Hello all!

I am using the php open-source cart FreeTrade for one of my clients, and have some specific questions if anyone has ever used it before. I've also got a couple very general questions, so please read on even if you've never heard of FreeTrade!

My general questions are pretty simple, probably, but this is my first e-commerce application and I'm on a schedule that keeps me up at night crying... Anyway, once I get my host to install the SSL certificate, how in the heck do I use it? When he sets it up, will one of the folders just be SSL? Or do I have to do something? And, along the same vein, I have moved all of the "module" files in FreeTrade above the web root (call me crazy, but I'm not real comfy with leaving the database username and password in a web-accessible location, as it is in the standard install...). So, because I'm doing includes for all the data pages in the cart, if I secure the shop directory, will this be an issue? The cart runs as such - it's all driven from one page that calls other pages in with includes, so I assume that the main index page has to be in the secure directory, otherwise the whole thing will be unprotected, right? I'm just wondering if I'm going to get that wonderfully reassuring "Some secure and some insecure" message every time the user loads a page...

Now, onto specific questions about FreeTrade - it natively stores credit card numbers in the database. I don't like this at all... I've already re-vamped the code to at least md5 encrypt user passwords (which were also unencrypted by default in the db) and got that working, so I feel better about that, but I'm hating the idea of storing the cc numbers in the db. (General part of specific question) Is this really an issue, and (specific part of specific question) is there a tag or toggle in FreeTrade that I'm not seeing that will change this behavior?

Thanks in advance for any help or advice on this issue...

    firstly, md5 as I understand it is ONE-WAY hashing. you CANNOT get your original value back from your md5 hash of a number. you'll need mcrypt or blowfish or something.

    also--and i could be wrong here--but I don't think there's much advantage to be gained from moving your modules out of your web folder. even though your password and login are stored in the php files, they won't cough them up when you access the files. even if you access the page directly, php will just output an empty page. in other words, inspect the file. it probably doesn't have any statements echoing your password.

    the security of your php pages is mostly determined by how carefully you deal with user input in your forms. screen input for " and '. you should probably make sure magic_quotes is on in your php config. also be careful of register globals. i think php.net has some good reading on security.

    you could dramatically improve your safety if you configure your database to reject queries from any machine except the authorized machine. i'm not sure exactly how to do this but it's probably a good idea if you're storing credit card numbers.

    as for the certificate...not sure. i rarely do server config myself. he'll probably give you an https folder...anything in there would be served securely.

      First off, thank you for your help - I appreciate it greatly!

      The main problem with not moving the code comes in the fact that with FreeTrade - with the default install - none of the included php files have a file extension. So, if you figure out the actual file name and location, the browser will spit it out as plain text. Boom - location, name, user, and password - right there for the reading! I may try to include the extension in the global include path and then just run through all the files and add the extension - then I could move the files back to where they originally are.

      As for md5, I know that it's one way - that works just fine. I'd rather someone have to call to get a new password than be able to just look it up and tell them.

      And, of course, the vast majority of the coding is done for me with the FreeTrade cart, and I have no actual access to the php.ini or server-wide variables (the host machine isn't even in the same state...).

      Thanks for the info on the SSL set-up - I didn't actually know if the server admin takes care of everything or if I had to do something about it at my end.
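
An audit for the exposure described in the post above, as an added example that is not part of the original thread or of FreeTrade: it lists files under a web root that contain PHP code but lack an extension the server executes. The `modules/database` layout, the demo paths, and the assumption that only `.php` is mapped to the PHP handler are constructed for illustration.

```php
<?php
// Added example: list files under a web root that contain PHP code but do not
// end in an extension the server executes, so a direct request returns source.
// Assumption: only ".php" is mapped to the PHP handler on this host.

function find_exposed_sources(string $webRoot, array $executed = ['php']): array
{
    $exposed = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($webRoot, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if (!$file->isFile() || !$file->isReadable()) {
            continue;
        }
        $ext = strtolower($file->getExtension());
        if (in_array($ext, $executed, true)) {
            continue;                      // handled by PHP, source is not sent
        }
        // Read only the head of the file; an opening tag is normally near the top.
        $head = (string) file_get_contents($file->getPathname(), false, null, 0, 4096);
        if (preg_match('/<\?(php|=|\s)/i', $head)) {
            $exposed[] = $file->getPathname();
        }
    }
    sort($exposed);
    return $exposed;
}

// Constructed demo tree: one extension-less include holding credentials,
// one normal .php page, one static file.
$root = sys_get_temp_dir() . '/webroot_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/modules', 0700, true);
file_put_contents($root . '/modules/database', "<?php \$dbPass = 'example';\n");
file_put_contents($root . '/index.php', "<?php include 'modules/database';\n");
file_put_contents($root . '/style.css', "body { margin: 0; }\n");

foreach (find_exposed_sources($root) as $path) {
    echo "served as plain text: $path\n";
}
```

Any path it reports should be renamed to an executed extension, moved above the web root, or denied by server configuration.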

        you should keep in mind that open source projects often have config options relating to http vs. https. might want to read the free trade faq?

        phpBB, for instance, has some config stuff that relates to https because many urls are generated by the application. if you have a cert, you don't want free trade sending people to http://foo.com/checkout.php....you want them sent to httpS://foo.com/checkout.php

          FreeTrade does a global variable for use with an SSL, so I don't think that'll be a problem. My main concern is the storing of the cc numbers in the db - if it does get hacked, what happens and who's liable? I don't want anybody coming after me, my employer, or the client. Of course, at this point, I'm so close to the deadline that I don't really have any time to redo it, so it may be a moot point, but I'm just trying to cover all the bases...

            That's pretty much what I was thinking. But somehow, I missed the Mcrypt functions - thanks for the link! This'll make me feel better..

            Thanks everybody!
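
The distinction the thread draws between one-way hashing and reversible encryption, as an added example that is not part of the original thread or of FreeTrade. It uses PHP's built-in `password_hash` and the OpenSSL extension (AES-256-GCM) in place of the md5 and mcrypt functions named above, since mcrypt was removed from PHP in 7.2; the function names, key handling and sample values are assumptions made for the example.

```php
<?php
// Added example: one-way hashing for passwords vs. reversible, authenticated
// encryption for a stored card number. Key and sample values are constructed.

// Passwords: the original is never needed back, so store a salted, slow hash.
function hash_password(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT);
}

function check_password(string $plain, string $stored): bool
{
    return password_verify($plain, $stored);
}

// Card numbers: the original is needed again, so encrypt with AES-256-GCM.
// $key must be 32 random bytes kept outside the database (assumption: loaded
// from a file above the web root or from the environment).
function encrypt_field(string $plain, string $key): string
{
    $iv  = random_bytes(12);                      // unique nonce per record
    $tag = '';
    $ct  = openssl_encrypt($plain, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct);       // store this string in the column
}

function decrypt_field(string $stored, string $key): string
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) <= 28) {   // 12-byte nonce + 16-byte tag
        throw new RuntimeException('malformed ciphertext');
    }
    $pt = openssl_decrypt(substr($raw, 28), 'aes-256-gcm', $key, OPENSSL_RAW_DATA,
                          substr($raw, 0, 12), substr($raw, 12, 16));
    if ($pt === false) {
        throw new RuntimeException('ciphertext was modified or key is wrong');
    }
    return $pt;
}

$key    = random_bytes(32);                        // constructed key for the demo
$stored = encrypt_field('4111111111111111', $key); // standard test card number
echo decrypt_field($stored, $key), "\n";
var_dump(check_password('s3cret', hash_password('s3cret')));
```

Encryption only helps if the key is stored separately from the database; a dump that includes both the ciphertext and the key protects nothing.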
