scripting security

They have: 1 posts

Joined: Dec 2005

I have placed a few PHP and ASP open source programs in my website (Advanced Guestbook http://www.proxy2.de/ and Comersus Shopping Cart http://www.comersus.com). I made sure to have the latest versions and followed security advice (don't want sensitive info in the cart to be at risk). No problem so far, but I read in forums that open source is more risky in terms of security (code is exposed). What do you think? Should I move to closed (paid) apps?

Greg K

He has: 2,145 posts

Joined: Nov 2003

In the area of taking payments, my thought is use free stuff to learn how to write your own code.

I did that on our site, from the login, to the credit card processing to the encrypting of the credit cards to be stored in a database, and the recurring payment processing.

These areas were too critical to just put up a canned script. I wanted to make sure I knew what it was doing, and in looking through the code, you learn it enough to write your own customized code. This is my personal preference though, I prefer to know it inside and out.

Now if you do opt to use a canned script, either free or paid, I suggest at least going through and changing things like the name of input fields, or anything else that may give people a clue as to what script you are using. As an example, as seen discussed on here before, there have been issues of people putting up a canned guestbook, only to find down the road, someone is using a script to mass post in their guestbook. Someone has a script that knows what information to feed the canned guestbook script to get the data in there (i.e., knows the field names on the form).

Again, my preferred method is to custom write my own, but if you do not have the option, do as much as you can to prevent anyone browsing the site from knowing which "canned" scripts you are running in case a security issue were to be known (i.e., now that you posted on here which scripts you used, I would recommend against posting your site's address).

Keep in mind though, I have had a few people tell me I go overboard on security.

-Greg
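One way to put Greg's field-renaming suggestion into practice in PHP, as an added example that is not code from this thread or from either of the scripts the original poster mentioned. The constant `SITE_SECRET`, the helpers `field_name`, `render_form` and `read_submission`, the logical field list and the form action path are all my own assumptions for the example.

```php
<?php
// Added example, not code from the thread or from the Advanced Guestbook /
// Comersus projects. Assumes a per-deployment secret (SITE_SECRET) that in
// real use is loaded from a config file outside the web root.

const SITE_SECRET = 'replace-with-a-long-random-per-site-value'; // assumption

// Logical fields the guestbook handler understands. These are also the kind
// of stock names a canned script ships with and a mass-posting bot expects.
const LOGICAL_FIELDS = ['name', 'email', 'comment'];

// Derive a site-specific form field name from the logical one, so the stock
// names are simply not present on this deployment's form.
function field_name(string $logical): string
{
    return 'f_' . substr(hash_hmac('sha256', $logical, SITE_SECRET), 0, 12);
}

// Render the form using the derived names (hypothetical action path).
function render_form(string $action = '/guestbook/post.php'): string
{
    $html = '<form method="post" action="'
        . htmlspecialchars($action, ENT_QUOTES, 'UTF-8') . "\">\n";
    foreach (LOGICAL_FIELDS as $logical) {
        $n = field_name($logical);
        $tag = $logical === 'comment'
            ? "<textarea name=\"$n\"></textarea>"
            : "<input type=\"text\" name=\"$n\">";
        $label = htmlspecialchars($logical, ENT_QUOTES, 'UTF-8');
        $html .= "  <label>$label: $tag</label>\n";
    }
    $html .= "  <button type=\"submit\">Post</button>\n</form>\n";
    return $html;
}

// Map a submitted POST array back to logical names. Returns null (reject)
// when any stock field name is present, which is the signature of a script
// built against the canned form, or when an expected derived field is missing.
function read_submission(array $post): ?array
{
    foreach (LOGICAL_FIELDS as $logical) {
        if (array_key_exists($logical, $post)) {
            return null; // submission was built against the stock field names
        }
    }
    $clean = [];
    foreach (LOGICAL_FIELDS as $logical) {
        $key = field_name($logical);
        if (!isset($post[$key]) || !is_string($post[$key])) {
            return null;
        }
        $clean[$logical] = trim($post[$key]);
    }
    return $clean;
}

// Usage from the command line: print the form, then try a submission that
// uses the stock names (rejected) and one that uses the derived names (accepted).
if (PHP_SAPI === 'cli') {
    echo render_form();
    var_dump(read_submission([
        'name' => 'bot', 'email' => 'bot@example.com', 'comment' => 'spam',
    ]));
    var_dump(read_submission([
        field_name('name')    => 'Alice',
        field_name('email')   => 'alice@example.com',
        field_name('comment') => 'Hello from Alice',
    ]));
}
```

Because the derived names depend on the per-site secret, two deployments of the same handler expose different field names, so a mass-posting script keyed to the stock names fails on both, and a submission that carries the stock names is a cheap signal to log. This only hides which script is running; the control that actually closes a known hole is keeping the script at the latest version, which the original poster already does, and the handler still has to validate and escape the submitted values before storing or displaying them.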
