Copyright © 2002 - MCS Investments, Inc.

PSBs, social networking, social evolution, microcommunities, personal status boards
PSBs, social networking, business personal status boards
website design, ecommerce solutions
website menus, buttons, image rotators
Ez-Architect, home design software
the magic carpet and the cement wall, children's adventure book
the squirrel valley railroad, model railroad videos, model train dvds
the deep rock railroad, model railroad videos, model train dvds

MC (Microcommunity) Search and Match — Security

So what is an MC and why would anyone want to search it, register for it, or even hear about it? See for yourself: MCs (Microcommunities). They are the key to social enhancement and community enrichment on a scale undreamed of on the social networking sites and chat rooms that are—in comparison—a pale imitation of real connectedness and successful community functioning.

The search and match script has been specifically designed for MCs (Microcommunities), but it will work for any group-matching purpose. Part of the security of this script is in the script itself, and part depends on the input filtering done in Register Group with Captcha (the profile data filtering script) and in the questionnaire data filtering script, and on the hashing, salting and named-constant checking in the config.php script, Configure File for Database Connection.

The scripts below are the security-related parts of match.php.

The first section is at the start of the script. First, we use the checkid.php script to ensure that the session id variable is set, and send the user to register-with-captcha.php if it is not. Then we put the session variable 'username' into $U—we will be checking that it is set in a second. Then we define a named constant '_NODIRECTACCESS'. We include the config.php file (in the includes folder), which uses the PHP defined() function to check for this constant. If it is not defined, we are thrown out of the config.php file like yesterday's trash.

Next we check if the session variables 'groupname', 'username', and 'userid' are set. If not, we are sent to the login-to-mc.php script. We make sure $U is still equal to the session variable 'username', that it is not an empty string, and that it's at least 6 characters long or . . . you guessed it . . . the login script. We make sure the session id is set and send them away if not.

The reason we are willing to use JavaScript to send visitors away is that none of our scripts will work without it. One cannot register, enter data, get from here to there, etc., in most of our scripts without it. What serious web surfer turns off JavaScript? In case you were not aware, many sites rely totally on JavaScript for menu functioning and some of their scripts. And what about data entry? In case you didn't know it, it is a huge convenience for the user because of the way it does input validation. A good site will validate in JavaScript as well as PHP. When the JavaScript data validation script catches unacceptable input, it can simply send focus to the input box where the bad input happened, the user fixes it, and the script is submitted. But if JavaScript is disabled, the user gets sent to PHP data validation, which catches the bad data and sends the user back to the input form to redo all input from scratch. The JavaScript data validation script will not make a user restart, if well written. If you have experienced restarting data entry in a long form due to an accidental character, you know exactly what we are talking about. It's maddening! And a good way to get users to surf away from your site forever. If a person turns off THE major browser scripting language just because of a minuscule chance of encountering a scripting exploit on some web page, rather than installing good anti-spyware and anti-virus software, his Internet experience overall will be greatly diminished. Many sites have no alternatives to their script-enabled navigation, so the person is 100% screwed on those sites. But even on those with the alternative, it is always cumbersome and awkward. Point taken?


<?php
//copyright (c) 2011 by MCS Investments, Inc. all rights reserved

include_once "checkid.php";            // starts the session and checks the session id
$U = isset($_SESSION['username']) ? $_SESSION['username'] : '';
define('_NODIRECTACCESS', TRUE);       // includes/config.php refuses to run unless this is defined
include_once "includes/config.php";

if (!isset($_SESSION['groupname']) || !isset($_SESSION['userid']) || !isset($_SESSION['username'])
    || $_SESSION['username'] <> $U || $U == "" || strlen($U) < 6 || !isset($_SESSION['sessionid'])) {
    echo '<script language="javascript">alert("Please login."); window.location = "login-to-mc.php";</script>';
    // Stop here: without exit, the rest of match.php would still run and be sent to a client that ignores the script.
    exit;
}
?>
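The same gate enforced on the server side, as an added example that is not code from match.php or from the site's checkid.php or config.php. It assumes session_start() has already run, that login-to-mc.php is the login page named above, and it reconstructs the defined() check the text attributes to config.php.

```php
<?php
// Added example, not taken from match.php or from the site's checkid.php or
// config.php: the same login gate enforced on the server side. Assumes
// session_start() has already run and that login-to-mc.php is the login page.

function mc_deny_direct_access(): void
{
    // The defined() check the text attributes to includes/config.php.
    if (!defined('_NODIRECTACCESS')) {
        http_response_code(403);
        exit('No direct access.');
    }
}

function mc_session_is_valid(array $session): bool
{
    foreach (['groupname', 'userid', 'username', 'sessionid'] as $key) {
        if (!isset($session[$key]) || $session[$key] === '') {
            return false;
        }
    }
    // Same rule as match.php: usernames shorter than 6 characters are rejected.
    return strlen((string) $session['username']) >= 6;
}

function mc_require_login(string $loginPage = 'login-to-mc.php'): void
{
    if (mc_session_is_valid($_SESSION ?? [])) {
        return;
    }
    // A Location header is honoured with JavaScript off and by non-browser
    // clients; the original alert stays as a fallback for anything that is not.
    if (!headers_sent()) {
        header('Location: ' . $loginPage, true, 303);
    }
    echo '<script>alert("Please login."); window.location = '
        . json_encode($loginPage) . ';</script>';
    // Without exit, the rest of the page would still be sent to the client.
    exit;
}

define('_NODIRECTACCESS', true);
mc_deny_direct_access();   // would be the first statement in config.php
mc_require_login();        // everything below this line is for logged-in members only
```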

The reason there is no mysql_real_escape_string() function below is that in the whole script we merely search for data—we do not enter data. Notice that when we UPDATE the MySQL database table, we merely increment database integers. We use no user input in this process, so there are no dangerous characters to escape. On the other hand, in editing or registration or questionnaire scripts, we use mysql_real_escape_string() constantly, as it's the backbone of database security—as we all know.

Below are a few excerpts from the match.php script that illustrate security methods. First there is htmlentities(stripslashes($row['city']), ENT_QUOTES)—a good way to echo data to the page without compromising security. The htmlentities() function converts all applicable characters to HTML entities, since data can potentially contain hacker exploits. This disables these, since HTML entities are considered safe. The stripslashes() function is there to remove any backslashes the mysql_real_escape_string() function may have left in data retrieved from a MySQL database table.

Next we use the PHP substr() function to ensure that the user-entered search data is no longer than it is supposed to be. Then the strip_tags() function dumps any tags that may have been stuck into the search data. Next we use regular-expression patterns as whitelists in the preg_replace() function to ensure ONLY allowable characters get past our filters.

echo "<tr><td colspan='5' style='text-align:center'><b>Location: " . htmlentities(stripslashes($row['city']), ENT_QUOTES) . ", ";
echo htmlentities(stripslashes($row['state']), ENT_QUOTES) . " ";
echo htmlentities(stripslashes($row['zip']), ENT_QUOTES) . "</b></td></tr><br>";

// Search fields from the form (empty string if a field is missing from the POST).
$G = isset($_POST['groupname']) ? $_POST['groupname'] : '';
$C = isset($_POST['city']) ? $_POST['city'] : '';
$S = isset($_POST['state']) ? $_POST['state'] : '';
$Z = isset($_POST['zip']) ? $_POST['zip'] : '';

// Cap each field at the length it is supposed to have.
$G = substr($G, 0, 20);
$C = substr($C, 0, 33);
$S = substr($S, 0, 2);
$Z = substr($Z, 0, 5);

// Whitelist patterns: each matches the characters that are NOT allowed.
$pattern1 = '/[^a-zA-Z\\-\\s]/i';   // city: letters, hyphen, whitespace
$pattern3 = '/[^a-zA-Z0-9\\_]/i';   // group name: letters, digits, underscore
$pattern5 = '/[^0-9]/';             // zip: digits only
$pattern6 = '/[^A-Z]/';             // state: upper-case letters only (no /i flag)
$replacement = '';                  // disallowed characters are deleted, not substituted

// Dump any tags first, then delete everything outside the whitelist.
$G = strip_tags($G);
$C = strip_tags($C);
$S = strip_tags($S);
$Z = strip_tags($Z);

$C = preg_replace($pattern1, $replacement, $C);
$Z = preg_replace($pattern5, $replacement, $Z);
$G = preg_replace($pattern3, $replacement, $G);
$S = preg_replace($pattern6, $replacement, $S);

// Increment the score of every member found by the search; $r is the result of the
// SELECT that precedes this loop (not shown in this excerpt). The id comes from the
// database, not from user input, and is cast to int before it is put in the query.
while ($row = mysql_fetch_array($r)) {
    $ID = (int) $row['id'];
    $sql = "UPDATE mc_members SET score=score+1 WHERE id='$ID'";
    $result = mysql_query($sql);
}
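The filtering described above (length cap, strip_tags(), whitelist preg_replace()) gathered into one function and run over a constructed POST, followed by the filtered values used as bound parameters and encoded once at output time. This is an added example, not code from match.php; the SELECT shape and the mysqli connection $db are assumptions, while the field names, lengths and patterns follow the excerpt above.

```php
<?php
// Added example, not code from match.php: the script's search filters as one
// reusable function, run over a constructed $_POST, and the filtered values
// used as bound parameters. Assumptions: the SELECT shape and the mysqli
// connection $db are hypothetical; table and columns follow the excerpt above.

function mc_filter_search(array $post): array
{
    // field => [max length, pattern matching the characters to delete]
    $rules = [
        'groupname' => [20, '/[^a-zA-Z0-9_]/'],
        'city'      => [33, '/[^a-zA-Z\-\s]/'],
        'state'     => [2,  '/[^A-Z]/'],     // no /i flag, as in match.php
        'zip'       => [5,  '/[^0-9]/'],
    ];
    $clean = [];
    foreach ($rules as $field => [$max, $pattern]) {
        $value = isset($post[$field]) ? (string) $post[$field] : '';
        $value = substr($value, 0, $max);   // length cap first, as in match.php
        $value = strip_tags($value);        // drop any markup
        $clean[$field] = preg_replace($pattern, '', $value);   // whitelist
    }
    return $clean;
}

function mc_find_matches(mysqli $db, array $s): array
{
    // Whitelisted or not, search values go in as parameters, never into the SQL string.
    $stmt = $db->prepare('SELECT id, city, state, zip FROM mc_members'
        . ' WHERE groupname = ? AND city = ? AND state = ? AND zip = ?');
    $stmt->bind_param('ssss', $s['groupname'], $s['city'], $s['state'], $s['zip']);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

function mc_h(string $v): string
{
    // One encoding step at output time, as the script's echo lines do.
    return htmlentities($v, ENT_QUOTES, 'UTF-8');
}

// Constructed input: markup in the city, a quote and a space in the group
// name, a lower-case state code and an over-long zip.
$post = ['groupname' => "hikers' club", 'city' => 'San <b>Jose</b>',
         'state' => 'ca', 'zip' => '95110-1234'];
$s = mc_filter_search($post);
echo mc_h($s['groupname']), ' / ', mc_h($s['city']), ' / ', mc_h($s['state']), ' / ', mc_h($s['zip']), "\n";
```

Note the state field: because the state pattern has no /i flag, a lower-case "ca" is reduced to an empty string rather than being upper-cased, so a form that does not force upper case will silently search with no state at all.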