Oct

21

The art of using coupon codes instead of sales

By Nickizzle

There’s a secret weapon sitting on most e-commerce platforms out there. It isn’t plastered all over the site but sits rather snugly between the cart and the checkout. I’m talking about the coupon code box…also known as voucher codes, promotion codes, discount codes – I think I’ve seen many more variations too!

Don’t be quick to dismiss it as something you just give to your friends, employees and family – it can actually prove to be a very powerful tool.

Let’s put our hands up – how many of us, looking for a bargain, search around for a coupon code on discount sites when we see the box? The answer “yes” will be a frequent occurrence – maybe even more than you think.

Coupon code

Recent research conducted by Helen Legatt on behalf of Coupon Crazy has shown that 94% of adults have used a coupon code to make an online purchase. As soon as I see the box, I immediately check Hot UK Deals to see if I can get my purchase cheaper!

So I’ve shown how it can be of massive benefit to you as a person when making a purchase, but what about your business?

Whilst I still see sales as an effective tool and something you can target more to specific products, the coupon code also has a lot of potential – let me explain why.

Your customers do the publicity for you!

It’s hard to believe that promoting your store can be this easy, but it is! If you have a good base of users already, it is likely that some of them are using discount sites and will post your codes to these sites on your behalf – otherwise you may have to do it yourself. Send out a newsletter to your existing customers saying something along the lines of “thank you for shopping with us, here’s 20% off your next order – the code is XXX-XXXX-XXX” – if you don’t see your code(s) appearing on discount sites shortly after (a week or 2), just add them yourself.

Even if your products are more expensive than your competitors’, customers who think they are getting such a good deal straight away will be more inclined to make the purchase without checking price comparison sites.

Set an expiry date

Shoppers will always be more inclined to buy something when the pressure’s on. Set an expiry date for a month or two later – you can always run another promotion shortly after.

The research mentioned earlier also shows that a staggering 95% of coupon codes are found to be expired when entered; however, very surprisingly, 57% of these shoppers still go ahead with the purchase…the perfect crime?! Remember though, if you are promoting a coupon code to expire on a certain date – don’t expire it sooner, or you could end up with many unhappy shoppers and a bad reputation.

See an increase in returning customers

Customers feel more valued when you give them an offer that appears tailored to them – in addition to a newsletter, run special promotions for users on social media streams like Twitter and Facebook.

There’s no doubt in my mind that this method of shopping has become more popular and we’ll see many more companies adopting this technique in preference over standard sales – everyone does sales now, they are meaningless – get ahead of the game.

Sep

3

Secure your PHP code – Advanced PHP security tips

By Nickizzle

I’ve done some reading into the steps you need to take to make sure your PHP code is completely hacker proof – but was shocked to learn that some of the main articles that Google was throwing up in the top results don’t cater for a lot of the key points.

Obviously there are literally hundreds of steps you need to be taking to make sure you don’t let hackers into your code, but hopefully using this post combined with others you will be producing water-tight code for as long as you’re a developer!

Assuming you all know the most common practices like making sure you don’t pass important information through a GET or POST value or escaping MySQL strings, I’ll move straight on to some of the more advanced tricks…

Regenerate session ID

It’s not exactly common, but it is possible for a hacker to get hold of your session key – as soon as they do this, they can take over your session and basically control everything that you have permission to on the site. It’s not hard to regenerate the key either, I place the following in my header file:

session_start();
session_regenerate_id(true);

Simple!

Check User Agent

Another simple thing to do: verify the user agent. On the rare occasion where the hacker does actually obtain your session key and gain access, this simple bit of code will throw them off course should they attempt to do this from another browser.

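// Fingerprint the browser; the header can be missing, so default to ''.
$ua = md5(isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '');

if(!isset($_SESSION['ua'])) {
    // First request of the session: remember the fingerprint.
    $_SESSION['ua'] = $ua;
} else {
    if($_SESSION['ua'] !== $ua) {
        // Fingerprint changed mid-session: end it without saying why.
        echo "...exiting. Please contact site admin.";
        session_destroy();
        exit();
    }
}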

If the user agent suddenly changes, it will exit. Try to avoid mentioning that the User Agent has changed in your exit message.

Don’t leave old files in the directory

It is bad practice to copy and paste a file into the same directory to make a backup – I suppose this is a simple tip, but it happens too much for me to ignore it. If you need to make a backup of a file, use Volume Shadow Copies or copy them into another directory that you are 100% certain won’t be uploaded.

A common method hackers use to try and gain entry into a site is to try different variations of a file name, hoping to find an older copy. Older, earlier code (from before you reviewed it and patched up any noticeable flaws) will most likely have more security flaws. To try and access a file like “admin.php” they may try combinations like “admin1.php”, “admin_backup.php” or “adminx.php” – just don’t leave yourself open to this vulnerability!!
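A check for the leftover copies described above, as an added example that is not code from the original post: it walks a web root and lists files that look like backups of a neighbouring file. The suffix list, the function name and the demo file names are assumptions for illustration.

```php
<?php
// Added example: list files in a web root that look like leftover copies.
// The suffix list and the demo tree are constructed for illustration.

function find_stray_copies(string $webRoot): array
{
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($webRoot, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $name = $file->getFilename();
        // Editor and backup extensions such as admin.php.bak or admin.php~
        if (preg_match('/(\.(bak|old|orig|save|swp)|~)$/i', $name)) {
            $hits[] = $file->getPathname();
            continue;
        }
        // Names like admin1.php, admin_backup.php or adminx.php that sit
        // next to an existing admin.php
        if (preg_match('/^(.+?)(\d+|x|[_-]?(backup|copy|old))\.php$/i', $name, $m)
            && is_file($file->getPath() . '/' . $m[1] . '.php')) {
            $hits[] = $file->getPathname();
        }
    }
    sort($hits);
    return $hits;
}

// Constructed demo tree in a temp directory, so the script runs offline.
$root = sys_get_temp_dir() . '/stray_demo_' . bin2hex(random_bytes(4));
mkdir($root);
foreach (['admin.php', 'admin1.php', 'admin_backup.php', 'adminx.php',
          'index.php', 'config.php.bak'] as $f) {
    file_put_contents("$root/$f", "<?php // demo\n");
}
print_r(array_map('basename', find_stray_copies($root)));

// Clean up the demo tree.
array_map('unlink', glob("$root/*"));
rmdir($root);
```

Treat the output as a review list: a legitimate file such as page2.php beside page.php will also be reported.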

Give session keys hard to guess names

I’m talking a lot about sessions aren’t I? Well they are one of the key things to get hijacked when a hacker attempts to take over a site.

Don’t give your session a name like $_SESSION['auth'] – give it something harder to guess, generate a random key and place that in instead, like $_SESSION['2j50dss8'] or something.

There is a problem with that though, it can become quite tedious to remember/keep track of all your session keys, especially when it comes to using them often. The way I combat this problem is by first defining “KEY” in the header:

define("KEY","2j5odss8");

Later on you can use this key when setting or getting a session variable. This means you can give it a more meaningful name, just don’t publish the unique key to anyone!

$_SESSION[KEY]['auth']

Try to sha1 these variables where you can too, for safe storage – which leads me on to my next point:

Don’t use md5

It’s been cracked! There are numerous websites out there that allow you to paste in an md5 hash – the site puts it into a queue and later returns the original value!

I use sha1 instead, but it’s advisable to also use a salt to strengthen the hash further.

A salt is simply a randomly defined (and stored) value appended to the string you are hashing.
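The salt described above, as an added example that is not code from the original post: a random per-user salt stored beside a SHA-1 digest, shown next to PHP's built-in password_hash(), which generates and embeds the salt itself. The function names and the sample password are constructed for illustration.

```php
<?php
// Added example; function names and the sample password are illustrative.

// Salted SHA-1 as the post describes: a random salt, stored with the hash
// and appended to the string before hashing.
function make_salted_sha1(string $password): array
{
    $salt = bin2hex(random_bytes(16));   // 32 hex characters, unique per user
    return ['salt' => $salt, 'hash' => sha1($password . $salt)];
}

function check_salted_sha1(string $password, array $stored): bool
{
    // hash_equals() compares in constant time, unlike == or !=.
    return hash_equals($stored['hash'], sha1($password . $stored['salt']));
}

// PHP's own password API: salt generation, the storage format and a slow
// algorithm are handled for you; the salt is embedded in the returned string.
function make_password_hash(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

$sample = 'correct horse battery staple';   // constructed sample input

// The same password hashed twice gets two different salts, so a lookup
// site cannot match both digests against one precomputed entry.
$a = make_salted_sha1($sample);
$b = make_salted_sha1($sample);
var_dump($a['hash'] === $b['hash']);
var_dump(check_salted_sha1($sample, $a));
var_dump(check_salted_sha1('wrong guess', $a));

$stored = make_password_hash($sample);
var_dump(password_verify($sample, $stored));
var_dump(password_verify('wrong guess', $stored));
```

For stored passwords, password_hash() is the stronger choice of the two because SHA-1 is fast to compute even when salted.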

Use AJAX wisely

Last, but not least – well, not entirely a PHP tip either!

Make sure that any session checks in the admin area, etc. are also applied to the AJAX files it calls – something often overlooked…it is just as easy for hackers to use a file called by AJAX to gain access as it is with any other file; just because they don’t see the name of the file in the URL bar doesn’t mean they can’t view-source the current page to find out what it’s calling, or see it in Firebug!

session_start();
session_regenerate_id(true);
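One way to apply the same session check to admin pages and to the files they call by AJAX, as an added example that is not code from the original post. The file name auth_guard.php, the functions, the endpoint named in the comments and /login.php are hypothetical; KEY and the 'auth' entry follow the post's own session naming.

```php
<?php
// auth_guard.php: hypothetical shared include (added example).
// Require it at the top of every admin page AND every file called via AJAX,
// for example in a hypothetical ajax/delete_user.php:
//     require __DIR__ . '/../auth_guard.php';
//     require_auth();

if (!defined('KEY')) {
    define('KEY', '2j5odss8');   // the post's session key constant
}

function is_ajax_request(): bool
{
    // Header set by most JavaScript libraries. It only selects the response
    // format; it is never used to decide whether access is allowed.
    $with = $_SERVER['HTTP_X_REQUESTED_WITH'] ?? '';
    return strtolower($with) === 'xmlhttprequest';
}

function require_auth(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!empty($_SESSION[KEY]['auth'])) {
        return;                           // logged in: carry on
    }
    if (is_ajax_request()) {
        // Scripts expect data, so answer with a status code and JSON.
        http_response_code(401);
        header('Content-Type: application/json');
        echo json_encode(['error' => 'not authenticated']);
    } else {
        header('Location: /login.php');   // hypothetical login page
    }
    exit();
}
```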