I have recently been working on my first-ever true PHP project, ClassChat.
It includes all of the basic features of a web chat plus more, including individual chat rooms, live updates, full message formatting, and more.
The GitHub repo can be found here: https://github.com/calclover2514/ClassChat
A live preview of the latest updates can be found here: https://classchat.calclover2514.repl.co
I'm open to all suggestions, bug reports, optimization requests, etc. as long as they are constructive for my learning of PHP.
And yes, some of this content was taken from tutorials. I'm just learning PHP, so cut me a break. (;

Current features (as of v0.4.9b) include:
    ▪ Creating new chat rooms
    ▪ Managing/Deleting chat rooms
    ▪ Generating room links
    ▪ Sending images and formatted posts (Uses HTML)
    ▪ Voice-to-text
    ▪ Swear word filtering
    ▪ Individual Admin accounts with custom passwords
    ▪ Randomly generated user ID colors seeded with the user's ID
    ▪ Endless semi-public chat rooms
    ▪ User join notifications
    ▪ Message send dates
Misc commentary:
  • Why do several of your .php files not contain any PHP code (it's confusing and slightly inefficient)?
  • Using raw cookie values to construct filesystem paths is vulnerable to directory traversal to extract secrets from your server.
  • Attaching an event listener to window.onclick seems inefficient, since it'll need to run your code for every click. Seems better to attach listeners to each element you care about individually.
  • It's trivial to bypass authentication by inspecting the response to getpwd, since it's enforced only on the client.
  • It doesn't work at all in browsers that don't support speech recognition because you try to use recognition even if it's not available.
  • Long-lived rooms will have very poor performance as it needs to scan the entire log for new messages. This is difficult to fix when using filesystem storage as you are, but a not-too-hard approach might be to split logs by time (such that each file only has one hour's worth of log in it or something).
There are probably more things that are weird about this, but I don't want to spend too much time trying to pick it apart.
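One server-side way to close the directory-traversal hole described in item 2, as an added example that is not code from the ClassChat repository: the room name taken from the cookie is checked against an allowlist pattern before it is ever joined to a path, and the resolved path is confirmed to stay under the log directory. It assumes a `rooms` directory next to the script with one `<room>.txt` file per room and a cookie named `room`; both are assumptions, not the project's actual layout.

```php
<?php
// Added example (not code from the ClassChat repository): turning the room name
// carried in a cookie into a log file path without allowing directory traversal.
// Assumed layout: every room log lives directly under LOG_DIR as <room>.txt.

const LOG_DIR = __DIR__ . '/rooms';   // assumed location of the room logs

/**
 * Return the absolute path of a room's log file, or null if the name is not
 * acceptable. The name is checked against an allowlist pattern first; then the
 * resolved path is confirmed to still lie inside LOG_DIR.
 */
function roomLogPath(string $room): ?string
{
    // Allowlist: letters, digits, underscore and hyphen, 1 to 32 characters.
    // \z (not $) so a trailing newline cannot sneak through. Anything else,
    // including slashes and "..", is rejected outright, so the value can only
    // ever name a file directly inside LOG_DIR.
    if (!preg_match('/^[A-Za-z0-9_-]{1,32}\z/', $room)) {
        return null;
    }

    $base = realpath(LOG_DIR);
    if ($base === false) {
        return null;                      // log directory does not exist yet
    }

    $candidate = $base . DIRECTORY_SEPARATOR . $room . '.txt';

    // Defence in depth: if the file already exists, make sure its resolved
    // location (following symlinks) is still beneath the log directory.
    $resolved = realpath($candidate);
    $prefix   = $base . DIRECTORY_SEPARATOR;
    if ($resolved !== false && strncmp($resolved, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// In a request handler the value would come from the cookie (assumed name), e.g.
//   $path = roomLogPath((string) ($_COOKIE['room'] ?? ''));
// Constructed sample values for a stand-alone run:
if (!is_dir(LOG_DIR)) {
    mkdir(LOG_DIR, 0750, true);
}
$samples = [
    'homework-help',        // acceptable room name
    '../../config.php',     // traversal attempt, rejected by the allowlist
    'math 101',             // space is not in the allowlist, rejected
    str_repeat('a', 40),    // too long, rejected
];
foreach ($samples as $value) {
    printf("%-22s => %s\n", $value, roomLogPath($value) ?? 'REJECTED');
}
```

Because the allowlist alone already rules out every separator, the `realpath` comparison only matters when a log file has been replaced by a symlink on the server; it is cheap, so it is worth keeping. The same validated name should be used for every other place the room name reaches (room links, delete actions), not just the log path.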
Tari wrote:
Misc commentary:
    1. Why do several of your .php files not contain any PHP code (it's confusing and slightly inefficient)?
    2. Using raw cookie values to construct filesystem paths is vulnerable to directory traversal to extract secrets from your server.
    3. Attaching an event listener to window.onclick seems inefficient, since it'll need to run your code for every click. Seems better to attach listeners to each element you care about individually.
    4. It's trivial to bypass authentication by inspecting the response to getpwd, since it's enforced only on the client.
    5. It doesn't work at all in browsers that don't support speech recognition because you try to use recognition even if it's not available.
    6. Long-lived rooms will have very poor performance as it needs to scan the entire log for new messages. This is difficult to fix when using filesystem storage as you are, but a not-too-hard approach might be to split logs by time (such that each file only has one hour's worth of log in it or something).
There are probably more things that are weird about this, but I don't want to spend too much time trying to pick it apart.

    1. Can I use .HTML?
    2. I didn't even try to optimize this for security yet (Also, what I'm doing with the cookies is hard to do any other way, and the said data is not supposed to be hidden anyway - it's the name of the chatroom)
    3. I'm using window.onclick to hide dropdowns when the user clicks away from them. I'm not sure how else to do this.
    4. Again, not optimized for security yet, although I could fix this one pretty easily.
    5. Isn't that only IE (in which case my CSS is probably broken too :P)? (Safari?)
    6. Splitting up the logs by time is not a bad idea, although I'm not sure yet how I would implement this. I'll look into it.
calclover2514 wrote:
Tari wrote:
Misc commentary:
    1. Why do several of your .php files not contain any PHP code (it's confusing and slightly inefficient)?
    2. Using raw cookie values to construct filesystem paths is vulnerable to directory traversal to extract secrets from your server.
    3. Attaching an event listener to window.onclick seems inefficient, since it'll need to run your code for every click. Seems better to attach listeners to each element you care about individually.
    4. It's trivial to bypass authentication by inspecting the response to getpwd, since it's enforced only on the client.
    5. It doesn't work at all in browsers that don't support speech recognition because you try to use recognition even if it's not available.
    6. Long-lived rooms will have very poor performance as it needs to scan the entire log for new messages. This is difficult to fix when using filesystem storage as you are, but a not-too-hard approach might be to split logs by time (such that each file only has one hour's worth of log in it or something).
There are probably more things that are weird about this, but I don't want to spend too much time trying to pick it apart.

    1. Can I use .HTML?
    2. I didn't even try to optimize this for security yet (Also, what I'm doing with the cookies is hard to do any other way, and the said data is not supposed to be hidden anyway - it's the name of the chatroom)
    3. I'm using window.onclick to hide dropdowns when the user clicks away from them. I'm not sure how else to do this.
    4. Again, not optimized for security yet, although I could fix this one pretty easily.
    5. Isn't that only IE (in which case my CSS is probably broken too :P)? (Safari?)
    6. Splitting up the logs by time is not a bad idea, although I'm not sure yet how I would implement this. I'll look into it.


I am pretty sure you can use .html files in a PHP server depending on which web server you choose.
calclover2514 wrote:
    1. Can I use .HTML?
    2. I didn't even try to optimize this for security yet (Also, what I'm doing with the cookies is hard to do any other way, and the said data is not supposed to be hidden anyway - it's the name of the chatroom)
    3. I'm using window.onclick to hide dropdowns when the user clicks away from them. I'm not sure how else to do this.
    4. Again, not optimized for security yet, although I could fix this one pretty easily.
    5. Isn't that only IE (in which case my CSS is probably broken too :P)? (Safari?)
    6. Splitting up the logs by time is not a bad idea, although I'm not sure yet how I would implement this. I'll look into it.


    1. You can, but I don't think there's anything wrong with using a .php extension. Most of my pages have some form of PHP because I call one or two headers, even if the core page is strictly HTML. It's not an issue for you yet, but as you get more pages that need to have the same header, it's ideal to split the header and footer into their own pages. Then you can include_once() the header and again for the footer. That way a change to the header (or the footer) is reflected on all the pages without having to manually update each one.

    2. That's fine. Ideally, you'll want to beef it up but accomplish that in project steps that you can tackle. Tari is just letting you know about potential risks. I find that projects are more digestible when I break them out into smaller projects. I need to implement a way for members to log in? I've never done that so I'll work on using one text field to get access to a "private" page. Then I worked on using two text fields; username and password. This let me make sure I was taking steps right. Now that I know how to do it I don't need to take those baby steps, haha. Likewise, when I expanded the "logged in" state from a single page to multiple pages. Baby steps. Be Xzibit: Yo dawg, I heard you like projects so put projects in your project so you can work on smaller projects while working on your project.

    5. Can confirm this happens in Safari.

    6. I recommend using GMT as your default time for logs. Use PHP or JS to create a new file at every set interval. Keep it time-consistent; every 100 messages could be 15 minutes or 3 hours, and it'll be confusing. If you ever need to recall a message from a day, you'll be able to quickly find it based on time. Similar to #2, work in project sizes you're comfortable with, but consider moving to a database at some point; this is the perfect project to learn.

    6. File names can be something human readable like chatroom-YYYY-MM-DD-HH.txt, or something more succinct like epoch time chatroom-1597025289.txt which you can quickly translate to a human readable format. You may even want to create a new directory for each chat room to keep things clean on your end. If you ever need to delete an entire chat room history, or share it, just locate the chatroom directory.
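The hourly-file layout suggested here (and in Tari's item 6 above), carried through in PHP as an added example that is not code from the ClassChat repository: files are named from the UTC hour, new messages are appended to the current hour's file, and a poll for "anything since my last message" opens only the hour files that can hold new messages, so a room that has run for months costs no more to poll than a fresh one. It assumes a `rooms/<room>/<room>-YYYY-MM-DD-HH.txt` layout with one JSON line per message and a room name that has already been validated; those are assumptions, not the project's format.

```php
<?php
// Added example (not code from the ClassChat repository): one log file per UTC
// hour per room, plus an incremental read that touches only the relevant hours.
// Assumed layout: rooms/<room>/<room>-YYYY-MM-DD-HH.txt, one JSON object per line.
// The room name is assumed to have been validated already (allowlist of [A-Za-z0-9_-]).

const ROOMS_DIR = __DIR__ . '/rooms';

/** Path of the log file covering the UTC hour that contains $timestamp. */
function hourlyLogPath(string $room, int $timestamp): string
{
    $hour = gmdate('Y-m-d-H', $timestamp);          // e.g. 2020-08-10-14
    return ROOMS_DIR . "/$room/$room-$hour.txt";
}

/** Append one message as a JSON line to the current hour's file. */
function appendMessage(string $room, string $user, string $text, ?int $now = null): void
{
    $now  = $now ?? time();
    $path = hourlyLogPath($room, $now);
    if (!is_dir(dirname($path))) {
        mkdir(dirname($path), 0750, true);          // one directory per room
    }
    $line = json_encode(['t' => $now, 'user' => $user, 'text' => $text]) . "\n";
    file_put_contents($path, $line, FILE_APPEND | LOCK_EX);
}

/**
 * Return messages with a timestamp newer than $since. Only the hour files from
 * the hour containing $since up to the current hour are opened.
 */
function messagesSince(string $room, int $since, ?int $now = null): array
{
    $now = $now ?? time();
    $out = [];
    // Walk hour by hour, starting at the beginning of the hour that holds $since.
    for ($h = $since - ($since % 3600); $h <= $now; $h += 3600) {
        $path = hourlyLogPath($room, $h);
        if (!is_file($path)) {
            continue;                               // quiet hour, nothing written
        }
        foreach (file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
            $msg = json_decode($line, true);
            if (is_array($msg) && ($msg['t'] ?? 0) > $since) {
                $out[] = $msg;
            }
        }
    }
    return $out;
}

// Constructed demonstration: three messages spanning an hour boundary.
$room = 'demo-' . getmypid();                       // fresh room name per run
$t0   = gmmktime(14, 58, 0, 8, 10, 2020);            // 2020-08-10 14:58:00 UTC
appendMessage($room, 'alice', 'hello', $t0);
appendMessage($room, 'bob', 'hi', $t0 + 60);         // 14:59, same hour file
appendMessage($room, 'alice', 'still here', $t0 + 300); // 15:03, next hour file

// A client that last saw the 14:59 message asks for everything after it.
foreach (messagesSince($room, $t0 + 60, $t0 + 300) as $m) {
    echo gmdate('H:i', $m['t']), " {$m['user']}: {$m['text']}\n";
}
```

Two practical notes: the poll is keyed on whole seconds, so a message written in the same second as the one the client last saw would be skipped on the next poll; a per-message sequence number in the JSON line avoids that. And `LOCK_EX` on the append matters because several PHP requests can write to the same hour file at once.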
calclover2514 wrote:
    3. I'm using window.onclick to hide dropdowns when the user clicks away from them. I'm not sure how else to do this.

3. What you're looking for is the onblur event.
Regarding your use of seedrandom.js, it's pretty inefficient to load ~2kb of js to generate random numbers that are used once to pick background and text colors, you should just use Math.random. You can't seed it, but I don't see why that matters.
Also, encoding the password in base 64 is not encryption.
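What replacing the base64 password and the client-only check (Tari's item 4 above) looks like on the server, as an added example that is not code from the ClassChat repository: the stored value is a `password_hash()` result, the comparison happens in PHP with `password_verify()`, and admin-only actions are gated on the server session rather than on anything the browser reports. The admin store, the `name`/`password` form fields and the session key `admin` are assumptions for the example.

```php
<?php
// Added example (not code from the ClassChat repository): checking an admin
// password on the server with password_hash()/password_verify(). The browser
// only learns whether the login succeeded; it never receives the password or
// anything it can decode, which is the difference from a base64 string
// (base64_decode() reverses base64 in one call; a password hash is one-way).
// Assumed: admins are kept as name => hash (in a file or a database table).

/** Called when an admin account is created; stores a salted hash, not the password. */
function addAdmin(array &$admins, string $name, string $password): void
{
    $admins[$name] = password_hash($password, PASSWORD_DEFAULT);
}

/**
 * Server-side check for a login request. An unknown name is verified against a
 * throwaway hash so that a wrong name and a wrong password take similar time.
 */
function verifyAdmin(array $admins, string $name, string $password): bool
{
    static $dummy = null;
    $dummy = $dummy ?? password_hash('not-a-real-password', PASSWORD_DEFAULT);

    $hash = $admins[$name] ?? null;
    $ok   = password_verify($password, $hash ?? $dummy);
    return $ok && $hash !== null;
}

/**
 * Guard for admin-only requests (deleting a room, changing its password, ...).
 * Relies on the session the server set after a successful verifyAdmin(), not
 * on any flag or value the client sends.
 */
function requireAdmin(): string
{
    if (empty($_SESSION['admin'])) {
        http_response_code(403);
        exit('admin login required');
    }
    return $_SESSION['admin'];
}

// Sketch of the login endpoint (assumed field and session names):
//   session_start();
//   if (verifyAdmin($admins, $_POST['name'] ?? '', $_POST['password'] ?? '')) {
//       session_regenerate_id(true);      // new session id once the user is trusted
//       $_SESSION['admin'] = $_POST['name'];
//   }
//   echo json_encode(['ok' => !empty($_SESSION['admin'])]);  // no secret in the reply

// Constructed stand-alone demonstration:
$admins = [];
addAdmin($admins, 'room-owner', 'correct horse battery staple');
var_dump(verifyAdmin($admins, 'room-owner', 'correct horse battery staple')); // correct password
var_dump(verifyAdmin($admins, 'room-owner', 'guess'));                         // wrong password
var_dump(verifyAdmin($admins, 'nobody', 'guess'));                             // unknown admin
```

With this in place the `getpwd`-style endpoint has no reason to exist: the page that needs an admin action calls `requireAdmin()` at the top, and the only thing the JavaScript side does is submit the form and react to the yes/no answer.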
mr womp womp wrote:
calclover2514 wrote:
    3. I'm using window.onclick to hide dropdowns when the user clicks away from them. I'm not sure how else to do this.

3. What you're looking for is the onblur event.
Regarding your use of seedrandom.js, it's pretty inefficient to load ~2kb of js to generate random numbers that are used once to pick background and text colors, you should just use Math.random. You can't seed it, but I don't see why that matters.
Also, encoding the password in base 64 is not encryption.

I am seeding it with the username of the user who posted it, therefore making each username have a unique color. Also, onblur is a good idea :)
Also, I have moved on to other projects at this point, and I wasn't exactly going for security when I wrote this. :P