osCommerce

The e-commerce.

Newbie Security Question


I am very new to all the PHP and online commerce business and need some guidance. Probably my questions will sound really dumb but i still have to ask them.

We are opening a new webstore and got a domain. As the bonus there is a osCommerce application available to install through control panel. So I have installed the webstore and it looks very nice. I am not going to make any mods to it because i simply do not have enough knowledge to perform them. I like it the way it is.

I have noticed that all the permissions to the folders and files are already set according to the installation manual (I guess the installer did that). I also noticed that I can get access to files inside the folders (catalog, extras) by just typing www.mysite.com/catalog/images in the browser. Or I can read the file www.mysite.com/mysql_catalog.sql! The same applies to different *.php files in the catalog folder. This scared me a bit because if I can do it so easily then everybody else can do it as well. I am not even sure if I should worry about this access, maybe that is normal and nobody can do any harm by using these files.

I guess my goal is to make sure that NOBODY can make any changes to the database except for the admin. I do not want anybody to be able to see the contents of the tables in the DB.

I know that these are very basic questions but I am just joining this community. Thanks in advance!

Oleg


osC has security in mind, but you can further it using SSL and .htaccess. Keep in mind, the ability to go directly to a file by typing in the name of it is different than being able to change it. Doing a search on .htaccess in this forum or others will show you how to put a good one together that will make your admin directory secure. Another recommended security change is to rename your admin directory to something less obvious (remember to make the necessary changes in includes/configure.php and admin/includes/configure.php).

The other things recommended are to delete the extras directory and to remove file_manager.php from your admin directory. You don't want to use the admin panel's filemanager anyway.

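An example of the kind of .htaccess rules the reply above refers to, written for this thread and not taken from osCommerce itself: it stops the directory listing and the readable .sql dump from the first post, and puts a password on the admin directory. The paths are assumptions, and the syntax is Apache 2.2 style (on Apache 2.4 without mod_access_compat, replace each Order/Deny pair with Require all denied).

```apache
# catalog/.htaccess  (assumed location: the store's web root; example, not an osCommerce file)

# No directory listings, so /catalog/images/ no longer shows every file it contains.
Options -Indexes

# Never serve SQL dumps over HTTP. Deleting mysql_catalog.sql from the web root
# after the install is still the better fix; this rule covers the case where it is left behind.
<FilesMatch "\.sql$">
    Order allow,deny
    Deny from all
</FilesMatch>

# configure.php holds the database credentials. PHP can still include() it,
# but a direct browser request for it is refused.
<Files "configure.php">
    Order allow,deny
    Deny from all
</Files>

# ---------------------------------------------------------------------------
# admin/.htaccess  (put this in the admin directory after renaming it, as the reply suggests)

AuthType Basic
AuthName "Store administration"
# The password file must live outside the web root; this path is a placeholder to adjust.
AuthUserFile /home/example/.htpasswd
Require valid-user
```

These rules only take effect if the host's Apache configuration sets AllowOverride to permit them; confirm by requesting the .sql file and the admin directory in a browser afterwards and checking that you get a 403 and a password prompt respectively.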


Thanks a lot for your reply. I will go and start working on it. We are planning to use Pay Pal for the order processing and it works that way, that the user enters all CC info on the Pay Pal page, so I am not worried about it, I am not even going to touch CC numbers. My biggest concern is somebody's ability to change pricing in the DB (say change a price to 1$) and order lots of items. But I am very happy to see lots of people using osCommerce and being very happy with it.

Thanks to all supporters/developers of Open Source software!
