Secure site search

In my last update for Path to 2265, I briefly described the major improvements made to the searching capabilities of the website. Today, I’m going into detail about these changes and why they are important for security and code quality. Examples included!

How it was
The decision to add a search to the website was made fairly early on, during a time where other aspects of the website like the visual layout design were more important to me. This resulted in a crude but working search solution that you can read about here. It is a very linear search in that it just finds and returns the results sequentially in the order they were found by the SQL query. And that was fine back then, but something better is needed now!

I should mention that in November, the search feature got a little attention with the conversion from raw MySQL calls to PHP Data Objects (PDOs) with prepared statements. Whilst this was a major plus for security, the implementation was still ugly and quick.

The new concept
A search that is to be deployed on the WWW needs to be functional AND secure. It is not hard to find reports about SQL injections and other malicious acts against site searches that can be a pain in the butt to deal with. With that in mind, I decided to rebuild the search engine from the ground up with security (and good code quality) in mind. The new concept calls for class encapsulation as well as PDOs – the usage of object orientation allows for controlled access to the code querying the database by only providing a set amount of methods and required arguments to interact with said code.

How does this all benefit security?
Well, PDOs alone do not help much in terms of security. But the usage of prepared statements does by separating the variable part (in our case, the search term) of an SQL query into a method that can safely bind the variable and exclude any nasty code. Here’s a good page about SQL injections and prepared statements!

Class encapsulation also does not actually affect the SQL’s ‘secureness’ directly. But if it is used right, it can provide a reduced interface that could be used for code security purposes (as well the usual benefits of using object-orientated code). If the core code is not in a class, the code will be executed in a procedural manner where there are no barriers to what you can supply that code. But if that core code is in a class, you can then write a select few methods inside that class that can access that encapsulated code with a parameter set that can be as wide or as tight as you want. In my case, I want to tighten how the code is accessed, hence “reduced interface”. All methods that can be called only take in data that I believe is needed for operation and nothing more.

Example – class specification
This is a listing of the class members for an example I will be using to show off these concepts at the basic level. The class structure is based on Path to 2265’s engine – the major difference is the exclusion of the experimental ordered tag search (more about that in a later update) that I am still working on.

  • private $dbHandle
    • stores instance of PDO object with database connection details
  • private $statement
    • stores prepared statements
  • private $query
    • stores last-processed query string
  • public __construct()
    • class constructor
  • private cleanString($string)
    • removes special characters from any input string
    • $string – input string to ‘clean’
  • private processInput($input)
    • breaks down an input string into an array of characters for tag searching
    • $input – input string to break down
  • public createStandardSearch($class, $col, $term)
    • executes a linear search
    • $class – table in the database to search from
    • $col – column in the table to match from
    • $term – input string
  • public createTagSearch($class, $string)
    • executes a basic unordered tag-based search
    • $class – table in the database to search from
    • $string – input string
  • public countResult()
    • returns a count of results matched
  • public getResult()
    • returns result for when a single result is expected
  • public getResults()
    • returns result for when an array of results is expected

Example – implementation
I have uploaded an implementation of that class specification that works almost out of the box (you’ll need to enter your database’s details etc). As I said earlier, it is based on Path to 2265’s code for the same functionality.

Link!

Disclaimer: if there are any errors in that code, I am not liable for any damage they may cause – the code is provided for demonstrative purposes only.

20180103_search
An example of how you could interact with the SearchEngine class from the ‘outside’


Other possible applications this example can do
The great thing about this implementation is the fact that it can be used for things other than just ‘normal’ searching. By using the standard search feature and retrieving a single result, you effectively have the main thing you need for making a dynamic website!

So if your website has something like a database-style section (many in the case of Path to 2265), you can get rid of those countless HTML pages and have a single page instead that calls upon the SearchEngine to find and retrieve the desired page data (indicated with a unique ID through a variable in the URL) in your MySQL database and display the information accordingly.

The best example of this on Path to 2265 is the Database section: clicking on any of the ships (take http://pathto2265.com/resources/apps/ship?ID=2095_ECS_J as an example) takes you to the same page for all of them, expect they all have a different IDs in the URL. A provided ID on that page is fed into the search engine via a standard search call and the single result is fetched and echoed into their destined positions in the markup for you viewing pleasure. It’s great, isn’t it?

Anyway, I think that’s it for today! I hope this has been an interesting read!

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s