Log in

View Full Version : Help me get certified!



Robert Kosek
21-06-2007, 03:57 PM
I need signatures in my blog/guestbook project for my PHP/MySQL course at OST (http://www.oreillyschool.com/). Yes, I wrote the whole thing myself from scratch. :D I went a little overboard considering the design objectives given me, but hey I like things that work well.

So, sign up and sign my guestbook already! ;)

http://rkosek.userworld.com/blog/

Existing features:
Blog/Guestbook tied together -- differentiated only in 1 tag (the poster's "class").
Robust password hashing using "salts".
Banning system.
Registration/User-account-system to prevent spam.
Hidden form field for logging in and registration to foil spam.
User "class" for banned groups with automatic removal of posts.
Secure against most types of web attacks.
Ultra-friendly for dial-up users; css-only design excepting avatars.

All in 9 hours. :mrgreen:

Robert Kosek
21-06-2007, 05:09 PM
Just for the record, making it look nice isn't on the list at the moment. I already made it look nicer so it wasn't an eyesore, but right now I need to focus on completing the course. Later on, I promise, that I'll improve the appearance -- but for the time being it works just dandy on FF/IE7.

Traveler
21-06-2007, 10:09 PM
I hope you dont mind me messing up your questbook a bit, but I just had to give it a try to see if I could spot a few errors in it. Fortunately for you, I'm not much of a hacker, and so little to no harm was done :wink:

You seem to have the basics covered. I've tried messing up the table layout, by inserting html (hence the tags), some sql injection, I even made up my own form and submitted that, but nothing seemed to work. (as it should be).

There's only four tiny things I did notice:
- You dont check for spaces in the name/password (or any fields for that matter, except the message formfield)
- change password does not appear to be working.
- no proper email validation.
- when I post a message without a subject and submit the form, a blanc form is returned. Please, make it so that the message is not lost, and only the text in the subject field has to be added.

In all, nice work for 9 hours :D

Robert Kosek
21-06-2007, 10:57 PM
- You dont check for spaces in the name/password (or any fields for that matter, except the message formfield) For the password, I don't care so much. If you're dumb enough to do that then it's your fault; I don't even know if the crack library is installed, so I won't waste time with a strength test. However I'll put a trim statement around the checks for both those.


- change password does not appear to be working. I haven't tried it, but I'll verify that to be sure. I might've mistyped the query.


- no proper email validation. No sendmail either, so no go there.


- when I post a message without a subject and submit the form, a blanc form is returned. Please, make it so that the message is not lost, and only the text in the subject field has to be added. I could have sworn this was already in, but I found tons of typos in each upload.


In all, nice work for 9 hoursThanks. :D I'm not a complete newbie, I work as a contractor doing some similar stuff, and worked on this in sections of split time. I missed tons of things between days and ended up cleaning up numerous times. I'll tackle a few of these things tonight/tomorrow, so thanks for testing them.

SQL/HTML are both neutered by the same function call; I made a simple "doctorStr" function that escapes and makes strings safe. Post length in the DB is 65K (word) characters.

Robert Kosek
22-06-2007, 01:34 PM
Thanks Traveler, got those squared away now. Usernames and passwords cannot be blank now, change password is working, and a few other minor cleanups I noticed while browsing through my source again.

Now to give you a name via my database terminal. :P

Traveler
22-06-2007, 03:41 PM
No problem. Glad I could help in some way :)

Angelo
22-06-2007, 04:47 PM
Nicely done Robert.

I've got a few questions/hints/tips,

1. What do you exactly mean by this?
"Secure against most types of web attacks."

2. I'm not sure if this is relevant for your script, but please make sure that sql injections such as "0.1,tablefield=value" can not be done.

3. Try to create all your queries on top of the page. Not certain if you are/aren't doing this yet.

4. Make your site xhtml valid, you should standardize this for every website/script/code you create. http://validator.w3.org/check?uri=http%3A%2F%2Frkosek.userworld.com%2Fblog %2F

5. Make your code that it validates whether the server posted or not, if you will not do this, I will be able to run forms from my pc into your database.

Further, keep up the good work :D

If you'd like to know any information about anything, you can ask me ;)

Robert Kosek
22-06-2007, 08:42 PM
4. Make your site xhtml valid, you should standardize this for every website/script/code you create. http://validator.w3.org/check?uri=http%3A%2F%2Frkosek.userworld.com%2Fblog %2F If you ignore the count, it came down to a mere two errors in the code; two missing closing tags causing problems and a missing type declaration in the style tag. Not bad for entirely unvalidated -- I haven't had time for that. The other errors are characters from Traveler's lengthy post, ones that aren't valid SGML, which I don't know how to enforce. Unless you know a simple check or encoding type I don't have the time to hunt down a validation fix.


1. What do you exactly mean by this?
"Secure against most types of web attacks."

2. I'm not sure if this is relevant for your script, but please make sure that sql injections such as "0.1,tablefield=value" can not be done. The first is answered with the second. XSS (cross site scripting), SQL Injection, remote posting (IE, remote hacking of the site by posting), and spambot protection. All in one, and half obscured. I have tested SQL injections and they fail.


3. Try to create all your queries on top of the page. Not certain if you are/aren't doing this yet. Queries are done in the midst of generation. For the time being I don't have time to realign everything. I overshot my objectives by a great distance, and what could have taken 2 hours to complete I turned into something complete in 9; I wasn't exactly supposed to put full functionality together yet.


5. Make your code that it validates whether the server posted or not, if you will not do this, I will be able to run forms from my pc into your database. Go ahead and try it. :D A blind post will get you nowhere. That would could as a potential attack in brute force entry; the only thing you could accomplish at this point (due to not implementing an IP ban) would be a DDoS attack by flood-posting.

Thanks for the comments and the offer. I'm not entirely new to this and it isn't my first time working with databases, but a piece of paper saying "yes I can" will make potential employers happier ... so I have started taking small classes for certification by O'Reilly.