7 replies to this topic

[Samleeuwenburg]

Hey guys, I made this website to learn php but I also have use it for an intake at my new school. Design is not counted but the php and mysql use is.

I love getting feedback from people who are php programmers themselfs and feedback from users,

Can you guys please test my webpage and leave some feedback for me? It will be very usefull for me to finish the webpage!!

Thnx alot!!

Website : http://www.zennized.trap17.net

[truefusion]

I suppose in some important areas you have filtered the input, but you seem to have forgotten about $_GET. I haven't tried all the pages, but this page allows for arbitrary HTML (don't worry, it is just Google —but it could have been worse).

[Samleeuwenburg]

truefusion, on Mar 22 2010, 02:35 AM, said:

I suppose in some important areas you have filtered the input, but you seem to have forgotten about $_GET. I haven't tried all the pages, but this page allows for arbitrary HTML (don't worry, it is just Google —but it could have been worse).

first of all thanks alot for helping out, I don't really get what this means though.. Does this mean every page I use the GET function is unsafe? How can I fix this? Because I still want to use the get function so you can bookmark the page or link it.
For example when u click on a quote it uses it's id to load the right quote from the database with the get function

[Samleeuwenburg]

truefusion, on Mar 22 2010, 02:35 AM, said:

http://www.zennized.trap17.net/category.ph...3E%3C/iframe%3E

I get it now. In my php script I echo the ?q= from the link, so that means you can write any html in there. what is good way to prevent this?
for numbers I could do a check if its a number or not. but if its a word like the category.php page uses what could i use to prevent html use?

[Бојан]

I like the idea with the quotes, but the design sucks. Try to make better one by making or editing it on Dreamweaver.

[truefusion]

Samleeuwenburg, on Mar 22 2010, 09:42 AM, said:

I get it now. In my php script I echo the ?q= from the link, so that means you can write any html in there. what is good way to prevent this?
for numbers I could do a check if its a number or not. but if its a word like the category.php page uses what could i use to prevent html use?

PHP has a function for stripping HTML from a string: strip_tags(). Use it for every _GET variable you output to the browser. Or you can just have this at the beginning of the script:

$_GET = array_map("strip_tags", $_GET);

[linekill]

I'm not a PHP Programmer so I won't be able to give you a feedback regarding how it might have been set up. I could, however, provide some pointers to better the design of your site.

The site's color is simple. And since you're posting quotations, I would suggest adding more designs to it. Not the very flashy ones. Maybe some swirls here on the header and a small version of it on the footer. I would also suggest losing the gradient-tube effect of the navigation bar. For easier identification, putting a :hover effect and/or :active effects on the navbar will significantly increase the appeal of the website - inverting the colors is simple but would be sufficient.

All in all, you have a good starting point for a design. Put more detail and you're good to go.

[Samleeuwenburg]

Thanks alot for all the replies. and yes I know the design sucks but lucky for me I wont be scored for that part.
and also thank you Treufusion for that piece of code, ill mess around with it and see what comes up.