Finally done - completely DONE!


crackedPavement
Forum Newbie
Posts: 11
Joined: Wed Mar 01, 2006 8:18 pm
Location: portland, or

Post by crackedPavement »

RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

The Gold Nugget Museum web site wrote:The Gold Nugget Museum was incorperated in 1973. Our mission is to preserve and protect The Ridge heritage through our collection and artifacts and with community education programs...
Who is managing the content? They might want to consider spell checking before posting (or maybe you can charge them to develop and implement a spell checking tool. Hmm. Hmm?). Also, do they mean "collection of artifacts"?
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

No they mean collection and artifacts. She is a hard lady to deal with. This site was free (donation :D ), and she still complains about EVERYTHING on it. Thank you all so much for all your advice. I will fix those problems with injection.

What would I do to prevent XSS?
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

One thing you could do is not use $_GET for the message text in your contact form. Allowing a user to pass a variable to your scripts through a URI is a big risk, unless you validate what is being passed. In your case, you could use an array index as a passed parameter and echo back the array value for that index as an error message after validating the numeric value of the $_GET var. Or you could just not use $_GET at all and rely on preprogrammed error messages based on triggers thrown by the script (I tend to use this method).
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

I apologize for not completely understanding what you mean by "triggers thrown by the script"; could you elaborate?
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Well, I suppose I mean whatever in the script would give cause to show the message. Relying on the $_GET['message'] var being set and then using the value of it is insecure. Usually, I do some checking of the values of the form data and post an error message as needed. This is typically generated within the script using a check of some sort. That way nothing gets passed to the script through the URI.
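The two approaches RobertGonzalez describes above (validate inside the script and show a canned message, or pass only a numeric index and look the message up) as one worked example. This is an added example, not code from the thread or from the museum site; the file name contact.php, the err parameter, the $errors table and the field names are assumptions.

```php
<?php
// Added example: contact form whose error messages are never taken from the URL.
// The message text lives in the script; at most a numeric index travels in the query string.

// Canned messages, keyed by a small integer (assumed table)
$errors = [
    1 => 'Please enter your name.',
    2 => 'Please enter a valid e-mail address.',
    3 => 'Your message cannot be empty.',
];

// "Triggers": checks run inside the script on the posted data. Returns the error codes found.
function validateContactForm(array $post): array
{
    $codes = [];
    if (trim($post['name'] ?? '') === '') {
        $codes[] = 1;
    }
    if (filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $codes[] = 2;
    }
    if (trim($post['message'] ?? '') === '') {
        $codes[] = 3;
    }
    return $codes;
}

// The index variant: accept only a whole number that is a known key, ignore everything else
function errorMessageFor($code, array $errors): ?string
{
    if (filter_var($code, FILTER_VALIDATE_INT) === false) {
        return null;
    }
    return $errors[(int) $code] ?? null;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $codes = validateContactForm($_POST);
    if ($codes === []) {
        // mail() would go here; then send the visitor on
        header('Location: thanks.php');
        exit;
    }
    // Redirect back with the index only, never with message text (assumed parameter name: err)
    header('Location: contact.php?err=' . $codes[0]);
    exit;
}

// On GET: map the index back to a message. Anything that is not a known integer shows nothing.
$message = isset($_GET['err']) ? errorMessageFor($_GET['err'], $errors) : null;
if ($message !== null) {
    // Escape on output even though the text is ours; it costs nothing and survives future edits
    echo '<p class="error">' . htmlspecialchars($message, ENT_QUOTES, 'UTF-8') . '</p>';
}
```

A request such as contact.php?err=2 shows the second message; contact.php?err=%3Cscript%3E shows nothing, because the value fails the integer check before it is ever looked up or echoed.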
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

If ever displaying dynamic content, play it safe with htmlentities(), in combination with whitelisting values, example:

```php
// Whitelist the value first, then escape it on output ($validator is the poster's own helper)
if (isset($_GET['blah']) && $validator->isString($_GET['blah'])) {
    echo htmlentities($_GET['blah'], ENT_QUOTES, 'UTF-8');
}
```
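To make the "htmlentities plus whitelisting" advice concrete, here is an added example (not the poster's code; the sort and q parameters, the allowed values and the escape() helper are assumptions) showing the unsafe echo next to the two hardened cases: a parameter with a fixed set of legal values gets an allow-list, and free text that must be shown back gets escaped.

```php
<?php
// Added example: allow-list for a fixed-choice parameter, output escaping for free text.

// Assumed set of legal values for a "sort" parameter
const ALLOWED_SORT = ['name', 'date', 'size'];

// One escaping helper used for every dynamic value that reaches HTML
function escape(string $s): string
{
    return htmlentities($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Whitelisting: anything outside the known set falls back to a default, so the
// value that reaches the page (and any SQL ORDER BY built from it) is one of ours
function sortFieldFromRequest(array $get): string
{
    $value = $get['sort'] ?? 'name';
    return in_array($value, ALLOWED_SORT, true) ? $value : 'name';
}

// Unsafe: reflects whatever arrived in the URL straight into the page
// echo 'Sorted by ' . $_GET['sort'];

// Hardened: allow-listed value, still escaped on output
$sort = sortFieldFromRequest($_GET);
echo '<p>Sorted by ' . escape($sort) . '</p>';

// Free text (a search term) has no allow-list, so escaping is what keeps it inert
$q = (string) ($_GET['q'] ?? '');
echo '<p>Results for: ' . escape($q) . '</p>';

// Attribute context: ENT_QUOTES matters here, since the value sits inside quotes
echo '<input type="text" name="q" value="' . escape($q) . '">';
```

The allow-list handles parameters that select among known options; escaping handles everything else. Escape at the point of output rather than at input, so the same stored value can later be rendered safely in a different context.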