Re: Secure website [message #183564 is a reply to message #183561] |
Fri, 01 November 2013 00:36 |
Jerry Stuckle
Messages: 2598 Registered: September 2010
On 10/31/2013 12:47 PM, Graham Hobbs wrote:
> On Thu, 31 Oct 2013 11:24:25 -0400, Jerry Stuckle
> <jstucklex(at)attglobal(dot)net> wrote:
>
>> On 10/31/2013 10:27 AM, Graham Hobbs wrote:
>>> On Wed, 30 Oct 2013 23:03:42 -0400, Jerry Stuckle
>>> <jstucklex(at)attglobal(dot)net> wrote:
>>>
>>>> On 10/30/2013 7:15 PM, Graham Hobbs wrote:
>>>> > On Wed, 30 Oct 2013 14:56:12 -0400, Jerry Stuckle
>>>> > <jstucklex(at)attglobal(dot)net> wrote:
>>>> >
>>>> >> On 10/29/2013 11:02 PM, Graham Hobbs wrote:
>>>> >>> Hello,
>>>> >>>
>>>> >>> I have an ordinary website (all PHP), it has no 'conscious'
>>>> >>> protections, just code that does a job. One page (not written yet
>>>> >>> because I don't know how), will advertise a product for sale.
>>>> >>>
>>>> >>> My concept is that a buyer goes to a paypal screen, does the
>>>> >>> necessary, when payment is verified and paid, an email is
>>>> >>> automatically sent to the buyer with a download key. At the buyer's
>>>> >>> discretion, they go to the download page, enter the key and the
>>>> >>> software gets downloaded. Is this sort of thing a novice PHP'er could
>>>> >>> do?
>>>> >>>
>>>> >>> I'd like to be sort of semi-conversant before I contact paypal. Is the
>>>> >>> above feasible, is my ordinary website secure, is there a specific set
>>>> >>> of PHP'ish or other 'things to do'
>>>> >>> e.g.
>>>> >>> ... how to prevent more than one download, do I store the software
>>>> >>> package on my ISP's server, is it safe, since it has several exe files
>>>> >>> would they be in a zip file, how to assign a download key, let the
>>>> >>> whole process be automated?
>>>> >>>
>>>> >>> .. starter clues appreciated, thanks,
>>>> >>>
>>>> >>> Graham Hobbs
>>>> >>>
>>>> >>
>>>> >> A couple of questions:
>>>> >>
>>>> >> 1. What happens if that "one download" is unsuccessful? Are you going
>>>> >> to make the buyer pay again?
>>>> > - OF COURSE .. just a joke!
>>>> > - I would guess a failed download would be rare but if so, an email
>>>> > would ensue and I'd reply with an attachment - reasonable?
>>>>
>>>> Less rare than you would think. And how would you check to see if the
>>>> download failed or not?
>>> I wouldn't, I'd expect an email from the buyer. Is there a rule of
>>> thumb way to check?
>>
>> No, there is no good way to check to see if a download completed or not.
>> The file may have been sent, for instance, but for some reason not
>> stored on the user's computer (i.e. internet connection broke, out of
>> disk space, etc.).
>>
>> But expecting an email from the buyer after he/she purchased something
>> isn't very user friendly. That's why most products use unique keys
>> which must be keyed into the product to make it run. But of course that
>> only works if the user has a reason to contact your site again, i.e.
>> upgrades, etc.
>>
>> If your audience is so small, why not give them a download link which is
>> good for something like 24 hours? That way if it fails, they can retry.
>>
>>>>
>>>> >>
>>>> >> 2. What is to stop one person from buying your program, then sending it
>>>> >> off to all of his friends (or uploading it to another site)?
>>>> > - doesn't all software face that problem? .. is there a solution?
>>> Would be most interested in commentary on this.
>>>> >>
>>>> >> You can do it, but in addition to the other comments about PayPal - if
>>>> >> they have a system outage, it can take several hours (even after they
>>>> >> make it back up) for them to process the payment. It doesn't happen
>>>> >> often, but it does occur.
>>>> > - my software has a small audience, I would expect this not to be a
>>>> > concern
>>>> >
>>>>
>>>> Famous last words...
>>>>
>>>> If your audience is so small, why do you worry about it?
>>> Well I hope 'not SO small':-). Am not worried. Given the small number
>>> of buy operations and infrequency of Paypal downtime, concurrency of
>>> these events would be remote.
>>> But I do worry about some nasty intercepting and cocking up any part
>>> of the process from 'the buy page' through to emailing a 'key' and the
>>> subsequent download. Not infecting buyers is the point.
>>>
>>
>> You can take standard security precautions on your website, but there
>> isn't much you can do about email being intercepted.
> ---
> That's good notes Jerry, thanks,
> I googled 'standard security precautions for websites' .. got to a
> company called Webroot (amongst others) .. they list a slew of things
> they take care of .. might be a reasonable approach for me? I can't
> see me programming 'security' myself, best left to the experts.
> Graham
>
Depends on how much you're willing to pay, and how much you trust the
qualifications of the programmers. Anyone can "list a slew of
things...". Fewer can do it properly.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
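
The download link "good for something like 24 hours" discussed in this thread can be built as an HMAC-signed URL that the server verifies without storing per-link state. This is an added example, not code from the thread or from any poster; the helper names, the secret, the order id and the timestamps are all hypothetical or constructed.

```php
<?php
// Added example; the secret, order id and timestamps are constructed values.
const LINK_LIFETIME = 86400; // 24 hours, the window suggested in the thread

// Hypothetical helper: query string for a link tied to one order and one expiry.
function make_download_query(string $orderId, string $secret, int $now): string
{
    $expires = $now + LINK_LIFETIME;
    $sig = hash_hmac('sha256', $orderId . '|' . $expires, $secret);
    return http_build_query(['order' => $orderId, 'expires' => $expires, 'sig' => $sig]);
}

// Hypothetical helper: true only for an authentic, unexpired link.
function verify_download_query(array $q, string $secret, int $now): bool
{
    // Reject missing fields and array-valued parameters such as order[]=x.
    foreach (['order', 'expires', 'sig'] as $k) {
        if (!isset($q[$k]) || !is_string($q[$k])) {
            return false;
        }
    }
    if (!ctype_digit($q['expires'])) {
        return false;
    }
    $expected = hash_hmac('sha256', $q['order'] . '|' . $q['expires'], $secret);
    // hash_equals compares in constant time, so the check leaks no timing hint.
    if (!hash_equals($expected, $q['sig'])) {
        return false;
    }
    // The expiry is trusted only after the signature over it has verified.
    return $now <= (int) $q['expires'];
}

$secret = 'constructed-demo-secret'; // assumption: real use needs a long random value kept server-side
$issued = 1383264000;                // constructed issue time
parse_str(make_download_query('ORDER-1001', $secret, $issued), $link);

var_dump(verify_download_query($link, $secret, $issued + 3600));  // retry inside the window
var_dump(verify_download_query($link, $secret, $issued + 90000)); // after the window has closed
$link['expires'] = (string) ($issued + 999999);                   // expiry edited by the client
var_dump(verify_download_query($link, $secret, $issued + 90000)); // signature no longer matches
```

Because the expiry is covered by the signature, a buyer can retry a failed download any number of times inside the window but cannot extend the window by editing the URL.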