Can shopping carts be safely implemented on shared hosting?
What are some of the best practices, limitations, and concerns when implementing shopping carts on shared hosting?
Can shopping carts be safely implemented on shared hosting?
I think the short answer is:
YES
although, to be honest, there does NOT exist such a thing as truly safe. When you do bank transactions there is even a risk (a very small one). Or if you fly in a plane, there is the probability it can crash. But the odds are going to be extremely small if you do it correctly. Also, if you use a solid payment gateway, your transactions are going to be refunded if there was some sort of problem.
I think it can be if:
- I think this is the most important part: you trust (know they care about security) your shared hosting. I, for example, would trust Google's App Engine to be safe and would recommend using it.
- Use SSL to make sure your HTTP connection is safe. Google's App Engine has you covered here too, but there are more shared hosting providers who offer SSL.
- You don't do the payment yourself, but use a proper payment gateway like, for example, Paypal.
- Don't store the passwords in your database, but use federated login like, for example, OpenID (lightopenid is a very easy library), Facebook Connect, Twitter single sign-in, etc.
- Have CSRF protection in place.
- Have XSS protection in place. On PHP, make sure filter has been configured properly.
- Have measures against SQL injection. I would advise using PDO.
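The last three items of the answer (CSRF protection, XSS protection, parameterized SQL) are the parts that live entirely in your own code, whatever the host does. The block below is an added example, not code from the answer or from any of the libraries it names; it is written in Python with the standard library (sqlite3, hmac, html, secrets) so it runs offline, and the PHP equivalent of the parameterized query is a PDO prepared statement. The product table, the order table, the session dict and the injection payload are all constructed for the demonstration.

```python
"""Added example: CSRF token check, parameterized SQL, and HTML escaping
on a toy 'add to cart' handler. Python stand-in for the PHP/PDO setup the
answer describes; all names and sample data are constructed."""
import hmac
import html
import secrets
import sqlite3

# --- CSRF: one random token per session, compared in constant time ---------
def issue_csrf_token(session):
    """Store a fresh random token in the session and return it for the form."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token

def csrf_token_valid(session, submitted):
    """Reject a POST whose token is missing or does not match the session's."""
    expected = session.get("csrf_token")
    if not expected or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())

# --- SQL injection: string-built query beside the parameterized one --------
def make_db():
    """Constructed sample catalogue (not real data)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (sku TEXT PRIMARY KEY, price_cents INTEGER);
        INSERT INTO products VALUES ('mug', 1200), ('shirt', 2500);
    """)
    return db

def lookup_price_vulnerable(db, sku):
    """Deliberately vulnerable: user input is spliced into the SQL text.
    sku = "' OR 1=1 --" becomes  WHERE sku = '' OR 1=1 --'  and returns
    every row; the trailing quote is swallowed by the -- comment."""
    sql = "SELECT sku, price_cents FROM products WHERE sku = '" + sku + "'"
    return db.execute(sql).fetchall()

def lookup_price_safe(db, sku):
    """Parameterized (PDO prepared statement in PHP): the driver binds the
    value, so quotes inside it are plain data and the payload matches nothing."""
    return db.execute(
        "SELECT sku, price_cents FROM products WHERE sku = ?", (sku,)
    ).fetchall()

# --- XSS: escape anything user-controlled before it reaches HTML ------------
def render_cart_row(sku, qty):
    """Escape the SKU (including quotes); qty is coerced to int so it
    cannot carry markup."""
    return "<tr><td>%s</td><td>%d</td></tr>" % (html.escape(sku, quote=True), int(qty))

# --- The 'add to cart' POST handler using all three controls ---------------
def add_to_cart(db, session, form):
    """Return (status, body). Refuses CSRF failures and unknown SKUs."""
    if not csrf_token_valid(session, form.get("csrf_token")):
        return 403, "bad csrf token"
    sku = form.get("sku", "")
    if not lookup_price_safe(db, sku):
        return 404, "no such product"
    cart = session.setdefault("cart", {})
    cart[sku] = cart.get(sku, 0) + 1
    body = "".join(render_cart_row(s, q) for s, q in cart.items())
    return 200, body

if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 --"                       # constructed injection input
    print("vulnerable:", lookup_price_vulnerable(db, payload))   # both rows
    print("safe:      ", lookup_price_safe(db, payload))         # []
    session = {}
    token = issue_csrf_token(session)
    print(add_to_cart(db, session, {"csrf_token": token, "sku": "mug"}))  # 200
    print(add_to_cart(db, session, {"sku": "mug"}))                      # 403
```

Two design points worth keeping when you port this: the token comparison uses `hmac.compare_digest` rather than `==` so a timing difference cannot leak the token, and escaping happens at the point of output (`render_cart_row`), not at input time, so the stored SKU stays raw and is escaped correctly for whichever context renders it.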
I would say you probably could make a shopping cart secure on a shared host. You'll want to come up with a good way to encrypt all personal data, and better yet, store as little personal data as possible.
The problem with shared hosting, always, is whether you can trust the other developers to properly secure their code. From a technology standpoint, there is no reason why it cannot be safely implemented. However, from a security perspective, it's definitely a red flag.
Hackers will first attempt to find vulnerabilities in your code. Even if you are super-secure and impenetrable, they can easily obtain information about other sites using the same IP address. Then they can attempt to hack those sites to gain access to your database (because it's probably a shared database server).
If you are doing anything that involves social security numbers, credit checks, payments, etc., you should TRY to use dedicated hosting.
In summary - from a technical standpoint (runtime and optimization), it's fine. From a security standpoint, it poses a potential problem.
Depending upon how concerned you are, you might want to set up your own VPS. At least then you can lock it down the way you want. Plus, the speed difference is usually pretty nice.