#1
Http://www.liamsmart.co.uk
Hi everyone,
I have finally finished my new website. I got a lot of help from the people on this forum with doing the font-size changing thing, breadcrumbs, using arrays for the first time and much more. So I just want to say thanks! The website should work fine without Javascript as I made sure I used ASP to do the font-size thing and breadcrumbs, even though it took me a lot longer than it would have if I had just used Javascript, but it's definitely worth it. Feedback would also be nice (I know it won't be everyone's cuppa tea). Here's the link: www.liamsmart.co.uk. I got a server timeout error once or twice but think I sorted the problem. If anyone else gets that, let me know, as it will be worth posting my ASP file to see what I've done the long hard way, as I know the function to turn the first letter of the breadcrumbs into a capital is done in a longer than necessary way (I tried a short way but couldn't get it figured out).
#2
1) Admin login page is vulnerable to SQL Injection.
2) Blog is vulnerable to a stored XSS attack.
#3
Hi Memnoch,
Thanks for your reply! I went onto 4guysfromrolla and followed their article on protecting against injection. They say to use replace(myStr,"'", "''") and use CLng when passing querystrings, as anything other than a number will cause an error. Problem is now though, if a text-based querystring is used, the page returns an error. Can I use IsNumeric instead, and then do a quick IF ELSE statement? Having read a good few articles on SQL injection since reading your reply, I noticed that a lot is written about how, if a non-valid querystring is entered, an error is displayed stating the table name the query is calling. But because I'm calling an array value, the table name is never displayed in case of an error. Instead it's just the usual array-associated errors. I also looked up how to stop XSS attacks and added in validation to stop scripts being added into the DB. I read how to do this on the websites below:
http://www.4guysfromrolla.com/webtech/061902-1.shtml
http://www.nextmill.net/knowledge.php?articleid=64
Am I doing this right? And is this enough? I appreciate your help.
#4
Very nice website, congrats for the valid XHTML and CSS.
Two comments though:
#5
Quote:
Thanks for checking it out shadow! I haven't seen any problems with the ticker and no-one else has mentioned anything. I've tested it in FF2 & 3 but I will go and have a 2nd look. The forms being like that is done on purpose so each element looks like it's disabled, and when you hover over, or click them, they become active. There was a reason for that, design-wise. I didn't want big blocks detracting from the overall design, so I've tried to partially hide them just enough so they are still noticeable enough to see, but not grab too much attention. You aren't the first person to comment on them though, so I might have to scrap that idea. You helped me on a good few ASP aspects of the site (breadcrumbs if I remember correctly). I said thanks at the time but thanks again. One last request from yourself: can you give me some basic pointers on how to stop the SQL injection and XSS attacks mentioned in the first comment in this topic? I think I have done what I can. I've blocked any script getting added through the forms and replaced "'", "''" etc. I think this is enough for a small personal website, isn't it?
#6
I'm using Firefox version 3.0.3. How should the ticker behave?
Regarding the security, I fear I don't have the required experience in this. Memnoch is much better in those areas; he will have the best answer.
#7
Quote:
Only allow characters that are acceptable, such as A-Z, a-z, 0-9. Escape all potentially malicious characters, such as '. Then HTMLEncode all output, so characters such as <, >, ", etc. get rendered as & lt; & gt; & quot; <--- Spaced for display purposes.
#8
Quote:
It should behave exactly the same as the BBC's, but mine goes from right to left. I have added the random typo thing though, that spits out some random characters (sometimes), deletes them, and moves on. Is this what you are meaning? If not, can you take a screen dump and post it up?
#9
Quote:
Cheers Memnoch! I will use 'server.HTMLEncode' when outputting the recordsets then, and do what you mentioned above.
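The three steps Memnoch lists in post #7 (allowlist the input, escape the apostrophe, HTMLEncode all output) applied to a blog comment on save and on display, using Server.HTMLEncode as post #9 proposes. This is an added example in classic ASP (VBScript), not code from the thread or from liamsmart.co.uk. It assumes form fields named author and comment, a Comments table with Author, Body and Posted columns, and a ConnString variable; none of these are on the page. The point the example makes that the posts only state is the split between storage and rendering: the comment is stored as typed (after the allowlist check), and the encoding is applied every time a recordset field is written into the page, which is what defeats the stored XSS from post #2.

```vbscript
<%
' Added example (not from the thread). Assumed names: the "author" and "comment"
' form fields, the Comments table and its columns, and ConnString.
Option Explicit

' Step 1: allow only the characters a field legitimately needs. This is an
' allowlist of what may appear, not a blocklist of "<script>" and friends.
Function IsAllowed(value, pattern)
    Dim re
    Set re = New RegExp
    re.Pattern = pattern
    IsAllowed = re.Test(value & "")
End Function

' Step 2: escape the apostrophe so the value cannot terminate a SQL string
' literal (an ADODB.Command parameter is the stronger alternative).
Function SqlQuote(s)
    SqlQuote = "'" & Replace(s & "", "'", "''") & "'"
End Function

' Step 3: encode at output time, every time. "<" becomes "&lt;", so a stored
' "<script>" renders as text instead of running in the reader's browser.
Function Show(s)
    Show = Server.HTMLEncode(s & "")   ' & "" turns a Null field into ""
End Function

Dim conn
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open ConnString

' Save step: tight allowlist for the name, ordinary punctuation for the body.
Dim author, body
author = Request.Form("author") & ""
body = Request.Form("comment") & ""
If Len(author) > 0 Then
    If IsAllowed(author, "^[A-Za-z0-9 ]{1,40}$") _
       And IsAllowed(body, "^[A-Za-z0-9 .,!?'""()\r\n-]{1,2000}$") Then
        conn.Execute "INSERT INTO Comments (Author, Body, Posted) VALUES (" & _
                     SqlQuote(author) & ", " & SqlQuote(body) & ", GETDATE())"
    Else
        Response.Write "<p>Comment rejected: letters, numbers and basic punctuation only.</p>"
    End If
End If

' Display step: encode each field from the recordset before it reaches the page.
Dim rs
Set rs = conn.Execute("SELECT Author, Body FROM Comments ORDER BY Posted DESC")
Do Until rs.EOF
    Response.Write "<p><b>" & Show(rs("Author")) & "</b>: " & Show(rs("Body")) & "</p>"
    rs.MoveNext
Loop
rs.Close
conn.Close
%>
```

Because Show is applied at render time rather than before the INSERT, a comment that was stored before the fix went in is neutralised the same way as a new one, and the stored text stays usable for anything that is not HTML (a plain-text feed, for instance) without double-encoding. The allowlist patterns are the part to adjust per field; the body pattern above deliberately admits the apostrophe, which is why SqlQuote is still needed on the save path.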
Viewing: ASP Free Forums > Web Design > Site Reviews > Http://www.liamsmart.co.uk