
Note: When this service is 100% set up and operational it will be something I charge for, but this test is just that, a test.  No information is submitted to the database, nothing is saved, nothing is sent.  Nothing will be charged, obviously, since who charges for a test.  I wanted to clear that up since people on another site called me many mean names because they thought I was charging them to test this.  There is no charge, I haven't set that up yet.

 

I had this big long post written up, but in my haste to grab the URL to link to it I accidentally closed the tab with the post page...so it's gone.

 

I suppose I'll just say I added a bunch of features, fixed a bunch of things, and I'm at the point where I should stop procrastinating and start working on the actual submission for the darned thing!

 

I've set up a public test for people to mess with, test, break, find things I need to fix...etc. Please check it out here:

 

http://infectionist.com/misc/capture/public_test/capture.php

 

I think it's pretty cool. Nice little fade effects when you don't fill in a required field, and fade out when you fill it in. It uses my getFileShare class (which you can find a thread about in this forum). Basically it's a custom php Class that I wrote that'll let you retrieve the fileshare items of any gamertag supplied, it makes it REALLY easy. I cut down 15-20 lines of code using it, and that's pretty considerable. As far as I know, validation is working, but that's what I want people to test the most completely. The following fields are required:

 

Gamertag, Film, Email Address, Accept the price, and Accept the ToS.

 

Those fields must be filled in/checked for a submission to take place. If anyone manages to get it to submit without filling in one of those fields, please let me know.

 

Also, probably my favorite new feature is the little notification you get when the price changes (when you switch between 720p and 480p). Try it, I won't ruin the surprise, but I love it. Just select a film and change between 720p and 480p, back and forth. I've tested it as much as I can in IE7 and Firefox, but since I know how it's supposed to work, I can't find things that don't work how they're supposed to, that's why the public test!

 

Anyway, try it out, lemme know what you think. Submission doesn't actually submit anything, it just takes you to a page with the information you entered on it, but by all means, click the button, you'll need to in order to test it properly.

 

Here's the link again:

 

http://infectionist.com/misc/capture/public_test/capture.php


You realize that this is only one layer of the validation.  Basically all I'm doing here is checking to make sure the fields were filled in period.  In the next layer I'll check to make sure they were filled in with valid values, but I wanted to stop people from submitting the form if the information wasn't there.  How about next time you actually read the post instead of just clicking those fancy little underlined words and then insulting me...mmmmk.

 

For the record, this one layer of validation is using Javascript only, no php involved, thus I don't have the same abilities as I will when I incorporate the second layer of validation.

Do you read?!?  Honestly, for Christ's sake.  This is one layer of protection only!  The people that have JS disabled won't even be able to start the submission process because when they enter in their gamertag, the page uses AJAX to load up the films for that gamertag.  Since AJAX is called up via Javascript, the films will never load up, and thus the form will never appear, and thus no, they won't be able to enter anything.  Better programming concepts than you think, you just have to actually THINK, and not just assume, use what you know.  This is THE FIRST STEP of the system, the VERY FIRST STEP.  Directly after the person submits this information I'll have my php do a load more checks to make sure everything is valid.  Things like email validation, referencing the gamertag with the saved film clip submitted, and a ton of other things to make sure things go smoothly.  This will all be transparent to the user but it will be there.

 

Have any more constructive comments?

you should really read the below article and see how wrong you are.

 

How Javascript Validation can be bypassed

 

While you may be validating your stuff in JavaScript, it is not the best of methods to use. Even with JavaScript enabled I can still bypass it and insert cross-site scripting attacks. It is best to still use PHP validation like I mentioned above; those functions will correctly validate your backend in PHP.

 

 

 

 

 

Thank you, I will, but that's the last step I take.  I find it's too tedious to keep doing it because while the code that I write is pretty clean to start with, everyone makes mistakes and I'd rather fix them all at once than after every step.  It took me a year after I brought the new version of my site online to go through and validate it...still, I did it, so yeah.


 

 

Honestly I could go through code quite easily and validate it if you really cared enough about your site, it sounds like you really do not. And I highly doubt your code was "clean" to start with if I found a SHITLOAD of XSS attacks being allowed. :P

 

 

Apart from the issues that have already been brought up, I'm going to touch on your html. I don't have a gamer tag, I don't even know what one is, so I couldn't get past page one!

 

Your site is built with tables, big no no. Tables are for content requiring a tabular layout. You should be using divs for page positioning and general layout. You should try and avoid inline styles, you're already calling an external style sheet, why not keep consistent?

 

When you have a list of links you should use a list <ol> or <ul>

 

should this page http://infectionist.com/misc/capture/public_test/submit.php be printing 'Array ( )' to screen?

 

And to just re-iterate what's been said, compliance isn't that hard. Be it CSS or HTML 4.01, it takes minutes on small sites; yours could be done in an hour tops.

Oh my freaking god.  Ok, just stop it, then, all of you.  Obviously none of you read otherwise all these stupid questions would be answered.

 

darkfreak, you're starting to piss me off.  I know my code isn't perfect, I know there are errors, bugs, glitches, and unvalidated code.  I KNOW, that's why they call this a TEST, so you can TEST these things to find the bugs and FIX them.  code validation is the LAST step I do because I PERSONALLY find it tedious to do it after every step, that's just me.  You do it how you want, I will do it how I want.  I don't care about your XSS attacks, this is the first step.  Javascript doesn't allow for the same kind of feature set as php does, thus when I have my php code (on the next step, that isn't written yet) go through the data that's being input, it should catch it all.  The javascript is an extra little feature to stop half the people from submitting the form if everything's not filled in, the rest will be stopped by the php.

 

gevans...I realize you were trying to be helpful but I wasn't asking for suggestions on the layout of my site.  I don't give a shit if you don't like that I use tables, I'm gonna keep doing it.  It looks fine, it works, I didn't write it, so get over it.  Notice how if you go to the forums it's the same layout, and at the bottom there's a nice little link saying "xbox 360 by scott stubblefield"...that's because he wrote the template for a phpbb2 forum and I modified it so I could use it with my frontpage of my site.  I find tables to be more organized and divs to not be as compatible, so I use tables.  Where do I have a list of links, in the navigation bar?  Why would I use ordered list or unordered list in the navigation bar, I don't want bullets or numbers up there and I don't care to write the css to get rid of them.  Oh and where is the inline styles?  I only had one bit of style code on that page and I got rid of it because the feature it was for didn't work properly.  And yes, submit.php should be printing an array, it should be printing the submitted POST array from the form on capture.php.  And how can you not know what a gamertag is?  How old are you?  Whatever, use halo2freeek, that's my gamertag, it'll return a list with the item "rack on tours".

 

And for the last time, compliance checks are the ABSOLUTE LAST THING I DO.  My workflow:

 

1. make it work

2. make it pretty

 

Ok?

Oh my freaking god.  Ok, just stop it, then, all of you.  Obviously none of you read otherwise all these stupid questions would be answered.

If you don't want feedback, don't ask for it.

 

And how can you not know what a gamertag is?

Neither do I.

 

How old are you?

He is 23. Says so on his profile. Besides, what does that have to do with anything?

 

Gamertag, Film, Email Address, Accept the price, and Accept the ToS.

 

Those fields must be filled in/checked for a submission to take place. If anyone manages to get it to submit without filling in one of those fields, please let me know.

It was pretty damn easy submitting the form without agreeing to your ToS, price acceptance, etc. Just remove the onsubmit attribute on the form.

gevans...I realize you were trying to be helpful but I wasn't asking for suggestions on the layout of my site.  I don't give a shit if you don't like that I use tables, I'm gonna keep doing it.

 

My views about the layout of your site were to do with SEO, which if you're not concerned about confuses me greatly. Why make a website if you don't want people to find it? Also I don't appreciate being sworn at as a response to 'beta testing' a site on your request, not direct request, but an open one.

 

I find tables to be more organized and divs to not be as compatible, so I use tables.

 

Tables are more organised, that's why they are meant to be used in organising structured content. If you find divs to be not as compatible it's due to your incompetence in the field.

 

Where do I have a list of links, in the navigation bar?  Why would I use ordered list or unordered list in the navigation bar, I don't want bullets or numbers up there and I don't care to write the css to get rid of them.  Oh and where is the inline styles?

 

Notice how the word list was in italic print, that was meant to convey that they're not in an actual list, but should be for best practice. Again having your navigation links in a list will improve your SEO, and if you "don't care to write the css" why do you even start making a website? CSS is a crucial part of the front end development of a website (if you want it to look vaguely inviting).

 

As far as inline styles go;

 

[pre]<td width="100%" height="100%" style="background:#FFFFFF;" align="center" valign="top">

<td style="color:#3c6696;padding-left:15px;"><b>Announcement:</b></td>

<td width="54" valign="top" style="background: url('/forum/templates/Xbox360/images/pattern_bkgd.gif');">[/pre]

There's a list of just 3 I could be assed to grab.

 

And yes, submit.php should be printing an array, it should be printing the submitted POST array from the form on capture.php.  And how can you not know what a gamertag is?  How old are you?  Whatever, use halo2freeek, that's my gamertag, it'll return a list with the item "rack on tours".

 

The submit.php link could have been a script issue, just wanted to let you know (BETA TEST)

 

I spend most of my life in front of a computer working. The short amount of time I do stop working, I try to avoid getting in front of another screen, have you ever heard of the outdoors? (no offense to gamers intended).

 

And thanks for the offer, but I won't be using your gametag. I only begrudgingly went back to your site to get some examples seen above, don't think I really care much now.

I think you should address these problems that they have shown you man. It will make your code cleaner and more user friendly. These guys know what they are doing. I have listened and have tried my best to fix what is wrong with my script. Thank you phpfreaks users. It's not good to complain about the input you're getting.  >:( I do agree that if you didn't want input you should not have posted it. I want all the input I can get on my script so maybe someday it will be one of the best out there.  ;D But it is a lot of work for one person lol.  ;D Making your script sound so that it is not easy to be hacked, because otherwise all you will be doing is burning your money. lol But thank you phpfreaks for all the help on my script.  ;D  ;)

I just wanted testers for the service only though, not the layout or the look of the page.  Bugs, etc.  If there's something I can do to make it so that the form can't be submitted (or is harder to submit) without filling in all the things, purely using Javascript as the first step, then please, let me know about that.  For now, I want to make it work.  Inline styles are fine for me, tables, etc.  That works, which is what I care about now.  When I'm done making it work, I'll make it pretty but I don't do that all at once.  I'd rather see raw output that works than a pretty page that doesn't.  I'm not refusing the help, I need the help, I just wasn't asking for help on the layout, I said that.

 

gevans, I'm sorry I blew up at you, it wasn't you, it was darkfreaks.  If there's one thing I hate it's when people say something sucks without giving ways they can fix it.  He started by saying my validation sucked and giving me links to php functions, I told him I was using javascript for this first layer of validation, he told me that I had poor programming concepts, I told him that I was going to use php, just not this step, next step, he said that I had to use php, I told him, angrily at this point, that I said I was going to use php I just was only using javascript for this first step.  Then he told me I needed to clean up my code, I told him it was the last thing I did.  Then you, gevans, posted telling me that I was stupid for using tables, that I needed to use list tags for my links (I'm still not sure if you even meant the navigation links, I don't know how I could use a list tag for that), and then again mentioned compliance, which I'd already stated was the last thing I ever did.

 

Maybe I'm not that good at this, I'm better at php anyway, I just need help making this more secure, not pretty.  If you guys can give me comments on how to make it work better, I can make it pretty later, it's not public yet (except this test, it is).  I don't know how one would go about removing the onsubmit attribute of a form and still submitting it.  Do they save the form to their computer and modify the code so that it submits to the actual url and not the relative page?  Seems like a lot of trouble for nothing since the next step, which will use php validation, will catch all those missing fields and just send them back to the actual form page and they'll have to start over.

If there's something I can do to make it so that the form can't be submitted (or is harder to submit) without filling in all the things, purely using Javascript as the first step, then please, let me know about that.

 

I'm afraid that is entirely impossible. The user will always have control over what is going on on his machine, which is why client-side validation can only serve as a convenience for the user, and not as actual validation because it is easily circumvented.

Then you, gevans, posted telling me that I was stupid for using tables, that I needed to use list tags for my links (I'm still not sure if you even meant the navigation links, I don't know how I could use a list tag for that), and then again mentioned compliance, which I'd already stated was the last thing I ever did.

 

Hey, man.

 

1. I never called you stupid. I said using tables was a no no.

 

2. Yes I did mean the navigation links. You don't have to do it, just a suggestion, a recommendation even. If you do want to do it you'll easily get help in the html/css forums

 

3. Yes I did mention compliance, but I did state that I was re-iterating that point, just as I believe it is important.

 

That's enough of that.

 

I've looked back at your site, used your gamertag, and it works pretty nice. I can't say there's much to comment on. If you don't want to hear about layout, html, compliance, server-side validation then all I can say is, yes it works like a form.

 

Now that we're on better terms, can you help me figure out some ways a person would be able to bypass this first, simple layer of protection that I've laid down?  I know it's only Javascript, but there has to be something more I can do to help.

can you help me figure out some ways a person would be able to bypass this first, simple layer of protection that I've laid down?

 

See attached screenshot. As I said, Javascript isn't protection, it's user convenience.

 

[attachment deleted by admin]

You need to validate your form in JavaScript and PHP, not one or the other. Like Daniel showed, you can easily go into a browser editor and change the form input values to whatever you wish and submit it without the JavaScript even validating it.

 

1.) I was not making fun of you or your programming ability

 

2.) You wanted advice on how to properly validate your form in JavaScript and PHP. You got nothing that you did not ask for. End of.

 

 

Ok, I understand now, daniel, I didn't know you could do that so simply since I don't use FF but I can see now.  Javascript is still a decent way of doing simple validation, it's very widely used I know that.  I was always planning on having php validation on the other end (submit.php) that would either tell the user they'd forgotten to enter something and send them back (which would be harder), or just print the entry fields for what they forgot to enter and make them enter it.  The latter will be easier since I have the javascript that hides and shows the div containing the rest of the form, I wouldn't know how to make that appear on page load...well, I suppose I could, I just think it'd be easier to simply reprint the whole form with the valid entries printed as text and the invalid entries printed as text boxes, forcing them to enter it before the script will continue.  That will all be done in php.

 

Does that sound like a decent plan?  Should I simply remove the javascript I have now, or should I leave it?  I'm partial to leaving it there, mostly because it took a long time to get everything to work together with the fading and highlighting and everything.
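Daniel's point that the browser-side checks can be skipped, and the submit.php plan in the post above, as an added example that is not the thread's own capture.php or submit.php code (the input names and the allowed gamertag shape are assumptions):

```php
<?php
// Added example, not the thread's own capture.php or submit.php: the PHP checks
// submit.php must run no matter what the browser-side JavaScript did. The input
// names (gamertag, film, email, quality, accept_price, accept_tos) are assumed.
declare(strict_types=1);

const ALLOWED_QUALITIES = ['480p', '720p'];

/** Returns field => message for every rule that failed; an empty array means valid. */
function validate_capture_submission(array $post): array
{
    $errors = [];
    // trim() so a field "filled in" with only spaces still counts as missing
    $str = fn(string $k): string => trim((string)($post[$k] ?? ''));

    if ($str('gamertag') === '') {
        $errors['gamertag'] = 'Gamertag is required.';
    } elseif (!preg_match('/^[A-Za-z0-9 ]{1,15}$/', $str('gamertag'))) {
        $errors['gamertag'] = 'Gamertag contains unexpected characters.'; // shape is assumed
    }
    if ($str('film') === '') {
        $errors['film'] = 'Please select a film.';
    }
    if (filter_var($str('email'), FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'A valid email address is required.';
    }
    // The price is derived from quality on the server, never read from the
    // request, so only the two known values are accepted here.
    if (!in_array($str('quality'), ALLOWED_QUALITIES, true)) {
        $errors['quality'] = 'Quality must be 480p or 720p.';
    }
    // An unchecked checkbox is simply absent from $_POST, so require the exact
    // value the form sends; anything else means the request was edited.
    foreach (['accept_price' => 'price', 'accept_tos' => 'ToS'] as $k => $label) {
        if (($post[$k] ?? null) !== '1') {
            $errors[$k] = "You must accept the $label.";
        }
    }
    return $errors;
}

/** Re-renders one field: a valid value as escaped text, an invalid one as an input. */
function render_field(string $name, array $post, array $errors): string
{
    // htmlspecialchars() is what stops a submitted value from becoming markup
    $value = htmlspecialchars((string)($post[$name] ?? ''), ENT_QUOTES, 'UTF-8');
    if (isset($errors[$name])) {
        $msg = htmlspecialchars($errors[$name], ENT_QUOTES, 'UTF-8');
        return "<input type=\"text\" name=\"$name\" value=\"$value\"> <span class=\"error\">$msg</span>";
    }
    return "$value<input type=\"hidden\" name=\"$name\" value=\"$value\">";
}

// Constructed sample: a POST sent with the onsubmit handler stripped, so the
// price checkbox is missing and the email is not an address.
$sample = ['gamertag' => 'halo2freeek', 'film' => 'rack on tours',
           'email' => 'not-an-address', 'quality' => '720p', 'accept_tos' => '1'];
$errors = validate_capture_submission($sample);   // keys: email, accept_price
foreach (['gamertag', 'email'] as $field) {
    echo render_field($field, $sample, $errors), "\n";
}
```

Because every rule lives in PHP, the JavaScript fading and highlighting can stay purely as a convenience; nothing is lost if a user disables or edits it.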

Well, you're doing things sort of the backwards way of what one would normally do. Normally you would start with the bare minimum (this means without CSS and Javascript) and make sure it works, you would then add on top of it.

 

http://en.wikipedia.org/wiki/Progressive_enhancement

http://en.wikipedia.org/wiki/Unobtrusive_JavaScript

I have years of development experience, too.

 

I'm not disputing that. I'm basically saying that the accumulated experience of multiple developers is often worth tapping into; instead of completely rejecting it and getting stroppy about it.

 

You said something about going back and adding another layer later on. Regardless of your experience level, that is just simply bad programming. You should have a policy in place from the beginning, validating data and so on etc. Lazy programming is just as bad as inexperienced programming.
