Anyone want a really quick little earner

  • 17-04-2003 3:55pm
    #1
    Banned (with Prison Access) Posts: 8,486 ✭✭✭


    OK I'm looking for someone to do a little job for our site that's going live again in May

    Basically we have band profiles on our site and each profile is in their own separate folder on the server. Now can someone please make a form we've done already secure so we can receive the CC info. We don't need merchant accounts or out like that we just wanna make the form secure.

    Also, while you're at it I'd like ya to get working another 2 javascript for (one secure the other not)

    BTW no web design companies need apply:mad:

    Just lob your proposal underneath this post and your quote and I'll reply to everyone (whether I give ya the job or not)


Comments

  • Closed Accounts Posts: 19,777 ✭✭✭✭The Corinthian


    Originally posted by the-raptor
    Now can someone please make a form we've done already secure so we can receive the CC info.
    You might want to do a bit of research on what constitutes a secure transaction before you throw open your doors to every Webdev cowboy out there.
    BTW no web design companies need apply:mad:
    And that comment is a case in point, this sort of thing is not really a design company's core competency.


  • Banned (with Prison Access) Posts: 8,486 ✭✭✭miju


    Originally posted by The Corinthian
    You might want to do a bit of research on what constitutes a secure transaction before you throw open your doors to every Webdev cowboy out there.

    And that comment is a case in point, this sort of thing is not really a design company's core competency.

    Well for a start we'll just change our passwords while the work is being done so that should do the trick (I think)

    And a web design company should still be able to do secure pages but hey what do I know?


  • Closed Accounts Posts: 19,777 ✭✭✭✭The Corinthian


    Originally posted by the-raptor
    Well for a start we'll just change our passwords while the work is being done so that should do the trick (I think)
    OMG! :rolleyes: :mad: :(

    You are sooooo going to get raped.


  • Banned (with Prison Access) Posts: 8,486 ✭✭✭miju


    well look it's like this

    All web design / development companies I've contacted have not even bothered their arses replying to my enquiries and there's about 20 odd that I've contacted.

    SO IMO THEY DON'T ****ING DESERVE MY BUSINESS

    So I'm just trying to get the job ****ing done in time for May 1st.

    So in that case I will ask has anyone any suggestions about what to do?


  • Moderators, Social & Fun Moderators Posts: 10,501 Mod ✭✭✭✭ecksor


    Originally posted by the-raptor
    Well for a start we'll just change our passwords while the work is being done so that should do the trick (I think)

    The following isn't meant to be comprehensive, but some things that come to mind to put you on the right track in terms of figuring out what people are offering you. It is up to you to adequately weigh this up in terms of your own business model to see what makes sense. (what exactly are you selling here, or is it obvious and I missed it?)

    Security in the context of e-commerce usually involves SSL to encrypt the details in transit and (using a trusted CA supplied cert) to ensure that your server isn't open to being spoofed. In practice that stuff means more in terms of insurance and due-diligence than it does in terms of security, but that just makes it more essential. There are a number of rules defined by companies like Visa for what is the minimum required for a secure e-commerce platform, which can be found on their site. Off the top of my head it includes things like server hardening, a firewall, encrypted storage on the server and some other operational type security precautions.

    Depending on how the site is structured you can easily open other avenues of attack against the server through poor input validation which can be mitigated through coding standards and the principle of least privilege. Or it may be possible to hijack another user's sessions through some social engineering and a bit of cross site scripting, or perhaps they're just predictable, because the developer thinks that no one will spot that the ID is actually unixtime, or it's the last inserted database ID.

    And a web design company should still be able to do secure pages but hey what do I know?

    Designers aren't developers, and developers don't always know security. Not your job to know about it, but as Corinthian seems to be getting at, the nub is that in an unregulated 'cowboy' market, the lack of knowledge can lead to you getting badly burned because you don't know the difference between a good solution and a bad one.
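
The predictable session IDs mentioned in the post above (unixtime, last inserted database ID) can be spotted by auditing a sample of issued IDs. This is an added example, not part of the original thread; the function names, finding labels and sample values are constructed for illustration.

```python
import secrets

# Constructed samples: (issue time in unix seconds, session ID handed out).
UNIXTIME_IDS = [(1050591300, "1050591300"), (1050591342, "1050591342"),
                (1050591401, "1050591401")]
ROW_IDS = [(1050591300, "4711"), (1050591342, "4712"), (1050591401, "4713")]


def new_session_id():
    """32 bytes from the OS CSPRNG: unrelated to the clock or any row counter."""
    return secrets.token_urlsafe(32)


def audit_session_ids(samples):
    """Return sorted findings for IDs listed in issue order; [] if none apply."""
    if not samples:
        return []
    findings = set()
    ids = [sid for _, sid in samples]
    if all(sid.isdigit() for sid in ids):
        findings.add("numeric-only")
        nums = [int(sid) for sid in ids]
        # Each ID sits within a few seconds of the moment it was issued.
        if all(abs(n - t) <= 5 for (t, _), n in zip(samples, nums)):
            findings.add("tracks-unixtime")
        # IDs climb in small steps, like an auto-increment primary key.
        steps = [b - a for a, b in zip(nums, nums[1:])]
        if steps and all(0 < s <= 10 for s in steps):
            findings.add("sequential")
    if len(set(ids)) != len(ids):
        findings.add("duplicates")
    if min(len(sid) for sid in ids) < 22:  # fewer than ~128 bits of base64url
        findings.add("short")
    return sorted(findings)
```

An empty result only means none of these specific patterns was found in the sample; it is not proof that the generator is sound.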


  • Registered Users, Registered Users 2 Posts: 6,315 ✭✭✭ballooba




  • Banned (with Prison Access) Posts: 8,486 ✭✭✭miju


    Right about how we're going to sell things.

    1st off we'll be selling CD's of unsigned bands and the like but how and ever.

    Secondly, I don't want to do a "catalogue" form store instead I just want to have a link on each bands profile page to their secure form in their own folder

    All I want is the CC details to be encrypted and sent to us and then unencrypted at our end and any other security that can be done is a plus I suppose.

    So can anyone point me in the right direction cos I swear to god for an industry that's supposed to be struggling the web companies don't seem to be that bothered about my business


  • Banned (with Prison Access) Posts: 8,486 ✭✭✭miju


    Originally posted by ballooba
    http://www.freelanceireland.ie/

    I forgot to mention the fact I posted this here and got a few quotes and when I replied to them I heard nothing back from any of them freelanceireland is a load of bollocks anyway IMHO


  • Closed Accounts Posts: 19,777 ✭✭✭✭The Corinthian


    Securing the form is straightforward enough if you go down the SSL route (although you may want to clean up some of the client side code too).

    However, once the data reaches your server where is it going? Will it be stored (if so where)? Emailed? Encrypted/not? Is your server secure? Is it dedicated or virtual? What scripting languages are available? What There’s quite a few questions that anyone would look at answering before doing anything.

    I remember a secure (over HTTPS) payment form a few years back that wrote to an unprotected text file in the Web root. The name of the text file could be found as a hidden field in the form.

    A tip - if someone quotes a price that’s too good to be true, that’s because it is.

    If you want to talk to me further about it, feel free to PM me.
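
The failure in the anecdote above (an HTTPS form writing to a text file in the Web root, named by a hidden field) comes down to two server-side decisions: where the file goes and who picks its name. This is an added example, not code from the thread; the field names `logfile` and `payload`, the `.rec` suffix and the function names are assumptions.

```python
import os
import secrets
from pathlib import Path


class UnsafeStorage(Exception):
    """Raised when submissions would land somewhere the web server can serve."""


def new_record_path(web_root, data_dir):
    """Pick a server-chosen file name in data_dir, refusing web-served locations."""
    root = Path(web_root).resolve()
    store = Path(data_dir).resolve()  # resolve() also follows a symlink back into root
    if store == root or root in store.parents:
        raise UnsafeStorage(f"{store} is inside the web root {root}")
    return store / (secrets.token_hex(16) + ".rec")


def save_submission(web_root, data_dir, form):
    """Store one submission and return the path written.

    form is a dict of posted fields. A client-supplied file name (the hidden
    field of the anecdote, called "logfile" here as an assumption) is ignored.
    form["payload"] is assumed to be ciphertext already, e.g. PGP output.
    """
    path = new_record_path(web_root, data_dir)
    # O_EXCL: never write into a pre-existing file; 0o600: owner read/write only.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(form["payload"])
    return path
```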


  • Moderators, Social & Fun Moderators Posts: 10,501 Mod ✭✭✭✭ecksor


    Originally posted by the-raptor
    So can anyone point me in the right direction cos I swear to god for an industry that's supposed to be struggling the web companies don't seem to be that bothered about my business

    Perhaps you come across unprofessionally.

    freelanceireland is a load of bollocks anyway IMHO


  • Banned (with Prison Access) Posts: 8,486 ✭✭✭miju


    Nope I came across very professional and polite.

    I know I'm not being here but that's cos it's in a different situation ya know.

    It's no wonder the IT industry is going under in this country if most places don't even bother replying to you


  • Closed Accounts Posts: 382 ✭✭misterq


    we do this quite a bit at work for customers:

    - Shared SSL space
    - Setup form on this
    - Form to PGP Encrypted email script installed
    - Merchant gets PGP encrypted email to their account

    Once the Merchant has the PGP plugin installed in their mail client it is plain sailing for them.

    Ideal if you have low volume sales and an existing merchant account.
    I do always point out that you should check with your bank to make sure they will allow you to take numbers over the net.


    Regards

    Ronan


  • Closed Accounts Posts: 237 ✭✭FreeHost


    From reading through this post, basically you need SSL and you want to process everything yourself. Well that's really no problem at all, in fact, many people do it manually to test sales before deciding on a payment gateway.

    First get some information from your Host;
    1. Are you hosted on Windows or Linux
    2. Is it name based or IP based

    If you have an IP based site then you're laughing, all you need to do is purchase a secure cert and install it on the site. Your host will do this for you.

    Web Designers and developers use different hosts depending on what the site requirements are, and the host would then set up whatever is needed for the designer/developer.

    From my reading of the above posts, what you need is an IP based site with a secure cert.


  • Registered Users, Registered Users 2 Posts: 7,740 ✭✭✭mneylon


    If you want to get this kind of job done you will need to get a professional to do it.
    Have a look at http://vertigo.irishfreelance.com
    They did a similar job for The Walls http://www.thewalls.ie


  • Registered Users, Registered Users 2 Posts: 9,579 ✭✭✭Webmonkey


    I can do it if you want. With a bit of Md5 Encryption. Is the form going to your email account? Could you explain to me a bit more. thanx

    ./Webmonkey


  • Moderators, Social & Fun Moderators Posts: 10,501 Mod ✭✭✭✭ecksor


    Originally posted by Webmonkey
    With a bit of Md5 Encryption.

    What is that?


  • Moderators, Social & Fun Moderators Posts: 10,501 Mod ✭✭✭✭ecksor


    Ah, that said 'm5' when I read it first.

    md5 is one way. If you apply md5 to some data, you don't have an efficient way of recovering it (that I've heard about anyway).


  • Registered Users, Registered Users 2 Posts: 9,579 ✭✭✭Webmonkey


    Actually i was thinking the wrong way there. Sorry. hmm what bout PGP. Can't that be installed on the server? I saw something before about it


  • Closed Accounts Posts: 8,264 ✭✭✭RicardoSmith


    I don't know much about it but why do you need SSL? Could you not use a database to hold all the data and use PHP sessions to prevent the info being cached? Surely you only need SSL if you are actually going to do the payment online etc. Which I don't think the-raptor is going to do.


  • Moderators, Social & Fun Moderators Posts: 10,501 Mod ✭✭✭✭ecksor


    Originally posted by RicardoSmith
    I don't know much about it but why do you need SSL? Could you not use a database to hold all the data and use PHP sessions to prevent the info being cached?

    :eek:
    Surely you only need SSL if you are actually going to do the payment online etc. Which I don't think the-raptor is going to do.

    2 reasons. The credit card information needs to be protected against snooping as it travels between the client and the web server. Also, SSL uses a chain of trust that starts with the pre-loaded public certs in your web browser to validate to the user that they are actually communicating with the domain that they think they are.


  • Registered Users, Registered Users 2 Posts: 9,579 ✭✭✭Webmonkey


    Yeah that's true. Why don't u just use a form to transfer the data onto a file/database on the same server. The data won't leave the server.

    I think it wud be secure enough, don't u think?


  • Closed Accounts Posts: 8,264 ✭✭✭RicardoSmith


    I always heard that PHP sessions are much safer than other types of sessions you can use. I was of the understanding you can write unique encrypted data to and from the server that no one can read.

    Besides I thought it was quite difficult to get a SSL certificate that allows you to get the cc info. Which is why people use payment systems that hide all the cc data from the merchant for security reasons?

    Oh and don't give me a hard time, for asking dumb questions. I already admitted to knowing fig all about it :D


  • Registered Users, Registered Users 2 Posts: 7,740 ✭✭✭mneylon


    You can get a variety of SSL certificates that vary in price and encryption. They all work fine for CC transactions.
    Maybe you are confusing 'grabbing' the CC information and actually processing it afterwards?


  • Closed Accounts Posts: 8,264 ✭✭✭RicardoSmith


    Could be. How are the two handled differently?


  • Registered Users, Registered Users 2 Posts: 258 ✭✭peterd


    I found this interesting example of using javascript to encode a c/c number and the form is emailed to the recipient. I'm not a java-scripter, so I can't comment on how effective this is at encoding the data, but I would have assumed that because the code for "scrambling" is hardcoded in the page source, that it would be easier to decode?


  • Closed Accounts Posts: 19,777 ✭✭✭✭The Corinthian


    Originally posted by RicardoSmith
    Could be. How are the two handled differently?
    They're different processes. One handles the transport of the data to the server, the other is involved in processing that data once it gets there.


  • Registered Users, Registered Users 2 Posts: 9,579 ✭✭✭Webmonkey


    Originally posted by peterd
    I found this interesting example of using javascript to encode a c/c number and the form is emailed to the recipient. I'm not a java-scripter, so I can't comment on how effective this is at encoding the data, but I would have assumed that because the code for "scrambling" is hardcoded in the page source, that it would be easier to decode?

    oh god i would never trust client side encryption. Easily hacked. But then again maybe i'm wrong in the way i'm understanding it


  • Closed Accounts Posts: 8,264 ✭✭✭RicardoSmith


    So are you all saying that SSL certificates are the only secure method of 'grabbing' the CC information and actually processing it afterwards? Both for transporting the data to the server, and processing that data once it gets there?


  • Registered Users, Registered Users 2 Posts: 9,579 ✭✭✭Webmonkey


    Unless you create your own encryption method and be able to decrypt it again afterwards? Scramble the words using serverside script rather than clientside. - Say PHP?

    ./Webmonkey


  • Closed Accounts Posts: 19,777 ✭✭✭✭The Corinthian


    Originally posted by RicardoSmith
    So are you all saying that SSL certificates are the only secure method of 'grabbing' the CC information and actually processing it afterwards? Both for transporting the data to the server, and processing that data once it gets there?
    No, I'm not saying that.


  • Registered Users, Registered Users 2 Posts: 2,120 ✭✭✭p


    Originally posted by Webmonkey
    oh god i would never trust client side encryption. Easily hacked. But then again maybe i'm wrong in the way i'm understanding it

    Didn't you just suggest a client side solution earlier on in the thread? ...

    Yeah that's true. Why don't u just use a form to transfer the data onto a file/database on the same server. The data won't leave the server.

    Getting stuff from the form » server, means it's going from the client » server.

    - Kevin


  • Closed Accounts Posts: 382 ✭✭misterq


    I think the consensus is that for the shopper to enter the credit card details securely online, they will need to be connected to a secure server.
    This will encrypt any communications between the shopper and the server, so nobody else can see the credit card numbers.
    It's done by 1,000's of sites across the world, it is industry standard and an absolute must in my opinion.

    Ok, so now the shopper has sent the details to the web server.
    Our next objective is to communicate the card number to the seller.
    We can normally do this in either of two ways:
    1) Send the information to the seller as an email
    or
    2) Store the CC information on the server and notify the seller to collect it from the server

    1) Sending as Email
    Most Linux servers have PGP installed which can encrypt the email before sending and thus the data will be secure while being sent across the Internet.

    If you don't have PGP, you could try another encryption method, but I don't know of any Javascript, ASP or PHP encryption methods that are proven to be secure.

    2) Store on Server
    The details are written to a database or file and the seller is informed by email to connect up (via SSL) to retrieve the info.
    If you go this way, you had better encrypt the CC details while on the server! It would also be a very good idea to remove them once viewed.
    I haven't used this method myself as I believe there are more potential security risks and more work involved.

    Hope this is helpful.

    Ronan


  • Registered Users, Registered Users 2 Posts: 9,579 ✭✭✭Webmonkey


    Originally posted by p
    Didn't you just suggest a client side solution earlier on in the thread? ...

    am no, I suggested Md5 which is PHP which hmm let me think is server side? But i know i wasn't thinking right but if you read again u'll see that i didn't say anything bout client side encryption.

    Originally posted by p
    Getting stuff from the form » server, means it's going from the client » server.

    Doesn't everything. Maybe i was thinking another way yet again.

