Elitist Jerks
Old 07/25/07, 10:53 AM #16
Ailetha (Piston Honda), Night Elf Druid, Antonidas
Wow! Fabulous idea. I love it. Although I do agree about the easier-to-remember site name. Hopefully the one you've selected is easy enough to remember for most US users.

I will be forwarding the players on Skywall US to your site as soon as it is up and running. Can't wait to see it completed!

Old 07/25/07, 11:32 AM #17
sp00n (Bald Bull), Night Elf Rogue, Wrathbringer (EU)
Nice language selector you have there.

Stopped Playing
Old 07/25/07, 12:25 PM #18
8ballistic (Glass Joe), Blood Elf Paladin, Earthen Ring
Might I suggest you add alchemy specializations?

If there are two people in your guild with Flask of Might Restoration, it would be useful to know if one is an elixir master and one is a transmute master.

Old 07/25/07, 12:59 PM #19
sathran (You just keep trying, 'till you run out of cake!), Tauren Druid, Sporeggar (EU)
As someone stated above, adding a quick search (maybe a "Server" + "Trade Skill" dropdowns) on the homepage would work.

On the main search page, I'd reorder the items like so:
  • Server
  • Faction
  • Trade Skill
  • Raid Craft

This way they'll be ordered in terms of granularity, which is always good.

Consider switching the "Faction" selector from a dropdown to a pair of radio buttons, and the "Raid Craft" dropdown to a checkbox, to speed up the process of filling out the form.

--

After using it a bit, I've gathered a few serious additional recommendations:

Strip slashes and any markup elements.
Try adding a user with the following surname:
<iframe src="http://www.google.com" width="1000" height="1000"></iframe>
The result is self-explanatory.

If you're using PHP, parsing input with strip_tags() and/or htmlentities() is essential.

Always filter user input.
You're dumping the user inputs directly into the database queries. If a user inputs '; in a search field, it gets fed to the database, and that could be a disaster ('; terminates your current SQL command, from then on the user can run arbitrary code on your DB).

Disable magic quotes on php.ini (this prevents double-quoting) and use mysql_escape_string() or pg_escape_string() according to your database flavor.

Encrypt passwords.
If you apply the previous steps to password fields, user passwords might get broken.
Be sure to store user passwords after an md5() function to prevent that from happening.


Sorry if this got a bit technical, but your site is getting popular, and abuse is bound to happen.

Keep up the good work!

Last edited by sathran : 07/25/07 at 1:36 PM. Reason: Adding additional information
Old 07/25/07, 1:35 PM #20
Emily (Piston Honda), Blood Elf Paladin, Doomhammer (EU)
With recipes requiring BoP components such as Nether or Vortexes, it would be nice to have the amount the crafter will charge if
a) you supply all mats apart from Nether
b) crafter supplies all mats

Old 07/25/07, 2:44 PM #21
Madlax (Don Flamenco), Undead Warlock, Twisting Nether (EU)
@sathran
That's one pretty sweet post I'll look into tomorrow, but:
Originally Posted by sathran
Consider switching the "Faction" selector from a dropdown to a pair of radio buttons, and the "Raid Craft" dropdown to a checkbox, to speed up the process of filling out the form.

I added a faction "Both" so people can check cross-faction as well by default; the results page allows you to sort by faction anyway, and you'll get results that way even if you only fill out server and profession.
And I added raid craft so people can filter a little; at least the common player does not need raid crafts displayed by default, or the Jewelcrafting list would just make you howl.

But yeah, depending on people's preferences I might adjust a little.

Old 07/25/07, 2:54 PM #22
Shadowed (Soda Popinski), Tauren Druid, Mal'Ganis
Originally Posted by sathran
Always filter user input.
You're dumping the user inputs directly into the database queries. If a user inputs '; in a search field, it gets fed to the database, and that could be a disaster ('; terminates your current SQL command, from then on the user can run arbitrary code on your DB).
This applies to pretty much all input even if it's not an edit box; if you have any sort of data going from the user's browser to your client, it shouldn't be trusted. If you expect a number, make sure it's a number; if it's only supposed to be 5 characters long, make sure it's only 5 characters; even if it's something like a drop-down box, you should be sure the value you get is actually the one you want.


If you implement a forgot-password kind of feature, make sure the ID given is unique and can't be guessed; the easiest solution is to make it millisecond time + a random number. Just passing the current time or an incrementing ID is easy to hack.

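An added example in PHP, not code from the WOW Crafts site or from any poster, that puts the checks Shadowed lists into one validation routine for the search form and issues the kind of unguessable reset ID he asks for. The field names, the realm list, the skill range and the five-character cap are assumptions made for illustration; the token is drawn from random_bytes() rather than from a timestamp plus a random number, and only its hash is kept server-side. Needs the mbstring extension.

```php
<?php
// Added example (not the site's code): validate a search request the way
// the post recommends, then issue a password-reset token.
// Field names, realm list, skill range and the 5-character cap are assumptions.
declare(strict_types=1);

const REALMS   = ['Antonidas', 'Earthen Ring', 'Mal\'Ganis', 'Sporeggar (EU)'];
const FACTIONS = ['Alliance', 'Horde', 'Both'];

/**
 * Check types, lengths and, for drop-downs, an allow-list of the values the
 * form actually offers. Returns the clean values plus a list of errors.
 */
function validateSearch(array $input): array {
    $errors = [];
    $clean  = [];

    // Drop-downs: a tampered request can carry any string, so compare strictly
    // against the options the form renders.
    if (!isset($input['server']) || !in_array($input['server'], REALMS, true)) {
        $errors[] = 'server: not a known realm';
    } else {
        $clean['server'] = $input['server'];
    }
    if (!isset($input['faction']) || !in_array($input['faction'], FACTIONS, true)) {
        $errors[] = 'faction: not a known value';
    } else {
        $clean['faction'] = $input['faction'];
    }

    // Checkbox: only the literal '1' counts as ticked.
    $clean['raid_craft'] = ($input['raid_craft'] ?? '0') === '1';

    // "If you expect a number make sure it's a number": skill level 1..375.
    $skill = filter_var($input['min_skill'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 375]]);
    if ($skill === false) {
        $errors[] = 'min_skill: must be an integer between 1 and 375';
    } else {
        $clean['min_skill'] = $skill;
    }

    // Free text with a length cap, counted in characters rather than bytes.
    $item = trim((string)($input['item'] ?? ''));
    if ($item === '' || mb_strlen($item, 'UTF-8') > 5) {
        $errors[] = 'item: 1 to 5 characters';
    } else {
        $clean['item'] = $item;
    }

    return ['ok' => $errors === [], 'values' => $clean, 'errors' => $errors];
}

/**
 * Reset token: 256 bits from the CSPRNG. The plain token goes in the email;
 * the database keeps only its hash and an expiry, so a dumped table does not
 * hand out usable reset links.
 */
function issueResetToken(): array {
    $token = bin2hex(random_bytes(32));
    return [
        'token_for_email' => $token,
        'stored_hash'     => hash('sha256', $token),
        'expires_at'      => time() + 3600,
    ];
}

function resetTokenMatches(string $presented, string $storedHash): bool {
    // Constant-time comparison of the hash of what the user presented.
    return hash_equals($storedHash, hash('sha256', $presented));
}

// Constructed request: a tampered drop-down value and a non-numeric skill.
$request = ['server' => 'Antonidas', 'faction' => "Horde' OR 1=1--",
            'raid_craft' => '1', 'min_skill' => '375abc', 'item' => 'Nether'];
print_r(validateSearch($request));

$reset = issueResetToken();
var_dump(resetTokenMatches($reset['token_for_email'], $reset['stored_hash']));
```

The validation returns three errors for the constructed request (faction, min_skill and the over-long item) and keeps the two fields that pass, so the caller can refuse the whole request rather than letting one unchecked field reach the query.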
Old 07/25/07, 6:04 PM #23
sathran (You just keep trying, 'till you run out of cake!), Tauren Druid, Sporeggar (EU)
Originally Posted by Shadowed
This applies to pretty much all input even if it's not an edit box, if you have any sort of data going from the users browser to your client it shouldn't be trusted. If you expect a number make sure it's a number, if it's only suppose to be 5 characters long make sure it's only 5 characters, even if it's something like a drop down box you should be sure the value you get is actually the one you want.
Indeed, data validation is extremely important.

If you can use bind parameters (as in the oci8 / oracle XE php libs) you can soften variable parsing a bit, focusing only on removing any markup elements and data integrity / type matching.

There are two ways to query a DB: using bind variables and the wrong way. :P

Last edited by sathran : 07/27/07 at 6:31 AM. Reason: Typo

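An added example, not code from the site or from either post, demonstrating the two injections sathran describes in #19 (the iframe surname and the quote that breaks out of the SQL string) and the bind-variable approach he recommends in #23, run against an in-memory SQLite database through PDO. The users table, its columns and the sample names are constructed for the example. It uses PDO prepared statements in place of mysql_escape_string() and password_hash() in place of md5() for the stored password, which are the current PHP mechanisms for those two goals. Needs the pdo_sqlite extension.

```php
<?php
// Added example (not code from the WOW Crafts site): stored XSS and SQL
// injection from the posts above, shown against an in-memory SQLite database.
// Table name, columns and sample users are constructed for the example.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, pw_hash TEXT NOT NULL)');

// Constructed inputs: the iframe surname from the post and a quote-breaking name.
$xssName  = '<iframe src="http://www.google.com" width="1000" height="1000"></iframe>';
$sqliName = "x' OR '1'='1";

// WRONG: the value is pasted into the SQL text, so a quote in it becomes SQL syntax.
function findUserUnsafe(PDO $db, string $name): array {
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// RIGHT: the value travels as a bound parameter and is never parsed as SQL.
function findUserSafe(PDO $db, string $name): array {
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Store the name exactly as entered (no strip_tags needed for the database)
// together with a salted, deliberately slow password hash.
function addUser(PDO $db, string $name, string $password): void {
    $stmt = $db->prepare('INSERT INTO users (name, pw_hash) VALUES (:name, :hash)');
    $stmt->execute([':name' => $name, ':hash' => password_hash($password, PASSWORD_DEFAULT)]);
}

// Escape at output time, so the stored string is shown as text, not as markup.
function renderName(string $name): string {
    return htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

addUser($db, 'Madlax', 'correct horse');
addUser($db, $xssName, 'hunter2');

// The quote-breaking search term matches every row through the unsafe query,
// because the WHERE clause has become  name = 'x' OR '1'='1' ...
printf("unsafe: %d rows\n", count(findUserUnsafe($db, $sqliName)));
// ... and matches nothing through the prepared one, since no user has that literal name.
printf("safe:   %d rows\n", count(findUserSafe($db, $sqliName)));

// The iframe survives in the database but cannot render once escaped on output.
foreach (findUserSafe($db, $xssName) as $row) {
    echo renderName($row['name']), "\n";
}

// Login check: the table holds only the hash, never the password.
$stmt = $db->prepare('SELECT pw_hash FROM users WHERE name = :name');
$stmt->execute([':name' => 'Madlax']);
var_dump(password_verify('correct horse', $stmt->fetchColumn()));
```

Escaping at output time rather than stripping on input keeps the stored data intact (a player really can have an apostrophe in a realm name such as Mal'Ganis) and covers every place the value is later displayed, including places added after the input filter was written.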
Old 07/27/07, 1:05 PM #24
Madlax (Don Flamenco), Undead Warlock, Twisting Nether (EU)
Made some slight adjustments from your input.
Page online at WOW Crafts - Startseite now.
Test users are still up; adding a new feature to the whole thing on Monday, I hope.

Old 07/27/07, 1:29 PM #25
Theras (Bald Bull), Tauren Paladin, Mal'Ganis
Originally Posted by sathran
Always filter user input.
You're dumping the user inputs directly into the database queries. If a user inputs '; in a search field, it gets fed to the database, and that could be a disaster ('; terminates your current SQL command, from then on the user can run arbitrary code on your DB).
Well, thank god I read your post before going to test out the site, since I was musing about making a character named ';DROP DATABASE just now.

As for reports, bug or otherwise:
  1. If you reselect English as your primary language on the main page, then press the large black Login button on the top navigation bar (as opposed to the orange side bar) it reverts back to German.

  2. I don't understand what the check box is for on the character creation page or the character Data tab, as it has no label. I also don't understand what the orange asterisk signifies next to Profession on the Data tab.

  3. As iterated by other posters, specialization information and Nether/Vortex pricing per crafter would be greatly appreciated. I know I get a few whispers a day asking for Bracers of the Green Fortress, and then they flip out when they can't get me to combine it for 25 gold (because that's a great tip!).

  4. "Talent Search" would probably be more intuitively called "Item Search" in English.

The site looks pretty outstanding so far, though. I look forward to guild support, and being able to actually use it when it goes live.

Old 07/27/07, 1:57 PM #26
Madlax (Don Flamenco), Undead Warlock, Twisting Nether (EU)
2) Active field; didn't even notice the missing text o_O
The asterisk is a leftover from when users had the option to enter the profession themselves.

4) Can agree to that.

I guess you will like the addon we're planning on doing for Monday.
Create a user, give him a guild and load all guild members into the account with a single click.
A bit easier handling for endgame guilds which are lazy.

Old 07/30/07, 9:08 AM #27
sathran (You just keep trying, 'till you run out of cake!), Tauren Druid, Sporeggar (EU)
How's the addon going Madlax? wink wink, nudge nudge, say no more?

I'll be happy to beta test it if you're short on testers.

Old 07/30/07, 10:16 AM #28
Teerza (Glass Joe), Orc Warlock, Earthen Ring
I noticed that the site now says registration is open. I filled out the form and, after hitting Save, I got a blank page. I then tried to log in, but it said "wrong username or password".

Old 07/30/07, 1:16 PM #29
Lucindae (Glass Joe), Undead Rogue, Earthen Ring
Teerza, although you get no feedback when you register, you should check your email for the confirmation message. Follow those instructions and you will be able to log in.

After logging in, I was unable to create any characters. It keeps telling me my character is already in use. When I search for the character, all I can find is an armory link. How do I reclaim my own characters?

Old 07/30/07, 1:28 PM #30
8ballistic (Glass Joe), Blood Elf Paladin, Earthen Ring
Because I registered my main character on the test account, I cannot register my main character on my own account. However, I can't get on the account "conspiracy" anymore to delete my main character from that account!
