|
|
Posted by Jerry Stuckle on 03/02/07 02:50
Michael Vilain wrote:
> In article <1172784801.571566.193560@31g2000cwt.googlegroups.com>,
> "C." <colin.mckinnon@gmail.com> wrote:
>
>> On 1 Mar, 05:35, Michael Vilain <vil...@spamcop.net> wrote:
>>> I setup credit card charging with a combination of php and perl. It's
>>> running on a shared server, so I had to use a protected perl script with
>>> the constants like passwords and hash keys in the script. The script is
>>> run by CGIwrap under my account's UID rather than as the web server's
>>> UID.
>>>
>> I can't imagine what problem this sensibly solves. What is a
>> 'protected' perl script? I assume you mean with different permissions
>> on ownership, and running under a different uid. If the POST is
>> initiated by the CC handler, then there's no need to store passwords
>> in order to receive it.
>
> In the shared environment of my ISP, all the web pages must be readable
> by the web server. In order for a file containing passwords etc. to be
> protected from other users with shell access, I had to set permissions
> to rwx------. The web server would not be able to "see" that page and
> would report a "forbidden" return code if it were run as a web page. By
> placing the perl script in my cgi-bin and setting it's permissions to
> 700, it could only be run by the ISP's CGIwrap package as my UID, thus
> allowing it to be "seen" by the web browser.
>
> http://cgiwrap.sourceforge.net/
>
>>> Perl seems to be suited to do SSL submissions to authorize.net, receive,
>>> and process their reply.
>> Why?
>
> Not sure what you're asking here. All I can say is that the code to
> open the SSL connection and send the payment info to authorize.net's
> processor site was very straightforward (LWP::UserAgent CPAN module).
> The result of the connection is the information returned as a binary
> array. I just parse it and display the OK or credit card failure page
> accordingly.
>
> Of course, YMMV. I just couldn't see how to code PHP to connect to a
> SSL web site, submit a POST request, and process the result. I'm sure
> it could be done, but then I'd have to embed passwords which others
> could read. If PHP were offered as a CGI scripting language, then I
> would have tried it. But my ISP didn't offer that option.
>
You should have checked out CURL.
And no, if your webserver is set up properly, other users (with the
exception of sysadmins) would not be able to read your files - even
though the webserver could. Unlike Perl, PHP doesn't need to be set up
as a CGI for this level of security.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
Navigation:
[Reply to this message]
|