MC (Microcommunity) Search and Match — Security
So what is an MC and why would anyone want to search it, register for it, or even hear about it? See for yourself: MCs (Microcommunities). They are the key to social enhancement and community enrichment on a scale undreamed of on the social networking sites and chat rooms that are—in comparison—a pale imitation of real connectedness and successful community functioning.
The search and match script has been specifically designed for MCs (Microcommunities), but it will work for any group-matching purpose. The security of this script rests partly on the code shown here and partly on three other pieces: the profile-data input filtering in Register Group with Captcha, the questionnaire data filtering script, and the hashing, salting and named-constant checking in config.php (Configure File for Database Connection).
The excerpts below are the security-related parts of match.php.
The first section is at the start of the script. First, we use the checkid.php script to ensure that the session id variable is set, and send the user to register-with-captcha.php if it is not. Then we put the session variable 'username' into $U; we will be checking that it is set in a second. Then we define a named constant '_NODIRECTACCESS'. We include the config.php file (in the includes folder), which uses the PHP defined() function to check for this constant. If it is not set, we are thrown out of the config.php file like yesterday's trash.
Next we check if the session variables 'groupname', 'username', and 'userid' are set. If not, we are sent to the login-to-mc.php script. We make sure $U is still equal to the session variable 'username', that it is not an empty string, and that it is at least 6 characters long or . . . you guessed it . . . the login script. We make sure the session id is set and send them away if not.
The reason we are willing to use JavaScript to send visitors away is that none of our scripts will work without it. One cannot register, enter data, get from here to there, etc., in most of our scripts without it. What serious web surfer turns off JavaScript? In case you were not aware, many sites rely totally on JavaScript for menu functioning and some of their scripts. And what about data entry? In case you didn't know it, it is a huge convenience for the user because of the way it does input validation. A good site will validate in JavaScript as well as PHP. When the JavaScript data validation script catches unacceptable input, it can simply send focus to the input box where the bad input happened, the user fixes it, and the script is submitted. But if JavaScript is disabled, the user gets sent to PHP data validation, which catches the bad data and sends the user back to the input form to redo all input from scratch. The JavaScript data validation script will not make a user restart, if well written. If you have experienced restarting data entry in a long form due to an accidental character, you know exactly what we are talking about. It's maddening! And a good way to get users to surf away from your site forever. If a person turns off THE major browser scripting language just because of a minuscule chance of encountering a scripting exploit on some web page, rather than installing good anti-spyware and anti-virus software, his Internet experience overall will be greatly diminished. Many sites have no alternatives to their script-enabled navigation, so the person is 100% screwed on those sites. But even on those with the alternative, it is always cumbersome and awkward. Point taken?
<?php
//copyright (c) 2011 by MCS Investments, Inc. all rights reserved
include_once "checkid.php";                 // checks that a session id exists, else sends the visitor to register-with-captcha.php
$U = isset($_SESSION['username']) ? $_SESSION['username'] : '';
define('_NODIRECTACCESS', TRUE);            // config.php refuses to run unless this constant is defined
include_once "includes/config.php";
if (!isset($_SESSION['groupname']) || !isset($_SESSION['userid']) || !isset($_SESSION['username'])
    || $_SESSION['username'] <> $U || !isset($U) || $U == "" || strlen($U) < 6
    || !isset($_SESSION['sessionid'])) {
    echo '<script language="javascript">alert("Please login."); window.location = "login-to-mc.php";</script>';
    exit; // stop here so the rest of the page is never generated for an unauthenticated visitor
}
?>
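An added example, not the page's own match.php code: the same session checks written as a reusable guard, with the redirect issued server-side and exit called afterwards, so a visitor whose browser does not run JavaScript still receives nothing but the redirect. It assumes PHP 7.1 or later and that checkid.php (or this file) has started the session.

```php
<?php
// Added example, not match.php itself: the session checks above as a reusable guard.
// Assumes PHP 7.1+ and that checkid.php (or this file) has started the session.
if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

function mc_session_is_valid(array $session): bool
{
    // The page requires all four keys to be present; treat empty values as missing.
    foreach (['groupname', 'userid', 'username', 'sessionid'] as $key) {
        if (!isset($session[$key]) || !is_scalar($session[$key]) || (string) $session[$key] === '') {
            return false;
        }
    }
    // Same rule as the original: usernames shorter than 6 characters are rejected.
    return strlen((string) $session['username']) >= 6;
}

function require_mc_login(string $loginUrl = 'login-to-mc.php'): void
{
    if (mc_session_is_valid($_SESSION)) {
        return;
    }
    if (!headers_sent()) {
        // Server-side redirect: works whether or not the browser runs JavaScript.
        header('Location: ' . $loginUrl, true, 302);
    } else {
        // Output has already started, so fall back to the page's JavaScript redirect.
        echo '<script>alert("Please login."); window.location = "'
            . htmlspecialchars($loginUrl, ENT_QUOTES) . '";</script>';
    }
    // Without exit, PHP keeps executing and would emit the protected page anyway.
    exit;
}

require_mc_login();
```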
The reason there is no mysql_real_escape_string() call below is that this script only searches for data; it does not insert any. Notice that when we UPDATE the MySQL database table, we merely increment integer columns, and no user input takes part in that query, so there are no dangerous characters to escape. In the editing, registration and questionnaire scripts, on the other hand, we use mysql_real_escape_string() constantly, since it is the backbone of database security, as we all know.
Below are a few excerpts from match.php that illustrate its security methods. First there is htmlentities(stripslashes($row['city']), ENT_QUOTES), a safe way to echo data to the page. The htmlentities() function converts all applicable characters to HTML entities; since stored data can potentially contain hacker exploits, this neutralizes them, because HTML entities are considered safe. The stripslashes() function removes any backslashes the mysql_real_escape_string() function may have left in data retrieved from a MySQL database table.
Next we use the PHP substr() function to ensure that the user-submitted search data is no longer than it is supposed to be. Then strip_tags() dumps any tags that may have been stuck into the search data. Finally we use regular-expression patterns as whitelists in preg_replace() so that ONLY allowable characters get past our filters.
echo "<tr><td colspan='5' style='text-align:center'><b>Location: ".htmlentities(stripslashes($row['city']), ENT_QUOTES).", ";
echo htmlentities(stripslashes($row['state']), ENT_QUOTES)." ";
echo htmlentities(stripslashes($row['zip']), ENT_QUOTES)."</b></td></tr><br>";

// Pull the four search fields from the form, then cut each to its maximum length.
$G = $_POST['groupname'];
$C = $_POST['city'];
$S = $_POST['state'];
$Z = $_POST['zip'];
$G = substr($G, 0, 20);
$C = substr($C, 0, 33);
$S = substr($S, 0, 2);
$Z = substr($Z, 0, 5);
// Each pattern matches every character that is NOT allowed in that field;
// preg_replace() deletes those, so only the whitelisted characters survive.
$pattern1 = '/[^a-zA-Z\\-\\s]/i';   // city: letters, hyphen, whitespace
$pattern3 = '/[^a-zA-Z0-9\\_]/i';   // group name: letters, digits, underscore
$pattern5 = '/[^0-9]/';             // zip: digits only
$pattern6 = '/[^A-Z]/';             // state: uppercase letters only
$replacement = '';                  // disallowed characters are removed, not substituted
$G = strip_tags($G);
$C = strip_tags($C);
$S = strip_tags($S);
$Z = strip_tags($Z);
$C = preg_replace($pattern1, $replacement, $C);
$Z = preg_replace($pattern5, $replacement, $Z);
$G = preg_replace($pattern3, $replacement, $G);
$S = preg_replace($pattern6, $replacement, $S);
// $r is the result of the search SELECT run earlier in match.php (not shown in this excerpt).
// Only the integer id read back from the table is used in the UPDATE; casting it to int
// guarantees nothing but digits ever reaches the query string.
while ($row = mysql_fetch_array($r)) {
    $ID = (int) $row['id'];
    $sql = "UPDATE mc_members SET score=score+1 WHERE id='$ID'";
    $result = mysql_query($sql);
}
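As an added example (not code from match.php or from MCS Investments), the page's substr, strip_tags and preg_replace whitelist written as one table-driven function using the page's per-field lengths and character classes, run over constructed hostile input, with mc_html() as the page's htmlentities(stripslashes()) output step. PHP 7.1 or later is assumed.

```php
<?php
// Added example, not code from match.php: the page's substr -> strip_tags -> preg_replace
// whitelist as one table-driven function (PHP 7.1+ assumed).
const MC_SEARCH_FIELDS = [
    // field      => [max length, pattern matching every character that is NOT allowed]
    'groupname' => [20, '/[^a-zA-Z0-9_]/'],
    'city'      => [33, '/[^a-zA-Z\-\s]/'],
    'state'     => [2,  '/[^A-Z]/'],
    'zip'       => [5,  '/[^0-9]/'],
];

function filter_mc_search(array $post): array
{
    $clean = [];
    foreach (MC_SEARCH_FIELDS as $field => [$maxLen, $denyPattern]) {
        // A missing or non-string field becomes '' instead of raising a notice.
        $value = (isset($post[$field]) && is_string($post[$field])) ? $post[$field] : '';
        $value = substr($value, 0, $maxLen);                     // 1. cap the length
        $value = strip_tags($value);                             // 2. drop any tags
        $clean[$field] = preg_replace($denyPattern, '', $value); // 3. keep whitelisted chars
    }
    return $clean;
}

// The page's output step: strip escaping backslashes, then entity-encode for HTML.
function mc_html(string $value): string
{
    return htmlentities(stripslashes($value), ENT_QUOTES);
}

// Constructed hostile input (not real traffic): tags and quotes in every field.
$hostile = [
    'groupname' => "<script>alert(1)</script>' OR 1=1",
    'city'      => "Los Angeles<img src=x onerror=alert(1)>",
    'state'     => 'ca',
    'zip'       => "90210' OR '1'='1",
];

foreach (filter_mc_search($hostile) as $field => $value) {
    echo $field, ': ', mc_html($value), PHP_EOL;
}
```

Note that the state pattern, like the page's $pattern6, deletes lowercase letters, so a visitor who types 'ca' ends up searching for an empty state; uppercasing the field before filtering would avoid that.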