May 23, 2003 at 1:45 pm
Sorry for the basic question, but I was wondering if you could run IIS and MS SQL Server on the same box with ColdFusion Server? Am I asking for trouble?
I am a CF programmer that has used MS Access and I would like to upsize and go more to an Enterprise level.
Thanks,
Scooter
May 23, 2003 at 2:35 pm
Sure - I am sure you have already considered the performance and security issues. But as far as technology - no problem.
Guarddata-
May 23, 2003 at 3:17 pm
I would love to say that I have considered all that, but the truth is I have used Access on the same machine and just figured SQL would be better. By better I just mean it could handle more concurrent users. I am really good at making web apps that work, but when it comes to web security and infrastructure design I am not the best. Just takes lots of homework I guess.
My next app will include saving credit card numbers for automatic re-billing and I am scared to death. I know I must truly do a lot of homework on how to best do this or I could be in very big trouble.
So don't be surprised to see me popping up here from time to time.
Scooter
May 23, 2003 at 3:20 pm
quote:
My next app will include saving credit card numbers for automatic re-billing and I am scared to death. I know I must truly do a lot of homework on how to best do this or I could be in very big trouble.
Separate the servers. Keep the SQL Server out of the DMZ. If you have the option, have 2 SQL Servers. One where the credit card info is actually stored (and not directly reachable by the web server) and the one that drives the web site (and is reachable).
K. Brian Kelley
http://www.truthsolutions.com/
Author: Start to Finish Guide to SQL Server Performance Monitoring
http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1
K. Brian Kelley
@kbriankelley
May 24, 2003 at 2:13 am
Not sure what country you're in, but when I was working in the US on an e-commerce site, I got all hell because I was saving credit card details on our server. Apparently there are laws (banking laws?) that you have to adhere to when saving that data.
I left the company shortly after this (not because of the CC issue).
As Brian suggested, our setup was the same. IIS in the DMZ, a 2nd "SQL" zone and a third for the main SQL box. We used replication to get it from the IIS's SQL to the main SQL.
Just a suggestion, maybe it'll keep you out of the same @!&* I was in.
Cheers,
Crispin
May 25, 2003 at 6:56 pm
Perhaps I shouldn't save the numbers then. I do not have the option of a different server. The project doesn't have the budget. I can just have the clients sign up for a year and make them log in one time per year to re-up. I was just thinking I could write the contract such that they were re-upped automatically unless specified otherwise. It would have made it easier for re-billing. I don't think I want to take this on right now. I don't think it is worth the risk. Everyone has heard about this or that company that got hacked and all their clients had to deal with their credit cards being stolen.
I think I am going to pass.
Thanks for all of your input.
Scooter
May 27, 2003 at 8:42 am
This is one of those difficult areas. To provide convenient service to your users, it is nice to be able to store the numbers. After all, the wallet concept has been around for years. The trick is to store the numbers encrypted and just use a reference to a definition on the web site so the card number only gets transferred during the input or update process and is handled safely on your site.
Honestly, though, I don't know if this solution is still in violation of the laws that were mentioned. There are enough companies that do this, seems like it would be OK.
Guarddata-
May 29, 2003 at 7:14 pm
One thing you can do is set up the table(s) so that the SQL login that is used by the web application can only INSERT and not SELECT/UPDATE/DELETE. Also, you can set it up so that there is only 1 userid/group that has access to the numbers.
They need to be stored encrypted as well. With the above in place you should have no problems legally or otherwise. I helped set up the above at a prior company.
AJ Ahrens
SQL DBA
Revenue Assurance Management - AT&T
Good Hunting!
AJ Ahrens
webmaster@kritter.net
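The permission layout AJ describes above, written out as an added T-SQL example (not code from the thread or from any poster). Table, login, role and column names are hypothetical; the CREATE LOGIN/CREATE USER syntax assumes SQL Server 2005 or later, and the card number is assumed to be encrypted by the application before it reaches the INSERT.

```sql
-- Added example: a write-only card table for the web app login, with a
-- separate role that is the only principal able to read the ciphertext.
-- All names are hypothetical.
CREATE TABLE dbo.CardVault (
    CardId     INT IDENTITY(1,1) PRIMARY KEY,
    CustomerId INT            NOT NULL,
    CardCipher VARBINARY(256) NOT NULL,  -- ciphertext only, never the plain number
    Last4      CHAR(4)        NOT NULL,  -- safe to show on the web site
    CreatedAt  DATETIME       NOT NULL DEFAULT GETDATE()
);
GO

-- Login used by the web application: it may add cards but not read them back.
CREATE LOGIN web_app WITH PASSWORD = '<placeholder: strong password>';
CREATE USER  web_app FOR LOGIN web_app;
GRANT INSERT ON dbo.CardVault TO web_app;
DENY  SELECT, UPDATE, DELETE ON dbo.CardVault TO web_app;

-- The one group that is allowed to read the numbers (the billing job).
CREATE ROLE billing_reader;
GRANT SELECT ON dbo.CardVault TO billing_reader;
-- ALTER ROLE billing_reader ADD MEMBER <billing service user>;

-- A view that exposes only the non-sensitive columns, so the site can
-- show "card ending in 1234" without ever selecting CardCipher.
CREATE VIEW dbo.CardSummary AS
    SELECT CardId, CustomerId, Last4, CreatedAt
    FROM dbo.CardVault;
GO
GRANT SELECT ON dbo.CardSummary TO web_app;

-- Caveat: because dbo owns both the view and the table, ownership chaining
-- skips the permission check on CardVault when web_app reads CardSummary,
-- so the DENY above is not what protects the ciphertext here. The column
-- list of the view is, which is why it must never include CardCipher.
-- Check what web_app can actually do:
EXECUTE AS USER = 'web_app';
SELECT * FROM fn_my_permissions('dbo.CardVault',   'OBJECT');  -- INSERT only
SELECT * FROM fn_my_permissions('dbo.CardSummary', 'OBJECT');  -- SELECT
REVERT;
```

Run the two fn_my_permissions queries after any later GRANT to confirm the web login has not quietly picked up SELECT on the table.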