12 replies to this topic

[KingA]

I would like to receive some feedback from you guys, but unlike other people i don't have a DNS and would like keep my address hidden + I haven't implemented a javascript function yet to restrict the comment size and some other vulnerabilities

My source code is also published on SourceForge and I've included a README.pdf file for people to see the infrastructure of my page. Btw i forgot to give a legend on how to interpret the pdf: Blue circles and Black lines - Visible to anyone, Red Circles and gray lines - only to admin, Circles with no outline: frontend, Circles with outline: backend.

I would like to receive feedback from these points of view:

- web-site organization
- my PHP scripts organization
- scalability of the system
- security
- functionality
- some feedback on my design is not necessary but feel free to comment...I'm not a web designer, i actually ###### at designing web pages.

The website hasn't got much content. This is a small web-site... it only has 19KBs of code in 10 files (images not included)

If you are really bored (or kind or both), PM me and I will send you my sourceforge project link and my website link.

I'm mentioning that I just started learning PHP and javascript and css in the middle of September (2 months ago), so I'm not actually very experienced.

Edited by KingA, 20 November 2010 - 04:26 PM.

[thescientist]

maybe just a live link when its done would be appropriate?

[boen_robot]

Why the secrecy? Either give an actual link along with the "spec", or give the source code pieces you're having doubhts about, and we'll see how we can improve them.

That or... hmm... you know what... I think for a (hopefully small) fee, vchris will review everything you have, giving you detailed diagnostics on it... well... he once had this idea at least.

I once read something in an installment of BOFH: Security is a journey, not a destination.

So... help us get on the journey, don't try to teleport us to your destination.

[KingA]

Well ok...If you don't feel comfortable like this .

http://89.115.144.183/blogger/

https://sourceforge....ects/kingablog/







BTW: RICK ROLL'D

Edited by KingA, 20 November 2010 - 04:50 PM.

[boen_robot]

Few things...

1. On SourceForge's "files" section, you're supposed to put different releases or modules for your applications in downloadable forms. In other words - you should put the whole thing into an archive file. You should not make your users (us included) download all required files separately.
2. To make the source codes viewable on site, as well as enable yourself to jump between different states of the code, use the SVN services. This may be a lot to handle now, so don't feel obligated to do it for now. Just keep it in mind.
3. Your comments posting script is waaay too restrictive. There's no way for me to write an angle bracket. What if I wanted to say "<3"? See? I can't show you love even. Escaping HTML special characters is a good idea, but not eliminating them.
4. Not only are you not letting me post a second comment (I guess that's acceptable to avoid double posting, as long as there's a way to post again when someone else has posted after me), but you're not letting me modify my name AND you're still outputting the new post form. I wouldn't want to bother (re?)typing something only to find out I can't post it. Directing my attention directly to the "You can't post, modify instead" message is probably a better idea.

[KingA]

what's the function that converts escape characters into their codes (like in your case > to &lt; )

I tried using SVN and GIT but they are too much for me (i don't really get it on how to use them, although i'm very familiar to Git)

Edited by KingA, 20 November 2010 - 06:02 PM.

[boen_robot]

htmlspecialchars()

[KingA]

Ok... in what order should i use strip_tags and htmlspecialchars so no1 can use html tags but still be able to input < or >.

I have a feeling if I use htmlspecialchars, an input like "<img src=... >" would be converted to "&lt;img src=..." in the plain text that i have stored in db. I want all < > html tags to be stripped but the < > characters to stay, like this "<strong>text</strong>" would be "text" and "<3 3 is > 5" should be "&lt;3 3 is &gt; 5" in my database.

I uploaded the whole .rar archive

Edited by KingA, 20 November 2010 - 06:14 PM.

[boen_robot]

Why?

There's no problem in displaying full HTML as plain text. Look at your very post as an example. If the forum wasn't secure, it would've made your text strong. Instead, it just displays the "<" and ">" as plain texts.

Just scrap the strip_tags() function, and use htmlspecialchars() instead.

I've downloaded the archive, and on first sight, I noticed one very important detail - you're constantly reconnecting to the database and selecting it, writing it in every file... consider placing the DB data in a separate file, which you then include everywhere else. Also, you're casting several queries when displaying posts - one for each column. Consider conbining all of those in one query call.

[KingA]

boen_robot, on Nov 20 2010, 09:18 PM, said:

Why?

There's no problem in displaying full HTML as plain text. Look at your very post as an example. If the forum wasn't secure, it would've made your text strong. Instead, it just displays the "<" and ">" as plain texts.

Just scrap the strip_tags() function, and use htmlspecialchars() instead.

I've downloaded the archive, and on first sight, I noticed one very important detail - you're constantly reconnecting to the database and selecting it, writing it in every file... consider placing the DB data in a separate file, which you then include everywhere else. Also, you're casting several queries when displaying posts - one for each column. Consider conbining all of those in one query call.

I would've considered using mysql_fetch_assoc if i would know how to jump on the next row (using mysql_result is easy)

[boen_robot]

Every next mysql_fetch_assoc() moves to the next row. See the manual:

manual said:

Returns an associative array that corresponds to the fetched row and moves the internal data pointer ahead.

[KingA]

internal data pointer.... I KNEW it.... i just never tested it... all my code is written with mysql_result omg -.- there's so much stuff to change/update... idk if i have the patience to do it right now.

But every project i make will go to my portfolio and I have to change this if I want to get in front of others at a job position.

[KingA]

So can any1 inspect my code? is it good? I know it works, but i wan't to know if its efficient and well organized. That's what I want to hear

Ok, i know it's not exactly well organized, so I could use some advice.

I've updated the archive. I've replaced all mysql_result functions with mysql_fetch_assoc (well not every function) and i've added a 2000 post size limit.

Edited by KingA, 22 November 2010 - 11:33 PM.