My project is basically a simple online banking system which offers basic services towards customers. Please tell me how it is and how much it needs to improve, and in which areas I will work more to get the grade A. Waiting for your valuable reply.
On the LEFT side of the menu, click on the link onlin_banking; then it will ask you for a login name and password. Enter 123456 as the username and 123 as the password, enter the site and explore the following options.
Well, I've checked it out... tested the admin page and login page for SQL injection vulnerabilities... none found. Seems like you put a LOT of work into this. Obviously you have a lot of knowledge of website security, which is always a very good thing to have.
A few bugs I've found:
CAPTCHA IMAGE - doesn't always work... 4/5 times it worked, but I'm not sure why this happened. Tested 20 times (I know the submit was correct) and still got errors about 20% of the time.
NEWSLETTER - not sure if it works. I noticed that after you sign up, it outputs:
Name: $email
Not sure if this is just an improperly declared variable or if you forgot to <?php echo $email ?>
ACCOUNT REGISTRATION - data input check isn't working properly. ALL fields were filled out, and upon clicking submit, I get a "Please enter characters in the name field" error.
All in all, it seems like a very complete and well put together website.
You'll get an A.
This post has been edited by pr4y: 25 Sep, 2008 - 06:33 AM
General: You may want to take a look at the styles; it displays pretty weirdly if JS is disabled. If you are OK with that, then don't worry about it.
I must also ask that you remove the marquee tags; they are a horrible excuse for a tag and should never really be used, on top of the fact that they will not work in most browsers.
You are abusing the crap out of tables; there are all kinds of empty cells to align things. You should probably look at doing this with CSS and divs instead for the most part.
Your folders are viewable by manually removing the file names. Not a huge exploit, but it should be protected against.
On the left it says "currency ratess" with an extra s.
Captcha: 1) The background colours are too distinct from the characters and could easily be scripted around. 2) Captchas should be used when creating an account, not when logging in. I suppose it offers extra security, but anyone who has stolen the login information is going to have no issues typing in a captcha as well. 3) It should not be case sensitive.
Login: passing the session ID value in the form is a bad idea on both the login and forgot password pages; these should be retrieved server side.
Mr William_Wilson, how should I protect all my website pages which are viewable on the web without an extension? Please tell me about that.
-----------------------------------------------
And "passing the session id value in the form is a bad idea on both the login and forgot password, these should be retrieved server side." So what should I do? Is there any alternative solution for that? Can you illustrate with an example?
-----------------------------------------------
"captchas should be used when creating an account, not when logging in, i suppose it offers extra security," can you explain it again please, and what other security type or thing is required over here?
-----------------------------------------------
How should I check whether JS is disabled or not? Please explain it to me.
-----------------------------------------------
Waiting for your valuable comments.
This post has been edited by dreamincodehamza: 25 Sep, 2008 - 02:50 PM
To protect your folders you edit the permissions, making it so that users cannot view the folders. A value of 711 is reasonably secure for most folders. You may want to look into permissions or chmod for folders.
Session IDs are part of the session data; I assume that's how you are creating this value in the first place. Instead of passing the value as part of the form, you should have, in the PHP file that the form submits to, $id = $_SESSION['id']; to access the value. There is always the possibility of modifying this value with JavaScript injection or other methods from within the form.
A captcha is not commonly used when logging in. Captchas are meant to prevent automated scripts from activating a form, such as spamming comments or creating countless accounts. I don't see the need for having one just to sign in; it should instead be a part of the account creation.
You would need to ensure that the styles and code handle JS being enabled or not. You could add a <noscript>Javascript is required to view this site properly</noscript>, or something to that effect, and it will only show up if JS is not enabled. There is no way to see if JS is enabled in PHP; you can only check if the browser has JS capabilities, unfortunately.
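The session-ID point above, shown as an added example (not code from the thread or the project): the weak pattern reads the id back out of a hidden form field, the hardened handler takes it only from the server-side session. It assumes login stores $_SESSION['id']; the field name sid and the file name login.php are illustrative.

```php
<?php
// Added example, not the original poster's code.
// Assumes the login script already does $_SESSION['id'] = <account id>.
session_start();

// Weak pattern: the handler trusts an id the browser sent back.
// Anyone can edit the hidden <input name="sid"> before submitting, so the
// returned value is attacker-controlled and must never select an account.
function weakAccountId(array $post): ?string
{
    return isset($post['sid']) ? (string) $post['sid'] : null;
}

// Hardened pattern: the id never leaves the server. The form only needs the
// session cookie, so there is nothing in the form for the client to tamper with.
function sessionAccountId(): ?int
{
    if (!isset($_SESSION['id']) || !is_int($_SESSION['id'])) {
        return null;   // not logged in: refuse, never fall back to $_POST
    }
    return $_SESSION['id'];
}

// Handler side (e.g. the file the login or forgot-password form submits to):
$id = sessionAccountId();
if ($id === null) {
    header('Location: login.php');   // assumed login page name
    exit;
}
// ... continue with $id. If a value must round-trip through the form, make it
// a per-form CSRF token that is compared against the session, not trusted as-is.
```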
Really, thank you so much for your valuable time. But after your post I tried this code to check the JS script, and nothing happened. If JS is disabled, as you know, the PHP code will not be shown, just a blank page will be output, I think. But using this code both texts are output by the browser IE. What should I do now?
<body> <?php echo '<br>testing no script'; ?> </body> </html>
And
Captcha: why do I use this? Because to avoid the robot script. I have read somewhere that robot scripts try to login again and again, so to protect login I have used this.
I think I should check the PHP folder permission functions from php.net, OK? If I have all the functions, then where should I put those functions? And tell me one thing: do I have to apply all the folder permissions now to protect each folder in my website?
noscript tags go in the body of the document, not the head.
I understand why you use the captcha; I just think that in use, users would become annoyed by continually having to enter captcha values. Websites usually combat the scripts you speak of by having a limit on the number of login attempts to an account or from an IP, thus locking out an account or IP if that count is exceeded.
You do not need to use functions to set the permissions; you can set them manually on the folders using FTP software, etc. Most will offer check boxes for each setting, so understanding the chmod values is not necessary.
Really nice. For the chmod, I understand what you said about chmod, but if I need to apply chmod manually, then is there any PHP function for it? And
now I have put the code in the body of the current page but still the same thing is happening. Can you please try it in your IE browser? I have disabled JS in IE and tried this code, but both lines are showing....
<body> <noscript> Please enable the scripting </noscript> <?php echo '<br>testing no script'; ?> </body> </html>
And for the number of login tries by account or IP, if that count is exceeded then I think it requires a database table for inserting the number of tries for a particular IP address. Am I right, or should anything else be possible?
noscript only shows up when JS is disabled; it does not stop PHP code from being rendered. The echo call would show up with or without the noscript tags. All they are for is informing the user that they do not have JS enabled and they need to have it enabled.
A database isn't really necessary; a session variable could handle it as well. If you aren't using a database, how are you handling the usernames and passwords?
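The login-attempt limit William_Wilson describes, as an added example that is not the thread's or the project's code. It counts failures per client IP in a small JSON file with a lockout window rather than in the session, because a session-only counter is discarded whenever the client simply drops its cookie; the file path, limits, window and the verifyCredentials call are assumptions.

```php
<?php
// Added example, not the original poster's code. Per-IP failed-login counter
// kept in a JSON file (assumed path; it must sit outside the web root).
const ATTEMPT_FILE   = __DIR__ . '/../login_attempts.json';
const MAX_FAILURES   = 5;     // assumed limit
const WINDOW_SECONDS = 900;   // assumed window: 15 minutes

function loadAttempts(): array
{
    $raw  = @file_get_contents(ATTEMPT_FILE);
    $data = $raw === false ? [] : json_decode($raw, true);
    return is_array($data) ? $data : [];
}

function saveAttempts(array $data): void
{
    file_put_contents(ATTEMPT_FILE, json_encode($data), LOCK_EX);
}

// True when this client may still try to log in.
function loginAllowed(string $ip, int $now): bool
{
    $data = loadAttempts();
    if (!isset($data[$ip])) {
        return true;
    }
    [$count, $firstFailure] = $data[$ip];
    if ($now - $firstFailure > WINDOW_SECONDS) {
        return true;   // window expired, the old count no longer applies
    }
    return $count < MAX_FAILURES;
}

// Call after every attempt: failures are counted, success clears the record.
function recordAttempt(string $ip, bool $success, int $now): void
{
    $data = loadAttempts();
    if ($success) {
        unset($data[$ip]);
    } elseif (!isset($data[$ip]) || $now - $data[$ip][1] > WINDOW_SECONDS) {
        $data[$ip] = [1, $now];          // first failure in a fresh window
    } else {
        $data[$ip][0]++;
    }
    saveAttempts($data);
}

// In login.php, before checking the password (verifyCredentials is your own check):
// $ip = $_SERVER['REMOTE_ADDR'];
// if (!loginAllowed($ip, time())) { http_response_code(429); exit('Too many attempts'); }
// $ok = verifyCredentials($_POST['user'] ?? '', $_POST['pass'] ?? '');
// recordAttempt($ip, $ok, time());
```

Locking by IP alone can lock out a shared proxy and misses an attacker who rotates addresses, so keying the same counter by account name as well is the usual pairing.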
We can handle it with text files as well. What do you say about that?
And if you go to the Hotmail page and your JS is disabled, then they will show you the message without rendering the actual login code.
Any solution for noscript when using PHP, or any alternative solution you have?
A few minutes ago I tried the chmod FTP software setting, but the server on which I have hosted temporarily said that this server does not support chmod. So I think I will do the permissions manually.
Hotmail is using more than PHP to make this check.
JavaScript does not prevent any site functionality; I was merely offering an option for your users to get the best experience from your site.
You can always make some sort of JavaScript function call to display the login form; thus without it, the form cannot appear. The login is not the issue; mostly it is your scrolling news feed that displays overlapped. You should make this have no value or a basic value, and have the text loaded initially by JavaScript; thus without it, it has a default value, perhaps static text and a scroll bar.
This post has been edited by William_Wilson: 25 Sep, 2008 - 05:08 PM