TOPIC: Pre Sale Question

Hi,
looks like quick seller matches my needs,
so I am about to purchase business edition
and integrate it end of next week.

Before I do that, here`s questions left:

1. If I understand it right, quick seller keeps selling goods
within public space and I consider it pretty insecure.

My current (discontinued) J1.5 shop is able
to deal per deafult with files outside public space.
Not sure, maybe because of setting an absolute path
to the files within the entire webspace.
How can this be done with quick seller ?


2. I am thinking about splitting up sales into 2 paypal accounts,
one for regular payments (above micro limit),
one for micro payments (within micro limit).

That means I have to define per item where to direct the paypal sales.
How can this be done with quick seller ?

And btw, after forum registration this happens to appear:
Error loading component: com_discussions, 1
but everything is working ok.

Hi Omkar,

1. I am not sure if I understand well, but if you are asking about if the files are accessible by public with direct urls, they are not, they are under a protected not accessible folder with a .htaccess "deny from all" directive.

2. You can use different accounts per button. Cart mode can't do it though, if you add items from different sellers it would sent payment to the first account only. This means you need standard version.

Thanks for reporting com_discussions issue, it was removed as insecure.

Let me know if you have other questions
Kind regards,
Deian

Hi Deian,

2. It`s ok, the paypal separation was an idea and I can live with one account.

1. Let me reply in general, so every reader understands it:

Whenever a file is placed within the public folder of your webspace,
commonly a root folder starting with /www/ or /html/
lets say in your /html/joomla/ installation, it becomes visible and accessible
for the internet, which means in potential for everybody else who is online.

You can protect direct linking with .htaccess, which is what you are doing,
but you cannot protect the file against direct access.
One kind of direct access is ftp for instance, but this is not the only one.

This is why there are so many efforts and tricks
to secure a file within this public root folder when needed,
but as long as the file resides there,
it remains visible and accessible for everybody who knows how to do it.

When a file on your webspace resides outside that public /www/ or /html/ folder,
you don`t need to do anything, because it is neither visible nor accessible.

I.e. my current shop sends purchased files from a "files" folder
outside the public /www/ or /html/ space.
The individual selling items are directed to this folder via absolute path.

This is the point where it makes sense to protect the direct linking.
You basically protect the linking adress not to be shown to the buyer,
so nobody knows where your non public "files" folder is.

So, .htaccess direct linking proection makes sense
when files are outside the public folder,
when you don`t want to showcase the file`s webspace adress
and you don`t allow direct access.

But your .htaccess direct linking proection is only a partial solution
when a file is within a public folder,
because it is already visible and accessible per se.
It is like trying to hide the adress to the buyer,
but everybody else can see and access it.

There are people with proper search tools
who are doing nothing else but scanning this public folders
and grab whatever it`s there.

If they don`t get what they want online,
they simply mirror the entire public folder and all its content on the hard drive.

Now, even if only some profis can bypass all the known tricks,
the problem is, once your files has been leeched,
they are going for free into the public sharing networks.

That means not only one successful leecher is not going to pay for it,
but millions who are connected to those sharing networks and you are doomed.

Just to mention it, the .htaccess file or your selling itms
can be manipulated in whatever direction once the folder is accessed.

I am sorry for the long reading, but I think this issue
has not been taken seriously enough
and most people are even not aware of it.

This is the only backdraw I see on your product
and I`ll have to think about it.
Otherwise, it is well designed and matches everything else.

Hi Omkar,

deny from all

completely denies any access to the files, even if they know the exact filenames, it's not just preventing indexing, it's preventing downloads via direct access.

Thanks!

P.S. If you still feel it's insecure though, you can move the uploads folder to be outside of the public_html directory, it will still work.

Cheers!

admin wrote:
Ah, now we are talking ...

I`ve watched your tutorials again and checked the screenshots,
but failed to find a demonstration on how to setup the upload path.

I can see a predefined upload path within the public root folder,
but no settings on this.

Can you direct me to a document or video
where the upload path settings can be defined ?

Here it is mate