<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Blog</title>
	<atom:link href="http://blog.primestudiosllc.com/feed" rel="self" type="application/rss+xml" />
	<link>http://blog.primestudiosllc.com</link>
	<description>Prime Studios</description>
	<lastBuildDate>Wed, 01 Sep 2010 04:24:14 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=abc</generator>
		<item>
		<title>Adding Google Quick-add to Anything: The Textdate PHP Class</title>
		<link>http://blog.primestudiosllc.com/web/adding-google-quick-add-to-anything-the-textdate-php-class</link>
		<comments>http://blog.primestudiosllc.com/web/adding-google-quick-add-to-anything-the-textdate-php-class#comments</comments>
		<pubDate>Wed, 01 Sep 2010 04:19:33 +0000</pubDate>
		<dc:creator>Matt</dc:creator>
				<category><![CDATA[Web]]></category>

		<guid isPermaLink="false">http://blog.primestudiosllc.com/?p=979</guid>
		<description><![CDATA[Earlier this year we were asked by a client to create a tee time scheduling application for their golf course, and we decided it would be best to use Google Calendar within a Google Apps account as the &#8220;backend&#8221; management &#8230; <a href="http://blog.primestudiosllc.com/web/adding-google-quick-add-to-anything-the-textdate-php-class">Read more...</a>]]></description>
			<content:encoded><![CDATA[<p>Earlier this year we were asked by a client to create a tee time scheduling application for their golf course, and we decided it would be best to use Google Calendar within a Google Apps account as the &#8220;backend&#8221; management tool, and the Google Calendar API to make it all tick. One of the fun late-night features we wanted to add was something to replicate <a href="http://www.google.com/support/calendar/bin/answer.py?hl=en&amp;answer=36604#text" target="_blank">Google&#8217;s &#8220;Quick-add&#8221;</a> functionality, so a golfer could just type in slang like &#8220;tomorrow at noon&#8221; or &#8220;next Tuesday at 3pm&#8221; to schedule a tee time. We created a class to do this, and think it might be useful to share.</p>
<p>This class takes a string/sentence as input, and outputs several code-friendly values: bam, your own quick-add. We use the Zend Gdata library to integrate with the Google Calendar API, which [lucky for us] supports creating events by the quick-add method. The basic job of this class is to retrieve a start time, an end time, and a title from a &#8220;slang&#8221; event description.</p>
<h3>The Details of Textdate</h3>
<p>The <strong>textdate.class.php</strong> creates an event with the description you input using the Quick-add API, stores the needed details about the event, then deletes the event. We assume you will need a double opt-in system for scheduling, and don&#8217;t want to schedule an event without either the user or yourself making sure the text-to-date conversion went as planned. We have added an &#8220;add_event&#8221; function to handle the actual scheduling, which would be step two after [maybe] checking the event against a database of existing events or schedules.</p>
<h3>Setup and Use textdate.class.php</h3>
<p>You will need to download the <a href="http://framework.zend.com/download/gdata">Zend Gdata Library</a> first. For this example, I simply extracted the folder &#8220;Zend&#8221; inside the &#8220;library&#8221; folder and uploaded it to my root directory. There are many ways to make sure the library is accessible to the class, and we opt for the simple way here, but if you are using the library extensively and want to include it by default you can add it to the include path in your PHP configuration, in the .htaccess, or with a line of PHP (read the Zend &#8220;INSTALL.txt&#8221; for more info).</p>
<p>Assuming you have a Google Apps or Gmail account, you should have access to a Google Calendar, and you will share your login information in the <strong>textdate.class.php</strong> file to access the calendar API. Below is the basic usage of the class:</p>
<pre class="brush: php;">
&lt;?php
include('textdate.class.php');

$td = new Textdate;
$event_details = $td-&gt;convert('Meet Jeff tomorrow at 5pm for 3 hours');

if(!isset($event_details['error']))	{
	// the title comes straight from user input, so escape it before echoing it as HTML
	echo 'Title: '.htmlspecialchars($event_details['title']);
	echo '&lt;br/&gt;';
	// 'i' is minutes; 's' (seconds) only looked right because quick-add times land on the minute
	echo 'Start: '.date('g:ia M j, Y',$event_details['start']);
	echo '&lt;br/&gt;';
	echo 'End: '.date('g:ia M j, Y',$event_details['end']);
}	else	{
	echo htmlspecialchars($event_details['error']);
}
</pre>
<p><strong>Title: Meet Jeff<br />
Start: 5:00pm Sep 1, 2010<br />
End: 8:00pm Sep 1, 2010</strong></p>
<p>We pass around Unix timestamps for &#8220;start&#8221; and &#8220;end&#8221;, since we find that is the easiest format to start from for most development. After you run some checks, or give the user a view of the details to verify, you can use &#8220;add_event&#8221; to actually put the event into the calendar:</p>
<pre class="brush: php;">
$td-&gt;add_event($event_details);
</pre>
<p>There are a couple of other things you could add, like notes for the event, people/email addresses, where the event will be, etc. We think this should serve as a good starting point for the basic text-to-date conversion though. Here is the class itself; a ZIP package of both the class and the test file is linked below.</p>
<pre class="brush: php;">
&lt;?php
require_once 'Zend/Loader.php';
date_default_timezone_set('America/New_York');

class Textdate	{
	function convert($event_string)
	{
		$gcal = $this-&gt;load_calendar();

		//add quick event, or catch error
		try {
			$event = $gcal-&gt;newEventEntry();
			$event-&gt;content = $gcal-&gt;newContent($event_string);
			$event-&gt;quickAdd = $gcal-&gt;newQuickAdd('true');
			$newEvent = $gcal-&gt;insertEvent($event);
		}
		catch(Zend_Gdata_App_Exception $e) {
			return array('error'=&gt;'Error: '.$e-&gt;getMessage());
		}

		//store details straight from the entry Google returned for the insert,
		//so we never pick up (and later delete) some other recently modified event
		$whens = $newEvent-&gt;getWhen();
		if(count($whens) == 0)	{
			$newEvent-&gt;delete();
			return array('error'=&gt;'Error: no date or time could be parsed from that text.');
		}
		$event_details = array(
							'start'=&gt;strtotime($whens[0]-&gt;getStartTime()),
							'end'=&gt;strtotime($whens[0]-&gt;getEndTime()),
							'title'=&gt;$newEvent-&gt;getTitle()-&gt;getText(),
							'url'=&gt;$newEvent-&gt;getEditLink()-&gt;getHref()
							);

		//delete the temporary event; add_event() does the real scheduling later
		try {
			$newEvent-&gt;delete();
		}
		catch(Zend_Gdata_App_Exception $e) {
			return array('error'=&gt;'Error: '.$e-&gt;getMessage());
		}
		return $event_details;
	}

	function add_event($event_details)	{
		$gcal = $this-&gt;load_calendar();

		try {
			$event = $gcal-&gt;newEventEntry();
			$event-&gt;title = $gcal-&gt;newTitle($event_details['title']);
			$when = $gcal-&gt;newWhen();
			$when-&gt;startTime = date(DATE_ATOM,$event_details['start']);
			$when-&gt;endTime = date(DATE_ATOM,$event_details['end']);
			$event-&gt;when = array($when);
			$gcal-&gt;insertEvent($event);
		} catch (Zend_Gdata_App_Exception $e) 	{
			return &quot;Error: &quot;.$e-&gt;getMessage();
		}
		return TRUE;
	}

	function load_calendar()	{
		// load library
		Zend_Loader::loadClass('Zend_Gdata');
		Zend_Loader::loadClass('Zend_Gdata_ClientLogin');
		Zend_Loader::loadClass('Zend_Gdata_Calendar');
		Zend_Loader::loadClass('Zend_Http_Client');

		// create authenticated HTTP client for Calendar service
		// (replace the two placeholders with the account that owns the calendar)
		$service = Zend_Gdata_Calendar::AUTH_SERVICE_NAME;
		$user = &quot;YOUREMAIL&quot;;
		$pass = &quot;YOURPASSWORD&quot;;
		$client = Zend_Gdata_ClientLogin::getHttpClient($user, $pass, $service);
		return new Zend_Gdata_Calendar($client);
	}
}
</pre>
<p><a href="http://blog.primestudiosllc.com/wp-content/uploads/textdate-class-with-example.zip">Download the ZIP Package</a></p>
<h3>Isn&#8217;t that Neat?</h3>
<p>Google is basically awesome for letting everyone tap into their text-to-event algorithm work, and hopefully you find it at least intriguing, and maybe useful on an application down the road. We encourage you to leave a comment if you like this or need any help getting it running. Happy coding, y&#8217;all.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.primestudiosllc.com/web/adding-google-quick-add-to-anything-the-textdate-php-class/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Send Time Limited Secure Logins with timebomb.it</title>
		<link>http://blog.primestudiosllc.com/security/send-time-limited-secure-logins-with-timebomb-it</link>
		<comments>http://blog.primestudiosllc.com/security/send-time-limited-secure-logins-with-timebomb-it#comments</comments>
		<pubDate>Fri, 27 Aug 2010 16:55:47 +0000</pubDate>
		<dc:creator>Matt</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://blog.primestudiosllc.com/?p=903</guid>
		<description><![CDATA[Today we officially launched a new web and mobile application timebomb.it, making it easy and more secure to send confidential login information from one person to another. You can think of it as a secure URL shortener for sending logins. &#8230; <a href="http://blog.primestudiosllc.com/security/send-time-limited-secure-logins-with-timebomb-it">Read more...</a>]]></description>
			<content:encoded><![CDATA[<p>Today we officially launched a new web and mobile application <a href="https://timebomb.it">timebomb.it</a>, making it easy and more secure to send confidential login information from one person to another. You can think of it as a secure URL shortener for sending logins. <strong>All it takes is one person to break into a computer or email client, or one phone to be lost for an attacker to gain access to some really confidential stuff.</strong> We bet a search for &#8220;login&#8221;, &#8220;username&#8221;, or &#8220;password&#8221; in most email boxes will come up with something useful for a hacker, and this is why we ask you to <a href="https://timebomb.it">timebomb.it</a> next time you need to send confidential information.</p>
<p style="text-align: center;"><img class="aligncenter size-full wp-image-964" style="margin-top: 15px; margin-bottom: 15px;" title="timebombit-screenshots-preview" src="http://blog.primestudiosllc.com/wp-content/uploads/timebombit-screenshots-preview.jpg" alt="" width="645" height="443" /></p>
<p style="text-align: center;">1) Create a Link. 2) View it, send it, blow it up.</p>
<h3>Put Hackers Against the Clock</h3>
<p>As a development company, we either require or maintain login information for servers, mail accounts, or applications for our clients, all of which are generally secured by a username and password. So when we need login information, we get it in an email. This confidential information remains in our sent folder, the client&#8217;s inbox, and maybe on some of our mobile devices (if we choose to sync them). We decided we needed a way to send confidential information without having it linger inside an email client. Timebomb.it creates random URLs for logins, with the option to blow them up in 1 hour, 1 day, or 1 week. Now we just send that link over, and know that if a hacker gets hold of our computer in a year, our email account isn&#8217;t peppered with our clients&#8217; usernames and passwords.</p>
<h3>A Simple Interface, Because it Should Be</h3>
<p>Our background in mobile webapps gave us the tools to make this thing mobile-ready out of the box. Using HTML5, CSS3, and custom jQuery scripts, we are seeing sub-500ms load times on a regular internet connection. The only images used are on the <a href="https://timebomb.it/about">timebomb.it about page</a>, which is full-width for most screens, and scales seamlessly on a mobile device. We figure with some of the odd situations you could use timebomb.it for, you want it viewable on a phone, quick to access, and easy to read:</p>
<p>- You need the alarm code for your grandma&#8217;s garage door (just use the password field)<br />
- You want your mom to send you the logins to your AT&amp;T account<br />
- Your co-worker emailed you asking for the credentials to the computer in the testing lab<br />
- You reset the combination-code door lock on your office building, and want to inform your employees</p>
<p>Once you have created a link, we even have the option to &#8220;Blow it Up&#8221;; not only because it is fun to blow things up, but because you might decide you no longer want the information available. Each data field uses a mix of custom Flash and Javascript enabling a cross-browser click-to-copy feature. We aimed for a professional design so users trust it, and total transparency in how the information is presented; hopefully you agree this is a &#8220;mission accomplished&#8221;.</p>
<h3>Passwords love encryption, give them some love.</h3>
<p>We use an SSL encrypted connection, or HTTPS, to transfer all information to and from timebomb.it over the internet. This means people snooping your network can&#8217;t get hold of anything you type in or look at. Our databases are also completely encrypted, expired links are deleted every hour, and no link is ever used twice. Our servers have brute force detection, strict firewalls, and are behind bullet proof glass with armed guards (thanks Media Temple). We currently use a 10-character alpha-numeric random string to generate links; this means there are 3,656,158,440,062,979 (3.65 quadrillion) links available. Put it this way: the odds of someone winning the lottery, getting struck by lightning, and dating a supermodel in their lifetime are better than their chance of finding a timebomb.it link (remember, links must expire within a week).</p>
<h3>CIA: Confidentiality, Integrity, Availability</h3>
<p>This acronym represents the three widely accepted components of information security. We have described how we address confidentiality and integrity using some great technology, but the most important aspect is availability. Sure, random URLs may not be a great way to send nuclear launch codes, but it&#8217;s a heck of a lot better than sending them in a plain-text email. In security we make trade-offs, and we know that if a system is too hard to use, or takes too long to access, it will get scrapped. Our mission is to provide something really secure, and to force people to think about things like security and password management, while not slowing them down.</p>
<h3>That&#8217;s a Wrap, plus an API with a Wrapper</h3>
<p>We never want to leave our automation-loving, UI-enhancing developers without something neat and exciting, and this is why we made a simple API and PHP wrapper, check it out: <a href="http://blog.primestudiosllc.com/security/timebomb-it-api-and-php-wrapper-class">timebomb.it API and PHP Wrapper Class</a>. Please make sure to leave your thoughts in the comments; we hope you all enjoy this little tool.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.primestudiosllc.com/security/send-time-limited-secure-logins-with-timebomb-it/feed</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>timebomb.it API and PHP Wrapper Class</title>
		<link>http://blog.primestudiosllc.com/security/timebomb-it-api-and-php-wrapper-class</link>
		<comments>http://blog.primestudiosllc.com/security/timebomb-it-api-and-php-wrapper-class#comments</comments>
		<pubDate>Fri, 27 Aug 2010 16:48:44 +0000</pubDate>
		<dc:creator>Matt</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://blog.primestudiosllc.com/?p=831</guid>
		<description><![CDATA[If you haven&#8217;t read anything about our newest web and mobile app timebomb.it, make sure to stop by Send Time Limited Secure Logins with timebomb.it. Let&#8217;s take a look at the simple API we made so developers can use timebomb.it &#8230; <a href="http://blog.primestudiosllc.com/security/timebomb-it-api-and-php-wrapper-class">Read more...</a>]]></description>
			<content:encoded><![CDATA[<p>If you haven&#8217;t read anything about our newest web and mobile app <a target="_blank" href="https://timebomb.it">timebomb.it</a>, make sure to stop by <a href="http://blog.primestudiosllc.com/security/send-time-limited-secure-logins-with-timebomb-it">Send Time Limited Secure Logins with timebomb.it</a>. Let&#8217;s take a look at the simple API we made so developers can use timebomb.it for anything they please. Remember, you must have an API key to use it; just <a target="_blank" href="http://www.primestudiosllc.com">contact us</a> and we&#8217;ll shoot one right back to you.</p>
<h3>Using the API with JSON</h3>
<p>We require four pieces of information for the API to process successfully: the API key, a username, a password, and an expiration value. If you have tried out timebomb.it, this should make perfect sense. The API is accessed through the following URL structure:</p>
<p><strong>https://timebomb.it/api/json/APIKEY/USERNAME/PASSWORD/EXPIRATION</strong></p>
<p>The only somewhat non-standard entry is the EXPIRATION value. This is set to 1, 2, or 3, corresponding to a 1-hour, 1-day, or 1-week expiration time respectively. The output is a JSON encoded string with the following keys:</p>
<p><strong>username</strong> : provided username<br />
<strong>password</strong> : provided password<br />
<strong>url</strong> : timebomb generated URL<br />
<strong>expiration</strong> : seconds until link expires<br />
<strong>created</strong> : unix timestamp</p>
<p>Example Input:</p>
<p><strong>https://timebomb.it/api/json/Y8dqEisNoAChS6AFmwyQ1LoJ/elvis/bluesuedeshoes/1</strong></p>
<p>Example output:</p>
<p><strong>{"username":"elvis","password":"bluesuedeshoes","url":<br />
 <span style="margin-left:25px;">"https:\/\/timebomb.it\/4dewszeaoa","expiration":3600,"created":1282529729}</span></strong></p>
<p>We suggest reading the HTTP header status in order to gain details on the success or failure of the request. The following statuses are returned based on the request:</p>
<p><strong>Status = 202</strong> : Request Successful<br />
<strong>Status = 404</strong> : Request Denied, Check Data Structure<br />
<strong>Status = 500</strong> : Request Denied, Possible timebomb.it Error</p>
<h3>PHP Wrapper Class using cURL</h3>
<p>We have created a basic PHP wrapper that can be used as a standalone class, making it pretty simple to integrate timebomb.it into your application. Of course it&#8217;s not perfect; how well it fits will depend on your application, but it will get you off the ground quickly. We are using the PHP cURL extension, which you probably have if PHP is installed on your server; otherwise look at <a target="_blank" href="http://curl.haxx.se/docs/install.html">How to Install cURL for PHP</a>. Below is the standard usage for the <strong>timebomb.class.php</strong> wrapper.</p>
<pre class="brush: php;">
&lt;?php
require_once('timebomb.class.php');
$tb = new Timebomb();

$data = array(
	&quot;key&quot;=&gt;&quot;Y8dqEisNoAChS6AFmwyQ1LoJ&quot;,
	&quot;username&quot;=&gt;&quot;elvis&quot;,
	&quot;password&quot;=&gt;&quot;bluesuedeshoes&quot;,
	&quot;expiration&quot;=&gt;&quot;1&quot;
	);

$timebomb = $tb-&gt;create_link($data);

if($timebomb['success'])	{
	echo $timebomb['url'];
}	else	{
	echo $timebomb['message'];
}

/*$timebomb array elements
	$timebomb['success'] : TRUE or FALSE
	$timebomb['message'] : status message
	$timebomb['username'] : provided username
	$timebomb['password'] : provided password
	$timebomb['url'] : TimeBomb generated URL
	$timebomb['expiration'] : seconds until link expires
	$timebomb['created'] : unix timestamp
*/

//Use for auto-generated passwords
//$password = $tb-&gt;create_password();
</pre>
<p>We have added a simple password generator to the <strong>timebomb.class.php</strong> wrapper as well, just in case you want to produce them on the fly. The &#8220;timebomb&#8221; array returned from the class is described above in the PHP comments, and provides all the important information about the created link, or if there was an error. Below is the source for the <strong>timebomb.class.php</strong> wrapper, and we have provided both of these files in a ZIP package for convenience.</p>
<pre class="brush: php;">
&lt;?php
class Timebomb	{

	function create_link($timebomb_info)	{
		// build the path in the order the API expects, URL-encoding each piece so a
		// password containing '/' or '#' cannot break (or change) the request
		$parts = array();
		foreach(array('key','username','password','expiration') as $field)	{
			$parts[] = rawurlencode(isset($timebomb_info[$field]) ? $timebomb_info[$field] : '');
		}
		$url = implode('/',$parts);

		$ch = curl_init('https://timebomb.it/api/json/'.$url);
		curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0');
		curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 30);
		curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
		curl_setopt($ch, CURLOPT_HEADER, 1);
		// credentials travel over this connection, so keep certificate checks on (cURL's default)
		curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, TRUE);
		$curl_data = curl_exec($ch);
		$curl_info = curl_getinfo($ch);
		curl_close($ch);

		$timebomb_data = array('success'=&gt;FALSE);

		if($curl_data !== FALSE)	{
			$timebomb_data['status'] = $curl_info['http_code'];

			switch ($timebomb_data['status']) {
				case 202:
					// strip the headers we asked for, then decode the JSON body
					$json_data = substr($curl_data, $curl_info['header_size']);
					$decoded = json_decode($json_data,TRUE);
					if(!is_array($decoded))	{
						$timebomb_data['message'] = 'TimeBomb answered 202 but the body was not valid JSON.';
						return $timebomb_data;
					}
					$timebomb_data = array_merge($timebomb_data, $decoded);
					$timebomb_data['success'] = TRUE;
					$timebomb_data['message'] = 'Congrats, your TimeBomb link was created.';
					return $timebomb_data;
				case 404:
					$timebomb_data['message'] = 'Please check your inputs and make sure you have a valid TimeBomb API key.';
					return $timebomb_data;
				case 500:
					$timebomb_data['message'] = 'TimeBomb may have blown itself up, please try again.';
					return $timebomb_data;
				default:
					$timebomb_data['message'] = 'Houston, we have a problem with something, not sure who to pin it on right now.';
					return $timebomb_data;
			}
		}
		$timebomb_data['message'] = 'The cURL process failed.';
		return $timebomb_data;
	}

	function create_password($length=12) {
		$chars = array_merge(range('a', 'z'),range('A', 'Z'),range(0, 9));
		$password ='';
		for($i=0;$i &lt; $length;$i++) {
			// random_int() is a CSPRNG; mt_rand() output is predictable and not suitable for passwords
			$password .= $chars[random_int(0,count($chars)-1)];
		}
		return $password;
	}
}
</pre>
<p><a href="http://blog.primestudiosllc.com/wp-content/uploads/timebomb-class-php-package.zip">Download the timebomb.class.php ZIP Package</a></p>
<h3>Final Remarks</h3>
<p>If you would like to contribute, collaborate, or provide feedback to our <a href="https://timebomb.it">timebomb.it</a> project, please be sure to visit the <a href="http://www.primestudiosllc.com/">Prime Studios Homepage</a>, or comment on this post. Happy coding everybody.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.primestudiosllc.com/security/timebomb-it-api-and-php-wrapper-class/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Screencast: Using sFTP with SSH, and why FTP is Insecure</title>
		<link>http://blog.primestudiosllc.com/security/using-sftp-with-ssh-and-why-ftp-is-insecure</link>
		<comments>http://blog.primestudiosllc.com/security/using-sftp-with-ssh-and-why-ftp-is-insecure#comments</comments>
		<pubDate>Tue, 17 Aug 2010 16:38:48 +0000</pubDate>
		<dc:creator>Matt</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://blog.primestudiosllc.com/?p=813</guid>
		<description><![CDATA[As a developer, your world might crumble without using FTP (File Transfer Protocol). Oh how we love our port 21, uploading and downloading everything in plain text. However, if you are at all worried about security and integrity of your &#8230; <a href="http://blog.primestudiosllc.com/security/using-sftp-with-ssh-and-why-ftp-is-insecure">Read more...</a>]]></description>
			<content:encoded><![CDATA[<p><a href="http://vimeo.com/14213195" target="_blank">Watch the screencast on Vimeo (clip 14213195)</a></p>
<p>As a developer, your world might crumble without FTP (File Transfer Protocol). Oh how we love our port 21, uploading and downloading everything in plain text. However, if you are at all worried about the security and integrity of your (and your clients&#8217;) data and information, you would be much better off using an encrypted file transfer method like sFTP, the &#8220;s&#8221; standing for &#8220;SSH&#8221;, or &#8220;secure&#8221;.</p>
<p>In our video we talk about the importance of data encryption across the wire, as well as over the air, and show how attackers can take advantage of non-encrypted data transfer. Our alternative to FTP is sFTP, which utilizes the SSH (Secure Shell) protocol for file transfers, providing a fully [public key] encrypted path for the data to flow. This essentially mitigates MITM (Man in the Middle) attacks and network sniffing, where an attacker simply jumps onto your network and steals confidential information as it flows. By using encrypted data transfer, the data can still be sniffed and logged, but it is nearly impossible to make useful. Some of our tips for using sFTP are as follows:</p>
<h3>Consider moving your primary SSH port to non-standard location and block the use of port 22.</h3>
<h3>Never use the root account to log into sFTP (or SSH). Create users with sufficient privileges for particular needs.</h3>
<h3>Use a client like <a href="http://filezilla-project.org/" target="_blank">FileZilla</a>, <a href="http://winscp.net/eng/index.php" target="_blank">WinSCP</a>, or <a href="http://www.chiark.greenend.org.uk/~sgtatham/putty/" target="_blank">Putty</a> for all your sFTP and SSH needs.</h3>
<p>As always, security is only as strong as the weakest link, so the first step is to not allow attackers onto your network. Use strong, randomized passwords, and if your router isn&#8217;t already using WPA2 for the encryption type, either change the setting or get a new router! If you are [still] using WEP encryption, you will get cracked faster than a whip on a horse&#8217;s behind. Check the links below for some more info:</p>
<p><a href="http://shapeshed.com/journal/chroot_sftp_users_on_ubuntu_intrepid/" target="_blank">Chroot SFTP user on Ubuntu Intrepid</a></p>
<p><a href="http://www.mysql-apache-php.com/ssh-attacks.htm" target="_blank">How to Secure SSH Server from Attacks</a></p>
<p><a href="http://www.openssh.org/" target="_blank">OpenSSH</a></p>
]]></content:encoded>
			<wfw:commentRss>http://blog.primestudiosllc.com/security/using-sftp-with-ssh-and-why-ftp-is-insecure/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Why Your Small Business Doesn’t Need an IT Guy</title>
		<link>http://blog.primestudiosllc.com/business/why-your-small-business-doesn%e2%80%99t-need-an-it-guy</link>
		<comments>http://blog.primestudiosllc.com/business/why-your-small-business-doesn%e2%80%99t-need-an-it-guy#comments</comments>
		<pubDate>Wed, 11 Aug 2010 03:04:33 +0000</pubDate>
		<dc:creator>Matt</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[agile]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[financial]]></category>
		<category><![CDATA[IT]]></category>
		<category><![CDATA[webapp]]></category>
		<category><![CDATA[websites]]></category>

		<guid isPermaLink="false">http://blog.primestudiosllc.com/?p=789</guid>
		<description><![CDATA[Let’s face it, your small or medium-sized business probably doesn’t need an “IT guy”. It’s 2010, not 1995, and most likely what you need is an agile web company with great support. When we speak about the IT field, things &#8230; <a href="http://blog.primestudiosllc.com/business/why-your-small-business-doesn%e2%80%99t-need-an-it-guy">Read more...</a>]]></description>
			<content:encoded><![CDATA[<p>Let’s face it, your small or medium-sized business probably doesn’t need an “IT guy”. It’s 2010, not 1995, and most likely what you need is an agile web company with great support. When we speak about the IT field, things like inefficiency, legacy, and big reoccurring fees come to mind for most of us. Whether we call it a revelation, or a revolution, almost everything small businesses do, can [or will be] simple and web-based.</p>
<h3>Your Email.</h3>
<p>Although Microsoft Outlook still holds the largest market share for email clients at around 37% (<a title="Campaign Monitor 2009 Blog Post" href="http://www.campaignmonitor.com/blog/post/3092/email-client-trends-for-2009/" target="_blank">Email client trends for 2009</a>), the trend continues to be that web-based email clients (Hotmail, Gmail) are on the rise by about six percent in 2009, and clients such as Thunderbird and Outlook are seeing a drop in usage anywhere between three and nine percent. When your average Joe at the local flower shop wants to email someone, and is faced with options for TLS or SSL email encryption, he can go with an IT guy, or move to a simple solution like Gmail.</p>
<p style="text-align: center;"><img class="size-full wp-image-790 aligncenter" style="margin-top: 25px; margin-bottom: 25px;" title="primestudios-outlook-wtf-encryption" src="http://blog.primestudiosllc.com/wp-content/uploads/primestudios-outlook-wtf-encryption.png" alt="" width="645" height="323" /></p>
<p>One better, <a title="Google Apps" href="http://www.google.com/apps/intl/en/business/index.html" target="_blank">Google Apps</a> makes it really simple to set up Gmail with your webserver, which means you can have email addresses like &#8220;you@yourdomain.com&#8221;, all controlled through the simple Gmail control panel. Your email can be accessed from anywhere in the world, it is fully encrypted, and you don’t need an IT guy to explain it because Google does a great job with tutorials. The only techy work is from a web team who change a couple of things called MX records for your domain; <a title="Prime Studios Homepage" href="http://www.primestudiosllc.com" target="_blank">we can do that</a>.</p>
<h3>Your Website.</h3>
<p>If you’re a young or small business, you are relying on setting yourself apart from the crowd, because if you don’t, your business will fail. You want a cool website, something that engages users and is peppered with crisp graphics and photography; we know. Unfortunately when you put this in the hands of an IT guy, he might be great at setting up servers, and maybe he took a class on HTML in college, but when it comes to your online presence, he will probably screw you over. A website used to be a “coding” thing, something only geeks in basements could do, but it’s now a full-fledged marketing tool that needs everything from built-in blogging to the hippest social media integration. There is a huge leap between those who can build websites and those who can build websites correctly.</p>
<h3>Your Finances.</h3>
<p>Our affinity for desktop financial software is similar to our affinity for petting cobras. The first time you open QuickBooks, you immediately realize there isn’t going to be anything quick about it. As a small business you are worried about a couple of things relating to your finances: keeping it quick, and being informed. You don’t have money for an IT guy to set up your financial database, with your invoice templates, hooked to your printer, exporting to some Excel archive. Add a computer and you had better buy another software license, not to mention dealing with a plethora of operating system and hardware requirement hurdles. Use a WebApp for your invoices, and either have a web team take an hour to show you how to use it, or take a morning and learn it yourself. Look into <a title="Freshbooks" href="http://www.freshbooks.com/" target="_blank">Freshbooks</a>, <a title="FreeAgent" href="http://www.freeagentcentral.com/tour/invoicing" target="_blank">FreeAgent</a>, or <a title="BlinkSale" href="http://www.blinksale.com/" target="_blank">Blinksale</a>.</p>
<h3>The Difference between Agile Web Teams and IT Guys</h3>
<p>The world of IT is by nature wrapped up in legacy software, and slow implementation. This might be okay for corporations, and large entities, but most small businesses need everything done five minutes ago. We [Prime Studios] can run full security audits, buy domains, and send any file from any project from our phones.</p>
<p style="text-align: center;"><img class="aligncenter size-full wp-image-796" style="margin-top: 25px; margin-bottom: 25px;" title="primestudios-ipone-app-lineup-web-tools" src="http://blog.primestudiosllc.com/wp-content/uploads/primestudios-ipone-app-lineup-web-tools.png" alt="" width="645" height="275" /></p>
<h5>Scany, GoDaddy, and SugarSync iPhone Apps</h5>
<p>The fact is that local storage is becoming second to “the cloud”, and there is no such thing as a &#8220;workstation&#8221; for people; we work from our laptops, our phones, on airplanes, and should expect an internet connection to be enough for 95% of our business tasks. The new-age is replacing IT guys with VOIP applications like Skype and Google Voice, eliminating the need for a database guru with simple web and phone apps, and taking advantage of smart web teams who stay on top of the very best ways to make a small business grow, and not worry about the tech.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.primestudiosllc.com/business/why-your-small-business-doesn%e2%80%99t-need-an-it-guy/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>10 Handy Camera Bag Items</title>
		<link>http://blog.primestudiosllc.com/photo/10-handy-camera-bag-items</link>
		<comments>http://blog.primestudiosllc.com/photo/10-handy-camera-bag-items#comments</comments>
		<pubDate>Wed, 28 Jul 2010 15:10:44 +0000</pubDate>
		<dc:creator>Matt</dc:creator>
				<category><![CDATA[Photo]]></category>

		<guid isPermaLink="false">http://blog.primestudiosllc.com/?p=96</guid>
<description><![CDATA[1. Grocery Bag You&#8217;re on a shoot and the clouds start to roll in, you feel the moisture, and you know it&#8217;s about to get wet. Don&#8217;t be stuck with no options, all you have to do is remember to &#8230; <a href="http://blog.primestudiosllc.com/photo/10-handy-camera-bag-items">Read more...</a>]]></description>
			<content:encoded><![CDATA[<h3>1. Grocery Bag</h3>
<p>You&#8217;re on a shoot and the clouds start to roll in, you feel the moisture, and you know it&#8217;s about to get wet. Don&#8217;t be stuck with no options; all you have to do is remember to jam an old, used plastic bag from the grocery store into that miscellaneous corner of your camera bag. Use a rubber band and poke a hole for your viewing pleasure. You do know all your buttons by heart, right?</p>
<p style="text-align: center;"><img class="size-full wp-image-770 aligncenter" title="primestudios-camera-bag-items-grocery-bag" src="http://blog.primestudiosllc.com/wp-content/uploads/primestudios-camera-bag-items-grocery-bag.png" alt="" width="645" height="300" /></p>
<h3>2. Grey Paint Sample Card</h3>
<p>If you are moving a lot and really need some control over your white balance, our best suggestion is to make sure you are taking your photos in RAW (and hey, jpeg correcting is pretty effective too) and to carry a cheap grey card. Post process in a program like Adobe Lightroom to fix all the issues. We use free paint cards from Home Depot, &#8220;Seal Grey&#8221;, and they are pretty darn effective.</p>
<p style="text-align: center;"><img class="size-full wp-image-771 aligncenter" title="primestudios-camera-bag-items-gray-card-whitebalance" src="http://blog.primestudiosllc.com/wp-content/uploads/primestudios-camera-bag-items-gray-card-whitebalance.png" alt="" width="593" height="191" /></p>
<h3>3. Fake Credential</h3>
<p>OK, we&#8217;re not suggesting you make a fake passport or start stealing identities, but having something that looks official with your picture on it and &#8220;PRESS ACCESS&#8221; can help you at least get better parking, or a couple of inches closer to your target.</p>
<p style="text-align: center;"><img class="size-full wp-image-772 aligncenter" title="primestudios-camera-bag-items-credential" src="http://blog.primestudiosllc.com/wp-content/uploads/primestudios-camera-bag-items-credential.png" alt="" width="645" height="300" /></p>
<h3>4. Outlet Accessories</h3>
<p>So you had some grand plan to use two studio lights at this shoot, but guess what? There is one outlet, 30 feet away, and it doesn&#8217;t have a grounding pin. Hopefully you were wise enough to bring an extension cord, but never assume you will be presented with an ample electrical system, and prepare for the worst.</p>
<h3>5. Dust Brush</h3>
<p>This might be more common than others, but most of the time a lens or filter doesn&#8217;t need you to be wiping [scraping] the glass, it just needs the dust to be cleared. Dust can cause some horrible reflections (flaring) and make you pretty mad you didn&#8217;t pay attention to it when you start post processing at full resolution.</p>
<p style="text-align: center;"><img class="size-full wp-image-773 aligncenter" title="primestudios-camera-bag-items-dust-brush" src="http://blog.primestudiosllc.com/wp-content/uploads/primestudios-camera-bag-items-dust-brush.png" alt="" width="645" height="250" /></p>
<h3>6. Level</h3>
<p>If you&#8217;re trekking across some uneven terrain, a level can help make sure your horizon is darn close to level. Some tripods have levels built in, but they are very small and sometimes a little less responsive than we could hope for.</p>
<h3>7. Business Cards</h3>
<p>You need business cards if you&#8217;re in it to make money, but make good use of them in your camera bag too. We put one in each of our lens cases, a couple scattered in the bag itself, and even taped to our equipment if we are going somewhere busy. Sure, it doesn&#8217;t stop thieves, but if a lion on your safari drags it 100 miles to another tribe, or if it gets picked up mistakenly by the other media crew next to you, they know who to return it to!</p>
<h3>8. Food</h3>
<p>You thought this shoot was going to be an hour, in and out, right? If you&#8217;re selling the photos, and need the best ones, you will stay planted until you get them. Not only does it stink to be hungry, but your vision starts to get sluggish and your reaction time goes down, so don&#8217;t risk it and bring a snack.</p>
<h3>9. Rubber Bands</h3>
<p>There are a ton of situations where a rubber band could come in handy, but one great example is to make a bounce card on the fly. We personally use a couple different types of bounce cards, but kicking it old-school and making one from a piece of paper and a rubber band is just as effective (plus you can throw it out after).</p>
<p style="text-align: center;"><img class="size-full wp-image-774 aligncenter" title="primestudios-camera-bag-items-rubber-band" src="http://blog.primestudiosllc.com/wp-content/uploads/primestudios-camera-bag-items-rubber-band.png" alt="" width="645" height="325" /></p>
<h3>10. Flashlight</h3>
<p>Whether you need a brighter focus beam for low-light photography, or you are getting your creative on and exploring some old broken-down buildings, a small flashlight comes in handy. Please don&#8217;t think this replaces your speed lite, or on the flip side, don&#8217;t try to use your speed lite to explore broken buildings (flash.. walk 10 paces.. repeat).</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.primestudiosllc.com/photo/10-handy-camera-bag-items/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>11 Things You&#8217;re Doing Wrong on Your Website (and how to fix them!)</title>
		<link>http://blog.primestudiosllc.com/business/11-things-your-doing-wrong-on-your-website-and-how-to-fix-them</link>
		<comments>http://blog.primestudiosllc.com/business/11-things-your-doing-wrong-on-your-website-and-how-to-fix-them#comments</comments>
		<pubDate>Thu, 22 Jul 2010 01:10:40 +0000</pubDate>
		<dc:creator>Matt</dc:creator>
				<category><![CDATA[Business]]></category>

		<guid isPermaLink="false">http://blog.primestudiosllc.com/?p=616</guid>
		<description><![CDATA[1. It is not cross-browser compatible. There is a huge list of web browsers out there and most likely you have heard of (or use) Google Chrome, Apple Safari, Internet Explorer, Firefox, or Opera- but have you made sure your website works and looks the same in all of these? You don't want the first impression of your business to be a broken website.  <a href="http://blog.primestudiosllc.com/business/11-things-your-doing-wrong-on-your-website-and-how-to-fix-them">Read more...</a>]]></description>
			<content:encoded><![CDATA[<h3>1. It is not cross-browser compatible.</h3>
<p>There is a huge list of web browsers out there and most likely you have heard of (or use) Google Chrome, Apple Safari, Internet Explorer, Firefox, or Opera- but have you made sure your website works and looks the same in all of these? You don&#8217;t want the first impression of your business to be a broken website. You can check out how your website looks in many browsers here: <a href="http://browsershots.org" target="_blank">http://browsershots.org</a></p>
<h3>2. It is hardly usable on mobile devices.</h3>
<p>Have you considered that in two years more internet connections will be made from mobile devices than full-sized computers? Not only is this a cross-browser compatibility issue, it is a content issue. A website needs to have simple navigation, fast page loads, and directed content no matter what type of device is used to view it. Imagine your computer screen at a quarter of its current size, and make sure your website is still [marginally] usable.</p>
<h3>3. It doesn&#8217;t use proper authentication for secure areas.</h3>
<p>Most communication paths for a computer start at a router, then go to a modem, next to a larger hub, then off to the Internet Service Provider (ISP), yatta yatta. All it takes is an attacker snooping on any one of those links to catch all your data, including passwords and personal information. Using a proper certificate with <a href="http://en.wikipedia.org/wiki/Transport_Layer_Security" target="_blank">SSL or TLS</a> gives you &#8220;https://&#8221; web addresses and encrypts the data in transit so it is safe to transfer.</p>
<h3>4. It doesn&#8217;t make use of Cascading Style Sheets (CSS).</h3>
<p>You always want to make sure to use a style sheet on your website. Style sheets have been around for a while, and not only do websites often become cleaner by using them, it makes it easier for a website to be handed to another web team and still be easily modified. Search engine optimization (SEO) can also be affected if styles are &#8220;inline&#8221;, and use of CSS is not done correctly. See <a href="http://www.w3schools.com/CSS/css_howto.asp" target="_blank">W3Schools CSS Tutorial</a> for an in-depth look.</p>
<h3>5. It is a little too glossy.</h3>
<p>Sometimes we call this &#8220;Web 2.0&#8221;, the era in which we began to use fades, reflections, and drop shadows on everything. These elements are [sometimes] needed for a great design, but only in small amounts. Effective web design is simple; gradients are subtle, drop shadows are not heavy, and reflections are definitely approached with caution. Make sure not to abuse this type of new-age styling; your web team should have no problem toning it down on a website if requested.</p>
<h3>6. There has not been any thought given to usability, or action placement.</h3>
<p>We can&#8217;t tell you how many times we land on a website and have to click into another page to actually see what a business does. While the &#8220;about&#8221; page is the common place to put company information, you want someone to understand why they would hire you, use your service, or buy your product on page one (the homepage). If there are &#8220;action&#8221; buttons, or links to important information, make sure they stand out! Consider the Gutenberg Diagram below.</p>
<p style="text-align: center;"><img class="size-full wp-image-627 aligncenter" title="primestudios-gutenberg-diagram" src="http://blog.primestudiosllc.com/wp-content/uploads/primestudios-gutenberg-diagram.png" alt="" width="383" height="383" /></p>
<h3>7. Its URL structure is not SEO friendly.</h3>
<p>The URL structure refers to the individual page links, like &#8220;www.example.com/about&#8221;. These pages can have a huge impact on SEO, so you want to make sure each page has a relevant URL. For example, you might list case studies on your website, and instead of &#8220;www.example.com/casestudy1&#8221;, use something like &#8220;www.example.com/automobile-human-factors-case-study&#8221;. This is just one of the many things that can enhance SEO.</p>
<h3>8. It includes the file extension in the URL.</h3>
<p>You&#8217;ll notice on many webpages that there is a &#8220;.html&#8221; or &#8220;.php&#8221; at the end of the URL. This is the type of file the webpage is saved as (just like .doc for a Word document), and it presents a couple of issues. First, these extensions are not needed; pages operate the same with or without them, and they are visually distracting. Second, by listing the file extension you are giving hackers great insight into the type of files your site uses, which allows them to more easily plan an attack. To remove these extensions, contact your web team and ask them about the &#8220;.htaccess&#8221; file, or take a look at this <a href="http://eisabainyo.net/weblog/2007/08/19/removing-file-extension-via-htaccess/" target="_blank">Removing File Extensions tutorial</a>.</p>
<h3>9. It doesn&#8217;t properly use meta-tags or titles.</h3>
<p>Have you ever wondered how Google knows what to put when it links to your website, or tries to describe what you do? This is contained inside the website in hidden header information, using either &#8220;meta-tags&#8221; or the title tags. Properly filling out this information is crucial for SEO; every search engine listing relies on this information being filled out correctly and being relevant. For instance, you often see homepage titles like &#8220;Home&#8221;, &#8220;Welcome&#8221;, or &#8220;Index-1&#8221;; something more effective might be &#8220;David’s Customs | Where We Repair Custom Cars&#8221;. Now users are more informed when they scroll down their search listings for &#8220;custom car repair&#8221;.</p>
<h3>10. The on-page copy (text) is not relevant or descriptive.</h3>
<p>This problem is two-fold. First, it affects SEO a great amount, and when the Google Bot visits your website it will read through whatever text is on the page and rate your site largely by the words on there. If you talk a lot about baseball cards, you will most likely find yourself higher in search results for &#8220;baseball cards&#8221; because the search engine assumed that&#8217;s what your website offers expertise in. Second, many websites don&#8217;t properly address what users are looking for. If the about page has one stock photo and just says &#8220;We have been around since 1995 and help customers find potential in their business&#8221;, there is no reason for it to exist. If you have very little content, consider a one-page website (here&#8217;s a couple we have done: <a href="http://woodwardtheband.com" target="_blank">Woodward The Band</a>, <a href="http://oasistannorthville.com/" target="_blank">Oasis Tan Northville</a>). Consider spending just a small amount of time every week to write a little about what you do, every little bit helps!</p>
<h3>11. It does not provide any link to social media or blogging.</h3>
<p>We are definitely not advocates of having stagnant twitter accounts, or a Facebook page just to be part of the hype, but these tools can not only help you market your business (and website), they can help you connect with communities. Sometimes users just want to know that your company is alive and there are real people working there, and this is just one thing &#8220;micro-blogging&#8221;, or short updates, can do. Maybe you have a new product, or want to mention a new client project you&#8217;re working on; this can give outsiders some more insight into what you do and a human-level connection to your business. Also, using social media can connect you with potential clients, or like-minded experts in your field; these are people you want to have around you! Here&#8217;s a list of the <a href="http://www.webdesigndev.com/roundups/30-top-web-designers-on-twitter" target="_blank">Top Web Designers to Follow on Twitter</a>. Use Google to find people in your field.</p>
<p>If you don&#8217;t know whether you are doing all of these things, or would like us to help, make sure to visit the <a href="http://www.primestudiosllc.com">Prime Studios Homepage</a> and get in touch.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.primestudiosllc.com/business/11-things-your-doing-wrong-on-your-website-and-how-to-fix-them/feed</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>CSRF Protection in Code Igniter using Form Tokens</title>
		<link>http://blog.primestudiosllc.com/security/csrf-protection-in-code-igniter-using-form-tokens</link>
		<comments>http://blog.primestudiosllc.com/security/csrf-protection-in-code-igniter-using-form-tokens#comments</comments>
		<pubDate>Wed, 07 Jul 2010 20:12:17 +0000</pubDate>
		<dc:creator>Matt</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://blog.primestudiosllc.com/?p=550</guid>
<description><![CDATA[Today we are going to talk about CSRF (or Cross Site Request Forgery), otherwise known as session riding, see-surf, and XRSF, and how to build a token system in Code Igniter to mitigate any potential attacks using CSRF. <a href="http://blog.primestudiosllc.com/security/csrf-protection-in-code-igniter-using-form-tokens">Read more...</a>]]></description>
			<content:encoded><![CDATA[<object width='650' height='365'><param name='allowfullscreen' value='true' /><param name='allowscriptaccess' value='always' /><param name='movie' value='http://vimeo.com/moogaloop.swf?clip_id=13159367&amp;server=vimeo.com&amp;show_title=1&amp;show_byline=1&amp;show_portrait=0&amp;color=&amp;fullscreen=1' /><embed src='http://vimeo.com/moogaloop.swf?clip_id=13159367&amp;server=vimeo.com&amp;show_title=1&amp;show_byline=1&amp;show_portrait=0&amp;color=&amp;fullscreen=1' type='application/x-shockwave-flash' allowfullscreen='true' allowscriptaccess='always' width='650' height='365'></embed></object>
<h3>ScreenCast Commentary</h3>
<p>Today we are going to talk about CSRF (or Cross Site Request Forgery), otherwise known as session riding, see-surf, and XRSF, and how to build a token system in <a href="http://codeigniter.com/" target="_blank">Code Igniter</a> to mitigate any potential attacks using CSRF.</p>
<p>To start, the core of CSRF lies in web browsers making requests that they are “technically” authorized to make, while the user doesn’t actually know the request is being made (otherwise known as a <a href="http://en.wikipedia.org/wiki/Confused_deputy_problem" target="_blank">confused deputy attack</a>). Consider image tags or iframes: they make calls to external URLs all the time. If, instead of a call to an actual image, the image tag calls a URL with malicious GET variables in it, some damage can occur.</p>
<p>One solution to this problem is the use of form tokens: a unique, random string placed into a hidden POST variable and into a cookie every time the page is loaded. This makes it nearly impossible to make a valid POST request from an external source, because the token must be validated on the server side by comparing the POSTed token value with the value held in the cookie. Remember, the same basic principle works in any PHP application; Code Igniter just makes session management a lot simpler.</p>
<p>Remember, if an application is vulnerable to <a href="http://blog.primestudiosllc.com/security/simple-webapp-cross-site-scripting-xss-attack" target="_self">XSS (Cross Site Scripting)</a>, injected script could navigate the DOM and read the token value, making an automated attack possible. Read up on the <a href="http://namb.la/popular/tech.html" target="_blank">“samy is my hero” MySpace attack</a> for more on that.</p>
<p>End Commentary</p>
<p>CSRF with POST variables is dangerous because an attacker can set up a decoy form, maybe just asking for your favorite color, and then post hidden content to a form/site that you have a session on. Below is the code we used inside the Code Igniter Auth class and the main controller to implement a form token system.</p>
<pre class="brush: php;">
&lt;?php  if ( ! defined('BASEPATH')) exit('No direct script access allowed');

/*
 * Auth library: issues the form token and stores it in the Code Igniter session,
 * which by default travels in the session cookie.
 */
class Auth 	{
	var $ci;

	function Auth()	{
		// Reference to the Code Igniter super object, so the library can reach the session class.
		$this-&gt;ci =&amp; get_instance();
	}

	function token()	{
		// Unique, random token; a fresh one is issued every time the page is rendered.
		$token = md5(uniqid(rand(),true));
		$this-&gt;ci-&gt;session-&gt;set_userdata('token',$token);
		return $token;
	}
}

/* End of file Auth.php */

&lt;?php

class Welcome extends Controller {

	function Welcome()
	{
		parent::Controller();
		// The session and auth libraries are used below; these two lines are not needed
		// if both are already listed in config/autoload.php.
		$this-&gt;load-&gt;library('session');
		$this-&gt;load-&gt;library('auth');
		$this-&gt;load-&gt;model('search_model');
	}

	function index()
	{
		if($this-&gt;input-&gt;post('login'))	{
			$this-&gt;session-&gt;set_userdata('logged_in','yes');
		}
		if($this-&gt;input-&gt;post('logout'))	{
			$this-&gt;session-&gt;set_userdata('logged_in','no');
		}

		if(strcmp($this-&gt;session-&gt;userdata('logged_in'),'yes')==0)	{
			$data['logged_in'] = true;
			if($this-&gt;input-&gt;post('search'))	{
				// Only act on the POST when the submitted token matches the one in the session.
				// input-&gt;post() and userdata() both return FALSE when the value is absent, so
				// each is checked, and the comparison is strict (===): a loose == could let two
				// numeric-looking hex strings (e.g. starting "0e") compare equal.
				$posted = $this-&gt;input-&gt;post('token');
				$stored = $this-&gt;session-&gt;userdata('token');
				if($posted !== FALSE &amp;&amp; $stored !== FALSE &amp;&amp; $posted === $stored)	{
					$this-&gt;search_model-&gt;add_search($this-&gt;input-&gt;post('search'));
				}
			}

		}	else	{
			$data['logged_in'] = false;
		}

		// Issue a new token for the form about to be rendered; the view places it in a hidden field.
		$data['token'] = $this-&gt;auth-&gt;token();
		$data['search_amt'] = $this-&gt;search_model-&gt;post_amt();
		$this-&gt;load-&gt;view('welcome_message',$data);
	}
}

/* End of file welcome.php */
/* Location: ./system/application/controllers/welcome.php */
</pre>
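<p>The same token scheme in framework-free PHP, as an added example rather than the post&#8217;s own Code Igniter code: the token is minted from a cryptographic random source, kept in the server-side session, echoed into a hidden field, and checked with a constant-time strict comparison before the search is saved, with missing or mismatched tokens rejected and logged. Unlike the controller above it keeps one token per session rather than issuing a new one on every page load, and it assumes PHP 7 or newer; the function names and the stand-in &#8220;saved search&#8221; action are constructed for this example.</p>

```php
<?php
// Added example (not the post's own Code Igniter code): the form-token scheme
// in framework-free PHP. The token lives in the server-side session, which
// reaches the browser only as the session cookie, and is echoed into a hidden
// field; a POST is honoured only when the two match.
// Assumes PHP 7+ (random_bytes, hash_equals). Function names are hypothetical.

session_start();

/**
 * Return the session's token, minting one if none exists yet.
 * One token per session (instead of one per page load, as in the post)
 * lets several open tabs submit without invalidating each other.
 */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        // 32 hex chars from the OS CSPRNG; uniqid()/rand() are guessable.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(16));
    }
    return $_SESSION['csrf_token'];
}

/** Hidden input to place inside every state-changing form. */
function csrf_field(): string
{
    return '<input type="hidden" name="token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

/**
 * Check the token submitted with a POST against the one in the session.
 * True only when both are present, are strings, and match exactly.
 */
function csrf_valid(array $post, array $session): bool
{
    $submitted = $post['token'] ?? '';
    $expected  = $session['csrf_token'] ?? '';
    if (!is_string($submitted) || $submitted === '' || $expected === '') {
        return false; // missing on either side: reject, never fall through
    }
    // Constant-time, type-strict comparison; also sidesteps the loose ==
    // pitfall where "0e123" and "0e456" compare equal as numeric strings.
    return hash_equals($expected, $submitted);
}

// --- request handling ---------------------------------------------------
$message = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST, $_SESSION)) {
        // A burst of these from one client is worth alerting on.
        error_log('CSRF token mismatch from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        http_response_code(403);
        exit('Invalid form token');
    }
    // Token verified: perform the state change. This stands in for the
    // post's add_search(); the echoed value is constructed for the example.
    $search  = $_POST['search'] ?? '';
    $message = 'Saved search: '
        . htmlspecialchars(is_string($search) ? $search : '', ENT_QUOTES, 'UTF-8');
}
?>
<!doctype html>
<meta charset="utf-8">
<p><?= $message ?></p>
<form method="post" action="">
  <?= csrf_field() ?>
  <input type="text" name="search">
  <button type="submit">Search</button>
</form>
```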
]]></content:encoded>
			<wfw:commentRss>http://blog.primestudiosllc.com/security/csrf-protection-in-code-igniter-using-form-tokens/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>WebApp Security and Lock Picking: Things Aren&#8217;t That Different</title>
		<link>http://blog.primestudiosllc.com/security/webapp-security-and-lock-picking-things-arent-that-different</link>
		<comments>http://blog.primestudiosllc.com/security/webapp-security-and-lock-picking-things-arent-that-different#comments</comments>
		<pubDate>Wed, 07 Jul 2010 03:02:05 +0000</pubDate>
		<dc:creator>Matt</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://blog.primestudiosllc.com/?p=455</guid>
<description><![CDATA[Woah, application security and picking locks- sounds like the topic of lunchtime conversation at DEFCON. When it comes to exploitation, attacks, vulnerabilities, and mitigation techniques, security in any field is really all the same. Sometimes explaining web application security is difficult, but it seems when we match it with something more tangible, like the hard steel of locks, some sense comes to life. Let's start with a “hypothesis”, and then look at some worthy comparisons between 1′s &#038; 0′s, and padlocks &#038; handcuffs. <a href="http://blog.primestudiosllc.com/security/webapp-security-and-lock-picking-things-arent-that-different">Read more...</a>]]></description>
			<content:encoded><![CDATA[<p>Woah, application security and picking locks- sounds like the topic of lunchtime conversation at <a href="http://www.defcon.org/" target="_blank">DEFCON</a>. When it comes to exploitation, attacks, vulnerabilities, and mitigation techniques, security in any field is really all the same. Sometimes explaining web application security is difficult, but it seems when we match it with something more tangible, like the hard steel of locks, some sense comes to life. Lets start with a &#8220;hypothesis&#8221;, and then look at some worthy comparisons between 1&#8242;s &amp; 0&#8242;s, and padlocks &amp; handcuffs.</p>
<p style="text-align: center;"><img class="size-full wp-image-481 aligncenter" title="primestudios-webapp-security-hypothesis" src="http://blog.primestudiosllc.com/wp-content/uploads/primestudios-webapp-security-hypothesis.png" alt="" width="600" height="75" /></p>
<p style="text-align: left;"><img class="size-full wp-image-483 alignright" title="primestudios-lock-security-webapps" src="http://blog.primestudiosllc.com/wp-content/uploads/primestudios-lock-security-webapps.png" alt="" width="225" height="156" />Before we try to explain that, let&#8217;s talk a little about how a lock works. A lock has a set number of pins inside (anywhere between 5-7 pins for a normal lock), each cut to a specific height. When a key with the correct pattern is inserted, all the pins line up straight and allow the lock mechanism to rotate (see more at <a href="http://home.howstuffworks.com/home-improvement/household-safety/security/lock-picking1.htm" target="_blank">How Stuff Works</a>). The problem for someone without a key is that they need to manually manipulate each pin to the correct height in order to get the lock to rotate/open.</p>
<p style="text-align: left;">So let&#8217;s start with a simple comparison: we can easily see that the more pins in a lock, the harder it is to pick. Along with this, the more random the pin heights, the harder the lock will be to pick. Sound familiar? In web application security we use bit length (each bit is technically a &#8220;layer&#8221; of security) and randomness <strong>all the time</strong>. Consider how we hash passwords to save in a database: the most common hashes are MD5 and SHA1, which produce 128-bit and 160-bit digests (respectively). <em>Quick Tip: Anything hashed for the US Government must be at least as secure as SHA1; MD5 is unacceptable</em>. Let&#8217;s see an example:</p>
<p style="text-align: center;"><img class="size-full wp-image-465 aligncenter" title="primestudios-sha1-vs-md5-encoding" src="http://blog.primestudiosllc.com/wp-content/uploads/primestudios-sha1-vs-md5-encoding1.png" alt="" width="522" height="96" /></p>
<p style="text-align: left;">Well, indeed MD5 produces a shorter digest, and is in turn less secure if we were to try to break it using &#8220;brute force&#8221;- having server upon server running automated scripts using good ole&#8217; trial and error. Lock pickers use brute force all the time; one method uses these nifty &#8220;jiggler keys&#8221;:</p>
<p style="text-align: left;"><img class="size-full wp-image-470 aligncenter" title="primestudios-jiggler-keys-webapp-security" src="http://blog.primestudiosllc.com/wp-content/uploads/primestudios-jiggler-keys-webapp-security1.png" alt="" width="645" height="279" />These keys are made for car door locks. As you can see there is some randomness between each key, and the idea is that you put one into the door lock, &#8220;jiggle and twist&#8221;, and by the time you have given each pattern a couple of minutes you find one that works- brute force at its finest!</p>
<p style="text-align: left;">Handcuffs are a well-known lock that displays some <strong>layers of security</strong>. Instead of six or seven pins, handcuffs have one simple lever- yes, society trusts that if you are dumb enough to get arrested, you are not smart enough to bypass a single-lever mechanism. However, consider the more transparent layers of security related to handcuffs:</p>
<p style="text-align: center;"><img class="size-full wp-image-544 aligncenter" title="primestudios-handcuff-picking-rules" src="http://blog.primestudiosllc.com/wp-content/uploads/primestudios-handcuff-picking-rules1.png" alt="" width="635" height="198" /></p>
<p>Be proactive: strip and clean anything that could damage the application. Give as little information about the way the application is built as possible; hide file extensions and handle all errors. Lastly, watch and react; if you get 100 requests from an IP address in China in 3 minutes, block it. As developers we must try our best to put the attacker at a disadvantage by using layers; remember some of these when building a web application:</p>
<p style="text-align: center;"><img class="size-full wp-image-533 aligncenter" title="primestudios-web-application-security-layers" src="http://blog.primestudiosllc.com/wp-content/uploads/primestudios-web-application-security-layers1.png" alt="" width="647" height="433" /></p>
<h3>Layers, The Future, and You.</h3>
<p style="text-align: left;">We believe one large part in the evolution of web security is summed up in a great quote from an <a href="http://www.owasp.org/index.php/Main_Page" target="_blank">OWASP</a> Podcast we recently listened to: &#8220;If someone was throwing rocks at your house window, you wouldn&#8217;t just sit there and be happy your windows are strong, you would call the police or go after the person. We don&#8217;t do this in web application security yet.&#8221; One idea we are currently piloting at Prime Studios is a &#8220;that&#8217;s weird&#8221; database; we add a simple line to our XSS (Cross Site Scripting) filtering, our CSRF (Cross Site Request Forgery) filters, and authentication systems to log anything that would make us say &#8220;that&#8217;s weird&#8221;. It doesn&#8217;t sound like much, but if we see a lot of login failures or broken form tokens over a certain time period, we can take action on a particular user, IP address, User Agent, or a mix of all of them.</p>
<p>Everyone likes elegant solutions, but unfortunately with web application security we can&#8217;t just rely on a single [Godly] plugin or framework to handle all our security needs. The first step is knowing what to look for (education), and then you can start building your own methods for a strong security policy throughout your applications (implementation). Hit up the following links for some more great web application security tips:</p>
<p><a href="http://msdn.microsoft.com/en-us/library/ff649874.aspx" target="_blank">Improving Web Application Security</a></p>
<p><a href="http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project" target="_blank">OWASP Top Ten for 2010</a></p>
<p><a href="http://www.applicure.com/solutions/web-application-firewall" target="_self">Web Application Firewalls</a></p>
]]></content:encoded>
			<wfw:commentRss>http://blog.primestudiosllc.com/security/webapp-security-and-lock-picking-things-arent-that-different/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Simple WebApp Cross Site Scripting (XSS) Attack</title>
		<link>http://blog.primestudiosllc.com/security/simple-webapp-cross-site-scripting-xss-attack</link>
		<comments>http://blog.primestudiosllc.com/security/simple-webapp-cross-site-scripting-xss-attack#comments</comments>
		<pubDate>Thu, 24 Jun 2010 23:10:23 +0000</pubDate>
		<dc:creator>Matt</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://blog.primestudiosllc.com/?p=440</guid>
		<description><![CDATA[XSS, or Cross Site Scripting, is one of the biggest security risks that any web application developer or concerned client should have a good understanding of. XSS makes use of vulnerabilities in a website to inject [malicious] code. Websites are made up of many elements, including things like header information, HTML elements, and sometimes JavaScript elements. <a href="http://blog.primestudiosllc.com/security/simple-webapp-cross-site-scripting-xss-attack">Read more...</a>]]></description>
			<content:encoded><![CDATA[<object width='650' height='365'><param name='allowfullscreen' value='true' /><param name='allowscriptaccess' value='always' /><param name='movie' value='http://vimeo.com/moogaloop.swf?clip_id=12838411&amp;server=vimeo.com&amp;show_title=1&amp;show_byline=1&amp;show_portrait=0&amp;color=&amp;fullscreen=1' /><embed src='http://vimeo.com/moogaloop.swf?clip_id=12838411&amp;server=vimeo.com&amp;show_title=1&amp;show_byline=1&amp;show_portrait=0&amp;color=&amp;fullscreen=1' type='application/x-shockwave-flash' allowfullscreen='true' allowscriptaccess='always' width='650' height='365'></embed></object>
<p style="margin-bottom:30px; padding-top:15px">XSS, or Cross Site Scripting, is one of the biggest security risks that any web application developer or concerned client should have a good understanding of. XSS makes use of vulnerabilities in a website to inject [malicious] code. Websites are made up of many elements, including things like header information, HTML elements, and sometimes JavaScript elements. JavaScript runs in the browser, and can modify things within a webpage dynamically, without the user actually knowing. This video explains a vulnerability on a website that includes a search box and a login form in the same view. We show how JavaScript can be used to modify a form action, resulting in a complete exploit of a user&#8217;s credentials.</p>
<p style="color: #999">Our privacy policy: With knowledge comes power, use it wisely and in positive ways. For more information about web application security visit <a href="http://www.owasp.org/index.php/Main_Page" target="_self"><span style="text-decoration: underline;">OWASP</span></a> (Open Web Application Security Project). </p>
]]></content:encoded>
			<wfw:commentRss>http://blog.primestudiosllc.com/security/simple-webapp-cross-site-scripting-xss-attack/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
