Re: Secure website [message #183561 is a reply to message #183560]
Thu, 31 October 2013 16:47
Graham Hobbs
On Thu, 31 Oct 2013 11:24:25 -0400, Jerry Stuckle
<jstucklex(at)attglobal(dot)net> wrote:
> On 10/31/2013 10:27 AM, Graham Hobbs wrote:
>> On Wed, 30 Oct 2013 23:03:42 -0400, Jerry Stuckle
>> <jstucklex(at)attglobal(dot)net> wrote:
>>
>>> On 10/30/2013 7:15 PM, Graham Hobbs wrote:
>>>> On Wed, 30 Oct 2013 14:56:12 -0400, Jerry Stuckle
>>>> <jstucklex(at)attglobal(dot)net> wrote:
>>>>
>>>> > On 10/29/2013 11:02 PM, Graham Hobbs wrote:
>>>> >> Hello,
>>>> >>
>>>> >> I have an ordinary website (all PHP), it has no 'conscious'
>>>> >> protections, just code that does a job. One page (not written yet
>>>> >> because I don't know how), will advertise a product for sale.
>>>> >>
>>>> >> My concept is that a buyer goes to a paypal screen, does the
>>>> >> necessary, when payment is verified and paid, an email is
>>>> >> automatically sent to the buyer with a download key. At the buyer's
>>>> >> discretion, they go to the download page, enter the key and the
>>>> >> software gets downloaded. Is this the sort of thing a novice PHP'er
>>>> >> could do?
>>>> >>
>>>> >> I'd like to be sort of semi-conversant before I contact paypal. Is the
>>>> >> above feasible, is my ordinary website secure, is there a specific set
>>>> >> of PHP'ish or other 'things to do'
>>>> >> e.g.
>>>> >> ... how to prevent more than one download, do I store the software
>>>> >> package on my ISP's server, is it safe, since it has several exe files
>>>> >> would they be in a zip file, how to assign a download key, let the
>>>> >> whole process be automated?
>>>> >>
>>>> >> .. starter clues appreciated, thanks,
>>>> >>
>>>> >> Graham Hobbs
>>>> >>
>>>> >
>>>> > A couple of questions:
>>>> >
>>>> > 1. What happens if that "one download" is unsuccessful? Are you going
>>>> > to make the buyer pay again?
>>>> - OF COURSE .. just a joke!
>>>> - I would guess a failed download would be rare but if so, an email
>>>> would ensue and I'd reply with an attachment - reasonable?
>>>
>>> Less rare than you would think. And how would you check to see if the
>>> download failed or not?
>> I wouldn't, I'd expect an email from the buyer. Is there a rule of
>> thumb way to check?
>
> No, there is no good way to check to see if a download completed or not.
> The file may have been sent, for instance, but for some reason not
> stored on the user's computer (i.e. internet connection broke, out of
> disk space, etc.).
>
> But expecting an email from the buyer after he/she purchased something
> isn't very user friendly. That's why most products use unique keys
> which must be keyed into the product to make it run. But of course that
> only works if the user has a reason to contact your site again, i.e.
> upgrades, etc.
>
> If your audience is so small, why not give them a download link which is
> good for something like 24 hours? That way if it fails, they can retry.
>
>>>
>>>> >
>>>> > 2. What is to stop one person from buying your program, then sending it
>>>> > off to all of his friends (or uploading it to another site)?
>>>> - doesn't all software face that problem? .. is there a solution?
>> Would be most interested in commentary on this.
>>>> >
>>>> > You can do it, but in addition to the other comments about PayPal - if
>>>> > they have a system outage, it can take several hours (even after they
>>>> > make it back up) for them to process the payment. It doesn't happen
>>>> > often, but it does occur.
>>>> - my software has a small audience, I would expect this not to be a
>>>> concern
>>>>
>>>
>>> Famous last words...
>>>
>>> If your audience is so small, why do you worry about it?
>> Well I hope 'not SO small':-). Am not worried. Given the small number
>> of buy operations and infrequency of Paypal downtime, concurrency of
>> these events would be remote.
>> But I do worry about some nasty intercepting and cocking up any part
>> of the process from 'the buy page' through to emailing a 'key' and the
>> subsequent download. Not infecting buyers is the point.
>>
>
> You can take standard security precautions on your website, but there
> isn't much you can do about email being intercepted.
---
Those are good notes Jerry, thanks,
I googled 'standard security precautions for websites' .. got to a
company called Webroot (amongst others) .. they list a slew of things
they take care of .. might be a reasonable approach for me? I can't
see me programming 'security' myself, best left to the experts.
Graham
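
The download key and the 24-hour retryable link discussed in this thread, as an added PHP example that is not part of any poster's message: the key carries the order id and an expiry time, signed with HMAC-SHA256 so the download page can check it without a database lookup. The function names, the secret and the order ids are hypothetical, and order ids are assumed to be alphanumeric.

```php
<?php
// Added example: the secret, order ids and timestamp below are constructed.
const DOWNLOAD_SECRET = 'placeholder-long-random-value-stored-outside-the-web-root';
const LINK_LIFETIME   = 86400; // 24 hours, the lifetime suggested in the thread

// URL-safe base64 so the key survives being pasted from an email into a form or URL.
function b64url(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// Called once payment is confirmed. Key format: "<order id>.<expiry>.<signature>".
function make_download_key(string $orderId, int $now): string {
    if (!preg_match('/^[A-Za-z0-9]+$/', $orderId)) {
        throw new InvalidArgumentException('order id must be alphanumeric');
    }
    $payload = $orderId . '.' . ($now + LINK_LIFETIME);
    return $payload . '.' . b64url(hash_hmac('sha256', $payload, DOWNLOAD_SECRET, true));
}

// Returns the order id when the key is authentic and unexpired, otherwise null.
function check_download_key(string $key, int $now): ?string {
    $parts = explode('.', $key);
    if (count($parts) !== 3) {
        return null;
    }
    [$orderId, $expiry, $sig] = $parts;
    if (!ctype_digit($expiry)) {
        return null;
    }
    $expected = b64url(hash_hmac('sha256', $orderId . '.' . $expiry, DOWNLOAD_SECRET, true));
    if (!hash_equals($expected, $sig)) { // constant-time comparison
        return null;
    }
    // Expiry is checked only after the signature, so a forged expiry is never trusted.
    return $now <= (int)$expiry ? $orderId : null;
}

$now = 1383238020;                           // constructed "time of purchase"
$key = make_download_key('ORDER1001', $now);

var_dump(check_download_key($key, $now + 3600));                     // retry an hour later
var_dump(check_download_key($key, $now + LINK_LIFETIME + 1));        // after the link lapsed
var_dump(check_download_key('ORDER1002' . substr($key, 9), $now));   // order id altered
```

Because a valid key can be replayed until it expires, a failed download can simply be retried; limiting the number of downloads per order would need a server-side counter keyed on the returned order id.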