How do auction sites get nearby postcodes?, For instance: 50km of X
Post #1: mb0742, May 26 2012, 11:46 AM
Hey ATMPC,

Looking for a solution for a web based project. Basically like every auction website ever, I want to track down local areas for the customers, i.e. the post code is 3000 and the user sets the searchable distance to 50 km.

Cheers guys

Post #2: SledgY, May 26 2012, 06:26 PM
Usually have a list of lat/lng coordinates of the centre of each postcode.

Here is an example listing: http://blog.datalicious.com/free-download-...ostcodes-geocod
Post #3: mb0742, May 26 2012, 11:50 PM
QUOTE (SledgY @ May 26 2012, 06:26 PM)
Usually have a list of lat/lng coordinates of the centre of each postcode.

Here is an example listing: http://blog.datalicious.com/free-download-...ostcodes-geocod


The BSPno. works like a champ as long as you query ± 1. But then do I have to break out the heavy calculations for each resulting suburb long and lat?

EDIT: Fantastic guide here https://www.dougv.com/2009/03/27/getting-al...-php-and-mysql/

Post #4: SledgY, May 30 2012, 02:17 PM
QUOTE (mb0742 @ May 26 2012, 11:50 PM)
QUOTE (SledgY @ May 26 2012, 06:26 PM)
Usually have a list of lat/lng coordinates of the centre of each postcode.

Here is an example listing: http://blog.datalicious.com/free-download-...ostcodes-geocod


The BSPno. works like a champ as long as you query ± 1. But then do I have to break out the heavy calculations for each resulting suburb long and lat?

EDIT: Fantastic guide here https://www.dougv.com/2009/03/27/getting-al...-php-and-mysql/


This linked example is implementing the correct way to get surrounding postcodes (limiting to a square to query data and then filtering down with the more complex calculation on the resulting set); it also includes an example that you should never use in a production system.

ANY developer who generates SQL expressions by concatenating strings (especially from a POST or GET dictionary) is an incompetent fool; always use parametrised queries. In this case it may seem safe, they do some simple validation first, but what happens when somebody refactors this code and misses a validation step? You now have a SQL injection vulnerability and the dishonour of getting yourself the #1 badge from the OWASP top 10.

/end rant

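The two-stage search SledgY describes, with the query written the way he recommends, as an added example that is not code from this thread or from the linked guides. It uses Python and an in-memory SQLite table in place of the PHP/MySQL setup the guide uses; the postcode centroids are constructed, rough values for illustration, not an authoritative geocoded listing. Stage 1 selects only rows inside a lat/lng square that contains the search circle, using bound parameters; stage 2 runs the haversine formula on just those candidates. The last two functions put the string-concatenation pattern SledgY objects to next to its parametrised form and feed both the same hostile input.

```python
import math
import sqlite3

EARTH_RADIUS_KM = 6371.0

# Constructed sample centroids (rough, illustrative values for a handful of
# Victorian and NSW postcodes; not an authoritative geocoded dataset).
SAMPLE_POSTCODES = [
    (3000, "MELBOURNE", -37.8136, 144.9631),
    (3121, "RICHMOND", -37.8230, 145.0030),
    (3199, "FRANKSTON", -38.1420, 145.1230),
    (3550, "BENDIGO", -36.7570, 144.2790),
    (2000, "SYDNEY", -33.8688, 151.2093),
]


def build_db():
    """In-memory table standing in for the postcode/lat/lng listing."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE postcodes (postcode INTEGER, suburb TEXT, lat REAL, lng REAL)"
    )
    conn.executemany("INSERT INTO postcodes VALUES (?, ?, ?, ?)", SAMPLE_POSTCODES)
    return conn


def haversine_km(lat1, lng1, lat2, lng2):
    """Great-circle distance between two points, in km (the 'heavy' calculation)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lng2 - lng1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def bounding_box(lat, lng, radius_km):
    """Lat/lng square that fully contains the circle of radius_km around (lat, lng)."""
    dlat = math.degrees(radius_km / EARTH_RADIUS_KM)
    dlng = math.degrees(radius_km / (EARTH_RADIUS_KM * math.cos(math.radians(lat))))
    return lat - dlat, lat + dlat, lng - dlng, lng + dlng


def nearby_postcodes(conn, postcode, radius_km):
    """Stage 1: cheap BETWEEN query over the square (indexable). Stage 2: haversine on the candidates."""
    row = conn.execute(
        "SELECT lat, lng FROM postcodes WHERE postcode = ?", (postcode,)
    ).fetchone()
    if row is None:
        return []  # unknown postcode: nothing to search around
    lat, lng = row
    min_lat, max_lat, min_lng, max_lng = bounding_box(lat, lng, radius_km)
    candidates = conn.execute(
        "SELECT postcode, suburb, lat, lng FROM postcodes "
        "WHERE lat BETWEEN ? AND ? AND lng BETWEEN ? AND ?",
        (min_lat, max_lat, min_lng, max_lng),
    ).fetchall()
    results = []
    for pc, suburb, plat, plng in candidates:
        d = haversine_km(lat, lng, plat, plng)
        if d <= radius_km:  # the square's corners lie outside the circle; drop them
            results.append((pc, suburb, round(d, 1)))
    results.sort(key=lambda r: r[2])
    return results


def lookup_unsafe(conn, postcode_input):
    """DO NOT USE. SQL assembled by concatenating user input: the pattern SledgY objects to."""
    sql = "SELECT postcode FROM postcodes WHERE postcode = " + postcode_input
    return [r[0] for r in conn.execute(sql).fetchall()]


def lookup_safe(conn, postcode_input):
    """Same query with a bound parameter: the input is treated as data, never as SQL."""
    return [
        r[0]
        for r in conn.execute(
            "SELECT postcode FROM postcodes WHERE postcode = ?", (postcode_input,)
        ).fetchall()
    ]


if __name__ == "__main__":
    db = build_db()
    for pc, suburb, dist in nearby_postcodes(db, 3000, 50):
        print(pc, suburb, dist, "km")
    print("unsafe:", lookup_unsafe(db, "3000 OR 1=1"))  # every row comes back
    print("safe:  ", lookup_safe(db, "3000 OR 1=1"))    # no match
```

With the constructed data, a 50 km search around 3000 returns 3000, 3121 and 3199; 3550 and 2000 never reach the haversine step because the BETWEEN query already excludes them, which is the whole point of the square prefilter (put an index on (lat, lng) in a real table). Feeding `3000 OR 1=1` to the concatenating version returns the entire table; the parametrised version compares the column to the literal string and returns nothing, with no validation step to forget.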
Post #5: Zzozzach, May 31 2012, 08:16 PM
QUOTE (SledgY @ May 30 2012, 03:17 PM)
ANY developer who generates SQL expressions by concatenating strings (especially from a POST or GET dictionary) is an incompetent fool, always use parametrised queries. In this case it may seem safe, they do some simple validation first but what happens when somebody refractors this code and misses a validation step? You now have a SQL injection vulnerability and the dishonour of getting yourself the #1 badge from the OWASP top 10.

/end rant

Ahem... for a site that is supposedly an 'authority' on web security you'd think they'd at least be able to avoid a simple mistake such as ensuring their server's certificate matches the hostname. My browser just popped up a window warning me that the server's hostname is owasp.com but the certificate is only valid for owasp.org or *.owasp.org. Blindly accepting the certificate will set you up for a redirection or man-in-the-middle attack.

Post #6: SledgY, Jun 1 2012, 12:12 PM
QUOTE (Zzozzach @ May 31 2012, 08:16 PM)
QUOTE (SledgY @ May 30 2012, 03:17 PM)
ANY developer who generates SQL expressions by concatenating strings (especially from a POST or GET dictionary) is an incompetent fool, always use parametrised queries. In this case it may seem safe, they do some simple validation first but what happens when somebody refractors this code and misses a validation step? You now have a SQL injection vulnerability and the dishonour of getting yourself the #1 badge from the OWASP top 10.

/end rant

Ahem... for a site that is supposedly an 'authority' on web security you'd think they'd at least be able to avoid a simple mistake such as ensuring their server's certificate matches the hostname. My browser just popped up a window warning me that the server's hostname is owasp.com but the certificate is only valid for owasp.org or *.owasp.org. Blindly accepting the certificate will set you up for a redirection or man-in-the-middle attack.

The link is to owasp.org...

Either way, that would be a #9 on the top 10, the difference being:

#1 is easily exploitable, not that easy to detect (aside from extensive code reviews and security testing) and has a severe impact rating
vs
#9, which is difficult to exploit, easy to detect and has only a moderate impact rating (especially for a site that does not collect any personal information)

I might also add that #1 is trivial to avoid in any web application framework. ORM and parametrised queries are commonplace and effectively mitigate this risk for databases.

Post #7: mb0742, Jun 1 2012, 10:18 PM
QUOTE (SledgY @ May 30 2012, 02:17 PM)
QUOTE (mb0742 @ May 26 2012, 11:50 PM)
QUOTE (SledgY @ May 26 2012, 06:26 PM)
Usually have a list of lat/lng coordinates of the centre of each postcode.

Here is an example listing: http://blog.datalicious.com/free-download-...ostcodes-geocod


The BSPno. works like a champ as long as you query ± 1. But then do I have to break out the heavy calculations for each resulting suburb long and lat?

EDIT: Fantastic guide here https://www.dougv.com/2009/03/27/getting-al...-php-and-mysql/


This linked example is implementing the correct way to get surrounding postcodes (limiting to a square to query data and then filtering down with the more complex calculation on the resulting set); it also includes an example that you should never use in a production system.

ANY developer who generates SQL expressions by concatenating strings (especially from a POST or GET dictionary) is an incompetent fool; always use parametrised queries. In this case it may seem safe, they do some simple validation first, but what happens when somebody refactors this code and misses a validation step? You now have a SQL injection vulnerability and the dishonour of getting yourself the #1 badge from the OWASP top 10.

/end rant


Well, to be fair, the post wasn't written for the tech illiterate. If you were writing an example, would you include a large amount of variable checking?
