Jump to content
Sign in to follow this  
Utherr12

Evaluate my blog

Recommended Posts

I would like to receive some feedback from you guys, but unlike other people i don't have a DNS and would like keep my address hidden + I haven't implemented a javascript function yet to restrict the comment size and some other vulnerabilitiesMy source code is also published on SourceForge and I've included a README.pdf file for people to see the infrastructure of my page. Btw i forgot to give a legend on how to interpret the pdf: Blue circles and Black lines - Visible to anyone, Red Circles and gray lines - only to admin, Circles with no outline: frontend, Circles with outline: backend.I would like to receive feedback from these points of view:- web-site organization- my PHP scripts organization- scalability of the system- security- functionality- some feedback on my design is not necessary but feel free to comment...I'm not a web designer, i actually ###### at designing web pages.The website hasn't got much content. This is a small web-site... it only has 19KBs of code in 10 files (images not included)If you are really bored (or kind or both), PM me and I will send you my sourceforge project link and my website link.I'm mentioning that I just started learning PHP and javascript and css in the middle of September (2 months ago), so I'm not actually very experienced.

Edited by KingA

Share this post


Link to post
Share on other sites

maybe just a live link when its done would be appropriate?

Share this post


Link to post
Share on other sites

Why the secrecy? Either give an actual link along with the "spec", or give the source code pieces you're having doubhts about, and we'll see how we can improve them.That or... hmm... you know what... I think for a (hopefully small) fee, vchris will review everything you have, giving you detailed diagnostics on it... well... he once had this idea at least.I once read something in an installment of BOFH: Security is a journey, not a destination.So... help us get on the journey, don't try to teleport us to your destination.

Share this post


Link to post
Share on other sites

Few things...1. On SourceForge's "files" section, you're supposed to put different releases or modules for your applications in downloadable forms. In other words - you should put the whole thing into an archive file. You should not make your users (us included) download all required files separately.2. To make the source codes viewable on site, as well as enable yourself to jump between different states of the code, use the SVN services. This may be a lot to handle now, so don't feel obligated to do it for now. Just keep it in mind.3. Your comments posting script is waaay too restrictive. There's no way for me to write an angle bracket. What if I wanted to say "<3"? See? I can't show you love even. Escaping HTML special characters is a good idea, but not eliminating them.4. Not only are you not letting me post a second comment (I guess that's acceptable to avoid double posting, as long as there's a way to post again when someone else has posted after me), but you're not letting me modify my name AND you're still outputting the new post form. I wouldn't want to bother (re?)typing something only to find out I can't post it. Directing my attention directly to the "You can't post, modify instead" message is probably a better idea.

Share this post


Link to post
Share on other sites

what's the function that converts escape characters into their codes (like in your case > to < )I tried using SVN and GIT but they are too much for me (i don't really get it on how to use them, although i'm very familiar to Git)

Edited by KingA

Share this post


Link to post
Share on other sites

Ok... in what order should i use strip_tags and htmlspecialchars so no1 can use html tags but still be able to input < or >.I have a feeling if I use htmlspecialchars, an input like "<img src=... >" would be converted to "<img src=..." in the plain text that i have stored in db. I want all < > html tags to be stripped but the < > characters to stay, like this "<strong>text</strong>" would be "text" and "<3 3 is > 5" should be "<3 3 is > 5" in my database.I uploaded the whole .rar archive

Edited by KingA

Share this post


Link to post
Share on other sites

Why?There's no problem in displaying full HTML as plain text. Look at your very post as an example. If the forum wasn't secure, it would've made your text strong. Instead, it just displays the "<" and ">" as plain texts.Just scrap the strip_tags() function, and use htmlspecialchars() instead.I've downloaded the archive, and on first sight, I noticed one very important detail - you're constantly reconnecting to the database and selecting it, writing it in every file... consider placing the DB data in a separate file, which you then include everywhere else. Also, you're casting several queries when displaying posts - one for each column. Consider conbining all of those in one query call.

Share this post


Link to post
Share on other sites
Why?There's no problem in displaying full HTML as plain text. Look at your very post as an example. If the forum wasn't secure, it would've made your text strong. Instead, it just displays the "<" and ">" as plain texts.Just scrap the strip_tags() function, and use htmlspecialchars() instead.I've downloaded the archive, and on first sight, I noticed one very important detail - you're constantly reconnecting to the database and selecting it, writing it in every file... consider placing the DB data in a separate file, which you then include everywhere else. Also, you're casting several queries when displaying posts - one for each column. Consider conbining all of those in one query call.
I would've considered using mysql_fetch_assoc if i would know how to jump on the next row (using mysql_result is easy)

Share this post


Link to post
Share on other sites

Every next mysql_fetch_assoc() moves to the next row. See the manual:

Returns an associative array that corresponds to the fetched row and moves the internal data pointer ahead.

Share this post


Link to post
Share on other sites

internal data pointer.... I KNEW it.... i just never tested it... all my code is written with mysql_result omg -.- there's so much stuff to change/update... idk if i have the patience to do it right now.But every project i make will go to my portfolio and I have to change this if I want to get in front of others at a job position.

Share this post


Link to post
Share on other sites

So can any1 inspect my code? is it good? I know it works, but i wan't to know if its efficient and well organized. That's what I want to hear :)Ok, i know it's not exactly well organized, so I could use some advice.I've updated the archive. I've replaced all mysql_result functions with mysql_fetch_assoc (well not every function) and i've added a 2000 post size limit.

Edited by KingA

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
Sign in to follow this  

×
×
  • Create New...