Need ASP ecommerce solution.
July 29, 2005 12:00 PM Subscribe
I need a good, cheap (free) ASP shopping cart application for Windows 2003 / IIS for a client website. Normally, I would use osCommerce, but for some reason they want everything ASP, etc. Any suggestions? Your help is fantastically appreciated.
A search reveals a previous inquiry with the suggestion of OrangeCart. I would like to have other options as I was not altogether impressed with OC.
A search reveals a previous inquiry with the suggestion of OrangeCart. I would like to have other options as I was not altogether impressed with OC.
Somewhat lateral - have you established that they want everything ASP vs wanting everything IIS? I know this is the consultant version of "is it plugged in?" and I don't mean to be insulting but given what a huge difference there is in PHP vs ASP availability for carts it seemed worth mentioning...
posted by phearlez at 12:40 PM on July 29, 2005
posted by phearlez at 12:40 PM on July 29, 2005
Response by poster: I installed PHP/MySQL on the IIS server with the purpose of using osCommerce, but they said they didn't want to "mix" ASP and PHP. Not to mention the fact, that I had some difficulty in getting PHP working properly with IIS since I'm a total IIS noob. Whenever I try to view php files now it asks for a login and password, so obviously I created the file permissions wrong or added the php extensions wrong. Wondering if I should have used the CGI method rather than the dll's for running PHP, but like I said, total IIS noob.
posted by letterneversent at 1:13 PM on July 29, 2005
posted by letterneversent at 1:13 PM on July 29, 2005
Ouch. Might I then suggest that you get a dedicated php server to handle the shop? IIS is a huge security headache even for experienced sysadmins; I'd hate to try to secure it as an IIS noob. Especially when credit card and other personal details are involved.
posted by blag at 4:58 PM on July 29, 2005
posted by blag at 4:58 PM on July 29, 2005
Best answer: It depends on the version of IIS. IIS6 with Windows Server 2003 is not fraught with the security woes that v5 had. Couple that with the most secure OS that Windows has ever produced and I wouldn't worry so much about security as long as you've got a decent firewall that only allows the requisite web ports through (usually 80 and 443).
Do not run the CGI version of PHP on IIS. Stick with the ISAPI module since it was primarily designed with Windows in mind. Using the CGI version requires some folder security changes that has the potential to create security issues. ASP runs as a .dll and if everything is working fine with it, then it's most likely not file/folder permissions. If you are using IIS6, make sure that you have setup PHP as an allowed module.
Actually, better yet (and if you haven't already) read through the PHP installation instructions. I've setup PHP on both Apache and IIS and PHP v5 is far easier to install and configure on Windows than on Linux (at least, IMO). It all depends on how the server is setup, but here are some best practises that I've used on the 5+ IIS servers that I maintain (caveat, I will stress again, this is all IIS6. I strongly recommend upgrading if you can afford it, IIS5 is bad, bad, bad):
1. Use the default installation settings with IIS. Microsoft changed how they handled default installations from allowing pretty much anything, to forcing the administrator to knowingly open up certain services.
2. Always separate web content from the system partition. If it's possible, re-partition the drive and keep all web stuff on the secondary drive (including PHP).
eg. System drive is C:\, new partition (as NTFS) is D:\
Web content: D:\Inetpub\www\
PHP: D:\PHP
3. In the past, PHP required certain files to be copied over to the system folders (or other folders in the PATH) but this is not the case with 5 (thank god, it's much more secure this way and it makes upgrading PHP a lot easier). Add D:\PHP to the PATH environment variable.
4. Use the php.ini-recommended. Read through it carefully (and read all of it). Each section is explained pretty thoroughly and most of the default settings are the most secure.
5. Using the website properties, use the configuration tab to add the PHP5 ISAPI module as the executable for all files with the .php extension (or even create your own non-standard extension). Add .php as an allowed module in IIS.
6. If you are running the site under the anonymous security settings (meaning, you do not require NTLM credentials on the server or file/folder in order to access the site) then make sure the IISUSR account has access to read/list the web folder that is storing the .php files.
I could go into more detail, but without more knowledge of the environment I'm not sure what would be important or even helpful. I agree with blag that creating an e-commerce site on any web server without detailed knowledge of the server and how to secure it would be a very bad idea regardless of the underlying language used to design it. If something happens with any of the information stored, or used, then you are culpable for any harm and you would most likely lose your job or even worse.
If the company is forcing you to use IIS, then tell them that you need to learn more about it. Have them spring for some books, training courses, or even a sandbox that you can play around with (Virtual PC can also help in this respect). Mixing PHP and ASP in the same web-app is also not recommended as you would pretty much have to maintain two separate web applications instead of one consolidated product. A quick Google search yielded VP-ASP.
Hope that helps.
posted by purephase at 5:28 PM on July 29, 2005
Do not run the CGI version of PHP on IIS. Stick with the ISAPI module since it was primarily designed with Windows in mind. Using the CGI version requires some folder security changes that has the potential to create security issues. ASP runs as a .dll and if everything is working fine with it, then it's most likely not file/folder permissions. If you are using IIS6, make sure that you have setup PHP as an allowed module.
Actually, better yet (and if you haven't already) read through the PHP installation instructions. I've setup PHP on both Apache and IIS and PHP v5 is far easier to install and configure on Windows than on Linux (at least, IMO). It all depends on how the server is setup, but here are some best practises that I've used on the 5+ IIS servers that I maintain (caveat, I will stress again, this is all IIS6. I strongly recommend upgrading if you can afford it, IIS5 is bad, bad, bad):
1. Use the default installation settings with IIS. Microsoft changed how they handled default installations from allowing pretty much anything, to forcing the administrator to knowingly open up certain services.
2. Always separate web content from the system partition. If it's possible, re-partition the drive and keep all web stuff on the secondary drive (including PHP).
eg. System drive is C:\, new partition (as NTFS) is D:\
Web content: D:\Inetpub\www\
PHP: D:\PHP
3. In the past, PHP required certain files to be copied over to the system folders (or other folders in the PATH) but this is not the case with 5 (thank god, it's much more secure this way and it makes upgrading PHP a lot easier). Add D:\PHP to the PATH environment variable.
4. Use the php.ini-recommended. Read through it carefully (and read all of it). Each section is explained pretty thoroughly and most of the default settings are the most secure.
5. Using the website properties, use the configuration tab to add the PHP5 ISAPI module as the executable for all files with the .php extension (or even create your own non-standard extension). Add .php as an allowed module in IIS.
6. If you are running the site under the anonymous security settings (meaning, you do not require NTLM credentials on the server or file/folder in order to access the site) then make sure the IISUSR account has access to read/list the web folder that is storing the .php files.
I could go into more detail, but without more knowledge of the environment I'm not sure what would be important or even helpful. I agree with blag that creating an e-commerce site on any web server without detailed knowledge of the server and how to secure it would be a very bad idea regardless of the underlying language used to design it. If something happens with any of the information stored, or used, then you are culpable for any harm and you would most likely lose your job or even worse.
If the company is forcing you to use IIS, then tell them that you need to learn more about it. Have them spring for some books, training courses, or even a sandbox that you can play around with (Virtual PC can also help in this respect). Mixing PHP and ASP in the same web-app is also not recommended as you would pretty much have to maintain two separate web applications instead of one consolidated product. A quick Google search yielded VP-ASP.
Hope that helps.
posted by purephase at 5:28 PM on July 29, 2005
i've used comersus before - there's a decent free version, the site i used it for is basically entirely rewritten - but it's a good base to start with.
posted by muddylemon at 10:15 PM on July 29, 2005
posted by muddylemon at 10:15 PM on July 29, 2005
This thread is closed to new comments.
posted by Dipsomaniac at 12:10 PM on July 29, 2005