# Searchmercials — Project Analysis

Generated: 2026-04-13
Source: `/var/www/html/Searchmercials/` (commit `7ea37ec`)
Scope: Full-stack analysis of the legacy Hyperseek/iWeb-derived advertising platform.

Access to these docs is blocked at the web layer via `.htaccess`. Read them from the filesystem.

## Reading order

| # | File | Purpose |
|---|---|---|
| 00 | [00-overview.md](00-overview.md) | Product definition, audience, elevator pitch |
| 01 | [01-architecture.md](01-architecture.md) | Top-level layout, entry points, request flow |
| 02 | [02-data-model.md](02-data-model.md) | Database, SDBA ORM, table catalog |
| 03 | [03-modules-breakdown.md](03-modules-breakdown.md) | Per-directory module summaries |
| 04 | [04-auth-security.md](04-auth-security.md) | Login flow, sessions, role separation |
| 05 | [05-integrations.md](05-integrations.md) | GeoIP, YouPortal, PayPal, Authorize.net, video ads |
| 06 | [06-deployment.md](06-deployment.md) | Symlink strategy, vhosts, SSL cert generation |
| 07 | [07-code-health.md](07-code-health.md) | PHP 8 risks, deprecated calls, backup file litter |
| 08 | [08-security-audit.md](08-security-audit.md) | SQL injection, exposed debug endpoints, CSRF |
| 09 | [09-api-reference.md](09-api-reference.md) | Per-file entry point behavior |
| 10 | [10-video-ads-system.md](10-video-ads-system.md) | Video advertising subsystem |
| 11 | [11-database-credentials.md](11-database-credentials.md) | DB layout + credential handling (redacted) |
| 12 | [12-git-history-notes.md](12-git-history-notes.md) | Recent commits, branching |
| 13 | [13-affiliates-and-data.md](13-affiliates-and-data.md) | `affiliates/` cobrand webroots + `data/` shared config, templates, SQL migrations |

## Quick facts

- **Product**: Legacy video-ad marketplace + publisher directory, Hyperseek/iWeb lineage (~2001 era)
- **Host root**: `/var/www/html/Searchmercials/`
- **Two webroots**: `httpdocs/` (HTTP) and `httpsdocs/` (HTTPS) linked via `fixlinks.sh`
- **Multi-brand cobrand webroots** live in `affiliates/` (262 MB, ~30 subdirs) — see [13-affiliates-and-data.md](13-affiliates-and-data.md)
- **Shared per-brand config/templates** live in `data/` (59 MB) — config `.inc`s, template `.txt`s, Hyperseek exports, one-time SQL migrations
- **Primary language**: PHP (pre-5.4 era idioms — `mysql_*`, `get_magic_quotes_gpc`, manual `$include_dir`)
- **DB**: MySQL/MariaDB on `127.0.0.1`, user `ostv`, databases: `searchmercials`, `youportal_aroundme_new`, `beta_db`, `domain_site`
- **Auth**: Session + cookie (`_islogged`) — no CSRF tokens, weak math CAPTCHA
- **Co-hosted with**: YouPortal (`/var/www/html/youportal`) — data sync via `ypbackfill_feed_data`
- **Codebase size**: ~115 PHP files at depth ≤3, ~264 MB in `search/` (mostly media), ~1.1 MB in `classes_new/` (vendor)

## Headline risks (see 08-security-audit.md)

1. **Plain-text DB passwords** in version-controlled `dbconnect.php`
2. **SQL injection** in `httpsdocs/r.php` (lines 123, 394)
3. **Deprecated `mysql_*` functions** were removed in PHP 7.0, so every call raises a fatal error on PHP 7+
4. **Exposed `phpinfo.php`** in `httpdocs/search/`
5. **No CSRF protection** anywhere

## How the docs were generated

Findings were compiled from a filesystem scan plus targeted file reads by an exploration sub-agent. Paths and line numbers are cited so every claim can be re-verified against the source.
