Developing a site with a possibility of linking to ones site for free

[marasm]

Hi there,

I'm thinking about developing a page where everyone can add a link to their site for free. I have several concerns so I'm asking experiences php devs for help.

First of all I'm not asking if this is something what can bring any benefit for me or if it is silly or not. The point is what are risks of such an idea.

Let me explain the concept of the idea:
- the page will contain 2 textboxes for title and url of the site,
- there will be select with categories,
- there will be some mechanism for preventing robots from filling the form - don't know yet what will it be (captcha, basic question, etc.),
- the data will be stored in db (after it's validated and after I'm sure that any kind of sql injection or hacking is not possible).

That's it for now - it's just a prototype of the idea.

Does anyone have any experience with similar problem?
Any thoughts or comments?
Would you like to put a link to your site on such a portal?

[zen-r]

The complexity of this will obviously be based on how much "vetting" you want to do on the data entered.

Are you going to allow obscenities in the title, or links to sex sites, for example? The potential for abuse is quite high.

The easiest way would be to just allow submissions by email, & to vet them yourself!

Maybe you're intending this form as the first stage of the submission process, with you then vetting the entries yourself before they make it onto your site?


I can't help you with your other questions I'm afraid. Perhaps someone else can answer the technical stuff?..........

[marasm]

Wow zen-r, it looks like you spend a lot of time here ;)

Thanks for your answer. Yeah, the plan is to doublecheck every site before displaying the link on the page. I need to create some rules that page has to conform to.

I will probably create a script that displays only confirmed and validated pages. And an admin panel for me to see the pages with pending validation. Additional functionality might be blocking ips from possibility of submitting new urls and so on.

[slacker3]

just escape and validate every user input, but that should be done for every website...

i suggest you take an opensource guestbook script and modify it a little,
maybe
http://www.carbonize.co.uk/Lazarus/

[marasm]

Thanks slacker,

I'm pretty sure I'm able to create such a mechanism on my own without using some 3rd party code. One never knows what errors can be found in such a code and reviewing it can take much more than developing it from scratch. Validating user input is not a problem.

I think I'll finish the page today or tomorrow so I'll probably ask x10 members to try to break the code.

Cheers,
Maras

[slacker3]

open source code should be quite secure and readable most of the times,
but you're right, writing stuff yourself is never a bad idea


breaking code ?
thats sounds like fun, tell us when you are ready.. :fruit:

[marasm]

Ok, finished. You can try to add your links here and make some harm to my site - I have backup of the whole site and db ;)

http://marasm.pl/add-link/

Still need to create admin panel for me.

[slacker3]

well, i didn't spend much time on your site but i have to say it looks fine..

now to the code:
it's possible to get urlencoded things trough you may not want, you are allowing only the charset "a-z 0-9 ? & _ - % . : # /" but it's easy to circumvent this by encoding the url like this :

somwhere.com&buysome%3Dpizza&amount%3D1000

%3D would evaluate to "=", which is not in your charset, see
http://ha.ckers.org/xss.html for examples and an urlencoder

it may also be possible to get sql injections trough with this, but i guess you're escaping the string anyway before storage

[marasm]

Hi slacker,

Thanks again for your answer. You're right, one can encode all characters using %code. However, I'm checking all the urls manually before putting them on the site. The only reason why I created the set of allowed chars is a need of protection against sql injection (which I should not even care about as the user which is used to store the data in db has not any privileges that could harm the db).

Besides I allow urls with = as there are many sites with dynamic links ( http://example.com?page=123 ), I just forgot to put the char in the list.

Thanks anyway for your help
If you want me to put a link to your site on the featured list, just let me know.

Cheers,
Maras

[slacker3]

"If you want me to put a link to your site on the featured list, just let me know."

this would be fine

i think of creating an exam simulation for LPIC-1 (linux's MCSA) some time in the future, you can read more about lpi at http://www.lpi.org/eng/certification/the_lpic_program


there are no training-simulations available on the web with updated questions
(new objectives since 1.4.09) and i believe this would generate some traffic


to clarify: no braindumps, just an test with the similar amount and quality of questions to get prepared for the real exam