Secure website [message #183534]
Wed, 30 October 2013 03:02
Graham Hobbs
Hellop,
I have an ordinary website (all PHP), it has no 'conscious'
protections, just code that does a job. One page (not written yet
because I don't know how), will advertise a product for sale.
My concept is that a buyer goes to a paypal screen, does the
necessary, when payment is verified and paid, an email is
automatically sent to the buyer with a download key. At the buyer's
discretion, they go to the download page, enter the key and the
software gets downloaded. Is this sort of thing a novice PHP'er could
do?
I'd like to be sort of semi-conversant before I contact paypal. Is the
above feasible, is my ordinary website secure, is there a specific set
of PHP'ish or other 'things to do'
e.g.
.... how to prevent more than one download, do I store the software
package on my ISP's server, is it safe, since it has several exe files
would they be in a zip file, how to assign a download key, let the
whole process be automated?
... starter clues appreciated, thanks,
Graham Hobbs

Re: Secure website [message #183535 is a reply to message #183534]
Wed, 30 October 2013 03:26
Denis McMahon
On Tue, 29 Oct 2013 23:02:02 -0400, Graham Hobbs wrote:
> My concept is that a buyer goes to a paypal screen, does the necessary,
> when payment is verfified and paid, an email is automatically sent to
> the buyer with a download key. At the buyers dicretion, they go to the
> download page, enter the key and the software gets downloaded. Is this
> sort of thing a novice PHP'er could do.
I've done one commerce site that uses the paypal api - their
documentation and examples at the time (a couple of years ago now) left a
fair bit to be desired - I suspect the documentation and examples were
for slightly different versions of the api, neither of which was the
current one.
I don't know what their rules are about payment for transactions
involving electronic deliverables (or even if they have any specific
rules for such), or how you would protect yourself from people claiming
that they paid and you didn't deliver the goods etc?
--
Denis McMahon, denismfmcmahon(at)gmail(dot)com

Re: Secure website [message #183537 is a reply to message #183534]
Wed, 30 October 2013 05:52
J.O. Aho
On 30/10/13 04:02, Graham Hobbs wrote:
> Hellop,
>
> I have an ordinary website (all PHP), it has no 'conscious'
> protections, just code that does a job. One page (not written yet
> because I don't know how), will advertise a product for sale.
>
> My concept is that a buyer goes to a paypal screen, does the
> necessary, when payment is verfified and paid, an email is
> automatically sent to the buyer with a download key. At the buyers
> dicretion, they go to the download page, enter the key and the
> software gets downloaded. Is this sort of thing a novice PHP'er could
> do.
Sure, a novice coder could do it, but the question is if it's a good
solution they make or not.
> ... how to prevent more than one download, do I store the software
> package on my ISP's server, is it safe, since it has several exe files
> would they be in a zip file, how to assign a download key, let the
> whole process be automated?
You store the key in a database, together with which package, who and a
download time.
When the user requests the file, you check against the database to
see if the row has a download time; if not, allow the start of the
download (keep in mind that the user does not get a direct download link,
but it's the PHP which serves the content to the user), and when the
whole file has been sent, then update the row with a download time.
See to it that the zip files aren't located in the DocumentRoot directory,
for if they are, then you can download them without the need of the key
you want to send.
And yes, it can be made completely automated; take advantage of the
PayPal IPN system, and do not forget that PayPal transactions have a high
chargeback fee and customers do more disputes than with other payment
alternatives, so someone could pay and download your product and then
dispute the payment, and in the worst case you will have to pay for it, so
you need to log everything on your site, so you can prove that the
customer did download the product they paid for.
--
//Aho
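
The design in the reply above (key row in a database, file kept outside DocumentRoot and streamed by PHP, download time set only after the send, everything logged) can be sketched as follows. This is an added example, not code from any poster in the thread; the table names, function names and sample data are assumptions, and it uses an in-memory SQLite database so it runs on its own.

```php
<?php
declare(strict_types=1);

// Hypothetical schema: one row per issued key, plus an audit log for disputes.
function open_db(): PDO
{
    $db = new PDO('sqlite::memory:'); // in-memory SQLite keeps the example offline
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE download_keys (
        key_hash TEXT PRIMARY KEY, package TEXT NOT NULL,
        buyer_email TEXT NOT NULL, downloaded_at TEXT)');
    $db->exec('CREATE TABLE download_log (
        at TEXT NOT NULL, key_hash TEXT NOT NULL,
        remote_addr TEXT NOT NULL, event TEXT NOT NULL)');
    return $db;
}

function log_event(PDO $db, string $keyHash, string $remoteAddr, string $event): void
{
    $db->prepare('INSERT INTO download_log VALUES (?, ?, ?, ?)')
       ->execute([gmdate('c'), $keyHash, $remoteAddr, $event]);
}

// Called once the payment is confirmed; the return value goes into the e-mail.
function issue_key(PDO $db, string $package, string $buyerEmail): string
{
    $key = bin2hex(random_bytes(16)); // 128 bits from the CSPRNG, 32 hex chars
    // Only a hash is stored, so a leaked table does not hand out working keys.
    $db->prepare('INSERT INTO download_keys (key_hash, package, buyer_email) VALUES (?, ?, ?)')
       ->execute([hash('sha256', $key), $package, $buyerEmail]);
    return $key;
}

// Returns the file to send, or null if the key is malformed, unknown or used.
function resolve_download(PDO $db, string $key, string $storageDir, string $remoteAddr): ?string
{
    $keyHash = hash('sha256', $key);
    if (preg_match('/\A[0-9a-f]{32}\z/', $key) !== 1) {
        log_event($db, $keyHash, $remoteAddr, 'refused: malformed key');
        return null;
    }
    $stmt = $db->prepare('SELECT package, downloaded_at FROM download_keys WHERE key_hash = ?');
    $stmt->execute([$keyHash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $row['downloaded_at'] !== null) {
        log_event($db, $keyHash, $remoteAddr, 'refused: unknown or used key');
        return null;
    }
    // $storageDir must lie outside DocumentRoot; basename() blocks path tricks.
    $path = $storageDir . DIRECTORY_SEPARATOR . basename($row['package']);
    if (!is_file($path)) {
        log_event($db, $keyHash, $remoteAddr, 'error: package missing');
        return null;
    }
    log_event($db, $keyHash, $remoteAddr, 'download started');
    return $path;
}

// PHP streams the file itself; the buyer never sees a direct link to it.
function send_file(string $path): bool
{
    header('Content-Type: application/zip');
    header('Content-Length: ' . filesize($path));
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    $sent = readfile($path);
    return $sent === filesize($path) && connection_status() === CONNECTION_NORMAL;
}

// Sets the download time; call it only after send_file() reported success.
function mark_downloaded(PDO $db, string $key, string $remoteAddr): bool
{
    $keyHash = hash('sha256', $key);
    $stmt = $db->prepare('UPDATE download_keys SET downloaded_at = ?
                          WHERE key_hash = ? AND downloaded_at IS NULL');
    $stmt->execute([gmdate('c'), $keyHash]);
    $ok = $stmt->rowCount() === 1;
    log_event($db, $keyHash, $remoteAddr, $ok ? 'download completed' : 'completion ignored');
    return $ok;
}

// Constructed demo data; on a web server these steps run inside the download page.
if (PHP_SAPI === 'cli') {
    $storage = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pkg_' . bin2hex(random_bytes(4));
    mkdir($storage, 0700);
    $file = $storage . DIRECTORY_SEPARATOR . 'product.zip';
    file_put_contents($file, 'constructed sample bytes');

    $db  = open_db();
    $key = issue_key($db, 'product.zip', 'buyer@example.com');

    $first = resolve_download($db, $key, $storage, '192.0.2.10');
    // send_file($first) would run here; its true return gates the update below.
    mark_downloaded($db, $key, '192.0.2.10');
    $second = resolve_download($db, $key, $storage, '192.0.2.10');

    echo 'first request:  ', $first === null ? 'refused' : 'served ' . basename($first), PHP_EOL;
    echo 'second request: ', $second === null ? 'refused' : 'served', PHP_EOL;
    foreach ($db->query('SELECT at, event FROM download_log') as $entry) {
        echo $entry['at'], '  ', $entry['event'], PHP_EOL;
    }
    unlink($file);
    rmdir($storage);
}
```

Because the row is only marked after the send, two requests arriving at the same moment with the same key would both be served; the log rows are what lets the seller show afterwards which key was used, when and from where.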

Re: Secure website [message #183542 is a reply to message #183537]
Wed, 30 October 2013 14:47
Graham Hobbs
On Wed, 30 Oct 2013 06:52:01 +0100, "J.O. Aho" <user(at)example(dot)net>
wrote:
> On 30/10/13 04:02, Graham Hobbs wrote:
>> Hellop,
>>
>> I have an ordinary website (all PHP), it has no 'conscious'
>> protections, just code that does a job. One page (not written yet
>> because I don't know how), will advertise a product for sale.
>>
>> My concept is that a buyer goes to a paypal screen, does the
>> necessary, when payment is verfified and paid, an email is
>> automatically sent to the buyer with a download key. At the buyers
>> dicretion, they go to the download page, enter the key and the
>> software gets downloaded. Is this sort of thing a novice PHP'er could
>> do.
>
> Sure a novice coder could do it, but the question is if it's a good
> solution they do or not.
>
>> ... how to prevent more than one download, do I store the software
>> package on my ISP's server, is it safe, since it has several exe files
>> would they be in a zip file, how to assign a download key, let the
>> whole process be automated?
>
> You store the key in a database, together which package, who and a
> download time.
> When the user request for the file, you check against the database to
> see if the row has a download time, if not allow the start of the
> download (keep in mind that the user do not get a direct download link,
> but it's the php which serves the content to the user) and when the
> whole file been sent, then update the row with a download time.
>
> See to that the zip files ain't located in the DocumentRoot directory,
> for it they do, then you can download them without the need of the key
> you want to send.
>
> And yes, it can be made completely automated, take advantige of the
> PayPal IPN system and do not forget that PayPal transactions has a highe
> chargeback fee and customers do more disbutes than with other payment
> alternatives, so somone could pay and download your product and then
> disbute the payment and in worst case you will have to pay for it, so
> you need to log everything on your site, so you can proof that the
> customer did download the product they paied for.
---
Gentlemen,
Thanks for that info. It seems I need to learn the concepts behind
post/get/database etc .. is this how one codes for a dialogue with my
site? Besides the PHP manual, might there be such things as 'template'
examples?
Graham Hobbs

Re: Secure website [message #183544 is a reply to message #183542]
Wed, 30 October 2013 17:03
J.O. Aho
On 30/10/13 15:47, Graham Hobbs wrote:
> Thanks for that info. It seems I need to learn the comcepts behind
> post/get/database etc .. is this how one codes for a dialogue with my
> site? Besides the PHP manual, might there be such things as 'template'
> examples?
The examples at php.net are just basic ones to show how the function
works. I suggest you read the comments and look for those who talk about
security and injection prevention, and avoid examples made by Indian
developers; those generally are prone to header/SQL injections and have
poor security awareness.
Remember to always check user-generated data (say name, email and other
things they might enter in a form, or that are used in a URL). Have white
lists which contain the types of data you allow; for example, you may
only allow names written with Latin characters, then use a regexp so it only
contains Latin characters, and if there is something else, just throw
out an "invalid data" error or ask the user to enter proper data, and do
not process anything further until you have OK data.
--
//Aho
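
The whitelist approach from the reply above, as an added example that is not part of the original post: each form field has one rule, anything that does not match is refused with "invalid data", and nothing is processed until every field passes. The field names, length limits and sample submissions are assumptions made for the example.

```php
<?php
declare(strict_types=1);

function is_latin_name(string $v): bool
{
    // Latin-script letters plus space, apostrophe, dot and hyphen; 1 to 64 chars.
    // With /u, input that is not valid UTF-8 makes preg_match() fail, so it is refused.
    return preg_match('/\A\p{Latin}[\p{Latin} \'.\-]{0,63}\z/u', $v) === 1;
}

function is_safe_email(string $v): bool
{
    // CR or LF inside an address is how extra mail headers get injected.
    return strlen($v) <= 254
        && preg_match('/[\r\n]/', $v) === 0
        && filter_var($v, FILTER_VALIDATE_EMAIL) !== false;
}

function is_download_key(string $v): bool
{
    // Assumed key format: 32 lowercase hex characters.
    return preg_match('/\A[0-9a-f]{32}\z/', $v) === 1;
}

/**
 * Checks $input (e.g. $_POST) against $rules (field name => validator function).
 * Values are refused rather than repaired; 'clean' is only filled when all pass.
 */
function validate_form(array $input, array $rules): array
{
    $clean  = [];
    $errors = [];
    foreach (array_diff_key($input, $rules) as $field => $unused) {
        $errors[$field] = 'unexpected field';
    }
    foreach ($rules as $field => $check) {
        $value = $input[$field] ?? null;
        if (!is_string($value)) {          // missing, or an array sent as name[]=...
            $errors[$field] = 'missing or not a string';
            continue;
        }
        $value = trim($value, ' ');        // spaces only; keeps CR/LF for the validators to refuse
        if (!$check($value)) {
            $errors[$field] = 'invalid data';
            continue;
        }
        $clean[$field] = $value;
    }
    $ok = $errors === [];
    return ['ok' => $ok, 'clean' => $ok ? $clean : [], 'errors' => $errors];
}

// Constructed sample submissions, standing in for $_POST.
if (PHP_SAPI === 'cli') {
    $rules = ['name' => 'is_latin_name', 'email' => 'is_safe_email', 'key' => 'is_download_key'];
    $samples = [
        'well-formed' => [
            'name' => "Zoë O'Neil", 'email' => 'zoe@example.com',
            'key'  => '0123456789abcdef0123456789abcdef',
        ],
        'SQL fragment in name' => [
            'name' => "x'; DROP TABLE buyers; --", 'email' => 'zoe@example.com',
            'key'  => '0123456789abcdef0123456789abcdef',
        ],
        'header injection in email' => [
            'name' => 'Zoe', 'email' => "zoe@example.com\r\nBcc: other@example.net",
            'key'  => '0123456789abcdef0123456789abcdef',
        ],
        'array instead of string, extra field' => [
            'name' => ['Zoe'], 'email' => 'zoe@example.com',
            'key'  => '0123456789abcdef0123456789abcdef', 'admin' => '1',
        ],
    ];
    foreach ($samples as $label => $post) {
        $result = validate_form($post, $rules);
        echo str_pad($label, 38), $result['ok'] ? 'accepted' : 'rejected: ' . json_encode($result['errors']), PHP_EOL;
    }
}
```

Validation of this kind decides what is accepted at all; values that pass should still reach the database through prepared statements rather than string concatenation.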

Re: Secure website [message #183546 is a reply to message #183534]
Wed, 30 October 2013 18:56
Jerry Stuckle
On 10/29/2013 11:02 PM, Graham Hobbs wrote:
> Hellop,
>
> I have an ordinary website (all PHP), it has no 'conscious'
> protections, just code that does a job. One page (not written yet
> because I don't know how), will advertise a product for sale.
>
> My concept is that a buyer goes to a paypal screen, does the
> necessary, when payment is verfified and paid, an email is
> automatically sent to the buyer with a download key. At the buyers
> dicretion, they go to the download page, enter the key and the
> software gets downloaded. Is this sort of thing a novice PHP'er could
> do.
>
> I'd like to be sort of semi-conversant before I contact paypal. Is the
> above feasible, is my ordinary website secure, is there a specific set
> of PHP'ish or other 'things to do'
> e.g.
> ... how to prevent more than one download, do I store the software
> package on my ISP's server, is it safe, since it has several exe files
> would they be in a zip file, how to assign a download key, let the
> whole process be automated?
>
> .. starter clues appreciated, thanks,
>
> Graham Hobbs
>
A couple of questions:
1. What happens if that "one download" is unsuccessful? Are you going
to make the buyer pay again?
2. What is to stop one person from buying your program, then sending it
off to all of his friends (or uploading it to another site)?
You can do it, but in addition to the other comments about PayPal - if
they have a system outage, it can take several hours (even after they
make it back up) for them to process the payment. It doesn't happen
often, but it does occur.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================

Re: Secure website [message #183553 is a reply to message #183546]
Wed, 30 October 2013 23:15
Graham Hobbs
On Wed, 30 Oct 2013 14:56:12 -0400, Jerry Stuckle
<jstucklex(at)attglobal(dot)net> wrote:
> On 10/29/2013 11:02 PM, Graham Hobbs wrote:
>> Hellop,
>>
>> I have an ordinary website (all PHP), it has no 'conscious'
>> protections, just code that does a job. One page (not written yet
>> because I don't know how), will advertise a product for sale.
>>
>> My concept is that a buyer goes to a paypal screen, does the
>> necessary, when payment is verfified and paid, an email is
>> automatically sent to the buyer with a download key. At the buyers
>> dicretion, they go to the download page, enter the key and the
>> software gets downloaded. Is this sort of thing a novice PHP'er could
>> do.
>>
>> I'd like to be sort of semi-conversant before I contact paypal. Is the
>> above feasible, is my ordinary website secure, is there a specific set
>> of PHP'ish or other 'things to do'
>> e.g.
>> ... how to prevent more than one download, do I store the software
>> package on my ISP's server, is it safe, since it has several exe files
>> would they be in a zip file, how to assign a download key, let the
>> whole process be automated?
>>
>> .. starter clues appreciated, thanks,
>>
>> Graham Hobbs
>>
>
> A couple of questions:
>
> 1. What happens if that "one download" is unsuccessful? Are you going
> to make the buyer pay again?
- OF COURSE .. just a joke!
- I would guess a failed download would be rare but if so, an email
would ensue and I'd reply with an attachment - reasonable?
>
> 2. What is to stop one person from buying your program, then sending it
> off to all of his friends (or uploading it to another site)?
- doesn't all software face that problem? .. is there a solution?
>
> You can do it, but in addition to the other comments about PayPal - if
> they have a system outage, it can take several hours (even after they
> make it back up) for them to process the payment. It doesn't happen
> often, but it does occur.
- my software has a small audience, I would expect this not to be a
concern

Re: Secure website [message #183554 is a reply to message #183544]
Wed, 30 October 2013 23:18
Graham Hobbs
On Wed, 30 Oct 2013 18:03:24 +0100, "J.O. Aho" <user(at)example(dot)net>
wrote:
> On 30/10/13 15:47, Graham Hobbs wrote:
>
>
>> Thanks for that info. It seems I need to learn the comcepts behind
>> post/get/database etc .. is this how one codes for a dialogue with my
>> site? Besides the PHP manual, might there be such things as 'template'
>> examples?
>
> The exmples at php.net are just basic ones to show how the function
> works, I suggest you read comments and look for those who talk about
> security and injection prevention and avoid examples made by Indian
> developers, those generally are prone for header/sql injections and has
> poor security awarness.
>
> Remember to always check user generated data (say name, email and other
> things they might enter in a form, or is used in an URL), have white
> lists which contains which type of data you allow, for example you may
> only allow names written with latin characters, then regexp so it only
> contains lating characters and if there is something else, just throw
> out an "invalid data" error or ask the user to enter proper data and do
> not process anything futher untill you have OK data.
--
all noted, thanks muchly!

Re: Secure website [message #183555 is a reply to message #183553]
Thu, 31 October 2013 03:03
Jerry Stuckle
On 10/30/2013 7:15 PM, Graham Hobbs wrote:
> On Wed, 30 Oct 2013 14:56:12 -0400, Jerry Stuckle
> <jstucklex(at)attglobal(dot)net> wrote:
>
>> On 10/29/2013 11:02 PM, Graham Hobbs wrote:
>>> Hellop,
>>>
>>> I have an ordinary website (all PHP), it has no 'conscious'
>>> protections, just code that does a job. One page (not written yet
>>> because I don't know how), will advertise a product for sale.
>>>
>>> My concept is that a buyer goes to a paypal screen, does the
>>> necessary, when payment is verfified and paid, an email is
>>> automatically sent to the buyer with a download key. At the buyers
>>> dicretion, they go to the download page, enter the key and the
>>> software gets downloaded. Is this sort of thing a novice PHP'er could
>>> do.
>>>
>>> I'd like to be sort of semi-conversant before I contact paypal. Is the
>>> above feasible, is my ordinary website secure, is there a specific set
>>> of PHP'ish or other 'things to do'
>>> e.g.
>>> ... how to prevent more than one download, do I store the software
>>> package on my ISP's server, is it safe, since it has several exe files
>>> would they be in a zip file, how to assign a download key, let the
>>> whole process be automated?
>>>
>>> .. starter clues appreciated, thanks,
>>>
>>> Graham Hobbs
>>>
>>
>> A couple of questions:
>>
>> 1. What happens if that "one download" is unsuccessful? Are you going
>> to make the buyer pay again?
> - OF COURSE .. just a joke!
> - I would guess a failed download would be rare but if so, an email
> would ensue and |'d reply with an attachment - reasonable?
Less rare than you would think. And how would you check to see if the
download failed or not?
>>
>> 2. What is to stop one person from buying your program, then sending it
>> off to all of his friends (or uploading it to another site)?
> - doesn't all software face that problem? .. is there a solution?
>>
>> You can do it, but in addition to the other comments about PayPal - if
>> they have a system outage, it can take several hours (even after they
>> make it back up) for them to process the payment. It doesn't happen
>> often, but it does occur.
> - my software has a small audience, I would expect this not to be a
> concern
>
Famous last words...
If your audience is so small, why do you worry about it?
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================

Re: Secure website [message #183557 is a reply to message #183534]
Thu, 31 October 2013 10:24
David Quinton
On Tue, 29 Oct 2013 23:02:02 -0400, Graham Hobbs <ghobbs(at)cdpwise(dot)net>
wrote:
> My concept is that a buyer goes to a paypal screen, does the
> necessary, when payment is verfified and paid, an email is
> automatically sent to the buyer with a download key. At the buyers
> dicretion, they go to the download page, enter the key and the
> software gets downloaded. Is this sort of thing a novice PHP'er could
> do.
Personally, I'd suggest that you don't "reinvent the wheel" but use
something like:
http://www.withinweb.com/
We've successfully used this "out of the box" and modified versions on
several websites over the years.
--
Free personal divertable Phone number: <http://www.bizorg.co.uk/personalnos.htm>

Re: Secure website [message #183558 is a reply to message #183555]
Thu, 31 October 2013 14:27
Graham Hobbs
On Wed, 30 Oct 2013 23:03:42 -0400, Jerry Stuckle
<jstucklex(at)attglobal(dot)net> wrote:
> On 10/30/2013 7:15 PM, Graham Hobbs wrote:
>> On Wed, 30 Oct 2013 14:56:12 -0400, Jerry Stuckle
>> <jstucklex(at)attglobal(dot)net> wrote:
>>
>>> On 10/29/2013 11:02 PM, Graham Hobbs wrote:
>>>> Hellop,
>>>>
>>>> I have an ordinary website (all PHP), it has no 'conscious'
>>>> protections, just code that does a job. One page (not written yet
>>>> because I don't know how), will advertise a product for sale.
>>>>
>>>> My concept is that a buyer goes to a paypal screen, does the
>>>> necessary, when payment is verfified and paid, an email is
>>>> automatically sent to the buyer with a download key. At the buyers
>>>> dicretion, they go to the download page, enter the key and the
>>>> software gets downloaded. Is this sort of thing a novice PHP'er could
>>>> do.
>>>>
>>>> I'd like to be sort of semi-conversant before I contact paypal. Is the
>>>> above feasible, is my ordinary website secure, is there a specific set
>>>> of PHP'ish or other 'things to do'
>>>> e.g.
>>>> ... how to prevent more than one download, do I store the software
>>>> package on my ISP's server, is it safe, since it has several exe files
>>>> would they be in a zip file, how to assign a download key, let the
>>>> whole process be automated?
>>>>
>>>> .. starter clues appreciated, thanks,
>>>>
>>>> Graham Hobbs
>>>>
>>>
>>> A couple of questions:
>>>
>>> 1. What happens if that "one download" is unsuccessful? Are you going
>>> to make the buyer pay again?
>> - OF COURSE .. just a joke!
>> - I would guess a failed download would be rare but if so, an email
>> would ensue and |'d reply with an attachment - reasonable?
>
> Less rare than you would think. And how would you check to see if the
> download failed or not?
I wouldn't, I'd expect an email from the buyer. Is there a rule of
thumb way to check?
>
>>>
>>> 2. What is to stop one person from buying your program, then sending it
>>> off to all of his friends (or uploading it to another site)?
>> - doesn't all software face that problem? .. is there a solution?
Would be most interested in commentary on this.
>>>
>>> You can do it, but in addition to the other comments about PayPal - if
>>> they have a system outage, it can take several hours (even after they
>>> make it back up) for them to process the payment. It doesn't happen
>>> often, but it does occur.
>> - my software has a small audience, I would expect this not to be a
>> concern
>>
>
> Famous last words...
>
> If your audience is so small, why do you worry about it?
Well I hope 'not SO small':-). Am not worried. Given the small number
of buy operations and infrequency of Paypal downtime, concurrency of
these events would be remote.
But I do worry about some nasty intercepting and cocking up any part
of the process from 'the buy page' through to emailing a 'key' and the
subsequent download. Not infecting buyers is the point.

Re: Secure website [message #183559 is a reply to message #183557]
Thu, 31 October 2013 14:28
Graham Hobbs
On Thu, 31 Oct 2013 10:24:46 +0000, David Quinton
<usenet_2005D_email(at)REMOVETHISBITbizorg(dot)co(dot)uk> wrote:
> On Tue, 29 Oct 2013 23:02:02 -0400, Graham Hobbs <ghobbs(at)cdpwise(dot)net>
> wrote:
>
>> My concept is that a buyer goes to a paypal screen, does the
>> necessary, when payment is verfified and paid, an email is
>> automatically sent to the buyer with a download key. At the buyers
>> dicretion, they go to the download page, enter the key and the
>> software gets downloaded. Is this sort of thing a novice PHP'er could
>> do.
>
> Personally, I'd suggest that you don't "reinvent the wheel" but use
> something like:
> http://www.withinweb.com/
>
> We've successfully used this "out of the box" and modified versions on
> several websites over the years.
---
That seems to be worth a real study - thanks David.
Graham

Re: Secure website [message #183560 is a reply to message #183558]
Thu, 31 October 2013 15:24
Jerry Stuckle
On 10/31/2013 10:27 AM, Graham Hobbs wrote:
> On Wed, 30 Oct 2013 23:03:42 -0400, Jerry Stuckle
> <jstucklex(at)attglobal(dot)net> wrote:
>
>> On 10/30/2013 7:15 PM, Graham Hobbs wrote:
>>> On Wed, 30 Oct 2013 14:56:12 -0400, Jerry Stuckle
>>> <jstucklex(at)attglobal(dot)net> wrote:
>>>
>>>> On 10/29/2013 11:02 PM, Graham Hobbs wrote:
>>>> > Hellop,
>>>> >
>>>> > I have an ordinary website (all PHP), it has no 'conscious'
>>>> > protections, just code that does a job. One page (not written yet
>>>> > because I don't know how), will advertise a product for sale.
>>>> >
>>>> > My concept is that a buyer goes to a paypal screen, does the
>>>> > necessary, when payment is verfified and paid, an email is
>>>> > automatically sent to the buyer with a download key. At the buyers
>>>> > dicretion, they go to the download page, enter the key and the
>>>> > software gets downloaded. Is this sort of thing a novice PHP'er could
>>>> > do.
>>>> >
>>>> > I'd like to be sort of semi-conversant before I contact paypal. Is the
>>>> > above feasible, is my ordinary website secure, is there a specific set
>>>> > of PHP'ish or other 'things to do'
>>>> > e.g.
>>>> > ... how to prevent more than one download, do I store the software
>>>> > package on my ISP's server, is it safe, since it has several exe files
>>>> > would they be in a zip file, how to assign a download key, let the
>>>> > whole process be automated?
>>>> >
>>>> > .. starter clues appreciated, thanks,
>>>> >
>>>> > Graham Hobbs
>>>> >
>>>>
>>>> A couple of questions:
>>>>
>>>> 1. What happens if that "one download" is unsuccessful? Are you going
>>>> to make the buyer pay again?
>>> - OF COURSE .. just a joke!
>>> - I would guess a failed download would be rare but if so, an email
>>> would ensue and |'d reply with an attachment - reasonable?
>>
>> Less rare than you would think. And how would you check to see if the
>> download failed or not?
> I wouldn't, I'd expect an email from the buyer. Is there a rule of
> thumb way to check?
No, there is no good way to check to see if a download completed or not.
The file may have been sent, for instance, but for some reason not
stored on the user's computer (i.e. internet connection broke, out of
disk space, etc.).
But expecting an email from the buyer after he/she purchased something
isn't very user friendly. That's why most products use unique keys
which must be keyed into the product to make it run. But of course that
only works if the user has a reason to contact your site again, i.e.
upgrades, etc.
If your audience is so small, why not give them a download link which is
good for something like 24 hours? That way if it fails, they can retry.
>>
>>>>
>>>> 2. What is to stop one person from buying your program, then sending it
>>>> off to all of his friends (or uploading it to another site)?
>>> - doesn't all software face that problem? .. is there a solution?
> Would be most interested in commentary on this.
>>>>
>>>> You can do it, but in addition to the other comments about PayPal - if
>>>> they have a system outage, it can take several hours (even after they
>>>> make it back up) for them to process the payment. It doesn't happen
>>>> often, but it does occur.
>>> - my software has a small audience, I would expect this not to be a
>>> concern
>>>
>>
>> Famous last words...
>>
>> If your audience is so small, why do you worry about it?
> Well I hope 'not SO small':-). Am not worried. Given the small number
> of buy operations and infrequency of Paypal downtime, concurrency of
> these events would be remote.
> But I do worry about some nasty intercepting and cocking up any part
> of the process from 'the buy page' through to emailing a 'key' and the
> subsequent download. Not infecting buyers is the point.
>
You can take standard security precautions on your website, but there
isn't much you can do about email being intercepted.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
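
One way to build the download link "good for something like 24 hours" suggested in the reply above, as an added example that is not part of the original post. It signs the order id and expiry time with an HMAC so the link can be retried until it expires and cannot be edited to last longer; the parameter names, the `example.com` URL and the order id format are assumptions.

```php
<?php
declare(strict_types=1);

const ORDER_ID_PATTERN = '/\A[A-Za-z0-9-]{1,64}\z/'; // assumed order id format

// Builds the link that goes into the e-mail after payment is confirmed.
function make_download_link(string $baseUrl, string $orderId, string $secret, int $now, int $ttl = 86400): string
{
    if (preg_match(ORDER_ID_PATTERN, $orderId) !== 1) {
        throw new InvalidArgumentException('order id has an unexpected format');
    }
    $expires = (string) ($now + $ttl);
    // '|' cannot occur in either part, so the signed string is unambiguous.
    $sig = hash_hmac('sha256', $orderId . '|' . $expires, $secret);
    return $baseUrl . '?' . http_build_query(['order' => $orderId, 'expires' => $expires, 'sig' => $sig]);
}

// Returns 'ok', 'expired' or 'invalid' for the query parameters of a request.
function check_download_link(array $query, string $secret, int $now): string
{
    $order   = $query['order']   ?? null;
    $expires = $query['expires'] ?? null;
    $sig     = $query['sig']     ?? null;
    if (!is_string($order) || !is_string($expires) || !is_string($sig)
        || preg_match(ORDER_ID_PATTERN, $order) !== 1
        || preg_match('/\A[0-9]{1,12}\z/', $expires) !== 1) {
        return 'invalid';
    }
    $expected = hash_hmac('sha256', $order . '|' . $expires, $secret);
    // hash_equals() compares in constant time; check the signature before the clock.
    if (!hash_equals($expected, $sig)) {
        return 'invalid';
    }
    return (int) $expires >= $now ? 'ok' : 'expired';
}

// Constructed demo values; the secret would normally live in server-side config.
if (PHP_SAPI === 'cli') {
    $secret = random_bytes(32);
    $issued = time();
    $link   = make_download_link('https://example.com/download.php', 'ORDER-1001', $secret, $issued);
    parse_str((string) parse_url($link, PHP_URL_QUERY), $query);

    echo $link, PHP_EOL;
    echo 'right away:         ', check_download_link($query, $secret, $issued), PHP_EOL;
    echo 'retry after 1 hour: ', check_download_link($query, $secret, $issued + 3600), PHP_EOL;
    echo 'after 24h + 1s:     ', check_download_link($query, $secret, $issued + 86401), PHP_EOL;

    $tampered = $query;
    $tampered['expires'] = (string) ($issued + 10 * 86400); // buyer edits the expiry
    echo 'edited expiry:      ', check_download_link($tampered, $secret, $issued + 86401), PHP_EOL;
}
```

The link works for anyone who holds it until it expires, so it does not address the sharing question raised in the thread.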

Re: Secure website [message #183561 is a reply to message #183560]
Thu, 31 October 2013 16:47
Graham Hobbs
On Thu, 31 Oct 2013 11:24:25 -0400, Jerry Stuckle
<jstucklex(at)attglobal(dot)net> wrote:
> On 10/31/2013 10:27 AM, Graham Hobbs wrote:
>> On Wed, 30 Oct 2013 23:03:42 -0400, Jerry Stuckle
>> <jstucklex(at)attglobal(dot)net> wrote:
>>
>>> On 10/30/2013 7:15 PM, Graham Hobbs wrote:
>>>> On Wed, 30 Oct 2013 14:56:12 -0400, Jerry Stuckle
>>>> <jstucklex(at)attglobal(dot)net> wrote:
>>>>
>>>> > On 10/29/2013 11:02 PM, Graham Hobbs wrote:
>>>> >> Hellop,
>>>> >>
>>>> >> I have an ordinary website (all PHP), it has no 'conscious'
>>>> >> protections, just code that does a job. One page (not written yet
>>>> >> because I don't know how), will advertise a product for sale.
>>>> >>
>>>> >> My concept is that a buyer goes to a paypal screen, does the
>>>> >> necessary, when payment is verfified and paid, an email is
>>>> >> automatically sent to the buyer with a download key. At the buyers
>>>> >> dicretion, they go to the download page, enter the key and the
>>>> >> software gets downloaded. Is this sort of thing a novice PHP'er could
>>>> >> do.
>>>> >>
>>>> >> I'd like to be sort of semi-conversant before I contact paypal. Is the
>>>> >> above feasible, is my ordinary website secure, is there a specific set
>>>> >> of PHP'ish or other 'things to do'
>>>> >> e.g.
>>>> >> ... how to prevent more than one download, do I store the software
>>>> >> package on my ISP's server, is it safe, since it has several exe files
>>>> >> would they be in a zip file, how to assign a download key, let the
>>>> >> whole process be automated?
>>>> >>
>>>> >> .. starter clues appreciated, thanks,
>>>> >>
>>>> >> Graham Hobbs
>>>> >>
>>>> >
>>>> > A couple of questions:
>>>> >
>>>> > 1. What happens if that "one download" is unsuccessful? Are you going
>>>> > to make the buyer pay again?
>>>> - OF COURSE .. just a joke!
>>>> - I would guess a failed download would be rare but if so, an email
>>>> would ensue and |'d reply with an attachment - reasonable?
>>>
>>> Less rare than you would think. And how would you check to see if the
>>> download failed or not?
>> I wouldn't, I'd expect an email from the buyer. Is there a rule of
>> thumb way to check?
>
> No, there is no good way to check to see if a download completed or not.
> The file may have been sent, for instance, but for some reason not
> stored on the user's computer (i.e. internet connection broke, out of
> disk space, etc.).
>
> But expecting an email from the buyer after he/she purchased something
> isn't very user friendly. That's why most products use unique keys
> which must be keyed into the product to make it run. But of course that
> only works if the user has a reason to contact your site again, i.e.
> upgrades, etc.
>
> If your audience is so small, why not give them a download link which is
> good for something like 24 hours? That way if it fails, they can retry.
>
>>>
>>>> >
>>>> > 2. What is to stop one person from buying your program, then sending it
>>>> > off to all of his friends (or uploading it to another site)?
>>>> - doesn't all software face that problem? .. is there a solution?
>> Would be most interested in commentary on this.
>>>> >
>>>> > You can do it, but in addition to the other comments about PayPal - if
>>>> > they have a system outage, it can take several hours (even after they
>>>> > make it back up) for them to process the payment. It doesn't happen
>>>> > often, but it does occur.
>>>> - my software has a small audience, I would expect this not to be a
>>>> concern
>>>>
>>>
>>> Famous last words...
>>>
>>> If your audience is so small, why do you worry about it?
>> Well I hope 'not SO small':-). Am not worried. Given the small number
>> of buy operations and infrequency of Paypal downtime, concurrency of
>> these events would be remote.
>> But I do worry about some nasty intercepting and cocking up any part
>> of the process from 'the buy page' through to emailing a 'key' and the
>> subsequent download. Not infecting buyers is the point.
>>
>
> You can take standard security precautions on your website, but there
> isn't much you can do about email being intercepted.
---
That's good notes Jerry, thanks,
I googled 'standard security precautions for websites' .. got to a
company called Webroot (amongst others) .. they list a slew of things
they take care of .. might be a reasonable approach for me? I can't
see me programming 'security' myself, best left to the experts.
Graham

Re: Secure website [message #183564 is a reply to message #183561]
Fri, 01 November 2013 00:36
Jerry Stuckle
On 10/31/2013 12:47 PM, Graham Hobbs wrote:
> On Thu, 31 Oct 2013 11:24:25 -0400, Jerry Stuckle
> <jstucklex(at)attglobal(dot)net> wrote:
>
>> On 10/31/2013 10:27 AM, Graham Hobbs wrote:
>>> On Wed, 30 Oct 2013 23:03:42 -0400, Jerry Stuckle
>>> <jstucklex(at)attglobal(dot)net> wrote:
>>>
>>>> On 10/30/2013 7:15 PM, Graham Hobbs wrote:
>>>> > On Wed, 30 Oct 2013 14:56:12 -0400, Jerry Stuckle
>>>> > <jstucklex(at)attglobal(dot)net> wrote:
>>>> >
>>>> >> On 10/29/2013 11:02 PM, Graham Hobbs wrote:
>>>> >>> Hellop,
>>>> >>>
>>>> >>> I have an ordinary website (all PHP), it has no 'conscious'
>>>> >>> protections, just code that does a job. One page (not written yet
>>>> >>> because I don't know how), will advertise a product for sale.
>>>> >>>
>>>> >>> My concept is that a buyer goes to a paypal screen, does the
>>>> >>> necessary, when payment is verfified and paid, an email is
>>>> >>> automatically sent to the buyer with a download key. At the buyers
>>>> >>> dicretion, they go to the download page, enter the key and the
>>>> >>> software gets downloaded. Is this sort of thing a novice PHP'er could
>>>> >>> do.
>>>> >>>
>>>> >>> I'd like to be sort of semi-conversant before I contact paypal. Is the
>>>> >>> above feasible, is my ordinary website secure, is there a specific set
>>>> >>> of PHP'ish or other 'things to do'
>>>> >>> e.g.
>>>> >>> ... how to prevent more than one download, do I store the software
>>>> >>> package on my ISP's server, is it safe, since it has several exe files
>>>> >>> would they be in a zip file, how to assign a download key, let the
>>>> >>> whole process be automated?
>>>> >>>
>>>> >>> .. starter clues appreciated, thanks,
>>>> >>>
>>>> >>> Graham Hobbs
>>>> >>>
>>>> >>
>>>> >> A couple of questions:
>>>> >>
>>>> >> 1. What happens if that "one download" is unsuccessful? Are you going
>>>> >> to make the buyer pay again?
>>>> > - OF COURSE .. just a joke!
>>>> > - I would guess a failed download would be rare but if so, an email
>>>> > would ensue and |'d reply with an attachment - reasonable?
>>>>
>>>> Less rare than you would think. And how would you check to see if the
>>>> download failed or not?
>>> I wouldn't, I'd expect an email from the buyer. Is there a rule of
>>> thumb way to check?
>>
>> No, there is no good way to check to see if a download completed or not.
>> The file may have been sent, for instance, but for some reason not
>> stored on the user's computer (i.e. internet connection broke, out of
>> disk space, etc.).
>>
>> But expecting an email from the buyer after he/she purchased something
>> isn't very user friendly. That's why most products use unique keys
>> which must be keyed into the product to make it run. But of course that
>> only works if the user has a reason to contact your site again, i.e.
>> upgrades, etc.
>>
>> If your audience is so small, why not give them a download link which is
>> good for something like 24 hours? That way if it fails, they can retry.
>>
>>>>
>>>> >>
>>>> >> 2. What is to stop one person from buying your program, then sending it
>>>> >> off to all of his friends (or uploading it to another site)?
>>>> > - doesn't all software face that problem? .. is there a solution?
>>> Would be most interested in commentary on this.
>>>> >>
>>>> >> You can do it, but in addition to the other comments about PayPal - if
>>>> >> they have a system outage, it can take several hours (even after they
>>>> >> make it back up) for them to process the payment. It doesn't happen
>>>> >> often, but it does occur.
>>>> > - my software has a small audience, I would expect this not to be a
>>>> > concern
>>>> >
>>>>
>>>> Famous last words...
>>>>
>>>> If your audience is so small, why do you worry about it?
>>> Well I hope 'not SO small':-). Am not worried. Given the small number
>>> of buy operations and infrequency of Paypal downtime, concurrency of
>>> these events would be remote.
>>> But I do worry about some nasty intercepting and cocking up any part
>>> of the process from 'the buy page' through to emailing a 'key' and the
>>> subsequent download. Not infecting buyers is the point.
>>>
>>
>> You can take standard security precautions on your website, but there
>> isn't much you can do about email being intercepted.
> ---
> That's good notes Jerry, thanks,
> I googled 'standard security precautions for websites' .. got to a
> company called Webroot (amongst others) .. they list a slew of things
> they take care of .. might be a reasonable approach for me? I can't
> see me programming 'security' myself, best left to the experts.
> Graham
>
Depends on how much you're willing to pay, and how much you trust the
qualifications of the programmers. Anyone can "list a slew of
things...". Fewer can do it properly.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================