Secure site search

In my last update for Path to 2265, I briefly described the major improvements made to the searching capabilities of the website. Today, I’m going into detail about these changes and why they are important for security and code quality. Examples included!

How it was
The decision to add a search to the website was made fairly early on, at a time when other aspects of the website, like the visual layout design, were more important to me. This resulted in a crude but working search solution that you can read about here. It is a very linear search in that it just finds and returns the results sequentially, in the order they were found by the SQL query. That was fine back then, but something better is needed now!

I should mention that in November, the search feature got a little attention with the conversion from raw MySQL calls to PHP Data Objects (PDOs) with prepared statements. Whilst this was a major plus for security, the implementation was still ugly and quick.

The new concept
A search that is to be deployed on the WWW needs to be functional AND secure. It is not hard to find reports about SQL injections and other malicious acts against site searches that can be a pain in the butt to deal with. With that in mind, I decided to rebuild the search engine from the ground up with security (and good code quality) in mind. The new concept calls for class encapsulation as well as PDOs – the usage of object orientation allows for controlled access to the code querying the database by only providing a set amount of methods and required arguments to interact with said code.

How does this all benefit security?
Well, PDOs alone do not help much in terms of security. But the usage of prepared statements does by separating the variable part (in our case, the search term) of an SQL query into a method that can safely bind the variable and exclude any nasty code. Here’s a good page about SQL injections and prepared statements!

Class encapsulation also does not directly affect the ‘secureness’ of the SQL. But if it is used right, it can provide a reduced interface that serves code-security purposes (as well as the usual benefits of object-oriented code). If the core code is not in a class, it is executed procedurally and there are no barriers to what you can supply to that code. But if that core code is in a class, you can write a select few methods inside that class that access the encapsulated code with a parameter set that is as wide or as tight as you want. In my case, I want to tighten how the code is accessed, hence “reduced interface”: every callable method only takes in the data I believe is needed for operation and nothing more.

Example – class specification
This is a listing of the class members for an example I will be using to show off these concepts at the basic level. The class structure is based on Path to 2265’s engine – the major difference is the exclusion of the experimental ordered tag search (more about that in a later update) that I am still working on.

  • private $dbHandle
    • stores instance of PDO object with database connection details
  • private $statement
    • stores prepared statements
  • private $query
    • stores last-processed query string
  • public __construct()
    • class constructor
  • private cleanString($string)
    • removes special characters from any input string
    • $string – input string to ‘clean’
  • private processInput($input)
    • breaks down an input string into an array of characters for tag searching
    • $input – input string to break down
  • public createStandardSearch($class, $col, $term)
    • executes a linear search
    • $class – table in the database to search from
    • $col – column in the table to match from
    • $term – input string
  • public createTagSearch($class, $string)
    • executes a basic unordered tag-based search
    • $class – table in the database to search from
    • $string – input string
  • public countResult()
    • returns a count of results matched
  • public getResult()
    • returns result for when a single result is expected
  • public getResults()
    • returns result for when an array of results is expected

Example – implementation
I have uploaded an implementation of that class specification that works almost out of the box (you’ll need to enter your database’s details etc). As I said earlier, it is based on Path to 2265’s code for the same functionality.

Link!

Disclaimer: if there are any errors in that code, I am not liable for any damage they may cause – the code is provided for demonstrative purposes only.

[Screenshot 20180103_search] An example of how you could interact with the SearchEngine class from the ‘outside’.

Other possible applications of this example
The great thing about this implementation is the fact that it can be used for things other than just ‘normal’ searching. By using the standard search feature and retrieving a single result, you effectively have the main thing you need for making a dynamic website!

So if your website has something like a database-style section (many in the case of Path to 2265), you can get rid of those countless HTML pages and have a single page instead that calls upon the SearchEngine to find and retrieve the desired page data (indicated with a unique ID through a variable in the URL) in your MySQL database and display the information accordingly.

The best example of this on Path to 2265 is the Database section: clicking on any of the ships (take http://pathto2265.com/resources/apps/ship?ID=2095_ECS_J as an example) takes you to the same page for all of them, except they all have different IDs in the URL. The ID provided on that page is fed into the search engine via a standard search call, and the single result is fetched and echoed into its destined positions in the markup for your viewing pleasure. It’s great, isn’t it?

Anyway, I think that’s it for today! I hope this has been an interesting read!

Site name simplification, PHP classes, and more

So I’m gonna be shaking up how I do updates for Path to 2265 from now on. Firstly, these updates are going to be more structured because I want to make them easier to read. Secondly, I want to make it so people can either briefly look at the change list or read the details, depending on what they want to find out. Also, I am removing any set times for posting updates since I’ve missed almost all the targets for posting them these last few months. So without further ado, here we go!

Site name simplification
I have decided to drop the “Starfleet” part of the website’s name. I believe “Path to 2265” is a more clean site name and it matches the domain name now! Plus, both sides of the “to” are ‘balanced’ with four characters each now (as long as you’re not counting spaces)!

Reimagined search engine capabilities
For a long time, the searching capability and the ship report part of the website have continued to rely on the fairly crude MySQL calls demonstrated all the way back in September. By early November, I had upgraded to PHP Data Objects (PDO) for enhanced security and code quality. Now, I have moved to class encapsulation as I become more and more proficient with coding in PHP! With this object-oriented approach, the code required to connect to and query the database can be contained, and interaction with the “SearchEngine” object can be securely controlled by only allowing certain methods with certain argument sets to be called. The search is also now (FINALLY) a tag-based search, and I am currently developing an algorithm that can weight the results of one or more SQL queries and display the most relevant results to the user! I’m thinking about making a separate post to describe the process of doing this and its benefits in more detail, so stay tuned for that! But for now, I’ll leave you with this screenshot:

[Screenshot: SearchEngine class] Most of the code has been collapsed from view since it may contain sensitive data.

Sitemap
Thanks to the new search engine capabilities, I have been able to reuse the SearchEngine class for other new features such as the website’s sitemap. Essentially, constructing the sitemap is done by querying a database for a result containing all the pages belonging to the same category. The SQL code is the same as a user searching (for now though, more about that later), so a SearchEngine object can be used without any problems.

Click here to see the sitemap!

SS Polaris progress
There is finally some progress on my second design project! I have taken a U-turn on the nacelle placement, and I have stripped some details that I thought made the design look too advanced. In return, I tried to pepper in some details that make the design more unique, polished and maybe a little industrial. Instead of having that weird dual deflector system mounted on top, the nose of the ship has been cut away to reveal one large deflector/communication array, which I hope emphasises that the design relies on communication (since it is a diplomatic vessel). The new dish is also surrounded by some missile bays. The design will not have any energy weapons.

It’s quite funny: this design was developed without specs and was required to be developed in a week! Yet it’s taken something like two months to get to this stage… xD. Hopefully the lesson is learnt – ALWAYS iron out design specs, ’cause skipping them will just cause headaches later on.

[Image: comparison] Polaris: before (top) and after (bottom).

EXP-type Warp Reactor
I have added a new early UESPA reactor to the database. It is an attempt to explain how and why Earth had a matter/antimatter reactor (on deep space probe Friendship 1) so early on.

You can read about it here!

Progress gallery & milestones article
I’ve added these fun articles to show the progress and effort that has been put into Path to 2265. The progress gallery is already up to date (mostly), but the milestones article still needs its content.

Chapter 1 proofreading
After discovering some grammatical errors on this chapter of the History report, I am currently in the process of thoroughly proofreading it!

Discontinuation of the “Todo” page
In all honesty, the page was only created for myself as a temporary tracker whilst I worked on the website. It was a place where I could list issues when I found them, for solving later. Now that I use GitHub for issue tracking and source control, it has become redundant and will be removed from the website soon.

What’s to come!
My main focus is developing the search capabilities further right now. I soon hope to have an intelligent tag search with proper result ordering and sorting.

SS Polaris is nearly complete, so I might roll that out soon. The design documentation for both SS Voyager and SS Polaris needs proper attention and revamping.

Chapter 2 (“Space Boomers”) should be completed in the next few weeks too!

And I think that’s that for today!

A new button (again) and the first Star Trek: Discovery ship review

So, the website has a new logo (again)!

[Screenshot: testing_tablet_20171005]

I’ve also been experimenting with colours. I want the Red/Blue theme, but I want it to be easy on the eyes too.

The biggest addition is the first starship review, which is of USS Shenzhou from Star Trek: Discovery. All things considered, I gave it a weighting of 6.3/10. I should have the rest of the Federation background ships from the Battle of the Binary Stars done soon. Other than that, not much to report really.

Just a new button image, really

Due to starting a new semester this week, I will now be confining my time for everything to a schedule. 6PM to 10PM on Thursdays is dedicated to this website, which gives me 3 and a half hours of actual work and 30 minutes to write an update on this blog. Since I have been busy trying to quickly get back into the routine of university life, I have not done much this week.

The only noticeable change is the new home button image. It’s just a plain white version of the “UFP” text from the 23rd century Federation banner. The favicon has also been updated accordingly (albeit in black instead).

[Screenshot: testing_desktop_20170928] The size of the “UFP” button image is subject to change.

Chapter 1 is mostly complete at this stage, only requiring the addition of my UESPA-9 design. Ship information on Bonaventure is complete, and Friendship is almost complete. In preparation for Chapter 2, a DY-732 database entry will be worked on soon. Chapter 2 primarily focuses on the development of the Earth Cargo Service (hence the chapter title “Space Boomers”), but it will also include UESPA and civilian ships from roughly 2080 to 2110. There are already database entries for some of these ships: Emmette (from the Star Trek: Enterprise title sequence), the aforementioned DY-732, and Declaration (which includes Enterprise XCV-330). There will probably be more ships in the chapter as well, likely including some of the later DY series ships.

Well, that’s it for today!

Rationalising and solving UESPA problems

(I think it is safe to designate Thursday as the Starfleet’s Path to 2265 development update day.)

Since my last update: the UESPA-9 design is taking a bit longer to complete. I am still in the detail phase, stuck trying to prevent the design from looking too advanced for its era. But that in itself inspired me to write this short essay today. The other notable update was the acquisition of the domain for the website.

[Image: uespa9_stage5] Here’s a preview of the detail on UESPA-9 so far! Check out my last update for more information behind the design.

Anyway, let’s get into this.

The United Earth Space Probe Agency (UESPA), the best-known agency for Earth’s pre-Starfleet exploration missions, has a few seemingly very advanced designs that The Powers That Be of Star Trek thought were fitting. I am in no way criticising the aesthetics of those designs, as I personally like them, but they seem too advanced to have been designed, constructed and launched only a few years after Zefram Cochrane’s warp flight and deadly conflicts like World War III. SS Valiant (canon mission designation, non-canon visual design) and SS Conestoga (fully canon design) are examples of two fully-functional deep space vessels launched well under a decade after Cochrane’s achievement. Whilst writing the first chapter of my website, this has presented a few challenges for me to overcome, since I have to rationalise these canon or well-known non-canon designs and then fill the gaps with my own designs based on canon ones! One thing I should also point out is that only a few decades after these designs, civilians had unprecedented access to space via things like the DY-500-class and the Earth Cargo Service.

There were two solutions to the problem that I could choose from in my mind. One, Earth had most of the technology mastered thanks to military advancement in spatial travel during World War III. Two, first contact inspired humanity to race to the stars at an astonishing rate.

Based on how things turned out in World War I and II, the first solution can seem plausible, since many innovations and/or wide-scale adoptions that we take for granted, in most fields of science, were made in those deadly conflicts. Examples include tracked vehicle development, nuclear development, aviation advancement, and even the adoption of penicillin! There is one elephant in the room though. Probably the biggest requirement for deep space travel is a solid, powerful reactor system. If nuclear fusion or even matter/antimatter technology was available in WWIII, surely the level of destruction granted by those immature (for mid-21st century humans) technologies would be far greater than 600 million dead, with Earth’s majority recovery in only a decade or so?

Now considering the second solution, it is clearly more idealistic to think that all of humanity embraced a brighter future right on the spot on 5th April 2063. We are aware of a well-established post-atomic horror that lasted for a few decades, which resulted in some humans retaining the ‘old ways’ for a long period of time. However, this is Star Trek and I think large amounts of optimism are not out of reach. So I have developed the premise of my UESPA writing based on this solution. But, with a twist. The UESPA could have simply duplicated Cochrane’s reactor and nacelle designs (I’d like to think of Cochrane’s warp reactor as a fusion reactor, instead of a matter/antimatter reactor) to begin with and scaled them up. We have done similar things in our history, even with spacecraft such as the Boeing X-37 (which is a 120% scaled derivative of the Boeing X-40). Early ships such as SS Valiant use a system of multiple Cochrane reactor clones, and then most of the spaceframe technology is derived from earlier space programs. The only technologies that would be considerably different (or newly invented) between now and then are gravity generation, radiation shielding and weapons. Seeing as Star Trek seems to indicate that the Eastern countries were worse off, I have written that the strongest American, European or Eurasian countries spearheaded these advanced programs in an effort to rebuild Earth with whatever we could hope to find in space. Whilst the governments were exploring options, a guy from Montana launches an ex-nuclear missile with an advanced propulsion system that his isolated team developed. He gains the attention of the Vulcans, and the most stable governments of Earth realise that space IS the answer. After hearing from the Vulcans that there are indeed other sentient lifeforms in the universe as well, Earth establishes the UESPA and human ambition pushes us to the stars in only a few short years.

Now the specifics. I have written that the UESPA was founded after a popular uprising began to persuade the rebuilding governments that Earth’s future was in the stars. Even from my perspective today, Earth’s future in the stars might be a necessity – we will eventually need more living space, and new and unusual building materials or food products from some planet out there would be cool too. So in light of the WWIII disaster, I think it’s safe to assume a space-based economy using the resources of other planets is the logical solution. This rebuilding effort is definitely a gamble, but since Earth is unwilling to suffer more, humanity takes the bet. The UESPA designs the first explorers as large boxes with Cochrane’s engine designs to find these new worlds. Deep space probes with antimatter technology follow (but I have written that the lack of methods to properly mass-produce antimatter results in Earth being stuck with fusion for at least 6 or 7 decades) to seek out new life and civilisations to make friends and trade with. Colony ships come not long after suitable planets for human expansion are discovered. To add balance, I have peppered in a few large accidents that indicate the immature state of this advanced technology (my UESPA-9 design is one of them – an ambitious but fatal design). The rest you’ll have to see on the website itself.

I have had other issues to resolve too, such as the timeline placement of the Bonaventure spacecraft seen in the background of a few Star Trek episodes – it’s clear it exists, but it was once attributed with the discovery of warp! My website’s Articles section will eventually have pages detailing those minor decisions.

For today though, that’s enough (1,000+ words)! See you next week!