Viewing Thread:
"Mess up my webshop please..."

The "Freeola Customer Forum" forum, which includes Retro Game Reviews, has been archived and is now read-only. You cannot post here or create a new thread or review on this forum.

Wed 05/01/05 at 16:11
"Bothered!"
Posts: 207
Hi people, could you try and mess this up for me? It's not on SSL yet but I will do that later... I want you people to test the security... thanks.

DO YOUR WORST...lol!

Cheers...SS

[URL]http://81.178.216.126/shop[/URL]

PS (Check this thread in case my IP changes)

SERVER GOES DOWN AT - 12:00 am
SERVER COMES ONLINE AT - 7:00 am
Thu 06/01/05 at 20:03
"Bothered!"
Posts: 207
Ok thanks... I'll look into that... validation. If you can do damage... do it my friend!
Thu 06/01/05 at 19:04
Regular
"Devil in disguise"
Posts: 3,151
An excellent start to making sure it's secure would be to validate all POST and GET data and handle it properly if it's not valid.

Small example:
http://81.178.216.126/shop/show_cart.php?new=SCREWTHINGSUP

I've just put in random text there, but if I was feeling malicious that would be one starting point to try to inject my own prices and so on. That URL at present gives me a blank item in the shopping cart. :)
Various other stuff like that in the site too, e.g. I currently have an item in my shopping cart with a quantity of b. :P
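The server-side validation Turbonutter is describing, as an added example that is not from the original thread or the shop's own code. It assumes PHP 7.1+; the catalogue contents, the `qty` parameter name and the `MAX_QTY` limit are assumptions, and the catalogue data is constructed for the example.

```php
<?php
// Added example (not the shop's code): validate the "new" product id and the
// quantity before anything is put in the cart, and never take a price from
// the request. Catalogue, parameter names and limits are assumptions.

// Constructed sample catalogue: product id => [name, unit price in pence].
// In a real shop this would be read from the database.
const CATALOGUE = [
    101 => ['name' => 'Novafold tray', 'price_pence' => 250],
    102 => ['name' => 'Plastic fork',  'price_pence' => 5],
];

const MAX_QTY = 500;   // assumed upper bound for a single line item

/**
 * Build one cart line from request parameters, or return null if the
 * request is malformed. Only the id and quantity come from the client;
 * the price is always looked up server-side, so the request cannot set it.
 */
function build_cart_line(array $request): ?array
{
    // FILTER_VALIDATE_INT rejects "SCREWTHINGSUP", "", "1abc", "1.5" and arrays.
    $id = filter_var($request['new'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($id === false || !isset(CATALOGUE[$id])) {
        return null;   // unknown or malformed product: add nothing to the cart
    }

    // A quantity of "b" fails here; a missing quantity defaults to 1.
    $qty = filter_var($request['qty'] ?? 1, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => MAX_QTY],
    ]);
    if ($qty === false) {
        return null;
    }

    $item = CATALOGUE[$id];
    return [
        'id'          => $id,
        'name'        => $item['name'],
        'qty'         => $qty,
        'price_pence' => $item['price_pence'],         // server-side price
        'total_pence' => $item['price_pence'] * $qty,
    ];
}

// Usage: in show_cart.php, pass $_GET (or $_POST) through this instead of using it directly.
var_dump(build_cart_line(['new' => 'SCREWTHINGSUP']));
var_dump(build_cart_line(['new' => '101', 'qty' => 'b']));
var_dump(build_cart_line(['new' => '101', 'qty' => '3']));
```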
Thu 06/01/05 at 18:41
"Bothered!"
Posts: 207
OOO Turbonutter is back... can you have a go at this please? I want my security seriously tested.

Thanks.
Wed 05/01/05 at 19:43
"Bothered!"
Posts: 207
Right, another problem that I am faced with: with MySQL 4, the expression LIKE %SOMETHING% worked so that it would return anything that contained "SOMETHING" between the %'s. Since I upgraded the version of MySQL on the server, it hasn't worked. I'm referring to the page:

[URL]http://81.178.216.126/index.php?page=1&from=0&limit=10[/URL]

Enter something like "novafold" into the product description box, and hit ... see the problem.

Also, anyone else who wants to try and mess up the shop, feel free.
Wed 05/01/05 at 17:54
"Bothered!"
Posts: 207
Ok will do, thanks a lot.
Wed 05/01/05 at 17:52
Moderator
"Are you sure?"
Posts: 5,000
secret_squirrel™ wrote:
> Ok I see... sorry. They will be manually keying them in to their own
> terminal I think. I'll cross that bridge when I come to it I
> think... but good point. Probably the keying into terminal method.

I've found this is the biggest hurdle to cross.

If they are processing offline (keying the transactions) then as long as your shop works for 'normal' visitors there will be no problem. If an order for 1000 thingies comes through for 2p they will see the cart's been hacked and won't process the order.
I've got some shops that work like this (taking the order under a Thawte SSL and processing offline) and it all works fine. The problem comes with some banks' 'Internet Merchant Accounts' that don't allow this and insist on you using a PSP, which gets more complicated and expensive.

Hope this makes sense!? Before you spend a lot of time getting things up and running, ensure their bank are happy...

Good Luck.
Wed 05/01/05 at 17:42
"Bothered!"
Posts: 207
Ok I see... sorry. They will be manually keying them in to their own terminal I think. I'll cross that bridge when I come to it I think... but good point. Probably the keying into terminal method.
Wed 05/01/05 at 17:39
Moderator
"Are you sure?"
Posts: 5,000
secret_squirrel™ wrote:
> Payments will be made using the online webshop once I set up an SSL
> server. Key Catering then have their own credit card system.

Not sure what you mean by this. Will they be processing the payments manually by keying them into their own terminal or will the payments go automatically via a PSP (Payment Service Provider)?

There's a big difference in security...
Wed 05/01/05 at 17:34
"Bothered!"
Posts: 207
Lol, good good. I will watch in amazement...
Wed 05/01/05 at 17:32
Regular
"NULL"
Posts: 1,384
Just about to try and have some fun with Brutus.
