
Comments system - need testers


Question

Hey,

I have coded up my comments feature for my website - it's in beta mode, so it's not live. I just need you to check it out for me, try it out, test it, try to hack it, etc.

It's got edit and delete capabilities as well. So if you post a comment, it will allow you to edit and delete it.

Just give it a go - feedback is great :)

Thanks!

p.s: http://beta.touch-innovation.com/details-70/#comments

Thanks again!

https://www.neowin.net/forum/topic/663154-comments-system-need-testers/

7 answers to this question



1. You don't escape the stored name, email or website. Try entering this for each:

'><script>alert("test");</script>

2. You are doubly escaping the name. If you enter

<b>test</b>

You see

Posted by <b>test</b> on the Thursday 21st of August 2008 at 1:42pm

3. You probably shouldn't use email addresses for deleting/editing; they're not hard to guess, especially since a lot of people will probably have addresses like [email protected]

4. You should use POST requests for rating, since someone could do this:

<img src="https://beta.touch-innovation.com/index.php?mode=rate&id=70&cid=0&vno=5">

If they put that in a busy page, every single person viewing it would give their program a 5 and they would go to the top very quickly.

See:

index.php?mode=rate&id=70&cid=0&vno=5

Everyone viewing this thread will now rate it 5

Edited by Banjo
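The four points above map onto four small fixes. The following Python is an added example written for this page; it is not code from the post, from Banjo, or from the touch-innovation site (whose PHP is never shown here). It shows output-time escaping for point 1, the double-escape bug from point 2 reproduced side by side with the correct version, an unguessable per-comment edit secret in place of the email check from point 3, and a POST-only rating handler with a per-session CSRF token for point 4. `SERVER_SECRET`, `handle_rate`, `issue_edit_secret` and the sample names are assumptions and constructed inputs, not anything the site actually uses.

```python
import hashlib
import hmac
import html
import secrets

# Constructed inputs modelled on the payloads in the reply above (not real submissions).
XSS_NAME = '\'><script>alert("test");</script>'
BOLD_NAME = "<b>test</b>"

# Hypothetical server-side secret; a real deployment would load it from config.
SERVER_SECRET = secrets.token_bytes(32)


def render_comment(name: str, body: str, posted_on: str) -> str:
    """Point 1: escape each field exactly once, at output time.

    The raw submission is stored unchanged; HTML-escaping happens only when
    the value is written into a page, so '<script>' never reaches the browser
    as markup and '<b>' is shown literally, once.
    """
    return (
        f'<div class="comment"><p>{html.escape(body)}</p>'
        f"<p>Posted by {html.escape(name)} on {html.escape(posted_on)}</p></div>"
    )


def render_comment_double_escaped(name: str, body: str, posted_on: str) -> str:
    """The bug from point 2: escaping on store *and* on render.

    html.escape('<b>') is '&lt;b&gt;'; escaping that again yields
    '&amp;lt;b&amp;gt;', which the browser displays as '&lt;b&gt;'.
    """
    stored_name = html.escape(name)  # escaped on the way in ...
    return render_comment(stored_name, body, posted_on)  # ... and again on the way out


def issue_edit_secret(comment_id: int, store: dict) -> str:
    """Point 3: instead of 'same email address', hand the poster an unguessable
    per-comment secret (e.g. set in a cookie) and keep only its hash server-side."""
    secret = secrets.token_urlsafe(32)
    store[comment_id] = hashlib.sha256(secret.encode()).hexdigest()
    return secret


def may_edit(comment_id: int, presented: str, store: dict) -> bool:
    """Constant-time comparison of the presented secret against the stored hash."""
    expected = store.get(comment_id)
    if expected is None:
        return False
    digest = hashlib.sha256(presented.encode()).hexdigest()
    return hmac.compare_digest(expected, digest)


def csrf_token(session_id: str) -> str:
    """Point 4: per-session token derived from SERVER_SECRET, embedded in the rating form."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def handle_rate(method: str, params: dict, session_id: str, ratings: dict) -> int:
    """Rating endpoint that defeats the <img src="...mode=rate..."> trick.

    Returns an HTTP-style status code. A GET (what an <img> tag or a crawler
    sends) is refused outright (405); a POST must carry this session's CSRF
    token (403 otherwise); 'vno' must be a whole number from 1 to 5 (400).
    """
    if method != "POST":
        return 405
    token = str(params.get("csrf", ""))
    if not hmac.compare_digest(token.encode(), csrf_token(session_id).encode()):
        return 403
    try:
        vno = int(params.get("vno", ""))
    except ValueError:
        return 400
    if not 1 <= vno <= 5:
        return 400
    ratings.setdefault(params.get("id", ""), []).append(vno)
    return 200


if __name__ == "__main__":
    print(render_comment(XSS_NAME, "hello", "21 August 2008"))
    print(render_comment_double_escaped(BOLD_NAME, "hello", "21 August 2008"))
    votes: dict = {}
    print(handle_rate("GET", {"id": "70", "vno": "5"}, "sess1", votes))
    print(handle_rate("POST", {"id": "70", "vno": "5", "csrf": csrf_token("sess1")}, "sess1", votes))
    print(votes)
```

Two design notes: the CSRF token is derived from the session rather than stored, so the server needs no extra table, but it must then be tied to a real session cookie so that the attacker's page cannot obtain it; and refusing GET is what also stops the search-engine indexing the site owner mentions in the reply, since crawlers only follow links, not forms.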

Wow, I had forgotten about this thread!

I'll just go through the things you said:

1.) I fixed that a few days ago

2.) Yeah, fixed that ages ago as well :p

3.) Email is only one of many checks; it also checks that your IP address matches (and more, but security through obscurity :p)

4.) That's very true, because search engines index it, which makes ratings inaccurate. I'll do that now (POST) :)

Thanks a lot btw :)
