How Secure is This?

J

Jonathan Wood

I've developing an online ordering system. However, in some cases, the order
will originate from another server. This means there needs to be a way to
securely passing the order information to my system.

Originally, I was going just pass the product ID. Then, my system can simply
look up the ID in the database. This is very secure because I read the data
straight from the database.

However, I see now that I need the ability to do a price override, where the
cost in addition to the product ID needs to be passed. This is more of a
problem as I don't want people creating their own Web pages that override
the price to 1 cent.

The way I'm thinking about doing this is by encrypting the data in a hidden
form variable. I haven't determine what encryption algorithm to use
yet--I'll probably just find something on the Web.

But this has me wondering: could a sophisticated user work around this? Is
there a better way?

Thanks.

Jonathan
 
J

Jonathan Wood

Yes - all encryption can be cracked given enough time and resources...


The question you need to ask is how secure your app really needs to be.

What could realistically happen if it were hacked?

How much money could you / your client / your client's customers
realistically lose?

How much money will security cost you in development and testing time?

Security is a question of balance...

Sure. Obviously, I'd like to add more security if it didn't require months
of development. So, for me, the question is: What, if any, is the next level
of security over the one I'm contemplating? From there, I could figure out
if it was worth it.

I ask because I don't really see how it could be made more secure without
losing security in other areas (for example, if the source site is allowed
to access my database directly, then I open myself up to abuse of that
privilege).

Thanks.

Jonathan
 
W

William Niver

This is one of the primary reasons Web Services were created and why they
flourish.
You can restrict what sites can use them, can restrict which sites can get
access to which ones, can even restrict which sites have access to which
methods.
You then have a called method where you can perform logic to further test
the submitted data before calling your own database.

William
 
J

Jonathan Wood

Yup. They sound great to me.

So many things to learn and so little time...

Jonathan
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

No members online now.

Forum statistics

Threads
473,743
Messages
2,569,478
Members
44,899
Latest member
RodneyMcAu

Latest Threads

Top