Testers Wanted

RichardR

Original Poster:

2,907 posts

294 months

Saturday 20th March 2004
Before I get started, I just wanted to let you know that I've checked with Ted and he's happy for me to make this request...

I've spent the last few months writing a new website to allow people to acquire and/or dispose of ('buy' and 'sell' in effect) existing leases on vehicles, and I've now reached the stage where I've done most of my testing and am just about ready to launch it. However, most of you will probably know that it's never a good idea to rely solely on testing that you've carried out on your own work, and this is where you good people come in....

I'm hoping that some of you might be able to spare a bit of your precious time, even if it's only 10 minutes, to have a bit of a play around with the site and see if you can find any problems or usability issues. The things I'm particularly interested in are:

- Errors encountered during normal usage
- Areas where the site can be 'broken' (normally by carrying out an unexpected action)
- Usability problems e.g. unclear screens, lack of explanations, unhelpful/confusing messages, difficult-to-use processes

To give you an idea of the general areas of the system, from a testing point of view, the high-level functionality breaks down as follows:

- Register as a user
- Amend user details and validate email addresses
- Login / logout (inc. password reminders)
- Search for a vehicle
- Add/remove vehicles from favourites list
- Advertise/delete a vehicle
- Add and validate vehicle photos
- View help and information (contact, charges etc.)

The data that's on the site is all test stuff, so please feel free to register and add, edit and delete vehicles to your heart's content. All the test data will be removed when the site goes live, so it really doesn't matter what goes in at this stage.

One other point to note is that, although I've been trying to keep the site browser independent, my development has centred around Microsoft Internet Explorer, and I have subsequently come across issues when testing with Netscape and Opera; these issues are currently preventing the site from functioning correctly within those browsers, but this won't be a problem if you're using IE.

If you are able to help at all I'd be very grateful. The address to use for testing the site is:

www.MotorLeaseExchange.com/testing

If you have any questions about this request or any aspects of the site, just drop me a message on this thread, or email me through my profile.

Thanks, in anticipation,

Richard

blondemoment

712 posts

280 months

Sunday 21st March 2004
I didn't have any problems and I had a good look round the site
Nice to see you've put TVR on there
I'm using IE, if that helps.

gopher

5,160 posts

285 months

Sunday 21st March 2004
had a quick look to try and break it.

You need to double check your user entries before submitting your query. I tried an easy SQL injection by placing a single quote in the prefix text box. This broke the page as it caused an error (good job you are not using a SQL Server db otherwise we would have had some real fun).

Ok so I could not get access to the db but it showed me that your functions were being held in vbi files and by pointing my browser at these could view the code in register/register.vbi and login/login.vbi, search appears to be the same.

These gave me more clues to the structure of your db including the fact that user details appear to be held in a "users" table, although it is good that you hid the connection string, although this appears to be a function of another vbi file, and if so may be as unsafe as the others, I will try to force a connection error to see if I can find the source.

Haven't got much time but will continue to look later.

Cheers

Paul

p.s you may see some unusual users in the db

edited to add

Set up some tests to run while I was out, starting to get a number of 500 errors when the concurrent users was set to 10, I suspect this will be connection issues to the access db which doesn't like too many user connections at the same time (I've seen some Access db's fall over much before 10) the error shows as "Unspecified" however it occurs on your

objDBConnection.Open(vbGetDSN())

command.

(still looking for the source of this vbGetDSN() btw)



I notice you have registered the domain and are hosting with oneandone and assume you have the 9.99 per month package (smallest MS hosting that has an access db), I would seriously recommend that as soon as you get any traffic you upgrade to the SQL server account, but not before you fix the injection attack risk, otherwise as soon as you get more than 7-10 people using it at the same time they will get errors which is very off putting.

If oneandone allow it you could ask about using MySQL which is imo a much better db for web apps, and being open source, a lot cheaper (free I think), but this may be limited to their linux hosting accounts.

Also I would personally turn off the right click prevention - it only stops the idly curious and is like a red rag to a bull for anyone who really wants to see your html anyway, and it is easily countered.

HTH

Paul



>> Edited by gopher on Sunday 21st March 11:25

edited to add general comments.

Starting to get an increasing number of "unspecified errors"

this one is typical

Provider error '80004005'

Unspecified error

/search/search.asp, line 65

when trying a search - in this case for a saab, no other options selected. Unfortunately I can't replicate it all the time.

I have registered a trade account but when I try to add a car I'm asked to validate my email address which I had done a few hours earlier.

get

Provider error '80004005'

Unspecified error

/register/register.asp, line 164

when clicking on My Account and then My Details

then navigate to help/information then click back on browser and my details are shown correctly.

As a suggestion when you click on the major navigation links (advertise, find a vehicle, my account, help/information) I would show a default page in the body frameset, rather than the previous page - still have the minor links like Search and My Favourites, but perhaps default to the search page so at least the user can see something has changed. (I found it difficult to get used to looking for the minor links when it appeared that the content had not changed)

I think you could rename your include files to .asp - at least that way the code is not viewable if someone finds out the name of them - it would "run" as such but as they are all functions the asp would render nothing, but at least the code would not be viewable.

Personally I would drop the frameset as I find them a complete pain to use and to code, but that's my opinion.

Cheers

Paul




>> Edited by gopher on Sunday 21st March 12:20

julianhj

8,866 posts

288 months

Sunday 21st March 2004
I might be doing something wrong, but I can't seem to validate my email.

I get the validation email, click on the link, but when I go to my account details I'm still not validated.

RichardR

Original Poster:

2,907 posts

294 months

Sunday 21st March 2004
Thanks for the feedback everyone! Paul, I need to sit down and work through the points that you raised, and I'll respond to/resolve them individually then. It's all great stuff though - just the sort of detail I was looking for - I really appreciate your time with this!

blondemoment said:
Nice to see you've put TVR on there
Absolutely! (Enjoyed the article in Sprint BTW).

julianhj said:
I might be doing something wrong, but I can't seem to validate my email.

I get the validation email, click on the link, but when I go to my account details I'm still not validated.
When you click the link in the email you should be taken to a page showing the message "Thank you for activating your home email address. You will not need to do this process again unless you change your home email address at any stage.". Are you seeing that?

gopher

5,160 posts

285 months

Sunday 21st March 2004
Richard,

No problems, happy to help - if you want me to go through any of the points again you are more than welcome to mail me offline.

As for the email validation - I am getting the confirmation page but this is not having an effect when trying to add a vehicle later. I am not sure but I have had a problem with email validation when I use a hotmail account (funnily enough with trying to validate my email for Microsoft webcasts!)

Cheers

Paul

julianhj

8,866 posts

288 months

Sunday 21st March 2004
RichardR said:
When you click the link in the email you should be taken to a page showing the message "Thank you for activating your home email address. You will not need to do this process again unless you change your home email address at any stage.". Are you seeing that?


No, I'm not getting that. I'll have another go

RichardR

Original Poster:

2,907 posts

294 months

Tuesday 23rd March 2004
julianhj said:

RichardR said:
When you click the link in the email you should be taken to a page showing the message "Thank you for activating your home email address. You will not need to do this process again unless you change your home email address at any stage.". Are you seeing that?



No, I'm not getting that. I'll have another go

gopher said:
As for the email validation - I am getting the confirmation page but this is not having an effect when trying to add a vehicle later. I am not sure but I have had a problem with email validation when I use a hotmail account (funnily enough with trying to validate my email for Microsoft webcasts!)
I've fixed the email validation problem which was caused by the handling of URL parameters within my frameset checking code and was symptomatic of the way that Hotmail opens URLs within its own frameset.

You should be able to validate successfully now using the original emails you were sent.

RichardR

Original Poster:

2,907 posts

294 months

Tuesday 23rd March 2004
Hi Paul,

Finally got round to having a crack at the points you raised...

gopher said:
had a quick look to try and break it.

You need to double check your user entries before submitting your query. I tried an easy SQL injection by placing a single quote in the prefix text box. This broke the page as it caused an error (good job you are not using a SQL Server db otherwise we would have had some real fun).
I've added a new function to check for and handle single quotes within fields. If you try this again now it should (hopefully) just save the contents of the field correctly with the single quote in it.

gopher said:
Ok so I could not get access to the db but it showed me that your functions were being held in vbi files and by pointing my browser at these could view the code in register/register.vbi and login/login.vbi, search appears to be the same.

These gave me more clues to the structure of your db including the fact that user details appear to be held in a "users" table, although it is good that you hid the connection string, although this appears to be a function of another vbi file, and if so may be as unsafe as the others, I will try to force a connection error to see if I can find the source.
As suggested, I've changed all the .vbi files to be .asp so you should now be prevented from seeing the source.

gopher said:
Set up some tests to run while I was out, starting to get a number of 500 errors when the concurrent users was set to 10, I suspect this will be connection issues to the access db which doesn't like too many user connections at the same time (I've seen some Access db's fall over much before 10) the error shows as "Unspecified" however it occurs on your

objDBConnection.Open(vbGetDSN())

command.
I've now changed my connection to be DSNless which should make it more robust hopefully.

gopher said:
(still looking for the source of this vbGetDSN() btw)
Not in a .vbi anymore!

gopher said:
I notice you have registered the domain and are hosting with oneandone and assume you have the 9.99 per month package (smallest MS hosting that has an access db), I would seriously recommend that as soon as you get any traffic you upgrade to the SQL server account, but not before you fix the injection attack risk, otherwise as soon as you get more than 7-10 people using it at the same time they will get errors which is very off putting.
As you suspected, I am using the 9.99 package with One&One. I decided to start off with this and then switch to the MS SQL package if I start getting the traffic to justify it. I could make the switch very quickly so I'm happy with this plan.

gopher said:
Also I would personally turn off the right click prevention - it only stops the idly curious and is like a red rag to a bull for anyone who really wants to see your html anyway, and it is easily countered.
Fair enough! It's done.

gopher said:
Starting to get an increasing number of "unspecified errors"

this one is typical

Provider error '80004005'

Unspecified error

/search/search.asp, line 65

when trying a search - in this case for a saab, no other options selected. Unfortunately I can't replicate it all the time.
Again, this is apparently symptomatic of a system DSN connection to Access. The DSNless connection should improve/prevent this.

gopher said:
I have registered a trade account but when I try to add a car I'm asked to validate my email address which I had done a few hours earlier.
This may be connected to the validation problem I noted in the previous posting.

gopher said:
As a suggestion when you click on the major navigation links (advertise, find a vehicle, my account, help/information) I would show a default page in the body frameset, rather than the previous page - still have the minor links like Search and My Favourites, but perhaps default to the search page so at least the user can see something has changed. (I found it difficult to get used to looking for the minor links when it appeared that the content had not changed)
Done.

gopher said:
I think you could rename your include files to .asp - at least that way the code is not viewable if someone finds out the name of them - it would "run" as such but as they are all functions the asp would render nothing, but at least the code would not be viewable.
Also done - see above.

gopher said:
Personally I would drop the frameset as I find them a complete pain to use and to code, but that's my opinion.
The main reason I wanted to use the frameset was for the persistence of the peripheral pages and particularly the search page. However, I do have to agree with your assertion - they are a pain in the arse to code!


Thanks again for all your input. If you get a chance to review the changes I've detailed above I'd be really grateful.

Cheers,

Richard
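
An added example, not code from the site or from anyone in the thread: the single-quote test and the quote-handling fix discussed above, reproduced in Python with an in-memory SQLite table standing in for the Access database. The table layout, function names and sample values are assumptions; it also covers a numeric field, where quote handling has nothing to act on and only a bound parameter keeps the input as data.

```python
import sqlite3

def make_db():
    # Constructed in-memory table standing in for the "users" table named in the thread.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, prefix TEXT, surname TEXT)")
    db.executemany("INSERT INTO users (prefix, surname) VALUES (?, ?)",
                   [("Mr", "Smith"), ("Ms", "Jones")])
    return db

def double_quotes(value):
    # Hypothetical quote-handling helper: ' becomes '' inside a SQL string literal.
    return value.replace("'", "''")

def register_concat(db, prefix, surname, fix_quotes=False):
    # Field values are pasted into the SQL text, optionally quote-doubled first.
    if fix_quotes:
        prefix, surname = double_quotes(prefix), double_quotes(surname)
    db.execute("INSERT INTO users (prefix, surname) VALUES ('%s', '%s')"
               % (prefix, surname))

def register_bound(db, prefix, surname):
    # Values travel as parameters and are never parsed as SQL.
    db.execute("INSERT INTO users (prefix, surname) VALUES (?, ?)", (prefix, surname))

def surnames_by_id_concat(db, user_id):
    # Numeric context: no surrounding quotes, so quote-doubling changes nothing.
    sql = "SELECT surname FROM users WHERE id = " + double_quotes(user_id)
    return [row[0] for row in db.execute(sql)]

def surnames_by_id_bound(db, user_id):
    return [row[0] for row in db.execute(
        "SELECT surname FROM users WHERE id = ?", (user_id,))]

def quote_breaks_concat(db):
    # True when a lone single quote in the prefix box makes the statement unparseable.
    try:
        register_concat(db, "'", "Brien")
    except sqlite3.OperationalError:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    print("quote breaks concatenated SQL:", quote_breaks_concat(db))
    register_bound(db, "'", "Brien")
    print(db.execute("SELECT prefix, surname FROM users").fetchall())
    print("concat, numeric field:", surnames_by_id_concat(db, "0 OR 1=1"))
    print("bound, numeric field: ", surnames_by_id_bound(db, "0 OR 1=1"))
```
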

gopher

5,160 posts

285 months

Tuesday 23rd March 2004
Hi Richard

Everything does appear a lot more stable now, and the email verification has worked.

I will run a concurrency test later, I think the DSN-less connection may improve this slightly as well.

Cheers

Paul

RichardR

Original Poster:

2,907 posts

294 months

Tuesday 23rd March 2004
Hi Paul,

That's excellent news! It'll be interesting to see how the concurrency tests go as well.

If you fancy sacrificing a bit more of your valuable time to my cause, it'd be great if you could have a bit of a play with the vehicle stuff as there's a bunch of additional validation stuff on there, including a photo verification process that could do with some proving.

If you find yourself further east at any point, you'll have to let me know so that I can stand you a or ten!

Thanks again,

Richard

RichardR

Original Poster:

2,907 posts

294 months

Thursday 25th March 2004
Hi Paul,

Thanks for the concurrency test results - YHM.

Regards,

Richard

m12_nathan

5,138 posts

285 months

Sunday 28th March 2004
Microsoft JET Database Engine error '80040e07'

Data type mismatch in criteria expression.

/register/register_vbi.asp, line 200

m12_nathan

5,138 posts

285 months

Sunday 28th March 2004
When username or password is wrong say just that, don't let anyone know that the password is wrong but the username is correct as you currently do.

m12_nathan

5,138 posts

285 months

Sunday 28th March 2004
Microsoft JET Database Engine error '80040e14'

Syntax error in ORDER BY clause.

/search/search_vbi.asp, line 226

RichardR

Original Poster:

2,907 posts

294 months

Monday 29th March 2004
Hi Nathan,

Thanks for the feedback. If you have a moment, would you be able to tell me what data you'd entered on the registration window before you got the error, and what criteria you'd specified on the search window? Also, are you able to reproduce these problems, or were they one-offs?

As per your suggestion, I've also changed the incorrect password message to be less specific.

Thanks,

Richard
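
An added example, not the site's code: the login-message advice from the thread, with a login check that names the failing field beside one that returns a single message for both failures. The account store, the PBKDF2 hashing and all names are assumptions; the dummy record makes an unknown username cost the same hashing work as a known one, so response time does not give away what the message hides.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000
GENERIC_ERROR = "Username or password is incorrect."

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_user(password):
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}

# Constructed account store for the example.
USERS = {"richard": make_user("correct horse")}
# Dummy record checked when the username is unknown, so both paths do equal work.
DUMMY = make_user("placeholder")

def login_specific(username, password):
    # Before: distinct messages tell a caller which usernames are registered.
    user = USERS.get(username)
    if user is None:
        return "Unknown username."
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["hash"]):
        return "Incorrect password."
    return "OK"

def login_generic(username, password):
    # After: one message for both failures, and the hash is always computed.
    user = USERS.get(username)
    record = user or DUMMY
    matches = hmac.compare_digest(hash_password(password, record["salt"]),
                                  record["hash"])
    if user is None or not matches:
        return GENERIC_ERROR
    return "OK"

if __name__ == "__main__":
    for name in ("richard", "nobody"):
        print(name, "|", login_specific(name, "guess"), "|", login_generic(name, "guess"))
```
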