Where to save &quot;price&quot; values

Where to save "price" values

hadoob024

My site is a real estate listing site. The only transaction we do is if someone wants to list a property. Residential listings cost $x and commercial listings cost $y. Basically, I want to know what/where is the best place to store these variables? Right now, I was thinking of defining constants for both of the values in a PHP file that's outside of the web document tree. And then I just include() this file to retrieve the values. Is this a safe way of doing it? Any chances on the values being changed? Thanks.

Stepdad

hadoob024 wrote:
My site is a real estate listing site. The only transaction we do is if someone wants to list a property. Residential listings cost $x and commercial listings cost $y. Basically, I want to know what/where is the best place to store these variables? Right now, I was thinking of defining constants for both of the values in a PHP file that's outside of the web document tree. And then I just include() this file to retrieve the values. Is this a safe way of doing it? Any chances on the values being changed? Thanks.

As long as your include directory is outside the directories accessible to the website that will work wonderfully, it will allow the server to access the needed information without making it available to anyone who downloads or views your web pages code.

Generally most of the web page design work I do makes fairly heavy use of this concept. I generally work with PHP and MYSQL for most of my website design, and I place all of the login information needed for the mysql databases in the include directory for php, then use the include() directive to give the webpage access to that information. That way if anyone actually downloads the webpage or views it source, they see things like $mysql_login and $mysql_password in the code rather than the actual login information for the database, which is stored safely out of reach in the php include directory.

Works like a charm, never had a security problem. Hope that helps.

hadoob024

Cool. Thanks. That's what I was thinking too. I found this solution too for dealing with keeping your MySQL passwords safe:

Create a file, /path/to/secret-stuff, that only root can read (not nobody):
SetEnv DB_USER "searcher"
SetEnv DB_PASS "blahblahblah"

Include this file within httpd.conf as follows:
Include "/path/to/secret-stuff"

Now we can use $SERVER['DB_USER'] and $SERVER['DB_PASS'] in our code. Not only do you never have to write your username and password in any of your scripts, the web server can't read the secret-stuff file, so no other users can write scripts to read your access credentials (regardless of language). Just be careful not to expose these variables with something like phpinfo() or print_r($_SERVER)

I think I might try using this approach. Any thoughts on this? I figure it's good for info that you don't want anyone to read. But my particular case is that I don't care if someone can read the value, I just don't want anyone to be able to change it.

Stepdad

hadoob024 wrote:
Cool. Thanks. That's what I was thinking too. I found this solution too for dealing with keeping your MySQL passwords safe:

I think I might try using this approach. Any thoughts on this? I figure it's good for info that you don't want anyone to read. But my particular case is that I don't care if someone can read the value, I just don't want anyone to be able to change it.

I think either approach would work fine. I prefer the include approach myself, not that it's more efficient or will get you more attention from the ladies, it's just my preferred method in coding.

In fact if you look at most of the websites I've done from the web side and view the source code, you'll generally only find one or two lines of code on the actual webpage itself, just a few function calls to functions that are defined in the include file.

Being inherently lazy I generally try to reuse code as much as humanly possible, so whenever I'm coding anything I break it up into functions, all the functions go into an include file and then when I need to access them from the webpage I do the include() and then the one or two function calls necessary to do the task.

I like this particular approach for two reasons, it hides my source code from prying eyes and it keeps it safe from harm. Even if by some miracle someone managed to hack into the server over the web the worst they could do is scramble up the html. The real workings of the site are tucked safely away in a directory that isn't accessible from the web.

In fact one of my favorite coding projects was for a gentleman who was running a personal website on his home PC - he'd made some rather unfortunate enemies during his days on IRC and as a result they were constantly hacking his website. He asked me for some assistance, and the solution I came up with was.. well, in his words, diabolical.

I replaced his entire website with one index page. Nothing else was stored in directories accessible to the web, everything was accessed dynamically using PHP and drawn from directories outside the directory accessible to the web.

When you clicked on a link to another page other than the index page, what was actually happening is that PHP would reload the index page and pull all the content from outside files using functions that simply read in the entire html file into one variable and then echoed it back out when index was reloaded.

From the users perspective it still looked and felt like any other website, but from a hacker perspective the thing was a nightmare. Worst case scenario if anyone did ever manage to hack into the site all they could do would be to mess with the index page, but since all the content was elsewhere it was completely safe. All he had to do was keep a copy of the index page saved elsewhere and if he did get hacked he just copied the index page back into that directory and viola! Website restored.

Of course his hacking problems ceased when we replaced the chintzy webserver software he was using with Apache, but given his paranoia level I decided to up the ante a bit and make absolutely sure his site was going to be as hacker proof as I could make it.

hadoob024

That's a brilliant design. I'm sort of doing it the same way, you just took it to the next level. All my main pages (in the web document tree) don't do that much. They basically call other files/functions from outside of the web document tree. I mean, I still do all my verifying/sanitizing/checks in these files, but most of the functionality (i.e., db connects, error handling, etc.) is called using include().

Sweet. I'm glad to know that this is an approach that someone with experience uses. Thanks. Yeah, this is the first project where I'm responisble for all aspects of it, so I've been overly paranoid. Normally it's like, work on this section, or work on that section. But this project is for this company me and this dude started, and I'm responsible for all aspects on the computer side (he's the legals/accounting/marketing guy).

Stepdad

Well really when your working with a LAMP or even a WAMP server (Linux, Apache, Mysql, PHP or Windows, Apache, Mysql & PHP) they are generally pretty solid. Apache is a pretty smart cookie and it's not an easy hack, nearly impossible to do so on a well installed Linux system. Haven't messed around too much with IIS myself, I've done a few projects for IIS servers but don't have a lot of experience with them on the maintanence/security side so I can't really give an informed opinion on their security features.

But there is certainly no harm in being extra careful. My love of includes really has to do more with ease of coding and maintaining code than it does with security, the security is just an added bonus for most of my projects. I did rather enjoy that one particular project though, it presented a unique challenge and really that's what I love most about programming.

My current project is for a company that handles mortages, and it's been a lot of fun. I've setup the website so all of the content is stored in mysql and they can edit their own webpages from a secure login page on the website. They weren't really expecting a CMS but I always like to go just a bit above and beyond whenever possible. Since the vast majority of my customer base is word of mouth it always helps to "shock and awe" whenever possible 🙂 Truthfully it's as much for my benefit as it is for theirs, it will save me a ton of time down the road because they'll be able to administer their own webpages without having to learn FrontPage or Dreamweaver. The component I'm working on now will allow people to sign and post real estate listings for sale, nothing worth writing home about mind you but it is kind of a fun little project really.

hadoob024

Yeah. That makes sense. For our site, it's just a simple pay to list your property, and then searches for listings are for free. We thought initially about adding the functionality of being able to manage your listings, but changed our minds. We just felt that the security overhead associated with this would've pushed back our launch date way too much (considering I'm the only one working on this). So anyway, I just completed the "add listing" portion of the page (the form validation, db insertion part). Basically all I have left to do is to implement the PayPal code, then it's ready for QA testing and a security audit.