| monitoring IP address calls of a PHP application [message #175057] |
Tue, 09 August 2011 06:00  |
E.Sajad
Messages: 1
Registered: August 2011
Karma: 0
|
Junior Member |
|
|
Hi there,
I have cross-posted this issue in two related groups: PHP and Software
Testing.
THE PROBLEM
I have outsourced development of a web-based application to a
freelancer. He will be delivering the software soon. However, after
I perform acceptance testing and give the OK and release the funds to
him, I might never be able to get hold of this person and according to
our contract, once I "accept" the software, he will have no future
obligations with respect to this project.
So I'm trying to protect myself by somehow verifying that their
delivered application:
1. Does not connect to/use/call any other web services or connect to
other IP addresses (or servers) other than Google [note: the
application extracts some info from Google search results]
2. Does not connect to any databases other than the one on the local
server
3. Does not use any third-party libraries that I might have to pay for
in the future.
4. Does not contain files that, although they need to be editable (for
future modification, such as XML configuration files), have been
converted into binary or non-editable or non-readable format.
Basically, anything that will render me “ripped off” after I fully pay
for the application because I won’t have access to the developer later
on (and my budget is too tight to pay for consultants).
Any fellow outsourcers who've run into this issue, please share what
tools (preferably open-source) you used to verify any of the above
items.
I believe if I can somehow monitor all the IP addresses that the
application calls (connects to) in
real time, I'll be able to check if it's referencing any web services
or sources other than Google as well as other than my own database.
This alone will solve concerns number 1 and 2. But I don't even know
how to do this! Should I install a monitoring application on my
virtual dedicated server that would run in the background? What
application(s) do you folks recommend?
USEFUL INFO
The application is written in PHP (not sure 4 or 5) and runs on a
virtual dedicated server on a linux machine hosted by HostGator.
Also, while acceptance testing, I will be testing the deliverable on
this virtual dedicated server and I have full admin control over this
hosting account. For this account I have access to a cPanel and a VZ
control panel. Which control panel should I use for this purpose? I
get lost in these control panels as it's the first time in my life I'm
using a virtual dedicated server for a project.
Thanks so much in advance! And hopefully this post will help other
project managers as well.
Kind regards,
E. Sajad
|
|
|
|
| Re: monitoring IP address calls of a PHP application [message #175058 is a reply to message #175057] |
Tue, 09 August 2011 06:19  |
Michael Vilain
Messages: 88
Registered: September 2010
Karma: 0
|
Member |
|
|
In article
<b0df5b47-ed75-48d0-9c50-1f9d02194c8a(at)l37g2000yqd(dot)googlegroups(dot)com>,
"E.Sajad" <amirehsans(at)yahoo(dot)com> wrote:
> Hi there,
>
> I have cross-posted this issue in two related groups: PHP and Software
> Testing.
>
> THE PROBLEM
> I have outsourced development of a web-based application to a
> freelancer. He will be delivering the software soon. However, after
> I perform acceptance testing and give the OK and release the funds to
> him, I might never be able to get hold of this person and according to
> our contract, once I "accept" the software, he will have no future
> obligations with respect to this project.
>
> So I'm trying to protect myself by somehow verifying that their
> delivered application:
>
> 1. Does not connect to/use/call any other web services or connect to
> other IP addresses (or servers) other than Google [note: the
> application extracts some info from Google search results]
> 2. Does not connect to any databases other than the one on the local
> server
> 3. Does not use any third-party libraries that I might have to pay for
> in the future.
> 4. Does not contain files that, although they need to be editable (for
> future modification, such as XML configuration files), have been
> converted into binary or non-editable or non-readable format.
>
> Basically, anything that will render me ripped off after I fully pay
> for the application because I wont have access to the developer later
> on (and my budget is too tight to pay for consultants).
>
> Any fellow outsourcers who've run into this issue, please share what
> tools (preferably open-source) you used to verify any of the above
> items.
>
> I believe if I can somehow monitor all the IP addresses that the
> application calls (connects to) in
> real time, I'll be able to check if it's referencing any web services
> or sources other than Google as well as other than my own database.
> This alone will solve concerns number 1 and 2. But I don't even know
> how to do this! Should I install a monitoring application on my
> virtual dedicated server that would run in the background? What
> application(s) do you folks recommend?
>
> USEFUL INFO
> The application is written in PHP (not sure 4 or 5) and runs on a
> virtual dedicated server on a linux machine hosted by HostGator.
> Also, while acceptance testing, I will be testing the deliverable on
> this virtual dedicated server and I have full admin control over this
> hosting account. For this account I have access to a cPanel and a VZ
> control panel. Which control panel should I use for this purpose? I
> get lost in these control panels as it's the first time in my life I'm
> using a virtual dedicated server for a project.
>
> Thanks so much in advance! And hopefully this post will help other
> project managers as well.
> Kind regards,
> E. Sajad
I think if you don't trust this guy, you shouldn't be doing business
with him. Or factor in funds to 'find him with extreme prejudice' after
you've paid him. This is not a technology issue as much as it is a
business issue.
Seriously, if you don't trust him, don't pay him and find someone else
you trust and can contact after the project is over for follow-on work.
--
DeeDee, don't press that button! DeeDee! NO! Dee...
[I filter all Goggle Groups posts, so any reply may be automatically ignored]
|
|
|
|
| Re: monitoring IP address calls of a PHP application [message #175062 is a reply to message #175057] |
Tue, 09 August 2011 11:26 |
Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 8/9/2011 2:00 AM, E.Sajad wrote:
> Hi there,
>
> I have cross-posted this issue in two related groups: PHP and Software
> Testing.
>
> THE PROBLEM
> I have outsourced development of a web-based application to a
> freelancer. He will be delivering the software soon. However, after
> I perform acceptance testing and give the OK and release the funds to
> him, I might never be able to get hold of this person and according to
> our contract, once I "accept" the software, he will have no future
> obligations with respect to this project.
>
> So I'm trying to protect myself by somehow verifying that their
> delivered application:
>
> 1. Does not connect to/use/call any other web services or connect to
> other IP addresses (or servers) other than Google [note: the
> application extracts some info from Google search results]
> 2. Does not connect to any databases other than the one on the local
> server
> 3. Does not use any third-party libraries that I might have to pay for
> in the future.
> 4. Does not contain files that, although they need to be editable (for
> future modification, such as XML configuration files), have been
> converted into binary or non-editable or non-readable format.
>
> Basically, anything that will render me “ripped off” after I fully pay
> for the application because I won’t have access to the developer later
> on (and my budget is too tight to pay for consultants).
>
> Any fellow outsourcers who've run into this issue, please share what
> tools (preferably open-source) you used to verify any of the above
> items.
>
> I believe if I can somehow monitor all the IP addresses that the
> application calls (connects to) in
> real time, I'll be able to check if it's referencing any web services
> or sources other than Google as well as other than my own database.
> This alone will solve concerns number 1 and 2. But I don't even know
> how to do this! Should I install a monitoring application on my
> virtual dedicated server that would run in the background? What
> application(s) do you folks recommend?
>
> USEFUL INFO
> The application is written in PHP (not sure 4 or 5) and runs on a
> virtual dedicated server on a linux machine hosted by HostGator.
> Also, while acceptance testing, I will be testing the deliverable on
> this virtual dedicated server and I have full admin control over this
> hosting account. For this account I have access to a cPanel and a VZ
> control panel. Which control panel should I use for this purpose? I
> get lost in these control panels as it's the first time in my life I'm
> using a virtual dedicated server for a project.
>
> Thanks so much in advance! And hopefully this post will help other
> project managers as well.
> Kind regards,
> E. Sajad
I agree with Michael. If you don't trust someone, don't do business
with him at all. But you've already contracted with him, so you're
obligated to pay him. So pay him and don't use his code.
As for the rest - pay someone you do trust (if there is someone like
that) to examine the code.
But there are a lot worse things than what you're worried about.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
|
|
|
|
| Re: monitoring IP address calls of a PHP application [message #175063 is a reply to message #175057] |
Tue, 09 August 2011 11:40 |
me
Messages: 192
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 8/9/2011 2:00 AM, E.Sajad wrote:
> So I'm trying to protect myself by somehow verifying that their
> delivered application:
>
> 1. Does not connect to/use/call any other web services or connect to
> other IP addresses (or servers) other than Google [note: the
> application extracts some info from Google search results]
> 2. Does not connect to any databases other than the one on the local
> server
> 3. Does not use any third-party libraries that I might have to pay for
> in the future.
> 4. Does not contain files that, although they need to be editable (for
> future modification, such as XML configuration files), have been
> converted into binary or non-editable or non-readable format.
<snip>
> I believe if I can somehow monitor all the IP addresses that the
> application calls (connects to) in
> real time, I'll be able to check if it's referencing any web services
> or sources other than Google as well as other than my own database.
> This alone will solve concerns number 1 and 2. But I don't even know
> how to do this! Should I install a monitoring application on my
> virtual dedicated server that would run in the background? What
> application(s) do you folks recommend?
<snip>
Practically speaking, if the person who did the coding is in fact
devious (I'm not assuming so but looking at worst case) it would be easy
to write code that would activate #1 and #2 at some point in the future.
That the code does neither now may be of little comfort.
Bill B
|
|
|
|
| Re: monitoring IP address calls of a PHP application [message #175064 is a reply to message #175063] |
Tue, 09 August 2011 12:50 |
The Natural Philosoph
Messages: 993
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
Bill B wrote:
> On 8/9/2011 2:00 AM, E.Sajad wrote:
>> So I'm trying to protect myself by somehow verifying that their
>> delivered application:
>>
>> 1. Does not connect to/use/call any other web services or connect to
>> other IP addresses (or servers) other than Google [note: the
>> application extracts some info from Google search results]
>> 2. Does not connect to any databases other than the one on the local
>> server
>> 3. Does not use any third-party libraries that I might have to pay for
>> in the future.
>> 4. Does not contain files that, although they need to be editable (for
>> future modification, such as XML configuration files), have been
>> converted into binary or non-editable or non-readable format.
>
> <snip>
>
>> I believe if I can somehow monitor all the IP addresses that the
>> application calls (connects to) in
>> real time, I'll be able to check if it's referencing any web services
>> or sources other than Google as well as other than my own database.
>> This alone will solve concerns number 1 and 2. But I don't even know
>> how to do this! Should I install a monitoring application on my
>> virtual dedicated server that would run in the background? What
>> application(s) do you folks recommend?
>
> <snip>
>
> Practically speaking, if the person who did the coding is in fact
> devious (I'm not assuming so but looking at worst case) it would be easy
> to write code that would activate #1 and #2 at some point in the future.
> That the code does neither now may be of little comfort.
>
> Bill B
Its php ffs
phpinfo will reveal if any extraneous libs are linked in.
A grep of its source code for any system() type calls will reveal if odd
ode is being invoked.
Ditto a code walk for any database open calls or CURL will check for
access to where it may or may not access.
If its beyond the OP, I suggest a paid contract to another contractor to
'find the bugs, and indentify the rubbish'
Set a thief to catch a thief.
|
|
|
|
| Re: monitoring IP address calls of a PHP application [message #175065 is a reply to message #175064] |
Tue, 09 August 2011 13:30 |
me
Messages: 192
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 8/9/2011 8:50 AM, The Natural Philosopher wrote:
> Bill B wrote:
>> On 8/9/2011 2:00 AM, E.Sajad wrote:
>>> So I'm trying to protect myself by somehow verifying that their
>>> delivered application:
>>>
>>> 1. Does not connect to/use/call any other web services or connect to
>>> other IP addresses (or servers) other than Google [note: the
>>> application extracts some info from Google search results]
>>> 2. Does not connect to any databases other than the one on the local
>>> server
>>> 3. Does not use any third-party libraries that I might have to pay for
>>> in the future.
>>> 4. Does not contain files that, although they need to be editable (for
>>> future modification, such as XML configuration files), have been
>>> converted into binary or non-editable or non-readable format.
>>
>> <snip>
>>
>>> I believe if I can somehow monitor all the IP addresses that the
>>> application calls (connects to) in
>>> real time, I'll be able to check if it's referencing any web services
>>> or sources other than Google as well as other than my own database.
>>> This alone will solve concerns number 1 and 2. But I don't even know
>>> how to do this! Should I install a monitoring application on my
>>> virtual dedicated server that would run in the background? What
>>> application(s) do you folks recommend?
>>
>> <snip>
>>
>> Practically speaking, if the person who did the coding is in fact
>> devious (I'm not assuming so but looking at worst case) it would be
>> easy to write code that would activate #1 and #2 at some point in the
>> future. That the code does neither now may be of little comfort.
>>
>> Bill B
> Its php ffs
>
> phpinfo will reveal if any extraneous libs are linked in.
> A grep of its source code for any system() type calls will reveal if odd
> ode is being invoked.
>
> Ditto a code walk for any database open calls or CURL will check for
> access to where it may or may not access.
>
> If its beyond the OP, I suggest a paid contract to another contractor to
> 'find the bugs, and indentify the rubbish'
>
> Set a thief to catch a thief.
Thanks, I had overlooked that. Good reminder.
Bill B
|
|
|
|
Calendar
Search
Help
Members
Register
Login
Home
]