A product website design and development

Mario

Ambassador of Buzz
How long approximately is each module taking to code?

And when do you do this? Weekends? or 7 days a week?
 

nbaztec

Master KOD3R
^^That will require good infrastructure and code optimization. Can think of that down the line, but as of now it should be good enough. Probably some performance testing can be done. I guess I'll look for the tools for that.

Sure, a check for availability is good and can be done, but I have seen on some sites that the check is done automatically on input.

It's fine the way it is; the backend DBMS optimizes queries under the hood, so if your `user_id` is indexed and unique the search time is negligible. The only scenario I think it could be significant would be if you were checking it on key events, which you aren't. EDIT: Oh wait, you are. Use onblur or onsubmit.

...Or perhaps if someone maliciously polls the script to generate 1000 requests/second >_>
 
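Moving the client from keyup to onblur, as suggested above, only cuts the traffic a well-behaved browser sends; it does nothing against someone calling the availability script directly at 1000 requests/second. The following is an added example (not code from this thread or from Faun's project) of the server half of that check in Node.js: a per-client token bucket in front of the `user_id` lookup, input validation so only well-formed identifiers ever become queries, and a short-lived cache so repeated blur events on the same value cost no query. The in-memory user table, the bucket parameters, the `clientKey` (remote IP or session id) and the assumption that `user_id` compares case-insensitively are all mine.

```javascript
'use strict';
// Added example (not from the thread): server side of the "is this user_id taken?" check.
// The user table below is constructed sample data standing in for the project's DBMS,
// where `user_id` would be an indexed, unique column.

const takenUserIds = new Set(['faun', 'mario', 'nbaztec']);   // constructed sample data
let dbQueries = 0;                                             // counts real lookups, for the demo

// Per-client token bucket: `capacity` requests may burst, then `refillPerSec` more per
// second. The clock is injectable so the behaviour is deterministic in tests.
class TokenBucket {
  constructor({ capacity, refillPerSec, now = () => Date.now() }) {
    this.capacity = capacity;
    this.refillPerSec = refillPerSec;
    this.now = now;
    this.buckets = new Map();   // clientKey -> { tokens, last }
  }
  allow(clientKey) {
    const t = this.now();
    let b = this.buckets.get(clientKey);
    if (!b) { b = { tokens: this.capacity, last: t }; this.buckets.set(clientKey, b); }
    b.tokens = Math.min(this.capacity, b.tokens + ((t - b.last) / 1000) * this.refillPerSec);
    b.last = t;
    if (b.tokens < 1) return false;
    b.tokens -= 1;
    return true;
  }
}

// Normalise the way the DB compares the column (assumption: case-insensitive), so
// "Faun " and "faun" are the same question and share one cache entry.
function normaliseUserId(raw) {
  return String(raw || '').trim().toLowerCase();
}

// Only identifiers of this shape ever reach the DB; anything else is a 400, not a query.
const USER_ID_RE = /^[a-z0-9_]{3,32}$/;

function lookupUserIdTaken(userId) {
  dbQueries += 1;   // real version: SELECT 1 FROM users WHERE user_id = ? LIMIT 1 (parameterised)
  return takenUserIds.has(userId);
}

// `clientKey` is whatever identifies the caller (remote IP, or session id once logged in).
function makeAvailabilityHandler({ bucket, cacheTtlMs = 5000, now = () => Date.now() }) {
  const recent = new Map();   // userId -> { taken, at }: repeated blur on one value costs no query
  return function handle(clientKey, rawUserId) {
    if (!bucket.allow(clientKey)) return { status: 429, body: { error: 'too many requests' } };
    const userId = normaliseUserId(rawUserId);
    if (!USER_ID_RE.test(userId)) return { status: 400, body: { error: 'invalid user_id' } };
    const cached = recent.get(userId);
    if (cached && now() - cached.at < cacheTtlMs) {
      return { status: 200, body: { user_id: userId, available: !cached.taken } };
    }
    const taken = lookupUserIdTaken(userId);
    recent.set(userId, { taken, at: now() });
    return { status: 200, body: { user_id: userId, available: !taken } };
  };
}

function dbQueryCount() { return dbQueries; }
function resetDbQueryCount() { dbQueries = 0; }

// A hostile client firing `requests` calls 1 ms apart (1000 req/s), each with a fresh
// user_id so the cache cannot help: the bucket lets `capacity` plus the refill through,
// and the DB sees only that many queries instead of `requests`.
function simulateFlood({ requests = 1000, capacity = 10, refillPerSec = 5 } = {}) {
  let clock = 0;
  const now = () => clock;
  const handle = makeAvailabilityHandler({ bucket: new TokenBucket({ capacity, refillPerSec, now }), now });
  resetDbQueryCount();
  const counts = { ok: 0, limited: 0, rejected: 0 };
  for (let i = 0; i < requests; i++) {
    clock += 1;
    const res = handle('203.0.113.7', 'user' + i);   // 203.0.113.0/24 is the documentation range
    if (res.status === 200) counts.ok += 1;
    else if (res.status === 429) counts.limited += 1;
    else counts.rejected += 1;
  }
  return { ...counts, dbQueries: dbQueryCount() };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(simulateFlood());
}
```

Two caveats a practitioner would add: an availability endpoint is by nature a user enumeration oracle (it tells anyone which ids exist), so the rate limit is what keeps that leak slow, and the in-memory bucket and cache only work for a single app server; behind a load balancer they would move to something shared such as a Redis counter.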
OP
Faun

Wahahaha~!
Staff member
> How long approximately is each module taking to code?
>
> And when do you do this? Weekends? or 7 days a week?
Working on it for about a month. Reading documentation and thinking of how to implement takes some time, but the coding part is done pretty easily after that.

Working on it as and when I get time. Weekends are usually BF3 multiplayer, so I don't look at it much.

> It's fine the way it is; the backend DBMS optimizes queries under the hood, so if your `user_id` is indexed and unique the search time is negligible. The only scenario I think it could be significant would be if you were checking it on key events, which you aren't. EDIT: Oh wait, you are. Use onblur or onsubmit.
>
> ...Or perhaps if someone maliciously polls the script to generate 1000 requests/second >_>
That can be done with onblur too. Database requests are only for the user id. So I guess leave it at onblur itself and remove the keyup.

Any way to keep the throttling of the database?

> Looks Good & Cool
Thanks.
 

Mario

Ambassador of Buzz
> ...Or perhaps if someone maliciously polls the script to generate 1000 requests/second >_>
>
> Any way to keep the throttling of the database?

IMHO, any such use case would kill the network/app server long before it took down the db! Probably a function of connection pools!

Question should probably be "any way to keep the throttling of the web server"!
Well, we would never get DoS'd if there were some foolproof way of doing that!
 
OP
Faun

Wahahaha~!
Staff member
^^yeah, likely.

Slight change in look and feel
*farm9.staticflickr.com/8285/7557527844_56f32c4952_o.png

Right side buttons:
*farm8.staticflickr.com/7258/7557589106_a680a65c0b_o.png
 

Mario

Ambassador of Buzz
Looks fine.
Can you change that X for the delete to something else? I know it's functional, in fact, very functional, but it looks slightly odd.

Maybe a yellow pencil icon instead of the "Update" href and beside it a red x icon for delete.

BTW, how did you get that textbox rectangle to be rounded at a couple of corners? Is that via CSS? Looks cool - the price, quantity and subtotal alignment is slightly off I think; it would look cooler if it could be aligned at 180.
:thumbs:

Edit: Just noticed the Proceed link. I think it should be a more prominent button, don't you think?
Where does Proceed go, by the way? "Continue shopping" or "Checkout"? Maybe two buttons with those names instead of Proceed?
 

CyberKID

In search for Tech Gyan!
The design is nice. I noticed the SKU number. You seem to be entering the SKU number yourself. Wouldn't it be good to use the AUTO_INCREMENT attribute of MySQL to generate a unique SKU number for each product? That way, you'll save time entering a new product each time, as SKU generation will be done under the hood.
 
OP
Faun

Wahahaha~!
Staff member
> Looks fine.
> Can you change that X for the delete to something else? I know it's functional, in fact, very functional, but it looks slightly odd.
>
> Maybe a yellow pencil icon instead of the "Update" href and beside it a red x icon for delete.
Here, looks good. Though I am not doing theming yet, once in a while I get bored of coding and resort to CSS.
*farm9.staticflickr.com/8158/7561789922_016f192b97_o.png

> BTW, how did you get that textbox rectangle to be rounded at a couple of corners? Is that via CSS? Looks cool - the price, quantity and subtotal alignment is slightly off I think; it would look cooler if it could be aligned at 180.
> :thumbs:
Yeah, used CSS. Will not work with crap Internet Explorer. Will have to hack CSS separately for that. :-x

> Edit: Just noticed the Proceed link. I think it should be a more prominent button, don't you think?
> Where does Proceed go, by the way? "Continue shopping" or "Checkout"? Maybe two buttons with those names instead of Proceed?
It just displays the shipping address below the cart with animated scroll to get it in focus.

I haven't implemented that functionality completely. Some areas I have to think about.

> The design is nice. I noticed the SKU number. You seem to be entering the SKU number yourself. Wouldn't it be good to use the AUTO_INCREMENT attribute of MySQL to generate a unique SKU number for each product? That way, you'll save time entering a new product each time, as SKU generation will be done under the hood.
SKU is chosen because it will be convenient and there won't be a problem of duplicate product entries. Also, a quick check is done for an already existing SKU in the database while entering the SKU in the field.

I guess it's better this way than automatically incrementing a number.
 

Mario

Ambassador of Buzz
> Here, looks good. Though I am not doing theming yet, once in a while I get bored of coding and resort to CSS.
Great! The alignment still looks a bit off though!
Move the red cross beside the update?? Dunno, maybe better this way!


> Yeah, used CSS. Will not work with crap Internet Explorer. Will have to hack CSS separately for that. :-x

Ugh! Don't even get me started on stupid IE! :-x:-x
Not only IE; a few days back I wrote a piece of code to generate reports formatted using CSS3 to be displayed in Outlook. Guess what? It worked in Outlook 2000 and 2003 and got completely screwed out of place in Outlook 2007/2010 - a Google search revealed tons about how bright the folks at MS are! :-x:-x
Complaints to MS result in stupid answers like this one!

And this image just about sums up my story!

:confused: :-?
 

nbaztec

Master KOD3R
> ...Or perhaps if someone maliciously polls the script to generate 1000 requests/second >_>
> Any way to keep the throttling of the database?
> IMHO, any such use case would kill the network/app server long before it took down the db! Probably a function of connection pools!
>
> Question should probably be "any way to keep the throttling of the web server"!
> Well, we would never get DoS'd if there were some foolproof way of doing that!

I was just jesting with that, Sheesh. :|

And there's nothing *you* can do about DoS/DDoS attacks; rather, the web server should/ought/might be the one checking packets for floods (ineffective in case of DDoS). The only thing you should be worried about is that *you* aren't overwhelming the DBMS with queries on key events when you have someone like @ico typing at ~90 wpm. (Not specific to your project, but in general.)
 

Mario

Ambassador of Buzz
> I was just jesting with that, Sheesh. :|
>
> And there's nothing *you* can do about DoS/DDoS attacks; rather, the web server should/ought/might be the one checking packets for floods (ineffective in case of DDoS). The only thing you should be worried about is that *you* aren't overwhelming the DBMS with queries on key events when you have someone like @ico typing at ~90 wpm. (Not specific to your project, but in general.)

Ico types at 90 words per minute????? :shock::shock: I think the max I ever hit must have been around the low 80s in my college days! Which was of course a one-time thing!
@Ico, upload a video of you typing! :p (Reminds me of Adnan Sami for whatever reason!)

[Anyway, 90 wpm is not gonna crash any db worth its salt! ;)]

@nbaztec
BTW, what were you testing with?
LOIC? :D
IMHO, from what I have seen, IDS/IPS systems are epic fails! Some even try to chase back to identify the attacker(s) (and confirm things in the process! How stupid is that! :x)
 

nbaztec

Master KOD3R
> [Anyway, 90 wpm is not gonna crash any db worth its salt! ;)]
Think a thousand ICOs (Yes it's disturbing as well)

> @nbaztec
> BTW, what were you testing with?
> LOIC? :D
> IMHO, from what I have seen, IDS/IPS systems are epic fails! Some even try to chase back to identify the attacker(s) (and confirm things in the process! How stupid is that! :x)
I was jesting not testing :lol:
LOIC is a fairly simple concept, nothing much complex; it's however the simplicity of it that catches my fancy. As for IPS/IDS, you can't blame 'em really. It's the very nature of IP that makes the task difficult for them. But that doesn't mean it's impossible or that they are epic fails. A trivial DHCP server log can uncloak you :| But given the fact that the laws of foreign lands rarely cooperate, it's a laudable practice - I'd give you that.
 

Mario

Ambassador of Buzz
> Think a thousand ICOs (Yes it's disturbing as well)
Well, if you lined up a 1000 ICOs, I guess I will line up a RAC! :D

> I was jesting not testing :lol:
> LOIC is a fairly simple concept, nothing much complex; it's however the simplicity of it that catches my fancy. As for IPS/IDS, you can't blame 'em really. It's the very nature of IP that makes the task difficult for them. But that doesn't mean it's impossible or that they are epic fails. A trivial DHCP server log can uncloak you :| But given the fact that the laws of foreign lands rarely cooperate, it's a laudable practice - I'd give you that.

Didn't get the part about "laws of foreign lands"...
But in my experience, a flawless IDS/IPS or even an IDPS seems utopian and unreal! An IDS tells me an attack is in progress, when, how, etc. And expects me to do something about it - meanwhile, I am losing business by the minute! An IPS generates too many false positives (disconnects valid business - my loss again) and is a little too easy to fool (!?! suspect the AV and Network Security Industry guys want it to be that way?! - anyway, reading signature patterns or reading load patterns is hardly an intelligent way to deduce an "attack" - have seen too many instances of peak load, line noise setting off an IDPS)... Both sit on my network and eat resources - it's like I have to grease the greedy policeman to keep the extortion gangs out!

If I must do all of that, why can't I instead draw out a contract with my ISP, tell them to install a BFF (that's a Big F***ing Firewall :D) on their end (don't see the logic behind a downstream firewall - if the bloody little rascal packets have to reach my downstream firewall to get blocked, why, they have already won half the war by clogging my lifeline to my ISP), configure it with some strict rules and maybe use an IDPS to simulate an attack just to harden my rules (and then get rid of it), and then sit back and pray that someone with a big honeypot does not want to pwn my a$$?

It would still not mean 100% security (not like the IDPS would guarantee that either), but I got rid of resource hoggers and applications that sometimes like to chase back and confirm that the port the attacker suspected is open IS actually open!

The only advantage I can see an IPS might hold is that it will trigger even when the attack originates from inside my network! But I guess that is easily taken care of by architecting the network properly in the first place and having a second BFF inside the DMZ.

I guess I am just trying to say, if the very nature of IP makes an IDPS fall short of what it must do (or at least is expected to do), why use it in place of something which would let me do kind of the same thing with fewer resources and better accuracy! Granted a DoS would leave its marks on my logs, but the idea is to save my a$$ (my business), not sue people later on to recover the losses.
 

nbaztec

Master KOD3R
> Well, if you lined up a 1000 ICOs, I guess I will line up a RAC! :D
>
> Didn't get the part about "laws of foreign lands"...
> But in my experience, a flawless IDS/IPS or even an IDPS seems utopian and unreal! An IDS tells me an attack is in progress, when, how, etc. And expects me to do something about it - meanwhile, I am losing business by the minute! An IPS generates too many false positives (disconnects valid business - my loss again) and is a little too easy to fool (!?! suspect the AV and Network Security Industry guys want it to be that way?! - anyway, reading signature patterns or reading load patterns is hardly an intelligent way to deduce an "attack" - have seen too many instances of peak load, line noise setting off an IDPS)... Both sit on my network and eat resources - it's like I have to grease the greedy policeman to keep the extortion gangs out!
>
> If I must do all of that, why can't I instead draw out a contract with my ISP, tell them to install a BFF (that's a Big F***ing Firewall :D) on their end (don't see the logic behind a downstream firewall - if the bloody little rascal packets have to reach my downstream firewall to get blocked, why, they have already won half the war by clogging my lifeline to my ISP), configure it with some strict rules and maybe use an IDPS to simulate an attack just to harden my rules (and then get rid of it), and then sit back and pray that someone with a big honeypot does not want to pwn my a$$?
>
> It would still not mean 100% security (not like the IDPS would guarantee that either), but I got rid of resource hoggers and applications that sometimes like to chase back and confirm that the port the attacker suspected is open IS actually open!
>
> The only advantage I can see an IPS might hold is that it will trigger even when the attack originates from inside my network! But I guess that is easily taken care of by architecting the network properly in the first place and having a second BFF inside the DMZ.
>
> I guess I am just trying to say, if the very nature of IP makes an IDPS fall short of what it must do (or at least is expected to do), why use it in place of something which would let me do kind of the same thing with fewer resources and better accuracy! Granted a DoS would leave its marks on my logs, but the idea is to save my a$$ (my business), not sue people later on to recover the losses.

I totally agree with you. While these systems can pin-point the attack location and in rare cases nab the culprit, the damage caused by false positives and the overwhelming requests is the only thing that matters. And you are spot on with the downstream firewall rules as well - DoS will clog it.

The idea of a BFF is a nice alternative since the packet must be dropped before it is switched, thus minimizing resource wastage. The best bet would be to implement something on the lines of TCP's congestion control that would travel upstream to update the routing tables of switching points, but HTTP and TCP are as similar as apples and oranges. HTTP is inherently connection (and state) less; maybe HTTPS could implement something like that, but that would mean compromising the efficiency, simplicity and performance of HTTP.

And I meant that countries rarely cooperate in exchanging information; if a Chinese IP is detected DoSing Indian servers, I sure as hell doubt the Chinese government would reveal the DHCP logs to identify the culprit, which for all they know might be a proxy through a proxy.
 

Mario

Ambassador of Buzz
@nbaztec

Dude, I was kinda presuming you work in Network Security and then I hit your site - holy cow! what are you, the Ankit Fadia we haven't heard of yet?!!? :D

Anyway, we can safely conclude, that we have pretty much DDOS-ed Faun's thread here! :p
 
OP
Faun

Wahahaha~!
Staff member
lol...a lot happened here guys :p

Ok, now the next step is to integrate PayPal with the website. If I put the amount in a hidden field, then it can be changed very easily by tampering with the HTTP header.

Has anyone got some experience with that ? What should I do ?
 

gopi_vbboy

Cyborg Agent
> lol...a lot happened here guys :p
>
> Ok, now the next step is to integrate PayPal with the website. If I put the amount in a hidden field, then it can be changed very easily by tampering with the HTTP header.
>
> Has anyone got some experience with that ? What should I do ?

Yes, never use hidden fields for posting critical data, as they can be manipulated.

Always code business logic in the PHP code-behind and not in front-end JS.

Better to add dual validation, on the server side and the client side.
 

nbaztec

Master KOD3R
> lol...a lot happened here guys :p
>
> Ok, now the next step is to integrate PayPal with the website. If I put the amount in a hidden field, then it can be changed very easily by tampering with the HTTP header.
>
> Has anyone got some experience with that ? What should I do ?

Use PayPal's own code; IIRC they have a GET request header.
 