jcombs_31 Posted September 4, 2006 Share Posted September 4, 2006 I have some more things to do, but most of this site is done for the citrus/landscape/racing site.http://www.a1acitrus-racing.com/new/index.phpWhat do you think...? Quote Link to comment Share on other sites More sharing options...
AndyB Posted September 4, 2006 Share Posted September 4, 2006 It's excellent. Three tiny things - the mouseOver color on the side menu links are a little light. Although I'm sure they exactly match a colour used elsewhere ...A link to 'top of page' might be worthwhile on the longer pages.And the other is a personal piece of weirdness. On the Citrus and 3D Landscape pages, the side menu ends with a sort of 'quote' graphic with a large point end that's directing me away from the content. Visually, it might be better to make it point back at the page content. Quote Link to comment Share on other sites More sharing options...
bob_the _builder Posted September 4, 2006 Share Posted September 4, 2006 Hi,Just 1 thing ... your contact form, it clears the form when submited with missing fields, you should echo the post data in the fields so they dont have to retype the data if they miss a field out.Nice job! Quote Link to comment Share on other sites More sharing options...
steviewdr Posted September 4, 2006 Share Posted September 4, 2006 Looks very well.1 thing however, your Citrus page - There is a PERFECT crisp image of a citrus in the top image on the left. This is a perfect quality image.When comparing the quality of this image to that on the index page - of the orange, the orange isn't of similar quality. I think you need a better orange image for the index page for the top image.It is VERY sweet apart from that - a HUGE improvement on their current website ,-)Oh - http://www.a1acitrus-racing.com/new/landscape.php?id='858http://www.a1acitrus-racing.com/new/citrus.php?id='14Be careful!!-steve Quote Link to comment Share on other sites More sharing options...
448191 Posted September 4, 2006 Share Posted September 4, 2006 [quote author=steviewdr link=topic=106792.msg427619#msg427619 date=1157361257]Oh - http://www.a1acitrus-racing.com/new/landscape.php?id='858http://www.a1acitrus-racing.com/new/citrus.php?id='14Be careful!![/quote]I think he's already using mysql_real_escape_string, so above examples will never produce anything usefull for a hacker.I tried a little hacking of my own, and although I'm not an expert by any standard, I did find that there is some small room for exploitation.http://www.a1acitrus-racing.com/new/landscape.php?id=1%20or%201=1Gives me all items. I know that's not very scary. ;DAnything with quotes failed, but I was able to probe for the table name.http://www.a1acitrus-racing.com/new/citrus.php?id=14%20OR%20citrus_prod.id%20IS%20NOT%20NULL[quote]Could not run query: Unknown table 'citrus_prod' in where clause[/quote]I didn't find it though..When trying to get table names, I did get some of the MySQL connection (user/host) information:http://www.a1acitrus-racing.com/new/citrus.php?id=14%20UNION%20SELECT%20TOP%20TABLE_NAME%20FROM%20INFORMATION_SCHEMA.TABLES[quote]Could not run query: SELECT command denied to user: 'jcombs31@linhost114.mesa1.secureserver.net' for table 'TABLES'[/quote]Any subqueries I tried all failed.All of this isn't very concerning, but I would still recommend you validate the string in $_GET['id'] to be numeric. That will eliminate any room for exploitation there might be.Edit: Just a question, did you secure your contact form against email header injection? I would've tried it out, but didn't want to bother your client with obnoxious emails... Quote Link to comment Share on other sites More sharing options...
jcombs_31 Posted September 4, 2006 Author Share Posted September 4, 2006 [quote author=448191 link=topic=106792.msg427657#msg427657 date=1157367972][quote author=steviewdr link=topic=106792.msg427619#msg427619 date=1157361257]Oh - http://www.a1acitrus-racing.com/new/landscape.php?id='858http://www.a1acitrus-racing.com/new/citrus.php?id='14Be careful!![/quote]I think he's already using mysql_real_escape_string, so above examples will never produce anything usefull for a hacker.I tried a little hacking of my own, and although I'm not an expert by any standard, I did find that there is some small room for exploitation.http://www.a1acitrus-racing.com/new/landscape.php?id=1%20or%201=1Gives me all items. I know that's not very scary. ;DAnything with quotes failed, but I was able to probe for the table name.http://www.a1acitrus-racing.com/new/citrus.php?id=14%20OR%20citrus_prod.id%20IS%20NOT%20NULL[quote]Could not run query: Unknown table 'citrus_prod' in where clause[/quote]I didn't find it though..When trying to get table names, I did get some of the MySQL connection (user/host) information:http://www.a1acitrus-racing.com/new/citrus.php?id=14%20UNION%20SELECT%20TOP%20TABLE_NAME%20FROM%20INFORMATION_SCHEMA.TABLES[quote]Could not run query: SELECT command denied to user: 'jcombs31@linhost114.mesa1.secureserver.net' for table 'TABLES'[/quote]Any subqueries I tried all failed.All of this isn't very concerning, but I would still recommend you validate the string in $_GET['id'] to be numeric. That will eliminate any room for exploitation there might be.Edit: Just a question, did you secure your contact form against email header injection? I would've tried it out, but didn't want to bother your client with obnoxious emails...[/quote]Thanks for the feedback. How would you suggest securing the email for against header injection?[quote author=bob_the _builder link=topic=106792.msg427558#msg427558 date=1157348610]Hi,Just 1 thing ... your contact form, it clears the form when submited with missing fields, you should echo the post data in the fields so they dont have to retype the data if they miss a field out.Nice job![/quote]I know, didn't finish the contact form yet, just wanted design critiques mostly, but I'll finish that up today probably. [quote author=AndyB link=topic=106792.msg427471#msg427471 date=1157333854]It's excellent. Three tiny things - the mouseOver color on the side menu links are a little light. Although I'm sure they exactly match a colour used elsewhere ...A link to 'top of page' might be worthwhile on the longer pages.And the other is a personal piece of weirdness. On the Citrus and 3D Landscape pages, the side menu ends with a sort of 'quote' graphic with a large point end that's directing me away from the content. Visually, it might be better to make it point back at the page content.[/quote]Thanks Andy, nice subtle point about the pointer. Quote Link to comment Share on other sites More sharing options...
448191 Posted September 4, 2006 Share Posted September 4, 2006 [quote author=jcombs_31 link=topic=106792.msg427762#msg427762 date=1157381588]Thanks for the feedback. How would you suggest securing the email for against header injection?[/quote]Validate. All fields other than the body cannot contain "\r", "\n", "%0D" or "%0D". I don't believe there is a way to inject malicous MIME stuff into the body if the other fields are secure, since php mail() already created the top-level part of the email. Make sure you disable multiparts by including a "Content-Type: text/plain;" header. I could be wrong, so maybe you should check for 'Content-Type' in the body. Make sure there is no HTML or javascript in there, to be sure. Quote Link to comment Share on other sites More sharing options...
jcombs_31 Posted September 5, 2006 Author Share Posted September 5, 2006 Yea, I was reading more about it, believe it or not, i have not really been that careful with email forms before, but will update my class for more protection. BTW, I never send it to the client email while in testing, so feel free to abuse it if you wish. Quote Link to comment Share on other sites More sharing options...
jcombs_31 Posted September 6, 2006 Author Share Posted September 6, 2006 I think I fixed any problems you guys mentioned, with the exception of the item andy mentioned below the sub-menus. (I"m a little lazy for that now). Any final comments? Just a couple small things I have to finish, such as the slideshow on the racing pages, and a small CMS for them to update inventory. Quote Link to comment Share on other sites More sharing options...
steviewdr Posted September 7, 2006 Share Posted September 7, 2006 Just a few things:The graphic saying "Delivery Available" - I think you should make it a link to a "Delivery" section with info on the rates etc. IMO.For the Racing - and Car specifications - I would prefer to see a graphic of a racing car, rather than the driver again.Thats about it. Looking forward to see the image gallery.-steve Quote Link to comment Share on other sites More sharing options...
jcombs_31 Posted September 7, 2006 Author Share Posted September 7, 2006 Stevie, they want everyone to call for rates for the most part because it will vary. I somewhat agree about the specs page, but the car image would not stretch like the image of him, but I'll maybe try it out and see how it looks. I don't think the image gallery will be anything special, I'm going to try to piece it together from my own image gallery that i created. Quote Link to comment Share on other sites More sharing options...
steviewdr Posted September 8, 2006 Share Posted September 8, 2006 The image gallery ->You need to specify a size for the main Div for the photo. It works PERFECT when the images are cached by my browser. BUT going through the image gallery for the first time (delete your temp internet files and see) the image page jumps up and down when loading the image.Your image gallery link on http://www.a1acitrus-racing.com/new/racing.php?id=kids is broken.Coming along nicely.-steve Quote Link to comment Share on other sites More sharing options...
dk4210 Posted September 8, 2006 Share Posted September 8, 2006 I think that you site has a very clean layout. Is this a CMS?Thanks, Dan Quote Link to comment Share on other sites More sharing options...
jcombs_31 Posted September 8, 2006 Author Share Posted September 8, 2006 [quote author=dk4210 link=topic=106792.msg430603#msg430603 date=1157726805]I think that you site has a very clean layout. Is this a CMS?Thanks, Dan[/quote]no Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.