hit OK
   14. Click the down arrow for the Activity and choose the one and only Activity: com.google.android.lunarlander.LunarLander
   15. Click Apply
   16. Click Run
   17. Switch to the Emulator and play a few rounds of Lunar Lander. Kinda fun.

Repeat for the other applications in the samples directory. This exercise should only take a few minutes — besides, the Snake game is fun too! If you’ve taken the time to go through the Notepad Application Tutorial, then you’ll be familiar with the NotePad sample — however, the NotePad sample is fully developed and has features beyond the NotePad developed during the Tutorial.

A File System Explorer Application

Finally, we’ll use our new understanding of the Android to develop a simple file system explorer. The version in this article is pretty simple, but it can serve as a jumping-off point for a more serious application down the road.

Design

Before we start writing code, let’s think about what a reasonable file system browser should do. It should

• Phase I features
  • Show a list of files and directories
  • Allow the user to navigate through the directory structure by clicking on directories
  • Warn the user that he has clicked on a file
• Phase II features
  • Allow the user to display a dump of a file when it is clicked
  • Use a tree view instead of a simple list
  • Show a dialog box with the filesystem information (size, permissions, etc) when the user clicks on an icon next to each file
  • Give this application permissions to read any file on the file system
• Phase III features
  • Do all of phase II with pretty graphics, such as thumbnails, instead of boring dropdowns and list boxes
  • Execute applications that we understand, such as mp3 files

Process

This article will only cover Phase I of the project — but when we’re done, we’ll have a functional file system explorer in just a few dozen lines of code.

New Android Project
(Click to enlarge)
It works!

If you clicked above to follow the hands-on example, you found that in about twenty lines of Java, and a small amount of XML, you’ve created a useful little application that will allow you to explore the Android’s file system. For example, I found the ringtones in /system/media/audio/ringtones, as shown below.

Oooh, ringtones
(Click to enlarge)

As I mentioned in the design section, a lot can be done with this application, and we’ve hardly touched the surface of what you can do with the Android application environment. There’s three billion cell phones out there. I suspect Google will get their fair share of them, so start cranking out code!

Conclusion

Android is a well-engineered development environment. Writing an Eclipse plug-in was a smart move by Google — one that should be emulated by other SDK developers. Eclipse gives a developer and environment where he can really think about the business problem without worrying about the boring details. Adding the functionality of the plugin helps developers just sit down and start coding — without having to worry about all the ins and outs of configuration files and the like.

Dislikes

Android is brand new to the general developer’s world. As I write this, it’s Wednesday, and the SDK came out on Monday of this week. Since it’s brand new, there are some little problems that will have to be solved in the coming releases.

• Many more examples for the APIs.
• A more thorough explanation of what does and does not work under the emulator. My first example application was a simple MP3 player.
• Release the source code. This will make it a lot easier to debug Android applications, as well as write them in the style that the Google developers wrote them.

Likes

Theres a lot to like about Android:

• It’s by Google — so it has a company with some clout behind it.
• Application Developers write their code in Java. Since the learning curve for Java is much less than that of C/C++/ObjectiveC, there will be many many developers who are eager to start writing applications for Android.
• The SDK and API are well designed. There is some complexity there, and as I mentioned, the Documentation needs improvement — but a well designed system is easier to understand and learn, even without lots of great examples.

Every website has ‘em. Forms. Places for users to enter data into your website. Whether it be a search box, a “Contact Us� form, or variables in the website address, at some point in the flow of your script these suckers are going to touch your database. Oh, that’s no problem — We’ll just take what they type in and run a query in MySQL on it!

WHOA, there! Are you sure you want to do that? Any input from a user should be treated like a nuclear fuel rod. You can handle it, but you’ve got to make sure you do it right. You wouldn’t just pick it up with your bare hands, would you?

Why? Just what are MySQL Injection attacks anyway?

Lets say your database has a table inside called ‘tbl_Users’. Inside ‘tbl_Users’ are a list of your users, which all have usernames, passwords, first names, last names, addresses, etc. If these users are presented with a login box somewhere on your site, your php user verification query might be something like this:

SELECT * FROM `tbl_Users` WHERE `username`=’”.$_POST['username'].â€�‘ AND `password`=’â€�.md5($_POST['password']).â€�‘â€�The problem is that unscrupulous users (read: bad ones) could enter this into your form:

 

username: no_onepassword: ‘ OR ”=”Which would make your query look something like this:

SELECT * FROM `tbl_Users` WHERE `username`=’no_one’ AND `password`=” OR ”=”Which, if you read that correctly, would allow that user access to whatever it was you wanted hidden by logging them in. There are a multitude of other ways this can be dangerous, but this is by far the easiest example. Even more unscrupulous users (read: the real jackasses) could send in multiple queries including DELETE queries.

In which case, when you wake up the morning after the attack you are most likely to be heard saying:�Hey, where did all my users go?� 

Wow. Okay so I’ve got a friend… and his website isn’t secure. What can I do to help him out?

The good news is that with a few easy precautions, your “friend’s� website will be pretty secure against these types of attacks. I say pretty secure because there is no way to prevent every attack. We can only do our best to increase security to a point to take every realistic precaution to prevent these attacks.

#1: Escape your variables!

Using the php function ‘mysql_real_escape_string’ you can “escape� the single quote character from user input. This is probably the easiest method to prevent MySQL injection attacks. It works by adding a backslash (�\�) before each quote that the user enters into their input. So, to use our example from before:

username: hey’therebecomes

username: hey\’thereThis effectively stops MySQL injection in its tracks since it not only escapes the single quote (â€�‘â€�) character but also all other characters that the baddies can use to hijack your queries.

If you’ve got an array of data coming in, you can use this neat function that I found on the PHP mysql_real_escape_string page (code by “brian dot folts at gmail dot com�). It escapes all of the values in your array with ease.

To escape an array, use this function:

function mysql_real_escape_array($t){
return array_map(�mysql_real_escape_string�,$t);
}

Then you can call that function easily by passing your array to it:

$your_array = mysql_real_escape_array($your_array);

#2: Check the variable type of your input.

This is done by using the php functions “is_numeric()“, “is_string()“, “is_float()“, and “is_int()� to determine if the input the user is sending in is the same type that you were asking for. It’s not perfect, but if you were asking for a number and they sent in a word you know to discard it straight away and return an error thereby entirely avoiding any change of a MySQL injection attack.

#3: Always use proper MySQL syntax, including “`� and “‘� characters.

If your queries look something like this:

SELECT * FROM tbl_Users WHERE username=$value; Rewrite it so that it looks more like this:

$value = mysql_real_escape_string($value);mysql_query(SELECT * FROM `tbl_Users` WHERE `username`=’”.$value.”‘”); Proper MySQL syntax requires that all table and field names are surrounded by the reverse apostraphe (â€�`â€�) and values surrounded with single quotes / apostraphe (â€�‘â€�).

I hope this gives you a better indication of what you can do to help secure your websites. Keep in mind that this is in no way a complete list. Be ever vigilant in your efforts to prevent attacks of any kind on your code. Leave a comment or two if this helped you at all or if you have different suggestions on how to secure your code from injection attacks!