Web Site Critique

powerman (Gawd; joined May 21, 2002; 562 messages)
I'm about 95% of the way done with a new web site and I was wondering if any of you would be willing to offer any suggestions about the design of it. The purpose of the web site is to list local service providers (such as roofers, painters, IT pros, etc.). The providers are listed on the site and then can be rated by consumers who use their services. Consumers also can post a project that they need help with and service providers will respond with an estimate (when possible and applicable).

One of the worries that I have is ensuring that the ratings are done by consumers who have truly used the services of the providers. For this reason, I am requiring all providers to verify the name of the consumer and/or the purchase number for each rating. The providers don't get to see what the rating is, just the name of the consumer and their purchase number if they chose to enter one. Sure, it's obvious that a provider won't accept a rating from a customer that they have had trouble with, but I think it's better than just accepting all of the ratings. Any suggestions for a more streamlined approach?

I don't want to let all of the ratings through to ensure that the ratings are accurate. But at the same time, it can't be too much of a hassle to rate providers or nobody will bother with it. I'm really looking for a compromise.

Please let me know if you experience any 403.9 "server too busy" errors. I had a few of these when debugging but I think it was from an infinite loop in my code. :eek:

I'm planning to clear the database of the debug companies and projects that I've listed. There are already a few companies waiting in line to become listed.

I've really spent a lot of time working on the site and I'm glad to finally be rolling it out pretty soon. I'd very much appreciate any last minute tips so that I can tweak the site before its first unveiling.

My whole idea was to find an effective way to network with several other companies in the area. I think this site will generate several good leads for me and others. I can stand there and BS to someone for five minutes, but I think they would remember me longer if I got them some referrals and put money in their pocket. The best way to get referrals is usually to help someone out first. :)

I almost forgot, the site is _____________

Thanks for the help!
 
My initial thought is there is too much text on your landing page.

Most users are not like the average [H]ard|Forum user - they won't spend 1+ minutes on a page. They have short attention spans...

Since your target audience is "end-users," my opinion is that you should get to the point more quickly on your home page.

Is that the "holy grail" css? I love that look :) IMO, nice color scheme, etc.
 
Spellcheck. You might want to get a grammar geek to proof the site.

"This will allow you to post your compnay name..."

"We are a group of remdolling contractors..."

"Past customers of service providers listed on our web site rate the service they received after its completed."

Where is this?

This is the former College Hill home of William T. Simpson, one of the three founders ARMCO Steel.
What does that have to do with the site? :confused:

Register? Not without a clearly stated privacy policy.

Current Projects - I would reorder it with most recent first. Looks stale when you show the oldest first.

I see a big problem in using frames to mask the re-direct. Your html pages contain nothing but frameset info, there is no indexable content for the search engines to index.

Since it's CincyService, I presume you service the Cincinnati area. But nowhere do I see that mentioned. You want to zoom in on keywords that would help potential users find the site.

Use page titles wisely, and make them descriptive to each page.

Good luck with it. :)
 
Thanks for the replies so far. I'm working on a spell check of the site and thinking of some ways to get to the point faster.

As for the large image of the house, my idea was to post a unique photo of somewhere around town every couple of months to change things up. Sort of like a "have you seen this" game. I am a real estate agent so there will likely be a heavy concentration of real estate businesses listed on the site. I wanted to let all businesses in on the site because its main purpose to me is to help develop a large contact list. However, my focus is more toward real estate businesses - but all are welcome.

As for the site forwarding, I use GoDaddy and I told them to mask the site so the .com domain name shows up in the address bar instead of my freebie non-.com DNS domain name. I use a different domain name (________) as my DNS service. Basically, I need a DNS service and a .com domain name. Is there a way in classic ASP to change the URL in the viewer's browser? Honestly, I had no idea that GoDaddy was using a frame for that.

Thanks again.
 
I'm not a web designer, but as a visitor, I'd prefer that the picture of the tree be a little better quality.
 
As for the site forwarding, I use GoDaddy and I told them to mask the site so the .com domain name shows up in the address bar instead of my freebie non-.com DNS domain name. I use a different domain name (____________) as my DNS service. Basically, I need a DNS service and a .com domain name. Is there a way in classic ASP to change the URL in the viewer's browser? Honestly, I had no idea that GoDaddy was using a frame for that.
Hosting isn't that expensive these days. Why in the world would you want to mask the domain so it can go to a freebie when that is the worst possible thing you could do to ensure that the site won't get indexed by search engines?
 
The first thing that struck me was it's too "dense" with words. I think you need to be more creative with the use of color, padding and whitespace to separate the different sections out a bit. Right now, nothing is drawing my attention to anywhere on the page in particular, so it's easy to get information fatigue.

Also mix the fonts up a little more; the overwhelming amount of Verdana quickly gets boring. Maybe try a little Georgia for the headings.

frames...why?

The navigation section looks like it would work much better in a horizontal format with dropdowns. The Login, Contact and Register links probably don't belong there either; maybe make them separate links apart from your nav links.
 
Dense with words? It's nice that it has some content, unlike so many of the sites we're asked to review here.

But that content is still off. It reads like someone who got a "C" in composition in high school wrote it.

Why do you have an empty robots.txt?

"Realtors" is a circle-R, so you should fix that before trouble starts.

Your biggest blunder is forgetting that it's the world wide web. Your service is very local, but you don't explain where it is. That makes getting hits from localized search engines unlikely, and makes it hard for users to decide if they want to keep reading or not.

It's very amateurish, overall, because of these faults.

The "provider search" page is broken. And it's broken in such a way that makes it obvious the page is a target for SQL injection attacks. I could delete your database, if I wanted to.

Sorry to harsh your deal, but I hope you can accept the feedback that you asked for in the spirit that it was intended.
 
Your registration page is vulnerable to SQL injection, too.

This is a basic mistake, and your site is covered in it. You should take the site down until you fix it. Seriously.
 
Your biggest blunder is forgetting that it's the world wide web. Your service is very local, but you don't explain where it is. That makes getting hits from localized search engines unlikely, and makes it hard for users to decide if they want to keep reading or not.




I thought the CINCYservice gave it away. Unless, of course, it's not in Cincinnati which would be kinda weird...



But I agree with the second half of said quoted text.
 
I thought the CINCYservice gave it away.
Believe it or not, many Americans don't know that "Cincy" is a colloquialism for Cincinnati. People in Canada, Japan, Kuwait, Afghanistan, and so on, are very unlikely to know that, too.

Did you really think they did?

Even so, I have to browse many pages at that site before I find the word "Ohio". Local services (like Yahoo! Local, Live Local, and Google's Local thing) are unlikely to appropriately index the site for localized searches, as a result. They, too, it turns out, don't know that "Cincy" means "north central Kentucky, plus south east Indiana, and a bunch of south-western Ohio".
 
I see that you're storing your user passwords as plaintext. That's really bad.

In case it wasn't clear, please take down the site until you can figure out how to make it more secure. I'm not exaggerating.
 
Your registration page is vulnerable to SQL injection, too.

This is a basic mistake, and your site is covered in it. You should take the site down until you fix it. Seriously.

qft.

There are plenty of spammers out there that run "SQL Injection Crawlers" (similar to this one). They look for sites with the easiest-to-exploit vulnerabilities (the low-hanging fruit) and add links to their spam/scam sites to boost their search engine rankings and attract new customers.

Just validate your form data with a regular expression. All form data should probably only contain a-z A-Z 0-9 . _ - @ (you could expand the rules for the password field if you want; make sure you specifically allow characters people might use in their password). Don't allow , ; unless you will specifically handle those characters.

Even better, find a tutorial on stored procedures. That will cover you against the other 1% of sql injection attacks :)
 
I see that you're storing your user passwords as plaintext. That's really bad.

In case it wasn't clear, please take down the site until you can figure out how to make it more secure. I'm not exaggerating.

Perusing his database while you wait for him to take it down I see?

User passwords should never be stored in plaintext in case your database is compromised. In case of a successful hack, you could tell your users that some of their personal information was compromised, but at least their password was encrypted... because a lot of users will keep the same password on many sites. (and, FYI, this is one of the reasons that is a bad idea).

This is low priority compared to making your website web-safe... but when you do get around to encrypting user passwords, it's very easy! Almost all databases have an MD5 function built in.... so your authentication check becomes

Code:
SELECT * from USERS where username='$username' and password=md5('$password');

And similarly, you save their password in the database with:

Code:
INSERT into USERS (username,password) VALUES ('$username', md5('$password'))

Then the only time their password is sent in plaintext is when they login to your website and that only happens once.

(of course, the syntax will be different depending on your choice of programming language / SQL server)
 
Perusing his database while you wait for him to take it down I see?
I was surfing around to try and find out how long it would be before I found "Ohio" on a page, or "Cincinnati", and I stumbled on another input page. When I stuffed it full of badness, the error message included information I could use to do more evil.

It's a real liability. And it's sad that vulnerable pages are more plentiful than pages which would tell me where the target market for the site is.
 
So basically every field that I get from a form by Request() needs to be checked? Does this include hidden input types?

I would think the bad characters are ' = % ; Are there any others to watch out for in particular? I'll just allow spaces, letters, numbers and periods.

Instead of trying to filter these characters, would it be valid to change them to something else? For example, what if I changed all occurrences of ' to ASCII code 15? Then I would just need another function to convert back when I read the data.

The security issues from SQL injection are only within the database, right? It's not like someone could get onto a PC from it? It seems like the maximum damage would be removing all of the data in the DB or taking it. There isn't anything too private that would be in the DB, but I want to keep it secure nonetheless.
 
You could insert PHP/ASP/ETC code into the database. A clever hacker could then execute said (arbitrary) code.

And yes, the characters you listed are some of the worst offenders. Replacing them with a different character is a good strategy. Another strategy is to escape bad characters.. but this can be dangerous as it is hard to consider every possible series of characters a hacker might submit.... so I always go with the regular expression approach.
 
You shouldn't worry about characters; you should bind your parameters instead of concatenating strings. That way, you're on your way to unbreakable (just like Larry Ellison).

Yes, someone can get into the machine through SQL Injection. There might have to be multiple attack vectors open, though.

Since you store the passwords as plain text, and since you've blown the SQL injection thing, someone could get the content of the database -- including the email addresses and passwords, in plain text. People are pretty poor with passwords, so it's likely I can use a bunch of those passwords and email addresses to log in to other sites and recover all sorts of other information, impersonate stuff, and so on.

Why do you think the contact information that people enter into the site isn't "too private"?
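The two pieces of advice above (validate input with an allowlist regex, and bind parameters instead of concatenating strings) side by side, as an added example that is not code from the site or from any poster in this thread. It uses Python's sqlite3 as a stand-in for the site's database and a constructed providers table; the "provider search" page in the thread is classic ASP, where the equivalent of the bound query is an ADODB.Command with Parameters rather than a concatenated SQL string. The UNION payload shows what "stuffing it full of badness" can read back: a password column from another table.

```python
import re
import sqlite3

# Constructed sample rows standing in for the site's providers and users tables (assumption).
SAMPLE_PROVIDERS = [
    ("Acme Roofing", "roofer"),
    ("Bright Paint Co", "painter"),
    ("Cincy IT Pros", "it"),
]


def make_db():
    """Build an in-memory database with a providers table and a users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE providers (id INTEGER PRIMARY KEY, name TEXT, category TEXT)")
    conn.executemany("INSERT INTO providers (name, category) VALUES (?, ?)", SAMPLE_PROVIDERS)
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'secret')")
    conn.commit()
    return conn


def search_vulnerable(conn, name):
    """Provider search built by string concatenation: the input becomes SQL text."""
    sql = "SELECT name FROM providers WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, name):
    """Same search with a bound parameter: the input is data, never parsed as SQL."""
    sql = "SELECT name FROM providers WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# Allowlist in the spirit of the thread's suggestion: letters, digits, space, . _ - @
NAME_RE = re.compile(r"[A-Za-z0-9 ._@-]{1,64}")


def looks_well_formed(name):
    """Defense in depth: True only if the whole string matches the allowlist."""
    return NAME_RE.fullmatch(name) is not None


def search_hardened(conn, name):
    """Reject malformed input up front, then query with a bound parameter."""
    if not looks_well_formed(name):
        return None  # the page would show a validation error here
    return search_parameterized(conn, name)


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"
    exfil = "' UNION SELECT password FROM users --"
    print("vulnerable, tautology:", search_vulnerable(db, tautology))   # every provider
    print("vulnerable, union:    ", search_vulnerable(db, exfil))       # includes 'secret'
    print("parameterized:        ", search_parameterized(db, tautology))  # []
    print("hardened:             ", search_hardened(db, exfil))         # None (rejected)
```

The allowlist alone is not the fix: a field that legitimately needs an apostrophe (O'Brien Roofing) would have to be rejected or mangled, whereas the bound parameter handles it without any special-casing. Use the regex to reject junk early and the parameter binding to make the query itself injection-proof.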
 
Well, the whole point of the site is for businesses to get their contact information out there :p The only field in the DB that isn't shown on a non-password-protected page is the username/password. It's not like I'm getting their SSN or credit card number so I wasn't trying to make it ultra tight. But nonetheless, I'm working on fixing it so that my data doesn't get wiped out and the passwords are safe.

I wasn't really even thinking of an overly secure site since just about all the data in the DB is shown freely anyway. I don't really see much of a motive to try and get in the DB except for the user's password. I suppose it would be worth it for that.
 
Perhaps you don't have the right attitude to be running websites.
 
I wasn't really even thinking of an overly secure site since just about all the data in the DB is shown freely anyway. I don't really see much of a motive to try and get in the DB except for the user's password. I suppose it would be worth it for that.

All you need to do is follow the money. What is the motivation to hack your site? Well, the higher your PageRank is, the more "valuable" outgoing links are. Outgoing links to spammer/scammer sites gives them more credibility (in the eyes of the search engine) and also there is a chance your users will follow them.

Spammers/scammers/hackers could also setup your website to install malware on your users' machines. Perhaps they get paid a flat rate for every machine they are able to compromise?

Then there is the good 'ol email list. A good targeted list of email addresses can fetch a few dollars.

And in case we weren't clear... it doesn't take any effort at all to hack an unsecured website! There are 1001 website "vulnerability" scanners out there. They are "designed" to help you secure your website, but hackers write programs that use this software to automatically crawl the web and do their bidding.

I could go on and on and on but any one of these reasons should be more than enough to convince you to either invest in a good programmer or research security best practices yourself. You only have one reputation!

And, btw, kudos for getting some tech-savvy users to do a (free) peer review on your site for you. Most people in your shoes would just go live with their site...
 
Perhaps you don't have the right attitude to be running websites.

Security is definitely important. However, the entire contents of the DB is visible on the site except for user/pass. The site is different from most others in that way. At first, I just wanted to make sure I wasn't going through the hassle of protecting a DB full of public data. I can see where it's important to keep passwords secure, which is why I'm fixing the problem. I'll admit the passwords are something I overlooked. The rest of the data is shown without a login though since it's an advertising site.

Anyway, I do appreciate your help and I'm working on fixing it. It shouldn't be too hard to encrypt the passwords and some of the other data.

Do you guys encrypt the entire DB? Is there a setting in MySQL to just encrypt by default? Is there anything else to watch out for besides the SQL injections?

Security for the machine is important too and a whole different issue. I have all the latest updates and only the needed ports are opened. What else do you guys do?
 
Security for the machine is important too and a whole different issue. I have all the latest updates and only the needed ports are opened. What else do you guys do?
Where is the machine? It also has to be physically secured.

I'd turn off the friendly ASP errors. They expose a lot of useful information about the site.
 
Dense with words? It's nice that it has some content, unlike so many of the sites we're asked to review here.

actually, read the rest of what i said. i don't have any problems with content, its just that in this case it needs to be better organized so users can more easily identify the different sections on the page.
 
Do you guys encrypt the entire DB? Is there a setting in MySQL to just encrypt by default? Is there anything else to watch out for besides the SQL injections?

Encrypting your database will not fix your ASP vulnerabilities. The only field you can encrypt is the password field because md5/aes & other hashing algorithms are one-way.
i.e., lets say your user picks a password of a1b2c3

Now, you save md5('a1b2c3') in your database.
md5('a1b2c3') = 9f281214ccca357beb1ef1b46b0b4012
So now you have 9f281214ccca357beb1ef1b46b0b4012 in your database.

This is only really useful for ONE thing. That is... when a user logs in you want to make sure md5('WHATEVER USER ENTERS') = 9f281214ccca357beb1ef1b46b0b4012

See how that works?

If you encrypted other info like... the user's city, then the database would contain a bunch of random letters/numbers. This would not be useful...
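The store-the-hash, recompute-on-login flow described in this post and in the earlier SELECT/INSERT snippets, as an added example that is not code from the site or from any poster. It shows the thread's unsalted MD5 version next to a salted, iterated PBKDF2-HMAC-SHA256 version, which goes beyond what the thread suggests: the salt makes two users with the same password store different values, and the iteration count slows down offline guessing if the table is ever dumped through one of the injection holes discussed above. The in-memory `users` dict and the constructed sample accounts stand in for the site's USERS table.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumption: tune upward as hardware allows


def md5_store(password):
    """The thread's approach: store md5(password). No salt, so equal passwords collide."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def md5_check(password, stored):
    """Login check for the md5 scheme: recompute and compare in constant time."""
    return hmac.compare_digest(md5_store(password), stored)


def pbkdf2_store(password, salt=None):
    """Salted, iterated hash. Output encodes algorithm, iterations, salt and digest."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def pbkdf2_check(password, stored):
    """Parse the stored record, recompute with the stored salt and iteration count, compare."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


# Precomputed record used when the username does not exist, so a failed login takes
# the same time either way and usernames cannot be enumerated by timing.
_DUMMY_RECORD = pbkdf2_store("dummy-password")


def register(users, username, password):
    """Equivalent of the INSERT in the thread: store only the hash, never the password."""
    users[username] = pbkdf2_store(password)


def login(users, username, password):
    """Equivalent of the SELECT in the thread: look up the record and verify the hash."""
    stored = users.get(username)
    if stored is None:
        pbkdf2_check(password, _DUMMY_RECORD)
        return False
    return pbkdf2_check(password, stored)


if __name__ == "__main__":
    # Constructed accounts; both pick the same password, as real users often do.
    print("md5 alice:", md5_store("a1b2c3"))
    print("md5 bob:  ", md5_store("a1b2c3"))        # identical: one crack reveals both
    accounts = {}
    register(accounts, "alice", "a1b2c3")
    register(accounts, "bob", "a1b2c3")
    print("alice:", accounts["alice"])
    print("bob:  ", accounts["bob"])                 # different salts, different records
    print("login ok:", login(accounts, "alice", "a1b2c3"))
    print("login bad:", login(accounts, "alice", "wrong"))
```

The constant-time comparison (`hmac.compare_digest`) matters less than the salt and iteration count, but it costs nothing. The stored record carries its own parameters, so the iteration count can be raised later for new registrations without invalidating existing logins.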
 
Believe it or not, many Americans don't know that "Cincy" is a colloquialism for Cincinnati. People in Canada, Japan, Kuwait, Afghanistan, and so on, are very unlikely to know that, too.

Did you really think they did?

Even so, I have to browse many pages at that site before I find the word "Ohio". Local services (like Yahoo! Local, Live Local, and Google's Local thing) are unlikely to appropriately index the site for localized searches, as a result. They, too, it turns out, don't know that "Cincy" means "north central Kentucky, plus south east Indiana, and a bunch of south-western Ohio".



Wow, you loooove being a jackass don't you?:rolleyes:


Obviously, this site is catered to a certain group of people, all of whom know what the term 'cincy' means.

Why don't you loosen your belt and chill...for once :rolleyes:
 
Wow, you loooove being a jackass don't you?:rolleyes:

Be nice to the guy that exposed multiple SQL injection attacks to you for free.

That sort of vulnerability analysis would normally cost $5,000+.... and he gave it to you for free. And then you call him a jackass?

Do you want him to drop your databases for you? Lucky for you, he's a nice guy and probably won't...
 
Be nice to the guy that exposed multiple SQL injection attacks to you for free.

That sort of vulnerability analysis would normally cost $5,000+.... and he gave it to you for free. And then you call him a jackass?

Do you want him to drop your databases for you? Lucky for you, he's a nice guy and probably won't...




Oh he exposed them to me? Just to me? Too bad my life doesn't revolve around databases.
 
And then you call him a jackass?
Rayman thinks anyone who dares not share his opinion is a jackass. I'm used to that response from him; it's the third or fourth time he's run that trick on me.

I don't think he's the site owner, BTW -- it's powerman's site.
 
Rayman thinks anyone who dares not share his opinion is a jackass. I'm used to that response from him; it's the third or fourth time he's run that trick on me.

I don't think he's the site owner, BTW -- it's powerman's site.




See, it's not that, Mike.


Its whatever I post (or you post), we BOTH have differing opinions. I post my ideas, and you respond in your own witty, jackass-ish way. That's what pisses me off. Why do you have to act like such a smart alec?


And don't generalize. I've never called anyone with differing opinions a jackass, besides you. You see, other people have tact when they share their opinions. I've never read a post by you where you WEREN'T a jackass.


BTW, OP, why'd you edit your URL out?
 
Where did the link go???

As far as mikeblas goes, you just have to get used to his style of critique and acknowledge his level of expertise. I think a lot of people mis-interpret what he is trying to say by means of poor contextual judgement. If you look at it from a different point of view, it's all help and suggestions in a manner that is much more motivational than "cool website dude ... ummm change the colors and stuff and it would be the awesomest site ever!"

A lot of times we want positive feedback on stuff that needs work, but thats really not what you should be looking for, and he's great at pointing that out ;)

I get ripped a new one by him every time I post about a better way to do something. I take what he says, research it, and find that it yields much better results. If I have problems with what he says, he continues to help until either:

A) I understand, or
B) I give up and do it my way for small practical purposes

Take your pick
 
Where did the link go???
I think Powerman took it down while he reworks the database layer. I expect he'll post it again when things are safe so that we can take another pass at the site.

I get ripped a new one by him everytime I post of a better way to do something. I take what he says, research it, and find that it yields much better results. If I have problems with what he says, he continues to help until either:
I'm glad you can take my posts in the spirit in which they're intended. Mostly, anyways!
 
mikeblas said:
I'm glad you can take my posts in the spirit in which they're intended. Mostly, anyways!

I'd just like to add that I respect your opinions too. You know a heck of a lot more about DB security than I do. IIRC, you're the one who turned me on to prepared statements and I am forever grateful for that.
 
Wow, someone has a problem with Mike, you know, the book writer who spends god knows how much time here helping people, for free.

Rayman... What's *your* problem? If someone asks for a critique, and they get one, is that a bad thing?
 
oh yeah, good point.
See? I helped even you, though you were over-the-top rude to me. I don't know if you'll read this or not, but I think you're going to save yourself a lot of time by skipping messages which you're unable to find use for.

I'd just like to add that I respect your opinions too. You know a heck of a lot more about DB security than I do. IIRC, you're the one who turned me on to prepared statements and I am forever grateful for that.

Happy to help, and I'm glad you've got sustained value from what you discovered.
 
Wow, someone has a problem with Mike, you know, the book writer who spends godknowshowmuch time here helping people, for free.
Well, it's not like I don't learn stuff, too.
 
Crap, you all are feeding his ego.

Oh well, I'm out. I guess I'm not worthy to post in the same thread with the poster child of all that is good and mushy :rolleyes:
 