Monday, March 31, 2008

SEO Book Releases Rank Checker FireFox Plugin

SEO Book has released a FireFox plugin that will report rankings for any web site in the Google, Yahoo! and MSN Live search engines. Right off the bat I would suggest that Ask should be added, but that's just me. If Ask were added, it would then cover the four search engines I actually care about.

The author's purpose in creating this tool was not wanting his ranking checks aggregated by a third-party company every time he checks his rankings; plus, the close integration with the browser makes it easy to do.

I haven't used it yet, I am still a fan of WebCEO, but this does sound nice and easy, so I figured I'd share it with everybody.

You can watch the video below to see and understand more about this new plugin.

Sunday, March 30, 2008

Who Needs Search Engine Rankings?

That is one of the all time best lines I ever heard from a client.

This client was a partner in a successful internet business back in the mid 90's in a very niche business. She was constantly saying to me "this worked last time, it will work this time" and other equally nonsensical statements.

As hard as I tried to explain that the internet business place is different today, and as diplomatic as I made an effort to be, I just could not for the life of me get this client to admit it wasn't working.

The Internet today is a vastly different virtual world than it was in the 90's. There are exponentially more web sites out there, everybody and their dog has a store online, and organic search placement is more important than ever. Anybody will almost always find you by searching your business name or domain name, but how many people will do that? Only people that are already your customers.

To get new customers you have to be found by product names and descriptions, even other names the same product may be known by. It gets a lot trickier at that point, as this is where keyword analysis and market research come into play, as well as content development and keyword density for your search engine optimization strategy.

The most important thing anyone can know in the business of the internet is that what was true yesterday may not be true today, and what is true today may not be tomorrow. It's an ever changing virtual world. Grow with it.

Thursday, March 27, 2008

Using Inline SQL or Stored Procedures

This seems to be an area of debate among some developers, especially scripting language developers, such as ASP, PHP or that sort of language.

Whenever possible (which is most of the time) I prefer stored procedures for a number of reasons, highest on the list is security and performance. As much as I hate splitting tiers of logic, SQL and scripting logic are two areas that are very different and can be split logically. All your queries do is return recordsets of data, the code is the business logic behind what to do with that data. It seems like a logical split.

Stored procs bring with them additional security, due to the fact at the beginning of each proc you define each variable being passed to it, and the datatype of the variable, which provides additional security against SQL injection attempts and other such threats.

The stored procs are also already a compiled part of the database, they perform much quicker then inline SQL in terms of execution time to return the resulting recordset. In many small queries this improvement may not even be very visible, but when you get into large queries, joining multiple tables and returning large recordsets, the time improvement can become quite substantial.

About the only thing inline SQL has going for it is ease of maintenance. The SQL sits right there in your code in a single tier of logic, both SQL and business logic can be edited in one place and one single piece of code pushed out to get the job done. This is a weighty argument for the developer that is only concerned about their own experience. But for those concerned with the big picture, that being security of your site, user experience and server load, to me, the award goes to stored procedures with little or no debate at all.

Wednesday, March 26, 2008

The Importance of "Team"

I've been in many different roles over the years, from a one-man show to a part of a larger team. Both have their pros and cons and both have things to get used to.

A team of developers can be a great thing, not because you can get more done with more people, but because of the built-in support system that is possible with the right dynamics between the team members.

One thing to avoid is becoming too totalitarian about how things should go. Everybody has viable ideas about how to run things; everybody should be an even-level player on a level playing field until the day comes that one is appointed a "lead" or "manager" of a team.

The benefit of a team with good dynamics: if you have a problem with something, there is somebody to talk to. I have found that simply having someone to talk to helps, even if they don't talk. I have taken another developer into a conference room with a white board and explained the problem I was having; they'd sit and listen, and oftentimes, while explaining it, I talk myself into the answer without them saying anything, just sitting there listening. Team members likewise have done that to me, pulling me in and explaining stuff to me while they sort it out.

Of course, other times the listener will speak, have a completely unclouded, unfrustrated view of the problem and come up with a quick solution, or at least thoughts that get you thinking in the right direction to find the solution.

It's a hugely powerful aspect of team. Learn to use it.

Thursday, March 20, 2008

Higher Education or No?

My wife and I have serious differences of opinion on this subject, and it was a subject of discussion on my talk radio station this morning. It got me thinking about IT work and college educations.

I started doing web work as a hobby/interest before classes were widely available, and degrees or certificates were not even a thought in educators' minds. Fast forward over a decade, I am doing pretty well for myself as a self-taught web programmer/designer/marketer. There is one good reason for this: I started at the entry level in a couple of companies and learned a lot from some great mentors. While doing so, I was making money.

That being said, the commonly believed route of learning is going to college, spending a ton of money (and it's more each year) and learning the same things.

So, the conundrum between my wife and me is that I believe you are better off earning while you are learning in the real world, whereas she believes in spending to learn from books and lectures.

In my self-taught world, I have occasionally stumbled across a hole or two in my knowledge base, simply because something came up I had never encountered before, and perhaps a college course would have taught me that, but it hasn't been often.

If you are considering college for an IT career, step back and look at what entry level jobs are available in your area and evaluate the potential learning that could come from them, while you are making money. In addition, know this: through my career and many, many interviews, I have only been asked about my formal education once, and that was because the job was at a college.

Wednesday, March 19, 2008

The Fuzzy Gray Line Between Good Design and SEO

I got into an interesting bit of banter on a forum today that sparked the need for a blog posting. The topic at hand in the discussion started when one person said "SEO is a myth" and I immediately said "sorry, you're wrong!" and an interesting conversation ensued.

As it turns out, we were actually arguing the same point, but coming from different angles. His point was that SEO firms are unnecessary because well designed web sites don't need them; my point was that SEO is necessary because too many design firms only desire to make web sites look good with little to no concern about how usable or search engine friendly they are.

The conclusion I have come to is that yes, 90% of SEO comes along with "good design" (good in my opinion), but the sad fact is that many designers are only concerned with making some amazing visual impact, and really don't concern themselves with the overall success of the web site. That is what creates the need for SEO firms to come in after the fact.

In my experience, many large companies have had a long-standing relationship with design firms that have long done their brochures, posters, mass mailings, magazine ads and the like. When this new-fangled internet thing came along many design firms saw it as a logical area in which to grow their design business, but many never got around to researching and understanding the differences between the mediums. Therefore, those same design firms still concentrate on appearance over all else.

Thankfully, as the internet matures, this is changing. There are more and more full service firms that, when designing a web site, understand usability and SEO. I, for one, always have multiple facets of a web site in mind when it comes to designing. How it looks is surely a valuable consideration, obviously, but the visitor experience and its search engine friendliness have to be a part of the design plans.

My conclusion to this debate is that SEO is in fact part of good design; when you have design that does not consider SEO, you then have a need for an SEO firm, and a need to find a new designer.

Using Proper Code for the Job

Too many times I walk into a new job and their main complaint is performance problems with their web site. Often, when a web site is new and has relatively low traffic, poor coding practices and structure don't really have much impact on the visitor experience. But as the database grows, visitors increase and the server and site are put under greater demand, performance issues start to make a difference. Little things like which control structures to use in a given situation, how to manage database connections, and record set handling start to show whether the code was good or bad.

This isn't a matter of the platform/language wars; many people concentrate too much on that level of thought. The real battle is using whatever the chosen platform/language is to its fullest.

No matter what the platform is, don't be opening and closing database connections inside each function with each query. The connection is the most expensive part of the process: open your connection, do all the work you have to do and close the connection. Don't nest queries if a larger, better written SQL statement can get everything at once.

Don't use a long series of "if" statements if you know only one "if" will match; use a switch/case, or at the very least one if with a few else if/else's tossed in to make sure processing stops once the match is found. If you run one long series of "if" statements and the first one matches, the code is going to check the rest anyway; if you use an if/else if/else type of structure, once the match is found it will exit that structure and move on, saving execution time.

Do not over think and over code a project. This is my pet peeve with WYSIWYG editors, as they typically, though not always, generate bloated, large code that, if written by hand by a knowledgeable coder, can be smaller and quicker.

Common AdSense eBook Released

I have recently changed the web site at http://www.common-adsense.com/ to sell it as an eBook. I have so much information there, and had so much more to add, that rather than maintain it as a static web site, I decided to put all my knowledge and experience into this Common AdSense eBook.

The book is over 30 pages long at this time and is selling for an introductory price of $15. It has instructions for all of Google AdSense's tools, tips and tricks for design and placement of ads, and strategies for what sizes and shapes to use where. Beyond that, rather than just saying what to do, I explain why it works, provided I know myself why it does.

The tactics I cover in this Common AdSense eBook have caused my CTR, and therefore my revenue, to triple, and in some cases quadruple, by simply making a few subtle, or sometimes not so subtle, changes in my advertisement strategies.

I will, over time, be expanding this Common AdSense eBook to include more and more info, design template ideas and much more, but it will also then sell for much more. This first version of the Common AdSense eBook is the previous web site, with a few new topics added, that has done the most good for me, what comes next will be smaller, fine tuning ideas, and likely not have the sweeping impact that the information in this first version will have.

Monday, March 17, 2008

The Power of Indexes in Your Database Tables

Most anybody that has worked with a database understands that almost every table has a "primary key" that acts as an address at which to find a given record. It's a unique identifier of a specific record that makes it quick and easy to find it. It's called an "index".

What many newbies to databases don't understand, or at least fully appreciate, is that there is another type of index that can be used across multiple fields on a single table. These indexes are used on fields that are queried or compared in "where" clauses a lot. Many databases use "foreign keys", which are a combination of an index and a constraint. Being a MySQL guy, foreign keys are not something I use a lot, but indexes I do.

An index is essentially a record of shortcuts to records with specific values. It's a database structure that allows quick lookup in one column, or many columns, of a database table. While I am by no means a SQL guru of any sort, my basic rule of thumb is that I index two types of columns: one, the primary key, which is typically indexed by default upon being declared a primary key; secondly, columns that are frequently used in "where" clauses or "on" clauses in joins. A well designed database will typically have such columns as integer fields, though sometimes character fields are used as well.

For example, say you have a table with news articles in it, categorized into categories that are listed in a different table. The best practice would be to index the "category_id" field in the articles table to make quicker work of the "WHERE category_id ='#'" query, which would undoubtedly be very common. It is assured that article_id on the articles table and category_id on the categories table are indexed as primary keys, so the category_id field in the articles table, the field that relates the two tables, should be indexed as well.

Integer fields query much faster than the character fields, so, whenever possible, do your queries against integer fields. They also create smaller and faster indexes. Syntax to add an index is usually something along the lines of:

CREATE INDEX index_name ON table_name (column_name)
Varying slightly from database type to database type. Check syntax for your specific database.

I have had this simple formula speed up database queries substantially at times, I mean very substantially. Especially in the case of large queries joining several tables that are very large. Smaller tables do not necessarily improve that much, as queries are quick on small tables anyway.

Try it, if you have performance problems on your web site, and tables are getting large, look into setting up some indexes and watch the difference.
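To make the indexing advice above concrete, here is an added example (not code from the original post) that builds the articles/categories schema from the post in an in-memory SQLite database, runs the common "everything in one category" query, and reads SQLite's EXPLAIN QUERY PLAN output before and after adding the index on category_id. The schema, the sample rows and the index name idx_articles_category are constructed for this example; the CREATE INDEX statement is the same form the post shows.

```python
import sqlite3

# Constructed sample schema modelled on the articles/categories example above.
SCHEMA = """
CREATE TABLE categories (
    category_id INTEGER PRIMARY KEY,
    name        TEXT NOT NULL
);
CREATE TABLE articles (
    article_id  INTEGER PRIMARY KEY,
    category_id INTEGER NOT NULL,
    title       TEXT NOT NULL
);
"""

# The common query: every article in one category, joined to its category row.
# category_id appears in both the ON clause and the WHERE clause.
QUERY = """
SELECT articles.article_id, articles.title, categories.name
FROM articles
JOIN categories ON categories.category_id = articles.category_id
WHERE articles.category_id = ?
"""

# Hypothetical index name chosen for this example.
INDEX_NAME = "idx_articles_category"


def build_db(rows=5000):
    """Create an in-memory database with 10 categories and `rows` articles."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO categories VALUES (?, ?)",
                     [(i, "category %d" % i) for i in range(1, 11)])
    # Articles are spread evenly over the 10 categories.
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)",
                     [(i, i % 10 + 1, "article %d" % i) for i in range(1, rows + 1)])
    conn.commit()
    return conn


def add_index(conn):
    """The one-line fix from the post: index the column used in WHERE and ON."""
    conn.execute("CREATE INDEX %s ON articles (category_id)" % INDEX_NAME)
    conn.commit()


def query_plan(conn, category_id=3):
    """Return SQLite's EXPLAIN QUERY PLAN output for QUERY as one string.

    Before the index exists the plan scans the whole articles table; after
    add_index() it reports a SEARCH using the index instead.
    """
    rows = conn.execute("EXPLAIN QUERY PLAN " + QUERY, (category_id,)).fetchall()
    return "\n".join(row[-1] for row in rows)


def articles_in_category(conn, category_id=3):
    """Run QUERY with a bound parameter and return the matching rows."""
    return conn.execute(QUERY, (category_id,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("plan before index:\n" + query_plan(db))
    add_index(db)
    print("plan after index:\n" + query_plan(db))
    print(len(articles_in_category(db)), "articles in category 3")
```

Run it and compare the two plans: the second one names the index, which is the quickest way to confirm that a new index is actually being used by the query you created it for, rather than guessing from timings on a small table.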

Google Officially Acquires DoubleClick

According to Google's Official Blog, they have finally completed the acquisition of DoubleClick. Time will tell if this proves to be a good thing or a bad thing. At face value it can't be a bad thing, as Google faces many challenges with their current AdWords/AdSense advertisement system. However, I am not sure DoubleClick is really the answer.

It seems to me that one troubled system purchasing a second troubled system isn't the answer to much; however, as much as I like AdSense, and as much potential as I see in the system, I sincerely hope it is an answer.

From what I have seen and known of the two, they have different challenges, so together maybe they can help each other, hopefully empower the ad publishers a little bit more as to what appears on their sites and have the reliability of Google's ad servers. I have known some DoubleClick users that say their systems were unreliable for high traffic sites, but their publishing tools were very cool.

So we could have a good system come from it, or be stuck with a hodge-podge of two ailing ones.

Wait and see and hope for the best.

Saturday, March 15, 2008

Google Quietly Releases the Ad Review Center to Publishers

I can't say that I know how long this feature has been available, though there is this AdSense blog post from December, and I really don't care much. What I am curious about is why Google didn't have a lot of publicity around its release, since it's something publishers would love.

The Ad Review Center, in my mind is somewhat incomplete, but not bad. You can review and allow or block ads that are targeted specifically to your placement-targeted ad spaces. The incomplete part is that it can't show all ads that show on your site, by keyword or direct targeting, though I can see a few bigger challenges in that.

You can set to auto approve, or manually approve ads. If in manual approval you have 24 hours to block them, or they are considered approved.

Interesting, and very cool, release from the Google AdSense ad publishing system. New or old, I still find it very cool.

Get great AdSense tips and tricks to get the most from the AdSense ads from my eBook Common AdSense, as well as other great bonuses.

Google AdSense Basics

There seems to be a plethora of people out there that simply don't get even the most basic concepts of Google AdSense. I am going to take this opportunity to explain it in caveman terms.

First, AdSense is a web based advertising system, which means, in order to use it, and thereby make money from it, you need to have a web site. AdSense does not allow the publisher to put ads on web sites that are not theirs, in emails, or other such ways, only on web sites owned by the publisher.

Secondly, your web site needs to be established, have a decent amount of content and traffic, and be updated frequently, adding more content all the time. While it appears that Google will in fact approve most anything that isn't illegal or pornographic, you will not make money if you don't have traffic. That is a plain and simple fact of any advertising system. A magazine or newspaper with a small distribution doesn't make much selling ads, and neither does a web site.

After you apply, get approved and are ready to roll, you need to log in to your AdSense account to start creating ads. When you log in, your first page is a report on the current day's activity, which on your first login will be empty, or all zeros. You need to click on the "AdSense Setup" tab to start getting ads.

In there you will find many different types of ads, AdSense for Content being the most popular, which creates the typical ads one sees on web sites. You can choose any type; the process is the same. You select the type of ad you want and fill in some form fields with the right info about the ad, such as size, colors, etc. When you submit the form, it will display some JavaScript code to you. You highlight and copy [Ctrl + C] that code to your clipboard, then paste [Ctrl + V] the code into your web site wherever you want the ad to appear. Since AdSense switched to a new code type it takes up to 10 minutes or so for the ads to actually appear.

I recommend, before running any ads, going to the "Channels" section, flipping to "URL Channels", and then adding the URL for each web site you plan on running ads on. This will automatically report each web site separately. You can also use custom channels to further slice up reports within web sites, but URL channels are a good start if you are going to run multiple web sites.

The content of the ads is controlled by Google's context analysis system. The AdSense bot will visit your web site, scan your pages, determine what each is about and show ads accordingly. You can use "Section Targeting" to show the bot which sections of the page you want targeted, to further pinpoint your content. It sometimes takes a couple of days for the bot to get to your site, so for the first few days the ads may not be relevant, or may be public service ads (PSA), which are charity ads that pay nothing.

This should be a decent intro to getting AdSense up and running on your site. Visit Common-Adsense for the eBook with more detailed information.

Data Cleansing With Regular Expressions

I will start off by saying I am absolutely, positively, by no means at all a guru, or even of intermediate capabilities when it comes to regular expressions. What I do know is this, regular expressions are an incredibly powerful, and relatively simple (depending on your definition of the word) way of validating strings of data for basic formatting and contents.

However, it's one of those things that I don't use enough to get very fluent with, so it winds up to be something I have to relearn every time I need to use it. With that said, over the years I have acquired a little bit of knowledge, and a decent little library of some regular expressions I use on a regular basis.

For a deeper understanding of regular expressions, otherwise known as RegEx, a great resource is regular-expressions.info, it's where I go for refreshers when I need to figure out something new. You can, through this little library of samples I will give you, learn a basic understanding of the language at a very high level, and I will explain them a little bit as I go.

Basics

For starters, ^ and $ are "beginning" and "end". They indicate what the string must start and end with for the regular expression to match. What is inside of the { and } is the range of the number of characters allowed for the preceding chunk of code.

Validating Integers

^\d{1,10}$
The first item after the start "^" is \d, which represents a digit. That is followed by {1,10}, which means from 1 to 10 characters are allowed, and all must be digits. It ends with the $. That tells the RegEx that between the beginning and the end there can only be from 1 to 10 digits. Anything else, and the regular expression match test fails.

Word Characters
^[\w-\.]{1,100}$
Again, with the ^ and $ this RegEx indicates it is testing the entire string. I use this one for text-based querystring validation. The [ and ] mean that all the rules within those brackets apply. Within those brackets is a \w, which means "word characters", that is, numbers, letters and _. I also add the - and the period; however the period means something else in RegEx, so, as in many languages, it must be escaped, and \. represents the period. The net result is allowing numbers, letters, _, - and the period to pass the RegEx test. It allows between 1 and 100 of those allowed characters. (Long for a querystring, I know; it's just there for example's sake.)

Dates
^(\d{1,2})(\/|-)(\d{1,2})(\/|-)(\d{2}|\d{4})$
This will validate mm/dd/yyyy or mm-dd-yyyy; it will not check whether it is an actual date, just that it follows the formatting. Each chunk of code to be examined is in parentheses, matching from beginning to end. The first piece, (\d{1,2}), allows from one to 2 digits; the next, (\/|-), allows either / or - (the / is escaped by using \/); then another 1 to 2 digit check, then another / or - check, then a 2 or 4 digit check. A pretty simple but cool example of RegEx.

Email
^[\w-\.]+@([\w-]+\.)+[\w-]{2,6}$
There are MUCH more complicated email validation expressions out there, but this one is simple and easy to explain. Looking at it in pieces, it makes sense. Before the @ it accepts word characters with the \w as well as a - and period; then an @ sign; then more word characters, then a period, repeated one or more times; followed by 2 to 6 characters as the top level domain extension on the end.

These are simple RegEx examples to give you an idea of how they work; they are simple, but they work great for basic validation of input and format.
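The four patterns above, wired into validation functions as an added example (my code, not the author's library). It goes a little beyond the post in three places that matter in practice: the hyphen is placed last inside each character class so every engine reads it as a literal "-" rather than a possible range; the ASCII flag is set so \w means only letters, digits and underscore, as the post describes, rather than any Unicode letter; and the match is anchored with fullmatch(), because in Python (as in several other engines) a trailing $ still matches before a final newline, so "123\n" would otherwise pass the integer test. An is_real_date() helper adds the calendar check the post says the date pattern does not do; treating a two-digit year as 20xx is an assumption of this example.

```python
import re
from datetime import date

# The four patterns from the post. The hyphen sits last in each character
# class so it is always a literal "-". re.ASCII keeps \w to [A-Za-z0-9_].
PATTERNS = {
    "integer": re.compile(r"^\d{1,10}$", re.ASCII),
    "word":    re.compile(r"^[\w.-]{1,100}$", re.ASCII),
    "date":    re.compile(r"^(\d{1,2})(/|-)(\d{1,2})(/|-)(\d{2}|\d{4})$", re.ASCII),
    "email":   re.compile(r"^[\w.-]+@([\w-]+\.)+[\w-]{2,6}$", re.ASCII),
}


def matches(kind, value):
    """True only when the entire string matches the named pattern.

    fullmatch() is used instead of match() so that a trailing newline,
    which "$" alone would tolerate, causes the check to fail.
    """
    return PATTERNS[kind].fullmatch(value) is not None


def matches_loosely(kind, value):
    """The same test with match(): shown only to expose the trailing-newline gap."""
    return PATTERNS[kind].match(value) is not None


def is_real_date(value):
    """Format check from the post, then a calendar check on the captured groups."""
    m = PATTERNS["date"].fullmatch(value)
    if m is None:
        return False
    month, _, day, _, year = m.groups()
    year = int(year)
    if year < 100:
        year += 2000  # assumption for this example: two-digit years are 20xx
    try:
        date(year, int(month), int(day))
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs, one good and one bad per pattern.
    samples = [
        ("integer", "1234567890"), ("integer", "12a"),
        ("word", "hello_world-1.0"), ("word", "hello world"),
        ("date", "03/15/2008"), ("date", "03/15/20089"),
        ("email", "a.b-c@example.co.uk"), ("email", "bad@@x.com"),
    ]
    for kind, value in samples:
        print("%-8s %-22r %s" % (kind, value, matches(kind, value)))
    print("13/45/2008 looks like a date:", matches("date", "13/45/2008"))
    print("13/45/2008 is a real date:   ", is_real_date("13/45/2008"))
```

Note that "13/45/2008" passes the format check exactly as the post says it would; only is_real_date() rejects it. If you port these patterns to another engine, keep the hyphen-last placement and check how that engine treats $ before a final newline.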

Friday, March 14, 2008

Writing Safe SQL Queries

It's been a trend for me over the last while to base posts around security issues. Writing secure SQL is really more reliant on the input sanitizing processes (I have posted more details for Classic ASP and PHP input sanitizing) before the SQL is ever executed, as well as the type of database you are working with and the configuration of the server itself. However, your SQL itself can make a difference as well.

This will by no means be a complete guide to SQL security, but I will cover some basic concepts and hopefully scare you into caring about security. If you have never had a site hacked you are likely in the "what are the chances" school of thought. If you have been hacked, well, your emphasis on the importance of this subject will grow exponentially.

SQL Injection

One of the most common threats in this regard is SQL Injection. SQL Injection is simply the act of finding user input, such as querystrings or form values, that are not sanitized before being executed, and inserting a SQL command within a hard coded SQL command.

Look at this harmless little query...

SELECT fieldlist FROM table WHERE field = '[somevalue]'

If the input that [somevalue] comes from (say a form field) isn't validated and cleansed it could easily become...

SELECT fieldlist FROM table WHERE field = 'whatever' OR 'x'='x'

...and return records from the database...

Or, even more damaging:

SELECT fieldlist FROM table WHERE field = 'whatever'; DROP TABLE table

...and drop your whole database table.

The hacker could in theory update, insert, drop or truncate your database. Perhaps get a list of all your tables, then start looking through tables.

This is precisely why data cleansing is so important. To know what you are getting is what you are expecting, and in the case of free-form text, you escape the dangerous characters.

Stored Procedures

If the database you are using allows stored procedures, these can help as well. Stored procedures have each bit of data being given to it declared by datatype, and if some data does not match that datatype it errors out and won't process. This is a good additional level of security, as well as a performance booster.

Tips and Tricks

The habits I have gotten into to tweak code and make it a bit safer are minimal, but effective. Whether the field is character, integer or date, I always surround values with a single tick ('); even though integers don't need it, it does delimit the value area to make a subtle break in the SQL that could thwart a couple of amateur SQL Injection attempts.

Secondly, whenever possible, which is often, I really, really try to keep WHERE clauses to comparing on integers, as they are very, very easy to validate and cleanse. Short of that, when it has to be a character query, such as a password, you can do things like use an encryption that will assure the string has no spaces and is only alphanumeric characters. This, like integers, makes it quite easy to cleanse for malicious attacks.
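As an added example for this post (my code, not the author's), here is the "harmless little query" from the SQL Injection section built two ways against a constructed in-memory SQLite table: once by pasting the value into the SQL text, which is what turns the post's OR 'x'='x input into a query that returns every row, and once with a bound parameter, which keeps the value as data so the same input matches nothing. It also implements the post's integer rule of thumb with a strict regex check before the value goes anywhere near the query. The users table and its rows are sample data made up for this example.

```python
import re
import sqlite3


def build_db():
    """Constructed sample table standing in for the post's 'table' and 'field'."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT, secret TEXT);
        INSERT INTO users VALUES (1, 'alice', 'alice-secret');
        INSERT INTO users VALUES (2, 'bob', 'bob-secret');
    """)
    return conn


def lookup_inline(conn, username):
    """The '[somevalue]' pattern from the post: the value becomes part of the SQL text.

    With the post's input  whatever' OR 'x'='x  the WHERE clause is always true.
    (sqlite3's execute() refuses a second ';'-separated statement, so the
    DROP TABLE form from the post is blocked here, but not by every driver.)
    """
    sql = "SELECT username FROM users WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(sql).fetchall()]


def lookup_parameterized(conn, username):
    """Same query with a bound parameter: the value is never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,)).fetchall()]


def clean_int(value, max_len=10):
    """The post's rule of thumb: compare on integers, validated before use.

    A strict whole-string digit check rejects anything that is not 1..max_len
    digits, including signs, spaces, exponent notation and SQL fragments.
    """
    s = str(value)
    if re.fullmatch(r"\d{1,%d}" % max_len, s) is None:
        raise ValueError("invalid integer input")
    return int(s)


def lookup_by_id(conn, raw_id):
    """Validate the id as an integer, then bind it as a parameter."""
    uid = clean_int(raw_id)
    sql = "SELECT username FROM users WHERE user_id = ?"
    return [row[0] for row in conn.execute(sql, (uid,)).fetchall()]


if __name__ == "__main__":
    db = build_db()
    payload = "whatever' OR 'x'='x"          # the input shown in the post
    print("inline       :", lookup_inline(db, payload))
    print("parameterized:", lookup_parameterized(db, payload))
    print("by id        :", lookup_by_id(db, "2"))
    try:
        lookup_by_id(db, "2 OR 1=1")
    except ValueError as err:
        print("by id        : rejected,", err)
```

The two lookups show why the post's advice to validate first and escape free-form text matters: the inline version returns both users for the post's input, while the bound-parameter version returns none. Validation (clean_int) and parameter binding are complementary: the first guarantees the value is what you expect, the second guarantees that whatever it is, the database treats it as a value.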

Thursday, March 13, 2008

Hiding Your Ads From Yourself

I see so many people concerned about even looking at their own web site for fear of ticking off an advertising system by running up impressions, or, more realistically, the fear of accidentally clicking their own ads.

On very small web sites that are new and have low traffic, and quite honestly really have no business trying to generate ad revenue yet, the web site creator often generates as many impressions as, or more than, actual visitors, or at the very least a large percentage. This seriously skews your report stats, as you can't click your own ads, so your click through rate (CTR) goes down substantially.

I have found a way that works for me to hide ads from myself, yet still retain layout as though the ads were there.

Almost all my web sites run on one of the two content management systems (CMS) that I have developed for myself. These systems, one of which is quite large and sophisticated, and the other of which is quite small for little project sites, have a mechanism built in to "log me in" as an admin, so I have access to content management tools to create new pages and manage existing pages. When I log in, like most CMS's, I set a cookie, session variable or the like to identify myself as an administrator.

This is the friendly bit of data I use to hide ads from myself.

What I do, in the code, most of mine being PHP based, is check to see if that cookie or session exists. If it does exist, I show an image that is the same size as, or maybe even a screen capture of, a sample ad, which shows instead of the real ad. By doing this I prevent adding false impressions, and accidental clicks, which keeps my reports as accurate as possible.

On larger sites your own visits will not skew the reports as much as your own visits dilute in a much larger pool of traffic. In a smaller site though this can make a dramatic difference. Also, displaying the fake ad or properly sized image means your page will still format the same so you are still getting an accurate preview of your site when browsing it.

This method is best done using server-side code, such as ASP, PHP, .Net or the like, rather than client side JavaScript. Using client side code would violate the terms of service of some systems that have a policy against altering the method of delivery, which is quite common in contextually sensitive advertising such as Google AdSense and the clones of it.

Input Validation for Security in PHP

In an effort of fair play, I will extend my post regarding input validation in Classic ASP and now post the same concepts and how to apply it to PHP.

For many of the same reasons, PHP is best served by cleansing user-supplied input upon receiving it. Like Classic ASP, PHP doesn't really have explicit data types on variables; for this reason, it's nice to have a function to ship input through to make sure it is what you expect it to be, and to sanitize it for inclusion in a database, email message or web display.

Via querystrings or submitted form data a user can inject malicious code used to hack your database, XSS script or obtain high level permissions on the server or the directory structure.

The function I rely on for PHP is much simpler than my ASP functions due to the fact PHP has some built in functions that are pretty handy, and this function certainly can be expanded on to encompass the additional datatypes that my ASP functions do.

function clean_input($value, $type, $length)
{
    // Test for "nothing supplied" explicitly: empty() would also treat the
    // legitimate value "0" as empty.
    if ($value === null || $value === "") {
        $rtn_value = "";
    } elseif ($type == "int" && is_numeric($value) && strlen($value) <= $length) {
        // Note: is_numeric() also accepts floats and exponent notation such as "1e3".
        $rtn_value = $value;
    } elseif ($type == "str" && strlen($value) <= $length) {
        // Escape quotes and other special characters for a MySQL query;
        // this needs an open MySQL connection.
        $rtn_value = mysql_real_escape_string($value);
    } else {
        die("Can not process this request, invalid input data.");
    }
    return $rtn_value;
}

This function supports fewer datatypes, though it could, I just haven't had the need as yet to expand this function as I have had to for a couple of ASP projects. The very same regular expression concepts can be used in PHP with the eregi() function, as well as other regex functions PHP has.

Thanks to the mysql_real_escape_string() PHP function, it is incredibly easy to properly escape possibly malicious code before inserting the data into the database.

Wednesday, March 12, 2008

Aptana Free Web Development Platform

I have, over the last few weeks/months, moved toward supporting more open source freeware for my development choices. Not only for an economic reason, but also to simply see if I could. I have developed happily for many years with the shareware/freeware application NoteTab, which has served me well for many uses, but, unfortunately, has been far too slow to develop further over the last couple of years.

I have also over the years used Dreamweaver, my first version being version 1.2 and currently having version 8 (CS2). Since Macromedia has been swallowed up by Adobe, I have been less excited about the application because I have minimal faith in Adobe to create applications with the same usability as Macromedia did.

Over the last few weeks I started working with Aptana, a freely usable development platform targeted at the web, and most specifically at AJAX development. Aptana is, or appears to be, built on the Eclipse environment, though I have found it much quicker and easier to get up and running with Aptana. Like Dreamweaver, it has coding, FTP, file synchronization and more built right in, along with an integrated AJAX server.

As I stated in an earlier post, I am not the complete AJAX evangelist, so I haven't gotten to look at the AJAX server much yet, but I have been coding and managing web sites in Aptana, and I must say, at this point, I am very impressed. It has good code management, sample code, plugins for different platforms and much more. The synchronization features are slow, but pretty cool and the environment itself is customizable to fit the needs of how you develop.

Aptana does phone home for its updates, and I have had trouble getting them to install on my system, but really that's the only issue I have encountered. After you set up your project, including the local directory, the web root on your hosting server and the FTP information, it works a lot like Dreamweaver or similar products. PHP and Ruby on Rails support come as plugins, as do Adobe AIR and iPhone development. It comes bundled with a load of popular AJAX libraries and Firefox JavaScript debugging tools.

The "Professional" version, which costs $100 comes with full support, IE JavaScript debugging tools, FTPS, SFTP, JSON editor, access to new features, a vote on new features and more. All stuff which I personally do not need...but if you do need it, $100 may be well worth the expense.

For those of you tired of spending hundreds on a platform to develop on, try out Aptana.

Input Validation for Security in Classic ASP

In Classic ASP, as anyone who uses it knows, every variable is a Variant, and everything that arrives through Request.QueryString or Request.Form is a string. You need functions like CInt(), CDate() and the like to cast a value to a different data type. This makes validating user input for security reasons a bit tricky.

When accepting user input, whether via querystring or form field, one needs to verify it as acceptable and expected input in order to prevent malicious attacks such as SQL Injection, XSS and that sort of thing. I discussed this in general terms a while ago.

I have written a small function that takes some parameters to verify the input as valid and acceptable. The function takes three parameters, the input itself, the datatype that it is supposed to be, and the maximum character length the input should be allowed to be.

Valid data types are "email", "integer", "date", "string" and "text". The first three are obvious, the last two are slight differences. The "string" I use to validate text-based querystrings, allowing only letters, numbers, _, - and . whereas "text" is any free-form text form field type content.

Function cleanseData(dataInput, dataType, dataLength)
    Dim regex, validInput, RegExpObj, RegExpChk
    regex = ""
    validInput = "1"
    If dataType = "string" And Len(dataInput) > 0 Then
        ' letters, digits, _ - and . only, up to dataLength characters
        regex = "^[\w\-\.]{1," & dataLength & "}$"
    ElseIf dataType = "email" And Len(dataInput) > 0 Then
        regex = "^[\w\-\.]+@([\w\-]+\.)+[\w\-]{2,6}$"
    ElseIf dataType = "integer" And Len(dataInput) > 0 Then
        regex = "^\d{1," & dataLength & "}$"
    ElseIf dataType = "date" And Len(dataInput) > 0 Then
        If Not IsDate(dataInput) Then validInput = "0"
    ElseIf dataType = "text" And Len(dataInput) > 0 Then
        If Len(dataInput) > dataLength Then validInput = "0"
    ElseIf Len(dataInput) > 0 Then
        ' an unknown dataType must never pass through unvalidated
        validInput = "0"
    End If
    If Len(regex) > 0 And Len(dataInput) > 0 Then
        Set RegExpObj = New RegExp
        RegExpObj.Pattern = regex
        RegExpObj.IgnoreCase = True
        RegExpChk = RegExpObj.Test(dataInput)
        If Not RegExpChk Then validInput = "0"
        Set RegExpObj = Nothing
    End If
    If validInput = "1" And Len(dataInput) > 0 Then
        cleanseData = specialCharacterEncoding(dataInput)
    ElseIf Len(dataInput) = 0 Then
        cleanseData = ""
    Else
        Response.Write "processing halted"
        Response.End
    End If
End Function


You may see at the end of the function that another function is called. It encodes characters that are meaningful in HTML (and a few that show up in SQL) as HTML entities. Be clear about what that buys you: it is output encoding, and it stops the value from being interpreted as markup when it is written back into a page. It does not by itself make a SQL query safe; a value dropped unquoted into a WHERE clause can still change the query using nothing but digits, spaces and SQL keywords, none of which this function touches. Use parameterized queries (an ADO Command with Parameters) for the database, and keep this encoding for the HTML.

Function specialCharacterEncoding(encodeData)
    ' & must be encoded first so the entities added below are not encoded again
    encodeData = Replace(encodeData, "&", "&amp;")
    encodeData = Replace(encodeData, "'", "&#39;")
    encodeData = Replace(encodeData, """", "&quot;")
    encodeData = Replace(encodeData, ">", "&gt;")
    encodeData = Replace(encodeData, "<", "&lt;")
    encodeData = Replace(encodeData, ")", "&#41;")
    encodeData = Replace(encodeData, "(", "&#40;")
    encodeData = Replace(encodeData, "]", "&#93;")
    encodeData = Replace(encodeData, "[", "&#91;")
    encodeData = Replace(encodeData, "}", "&#125;")
    encodeData = Replace(encodeData, "{", "&#123;")
    encodeData = Replace(encodeData, "--", "&#45;&#45;")
    encodeData = Replace(encodeData, "=", "&#61;")
    specialCharacterEncoding = encodeData
End Function


Used together, these functions validate the shape of your input and encode it for display, which covers the XSS side and keeps your web site running happily. For SQL injection, pair them with parameterized queries rather than relying on the encoding alone.
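The PHP clean_input() function earlier on this page and the cleanseData()/specialCharacterEncoding() pair above both try to make a value safe once, at input. The added example below is not code from either post; it shows the split a security reviewer would ask for instead: validate shape and length on input, then protect each sink in the way that sink needs (a prepared statement for the database, entity encoding for the page, outright rejection for mail headers). It is PHP 7+, uses PDO with an in-memory SQLite database so it runs offline, and the table, column names and sample payloads are all constructed for the demo.

```php
<?php
// Added example, not code from either post: validate on input, then protect each
// sink the way that sink needs. Table, columns and sample payloads are constructed.

// 1. Validation: only the expected shape and length get through. Returns null on
//    failure so the caller decides what to do, instead of die() inside the helper.
function validate_input($value, string $type, int $maxLength): ?string
{
    if (!is_string($value) || strlen($value) > $maxLength) {
        return null;
    }
    switch ($type) {
        case 'int':
            // is_numeric() would also accept "1.5", "1e3" and leading whitespace
            return preg_match('/^-?\d+$/', $value) ? $value : null;
        case 'token':
            // letters, digits, _ - and . only (the "string" type of the ASP function)
            return preg_match('/^[\w.-]+$/', $value) ? $value : null;
        case 'email':
            return filter_var($value, FILTER_VALIDATE_EMAIL) !== false ? $value : null;
        case 'text':
            // free-form text: only the length limit applies here; encoding is the sink's job
            return $value;
    }
    return null; // an unknown type is a programming error, never a pass
}

// 2. SQL sink: a prepared statement sends the value separately from the query text,
//    so neither escaping nor entity encoding is needed for the database, and the
//    stored value is exactly what the user typed.
function save_comment(PDO $db, string $name, string $body): int
{
    $stmt = $db->prepare('INSERT INTO comments (name, body) VALUES (:name, :body)');
    $stmt->execute([':name' => $name, ':body' => $body]);
    return (int) $db->lastInsertId();
}

function load_comment(PDO $db, int $id): array
{
    $stmt = $db->prepare('SELECT name, body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? [] : $row;
}

// 3. HTML sink: encode at the moment the raw stored value is written into a page.
function render_comment(array $row): string
{
    $name = htmlspecialchars($row['name'] ?? '', ENT_QUOTES, 'UTF-8');
    $body = htmlspecialchars($row['body'] ?? '', ENT_QUOTES, 'UTF-8');
    return "<p><b>$name</b>: $body</p>";
}

// 4. Mail header sink: a CR or LF inside a header value lets the sender append
//    headers of their own (extra recipients, for instance). Reject, do not encode.
function mail_header_value(string $value): ?string
{
    return preg_match('/[\r\n]/', $value) ? null : $value;
}

// Demo with a constructed in-memory database and textbook payloads.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, name TEXT, body TEXT)');

$name = validate_input("O'Brien); DROP TABLE comments;--", 'text', 60);
$body = validate_input('<script>alert(1)</script>', 'text', 500);
$id   = save_comment($db, $name, $body);           // the table survives; the quote and -- are just data
echo render_comment(load_comment($db, $id)), "\n"; // the script tag is written out as harmless text

var_dump(validate_input('1e3', 'int', 10));        // rejected, although is_numeric('1e3') is true
var_dump(validate_input('42', 'int', 10));         // accepted
var_dump(mail_header_value("Bob\r\nBcc: everyone@example.com")); // rejected
```

The point of the split is that the same stored value can be written into a page, a mail body or another query later, and each of those places applies its own encoding to the raw value; encoding once at input, as both posts do, leaves you with data that is wrong for every sink except the one you had in mind.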

Tuesday, March 11, 2008

Handling Database Connections and Recordsets In Classic ASP...or any other Scripting Language

In my continuing saga of best-practices posts brought on by things I see in my latest contract, I got to thinking about database connections and, as I mentioned yesterday, recordset handling. Due to the current contract, it centers around Classic ASP.

I am seeing in this application a very bad (in my opinion) practice. Within each function that hits the database they open and close a connection: pass some info to a function, open a DB connection, get the info you need, close it, and pass the needed info back to the calling code.

Now, I have no formal programming education, and no formal IT education, I only draw on my decade+ years of development experience to say this is a bad idea.

The single most expensive thing a page does is talk to the database. Constantly opening and closing connections and firing off small queries uses a lot of resources (OLE DB connection pooling softens the cost of reopening, but every round trip to the server still costs). In a language like PHP one generally doesn't have to think about the connection: you open it, and when the script reaches the end it is closed for you. With Classic ASP this is not so; you need to explicitly close the connection.

That being said, the best course of action, as my experience has shown me is to open a connection to the database before HTML headers have even been sent, do all your queries, concatenate all your data into variables, then close the connection. At that point, send your HTML headers, HTML code, and populate the code with your variables of data where necessary.

Some more technical guru type people may argue with this for one reason or another, but to me this is the most efficient use of resources: open the database connection once, do all your recordset handling (hopefully with GetRows()) and build all the arrays, code and variables as necessary, then close the connection as soon as possible, freeing up all associated resources. From there you enter the presentation layer of the code, running in pure ASP with no database interactivity at all.

Using this same methodology in any scripting language you can benefit from the performance gains as well. While in PHP you don't need to close database connections explicitly, you most certainly can, and in some very high traffic situations, I have had to as well.

At the end of the day, it's not the platform you are using, the same technical details in the background remain constant. The quicker you open and close connections, and the fewer you have, the better.

Submitted for your consideration and reading pleasure.

Happy coding.

Monday, March 10, 2008

Looking Back at Classic ASP Recordset Handling

My most recent consulting gig is doing some Classic ASP development for a large company on an eLearning system. I will spare you, and them, my arguments of the merit of simply recoding to a .Net platform rather than a massive development effort further burying the application in a dead, unsupported language and just get on with the post.

This application, while not yet having any serious performance issues, does stand the chance of having them in the future, as the development that is being done will increase the usage and likelihood of some very large tables being generated over time. So I went into the job with performance in mind and plan to execute assuming there will be massive datasets and large tables to contend with.

Their database integration is somewhat elementary, though the application is cool and, fortunately, at this point small. I have found that many queries are small and stacked, rather than one larger query fetching all the necessary data. In addition they are looping through recordsets while opening more inside the loop, which can be a resource nightmare.

This brought me to refresh my knowledge of Classic ASP performance. I had all but forgotten about the very cool GetRows() method, which I had always waited for PHP to make an equivalent to. With GetRows() there is no recordset executing a read on each iteration of a loop, and no long-lived open recordset object. It reads the remaining rows of an open recordset in one go and dumps them into a two-dimensional array, after which you can close the recordset and the connection and parse through the array that resides in memory.

When dealing with a lot of queries, or facing the possible necessity of nesting queries (such is the case in the ugly instance of a database that isn't normalized), this is a quite handy feature, being able to keep the connection and recordset open for a minimal amount of time.

It's quite simple to do:

Set cn = Server.CreateObject("ADODB.Connection")
cn.Open connString   ' connString: your own connection string, defined elsewhere
Set rs = cn.Execute("SELECT id,fname,lname,email FROM tablename")
' GetRows() raises an error on an empty recordset, so check EOF first
If Not rs.EOF Then arrayRs = rs.GetRows()
rs.Close
Set rs = Nothing
cn.Close
Set cn = Nothing

Simple stuff, eh? Then the "arrayRs" variable contains a two-dimensional array of the recordset that is referenced like any array. For the above query you loop through the rows with a For loop:

If IsArray(arrayRs) Then
    For i = 0 To UBound(arrayRs, 2)   ' the second dimension is the row
        id = arrayRs(0, i)
        fname = arrayRs(1, i)
        lname = arrayRs(2, i)
        email = arrayRs(3, i)
    Next
End If

The first index (the info in the parentheses) is the column number, the second is the row number. So the first number can be hard coded (it can also be looped through dynamically) and the second is the loop counter, which is the row. UBound(arrayRs, 2) gives the last row index; a plain UBound(arrayRs) would give the last column instead. Think of the two-dimensional array just like a database table or a spreadsheet, simply rows and columns.

It can be hard to get used to referencing columns by index rather than by field name, but if you assign the columns to variables at the top of each loop iteration it gets easier, and you can gain a lot of performance at times.

I am not typically big on doing large development on dead platforms, but I am big on simply choosing the right tool for the job. ASP, while deprecated and unsupported, is still a perfectly functional language that can do a lot, and it is pretty easy to develop on if you can get past, or are not affected by, some of its limitations: file uploading and exporting non-Microsoft document types are not available natively, and FileSystemObject handling I always found kludgy.

Thus far this new contract has been fun and a learning experience on an aging platform. If I do a good job maybe I'll be back when they rewrite it in .Net.
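The pattern in this post and in the connection-handling post above it (open once, fetch everything into arrays, close, then render) has a direct PHP equivalent in PDOStatement::fetchAll(), which has shipped with PHP since 5.1. The added example below is not code from either post. It uses PDO with an in-memory SQLite database so it runs offline; the people table, its rows and the surname filter are constructed for the demo.

```php
<?php
// Added example, not code from the posts: the GetRows() pattern in PHP with PDO.
// The whole result set is copied into arrays and the connection is released before
// a single byte of HTML goes out. Table, rows and the filter are constructed.

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    $db->exec('CREATE TABLE people (id INTEGER PRIMARY KEY, fname TEXT, lname TEXT, email TEXT)');
    $db->exec("INSERT INTO people (fname, lname, email) VALUES
        ('Ada', 'Lovelace', 'ada@example.com'),
        ('Alan', 'Turing', 'alan@example.com'),
        ('Grace', 'Hopper', 'grace@example.com')");
    return $db;
}

// Data layer: one connection, every query, everything copied into plain arrays.
function load_page_data(string $lnamePrefix): array
{
    $db = open_db();

    // the user-supplied prefix travels as a bound parameter, never inside the SQL text
    $stmt = $db->prepare('SELECT id, fname, lname, email FROM people WHERE lname LIKE :p ORDER BY lname');
    $stmt->execute([':p' => $lnamePrefix . '%']);
    $people = $stmt->fetchAll(PDO::FETCH_ASSOC);   // all rows now live in memory

    $total = (int) $db->query('SELECT COUNT(*) FROM people')->fetchColumn();

    $stmt = null;   // release the statement...
    $db = null;     // ...and the connection, before any HTML is produced

    return ['people' => $people, 'total' => $total];
}

// Presentation layer: no database access, only encoding of the values it prints.
function render(array $data): string
{
    $out = '<p>Showing ' . count($data['people']) . " of {$data['total']} people</p>\n<ul>\n";
    foreach ($data['people'] as $row) {
        $name  = htmlspecialchars($row['fname'] . ' ' . $row['lname'], ENT_QUOTES, 'UTF-8');
        $email = htmlspecialchars($row['email'], ENT_QUOTES, 'UTF-8');
        $out  .= "<li>$name &lt;$email&gt;</li>\n";
    }
    return $out . "</ul>\n";
}

$data = load_page_data('L');                        // every query runs and the connection closes here
header('Content-Type: text/html; charset=utf-8');   // headers go out only after the data layer is done
echo render($data);
```

fetchAll(PDO::FETCH_NUM) gives the indexed form closest to GetRows(), with the caveat that PHP's array is rows first, then columns, the reverse of ADO's column-then-row layout; FETCH_ASSOC, used above, lets the presentation code refer to fields by name, which is the part of GetRows() the post found hard to get used to.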

Ya Like To Think The Best Of People

I have used lots of freeware and shareware over the years, scripts that are useful, hoping the author had the best intentions while distributing. Hoping so due to the fact I have the best intentions when giving away free code, simply figuring it helped me, maybe it will help somebody else.

Then a friend alerts me to Dustin Brooks' story of G-Archiver, a tool that archives Gmail contents to a local folder. The story is stunning: a man scamming people out of the login credentials for their Gmail accounts. The writer of the application hardcoded his own Gmail account into the application so that it emailed each user's login info to his private account every time somebody used the application. Not everybody could find this, as it was all compiled code that Mr. Brooks viewed with a decompiler.

Read the full blog post at Jeff Atwood's Coding Horror blog.

Sunday, March 9, 2008

Success isn't Success if it's Generated by Fraud

I was recently told about the WOA Network by a forum friend. This is not something we talk about in terms of doing it; it's something we alert each other to as a scam to watch.

If one needs to resort to these tactics to "succeed" then you don't deserve to succeed for that project. Lying, cheating and stealing is not success, it's criminal, and it affects the legitimate businessperson that is working the system properly. In addition, they always get caught eventually.

Myself, I am more of the type of person that wants to make less money for a long time, rather than rake in the money before getting caught and having the source dry up completely.

If you are a long-termer, and want to play this ad publishing game for the long haul, don't resort to these lame tactics for the quick buck. Spend the time and money on improving your site and making it more worthy of succeeding on its own merit. Don't resort to tricks and scams.

Heads up, the mentioned site is a scam, and there are many others like it. Bottom line, if they offer too much money for too little work, it's probably a scam.

Saturday, March 8, 2008

AdSense Clicks But No AdSense Earnings!

My continuing rants about people and their repetitive questions on the AdSense support forum moves forward from the previous post of the inability to tell anyone what AdSense will make them, forward, into the area of zero-value clicks.

Zero value clicks can happen for a multitude of reasons. None more likely than a click being determined to be invalid by Google's fraud detection system. This is also the primary reason accounts get banned.

An invalid click is not determined, I would assume, on a site-by-site basis, but over the entire system. Of course the most obvious invalid click is one of the publisher clicking his own ads, which is easily traceable on any computer a publisher logs into their AdSense account with. But, beyond that they could, and I would assume do, watch for system wide fraud, such as automated systems that don't attack a single publisher, but perhaps AdSense as a whole.

Secondly, PSAs (public service ads) are ads for charities, displayed when you first sign up until the AdSense bot can get to your site to analyze it. These ads can also show up on pages that have no paying ads available, which you can opt out of in your ad management settings.

Thirdly, some ads are cost per thousand impressions (CPM) ads. Those pay the publisher per thousand impressions; clicks may generate nothing, or very, very little. I have seen people complain, wanting CPM ads, then a day later whine about not getting money for clicks. Ya can't have it both ways.

The AdSense system shows the ad(s) most beneficial at the time they are shown. This makes them the most money, and you the most money. The system works, but nonetheless people still constantly question it. There are problems, and Google is hopefully addressing them as they have the resources. Just because a single click gave you nothing, don't freak out; if you are watching click by click, or even can watch click by click, either you have very little traffic or a lot of time on your hands.

AdSense has over the last couple of days added a couple of good posts to their blog to help publishers diagnose low earnings, or earnings decreases, by explaining how to read and analyze reports to find out what is happening. Be sure to read parts 1 and 2.

Get great AdSense tips and tricks to get the most from the AdSense ads from my eBook Common AdSense, as well as other great bonuses.

Friday, March 7, 2008

Nobody Can Tell You What AdSense Will Make You, So Stop Asking!

A few months back I blogged about the impossibility of answering the question "How Much Will AdSense Make Me?" Well, from the looks of the AdSense support forum, very few of them apparently read this blog.

The bottom line is this, nobody can tell you. The price of ads is determined by many factors, some of these factors are the topic of your site, the location of your ad space advertisers are bidding on and whether they are pay per click (PPC) or cost per thousand impressions (CPM) ads. In addition to that, there are factors regarding your web site that come in to play, most importantly the amount of traffic you have, the location and design of your ads and how many ads you have on any given page.

This equation is further complicated by how well your web site converts click-throughs, a factor figured into AdSense's so-called "smart pricing" system, which rewards web sites that convert better than ones that don't.

So, if you are reading this blog while researching the option of using AdSense, and are even debating going to the AdSense support forum to ask how much you'll make, don't bother; nobody can answer it accurately. However, here are some completely unsupported figures:

Based on my experience, there is an average click-through rate of 1% to 2% of impressions, and each click is on a very loose average worth about $0.20. Therefore, if you get 1000 impressions a day, you can figure 10-20 people will click, and if 10 people click at $0.20 each that amounts to about $2.00 a day.

Now, before anyone dares give me crap about not getting that amount with those figures, I have also seen up to a tripling of click through ratio (CTR) with well designed and placed ads over poorly designed and placed ads. The topic you choose and keywords you use can also make a huge impact.

The bottom line remains the same, nobody can tell you what you will make so stop asking.

Get great AdSense tips and tricks to get the most from the AdSense ads from my eBook Common AdSense, as well as other great bonuses.

Thursday, March 6, 2008

Was AJAX Really Ever The Savior?

A couple of years ago, the buzzword in all the trade magazines was AJAX. AJAX was the key to resource, bandwidth and user experience improvements. It wasn't long after that every manager of every development team, or rather managers of development team's customers, were asking for AJAX everything.

Shortly after that I started playing with it, as one manager was breathing down the neck of my manager, who started breathing down my neck, to get them some AJAX. Often the original requester didn't even really know what it was, what it did, or how it did it; they just knew it was all the rage in the trade mags.

The last couple contracts I have been on have been very AJAX powered, which on the whole doesn't bother me, and generally is quite cool, as I am a fan of the technology, but it sometimes does get used counter productively. It's not even (and wasn't then) a new technology, it was simply given a name and process by mixing technologies that already existed.

So, where is AJAX useful? Where is it a hindrance? Why would it ever be a hindrance?

First, look at what AJAX is: it lets a client-side script trigger server-side processing and populate the results into a div on the page. So it makes it possible to basically refresh only part of t