The Pants Awards archive

The Pants Awards were satirical (and snarky) 'awards' I gave to bloggers and webmasters between 2006 and 2011, typically because they gave out bad code advice that was dangerous to fellow webmasters. The vast majority of the recipients were not happy about receiving a Pants Award, but most have since admitted that they needed it.

In hindsight, a 'carrot' rather than 'stick' approach probably would have worked better.

Pants: micromart.co.uk

The last time I mentioned Micro Mart on my blog was when I was ranting about their habit of “educating” their readers with a poor standard of coding. My letter, as predicted by the majority of us, was not published or replied to. It did help me get that ‘moment’ off my chest though, heh. Anyway…

In the most recent issue, a World's Worst 100 Websites article was published, featuring the first 50 worst websites. I found this particularly amusing as the Micro Mart website is pretty crap itself, featuring some pretty awful coding and missing required alt attributes (e.g. <img border="0" src="/sites/micro_mart/images/this_weeks_cover.jpg"></img>).

There are rendering issues in both Firefox and Internet Explorer...

[Screenshot: overlapping text in Firefox]

[Screenshot: missing side borders in Internet Explorer]

...as well as an absolute crap-load of flashy, annoying adverts down the side, which is exactly what several of the supposedly "worst websites" got criticised for. The layout is quite obviously designed for 800×600 users but offers no fluid or resizeable version, which means everything is crammed into a tiny space, leaving over 600 pixels of screen width wasted when I maximise my browser.

The website relies on JavaScript for certain parts to work (the forum link on the side, unless you fancy clicking another link) without actually pointing this out with <noscript>, and the Copyright 2005 notice is set as a blank link (redundancy, yay). The entire site loads tediously slowly even when all of the adverts and images have been cached, and the amount of crud they stick on one page is off-putting.

The "REGISTER" page has several required fields and yet no note is made next to any of them to say so. A few have bolded labels (I say labels, but they're not: they're misappropriated table headers), but this doesn't seem to reflect anything in particular. There is no <form> around the input fields, and what validation there is of the fields is poorly done: I successfully entered "boobs" as a postcode, which is obviously invalid.

So, Micro Mart, because I doubt you’ll list yourself in your worst 100 websites list, you get the pants award:

[pants award]

Try cleaning up your own website before preaching about other people’s — only *I* am allowed to be a hypocrite, you know.

Edit (24th June): If you want to see the full list of supposedly “Worst Websites”, there’s a blogspot dedicated to it.

Pants: phpeasystep.com

It’s that time again — I’m dishing out another pants award.

This time it's phpeasystep.com which, according to their meta description, will "Teach you step-by-step with easy simple php code". Simple is the right word: completely basic, with no attempt at security whatsoever, leaving anybody who uses some of the tutorials at great risk of being exploited.

Let’s take a look at the Verifying email address tutorial:
// values sent from form
$name=$_POST['name'];
$email=$_POST['email'];
$country=$_POST['country'];

// Insert data into database
$sql="INSERT INTO $tbl_name(confirm_code, name, email, password, country)VALUES('$confirm_code', '$name', '$email', '$password', '$country')";
$result=mysql_query($sql);

Hands up if you know the problem here? Of course, anyone with any experience in PHP will automatically spot that data is taken straight from a form, assigned to variables and concatenated straight into an SQL string with no validation or escaping at all, which is textbook SQL injection. I refer back to point one of my Writing Your Own CMS article: security! And I quote:

Look after your data going in to the database by stripping out malicious scripts, HTML tags, PHP and the like.

There's no attempt at mail header injection protection either. The submitted address goes straight into the confirmation mail without being validated, so a value containing newlines followed by extra Cc: or Bcc: headers would make the script send the message to every address the malicious user chooses to append, turning the tutorial into a spam relay. Oh, and did anyone notice the weird comment in this tutorial which obviously doesn't apply? (// if $count not equal 1)
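To show what "look after your data going in" actually means for this tutorial, here is an added example (my code, not phpeasystep's) of the same registration step done properly: the address is validated and anything carrying a CR or LF is rejected, the row is inserted with bound parameters instead of string interpolation, and the password is hashed. The table name, the use of an in-memory SQLite database through PDO (so it runs offline; swap the DSN for MySQL in practice) and the sample input are all assumptions for the sake of a runnable demo, and mail() is never called: the block only builds the headers that would be sent.

```php
<?php
// Added example, not phpeasystep's code. Requires the pdo_sqlite extension.
declare(strict_types=1);

// Reject anything that is not a single syntactically valid address, and
// anything carrying CR/LF, which is what a header-injection payload needs.
function clean_email(string $raw): ?string
{
    if (preg_match('/[\r\n]/', $raw)) {
        return null;                       // "a@b.com\nBcc: ..." style input
    }
    $email = filter_var(trim($raw), FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// Confirmation codes must be unguessable: use a CSPRNG, not rand()/uniqid().
function make_confirm_code(): string
{
    return bin2hex(random_bytes(16));
}

// Assumed table layout, modelled on the columns in the tutorial's INSERT.
function setup_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE temp_members (
        confirm_code TEXT, name TEXT, email TEXT, password TEXT, country TEXT)');
    return $db;
}

// Bound parameters: the values travel separately from the SQL text, so a
// quote in $name or $email cannot change the shape of the query.
// Returns the confirm code, or null if the input was rejected.
function register(PDO $db, array $post): ?string
{
    $email = clean_email($post['email'] ?? '');
    if ($email === null) {
        return null;
    }
    $code = make_confirm_code();
    $stmt = $db->prepare('INSERT INTO temp_members
        (confirm_code, name, email, password, country) VALUES (?, ?, ?, ?, ?)');
    $stmt->execute([
        $code,
        $post['name'] ?? '',
        $email,
        password_hash($post['password'] ?? '', PASSWORD_DEFAULT), // never plain text
        $post['country'] ?? '',
    ]);
    return $code;
}

// The header block is built from a validated address and a fixed sender only;
// user input never reaches it, so no extra Cc:/Bcc: lines can be smuggled in.
function confirmation_headers(string $from): string
{
    return "From: $from\r\nReply-To: $from\r\n";
}

$db = setup_db();

// Constructed input: a header-injection attempt in the email field.
$evil = ['name' => "O'Brien", 'country' => 'UK', 'password' => 'hunter2',
         'email' => "victim@example.com\r\nBcc: a@example.org, b@example.org"];
var_dump(register($db, $evil));            // NULL: rejected, nothing inserted

// Constructed input: a legitimate registration (note the quote in the name).
$good = ['name' => "O'Brien", 'country' => 'UK', 'password' => 'hunter2',
         'email' => 'victim@example.com'];
$code = register($db, $good);
echo "confirm code for {$good['email']}: $code\n";
echo confirmation_headers('noreply@example.com');
```

The point is that escaping on the way out is not the fix for SQL injection; keeping data and query text apart with prepared statements is. Validation of the address and the CR/LF check are what stop the header injection, independently of the database.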

Moving swiftly on to the Sending forgotten password tutorial. I’d like to quote Katy here:

bloody hell, this is bad on so many levels..

Quite right. More unvalidated data being used in a database query, plain text passwords in the database, no confirmation that the user actually requested his password e-mailed to him.. oh, the humanity.

The Creating a simple PHP guestbook tutorial again inserts 'dirty' data into the database. The Upload and Rename File tutorial doesn't check the files being uploaded, meaning a virus could be uploaded, or a PHP file could be uploaded and then executed on the server to pull sensitive data from the database (or even delete it), show passwords, delete or edit files, etc. The PHP Login script tutorial is easily bypassed with a bit of SQL injection: insert "boob' or 'foo' = 'foo' -- " into the username field (with a trailing space, since MySQL only treats -- as a comment when it is followed by whitespace) and the query checks that foo is equal to foo (which it obviously is) and ignores everything after the comment marker, including the password check, rendering any password protection useless.
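The login bypass described above, as an added example that is not code from phpeasystep: a login function built the tutorial's way by string concatenation, which the payload walks straight through, beside one using bound parameters and password_verify(), which it does not. The table layout, the single test user and the in-memory SQLite database via PDO are assumptions so that it runs offline (the plain-text password column exists only to mirror the tutorial); the payload keeps its trailing space so the same string also works as a comment on MySQL.

```php
<?php
// Added example, not phpeasystep's code. Requires the pdo_sqlite extension.
declare(strict_types=1);

function setup_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Assumed layout. 'password' is plain text only to mirror the tutorial;
    // the fixed login reads 'password_hash' instead.
    $db->exec('CREATE TABLE members (username TEXT, password TEXT, password_hash TEXT)');
    $stmt = $db->prepare('INSERT INTO members VALUES (?, ?, ?)');
    $stmt->execute(['alice', 's3cret', password_hash('s3cret', PASSWORD_DEFAULT)]);
    return $db;
}

// Vulnerable: the query is assembled from raw form values, as in the tutorial.
function login_vulnerable(PDO $db, string $user, string $pass): bool
{
    $sql = "SELECT * FROM members WHERE username='$user' AND password='$pass'";
    echo "executed: $sql\n";
    return count($db->query($sql)->fetchAll()) >= 1;
}

// Fixed: the username is a bound parameter, so quotes and comment markers are
// just characters in a value, and the password is checked against a hash.
function login_safe(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM members WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($pass, $row['password_hash']);
}

$db = setup_db();

// The payload from the post. The trailing space matters on MySQL, where "--"
// only starts a comment when followed by whitespace; SQLite accepts it either way.
$payload = "boob' or 'foo' = 'foo' -- ";

var_dump(login_vulnerable($db, $payload, 'wrong'));   // bool(true): bypassed
var_dump(login_safe($db, $payload, 'wrong'));         // bool(false): no such user
var_dump(login_safe($db, 'alice', 's3cret'));         // bool(true): real login
```

The echoed query makes the mechanism visible: after substitution it reads `... WHERE username='boob' or 'foo' = 'foo' -- ' AND password='wrong'`, and everything from the comment marker onwards, including the password clause, is thrown away by the database.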

So, phpeasystep.com, you’ve won the pants award:

[pants award]

Please clean up your tutorials; you're putting people at risk.