WeBid - auction script

Thanks simpleauction

Nice software, does what it's supposed to do.

Found a lot of problems with WeBid: 1. The organization of UI messages is terrible: some data are kept in the database, some on the disk in the message file, some inside the PHP scripts. 2. Storing logs on the disk in predefined location allows anybody see them. Storage in database would allow better control/analysis/management(removal of old entries etc). 3. Javascript issues: a) About half of the pages do not work if JS is completely disabled, while should. b) Care is not taken about possible XSS. About 20% of all <input type="text"> and <input type="hidden"> do not filter <script>. The quotes are filtered, but one can easily overcome this using String.fromCharCode(...). In the web search for Webid + XSS gives a few of them, but there is MUCH more. For example, when submititng auction, in auction submission (sell.php) user may insert arbitary code in several ways. 4. WeBid logs only user logins, it does not log what exactly the users are doing. This is necessary to detect testers of SQL injection, popularity of different items etc. 5. Financial part: if You are going to run a legal website and would like to accept money for using it, You MUST make different financial reports for paying taxes. In WeBid this possibility is absent. In general I do not think this code may be used for serious commercial project, it is still too raw.