Please test my new PHP-MySQL site!

[RohanShenoy]

URL: http://www.MHT-CET-Online.com

Purpose: Helps me conduct online test series.

Langauge: PHP and MySQL (and lil bit of javascript).

How to use the site:
1. Check for availability of username. register if available
2. Choose the question paper available and click OK.
3. Once the question paper loads, please select your answers using the radio buttons.
4. Submit the answer sheet to evaluate. Evaluations will be saved into databse.

If encounter any 404 file not found, please let me know the link which you followed.

For programmers and white hat hackers:
Do let me know if you come across any security hole. I have observed the below measures:
1. All input validated on server side
2. No cookies used at all to store any information.


Thank you.
-Rohan Shenoy

[jtyoungs]

worked fine for me in firefox 2 (mac)

congrats

[c010depunkk]

Registration:
You can copy/paste your email into the second field. Either prevent that or don't require the retype....

Login:
I registered successfully, but when I login, the control panel display once and when i refresh the page, I am no longer logged in.....

[RohanShenoy]

Quote:

Originally Posted by jtyoungs

worked fine for me in firefox 2 (mac)

congrats

Nice to know that. I didn't test on Mac!(I use Windows XP)
Thanks!

[RohanShenoy]

Quote:

Originally Posted by c010depunkk

Registration:
You can copy/paste your email into the second field. Either prevent that or don't require the retype....

Quote:

Originally Posted by c010depunkk

Login:
I registered successfully, but when I login, the control panel display once and when i refresh the page, I am no longer logged in.....

It a security measure. I don't want to use cookies. Hence this problem. The problem with cookies is that they cannot be created/read/deleted/modifiedif I use a .exe compiler on client machines.

[c010depunkk]

So how is the login supposed to work???

[Daniel]

Rohan you'll need to use some sorta cookie else users wont be able to do anything

[RohanShenoy]

@Daniel,
The students will not use the usual browser such as IE, FF, Opera, etc. to take the test. They will access it through a .exe file (made using ebook compiler). The exe files such created are not capable of handling cookies, neither opening multiple windows.

@c010depunkk
Login will just authenticate the user and send him to his student control panel. And yes, none of the URL which you see in your address bar will be visible to the student.

[Daniel]

Rohan if you do not have a cookie then whenever the student moves to a different page they will be logged out.

[alexgeek]

Use sessions then?

[Rakuli]

Quote:

Use sessions then?

Sessions in PHP still need a cookie for the best security. If you don't use cookies the session ID is passed from page to page in the query string and then anyone can access that session with the url.

[RohanShenoy]

Quote:

Originally Posted by Daniel

Rohan if you do not have a cookie then whenever the student moves to a different page they will be logged out.

Try that, they won't be logged out. Ofcourse, if they try to bookmark and page and then access it, or copy-paste the URL from one window to another, they will be logged out.

[Daniel]

Please test my new PHP-MySQL site!

See.

[RohanShenoy]

Quote:

Originally Posted by Daniel

Please test my new PHP-MySQL site!

See.

[c010depunkk]

Without cookies or session the users don't stay logged in for more than one page load..... Then what's the point of the login system?

[RohanShenoy]

Quote:

Originally Posted by c010depunkk

Without cookies or session the users don't stay logged in for more than one page load..... Then what's the point of the login system?

Did you take the test there?It can keep you logged in for more than one page load.

[Rakuli]

How is it you are doing that?

You surely must be using a session cookie or appending PHPSESSID to the query string...

Or perhaps it works for the tests because it is a form sending data from one page to the next..

If you're not using the above methods then state won't be maintained across pages unless you send it via GET or POST. If you are relying on form data this opens a security hole as well.

[c010depunkk]

nope, after submitting the first page, i get a "validation failed".....

[RohanShenoy]

Quote:

Originally Posted by Rakuli

How is it you are doing that?

You surely must be using a session cookie or appending PHPSESSID to the query string...

Or perhaps it works for the tests because it is a form sending data from one page to the next..

If you're not using the above methods then state won't be maintained across pages unless you send it via GET or POST. If you are relying on form data this opens a security hole as well.

Yeah, data is sent using forms.

[RohanShenoy]

Quote:

Originally Posted by c010depunkk

nope, after submitting the first page, i get a "validation failed".....

Yeah, every script that is supposed to take a input from the user and interact with database will validate it. If validation fails due to malicious input or null input, validation fails and 'Validation Failed' is returned.