How to Stop Digital Thieves with CGI
By: Developer Shed
    2004-01-29

    by Steve Humphrey

    I'm going to assume you're serious about your business. If you're not, I can't help you anyway. You've gone as far as getting a real merchant account to accept credit card payments online.

    You know that this was neither easy nor cheap. So does everyone else! So, a merchant account shows that you've made a serious commitment to your business. That's good for customer confidence, which is good for business. So far so good...

    Now there's the issue of selling stuff to people online. Your order form leads them to feed their credit card info to a secure gateway, using software you bought or leased from (or through) your merchant account provider. Finally, the transaction is approved or denied.

    If approved, the software generates a receipt and emails you and the customer each a copy. At this point, the customer is returned to a page you specified. In the case of downloadable products, this is often the page where they download your product. So, you've got the entire process fully automated.

    For a product or service with a fairly low price point and a potential for many thousands of sales, this seems ideal. You can quite literally make sales and earn income 24 hours a day. So, what's the problem?

    The form code on your order page is the problem. If someone uses the View Source function of their browser, they can see all your code. If they have even a tiny bit of initiative and skill, they can locate the URL of your download page. After all, it's right there in your form code!

    CGI provides two ways of fixing this problem. One involves using a script that makes it impossible to view the source code. You can find a source for such a script by searching the web. Expect to pay a lot for this technology.

    Another way is to make the return path a script instead of the actual download location. The script would be used to create and display the download page. It would not be visible to the surfer, since it's not an HTML document. The script can also record details of the transaction for book-keeping purposes.

    I admit that I discovered this by trial and error - and a lucky guess or two. Your merchant account gateway software may have radically different behavior than mine, but here's what I've learned:

    The gateway uses the POST method to send the customer to your specified return URL (which can be a script as well as a web page). It also POSTs most of its input data items at the same time. They are usually ignored, but your script can read them if you want to!

    Use the names given to the form inputs. Have your script extract the values of these "named parameters" at the time it creates the download page. Record what you want to save about the transaction in your orders file or database.

    Now here's the real secret to foiling the thieves. Inside the script, check to see that the variables you extract contain non-empty values. Did you get that? Here's an example:

    if (
    In this example, the script expects to get an email address. If it contains no characters, the script quits instantly. By testing for the presence of some data in such fields as customer name, email address, item #, price, etc., you can tell whether the script was called after a successful transaction - or by a thief...

    Put all your security checks prior to the code that creates the download page. If any test fails, the script exits and the thief is left empty-handed. If your form-handling script can convert a product name to a product ID that's never visible to a browser, this provides even more security. This will be POSTed back to the script and you can check for it before allowing the download.
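A sketch of such a return-URL handler, added here as an example and not taken from the article or from any gateway's software. The field names, product table, secret and file path are all hypothetical. It goes one step beyond the article: a non-empty field shows only that something was supplied, not who supplied it, so the handler also verifies a keyed token that the form-handling script is assumed to attach to the order.

```python
import hashlib
import hmac
from urllib.parse import parse_qs

# Hypothetical names: the real field names depend on your gateway and order form.
REQUIRED = ("name", "email", "item", "price", "product_id", "token")
# Constructed sample data: server-side product table, never sent to the browser.
PRODUCTS = {"P-7f3a": ("Sample E-book", "/files/sample-ebook.zip")}
SECRET = b"replace-with-a-long-random-server-side-secret"


def order_token(product_id: str, email: str, price: str) -> str:
    """Token the form-handling script attaches before handing off to the gateway."""
    msg = "|".join((product_id, email, price)).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def handle_return(method: str, body: bytes):
    """Return (status, page). Every check runs before the download page is built."""
    if method != "POST":
        return 405, "Method not allowed"
    fields = parse_qs(body.decode("utf-8", "replace"))  # drops blank values
    form = {k: v[0].strip() for k, v in fields.items()}
    # The article's check: each expected field must be present and non-empty.
    if any(not form.get(f) for f in REQUIRED):
        return 403, "Forbidden"
    # The product ID is resolved server-side; unknown IDs stop here.
    product = PRODUCTS.get(form["product_id"])
    if product is None:
        return 403, "Forbidden"
    # Added beyond the article: the token must match the posted order fields.
    expected = order_token(form["product_id"], form["email"], form["price"])
    if not hmac.compare_digest(expected.encode(), form["token"].encode()):
        return 403, "Forbidden"
    title, path = product
    # Record the transaction (orders file or database) here, before responding.
    return 200, f'<h1>Thank you</h1><p><a href="{path}">Download {title}</a></p>'
```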

    Close these security holes and you'll make more money. You may even sleep a little better knowing that people can't steal that product you worked so hard to create. I know I do!

    --------------------------------------------------------------------------------
    Steve Humphrey promises that you can learn to use CGI to turn your own website into a marketing machine in two hours or less with his excellent CGI learning system: "Learn to Use CGI in 2 Hours." We highly recommend this book as required reading for anyone who wants to automate their website or their marketing efforts. Click here for immediate access: http://www.roibot.com/tk cgi2h.cgi?cgiAV2b