Ask HN: Feedback on project - iSloth

Looking for any constructive feedback on my little php/MySQL project http://whatportis.com - negative or positive comments are all welcome.

Thanks!
======
nbpoole
<http://whatportis.com/index.php?port=%27>

<http://php.net/manual/en/security.database.sql-injection.php>

~~~
iSloth
Cheers, I missed out my SQL cleaner in a few places; it should be a lot better now
:) I will give it another check soon.

~~~
eropple
"my SQL cleaner"

Warning bells. Correct practice is to use PDO or MDB2 and prepared statements
for SQL access. You should never need a "SQL cleaner".

~~~
wizard_2
I have to second prepared statements. You won't have to change your code too
much to use them, and they are way too important not to use. They can even lead
to speedups if you're going to reuse queries.

~~~
iSloth
The errors shown on the site were actually from a misguided hack I performed to
log all search variables into a database; unfortunately I forgot to apply the
correct SQL protection techniques that I normally do throughout the rest of
the site and created the vulnerability. *slaps self on head*

Apologies for the confusion, I am not actually using a SQL cleaner; in fact,
with brutal honesty, I don't actually know what one is. I was using the term to
reference my usual methods/techniques for keeping SQL 'clean' from injection
attempts.

I am fairly happy with my current SQL setup and the way it protects from
injection, obviously when I code it correctly; however, I will certainly look
into using fully prepared SQL. Currently I do something 'similar' using my
objects, so it would probably be very easy to implement.

Thanks for all of the feedback so far and for pointing out the flaws; in fact the
logs I have gotten from people 'testing' my SQL protection have helped a lot!

~~~
eropple
_I am fairly happy with my current SQL setup and the way it protects from
injection_

In all seriousness: you shouldn't be, because it clearly doesn't protect in
all cases. ("Failed to wrap a query in a magic function to make it sort of
safe" is part of "all cases.") You have demonstrated, by neglecting to use
your "correct SQL protection techniques," why non-prepared statements are
absolutely terrible. You _cannot_ have the error you just did if you train
yourself not to use direct SQL queries, regardless of library. Querying via
MDB2 or PDO (or doctrine-dbal, which is a superset of PDO) means you have to
intentionally and willfully do something very out-of-the-ordinary to pass in
raw data as a SQL query, instead of being forced to wrap your queries in some
slipshod, maybe-works-maybe-doesn't homegrown function that has not been
rigorously tested.

Don't reinvent the wheel. Safe SQL queries are a solved problem.
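
The pattern eropple is warning about in this comment and the one above, as an added example that is not whatportis.com's code: the concatenated query that breaks on `index.php?port=%27`, beside the PDO prepared-statement version. It assumes a hypothetical `ports(port, name)` table, a hypothetical `search_log` table for the logging change iSloth mentioned, and a PDO connection `$pdo`.

```php
<?php
// Added example, not the site's code. Hypothetical tables:
// ports(port INT, name VARCHAR) and search_log(term VARCHAR, searched_at DATETIME).

// BEFORE: the value from ?port=... is interpolated straight into the SQL text.
// A request like index.php?port=%27 yields  WHERE port = '''  and a MySQL
// syntax error, which is the failure nbpoole linked. Any homegrown "cleaner"
// that must be remembered at every call site will eventually be skipped,
// exactly as happened with the search-logging hack.
function lookupPortUnsafe(PDO $pdo, string $port): array
{
    $sql = "SELECT port, name FROM ports WHERE port = '" . $port . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// AFTER: a prepared statement. The SQL text is fixed; the user value is sent
// as a bound parameter, so it can never alter the query's structure, and
// there is no per-call escaping step to forget.
function lookupPort(PDO $pdo, string $port): array
{
    $stmt = $pdo->prepare('SELECT port, name FROM ports WHERE port = :port');
    $stmt->bindValue(':port', $port, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The logging path that introduced the bug is written the same way, so it is
// no weaker than the lookup path.
function logSearch(PDO $pdo, string $term): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO search_log (term, searched_at) VALUES (:term, NOW())'
    );
    $stmt->execute([':term' => $term]);
}

// Connection settings are placeholders. Throwing on errors avoids silently
// continuing after a failed query; disabling emulation uses real server-side
// prepares so MySQL itself separates code from data.
$pdo = new PDO('mysql:host=localhost;dbname=DB_NAME', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

$port = $_GET['port'] ?? '';
logSearch($pdo, $port);
foreach (lookupPort($pdo, $port) as $row) {
    // Escape on output as well; the same untrusted value is going into HTML.
    echo htmlspecialchars("{$row['port']}: {$row['name']}", ENT_QUOTES, 'UTF-8'), "\n";
}
```

With `?port=%27`, `lookupPortUnsafe` throws a syntax error while `lookupPort` simply returns no rows.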

~~~
iSloth
I do agree that I should consider implementing non-direct SQL; however, I am
'fairly happy' with my current set-up as it does work and protect (when used
correctly).

I will certainly look at non-direct SQL; however, I just don't feel it's my
number 1 priority at the moment, especially when the template isn't even
rendering in some browsers.

------
benologist
Some general feedback:

- on the statistics, link the top ports to their info.

- provide more information, like how to open or forward ports etc.

- your URL format would be so much easier if you could just type
whatportis.com/xxxx or whatportis.com/keyword rather than the index.php stuff

- it's not clear you can search for software that uses a port; you do say
name, but it would be more clear if it said something like "80, http, world of
warcraft" or whatever

- "is this port open on my computer/server/whatever"

~~~
iSloth
Thanks, you can actually search using the URL, for example
<http://whatportis.com/80> or <http://whatportis.com/http>, just need to edit
the page so it passes the variable like this, not through the usual GET syntax
like it is at the moment.

A few of the things I know need doing are:

- More content for the users and also the search engines, as they don't appear
to index much of the site; maybe even remove the javascript tabs and have
distinct pages to help the search engines a bit more...

- Edit the search page to pass variables through the URL (cleanly)

- Somehow improve the search system; very basic search at the moment and
probably returns too many results for some parameters.

I do agree the statistics page definitely needs some work doing to it, such as
there is the same port listed a few times in the top 5 as there are so many
records for it.

Really like the 'this port is open on my computer' idea, although I don't want to look
like I am attacking all of my users with port scans, so might make that a
manual click to check.

~~~
iSloth
Searching from the home page will now use the correct URL format, and not
index.php?port=XXX

------
sdfjkl

    $ grep 10080 /etc/services
    amanda          10080/udp   # Amanda
    amanda          10080/tcp   # Amanda

Incidentally, you're lacking this one too.

------
TuaAmin13
Competition? What about just "Contest"

For a minute I thought you were posting about competing services, then I saw
the page and was like "How is this a competition?" It should be something like
contest > X entries for following, Y for each port you enter. Weight X and Y
however.

I also agree, fonts need help.

~~~
iSloth
Contest idea is great, will work on improving that now :)

------
aam1r
Nice tool. I would love access to the API once it's public to write a bash
script that allows you to search from the terminal.

Suggestion:

- statistics: top 5 ports show only 2 distinct ports. It would be
better IMO to show 5 distinct ports

~~~
deno
> Nice tool. I would love access to the API once its public to write a bash
> script that allows you to search from terminal.

    > cat /etc/services | grep " 80/tcp"
    http 80/tcp www www-http # WorldWideWeb HTTP

~~~
reidrac
Cat is useless in that line:

    $ grep " 80/tcp" /etc/services
    http            80/tcp          www www-http    # WorldWideWeb HTTP

<http://partmaps.org/era/unix/award.html#cat>

~~~
deno
It's not useless. With cat, I don't have to remember the order of grep's
arguments.

~~~
reidrac
Interesting. With grep you need at least something to search for (one argument),
don't you? If you don't provide another argument to say "where", it reads from
standard input (as most unix commands do).

But you already know that because you're using it that way with cat. How can
you not remember the order of the arguments, then?

~~~
deno
There:

> {1} With grep you need at least something to search (one argument), don't
> you? {2} If you don't provide another argument to say "where", it reads from
> standard input (as most unix commands).

And ‘find’ is the other way around.

I just don't see any reason not to use cat. It's not like grep will use
fseek() to speed anything up if I call it with a file URI instead.

------
iambot
clickable: <http://whatportis.com>

------
brandoncordell
I think the design would benefit GREATLY from some whitespace, and using
native fonts instead of cufon.

If you're interested in better web fonts, look at Google Web Fonts.

------
iSloth
Just wanted to leave a quick message, thanks everyone!

This is probably some of the most helpful feedback I have gotten in a long
time, on any project :)

------
iambot
hey,

The nav at the top, right-hand background-image isn't rendering on my ff5/win7:
".details .tabnav li a span".

As so: <http://imm.io/7KxD>

Also, I'd stay well away from centered text if I were you. And the red
highlighted text is quite disconcerting, seeing as they aren't hyperlinks.

Hope that helps :) even if it's not technical feedback.

~~~
iSloth
Thanks for the input/images. Looks like the layout needs fixing sooner than I
thought; I would like to go for something CSS, clean and basic.

Taking inspiration from something like Server Fault; however, I am not a
designer and finding a template that matches that is hard :)

------
twism
Why canvas for rendering text?

~~~
iSloth
The design is 'temporary' and off themeforest, just to get the hack/project
live and on the web. I don't like most of TF's designs; however, this did seem
more minimal than most.

Preferably I would like something with less javascript and a lot cleaner,
just need to find a designer :)

------
drivebyacct2
Why is all of this text images? :/ Also, ripe for SQL Inject

Web fonts > Cufon

~~~
iSloth
Have fixed a lot of the SQL flaws, thanks.

Not sure what you mean by the images? You want more? And less text?

~~~
drivebyacct2
No, I just prefer native web fonts to cufon. And you're still not escaping at
least one of your queries properly unless you fixed it in the last 10 minutes.

~~~
iSloth
Hopefully it has been fixed. I've gone through all the searches over the past hour
and can't see any that are still getting through.

~~~
drivebyacct2
You must have really just fixed it. I'm not seeing the sql errors anymore.

~~~
iSloth
Indeed - Feedback is only useful when you act on it ;)