PHP forum with source code attached


Okay, for an Open Source assignment required by one of my lecturers, I'm expected to communicate with an online community in a Socially acceptable manner about my Open Source assignment. As previously specified, it's a PHP forum, and yes I'm aware that this is, in a way, a lot like reinventing the wheel, but when you create something from scratch using source code, you can take such projects in many different directions. Also, with this project I thought it would be useful as a template to other designers who want to use a fully flexible forum that they themselves can edit as they see fit. The problem with a lot of already predesigned templates is that they don't offer access to the forum source code, and as such you are limited only by what the providers of the forum give you. So my aim is to get some constructive criticism for how to improve the forum and to get others interested in the idea. Word of warning: This project is incomplete. It is a small basic design, without pretty colours. Due to time constraints, my lecturer advised against creating more features that would distract me from the aim of learning to communicate amongst other Open Source designers.

 

So here it is:

http://quicksilver.110mb.com/Open_Source.doc - the Documentation

http://quicksilver.110mb.com/forum/upload.zip - All the forum files

http://quicksilver.110mb.com/forum/forum.php - The official forum uploaded to my server.


Here comes a lot of constructive criticism ;p.

 

JS injection is possible as shown in http://quicksilver.110mb.com/forum/showtopic.php?topicid=30.

 

HTML injection is possible as shown in that thread as well.

 

New Cheese

It\'s not there anymore, don\'t worry :) This is an EDIT from New Cheese, just verifying that the edit function works for members, not just admins.

 

This post has been edited by c, on Jun 03, 2007 09:44:4

______________________

I registered the name c, and I'm not an admin, so why does it say I edited it?

 

Oh shit..... This definitely isn't right:

 

Username  Post  Tasks

Quicksilver

I don't know where this post is, but it has now been hackzor'd by Corbin. ;p

 

This post has been edited by c, on Jun 22, 2007 12:42:3

______________________

This is a signature :)

 

I went to edit my own post and changed the url.... http://quicksilver.110mb.com/forum/editpost.php?postid=<my post id>&content=<my content> became http://quicksilver.110mb.com/forum/editpost.php?postid=1&content=

 

(you can see the result on http://quicksilver.110mb.com/forum/showtopic.php?topicid=1 )  I would've changed it back to what you posted, but I wasn't sure what it said >.<.

 

With the edit urls, why pass the content?  Why not just pull the content from the DB....

Oh, and you probably want to test the owner of the post instead of letting anyone edit posts and only showing the edit buttons for your own posts.

 

Umm this is mainly a personal preference, but it could be held by a lot of people:  Do you not have a logout button?  Shouldn't the category listing page be index.php?  Shouldn't the login page say something when you're already logged in, instead of letting you relogin?

 

Judging from your post, you're aware of it, but just in case, your polls give you a 404 error.

 

Also, why use radiobutton x as the value?  Why not just make them numeric, and then you can just do is_numeric to make sure they're valid (and make sure the selected value exists for the poll).

 

When you make a new post on a thread, it makes a new thread if it doesn't exist.... This isn't a problem technically, but http://quicksilver.110mb.com/forum/showtopic.php?topicid=X can be changed.... I could make it the highest value in your SQL table (int 10 or something like that) effectively jamming your board if you're using an auto incrementing primary key (like you should be).

 

And my last thing, you're getting random mysql errors EVERYWHERE!  The first post on some threads is weird.  The first post showing on the forum sub select thing when it lists all the threads is on crack sometimes.

 

Can I ask why you're using mysql_result (http://php.net/mysql_result)?  If you're using it for just one row results, then I would just use mysql_fetch_[assoc|array|row].  If you're looping through results and using mysql_result then that's bad...  Use while($r = mysql_fetch_[assoc|array|row]($query)).

 

If you've got any questions, just ask them ;p.
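
The fixes suggested in the reply above (check the post's owner on the server, validate the id, take the content from the form body rather than the URL, escape on output), as an added example that is not part of the thread or the forum's uploaded source. It uses PDO with an in-memory SQLite database so it runs offline, in place of the `mysql_*` calls the forum uses; the `posts` table, its columns, and the `editPost`/`renderPost` helpers are hypothetical.

```php
<?php
// Added example. Table, column and function names are assumptions,
// not taken from the uploaded forum files.
$db = new PDO('sqlite::memory:'); // stand-in for the forum's MySQL database
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, author_id INTEGER, content TEXT)');
$db->exec("INSERT INTO posts VALUES (1, 10, 'Welcome'), (2, 20, 'Hi')"); // constructed rows

// Update a post only if the logged-in user owns it or is an admin.
// $userId and $isAdmin must come from the server-side session; $postId and
// $content would come from $_POST, so nothing about the edit lives in the URL.
function editPost(PDO $db, int $userId, bool $isAdmin, $postId, $content): string
{
    // Reject anything that is not a plain positive integer string.
    if (!is_scalar($postId) || !ctype_digit((string)$postId)) {
        return 'bad post id';
    }
    if (!is_string($content) || trim($content) === '') {
        return 'bad content';
    }
    $stmt = $db->prepare('SELECT author_id FROM posts WHERE id = ?');
    $stmt->execute([(int)$postId]);
    $owner = $stmt->fetchColumn();
    if ($owner === false) {
        return 'no such post'; // an edit never creates a row
    }
    // Hiding the edit button is not enough: enforce ownership here.
    if (!$isAdmin && (int)$owner !== $userId) {
        return 'forbidden';
    }
    $upd = $db->prepare('UPDATE posts SET content = ? WHERE id = ?');
    $upd->execute([$content, (int)$postId]);
    return 'ok';
}

// Escape when rendering, so stored markup is shown as text instead of run.
function renderPost(PDO $db, int $postId): string
{
    $stmt = $db->prepare('SELECT content FROM posts WHERE id = ?');
    $stmt->execute([$postId]);
    return htmlspecialchars((string)$stmt->fetchColumn(), ENT_QUOTES, 'UTF-8');
}

// User 20 submits an edit for post 1 (owned by user 10), then for their own post 2.
echo editPost($db, 20, false, '1', 'changed'), "\n";
echo editPost($db, 20, false, '2', '<b>bold</b>'), "\n";
echo renderPost($db, 1), "\n";
echo renderPost($db, 2), "\n";
```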
