
Is it safe to give files and a database backup to a professional?


Jumpfree


Hi everyone
I'm hiring a professional to make an upgrade of my osCommerce. He told me that he can create a test copy on his server.
Is it safe to give him a copy of the actual FTP files and database backup?

Are there any sensitive pieces of information that he can use to attack my current or future installation?

Thanks


@Jumpfree

It all depends on how much you want him (or her) to do, or for you to do yourself.

Many developers will create the site for you, convert the database, install it all on your host's server, and test everything. Obviously, they will have to have full access to your site and your data. If you go this route, it would be wise to create a new admin name and password for you *after* the site is up and running, and then disable their Admin account. You may want to keep their account available in case you want them to do more work for you in the future (or, you could create another temporary account when needed).

Or, if you prefer, you can hire someone to *just* build your site for you. Then, it's your responsibility to convert your database, and install and test everything yourself.

Malcolm


If this professional is a known name from this Forum, you should have no problem.

Look at their feedback:

https://www.oscommerce.com/forums/forum/99-developer-feedback/

If they do not have a feedback thread, ask yourself "why not".

Look at their posts:

Do they help other people out?  That's good.
Do they ask loads of dumb questions?  That's not good.


To answer your question: as soon as you share anything with anyone, it becomes less secure.


4 minutes ago, ArtcoInc said:

@Jumpfree

Thanks both for your comments, but in my answer I'm asking: "Is it safe to give files and a database backup to a professional?"...
I need to know if in those files there is any information that can be used in a fraudulent way, such as passwords, bank keys or other... And if yes: can I modify those files before sharing them with that professional?

Thanks 



@Jumpfree

Asked and answered ...

15 minutes ago, ArtcoInc said:

Or, if you prefer, you can hire someone to *just* build your site for you. Then, it's your responsibility to convert your database, and install and test everything yourself.

Anything else you have them do for you, you're giving them access to things. And remember, they don't have to wait until your site is finished to steal from you ...

IMHO


@Jumpfree

7 minutes ago, Jumpfree said:

I need to know if in those files there is any information that can be used in a fraudulent way, such as passwords, bank keys or other... And if yes: can I modify those files before sharing them with that professional?

If you are giving them a copy of your database, you're giving them access to all of your customers, what they've bought, when, etc. Not knowing the industry you are in, is that information valuable to anyone else?


As with any business dealing involving sensitive data or access, you want to have a good feeling about the honesty of the other party. Having a physical signed contract spelling out what they can do with information is better than an oral agreement. Having them physically close enough that you can afford to take them to court if they break this agreement is better than having someone on the other side of the world.

If they intend to defraud you, there's not much you can do up front if you need to give them a working site. You should change all passwords associated with your site and osC installation after they're done, to deny them any access. You may not be able to change bank keys or other financial access codes, but at least you can talk with your bank about what's possible, and how to be on the lookout for signs that they've stolen financial data. You shouldn't have anyone's credit card information on your site (PCI-DSS compliance). Ask the worker if they will need live financial access (bank keys, etc.) for their work -- if not, change them before handing over the site (or data), and change them back when you take back the site. If they're merely making a pretty theme, they probably don't need sensitive data.


Just now, ArtcoInc said:

@Jumpfree

If you are giving them a copy of your database, you're giving them access to all of your customers, what they've bought, when, etc. Not knowing the industry you are in, is that information valuable to anyone else?

Thanks Malcolm, yes of course customer information is important, but in my case it's not sensitive information; I sell common products, and in the worst scenario I suppose the customers could be used for mail spamming...

I'm just realizing that in config.php there is information about the database name and password: maybe I can delete that information...

And I'm thinking about the bank encryption code SHA256 visible in the front-end: do you think it can be used in a wrong way?
Thanks


@Jumpfree

6 minutes ago, Jumpfree said:

I'm just realizing that in config.php there is information about the database name and password: maybe I can delete that information...

If your developer is testing your new site on their server, they are going to have their own database, and hence their own database name, user name, and password. They won't need yours to build your site on their machine, nor to convert your database.

*IF* you want them to install and test the finished site on your host's server, then they will have to have that access. While you probably can't/won't be able to change the database name or user name, you definitely can (and should!) change the database password after the site is up and running.

8 minutes ago, Jumpfree said:

And I'm thinking about the bank encryption code SHA256 visible in the front-end: do you think it can be used in a wrong way?

Don't know ...

Malcolm


Hello Juan @Jumpfree,

I think the important point is what Gary pointed out.

If you hire a developer who has built up a well known reputation at least in this forum, you will be safe.

It's not easy and it is slow to get it, but easy and fast to lose it. No serious developer who wants to continue working will risk spoiling his reputation.


Thanks to all recommending hiring a well-reputed professional, but he is already hired and my answer is not about the way to hire; I trust him, but I prefer to know which information I'm really giving to him.
Please, if you want to help me, try to answer my doubt about which information is shared with him if I give him the FTP files and a database backup...

Is it enough, in your opinion?
- Delete the database name and password in config.php
- Can the bank encryption code SHA256 visible in the front-end be used in a fraudulent way?
- Any other information that I can delete in the files or backups

Thanks


Do what you think is right, ensuring data privacy for your existing clients.  

Data is the most important thing you have in your site.  Protect it.

Please don't again ask "how".  It should be obvious that he does not need your customer data or order data.


5 hours ago, Jumpfree said:

Thanks to all recommending hiring a well-reputed professional, but he is already hired and my answer is not about the way to hire; I trust him, but I prefer to know which information I'm really giving to him.
Please, if you want to help me, try to answer my doubt about which information is shared with him if I give him the FTP files and a database backup...

I think the point others tried to make is that at some point, you have to trust the person you are working with. If you do, then what you give him probably doesn't matter.

But as far as what you give him, assuming the files and database are to be stored on his server and not yours, then you should remove the login parts of the two configure file. Leave the rest in those files since they may contain specific things for your shop.  Unless you have some code specific to your shop with login details, that is all you need to remove from the files. For the database, you can empty the data from the address_book, customers and orders table. Just remove the data, not the structure. Once all of that is done, he will be able to create a copy of your site but not have anything he can use, though as mentioned, I can't imagine a legitimate developer doing that.


Thanks @Burt, @Jack_mcs and all contributors...

Any more opinions on the bank encryption code SHA256 that is visible in the front-end in the payment module? Is that information (such as the "encryption key") sensitive and vulnerable?

Thanks again


Do they need the Bank encryption code for whatever they're working on? If not, let them work on a copy of the site (test directory) where you have removed/dummied-out the code. If their work needs a live code (and/or can't use a test system), you'll just have to trust them to Do the Right Thing. Talk to your bank about the possibility of changing the encryption code after the work is done, so they can't steal from you in the future.


19 hours ago, MrPhil said:

Do they need the Bank encryption code for whatever they're working on? If not, let them work on a copy of the site (test directory) where you have removed/dummied-out the code. If their work needs a live code (and/or can't use a test system), you'll just have to trust them to Do the Right Thing. Talk to your bank about the possibility of changing the encryption code after the work is done, so they can't steal from you in the future.

Thanks MrPhil
Right now I'm giving them an FTP backup and an SQL backup (cleared of sensitive customer data).
But I can't find a way to clear the bank data from those backups...
Does anyone know where the bank information (such as the encryption code SHA256, etc.) is stored? In the database I can't see anything related to that info, nor in the FTP files...
Thanks


If it's entered in the payment module setup, it should be stored in the "configuration" table of your database

otherwise, but unlikely, it could be in the language file of the payment module

or look in the payment module folder in: ext/modules/payment/your payment module name/

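Jack_mcs's sanitising steps earlier in the thread (blank the login parts of configure.php; empty address_book, customers and orders but keep the table structure) together with the last reply's pointer to the configuration table, carried out as an added example that is not code from osCommerce or from anyone in this thread. It runs on constructed sample text standing in for includes/configure.php and a mysqldump file; the MODULE_PAYMENT_ key prefix, the REPLACE_ME placeholder and the one-INSERT-per-line dump layout are assumptions.

```python
import re

# Constructed sample inputs standing in for includes/configure.php and a mysqldump file.
CONFIGURE_PHP = """<?php
define('HTTP_SERVER', 'https://shop.example');
define('DB_SERVER', 'localhost');
define('DB_SERVER_USERNAME', 'shopuser');
define('DB_SERVER_PASSWORD', 's3cret');
define('DB_DATABASE', 'shopdb');
"""
SQL_DUMP = """CREATE TABLE `customers` (`customers_id` int NOT NULL, `customers_email_address` varchar(255));
INSERT INTO `customers` VALUES (1,'ann@example.org');
CREATE TABLE `products` (`products_id` int NOT NULL, `products_model` varchar(12));
INSERT INTO `products` VALUES (7,'MUG-01');
INSERT INTO `configuration` VALUES (3,'Bank key','MODULE_PAYMENT_DEMO_SHA_KEY','abc123',6);
INSERT INTO `configuration` VALUES (4,'Store Name','STORE_NAME','My Shop',1);
"""

# configure.php constants holding the login parts (real osCommerce constant names).
LOGIN_CONSTANTS = ("DB_SERVER_USERNAME", "DB_SERVER_PASSWORD", "DB_DATABASE")
# Tables whose rows are dropped; their CREATE TABLE statements are kept.
PERSONAL_TABLES = ("address_book", "customers", "orders")
# Assumed: payment-module settings in the configuration table use this key prefix.
PAYMENT_PREFIX = "MODULE_PAYMENT_"
PLACEHOLDER = "REPLACE_ME"


def scrub_configure(php: str) -> str:
    """Replace the value of each login constant with PLACEHOLDER, leave the rest intact."""
    for name in LOGIN_CONSTANTS:
        php = re.sub(r"(define\('%s',\s*')[^']*(')" % name,
                     r"\g<1>" + PLACEHOLDER + r"\2", php)
    return php


def scrub_dump(dump: str) -> str:
    """Drop personal rows and blank payment-module values; keep structure and shop data."""
    kept = []
    for line in dump.splitlines():
        m = re.match(r"INSERT INTO `(\w+)`", line)
        table = m.group(1) if m else None
        if table in PERSONAL_TABLES:
            continue  # row data removed, CREATE TABLE untouched
        if table == "configuration" and PAYMENT_PREFIX in line:
            # In a dump row the key column is followed by its value column.
            line = re.sub(r"('%s\w*',)'[^']*'" % PAYMENT_PREFIX,
                          r"\g<1>'" + PLACEHOLDER + "'", line)
        kept.append(line)
    return "\n".join(kept) + "\n"


def leftovers(sanitised: str, secrets) -> list:
    """Check step: list any original secret string that survived scrubbing."""
    return [s for s in secrets if s in sanitised]
```

Run leftovers() on the real sanitised files with the real credentials and key before uploading; the regexes assume single-quoted values without escaped quotes, so read the output rather than trusting it blindly.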
