My document search engine

Post by ayu »

Finally I have started my document search engine... and I have an idea of how I want to do it. And I would like opinions from experienced users about my idea =) so that I can plan the site before I start coding (alternative pseudocode)


Anyway the site will contain the following files

1: Index.php in the www root folder
2: Search.php in the www root folder
3: config.php in the server root folder
4: admin.php in the server root folder
5: submit.php in the www root folder
6: request.php in the www root folder
7: requests.php in the www root folder

Now the index.php will only have the search engine in the middle of the site, and I was thinking of a white and empty theme (will be worked on). When you search for a document (like a guide or a tutorial) it will take you to search.php, which will contain the search results and another search engine in the top left corner of the page. All of the information on the site, like documents and documents that are awaiting approval, will be stored in a MySQL database. I was first thinking of having everything in text files and then searching the directories, but this idea sounds better in my opinion (want yours too). Anyway, if anyone wants to add his/her document, they will be able to do so on the submit.php page, which will be stored in the MySQL database until I "agree" with it and add it to the document part of the database using the admin.php script. People will also be able to request documents in the request section; when they request something it will be added to the "requests.php" page, where people can see all the requests, and then if they feel like it they can submit one and "mark" the request that they are answering to, so that if I agree with the document the request will be marked as "approved".

In the config.php I will have security data such as MySQL data and so on.

Now this is an idea/project that is still in the "brainstorming" part so it is full of holes ^^

BUT! Now I want all of your opinions.... What should I change? Any ideas of stuff that I could add? What are the security risks that I should think of? Flood me!
"The best place to hide a tree, is in a forest"

Post by ebrizzlez »

If it's a search engine, be careful with the XSS attacks. You would need to put bound checks to make sure XSS attacks aren't allowed through. Normally if your engine accepts the img tags in html, then it will accept java, thus it will accept cross server scripts. :wink:

Post by ayu »

ebrizzlez wrote: If it's a search engine, be careful with the XSS attacks. You would need to put bound checks to make sure XSS attacks aren't allowed through. Normally if your engine accepts the img tags in html, then it will accept java, thus it will accept cross server scripts. :wink:

Hehe yeah, I will stick that into my notes ^^

Note: Murder people trying to use XSS attacks
"The best place to hide a tree, is in a forest"

Post by alien100 »

neo130 wrote:
ebrizzlez wrote: If it's a search engine, be careful with the XSS attacks. You would need to put bound checks to make sure XSS attacks aren't allowed through. Normally if your engine accepts the img tags in html, then it will accept java, thus it will accept cross server scripts. :wink:

Hehe yeah, I will stick that into my notes ^^

Note: Murder people trying to use XSS attacks
:lol:

Post by ebrizzlez »

lol. I read an article to stop XSS attacks with some php boundary code, but can't find it. =\ Just test your search engine by typing in:

Code:

<img src="www.example.com/example.jpg">

Then see if it executes the command. Then try to type some java code to see if XSS attacks are allowed or not. :wink: If they're executable you got a bigggg problem in your hands and need lots of programming to be on the safe side. Mainly guestbooks are vulnerable to XSS attacks. But so are search engines or anything that has an input value or text box. :?
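
Added example, not part of the thread or of any poster's code: one way a results page like the search.php described above can echo the search term and user-submitted document titles so that the test string from the last post is displayed as text instead of being rendered. The function names, the "q" parameter, the view.php link and the sample rows are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Encode a value for HTML text and for quoted attribute values.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build the results page. $term is the raw search term; $rows are document
// records as they would come back from the database. They were submitted
// by users, so they are treated as untrusted as well.
function render_results(string $term, array $rows): string
{
    $html  = '<form action="search.php" method="get">';
    // Attribute context: the term is echoed back into the search box.
    $html .= '<input type="text" name="q" value="' . h($term) . '">';
    $html .= '</form>';
    // Text context: the term is echoed in the heading.
    $html .= '<h1>Results for ' . h($term) . '</h1><ul>';
    foreach ($rows as $row) {
        // URL context: encode the parameter value first, then the whole
        // attribute. view.php is a hypothetical detail page.
        $href  = 'view.php?id=' . rawurlencode((string) $row['id']);
        $html .= '<li><a href="' . h($href) . '">' . h($row['title']) . '</a></li>';
    }
    return $html . '</ul>';
}

// Constructed sample input: the test string from the post above as the
// search term, and one stored title that contains markup.
$term = '<img src="www.example.com/example.jpg">';
$rows = [
    ['id' => 1, 'title' => 'PHP guide'],
    ['id' => 2, 'title' => '<b>Free</b> guide'],
];

header('Content-Type: text/html; charset=UTF-8');
echo render_results($term, $rows);
```

With this encoding the page source contains `&lt;img src=&quot;www.example.com/example.jpg&quot;&gt;`, so the browser shows the tag as literal text in both the heading and the search box.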
