
Test a Storagespace website


pagedrop


It's not too bad, though I do have a few issues with it.

 

First off, it's completely JavaScript dependent. Then, with JavaScript on, although the effects and pop-ups may look pretty, they slow down the whole process quite considerably.

 

There's no human validation like captcha images or email verification, so the whole thing's wide open to spamming!

 

If you upload a file, then upload another with the same name, the old one is automatically overwritten; this could cause some serious frustration!

 

Also, the links in the top right-hand corner seem to vary on every page.

 

Adam


You need to work on injection.

 

Something like:

 

<?php
// Trim whitespace and strip HTML tags from user input.
// No SQL escaping is done here: the values are bound as prepared-statement
// parameters below, so they are never interpreted as SQL, and escaping them
// as well would store stray backslashes in the database.
function clean($text) {
    return strip_tags(trim($text));
}

$passwordview = clean($_POST['passwordview']);
$userview = clean($_POST['userview']);

$mysqli = new mysqli('localhost', 'username', 'password', 'database'); // connect
$sql = $mysqli->prepare("INSERT INTO users (username, password) VALUES (?, ?)"); // prepare statement
$sql->bind_param('ss', $userview, $passwordview); // bind parameters to replace ? in statement
$sql->execute(); // execute statement
?>


I have used an example of the MySQLi prepared statements to weed out any injection before it gets submitted to the database. Also, before I even prepare the statement, I use my clean() function to weed out most, if not all, of the injection attempts.

 

I have explained in the example how the code works. If you need to refer to something, feel free to google MySQLi prepared statements. ;)


Hello,

 

Thank you, but I'm not sure what injection is. Could you please tell me about it and the code?

 

SQL Injection is the biggest one you want to watch out for: Read here

Cross-site Scripting (XSS) Exploit is another issue: Read here

 

For file uploading you really need to filter the names, as on some operating systems a / is allowed but renders that file like a folder and it becomes un-deletable, or a ' can cause a file issue. So filtering that as well will save you some major headaches.
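Here is an added example (not code from any poster in this thread) of the file-name filtering and overwrite protection discussed above: the upload name is reduced to a conservative character set with no directory separators or quotes, and an existing file is never silently replaced. The upload directory path is an assumed value.

```php
<?php
// Added example, not from the thread. $uploadDir below is an assumed setting.

function safe_upload_name(string $original): string {
    // basename() drops any directory component, so "../x" or "a/b" cannot
    // escape the upload folder; backslashes are normalised first for Windows clients
    $name = basename(str_replace('\\', '/', $original));
    // Keep only letters, digits, dot, underscore and dash; quotes, slashes,
    // spaces and other characters become underscores
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $name);
    // Reject names that are empty or consist only of dots after cleaning
    if ($name === '' || trim($name, '.') === '') {
        throw new InvalidArgumentException('invalid file name');
    }
    return $name;
}

function unique_path(string $dir, string $name): string {
    $path = $dir . DIRECTORY_SEPARATOR . $name;
    $info = pathinfo($name);
    $ext  = isset($info['extension']) ? '.' . $info['extension'] : '';
    $base = $info['filename'];
    $n = 1;
    // Append a counter instead of overwriting an existing upload of the same name
    while (file_exists($path)) {
        $path = $dir . DIRECTORY_SEPARATOR . $base . '_' . $n . $ext;
        $n++;
    }
    return $path;
}

$uploadDir = __DIR__ . '/uploads'; // assumed upload directory, outside the web root ideally
if (isset($_FILES['file']) && $_FILES['file']['error'] === UPLOAD_ERR_OK) {
    $name = safe_upload_name($_FILES['file']['name']);
    $dest = unique_path($uploadDir, $name);
    // move_uploaded_file() only accepts a file that PHP itself received via this request
    if (!move_uploaded_file($_FILES['file']['tmp_name'], $dest)) {
        http_response_code(500);
        echo 'upload failed';
    }
}
?>
```

With this in place, a second upload called report.txt is stored as report_1.txt rather than replacing the first, and a name such as ../'evil'.txt is stored as _evil_.txt inside the upload directory.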
