[thelist] site check

.jeff jeff at members.evolt.org
Sat Jan 12 02:01:33 CST 2002


cayley,

><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
> From: Cayley Vos
>
> Mount Rainier interactive climbing guide
> http://ascenddvd.com
><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

title doesn't change from page to page which wouldn't be so bad by itself,
but "weekend2" doesn't really mean much to me.  it'll mean even less if i
bookmark the site and try to find it later as bookmarking it uses the title
by default as the label for the bookmark.  in addition, the title of the
page is used by search engines in the search results as the link to your
site and could weigh in to your pages' relevancy rank as it's some of the
first words the bot will encounter when it starts crawling your pages.

"rainier" & "aconcagua" links are broken (they're just a hash) on the
"mckinley" page.

i'm not hip to the header changing on the rainier review page.

it would be good if the orange arrow denoted the page you're viewing.  i
know that you're trying to use it to give the "shop" link some emphasis, but
since you're also using it in the rollover images, it seems out of place.
it looks more like an indication of what page you're on, though it never
actually does that.  this effect is particularly odd when viewing the
homepage because the "shop" link is the top one in the left nav.  it was
enough that i ended up clicking on it last.  it was only after visiting a
couple pages from the left nav that i figured that you were using it for
emphasis instead of a location indicator -- probably the opposite effect you
were going for.

perhaps use a definition list (<dl> tag with child <dt> and <dd> tags) on
the contact page to get some indenting for the contact info in from the
three headings.  do the same on the links page for the three headings.

be consistent with your use of colons on headings.  some have them, some
don't.

your rollover images aren't preloading like they should.  once they're in
the cache they seem to be fine, but the first time you rollover something it
takes an age for the image to swap.  this is due to the fact that your
changeImages() function uses image paths when assigning a new "src"
attribute value.  the only way for your preload() function to work properly
is to refer to the variable you created when preloading and its "src"
property value instead.

after further inspection it appears that your preloadImages() function is
trying to preload images that don't even exist.  fixing that *might* fix
this slow load situation.  if it doesn't, replace the paths in your calls to
the changeImages() function to variable references.  also change your
changeImages() function to use self[arguments[i+1]].src for the new "src"
attribute value.  holler if that doesn't make sense to you.

i've saved the best (worst) for last.  i think the site looks great ...
until i click the order button on the "shop" page.  oh boy, then i'm greeted
with a rather ugly page that barely resembles the site i just came from.
i'm also bombarded with a cookie -- ick.  don't get me wrong, cookies have
their uses, but it's not really necessary here.

so i select my shipping options and payment option and click purchase.

next screen i fill out my billing info.  nice feature with the "same as
billing" button to fill in my shipping info.  click "enter".

what?  a cookie?  lemme see what they wanna set.  my personal info in a
cookie?  nope -- blocked.  that's quite uncool.

so i'm at the payment screen.  view source to see if there are any holes in
the security of the checkout process.  sure enough.  ctrl+o.  paste
"javascript:document.forms[0].fulltotal.value = '1.00'; void(0);" click
enter -- just to see if it'll let me alter the value.  enter my info, along
with a bogus card number, but one i know will pass the luhn-10 check, and
click "authorize payment".

i briefly see a screen that says something like "thank you. leaving secure
mode now" and i get redirected to a receipt page that appears as if i got
charged the full price (despite my muddling with the payment form).  you'll
have to look over the order to tell me if i indeed got "charged" the full
amount or the $1.00 i changed the price to.

(meantime while writing the rest of this and double-checking it, i received
a receipt which shows the full price.  it appears my messing with the form
field value didn't have much effect.)

so, just to see what happens, i click the back button.

i land at https://mall.kisite.com/cgi-bin/ssl.pl

and see this:

  "Your ssl.pl script is successfully installed!

   To test it:
   Make sure Personal Variable #24 is set to "1"
   to allow Secure Online Credit Card Transactions.
   Set Secure Server Variable #1 to the full URL
   to this script. If you want the ssl.pl script
   to collect credit card info in SSL (Secure
   ...
   [snip]
   ...
   ssl.pl 2.40
   5/22/98
   Dansie Shopping Cart
   http://www.dansie.net"

that's kinda icky.  let's see what else is out there about dansie.

http://www.google.com/search?hl=en&lr=lang_en&q=Dansie+Shopping+Cart+hack

dansie shopping cart developer leaves back door
http://www.safenetworks.com/Others/scart2.html

even more icky.

i see that you're already using php on the site itself.  for a single
product with very simple shipping options it should be very easy to write a
cart that not only does what you need it to, but also keeps the visitor
completely within your site and is without this backdoor.

good luck,

.jeff

http://evolt.org/
jeff at members.evolt.org
http://members.evolt.org/jeff/
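Added example, not code from the site or from this message: the rollover fix .jeff describes above, where preload() keeps the Image objects it creates and changeImages() copies the .src property of the preloaded object instead of assigning a path string. The FakeImage stand-in, the slot and image names and the paths are all assumptions made so the logic can run outside a browser; in a browser window.Image is used instead.

```javascript
// Added example (not the site's code): rollover preloading done the way
// the message recommends. Image names and paths below are constructed.

// Minimal stand-in for the browser's Image constructor so the swap logic
// runs outside a browser (assumption: in a page, window.Image is used).
class FakeImage {
  constructor() { this.src = ''; }
}
const ImageCtor = (typeof Image !== 'undefined') ? Image : FakeImage;

// Registry of preloaded images keyed by a short name. The original code
// assigned raw paths in changeImages(); the fix is to keep the Image
// objects and copy their .src property at swap time.
const preloaded = {};

// preload('name', 'path') creates the Image object once, so the browser
// fetches the file before any rollover happens. Calling it twice for the
// same name returns the cached object rather than requesting it again.
function preload(name, path) {
  if (preloaded[name]) return preloaded[name];
  const img = new ImageCtor();
  img.src = path;
  preloaded[name] = img;
  return img;
}

// changeImages(slots, 'slot', 'name', 'slot2', 'name2', ...) mirrors the
// original pairing of arguments (slot to change, preloaded name to show)
// but takes the new src from the preloaded object. Pairs that name a slot
// or an image that was never preloaded are skipped, which is the guard
// against "preloading images that don't even exist": nothing is ever
// swapped to a path that was not fetched in advance.
// Returns the slots actually changed so callers (and tests) can check.
function changeImages(slots, ...pairs) {
  const changed = [];
  for (let i = 0; i + 1 < pairs.length; i += 2) {
    const target = slots[pairs[i]];
    const source = preloaded[pairs[i + 1]];
    if (!target || !source) continue;
    target.src = source.src;
    changed.push(pairs[i]);
  }
  return changed;
}

// Demo wiring (constructed): one nav slot and its "over" state.
// In a browser, slots would be document.images and the onmouseover
// handler would call changeImages(document.images, 'rainierLink',
// 'rainier_over').
preload('rainier_over', '/img/nav/rainier_over.gif');
const navSlots = { rainierLink: new ImageCtor() };
navSlots.rainierLink.src = '/img/nav/rainier.gif';
```

Note that the swap never touches the network: by the time the mouse moves, the only thing changeImages() does is copy a string from an object that already owns the cached file.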
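Added example, not the Dansie cart and not the site's PHP: the server-side half of the checkout test described above. The point of editing the "fulltotal" field was to see whether the server trusts a client-supplied total; a cart that recomputes the price from its own catalogue cannot be affected by that edit, and the mismatch between what the client claimed and what the server computed is worth logging as a tamper signal. The catalogue, the shipping table, the field names other than "fulltotal" and the sample form values are constructed for the demo.

```javascript
// Added example (not the cart's code): price an order from server-side
// data only. Catalogue, shipping table and form values are constructed.

// Prices in whole cents, known only to the server. The client never
// supplies a price the server treats as authoritative.
const CATALOGUE = {
  'rainier-dvd': { name: 'Mount Rainier interactive climbing guide', cents: 2995 },
};
const SHIPPING = { ground: 500, express: 1500 };

// Accept only a small positive integer quantity; anything else is rejected
// rather than coerced (a quantity of -1 or "1e3" must not reach pricing).
function parseQuantity(raw) {
  const n = Number(raw);
  return Number.isInteger(n) && n > 0 && n <= 99 ? n : null;
}

// Recompute the order from item, quantity and shipping code. The
// submitted "fulltotal" is compared only to produce a tamper flag for the
// log; it is never used for the charge. Returns { ok, totalCents,
// tampered } or { ok: false, reason } for a malformed submission.
function priceOrder(form) {
  const item = CATALOGUE[form.item];
  const qty = parseQuantity(form.quantity);
  const ship = SHIPPING[form.shipping];
  if (!item || qty === null || ship === undefined) {
    return { ok: false, reason: 'invalid item, quantity or shipping option' };
  }
  const totalCents = item.cents * qty + ship;
  // The client sends dollars as a string ("34.95"); normalise to cents so
  // the comparison is exact. A missing field yields NaN and no flag.
  const claimed = Math.round(Number(form.fulltotal) * 100);
  const tampered = Number.isFinite(claimed) && claimed !== totalCents;
  return { ok: true, totalCents, tampered };
}

// One log line per priced order so a tampered total shows up in the
// server log even though the customer is still charged the right amount.
function logOrder(form, result) {
  const line = result.ok
    ? `order item=${form.item} qty=${form.quantity} total=${result.totalCents}c tampered=${result.tampered}`
    : `rejected item=${form.item} reason=${result.reason}`;
  console.log(line);
  return line;
}

// Demo (constructed): an honest order and the altered one from the message.
const honest = { item: 'rainier-dvd', quantity: '1', shipping: 'ground', fulltotal: '34.95' };
const altered = { item: 'rainier-dvd', quantity: '1', shipping: 'ground', fulltotal: '1.00' };
logOrder(honest, priceOrder(honest));
logOrder(altered, priceOrder(altered));
```

Because the charge is computed from CATALOGUE and SHIPPING, the second order is still billed 3495 cents; the only effect of the edited field is a "tampered=true" entry in the log, which is the entry a merchant would want to review.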