please check out my college final project

16 Replies - 2865 Views - Last Post: 25 April 2009 - 04:14 PM

#1 dreamincodehamza (D.I.C Regular; Reputation: -12; Posts: 349; Joined: 12-September 08)
Posted 12 September 2008 - 03:25 PM

My project is basically a simple online banking system which offers basic services towards customers,
and
please tell me how it is and how much it needs to improve, and in which
areas I should work more to get the grade A.
Waiting for your valuable reply.

The website link is shown below:

main page
http://76.163.166.21...r/main_page.php

and
on the LEFT side of the menu click on the link onlin_banking;
then it will ask you for login name and password.
Then enter the username 123456 and the password 123,
enter the site and explore the following options.


Waiting for the valuable replies.


Replies To: please check out my college final project

#2 pr4y (Location: 127.0.0.1; Reputation: 35; Posts: 621; Joined: 19-September 08)

Posted 25 September 2008 - 07:30 AM

Well, I've checked it out... tested the admin page and login page for SQL injection vulnerabilities... none found. Seems like you put a LOT of work into this. Obviously you have a lot of knowledge of website security, which is always a very good thing to have.

A few bugs I've found:

CAPTCHA IMAGE - doesn't always work... 4/5 times it worked, but I'm not sure why this happened. Tested 20 times (I know the submit was correct) and still got errors about 20% of the time.

NEWSLETTER - not sure if it works. I noticed that after you sign up, it outputs:

Name: $email

Not sure if this is just an improperly declared variable or if you forgot to <?php echo $email ?>

ACCOUNT REGISTRATION - data input check isn't working properly. ALL fields were filled out, and upon clicking submit, I get a "Please enter characters in the name field" error.

All in all, seems like a very complete and well put together website.

You'll get an A. :)

This post has been edited by pr4y: 25 September 2008 - 07:33 AM


#3 dreamincodehamza

Posted 25 September 2008 - 12:43 PM

Thank you so much for checking my site.
I will check all these errors soon.

If anyone else has time to check, then
please check it and tell me the bugs in it.

#4 William_Wilson (lost in compilation; Reputation: 207; Posts: 4,812; Joined: 23-December 05)

Posted 25 September 2008 - 01:45 PM

General:
You may want to take a look at the styles; it displays pretty weird if JS is disabled. If you are OK with that, then don't worry about it.

I must also ask that you remove the marquee tags; they are a horrible excuse for a tag and should never really be used, on top of the fact that they will not work in most browsers.

You are abusing the crap out of tables; there are all kinds of empty cells to align things. You should probably look at doing this with CSS and divs instead for the most part.

Your folders are viewable by manually removing the file names. Not a huge exploit, but it should be protected against.

On the left it says "currency ratess" with the extra s.

Captcha:
1) The background colours are too distinct from the characters and could easily be scripted around.
2) Captchas should be used when creating an account, not when logging in. I suppose it offers extra security, but anyone who has stolen the login information is going to have no issues typing in a captcha as well.
3) It should not be case sensitive.

Login:
Passing the session id value in the form is a bad idea on both the login and forgot password; these should be retrieved server side.

SQL injection does appear to be prevented +1

#5 dreamincodehamza

Posted 25 September 2008 - 03:47 PM

Mr William_Wilson,
how should I protect all my website pages which are viewable on the web without extension? Please tell me about that.
-----------------------------------------------
And "passing the session id value in the form is a bad idea on both the login and forgot password, these should be retrieved server side."
So what should I do? Is there any alternative solution for that? Can you illustrate with an example?
-----------------------------------------------

"captchas should be used when creating an account, not when logging in, i suppose it offers extra security,"
Can you explain it again please,
and what other security type or thing is required over here?
-----------------------------------------------
How should I check whether JS is disabled or not?
Please explain it to me.
-----------------------------------------------
Waiting for your valuable comments

This post has been edited by dreamincodehamza: 25 September 2008 - 03:50 PM


#6 William_Wilson

Posted 25 September 2008 - 04:05 PM

To protect your folders you edit the permissions, making it so that users cannot view the folders. A value of 711 is reasonably secure for most folders. You may want to look into permissions or chmod for folders.

Session IDs are part of the session data; I assume that's how you are creating this value in the first place. Instead of passing the value as part of the form, you should have on the php file which is the method of the form $id = $_SESSION['id']; to access the value. There is always the possibility of modifying this value with javascript injection or other methods from within the form.

A captcha is not commonly used when logging in. Captchas are meant to prevent automated scripts from activating a form, such as spamming comments or creating countless accounts. I don't see the need for having one just to sign in; it should instead be a part of the account creation.

You would need to ensure that the styles and code handle JS enabled or not. You could add a <noscript>Javascript is required to view this site properly</noscript>, or something to that effect, and it will only show up if JS is not enabled. There is no way to see if JS is enabled in php; you can only check if the browser has JS capabilities, unfortunately.

#7 dreamincodehamza

Posted 25 September 2008 - 05:00 PM

Really, thank you so much for your valuable time.
But
after your post I have tried this code to check the JS, but nothing happened.
If JS is disabled, as you know, the php code will not be shown; just a blank page will be output,
I think.
But using this code both texts are output by the browser IE.
What should I do now?

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Untitled Document</title>
<noscript>
  Please enable the scripting 
</noscript>
</head>

<body>
<?php
	echo '<br>testing no script';
?>
</body>
</html>

And

Captcha: why I use this.
Because to avoid the robot script. I have read from somewhere that
robot scripts try to login again and again, so to protect login I have
used this.

I think I should check the php folder permission functions from php.net.
OK, if I have all the functions, then where should I put those functions?
And
tell me one thing: do I have to apply the folder permission now to
protect each folder in my website?

Again waiting for your valuable comments

#8 William_Wilson

Posted 25 September 2008 - 05:19 PM

noscript tags go in the body of the document, not the head.

I understand why you use the captcha; I just think in use users would become annoyed by continually having to enter captcha values. Websites usually combat the scripts you speak of by having a limit to the number of login attempts to an account or from an IP, thus locking out an account or IP if that count is exceeded.

You do not need to use functions to set the permissions; you can set them manually on the folders using FTP software, etc. Most will offer check boxes for each setting, so understanding the chmod values is not necessary.

#9 dreamincodehamza

Posted 25 September 2008 - 05:26 PM

Really nice for the chmod;
I understand what you said about chmod,
but if I need to apply chmod manually, then is there any
php function for it?
And

now I have put the code in the body of the current page, but still the same thing is happening.
Can you please try it in your IE browser? I have disabled the JS in IE and tried this
code, but both lines are showing....
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
 <title>Untitled Document</title>
</head>

<body>
<noscript>
  Please enable the scripting 
</noscript>
<?php
	echo '<br>testing no script';
?>
</body>
</html>

and
number of login tries: account or IP if that count is exceeded.
Then I think it requires a database table for inserting the
number of tries for a particular IP address.
Am I right, or should anything else be possible?

#10 William_Wilson

Posted 25 September 2008 - 05:29 PM

A function would make chmod easier for sure.

noscript only shows up when JS is disabled; it does not stop php code from being rendered. The echo call would show up with or without the noscript tags. All they are for is informing the user that they do not have JS enabled and they need to have it enabled.

A database isn't really necessary; a session variable could handle it as well. If you aren't using a database, how are you handling the usernames and passwords?
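The two pieces of advice above (post #6: read the account id from the session on the server instead of passing it through the form; posts #8 and #10: lock an account or IP after too many failed logins) put into one login handler. This is an added example written for this thread, not code from the poster's project. It assumes PHP 7.1 or later, and the user table and the attempt store are constructed in-memory arrays standing in for the site's database; the demo credentials are the ones given in the first post.

```php
<?php
// Added example for this thread, not code from the poster's project.
// Assumptions: PHP 7.1+ (typed returns, short list syntax, password_* API);
// $users and $attempts are constructed in-memory arrays that stand in for the
// site's database and must be replaced by DB queries in the real site.
declare(strict_types=1);

const MAX_ATTEMPTS    = 5;    // failures allowed per account/IP pair before lockout
const LOCKOUT_SECONDS = 900;  // lockout window: 15 minutes

// Constructed sample user table (the thread's demo credentials), hashed with
// bcrypt via password_hash(); the password itself is never stored.
$users = [
    '123456' => ['id' => 1, 'hash' => password_hash('123', PASSWORD_DEFAULT)],
];

// Pre-computed hash used for unknown usernames so the failure path costs the
// same as a real password check (no username enumeration by response time).
$dummyHash = password_hash('not-a-real-password', PASSWORD_DEFAULT);

// Constructed attempt store: "username|ip" => [failure count, window start].
// In production this belongs in a DB table, not in $_SESSION: a bot that
// discards its session cookie would otherwise start with a fresh counter.
$attempts = [];

function attemptKey(string $username, string $ip): string
{
    return $username . '|' . $ip;
}

function isLockedOut(array &$attempts, string $key, int $now): bool
{
    if (!isset($attempts[$key])) {
        return false;
    }
    [$count, $since] = $attempts[$key];
    if ($now - $since > LOCKOUT_SECONDS) {
        unset($attempts[$key]);      // window expired: forget old failures
        return false;
    }
    return $count >= MAX_ATTEMPTS;
}

function recordFailure(array &$attempts, string $key, int $now): void
{
    if (!isset($attempts[$key]) || $now - $attempts[$key][1] > LOCKOUT_SECONDS) {
        $attempts[$key] = [1, $now];
    } else {
        $attempts[$key][0]++;
    }
}

/**
 * Authenticates a login form that carries ONLY username and password (and the
 * captcha, if kept). On success the account id is written into $session and
 * read back from there on later pages; it is never taken from a hidden field.
 * Returns the user id, or null on failure or lockout.
 */
function login(array $users, string $dummyHash, array &$attempts, array &$session,
               string $username, string $password, string $ip, int $now): ?int
{
    $key = attemptKey($username, $ip);
    if (isLockedOut($attempts, $key, $now)) {
        return null;
    }
    $known = isset($users[$username]);
    $hash  = $known ? $users[$username]['hash'] : $dummyHash;
    if (!password_verify($password, $hash) || !$known) {
        recordFailure($attempts, $key, $now);
        return null;
    }
    unset($attempts[$key]);                 // a successful login clears the counter
    $session['user_id'] = $users[$username]['id'];
    return $session['user_id'];
}

// "Retrieve it server side" on every later page: the id comes from the session,
// so a client editing <input type="hidden" name="id" ...> gains nothing.
function currentUserId(array $session): ?int
{
    return isset($session['user_id']) ? (int) $session['user_id'] : null;
}

// CLI demonstration with constructed timestamps and IP addresses: five wrong
// passwords lock the account/IP pair, so the correct password is then refused
// from that IP but still accepted from another one.
if (PHP_SAPI === 'cli') {
    $session = [];
    for ($i = 0; $i < MAX_ATTEMPTS; $i++) {
        login($users, $dummyHash, $attempts, $session, '123456', 'wrong', '203.0.113.5', 1000 + $i);
    }
    var_dump(login($users, $dummyHash, $attempts, $session, '123456', '123', '203.0.113.5', 1010));  // NULL (locked out)
    var_dump(login($users, $dummyHash, $attempts, $session, '123456', '123', '198.51.100.7', 1010)); // int(1)
    var_dump(currentUserId($session));                                                                 // int(1)
}
```

In the web handler you would call session_start(), pass $_SESSION as $session and $_SERVER['REMOTE_ADDR'] as $ip, and call session_regenerate_id(true) right after a successful login so the session id the user had before authenticating is not the one that now carries the account. Two caveats on the counter: keying it by account and IP together means an attacker spread over many addresses still gets MAX_ATTEMPTS guesses per address, while keying by account alone lets anyone lock a victim out by deliberately failing; the usual compromise is a per-account limit that slows down (delays or a captcha) rather than hard-locks, plus a separate per-IP limit.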

#11 dreamincodehamza

Posted 25 September 2008 - 06:00 PM

We can handle it with text files as well; what do you say about it?

And
if you go to the hotmail page and your JS is disabled, then they will show you the message
without rendering the actual login code.

Any solution for noscript when using php / any alternative solution you have?

A few minutes ago I tried the chmod FTP software setting, but the server on
which I have hosted temporarily said that this server does not support chmod.
So I think I will do the permission manually.

#12 William_Wilson

Posted 25 September 2008 - 06:07 PM

Hotmail is using more than php to make this check.

javascript does not prevent any site functionality; I was merely offering an option for your users to get the best experience from your site.

You can always make some sort of javascript function call to display the login form; thus without it, the form cannot appear. The login is not the issue; mostly it is your scrolling news feed that displays overlapped. You should make this have no value or a basic value, and have the text loaded initially by javascript; thus without it, it has a default value, perhaps static text and a scroll bar.

This post has been edited by William_Wilson: 25 September 2008 - 06:08 PM


#13 dreamincodehamza

Posted 25 September 2008 - 06:15 PM

Yeah, I understand, but

my file type is php and noscript is not running in IE,
but it is working properly in Safari and Firefox.
What does that mean,
and in which browser are you trying to execute?

#14 William_Wilson

Posted 25 September 2008 - 06:20 PM

I am not going to answer your questions in more than 1 thread; please pick one and stick with it.

#15 dreamincodehamza

Posted 25 September 2008 - 06:31 PM

Anyone else like to help?