
A simple way to password protect your Magento store

This post will describe a simple technique to secure your Magento virtual host with basic HTTP password protection provided by Apache. This can be useful if you want to keep users away from the webstore during development, or if you sell products wholesale and do not want unauthorized users to view your catalog/pricing.

To be very clear from the outset, this technique uses basic HTTP authentication, which if used over HTTP (rather than HTTPS) affords no security for the passwords while they are in transit across the internet. If you are interested, you can learn more about the limitations of basic access authentication. As a simple mechanism for keeping people out of a site, it will do just fine. If you store your nuclear missile access codes in a Magento store database, do not use this technique to protect them, please.

Normally when I’m developing a new site I just use virtual hosting and a modified operating system hosts file to prevent people visiting it while it’s in development. I realize that’s not really security, more obscurity, but it has worked fine for me in the past.

Recently I have had a need to more fully protect a site, but also to make it public via DNS records. In a nutshell, the steps required are: configure virtual hosting for your webstore, configure Apache authentication, set up a user/password, and reload Apache. I’ll run through everything in detail below.

How to use the MAMP Mysql command line client in a terminal

Coming from a Linux background, one of the things I didn’t like about MAMP was the way it hid away the mysql command line interface. Once you are comfortable using it, the CLI is a powerful and quick method of interacting with a mysql server. I just wanted to share a quick and easy way to access the MAMP mysql command line client on Mac OS X.

Firstly, you can open the Mac OS X Terminal easily by pressing:

ctrl + space bar (to access Spotlight)

Then start typing ‘Terminal’; before you have even finished, the little Apple gnomes will have guessed you want to open the Terminal (which of course you do). Start the Terminal by hitting enter when Spotlight highlights the Terminal app.

Now that you are in a Terminal you are able to do all sorts of excellent things to your Mac. For now though, we’ll stick to running the mysql client. The client is located in /Applications/MAMP/Library/bin, so to run it (as root, prompting for the password) execute this command:

/Applications/MAMP/Library/bin/mysql -uroot -p


Top 3 Solutions when your Magento Categories are not displaying

Here are 3 quick solutions to try if you do not see your Magento store categories after a fresh install of Magento or an upgrade to the latest version. I wanted to post this because I just recently helped install Magento for someone (one of my 5 free Magento installations) and experienced this. The installation was the latest Magento version, 1.2.1.2, and product categories did not show up on the frontend after they were added in the administration interface.

The top 3 solutions to this in my experience are:

  1. The categories were not added as sub-categories of the Default (root) category.
  2. The Magento store configuration has no default category set.
  3. The category cache requires a refresh.

I’ll cover each of these points in more detail with screenshots, so that if you are having trouble with your categories not showing up you can hopefully solve the problem.


shuffle() or: How I Learned to Stop Worrying and Love PHP

I have said some not very nice things about PHP on this blog, and I’m sure over time I’ll be adding more such criticisms. This time I’d like to highlight a handy little feature in PHP, one that is a great deal easier to use than its Java counterpart.

Shuffling the elements in an array is probably a programming exercise in every single 1st year computer science textbook. It’s easy enough to do, but because it’s been done roughly 100 million times before, it feels moronic doing it again. So it’s nice when programming languages offer it as standard language functionality. PHP does by way of the shuffle() function, and Java by the Collections.shuffle() static method. Seems simple enough, except that an array is not a Collection in Java. So you can’t take your int[] and shuffle the elements quite so easily.

If you have an Integer[] in Java you can just pass it into Arrays.asList(array), get the collection and shuffle it. Uh oh, I said Integer[], which sadly is not the same as an int[]! So the difference between the two means I’m going to need to convert all the elements of the int[] into an Integer[] before I can shuffle it. Geez, if I have to iterate the list once to convert the type, I may as well just not put them back where I found them!

So this is me admitting there is an advantage to a dynamic language. I maintain I’d still rather pay the upfront cost of a few extra lines of code here and there for type safety; try getting a PHP IDE to reliably autocomplete instance methods for you when it doesn’t know the type of a variable! Perhaps I need to start using Eiffel.


Magento CSRF attack: A Simple Explanation

Everyone with a Magento store will recently have seen the notification that a possible CSRF attack against the Magento admin interface has surfaced. I thought I would take this opportunity to give a quick overview of CSRF (cross-site request forgery) attacks, particularly how they work against web administration panels such as Magento’s, and ways to protect Magento and other web applications from this sort of attack.

The CSRF Basics

The easiest way to explain the attack is to think about what is happening under the hood when you are navigating a web page. Your browser makes requests to the remote server for content, and to manipulate data stored on the server. In a strict RESTful approach to web applications, your browser will make GET requests when you are reading information and POST or PUT requests when you are creating or updating information.
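The defence that follows from this separation is to accept state changes only via POST, and only when the POST carries a per-session secret that a third-party site cannot read. The following is an added example of that synchronizer-token pattern in plain PHP; it is not code from the original post or from Magento, and it assumes PHP 7 or later with sessions enabled and a single hypothetical admin action handled by this script.

```php
<?php
// Added example: synchronizer-token CSRF protection for a state-changing
// admin request. Not Magento's own code; assumes PHP 7+ (random_bytes,
// hash_equals) and that sessions are available.

session_start();

// One unpredictable token per session, rendered into every form that
// performs a state change (delete product, change price, ...). A forged
// request from another origin cannot read this value.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Compare the submitted token with the session token in constant time.
function csrfTokenIsValid(?string $submitted): bool
{
    if ($submitted === null || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// State changes are accepted only via POST with a valid token. A GET,
// which is all a forged <img src="..."> can produce, never mutates data.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfTokenIsValid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token.');
    }
    // Hypothetical admin action would run here (e.g. delete a product).
    exit('Action performed.');
}
?>
<!-- The form embeds the token; a defender should also log 403s above
     to detect forged submissions hitting the admin panel. -->
<form method="post" action="">
    <input type="hidden" name="csrf_token"
           value="<?= htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') ?>">
    <button type="submit">Delete product</button>
</form>
```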
