Finally done - completely DONE!
I know I've shown this site a hundred times, but it's been a long process (lots of back-end admin stuff you don't see on the site). It's finally done. What do you all think?
http://goldnuggetmuseum.com/
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
Beautiful, plus it's 100% standards compliant: http://validator.w3.org/check?uri=http% ... eum.com%2F
The Ninja Space Goat wrote: you know, I'm not really sure. Should have just send $msg=error and then had it do an if $msg == erre then post "this error message" but oh well.
Yeah, especially when you don't seem to be filtering what you're displaying...
example
I didn't try to see what other nonsense I could get up to.
Also, maybe it's just me that's seeing a (more or less) blank page with 'Coming Soon' on it when I hit http://goldnuggetmuseum.com/ ? From another browser I get a blank page with two question marks, which achieves nothing other than adding to the intrigue.
http://goldnuggetmuseum.com/index.php on the other hand works as intended.
The way it is, you've left the door to XSS wide, wide open - example. Session hijacking is another issue you should concern yourself with, along with SQL injection.
This site is asking to be cracked if you don't filter anything coming from the outside (i.e. HTTP-requests: $_POST, $_GET, $_REQUEST) - for some background, read http://www.sitepoint.com/blogs/2004/03/ ... strangers/
http://www.sitepoint.com/article/php-security-blunders
http://www.sitepoint.com/article/sql-in ... tacks-safe
Handing this site over to the client as is would be very, very bad practice and, imho, irresponsible.
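The three issues named in this post (unfiltered output leading to XSS, raw request values in SQL, and session handling), each shown as the careless pattern beside a hardened version. This is an added example written for this thread, not code from the Gold Nugget Museum site or from any poster. It assumes a PDO connection in $pdo, a hypothetical `pages` table with `slug` and `body` columns, and a UTF-8 page; the charset passed to htmlspecialchars must match whatever the page actually declares (the site's "Coming Soon" page above declares iso-8859-1).

```php
<?php
// Added example, not the site's own code. Assumptions (hypothetical):
// $pdo is a PDO connection, table `pages` has columns `slug` and `body`,
// and the HTML page is served as UTF-8.

// --- 1. Reflected XSS ------------------------------------------------------

// Careless: whatever arrives in ?msg=... is written straight into the HTML,
// so markup or script in the parameter is rendered by the visitor's browser.
function renderMessageUnsafe(array $get): string
{
    return '<p class="msg">' . ($get['msg'] ?? '') . '</p>';
}

// Hardened: encode at the point of output. ENT_QUOTES also encodes single
// quotes, so the value is safe inside attributes as well as element text.
function renderMessageSafe(array $get): string
{
    $msg = (string)($get['msg'] ?? '');
    return '<p class="msg">' . htmlspecialchars($msg, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Better still: the request selects a message by code, never supplies the
// text (the "$msg=error ... if $msg == error" idea from the thread, done as
// an allowlist). Unknown codes render nothing.
const MESSAGES = [
    'error' => 'Something went wrong. Please try again.',
    'saved' => 'Your changes were saved.',
];

function renderMessageFromCode(array $get): string
{
    $code = (string)($get['msg'] ?? '');
    if (!array_key_exists($code, MESSAGES)) {
        return '';
    }
    return '<p class="msg">' . htmlspecialchars(MESSAGES[$code], ENT_QUOTES, 'UTF-8') . '</p>';
}

// --- 2. SQL injection -------------------------------------------------------

// Careless: the slug is interpolated into the query text, so a quote in the
// parameter changes the structure of the query itself.
function loadPageUnsafe(PDO $pdo, array $get): ?string
{
    $slug = $get['page'] ?? '';
    $row = $pdo->query("SELECT body FROM pages WHERE slug = '$slug'")->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['body'] : null;
}

// Hardened: a prepared statement keeps data separate from query text, and a
// shape check on the slug rejects anything that is not a plausible page name.
function loadPageSafe(PDO $pdo, array $get): ?string
{
    $slug = (string)($get['page'] ?? '');
    if (!preg_match('/^[a-z0-9-]{1,64}$/', $slug)) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT body FROM pages WHERE slug = :slug');
    $stmt->execute([':slug' => $slug]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['body'] : null;
}

// --- 3. Session hijacking ---------------------------------------------------

// Mark the session cookie so scripts cannot read it (limits cookie theft via
// XSS) and so it only travels over HTTPS; requires PHP 7.3+ for the array form.
function startHardenedSession(): void
{
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// On successful login, issue a fresh session id so an id observed or planted
// before authentication never becomes the privileged one.
function loginSucceeded(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}
```

The "unsafe" functions are kept only to show the pattern the post objects to; in a real script the first two hardened forms plus startHardenedSession() at the top of every page are the minimum, and the allowlist variant is preferable wherever the request only needs to pick from a known set of values.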
Re: Finally done - completely DONE!
The Ninja Space Goat wrote: I know I've shown this site a hundred times, but it's been a long process (lots of back-end admin stuff you don't see on the site). It's finally done. What do you all think?
http://goldnuggetmuseum.com/
Hey Ninja, just so you know, when you visit the link above the page shown is made up of the following code...
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Paradise Gold Nugget Museum - Coming Soon!</title>
<link href="style.css" rel="stylesheet" type="text/css" />
</head>
<body style="margin: 0; padding: 0;">
<div style="padding: 75px"><img src="comingsoon.gif" alt="" /></div>
<div style="border-top: 2px solid black;border-bottom: 2px solid black; height: 204px; padding-left: 100px;"><img src="main.jpg" alt="Coming Soon" /></div>
</body>
</html>
Regarding the administration folder: put it behind HTTP authentication - easy and secure. As everah said, I didn't even have to log in...
Last edited by patrikG on Wed Apr 05, 2006 10:52 pm, edited 1 time in total.
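The usual way to do what this post suggests is in the web server itself (for Apache, AuthType Basic with an .htpasswd file on the admin directory). When the server configuration cannot be touched, the same check can be done in PHP. The following is an added example for this thread, not code from the site or from any poster: a guard that every script in the admin folder includes as its first line. It assumes HTTPS (Basic authentication sends credentials base64-encoded, not encrypted), PHP running as an Apache module so that PHP_AUTH_USER and PHP_AUTH_PW are populated, and a credential store of username => password_hash() output; the hash shown is a labelled placeholder, not a real one.

```php
<?php
// Added example, not the site's own code. Include at the very top of every
// script under the admin folder, before any output is sent.

// Constructed credential store. Produce the real value once with
//   php -r 'echo password_hash("the-password", PASSWORD_DEFAULT), "\n";'
// and keep this file outside the web root. The string below is a placeholder
// and will never verify.
const ADMIN_USERS = [
    'curator' => 'PLACEHOLDER_PASSWORD_HASH',
];

// Returns true only when the request carries a username that exists in the
// store and a password that verifies against that user's hash.
// password_verify() does the comparison in constant time.
function requireAdminAuth(array $server, array $users): bool
{
    $user = $server['PHP_AUTH_USER'] ?? null;
    $pass = $server['PHP_AUTH_PW'] ?? null;

    if ($user === null || $pass === null || !isset($users[$user])) {
        return false;
    }
    return password_verify($pass, $users[$user]);
}

// Sends the challenge that makes the browser prompt for credentials, then
// stops the script so nothing from the admin page is rendered.
function denyAndChallenge(): void
{
    header('WWW-Authenticate: Basic realm="Site administration"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Authentication required.';
    exit;
}

if (!requireAdminAuth($_SERVER, ADMIN_USERS)) {
    denyAndChallenge();
}
// Reaching this line means the request carried valid admin credentials.
```

Two caveats: under CGI or FastCGI the Authorization header is not passed through to PHP_AUTH_USER by default and needs a server-side rewrite to expose it, and because the browser resends Basic credentials with every request there is no logout other than closing the browser, so the credentials themselves should be strong and the admin area should never be reachable over plain HTTP.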