Opinion on website

Discussion in 'Computer Programming, Emulation, and Game Modding' started by shakirmoledina, May 12, 2012.

May 12, 2012

Opinion on website by shakirmoledina at 12:06 AM (528 Views / 0 Likes) 6 replies

  1. shakirmoledina
    OP

    Member shakirmoledina Legend

    Joined:
    Oct 23, 2004
    Messages:
    6,611
    Location:
    Dar es Salaam
    Country:
    Tanzania
    There is a website that has been made using php and mysql. I wanted people's opinion on what features it needs more and what improvements can be made.
    There wasn't any real focus on design so don't worry about that, though you CAN comment on it but be nice.

    http://shakirmole.fbdhost.com/ - normal user
    http://shakirmole.fbdhost.com/admin - admin panel

    Admin username = admin
    Admin password = mahdi

    The credit cards for buying stuff (it's a prototype so it's not really online and therefore there is a local table)
    1234567890123456
    1111111111111111
    2222222222222222
    and so on to 6

    Thanks

    PS - don't change the admin password
     
  2. Xuphor

    Banned Xuphor I have lied to all of you. I am deeply sorry.

    Joined:
    Jul 14, 2007
    Messages:
    1,681
    Location:
    USA
    Country:
    United States
    I'm sorry, but that was really stupid.
    This forum is viewable by not only members, but guests as well, who couldn't care less if they get banned from GBATemp. You really need to find some way to only have that stuff viewable to members of this site, with like more than 100 posts or something. You really are just asking for something bad to happen.
     
  3. FAST6191

    Reporter FAST6191 Techromancer

    Joined:
    Nov 21, 2005
    Messages:
    21,747
    Country:
    United Kingdom
    Using my standard paranoid security.

    Email- plain text. http://www.albionresearch.com/misc/obfuscator.php exists.
    What is going on with your background- "http://shakirmole.fbdhost.com/css/images/bg_middleblue.gif" redirects to http://1062257856286496.securesignupoffers.net/a/ as does 404 but I guess that is toy hosting causing this.

    Straight up HTML tables as a layout device. I have done such a thing rather more recently than I might like, but CSS tables are the usual way to do it here. Equally a hardcoded width of 1000 works OK for those of us rocking nice large monitors but probably not so good for general use (if you must use tables, go percentages).

    I assume you will stick the signin and other such things over HTTPs when it gets real.

    Credit card number as a sole login..... Now I applaud the lack of need to sign up to a site and it truly is a backwards site that makes me do it (unless it is a huge company but even then) but credit card numbers are prone to change and I can not help but feel PCI compliance is not being met here.

    Logo- I know you said no design but size and alias. Along the same lines might as well stick a favicon up there.

    I am not sure what your CMS/stock and store management would be like but hey

    I am not a web security expert but I should not be able to put -7 orders in there (I guess it is manual, but if I stick a couple of devices and a couple of negative devices in there someone would probably catch it; still, I can make it cost less or indeed nothing or negative). There is a limit though somehow: -999999999....99999 became -2147483648 and 2147483647 for the positive (7FFFFFFF aka 31 bits, or I am guessing basic signed values), and it did seem to sanitise a bit (typing random words in there did nothing and it sanitised it down to the numbers in general when I started typing nonsense) so I guess it is not all bad.
    I posted HTML that got parsed in your comments box. Less than ideal that. I also managed to add an iframe to the page itself but alas the rabbit hole does not go deep.
    I posted Javascript that got parsed and worked. Definitely less than ideal. (both those on http://shakirmole.fbdhost.com/?prodid=14&module=products&action=specificproduct ).
    Those two alone are almost dealbreaking but I could probably get fangs and try something really nasty. For giggles I jumped a nonexistent product ( http://shakirmole.fbdhost.com/?prodid=92564&module=products&action=specificproduct ) and the same again worked which now means I get free hosting with you (I was going to try some base64 decode or pushing the limits but it is 1am right now and too much time staring at the road today for me to think straight).
    I have not tried proper SQL injection fun yet or messing around with CURL, I did not notice any points for inclusions of the PHP type or otherwise either but again I am not a web security type.

    My general suggestion- get an off the shelf web store (I guess you are going manual and building it off the back of something like eBay or Amazon due to a general lack of support). There are free or very cheap quite customisable ones that will do wonders.

    Minor test to see if you should be building a commercial/money taking site as opposed to off the shelf stuff- did you have the list of test credit card numbers when building this/know they existed? http://www.crazysquirrel.com/finance/test-cc.jspx for instance. Basically if "InfoTech Traders wishes to be the pioneer of online business in Tanzania" don't let it be one of hacking.
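The two concrete findings in the reply above are an order quantity that accepts negative and overflowing values, and a comment box that renders whatever HTML or JavaScript is posted into it. The following is an added PHP example written for this thread; it is not the site's code or FAST6191's, and the field names `quantity`, `prodid` and `comment`, the `MAX_QUANTITY` limit, and the `products` table layout are all assumptions. It shows the server-side checks a shop page like this would normally do before touching the order or echoing a comment:

```php
<?php
// Added example, not the site's code. Field names, MAX_QUANTITY and the
// products table are assumptions made for this illustration.

const MAX_QUANTITY = 100; // assumed per-line-item business limit

// Accept only an integer quantity in [1, MAX_QUANTITY]; return null otherwise.
// A plain (int) cast would turn "-7" into -7 and let an oversized value wrap
// to -2147483648 in a 32-bit signed column; FILTER_VALIDATE_INT with a range
// rejects both, and also rejects non-numeric text outright.
function validateQuantity($raw): ?int
{
    $qty = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => MAX_QUANTITY],
    ]);
    return $qty === false ? null : $qty;
}

// Product ids are positive integers; anything else is a bad request. A valid
// id that matches no row should be a 404, not a page that still renders input.
function validateProductId($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Escape user text for an HTML context so <script> and <iframe> show as text.
function escapeHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Look the product up with a bound parameter rather than string-built SQL.
// Table and column names are assumed; not called in the offline run below.
function fetchProduct(PDO $db, int $prodid): ?array
{
    $stmt = $db->prepare('SELECT id, name, price FROM products WHERE id = :id');
    $stmt->execute([':id' => $prodid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Decide what to do with one order request; returns a status line for the demo.
function handleOrder(array $request): string
{
    $prodid = validateProductId($request['prodid'] ?? '');
    $qty    = validateQuantity($request['quantity'] ?? '');
    if ($prodid === null) {
        return '400 bad product id';
    }
    if ($qty === null) {
        return '400 quantity must be 1..' . MAX_QUANTITY;
    }
    return "ok: product $prodid x $qty";
}

// Constructed sample requests standing in for $_POST / $_GET.
$samples = [
    ['prodid' => '14',  'quantity' => '2'],
    ['prodid' => '14',  'quantity' => '-7'],
    ['prodid' => '14',  'quantity' => '-99999999999999999999'],
    ['prodid' => 'abc', 'quantity' => '1'],
];
foreach ($samples as $req) {
    echo handleOrder($req), "\n";
}

// Comment text is stored as submitted and escaped on output, never echoed raw.
echo escapeHtml('<script>alert("x")</script>'), "\n";
```

Only the first sample request is accepted; the negative quantity, the oversized one and the non-numeric product id all return a 400 line before any database work happens, and the escaped comment comes out as literal text rather than a running script.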
     
  4. shakirmoledina
    OP

    Member shakirmoledina Legend

    Joined:
    Oct 23, 2004
    Messages:
    6,611
    Location:
    Dar es Salaam
    Country:
    Tanzania
    oh lol this is in no way going to be used in a real life situation

    your security suggestions fast are... amazing. Thanks and I saw the things you did there, very nice checking I must say.

    I could change the password from the database in case someone acted funny but this is just for teaching others php so I wanted to know which features we can add.

    I guess I can make the inputs cleaner to disallow unwanted content.
    I was not liking the credit card system but if it is better then surely will keep it. My teacher suggested that.
    About the part of order -7 I didn't understand a thing but you said "I guess it's not bad" and I gasped for goodness.
    lol to the unknown product part, I will try dealing with that.

    The thing I wanted to demonstrate was implementing features but not much security, but you analysing the site "securitarily" was a great thing, thanks.

    Ah, html table for layout is truly a bad idea but I am slowly shifting to full pages. I am going to upload 2 more websites, if possible, and then if you can check those too.
     
  5. FAST6191

    Reporter FAST6191 Techromancer

    Joined:
    Nov 21, 2005
    Messages:
    21,747
    Country:
    United Kingdom
    Yeah I was doing a writeup as things went on at 1 am despite being on the road for a few too many hours that day.

    First, I really am not a web security type or even much of a web developer- I mean I know basic computer science and roughly how most of these web languages work as well as standard attacks, but my code fragments were largely copied and pasted even though they were basic and it would have probably been quicker to type them. In short there are script kiddies out there that probably know way more than I do about this sort of thing, and where you would have to try very hard to maintain a virus/infection on a machine I have access to and responsibility for, much of web stuff sails right over my head (I would not call on me to optimise or even really understand a SQL driven website, much less secure it).

    I guess you declared a 32bit signed value for the order number (either accidentally or to allow people to remove multiples, and even then I would just make it a signed value and allow people to change that) and if it was for a small business I guess it would be manually fulfilled so someone would catch it. If however you had it go to an auto completion side in a warehouse or someone that was not about to check things (say an intern asked to grab orders off the shelf* and stick them in the post) you as a business could be left holding the bag for a little while, which has killed more than a few businesses, or losing the money entirely, which has definitely killed more than a few businesses.

    *worse is a negative symbol could be overlooked/assumed to be a printer error or even a lead in mark so I could get my positive order and the stuff from my negative and not have to pay or if things went really wrong your system ends up paying me (it sees me as a debt/refund or something similar).

    The HTML injection stuff... the only times you want to have people able to put HTML and/or javascript in a website is if they are staff for it or otherwise trusted, or you parse it to remove everything but a small subset of instructions (links, maybe pictures, text formatting (bold, italic and what have you) and not much else)- it is pretty much the reason why bbcode exists. To make matters worse I could in effect post anonymously and indeed by a bot (no bot checks) and include full HTML and javascript, which scares me no end- I include a micro iframe to a site I control and that either has malware on it (many web security packages will flag this) or I have just gained the ability to see who visits your site, to do some spamming, to do some black hat SEO, all in addition to the whole ability to host things for free on your site we already covered. This alone means I would be inclined to pull even this test site from the web* (I am guessing your local legal system is not very clued up on tech and you really do not want to have to explain why you are now hosting a link farm or worse to some unpleasant content should someone with actual bad intentions come along- you are now listed in google at least) or at least make it reset every 10 minutes or so (probably not an easy option on your current host).
    Depending upon how it is parsed it might also allow php to be included which would be very very bad (I tried something basic just now a couple of times and it did not take (various parts of it ended up as comments where others did not) but I probably screwed it up and might be able to pull it back- if it leaves comments and adds something that might be enough to trick it).

    *get your students a copy of http://www.uniformserver.com/ or something for them to learn on if you have not already. Also if I may be so bold it might be better to get them an existing shop framework to customise/reverse engineer or get them to build something with a bit less potential to cause serious issues (making a basic blog, guestbook or image gallery will teach all the same things)- you really do not want some students using this as a commercial website and if my experience with such matters is anything to go by copy, paste and change the relevant names is a sound idea for most beginners/students for this sort of thing (if you have marked essays and exams how many times have you had an almost word for word copy of your lecture notes/the textbook come back at you or indeed done something similar yourself).

    I had not meant to imply using credit card numbers as authentication/username was a good thing (it really isn't). I should also mention credit card numbers have a habit of changing with time so if a company/person wants to maintain an order history it is best that is not the sole thing.
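The reply above describes the usual fix for the comment box: escape everything, then re-enable only a small whitelist of formatting (bold, italic, links) the way bbcode does. Below is an added PHP example of that approach, written for this thread rather than taken from the site or from FAST6191; the tag set, the `renderComment` name and the sample comments are constructed for the illustration. Raw HTML is neutralised before any tag is interpreted, and link targets are checked so that only absolute http/https URLs become anchors:

```php
<?php
// Added example, not the site's code: whitelist rendering of user comments.
// Everything is HTML-escaped first; only [b], [i] and [url=...] are then
// turned into markup, so a posted <script> or <iframe> stays inert text.

function renderComment(string $text): string
{
    // 1. Neutralise all raw HTML. Brackets are untouched, so bbcode survives.
    $safe = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // 2. Re-enable a small, closed set of formatting tags.
    $safe = preg_replace('~\[b\](.*?)\[/b\]~s', '<b>$1</b>', $safe);
    $safe = preg_replace('~\[i\](.*?)\[/i\]~s', '<i>$1</i>', $safe);

    // 3. Links: decode the escaped target, require an absolute http(s) URL,
    //    then re-escape it for the attribute. Anything else loses the link
    //    but keeps its visible text.
    $safe = preg_replace_callback(
        '~\[url=([^\]]+)\](.*?)\[/url\]~s',
        function (array $m): string {
            $href = html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
            if (filter_var($href, FILTER_VALIDATE_URL) === false
                || !preg_match('~^https?://~i', $href)) {
                return $m[2];
            }
            $attr = htmlspecialchars($href, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
            return '<a href="' . $attr . '" rel="nofollow">' . $m[2] . '</a>';
        },
        $safe
    );

    return $safe;
}

// Constructed sample comments covering the cases discussed in the thread.
$samples = [
    'Nice [b]phone[/b], [i]cheap[/i] too',
    '<iframe src="http://example.invalid/"></iframe>',
    '<script>alert("x")</script>',
    '[url=javascript:alert(1)]click me[/url]',
    '[url=http://example.com/review]proper link[/url]',
];
foreach ($samples as $s) {
    echo renderComment($s), "\n";
}
```

The iframe and script samples come out as escaped text, the `javascript:` link is reduced to its label, and only the http link becomes an anchor. Because the escaping happens once at the start and the whitelist only ever inserts tags the code itself wrote, adding a further tag later (an image tag with the same URL check, say) does not reopen the injection.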
     
  6. DCG

    Member DCG GBAtemp Advanced Fan

    Joined:
    Jan 1, 2010
    Messages:
    637
    Location:
    Schiedam
    Country:
    Netherlands
    You should make it possible to click on products again, when you are in a product subsection, back buttons are annoying ;p
     
  7. shakirmoledina
    OP

    Member shakirmoledina Legend

    Joined:
    Oct 23, 2004
    Messages:
    6,611
    Location:
    Dar es Salaam
    Country:
    Tanzania
    Ah sure fast, thanks for the points you have mentioned. I usually use xampp to get all the things installed and then work from there.
    I hope at least those who see it can see what anyone can do with php, which was what I was aiming for. To prevent problems as you have mentioned, I will have to work upon security.

    I personally would not advise anyone using this as an ecommerce solution as packages like oscommerce and zencart do a much better job.

    Ok, about registrations, is using credit cards better, or registering and then providing details? Either way, it seems one is changing and the latter is an inconvenience.

    Ah yes DCG that is absolutely true hehe.
     