Don’t be quick to dismiss it as something you just give to your friends, employees and family – it can actually prove to be a very powerful tool.

Let’s put our hands up – how many of us looking for a bargain, search around for a coupon code on discount sites when they see the box? The answer “yes” will be a frequent occurance – maybe even more than you think.

Recent research conducted by Helen Legatt on behalf of Coupon Crazy has shown that 94% of adults have used a coupon code to make an online purchase. As soon as I see the box, I immediately check Hot UK Deals to see if I can get my purchase cheaper!

So I’ve shown how it can be of massive benefit to you as a person when making a purchase, but what about your business?

Whilst I still see sales as an effective tool and something you can target more to specific products, the coupon code also has a lot of potential – let me explain why.

Your customers do the publicity for you!

It’s hard to believe that promoting your store can be this easy, but it is! If you have a good base of users already, it is likely that some of them are using discount sites already and will post your codes to these sites for your behalf – otherwise you may have to do it yourself. Send out a newsletter to your existing customers saying something along the lines of “thank you for shopping with us, here’s 20% off your next order – the code is XXX-XXXX-XXX” – if you don’t see your code(s) appearing on discount sites shortly after (a week or 2), just add them yourself.

Even if your products are more expensive than your competitors, as customers think they are getting such a good deal straight away – they would be more inclined to make the purchase without checking price comparison sites.

Set an expiry date

Shoppers will always be more inclined to buy something when the pressures on. Set an expiry date for a month or two later – you can always run another promotion shortly after.

The research mentioned earlier also shows that a staggering 95% of coupon codes are found to be expired when entered, however very surprisingly, 57% of these shoppers still go ahead with the purchase…the perfect crime?! Remember though, if you are promoting a coupon code to expire on a certain date – don’t expire it sooner, or you could end up with many unhappy shoppers and bad reputation.

See an increase in returning customers

Customers feel more valued when you give them an offer that appears tailored to them – in addition to a newsletter, run special promotions for users on social media streams like twitter and facebook.

Theres no doubt in my mind that this method of shopping has become more popular and we’ll see many more companies adopting this technique in preference over standard sales – everyone does sales now, they are meaningless – get ahead of the game.

Obviously there are literally hundreds of steps you need to be taking to make sure you don’t let hackers into your code, but hopefully using this post combined with others you will be producing water-tight code for as long as you’re a developer!

Assuming you all know the most common practices like making sure you don’t pass important information through a GET or POST value or escaping MySQL strings, I’ll move straight on to some of the more advanced tricks…

Regenerate session ID

It’s not exactly common, but it is possible for a hacker to get hold of your session key – as soon as they do this, they can take over your session and basically control everything that you have permission to on the site. It’s not hard to regenerate the key either, I place the following in my header file:

session_start();
session_regenerate_id(true);

Simple!

Check User Agent

Another simple thing to do, verify the user agent – in the rare occasion where the hacker does actually obtain your session key and gain access, this simple bit of code will throw them off course should they attempt to do this from another browser

if(!isset($_SESSION['ua'])) {
    $_SESSION['ua'] = md5($_SERVER['HTTP_USER_AGENT']);
} else {
    if($_SESSION['ua'] != md5($_SERVER['HTTP_USER_AGENT'])) {
        echo "...exiting. Please contact site admin.";
        session_destroy();
        exit();
    }
}

If the user agent suddenly changes, it will exit. Try to avoid mentioning that the User Agent has changed in your exit message.

Don’t leave old files in the directory

It is bad practice to copy and paste a file into the same directory to make a backup – I suppose this is a simple tip, but it happens too much for me to ignore it. If you need to make a backup of a file, use Volume Shadow Copies or copy them into another directory that you are 100% certain won’t be uploaded.

A common method hackers use to try and gain entry into a site is by trying different combinations of a file name, which will most likely have more security flaws – something that is more likely to occur in older, earlier code (before you have reviewed your code and patched up any noticeable flaws) – to try and access a file like “admin.php” they may try combinations like “admin1.php”, “admin_backup.php” or “adminx.php” – just don’t leave yourself open to this vulnerability!!

Give session keys hard to guess names

I’m talking a lot about sessions aren’t I? Well they are one of the key things to get hijacked when a hacker attempts to take over a site.

Don’t give your session a name like $_SESSION['auth'] – give it something harder to guess, generate a random key and place that in instead, like $_SESSION['2j50dss8'] or something.

There is a problem with that though, it can become quite tedious to remember/keep track of all your session keys, especially when it comes to using them often. The way I combat this problem is by first defining “KEY” in the header:

define("KEY","2j5odss8");

Later on you can use this key when setting or getting a session variable. This means you can give it a more meaningful name, just don’t publish the unique key to anyone!

$_SESSION[KEY]['auth']

Try to sha1 these variables where you can too, for safe storage – which leads me on to my next point:

Don’t use md5

It’s been cracked! There are numerous websites out there that allow you to paste in an md5 code – it puts it into a queue and later returns the unencrypted value!

I use sha1 instead, but it’s advisable to also use a salt for further enhancements to the encryption.

A salt is simply a randomly defined (and stored) value appended to the string you are encrypting.

Use AJAX wisely

Last, but not least – well, not entirely a PHP tip either!

Make sure that any session checks in the admin area, etc are also applied to the AJAX files it calls – something often overlooked…it is just as easy for hackers to use a file called by AJAX to gain access as it is with any other file; just because they don’t see the name of the file in the URL bar, doesn’t mean they can’t view-source the current page to find out what it’s calling, or see it in firebug!

You’ll be surprised to learn that people can handle a lot more than what the tech-heads think. Hopefully, with a few of these pointers you can learn to work with your customers to achieve a perfect result without a big list of changes at the end!

Customers are not inferior

Just because they don’t understand the in’s and out’s of developing doesn’t mean they can’t understand (at least, with a bit of guidance).

If you take the time to guide and educate them, then you may find the whole process is a lot easier in the long run – your customers will be able to see where you are coming from and you can work to their goals without having to spend weeks refining the end product just because “it didn’t work the way they thought it would.”

Be patient

Simply saying “it won’t work because the server load is too high” isn’t good enough. It takes patience to explain why something can’t be done a certain way and you need to explain it all – if they don’t know what a server is, explain it to them. If they don’t know what memory, etc all are – you need to let them know. Explain it to as greater lengths as you can.

If they still don’t understand, they will most likely just give you a nod and accept that it has to be done your way – simply because you have tried to make the effort to explain as opposed to saying “because I said so.”

Try to avoid Jargon

Most clients will understand what a Hard Drive or Memory is, but make sure they do before you start using terminology like this – maybe throw in a subtle “do you know what that is?” when you say it – but try to avoid sounding patronising.

Make sure they understand

Quite often I’ve had clients or colleagues just nod and pretend they understand just because they don’t like to come across as lacking knowledge. Keep questioning them like with the above “do you know what that is?” and make sure they entirely understand what you are telling them. They won’t feel stupid if you ask them, unless of course you say it after every sentence

Talk to them in person

Don’t e-mail or IM them to explain something, it just won’t work. Meet up with them in person to discuss functionality in more detail, preferrably with the work in question at hand to help visualise your points.

Text just doesn’t work…it doesn’t allow for the fine details and usually results in a lot of assumptions.

So talk to your clients and colleagues, explain things to them fully and you’ll find that in the long run it will save time!

I’ve already wrote my “about me” section so don’t need to fill you in with those details – you can see the page for yourself: who am I?

What will you get out this blog? To be honest, I don’t really know what direction it will end up flowing in – but hopefully the randomness will keep a keen interest. In particular, I want to blog about PHP/AJAX and web technologies – but also motivating a team, marketing and a bit about music (oh I do love it!)