It's not accessing the directory that is the problem. Protecting the directory is not at issue. What is the problem are those who know the scripts, know how they are configured and the file names with critical information, who then find one, an easy thing, and then attempt a crack. If one can call the file, one can access the customer information. If one can sniff a data string, one can grab the customer info including bank account numbers, passwords, mummy's maiden name, addresses, phone numbers, SS and CC numbers. But, if so well protected that the customer cannot input the information in the first place, they can't buy anything. Now I know that if using tricky file sets and fixing the pointers, one can make it pretty much foolproof, but I don't have the time nor inclination to rewrite and troubleshoot every shopping cart a client decides they like.
Shopping carts are my biggest bane. I hate them with a purple passion...because most of the time, regardless of how well they are supposedly protected, I can myself, who is NOT a wiz at this stuff, figure out a way to crack them open from surf side. Hell, I am an artist and .html coder. Husband grasps cgi, perl, and C . But I'm the one who winds up doing it all because HE is typical of coders: lazy. Steve, our degreed hired gun who configures the damned things is a whiz at this stuff but I can still crack most of them from surf side, which of course drives him crazy. He tells me I just have a talent for finding strange hidden openings no-one would ever think of. I don't believe that for a moment. So it comes down to hoping the code originator has locked the thing up well. In most cases they haven't. In most cases, it is a matter of having to fuss with the damned code so much, it would have been better to just put up an order form that splits off the CC number and writes to a protected file that one accesses via FTP or utilizes a .bat function to pull down. But this is NOT what customers want. They want a shopping cart. And if they have a big inventory, that is the only way to go.
Now, for the record, we have never had a cart hacked, but, like I said, IF I CAN DO IT, so can someone else.
And SSL, in my opinion, is a laugh. I've gone over to nice, top of the line shopping sites, no names mentioned, and sat outside them and pulled anything I might need were I dishonest to max out someone's CC account. Encryption? Only if it is done PGP and getting a client to comprehend that function is like trying to get a pig to grasp algebra. Most of them can't figure out how to do email, yet they want an online store.
Now, maybe I'm all wet here. I've been playing with this stuff for 7 years, 18 hours a day, and I have yet to find THE SOLUTION that will finally make my life easy. So if you know of a foolproof, iced NICE shopping cart, NOT MIVA which is a total AH of a program and dysfunctional for customer use, please advise. And don't say Agora, because Agora does not work on DH, and neither do quite a few others.
Is my frustration showing? Sorry.
zentao web design, graphic art and design at www.zentao.com
zentao7, Gallery of Artists and Speculative Novel Writers Groups