Copyright © 2002 - MCS Investments, Inc.

PSBs, social networking, social evolution, microcommunities, personal status boards
PSBs, social networking, business personal status boards
website design, ecommerce solutions
website menus, buttons, image rotators
Ez-Architect, home design software
the magic carpet and the cement wall, children's adventure book
the squirrel valley railroad, model railroad videos, model train dvds
the deep rock railroad, model railroad videos, model train dvds

Security for HTML Form Creator—Search and Match: Search for Compatible Groups

The scripts below are Security-related parts of match_.php

match_.php is one of a group of PHP scripts that make up a general purpose HTML Form Creator CMS, whose forms can contain not just input boxes but select/option lists with multiple selection enabled. Besides the expected editing scripts for administrators and end users, there is a Search and Match script, so that users can find other users with individual or group commonalities, including proximity searches (find all the users within a given distance). The CMS also contains private messaging scripts. The script covered on this page, match_.php, handles the search and match form only; it offers a word search, a proximity search based on zip codes, and a criteria matching search.


Before proceeding, you need to know that HTML Form Creator—Configure File for Database Connection is where password security and MySQL database connection security resides. Check it out!

The first section is at the start of the script. First, the checkid_.php script ensures that the session id variable is set and sends the user to register-with-captcha_.php if it is not. Then we put the session variable 'username' into $U; we check that it is set a moment later. Then we define a named constant, '_NODIRECTACCESS', and include config.php (in the includes folder). config.php uses the PHP defined() function to check for that constant: if it is not defined, which is what happens when someone requests config.php directly by URL instead of through one of our scripts, config.php throws the request out like yesterday's trash before any of its contents run.

Next we check that the session variables 'groupname', 'username' and 'userid' are set. If not, the user is sent to the login_.php script. We also make sure $U is still equal to the session variable 'username', that it is not an empty string, and that it is at least 6 characters long, or . . . you guessed it . . . the login script. Finally we make sure the session id is set and send them away if it is not.

The reason we are willing to use JavaScript to send visitors away is that none of our scripts will work without it. One cannot register, enter data, get from here to there, etc., in most of our scripts without it. What serious web surfer turns off JavaScript? In case you were not aware, many sites rely totally on JavaScript for menu functioning and some of their scripts. And what about data entry? In case you didn't know it, JavaScript is a huge convenience for the user because of the way it does input validation. A good site will validate in JavaScript as well as PHP. When the JavaScript data validation script catches unacceptable input, it can simply send focus to the input box where the bad input happened; the user fixes it, and the script is submitted. But if JavaScript is disabled, the user gets sent to PHP data validation, which catches the bad data and sends the user back to the input form to redo all input from scratch. A well-written JavaScript data validation script will not make a user restart. If you have experienced restarting data entry in a long form due to an accidental character, you know exactly what we are talking about. It's maddening! And a good way to get users to surf away from your site forever. If a person turns off THE major browser scripting language just because of a minuscule chance of encountering a scripting exploit on some web page, rather than installing good anti-spyware and anti-virus software, his Internet experience overall will be greatly diminished. Many sites have no alternatives to their script-enabled navigation, so the person is 100% screwed on those sites. But even on those with the alternative, it is always cumbersome and awkward. Point taken? One thing JavaScript cannot do, though, is protect the server side: the redirect is only a request to the browser, so after echoing it the PHP script must exit, or the rest of match_.php runs anyway for a visitor who failed the check.

//copyright (c) 2011 by MCS Investments, Inc. all rights reserved

// Session gate: every one of these conditions must hold or the visitor is sent to login_.php.
// $U was loaded from $_SESSION['username'] just above this point.
if (!isset($_SESSION['groupname']) || !isset($_SESSION['userid']) || !isset($_SESSION['username']) ||
    !isset($U) || $_SESSION['username']<>$U || $U=="" || strlen($U)<6 || !isset($_SESSION['sessionid'])){
    echo '<script language="javascript">alert("Please login."); window.location = "login_.php";</script>';
    // Stop here: the redirect is only a request to the browser, and without exit the rest of
    // match_.php would still run and its output would be sent to a visitor who failed the check.
    exit;
}
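The same gate as an added example, not code from the page or from MCS Investments: the conditions of the if-statement above as one function, together with the defined() include guard that the text says config.php applies. It assumes session_start() has already run (the page says checkid_.php handles the session first), that the login page is login_.php as in the original, and that the 403 text and function names are illustrative.

```php
<?php
// Added example, not the page's own code. Assumes session_start() has already run.

define('_NODIRECTACCESS', true);

/**
 * What the top of includes/config.php does: refuse to run unless the including
 * script defined the flag. A direct request for config.php never gets past this.
 */
function abort_if_accessed_directly(): void
{
    if (!defined('_NODIRECTACCESS')) {
        header('HTTP/1.1 403 Forbidden');
        exit('Direct access is not allowed.');
    }
}
abort_if_accessed_directly();

/**
 * Apply the same conditions as the page's if-statement. Returns normally when the
 * session is acceptable; otherwise sends the visitor to $login and stops the script.
 */
function require_login(string $login = 'login_.php'): void
{
    $u  = $_SESSION['username'] ?? null;
    $ok = isset($_SESSION['groupname'], $_SESSION['userid'], $_SESSION['sessionid'])
        && is_string($u)
        && $u !== ''
        && strlen($u) >= 6;
    if ($ok) {
        return;
    }

    if (!headers_sent()) {
        // A real HTTP redirect works with JavaScript disabled and for non-browser clients.
        header('Location: ' . $login, true, 302);
    } else {
        // Output has already started, so fall back to the page's JavaScript redirect;
        // json_encode() keeps $login from breaking out of the JavaScript string literal.
        echo '<script>alert("Please login."); window.location = ' . json_encode($login) . ';</script>';
    }
    // Either way the server stops here: the redirect is only advice to the client,
    // and without this exit the rest of the page would be generated and sent.
    exit;
}

require_login();
// ... search form handling continues only for a session that passed the gate ...
```

The HTTP redirect is tried first because it does not depend on the browser honouring anything; the JavaScript version is kept only for the case where output has already begun and headers can no longer be sent. In both branches the exit is what actually protects the page.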

There is no mysql_real_escape_string() call in the excerpts below because this script only searches; it puts no user-supplied text into the table. The one UPDATE it runs increments an integer column, and the id it uses comes from a row the database has just returned, not from the request, so there are no dangerous characters to escape there. Searching is not in itself a reason to skip escaping, though: a SELECT whose WHERE clause is built from raw form input is just as injectable as an INSERT. What keeps this search safe is that every search term is reduced to a whitelist of characters (shown below) before it reaches the query, so quotes, semicolons and comment markers never get through. In the editing, registration and questionnaire scripts, where user text does go into the table, we use mysql_real_escape_string() on every value; with the old mysql extension it is the basic defence against SQL injection (prepared statements do the same job without relying on the programmer to remember every call).

Below are a few excerpts from match_.php that illustrate security methods. First there is htmlentities(stripslashes($row['city']), ENT_QUOTES), a safe way to echo data to the page. htmlentities() converts every character that has a meaning in HTML (angle brackets, ampersands and, with ENT_QUOTES, both kinds of quote) to its entity, so whatever a user managed to get into the table is rendered as literal text rather than as markup or script; that is the defence against stored cross-site scripting. Pass the character set as the third argument (for example 'UTF-8') so the encoding cannot be guessed wrong. The stripslashes() call removes backslashes that ended up stored in the table. A value escaped once with mysql_real_escape_string() is stored without them, so they only appear if the input was escaped twice (typically magic_quotes_gpc plus the escaping call); if you see them, the real fix is to stop double-escaping on the way in.

Next we use the PHP substr() function to ensure that the user-supplied search data is no longer than it is supposed to be. Then strip_tags() dumps any tags that may have been stuck into the search data. Next we use regular expression patterns as whitelists in preg_replace(): each pattern is a negated character class, so it matches every character that is NOT allowed, and preg_replace() swaps those for $replacement (its value is not shown in the excerpt; an empty string simply deletes them), so ONLY allowable characters get past our filters. Two details worth noticing in the patterns below: the /i flag on $pattern1 and $pattern3 makes their separate a-z and A-Z ranges redundant but harmless, and $pattern6 has no /i flag, so it strips lower-case letters as well; the state code must be upper-cased before it reaches that filter or it will come out empty.

// Output: every value read from the table goes through htmlentities() (ENT_QUOTES covers
// both quote styles) so stored text is rendered as text, never as markup.
echo "<tr><td colspan='5' style='text-align:center'><b>Location: ".htmlentities(stripslashes($row['city']), ENT_QUOTES).", ";
echo htmlentities(stripslashes($row['state']), ENT_QUOTES)." ";
echo htmlentities(stripslashes($row['zip']), ENT_QUOTES)."</b></td></tr><br>";

// Input: negated character classes, so each pattern matches exactly what is NOT allowed.
$pattern1 = '/[^a-zA-Z\\-\\s]/i';   // letters, hyphen, whitespace
$pattern3 = '/[^a-zA-Z0-9\\_]/i';   // letters, digits, underscore
$pattern5 = '/[^0-9]/';             // digits only
$pattern6 = '/[^A-Z]/';             // upper-case letters only (no /i flag, so lower case is stripped too)

$replacement = '';   // assumed: the excerpt does not show it; an empty string deletes the disallowed characters

// $C, $Z, $G and $S hold the search terms after substr() and strip_tags() (by their patterns,
// presumably city, zip, group name and state; the excerpt does not name them).
$C=preg_replace($pattern1, $replacement, $C);
$Z=preg_replace($pattern5, $replacement, $Z);
$G=preg_replace($pattern3, $replacement, $G);
$S=preg_replace($pattern6, $replacement, $S);

// Scoring: the only write in the script. $ID comes from the row just fetched, not from the request.
while($row = mysql_fetch_array($r)){
$ID=$row['member_id'];$sql="UPDATE my_members SET score=score+1 WHERE id='$ID'";$result=mysql_query($sql);}}}
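The filter chain, the query it feeds and the output encoding described above, as an added example that is not code from the page or from MCS Investments. The field lengths, the table and column names, the function names and the sample request are all illustrative; mysqli parameters stand in for the old mysql_* string interpolation as a second layer behind the whitelist, and the page's stripslashes() call is left out on the assumption that values were escaped once on the way in.

```php
<?php
// Added example, not the page's own code. Table, column and field names are illustrative.

/** Cap the length, drop tags, then delete every character outside $allowed (a character-class body). */
function whitelist(string $raw, int $max, string $allowed): string
{
    $s = substr($raw, 0, $max);
    $s = strip_tags($s);
    $s = preg_replace('/[^' . $allowed . ']/', '', $s);
    return trim($s);
}

function clean_city(string $v): string  { return whitelist($v, 40, 'a-zA-Z\-\s'); }   // page's $pattern1
function clean_group(string $v): string { return whitelist($v, 30, 'a-zA-Z0-9_'); }   // page's $pattern3
function clean_zip(string $v): string   { return whitelist($v, 5, '0-9'); }           // page's $pattern5
/** Upper-case first: the page's $pattern6 has no /i flag, so lower-case input would be emptied. */
function clean_state(string $v): string { return whitelist(strtoupper($v), 2, 'A-Z'); }

/** Encode for HTML output; ENT_QUOTES also converts single quotes, and the charset is stated explicitly. */
function h(?string $v): string
{
    return htmlentities((string) $v, ENT_QUOTES, 'UTF-8');
}

/** Build the search query with placeholders; the filtered values travel as parameters, not as SQL text. */
function search_query(array $f): array
{
    $sql = 'SELECT member_id, city, state, zip FROM my_members WHERE city = ? AND state = ? AND zip = ?';
    return [$sql, [$f['city'], $f['state'], $f['zip']]];
}

// Constructed request standing in for the search form's POST. The city carries a
// textbook injection payload, the zip an HTML tag and the group a comment marker,
// to show what the filters remove before anything reaches the query.
$post = ['city' => "Boston' OR '1'='1", 'state' => 'ma', 'zip' => '02116<b>', 'group' => 'model_rail;--'];

$filtered = [
    'city'  => clean_city($post['city']),
    'state' => clean_state($post['state']),
    'zip'   => clean_zip($post['zip']),
    'group' => clean_group($post['group']),
];
[$sql, $params] = search_query($filtered);

// With a live connection the query would run like this (assumed credentials):
//   $stmt = (new mysqli('localhost', 'user', 'pass', 'db'))->prepare($sql);
//   $stmt->bind_param('sss', $params[0], $params[1], $params[2]);
//   $stmt->execute();
// Constructed result row so the output step runs without a database:
$rows = [['member_id' => 7, 'city' => 'Boston', 'state' => 'MA', 'zip' => '02116']];

foreach ($rows as $row) {
    echo "<tr><td colspan='5' style='text-align:center'><b>Location: "
       . h($row['city']) . ', ' . h($row['state']) . ' ' . h($row['zip']) . "</b></td></tr>\n";

    // The score bump: member_id came from the table, not the request, but casting it
    // means the UPDATE cannot depend on what the column happens to contain.
    $id = (int) $row['member_id'];
    $update = "UPDATE my_members SET score = score + 1 WHERE id = $id";
}
```

Run it and compare $post with $filtered: the quotes, equals sign and digits vanish from the city, the tag from the zip and the semicolon and dashes from the group name, which is exactly why the page can get away without escaping in the search. The placeholder query is there so that the whitelist is not the only thing standing between the form and the database.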