Site Review (security Analysis) - Gamecdswap - Webmasters - Nairaland

Site Review (security Analysis) - Gamecdswap by DualCore1: 8:05am On Oct 16, 2010
Ok, let me just come straight. Slyr0x, I spent about a week painfully coding this up with as much security consciousness as I could have. Go on, do your thing, please.

Link
http://sawyerrken.net/clients/gamecdswap/

Test account:
Username: sawyerrken
Password: sawyerrken

If anyone changes the password to test it, please change it back to sawyerrken after testing.

Description:
A site where people place Video game CDs they have for exchange.

Features:
Ability to add, view, delete game CD exchanges.
Ability to view member profile and also rate them.
Private Messaging among members
Game CD search based on Game name or location of Game CD owner
News board that can be edited and controlled by site admin


Slyr0x, one more thing: Check the site and assume you didn't know I was the one who did it, then tell me what server side language I used.
I think that's all.

It is my hope that no vuln is found.
Re: Site Review (security Analysis) - Gamecdswap by ogzille(m): 8:34am On Oct 16, 2010
Chai! I wanted to make some comments but...

Okay, Slyr0x, over to you.
Re: Site Review (security Analysis) - Gamecdswap by Nobody: 8:53am On Oct 16, 2010
Since you have already named Slyr0x, tasty reviewers like us have been put out of business!
Re: Site Review (security Analysis) - Gamecdswap by DualCore1: 9:18am On Oct 16, 2010
Wow. I am accepting reviews from everyone. Babes can review too.
Re: Site Review (security Analysis) - Gamecdswap by cmon(m): 11:53am On Oct 16, 2010
Nice layout and the owner of the site has a nice concept too.

My Review;

1. I tried editing a field after logging in but when I clicked on the field, all the initial text written disappeared. Leaving me a blank field. What if I just wanted to correct a simple spelling error. Does it mean I'll have to retype everything? Also it happened when I tried to edit my profile. It can drive someone who's just trying to change a character nuts

2. If I'm to send a message to admin and I mistakenly didn't fill the subject field, my entire message is lost. You need to enable some session to store my already typed text.

3. Lastly I think it will be cool if I can just click the username of a CD owner to PM him.

That's just it from it.

But really, I think the concept will sell. It's simple. Good work.
Re: Site Review (security Analysis) - Gamecdswap by DualCore1: 12:37pm On Oct 16, 2010
Cmon, thanks.

Points 1 and 2 have been taken care of. You can check again and let me know if it feels better.

Point 3, an interested exchanger may want to know some background info about the owner before PM'ing him, so that's why I am sending him to the profile so he can see the guy's rating, location, contact etc.
Re: Site Review (security Analysis) - Gamecdswap by DualCore1: 1:00pm On Oct 16, 2010
Ogzille, nice try. I can see your "drop table" handiwork. :-P
Re: Site Review (security Analysis) - Gamecdswap by sayhi2ay(m): 2:07pm On Oct 16, 2010
- put recent games on the dashboard
- change timestamp to 12 hours
- don't make me confirm that I indeed want to edit a message or save, I know what I clicked!
- categorize game types, Ps2, ps3 wii etc etc
- aggregate your ratings, you can create a modal box to show rating break down, n I will click it if I care to know
Re: Site Review (security Analysis) - Gamecdswap by DualCore1: 2:09pm On Oct 16, 2010
Thanks, will work on all your suggestions.
Re: Site Review (security Analysis) - Gamecdswap by sayhi2ay(m): 2:15pm On Oct 16, 2010
Np. Not tested the functionalities though, checked from iPad.
Why not make it open source if you are not developing for a client?
Re: Site Review (security Analysis) - Gamecdswap by DualCore1: 2:23pm On Oct 16, 2010
Its for a client.
Re: Site Review (security Analysis) - Gamecdswap by hostmot(f): 3:40pm On Oct 16, 2010
That is a well developed site,

but has your client worked out the logistics involved in carrying out the CD exchanges or will the members be handling that on their own?
Re: Site Review (security Analysis) - Gamecdswap by DualCore1: 3:46pm On Oct 16, 2010
Thanks.
He plans to leave that for the exchanging parties to decide. Will put up a disclaimer shortly.
Re: Site Review (security Analysis) - Gamecdswap by Dizzy001(m): 4:00pm On Oct 16, 2010
Nice.
No problems with it, but the following details should be important:

category of the c.d(genre,console)
date game c.d was bought
why you want to exchange/swap
then a check box for "scratches" (yes or no)
Re: Site Review (security Analysis) - Gamecdswap by DualCore1: 7:11pm On Oct 16, 2010
sayhi2ay:

- put recent games on the dashboard
- change timestamp to 12 hours
- don't make me confirm that I indeed want to edit a message or save, I know what I clicked!
- categorize game types, Ps2, ps3 wii etc etc
- aggregate your ratings, you can create a modal box to show rating break down, n I will click it if I care to know

Thanks, I have categorised games now. I have also added to the Admin panel the ability to add, edit and delete game categories. Then I have added "Console" to the side bar search criteria so users can search for games based on the desired console.

Dizzy001:

date game c.d was bought
why you want to exchange/swap
then a check box for "scratches" (yes or no)

Thanks bro. I have taken care of this on the "Add Games" page. It instructs them to add all these and other necessary info to the description field.


Meanwhile, slyr0x is nowhere to be found. Earlier on my server kicked out his IPs when he tried his voodoo. I removed him from the blacklist. He's found his way into the blacklist again, this time for "port scanning" offenses.
Re: Site Review (security Analysis) - Gamecdswap by Slyr0x: 9:19pm On Oct 16, 2010
Dual Core:

Meanwhile, slyr0x is nowhere to be found. Earlier on my server kicked out his IPs when he tried his voodoo. I removed him from the blacklist. He's found his way into the blacklist again, this time for "port scanning" offenses.

Sorry, I had some stuff to settle offline, just came online now. As for your 'overzealous' firewall, what is wrong with it? You should have told it I was a 'legal attacker'.

Anyway, I'll try cloaking, let's see how it goes. Also, I don't have access as the password 'sawyerrken' has been changed.
Re: Site Review (security Analysis) - Gamecdswap by DualCore1: 9:31pm On Oct 16, 2010
Lol sorry, the firewall is doing what I told it to do. The sawyerrken password has been reset to sawyerrken.
Re: Site Review (security Analysis) - Gamecdswap by Slyr0x: 10:59pm On Oct 16, 2010
You using PHP/5.2.14?

+

Check your logs. It seems your overzealous firewall is at it again. Still bouncing my connection around though.
Re: Site Review (security Analysis) - Gamecdswap by DualCore1: 11:13pm On Oct 16, 2010
Lol, the firewall has blocked an entire block of your IP.
41.***.*8.0/24

Mail me a list of your IPs, let me add a temporary rule to ignore them. PHP version correct. 1+
Re: Site Review (security Analysis) - Gamecdswap by Slyr0x: 11:35pm On Oct 16, 2010
Yeah, that's the range. From 41.***.*8.0 - 41.***.*8.255.
Re: Site Review (security Analysis) - Gamecdswap by DualCore1: 11:44pm On Oct 16, 2010
Range is clear now. Go in nice and steady.

Stupid question: Does this in effect mean my present firewall config will go a long way to stop the real exploits? Please answer.

I'll be online for the next couple of hours so holla me when you done so I can take off the ignore rule.
Re: Site Review (security Analysis) - Gamecdswap by Slyr0x: 12:01am On Oct 17, 2010
Answer: yeah it will, but there are a lot of ways to bypass it.

Read here --> http://www.pisa.org.hk/event/bypassfw.pdf

I'll buzz you when I'm done.

[UPDATE] You got mail bro.
Re: Site Review (security Analysis) - Gamecdswap by DualCore1: 6:04am On Oct 17, 2010
Thanks. Got it and pretty happy with the result. Thanks for your help bro.
Re: Site Review (security Analysis) - Gamecdswap by friendehis(m): 10:05am On Oct 18, 2010
Nice layout


Powerful graphics

Overall concept at the highest madness


Overall rating *****
Re: Site Review (security Analysis) - Gamecdswap by sayhi2ay(m): 2:58pm On Oct 18, 2010
- put successful registration details on the dashboard, and not the sidebar above the login info, that's not where users expect to find it

- on the welcome page: add 'Messages' quick link, and then the number of new messages , e.g Messages (3) or Messages *new

- You can have a functionality where users can click that they have interest in a game CD, but they might not have the exchange the original poster is looking for , then the poster can contact whoever is interested for alternate negotiations.

- Put the Recent available items available on another page entirely, not after the profile and account section. looks weird .

- i shouldn't be able to rate another user, unless we have had a transaction. you might need to implement another rating system though, people should be able to write a short note on feedback.

Well done!!!
Re: Site Review (security Analysis) - Gamecdswap by DualCore1: 5:34pm On Oct 18, 2010
Thanks guys,

Boss AY, thank God you are not the client. I would have gone mad by now. Thanks for your time to look into this for me. Don't go too far off the land just yet though, I am finishing up another site and would need reviews.
