[pmwiki-users] shopping cart cookbook - oscommerce vs PmWiki

Ben Wilson dausha at gmail.com
Thu Sep 21 12:06:05 CDT 2006


On 9/20/06, Eclectic Tech, LLC Info <info at eclectictech.net> wrote:

I'd seen Smarty, but not seen it done right. That said, I have not
looked at the Blogger code. I recently looked at Vanilla Forum, and
after first thinking the code was a bit clean, realized that the forum
was essentially one God object (which explains why there's word of a
scalability problem). I also don't like programs that require you to
update a PHP object so you can update a field in the SQL database
(otherwise you can't write an SQL query to retrieve or query that
field).

> As long as the files are in a directory that people can get in -- required
> for the webserver to find the files -- people can find your directory and
> look at your text.  Just not directly via the web.  They can do it
> indirectly via the same web server you use, or by FTP change directories
> until they're in your directory.  (Chrooted users being an exception, but
> I've seen webhosts NOT set up CHROOTed.)

I should have caveated that most of my recent experience has been with
chrooted systems. I think I've been involved with three or four web
hosts that all chroot as a matter of course. So, the security measures
I refer to are protected from other server users by chroot as well as
the web server. I suppose I've come to expect chrooting as a standard
business practice. I would certainly hope that we would advise clients
to use a web host provider with demonstrable security practices.

I should note that my favorite host (available on request) has a
fairly strict SSH policy: only with valid government photo ID, and
only from pre-approved IPs (i.e. you have to tell them which IPs to
accept). They also trawl the web space for nefarious world
permissions (e.g. 777 and 666), and accept variance only by direct
request.

The only worse example was as a consultant for a facility that
exercised a thorough background check, and still only allowed certain
people (having worked there for at least a year and not had any
security infractions) to have one-time password access to live
servers. There's nothing like having a 777 directory open for a few
minutes on a _development_ server, having your account suddenly locked
with email sent to yourself and your superior to meet with the
webmaster to explain _why_ you should be allowed back on the server
(let alone why not just run you out of the building)---these actions
introduced via a cron that looked every couple of minutes for such
rampant security violations. "Thank you, Sir! May I have another!"

-- 
Ben Wilson
"All this worldly wisdom was once the unamiable heresy of some wise man." HDT
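The permission sweep both hosts in this message run (a cron job that looks for 777/666 files under the web space and acts when it finds one) can be reproduced with a short POSIX shell script. The following is an added example, not code from the original thread or from either host; the function names, the assumption that the web root is passed as the first argument, and the paths in the cron comment are mine.

```shell
#!/bin/sh
# Added example (not from the original thread): a cron-style sweep for
# world-writable files and directories under a web root, the "777 and 666"
# check described in the message above. Assumes the web root is passed as $1.
set -eu

# list_world_writable ROOT
# Print every world-writable directory and regular file under ROOT, one
# per line as "dir  <path>" or "file <path>". -perm -002 matches any mode
# with the other-write bit set (666, 777, 1777, 622, ...). Only -type d
# and -type f are examined, so symlinks (whose own mode bits mean nothing)
# are skipped rather than flagged.
list_world_writable() {
    root=$1
    find "$root" -type d -perm -002 \
        -exec sh -c 'printf "dir  %s\n" "$1"' sh {} \;
    find "$root" -type f -perm -002 \
        -exec sh -c 'printf "file %s\n" "$1"' sh {} \;
}

# count_world_writable ROOT
# Number of world-writable entries under ROOT (prints 0 when clean).
count_world_writable() {
    list_world_writable "$1" | grep -c . || true
}

# report_world_writable ROOT
# Print a human-readable report. Returns 1 when anything was found so a
# cron line can act on the exit status (mail the owner, lock the account,
# whatever the host's policy is).
report_world_writable() {
    root=$1
    found=$(list_world_writable "$root")
    if [ -z "$found" ]; then
        printf 'OK: no world-writable entries under %s\n' "$root"
        return 0
    fi
    printf 'WARNING: world-writable entries under %s\n' "$root"
    printf '%s\n' "$found"
    return 1
}

# Run against the directory given on the command line. A cron entry every
# few minutes (hypothetical paths) might look like:
#   */5 * * * * /usr/local/bin/wwscan.sh /var/www || /usr/local/bin/notify-owner
if [ $# -gt 0 ]; then
    report_world_writable "$1"
fi
```

A directory with the sticky bit set (mode 1777) is still reported, since the hosts in the message flag any 777 directory; relax the `-perm` test if your policy tolerates sticky world-writable upload directories.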