Beta testing a web site!
Posted: Tue Mar 02, 2004 11:20 am
by emperor
I don't know whether this is the right place to post this, but I have been building a site for a friend which I have put on my own web space for beta testing. I need people who know how PHP & MySQL work to take a look and try to hack/break the site, to find bugs or security holes.
It can be found at
http://www.coldknife.net/imitationoflife and it is supposed to be a site where people can buy & sell art and photography, but I have filled it with pictures of hot celebrity girls for testing purposes (I had no real art, it's the best I could do) so at least there will be some reward for your efforts.
Please direct any issues/suggestions regarding the site to me at
anbolb@boltblue.com - anything at all, whether it's script errors, poorly rendered CSS or anything anything ANYTHING!!
Thanks guys!
Posted: Tue Mar 02, 2004 12:30 pm
by pickle
Despite what you said, I'm gonna post my thoughts here. Posting them publicly will help the best solution flesh out.
Keep in mind that all this stuff is in my opinion, not set in stone
First off, very clean style. I'm interested, is it CSS standard compliant?
When resized correctly, 'Imitation of Life' is broken up weird. 'Life' goes to a new line, 'of' goes right over to the right, and 'Imitation' stays on the left. My guess is you need to left justify the text, not spread it out newspaper style.
Also, try and move your GET vars into POST. It will require moving your links to buttons, but that can be hidden just fine with CSS and images.
Speaking of CSS - I'd recommend changing the look of your 'Search' button. It seems kind of drab and out of place in the midst of all that nice style.
When signing up, you don't say explicitly which fields are required. It would probably be best to put a red star or a note beside those fields that are necessary. Also, some users get annoyed when required to give too much personal info - such as town/city, country, postal code (note postal, not post). I can understand you'd want this for billing and mailing and the sort, but I personally wouldn't make that a requirement of sign up.
I can't go into it much more (I'm at work). It seems like a nice and clean site though - good job.
Posted: Tue Mar 02, 2004 12:39 pm
by ol4pr0
Resized problem: Not on my IE browser or my Netscape browser
pickle wrote:
When signing up, you don't say explicitly which fields are required
Agree there tho
Posted: Tue Mar 02, 2004 5:33 pm
by d3ad1ysp0rk
Warning: mysql_result(): Unable to jump to row 0 on MySQL result index 5 in /home/emperor/functions/account_functions.php on line 28
once registered
Posted: Tue Mar 02, 2004 6:35 pm
by redhair
LiLpunkSkateR wrote:
Warning: mysql_result(): Unable to jump to row 0 on MySQL result index 5 in /home/emperor/functions/account_functions.php on line 28
once registered
ooooeee :!: Big nono...
Posted: Wed Mar 03, 2004 9:06 am
by emperor
Thanks for the input guys, I have fixed the script error! Re the JavaScript form validation, I actually wrote the PHP validation first before putting JavaScripts in to do it, so it's fairly secure. As for query strings, I have tried to keep a lot of stuff hidden in POSTs but due to the "back" links and a few other things, I have had to leave some stuff in.
I'm going to work on the account page so that an address is optional when first joining. Thanks again for your help!
Posted: Thu Mar 11, 2004 3:17 pm
by pickle
Ok, I give up. How'd you do it? I'm trying to duplicate the effect you create with the imitationoflife logo floating overtop the stretching lake image. I've managed to get the image to stretch, but I can't for the life of me, get another image to be placed on top of it. Feel like sharing?
Update: I've managed to put the logo in the same space as the background image, but I can't put the logo overtop of the background image. I've changed the order of the image tag entry, as well as goofed with the z-index. I looked at your CSS but I can't figure out how it works for you.
Update 2: Thanks to my typo fixing - I've managed to figure it out. I realize I'm kind of talking to myself here (as no one has posted in between the three times I've edited this post), but thanks for the inspiration anyway!
Posted: Thu Mar 11, 2004 3:38 pm
by Weirdan
Seems like it's not vulnerable to basic traversals and SQL injection attacks, though it is vulnerable to simple login/password enumeration. The message in case of a wrong password should not be distinct from the message in case of a wrong email.
I don't have all the necessary tools right now to check whether your app can be fooled somehow by changing the hidden fields, cookies, browser info etc.
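Two of the findings in this thread come from the same piece of account code: the "Unable to jump to row 0" warning (a row read from a query that returned no rows, with the error text and file path shown to the visitor) and the distinct wrong-email / wrong-password messages that let someone enumerate registered addresses. The following is an added example written for this thread, not code from the imitationoflife site; it assumes a mysqli connection, a `users` table with `id`, `email` and `password_hash` columns (hashes produced by `password_hash()`), and a modern PHP with `password_verify()`, none of which the thread itself describes.

```php
<?php
// Added example, not the site's own code. Shows a login check that:
//  (a) never reads a row before confirming the query returned one, which is
//      the class of bug behind "mysql_result(): Unable to jump to row 0";
//  (b) returns ONE generic message whether the email is unknown or the
//      password is wrong, so the response cannot be used to enumerate users;
//  (c) keeps PHP warnings out of the HTML sent to visitors.
// Assumed schema: users(id INT, email VARCHAR, password_hash VARCHAR).

declare(strict_types=1);

// Warnings such as the one reported in the thread leaked a server path to
// the visitor. Log them instead of printing them (normally set in php.ini).
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// The single message shown for every login failure.
const LOGIN_FAILED = 'Invalid email address or password.';

/**
 * Returns the user id on success, or null on any failure. The caller shows
 * LOGIN_FAILED for every null; the specific reason is logged server-side only.
 */
function authenticate(mysqli $db, string $email, string $password): ?int
{
    // Prepared statement: user input never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE email = ? LIMIT 1');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $result = $stmt->get_result();

    // Zero rows is an expected outcome, not an error: fetch_assoc() returns
    // null instead of warning, and we test for it before touching any column.
    $row = $result->fetch_assoc();
    $stmt->close();

    if ($row === null) {
        // Unknown email: still run a hash comparison against a dummy hash
        // (constructed once here) so this path costs roughly the same time as
        // a wrong-password attempt. Timing should not reveal what the message hides.
        static $dummyHash = null;
        if ($dummyHash === null) {
            $dummyHash = password_hash('dummy-password-for-timing', PASSWORD_BCRYPT);
        }
        password_verify($password, $dummyHash);
        error_log('login failed: unknown email');
        return null;
    }

    if (!password_verify($password, $row['password_hash'])) {
        error_log('login failed: wrong password for user id ' . (int) $row['id']);
        return null;
    }

    return (int) $row['id'];
}

// Usage in the login handler (POSTed form). Both failure paths print the
// same text; only the log distinguishes them.
// $id = authenticate($db, $_POST['email'] ?? '', $_POST['password'] ?? '');
// if ($id === null) {
//     echo htmlspecialchars(LOGIN_FAILED);
// } else {
//     session_regenerate_id(true);
//     $_SESSION['uid'] = $id;
// }
```

The same pattern applies to the registration code that produced the warning above: after the INSERT, fetch the new account by its insert id and test for a null row before reading fields, rather than calling a row accessor on a result that may be empty.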