Usability Testing & Web Design, Security Best Practices

Wednesday, December 13, 2006
Office presentation icon WebGroupPres_JanKnight.ppt1.04 MB

State of the Web:

There has been no new information on the directive from Dr. Shelton about the consistent UA web banners to appear on each UA website; the color palette that was supplied by an outside company that contains complimentary colors to UA Red & Blue is not yet available.

Usability Testing & Web Design

Jan Knight Research Specialist, Learning Technology Center Attachment: PowerPoint [1,065 KB]

LTC provides a campus-wide Usability Testing service at a cost. Sometimes the testing is only for tweaking an existing site but more often for a redesign of a website.

  • typically test 2 or 3 users from each audience demographic;
  • one-on-one sessions in a private location at LTC;
  • A final report is given to the department with recommendations;
  • Quote based on size of site;

The Powerpoint attachment provides details on the process used for testing and many suggestions on how to make your site more usable.


  • Why test if you will be totally redesigning a site? -- It lets you find out what the users feel is important on your site; gives suggestions on labeling; find out what is good with current site; what is the most useful on site.

Discussion - Best Practices

Todd Merrit Systems Programmer, CCIT

Form Validation

Not validating form input can open up security holes. Users can alter the query you are expecting as input. You should not trust user input.

All forms should be validated to strip these characters:

& ; ` ' \ " | * ? ~ < > ^ ( ) [ ] { } $ \n \r


Can use functions to strip characters:


  • tr or regular expression replacement in perl
  • preg_replace or ereg_replace functions in php


  • turn off global variables
  • use safe mode
  • disable allow_url_fopen
  • use import_request_variables() to import user input
  • users can search for files that include phpinfo and use the information to exploit your system.


  • use the -w flag
  • enable suexec in apache

Storing Credentials

  • Login username/password information needs to be secured;
  • Give file extension of .php so the content is not displayed over the web; never store it as plain text;
  • Store the conf file within an password protected subdirectory or below public_html
  • Use sessions for authorization rather than relying on a generic variable or user provided data

Get vs Post

Get shows data in the url string. It displays in the access log files. If the form is sending sensitive information, use method post instead of get.


There are two major categories of things to look for. The first would if the form input is going to be passed through some external command, or written to a file, you could just append ";/bin/ls" to the end of some form input and see if the resulting page contains a listing of files in their account. The second category would be sql injection. There isn't exactly a generic example for this, you'll really need to have some familiarity with the script that you want to try it on. You could try adding something like:

' OR 1=1

to an input field that is going to be inserted into an sql query that is expected to return false. If it returns true then you can tell that something is wrong. If you want to test an insert statement, you could try appending:

and then check to see if an additional row was inserted into the table

Use of mysql_real_escape_string() function in PHP can mitigate these risks