PHP developers - quotes needed...

[kayemdesign]

Hi Guys

Im looking for a PHP developer to help me with a project that has been given the go-ahead yesterday. I will be building the main site but need help with a secure area for my client to post files for download by her clients. What I need is....

A secure area built where client of my customer can login and access documents posted up by my customer. She is an accountant and wants to be able to post up excel spreadsheets to a secure area where her clients can login and download them. It MUST be secure as there will be sensitive account data being served from within the secure area.

So in summary what I need:

1) A secure login system with password username.
2) Once logged in user will go to their own area to download spreadsheets and other files/documents
3) A Password reminder facility
4) Ability for my customer to manage their clients accounts (i.e. create/delete/amend)
5) Must be secure.
6) PHP/MySQL prefered as hosting is on Linux box

The main site I will be doing so this just needs to 'bolt-on' to the main site. It will be accessed via a login box on the home page.

If you need any more info please feel free to call me on 07917 831303. This needs to be done within the next two-three weeks.

Feel free to email me info[at]kayemdesign.co.uk with any questions.

Cheers

Steve

[braindump]

What strength of security are you looking for?

Just username/password validation or is it something that would require 40 or 128-bit SSL server certificates?

[seiretto]

Hi Steve,

Try this:
http://www.dwalker.co.uk/phpautomembersarea/

It covers all your 6 summary points, and you can test and integrate it free.

If you find its what you need then registration is just £19.99 per year.

[Martin]

Little bit of advice, remember the actual security of the server in all aspects when dealing with important data... Having a secure web application is just one part.

It can all be circumvented if a hole is exploitable... 4 vulnerabilities have been found in the software of the Apache Foundation and 8 possible vulnerabilites have been found regarding PHP and it's modules this year alone. (So thats in 16 Days)

[kayemdesign]

Quote:

Originally posted by Martin
Little bit of advice, remember the actual security of the server in all aspects when dealing with important data... Having a secure web application is just one part.

It can all be circumvented if a hole is exploitable... 4 vulnerabilities have been found in the software of the Apache Foundation and 8 possible vulnerabilites have been found regarding PHP and it's modules this year alone. (So thats in 16 Days)

Thanks Martin, well worth considering. Any recommendations for reliable and SECURE hosts? My combination of Apache/MySQL may not be bullet proof enough.

Thanks

Steve

[openmind]

The problem you have is that the only way you will be able to get close to a 100% guaranteed secure server is to run your own dedicated box that you patch and secure yourself.

Shared hosting by it's very nature will increase the risk even if the host has correctly patched and secured the box for all the accounts...

[Martin]

Quote:

Originally posted by openmind
The problem you have is that the only way you will be able to get close to a 100% guaranteed secure server is to run your own dedicated box that you patch and secure yourself.

Shared hosting by it's very nature will increase the risk even if the host has correctly patched and secured the box for all the accounts...

Yep, bang on the money...

Server security is an ongoing process, today secure, tomorrow exploitable.

Using shared servers means loads of people potentially have access to your files because of custom programming, extra accounts, stupid administrators etc etc The more you allow the user to do, like run there own scripts, the bigger the security problem.

If you have a dedicated server, then no one else is using it, and as such a bit more secure... But then you need to know how to secure that box yourself, or have someone who does and then employ them to keep a check on it. Such as performing security tests, and patching / upgrading checks ... On top of that is loads of log file checking, like banks if someone knows it contains sensitive data some ****** will try break in. All this on a daily basis...

It's not cheap... but it's the price you pay for real security and you need to way up to what the data your securing is worth.

For example, you could use PGP (Cheapest way I'd say to do this) to encrypt the files, but then you need to educate everyone who will use the files how to open/decrypt which could prove a problem. (And how to store the data on their own PC's without it being stolen.)

In truth, everyone here running E-Commerce websites should be taking this onboard but it's often overlooked.

It's a massive subject..... and I wouldnt like to suggest a host because in truth I don't really know them.... (personally)

[Martin]

Quote:

Originally posted by Martin

It's a massive subject..... and I wouldnt like to suggest a host because in truth I don't really know them.... (personally)

I shouldn't quote myself, but in the previous post I quoted Phil! Who out of every Web Host I know of, is the only one we all talk to daily, so if you want a recommendation.... There you go