-
March 17th, 2004, 12:35 AM
#1
Application or script?
A little background information:
I'm in a class called senior project, which is a 15 week IT solution for a real company.
The project I'm working on is a secure web page for a "middle man" loan company which allows third party credit companies to bid on loan applications. For this project my thought was to have an admin. login on the server (hosting outside of the company) to allow the basics: adding, deleting, changing records, etc. One of my teammates suggested that we write a client application which would connect to the database to allow these functions. He felt that having the admin access restricted to the company's computer with this application would provide better security. I felt we should focus our efforts on creating a secure login on the server itself rather than an application outside of the server.
Any thoughts or suggestions?
A mind full of questions has no room for answers 
-
March 17th, 2004, 07:13 AM
#2
I would definitely stick to just doing a secure login on the server itself. If the only argument for building a client application is that you could set the IP, that's not much of an argument. With the use of sessions and IP ID'ing of the headers sent by the client machine to the server, you could easily detect the IP of the client machine connecting. I would also believe that, since the company wants a web solution, they don't want to have to be limited to just one machine.
You can definitely make a secure login via a webpage if the proper precautions and input validation/session management are taken.
If I were to build this application, I would combine PHP and MySQL together to form the input/output/admin login/data storage etc etc.
The beauty of the web is that I can make a bid anywhere, not just where I have the client application installed.
Sounds like a great senior project. Have fun with it.
xmad
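One way to keep the admin menu on the web server while still limiting it to the office network, as discussed in this thread. This is an added example, not code from any poster; the function names, the office address range and the demo account are assumptions made up for illustration.

```php
<?php
declare(strict_types=1);

// Constructed value: the office's public range (documentation block TEST-NET-3).
const OFFICE_NETS = ['203.0.113.0/28'];

/** True when IPv4 address $ip lies inside the CIDR block $cidr. */
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipL = ip2long($ip);
    $netL = ip2long($net);
    $bits = (int) $bits;
    if ($ipL === false || $netL === false || $bits < 0 || $bits > 32) {
        return false;
    }
    $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipL & $mask) === ($netL & $mask);
}

/** Admin gate: check the source address first, then the credentials. */
function admin_login(string $remoteAddr, string $user, string $pass, array $users): bool
{
    $fromOffice = false;
    foreach (OFFICE_NETS as $cidr) {
        $fromOffice = $fromOffice || ip_in_cidr($remoteAddr, $cidr);
    }
    $hash = $users[$user] ?? null;
    if (!$fromOffice || $hash === null || !password_verify($pass, $hash)) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);      // fresh session id after login (anti-fixation)
        $_SESSION['admin'] = $user;
        $_SESSION['ip'] = $remoteAddr;    // later requests can be compared against this
    }
    return true;
}

// In the real admin script (assumption: $users comes from the MySQL users table):
//   session_start();
//   admin_login($_SERVER['REMOTE_ADDR'], $_POST['user'] ?? '', $_POST['pass'] ?? '', $users);
// REMOTE_ADDR comes from the TCP connection; X-Forwarded-For and similar headers are client-supplied.

// Constructed demo account and addresses, so the file runs offline from the CLI.
$users = ['admin' => password_hash('constructed-demo-password', PASSWORD_DEFAULT)];
var_dump(admin_login('203.0.113.5', 'admin', 'constructed-demo-password', $users));
var_dump(admin_login('198.51.100.7', 'admin', 'constructed-demo-password', $users));
```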
-
March 17th, 2004, 10:44 PM
#3
If I were to build this application, I would combine PHP and MySQL together to form the input/output/admin login/data storage etc etc.
Great minds think alike 
We've decided to use PHP and MySQL for this project w/out a doubt. But my teammate wants to build a client application (used ONLY for admin. functions, the bid system will be PHP) in VB.NET.
His view on the subject is that he feels uncomfortable having an admin. menu on the internet and thinks that it would be safer if the admin. functions were only accessible at the office computer.
If anyone has anything to say which can help me put him at ease, please help me out.
A mind full of questions has no room for answers 
-
March 18th, 2004, 11:19 PM
#4
We have reached a solution that makes us all happy 
A client application that allows for daily admin. access such as submitting applications and transmitting them into the database, and a server script for less often admin access such as creating users.
A mind full of questions has no room for answers 
-
March 19th, 2004, 06:52 AM
#5
That sounds good, but I still don't know why you wouldn't just do it all over the net. A secure logon for a web connection is really not that hard to do if the proper checks and balances are taken. I write all my PHP code from scratch so that I can guarantee security.
You should look into the book Secure PHP Development by Mohammed J. Kabir.
ISBN: 0-7645-4966-9
It has lots of good tips and tricks for ensuring proper user authentication techniques.
But in any case... GOOD LUCK!

xmad
-
March 19th, 2004, 07:57 PM
#6
I still don't know why you wouldn't just do it all over the net
Because the applications are taken by the client application, a user could work on an offline computer and update the database when a connection is made. I agree that we don't NEED the client application, but with this solution everyone is happy 
You should look into the book Secure PHP Development by Mohammed J. Kabir
Thank you for the resource
-
March 19th, 2004, 10:58 PM
#7
Because the applications are taken by the client application, a user could work on an offline computer and update the database when a connection is made.
That answers that question nicely. 
Good luck with it.
xmad
-
March 31st, 2004, 06:40 PM
#8
I've met with the company I'm working for on this project and after seeing the direction we've taken they have expressed interest in selling our system to other credit companies.
You should look into the book Secure PHP Development by Mohammed J. Kabir.
ISBN: 0-7645-4966-9
It has lots of good tips and tricks for ensuring proper user authentication techniques
It also has a lot of useful information on making scripts more portable.
for (x = 1 to 1000)
{
cout << thank you!
}
A mind full of questions has no room for answers 