surefire

Everything posted by surefire

  1. With the understanding that nothing is 100% secure... I think you're reasonably safe with either one but I have more experience with Mambo. It's a stable system with lots of community contributors and appears to have more flexibility in the template design (although one of my biggest complaints about Mambo is the templating engine...). Big Gorilla is correct in that the 777 and similar settings are there so that you can do things like upload files from the user/admin interface in the cms. There's no reason why you couldn't a) change the settings to 777 when you want to upload and then turn them back to 755 when done, or b) just ftp the documents and images instead of asking the script to do it. In terms of security, you need to make intelligent choices with the full knowledge that nothing is foolproof. If it's a deep dark secret or involves credit card numbers, SS numbers, and the like... don't put it on the web, even in a database. Backup often and update your CMS often as vulnerabilities are found on every CMS I've seen... and patches come out just as quickly (if the community is strong). There are other things you can do to improve the security of a CMS, or any site. Just good programming sense. Strong passwords, config files with php extension outside of your public dir... etc. Now cpanel even gives you the ability to assign permissions to database users and limit what they can do... That's a HUGE step forward that has been long awaited.
  2. There are a variety of opinions on this (as on everything... right?) but here's mine... and I've researched it quite a bit! Does Google index pages with dynamic urls (www.yoursite.com/index.php?var=1&blah=blah&etc=1)... yes. Does Google rank static (and static appearing) pages better... yes. You can make your pages look static with just a little knowledge and some recoding. Now, it's a lot easier if you wrote the pages... because you know where to look. If you are trying to recode someone else's code, and it's a big one, then you're in for a lot of sleepless nights... it's not easy. Do a search on mod rewrite and also 'force type'. Both methods work great. Here's another hint... download Gallery, the script, and look at the htaccess file that creates the search engine friendly urls... good stuff there. They use modrewrite to pass the variables straight out of the url before the script is even executed and then rewrite the urls. Very cool.
  3. This isn't the best procedure IMHO. You should let the processing company worry about storing the credit card/client data. But that's not what you asked. There is no SSL-ish protection available that I know of. You can encrypt the data in your database. There are a million and one encryption procedures and you can choose one or two that suit your needs. The encryption can be done automatically. This adds another layer of security... and a good one, but nothing is foolproof. If you have a secret to keep, don't put it online, even in a database. You have to evaluate the risk/reward. I lock my doors and turn on the alarm when I go out of town, but I know that a world class thief could still get in.
  4. It looks suspicious to me. The from and to are the same... plus there's a bcc. It might have been an attempt to see if the form mail script on the client's site is vulnerable to hijacking. The acid test of form mail scripts is whether the email recipient addresses are hard coded into the server side code... or if you pass it to the script from a hidden form tag in the html on your form page. If the script requires (or allows!) you to set the recipient email address(es) by sending the email addresses from the form html, then the script is vulnerable and you should use a different one. Even if your code compares the form data recipient email address against a pre-set array of accepted email addresses, there are serious vulnerabilities. The best form mail code is set up by the website owner to send all messages to a prearranged set of email addresses. I don't know of a way that a form mail script could be hijacked if the recipients are hardcoded.
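The design described in this post, as an added example written for this page (it is not surefire's script and not taken from the thread): the recipient list lives only in server-side code, any recipient field submitted by the form is ignored, and the user-supplied header values are checked for line breaks so they cannot smuggle in an extra Bcc line. The addresses and field names are placeholders.

```php
<?php
// Added example (not the forum's own script): a form-mail handler whose
// recipients are fixed in server-side code, so nothing in the submitted
// form can change where the message goes.

// Hardcoded recipient list (placeholder address). The form never supplies
// or selects an address, so there is nothing for a hijacker to override.
const FORM_RECIPIENTS = ['owner@example.com'];

// A user-supplied value that contains CR, LF or NUL could end the header
// it is placed in and start a new one (e.g. an injected "Bcc:"). Reject it.
function headerSafe(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) !== 1;
}

// Validates the POSTed fields and returns [to, subject, body, headers],
// or null if the submission must be rejected.
function buildFormMail(array $post): ?array
{
    $name    = trim($post['name'] ?? '');
    $email   = trim($post['email'] ?? '');
    $subject = trim($post['subject'] ?? '');
    $message = trim($post['message'] ?? '');

    // Any "recipient" or "to" field in the form is deliberately ignored.
    if ($name === '' || $subject === '' || $message === '') {
        return null;
    }
    if (!headerSafe($name) || !headerSafe($subject) || !headerSafe($email)) {
        return null;
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    // The visitor's address goes in Reply-To only; From stays under our control.
    $headers = "From: webform@example.com\r\n"   // placeholder sender
             . "Reply-To: " . $email . "\r\n"
             . "X-Mailer: PHP/" . phpversion();
    $body = "Name: $name\nEmail: $email\n\n$message\n";

    return [implode(', ', FORM_RECIPIENTS), $subject, $body, $headers];
}

$mail = buildFormMail($_POST);
if ($mail === null) {
    http_response_code(400);
    exit('Invalid submission.');
}
[$to, $subject, $body, $headers] = $mail;
mail($to, $subject, $body, $headers);
echo 'Thanks, your message was sent.';
```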
  5. Glad you're back. We all missed you!
  6. I want to preface this by saying, I don't know everything there is to know about php... and this is in no way an attack... just my differing viewpoint. I have serious doubts as to whether the second part of Kasey's strategy would work. PHP does things on the server and then sends html to the visitor's browser. That being the case, a spam bot browsing through web pages is going to see the email address just as surely as your human visitors will. There is no difference. By the time anything is sent to the browser, php has already done everything it's going to do (actually, the server does it). If someone wants to point out the fault in my logic, I will gladly chalk this up as a new lesson learned. Until then, I would stick to the first part of Kasey's advice, which is very sound.
  7. Glad you like it. Thank you Natimage for recommending. There are lots of form processors out there. I'm glad you find mine worthwhile.
  8. It's safe to say that this needs fixing. Your form should point to a specific file that isn't the front page of your site. The page it should point to needs to be able to do the following: parse the data, check it for validity, and email you the data. There are plenty of cgi/perl or php scripts that can do that. But right now, your form is sending all the data to your index page... actually just your public_html directory... and that's incorrect.
  9. I read the book. It's okay. If you are looking for one or two good ideas, then you'll be happy. It's not the most groundbreaking book I've ever read... but it's good. One of the biggest ideas in the book is to limit the size and amount of javascript. I'm not much of a javascript user, so that part of the book doesn't apply to me. The book also encourages xhtml versus html... I haven't made that change yet and don't really see the advantage... yet. There are some interesting tricks with tables. Also, he discusses css layout as a replacement for tables. I finished the book thinking that most of the ideas were valid... but not always practical.
  10. OK... I have more info for you... Firebird with bookmarks open on left hand side... I'm sure you guys are rolling your eyes at me. Pretty much everyone uses ie so I wouldn't sweat it, but here's what it looks like to me.
  11. For the login part, check out patUser. http://www.php-tools.de/site.php Part two would seem to be a custom application that you will have to build on your own. If you don't have experience with php and mysql, then I would check out some tutorials at DevShed or purchase a book. Don't take that as a blow off answer... it's not easy to explain how to write a custom php/mysql script from start to finish. A book or online tutorial (prewritten) is your best bet. You might find a script ready to use at HotScripts.com
  12. This is off topic, but I wanted to let you know that 1- your site looks beautiful (in IE) 2- it breaks very badly in Mozilla (Firebird)
  13. I'm sure others will chime in with their info, but here's my two cents. The most professional, independent way to do it, is also sometimes the most challenging, which IMHO, would be your own ssl and merchant account. The shopping cart would be set up to transmit the data securely to the merchant account where it should be instantly processed, and the results returned securely to your site where the shopping cart gives your user feedback on the success/failure of the purchase and sends a receipt to them by email (without their credit card numbers on it). That's not the only way to do it though. As you mentioned, there are numerous payment processors out there that provide the secure connection and payment processor, sometimes even the cart, all in one. Who you go with is a matter of preference. But your shopping cart would basically do the same thing up until the time of transaction, when at that point, the customer would leave your site (even if they don't know it) as data is posted to the payment processing service, an ssl connection is made, credit card info is given, and then they are sent back to your site where the rest continues as I described above. IMHO, here are your choices:
      • ssl & merchant account: long setup time; more initial cost; lower ongoing cost if you have a high volume of sales; more complicated to set up; more professional
      • paysystems, ccnow, clickbank, et al.: quicker setup; lower initial cost; higher ongoing cost if you have a high sales volume; lower ongoing cost if you have weak sales; less complicated to set up; less professional
      Ta da... I'm sure someone will chime in to give you a different version, but that's what I've learned from experience.
  14. As stated earlier, there is a support forum set up specifically for this code and I answer every question posted to it. The link to the forum was already posted, but you can also find the link in the readme of the files you downloaded (along with instructions).
  15. I'm glad it's been helpful to all. I've answered every question ever posted to my support forum.
  16. Awesome script. Thanks.
  17. I'd really recommend setting up Invision Board on your site and playing with it first. After playing around with the board, it will become apparent how to make it work for your specific needs... One word of advice, make sure you think like a criminal a bit and understand that if there is a loophole that the folks who are supposed to be paying find out that they don't have to... then your client will be very upset. I know it can be done... I looked at mine today just to verify.
  18. Just do a 301 redirect in .htaccess: Redirect 301 /index.html http://www.[youractualsite].com/index.php
  19. Invision Board can easily password protect certain forums or hide them from certain groups.
  20. I think a better way would be for you to download Gallery or Coppermine. Gallery has an option where users can subscribe and upload their photos. http://www.totalchoicehosting.com/help/thirdpartypage.htm
  21. I heard on CNN the other day that Yahoo is finally going to be moving away from Google in the coming months and using their Inktomi investment. I hope this happens sooner rather than later. I believe in competition and right now things are too one sided in the search engine world for my taste. I also believe that just as Google came from out of nowhere to become the 'best' search engine, someone else will come along that will change the playing field.
  22. I don't know... but I bet you're glad you tested it for yourself. If you had just assumed what you thought you knew... as I did... then you wouldn't have chosen correctly. This is a little reminder to me that I don't know everything and shouldn't take anything for granted. Thanks for reporting your results. By the way, was it drastically faster? Or just slightly?
  23. Just to clarify... My point was that if you wanted to have minor portions of your site, like banners or the titles of articles in blogs, that kinda thing,... if you wanted to have them in some esoteric font, then you can use server side code to dynamically create images on the fly so that your weird font works with all browsers. Certainly this is not a solution for the majority of your text.
  24. Bill, I laughed so much at the ending because almost the same thing happened to me many years ago. I changed lanes without looking, realized too late that there was a car in the blindspot, but barely bumped it. So the guy's furious and motions for me to pull over, which I was in the process of doing. He parks on one side of the block and I have to park around the corner. I feel just horrible and I'm walking around the corner to apologize to the guy and as I turn the corner I see that he's all of 5 foot nothing and looking to tear someone a new one.... until he sees my athletic 6'4" frame come around the corner, and you could just watch all the bad-I AM A SPAMMER just fizzle and disappear as he realized he should be civil about the whole incident. I apologized and waited for the cops, but inside I was laughing at how this little weasel had done a total 180 out of self preservation.
  25. And I've beefed up the documentation on the latest version of the code with a line by line (almost) explanation of what the different variables do. http://www.surefirewebdesign.com/scripts/docs/ And for those TCH members that currently run the script but forgot where to get the code, I'll direct you to the TCH help page: http://www.totalchoicehosting.com/help/id65.htm