FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » Secure website
Show: Today's Messages :: Polls :: Message Navigator
Switch to threaded view of this topic Create a new topic Submit Reply
Secure website [message #183534] Wed, 30 October 2013 03:02 Go to next message
Graham Hobbs is currently offline  Graham Hobbs
Messages: 42
Registered: September 2010
Karma: 0
Member
Hellop,

I have an ordinary website (all PHP), it has no 'conscious'
protections, just code that does a job. One page (not written yet
because I don't know how), will advertise a product for sale.

My concept is that a buyer goes to a paypal screen, does the
necessary, when payment is verfified and paid, an email is
automatically sent to the buyer with a download key. At the buyers
dicretion, they go to the download page, enter the key and the
software gets downloaded. Is this sort of thing a novice PHP'er could
do.

I'd like to be sort of semi-conversant before I contact paypal. Is the
above feasible, is my ordinary website secure, is there a specific set
of PHP'ish or other 'things to do'
e.g.
.... how to prevent more than one download, do I store the software
package on my ISP's server, is it safe, since it has several exe files
would they be in a zip file, how to assign a download key, let the
whole process be automated?

... starter clues appreciated, thanks,

Graham Hobbs
Re: Secure website [message #183535 is a reply to message #183534] Wed, 30 October 2013 03:26 Go to previous messageGo to next message
Denis McMahon is currently offline  Denis McMahon
Messages: 634
Registered: September 2010
Karma: 0
Senior Member
On Tue, 29 Oct 2013 23:02:02 -0400, Graham Hobbs wrote:

> My concept is that a buyer goes to a paypal screen, does the necessary,
> when payment is verfified and paid, an email is automatically sent to
> the buyer with a download key. At the buyers dicretion, they go to the
> download page, enter the key and the software gets downloaded. Is this
> sort of thing a novice PHP'er could do.

I've done one commerce site that uses the paypal api - their
documentation and examples at the time (a couple of years ago now) left a
fair bit to be desired - I suspect the documentation and examples were
for slightly different versions of the api, neither of which was the
current one.

I don't know what their rules are about payment for transactions
involving electronic deliverables (or even if they have any specific
rules for such), or how you would protect yourself from people claiming
that they paid and you didn't deliver the goods etc?

--
Denis McMahon, denismfmcmahon(at)gmail(dot)com
Re: Secure website [message #183537 is a reply to message #183534] Wed, 30 October 2013 05:52 Go to previous messageGo to next message
J.O. Aho is currently offline  J.O. Aho
Messages: 194
Registered: September 2010
Karma: 0
Senior Member
On 30/10/13 04:02, Graham Hobbs wrote:
> Hellop,
>
> I have an ordinary website (all PHP), it has no 'conscious'
> protections, just code that does a job. One page (not written yet
> because I don't know how), will advertise a product for sale.
>
> My concept is that a buyer goes to a paypal screen, does the
> necessary, when payment is verfified and paid, an email is
> automatically sent to the buyer with a download key. At the buyers
> dicretion, they go to the download page, enter the key and the
> software gets downloaded. Is this sort of thing a novice PHP'er could
> do.

Sure a novice coder could do it, but the question is if it's a good
solution they do or not.

> ... how to prevent more than one download, do I store the software
> package on my ISP's server, is it safe, since it has several exe files
> would they be in a zip file, how to assign a download key, let the
> whole process be automated?

You store the key in a database, together which package, who and a
download time.
When the user request for the file, you check against the database to
see if the row has a download time, if not allow the start of the
download (keep in mind that the user do not get a direct download link,
but it's the php which serves the content to the user) and when the
whole file been sent, then update the row with a download time.

See to that the zip files ain't located in the DocumentRoot directory,
for it they do, then you can download them without the need of the key
you want to send.

And yes, it can be made completely automated, take advantige of the
PayPal IPN system and do not forget that PayPal transactions has a highe
chargeback fee and customers do more disbutes than with other payment
alternatives, so somone could pay and download your product and then
disbute the payment and in worst case you will have to pay for it, so
you need to log everything on your site, so you can proof that the
customer did download the product they paied for.

--

//Aho
Re: Secure website [message #183542 is a reply to message #183537] Wed, 30 October 2013 14:47 Go to previous messageGo to next message
Graham Hobbs is currently offline  Graham Hobbs
Messages: 42
Registered: September 2010
Karma: 0
Member
On Wed, 30 Oct 2013 06:52:01 +0100, "J.O. Aho" <user(at)example(dot)net>
wrote:

> On 30/10/13 04:02, Graham Hobbs wrote:
>> Hellop,
>>
>> I have an ordinary website (all PHP), it has no 'conscious'
>> protections, just code that does a job. One page (not written yet
>> because I don't know how), will advertise a product for sale.
>>
>> My concept is that a buyer goes to a paypal screen, does the
>> necessary, when payment is verfified and paid, an email is
>> automatically sent to the buyer with a download key. At the buyers
>> dicretion, they go to the download page, enter the key and the
>> software gets downloaded. Is this sort of thing a novice PHP'er could
>> do.
>
> Sure a novice coder could do it, but the question is if it's a good
> solution they do or not.
>
>> ... how to prevent more than one download, do I store the software
>> package on my ISP's server, is it safe, since it has several exe files
>> would they be in a zip file, how to assign a download key, let the
>> whole process be automated?
>
> You store the key in a database, together which package, who and a
> download time.
> When the user request for the file, you check against the database to
> see if the row has a download time, if not allow the start of the
> download (keep in mind that the user do not get a direct download link,
> but it's the php which serves the content to the user) and when the
> whole file been sent, then update the row with a download time.
>
> See to that the zip files ain't located in the DocumentRoot directory,
> for it they do, then you can download them without the need of the key
> you want to send.
>
> And yes, it can be made completely automated, take advantige of the
> PayPal IPN system and do not forget that PayPal transactions has a highe
> chargeback fee and customers do more disbutes than with other payment
> alternatives, so somone could pay and download your product and then
> disbute the payment and in worst case you will have to pay for it, so
> you need to log everything on your site, so you can proof that the
> customer did download the product they paied for.
---
Gentlemen,
Thanks for that info. It seems I need to learn the comcepts behind
post/get/database etc .. is this how one codes for a dialogue with my
site? Besides the PHP manual, might there be such things as 'template'
examples?
Graham Hobbs
Re: Secure website [message #183544 is a reply to message #183542] Wed, 30 October 2013 17:03 Go to previous messageGo to next message
J.O. Aho is currently offline  J.O. Aho
Messages: 194
Registered: September 2010
Karma: 0
Senior Member
On 30/10/13 15:47, Graham Hobbs wrote:


> Thanks for that info. It seems I need to learn the comcepts behind
> post/get/database etc .. is this how one codes for a dialogue with my
> site? Besides the PHP manual, might there be such things as 'template'
> examples?

The exmples at php.net are just basic ones to show how the function
works, I suggest you read comments and look for those who talk about
security and injection prevention and avoid examples made by Indian
developers, those generally are prone for header/sql injections and has
poor security awarness.

Remember to always check user generated data (say name, email and other
things they might enter in a form, or is used in an URL), have white
lists which contains which type of data you allow, for example you may
only allow names written with latin characters, then regexp so it only
contains lating characters and if there is something else, just throw
out an "invalid data" error or ask the user to enter proper data and do
not process anything futher untill you have OK data.

--

//Aho
Re: Secure website [message #183546 is a reply to message #183534] Wed, 30 October 2013 18:56 Go to previous messageGo to next message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
Senior Member
On 10/29/2013 11:02 PM, Graham Hobbs wrote:
> Hellop,
>
> I have an ordinary website (all PHP), it has no 'conscious'
> protections, just code that does a job. One page (not written yet
> because I don't know how), will advertise a product for sale.
>
> My concept is that a buyer goes to a paypal screen, does the
> necessary, when payment is verfified and paid, an email is
> automatically sent to the buyer with a download key. At the buyers
> dicretion, they go to the download page, enter the key and the
> software gets downloaded. Is this sort of thing a novice PHP'er could
> do.
>
> I'd like to be sort of semi-conversant before I contact paypal. Is the
> above feasible, is my ordinary website secure, is there a specific set
> of PHP'ish or other 'things to do'
> e.g.
> ... how to prevent more than one download, do I store the software
> package on my ISP's server, is it safe, since it has several exe files
> would they be in a zip file, how to assign a download key, let the
> whole process be automated?
>
> .. starter clues appreciated, thanks,
>
> Graham Hobbs
>

A couple of questions:

1. What happens if that "one download" is unsuccessful? Are you going
to make the buyer pay again?

2. What is to stop one person from buying your program, then sending it
off to all of his friends (or uploading it to another site)?

You can do it, but in addition to the other comments about PayPal - if
they have a system outage, it can take several hours (even after they
make it back up) for them to process the payment. It doesn't happen
often, but it does occur.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Re: Secure website [message #183553 is a reply to message #183546] Wed, 30 October 2013 23:15 Go to previous messageGo to next message
Graham Hobbs is currently offline  Graham Hobbs
Messages: 42
Registered: September 2010
Karma: 0
Member
On Wed, 30 Oct 2013 14:56:12 -0400, Jerry Stuckle
<jstucklex(at)attglobal(dot)net> wrote:

> On 10/29/2013 11:02 PM, Graham Hobbs wrote:
>> Hellop,
>>
>> I have an ordinary website (all PHP), it has no 'conscious'
>> protections, just code that does a job. One page (not written yet
>> because I don't know how), will advertise a product for sale.
>>
>> My concept is that a buyer goes to a paypal screen, does the
>> necessary, when payment is verfified and paid, an email is
>> automatically sent to the buyer with a download key. At the buyers
>> dicretion, they go to the download page, enter the key and the
>> software gets downloaded. Is this sort of thing a novice PHP'er could
>> do.
>>
>> I'd like to be sort of semi-conversant before I contact paypal. Is the
>> above feasible, is my ordinary website secure, is there a specific set
>> of PHP'ish or other 'things to do'
>> e.g.
>> ... how to prevent more than one download, do I store the software
>> package on my ISP's server, is it safe, since it has several exe files
>> would they be in a zip file, how to assign a download key, let the
>> whole process be automated?
>>
>> .. starter clues appreciated, thanks,
>>
>> Graham Hobbs
>>
>
> A couple of questions:
>
> 1. What happens if that "one download" is unsuccessful? Are you going
> to make the buyer pay again?
- OF COURSE .. just a joke!
- I would guess a failed download would be rare but if so, an email
would ensue and |'d reply with an attachment - reasonable?
>
> 2. What is to stop one person from buying your program, then sending it
> off to all of his friends (or uploading it to another site)?
- doesn't all software face that problem? .. is there a solution?
>
> You can do it, but in addition to the other comments about PayPal - if
> they have a system outage, it can take several hours (even after they
> make it back up) for them to process the payment. It doesn't happen
> often, but it does occur.
- my software has a small audience, I would expect this not to be a
concern
Re: Secure website [message #183554 is a reply to message #183544] Wed, 30 October 2013 23:18 Go to previous messageGo to next message
Graham Hobbs is currently offline  Graham Hobbs
Messages: 42
Registered: September 2010
Karma: 0
Member
On Wed, 30 Oct 2013 18:03:24 +0100, "J.O. Aho" <user(at)example(dot)net>
wrote:

> On 30/10/13 15:47, Graham Hobbs wrote:
>
>
>> Thanks for that info. It seems I need to learn the comcepts behind
>> post/get/database etc .. is this how one codes for a dialogue with my
>> site? Besides the PHP manual, might there be such things as 'template'
>> examples?
>
> The exmples at php.net are just basic ones to show how the function
> works, I suggest you read comments and look for those who talk about
> security and injection prevention and avoid examples made by Indian
> developers, those generally are prone for header/sql injections and has
> poor security awarness.
>
> Remember to always check user generated data (say name, email and other
> things they might enter in a form, or is used in an URL), have white
> lists which contains which type of data you allow, for example you may
> only allow names written with latin characters, then regexp so it only
> contains lating characters and if there is something else, just throw
> out an "invalid data" error or ask the user to enter proper data and do
> not process anything futher untill you have OK data.
--
all noted, thanks muchly!
Re: Secure website [message #183555 is a reply to message #183553] Thu, 31 October 2013 03:03 Go to previous messageGo to next message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
Senior Member
On 10/30/2013 7:15 PM, Graham Hobbs wrote:
> On Wed, 30 Oct 2013 14:56:12 -0400, Jerry Stuckle
> <jstucklex(at)attglobal(dot)net> wrote:
>
>> On 10/29/2013 11:02 PM, Graham Hobbs wrote:
>>> Hellop,
>>>
>>> I have an ordinary website (all PHP), it has no 'conscious'
>>> protections, just code that does a job. One page (not written yet
>>> because I don't know how), will advertise a product for sale.
>>>
>>> My concept is that a buyer goes to a paypal screen, does the
>>> necessary, when payment is verfified and paid, an email is
>>> automatically sent to the buyer with a download key. At the buyers
>>> dicretion, they go to the download page, enter the key and the
>>> software gets downloaded. Is this sort of thing a novice PHP'er could
>>> do.
>>>
>>> I'd like to be sort of semi-conversant before I contact paypal. Is the
>>> above feasible, is my ordinary website secure, is there a specific set
>>> of PHP'ish or other 'things to do'
>>> e.g.
>>> ... how to prevent more than one download, do I store the software
>>> package on my ISP's server, is it safe, since it has several exe files
>>> would they be in a zip file, how to assign a download key, let the
>>> whole process be automated?
>>>
>>> .. starter clues appreciated, thanks,
>>>
>>> Graham Hobbs
>>>
>>
>> A couple of questions:
>>
>> 1. What happens if that "one download" is unsuccessful? Are you going
>> to make the buyer pay again?
> - OF COURSE .. just a joke!
> - I would guess a failed download would be rare but if so, an email
> would ensue and |'d reply with an attachment - reasonable?

Less rare than you would think. And how would you check to see if the
download failed or not?

>>
>> 2. What is to stop one person from buying your program, then sending it
>> off to all of his friends (or uploading it to another site)?
> - doesn't all software face that problem? .. is there a solution?
>>
>> You can do it, but in addition to the other comments about PayPal - if
>> they have a system outage, it can take several hours (even after they
>> make it back up) for them to process the payment. It doesn't happen
>> often, but it does occur.
> - my software has a small audience, I would expect this not to be a
> concern
>

Famous last words...

If your audience is so small, why do you worry about it?

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Re: Secure website [message #183557 is a reply to message #183534] Thu, 31 October 2013 10:24 Go to previous messageGo to next message
David Quinton is currently offline  David Quinton
Messages: 2
Registered: February 2011
Karma: 0
Junior Member
On Tue, 29 Oct 2013 23:02:02 -0400, Graham Hobbs <ghobbs(at)cdpwise(dot)net>
wrote:

> My concept is that a buyer goes to a paypal screen, does the
> necessary, when payment is verfified and paid, an email is
> automatically sent to the buyer with a download key. At the buyers
> dicretion, they go to the download page, enter the key and the
> software gets downloaded. Is this sort of thing a novice PHP'er could
> do.

Personally, I'd suggest that you don't "reinvent the wheel" but use
something like:
http://www.withinweb.com/

We've successfully used this "out of the box" and modified versions on
several websites over the years.
--
Free personal divertable Phone number: <http://www.bizorg.co.uk/personalnos.htm>
Re: Secure website [message #183558 is a reply to message #183555] Thu, 31 October 2013 14:27 Go to previous messageGo to next message
Graham Hobbs is currently offline  Graham Hobbs
Messages: 42
Registered: September 2010
Karma: 0
Member
On Wed, 30 Oct 2013 23:03:42 -0400, Jerry Stuckle
<jstucklex(at)attglobal(dot)net> wrote:

> On 10/30/2013 7:15 PM, Graham Hobbs wrote:
>> On Wed, 30 Oct 2013 14:56:12 -0400, Jerry Stuckle
>> <jstucklex(at)attglobal(dot)net> wrote:
>>
>>> On 10/29/2013 11:02 PM, Graham Hobbs wrote:
>>>> Hellop,
>>>>
>>>> I have an ordinary website (all PHP), it has no 'conscious'
>>>> protections, just code that does a job. One page (not written yet
>>>> because I don't know how), will advertise a product for sale.
>>>>
>>>> My concept is that a buyer goes to a paypal screen, does the
>>>> necessary, when payment is verfified and paid, an email is
>>>> automatically sent to the buyer with a download key. At the buyers
>>>> dicretion, they go to the download page, enter the key and the
>>>> software gets downloaded. Is this sort of thing a novice PHP'er could
>>>> do.
>>>>
>>>> I'd like to be sort of semi-conversant before I contact paypal. Is the
>>>> above feasible, is my ordinary website secure, is there a specific set
>>>> of PHP'ish or other 'things to do'
>>>> e.g.
>>>> ... how to prevent more than one download, do I store the software
>>>> package on my ISP's server, is it safe, since it has several exe files
>>>> would they be in a zip file, how to assign a download key, let the
>>>> whole process be automated?
>>>>
>>>> .. starter clues appreciated, thanks,
>>>>
>>>> Graham Hobbs
>>>>
>>>
>>> A couple of questions:
>>>
>>> 1. What happens if that "one download" is unsuccessful? Are you going
>>> to make the buyer pay again?
>> - OF COURSE .. just a joke!
>> - I would guess a failed download would be rare but if so, an email
>> would ensue and |'d reply with an attachment - reasonable?
>
> Less rare than you would think. And how would you check to see if the
> download failed or not?
I wouldn't, I'd expect an email from the buyer. Is there a rule of
thumb way to check?
>
>>>
>>> 2. What is to stop one person from buying your program, then sending it
>>> off to all of his friends (or uploading it to another site)?
>> - doesn't all software face that problem? .. is there a solution?
Would be most interested in commentary on this.
>>>
>>> You can do it, but in addition to the other comments about PayPal - if
>>> they have a system outage, it can take several hours (even after they
>>> make it back up) for them to process the payment. It doesn't happen
>>> often, but it does occur.
>> - my software has a small audience, I would expect this not to be a
>> concern
>>
>
> Famous last words...
>
> If your audience is so small, why do you worry about it?
Well I hope 'not SO small':-). Am not worried. Given the small number
of buy operations and infrequency of Paypal downtime, concurrency of
these events would be remote.
But I do worry about some nasty intercepting and cocking up any part
of the process from 'the buy page' through to emailing a 'key' and the
subsequent download. Not infecting buyers is the point.
Re: Secure website [message #183559 is a reply to message #183557] Thu, 31 October 2013 14:28 Go to previous messageGo to next message
Graham Hobbs is currently offline  Graham Hobbs
Messages: 42
Registered: September 2010
Karma: 0
Member
On Thu, 31 Oct 2013 10:24:46 +0000, David Quinton
<usenet_2005D_email(at)REMOVETHISBITbizorg(dot)co(dot)uk> wrote:

> On Tue, 29 Oct 2013 23:02:02 -0400, Graham Hobbs <ghobbs(at)cdpwise(dot)net>
> wrote:
>
>> My concept is that a buyer goes to a paypal screen, does the
>> necessary, when payment is verfified and paid, an email is
>> automatically sent to the buyer with a download key. At the buyers
>> dicretion, they go to the download page, enter the key and the
>> software gets downloaded. Is this sort of thing a novice PHP'er could
>> do.
>
> Personally, I'd suggest that you don't "reinvent the wheel" but use
> something like:
> http://www.withinweb.com/
>
> We've successfully used this "out of the box" and modified versions on
> several websites over the years.
---
That's seems to be worth a real study - thanks David.
Graham
Re: Secure website [message #183560 is a reply to message #183558] Thu, 31 October 2013 15:24 Go to previous messageGo to next message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
Senior Member
On 10/31/2013 10:27 AM, Graham Hobbs wrote:
> On Wed, 30 Oct 2013 23:03:42 -0400, Jerry Stuckle
> <jstucklex(at)attglobal(dot)net> wrote:
>
>> On 10/30/2013 7:15 PM, Graham Hobbs wrote:
>>> On Wed, 30 Oct 2013 14:56:12 -0400, Jerry Stuckle
>>> <jstucklex(at)attglobal(dot)net> wrote:
>>>
>>>> On 10/29/2013 11:02 PM, Graham Hobbs wrote:
>>>> > Hellop,
>>>> >
>>>> > I have an ordinary website (all PHP), it has no 'conscious'
>>>> > protections, just code that does a job. One page (not written yet
>>>> > because I don't know how), will advertise a product for sale.
>>>> >
>>>> > My concept is that a buyer goes to a paypal screen, does the
>>>> > necessary, when payment is verfified and paid, an email is
>>>> > automatically sent to the buyer with a download key. At the buyers
>>>> > dicretion, they go to the download page, enter the key and the
>>>> > software gets downloaded. Is this sort of thing a novice PHP'er could
>>>> > do.
>>>> >
>>>> > I'd like to be sort of semi-conversant before I contact paypal. Is the
>>>> > above feasible, is my ordinary website secure, is there a specific set
>>>> > of PHP'ish or other 'things to do'
>>>> > e.g.
>>>> > ... how to prevent more than one download, do I store the software
>>>> > package on my ISP's server, is it safe, since it has several exe files
>>>> > would they be in a zip file, how to assign a download key, let the
>>>> > whole process be automated?
>>>> >
>>>> > .. starter clues appreciated, thanks,
>>>> >
>>>> > Graham Hobbs
>>>> >
>>>>
>>>> A couple of questions:
>>>>
>>>> 1. What happens if that "one download" is unsuccessful? Are you going
>>>> to make the buyer pay again?
>>> - OF COURSE .. just a joke!
>>> - I would guess a failed download would be rare but if so, an email
>>> would ensue and |'d reply with an attachment - reasonable?
>>
>> Less rare than you would think. And how would you check to see if the
>> download failed or not?
> I wouldn't, I'd expect an email from the buyer. Is there a rule of
> thumb way to check?

No, there is no good way to check to see if a download completed or not.
The file may have been sent, for instance, but for some reason not
stored on the user's computer (i.e. internet connection broke, out of
disk space, etc.).

But expecting an email from the buyer after he/she purchased something
isn't very user friendly. That's why most products use unique keys
which must be keyed into the product to make it run. But of course that
only works if the user has a reason to contact your site again, i.e.
upgrades, etc.

If your audience is so small, why not give them a download link which is
good for something like 24 hours? That way if it fails, they can retry.

>>
>>>>
>>>> 2. What is to stop one person from buying your program, then sending it
>>>> off to all of his friends (or uploading it to another site)?
>>> - doesn't all software face that problem? .. is there a solution?
> Would be most interested in commentary on this.
>>>>
>>>> You can do it, but in addition to the other comments about PayPal - if
>>>> they have a system outage, it can take several hours (even after they
>>>> make it back up) for them to process the payment. It doesn't happen
>>>> often, but it does occur.
>>> - my software has a small audience, I would expect this not to be a
>>> concern
>>>
>>
>> Famous last words...
>>
>> If your audience is so small, why do you worry about it?
> Well I hope 'not SO small':-). Am not worried. Given the small number
> of buy operations and infrequency of Paypal downtime, concurrency of
> these events would be remote.
> But I do worry about some nasty intercepting and cocking up any part
> of the process from 'the buy page' through to emailing a 'key' and the
> subsequent download. Not infecting buyers is the point.
>

You can take standard security precautions on your website, but there
isn't much you can do about email being intercepted.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Re: Secure website [message #183561 is a reply to message #183560] Thu, 31 October 2013 16:47 Go to previous messageGo to next message
Graham Hobbs is currently offline  Graham Hobbs
Messages: 42
Registered: September 2010
Karma: 0
Member
On Thu, 31 Oct 2013 11:24:25 -0400, Jerry Stuckle
<jstucklex(at)attglobal(dot)net> wrote:

> On 10/31/2013 10:27 AM, Graham Hobbs wrote:
>> On Wed, 30 Oct 2013 23:03:42 -0400, Jerry Stuckle
>> <jstucklex(at)attglobal(dot)net> wrote:
>>
>>> On 10/30/2013 7:15 PM, Graham Hobbs wrote:
>>>> On Wed, 30 Oct 2013 14:56:12 -0400, Jerry Stuckle
>>>> <jstucklex(at)attglobal(dot)net> wrote:
>>>>
>>>> > On 10/29/2013 11:02 PM, Graham Hobbs wrote:
>>>> >> Hellop,
>>>> >>
>>>> >> I have an ordinary website (all PHP), it has no 'conscious'
>>>> >> protections, just code that does a job. One page (not written yet
>>>> >> because I don't know how), will advertise a product for sale.
>>>> >>
>>>> >> My concept is that a buyer goes to a paypal screen, does the
>>>> >> necessary, when payment is verfified and paid, an email is
>>>> >> automatically sent to the buyer with a download key. At the buyers
>>>> >> dicretion, they go to the download page, enter the key and the
>>>> >> software gets downloaded. Is this sort of thing a novice PHP'er could
>>>> >> do.
>>>> >>
>>>> >> I'd like to be sort of semi-conversant before I contact paypal. Is the
>>>> >> above feasible, is my ordinary website secure, is there a specific set
>>>> >> of PHP'ish or other 'things to do'
>>>> >> e.g.
>>>> >> ... how to prevent more than one download, do I store the software
>>>> >> package on my ISP's server, is it safe, since it has several exe files
>>>> >> would they be in a zip file, how to assign a download key, let the
>>>> >> whole process be automated?
>>>> >>
>>>> >> .. starter clues appreciated, thanks,
>>>> >>
>>>> >> Graham Hobbs
>>>> >>
>>>> >
>>>> > A couple of questions:
>>>> >
>>>> > 1. What happens if that "one download" is unsuccessful? Are you going
>>>> > to make the buyer pay again?
>>>> - OF COURSE .. just a joke!
>>>> - I would guess a failed download would be rare but if so, an email
>>>> would ensue and |'d reply with an attachment - reasonable?
>>>
>>> Less rare than you would think. And how would you check to see if the
>>> download failed or not?
>> I wouldn't, I'd expect an email from the buyer. Is there a rule of
>> thumb way to check?
>
> No, there is no good way to check to see if a download completed or not.
> The file may have been sent, for instance, but for some reason not
> stored on the user's computer (i.e. internet connection broke, out of
> disk space, etc.).
>
> But expecting an email from the buyer after he/she purchased something
> isn't very user friendly. That's why most products use unique keys
> which must be keyed into the product to make it run. But of course that
> only works if the user has a reason to contact your site again, i.e.
> upgrades, etc.
>
> If your audience is so small, why not give them a download link which is
> good for something like 24 hours? That way if it fails, they can retry.
>
>>>
>>>> >
>>>> > 2. What is to stop one person from buying your program, then sending it
>>>> > off to all of his friends (or uploading it to another site)?
>>>> - doesn't all software face that problem? .. is there a solution?
>> Would be most interested in commentary on this.
>>>> >
>>>> > You can do it, but in addition to the other comments about PayPal - if
>>>> > they have a system outage, it can take several hours (even after they
>>>> > make it back up) for them to process the payment. It doesn't happen
>>>> > often, but it does occur.
>>>> - my software has a small audience, I would expect this not to be a
>>>> concern
>>>>
>>>
>>> Famous last words...
>>>
>>> If your audience is so small, why do you worry about it?
>> Well I hope 'not SO small':-). Am not worried. Given the small number
>> of buy operations and infrequency of Paypal downtime, concurrency of
>> these events would be remote.
>> But I do worry about some nasty intercepting and cocking up any part
>> of the process from 'the buy page' through to emailing a 'key' and the
>> subsequent download. Not infecting buyers is the point.
>>
>
> You can take standard security precautions on your website, but there
> isn't much you can do about email being intercepted.
---
That's good notes Jerry, thanks,
I googled 'standard security precautions for websites' .. got to a
company called Webroot (amongst others) .. they list a slew of things
they take care of .. might be a reasonable approach for me? I can't
see me programming 'security' myself, best left to the experts.
Graham
Re: Secure website [message #183564 is a reply to message #183561] Fri, 01 November 2013 00:36 Go to previous message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
Senior Member
On 10/31/2013 12:47 PM, Graham Hobbs wrote:
> On Thu, 31 Oct 2013 11:24:25 -0400, Jerry Stuckle
> <jstucklex(at)attglobal(dot)net> wrote:
>
>> On 10/31/2013 10:27 AM, Graham Hobbs wrote:
>>> On Wed, 30 Oct 2013 23:03:42 -0400, Jerry Stuckle
>>> <jstucklex(at)attglobal(dot)net> wrote:
>>>
>>>> On 10/30/2013 7:15 PM, Graham Hobbs wrote:
>>>> > On Wed, 30 Oct 2013 14:56:12 -0400, Jerry Stuckle
>>>> > <jstucklex(at)attglobal(dot)net> wrote:
>>>> >
>>>> >> On 10/29/2013 11:02 PM, Graham Hobbs wrote:
>>>> >>> Hellop,
>>>> >>>
>>>> >>> I have an ordinary website (all PHP), it has no 'conscious'
>>>> >>> protections, just code that does a job. One page (not written yet
>>>> >>> because I don't know how), will advertise a product for sale.
>>>> >>>
>>>> >>> My concept is that a buyer goes to a paypal screen, does the
>>>> >>> necessary, when payment is verfified and paid, an email is
>>>> >>> automatically sent to the buyer with a download key. At the buyers
>>>> >>> dicretion, they go to the download page, enter the key and the
>>>> >>> software gets downloaded. Is this sort of thing a novice PHP'er could
>>>> >>> do.
>>>> >>>
>>>> >>> I'd like to be sort of semi-conversant before I contact paypal. Is the
>>>> >>> above feasible, is my ordinary website secure, is there a specific set
>>>> >>> of PHP'ish or other 'things to do'
>>>> >>> e.g.
>>>> >>> ... how to prevent more than one download, do I store the software
>>>> >>> package on my ISP's server, is it safe, since it has several exe files
>>>> >>> would they be in a zip file, how to assign a download key, let the
>>>> >>> whole process be automated?
>>>> >>>
>>>> >>> .. starter clues appreciated, thanks,
>>>> >>>
>>>> >>> Graham Hobbs
>>>> >>>
>>>> >>
>>>> >> A couple of questions:
>>>> >>
>>>> >> 1. What happens if that "one download" is unsuccessful? Are you going
>>>> >> to make the buyer pay again?
>>>> > - OF COURSE .. just a joke!
>>>> > - I would guess a failed download would be rare but if so, an email
>>>> > would ensue and |'d reply with an attachment - reasonable?
>>>>
>>>> Less rare than you would think. And how would you check to see if the
>>>> download failed or not?
>>> I wouldn't, I'd expect an email from the buyer. Is there a rule of
>>> thumb way to check?
>>
>> No, there is no good way to check to see if a download completed or not.
>> The file may have been sent, for instance, but for some reason not
>> stored on the user's computer (i.e. internet connection broke, out of
>> disk space, etc.).
>>
>> But expecting an email from the buyer after he/she purchased something
>> isn't very user friendly. That's why most products use unique keys
>> which must be keyed into the product to make it run. But of course that
>> only works if the user has a reason to contact your site again, i.e.
>> upgrades, etc.
>>
>> If your audience is so small, why not give them a download link which is
>> good for something like 24 hours? That way if it fails, they can retry.
>>
>>>>
>>>> >>
>>>> >> 2. What is to stop one person from buying your program, then sending it
>>>> >> off to all of his friends (or uploading it to another site)?
>>>> > - doesn't all software face that problem? .. is there a solution?
>>> Would be most interested in commentary on this.
>>>> >>
>>>> >> You can do it, but in addition to the other comments about PayPal - if
>>>> >> they have a system outage, it can take several hours (even after they
>>>> >> make it back up) for them to process the payment. It doesn't happen
>>>> >> often, but it does occur.
>>>> > - my software has a small audience, I would expect this not to be a
>>>> > concern
>>>> >
>>>>
>>>> Famous last words...
>>>>
>>>> If your audience is so small, why do you worry about it?
>>> Well I hope 'not SO small':-). Am not worried. Given the small number
>>> of buy operations and infrequency of Paypal downtime, concurrency of
>>> these events would be remote.
>>> But I do worry about some nasty intercepting and cocking up any part
>>> of the process from 'the buy page' through to emailing a 'key' and the
>>> subsequent download. Not infecting buyers is the point.
>>>
>>
>> You can take standard security precautions on your website, but there
>> isn't much you can do about email being intercepted.
> ---
> That's good notes Jerry, thanks,
> I googled 'standard security precautions for websites' .. got to a
> company called Webroot (amongst others) .. they list a slew of things
> they take care of .. might be a reasonable approach for me? I can't
> see me programming 'security' myself, best left to the experts.
> Graham
>

Depends on how much you're willing to pay, and how much you trust the
qualifications of the programmers. Anyone can "list a slew of
things...". Fewer can do it properly.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
  Switch to threaded view of this topic Create a new topic Submit Reply
Previous Topic: reading files with accents in the filename from PHP
Next Topic: No action desired until one button is clicked
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Fri Dec 27 00:18:16 GMT 2024

Total time taken to generate the page: 2.68297 seconds