Category: Scripting
Not really an IDE, but it's better than Notepad - Notepad++
If you're in any way involved with coding, you'll probably have your own preferences with regards to a development environment. IDEs (Integrated Development Environments) range from a simple editor such as Notepad or vi, all the way up to full studios like Microsoft's Visual suite. In many situations, a fully-fledged environment is overkill. However, it's also nice to have a few time-saving features. This is where Notepad++ sits.

The program supports all of the popular programming and scripting languages, and will highlight them appropriately. There is also a vast range of community-produced plugins available, as well as the standard integrated ones like the Hex editor and file explorer.
Obviously, you wouldn't want to write an entire operating system using it, but for some down and dirty editing, it's a lifesaver.
You can download Notepad++ from SourceForge
Joomla - great for content, PITA for coding...
As part of my day to day work, I deal with a wide range of technologies. Recently, a client asked me to help out with adding some affiliate links into their site. Easy, huh? Well, it's a bit of a pain to be frank. The site runs on a Joomla framework, which means it's incredibly easy to configure - if you've never used Joomla before, I'd suggest popping over to their site and having a look.
So, getting your content laid out as you want it is easy enough. However, when it comes to adding scripts, all bets are off! Even though it's now 2008, the default WYSIWYG editor tinyMCE has no facility for adding in scripted content - you have to go all the way into the site global preferences and turn the editor off, add your scripts, then go and turn it back on. God help you if you then edit that content and forget to turn it off again - make sure you have backups!
So Joomla guys, if you read this, can we please have a default WYSIWYG editor that at least has the option to insert scripts? Please!
vbScript and Data Types - How to Confuse Yourself and SQL Server
As you'll probably know, vbScript has no declared data types - they're all interpreted as required. Sometimes 12.3 may be a number, sometimes it's a string. This is all well and good, but what happens when you try to pass variables from vbScript into a more structured environment?
I am currently writing a web front end to sit over some archived financial data. The brief is fairly simple - the back end database is to be read only, and should be searchable by invoice amount, customer name, customer reference and postcode. All fairly simple. As it's going to be used only sparsely, I've decided to go with URL variables. The web front end will be accessible to certain people via directory security, so there is no need to obfuscate the data.
So, we create the ODBC link, put together a front end page for the users, then pass the variables via the URL to the backend processing page. Here, the URL variables are used to create a dynamic SQL SELECT statement like this:
strSQL = "select gl_account, gl_amount, gl_batch_ref, gl_date, gl_description, gl_contra, gl_ref, gl_sub_ledger, gl_year from dbo.gl_transactions where gl_amount = " & amount2 & " order by gl_contra ASC"
So we then pass this to SQL Server, and this happens...

Problem - as you can see from the error message, SQL is treating the variable as a string and using this to do a select against a numeric field... Result - dead app!
So, how do we get SQL to recognise this as a number?
The first thing to try is CAST. This is a built-in SQL function that converts a value from one type to another. So, we rewrite the query like this:
strSQL = "select gl_account, gl_amount, gl_batch_ref, gl_date, gl_description, gl_contra, gl_ref, gl_sub_ledger, gl_year from dbo.gl_transactions where gl_amount = cast(" & amount2 & " as decimal) order by gl_contra Asc"
You would think that converting the variable to a decimal would solve the problem. Well, you're wrong. If you have a look at this page (beware - it's huge, and will open in a new window) - Cast as Decimal - you'll see that the filtered column, gl_amount, contains hundreds of different values, not just the one we passed, which in this case was 18.69. If you look closer, you'll see that all of the values are in the range 18.50 to 19.49. It appears that even though you've specified a decimal, SQL has rounded it to the nearest integer, 19. So, again, SQL is technically correct, as all of the values in the gl_amount column will round to 19...
We need to get more accurate. Fortunately, SQL includes a couple of useful data types. We could use float, but this would give us far more precision than we need. Instead, we'll use money. This'll give us the precision we need, without eating up too many resources. Have a look at this page Cast as Money for the results.
Hopefully you should now see why it's important to keep track of your variables, and wherever possible to declare them explicitly - it'll save you a lot of headaches in the long term!
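As an added example (not the author's code), here is how the query above could be rebuilt in VBScript using an ADO Command with a typed parameter, so the amount is declared explicitly as Currency (SQL Server's money) instead of being spliced into the SQL text as a string. The connection string, function name and the adovbs constants are assumptions; the ADO constant values are the standard ones.

```vbscript
' Constants normally supplied by adovbs.inc; defined here so the script stands alone
Const adCmdText = 1
Const adParamInput = 1
Const adCurrency = 6

' Placeholder connection string - replace with your own ODBC DSN or driver string
Const CONN_STRING = "DSN=YourArchiveDSN;Trusted_Connection=Yes;"

' Return a recordset of transactions whose gl_amount equals the supplied value.
' rawAmount is the untyped URL variable, e.g. Request.QueryString("amount") in ASP.
Function FindTransactionsByAmount(rawAmount)
    Dim conn, cmd, amount

    ' Reject anything that is not a number before it gets anywhere near the database
    If Not IsNumeric(rawAmount) Then
        Err.Raise vbObjectError + 1, "FindTransactionsByAmount", _
            "amount must be numeric, got: " & rawAmount
    End If
    ' Currency in VBScript has 4 decimal places, the same as money in SQL Server,
    ' so 18.69 stays 18.69 rather than being rounded to 19
    amount = CCur(rawAmount)

    Set conn = CreateObject("ADODB.Connection")
    conn.Open CONN_STRING

    Set cmd = CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' The ? is a parameter marker: the value travels separately, already typed as money,
    ' so SQL Server never has to guess the type from a piece of text in the statement
    cmd.CommandText = "select gl_account, gl_amount, gl_batch_ref, gl_date, " & _
        "gl_description, gl_contra, gl_ref, gl_sub_ledger, gl_year " & _
        "from dbo.gl_transactions where gl_amount = ? order by gl_contra ASC"
    cmd.Parameters.Append cmd.CreateParameter("amount", adCurrency, adParamInput, , amount)

    Set FindTransactionsByAmount = cmd.Execute
End Function
```

In a classic ASP page the call would be Set rs = FindTransactionsByAmount(Request.QueryString("amount")), and the same pattern works for the name, reference and postcode searches with adVarChar parameters instead.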
.htaccess and .htpasswd
Coming from the world of Windows, I'm used to nice dialogue boxes and animations when I configure my security settings... Raw Linux is therefore incredibly scary! However, when it comes to web directory security, LAMP is incredibly powerful.
Under IIS, securing a directory is, to be frank, a pain in the arse. Under Apache, you can do it with two files - .htaccess and .htpasswd. We'll have a look at these in a little more detail...
First of all, the dot. Under UNIX and its variants, a leading . marks a hidden file. This is obviously a good thing, as you don't want any dodgy types trawling your directories and finding it. So make sure you use the dot!
.htpasswd, as you may imagine, contains usernames and passwords in encrypted form similar to what's below:
technorama:dGE7EaNuRBiic
You'll need to add a line for every user, and it's only one user per line. To generate the encrypted password, try htaccess tools password generator.
.htaccess is a little more complex. Basically, you put this file in any directory that you want to protect. The contents should be similar to that below (you can also visit htaccess tools to create your own):
AuthType Basic
AuthName "Keep Out!"
AuthUserFile /path/to/.htpasswd
Require valid-user
The parts of interest above are the AuthName and AuthUserFile.
AuthName is the title of the box that is presented to anyone who tries to access your protected directory. AuthUserFile is the full path to your .htpasswd file - this can be in any directory you like. The standard path is to drop it into your /etc directory.
To see it in action, click here. And no, you can't have the password!
Hopefully you should be able to see what a powerful tool this is. Obviously, if you want to protect more directories, you can repeat this procedure. You can also use as many .htpasswd files as you like, so you can allow certain users access to some directories but not others.
A tool for every eventuality
Have you ever been faced with a computing problem and thought, "I wish there was a tool that could do this for me?"
The guys at tlbox have collected some of the best design and support tools on the market, and best of all, they're all FREE!
Free Code!
I came across DZone Snippets by chance. It's an open repository of code snippets that people have written and decided to share with the world. You may come across something useful, or you may not.
Seeing the wood but totally missing the trees...
My day to day job is working with the backend of our CRM and Finance systems to make sure they do what they are supposed to do, and on occasion what they are not supposed to do.
Our enrolment system contains the details for all of our students, so I decided to link the enrolment database to Active Directory to create student accounts (part of the code was in the previous post).
With this in mind, I knocked together the following SQL query to get the data I needed into its own table (note that I've removed some sensitive data and replaced it with asterisks):
I've stripped out most of the stuff that took me hours to write and left the WHERE clause below...
WHERE (((dbo.StudentDetail.AcademicYearID)='07/08')
AND ((dbo.Offering.AcademicYearID)='07/08')
AND ((dbo.Enrolment.CompletionStatusID)='1')
AND ((dbo.Enrolment.IsWBL)=0)
AND ((dbo.Offering.OfferingStatusID)='1')
AND ((CollegeLevel_1.LevelNum)='2')
AND ((dbo.CollegeLevel.LevelNum)='1'))
AND (dbo.site.description !='*****')
AND (dbo.site.description ='*****')
AND (dbo.site.description !='*****')
AND (dbo.site.description !='*****')
AND (dbo.site.description !='*****')
AND (dbo.site.description !='*****')
AND (dbo.site.description !='*****')
AND (dbo.site.description !='*****')
AND (dbo.site.description !='*****')
AND (dbo.site.description !='*****')
ORDER BY dbo.StudentDetail.RefNo, dbo.StudentDetail.Surname, dbo.StudentDetail.FirstForename, dbo.Offering.AnnualGLH DESC;
The code was duly integrated into our network, and at the start of enrolments I was expecting about 600 new accounts a day...
After a week, 4 accounts!
This is why it always pays to bug check your code, because if I had, I would have noticed the missing ! and saved a week of headscratching and swearing at the server...
Why innovate when you can liberate...
There are many day to day computing tasks for which there is no substitute for a well written script. Unfortunately, most of my scripts are absolute monsters that I am frankly ashamed to pass on to our support team.
However, there is an alternative. Microsoft provide a very handy library of well structured scripts that can be customised for your own use - there is no point reinventing the wheel.
Visit the Microsoft Script Centre here
Breaking osCommerce - make sure you check your orders have actually been paid!
I've been wrestling with osCommerce over the weekend for a new project of mine. As you may know, this is a massively powerful open source shopping cart system. As you may not know, there is also a huge security hole in the checkout process that potentially leaves your site vulnerable to anyone with a lack of morals and access to Google...
Firstly, add the items you want to your basket. Then, go to the checkout and select the postage method. Finally, select PayPal or Nochex as the payment option.
Once you've got to this point, you're ready to complete the hack. If you type https://[domain name]/catalog/checkout_process.php into the address bar, the order will process without you having actually paid...
This is a huge security hole, and I would advise anyone running an osCommerce site to confirm payment before shipping goods.
There is a fairly simple fix for this - using session variables at the start and end of each page to force a path flow (similar to the code structure below):
Page/step 1 (page names below are illustrative):

<?php
session_start();

// ... existing page code: validate the basket, the postage method, and so on ...

// If everything is correct then, just before the redirect, record in the
// visitor's session that step 1 has been completed, and go to the next page.
// The flag only proves the visitor came through this page - it is not proof
// of payment, so still confirm payment before shipping, as above.
if ($everything_is_correct) {   // whatever this page's own validation decides
    $_SESSION['step1'] = true;
    header('Location: checkout_payment.php');
    exit;
}
?>

Page/step 2:

<?php
session_start();

// Only proceed if step 1 was completed in this session; anyone who typed
// this page's URL straight into the address bar is sent back to step 1
if (empty($_SESSION['step1'])) {
    header('Location: checkout_shipping.php');
    exit;
}

// ... existing page code ...

// If everything is correct then mark step 2 done and go to the next page
if ($everything_is_correct) {
    $_SESSION['step2'] = true;
    header('Location: checkout_confirmation.php');
    exit;
}
?>
I'm quite surprised that this hasn't been fixed in the core code yet - it's been an issue for more than 2 years. A simpler alternative is to rename the pages, which is always a useful thing to do to defeat other attempts at compromising your site security.
You just can't help some people...
Spam email is one of those background annoyances to life - like sorting out the recycling, ironing and filling out a tax self assessment form, it's always going to be part of your routine...
I have a simple rule with regards to spam that I share with a lot of people - if it entertains me, or I know it's coming from a compromised but legitimate site, I'll investigate further. If it tells me where to buy penis enhancing drugs, it gets binned. There are whole sites dedicated to scamming the scammers (419eater.com is one of my favourites), and with various projects that I am involved in, it's easier to feed the guys on there any contacts I get.
About a month ago, I had a free half hour, and decided to have a look through my spam folder. I do this occasionally as legitimate email does sometimes get dropped in there - it's usually from one of the big (BIIIIIG!!!) companies I've bought hardware off of, and who seem to employ copywriters whose last job was writing ads for C1al!$... Anyway, after sifting through the dross, I came to an invitation to log in to my online bank account immediately or I would face "diar consequences" (how can you misspell dire but not consequences??)
Looking at the HTML showed where my login details would be transmitted, and it pointed at a site with a .nz address that also seemed to be hosting a legitimate WordPress blog... Ran the site through SiteAdvisor and it came up fine, so I contacted the site admin through the Contact Me page on the blog and advised him that his site was compromised...
7 days of silence followed, during which time I received another similar looking spam, which again proved to be from the same site... Once again, I contacted the owner via the Contact Me form. This time I got a response, accusing me of not knowing what I was talking about because the blog's author had been in IT for more than 20 years, and that there was no way his site was compromised.
I of course sent him the link to the fake login screen...
Two weeks later and the link was still active, so I contacted the guy's hosting company, who closed the account immediately. Almost as quickly, I got an email from the blog owner, calling me all the names he could think of, and some that I'm pretty sure he made up...
In 2007, the Kiwis became one of the last countries in the developed world to introduce an anti-spam law, allowing for a fine of up to $200,000 for individuals, so you'd have thought the guy would have been a little bit happier.
Wish I'd kept my mouth shut!

02/07/08 08:16:14 am