Security for HTML Form Creator—Search and Match: Search for Compatible Groups
The scripts below are the security-related parts of match_.php.
The Security for HTML Form Creator—Search and Match: Search for Compatible Groups CMS script is one of a group of PHP scripts that handle both the administrative and end-user sides of a general-purpose HTML Form Creator, one that supports not just input boxes but multiple-selection select/option lists as well. Besides the expected editing scripts for administrators and end users, there is a Search and Match script (this page covers only its search-and-match form) that lets users find other users by individual or group commonalities, including proximity searches, i.e., finding all the users within various distances. The Content Management System (CMS) even includes private messaging scripts. The script on this page, match_.php, includes a word search as well as a proximity search based on zip codes and a criteria-matching search.
Before proceeding, you need to know that HTML Form Creator—Configure File for Database Connection is where password security and MySQL database connection security reside. Check it out!
The first section is at the start of the script. First, we use the checkid_.php script to ensure that the session id variable is set, and send the user to register-with-captcha_.php if it is not. Then we put the session variable 'username' into $U; we will check in a moment that it is set. Then we define a named constant '_NODIRECTACCESS'. We include the config.php file (in the includes folder), which uses the PHP defined() function to check for this constant. If it is not set, we are thrown out of the config.php file like yesterday's trash.
Next we check that the session variables 'groupname', 'username', and 'userid' are set. If not, we are sent to the login_.php script. We make sure $U is still equal to the session variable 'username', that it is not an empty string, and that it is at least 6 characters long, or . . . you guessed it . . . the login script. We make sure the session id is set and send them away if not.
The reason we are willing to use JavaScript to send visitors away is that none of our scripts will work without it. One cannot register, enter data, get from here to there, etc., in most of our scripts without it. What serious web surfer turns off JavaScript? In case you were not aware, many sites rely totally on JavaScript for menu functioning and some of their scripts. And what about data entry? In case you didn't know it, JavaScript is a huge convenience for the user because of the way it does input validation. A good site will validate in JavaScript as well as PHP. When the JavaScript data validation script catches unacceptable input, it can simply send focus to the input box where the bad input happened, the user fixes it, and the form is submitted. But if JavaScript is disabled, the user gets sent to PHP data validation, which catches the bad data and sends the user back to the input form to redo all input from scratch. A well-written JavaScript data validation script will not make a user restart. If you have experienced restarting data entry in a long form due to an accidental character, you know exactly what we are talking about. It's maddening! And a good way to get users to surf away from your site forever. If a person turns off THE major browser scripting language just because of a minuscule chance of encountering a scripting exploit on some web page, rather than installing good anti-spyware and anti-virus software, his Internet experience overall will be greatly diminished. Many sites have no alternatives to their script-enabled navigation, so the person is 100% screwed on those sites. But even on those with the alternative, it is always cumbersome and awkward. Point taken?
<?php
//copyright (c) 2011 by MCS Investments, Inc. all rights reserved
// checkid_.php makes sure the session id is set and sends visitors without
// one to register-with-captcha_.php.
include_once "checkid_.php";
$U = $_SESSION['username'];
// includes/config.php tests this constant with defined(); a request that
// reaches config.php directly never defines it, so that file refuses to run.
define('_NODIRECTACCESS', TRUE);
include_once "includes/config.php";
// 'groupname', 'userid', 'username' and 'sessionid' must all be set, and the
// user name must be non-empty and at least 6 characters long.
if (!isset($_SESSION['groupname']) || !isset($_SESSION['userid']) || !isset($_SESSION['username'])
    || $_SESSION['username'] <> $U || !isset($U) || $U == "" || strlen($U) < 6
    || !isset($_SESSION['sessionid'])) {
    echo '<script language="javascript">alert("Please login."); window.location = "login_.php";</script>';
    exit; // stop here so the rest of match_.php does not run for a visitor who failed the check
}
?>
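The two guards described above (the _NODIRECTACCESS constant checked in config.php and the session checks) as an added example, not the original match_.php code; the function name and the body shown for the config.php guard are this example's own, and the session is started here because checkid_.php is not included.

```php
<?php
// Added example, not the original match_.php code: the two guards the text
// describes, with a server-side stop. The function name session_is_valid()
// and the body shown for the config.php guard are this example's own.

if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start(); // done by checkid_.php in the original
}
define('_NODIRECTACCESS', TRUE);

// What the first lines of includes/config.php do: a request that reaches
// config.php directly never passes through a script that defines the
// constant, so the file stops before any database credentials are evaluated.
if (!defined('_NODIRECTACCESS')) {
    header('HTTP/1.1 403 Forbidden');
    exit;
}

// The page's session checks as one function: true only when every required
// key is set and the user name is non-empty and at least 6 characters long.
function session_is_valid(array $session): bool
{
    foreach (['groupname', 'userid', 'username', 'sessionid'] as $key) {
        if (!isset($session[$key])) {
            return false;
        }
    }
    $u = $session['username'];
    return is_string($u) && $u !== '' && strlen($u) >= 6;
}

if (!session_is_valid($_SESSION)) {
    // The browser-side redirect used on the page, followed by exit: a visitor
    // who fails the check gets no further server-side work done, even when
    // JavaScript is disabled and the alert and redirect never run.
    echo '<script type="text/javascript">alert("Please login."); '
       . 'window.location = "login_.php";</script>';
    exit;
}
```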
The reason there is no mysql_real_escape_string() function below is that in the whole script we merely search for data; we do not enter data in the db table. Notice that when we UPDATE the MySQL database table, we merely increment database integers. We use no user input in this process, so there are no dangerous characters to escape. On the other hand, in editing, registration or questionnaire scripts we use mysql_real_escape_string() constantly, as it is the backbone of database security, as we all know.
Below are a few excerpts from the match_.php script that illustrate security methods. First there is htmlentities(stripslashes($row['city']), ENT_QUOTES), a good way to echo data to the page without compromising security. The htmlentities() function converts all applicable characters to HTML entities; since data can potentially contain hacker exploits, this disables them, because HTML entities are considered safe. The stripslashes() function removes any backslashes the mysql_real_escape_string() function may have left in data retrieved from a MySQL database table.
Next we use the PHP substr() function to ensure that the user-entered search data is no longer than it is supposed to be. Then the strip_tags() function dumps any tags that may have been stuck into the search data. Next we use regular expression patterns as whitelists in the preg_replace() function to ensure ONLY allowable characters get past our filters.
// Output: every value read from the table is entity-encoded before it reaches the page.
echo "<tr><td colspan='5' style='text-align:center'><b>Location: " . htmlentities(stripslashes($row['city']), ENT_QUOTES) . ", ";
echo htmlentities(stripslashes($row['state']), ENT_QUOTES) . " ";
echo htmlentities(stripslashes($row['zip']), ENT_QUOTES) . "</b></td></tr><br>";
// Input: the four search fields from the form.
$G = $_POST['groupname'];
$C = $_POST['city'];
$S = $_POST['state'];
$Z = $_POST['zip'];
// 1. Length caps: no field may be longer than the form allows.
$G = substr($G, 0, 20);
$C = substr($C, 0, 33);
$S = substr($S, 0, 2);
$Z = substr($Z, 0, 5);
// 2. Whitelists: each pattern matches the characters that are NOT allowed,
//    so preg_replace() deletes everything outside the allowed set.
$pattern1 = '/[^a-zA-Z\\-\\s]/i'; // city: letters, hyphen, whitespace
$pattern3 = '/[^a-zA-Z0-9\\_]/i'; // group name: letters, digits, underscore
$pattern5 = '/[^0-9]/';           // zip: digits only
$pattern6 = '/[^A-Z]/';           // state: uppercase letters only (no /i flag)
$replacement = '';                // disallowed characters are removed, not substituted
// 3. Remove any HTML/PHP tags before applying the whitelists.
$G = strip_tags($G);
$C = strip_tags($C);
$S = strip_tags($S);
$Z = strip_tags($Z);
$C = preg_replace($pattern1, $replacement, $C);
$Z = preg_replace($pattern5, $replacement, $Z);
$G = preg_replace($pattern3, $replacement, $G);
$S = preg_replace($pattern6, $replacement, $S);
// Scoring: $r is the result of the earlier SELECT; member_id comes from the
// table, not from user input. (The mysql_* functions were removed in PHP 7;
// the mysqli or PDO equivalents are needed on current PHP.)
while ($row = mysql_fetch_array($r)) {
    $ID = $row['member_id'];
    $sql = "UPDATE my_members SET score=score+1 WHERE id='$ID'";
    $result = mysql_query($sql);
} // outer blocks of match_.php close here in the full script
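The cap / strip_tags() / whitelist pipeline from the excerpt above and the htmlentities() output step, as an added example that is not code from match_.php: the lengths and patterns are the page's own; the rule table, the function names sanitize_search_fields() and escape_for_html(), and the sample input are this example's.

```php
<?php
// Added example, not code from match_.php: the page's search-field filters as
// one table-driven function plus the output-escaping step. Lengths and
// patterns are the page's; the rule table, function names and sample are ours.

// field => [maximum length, regex of the characters to REMOVE]
const SEARCH_RULES = [
    'groupname' => [20, '/[^a-zA-Z0-9_]/'], // letters, digits, underscore
    'city'      => [33, '/[^a-zA-Z\-\s]/'], // letters, hyphen, whitespace
    'state'     => [2,  '/[^A-Z]/'],        // uppercase only: like the page's
                                            // $pattern6 it has no /i flag, so
                                            // lowercase input is emptied, not
                                            // uppercased
    'zip'       => [5,  '/[^0-9]/'],        // digits only
];

// Returns the four search fields, each truncated, tag-stripped and reduced to
// its whitelist, in that order (cap first so strip_tags sees bounded input).
// A missing field becomes '' instead of raising an undefined-index notice.
function sanitize_search_fields(array $post): array
{
    $clean = [];
    foreach (SEARCH_RULES as $field => [$maxLen, $disallowed]) {
        $value = isset($post[$field]) ? (string) $post[$field] : '';
        $value = substr($value, 0, $maxLen);
        $value = strip_tags($value);
        $clean[$field] = preg_replace($disallowed, '', $value);
    }
    return $clean;
}

// Output escaping as on the page, with the charset passed explicitly so the
// conversion does not depend on the server's default_charset setting.
function escape_for_html(string $dbValue): string
{
    return htmlentities(stripslashes($dbValue), ENT_QUOTES, 'UTF-8');
}

// Constructed sample input containing markup, a quote and a lowercase state.
$sample = [
    'groupname' => 'chess_club<script>',
    'city'      => "Saint-Paul' OR 1=1 --",
    'state'     => 'mn',
    'zip'       => '55101-4321',
];
var_dump(sanitize_search_fields($sample));
echo escape_for_html("O'Brien <b>City</b>"), "\n";
```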