Anyone want a really quick little earner

miju

OK I'm looking for someone to do a little job for our site thats going live again in May

Basically we have band profiles on our site and each profile is in their own seperate folder on the server. Now can someone please make a form we've done already secure so we can recieve the CC info. We don't need merchant accounts or out like that we just wanna make the form secure.

Also, while your at it I'd like ya to get working another 2 javascript for (one secure the other not)

BTW no web design company's need apply:mad:

Just lob your proposal underneath this post and your qoute and I'll reply to everyone (whether I give ya the job or not)

The Corinthian

Originally posted by the-raptor
Now can someone please make a form we've done already secure so we can recieve the CC info.

You might want to do a bit of research on what constitutes a secure transaction before you throw open your doors to every Webdev cowboy out there.

BTW no web design company's need apply:mad:

And that comment is a case in point, this sort of thing is not really a design company's core competency.

miju

Originally posted by The Corinthian
You might want to do a bit of research on what constitutes a secure transaction before you throw open your doors to every Webdev cowboy out there.

And that comment is a case in point, this sort of thing is not really a design company's core competency.

We'll for a start we'll just change our passwords while the work is being done so that should do the trick (I think)

And a web design company should still be able to do secure pages but hey what do I know?

The Corinthian

Originally posted by the-raptor
We'll for a start we'll just change our passwords while the work is being done so that should do the trick (I think)

OMG! :rolleyes: :mad:

You are sooooo going to get raped.

miju

well look it's like this

All web design / development companies I've contacted have not even bothered their arses replying to my enquiries and theres about 20 odd that I've contacted.

SO IMO THEY DON'T ****ING DESERVE MY BUSINESS

So I'm just trying to get the job ****ing done in time for May 1st.

So in that case I will ask has anyone any suggestions about what to do?

ecksor

Originally posted by the-raptor
We'll for a start we'll just change our passwords while the work is being done so that should do the trick (I think)

The following isn't meant to be comprehensive, but some things that come to mind to put you on the right track in terms of figuring out what people are offering you. It is up to you to adequately weigh this up in terms of your own business model to see what makes sense. (what exactly are you selling here, or is it obvious and I missed it?)

Security in the context of e-commerce usually involves SSL to encrypt the details in transit and (using a trusted CA supplied cert) to ensure that your server isn't open to being spoofed. In practice that stuff means more in terms of insurance and due-diligence than it does in terms of security, but that just makes it more essential. There are a number of rules defined by companies visa for what is the minimum required for a secure e-commerce platform, which can be found on their site. Off the top of my head it includes things like server hardening, a firewall, encrypted storage on the server and some other operational type security precautions.

Depending on how the site is structured you can easily open other avenues of attack against the server through poor input validation which can be mitigated through coding standards and the principle of least privilege. Or it may be possible to hijacking another user's session's through some social engineering and a bit of cross site scripting, or perhaps they're just predicatable, because the developer thinks that no one will spot that the ID is actually unixtime, or it's the last inserted database ID.

And a web design company should still be able to do secure pages but hey what do I know?

Designers aren't developers, and developers don't always know security. Not your job to know about it, but as Corinthian seems to be getting at, the nub is that in an unregulated 'cowboy' market, the lack of knowledge can lead to you getting badly burned because you don't know the difference between a good solution and a bad one.

ballooba

http://www.freelanceireland.ie/

miju

Right about how we're going to sell things.

1st off we'll be selling CD's of unsigned bands and the like but how and ever.

Secondly, I dont want to do a "catalogue" form store instead I just to have a link on each bands profile page to their secure form in their own folder

All I want is the CC details to be encrypted and sent to us and then unencrypted at our end and any other security that can be done is a plus I suppose.

So can anyone point me in the right direction cos I swear to god for an industry that's supposed to be struggling the web companies don't seem to be that bothered about my business

miju

Originally posted by ballooba
http://www.freelanceireland.ie/

I forgot to mention the fact I posted this here and got a few qoutes and when I replied to them I heard nothing back from any of them freelanceireland is a load of bollocks anyway IMHO

The Corinthian

Securing the form is straightforward enough if you go down the SSL route (although you may want to clean up some of the client side code too).

However, once the data reaches your server where is it going? Will it be stored (if so where)? Emailed? Encrypted/not? Is your server secure? Is it dedicated or virtual? What scripting languages are available? What There’s quite a few questions that anyone would look at answering before doing anything.

I remember a secure (over HTTPS) payment form a few years back that wrote to an unprotected text file in the Web root. The name of the text file could be found as a hidden field in the form.

A tip - if someone quotes a price that’s too good to be true, that’s because it is.

If you want to talk to me further about it, feel free to PM me.

ecksor

Originally posted by the-raptor
So can anyone point me in the right direction cos I swear to god for an industry that's supposed to be struggling the web companies don't seem to be that bothered about my business

Perhaps you come across unprofessionally.

freelanceireland is a load of bollocks anyway IMHO

miju

Nope I came across very professional and polite.

I know I'm not being here but thats cos it's in a different situation ya know.

It's no wonder the IT industry is going under in this country if most places dont even bother replying to you

misterq

we do this quite a bit at work for customers:

- Shared SSL space
- Setup form on this
- Form to PGP Encrypted email script installed
- Merchant gets PGP encrypted email to their account

Once the Merchant has the PGP plugin installed in their mail client it is plain saling for them.

Ideal if you have low volume sales and an existing merchant account.
I do always point out that you should check with your bank to make sure they will allow you to take numbers over the net.


Regards

Ronan

FreeHost

From reading through this post, basically you need SSL and you want to process everything yourself. Well that's really no problem at all, in fact, many people do it manually to test sales before deciding on a payment gateway.

First get some information from your Host;
1. Are you hosted on Windows or Linux
2. Is it name based or IP based

If you have an IP based site then your laughing, all you need to do is purchase a secure cert and install it on the site. Your host will do this for you.

Web Designers and developers use different hosts depending on what the site requirments are, and the host would then set up what ever is needed for the designer/developer.

From my reading of the above posts, what you need is an IP based site with a secure cert.

mneylon

If you want to get this kind of job done you will need to get a professional to do it.
Have a look at http://vertigo.irishfreelance.com
They did a similar job for The Walls http://www.thewalls.ie

Webmonkey

I can do it if you want. With a bit of Md5 Encryption. Is the form going to your email account? Could you explain to me a bit more. thanx

./Webmonkey

ecksor

Originally posted by Webmonkey
With a bit of Md5 Encryption.

What is that?

ecksor

Ah, that said 'm5' when I read it first.

md5 is one way. If you apply md5 to some data, you don't have an efficient way of recovering it (that I've heard about anyway).

Webmonkey

Achually i was thinking the wrong way there. Sorry. hmm what bout PGP. Can't that be installed on the server? I saw something before about it

RicardoSmith

I don't know much about it but why do you need SSL? Could you not use a database to hold all the data and use PHP sessions to prevent the info being cached? Surely you only need SSL if you are actually going to do the payment online etc. Which I don't think the-raptor is going to do.

ecksor

Originally posted by RicardoSmith
I don't know much about it but why do you need SSL? Could you not use a database to hold all the data and use PHP sessions to prevent the info being cached?

:eek:

Surely you only need SSL if you are actually going to do the payment online etc. Which I don't think the-raptor is going to do.

2 reasons. The credit card information needs to be protected against snooping as it travels between the client and the web server. Also, SSL uses a chain of trust that starts with the pre-loaded public certs in your web browser to validate to the user that they are actually communicating with the domain that they think they are.

Webmonkey

Yeah thats true. Why don't u just use a form to transfer the data onto a file/database on the same server. The data won't leave the server.

I think it wud be secure enough, don't u think?

RicardoSmith

I always heard that PHP sessions are much safer than other types of sessions you can use. I was of the understanding you can write unique encrypted data to and from the server that no can read.

Besides I thought it was quite difficult to get a SSL certificate that allows you to get the cc info. Which is why people use payment systems that hide all the cc data from the merchant for security reasons?

Oh and don't give me a hard time, for asking dumb questions. I already admitted to knowing fig all about it

mneylon

You can get a variety of SSL certificates that vary in price and encryption. They all work fine for CC transactions.
Maybe you are confusing 'grabbing' the CC information and actually processing it afterwards?

RicardoSmith

Could be. How are the two handled differently?

peterd

I found this interesting example of using javascript to encode a c/c number and the form is emailed to the recipient. I'm not a java-scripter, so I can't comment on how effective this is at encoding the data, but I would have assumed that because the code for "scrambling" is hardcoded in the page source, that it would be easier to decode?

The Corinthian

Originally posted by RicardoSmith
Could be. How are the two handled differently?

They're different processes. One handles the transport of the data to the server, the other is involved in processing that data once it gets there.

Webmonkey

Originally posted by peterd
I found this interesting example of using javascript to encode a c/c number and the form is emailed to the recipient. I'm not a java-scripter, so I can't comment on how effective this is at encoding the data, but I would have assumed that because the code for "scrambling" is hardcoded in the page source, that it would be easier to decode?

oh god i would never trust client side encryption. Easily hacked. But then again maybe i'm wrong in the way i'm understanding it

RicardoSmith

So are you all saying that SSL certificates are the only secure method of 'grabbing' the CC information and actually processing it afterwards? Both for transporting the data to the server, and processing that data once it gets there?

Webmonkey

Unless you create your own encryption method and be able to decrypt it again afterwords? Scamble the words using serverside script rather than clientside. - Say PHP?

./Webmonkey

The Corinthian

Originally posted by RicardoSmith
So are you all saying that SSL certificates are the only secure method of 'grabbing' the CC information and actually processing it afterwards? Both for transporting the data to the server, and processing that data once it gets there?

No, I'm not saying that.