Archive for February, 2007
Google Experimenting with AdSense
by John Hok on Feb.26, 2007, under JohnHok.com
Chances are, if you’re reading my blog, you probably know about Google AdSense already.
“Google AdSense is a fast and easy way for website publishers of all sizes to display relevant Google ads on their website’s content pages and earn money.” - Quoted from the Google AdSense homepage
The major reason Google AdSense has been such a big success is that it is very easy for publishers to integrate the content-based ads into their existing site. The ads fit easily because the colours of the ad unit and the text can be changed to match the site. This has presented Google with a problem. Sometimes the units are so well integrated that visitors find it hard to distinguish the site’s content from the advertising units, and as a result some of the visitors who click the ads are not genuinely interested in the advertiser’s site. Advertisers, who pay Google per click, are losing out because the visitors AdSense draws this way are not genuine; they clicked because they were confused.
So what is Google’s solution? It incorporates unique branding styles into its ads to distinguish them more clearly from the publisher’s page, and experiments with different ad styles from time to time. Probably the most famous ad branding Google has done, and one I’m sure you have seen, is “Ads by Goooooooooogle”. That probably worked for a while, but eventually “ad blindness” kicks in and users don’t really notice it anymore.
So Google has gone back to the drawing board and here are just some of the variations I have spotted around the Internet and my own websites.
Visual Guides
by John Hok on Feb.25, 2007, under JohnHok.com
If you haven’t noticed already, I have added some visual “guides” at two points of my WordPress template. The first is the calendar icon beside the date of each of my posts. The second visual guide is the comments icon.
These might seem like small changes, but often it is these tiny details that are overlooked. Changes as small as adding some visual guides, in the form of icons, can make a big difference for readers. I think the icons draw your eyes to these areas and help bring the reader’s attention to the comments link for each blog entry, while at the same time not being overwhelming.
The important thing to keep in mind when making changes in your designs is to take small steps in improving your design and always remain open to user feedback on the changes you’ve made.
This is a Call Out to Those ‘Programmers’
by John Hok on Feb.24, 2007, under JohnHok.com
Often we take for granted the things programmers make. We freely install plugins and content management systems with little regard for how they were built or the knowledge of the programmer who built them. I have to admit that I am guilty of this as well. The dangers become evident when you consider how many of these plugin programmers actually know (or don’t know) the basics of security when working with databases.
I feel compelled to call out all those programmers who freely distribute code with little regard for the security of those who may be using it. There are just too many amateur programmers who don’t know the basics of security and of properly filtering user input. You are putting the people who use your code at risk, and depending on your carelessness or lack of knowledge it can prove costly for them. Research what you’re doing a little, for everyone’s sake. I’m not here to bash all programmers, only those who are careless in what they do. I applaud those who want to help others by creating these plugins, but please consider what you’re doing and the security implications it may have for the end user.
Comment Karma is a plugin I recently came across while browsing John Chow’s blog. I downloaded it to see how it worked and quickly saw the total disregard for basic security. The plugin submits each ‘karma’ vote through a JavaScript call like the following:
javascript:karma('10314', 'subtract', 'www.cyber-knowledge.net/blog/wp-content/plugins/ck-karma/', 'wp_')
So right away I know that the table prefix for this user’s WordPress installation is “wp_”. That is nothing big, but it is unnecessary information nonetheless. The big chink in the armour is how this data is processed: it is passed along to a file called ck-processkarma.php. This is an excerpt from that file:
$k_id = $_GET['id'];
$k_action = $_GET['action'];
$k_path = $_GET['path'];
$k_prefix = $_GET['prefix'];
$table_name = 'wp_ck_karma';
if($k_id && $k_action && $k_path && $k_prefix){
    //Check to see if the comment id exists and grab the rating
    $table_name = $k_prefix . 'ck_karma';
    $query = "SELECT * FROM `$table_name` WHERE ck_comment_id = $k_id";
Instantly I see:
$k_id = $_GET['id'];
The user input is assigned straight to a variable without being validated or filtered, and it flows unchanged into the MySQL query. I’m not saying I’m a pro programmer at the age of 17, but come on. This is basic SQL injection we’re talking about here! Let me modify the JavaScript input to show how dangerous this is:
javascript:karma('10314 OR 1=1', 'subtract', 'www.cyber-knowledge.net/blog/wp-content/plugins/ck-karma/', 'wp_')
So now, when the JavaScript call is processed, the MySQL SELECT query will look like this:
$query = "SELECT * FROM wp_ck_karma WHERE ck_comment_id = 10314 OR 1=1";
Of course 1 always equals 1 (or at least in my world). Then finally, when the actual UPDATE query is run:
$query = "UPDATE wp_ck_karma SET ck_rating = '-1', ck_ips = 'xxx' WHERE ck_comment_id = 10314 OR 1=1";
This updates every karma rating in the table to -1 (bad karma), because the WHERE clause is true for every row.
The risk I’ve shown in this example is only a mild one. Whether the same hole can be pushed as far as a DROP TABLE depends on how the query is sent: PHP’s mysql_query(), which is what WordPress’s own database layer used, runs exactly one statement per call, so a second statement appended after a semicolon is refused rather than executed. But the hole is not limited to the id either; the ‘prefix’ parameter in the excerpt is just as unfiltered and is concatenated straight into the table name, so whoever calls the script chooses which table it operates on. So this is why I’m calling out these ‘programmers’. People are using these things without knowing the security implications these scripts carry. These plugins are being installed on popular blogs and you are putting those people at risk, so for the sake of those who use your scripts please, please take some SQL Injection 101 courses at your local community college or visit your best friend.
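To make the effect concrete, here is the logic of the ck-processkarma.php excerpt rebuilt in Python against an in-memory SQLite table, next to a hardened version. This is an added example and not the plugin’s own code; the table layout, the three sample ratings, the IP value and the add/subtract rating arithmetic are assumptions made for the demo. The vulnerable function concatenates the request values into SQL exactly as the excerpt does; the hardened one insists on an integer id, a known action, a server-side table name and bound parameters.

```python
# Added example, not the Comment Karma plugin's own code: the logic from the
# ck-processkarma.php excerpt rebuilt in Python on an in-memory SQLite table,
# so the effect of the unfiltered 'id' can be observed next to a hardened
# version. Table layout, ratings and the IP value are constructed for the demo.
import re
import sqlite3

TABLE = "wp_ck_karma"  # prefix 'wp_' + 'ck_karma', as in the excerpt
SEED_ROWS = [(10314, 3, ""), (10315, 5, ""), (10316, 2, "")]  # constructed sample data


def make_db():
    """Fresh in-memory database holding three comment ratings."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {TABLE} (ck_comment_id INTEGER, ck_rating INTEGER, ck_ips TEXT)")
    conn.executemany(f"INSERT INTO {TABLE} VALUES (?, ?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def karma_vulnerable(conn, k_id, k_action, k_prefix="wp_", ip="203.0.113.7"):
    """Mirrors the excerpt: request values are concatenated straight into SQL.
    Returns the number of rows the UPDATE touched."""
    table_name = k_prefix + "ck_karma"  # the prefix comes from the request as well
    query = f"SELECT * FROM `{table_name}` WHERE ck_comment_id = {k_id}"
    row = conn.execute(query).fetchone()
    if row is None:
        return 0
    new_rating = row[1] + (-1 if k_action == "subtract" else 1)  # assumed arithmetic
    query = (f"UPDATE `{table_name}` SET ck_rating = '{new_rating}', ck_ips = '{ip}' "
             f"WHERE ck_comment_id = {k_id}")
    cur = conn.execute(query)
    conn.commit()
    return cur.rowcount


def karma_hardened(conn, k_id, k_action, ip="203.0.113.7"):
    """The same operation with the input handled properly."""
    # 1. The comment id must be a plain integer (intval() in PHP); anything else is rejected.
    if not re.fullmatch(r"[0-9]+", str(k_id)):
        raise ValueError("id must be an unsigned integer")
    comment_id = int(k_id)
    # 2. The action is a closed set.
    if k_action not in ("add", "subtract"):
        raise ValueError("unknown action")
    # 3. The table name is server-side configuration, never a request parameter.
    # 4. Values travel as bound parameters, so the SQL text itself never changes.
    row = conn.execute(f"SELECT ck_rating FROM {TABLE} WHERE ck_comment_id = ?",
                       (comment_id,)).fetchone()
    if row is None:
        return 0
    new_rating = row[0] + (-1 if k_action == "subtract" else 1)
    cur = conn.execute(f"UPDATE {TABLE} SET ck_rating = ?, ck_ips = ? WHERE ck_comment_id = ?",
                       (new_rating, ip, comment_id))
    conn.commit()
    return cur.rowcount


def ratings(conn):
    """Current (comment_id, rating) pairs, for inspecting what a vote changed."""
    return conn.execute(f"SELECT ck_comment_id, ck_rating FROM {TABLE} ORDER BY 1").fetchall()


if __name__ == "__main__":
    print("normal vote, vulnerable:  ", karma_vulnerable(make_db(), "10314", "subtract"), "row(s)")
    print("injected vote, vulnerable:", karma_vulnerable(make_db(), "10314 OR 1=1", "subtract"), "row(s)")
    print("normal vote, hardened:    ", karma_hardened(make_db(), "10314", "subtract"), "row(s)")
    try:
        karma_hardened(make_db(), "10314 OR 1=1", "subtract")
    except ValueError as err:
        print("injected vote, hardened:   rejected ->", err)
```

Run stand-alone, the vulnerable path reports one row for the honest vote and three rows for the `10314 OR 1=1` vote, which is the whole table; the hardened path reports one row and refuses the injected id before any SQL is built. The integer check alone would stop this particular payload, but the bound parameters are what protect the other fields (the IP string and anything added later), so both belong in the fix.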
*Update: This has now been fixed by the plugin author.
Welcome to JohnHok.com
by John Hok on Feb.23, 2007, under JohnHok.com
So who exactly is John Hok? John Hok is your worst nightmare. John Hok is your most feared enemy. John Hok is a kid on a journey through the tubes that make up the Internet?
Well, it goes something like this. I’m just a 17 (soon to be 18) year old kid who has grown to have an absolutely huge fascination with the Internet and with the things that go on in the technology industry in general. I’m a web developer, I’m a web designer, and I’m a webmaster. I code, design, and manage many different types of web properties (websites). Starting out small and finding a unique twist for each of my web properties is how it begins; but enough about my online life.
Guess what? I’m from Canada, Winnipeg, Manitoba to be exact. I’m almost graduating from high school? That’s right, so what do I have planned for the coming years? Toronto, Ontario has always been a city that interested me, so I plan to attend the University of Toronto to study Computer Science. Can my life get any geekier? Possibly, but that’s for you to find out. Check out the blog, leave me some comments (and I’ll comment back if you have a blog), and I hope you enjoy the ride.