Tag Archives: Microsoft

This is where you set the PHP version for your Azure website. Note that version 5.4 is the default version selected when you create an Azure website.

Microsoft Azure Doesn’t Load The SQL Server PDO Driver In PHP Version 5.5

Another of those “learn from my mistakes” moments: Azure Web Sites don’t include the SQL Server PDO extension if your site is running PHP 5.5.

This I learned the hard way today.

I set up my site to run PHP 5.5.11, the version Azure uses as of this writing. But my script halted without warning; knowing from experience that this meant there was a PHP error, I quickly popped into my site’s log and saw this entry:

[23-Jun-2014 12:52:36 America/Los_Angeles] PHP Warning:  PHP Startup: Unable to load dynamic library 'D:\Program Files (x86)\PHP\v5.5\ext\php_sqlsrv.dll' - The specified module could not be found.
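The failure mode above is a startup warning that only shows up in the server log while the page itself simply stops. An added example (not code from the original post) that makes the missing driver fail loudly before any database work starts; it assumes only the extension names Microsoft ships, `pdo_sqlsrv` and `sqlsrv`, and the placeholder DSN values at the bottom are made up:

```php
<?php
// Added example, not from the original post. Refuse to run without the
// SQL Server PDO driver instead of letting the script halt silently.
// Written for PHP 5.4/5.5, so no scalar type declarations.

function sqlsrvDriverStatus()
{
    return array(
        'php_version' => PHP_VERSION,
        'ext_dir'     => ini_get('extension_dir'),
        'pdo_sqlsrv'  => extension_loaded('pdo_sqlsrv'), // PDO driver
        'sqlsrv'      => extension_loaded('sqlsrv'),     // procedural driver
        'pdo_drivers' => PDO::getAvailableDrivers(),     // 'sqlsrv' appears here when loaded
    );
}

function requireSqlsrvPdo()
{
    $status = sqlsrvDriverStatus();
    if (!in_array('sqlsrv', $status['pdo_drivers'], true)) {
        // Details go to the server log (the same log the post quotes);
        // never echo PHP version or extension paths to the client.
        error_log(sprintf(
            'pdo_sqlsrv not loaded under PHP %s (extension_dir=%s, PDO drivers: %s)',
            $status['php_version'],
            $status['ext_dir'],
            implode(',', $status['pdo_drivers']) ?: 'none'
        ));
        http_response_code(500);
        exit('Database driver unavailable.');
    }
}

requireSqlsrvPdo();

// Only connect after the check passes. Server, database and credentials are placeholders.
$db = new PDO(
    'sqlsrv:Server=tcp:myserver.database.windows.net,1433;Database=mydb',
    'dbuser',
    'dbpassword'
);
```

Dropping this at the top of a bootstrap file turns the silent halt into a one-line log entry that names the PHP version and extension directory, which is exactly the information needed to spot that the site was switched to a PHP build without the driver.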


New England GiveCamp 2014 Recap

I spent the weekend of April 4-6 at New England GiveCamp, a weekend hackathon that pairs tech and design people with charities in the Boston and New England region.

This year, I worked for Generations Inc., a Boston-based charity that pairs senior citizens with children as literacy tutors.

The process they used for accepting volunteer applications was time- and labor-intensive. Basically, they used the Job Manager WordPress plugin to accept applications, which went into their WordPress install as a custom post type.

Then, a staff member would have to re-enter all that information into Salesforce, which they use to track volunteers, clients and related assignments.

Since Salesforce is the endpoint for managing all of Generations Inc.’s relationships, they wanted a way to take online applications and put them directly into Salesforce. So that was my project for the weekend.

New England GiveCamp 2013 This Weekend

I’ll be attending New England GiveCamp 2013 this weekend.

GiveCamp is a way for technical people and designers to donate their time to worthy nonprofits. Organized by Jim O’Neil and Kelley Muir and hosted at Microsoft’s New England Research and Development center on the Massachusetts Institute of Technology campus, New England GiveCamp is in its fourth year.

This year I’ll again be working with The Esplanade Association. Last year, I was the leader of the team that revamped their website. It’s a real pleasure to work with them again.

Over the weekend, we’ll be working on an interactive map, probably built on the Google Maps API, of the Esplanade’s many amenities and features. The fellows assigned to this task are already full of ideas and getting to work, so once again, I’ve been very fortunate to have highly motivated, very capable team members assigned to our task.

It’s probably going to be another hectic, exciting weekend. Can’t wait!

All links in this post on delicious: https://delicious.com/dougvdotcom/new-england-givecamp-2013-this-weekend

Microsoft’s Advice On Avoiding SQL Injection Attacks

Not to kiss my own ass, but Microsoft’s official advice on avoiding SQL injection attacks sounds awfully familiar to readers of this blog:

Sanitize (validate) all inputs: “This helps to ensure that the input is free from characters that cause SQL injection attacks.” It also allows you to fix the form and data type of the user input, which pretty much renders basic script kiddie attacks useless.

Parameters, not strings, as query variables: “Creating dynamic queries using string concatenation potentially allows an attacker to execute an arbitrary query through the application.”

In other words, it’s harder to break this:

DECLARE @person VARCHAR(20) = 'some user string'; SELECT * FROM [table] WHERE person = @person;

than it is to break this:

SELECT * FROM [table] WHERE person = 'some user string';

Stored procedures, not free-form queries: “Stored procedures by themselves do not remove SQL injection vulnerabilities. They only raise the bar on the attacker by hiding much of the underlying database schema.” That is, the attacker can’t easily find out what columns are in a table, or what type of data is in those columns, if you use a stored procedure. The caveat is real, though: a stored procedure that builds its own SQL by concatenating its arguments into a string and running it with EXEC is just as injectable as the application code it replaced, so the parameters have to stay parameters all the way down.

Minimal permissions: “In general, database applications should be using a low-privileged account that has the minimum permissions required to execute the statements submitted to SQL Server.” As in, create a user in your SQL database whose only permission set is to execute your Web-based stored procedures, and connect to the database server as that user.

Those are the basics. And if you don’t understand how to do them, I’ll be putting together a blog series on how to convert your old string-queried Web applications into ones secured with stored procedures and proper permissions.
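To show the difference between the two queries above and the stored-procedure call in working code, here is an added example that is not part of the original post. It writes the same lookup three ways in PHP with PDO (the setup the Azure post on this page uses): string concatenation, a bound parameter, and a call to a stored procedure. The demo at the bottom runs against an in-memory SQLite table so it works anywhere PHP has pdo_sqlite; the table `people`, its columns, and the procedure `dbo.FindPerson` are invented for the demonstration, and against Azure SQL the only changes are the `sqlsrv:` DSN and the procedure actually existing.

```php
<?php
// Added example, not from the original post. One lookup written the
// vulnerable way and two parameterized ways. Table and procedure names
// are made up for the demo.

function findPersonConcatenated(PDO $db, $person)
{
    // VULNERABLE: user input becomes part of the SQL text itself.
    $sql = "SELECT id, person FROM people WHERE person = '" . $person . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

function findPersonParameterized(PDO $db, $person)
{
    // SAFE: the input travels as a typed parameter value, never as SQL text,
    // so quotes inside it cannot change the statement's structure.
    $stmt = $db->prepare('SELECT id, person FROM people WHERE person = :person');
    $stmt->bindValue(':person', $person, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function findPersonViaProcedure(PDO $db, $person)
{
    // SQL Server only; not executed in the SQLite demo below. The procedure
    // dbo.FindPerson is assumed to exist and to use @person as a parameter,
    // not to concatenate it into dynamic SQL. The web login then needs only
    // EXECUTE on dbo.FindPerson and no SELECT on the table (minimal permissions).
    $stmt = $db->prepare('EXEC dbo.FindPerson @person = :person');
    $stmt->bindValue(':person', $person, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demo against a constructed in-memory table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE people (id INTEGER PRIMARY KEY, person TEXT NOT NULL)');
$db->exec("INSERT INTO people (person) VALUES ('alice'), ('bob'), ('carol')");

// The classic tautology payload: turns "person = 'x'" into "person = 'x' OR '1'='1'".
$attack = "x' OR '1'='1";
printf("concatenated:  %d rows\n", count(findPersonConcatenated($db, $attack)));
printf("parameterized: %d rows\n", count(findPersonParameterized($db, $attack)));
```

Run as-is, the concatenated version hands back the whole table because the payload rewrites the WHERE clause, while the parameterized version returns nothing because it looks for a person literally named `x' OR '1'='1`. That is the whole argument of the post in two lines: the parameter is data, the concatenated string is code.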
