Re: Secure website [message #183560 is a reply to message #183558]
Thu, 31 October 2013 15:24
Jerry Stuckle
Messages: 2598 Registered: September 2010
On 10/31/2013 10:27 AM, Graham Hobbs wrote:
> On Wed, 30 Oct 2013 23:03:42 -0400, Jerry Stuckle
> <jstucklex(at)attglobal(dot)net> wrote:
>
>> On 10/30/2013 7:15 PM, Graham Hobbs wrote:
>>> On Wed, 30 Oct 2013 14:56:12 -0400, Jerry Stuckle
>>> <jstucklex(at)attglobal(dot)net> wrote:
>>>
>>>> On 10/29/2013 11:02 PM, Graham Hobbs wrote:
>>>> > Hello,
>>>> >
>>>> > I have an ordinary website (all PHP), it has no 'conscious'
>>>> > protections, just code that does a job. One page (not written yet
>>>> > because I don't know how), will advertise a product for sale.
>>>> >
>>>> > My concept is that a buyer goes to a paypal screen, does the
>>>> > necessary, when payment is verified and paid, an email is
>>>> > automatically sent to the buyer with a download key. At the buyer's
>>>> > discretion, they go to the download page, enter the key and the
>>>> > software gets downloaded. Is this sort of thing a novice PHP'er could
>>>> > do?
>>>> >
>>>> > I'd like to be sort of semi-conversant before I contact paypal. Is the
>>>> > above feasible, is my ordinary website secure, is there a specific set
>>>> > of PHP'ish or other 'things to do'
>>>> > e.g.
>>>> > ... how to prevent more than one download, do I store the software
>>>> > package on my ISP's server, is it safe, since it has several exe files
>>>> > would they be in a zip file, how to assign a download key, let the
>>>> > whole process be automated?
>>>> >
>>>> > .. starter clues appreciated, thanks,
>>>> >
>>>> > Graham Hobbs
>>>> >
>>>>
>>>> A couple of questions:
>>>>
>>>> 1. What happens if that "one download" is unsuccessful? Are you going
>>>> to make the buyer pay again?
>>> - OF COURSE .. just a joke!
>>> - I would guess a failed download would be rare but if so, an email
>>> would ensue and I'd reply with an attachment - reasonable?
>>
>> Less rare than you would think. And how would you check to see if the
>> download failed or not?
> I wouldn't, I'd expect an email from the buyer. Is there a rule of
> thumb way to check?
No, there is no good way to check to see if a download completed or not.
The file may have been sent, for instance, but for some reason not
stored on the user's computer (i.e. internet connection broke, out of
disk space, etc.).
But expecting an email from the buyer after he/she purchased something
isn't very user friendly. That's why most products use unique keys
which must be keyed into the product to make it run. But of course that
only works if the user has a reason to contact your site again, i.e.
upgrades, etc.
If your audience is so small, why not give them a download link which is
good for something like 24 hours? That way if it fails, they can retry.
>>
>>>>
>>>> 2. What is to stop one person from buying your program, then sending it
>>>> off to all of his friends (or uploading it to another site)?
>>> - doesn't all software face that problem? .. is there a solution?
> Would be most interested in commentary on this.
>>>>
>>>> You can do it, but in addition to the other comments about PayPal - if
>>>> they have a system outage, it can take several hours (even after they
>>>> make it back up) for them to process the payment. It doesn't happen
>>>> often, but it does occur.
>>> - my software has a small audience, I would expect this not to be a
>>> concern
>>>
>>
>> Famous last words...
>>
>> If your audience is so small, why do you worry about it?
> Well I hope 'not SO small':-). Am not worried. Given the small number
> of buy operations and infrequency of Paypal downtime, concurrency of
> these events would be remote.
> But I do worry about some nasty intercepting and cocking up any part
> of the process from 'the buy page' through to emailing a 'key' and the
> subsequent download. Not infecting buyers is the point.
>
You can take standard security precautions on your website, but there
isn't much you can do about email being intercepted.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
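Jerry's suggestion of a download link that stays good for something like 24 hours, written out as an added PHP example. This is not code from the thread or from either poster. It assumes a server-side secret in DOWNLOAD_SECRET, the package stored outside the web root at PACKAGE_PATH, a sale id taken from PayPal's payment notification, and PHP 5.6 or later for hash_equals(); all of those names are hypothetical. The link carries a signed, expiring token rather than a path, so the buyer can retry a failed download within the window, nothing on the server has to know whether the first attempt completed, and the zip itself is never reachable by URL.

```php
<?php
// Added example, not part of the original thread. Hypothetical settings:
define('DOWNLOAD_SECRET', 'replace-with-a-long-random-secret'); // keep this out of the web root
define('PACKAGE_PATH', '/home/site/private/product.zip');         // not under the document root
define('LINK_LIFETIME', 24 * 60 * 60);                            // 24 hours, in seconds

function base64url_encode($s) { return rtrim(strtr(base64_encode($s), '+/', '-_'), '='); }
function base64url_decode($s) { return base64_decode(strtr($s, '-_', '+/')); }

// Called once the PayPal payment is verified. The result goes into the email:
// https://www.example.com/download.php?t=<token>
function makeDownloadToken($saleId, $now = null) {
    $now = ($now === null) ? time() : $now;
    $payload = base64url_encode(json_encode(array(
        'sale' => $saleId,
        'exp'  => $now + LINK_LIFETIME,
    )));
    // HMAC over the payload: the buyer can read 'exp' but cannot change it.
    $sig = hash_hmac('sha256', $payload, DOWNLOAD_SECRET);
    return $payload . '.' . $sig;
}

// Returns the sale id for a genuine, unexpired token, otherwise null.
function checkDownloadToken($token, $now = null) {
    $now = ($now === null) ? time() : $now;
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    list($payload, $sig) = $parts;
    $expected = hash_hmac('sha256', $payload, DOWNLOAD_SECRET);
    if (!hash_equals($expected, $sig)) {      // constant-time compare
        return null;
    }
    $data = json_decode(base64url_decode($payload), true);
    if (!is_array($data) || !isset($data['sale'], $data['exp'])) {
        return null;
    }
    if ($now > (int) $data['exp']) {          // link has lapsed
        return null;
    }
    return $data['sale'];
}

// download.php: the only route to the file. Serve it from PHP with readfile()
// so the real path never appears in a URL.
function serveDownload($token) {
    $saleId = checkDownloadToken($token);
    if ($saleId === null) {
        http_response_code(403);
        echo 'This download link is invalid or has expired.';
        return;
    }
    header('Content-Type: application/zip');
    header('Content-Disposition: attachment; filename="product.zip"');
    header('Content-Length: ' . filesize(PACKAGE_PATH));
    readfile(PACKAGE_PATH);
}

if (php_sapi_name() === 'cli') {
    // Constructed sale id for a local walk-through.
    $t = makeDownloadToken('SALE-0001');
    echo "Link: https://www.example.com/download.php?t=$t\n";
    var_dump(checkDownloadToken($t));                                  // fresh link
    var_dump(checkDownloadToken($t, time() + LINK_LIFETIME + 1));      // same link after the window
    var_dump(checkDownloadToken($t . 'x'));                            // tampered signature
} elseif (isset($_GET['t'])) {
    serveDownload($_GET['t']);
}
```

Two caveats follow from the thread. The token is stateless, so it cannot be cancelled before it expires (after a refund, say); if that matters, record the sale id in a table and have checkDownloadToken() look it up as well. And, as Jerry says, nothing here protects the email itself: anyone who reads the message can use the link until it expires, which is why the window is short and the secret stays on the server.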