
I have made a few improvements to the site like a search box when you are logged in, and a way to sort the names when viewing them. The new changes can be downloaded here: http://foar.sitesled.com/addyonline.zip or viewed here www.lszanto.com/addyonline/ and the username is admin and password is now pass. Mods or admins please delete the old thread.

Enjoy.
https://forums.phpfreaks.com/topic/33284-address-database-20/

Just giving it a casual once-over, I have one suggestion: Don't make me pick how to sort them before you show me the addresses. Show me the list sorted normally, and then have links to change the sort method.

The rule of web design I'm invoking here: Fewer clicks is better.

[quote author=neylitalo link=topic=121451.msg499455#msg499455 date=1168225117]
Just giving it a casual once-over, I have one suggestion: Don't make me pick how to sort them before you show me the addresses. Show me the list sorted normally, and then have links to change the sort method.

The rule of web design I'm invoking here: Fewer clicks is better.
[/quote][quote author=Daniel0 link=topic=121451.msg500110#msg500110 date=1168296754]
You might want to generate the menu items depending on your user status/login status.
[/quote]

My first two thoughts exactly lol...

I like how you can change the style, but it's based on sessions so if you wanted to change the style and not have to do it every time it could get old fast... Maybe add a column in the admin table to store the style sheet?

[code=php:0]
$sql = "UPDATE data SET name='$name', email='$email', home='$home', mobile='$mobile', address='$address' WHERE name='$update'";
[/code]

Some people have very common names and this could become a problem.  I think that you should update based on the id field to avoid someone changing John Smith's info and another John Smith changing too.

Also, like I suggested in the other forum, I personally think that you should use $_POST instead of $_GET, but I can't think of any problems $_GET might make, so I guess that's just personal preference.

I can't really blame you for this one since it wouldn't make sense to add weird script to your own site, but I suggest you replace <'s and >'s with their respective &lt; and &gt; to avoid things like <script>alert("hi");</script> or just an accidental <> that would cause problems in the html.

Once again mainly one of my personal things, but I tend to avoid links like
[code=php:0]
die("New passwords did not match, please go <a href=\"javascript: history.go(-1);\" >back</a> and try again.");
[/code]
that rely on solely JS, and I try to use links like
[code=php:0]
die("New passwords did not match, please go <a href=\"{$_SERVER['HTTP_REFERER']}\" onClick=\"history.go(-1); return false;\">back</a> and try again.");
[/code]
That allows the link to work even if JS is not enabled, which is rare nowadays, but still a possibility.

That's about all I got for now :p.
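The post above makes two points about the UPDATE statement: it keys on the name rather than the id, and it interpolates form values straight into the SQL string. The following is an added example (not the Address Database code from the thread) showing an update keyed on an integer id with bound parameters, driven from $_POST instead of $_GET. It assumes a PDO connection and a table "data" with an integer primary key "id"; the column names come from the quoted query, the id column and the in-memory SQLite setup are assumptions for the demo.

```php
<?php
// Added example, not the thread author's code. Assumes a PDO handle and a
// table "data" with an integer primary key "id" (the thread only shows the
// other columns, so the id column is an assumption).
declare(strict_types=1);

function updateAddressById(PDO $db, int $id, array $fields): int
{
    // Only these columns may ever be written; anything else in $fields is ignored.
    $allowed = ['name', 'email', 'home', 'mobile', 'address'];
    $set = [];
    $params = [':id' => $id];
    foreach ($allowed as $col) {
        if (array_key_exists($col, $fields)) {
            $set[] = "$col = :$col";
            $params[":$col"] = $fields[$col];
        }
    }
    if ($set === []) {
        return 0; // nothing to change
    }
    // Values travel as bound parameters, never concatenated into the SQL,
    // and the WHERE clause keys on id so two "John Smith" rows stay distinct.
    $stmt = $db->prepare('UPDATE data SET ' . implode(', ', $set) . ' WHERE id = :id');
    $stmt->execute($params);
    return $stmt->rowCount();
}

// Demo on an in-memory SQLite database with constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE data (id INTEGER PRIMARY KEY, name TEXT, email TEXT, home TEXT, mobile TEXT, address TEXT)');
$db->exec("INSERT INTO data (name, email) VALUES ('John Smith', 'john1@example.com'), ('John Smith', 'john2@example.com')");

// Simulate the edit form arriving via POST (constructed input, including an
// injection attempt that a string-built query would have executed).
$_POST = ['id' => '2', 'email' => "x'; DROP TABLE data; --"];
$id = filter_var($_POST['id'] ?? '', FILTER_VALIDATE_INT);
if ($id === false) {
    exit("invalid id\n");
}
$changed = updateAddressById($db, $id, $_POST);
echo "rows changed: $changed\n"; // 1, not 2: only the second John Smith is touched
foreach ($db->query('SELECT id, email FROM data ORDER BY id') as $row) {
    echo "{$row['id']}: {$row['email']}\n";
}
```

The column whitelist matters as much as the binding: a prepared statement protects the values, but column names cannot be bound, so the code never lets a request decide which columns appear in the SET list.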

When you try to edit names, at least make it not case-sensitive.  It would be even better if you showed a list of names, and then I got to click on which one I wanted to edit.

I like the idea of listing the names regardless when you click view, and controlling the display later.
In general, I agree with what everyone said about logging out, admin interface, etc...

Just my opinion.
Steve

If you're doing this as a little project to help you learn php, then might I suggest an import/export feature?

This will give you an insight into parsing content, such as CSV files, maybe some regular expression work.  The export feature could include some XML work too :)

I use something similar to import the contacts that I export from my mobile phone.

Regards
Huggie

I had a quick look at the application, and here are my comments

The site is not shown correctly in IE... the logo image is repeated twice.
If you are going to let users log in and add their addresses, then you should filter HTML.
Validation for all fields should be done; for example, in the phone field you should accept only numbers.

That's all for now

Well, since I always read the forum I guess I should finally post something remotely helpful...

The site is on the right track but really... check your validation. It's a TOP concern before adding new functionality.
I got around the "<script>" check by not declaring the javascript and using an onMouseOver event handler (Check the ASDF link... inside the big fat table) instead...  ;D a not so friendly onLoad handler and your page goes kaput.

And well... I kinda feel guilty since the view address page is now really messed up with my table tampering  :P I even got marquees, forms and CSS in (after a few tries I remembered to use ":" instead of "=").

So htmlentities is your friend here and/or some alphanumeric REGEXP.

Looking forward for the next version!
Cheers.

Edit.

Lol, did a search for the word "now", two results popped up: "Unknown" and "now" (second one submitted by me... entry contains a "malicious" submit button). So, I clicked on "now" and it took me to the "now" profile page. My "ClickMe" malicious button of DooM was there, and upon clicking it, I stumbled onto a page which displayed "You should not be on this page."  :D
On further inspection, that happens when there is no GET argument passed to the search and profiles pages. Consider redirecting them to the default search and directory listing views instead.

Edit nº2.

Incidentally I now found out that while playing with the "Back" button on my browser I re-posted some fields... that should NOT happen... I realised that you are passing every single form argument through GET to the addadress.php page... why? POST is already there, why pass the arguments through GET?? It only adds more complexity and potential security holes.
It also allows skipping any direct on-the-fly JavaScript validation of the form fields, since a user could simply populate the browser address bar with malicious code.
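Two posts above raise the same issue from different angles: one asks for HTML filtering and numeric-only phone fields, the other reports getting past a "<script>" check with an onMouseOver handler and recommends htmlentities and an alphanumeric regexp. The following is an added example, not code from the thread, that puts both side by side: a blacklist of the kind the post describes, the event-handler payload it misses, and the htmlspecialchars output encoding plus whitelist validation that close the hole. The naiveFilter function and the sample submissions are constructed for the demo; nothing here is taken from addyonline.zip.

```php
<?php
// Added example, not the thread author's code. The blacklist below stands in
// for the "<script>" check the post describes; the exact check in the
// application is not shown in the thread, so this is an assumption.
declare(strict_types=1);

// Blacklist filter: strips the literal tag and nothing else.
function naiveFilter(string $s): string
{
    return str_ireplace(['<script>', '</script>'], '', $s);
}

// Context-correct output encoding for HTML text and attribute values.
// Quotes are encoded too, so a value cannot break out of an attribute.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Whitelist validation per field, applied before anything reaches the DB.
function validPhone(string $s): bool
{
    return (bool) preg_match('/^\+?[0-9]{6,15}$/', $s);
}

function validName(string $s): bool
{
    // Letters in any script, spaces, dots, apostrophes and hyphens only.
    return (bool) preg_match('/^[\p{L} .\'-]{1,60}$/u', $s);
}

// Constructed submissions, as a user typing into the "add address" form.
$attrPayload = '<a href="#" onmouseover="alert(1)">ASDF</a>';
$tagPayload  = '<script>alert("hi")</script>';

// The blacklist leaves the event-handler payload completely intact ...
echo naiveFilter($attrPayload), "\n";
// ... and only strips the tag it was told about.
echo naiveFilter($tagPayload), "\n";

// Encoding on output renders both as harmless text inside the page.
echo '<td>' . esc($attrPayload) . "</td>\n";
echo '<td>' . esc($tagPayload) . "</td>\n";

// Whitelist validation rejects the payloads as field values outright.
var_dump(validPhone('0412345678'));   // true
var_dump(validPhone('0412 345 678')); // false: strip spaces first if you want to accept them
var_dump(validName('John Smith'));     // true
var_dump(validName($attrPayload));     // false
```

Validate on input and encode on output; neither replaces the other. The regexes decide what a name or phone number may contain, while esc() guarantees that whatever did get stored (free-text fields such as address) is displayed as data rather than interpreted as markup.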
