
Site's up, may still be some minor bugs...


thewooleymammoth


Yes, it is clear. To you. But since you designed the site, then it really isn't something you can tell after a while. Well, in review: The design is thirty-second CSS and hideous, the GETYOURLINKON capitalization is freakishly annoying, it uses tables, and the front-page text is a hideous blob of clueless rambling with no clear purpose and no explanation of something basic like the point of the site.


I only used Notepad to create this site, and I still think it's fairly obvious what this site does, just as obvious as YouTube or 4chan... and I agree about the front page of the site being pointless and such, but that was written just to be an index page on the first day I started creating the site. I still have much cosmetic work to do on the site, I know (waiting for Photoshop to download). I was really more concerned about what people thought of the system, and how things worked in the site. But I guess all that matters is that I have tables? And the "front page" (home or index) is annoying.


Try not to use GETYOURLINKON.NET too much, it makes the text harder and longer to read... you can just use "we" or something.

 

Btw, this is the critique forum; for more system testing, try the BETA testing forum. I had a quick look though and security seems alright! But I'm not an expert with the SQL injections and that. All seems to run smooth enough. Not keen on the confirmed-registration messages and that on a separate page though; seems to take too long. Best having them just appear on the homepage or the appropriate page or something.

 

adam


K, thanks, that's the kind of stuff I was looking for. I have had people test for security, and I know my site isn't done yet, but I think I'm almost done (besides bugs and maybe a few features) with the overall system of how things work; I just wanted to know what other people think. Leave my cosmetics alone. And I changed the index page just for you guys!


Ew, the amount of SQL injection vulnerability is outrageous. If I wanted to I could delete your whole database. And depending on the version of MySQL that you are running, I might even be able to arbitrarily delete/install/run any file on your computer in any drive I wish.

 

Bad.

 

Also, your Google AdSense account will probably be shut down soon for your blatant terms of service violation. Google is not lenient.

 

In any case, your website is all around ugly, no offense, but it could use some colors or something.

And putting the name of your website IN ALL CAPS EVERY SINGLE TIME YOU MENTION IT (WHICH IS ON EVERY PAGE) IS ANNOYING BECAUSE IT MAKES IT SEEM LIKE YOU ARE SHOUTING OR SOMETHING.

 

Again, no offense, you just asked for an honest critique so I gave one.


Err... its content is about as obvious as the content of McDonald's Mystery Meat. And as long as you are referencing YouTube, you might get a clue about what aesthetic design is. And the problem isn't just the tables, it is the fact that there is a total lack of any intelligent design displayed on the site.


It's worse now. You have some random cheesy graphic effects, no flow, and some pretty ugly graphics at that. There's no clear theme to the site whatsoever. Chains on the side, sparkles in the subtitle, glowing blue crossthatched something-or-others behind the initials... it just gets worse.


Really? What code did you use to inject?


Okay. If you're using the standard mysql library, then putting mysql_real_escape_string() around all of the input should sanitize pretty well unless you are using a very weird character set.

So basically everywhere in your code that you use a $_GET or $_POST or $_SERVER you should surround that like so: mysql_real_escape_string($_POST['variable']) instead of just $_POST['variable'].

Whatever code you are using against XSS (I'm guessing it's strip_tags?), apply that to the data AFTER it is retrieved from the database and about to be displayed, not before putting it into the database. mysqli_real_escape_string is for putting things INTO the database.

Also it would probably be better if you just encoded the input as XSS protection instead of deleting all tags. That way if someone has a legit reason to post something with a <> in it, it will display properly.

To do this just replace the strip_tags with htmlspecialchars.

If you are using the mysqli library then instead of mysql_real_escape_string use mysqli_real_escape_string and put the mysqli database link as the first parameter (e.g. mysqli_real_escape_string($mysqli, $_POST['variable'])).

This should make it pretty secure as long as you aren't using a very weird encoding that is exploitable. If you're using something like UTF-8 or ISO-something then you should be fine.

So basically, all input should have mysql_real_escape_string before going into the database, and htmlspecialchars when coming out of the database.

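An added worked example, not code from the thread or from the site under review: it runs through the advice above (escape values going INTO the database, HTML-encode them on the way OUT), which also covers the later reply that only pages handling user data need it, and it shows two things the advice leaves out: escaping only protects a value that sits inside quotes, and prepared statements avoid the quoting problem altogether. It uses an in-memory SQLite database through PDO so it runs without a MySQL server (assumed: the pdo_sqlite extension is installed); PDO::quote() with its outer quotes stripped stands in for mysql_real_escape_string(), and the table rows and "user input" strings are constructed for the demo. Note also that the old mysql_* extension the thread refers to was removed in PHP 7.0, so mysqli or PDO is what you would use today.

```php
<?php
// Added example, not code from the site under review. Walks through the
// thread's advice (escape on the way INTO the database, HTML-encode on the
// way OUT) and shows why prepared statements are the stronger fix.
// Assumption: the pdo_sqlite extension is available. The table, rows and
// "user input" values below are constructed for the demonstration.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE links (id INTEGER PRIMARY KEY, title TEXT)');
$pdo->exec("INSERT INTO links (title) VALUES ('first link'), ('second link')");

// Stand-in for mysql_real_escape_string(): escapes the quotes inside the
// value but, like the real function, does NOT add surrounding quotes.
// PDO::quote() adds them, so the outer pair is stripped off again.
function escapeLikeMysql(PDO $pdo, string $value): string
{
    return substr($pdo->quote($value), 1, -1);
}

// Runs a query built from a string and reports how many rows it matched.
function countMatches(PDO $pdo, string $sql): int
{
    return count($pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN));
}

// Constructed attacker input aimed at a quoted string column.
$title = "x' OR '1'='1";

// 1. Vulnerable: the raw value is interpolated straight into the SQL, so the
//    attacker's quote closes the string and the OR clause matches every row.
echo "unescaped string: ",
    countMatches($pdo, "SELECT title FROM links WHERE title = '$title'"), " rows\n";

// 2. Escaped, as the thread recommends: the quote inside the value is
//    escaped, the value stays a plain string, and no row has that title.
$safeTitle = escapeLikeMysql($pdo, $title);
echo "escaped string:   ",
    countMatches($pdo, "SELECT title FROM links WHERE title = '$safeTitle'"), " rows\n";

// 3. Caveat the thread leaves out: escaping only protects a value that sits
//    inside quotes. Against an unquoted numeric column the payload contains
//    nothing to escape, so it passes through unchanged and still injects.
$id = "1 OR 1=1";
$safeId = escapeLikeMysql($pdo, $id);
echo "escaped number:   ",
    countMatches($pdo, "SELECT title FROM links WHERE id = $safeId"), " rows\n";

// 4. Prepared statements: the value travels separately from the SQL text and
//    can never change the query's structure, whether the column is quoted or
//    numeric. Both payloads are treated as literal strings to compare against.
$stmt = $pdo->prepare('SELECT title FROM links WHERE title = ?');
$stmt->execute([$title]);
echo "prepared string:  ", count($stmt->fetchAll(PDO::FETCH_COLUMN)), " rows\n";

$stmt = $pdo->prepare('SELECT title FROM links WHERE id = ?');
$stmt->execute([$id]);
echo "prepared number:  ", count($stmt->fetchAll(PDO::FETCH_COLUMN)), " rows\n";

// 5. Output side: markup is stored exactly as submitted (the prepared
//    statement has no problem with it) and is encoded only when displayed,
//    so a legitimate "<" still shows up but cannot become a tag.
$stmt = $pdo->prepare('INSERT INTO links (title) VALUES (?)');
$stmt->execute(['<script>alert(1)</script>']);
$stored = $pdo->query('SELECT title FROM links WHERE id = 3')->fetchColumn();
echo "stored as-is:     ", $stored, "\n";
echo "rendered safely:  ", htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "\n";
```

Run it with `php example.php`. Sections 1 to 4 print how many rows each query matched, which makes the difference between "escaped inside quotes", "escaped but unquoted" and "prepared" visible at a glance; section 5 prints the stored title next to its encoded form. On a real MySQL site the escaping call in section 2 would be mysqli_real_escape_string($link, $value), and the prepared statements in section 4 work the same way with mysqli or PDO MySQL.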

Alright, next time I get some time to work on my site I'll include that. I only need to include that on pages that connect to MySQL, don't I?


This only needs to be done for places where users input data that goes into the database.

And for data being displayed from the database that was created by users.

So yes, only pages that use the database.

