
Basic SSL / shopping cart questions

  • 17-12-2003 11:33pm
    #1
    Registered Users Posts: 229 ✭✭


    Ok, as a project in college I created a working ASP online store. It makes people register their username and password and then goes on to take their credit card details etc etc, and stores all the info in one Microsoft database in the admin folder .... I'm grand with all the languages but just don't know where to go from here.

    So I think this is how it is .... you buy an SSL for a certain amount a year (I'm hosted with Hosting365 so get a shared SSL for 99 ex VAT). Do I just need to point it to the admin folder, or create a new sub directory shop.mydomain.ie and put the whole cart in there and then not have to touch any of my ASP code?

    I have a lot of reading up to do on getting merchant accounts etc etc, sounds like such a headache, but if an SSL will just protect my database then I'm happy with that .... like can people not just view the source of the ASP files and trace it back to the database file? And then download that (say in GoZilla or whatever, put in www.mydomain.com/databasefolder/database.mdb) and open it and tada, got all your details etc??

    Sorry for the basic questions, just can't get me head around this at all and the books I've read and sites I've visited don't explain it at all.

    Thanks
    Paul


Comments

  • Registered Users Posts: 1,569 ✭✭✭maxheadroom


    Place the database file outside of the web tree. I don't know how H365 is set up on Windows, but on Linux you have

    /mydomain.com
    /logs

    in the root of your account. Why not set up a new directory there called database? Then, if you had a script in /mydomain.com/cgi-bin/shopping.cgi (for example) it could reference the db as ../../database/mydb.mdb

    Another option would be to use your MySQL account. Probably a better option in the long run too.


  • Registered Users Posts: 229 ✭✭paulthelegend


    Oh yeah, I didn't even cop that at all!! So simple that people don't put it in books :) Thank you very much! I'm guessing putting it in your root under database or something along those lines would be completely safe? Like impossible to access it from anywhere but the accounts shared on your hosting folder (which I own and design all of anyway)?

    Thanks again
    Paul


  • Registered Users Posts: 1,569 ✭✭✭maxheadroom


    Exactly. Again, I'm not sure of the exact terms used for Windows, but the basic idea is that each domain has a "Document Root" directory which equates to http://mydomain.com. Anything outside of that directory tree won't be web accessible.


  • Registered Users Posts: 229 ✭✭paulthelegend


    Yeah, Windows is roughly the same, so from then on all I need is to get an SSL cert and point it to mydomain.com, and that secures the transfer of info from mydomain.com/shippincart.asp sending their details to ../../databasefolder/database.mdb? I don't have to add any code or anything too serious? God, that's brilliant haha, can't believe I spent the last couple of days learning about how the 128 bit encryption works and all the key stuff, jasus! haha thanks for the help, really appreciated.
    Paul


  • Registered Users Posts: 1,569 ✭✭✭maxheadroom


    Well, it'll stop people directly accessing the database file from the web. You'll still need to make sure the web application accessing the database is secure, naturally :)


  • Closed Accounts Posts: 135 ✭✭dynamic.ie


    Couple of things to point out to you here...

    Do create a folder called databases above your website's root folder so that you have a tree like this:

    yourdomain.com/
    databases/
    logs/

    You won't be able to access the database using a DSN-less connection, so you will have to use ODBC to access the database and reference where it is. Change your connection string if this is not how you have got it set up. DSN connections are a bit slower than DSN-less connections, but sometimes you've got to do it.

    The SSL you are on about purchasing is not a shared SSL, it's your own SSL. So, if you buy an SSL cert for www.yourdomain.com, you can access the site using either:

    1. http://yourdomain.com
    2. http://www.yourdomain.com
    3. https://www.yourdomain.com

    The only secure access is through no. 3 above. I would advise encrypting your credit card numbers using a key before inserting them into the database, so that even if someone did get your database somehow (can be done if they get FTP or web based access), they still can't view the credit card numbers because they will be encrypted and can only be decrypted with the correct key. There is a good tutorial at http://www.4guysfromrolla.com/webtech/110599-1.shtml about this. Thinking of writing my own one shortly though, cause it can be a pain in the ass to get your head around.

    maxheadroom gave good advice... no point securing your database and using SSL if someone could access your admin pages to view what is in your database without actually having direct access to the database. Have a look at my post on this topic that I put up about extra admin security... http://www.boards.ie/vbulletin/showthread.php?s=&threadid=131195.

    Regarding someone being able to trace your database path from viewing your source, there are simple measures to avoid this. Make sure that anywhere you reference the location of your database in your source code, it is in between <% and %>, as well as making sure the file extension always ends in .asp. Always rename Access databases and the folders they are in to something like:

    nemndej322930tgj3n3/ndnfn02drgjrejw.mdb

    Don't use guessable words for each, like:

    database/database.mdb

    That's how people get databases from sites. Last thing is to never use a file extension such as mydbconnection.inc. Ok, you can include the file and use it in your code, but if someone runs mydbconnection.inc by itself in a browser it will show your code exactly how you have written it and not compile it at all.

    Cheers... Dave
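As an added check, not code from anyone in this thread nor from boards.ie or Hosting365: a small Python audit that resolves each file reference the way Server.MapPath does (relative to the directory of the script that contains it) and reports whether the target lands inside the document root, where maxheadroom's and Dave's points say it becomes fetchable by URL. The document root, host name, script path and file references below are constructed sample values.

```python
import posixpath

def resolve(docroot, script_rel, ref):
    """Resolve ref the way Server.MapPath does: relative to the directory
    of the script that contains it (absolute refs are kept as-is)."""
    script_dir = posixpath.dirname(posixpath.join(docroot, script_rel))
    return posixpath.normpath(posixpath.join(script_dir, ref))

def web_url(docroot, host, abs_path):
    """URL at which abs_path would be served if it lies inside the document
    root (everything under docroot is web accessible); None if it is outside."""
    root = posixpath.normpath(docroot)
    if abs_path != root and not abs_path.startswith(root + "/"):
        return None
    return "http://" + host + "/" + posixpath.relpath(abs_path, root)

def audit(docroot, host, script_rel, refs):
    """Classify each reference: outside the root is fine; an .mdb inside the
    root can be downloaded; an .inc inside the root is served as plain text."""
    findings = []
    for ref in refs:
        target = resolve(docroot, script_rel, ref)
        url = web_url(docroot, host, target)
        if url is None:
            verdict = "ok: outside document root"
        elif target.lower().endswith(".mdb"):
            verdict = "downloadable database: " + url
        elif target.lower().endswith(".inc"):
            verdict = "source disclosure: " + url
        else:
            verdict = "web reachable: " + url
        findings.append((ref, verdict))
    return findings

# Constructed sample layout (not a real host): the document root sits beside
# the database and logs directories, as in the tree described in the thread.
DOCROOT = "/home/paul/mydomain.com"
HOST = "www.mydomain.com"
SCRIPT = "admin/shoppingcart.asp"
REFS = [
    "../../database/shop.mdb",                  # outside the root: not fetchable
    "database/database.mdb",                    # guessable and inside the root
    "nemndej322930tgj3n3/ndnfn02drgjrejw.mdb",  # random name, still inside the root
    "connection.inc",                           # .inc is served as plain text
]

if __name__ == "__main__":
    for ref, verdict in audit(DOCROOT, HOST, SCRIPT, REFS):
        print(f"{ref:45} {verdict}")
```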


  • Closed Accounts Posts: 32 mrterry


    ASP source code can be read if parent paths are enabled. Be sure to have this turned off on the web server.


  • Moderators, Politics Moderators Posts: 39,950 Mod ✭✭✭✭Seth Brundle


    Originally posted by dynamic.ie
    Couple of things to point out to you here...

    Do create a folder called databases above your website's root folder so that you have a tree like this:

    yourdomain.com/
    databases/
    logs/

    You won't be able to access the database using a DSN-less connection, so you will have to use ODBC to access the database and reference where it is. Change your connection string if this is not how you have got it set up. DSN connections are a bit slower than DSN-less connections, but sometimes you've got to do it.
    Yes you will be able to access via a DSN-less connection!
    <%
    ' Open an ADO connection to the Access file with a DSN-less ODBC string;
    ' Server.MapPath("../database/...") needs parent paths enabled on the server
    Dim MyConn
    Set MyConn = Server.CreateObject("ADODB.Connection")
    MyConn.Open "Driver={Microsoft Access Driver (*.mdb)};DBQ=" & Server.MapPath("../database/myDB.mdb")
    %>


  • Registered Users Posts: 229 ✭✭paulthelegend


    <%
    ' Returns an OLE DB (Jet) connection string for the Access file; the
    ' relative path is mapped from this script's location by Server.MapPath
    Function GetConnectionString()
        GetConnectionString = "Provider=Microsoft.Jet.OLEDB.4.0; Data Source=" & Server.MapPath("../path/databasename.mdb") & ";"
    End Function
    %>


    That's my connection file and it's in a connection.inc file ... in my admin folder ... so I'm guessing that's not good news :) Should I just rename the file to something mad, or do I have to change it altogether? Like again, this is just a project at the moment so no one's in danger ... YET :)
    I will be reading them tutorials now and will use a key. The DNS thing kind of lost me a bit but I'll read up on all that.

    I'm guessing no one can go into GoZilla or whatever and type www.mydomain.com/default.asp and download that, then look at what it's pointing to and get that etc? Is that the idea of ASP, that whatever's inside the <% and %> can't be viewed or downloaded no matter what? It was a rushed thing (so I don't know much about the background or benefits), cause what I did was look at source code of guest books and code snippets like reading from a database and login details etc and made a Frankenstein style shopping cart :) but enough to get me 85% so far :)

    I can't thank everyone enough for the help
    Paul


  • Moderators, Politics Moderators Posts: 39,950 Mod ✭✭✭✭Seth Brundle


    All code between <% and %> is processed by the server and some kind of output (if coded) is sent to the user.
    Rename all *.inc files to *.asp. That way your secret code (connection string etc.) will be processed by the server if someone requests it. When the user receives the file it will be blank - try it.


  • Closed Accounts Posts: 66 ✭✭usualsuspect


    You should talk to the bank about a merchant account and handling credit cards online. Good enough for you may not be good enough for them, or for your potential customers or for the law should it ever come to that...good luck anyway!

