How Secure is This?

  • Thread starter Thread starter Jonathan Wood
  • Start date Start date
J

Jonathan Wood

I've developing an online ordering system. However, in some cases, the order
will originate from another server. This means there needs to be a way to
securely passing the order information to my system.

Originally, I was going just pass the product ID. Then, my system can simply
look up the ID in the database. This is very secure because I read the data
straight from the database.

However, I see now that I need the ability to do a price override, where the
cost in addition to the product ID needs to be passed. This is more of a
problem as I don't want people creating their own Web pages that override
the price to 1 cent.

The way I'm thinking about doing this is by encrypting the data in a hidden
form variable. I haven't determine what encryption algorithm to use
yet--I'll probably just find something on the Web.

But this has me wondering: could a sophisticated user work around this? Is
there a better way?

Thanks.

Jonathan
 
Yes - all encryption can be cracked given enough time and resources...


The question you need to ask is how secure your app really needs to be.

What could realistically happen if it were hacked?

How much money could you / your client / your client's customers
realistically lose?

How much money will security cost you in development and testing time?

Security is a question of balance...
Click to expand...

Sure. Obviously, I'd like to add more security if it didn't require months
of development. So, for me, the question is: What, if any, is the next level
of security over the one I'm contemplating? From there, I could figure out
if it was worth it.

I ask because I don't really see how it could be made more secure without
losing security in other areas (for example, if the source site is allowed
to access my database directly, then I open myself up to abuse of that
privilege).

Thanks.

Jonathan
 
This is one of the primary reasons Web Services were created and why they
flourish.
You can restrict what sites can use them, can restrict which sites can get
access to which ones, can even restrict which sites have access to which
methods.
You then have a called method where you can perform logic to further test
the submitted data before calling your own database.

William
 
Yup. They sound great to me.

So many things to learn and so little time...

Jonathan
 
Back
Top