Tuesday, May 15, 2007

Where should I place Google Ads for high CTR

An eyetracking study recorded how users looked at thousands of Web pages including Google and Slashdot.

The study looked at how people navigate websites, search and react to advertising.

The summary is that a human eye scans a webpage in the shape of the letter F. These results [similar to a Google heatmap] are depicted in the picture on the right side.

The areas where users looked the most are colored red; the yellow areas indicate fewer views, followed by the least-viewed blue areas. Gray areas didn't attract any fixations.

The results offer some useful hints for web designers and bloggers who show advertisements.

First, for effective layouts - don't place Google Ads [or other advertising banners] on the right sidebar as web users typically ignore that area.

Users scan a webpage in seconds and no one is going to read text word-by-word. Most are only going to read the first two paragraphs. In a few seconds, their eyes move at amazing speeds across your website’s words in a pattern that's very different from what you learned in school.

Therefore, try to highlight [use a different font, increase the font weight] the important lines to attract user attention, and make the initial paragraphs interesting.

Optimizing Scott Hanselman's Blog for Improving Adsense Revenue

We are kicking off a new Adsense Optimization series to help you increase revenue (or make more money) from Google Adsense program.

Every week or so, we'll pick a website (or blog) and suggest various optimization tips, including new banner ad formats or ad unit placements, that will help these sites maximize their Adsense earnings. You can apply these techniques and lessons to your own site if it has a similar layout.

Our first Adsense case study covers Computer Zen, an excellent blog by Scott Hanselman on Microsoft technologies. Scott is an MVP, the author of several books, and also runs an interesting podcast, Hanselminutes. His blog has ~8k subscribers according to FeedBurner.

Let's take a quick look at a recent screenshot of Scott's website - [The Google ad units and search box have been numbered for easier identification].

As you probably noticed from the above screenshot, this site has two Adsense ad units and one Google Site Search box. There's also a FeedBurner ad, which we'll skip for the moment.

» There are two 120x240 Ads in the left sidebar. [No 1, 2]
» The Google Search Box is placed in the top right corner [No 3]

Possible Issues with the Current Ad Formats and Layout:

1. The 120x240 ads do not blend with the background since they are enclosed inside a white border.

2. The ads are located below the page fold and will therefore be rarely visible to the site visitors.

3. The ads are located in the sidebar - an area that generally doesn't perform so well.

4. Vertical banners like 120x240 are limited to text only ads. Advertisers cannot show image based CPM ads on this site.

5. The Search Box is placed at a perfect location, but it takes the visitor off the site to Google's search results page.

What can be done to improve Adsense performance?

The new sample screenshot reflects some very simple Adsense related tweaks that may help Scott improve the ad earnings from Computer Zen.

Each of the tweaks or changes in the above screenshot has been numbered; they are explained in detail below:

No 1: Link Units can be a very good source of Adsense revenue if placed somewhere near the site navigation links. In Scott's case, that area is the left sidebar just below his profile and picture.

No 2: The 120x240 Ads units have been removed from the left sidebar since they may not be the best performing units due to their placement as well as dimensions.

No 3: The Google Search Box position need not be changed but Scott may connect the search code with Adsense for Search to increase revenue. Additionally, the search results page should use the new Adsense code that allows visitors to search without leaving the site.

No 4: This is probably the biggest change and the one that will bring him the most Adsense revenue - a 250x250 ad unit mixed with the blog content [implemented with a floated div]. The unit should accept both image and text ads. The border and background color should exactly match the page background color.

No 5: This external leaderboard ad from a job site was originally placed at the top. We have moved it to the bottom since it is probably a non-contextual ad system and its results may therefore not be superior to Google Adsense.

Google is Not Indexing Your Blog? No Problem, Just Remove the NOINDEX Meta Tag from Your Blogger Template

Is your blog hosted on Blogger.com? If yes, there is a chance that it is not being indexed by Google, Yahoo or other search engines. The reason may be a NOINDEX, NOFOLLOW meta tag that has slipped quietly into your blog pages, probably due to a bug.

Google adds the <meta name="ROBOTS" content="NOINDEX,NOFOLLOW"> tag by default to the HTML of your blog pages when the "Add your Blog to our listings?" setting is set to No.

In one of our test blogs, the above NOINDEX META tag is being inserted even though the setting is set to Yes.

The moment search engine bots read that noindex directive, they skip indexing your webpage. And if that webpage already exists in the search engine's index, the page is dropped. The end result is that none of your blog pages will ever appear in the search results of any web search engine.

To override the default setting and let search engines read your blog, manually delete <$BlogMetaData$> from the classic Blogger template, or if you are on the new Blogger.
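After editing the template it is worth confirming that the tag is really gone. The following PHP script is an added example, not part of the original post: it parses a page's HTML and lists every directive found in a robots META tag (the name is matched case-insensitively, since ROBOTS and robots are equivalent). The two sample pages are constructed; pass a URL as the first argument to check a live page instead.

```php
<?php
// Added example (not from the original post): report the robots META
// directives in a page so you can confirm NOINDEX is gone after editing
// the template.

function robotsDirectives(string $html): array
{
    $doc = new DOMDocument();
    // Blog templates are rarely well-formed HTML; keep the parser quiet.
    libxml_use_internal_errors(true);
    $doc->loadHTML($html);
    libxml_clear_errors();

    $found = [];
    foreach ($doc->getElementsByTagName('meta') as $meta) {
        // The name attribute is case-insensitive: ROBOTS and robots are the same.
        if (strtolower($meta->getAttribute('name')) !== 'robots') {
            continue;
        }
        // content="NOINDEX,NOFOLLOW" is a comma-separated list of directives.
        foreach (explode(',', $meta->getAttribute('content')) as $directive) {
            $directive = strtolower(trim($directive));
            if ($directive !== '') {
                $found[] = $directive;
            }
        }
    }
    return $found;
}

function isNoIndex(string $html): bool
{
    // "none" is shorthand for "noindex, nofollow".
    $directives = robotsDirectives($html);
    return in_array('noindex', $directives, true) || in_array('none', $directives, true);
}

// Constructed sample pages: one with the tag Blogger inserts, one without.
$samples = [
    'blocked'   => '<html><head><title>t</title>'
                 . '<meta name="ROBOTS" content="NOINDEX,NOFOLLOW"></head><body>hi</body></html>',
    'indexable' => '<html><head><title>t</title>'
                 . '<meta name="description" content="my blog"></head><body>hi</body></html>',
];

// Optional: check a live page, e.g.  php check_noindex.php http://yourblog.example/
if (isset($argv[1])) {
    $samples[$argv[1]] = file_get_contents($argv[1]);
}

foreach ($samples as $label => $html) {
    printf("%-10s robots=[%s] noindex=%s\n",
        $label,
        implode(',', robotsDirectives($html)),
        isNoIndex($html) ? 'yes' : 'no');
}
```

Run it once before and once after the template change; the "blocked" sample shows what a page with the default Blogger tag looks like, and a live page that still reports noindex=yes has not picked up the edit (Blogger may need the blog republished before the generated HTML changes).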

How Fast Do Search Engines Index Fresh Content

Legal issues apart, this mutiny at Digg gives us a great opportunity to compare the indexing behaviour of search engines and how frequently search bots crawl the web in pursuit of fresh content.

We executed a search for 09 f9 11 02 9d 74 e3 5b d8 41 56 c5 63 56 88 c0 (without quotes) on all major web and blog search engines; here are the results.

Web Search

Microsoft-owned Live Search has just 18k pages containing the HD DVD key, while Google has indexed over half a million documents containing that number.

Blog Search

In the case of blog search engines, Bloglines (owned by Ask.com) found 6160 blogs and RSS feeds that mentioned the HD DVD key, while Technorati put the number at 2200. Google Blog Search returned ~5.5k results.

Million Dollar Homepage - Interview with $1m Boy

Alex Tew, a 21-year-old student from Wiltshire, England, tried a unique experiment to raise money for his university education.

His thought processes went something like this: what if he set up a website called the Million Dollar Homepage which contained exactly one million pixels (the tiny dots that make up an image on a screen)? What if he then used that page as, in effect, an advertising noticeboard where advertisers could buy space at $1 per pixel?

The Million Dollar Homepage is broken up into 10,000 100-pixel squares; Tew sells the 100-pixel squares for $100 each, or $1 per pixel. The idea was an instant success. In the first four weeks alone, Alex sold more than 300,000 pixels at $1 each. As of today, Tew's Million Dollar Homepage has sold 900,400 pixels, and the buyers are still flooding in.

Here is an animated graphic showing the making of the Million Dollar Homepage.

.NET spoke with Alex Tew, the mastermind behind milliondollarhomepage.com. He explains how he became a wealthy man by selling some pixels and what he intends to do with all the money.

Q: Why does the site seem to succeed? Why do companies buy pixels? And why did it happen so fast?
A: The site succeeds because I think people respect an original idea. Things that are unique and novel naturally get talked about, if they’re interesting. My crazy idea to make money seems to have caught people’s imagination. So it means thousands of people are logging on every day.

Q: Who bought the first pixels and why?
A: A friend of a friend who runs an online music site bought 400 - I basically explained that the site could become really popular if it catches on and these 400 dollars could be the best marketing investment they ever make. They decided it was worth a punt and went for it. I’m sure if the site had flopped they would have wanted their money back, but obviously things took off. I understand their site received over 20,000 unique visitors directly from their ad on my home page within the first three weeks. A pretty good return I think.

Q: What will you spend the money on?
A: The first thing I bought was some new socks! You can see them on my blog. Then I was able to pay for my first year’s university tuition fees and living costs, which was cool, because it took the pressure off my parents. Apart from some normal stuff like clothes and CDs, I've not bought anything extravagant really. With the rest of the money I plan to invest in some of the new ideas I've got.

Read the full interview with the brain behind the Million Dollar Homepage.

How a Blogger can become a good journalist

Spencer Critchley writes some good tips for bloggers and newsletter publishers on how good journalists do useful work. The best piece of advice, I think, is: "If you can't say something in plain speech, that may mean you don't understand it well enough yet." Here's more:

Identify your sources
Your audience needs to know where this information comes from, so they can judge its credibility.

Respect the value of people's time
Know your point, get to it quickly, and make your content dense with value.

Use plain speech, and talk like a real person.
If a simpler word can be used with no loss of meaning, use it. Same goes for fewer words vs. more.

Reputable pro media outlets use professional fact checkers
People may be citing you as a source, so try to get the details right. Related to this: spell-check!

Opinions are not facts, even your opinions
Opinions make personal journalism lively. But be sure you know the difference between opinion and fact, and make it clear to your readers as well.

Very Useful Websites for Some Cool Start-Ups

ToonDoo - Create Your Own Comic Strips
Vixy.net - Download YouTube Videos as QuickTime Videos or MP3 Audio Files
Picnik - The Best Online Image Editing Tool
Scribd - Embed Docs, Excel Spreadsheets, PDFs as Flash Paper
Email Traceroute - Plot your email trajectory on Google Maps
Pipl - What Google Thinks about you - EgoSurfing
Gotuit SceneMaker - Trim YouTube Videos and Share them
CircleUp - Ask Questions, Get a consolidated reply
Blinx - The Best Video Search Engine with News Clips, Video Podcasts...
Dumpr.net - Interesting Effects for your Digital Photographs
Photo Flicks - Impressive Picture Slideshows in Flash
Zoho Sheet - Embed Excel Spreadsheets in Webpages
Flickr Leech - Search and Download Images from Flickr quickly
Package Mapping - Visually track shipments from FedEx/UPS/DHL on Google Maps
Visual DNA - Share your personality with the world in pictures
Kiss Youtube - The easiest way to download YouTube Videos
Voice Books - Invite friends to add voice narrations to your photographs
Qipit - Convert a book excerpt or newspaper clipping into digital text
Zaptxt - Google Alerts++, get updates on Skype, Mobile Phone, Email
LinkInABox - Display your LinkedIn Profile on your blog
Alexaholic - Compare Alexa Rankings of multiple websites in one place
MyPictr - Create profile pictures and avatars of custom sizes in seconds
SlideRoll - Flash Slideshows of Flickr Pictures
Review Basics - Get feedback on your blog design, brochures, business cards, etc.
ePost - Real version of GMail Paper, Home delivery email
Rich Chart Live - Create rich, animated Flash Charts online
Short Text - Internet clipboard - Copy and paste text across computers
IMIfied - Interact with Google Calendar, Blogger, Remember the Milk, BaseCamp, TypePad via IM (Google Talk, MSN, Yahoo Messenger)
Text Analyzer - Analyze your writing style, count words, paragraphs, word frequency, etc.
Feed43 - Create RSS Feeds for any website
Files Upload - Rapidshare on Steroids, Supports FTP, No limits
GigaSize - Email large attachments without problems
Mozy - Online Backup for your computer - set it, forget it
Room Visualizer - Design the layout of your new room online
Google Docs - Batch convert email messages or multiple documents to PDF
VideoJug, Instructables - Learn something new every day through Pictures and Video Tutorials
Yahoo! Badges - Add Live Stock Quotes and Market Charts to your website
JumpCut - Free Online Video Editor - Mix videos, images and sounds
Zamzar - Convert files from one format to another, get results by email

Six Wonderful Google Games To Keep You Entertained

Toogle Search - Bill Gates - When you make a search on Toogle, it fetches the first image from Google Image Search and converts the picture into a colored ASCII rendering made only of the search terms.

Google Mirror - elgoog - This site is a mirror reflection of Google. All the text is displayed in reverse order and aligned to the right of the page, just like Arabic. Remember that queries must also be typed backwards. [live example]

Gwigle - What Am I Googling? - A very addictive game where you are shown the Google search results page and you then have to reverse guess the search query. The game has various levels and can keep you busy for a long time. The accompanying tips will help you become a better googler. [Thanks, Ionut]

Guess The Google - At the start of this Google game, a grid of 20 image thumbnails appears, all of them matching one search keyword. You get 20 seconds to guess the keyword, but you can make as many guesses as you want during that time.

Googlewhack - A Googlewhack is a Google search query consisting of two words - both in the dictionary, and without quotation marks - that returns a single result. The search will list 'Results 1-1 of 1'. Googlewhacking is the pastime activity of finding such a result. A person attempting to find Googlewhacks is known as a Googlewhacker. [Whack Stack]

World War on Google Maps - Online players (2-25) randomly receive a set of countries with troop hitpoints based on real world population data. To play: attack neutral and enemy countries in an effort to try to take over the world. You have a 20% chance of receiving more troops when you overtake an enemy country. [via Slashdot]

Google Maps Flight Simulator - Nothing as advanced as the Microsoft Flight Simulator, but this Google computer game lets you fly a small plane over any landscape created from a compilation of Google Maps images. You can use the keyboard arrow keys to change direction, bank and dive. Space lets you fire, while A/Z vary the flying speed.

Guess the Place - You are shown a picture and need to find out which country, state or city is being shown by looking at parts of Google Maps, or Flickr images of the place.

Tips, Layout Optimization Tricks for Adsense Higher CTR

Google Adsense is perhaps the easiest way to attract advertisers from across the globe to your blog. Just submit your blog to Google for approval. If Google likes what it sees, it will place contextual ads linking to products likely to appeal to the readers. Each time a reader clicks a link, the advertiser pays Google a small fee, and Google splits that with you.

The next interesting question: how do you make money with Google Adsense? Here are the best Google Adsense tips and tricks for making more money (profit) from the Google Adsense program.

a. Strictly follow the rules mentioned in Adsense policies. You will always earn more revenue from Adsense by playing it clean.

b. Never modify the Google Adsense HTML code.

c. Don't ask your friends or visitors to click on your Google ads. Do not include incentives of any kind for users to click on ads. Don't label the Google ads with text other than "sponsored links" or "advertisements".

d. Don't click on your own ads - Google is much smarter than you think. You should not reload your pages excessively. If you are testing your website layout with Google adsense, follow some precautions. Or you can use the unofficial Google Adsense Sandbox Tool that is accessible from Firefox, IE and other browsers to see what kind of Google ads will be served based on content (website address URL) or keywords.

e. Don't place ads in pop-up windows, error pages or even empty pages.

f. Don't start an "adsense asbestos" or "home equity loan rates" website merely to make money from accidental clicks. You will never make money out of these "made-for-adsense-only" websites. Instead, write on topics you are passionate about. Don't waste your money on high-paying adsense keyword lists.

g. For short articles, CTR is best when ads are placed just above the content.

h. For long articles, CTR improves if ads are placed somewhere in the middle of the content - visitors read the long content and are then looking for more resources.

i. Use text ads instead of image ads, as users get more options. If you still want to display image ads, consider ad formats that support them - choose either the 300x250 medium rectangle or the 160x600 wide skyscraper, or both if you display multiple ad units on a page.

j. Google ads without a background color and borders always perform better. Make the border color and background color the same as your page background color.

k. Always put ads above the main fold. Make sure that the ad unit with the highest clickthrough rate is the first instance of the ad code that appears in the HTML. Since the first ad unit is always filled before the rest, you want to make sure that ad unit is located in the best placement on your page.

l. Try setting the ad link URL color to a lighter shade. If your text is black, you may make the adlink as light gray.

m. Go Wide - The large rectangle is the best paying adsense format (336x280) - The Google Adsense Publisher team also feels that the best formats are the wider ones - the ad formats that contain the widest individual ads. Try using the 336x280 large rectangle, 300x250 medium rectangle, or 160x600 wide skyscraper.

n. Placing images next to ads or above ads does help in attracting user attention.

o. Blend AdLinks with other navigation links or place horizontal adlinks at the top of your webpage. AdSense publishers are permitted to click on link unit topics on their web pages, provided that they do not click on any Google ads on the resulting page.

p. Organize an Adsense Party for your friends and colleagues - Request them to navigate your website, watch their activity - it will provide vital clues about which regions on your website draw more user attention. Try putting ads near those areas. (Thanks Darren)

q. You can put up to 3 adsense units on a page. Try putting a large skyscraper in the right navigation sidebar of your website; that area is close to the browser scrollbar. You can also add 2 AdSense for search boxes, 1 adlink unit and 1 referral button per product (i.e., 1 AdSense referral button and 1 Firefox plus Google Toolbar referral button).

r. The first few lines of your content are an important factor for determining what Ads are served on your webpage. That's the right place to put keywords in bold (strong or <b> tags) or header tags (h1, h2, etc).

s. Always select the setting to open Google Adsense search box results in a new browser window, so you won't lose your visitors. Tick the "Open search results in a new browser window" checkbox and this adds target="google_window" to your form tag.

t. Most people expect the search box to be in the top right corner. So you know where to put it.

u. Don't syndicate full content. If people can read everything in the newsreader window itself, why would they visit your website, where your ads are?

v. Use URL channels to determine the performance of individual pages. I track my most popular pages with Google Analytics and StatCounter and create a channel for each of those URLs. You can even track Adsense clicks with Analytics.

w. For low CTR pages, try changing titles or adding more content to get better focused ads.

x. Block low-paying advertisers with filters. Why lose a visitor for 0.01 cents? Use the Overture or Google Adwords keyword tool to discover keywords that are less popular with advertisers.

y. The AdSense for search Top Queries report shows you what your users are looking for, by listing the 25 most common searches conducted through your AdSense for search boxes. Use this report to identify additional topics to add to your site, or to keep track of your most sought-after information. Focus and improve that content.

z. Not everyone has an RSS reader. Use RSS-to-email services like FeedBlitz, Bloglet or Rmail to let users subscribe to your blog by email.

Remember, you are the best judge when it comes to choosing ad formats. Even Google doesn't always offer the best advice. For instance, in the visual heat map, Google suggests that webmasters are best served by positioning ads on the upper left-hand side of a web page. But on the Google homepage, you will find ads on the far right.

Related Links
Display only relevant Google Ads in Blogs
Google Adsense Layout Tips for Maximum Clicks
Guide for Google AdSense Publishers

AdSense is one of the best tools you can use to draw dollars to your site. Remember that there is no easy way to make money on Adsense... it takes a lot of work. Adsense publishers on blogspot.com can integrate Adsense directly from Blogger Interface.

Yahoo Publisher Network YPN and Chitika eMiniMalls offer interesting Adsense alternatives. You can use this free online Sandbox tool to compare Google Adsense, Chitika eMiniMalls and Yahoo Publisher Network (YPN) Program.

Enter any keywords or a website address (URL), choose a geographic location (for Google), customize ad colors or choose from an existing color set and click "Update Ads Display". You can try the Adsense, YPN or Chitika services without signing up for any of them.

How to Access Blocked Websites

Blocking access to undesirable Web sites through the use of Internet protocol filters has been a common government tactic since commercial Internet access first became available here in 1995. China and Saudi Arabia are believed to extend greater censorship over the net than any other country in the world under the pretext of information control.

Most of the blacklisted sites in Saudi Arabia are either sexually explicit or about religion, women, health, drugs and pop culture. They even block access to websites about bathing suits. So if you want to buy something to swim in, they seem to treat that as if it were pornographic in Saudi Arabia.

In China, websites containing sexually explicit content were among those blocked, but they also included sites on sensitive topics such as Tibet, Taiwan and dissident activity. China also blocks access to Google News, TypePad and Blogger-hosted blogs.

But what if an innocent website is accidentally blocked by your ISP or your government? There are always legitimate reasons to visit these blocked websites. We have listed a few methods to help you access blocked websites at school, college, the office or at home.

Approach 1: There are websites like Anonymizer that fetch the blocked site/page from their servers and display it to you. As far as the service provider is concerned, you are viewing a page from Anonymizer and not the blocked site.

Approach 2: To access the blocked web site, type the IP address instead of the URL in the address bar. But if the ISP's filtering software maps the IP address back to the web server (reverse DNS lookup), the website will remain blocked.

Approach 3: Use a URL redirection service like tinyurl.com or snipurl.com. These domain forwarding services sometimes work because the address in the URL box remains the redirect URL and does not change to the banned site.

Approach 4: Use Google Mobile Search. Google displays normal HTML pages as if you were viewing them on a mobile phone. During the conversion, Google removes the JavaScript and CSS and breaks a longer page into several smaller pages. [link] View this website in Google Mobile

Approach 5: Enter the URL in Google or Yahoo search and then visit the cached copy of the page. To retrieve the page more quickly from Google's cache, click "Cached Text Only" while the browser is loading the page from cache.

Approach 6: A recent O'Reilly story on accessing blocked websites suggested an approach to access restricted web sites using the Google Language Tools service as a proxy server. Basically, you have Google translate your page from English to English (or whatever language you like). Assuming that Google isn't blacklisted in your country or school, you should be able to access any site with this method. Visit this site via Google Proxy

Approach 7: Anonymous Surfing - Surf the Internet via a proxy server. A proxy server (or proxy) is a normal computer that hides the identity of the computers on its network from the Internet, which means that only the address of the proxy server is visible to the world and not those of the computers that are using it to browse the Internet. Just visit the proxy server website with your web browser and enter a URL (website address) in the form provided.

This page has a long list of proxies. You can either choose one yourself or let the service choose a random proxy for you. Also bookmark the DMOZ directory of free web-based proxy services and DMOZ directory of free proxy servers

Update: China appears to have moved beyond simply blocking access to a Web site with IP filters and may now be employing packet filters to scan individual packets for undesirable information, said Duncan Clark, managing director at telecommunication analyst BDA China Co. Ltd.

Ohhhh! A Secret Google Search URL That Removes / Does Not Display Google Adsense Ads

Google makes most of their money from online advertising.

While it is technically possible to block Google ads on web pages through Firefox extensions or by modifying the hosts file, these hiding methods are mostly used by tech-savvy users and may not have that big an effect on Google's revenue.

However, here's a secret trick - if you append the parameter "output=googleabout" to Google Web Search URL, the search results page will not carry any AdSense ads that are otherwise seen on the top and right sections of the page.

Here's a direct URL to search Google minus Adsense/Adwords ads:


Not sure why this parameter is in place but this default Google page could have a serious impact on their bottom line since it allows users to search Google sans advertisements without installing any geeky hacks. Thanks Vedrashko.

The following lines, when added to the Windows HOSTS file, will block Google from serving ads on your computer and stop Google Analytics from tracking your visits on sites that use it.

# [Google Inc]
127.0.0.1 pagead.googlesyndication.com
127.0.0.1 pagead2.googlesyndication.com #[Google AdWords]
127.0.0.1 adservices.google.com
127.0.0.1 ssl.google-analytics.com #[urchinTracker]
127.0.0.1 www.google-analytics.com #[Google Analytics]
127.0.0.1 imageads.googleadservices.com #[Ewido.TrackingCookie.Googleadservices]
127.0.0.1 imageads1.googleadservices.com
127.0.0.1 imageads2.googleadservices.com
127.0.0.1 imageads3.googleadservices.com
127.0.0.1 imageads4.googleadservices.com
127.0.0.1 imageads5.googleadservices.com
127.0.0.1 imageads6.googleadservices.com
127.0.0.1 imageads7.googleadservices.com
127.0.0.1 imageads8.googleadservices.com
127.0.0.1 imageads9.googleadservices.com
127.0.0.1 partner.googleadservices.com
127.0.0.1 www.googleadservices.com
127.0.0.1 apps5.oingo.com #[Microsoft.Typo-Patrol]
127.0.0.1 www.appliedsemantics.com
127.0.0.1 service.urchin.com #[Urchin Tracking Module]
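A HOSTS file entry only blocks a hostname if the line is parsed the way the resolver parses it: an address, one or more hostnames, and an optional trailing comment. The PHP script below is an added example, not part of the original post; it reads entries in that format, tolerating the "#[...]" comments and several hostnames on one line, and reports whether a given hostname is sinkholed to the local machine. The sample entries are a constructed subset of the list above.

```php
<?php
// Added example (not from the original post): parse HOSTS file entries
// like the ones above and report which ad/tracking hostnames are
// sinkholed to the local machine.

function parseHosts(string $text): array
{
    $map = [];
    foreach (preg_split('/\R/', $text) as $line) {
        // Drop trailing comments such as "#[Google AdWords]" and blank lines.
        $line = trim(preg_replace('/#.*$/', '', $line));
        if ($line === '') {
            continue;
        }
        $fields = preg_split('/\s+/', $line);
        $ip = array_shift($fields);
        // A single address may be followed by several hostnames on one line;
        // hostnames are case-insensitive, so normalise them.
        foreach ($fields as $host) {
            $map[strtolower($host)] = $ip;
        }
    }
    return $map;
}

function isSinkholed(array $map, string $host): bool
{
    $ip = $map[strtolower($host)] ?? null;
    // Anything pointed at loopback or the unspecified address never leaves the box.
    return in_array($ip, ['127.0.0.1', '0.0.0.0', '::1'], true);
}

// Constructed sample: a few of the entries listed above plus the usual localhost line.
$sample = <<<'HOSTS'
127.0.0.1 localhost
# [Google Inc]
127.0.0.1 pagead.googlesyndication.com
127.0.0.1 pagead2.googlesyndication.com #[Google AdWords]
127.0.0.1 www.google-analytics.com #[Google Analytics]
HOSTS;

$map = parseHosts($sample);
foreach (['pagead2.googlesyndication.com', 'WWW.GOOGLE-ANALYTICS.COM', 'www.google.com'] as $host) {
    printf("%-32s %s\n", $host, isSinkholed($map, $host) ? 'blocked' : 'not blocked');
}
```

To audit the real file instead of the sample, replace $sample with file_get_contents('C:\Windows\System32\drivers\etc\hosts') (or /etc/hosts on Unix). Note that the HOSTS file only affects name resolution on that one machine: ads loaded by IP address, or from a hostname not in the list, are unaffected.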

Blogs: What is Hot and What is Not

Although podcasting has surpassed the popularity of blogging, that doesn’t mean blogging is a dying art. If you take the time to browse around the Internet, you’ll see that blog hosting communities are still rapidly growing. If you’re not yet part of this crowd, check it out to experience the fun and excitement.

Pressing the Keys at WordPress

Newbies and advanced users alike will enjoy blogging at WordPress with the many features available, such as entry previews, blog categories and blogrolls.

Thumbs-Ups: You can add plug-ins and customize your blog layout. WordPress also provides constant updates for their users.

Thumbs-Down: A bit of software knowledge is required to properly install WordPress. If you have enabled commenting on your site, don't be surprised to find that more than a few spammers are developing a habit of dropping by. [Ed. Note: I've definitely found this to be the case. Having anti-spam filters like Akismet in place is important to keep on top of the spam issue.]

Fire up at FeedBurner

Is your blog worth broadcasting? If so, you should consider moving from your old blog community to FeedBurner. At FeedBurner, they help you create content and spread the word about your blog as well.

Thumbs-Ups: With the standard free package, FeedBurner allows you to set up the configuration for your blog for easy posting and even use an RSS subscription button to automatically update the readers of your blog. The web site gives you information about the average number of visits your blog has per day along with other traffic statistics. You can earn money on the side by adding Google Ads to your blog.

Thumbs-Down: The template editing section of FeedBurner isn't easy to master.

Everything in One at Multiply

If you wish to blog, upload photos, videos, music files, write reviews and post your social calendar with one Web site, all you have to do is sign up for an account at Multiply.

Thumbs-Ups: Photo uploading is virtually unlimited, images can be classified by albums and given captions. Skin choices are provided to give your blogs more color and life and RSS feeds are allowed.

Thumbs-Down: When writing reviews, Multiply doesn’t give users much freedom to customize content by font type or color. Layouts can be edited…but only if you have CSS knowledge and even with that, customization is still limited. The smiley list is woefully inadequate.

Live and Write Freely at LiveJournal

With a hip nickname such as “LJ,” LiveJournal is a Web site that’s designed for the fun-loving crowd on the go.

Thumbs-Ups: Bonds forged online are strengthened by LJ's email notifications for commenting. If someone comments on your blog, an email will inform you of it. Additionally, an email will be sent to you if your comment on someone else's LJ receives a reply, whether it's from the blog owner or another blogger.

Thumbs-Down: LJ isn't easy to customize. Some features offered for free by other blog hosts are only for LJ members with paid accounts.

Be In Vogue at Xanga

Teenagers seem to be enamored with Xanga. If you want a blogging process that’s easy and stylish at the same time, Xanga is the blog host for you.

Thumbs-Ups: Besides having community-based blogging, each post allows you to inform your readers what you’re reading, watching or playing. You can also upload photos, music and write categorized reviews. A guest book is automatically offered to users.

Thumbs-Downs: Although Xanga allows users to use RSS feeds, it takes time to properly integrate them into their blogs. The layout options are limited, the URL for members is a mouthful and commenting is reserved for Xanga members only.


Which blog hosting site do you plan to choose? Wherever you end up blogging, we wish you well! Blog on!

Security Techniques for PHP

With more and more personal information being stored on the Web—credit card data, social security numbers, maiden names, favorite pets—today's PHP developer cannot afford to be ignorant when it comes to security. Sadly, most beginning programmers fail to understand the truth about security: there is no such thing as "secure" or "insecure." The wise programmer knows that the real question is how secure a site is. Once any piece of data is stored in a database, in a text file, or on a Post-it note in your office, its security is compromised. The focus in this chapter is therefore how to make your applications more secure.

This chapter will begin by rehashing the fundamentals of secure PHP programming. These are the basic things that I hope/assume you're already doing. After that a quick example shows ways to validate different kinds of data that might come from an HTML form. The third topic is the new-to-PHP 5 PECL library called Filter. Its usage isn't very programmer-friendly, but the way it wraps all of the customary data filtering and sanitizing methods into one interface makes it worth knowing. After that, two different uses of the PEAR Auth package show an alternative way to implement authorization in your Web applications. The chapter will conclude with coverage of the MCrypt library, demonstrating how to encrypt and decrypt data.

Remembering the Basics

Before getting into demonstrations of more particular security techniques, I want to take a moment to go over the basics: those fundamental rules that every PHP programmer should abide by all of the time.

To ensure a basic level of security

  1. Do not rely upon register_globals.

    The advent of register_globals once made PHP so easy to use, while also making it less secure (convenience often weakens security). The recommendation is to program as if register_globals is off. This is particularly important because register_globals will likely disappear in future versions of PHP.

  2. Initialize variables prior to using them.

    If register_globals is still enabled—even if you aren't using them—a malicious user could use holes created by noninitialized variables to hack your system. For example:

    if (condition) {
        $auth = TRUE;
    }

    If $auth is not preset to FALSE prior to this code, then a user could easily make themselves authorized by passing $_GET['auth'], $_POST['auth'], or $_COOKIE['auth'] to this script.
  3. Verify and purify all incoming data.

    How you verify and purify the data depends greatly upon the type of data. You'll see many different techniques in this chapter and the book.

    Avoiding Mail Abuses

    A security concern exists in any Web application that uses the mail() function with form data. For starters, if someone enters their "to" email address as someone@example.com,someone.else@example.com, you'll now be sending two emails. If a malicious user enters 500 addresses (perhaps by creating their own form that submits to your same page), you're now sending out spam! You can avoid this by using regular expressions to guarantee that the submitted value contains just one address. Or you could search for a comma in the submitted email address, which wouldn't be allowed. But that won't solve the problem entirely.

    Although the mail() function takes separate arguments for the "to" address, "from" address (or other additional headers), subject, and body, all four values are put together to create the actual message. By submitting specifically formatted text through any of these inputs, bad people can still use your form to send their spam. To guard against this, you should watch for newline (\n) and carriage returns (\r) within the submitted data. Either don't send emails with these values or replace them with spaces to invalidate the intended message format. You should probably also make sure that you (or someone involved with the site) receives a copy of every email sent so that close tabs can be kept on this area of the server.

  4. Be careful if you use variables for included files.

    If your code does something like


    then you should either make sure that $page does not come from an outside source (like $_GET) or, if it does, that you've made certain that it has an appropriate value. See the technique in Chapter 2, "Developing Web Applications."

  5. Be extra, extra careful when using any function that runs commands on the server.

    This includes eval(), exec(), system(), passthru(), popen(), and the backticks (``). Because each of these runs commands on the server itself, they should never be used casually. And if you must use a variable as part of the command to execute, perform any and all security checks on that variable first. Also use the escapeshellarg() and escapeshellcmd() functions as an extra precaution.

  6. Consider changing the default session directory or using a database to store session data.

    An example as to how you would do this is discussed in Chapter 3, "Advanced Database Concepts."

  7. Do not use browser-supplied filenames for storing uploaded files on the server.

    When you move a file onto your server, rename it to something safe, preferably something not guessable.

  8. Watch for HTML (and more important, JavaScript) in submitted data if it will be redisplayed in a Web page.

    Use the strip_tags() or similar functions to clear HTML and potential JavaScript from submitted text.

  9. Do not reveal PHP errors on live sites.

    One of the most common ways to hack a site is to try to "break" it—do something unexpected to cause errors—in the hopes that the errors reveal important behind-the-scenes information.

  10. Nullify the possibility of SQL injection attacks.

    Use a language-specific database escaping function, like mysqli_real_escape_string(), to ensure that submitted values will not break your queries.

  11. Program with error reporting on its highest level.

    While not strictly a security issue, programming with error reporting on its highest level can often show potential holes in your code.

  12. Never keep phpinfo() scripts on the server.

    Although vital for developing and debugging PHP applications, phpinfo() scripts reveal too much information and are too easily found if left on a live site.
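The "Avoiding Mail Abuses" part of item 3 describes two problems: a comma-separated "to" value that turns one message into many, and line breaks in any field that let a submitted value add mail headers of its own. The following is an added example (not the book's code) of a contact-form sender that refuses both; the copy address and the sample inputs are placeholders I constructed.

```php
<?php
// Added example, not from the chapter: send a contact-form message only when
// every input is one clean value. SITE_COPY_ADDRESS is a placeholder for whoever
// keeps tabs on outgoing mail, as the text recommends.
define('SITE_COPY_ADDRESS', 'copy@example.com');

/**
 * True when $value is exactly one well-formed address. The explicit character
 * check rejects commas and semicolons (extra recipients) and CR/LF (extra
 * headers) before the format check runs.
 */
function is_single_address($value)
{
    if (!is_string($value) || strlen($value) > 254) {
        return false;
    }
    if (preg_match('/[\r\n,;]/', $value)) {
        return false;
    }
    return filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
}

/** True if $value contains a carriage return or newline. */
function has_line_breaks($value)
{
    return preg_match('/[\r\n]/', $value) === 1;
}

/**
 * Sends the message, or returns false without sending if any input fails.
 * The subject is refused rather than repaired; replacing CR/LF with spaces,
 * as the text also suggests, is the alternative noted inline.
 */
function send_contact_mail($to, $from, $subject, $body)
{
    if (!is_single_address($to) || !is_single_address($from)) {
        return false;
    }
    if (has_line_breaks($subject)) {
        return false; // or: $subject = str_replace(array("\r", "\n"), ' ', $subject);
    }
    // Line breaks are legitimate in the body; keep lines short for the MTA.
    $body = wordwrap($body, 70, "\n", true);

    $headers = 'From: ' . $from . "\r\n"
             . 'Bcc: ' . SITE_COPY_ADDRESS . "\r\n"
             . 'X-Mailer: PHP/' . phpversion();

    return mail($to, $subject, $body, $headers);
}

// Constructed inputs. The second call is the comma case from the text and is
// refused before mail() is ever reached. mail() itself returns false on a
// machine with no mail transport configured.
var_dump(send_contact_mail('user@example.com', 'me@example.com', 'Hello', 'Test message'));
var_dump(send_contact_mail('someone@example.com,someone.else@example.com', 'me@example.com', 'Hello', 'x'));
```

The Bcc header is what gives the site owner the copy of every message the text asks for; because the constant is not user-supplied it cannot be tampered with, and because every other header value has been checked for line breaks nothing can be appended after it.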
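Items 4 and 5 come down to the same rule: a request value may choose among options the developer wrote, but must never become the file or the command itself. This added example (not from the chapter) shows an allowlist lookup for the include case and a fixed program with an escaped argument for the command case; the page map, file paths and the `host` program are my assumptions.

```php
<?php
// Added example, not from the chapter. Part 1: the $page variable from item 4
// is never built from the request; the request value is only a lookup key.
$pages = array(
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
);

/** Returns one of our own filenames, falling back to the default for anything else. */
function resolve_page(array $pages, $requested)
{
    if (is_string($requested) && isset($pages[$requested])) {
        return $pages[$requested];
    }
    return $pages['home'];
}

$page = resolve_page($pages, isset($_GET['page']) ? $_GET['page'] : '');
include $page; // whatever was submitted, $page is a value from the array above

// Part 2 (item 5): the program name is fixed by the developer. Only the argument
// comes from the user, it is checked against the shape of a hostname first, and
// escapeshellarg() then quotes it so shell metacharacters are literal text.
function dns_lookup($hostname)
{
    if (!is_string($hostname) || !preg_match('/^[A-Za-z0-9.-]{1,253}$/', $hostname)) {
        return false;
    }
    $output = array();
    $status = 0;
    exec('host ' . escapeshellarg($hostname), $output, $status);
    return $status === 0 ? $output : false;
}

// Constructed input; a value that fails the pattern returns false without running anything.
var_dump(dns_lookup(isset($_GET['host']) ? $_GET['host'] : 'example.com'));
```

The pattern check is the important layer: escapeshellarg() keeps the shell from interpreting the value, but it does not stop the program itself from receiving something it was never meant to see, so restrict the value to what the program legitimately accepts and treat the escaping as the extra precaution the text calls it.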
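Item 7 says to rename uploads to something safe and not guessable. As an added example (not the book's code), the function below accepts an image upload, decides the file type from the file's contents rather than the browser's claim, and stores it under a random name with an extension the server chose; the upload directory and form field name are assumptions.

```php
<?php
// Added example, not from the chapter. UPLOAD_DIR is a placeholder; keep it
// outside the document root so stored files are served through a script, not directly.
define('UPLOAD_DIR', '/var/www/uploads');

// Types we accept, mapped to the extension we will assign.
$allowed = array('image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif');

/** Returns the generated filename on success, false otherwise. */
function store_upload(array $file, array $allowed)
{
    // Only handle files that actually came through PHP's upload mechanism.
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return false;
    }
    // Detect the type from the bytes; $file['type'] and $file['name'] are browser-supplied.
    $info = getimagesize($file['tmp_name']);
    if ($info === false || !isset($allowed[$info['mime']])) {
        return false;
    }
    // 128 random bits is not guessable; random_bytes() is PHP 7+, the fallback is PHP 5.3+.
    $random = function_exists('random_bytes') ? random_bytes(16) : openssl_random_pseudo_bytes(16);
    $name = bin2hex($random) . '.' . $allowed[$info['mime']];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return false;
    }
    chmod($dest, 0644); // readable, never executable
    return $name; // record this, and the original $file['name'] for display only, in the database
}

if (isset($_FILES['photo'])) {
    $stored = store_upload($_FILES['photo'], $allowed);
    echo $stored === false ? 'Upload rejected' : 'Stored as ' . htmlspecialchars($stored);
}
```

The browser-supplied name is kept only as a display label in the database; nothing about it ever reaches the filesystem, which is what rules out path tricks and guessable URLs in one step.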
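Items 8 and 10 are two sides of the same idea: data is escaped for the context it is entering, once for SQL and again for HTML. This added example (not the chapter's code) is a small comment form that stores input with a mysqli prepared statement, the stricter alternative to the escaping function item 10 names, and escapes it with htmlspecialchars() when redisplayed; the connection details and table layout are assumptions.

```php
<?php
// Added example, not from the chapter. Connection details are placeholders;
// the comments table is assumed to have columns author, body and posted.
$db = new mysqli('localhost', 'app_user', 'placeholder-password', 'app_db');
if ($db->connect_errno) {
    die('Database unavailable'); // not $db->connect_error: item 9 applies to live sites
}

/** Inserts a comment. Placeholders send the values apart from the SQL text. */
function save_comment(mysqli $db, $author, $text)
{
    $stmt = $db->prepare('INSERT INTO comments (author, body, posted) VALUES (?, ?, NOW())');
    if ($stmt === false) {
        return false;
    }
    // Quotes, semicolons or comment markers in $text stay data; they cannot alter the statement.
    $stmt->bind_param('ss', $author, $text);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

/** Returns the newest comments as arrays of author and body, raw as stored. */
function fetch_comments(mysqli $db, $limit)
{
    $stmt = $db->prepare('SELECT author, body FROM comments ORDER BY posted DESC LIMIT ?');
    if ($stmt === false) {
        return array();
    }
    $stmt->bind_param('i', $limit);
    $stmt->execute();
    $stmt->bind_result($author, $body);
    $rows = array();
    while ($stmt->fetch()) {
        $rows[] = array('author' => $author, 'body' => $body);
    }
    $stmt->close();
    return $rows;
}

/** Escapes a string for HTML text or a quoted attribute (item 8). */
function h($s)
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $author = isset($_POST['author']) ? trim($_POST['author']) : '';
    $text   = isset($_POST['text'])   ? trim($_POST['text'])   : '';
    if ($author !== '' && $text !== '' && strlen($author) <= 60 && strlen($text) <= 4000) {
        save_comment($db, $author, $text);
    }
}

foreach (fetch_comments($db, 20) as $row) {
    // Stored as typed, escaped at output: a <script> tag in a comment renders as visible text.
    echo '<p><b>' . h($row['author']) . '</b>: ' . nl2br(h($row['body'])) . "</p>\n";
}
```

Storing the raw text and escaping on output, rather than running strip_tags() on the way in, keeps the data intact for other uses (an RSS feed, an email notification) that each need their own escaping; strip_tags() remains the right choice when the application genuinely never wants markup stored at all.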
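Items 9 and 11 are not in tension: report every error (item 11) but show none of them to visitors (item 9). As an added example (not from the book), the two settings blocks below put the development and live configurations side by side; these belong in php.ini or the server configuration on a real site, and the log path is a placeholder.

```php
<?php
// Added example, not from the chapter: error settings for development versus a
// live site, written with ini_set() so both appear in one file. The log path
// is a placeholder and should sit outside the web root.

// Development (item 11): report everything, and show it on screen while coding.
if (getenv('APP_ENV') === 'development') {
    error_reporting(E_ALL);
    ini_set('display_errors', '1');
    ini_set('display_startup_errors', '1');
} else {
    // Live (item 9): still report everything, but only to a log visitors cannot read.
    error_reporting(E_ALL);
    ini_set('display_errors', '0');
    ini_set('display_startup_errors', '0');
    ini_set('log_errors', '1');
    ini_set('error_log', '/var/log/php/app-errors.log');
}

// A deliberate notice (undefined variable) to show the difference: on a live
// site it lands in the log, in development it appears in the page.
echo $undefined_variable;
```

The switch on an environment variable is an assumption about how the two deployments are told apart; the point is that error_reporting stays at E_ALL in both, so the holes item 11 talks about are still logged in production instead of silently ignored.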