Home » Imported messages » comp.lang.php » monitoring IP address calls of a PHP application
monitoring IP address calls of a PHP application [message #175057] Tue, 09 August 2011 06:00
E.Sajad
Hi there,

I have cross-posted this issue in two related groups: PHP and Software
Testing.

THE PROBLEM
I have outsourced development of a web-based application to a
freelancer. He will be delivering the software soon. However, after
I perform acceptance testing and give the OK and release the funds to
him, I might never be able to get hold of this person and according to
our contract, once I "accept" the software, he will have no future
obligations with respect to this project.

So I'm trying to protect myself by somehow verifying that their
delivered application:

1. Does not connect to/use/call any other web services or connect to
other IP addresses (or servers) other than Google [note: the
application extracts some info from Google search results]
2. Does not connect to any databases other than the one on the local
server
3. Does not use any third-party libraries that I might have to pay for
in the future.
4. Does not contain files that, although they need to be editable (for
future modification, such as XML configuration files), have been
converted into binary or non-editable or non-readable format.

Basically, anything that will render me “ripped off” after I fully pay
for the application because I won’t have access to the developer later
on (and my budget is too tight to pay for consultants).

Any fellow outsourcers who've run into this issue, please share what
tools (preferably open-source) you used to verify any of the above
items.

I believe if I can somehow monitor all the IP addresses that the
application calls (connects to) in
real time, I'll be able to check if it's referencing any web services
or sources other than Google as well as other than my own database.
This alone will solve concerns number 1 and 2. But I don't even know
how to do this! Should I install a monitoring application on my
virtual dedicated server that would run in the background? What
application(s) do you folks recommend?

USEFUL INFO
The application is written in PHP (not sure 4 or 5) and runs on a
virtual dedicated server on a linux machine hosted by HostGator.
Also, while acceptance testing, I will be testing the deliverable on
this virtual dedicated server and I have full admin control over this
hosting account. For this account I have access to a cPanel and a VZ
control panel. Which control panel should I use for this purpose? I
get lost in these control panels as it's the first time in my life I'm
using a virtual dedicated server for a project.

Thanks so much in advance! And hopefully this post will help other
project managers as well.
Kind regards,
E. Sajad
Re: monitoring IP address calls of a PHP application [message #175058 is a reply to message #175057] Tue, 09 August 2011 06:19
Michael Vilain
In article
<b0df5b47-ed75-48d0-9c50-1f9d02194c8a(at)l37g2000yqd(dot)googlegroups(dot)com>,
"E.Sajad" <amirehsans(at)yahoo(dot)com> wrote:

> Hi there,
>
> I have cross-posted this issue in two related groups: PHP and Software
> Testing.
>
> THE PROBLEM
> I have outsourced development of a web-based application to a
> freelancer. He will be delivering the software soon. However, after
> I perform acceptance testing and give the OK and release the funds to
> him, I might never be able to get hold of this person and according to
> our contract, once I "accept" the software, he will have no future
> obligations with respect to this project.
>
> So I'm trying to protect myself by somehow verifying that their
> delivered application:
>
> 1. Does not connect to/use/call any other web services or connect to
> other IP addresses (or servers) other than Google [note: the
> application extracts some info from Google search results]
> 2. Does not connect to any databases other than the one on the local
> server
> 3. Does not use any third-party libraries that I might have to pay for
> in the future.
> 4. Does not contain files that, although they need to be editable (for
> future modification, such as XML configuration files), have been
> converted into binary or non-editable or non-readable format.
>
> Basically, anything that will render me “ripped off” after I fully pay
> for the application because I won’t have access to the developer later
> on (and my budget is too tight to pay for consultants).
>
> Any fellow outsourcers who've run into this issue, please share what
> tools (preferably open-source) you used to verify any of the above
> items.
>
> I believe if I can somehow monitor all the IP addresses that the
> application calls (connects to) in
> real time, I'll be able to check if it's referencing any web services
> or sources other than Google as well as other than my own database.
> This alone will solve concerns number 1 and 2. But I don't even know
> how to do this! Should I install a monitoring application on my
> virtual dedicated server that would run in the background? What
> application(s) do you folks recommend?
>
> USEFUL INFO
> The application is written in PHP (not sure 4 or 5) and runs on a
> virtual dedicated server on a linux machine hosted by HostGator.
> Also, while acceptance testing, I will be testing the deliverable on
> this virtual dedicated server and I have full admin control over this
> hosting account. For this account I have access to a cPanel and a VZ
> control panel. Which control panel should I use for this purpose? I
> get lost in these control panels as it's the first time in my life I'm
> using a virtual dedicated server for a project.
>
> Thanks so much in advance! And hopefully this post will help other
> project managers as well.
> Kind regards,
> E. Sajad

I think if you don't trust this guy, you shouldn't be doing business
with him. Or factor in funds to 'find him with extreme prejudice' after
you've paid him. This is not a technology issue as much as it is a
business issue.

Seriously, if you don't trust him, don't pay him and find someone else
you trust and can contact after the project is over for follow-on work.

--
DeeDee, don't press that button! DeeDee! NO! Dee...
[I filter all Goggle Groups posts, so any reply may be automatically ignored]
Re: monitoring IP address calls of a PHP application [message #175062 is a reply to message #175057] Tue, 09 August 2011 11:26
Jerry Stuckle
On 8/9/2011 2:00 AM, E.Sajad wrote:
> Hi there,
>
> I have cross-posted this issue in two related groups: PHP and Software
> Testing.
>
> THE PROBLEM
> I have outsourced development of a web-based application to a
> freelancer. He will be delivering the software soon. However, after
> I perform acceptance testing and give the OK and release the funds to
> him, I might never be able to get hold of this person and according to
> our contract, once I "accept" the software, he will have no future
> obligations with respect to this project.
>
> So I'm trying to protect myself by somehow verifying that their
> delivered application:
>
> 1. Does not connect to/use/call any other web services or connect to
> other IP addresses (or servers) other than Google [note: the
> application extracts some info from Google search results]
> 2. Does not connect to any databases other than the one on the local
> server
> 3. Does not use any third-party libraries that I might have to pay for
> in the future.
> 4. Does not contain files that, although they need to be editable (for
> future modification, such as XML configuration files), have been
> converted into binary or non-editable or non-readable format.
>
> Basically, anything that will render me “ripped off” after I fully pay
> for the application because I won’t have access to the developer later
> on (and my budget is too tight to pay for consultants).
>
> Any fellow outsourcers who've run into this issue, please share what
> tools (preferably open-source) you used to verify any of the above
> items.
>
> I believe if I can somehow monitor all the IP addresses that the
> application calls (connects to) in
> real time, I'll be able to check if it's referencing any web services
> or sources other than Google as well as other than my own database.
> This alone will solve concerns number 1 and 2. But I don't even know
> how to do this! Should I install a monitoring application on my
> virtual dedicated server that would run in the background? What
> application(s) do you folks recommend?
>
> USEFUL INFO
> The application is written in PHP (not sure 4 or 5) and runs on a
> virtual dedicated server on a linux machine hosted by HostGator.
> Also, while acceptance testing, I will be testing the deliverable on
> this virtual dedicated server and I have full admin control over this
> hosting account. For this account I have access to a cPanel and a VZ
> control panel. Which control panel should I use for this purpose? I
> get lost in these control panels as it's the first time in my life I'm
> using a virtual dedicated server for a project.
>
> Thanks so much in advance! And hopefully this post will help other
> project managers as well.
> Kind regards,
> E. Sajad

I agree with Michael. If you don't trust someone, don't do business
with him at all. But you've already contracted with him, so you're
obligated to pay him. So pay him and don't use his code.

As for the rest - pay someone you do trust (if there is someone like
that) to examine the code.

But there are a lot worse things than what you're worried about.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Re: monitoring IP address calls of a PHP application [message #175063 is a reply to message #175057] Tue, 09 August 2011 11:40
me
On 8/9/2011 2:00 AM, E.Sajad wrote:
> So I'm trying to protect myself by somehow verifying that their
> delivered application:
>
> 1. Does not connect to/use/call any other web services or connect to
> other IP addresses (or servers) other than Google [note: the
> application extracts some info from Google search results]
> 2. Does not connect to any databases other than the one on the local
> server
> 3. Does not use any third-party libraries that I might have to pay for
> in the future.
> 4. Does not contain files that, although they need to be editable (for
> future modification, such as XML configuration files), have been
> converted into binary or non-editable or non-readable format.

<snip>

> I believe if I can somehow monitor all the IP addresses that the
> application calls (connects to) in
> real time, I'll be able to check if it's referencing any web services
> or sources other than Google as well as other than my own database.
> This alone will solve concerns number 1 and 2. But I don't even know
> how to do this! Should I install a monitoring application on my
> virtual dedicated server that would run in the background? What
> application(s) do you folks recommend?

<snip>

Practically speaking, if the person who did the coding is in fact
devious (I'm not assuming so but looking at worst case) it would be easy
to write code that would activate #1 and #2 at some point in the future.
That the code does neither now may be of little comfort.

Bill B
Re: monitoring IP address calls of a PHP application [message #175064 is a reply to message #175063] Tue, 09 August 2011 12:50
The Natural Philosoph
Bill B wrote:
> On 8/9/2011 2:00 AM, E.Sajad wrote:
>> So I'm trying to protect myself by somehow verifying that their
>> delivered application:
>>
>> 1. Does not connect to/use/call any other web services or connect to
>> other IP addresses (or servers) other than Google [note: the
>> application extracts some info from Google search results]
>> 2. Does not connect to any databases other than the one on the local
>> server
>> 3. Does not use any third-party libraries that I might have to pay for
>> in the future.
>> 4. Does not contain files that, although they need to be editable (for
>> future modification, such as XML configuration files), have been
>> converted into binary or non-editable or non-readable format.
>
> <snip>
>
>> I believe if I can somehow monitor all the IP addresses that the
>> application calls (connects to) in
>> real time, I'll be able to check if it's referencing any web services
>> or sources other than Google as well as other than my own database.
>> This alone will solve concerns number 1 and 2. But I don't even know
>> how to do this! Should I install a monitoring application on my
>> virtual dedicated server that would run in the background? What
>> application(s) do you folks recommend?
>
> <snip>
>
> Practically speaking, if the person who did the coding is in fact
> devious (I'm not assuming so but looking at worst case) it would be easy
> to write code that would activate #1 and #2 at some point in the future.
> That the code does neither now may be of little comfort.
>
> Bill B
It's php ffs

phpinfo will reveal if any extraneous libs are linked in.
A grep of its source code for any system() type calls will reveal if odd
code is being invoked.

Ditto a code walk for any database open calls or CURL will check for
access to where it may or may not access.

If it's beyond the OP, I suggest a paid contract to another contractor to
'find the bugs, and identify the rubbish'

Set a thief to catch a thief.
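
The grep and code walk suggested above, as an added example that is not part of the original post: a shell script that sorts hits in a delivered PHP tree into process execution, outbound network calls, hard-coded URLs, database connections and dynamic-code constructs, and lists files that are no longer plain text. The pattern lists, the sample tree and its hosts are assumptions made for this example; a static scan also sees code that has not run yet, which runtime monitoring alone would not.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Pattern lists are a starting point for
# review (GNU grep assumed); every hit needs a human to read the code around it.

# Print "category: file:line:code" for calls that reach outside the application.
audit_php() {
    local root=$1 cat pat
    while read -r cat pat; do
        # -i: PHP function names are case-insensitive; -I: skip binary files
        grep -rniIE --include='*.php' --include='*.inc' -e "$pat" "$root" |
            sed "s/^/$cat: /" || true
    done <<'EOF'
exec \b(system|exec|shell_exec|passthru|popen|proc_open)[[:space:]]*\(
network \b(curl_init|fsockopen|pfsockopen|stream_socket_client|socket_connect)[[:space:]]*\(
url (https?|ftp)://
database \b(mysql_p?connect|mysqli_connect|pg_connect)[[:space:]]*\(|new[[:space:]]+(mysqli|PDO)\b
dynamic \b(eval|create_function|base64_decode|gzinflate|str_rot13)[[:space:]]*\(
EOF
}

# List non-empty files that grep classifies as binary (images excluded): encoded
# PHP or configuration that can no longer be read or edited (concern 4).
unreadable_files() {
    find "$1" -type f -size +0 ! -name '*.png' ! -name '*.jpg' ! -name '*.gif' \
        -exec grep -IL '' {} + || true
}

# Constructed sample tree (hypothetical code, hosts and address) for a dry run.
make_sample() {
    local d; d=$(mktemp -d)
    printf '%s\n' '<?php' '$c = mysql_connect("db.example.net", $u, $p);' \
        '$h = fsockopen("203.0.113.7", 80);' > "$d/index.php"
    printf '%s\n' '<?php EVAL(base64_decode($blob));' > "$d/lib.inc"
    printf 'cfg\0bin' > "$d/settings.xml"
    echo "$d"
}

# Usage: ./audit.sh /path/to/delivered/app   (no argument: run on the sample)
dir=${1:-$(make_sample)}
audit_php "$dir"
unreadable_files "$dir"
```

The `dynamic` category is there because a search for function names alone misses calls assembled at runtime; those lines deserve the closest reading.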
Re: monitoring IP address calls of a PHP application [message #175065 is a reply to message #175064] Tue, 09 August 2011 13:30
me
On 8/9/2011 8:50 AM, The Natural Philosopher wrote:
> Bill B wrote:
>> On 8/9/2011 2:00 AM, E.Sajad wrote:
>>> So I'm trying to protect myself by somehow verifying that their
>>> delivered application:
>>>
>>> 1. Does not connect to/use/call any other web services or connect to
>>> other IP addresses (or servers) other than Google [note: the
>>> application extracts some info from Google search results]
>>> 2. Does not connect to any databases other than the one on the local
>>> server
>>> 3. Does not use any third-party libraries that I might have to pay for
>>> in the future.
>>> 4. Does not contain files that, although they need to be editable (for
>>> future modification, such as XML configuration files), have been
>>> converted into binary or non-editable or non-readable format.
>>
>> <snip>
>>
>>> I believe if I can somehow monitor all the IP addresses that the
>>> application calls (connects to) in
>>> real time, I'll be able to check if it's referencing any web services
>>> or sources other than Google as well as other than my own database.
>>> This alone will solve concerns number 1 and 2. But I don't even know
>>> how to do this! Should I install a monitoring application on my
>>> virtual dedicated server that would run in the background? What
>>> application(s) do you folks recommend?
>>
>> <snip>
>>
>> Practically speaking, if the person who did the coding is in fact
>> devious (I'm not assuming so but looking at worst case) it would be
>> easy to write code that would activate #1 and #2 at some point in the
>> future. That the code does neither now may be of little comfort.
>>
>> Bill B
> It's php ffs
>
> phpinfo will reveal if any extraneous libs are linked in.
> A grep of its source code for any system() type calls will reveal if odd
> code is being invoked.
>
> Ditto a code walk for any database open calls or CURL will check for
> access to where it may or may not access.
>
> If it's beyond the OP, I suggest a paid contract to another contractor to
> 'find the bugs, and identify the rubbish'
>
> Set a thief to catch a thief.

Thanks, I had overlooked that. Good reminder.

Bill B