TalkPHP

TalkPHP (http://www.talkphp.com/forums.php)
-   Show Off (http://www.talkphp.com/show-off/)
-   -   My first script ever , critisize !! (http://www.talkphp.com/show-off/1863-my-first-script-ever-critisize.html)

webtuto 01-04-2008 05:59 PM

My first script ever, criticize!!
 
I DIDN'T USE SECURITY FOR NOW
Here is my first script ever.
It is simple:
NEWS SCRIPT or ARTICLES SCRIPT

I used PHP and HTML, no PS or something to design it.
It is a test to see if I can code an articles website.
Here is the link to check it => http://webtutotest.freehostia.com/news/home.php

And to enter the admin control panel from here =>
username = 123
password = 123
http://webtutotest.freehostia.com/news/admin_cp.php

Rate the programming.
Any suggestions plz.

If u criticize me, u are my friend ;-)

YouNeek 01-04-2008 06:41 PM

Hello there webtuto.

Apart from what is outputted to the front-end, it is rather hard to review the script in too much depth. The lack of security is a rather large hole, however, in the general development as, without security, a script is a prime target for all sorts of attacks.

A few questions/advice about registration:
  1. A major flaw that often crops up in new registration scripts is the lack of user input validation - by this I mean the expectation that the user is going to put in exactly what you want them to. For instance, with the 'Email' field, what if they don't put in a real email that follows name@domain, or put in something completely different altogether! It's very important to check that the input information is valid.
  2. It's always advisable to make sure your 'password' fields are set as type=password, otherwise anyone looking over the shoulder knows exactly how to get in and make some havoc! Also, users are much less willing to give passwords away to sites which don't hide them.
  3. It's very important to tell the user what to do and what's going on - once I registered I was sent back to the login screen; does this mean I was successful? Did the system crash? I have no idea! Make sure to update the user as to what's going on throughout.
  4. Database injections can be nasty stuff, and without escaping your DB input a lot you could be facing some major issues. Always make sure to addslashes(), and if you don't want HTML outputting when you come to retrieve it, use either strip_tags() or htmlentities() depending on the desired effect. Personally I go down the route of making a parsing class for all my database ins/outs and $_GET's.

Just some small points that should hopefully help - generally it seems like a good work in progress, so keep it up, and if you want some further help post up some code and I'll take a look. (:
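As an added illustration of points 1 and 4 above (example code written for this page, not webtuto's script or YouNeek's parsing class): the email check uses filter_var(), the database write uses a PDO prepared statement in place of addslashes() so the input is never spliced into the SQL text, and output is escaped with htmlspecialchars(). The users table and its columns, the sample inputs and the in-memory SQLite database are assumptions made for the example.

```php
<?php
// Added example, not code from the thread. Table/column names (users,
// username, email, password_hash) and the sample inputs are constructed.

function validate_registration(array $post): array
{
    $errors = [];

    $username = trim($post['username'] ?? '');
    // A narrow allow-list: the value cannot carry quotes, markup or control chars.
    if (!preg_match('/^[A-Za-z0-9_]{3,20}$/', $username)) {
        $errors[] = 'Username must be 3-20 letters, digits or underscores.';
    }

    $email = trim($post['email'] ?? '');
    // filter_var() checks the name@domain shape; it does not prove the mailbox exists.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Email address is not valid.';
    }

    $password = $post['password'] ?? '';
    if (strlen($password) < 8) {
        $errors[] = 'Password must be at least 8 characters.';
    }

    return ['errors' => $errors, 'username' => $username, 'email' => $email, 'password' => $password];
}

function register_user(PDO $db, string $username, string $email, string $password): bool
{
    // Parameters travel separately from the SQL text, so a quote in the input
    // can never change the meaning of the query (the SQL injection case in point 4).
    $stmt = $db->prepare(
        'INSERT INTO users (username, email, password_hash) VALUES (:u, :e, :h)'
    );
    return $stmt->execute([
        ':u' => $username,
        ':e' => $email,
        // Store a salted hash, never the password itself.
        ':h' => password_hash($password, PASSWORD_DEFAULT),
    ]);
}

function show_article(array $row): string
{
    // Escape on output so stored text is displayed literally instead of being
    // interpreted as HTML by the browser.
    return '<h2>' . htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8') . '</h2>'
         . '<p>'  . htmlspecialchars($row['body'],  ENT_QUOTES, 'UTF-8') . '</p>';
}

// Usage with an in-memory SQLite database (constructed for the example).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, email TEXT, password_hash TEXT)');

// Bad input: all three fields are rejected, including the quote-laden username.
$bad = validate_registration(['username' => "bob' OR '1'='1", 'email' => 'not-an-email', 'password' => 'short']);
foreach ($bad['errors'] as $e) {
    echo $e, "\n";
}

// Good input: validated, then inserted through the prepared statement.
$ok = validate_registration(['username' => 'alice', 'email' => 'alice@example.com', 'password' => 'correct horse']);
if (!$ok['errors'] && register_user($db, $ok['username'], $ok['email'], $ok['password'])) {
    echo "registered\n";
}

// Stored text containing markup is rendered as text, not executed.
echo show_article(['title' => 'Hello <script>alert(1)</script>', 'body' => 'Plain text']), "\n";
```

The validation step decides what is acceptable before anything reaches the database; the prepared statement then makes the query safe regardless of what slipped through, and escaping at output time keeps stored content from being rendered as HTML. Those are three separate controls, and the example keeps them separate on purpose.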

Alan @ CIT 01-04-2008 07:20 PM

Your redirects didn't work for me unfortunately - when I tried to register I got a webpage (http://webtutotest.freehostia.com/news/reg2.php) with the following on it:

Code:

<meta http-equiv='refresh' content='0;url=login.php'
Using IE7.

Alan

WinSrev 01-04-2008 10:09 PM

You might wanna make an index file:
Index of /news

webtuto 01-04-2008 11:24 PM

About your suggestions, YouNeek:

1 - I didn't pay attention to security in this script, and about email, I don't know how to do what you said :'-(

2 - Yeah, well, I just forgot; it is fixed now.

3 - Yes, I'm gonna use them later when I finish everything in that script.

Thanks dude for the help and criticism.
------------------------------------------------
Alan @ CIT
Well, it works for me and maybe others!!! I didn't get that problem; well, I'm using Firefox.
------------------------------------------------
WinSrev
Well, yes :D

sketchMedia 01-09-2008 02:22 PM

Sorry, I haven't looked at your script fully yet; I will do when I get some time.

I think there is an option within IE7 to enable META REFRESH; this could explain why it wasn't working for Alan. I believe it can be enabled/disabled in the Internet Security settings. I haven't got IE7 atm as I am on Linux, so I can't test this theory; failing that, it's most likely to be another 'random feature' of IE7.

Why not use:

PHP Code:

header('Location: login.php'); 

instead of using the refresh, or did you want to have a short delay before the redirect?

webtuto 01-09-2008 02:27 PM

I didn't use header because when I use it, it gives me an error :s

sketchMedia 01-09-2008 07:30 PM

If it's the classic 'headers already sent' error, then use an output buffer like so:

PHP Code:

ob_start(); // start the output buffer; put this at the start of the page

// do some stuff

header('Location: login.php');

ob_flush(); // or ob_end_flush() if you want to close the buffer as well as flush it 

Just remember that in order for anything to get back to the browser you must call:
ob_flush(); so that the buffer is flushed to the browser.

That should stop that error, as it keeps all output in a temp 'buffer' so that when you flush it everything gets sent at the same time, thus solving the 'Headers already sent' error.

Hope that helps

webtuto 01-09-2008 07:43 PM

Thanks, I'm gonna remember that in my next projects, thanks :D

NathanH 02-20-2008 10:54 PM

I had the 'headers already sent' error message several times on my pages. I found that if I wrote my includes/requires after the header('Location: ...') then it worked.

For example, I had:

PHP Code:

<?php
require("config.php");
require("userheader.php");
require("usernav.php");

// *some more code*

header('Location: home1.php');
?>

If I put the 2nd and 3rd requires at the end of the PHP code (after the whole script) then I didn't receive any errors. That's what I found anyway :)

Pete 02-21-2008 10:56 AM

Yeah, php.net on headers says you can't have output of any kind on the site and then a header; I believe this includes whitespace. So to get it to work, your statement has to be one of the first things you do, without using echo, print or just plain HTML.

Nor 02-21-2008 01:06 PM

Quote:

Originally Posted by sketchMedia (Post 8017)
Sorry, I haven't looked at your script fully yet; I will do when I get some time.

I think there is an option within IE7 to enable META REFRESH; this could explain why it wasn't working for Alan. I believe it can be enabled/disabled in the Internet Security settings. I haven't got IE7 atm as I am on Linux, so I can't test this theory; failing that, it's most likely to be another 'random feature' of IE7.

Why not use:

PHP Code:

header('Location: login.php'); 

instead of using the refresh, or did you want to have a short delay before the redirect?

Well :-P
PHP Code:

header("refresh: 1; url=login.php"); 

:)

Quote:

I had the 'headers already sent' error message several times on my pages. I found that if I wrote my includes/requires after the header('Location: ...') then it worked.
OR putting
PHP Code:

ob_start(); 

at the top of your pages, or in your config and include it in all your pages; boom, perfect ;).
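Pulling the redirect advice from this post and the earlier ones (sketchMedia, NathanH, Pete) together, as an added example rather than code from anyone in the thread: ob_start() is the first statement so that includes which print something no longer break header(); the helper checks headers_sent() so a late redirect fails loudly instead of being silently ignored; it supports the delayed Refresh header shown above; and it calls exit after redirecting, which none of the snippets in the thread do. The require_login() function and the $_SESSION['user_id'] key are assumptions made for illustration, not part of webtuto's admin_cp.php.

```php
<?php
// Added example, not code from the thread. Nothing, not even a blank line,
// may precede the "<?php" tag, otherwise that whitespace is already output.
ob_start(); // buffer everything the page prints until we decide what to send

// Redirect the browser, optionally after a delay in seconds (the "Refresh"
// header shown in the thread), then stop the script. Only same-site relative
// paths are accepted, so the destination cannot be taken from user input to
// send a visitor to another site.
function redirect_to(string $path, int $delay_seconds = 0): void
{
    // Reject absolute URLs ("http:", "//host", "javascript:" ...): a redirect
    // target built from request data must stay on this site.
    if ($path === '' || preg_match('#^(?:[a-z][a-z0-9+.-]*:|//)#i', $path)) {
        throw new InvalidArgumentException("refusing to redirect to: $path");
    }
    if (headers_sent($file, $line)) {
        // Output already reached the browser, so header() would be ignored;
        // fail explicitly instead of redirecting "sometimes".
        throw new RuntimeException("cannot redirect: output already started in $file on line $line");
    }
    if ($delay_seconds > 0) {
        header("Refresh: $delay_seconds; url=$path");
    } else {
        header("Location: $path");
    }
    // Throw away whatever the page had buffered (a half-built login form, stray
    // whitespace from an include) and stop. Without exit, the code below the
    // redirect on a protected page still runs for a visitor who is not logged in.
    ob_end_clean();
    exit;
}

// Guard for an admin page. Session handling is assumed for the example; a real
// page would call session_start() before this.
function require_login(): void
{
    if (empty($_SESSION['user_id'])) {
        redirect_to('login.php');
    }
}

// Page body: anything printed before the redirect is buffered, not sent, so the
// header() inside redirect_to() still works.
echo "<!-- building page -->\n";
require_login();
echo "Admin-only content\n";
```

The check for an absolute URL matters because redirect destinations often end up driven by a request parameter (a "return to" URL after login); keeping them relative to the site closes that door. The exit is the part the thread leaves out: a header() call only asks the browser to go elsewhere, it does not stop PHP from running the rest of the page.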