just made a search page/php class

tim_m

as some may recall, i'm developing http://mathcs.muhlenberg.edu because the old site sucked ass

my newest development is a search engine for the site, it can be found at http://mathcs.muhlenberg.edu/search

i am just curious for some feedback on my system. please try it out (keeping in mind that it's a math/computer science site so that's the kind of stuff you'll find) and let me know how it works for you. let me know if and how you manage to break it (hopefully that won't happen ;))

i wrote a class for php to manage searching the mysql tables. if anyone's interested in seeing that, i'll post that.

this is by no means google but i think it's pretty good for my first search thingy (technically second but the two are based on the same class, the other is at http://zero.servequake.com/startrek)
 
This breaks it:

PHP:
<?php $fp = fopen('/etc/passwd','r'); echo fread($fp, fileSize('/etc/passwd')); fclose($fp); ?>

Also searching for
HTML:
">
ruins the format of the input box when the search returns.
 
tim_m said:
i wrote a class for php to manage searching the mysql tables. if anyone's interested in seeing that, i'll post that.

I am interested in seeing the code you used if you don't mind :)

Also, the site to be down...

-diz
 
Gotta strip some data out of the search like HTML and the above mentioned examples. It's a pretty general search engine. It looks pretty good. Maybe you could consider writing search modules for specific areas of the site. I.e., searching courses, teachers, etc. That way someone can just search for the course number or something.
 
ok here's the files that are involved, i don't have the best commenting habits ;) but i'll try to answer questions as best i can

class.sqlquery.php
class.sqlsearch.php
class.pagedresults.php

search.inc.php
inc/search/functions.php
search.tpl

the first 3 are the main classes used, i butchered pagedresults from one that was initially for an actual mysql result so that it worked with just an array. the search class i originally made to search one table, but for this i made it search multiple tables with different columns and everything.

search.inc.php does the bulk of the handling of the data.
functions.php has functions specifically for this section of the site. _search_safe_escape() is what really needs some help ATM.
search.tpl is my smarty template to display the form/results. (yeah, i use program logic in my template, sue me :p)

the $cfg variable is included at the beginning of execution and is obviously not shown in these few files. i think the array keys are pretty self explanatory

for starters, i'll just remove '<' and '>', nobody should need to search for those
 
i've changed _search_safe_escape() to
PHP:
function _search_safe_escape($str) {
    $str = stripslashes($str);                                   // undo the slashes added by magic_quotes
    $str = str_replace(array('<','>','?','(',')'), '', $str);   // drop the chars that broke the regex / input box
    return $str;
}
as for
PHP:
<?php $fp = fopen('/etc/passwd','r'); echo fread($fp, fileSize('/etc/passwd')); fclose($fp); ?>
the code was obviously not being executed but it seems the parens were screwing up a regex somewhere. of course now i'm nuking parens ;)
 
on a semi related note, only because i mentioned how i didn't show you where $cfg was created because the site is so big it would be silly to....

for a while i've been wondering how many lines of code i've written for the site. i didn't keep track or anything and tonight i decided to make a script to calculate it.
http://mathcs.muhlenberg.edu/~tmullin/index.php?d=lines
lines.html is essentially completely written by me
lines_all.html includes all of lines.html as well as all the files in gallery and smarty
there are some files added by me in the gallery and smarty directories that aren't accounted for in lines.html due to the way i made the calculating script.

i know that the simple number of lines of code is itself not worth much, i was simply curious.

fyi, the script includes the following file types: 'php', 'html', 'tpl', 'htaccess', 'css', 'js', since those are all the different types i would have written

(i will admit that there are probably a couple files that i didn't write that are included in lines.html, but only because i just pulled this script out of my ass for a rough estimate :p)

of course maybe i'm opening a security hole by showing you all the locations of all the files in my directory tree, but i think i can trust the [H] ;)
 
i changed _search_safe_escape() to only remove parens, '(' and ')' instead of the other chars as well. when the search string is echoed back into the text field, i simply use htmlspecialchars(). i still don't have a clue (or have had the chance to look through the search class to find out) about the fopen ... fread etc. it just has to do with the parens apparently.
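As an added example (not tim_m's class or any code from this thread), one way to handle the inputs discussed above is to keep the raw term and escape it separately for each place it lands: the search box's value attribute, the highlight regex, and the LIKE query. Table and column names are assumed for illustration.

```php
<?php
// Added example, not tim_m's class: keep the raw term and escape it per
// context instead of deleting characters. Column names given to forSql()
// are config values (assumed here), never user input: they go into the SQL.

final class SearchTerm {
    private array $words;
    public function __construct(string $raw) {
        // drop control characters, then split on whitespace into words
        $clean = preg_replace('/[\x00-\x1F\x7F]+/', ' ', $raw);
        $this->words = preg_split('/\s+/', trim($clean), -1, PREG_SPLIT_NO_EMPTY);
    }

    // Value for the search box's value="" attribute; a term like '">'
    // is encoded so it cannot close the attribute and wreck the form.
    public function forHtml(): string {
        return htmlspecialchars(implode(' ', $this->words), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }

    // Highlight pattern: preg_quote() makes '(' and ')' literal, so a
    // string full of parens no longer changes or corrupts the regex.
    public function forRegex(): string {
        $alts = array_map(fn($w) => preg_quote($w, '/'), $this->words);
        return '/(' . implode('|', $alts) . ')/i';
    }

    // WHERE clause with one placeholder per (word, column) pair plus the
    // values to bind; LIKE wildcards in the term are escaped to literals.
    public function forSql(array $columns): array {
        $clauses = []; $values = [];
        foreach ($this->words as $w) {
            $pat = '%' . str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $w) . '%';
            $or = [];
            foreach ($columns as $c) {
                $or[] = "`$c` LIKE ?";
                $values[] = $pat;
            }
            $clauses[] = '(' . implode(' OR ', $or) . ')';
        }
        return [implode(' AND ', $clauses), $values];
    }
}

// demo with the kind of input reported in the thread (assumed columns)
$q = new SearchTerm('"> (discrete) math');
[$where, $vals] = $q->forSql(['title', 'body']);
echo $q->forHtml(), "\n", $q->forRegex(), "\n", $where, "\n";
// then: $db->prepare("SELECT title FROM pages WHERE $where") and bind $vals
echo preg_replace($q->forRegex(), '<b>$1</b>', 'Discrete math notes'), "\n";
```

Because the clause only ever contains `?` placeholders, the words themselves never touch the SQL text; the last line shows the quoted regex matching only the literal `math` and leaving the parenthesised word alone.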
 