James Cassell's Blog

Wednesday, January 31, 2007

Functional NHS Contact Form

This afternoon, I finished some code to make a test version of the contact form I have been working on operational. As of now, all received feedback goes to a test account, but duplicate copies will be sent to users if requested. If anyone wants to pound on it, the address of the test site is: test.mvnhs.com/contact/ . I'm not hyperlinking it for fear that Google might index it, and I don't trust 'rel=nofollow'. As I've said previously, I want to know about vulnerabilities sooner rather than later.


Tuesday, January 30, 2007

NHS Site Maintenance

I just completed moving everything from mvnhs.us to mvnhs.com. Previously, I had everything pointing to mvnhs.us because I didn't own mvnhs.com. The move was tedious, but I have rigged it so that anyone looking at the old address is automatically redirected to the new address.

I have been continuing work on the NHS Contact page. It is nearly complete. As of now, the system sends out an e-mail after verifying that all of the user input is acceptable. All that is left is to write a success page that is returned to the user. Once it is complete, I will probably ask for people to stress test it. I would like to know about any vulnerabilities in my code sooner rather than later.

One thing that is getting on my nerves, though not a critical problem, is the fact that PHP adds an X-PHP-Script header that has the file name of my page generator. I would rather that people didn't know what my underlying code looks like. I do know that security through obscurity isn't really security, but I still don't want people being able to see such information.


Thursday, January 18, 2007

Implementing a Contact Form on the MVNHS Site

I've been working on a contact form for the NHS site. It has proven to be much more challenging than I first anticipated. While I could just throw together a simple implementation in an hour or so, that would not serve my purposes. I have read that this type of page is often the target of an attack. I am coding very carefully, attempting to avoid any exploitable code. For example, the other night, I spent probably four hours just importing the user's name. It took so long because I had to do a lot of research, read several specifications of similar length to and including this one: Uniform Resource Identifiers (URI): Generic Syntax. So far, my work-in-progress form will take the user's name, and the user's choice from a radio button, and return back to him/her the form as it was submitted. It is going to take some time to get the whole thing done. Another reason that I want to do it correctly is because I will be graduating from Mountain View High School this year, and someone else will have to maintain it.
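As an added example (this is not the blog author's code, nor anything from the MVNHS site), here is what a contact-form handler of the kind described in this post and in the January 30 post can look like in PHP: every field is validated before mail() is called, the name and address are refused if they contain the CR/LF characters that e-mail header injection relies on, the radio-button choice is checked against a fixed allow-list, and the visitor's values are HTML-escaped before the form is echoed back. The field names, topic values and the two mailbox addresses are assumptions made for this example.

```php
<?php
// Added example, not the blog author's code: a contact-form handler that
// validates every field before calling mail(), rejects the CR/LF characters
// used in e-mail header injection, and escapes input before echoing the form
// back. Field names, topic values and mailbox addresses are assumptions.
declare(strict_types=1);

const SITE_FROM      = 'webmaster@example.org';     // placeholder sender
const FEEDBACK_TO    = 'feedback-test@example.org'; // placeholder test inbox
const ALLOWED_TOPICS = ['general', 'membership', 'events'];
const MAX_NAME_LEN   = 100;
const MAX_MSG_LEN    = 5000;

/** HTML-escape a string for output inside an HTML document. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Validate the posted fields; returns ['errors' => [...], 'clean' => [...]]. */
function validate_contact(array $post): array
{
    $errors = [];
    $clean  = ['copy' => !empty($post['copy'])];  // "send me a duplicate" box

    $name = trim((string)($post['name'] ?? ''));
    if ($name === '' || strlen($name) > MAX_NAME_LEN) {
        $errors[] = 'Name is required (at most ' . MAX_NAME_LEN . ' bytes).';
    } elseif (!mb_check_encoding($name, 'UTF-8') || preg_match('/[\x00-\x1F\x7F]/', $name)) {
        // A CR or LF in a value that reaches a mail header would let an
        // attacker append headers such as Bcc:, so control characters are refused.
        $errors[] = 'Name contains characters that are not allowed.';
    } else {
        $clean['name'] = $name;
    }

    $email = trim((string)($post['email'] ?? ''));
    // FILTER_VALIDATE_EMAIL rejects whitespace and CR/LF, so an accepted
    // address is also safe to place in a Reply-To header.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'A valid e-mail address is required.';
    } else {
        $clean['email'] = $email;
    }

    // The radio-button value is matched against a fixed allow-list.
    $topic = (string)($post['topic'] ?? '');
    if (!in_array($topic, ALLOWED_TOPICS, true)) {
        $errors[] = 'Please choose a topic.';
    } else {
        $clean['topic'] = $topic;
    }

    $msg = str_replace(["\r\n", "\r"], "\n", (string)($post['message'] ?? ''));
    if (trim($msg) === '' || strlen($msg) > MAX_MSG_LEN || !mb_check_encoding($msg, 'UTF-8')) {
        $errors[] = 'A message is required (at most ' . MAX_MSG_LEN . ' bytes).';
    } else {
        $clean['message'] = $msg;
    }
    return ['errors' => $errors, 'clean' => $clean];
}

/** Send the validated submission and, if asked, a duplicate to the visitor. */
function send_contact(array $clean): bool
{
    // From is a fixed site address; the visitor's address goes only into
    // Reply-To, so the site never sends mail claiming to come from the visitor.
    $common  = "Content-Type: text/plain; charset=UTF-8\r\n";
    $subject = 'Contact form: ' . $clean['topic'];   // allow-listed value only
    $body    = "Name: {$clean['name']}\nE-mail: {$clean['email']}\n\n{$clean['message']}\n";

    $ok = mail(FEEDBACK_TO, $subject, $body,
               "From: " . SITE_FROM . "\r\nReply-To: " . $clean['email'] . "\r\n" . $common);
    if ($ok && $clean['copy']) {
        $ok = mail($clean['email'], $subject, $body, "From: " . SITE_FROM . "\r\n" . $common);
    }
    return $ok;
}

/** Re-render the form with the visitor's values escaped, plus any errors. */
function render_form(array $post, array $errors): string
{
    $out = '';
    foreach ($errors as $e) {
        $out .= '<p class="error">' . h($e) . "</p>\n";
    }
    $out .= "<form method=\"post\">\n"
          . '<input name="name" value="' . h((string)($post['name'] ?? '')) . "\">\n";
    foreach (ALLOWED_TOPICS as $t) {
        $checked = (($post['topic'] ?? '') === $t) ? ' checked' : '';
        $out .= '<input type="radio" name="topic" value="' . h($t) . '"' . $checked . '> ' . h($t) . "\n";
    }
    return $out . "</form>\n";
}

// Entry point when the script is served over HTTP and the form was posted.
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $result = validate_contact($_POST);
    if ($result['errors'] === [] && send_contact($result['clean'])) {
        echo '<p>Thank you; your message has been sent.</p>';
    } else {
        echo render_form($_POST, $result['errors'] ?: ['Sending failed; please try again later.']);
    }
}
```

The design choice worth noting is that nothing the visitor typed ever reaches a mail header unchanged: the name is rejected outright if it contains a control character, the address must pass FILTER_VALIDATE_EMAIL before it is used in Reply-To, and the subject is built from the allow-listed topic rather than from free text. Echoing the form back is safe only because every value passes through h() first.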

Another thing I worked on this past three-day weekend was a Maintenance Guide for whoever will maintain the site when I'm gone. I have uploaded my current very rough draft of the guide. It still needs a lot of work, some of which will have to wait until the site is completed.