1. Make a marketing Strategy

This should be the first thing you do. Even though you have all the info needed in your head, putting it on paper will give you many advantages and will definitely be worth the extra work. Not only will you be «forced» that way to think through important issues and possible challenges before they occur, but it can also be a lot easier for you to get the needed help from potential business partners or investors when you have a good business plan to show them. You need to know how you will find clients; you need a plan in place.

2. Plan your days ahead

Allow yourself an hour or so at the beginning of each work week, or the last hour of the previous week, to plan the upcoming week. Then it’ll be easier for you to plan how to spend your hours to meet your upcoming deadlines. The more ongoing projects you have, the more important this is.

3. Use free software and open source tools

Starting up as a freelancer can be challenging economically, and by choosing from all the good free software available you can save a lot of costs without necessarily having to give up a lot of functionality. Free doesn’t have to mean it’s not good software; there are more and more options available every day, so make sure you check out what can be used for your business.

Don’t try to pay for everything, but pay for the premium tools you would use daily. For example, when building websites, I never use free themes, I always go either for a quality premium WordPress theme or framework. But again, this expense doesn’t make sense to you if you are a graphic designer. If you are building websites regularly for your clients, it totally does make sense to become 10x more productive.

4. Create a good logo, website and social media pages

Looking professional and catching those potential clients in a tight market requires hard work when it comes to branding yourself. An eye-catching logo and a simple, informative website will look more professional and be easier to notice. The power of a good logo, and actually using it on business cards, websites and such, will give you that professional look which could be the extra inch needed to catch the attention of a new client.

Social Media is another important platform to market yourself to display your great jobs and abilities.

5. Learn to say NO!

If you don’t have the time for another client at the moment, it’s important to be able to realize it and say no. It is the fairest thing to yourself, your existing clients and the new ones that knock on your door. The worst case scenario is saying yes to too many and it having consequences for existing clients. You always want to make sure you have enough time to give your current clients the best service you can. One client too many could be the thing that lowers the quality of all your work.

6. Make a blog

In this Internet age that we are in, having a website of your own can mean a whole lot. Not only does it make you look more professional, but it is also a gateway to new clients. Many do surf the net to find people for their next projects, and if they can’t find you online they won’t know you’re there.

7. Update your website regularly

Do you already have a website or blog? – great! But to maximize its value to you it’s very important to update it regularly. If new clients visit your site and see that you haven’t updated the content for a very long time, that might just be the reason for them to choose someone else instead. Updating regularly will require an hour of your time every now and then but can pay back multiple times rewarding you with new clients.

8. Give some offers to your online visitors

Giving something extra to the visitors on your website always is a good thing. If you work as a designer you can for example consider putting up some free textures or buttons. This will give your site more visitors and potentially more clients for you. Or how about offering every visitor a percentage off on their first order with you? Again, this could be the extra thing needed to stand out to new clients.

9. Be active in social media

Social media is where many relationships are made these days. No matter which country you live in, using social media can connect you to potential clients and partners all over the world. Twitter is a must, and you should consider Facebook or Snapchat and also forums related to your business. If you are a designer, consider having a look at Behance and YouTube as well. On several of these platforms you can advertise your own business, as long as you make sure not to spam too much.

10. Get allies

Having allies can mean everything. Connecting with people through social media, or even spreading the word of your business through friends and family, can get you just the word of mouth you need. Building relationships with people who can do the things for clients that you can’t also helps: together you give clients a more complete package of what they need. One day you are the one sending a client to an ally who can offer a more suitable service in that case; the next day you could be the one having clients sent your way.

11. Save for rainy days

Even though your business may go really well, there can and probably will come a bad month or two every now and then. Being a freelancer means being vulnerable to changes in the market. My advice would be to save up a little bit of your income each month, in a separate savings account, so that you have it as a safety buffer for when times get rough. You sure won’t regret doing that. It would be a shame if a couple of small bills ruined everything for you in a bad month.

12. Be creative

There are many ways to be creative, to get new clients or to make better use of equipment and office space. Some examples: upgrade an existing computer if you can’t afford a new one, or redecorate a spare room if you can’t afford the rent for an office outside of your home. Add a new product or service to your current list, or ask friends or family if they know anyone that may be in need of your services. The options are many; all you need is to try to think a bit outside the box.

13. Reward loyal clients

If the market is tight you need to do what you can to get your customers back a second and third time. Being friendly and service minded is always a must, but what about giving them a discount the second time? Or sending them special offers of various kinds? Use your imagination and build these things into your business plan. Make customers want to come back and you will have the best possible chance to survive.

14. Treat every client as if he is the only one

Giving existing customers good offers as mentioned in the previous tip is important. But remember to be service minded. If a customer feels important that will make him more loyal as well. Use positive language when you talk or write to him. Don’t be afraid to say that you will go out of your way to make sure he is satisfied with the product/service he is getting. And remember to let him know that feedback is appreciated. That way you can keep making your services more and more attractive and get happier clients. Don’t forget that existing clients can be the best advertising you ever get!

15. Work when you are at work

If you have decided to work from, let’s say, 8am to 4pm every day, then do so. If you have errands to run, private mail accounts to check, private phone calls to make and so on, these will quickly eat into your much-needed work time. Make a promise to yourself to only do this when you are not supposed to work, as in before or after work or during your lunch break. It may not seem like much to you, but I’ve seen several great freelancers getting their days completely messed up because they were not good enough at managing their time properly.

16. Know when to start and stop

Just as important as actually working when you are at work, is starting when you should and stopping when you should. You may have to prepare yourself for working extra hours every now and then to keep your business alive, but it is very important that you have free time too. You need to recover and get your mind filled with other things or you will get burned out and ruin things for yourself. The more hours you work at once, the less productive you get. So remember to follow your own rules on when to start and stop the day at work.

17. Keep your finances tidy

Keeping your finances tidy probably sounds easy, and it can be – as long as you keep an eye on them regularly. No matter how small a business you are running you will run into trouble if you only spend time on billing and accounting once or twice a year. Set up dates for when you pay your bills, when you send out invoices to clients and to make monthly budgets. Not only will this make it easier for you throughout the whole year but you will be able to fix errors quicker, do adjustments if needed and so on.

18. Remember to relax

Relax, you say? Yes 😉 And by relaxing I mean that you need to take care of yourself. You may be freelancing using a computer or two, a camera or other tools, but the most important tool will always be yourself. Remember to continue to spend time on your hobbies, friends and family even if you have a busy work schedule.

19. Get out of the house occasionally (if you work from home)

If you have a home based office it’s important to get some fresh air. Book some of your meetings somewhere else, meet business partners for lunch, or spend an hour or two working from a library or coffee shop with your laptop if you can. The change of scenery may boost your energy level/creativity and give you a lot back.

20. Make an inspirational string

Rough days come and rough days go. Simple as it may sound, having something around you to remind you of why you are working this hard can be what you need to get some extra energy on that one difficult day. Make your own inspirational string! Take a piece of string or use a cork board/whiteboard, whichever you have available. Add a picture of your kids, of the vacation spot you are saving to go to, or maybe a car you hope to be able to buy. Add some of your favorite inspirational quotes or pictures, whatever inspires you really. And there you go, your own inspirational string! Taking a look at it when you are close to giving up or when a day is extra stressful can work wonders for you. You should give it a try 🙂

21. Be humble and honest

No one is born an expert or world champion. If things go well or you feel on top of things it can be easy to get a little bit too confident, which can be bad for your reputation and bad for the quality of your work. You should always aim to be humble, listen to your clients on what they want. Give them your professional opinion when needed but in the end it is the client that generates your paycheck. Also remember to willingly take advice from colleagues or others who have been in the market for a while.

22. Look professional, in every way possible

You have the logo, the website and so on and things are starting to look pretty good. Remember to also meet clients with respect, look presentable and be polite. Being your own boss doesn’t mean you can talk or act in any way and still keep your clients. Remember that.

23. Ask for feedback

Not only should you have comments enabled on your website but you should also ask your friends/family/allies for feedback on your work. And most important of all, after you have finished your project – ask the client what he thinks. Not only do you get a great chance to improve but the client also feels important. Getting someone else’s opinion is always good and this will help you to become even more successful.

24. Always carry a notebook around with you

Whether it is a normal notebook, your iPhone or any other digital form of “notebook”, you should carry it with you and remember to take notes. This is for many reasons. Not only can you unexpectedly run into a potential client or an existing one, but you may come up with valuable ideas when you are on the bus, on the plane or basically anywhere else. Several times I have had amazing ideas, not had a notebook, forgotten the ideas and seen them used somewhere else a year later.

25. Take the time you need!

This is so important, it can’t be mentioned enough. It is the same as with the tip about learning to say no. Once you have said yes to a project you need to make sure that you take the time needed to do the best you can. Handing over a project that is half done will not only give you a client who won’t come back, but it can give you a bad reputation. Your clients are your best references to show in the future, and no one wants a freelancer who leaves the work half-finished.


Branding – Incorporate memorable elements of your brand into your Web site, such as your logo and company color scheme. Make your logo prominent on your home page and put it on all subsequent pages to promote your brand.

Home page – Visitors should be able to tell immediately what your site is about. Any call to action such as “Buy Now” should be visually prominent on the page.

Navigation – Put some real thought into site layout, so customers can navigate it easily. Make sure all important sections are prominently listed. Link as many pages as you can into the main navigation bar, instead of having subpages from pages.

Content – If your primary business is offline, just present enough clear, concise information to get customers to call or email. If you sell your products or services online, provide complete information to give customers the confidence to click and buy. Don’t put too much content on any one page, as Internet readers don’t like to scroll down.

Refresh content – Changing content draws customers back. One easy way to renew your content without a lot of code changes is by starting a blog.

SEO – Always bear search engine optimization (SEO) in mind as you design. Photos and splashy graphics may look nice, but likely won’t be read by search engines. One fix: have a text link that says “View portfolio” instead of a graphical button. The text will be more easily read by search engines.

Colors – Use complementary colors that make your text easily readable. Clashing colors such as red text on a blue background make text too hard to read and turn off visitors.

Be accessible – Make sure your contact information or a prominent link to it is at the top or bottom of every page of your site.

Sound good – Music that starts playing automatically when your site loads is an automatic turnoff for many visitors. If you have sound, make sure it’s pleasant and easily disabled.

External links – Links that take visitors away from your site should always load in a new window. Make sure your site stays in front of the customer, even as you provide them with additional resources.


Reduce Page Loading Time With PHP

There is a nice technique to reduce the number of calls your browser has to make to the server. This covers every image, every CSS file and every JavaScript file included in the webpage. Each time one of these elements is loaded, the browser sends a request to the server, known as an HTTP request, which returns the requested object.

Each one of these uses up time on your page load, so to reduce page load time all you have to do is reduce the number of calls being made. But what if you want to organise your JavaScript files: jQuery file, general file, application file and page file? There could be up to 4 requests for the JavaScript of a single page.

It is possible in PHP to combine these JavaScript files together and trick the browser into thinking they are just one JavaScript file, therefore reducing the amount of calls being made to the server. This is done by reading the JavaScript with PHP then changing the header to JavaScript like the example below.

Create a PHP file, send the JavaScript content-type header first (headers must be sent before any output), then use the readfile function to bring in your JavaScript files; the browser will treat this page as JavaScript.

<?php
// The content-type header must be sent before readfile() writes any output.
header('Content-Type: text/javascript');
readfile('jquery.js');
readfile('general.js');
readfile('jquery-ui.js');
readfile('page.js');

This technique can be used for CSS files too. [thanks to paulund]
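The following is an added example, not code from the original post or from paulund: a small combiner that serves a fixed list of script files as one JavaScript response, adds an ETag so the browser can revalidate the bundle with one conditional request, and deliberately hard-codes the file list rather than reading it from the query string, so a visitor cannot ask the script to read and echo arbitrary files. The directory and file names are assumptions for illustration.

```php
<?php
// Added example, not code from the original post: serve a fixed list of
// script files as one JavaScript response with a cache validator.
// Directory and file names are assumptions for illustration.

// The list is hard-coded on purpose: building it from $_GET would let a
// visitor ask this script to read and echo arbitrary files on the server.
$baseDir = __DIR__ . '/js';
$files   = array('jquery.js', 'general.js', 'jquery-ui.js', 'page.js');

// Fail early if a file is missing instead of sending a half-built bundle
// that the browser would then fail to parse.
$mtimes = array();
foreach ($files as $name) {
    $path = $baseDir . '/' . $name;
    if (!is_file($path)) {
        http_response_code(500);
        exit('Missing script: ' . $name);
    }
    $mtimes[] = filemtime($path);
}

// An ETag built from the modification times lets the browser revalidate the
// whole bundle with one conditional request instead of downloading four files.
$etag = '"' . md5(implode(',', $mtimes)) . '"';
if (isset($_SERVER['HTTP_IF_NONE_MATCH']) && trim($_SERVER['HTTP_IF_NONE_MATCH']) === $etag) {
    http_response_code(304);
    exit;
}

// Headers must go out before readfile() writes anything to the body.
header('Content-Type: text/javascript; charset=utf-8');
header('ETag: ' . $etag);

foreach ($files as $name) {
    readfile($baseDir . '/' . $name);
    // A newline and semicolon between files so a script that ends without a
    // terminator cannot swallow the first statement of the next one.
    echo "\n;\n";
}
```

Point the page's script tag at this file instead of the four individual files; the separator between files is the only change to the served content.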

Are you a web designer or do you run a website? Good, because this article is for you. If you’re designing websites for a living or running your business online, there are 18 tips in this article that you should definitely read and remember.

You can have the best visual design skills on the planet, but if you build a website that works like crap and doesn’t allow the visitor to feel comfortable going from item to item and page to page, you are missing the very core of a good website design. So in today’s article I’m going to go over some of the dos and don’ts of usability on the web.

Do utilize a grid for your website structure

Before you get upset and start screaming that a grid is a box for creativity, I’m not saying to ensure your entire site is boxed in. What I do want you to understand though about a grid is that it helps structure your site and keep the eye flow going for your visitor, which is key. Once you’ve got the main structure down and it’s clean – create the funky stuff you do to go around it all and incorporate everything into a killer design, but don’t forget the grid.

Do Not forget your search form

A lot of people will go to your site and immediately look for a search box. It’s just instinctive I guess. So, if you don’t have one, guess what happens – they leave. They’re not going to feel comfortable on a site where they don’t feel in control. The ideal spot for a search bar is somewhere towards the top of the page on the right hand side as this is where users are used to it being displayed.

Do make your navigation easy to find & readable

If you’re designing a site and your navigation is supposed to take your visitor from point A to point B, why the hell would you place it in a weird spot or use images that do not generally showcase the type of links they are (ie: a house for the home page is ok, but a circle with a lightning bolt inside of it for services isn’t). Try keeping the navigation easy to read, right at the top of the site so the visitor can easily navigate through your site.

Do Not make your “contact” link in your navigation bar a mailto: link

A lot of people (myself included) will hover over a link and see what the bottom of our browser screen says before we click on it, especially the contact link since some people think it’s a bright idea to link this directly to your email address, causing an email program to open up. This is not a good UX practice. Create a contact page, put your email address on it and also add a contact form – your user will thank you – and will actually email you more often.

Do utilize UX Apps as much as possible for web tests

Keeping track of the various forms of data from your website is something you should definitely get a grasp on if you haven’t already. Google analytics is perfect for seeing where your visitors are coming from, what pages they’re going to and how long they’re on your site. A UX app like Crazy Egg is perfect for learning where your visitors are clicking and seeing what parts of your site are getting the most attention. You can also use a site like Feedback Army to test how users see and use your site. Learning these types of stats for your site can ensure you’re utilizing space as well as possible and making sure that you’ve got the important stuff where it needs to be.

Do Not flood your website’s sidebar with tons of widgets

O.K. We get that you’re running a blog and there are a million widgets you can use on it – but you don’t actually need to use them all. Think of it like a bedroom. If there’s clutter everywhere and it’s not clean, that special someone you brought home might not want to stay – so tidy up and keep things organized. Your readers don’t (in most cases) need to see your Google friends, MyBlogLog friends, FriendFeed friends and the various other social profiles you’re a part of, so leave them alone and stick to the things that matter most for the user experience on your site.

Do make sure that your website displays well on various browsers

We all know that IE6 is dead and no one is complaining about that, but do not forget that there are still a lot of users on IE7, IE8, Opera, Safari, Firefox, Chrome, etc. Just because your website looks good on one or two of them doesn’t mean the visitor using another browser will like that your site isn’t displaying properly. Take a couple of hours, dig into the code and make sure it all works across the various browsers.

Do Not make your visitor jump through hoops to fill out a form

Your contact form shouldn’t be a mile long and neither should a sign up form. Keep things simple. The chances that people will turn away when they’re faced with a 20 part sign up form are far greater than if they were staring at three simple questions (name, email, comments).

Do ensure your various pages are consistent in structure

Unless you’re a design blog and you’re structuring/designing every one of your posts different like (insert names here), you need to remember that people want familiarity when they’re viewing your site. If they feel like they’re somewhere different when they load a new page up, they’re going to click the back button – and fast.

Do Not forget a print stylesheet for those who want to print your content

This is especially true for blogs/content sites. If your reader wants to print off content (trust me, many still do, especially older visitors), you shouldn’t require them to print off your entire design, plus all of the comments and advertisements across the page. That’s unnecessary clutter. If you look at the print preview on this post about why better blogging equals better business for freelancers, you’ll see a clean page, black and white, no images, no comments, no sidebar. The content is what matters for printing, so make sure it stands out.

Do make sure your content is easy to scan and follow along with

In general, people have short attention spans. So, by utilizing section titles (h2, h3 or h4 tags) to split your article up, you allow the visitor to scan the article quickly and see if it’s something they’re looking to read and if they’ll be able to get anything out of it. When you’re writing your content, you should also be aware of the size of each paragraph as users will tend to get tired of scanning 20+ lines in a paragraph. Things are much easier to read when split up into 5-10 lines (at most).

Do Not cram more into a space than what can fit comfortably

Minimalism. We love it here at Spyre Studios and I know readers here do as well. That’s why this tip is so important to all of us – crowding things into a small space and not allowing the user’s eye to focus on the important stuff is counterproductive. Yes, you’ve got a ton of information above the fold, but why would you worry about the fold so much? Paddy Donnelly already debunked the life below 600px, so allow your design and content to breathe. Your users will thank you.

Do make sure to include breadcrumbs in your design

Breadcrumbs are useful in giving your visitor control over where they’re at and what they’re going to do next. If they’re on a sub page of your about page, your breadcrumbs will look something like this (Home > About > Sub Page Title). This tells the user exactly what page they’re on and how to go back various levels if they’d like to.

Do Not forget to utilize color and contrast to shift focus

If you use a heading and then a sub heading for sections of your site, try various shades of color to allow the visitor to notice the important stuff first (ie: #464646 for the title and #c1c1c1 for the subtitle). These shifts in color and contrast will dictate what your user sees next, ultimately bringing them into a space where you want them to be (a sign up page, a contact form, a subscription page, etc).

Do check for broken links and images

Checking for broken links and images in your older articles is great because you may have visitors coming to your page from a search engine and if there are broken links, they’re going to assume one of two things: 1. you’re an old site that isn’t being updated anymore or 2. you’re not keeping up to date on the value of your site, so they’re going to go elsewhere. If you’re a WordPress user, there’s a plugin that is amazing for this: Broken Link Checker. You can also head over to iwebtool and use their free broken link checker (5 requests per hour is the limit).

Do Not neglect your footer and the power it has

So, you’re on a website and you scroll through everything and get to the bottom of the page only to find a bland, single line of text telling you that there’s a copyright on the site. Boring. Why not spruce your footer up a bit and add some extra content into it like popular articles, a search box, a newsletter subscription, etc. If you’d like to find some ideas on how to design a killer footer for your site, you should check out Footer Fetish, not to be confused with the other foot fetish.

Do use wireframing in your design process

Drawing out wireframes for your site on paper (or in simple box shapes in Photoshop) can really help you visualize what’s the most important aspect of the page and how you can use it as a central focus point. By doing this, you’re also able to experiment with various layout options without having to break up a killer design you may have been creating already. For wireframe inspiration, I check out the I love Wireframes group on Flickr – it’s full of amazing wireframe drawings.

Do Not write for search engines – write for your readers

Last, but not least, is the tip that you should be writing for your readers, not search engines. Keyword stuffing may have worked in the past (and may still today), but if you have an actual reader come across your page, only to find the word “designer” 100 times in 3 paragraphs, what do you think the odds are that they’re going to hit their back button and never step (virtual) foot on your page again? Yeah, the odds of that happening are extremely high.

A tip I’ve heard before is to read your content out loud and if it doesn’t sound like a natural flowing conversation you’d normally have, rewrite it until it does. People will read your content and expect it to sound like something a real person would say, so make sure it does sound that way.

original Content from =>  http://spyrestudios.com/dos-and-donts-of-usability/

12 htaccess Tips

1. Redirect to a secure https connection

If you want to redirect your entire site to a secure https connection, use the following:

RewriteEngine On
# Only rewrite requests that did not arrive over HTTPS
RewriteCond %{HTTPS} !on
# R=301 sends a permanent redirect; L stops processing further rules
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Building traffic to your website is not an easy task. “If you build it, they will come” works only in movies; it does not work for your website. A well designed website is just the first step in your internet business venture. Driving traffic to your website takes knowledge, proper planning, time and great effort. I write this post believing that these tips will help you reach the right people to achieve online business success.

It is imperative to determine your online business objectives or goals before you plan the online strategy, and definitely before you even write the first line of code for your website. Know your objectives and build your website around them; it will ensure satisfaction at the end of the day.

Presenting your website message carefully is yet another important factor for any successful website. The visitors to your website need to know and understand your message instantly from the very first page, that is, your home page. If not, they will bounce to another website, most probably your competitor’s. Keep an eye on your website load time. The visitor to your site may not have time to wait until the first page of your website loads. Imagine your home page loading very slowly and the face of an impatient visitor. A satisfied visitor will definitely tell 100 friends about your website, while an unsatisfied visitor will tell 1000 people about your website.

Use your competitor’s site to the maximum and take advantage of it. They might have brainstormed 1000 ideas and stand strong as a competitor. Learn what they are doing, and ask yourself what you feel your website lacks. Visit your niche related sites and the sites that are listed on hot sites pages. In the coming posts I will discuss studying the competitor website from a search engine point of view. It is the key technique we use to make our clients stand strong in any competition. Look at the design of your competitor’s website and learn the do’s and don’ts of niche website marketing. See how the information is organized, the features provided, color, background etc.

Realize the potential of your domain name. The domain name plays an important role in internet marketing. Your internet domain is your exclusive web address, which you can purchase through several domain registrars. The domain name itself can add traffic to your website. There are certain points you need to remember when buying a domain name. We will discuss that in the coming posts. The above are some quick tips you need to revisit when you plan to create your online identity.


1. Unvalidated Parameters

Most importantly, turn off register_globals. This configuration setting defaults to off in PHP 4.2.0 and later. Access values from URLs, forms, and cookies through the superglobal arrays $_GET, $_POST, and $_COOKIE.

Before you use values from the superglobal arrays, validate them to make sure they don’t contain unexpected input. If you know what type of value you are expecting, make sure what you’ve got conforms to an expected format. For example, if you’re expecting a US ZIP Code, make sure your value is either five digits or five digits, a hyphen, and four more digits (ZIP+4). Often, regular expressions are the easiest way to validate data:

// Check that the parameter is present before matching, so a missing
// parameter is rejected rather than raising an undefined-index notice.
// The anchors ^ and $ ensure the whole value, not just part of it, matches.
if (isset($_GET['zip']) && preg_match('/^\d{5}(-\d{4})?$/', $_GET['zip'])) {
    $zip = $_GET['zip'];
} else {
    die('Invalid ZIP Code format.');
}

If you’re expecting to receive data in a cookie or a hidden form field that you’ve previously sent to a client, make sure it hasn’t been tampered with by sending a hash of the data and a secret word along with the data. Put the hash in a hidden form field (or in the cookie) along with the data. When you receive the data and the hash, re-hash the data and make sure the new hash matches the old one:

// sending the cookie
$secret_word = 'gargamel';
$id = 123745323;
$hash = md5($secret_word.$id);
setcookie('id',$id.'-'.$hash);

// receiving and verifying the cookie
// limit 2 so a value with more than one '-' cannot produce a PHP notice
list($cookie_id,$cookie_hash) = explode('-',$_COOKIE['id'].'-',3);
// strict comparison: '==' would treat two hex strings of the form
// '0e...' as equal numbers, which is not a hash match
if (md5($secret_word.$cookie_id) === $cookie_hash) {
    $id = $cookie_id;
} else {
    die('Invalid cookie.');
}

If a user has changed the ID value in the cookie, the hashes won’t match. The success of this method obviously depends on keeping $secret_word secret, so put it in a file that can’t be read by just anybody and change it periodically. (But remember, when you change it, old hashes that might be lying around in cookies will no longer be valid.)
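The same idea can be implemented with a keyed hash and a constant-time comparison, which removes two weaknesses of the snippet above: md5($secret_word.$id) is an unkeyed hash over a concatenation rather than a MAC, and a loose comparison of hash strings can misfire on values that PHP interprets as numbers. What follows is an added example, not code from the original article: it uses hash_hmac() and hash_equals() (both standard PHP functions), and the placeholder secret and the check() helper are assumptions for illustration.

```php
<?php
// Added example, not code from the original article: cookie integrity with
// HMAC-SHA256 and a constant-time comparison instead of md5($secret.$id) and ==.
// The secret below is a placeholder; load the real one from a file that only
// the web server user can read, outside the web root.
$secret_word = 'PLACEHOLDER-load-from-a-protected-file';

/** Build the cookie value "id-mac" for a numeric id. */
function sign_id($secret, $id) {
    $mac = hash_hmac('sha256', (string) $id, $secret);   // keyed, unlike md5($secret.$id)
    return $id . '-' . $mac;
}

/** Return the verified id, or null if the cookie is missing, malformed or tampered with. */
function verify_id($secret, $cookie_value) {
    if (!is_string($cookie_value)) {
        return null;
    }
    $parts = explode('-', $cookie_value, 2);               // the id never contains '-'
    if (count($parts) !== 2) {
        return null;
    }
    list($cookie_id, $cookie_mac) = $parts;
    if (!ctype_digit($cookie_id)) {                        // ids are expected to be numeric
        return null;
    }
    $expected = hash_hmac('sha256', $cookie_id, $secret);
    // hash_equals() takes the same time however early the strings differ,
    // so timing does not leak how much of the MAC was guessed right
    if (!hash_equals($expected, $cookie_mac)) {
        return null;
    }
    return (int) $cookie_id;
}

/** Tiny self-check helper (assumption for this example). */
function check($ok, $what) {
    if (!$ok) {
        throw new RuntimeException('self-check failed: ' . $what);
    }
}

$id = 123745323;

// sending the cookie, with the Secure and HttpOnly flags set
if (PHP_SAPI !== 'cli') {
    setcookie('id', sign_id($secret_word, $id), 0, '/', '', true, true);
}

// receiving: a genuine value verifies, a changed id or random junk does not
$good = sign_id($secret_word, $id);
check(verify_id($secret_word, $good) === $id, 'genuine cookie verifies');

$tampered = '999' . substr($good, strpos($good, '-'));    // same MAC, different id
check(verify_id($secret_word, $tampered) === null, 'tampered id is rejected');
check(verify_id($secret_word, 'garbage') === null, 'malformed cookie is rejected');
check(verify_id($secret_word, null) === null, 'missing cookie is rejected');

echo "cookie integrity checks passed\n";
```

Rotating the secret still invalidates every cookie already issued, exactly as the article notes for the md5 version.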

See Also:

  • PHP Manual: Using Register Globals
  • PHP Cookbook: Recipe 9.7 ("Securing PHP’s Form Processing"), Recipe 14.3 ("Verifying Data with Hashes")

2. Broken Access Control

Instead of rolling your own access control solution, use PEAR modules. Auth does cookie-based authentication for you and Auth_HTTP does browser-based authentication.

3. Broken Account and Session Management

Use PHP’s built-in session management functions for secure, standardized session management. However, be careful how your server is configured to store session information. For example, if session contents are stored as world-readable files in /tmp, then any user that logs into the server can see the contents of all the sessions. Store the sessions in a database or in a part of the file system that only trusted users can access.

To prevent network sniffers from scooping up session IDs, session-specific traffic should be sent over SSL. You don’t need to do anything special to PHP when you’re using an SSL connection, but you do need to specially configure your webserver.

See Also:

  • PHP Manual: Session handling functions
  • PHP Cookbook: Recipe 8.5 (“Using Session Tracking”), Recipe 8.6 (“Storing Sessions in a Database”)

4. Cross-Site Scripting (XSS) Flaws

Never display any information coming from outside your program without filtering it first. Filter variables before including them in hidden form fields, in query strings, or just plain page output.

PHP gives you plenty of tools to filter untrusted data:

  • htmlspecialchars() turns & > " < into their HTML-entity equivalents and can also convert single quotes by passing ENT_QUOTES as a second argument.
  • strtr() filters any characters you’d like. Pass strtr() an array of characters and their replacements. To change ( and ) into their entity equivalents, which is recommended to prevent XSS attacks, do:
    $safer = strtr($untrusted, array('(' => '&#40;', ')' => '&#41;'));
  • strip_tags() removes HTML and PHP tags from a string.
  • utf8_decode() converts a UTF-8 encoded string to single-byte ISO-8859-1 characters. Sometimes cross-site scripting attackers attempt to hide their attacks in Unicode encoding. You can use utf8_decode() to peel off that encoding.
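One escaper per output context, built from the tools listed above, as an added example rather than code from the article; the function names are hypothetical.

```php
<?php
// Added example, not the article's own code: the article lists the filtering
// functions; this shows which one to apply in which output context.
// Function names are hypothetical.

// HTML body text or a quoted attribute value: ENT_QUOTES also covers single
// quotes, and the strtr() pass entity-encodes parentheses as recommended above.
function esc_html(string $s): string {
    $s = htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    return strtr($s, array('(' => '&#40;', ')' => '&#41;'));
}

// A value placed into a URL query string: urlencode() handles the URL layer,
// then esc_html() because the URL itself sits inside an HTML attribute.
function esc_query_param(string $s): string {
    return esc_html(urlencode($s));
}

// constructed untrusted input: ordinary punctuation, enough to show each transform
$untrusted = 'Tom & Jerry <b>"hi"</b> (x)';

echo '<p>' . esc_html($untrusted) . "</p>\n";                                  // page output
echo '<input type="hidden" name="q" value="' . esc_html($untrusted) . '">' . "\n"; // hidden field
echo '<a href="/search.php?q=' . esc_query_param($untrusted) . '">search</a>' . "\n"; // query string
```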

5. Buffer Overflows

You can’t allocate memory at runtime in PHP and there are no pointers like in C, so your PHP code, however sloppy it may be, won’t have any buffer overflows. What you do have to watch out for, however, are buffer overflows in PHP itself (and its extensions). Subscribe to the php-announce mailing list to keep abreast of patches and new releases.

6. Command Injection Flaws

Cross-site scripting flaws happen when you display unfiltered, unescaped malicious content to a user’s browser. Command injection flaws happen when you pass unfiltered, unescaped malicious commands to an external process or database. To prevent command injection flaws, in addition to validating input, always escape user input before passing it to an external process or database.

If you’re passing user input to a shell (via a command like exec(), system(), or the backtick operator), first, ask yourself if you really need to. Most file operations can be performed with native PHP functions. If you absolutely, positively need to run an external program whose name or arguments come from untrusted input, escape program names with escapeshellcmd() and arguments with escapeshellarg().

Before executing an external program or opening an external file, you should also canonicalize its pathname with realpath(). This expands all symbolic links, translates . (current directory) and .. (parent directory), and removes duplicate directory separators. Once a pathname is canonicalized you can test it to make sure it meets certain criteria, like being beneath the web server document root or in a user’s home directory.
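A confinement check built on realpath(), followed by escapeshellarg() for the external call, added here as an example and not taken from the article; the function name and the temporary directories are hypothetical.

```php
<?php
// Added example, not the article's own code: canonicalize an untrusted
// filename with realpath(), confine it to a base directory, and pass it to
// an external program only through escapeshellarg(). Function name and
// temporary directories are hypothetical.

// Return the canonical path if it lies beneath $base, or null otherwise.
function confined_path(string $base, string $untrusted): ?string {
    $base_real = realpath($base);
    $target    = realpath($base . DIRECTORY_SEPARATOR . $untrusted);
    // realpath() returns false for a missing file or an unreadable component
    if ($base_real === false || $target === false) {
        return null;
    }
    // compare with a trailing separator so "/srv/www-old" is not taken for
    // something inside "/srv/www"; symlinks and ".." are already resolved here
    $prefix = rtrim($base_real, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// constructed sandbox: one file inside the base directory, one beside it
$base    = sys_get_temp_dir() . '/confine_demo_' . getmypid();
$outside = sys_get_temp_dir() . '/confine_outside_' . getmypid() . '.txt';
mkdir($base);
file_put_contents($base . '/report.txt', "line one\nline two\n");
file_put_contents($outside, "not yours\n");

foreach (array('report.txt', '../' . basename($outside), 'missing.txt') as $name) {
    $path = confined_path($base, $name);
    if ($path === null) {
        echo "rejected: $name\n";
        continue;
    }
    // the path is one argument to wc, never part of the command text
    $cmd = 'wc -l ' . escapeshellarg($path);
    echo $cmd . ' => ' . trim((string) shell_exec($cmd)) . "\n";
}

unlink($base . '/report.txt');
unlink($outside);
rmdir($base);
```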

If you’re passing user input to a SQL query, escape the input with addslashes() before putting it into the query. If you’re using MySQL, escape strings with mysql_real_escape_string() (or mysql_escape_string() for PHP versions before 4.3.0). If you’re using the PEAR DB database abstraction layer, you can use the DB::quote() method or use a query placeholder like ?, which automatically escapes the value that replaces the placeholder.

7. Error Handling Problems

If users (and attackers) can see the raw error messages returned from PHP, your database, or external programs, they can make educated guesses about how your system is organized and what software you use. These educated guesses make it easier for attackers to break into your system. Error messages shouldn’t contain any descriptive system information. Tell PHP to put error messages in your server’s error log instead of displaying them to a user with these configuration directives:

log_errors = On
display_errors = Off

8. Insecure Use of Cryptography

The mcrypt extension provides a standardized interface to many popular cryptographic algorithms. Use mcrypt instead of rolling your own encryption scheme. Also, be careful about where (if anywhere) you store encryption keys. The strongest algorithm in the world is pointless if an attacker can easily obtain a key for decryption. If you need to store keys at all, store them apart from encrypted data. Better yet, don’t store the keys and prompt users to enter them when something needs to be decrypted. (Of course, if you’re prompting a user over the web for sensitive information like an encryption key, that prompt and the user’s reply should be passed over SSL.)

9. Remote Administration Flaws

When possible, run remote administration tools over an SSL connection to prevent sniffing of passwords and content. If you’ve installed third-party software that has a remote administration component, change the default administrative user names and passwords. Change the default administrative URL as well, if possible. Running administrative tools on a different web server than the public web server that the administrative tool administrates can be a good idea as well.

10. Web and Application Server Misconfiguration

Keep on top of PHP patches and security problems by subscribing to the php-announce mailing list. Stay away from the automatic PHP source display handler (AddType application/x-httpd-php-source .phps), since it lets attackers look at your code. Of the two sample php.ini files distributed with PHP (php.ini-dist and php.ini-recommended), use php.ini-recommended as a base for your site configuration.