Drill-down charts allow you to convert individual data plots (columns in column chart, pie slices in pie chart etc) of a chart into hotspots (or links).These items, when clicked, can open new charts and you can navigate between these charts easily.

Read the full tutorial on Creating Interactive Drill-Down Dashboards with PHP and FusionCharts with demo link and downloadable files.

1. One day, I will stop liking my job (i.e. programming). I can imagine programming is the kind of work that can be miserable if you don’t love it.
2. I may have to work on a language/environment that I dislike. (e.g. Java).
3. I may end up in a job where I have to wear suit and a tie. Because I believe that Neckties are simply punishment for wimping out and getting a business degree.
4. I would end up working with another developer who doesn’t actually know what they’re doing, but they believe their way is the best way. And that developer is actually above me in the chain of command, so I have to do things their way.
5. Data Loss. But then they say, you haven’t lived until you’ve dropped a production database.
6. Someone will steal my closed-source code.
7. My code may get posted on TheDailyWTF.
8. Having no Internet. Someday the Internet as we know will cease to exist.
9. My significant other hates computer / programming / gadgets / me-in-front-of-a-computer.
10. Last but not the least, I will die alone.

Thankfully I’ve not had any of these fears realized yet!

Of these, the first is the biggest one. Imagine, getting bored of everything about developing, programming, computers, Internet… I’m afraid that, after investing so many year in programming (15 and counting), we get to that age that, “Please… no more computers!” and then I wonder what will I do.

Getting afraid that even though I have the passion of developing and creating web business applications (that’s what drives me), I’m getting sick of such new versions of programming languages, new ways of doing it, new paradigms, it all come too fast… I can’t know it all as I wanted. I’m exhaust of pursuing the new technologies, takes time to be good at one, and when your good… there are 5 more, 3 of them Upgrades! Hell! But then again… without programming something… what else can I do?

For the uninitiated, WikiLeaks is an international non-profit media organization that publishes submissions of otherwise unavailable documents from anonymous news sources and leaks. And of course, the govt is now after him. Read more about the Cable Leak at Wikipedia.The United States diplomatic cables leak began on 28 November 2010 when the website WikiLeaks and five major newspapers published a cache of confidential documents of detailed correspondences between the U.S. State Department and its diplomatic missions around the world. This is effectively melting down the US Foreign Policy.

.

The amount may be small but that’s what he has done from Indian perspective yet. Fair enough. And ya, something is better than nothing. So, for anyone reading this, please donate now.

1. Programming is an Art.
2. A computer code will always do exactly what you tell it to.
3. Writing the code is the easy part. Writing it so someone else can understand it later is the important part. So, make it work, then make it elegant, then make it fast.

The rules may appear different to different people and all of them may not agree but that’s just how I believe it and those are my two cents.

The Problem

In GBK, 0xbf27 is not a valid multi-byte character, but 0xbf5c is perfectly valid. If interpreted as single-byte characters, 0xbf27 is 0xbf (¿) followed by 0x27 ('), and 0xbf5c is 0xbf (¿) followed by 0x5c ().

So what? Now, if someone wants to attempt an SQL injection attack against a MySQL database, having single quotes escaped with a backslash is a bummer. If you’re using addslashes(), however, he’s in luck. All he need to do is inject something like 0xbf27, and addslashes() modifies this to become 0xbf5c27, a valid multi-byte character followed by a single quote. In other words, he can successfully inject a single quote despite the escaping. That’s because 0xbf5c is interpreted as a single character, and not two. Oops, there goes the backslash.

The Demonstration

To demonstrate, I’m going to use MySQL 5.0 and PHP’s mysqli extension. If you want to try this yourself, make sure you’re using GBK. I just changed /etc/my.cnf, but that’s because I’m testing locally:

[client]
default-character-set=GBK

Create a table called users:

CREATE TABLE users (
 username VARCHAR(32) CHARACTER SET GBK,
 password VARCHAR(32) CHARACTER SET GBK,
 PRIMARY KEY (username)
);

The following script mimics a situation where only addslashes() (or magic_quotes_gpc) is used to escape the data being used in a query:

<?php

$mysql = array();

$db = mysqli_init();
$db->real_connect('localhost', 'myuser', 'mypass', 'mydb');

/* SQL Injection Example */
$_POST['username'] = chr(0xbf) .
 chr(0x27) .
 ' OR username = username /*';
$_POST['password'] = 'guess';

$mysql['username'] = addslashes($_POST['username']);
$mysql['password'] = addslashes($_POST['password']);

$sql = "SELECT *
 FROM   users
 WHERE  username = '{$mysql['username']}'
 AND    password = '{$mysql['password']}'";

$result = $db->query($sql);

if ($result->num_rows) {
 /* Success */
} else {
 /* Failure */
}

?>

So, despite the use of addslashes(), one can log in successfully without knowing a valid username or password. He can simply exploit the SQL injection vulnerability.

This type of attack is possible with any character encoding where there is a valid multi-byte character that ends in 0x5c, because addslashes() can be tricked into creating a valid multi-byte character instead of escaping the single quote that follows. UTF-8 does not fit this description.

The Solution

So what can you do? The solution is to use mysql_real_escape_string(), or use prepared statements, which are supported by nearly all PHP database extensions with the notable exceptions of MySQL (ext/mysql) and SQLite2 (ext/sqlite). So, to be on the safe side, I’d recommend using the PDO interface to talks with those databases or in the case of MySQL using the newer MySQLi (ext/mysqli) extension. Those interfaces provide prepared statement support, which allows for separation between query structure and the query parameters.

It should be noted that while PDO does emulated prepared statements for older versions of MySQL that do not support them natively, emulation is still prone to the same kind of issues demonstrated. Therefore for security reasons you should definitely consider upgrading to a more modern version of MySQL and SQLite (SQLite 3).