For those who are interested in critiquing my code, or to see proof that I am actually writing code and capable of doing this (which is material information for anyone interested in supporting this project with a personal business loan), I've decided to release the snippet of code which creates this:
If you are taking input from users and not sanitizing it, then what is to prevent them from injecting malicious PHP code or creating XSS vulnerabilities?
Good point. In this case, the server-side pulls info out of the database and pushes it into a JavaScript variable. So if someone could introduce an entry name like x"}}; {malicious code}; var z = {{"x there might be some sort of problem. However, right now only admins can put information into the database, and in the future users who edit the database will have their submissions put into a changelog where admins can review it before it goes live.
Generally I design for security first, but in this case it's not so vital, as admins would have access to the database anyways.
On other sections of code, I have a cleanstr function which right now uses (I think) htmlentities. ex:
if (strcmp($action, "browse") == 0)
{
    $conclusion = GetMatchingKeywordAndTag($keywords, $tags, $sl, $tl);
    // Let's make our table.
    // 1. HEADER
    $data = "<table>";
    $data .= "<tr>";
    $data .= "<th>id no.</th>";
    $data .= "<th>entry</th>";
    $data .= "<th>canonical</th>";
    $data .= "<th>pos</th>";
    $data .= "<th>phonetic</th>";
    $data .= "<th>phonetic2</th>";
    $data .= "<th>definition</th>";
    $data .= "<th>tags</th>";
    $data .= "</tr>";
    // 2. BODY - every cell value goes through cleanstr() before it is
    //    concatenated into the HTML, so database content is escaped on output.
    foreach ($conclusion as $row)
    {
        $data .= "<tr>";
        $data .= "<td>" . cleanstr($row['id']) . "</td>";
        $data .= "<td>" . cleanstr($row['entry']) . "</td>";
        $data .= "<td>" . cleanstr($row['canonical']) . "</td>";
        $data .= "<td>" . cleanstr($row['pos']) . "</td>";
        $data .= "<td>" . cleanstr($row['phonetic']) . "</td>";
        $data .= "<td>" . cleanstr($row['phonetic2']) . "</td>";
        $data .= "<td>" . cleanstr($row['definition']) . "</td>";
        $data .= "<td>" . cleanstr($row['tags']) . "</td>";
        $data .= "</tr>";
    }
    // 3. CLOSE TABLE
    $data .= "</table>";
}
One interesting point to make about a site like this is that it isn't the sort of thing that would come under repeated or focused attack (IMO). It isn't a financial site, I plan to outsource payment processing (at least at first), and so on. Who would want to hack into someone else's Japanese learning account? I admit some people would do it for the lulz but I'm not obsessing over it too strongly this time. Good point tho.
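The two output contexts discussed in this thread (the HTML table cells that go through cleanstr(), and the database values pushed into a JavaScript variable) need different escapers. The following is an added example, not the poster's code: it assumes cleanstr() wraps htmlentities() as the poster suggests, introduces a hypothetical js_literal() helper for the script-block case, and uses a constructed sample row built around the entry-name shape quoted above.

```php
<?php
// Added example (not the poster's code). Shows context-aware output escaping
// for the two places this thread talks about: an HTML table cell and a
// JavaScript variable populated from database rows.

// HTML-element context: what the poster's cleanstr() does if it wraps
// htmlentities(). ENT_QUOTES covers both quote styles; the explicit charset
// matters for multi-byte (e.g. Japanese) text, and ENT_SUBSTITUTE keeps an
// invalid byte sequence from silently returning an empty string.
function cleanstr($s)
{
    return htmlentities((string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// JavaScript context (hypothetical helper): a value emitted inside a <script>
// block. htmlentities() is the wrong tool here because it knows nothing about
// JS string syntax (backslashes pass through untouched). json_encode() with the
// HEX flags yields a valid JS literal in which <, >, &, ' and " are \uXXXX
// escapes, so the string cannot terminate the literal or the <script> element.
function js_literal($value)
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_UNICODE
    );
}

// Constructed sample row, reusing the entry-name shape quoted in the thread.
$row = [
    'id'         => 42,
    'entry'      => 'x"}}; {malicious code}; var z = {{"x',
    'canonical'  => '食べる',
    'definition' => 'to eat </script><script>alert(1)</script>',
];

// 1. Table cell (HTML context): metacharacters become entities.
$cell = '<td>' . cleanstr($row['entry']) . '</td>';
// <td>x&quot;}}; {malicious code}; var z = {{&quot;x</td>

// 2. Script block (JS context): the whole row set is one JSON literal, so the
//    server never builds JS source by string concatenation of field values.
$script = '<script>var entries = ' . js_literal([$row]) . ';</script>';
// The " in 'entry' is emitted as \u0022 and the </script> in 'definition'
// as \u003C/script\u003E, so the browser does not see an early closing tag.

echo $cell, "\n", $script, "\n";

// A value that is safe in one context is not automatically safe in the other:
// use cleanstr() for element content and js_literal() for script blocks, and
// never route one context's output through the other's escaper as a substitute.
```

The useful pattern from the defender's side is the second one: rather than splicing individual field values into JavaScript source, hand the entire row array to json_encode() with the HEX flags and read it on the client as data. That removes the quoting question for the JS context entirely, independent of who is allowed to write to the database.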