NYCPHP Meetup

[Chris Shiflett]

--- leam at reuel.net wrote:
> OScommerce requires register globals to be on, and Zen Cart requires
> some world-writeable directories in the DocumentRoot. THe other
> possibilites are AgoraCart, Interchange Cart, and CubeCart.

I've never looked at any of these things, but I've heard OScommerce
mentioned a few times recently. It's not obvious to me what this software
does by visiting their site. Is it just a content management and shopping
cart thing, or does it have more sophisticated support for payment
processing and such?

There seem to be all of these common problem spaces where someone needs to
write a solution that doesn't suck. I'm wondering if this is yet another
one.

> I'm reading Chris' security workbook

:-)

You might be interested to know that this has been renamed to the PHP
Security Guide and is now a project of the PHP Security Consortium:

http://phpsec.org/projects/guide/

It should be enhanced and translated as time passes.

> How do you protect yourself against liability, and more
> importantly how do you give the customer the security they deserve?

I've been asking these same questions recently. It sounds like having a
separate business entity protects you personally, and having a signed
contract can protect your business. I haven't spoken with a lawyer yet, so
take this with a grain of IANAL salt.

As for security, I truly think that giving a damn is the most important
step, so you're already on the right track. :-) Learn as much as you can
(I've tried to do my best to provide lots of free resources over the past
few years, and many are available at http://phpsec.org/), and focus on
filtering input and escaping output.

If you're security needs are very demanding, you can have someone perform
a security audit of the code.

Hope that helps.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly     HTTP Developer's Handbook - Sams
Coming Soon                 http://httphandbook.org/