site review and htaccess question

[powell1]

After reading through Eli's blog, I decided to give the database site building a shot. I've gotten some good help from you guys so far, and I appreciate it. This is my first crack at anything that wasn't straight html, so it was pretty rough going.

Anyway, I finally got the site up at Online Job Service: Search and find a local job now!
I'd appreciate any feedback that you might have to make it better. I know it needs a search, and I'm working on it. I can't seem to get string comparisons to work right in php, but I'll figure it out eventually.

One problem I know I have is the site is open to SQL injection. Here is the htaccess file I'm using:

Options +FollowSymLinks
RewriteEngine on
RewriteRule ^alljobs/([A-Za-z\ A-Za-z]+)/([A-Za-z\ A-Za-z]+)/([0-9]+)/([0-9]+)/?$ index.php?alljobs=1&state=$1&city=$2&zip=$3&spage=$4 [L]
RewriteRule ^alljobs/([A-Za-z\ A-Za-z]+)/([A-Za-z\ A-Za-z]+)/([0-9]+)/?$ index.php?alljobs=1&state=$1&city=$2&zip=$3 [L]
RewriteRule ^([A-Za-z\ A-Za-z]+)/([A-Za-z\ A-Za-z]+)/([0-9]+)/([^/]+)/([0-9]+)/?$ index.php?state=$1&city=$2&zip=$3&job=$4&spage=$5 [L]
RewriteRule ^([A-Za-z\ A-Za-z]+)/([A-Za-z\ A-Za-z]+)/([0-9]+)/([0-9]+)/?$ index.php?state=$1&city=$2&zip=$3&page=$4 [L]
RewriteRule ^([A-Za-z\ A-Za-z]+)/([A-Za-z\ A-Za-z]+)/([0-9]+)/([^/]+)/?$ index.php?state=$1&city=$2&zip=$3&job=$4 [L]
RewriteRule ^([A-Za-z\ A-Za-z]+)/([A-Za-z\ A-Za-z]+)/([0-9]+)/?$ index.php?state=$1&city=$2&zip=$3 [L]    
RewriteRule ^([A-Za-z\ A-Za-z]+)/([A-Za-z\ A-Za-z]+)/?$ index.php?state=$1&city=$2 [L]
RewriteRule ^([A-Za-z\ A-Za-z]+)/?$ index.php?state=$1 [L]

There are a couple places where it'll take in any characters. I know there is a way to filter them out in php, but I don't know what it is. Also, with that file, if someone were to type in Online Job Service: Find a local job in douche it would browse the state "douche" and ask you to select a city. It's not a huge deal, but I'd like to somehow stop that from happening, maybe by comparing $state to the list of unique states in the database and redirecting to the home page if that state doesn't exist. Anyone know how I might go about doing that?

Thanks for your help, you guys have been awesome.

 

[DewChugr]

Your SQL protection and cross site scripting protection is normally done in your PHP. It's not that hard and you should be able to find great resources through google. Chris Shifflet (sp?) is a PHP security expert and has some great articles. Your htaccess file can affect any file you create in the future and could lead to banging your head against the wall.

What you want to do is NOT filter out bad things people may enter, but rather allow only things that they should be entering. For example if they are supposed to be entering an email address you build a regular expression to make sure they are giving you a valid email address. Regular expressions can be a bit tough to get a handle on but they get a lot easier as you use them.

If you are taking get or post parameters you need to validate all of them before you use them for anything at all, period.

Another thing you can do to help protect your forms is to use sessions and pass a random number through a hidden form field and through a session. This will insure that your form was submitted from your site rather than some spammer submitting it remotely.

Keep in mind that things like < and % can be represented by their hex code equivalent by hackers/spammers.

Hope this helps a little.

 

[Jondoe0069]

I don't have any good answers for your coding questions, but is this site more for generating organic traffic and getting them to click on your adsense?

The site is pretty simple to use, but it takes a while to drill down to view jobs. If you just want people to click on your ads (and don't expect them to come back) this is probably a good thing. If you want them to actually stick around and use the site (and come back) then you should work on the usability considerably.

Everything else looks really good.

 

[powell1]

thanks guys. I know the usability isn't that great. The sites main purpose was just to get indexed and give me some pages, but I've been trying to make it so that people actually return to the site. The search feature will help once I get that up and running.