Increasing the ROI of content marketing?

Great content marketing takes serious time and energy, and the cost can also become quite high. That’s why it’s important to keep the return on investment (ROI) as high as possible, so you actually get something in return for all your efforts. That “something” can be, for example, more traffic to your website or increased online sales. How to improve your ROI is what we’ll dig into in this series of blog posts.

Aim for position 0 in Google

Position 0, also known as the featured snippet, is the text box that pops up in a Google search and gives you a direct answer to your search query. Research has shown that position 0 generates a whopping 114% more traffic to a website than position 1. Clearly, it’s well worth the battle! You’ll see the best results by using the right keywords. To help you in that area, you can use Textmetrics Content Ranking. That tool indicates whether you’re on the right track and offers you tips for improved keywords.

Practical tips

You might think that position 0 is only available to online giants like Wikipedia. It’s actually also up for grabs for your company or organization, but of course within search queries that are relevant to your business! To improve your chances of reaching this position, you can apply the tips listed below.

  1. Use questions to your advantage. It’s smart to use actual questions in your web text, like “How do I rank higher in Google?” and “How can I maximize the ROI of my content marketing?” Then you answer the question very briefly in the intro and expand on your answer in the body of the post.
  2. Are you a small business owner? Focus your efforts on local SEO, like “Where can I find a washing machine in Amsterdam?” or “How do I get to the closest café in Victoria?” Make sure to answer those questions briefly, just like in tip 1.
  3. Use keywords that already score high in other articles on your website. Not sure which ones those are? Try using the handy Content Ranking Index by Textmetrics.
  4. Run the Textmetrics Keyword Analysis to link the search queries related to your top keywords. That way you know exactly which searches rank highest in Google, allowing you to adjust your web copy accordingly.
  5. Position 0 likes things to the point and strong. The long pieces of web copy you use to explain a product or service won’t score you that ranking. That’s why it’s smart to create separate pieces of content containing about 54 to 58 words in total. Don’t forget about longer blog posts and articles altogether, since Google likes those, too. Make sure you include both styles on your website, or make sure you have a main question followed by a short summary of a longer post.
  6. Columns, tables, rankings, lists… Position 0 loves those! Definitely use them in your content, just like we’ve done here.
  7. Make sure your articles and blogs are connected to related questions. Try explaining any jargon specific to your business on a separate page, or come up with some questions that are linked to the topic of discussion in your article.
  8. Stay alert! Textmetrics Content Ranking Index will keep track of how you’re scoring in comparison to your competitors. That way you know exactly when it’s time to take action.
  9. Automation of SEO. Textmetrics offers the plug-in ‘SEO-editor’, which you can apply to your website (compatible with WordPress, Drupal, Joomla, SiteCore, and Word). It automatically ensures that your content is made Google-proof. Easy peasy, right?

Use smart tools

By applying the tips listed above, you’ll improve your chances of conquering position 0 in Google. But that can only work if your SEO basics are in place. Check to make sure that your website is completely optimized before even thinking of position 0. Make things easy on yourself, though, by using our Content Creation Engine and the Textmetrics Content Ranking. These smart tools make it much easier and a lot more fun to write great, discoverable, and Google-friendly content. Need more help than that? In this blog you’ll find more information.

Whitepaper SEO

Would you like to dig a bit deeper into SEO and how to best apply it to your website? You could, of course, dig through thousands of whitepapers about SEO, all available online. But if you lack the time and desire to do that, you can simply use the Content Creation Engine by Textmetrics. Just start writing, and our tool offers you tips to update your SEO along the way. Our team is always up-to-date, does take the time to read all the thousands of SEO whitepapers, and then integrates all that information into the Content Creation Engine. That way you can create great content quickly, without having to hit the books first. You can even have it check your “older” content. Copy and paste the existing copy into our tool to get advice about SEO. The tool will check the text against the latest rules and guidelines for Google and offer advice on that front. Implement the points of improvement, then paste the optimized text back into your website. It’s practically child’s play!

How SEO and Reputation Content Countermeasures Are Ruining The Internet Part 1

Marketing has always consisted of presenting a narrative of your product, service, or even ideas and crafting them in a manner more pleasing to the audience. With the increase in data sharing and interactions online, this has only grown. The problem with this growth is that it comes with an increasing rate of growth for Content Countermeasures that are intended to stifle, erase, or completely distort the truth about specific content online. Content Countermeasures are nothing more than the attempt to deceive the public with exaggerated, inflated and, in some cases, invented information. In some cases, this serves a very legitimate purpose, like incentivizing positive reviews and ratings from clients to overcome someone who griped about not getting his water and hot bread fast enough when entering a restaurant. There are certainly legitimate cases like this for businesses to present a positive image of themselves to the public. There is a duality to this topic, as there are those who purposefully mislead the public with positive or negative spam of business content, creating a countermeasure to any possible chance of receiving accurate information. While this might seem like a trifling act, it damages the ability to have a reasonable expectation of receiving correct and verifiable data in search results.

"Reputation Management Scams"

When it comes to the dirtier uses of Content Countermeasures, the "reputation managers" of the world are almost always going to be among the top offenders. The ads heard on talk radio and pushed for local companies are usually nothing short of bragging about how they can spam the public with disinformation about your company or yourself. Sure, it's sold as "restoring your good name", but if you are going to go through extreme steps (and reputation management often requires extreme steps) to garner enough faked or duplicated content to push down the negative reviews and ratings, then the entire concept of public relations is in shambles.

Again, this isn't being critical of those who have a solid and honest goal of ensuring honest content about their business (we will talk about the content assassins below). Let's be clear: if you have to market your company or yourself with false or spammed information, then you or your product simply aren't worth what you are trying to present them as.

Scam Spam

The same holds true for people who want to push down legitimate information to hide their concerning content from the public. Content writers are notorious for this one. We get a different one filling our spam folders every week with messages bragging about how they can spam the highest ranking blogs on the internet... for a price, of course. This is a two-pronged version of Content Countermeasure SEO. First, they are spamming mass content about themselves on the front end of the conversation; then, they have to do something to remove data from all of the people who are complaining about the unsolicited content. There will be the guys who have dozens, sometimes hundreds, of Blogger, Weebly, Tumblr, etc. sites with several variations of their own name and all with content claiming to be the most relevant. We've found the same thing done lately with people who have warrants and want to confuse police (from identifiable IP addresses though, so not sure how well that works). Additionally, they will play the game of buying any and all variations of one's name in domain format, and again, spamming the internet with redundant and often obscure data to attempt to divide relevancy on the person's identity. We ran into one of these guys recently who had over 200 variations of his own name out there, all to push down the 40-50 ripoff reports filed about his poor business practices. The spam data traces act as an SEO Countermeasure to prevent people from finding out about his actual business practices, and instead focus on a false narrative that is completely opposite to reality.

No, I am not coming down on narratives themselves. As I said in the intro to this post, narratives are shaped by the marketer, but as soon as they are completely falsified narratives, then nothing is left but a dishonest scam being perpetrated on the reader. The petty marketers who believe that there is a magical line of lies they can hover on and still have their integrity intact are some of the most genuine and shining examples of cognitive dissonance available.

SEO Assassins

These are the lowest bottom-feeders of the internet. They include "Yelpers", "Competing Reviewers", and all the others willing to destroy. Content Assassins, or SEO Assassins, are often written off as competitors or disgruntled employees, but we've found more instances lately of little to no association being the culprit. The internet gives strength to those who wish to do damage to others with impunity. A restaurant client of ours apparently slighted a patron by serving his therapist. The individual saw this as a slight against him, and went on to commit a fake review and spam campaign to destroy the restaurant's reputation. Using a photoshopped comment image, the spammer made it appear that the restaurant (run by a gay man) had made anti-gay statements to him on Facebook. This one fake image, posted in several LGBT social media groups, caused over 500 negative reviews in one night. By the time the restaurant came to us, we had over 900 review accounts to send individual requests and explanations to.

Negative SEO: Have You Been a Victim Of Nefarious SEO Tactics

Recently, our Chicago SEO clients came to us with a new, and expected, problem. Thanks to Google's desire to stop SEO spamming and farming, we now have a new problem. Negative SEO is happening, and it’s something that can be used against your business at any time, no matter what industry you are in. This post will help you quickly identify if you’ve been a victim of negative SEO and provides tips on how to overcome it.

Good SEO vs. Negative SEO

There’s good (positive) SEO and then there’s assassin (negative) SEO. Just like a good comic book character, the super power of SEO can be used for dark purposes; negative SEO is SEO used nefariously and refers to the worst kind of SEO possible:

Negative SEO - The intentional act of over-optimizing or spamming a site in order to lower its rankings in search results.

Good SEO is a highly ethical practice and is based solely on hard work for a strong output. When it’s employed honestly, it helps quality sites with great content to establish well-deserved rankings through following developer best practices and Google’s quality guidelines. It’s also ethical when used to help well-intentioned sites overcome technical barriers such as unintentional duplicate content, crawlability, page speed and other issues.

Good vs Bad SEO

How Does Negative SEO Occur?

Negative SEO is done primarily through link spamming and farming, usually through Fiverr and SEOClerks gigs. For example, someone may pay an off-shore firm to build 10,000+ links to your site using a key phrase your site is targeting. Please note: if your current agency is doing this in the belief that it is going to improve rankings, cancel immediately or you may experience traffic declines similar to this:

Negative SEO traffic drop

How to Tell if You’ve Been Targeted With Negative SEO

Spotting negative SEO is fairly obvious if you’ve never intentionally built links or targeted specific keywords through spam bombing. If you have built links manually through the years using various target keywords, then it may not be as simple. Regardless of how the links have appeared in your profile, here are a handful of things you can do:

  • Conduct a backlink analysis, focusing on anchor text using sites like MajesticSEO
  • Look for unnatural or suspicious IPs
  • Identify any unrelated anchor text (Credit Checks, Pills, Payday, etc.)
  • Check Google Webmaster Tools for Manual Penalties

Always keep an eye on what anchor text is being used to link to your site. A detailed backlink analysis should be conducted to help identify which terms link to you the most. There are a number of great tools, including Ahrefs, Link Detox, Majestic SEO and Open Site Explorer, to help you do this, but pay special attention to keyword-rich anchor text. Any links that aren't simply linking with your brand or domain name should raise flags and be put on the suspect list.

If your site and target markets are located entirely in the U.S. then you shouldn’t have foreign IPs or non-US TLDs pointing to your site. Tools such as Ahrefs are handy in quickly spotting TLD distributions:

Foreign ccTLDs

Do you have any nonsense, unrelated anchor terms? This is the biggest problem in this area and the easiest way to tank a website's SEO. Negative SEO Assassins often take advantage of the algorithms associated with certain industries, such as payday loans. If a site happens to link to yours using anchor text which includes these terms, your rankings will suffer. We have a local dentist as a client with remarkable payday-related anchor text in his profile:

Do you have any Manual Actions/Penalties in Google Webmaster Tools? Here’s what you’ll see if you do:

How to Recover

Future posts will delve further into the complete recovery process, but here is the rough and basic path to recover from Google penalties; the principles are the same:

  • Keep in touch with webmasters and remove known bad links (yes, this makes us upset too, especially if you’re not the one that built the bad links, but Google still wants you to do your best to remove them)
  • Use the Disavow Links tool (with extreme caution)
  • Submit a reconsideration request (for manual penalties only; for some penalties, it will be difficult to even know your site has a penalty)
  • Contact Google through the Webmaster Tools Troubleshooter (for algorithmic penalties)

To summarize, know what links are pointing to your site and know what anchor text is being used the most. Be suspicious of any anchor text that is highly optimized (focuses on your primary keywords) and especially be on the lookout for completely unrelated industry terms (such as payday loans, etc.). Attempt to remove all known bad links and add all [bad domains] to your disavow file in Google Webmaster Tools. Be up front about the issue, be respectful in your communication to Google through the reconsideration request form or troubleshooter, and don’t give up, even after several contact attempts.
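As an added example that is not part of the original post, the Python below runs the checks described above over a backlink export: it flags unrelated anchor terms (payday, pills and the like), keyword-rich anchors that are neither the brand nor the domain, and links from country-code TLDs outside a US-only market, then lists the suspect referring domains as "domain:" lines of the kind a disavow file takes. The CSV columns, the fictional brand "Oak Dental" with domain oakdental.example, and every sample row are constructed for this example.

```python
# Added example (not from the original post): triage a backlink export for the
# warning signs the post lists and emit a disavow-style list of suspect domains.
# The column names, the brand "Oak Dental", its domain oakdental.example and
# every sample row below are constructed for this example.
import csv
import io
from collections import Counter
from urllib.parse import urlsplit

# Constructed backlink export for a fictional Naperville dentist.
SAMPLE_EXPORT = """source_url,anchor_text
https://www.chicagotribune.com/health/dentists,Oak Dental
https://blog.example.org/best-dentists,oakdental.example
https://cheap-loans.example.ru/links,payday loans online
https://forum.example.co.uk/thread/77,dentist naperville il
https://pills4u.example.info/page,buy cheap pills online
https://directory.example.com/dentists,https://oakdental.example/
https://review-site.example.com/oak,click here
https://loans.example.ru/x,payday loans online
"""

# Anchor terms unrelated to almost any legitimate business; expanded from the
# post's "Credit Checks, Pills, Payday" list.
SPAM_TERMS = ("payday", "loan", "pills", "credit check", "casino", "poker")

# ccTLDs that belong to the business's own market. The post's scenario is
# US-only, so any other two-letter TLD is treated as foreign.
ALLOWED_CCTLDS = {"us"}


def classify_anchor(anchor, brand, domain, target_keywords):
    """Bucket one anchor text: brand, spam, keyword-rich or other."""
    a = anchor.strip().lower()
    # Natural anchors: the brand name, the naked domain, the full URL, or an
    # empty anchor (image links). A clean profile is mostly these.
    if a in ("", brand.lower()) or domain.lower() in a:
        return "brand"
    if any(term in a for term in SPAM_TERMS):
        return "spam"
    # Exact-match anchors on the site's own target phrases are what a negative
    # SEO campaign (or an over-eager agency) builds in bulk.
    if any(kw in a for kw in target_keywords):
        return "keyword-rich"
    return "other"          # "click here", "read more" and similar


def tld_of(url):
    host = urlsplit(url).hostname or ""
    return host.rsplit(".", 1)[-1].lower()


def is_foreign(url):
    """True for a two-letter country-code TLD outside the allowed market."""
    tld = tld_of(url)
    return len(tld) == 2 and tld not in ALLOWED_CCTLDS


def triage(export_csv, brand, domain, target_keywords):
    """Return one (referring_host, anchor, category, reasons) tuple per row.

    An empty reasons list means the link looked natural under these checks.
    """
    rows = []
    for rec in csv.DictReader(io.StringIO(export_csv)):
        url, anchor = rec["source_url"], rec["anchor_text"]
        category = classify_anchor(anchor, brand, domain, target_keywords)
        reasons = []
        if category in ("spam", "keyword-rich"):
            reasons.append(category + " anchor")
        if is_foreign(url):
            reasons.append("foreign ccTLD ." + tld_of(url))
        rows.append((urlsplit(url).hostname, anchor, category, reasons))
    return rows


def anchor_histogram(rows):
    """Which anchor texts point at you most: the first question the post asks."""
    return Counter(anchor.strip().lower() for _, anchor, _, _ in rows)


def disavow_file(rows):
    """Suspect referring hosts as 'domain:' lines, the form a disavow file takes.

    This is a starting list for a human to review, not something to upload
    blind; the post's own advice is to use the disavow tool with extreme caution.
    """
    hosts = sorted({host for host, _, _, reasons in rows if reasons})
    lines = ["# suspect referring domains from backlink triage (review before submitting)"]
    lines += ["domain:" + host for host in hosts]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    result = triage(SAMPLE_EXPORT, "Oak Dental", "oakdental.example",
                    ("dentist", "naperville"))
    for host, anchor, category, reasons in result:
        flag = "SUSPECT" if reasons else "ok"
        print(f"{flag:7} {host:30} {category:13} {anchor!r} {reasons}")
    print(anchor_histogram(result).most_common(3))
    print(disavow_file(result))
```

Real exports from Ahrefs or Majestic use their own column names, so the DictReader keys are the one thing to adapt before pointing this at a live file.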


WordPress 4.0 Released With Useful Features To Add A Richer Platform

What do CNN, The Blaze, Fox News, Flickr, TechCrunch, eBay and Best Buy all have in common? They all use WordPress. Initially developed as a blogging platform, WordPress has evolved in the last 11 years to a full-fledged popular content management system (CMS), capable of hosting static and dynamic content, e-commerce and event calendars, audio and video podcasts, and more, thanks largely to an expansive plugin system and a supportive community. Of the top 10 million Alexa-ranked websites, 23% use WordPress; of those sites that use a CMS, WordPress accounts for 61% of the market. WordPress dwarfs the competition, with Joomla and Drupal holding only 8% and 5% of the CMS market, respectively.

Media and Plugin Options

WordPress 4.0 focuses on making it easier for site admins to write content, install plugins and manage media. If you spend any time at all in your site's back end (as opposed to using a client like WordPress for iOS or Android or MarsEdit 3 for Mac), these changes will be apparent and appreciated. There are now more options for adding rich content to your posts. Have an image, video or tweet to share with your readers? Since WordPress 2.9, authors have been able to paste the link directly into the WYSIWYG editor (or by clicking "Add Media > Insert from URL") and WordPress would automatically embed the referenced media at a width appropriate to their theme -- for example, so that a YouTube video would play within a site. There's been no need to obtain separate embed code or use the HTML editor. With WordPress 4.0, that automatically embedded media can now come from any of 26 supported sites. Joining essential platforms such as YouTube, Flickr, Twitter and Instagram are others such as CollegeHumor, Issuu, Mixcloud and TED Talks. Also new in 4.0 is the ability to see the embedded media in the WYSIWYG editor, offering a more accurate preview of the published post. But this feature works only when pasting in URLs from the aforementioned 26 hosts. If you prefer to manually obtain, configure and insert a site's embed code in order to, say, start a video at a certain time or add captions, WordPress will not show a preview of media embedded in this fashion.

This is a repost for our Chicago, Naperville and Glen Ellyn web design network team.

Marketing Your Local Business Online

If you run a local business, you may be missing out on a wealth of effective and economical online marketing opportunities. Search Engine Optimization (SEO) is known for connecting people around the globe with their target products and successfully promoting businesses. It's even more well known for marketing local businesses in their communities. There is an entire world of marketing opportunities available for location-based businesses, including search, social, and content marketing options. In this guide, we look into two marketing strategies that successful local businesses use to boost their local SEO. Follow these SEO steps to get noticed in your local community searches.

Naperville Local SEO

Optimizing your website for local search is one of the top priorities. There are a number of ways you can optimize your website for local search that will help attract local clients and customers. The first thing you need to do is identify your keywords. These are the words (usually a short phrase) that describe your business. If, for example, you run a wedding photography business, your keywords might be “wedding photographer.” To localize your business, add the city you target to that phrase, e.g. “Naperville wedding photographer" or "Glen Ellyn Wedding Photography.” Read the Small Business SEO Guide, do some keyword research to make sure the city + keyword phrase has strong search volume, then optimize your website for the best locally focused keywords using the on-site optimization tips in the guide. Next, include a local street address and phone number (with a local area code, not an 800 number) on each page of your website. Most businesses do this in the footer. This information must be on the website in text, not image format, so that search engines can crawl the information. If your business has multiple locations, the alternative is to put the primary location on each page and create individual contact pages for each location.

Tip: Make sure your website has a contact page for each location that includes the address, phone number, and a map helping customers find it. Adding photos of each location on the contact page is also a good idea.

Find the right local directories to join

Local directories and review sites are often referred to as “citations,” and they can help your business website rank well in local search results on Google. Here are the keys to ensuring each local directory and review site you join counts towards helping your business rank well in local search:
  • Make sure your business name, address, phone number, and website are consistent, on both your website and in local listings. Things that will cause ranking problems include having your business name listed as ABC Services in one place and A.B.C. Services in another, or having your address listed as 1500 West First St. in one place and 1500 W. First Street in another, or having your website address listed as in one place and in another.
  • Encourage (but do not incentivize, bribe, or purchase) customers to write reviews about your business on the top local directories and review sites. The more positive reviews you have, the better your business is going to rank.
  • Complete each of your local listing profiles as thoroughly as possible. If you are given the option of adding additional information, social network links, photos, and videos, be sure to do so.
With hundreds of local directories, review sites, and profile pages, choosing which ones to sign up for can be difficult. Start here:
  • Create listings on Google+ Local, Yahoo Local, Bing Local, and Yelp.
  • Search for your business name using Google and then claim and complete profiles for any of the listings that appear on the first couple of search engine results pages (SERPs).
  • Use the GetListed resource pages to find the best citations for your business based on industry and city.
To get in a wide array of listings without spending a lot of time, you can use services like Universal Business Listing. You complete a profile in their system, and they take that information and populate it across all of the local directories and review sites. You can also use tools like Whitespark to find citations for your competitors. They also offer a free review handout generator that helps you create a guide for your customers to use on how to do reviews for your business. Don’t forget about local media and organizations such as newspapers, news stations, and chambers of commerce. Many have their own business directory that you can get listed in simply by asking or becoming a member. You can also reach out to local business owners to see if they are willing to become referral partners. For example, caterers, wedding planners and florists would be ideal referral partners for a wedding photographer. Look for local businesses with partner’s pages or local resource pages.

Google Authorship Is Dead & What That Means For Your SEO Strategy

The Authorship markup was first unveiled by Google in June 2011 and SEO Techs everywhere rejoiced. Its roots can be traced back to the company's Agent Rank patent of 2007. Bill Slawski, an expert on Google's patents, says that the Agent Rank patent is a type of system wherein multiple pieces of content are connected with a digital signature that represents one or more "agents" (authors).

Three years after Google Authorship was launched, the company decided to discontinue the project and SEOs everywhere cried a little. The announcement came from John Mueller of Google Webmaster Tools, who posted it on Google+. According to Mueller, Google will stop displaying authorship in Google Search. Likewise, it will no longer track data from content with the rel=author markup in SERP rankings.

Google noticed that displaying the authorship information wasn't as useful as the company had thought it would be. At some point, it can even distract from the results. For these reasons, Google decided to axe the Authorship project.

Don't discount Author Rank as a result of this change and the reduced snippets.

According to Search Engine Land:

Author Rank Is Real — And Continues!

Schmidt was just speculating in his book, not describing anything that was actually happening at Google. From Google itself, there was talk several times last year of making use of Author Rank as a way to identify subject experts and somehow boost them in the search results:

  • Google Authority Boost: Google’s Algorithm To Determine Which Site Is A Subject Authority, May 2013
  • Google’s Matt Cutts: Someday, Perhaps Ranking Benefits From Using Rel=”Author”, June 2013
  • Google Still Working On Promoting Subject-Specific Authorities In Search Results, December 2013

That was still all talk. The first real action came in March of this year. After Amit Singhal, the head of Google Search, said that Author Rank still wasn't being used, the head of Google’s web spam team gave a caveat of where Author Rank was used: for the “In-depth articles” section, when it sometimes appears, of Google’s search results.

Google divulged that dropping Google Authorship shouldn't have an impact on how the In-depth articles section works, so strong writers' SEO platforms should be intact. Google also explained that the dropping of Google Authorship won’t impact its other efforts to reward authors who perpetually make quality and engaging content. Well, if you read the above portion, you're likely scratching your head. How is there to be Author Rank without authorship, when Google has also said that it’s ignoring authorship markup? The answer is that Google has other ways to identify the author of a quality story, if it wants. In particular, Google is likely to look for visible "bylines" and citations that often appear on news stories and blog posts. These existed before Google Authorship, and they aren't going away. One thing to keep in mind: you will want to ensure that all of your titled work is consolidated under the account name you want tracked.

How to Link to a Phone Number

I always hate when companies get all creative with their phone numbers and have to have letters in the number. My phone doesn't have the letters with the numbers the way they are on a landline phone. Sure, I can get my phone to do that, but it is an extra step and, let's face it, I might be driving, so it is a pain. So when I come across your site, do me a favor and I won't leave your site for another one. You need to link your phone number so that it dials out from a smartphone, iPhone or Android. Well, here is a handy little code that will do it for you. This is what the code looks like in HTML:

<a href="tel:5555551212">555-555-1212</a>

And this is what the code looks like on your page: 555-555-1212

You can even link it to pictures on your site. If you click the picture on this page, it will input the number into your phone as well.
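As an added example (not the post's own code), the Python below generates the tel: link shown above from a phone number written the way humans write it, including the vanity numbers with letters the post complains about, so the href a phone dials is digits only. The keypad table, the 7 to 15 digit rule and the HTML-escaping of the label are this example's own choices.

```python
# Added example (not from the original post): generate the tel: link shown above
# from a human-readable phone number, mapping keypad letters (1-800-FLOWERS) to
# digits so that the href is something a smartphone can dial directly.
# The keypad table and the 7-15 digit rule are this example's own assumptions.
import html
import re

# Standard telephone keypad: each group of letters shares one digit.
KEYPAD = {
    "ABC": "2", "DEF": "3", "GHI": "4", "JKL": "5",
    "MNO": "6", "PQRS": "7", "TUV": "8", "WXYZ": "9",
}
LETTER_TO_DIGIT = {letter: digit
                   for letters, digit in KEYPAD.items() for letter in letters}
# Characters people put in a written number that the dialer does not need.
SEPARATORS = set(" -().")


def to_dial_string(raw):
    """Return the digits to dial: letters mapped to keypad digits, separators
    dropped, a single leading '+' kept for international numbers."""
    out = []
    for ch in raw.strip().upper():
        if ch in "0123456789":
            out.append(ch)
        elif ch in LETTER_TO_DIGIT:
            out.append(LETTER_TO_DIGIT[ch])
        elif ch == "+" and not out:
            out.append("+")
        elif ch in SEPARATORS:
            continue
        else:
            # Anything else ("!", "#", "/", accented letters) is refused rather
            # than silently dropped, so a broken number never ships as a link
            # that dials the wrong thing.
            raise ValueError(f"unexpected character {ch!r} in phone number {raw!r}")
    number = "".join(out)
    # Fewer than 7 digits is not dialable; E.164 caps numbers at 15 digits.
    if not re.fullmatch(r"\+?[0-9]{7,15}", number):
        raise ValueError(f"not a dialable number: {raw!r}")
    return number


def is_dialable(raw):
    """Convenience predicate for validating numbers coming out of a CMS field."""
    try:
        to_dial_string(raw)
        return True
    except ValueError:
        return False


def tel_href(raw):
    return "tel:" + to_dial_string(raw)


def tel_link(raw, label=None):
    """Return the anchor element. The visible label is HTML-escaped, so a number
    taken from a CMS field or form cannot inject markup into the page; the href
    is safe by construction because to_dial_string lets only digits and '+' through."""
    text = raw if label is None else label
    return '<a href="%s">%s</a>' % (tel_href(raw), html.escape(text))


if __name__ == "__main__":
    for number in ("555-555-1212", "1-800-FLOWERS", "+1 (555) 555-1212"):
        print(tel_link(number))
```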

Downtime Can Be A Nightmare

We're glad to be back in the land of the tubes. The past two weeks have made for an incredible experience of getting our site back up and working out the finer points with our host. Before we get into that portion though, we should probably explain why we were down... As we often point out, we are hosted by Byethost. They and Bluehost are the two hosting companies we've come to trust the most for shared server space. Unfortunately, we discovered that a plugin we were using for the feeds was not well accepted by our neighbors on the server. We were capturing all of our feeds with the WordPress plugin wp-o-matic. What we didn't realize is that this plugin causes a major drain on the server side, and when on shared space, damages your neighbors' bandwidth... OOPS!!! We honestly never considered that such a widely-used plugin would be the cause of such issues, but tests afterward have shown that it couldn't have been anything else. Because of the excessive bandwidth, resources, and memory that wp-o-matic was stripping from the shared space, we were booted to a Virtual Private Server... i.e., banished to the Dagobah system. It took a week of negotiating, but Byethost was willing to settle the dispute once we were well assured that it had to be the plugin that was causing all of the trouble. One week later, we're back up and on the way again.... Needless to say, our feeds will no longer run through WP-O-Matic.

Now for the sob-story

While we were only down about a day and back and forth between IPs for one week, Google took a lot of notice. Our impressions went from an average of 1,000/day to 22 tonight. Our traffic went from an average of 200/day to 30 tonight. The past week of being back up is representative of absolute downtime in the SERPs. Notice in the screenshot that the exact date of being down is visible, as well as the subsequent falling out with Google ranking.

While this is a pretty steep setback for the short-term, we will return to our previous standing rather quickly. We've run into similar situations with client sites, but never thought we would need to do damage control of our own. Here are the steps that must be taken directly after an event like this.

  1. Immediate push for back-links. During the month following a down-time like this one, the need for sites around the web to verify your existence is crucial. The pages that Google attempts and fails to crawl can be put on the back burner for a period of time. Making a strong push for links and acknowledgment can get a faster crawl to those skipped pages than would likely come otherwise.
  2. Add more content. We all know that the best way to get Google's attention is to give it something new to look at. While we feed several different blogs on this site, we also enjoy adding our own content on a regular basis. At this moment it's pertinent to add more than we normally would. The additional content will signal that the site is not dead and is in fact very much alive and active.
  3. In addition to adding the content, we have to make sure that Google is aware of it being added. To drive home this point, we submit sitemaps... Several sitemaps. From XML to ROR, we submit every possible format of sitemap available. Some may think this a bit eccentric, but in dire moments like these, it can be the difference between being demoted for weeks or for months. For additional sitemaps in WordPress, we suggest using the following We also have some made at in url.txt and rss.ror format.

Our running experiment will now be to see how long it will take to return to the traffic and ranking that we had last month. We will share this experience with you all and welcome any suggestions or thoughts you would like to add.

Another Saturday Night in Web Development

How many times must it be said?


I'm 5 cups of coffee past sanity and still have an hour or two before I can sleep. Recently many of our clients began getting hacked by the children on the Defacement Logging Website that shall remain nameless. (Quite frankly, I don't want to add ourselves to the hit-list.) They targeted three of our clients' sites this past week. Their targeting was very general in nature, and used a few different methods. Two were injections, and one is still being debated. The portion that hurts is that one of our clients didn't back up his database. After a forced entry into your website, it is generally considered a good idea to burn the damage, i.e. kill the database and erase data from the server to ensure that back door code has not been left in the site. Tonight, that is not an option. Our client had apparently gone three months without an XML backup, and has misplaced where that copy is located. Instead of the famous "5 Minute Install", or in some cases "5 Minute Reset", we get to go through tons of lines of MySQL database to ensure that we eliminate all code that may have been left. I will not be a very happy person in the morning, and I'm grateful that it will be Sunday. Hopefully we get a day off.

Protecting Against SQL Injections

No, this is not a replay of 2002. SQL injection is still an active exploit for hijacking and defacing a database-driven website. While there are several methods and builds of site that can be attacked this way, we will be confining our feeds to SQL injections into a Wordpress MySQL database. Here is the first we will be referencing. It comes from G4B1DEV and is a good article on ways to protect your PHP and MySQL database. In none of these feeds will we reference the "how to" of SQL injection, but we will be adding regular posts on how to protect your website. -Enjoy-

SQL Injection Protection in PHP With PDO

Database abstraction layers like PHP's PDO (PHP Data Objects) are not a new concept, but a lot of developers don't seem to realise the security benefit they're getting for free by using them: inherent protection against SQL injection. SQL injection is the buffer overflow of the web application world. It has been around forever, and every web application developer should know how to write code that is not vulnerable to it. For those not in the know, SQL injection is a technique whereby an attacker exploits inadequate data validation to inject arbitrary SQL into your application's queries and have it executed as though it were a legitimate query.

I won't go too deeply into SQL injection in this article, but here is a simple example. The front page of your application has a login form, which is submitted to a PHP script that validates the user's credentials and allows or denies access to the application. The login form submits two variables by POST as follows:

    username=fred&password=Fr3dRul3z

The POSTed data is then used to build an SQL query to validate the credentials, like this:

    $sql = "SELECT * FROM users WHERE username = '".$_REQUEST['username']."' AND password = '".$_REQUEST['password']."'";

This results in the SQL query:

    SELECT * FROM users WHERE username = 'fred' AND password = 'Fr3dRul3z'

Assuming a row exists in the database with these credentials, the user is allowed to log in. An attacker can circumvent this authentication scheme by escaping out of the username field into the SQL query: the password field is left empty and this is entered into the username field:

    ' OR 1=1 -- 

The resulting SQL query string looks like this:

    SELECT * FROM users WHERE username = '' OR 1=1 -- ' AND password = ''

Which, as I'm sure you can see, selects all users from the database, since the condition 1=1 is always true. The rest of the query is discarded by the comment operator -- (in MySQL the double dash must be followed by a space for it to count as a comment).

The way to avoid this kind of attack is to sanitise the data submitted to the form by escaping everything that could be used to break out of the quotes around the fields (e.g. mysql_real_escape_string() if you're using MySQL). However, in a land far away somebody was inventing database abstraction layers... The primary objective of database abstraction layers like PDO is to abstract your code away from the database platform, so that, theoretically, you could switch from, say, MySQL to PostgreSQL or Oracle with minimal changes to the code. In practice this depends heavily on how much your code relies on platform-specific features like triggers and stored procedures, but if you're not relying on them at all and you're just doing simple INSERT/UPDATE/DELETE operations it's a free ride. Sounds moderately useful, but nothing exciting, right? Right.

Another neat feature invented a long time ago is prepared statements, and most database abstraction layers (including PDO) implement them as a way to perform the same query multiple times with different data sets (e.g. inserting a whole bunch of new rows). When building statements with PDO, instead of assembling the SQL string manually as demonstrated earlier, we build the statement with placeholders like this:

    $sql = "INSERT INTO fruits (name, price) VALUES (?, ?)";

and then execute the query with a data set passed to the abstraction layer as follows:

    $sth = $dbh->prepare($sql);
    $sth->execute(array($fruit, $price));

When the data is handed to PDO like this, it either passes the data on to the database driver directly, or builds the query internally in a safe manner with any potentially malicious data encoded or escaped. As you can see, this is an easy way around the problem of SQL injection. However, prepared statements with PDO aren't all puppies and rainbows. Using prepared statements introduces a number of caveats of which developers should be aware.

For example, in the MySQL client API prepared statements can not execute certain types of queries[1] and they do not use the query cache[1][2], which may have an impact on your application's performance. The inherent security of prepared statements sounds great, but developers should not let PDO and other abstraction layers or prepared statement implementations lull them into a false sense of security. Untrusted data should always be validated and sanitised; PDO is just another line of defense. It doesn't cover the territory of the multitude of other input validation vulnerabilities like cross-site scripting, but it does do a good job of protecting applications against SQL injection. The best strategy is to allow only known good data by whitelisting characters and matching input against regular expression patterns, then to use prepared statements to catch anything SQL injection-wise that the input validation misses, all in conjunction with a web application firewall like ModSecurity.

PDO has been built into PHP since version 5.1.0, which was released in November 2005. Unless you've got a good reason for not using it in your PHP apps, you should be: it is a portable replacement for the old mysql_* functions and other platform-specific functions, with the added benefit of protection against SQL injection.

Author: Loukas Kalenderidis
Article Source:
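As an added example, not code from the article or from this site: the article's login lookup built both ways against an in-memory SQLite database through PDO (assumes the pdo_sqlite extension is available), with the whitelist check the article recommends placed in front of the query; the table, rows and function names are constructed for the demonstration.

```php
<?php
// Added example, not the article's or this site's code. The users table,
// its rows and the function names are constructed for the demonstration;
// passwords are stored in clear only to mirror the article's query.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec("CREATE TABLE users (username TEXT, password TEXT)");
$dbh->exec("INSERT INTO users VALUES ('fred', 'Fr3dRul3z'), ('alice', 's3cret')");

// Vulnerable: the submitted values are spliced into the SQL text, so a quote
// in the input changes the structure of the query instead of being compared.
function loginUnsafe(PDO $dbh, string $user, string $pass): int
{
    $sql = "SELECT COUNT(*) FROM users WHERE username = '" . $user
         . "' AND password = '" . $pass . "'";
    return (int) $dbh->query($sql)->fetchColumn();
}

// Hardened: placeholders fix the SQL structure up front; PDO hands the values
// to the driver separately, so they can only ever be matched as data.
function loginSafe(PDO $dbh, string $user, string $pass): int
{
    $sth = $dbh->prepare(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    );
    $sth->execute([$user, $pass]);
    return (int) $sth->fetchColumn();
}

// Whitelist step the article recommends in front of the prepared statement:
// accept a username only if every character is one we expect to see.
function validUsername(string $user): bool
{
    return preg_match('/^[A-Za-z0-9_]{1,32}$/', $user) === 1;
}

$real    = ['fred', 'Fr3dRul3z'];
$payload = ["' OR 1=1 -- ", ''];   // the tautology input described in the article

printf("unsafe, real credentials: %d row(s)\n", loginUnsafe($dbh, ...$real));
printf("unsafe, payload:          %d row(s)\n", loginUnsafe($dbh, ...$payload));
printf("safe,   payload:          %d row(s)\n", loginSafe($dbh, ...$payload));
printf("whitelist on payload:     %s\n",
       validUsername($payload[0]) ? 'accepted' : 'rejected');
```

For the real credentials both lookups find one row; for the payload the string-built query matches every user, the prepared statement matches none, and the whitelist rejects the input before any query runs.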

New Directories

We've revived and added new directories to the ever-expanding Naper Design Business Network. While the number of business directories is currently limited, there will be many more to come. We are using DirectoryPress, produced by Mark Fail, and will be asking everyone to list a business that they know of. Our hope is to add 200 businesses a month for each directory. Here is a list of the first batch; more will be added in the days to come.

Naperville Business Directory
Raleigh Business Directory (serving the entire Triangle Area)
Chicago Business Directory
Aurora Business Directory (Aurora, Illinois)
Charleston Business Directory (for the entire Tri-County and Low Country Area)

There will be many more directories added to this list, and all will be managed for accuracy. After implementation on July 1st, listings will be automatic for all registered users of each site. Leave your thoughts, and we'll see what we can add to the directory plot to make it more user friendly.