Oct 08

Are you bored of using Google or Bing every day? Do you think Google is slow? Do you sometimes find it hard to see what the search results on page 200 or 1000 look like? As a proactive developer, you will surely want to write your own search engine. Thanks to Yahoo Boss, I wrote my own customised search engine in less than 200 lines of code.

Live demo @ www.trunghlt.com/search

Click here to download the source code.

Even God made mistakes; please let me know what mistakes I have made.

Sep 28

Security vulnerabilities are always a concern for PHP newcomers. This series of posts summarises rules that help PHP beginners develop web applications confidently. The content is drawn extensively from Essential PHP Security.

Rule 1: Disable register_globals
register_globals turns every request parameter into a global variable, which hides where a value came from and lets an attacker initialise variables your code never expected to be set, so it turns a small bug into a larger vulnerability. Read input from the superglobal arrays $_GET and $_POST instead. The directive was deprecated in PHP 5.3 and removed in PHP 5.4, but older hosts may still have it enabled; check with phpinfo() or ini_get('register_globals').

Rule 2: Disable error display
Error messages help developers debug, but they also reveal information an attacker can use: file system paths, SQL fragments, library versions. As soon as the site goes live, stop showing errors to visitors: set display_errors to Off and log_errors to On so that errors still reach the server log. If you cannot change php.ini, httpd.conf or .htaccess, set the directives at runtime at the top of your script:

// Report everything, but send it to the log instead of the browser.
error_reporting(E_ALL);                       // on PHP 5.3 and earlier add | E_STRICT
ini_set('display_errors', 'Off');
ini_set('log_errors', 'On');
ini_set('error_log', '/usr/local/apache/logs/error_log');

You can also handle errors yourself with set_error_handler. The handler receives the error number, message, file and line; the fifth $errcontext argument that older examples used was deprecated in PHP 7.2 and removed in PHP 8.0, so declare only four parameters:

// Write full error details to the log only; the visitor sees nothing.
function my_error_handler($number, $string, $file, $line) {
  $error  = "------------------------------------------------------\n";
  $error .= "Number: [$number]\n";
  $error .= "String: [$string]\n";
  $error .= "File: [$file]\n";
  $error .= "Line: [$line]\n\n";

  // Message type 3 appends the text to the named file.
  error_log($error, 3, '/usr/local/apache/logs/error_log');

  // Returning true stops PHP's built-in handler, which might otherwise
  // display the error, from running as well.
  return true;
}
set_error_handler('my_error_handler');

Rule 3: Filter input (prove it valid, do not try to correct it)
Filtering is the process by which you prove that data is valid; correcting or "cleaning up" bad data is not filtering. The vast majority of security vulnerabilities in PHP applications come from unfiltered input. Remember that input can contain anything at all, regardless of the form control it came from: a <select>, a checkbox or a hidden field is just as easy to tamper with as a text box. Keep filtered data in a separate array, e.g. $clean, so that a variable's name tells you whether it has been checked. The following code filters a typical numeric input:

$clean = array();
// Whitelist: an optional sign followed by digits only. \z anchors at the
// real end of the string, whereas $ also matches before a trailing newline,
// so "42\n" would slip through with $. isset() avoids a notice when the
// parameter is absent.
if (isset($_GET['id']) && preg_match('/^[-+]?[0-9]+\z/', $_GET['id'])) {
  $clean['id'] = $_GET['id'];
}
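As an added example (it is not from the original post or from Essential PHP Security), here is the same whitelist approach applied to a request with several fields of different kinds. The function name filter_request(), the helper str_param(), the field names and the constructed $request array are assumptions made for illustration; in a real script the input would be $_GET or $_POST.

```php
<?php
// Added example: whitelist-filter a request array into $clean.
// Every key that ends up in $clean has been proven to match an explicit
// rule; anything else is left out rather than "corrected".

// Return the parameter as a string, or null if it is missing or is not a
// string (PHP turns id[]=1 into an array, which would make preg_match fail).
function str_param(array $input, $key) {
    return (isset($input[$key]) && is_string($input[$key])) ? $input[$key] : null;
}

function filter_request(array $input) {
    $clean = array();

    // Integer id: optional sign, digits, anchored with \z so that a trailing
    // newline cannot get past the check the way it can with a plain $.
    $id = str_param($input, 'id');
    if ($id !== null && preg_match('/^[-+]?[0-9]+\z/', $id)) {
        $clean['id'] = (int) $id;
    }

    // Username: 3 to 20 characters from a small, explicit alphabet.
    $username = str_param($input, 'username');
    if ($username !== null && preg_match('/^[A-Za-z0-9_]{3,20}\z/', $username)) {
        $clean['username'] = $username;
    }

    // Sort order: must be one of a fixed set. A <select> in the HTML form does
    // not guarantee this; the client can send any string it likes.
    $allowed_sort = array('name', 'date', 'size');
    $sort = str_param($input, 'sort');
    if ($sort !== null && in_array($sort, $allowed_sort, true)) {
        $clean['sort'] = $sort;
    }

    // Email: use PHP's built-in validator instead of a hand-written regex.
    $email = str_param($input, 'email');
    if ($email !== null && filter_var($email, FILTER_VALIDATE_EMAIL) !== false) {
        $clean['email'] = $email;
    }

    return $clean;
}

// Constructed request standing in for $_GET/$_POST: two good values,
// two tampered ones and one field with no filtering rule at all.
$request = array(
    'id'       => "42\n",                        // newline appended
    'username' => 'alice_01',
    'sort'     => "name' OR 1=1 --",             // not in the allowed list
    'email'    => 'alice@example.com',
    'comment'  => '<script>alert(1)</script>',   // no rule, so never copied
);

$clean = filter_request($request);
print_r($clean);
```

Running this leaves only username and email in $clean: the id is rejected because of the trailing newline, the sort value is not in the allowed list, and the comment has no rule so it is never copied. Code that later reads $clean['id'] must therefore cope with the key being absent, which is exactly the point: an unchecked value never gets a name that suggests it is safe.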

Rule 4: Escape output
Filtering proves that data is what you expected; escaping makes it safe for the specific place it is about to be written to. Each output context has its own escaping function, and keeping escaped values in a context-named array makes it obvious what has been escaped for what:

  • For HTML output: use htmlentities($string, ENT_QUOTES, 'UTF-8') (htmlspecialchars with the same arguments works too) and keep the results in $html[]. ENT_QUOTES matters because without it single quotes are left alone and a value dropped into a single-quoted attribute can break out of it; the character set should match the page's declared encoding.
  • For MySQL: use mysql_real_escape_string() on an open connection and keep the results in $mysql[]. The mysql_* extension was removed in PHP 7; its direct replacement is mysqli_real_escape_string(), and prepared statements are safer still because the data never becomes part of the SQL text.

The following example shows the technique for MySQL, written against the mysqli extension because the original mysql_* functions no longer exist in PHP 7 and later. Note that the escaped value is still wrapped in single quotes in the SQL: escaping only protects a quoted string literal, and an unquoted numeric position needs a filtered integer instead.

// $link is an open mysqli connection. Escaping has to know the connection's
// character set, which is why the link is passed in.
$mysql = array();
$mysql['username'] = mysqli_real_escape_string($link, $clean['username']);
$sql = "SELECT * FROM profile WHERE username = '{$mysql['username']}'";
$result = mysqli_query($link, $sql);
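The following added example (not from the original post or from Essential PHP Security) puts the two escaping contexts side by side: an HTML escaper kept in $html[], and the SQL query written first the unsafe way, by concatenation, and then as a prepared statement where nothing needs escaping. It uses PDO with an in-memory SQLite database purely as a stand-in so that it runs without a MySQL server; the PDO calls are identical with a mysql: DSN. The function names html_escape(), find_profile_unsafe() and find_profile(), the profile table and its rows are all assumptions for illustration.

```php
<?php
// Added example: escape on the way out, in the form the destination expects.
// $clean is assumed to hold input already filtered under Rule 3.

// HTML context. ENT_QUOTES escapes both " and ' so the value is safe inside
// attribute values as well as element text; the charset must match the page.
function html_escape($string) {
    return htmlentities($string, ENT_QUOTES, 'UTF-8');
}

// Deliberately unsafe counterpart for contrast: the value is spliced into the
// SQL text, so the quote in a hostile value ends the literal early.
function find_profile_unsafe(PDO $db, $username) {
    $sql = "SELECT id, username FROM profile WHERE username = '$username'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SQL context done properly: a prepared statement sends the query text and
// the value separately, so there is nothing to escape and no quoting to get
// wrong. The same code works for MySQL through the PDO mysql driver.
function find_profile(PDO $db, $username) {
    $stmt = $db->prepare('SELECT id, username FROM profile WHERE username = :username');
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- demonstration with constructed data ---
$db = new PDO('sqlite::memory:');   // stand-in for a mysql: connection
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE profile (id INTEGER PRIMARY KEY, username TEXT)');
$db->exec("INSERT INTO profile (username) VALUES ('alice'), ('bob')");

// A classic tautology payload. Concatenated, it turns the WHERE clause into
// username = '' OR '1'='1' and matches every row; bound as a parameter it is
// just a string that matches no username.
$hostile = "' OR '1'='1";

echo "unsafe: " . count(find_profile_unsafe($db, $hostile)) . " row(s)\n";
echo "prepared: " . count(find_profile($db, $hostile)) . " row(s)\n";
echo "prepared, real user: " . count(find_profile($db, 'alice')) . " row(s)\n";

// The same hostile value on its way into an HTML page.
$html = array();
$html['username'] = html_escape($hostile);
echo "<p>No user named '{$html['username']}'</p>\n";
```

The unsafe query returns both rows for the hostile value while the prepared statement returns none, and a real username returns one row through the prepared statement as expected. The escaped HTML line shows the quote in the value rendered as an entity rather than as a quote that could close the surrounding attribute or tag. The $html and $mysql naming convention from the post is what lets you see at a glance, in a large template, whether a variable has been escaped for the context it is printed in.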

(more coming soon…)

Even God made mistakes; please let me know what mistakes I have made.
