Any DELAVO Alternatives? (For Sales/Affiliate Mgmt)

54 replies
Hello.

I'm curious if there are any Delavo alternatives that Warriors have had success using (sales processing, affiliate management, etc) for digital products.

I signed up for the Delavo list, got my zip file, and successfully installed it on my server.

Unfortunately, I made the mistake of registering my copy under my main domain name instead of the subdomain I intended to create & put it in (to make life easier and more organized). Their instructions didn't specify otherwise, so I didn't think it would make a difference.

I just heard back from customer support that there is nothing they can do. Really?? Guess I'm not important enough.

So my copy of Delavo, which I was anxious to implement immediately, is basically useless.

Any alternative products would be appreciated.

Thanks,
Jeff
#alternatives #delavo
  • Profile picture of the author TheRichJerksNet
    Hi Jeff,
    Sent you a PM with a solution that can help you ...

    James
  • Profile picture of the author launch3
    Thanks James. Will take a peek at your solution.
    • Profile picture of the author TheRichJerksNet
      Originally Posted by launch3 View Post

      Thanks James. Will take a peek at your solution.
      Any questions let me know .. I think you will find it offers everything you need + more and no plugins are required.

      James
      • Profile picture of the author Tom B
        Banned
        I am pretty sure the download page said they will change the domain once for free but charge $47 for every time after that.

        Is the subdomain the problem? From reading the download page, it shouldn't be a problem for them to change the url.
  • Profile picture of the author launch3
    If you signed up for Delavo last week, the "core" or basic version without plugins is free. I got a number of emails from internet marketers promoting it saying it will be the greatest thing since the moon landing. Unfortunately, I'll never know due to my little mistake.
    • Profile picture of the author Intrepreneur
      It's the greatest thing since the moon landed, but a very steep curve.

      I got a copy over at archangelhost, have to say, I haven't used it yet, but when I find time to sit back and take it all in, I will use it.
  • Profile picture of the author Sonja
    Originally Posted by launch3 View Post

    Hello.

    I'm curious if there are any Delavo alternatives that Warriors have had success using (sales processing, affiliate management, etc) for digital products.

    I signed up for the Delavo list, got my zip file, and successfully installed it on my server.

    Unfortunately, I made the mistake of registering my copy under my main domain name instead of the subdomain I intended to create & put it in (to make life easier and more organized). Their instructions didn't specify otherwise, so I didn't think it would make a difference.

    I just heard back from customer support that there is nothing they can do. Really?? Guess I'm not important enough.

    So my copy of Delavo, which I was anxious to implement immediately, is basically useless.

    Any alternative products would be appreciated.

    Thanks,
    Jeff
    Jeff,

    It is just as Thomas told you. You can get it moved once for free and then there is a fee. You can't put it on a subdomain but you can move it to another domain. So if you want to put it on another domain, please just create a helpdesk ticket and tell them your situation and you will be taken care of.
    Signature
    ~Yeah I'm working on it~

  • Profile picture of the author TheRichJerksNet
    That is where it limits you I guess.. The solution I sent you jeff is good for domain name and sub-domain names both ...

    James
  • Profile picture of the author Chuck Evans
    James, I'd love to take a look also. I've spent 3 days trying to download DELAVO, had emails back and forth with support and still cannot download! I know it's a free product from John and I'm grateful to have gotten in but I've wasted enough time on this!

    chuck
    Signature

    Chuck Evans - Golf Magazine Top 100 Teacher
    Learn How To Play Your Best Golf

    • Profile picture of the author UncleHQ
      James,

      I would be interested in seeing what you are putting up against Delavo.

      Chuck,

      If you want me to download and install it for you let me know.

      Brian
      Signature

      Free WP Plugins Get Free Articles Delivered Directly To Your Blog...
      Warriors For Hire Professional Webmasters For Hire - Get Your Own Highly Skilled Technical Team On Demand! - From $10

      ContePass, JVManager, Fantasos and Delavo are trademarks of The Internet Company LLC. All rights reserved.

      • Profile picture of the author TheRichJerksNet
        Originally Posted by briancol View Post

        James,

        I would be interested in seeing what you are putting up against Delavo.

        Chuck,

        If you want me to download and install it for you let me know.

        Brian
        Brian,
        I would not say I am putting anything up against Delavo..

        What I am building is the most advanced membership script to hit the market with a full all-in-one solution which includes building sites on the fly with no ftp or design software needed. Building membership sites with recurring payment, one time payment, trial access, or free and at the same time run affiliate review sites. All managed from your admin area.

        That is just the tip of the iceberg.. complete affiliate system built in and mass mail management built in for members and subscribers or use aweber or getresponse if you wish. Also will include paypal fraud protection against those serial refunders that love to hit IM sites.

        No plugins, no third party scripts needed... Best of all it will be very affordable even for those just starting out.

        James
        • Profile picture of the author UncleHQ
          Originally Posted by TheRichJerksNet View Post

          Brian,
          I would not say I am putting anything up against Delavo..

          What I am building is the most advanced membership script to hit the market with a full all-in-one solution which includes building sites on the fly with no ftp or design software needed. Building membership sites with recurring payment, one time payment, trial access, or free and at the same time run affiliate review sites. All managed from your admin area.

          That is just the tip of the iceberg.. complete affiliate system built in and mass mail management built in for members and subscribers or use aweber or getresponse if you wish. Also will include paypal fraud protection against those serial refunders that love to hit IM sites.

          No plugins, no third party scripts needed... Best of all it will be very affordable even for those just starting out.

          James
          Ok James, sounds very interesting - would you please PM me the details?

          Brian
      • Profile picture of the author Chuck Evans
        Originally Posted by briancol View Post

        James,

        I would be interested in seeing what you are putting up against Delavo.

        Chuck,

        If you want me to download and install it for you let me know.

        Brian
        Thanks Brian, I'll have a couple of days off soon from the lesson tee...I'll PM you!

        chuck
    • Profile picture of the author TheRichJerksNet
      Originally Posted by Chuck Evans View Post

      James, I'd love to take a look also. I've spent 3 days trying to download DELAVO, had emails back and forth with support and still cannot download! I know it's a free product from John and I'm grateful to have gotten in but I've wasted enough time on this!

      chuck
      Hi Chuck,
      PM has been sent to you ...

      James
  • Profile picture of the author kswr123
    For all those who need a little help:

    Create a product first - The options are easy enough
    Then create a package - Put your product in the package - Then you can set your order page to be in the DelAvo theme - It makes everything a lot easier!

    Mubarak
  • Profile picture of the author launch3
    Thanks Thomas & Sonja.

    Here's all I was told:

    "Delavo makes a difference between domain names and subdomain names. We are very sorry, but it is not allowed to use Delavo on a subdomain, if your license is associated with the main domain name."

    Jeff
    • Profile picture of the author UncleHQ
      Originally Posted by launch3 View Post

      Thanks Thomas & Sonja.

      Here's all I was told:

      "Delavo makes a difference between domain names and subdomain names. We are very sorry, but it is not allowed to use Delavo on a subdomain, if your license is associated with the main domain name."

      Jeff
      Hi,

      Then all you need to do is ask for the license to be changed to the subdomain you want to host it on.

      Copy and paste your details:

      License Number
      Old Registered Domain (Main Domain)
      New Domain (subdomain)

      Brian
    • Profile picture of the author TheRichJerksNet
      Originally Posted by launch3 View Post

      Thanks Thomas & Sonja.

      Here's all I was told:

      "Delavo makes a difference between domain names and subdomain names. We are very sorry, but it is not allowed to use Delavo on a subdomain, if your license is associated with the main domain name."

      Jeff
      As a webdeveloper for over 15 years that makes no sense at all to me.. A sub-domain name is the same as the domain name.. It is still on the same host and the same ip.

      There is a very powerful benefit to using sub-domain names when it comes to marketing your website / product.

      @Intrepreneur - I build highly advanced websites with powerful features but I also make my sites 200% user friendly. All my sites have step by step instructions, help messages on the pages, and etc.

      James
      • Profile picture of the author dlwalsh
        Mark Joyner who never recommends anything recommends Delavo. So who better to believe that Delavo is the best than the father of internet marketing? And of course others are going to recommend their platform over Delavo. That is the nature of sales. But then again, is their platform being recommended by anyone of Mark's caliber? If not, and none are, think about why Mark chose Delavo as the platform he says EVERYONE should have.

        There are contextual help files on every page, videos, manuals, workshops, 1 on 1 Skype consults, email support, all free as was Delavo itself.

        And it is very easy to get a domain name changed. Just submit a help desk ticket with your license number, your full name, your old domain and the new domain.

        I don't know if Delavo will work on a subdomain in this format: sub.main.com but I do know it works in this main.com/sub.

        However, I will find out and let everyone know.

        Donna
        Signature

        If you want to learn how to build a RESPONSIVE and therefore, PROFITABLE list download this FREE 20 page report, 'Building A Profitable List' from: http://donna-suggests.com/BuildingAProfitableList

  • Profile picture of the author launch3
    "As a webdeveloper for over 15 years that makes no sense at all to me.. A sub-domain name is the same as the domain name.. It is still on the same host and the same ip.

    There is a very powerful benefit to using sub-domain names when it comes to marketing your website / product."


    James, I couldn't agree with you more. I've been a web developer for 11 years. I have 16 subdomains on SolveYourProblem.com alone. It makes everything so much easier to organize too.
    • Profile picture of the author TheRichJerksNet
      Originally Posted by launch3 View Post

      "As a webdeveloper for over 15 years that makes no sense at all to me.. A sub-domain name is the same as the domain name.. It is still on the same host and the same ip.

      There is a very powerful benefit to using sub-domain names when it comes to marketing your website / product."


      James, I couldn't agree with you more. I've been a web developer for 11 years. I have 16 subdomains on SolveYourProblem.com alone. It makes everything so much easier to organize too.
      Not to mention the boost it gives to the main domain.. Not only boost in search rankings but also boost in authority and branding..

      James
    • Profile picture of the author John Delavera
      Please contact support again or PM the ID of your ticket.

      I am not sure what info did you exchange there but
      DELAVO CAN be installed to a subdomain. All we have
      to do is to change the domain you gave to us.

      With more than 5,000 licenses in 1 6 days you can excuse
      1 misunderstanding.

      Again if this is not resolved ASAP send a PM with your ticket ID

      Thanks

      John


      Originally Posted by launch3 View Post

      "As a webdeveloper for over 15 years that makes no sense at all to me.. A sub-domain name is the same as the domain name.. It is still on the same host and the same ip.

      There is a very powerful benefit to using sub-domain names when it comes to marketing your website / product."


      James, I couldn't agree with you more. I've been a web developer for 11 years. I have 16 subdomains on SolveYourProblem.com alone. It makes everything so much easier to organize too.
  • Profile picture of the author dlwalsh
    That is the beauty of Delavo. You can run hundreds of domains through just this one platform on a single domain, thereby centralizing your business.

    And when you are talking here are you talking subdomains or addon domains?

    I have many of both in my main account. Many are subdomains I run for products I do not want to purchase separate domain names for while others are addon domains for my own products.

    And all are run through Delavo.

    Donna
  • Profile picture of the author launch3
    Hi Donna.

    I'm talking about subdomains.

    I registered Delavo to SolveYourProblem.com.

    I setup the subdomain hub.solveyourproblem.com to run Delavo. I wanted it to be the central entry point for affiliates, partners, etc...

    Installation went perfectly, but the message on my screen was "Sorry, your license does not allow to install the script on domain hub.solveyourproblem.com"

    Jeff
  • Profile picture of the author launch3
    Hey John.

    Thx much.

    I'd really like to see Delavo in action after all the buzz (plus my growing digital product line & desire for an army of affiliates).

    Jeff
    • Profile picture of the author dlwalsh
      Hi Jeff

      That would be because your license is associated with SolveYourProblem.com

      But I am going to personally change that domain to hub.SolveYourProblem.com

      I will PM you with the details on how to get your new installation kit so give me 5 minutes.

      Donna
      • Profile picture of the author dlwalsh
        Ok I have changed it and am now sending you a PM

        Donna
  • Profile picture of the author launch3
    Thanks Donna & John.

    I've installed Delavo to my subdomain.
    No hiccups at all. Very smooth & easy.

    I am glad the disappointment of my mistake was short lived and ready to give this baby a whirl.

    Jeff
  • Profile picture of the author dlwalsh
    Glad everything went good.

    Donna
    • Profile picture of the author alertinvestor
      dlwalsh,

      You mention in an earlier post that there are all kinds of help files available. Where do I find these. I downloaded the script, unzipped it, but I don't see any install instructions. I went back to the web site and couldn't find any help files.

      Am I missing something?

      Thanks for any help
  • Profile picture of the author dlwalsh
    Hi

    You should have gotten an email where you needed to confirm that you wanted more info from Delavo group. After confirming, you should get an email with the URL and password to download the manuals and videos.

    Donna
  • Profile picture of the author secretssovaluable
    [DELETED]
    • Profile picture of the author UncleHQ
      Originally Posted by secretssovaluable View Post

      This looks like the same bunch of guys in here posting. I question that some of you are not Delavo affiliates.

      Anyhow, I have the link. I haven't downloaded Delavo yet, and to tell you the truth, I didn't really understand the sales pitch. What exactly does Delavo do?

      Some useful tools that seem to do the same thing are SalesForce.com, StatsJunkie, and Amember. I don't know, am I completely off track here?
      Hi,

      Affiliates for a free product - yeah sure that is why we give so much help ;-)

      What sales pitch - Delavo is a solution for running your back office functions like taking orders, collecting payment, tracking affiliates and digitally delivering the goods.

      Sure there are other tools that do some or most of the functions - for someone like myself who has used all the versions over the last 3 1/2 years though there is nothing like a script you can trust.

      Brian
    • Profile picture of the author TheRichJerksNet
      Originally Posted by secretssovaluable View Post

      This looks like the same bunch of guys in here posting. I question that some of you are not Delavo affiliates.

      Anyhow, I have the link. I haven't downloaded Delavo yet, and to tell you the truth, I didn't really understand the sales pitch. What exactly does Delavo do?

      Some useful tools that seem to do the same thing are SalesForce.com, StatsJunkie, and Amember. I don't know, am I completely off track here?
      I am not an affiliate - Although I do have a full membership solution that offers 3 times what Amembers does and it's 3 times cheaper price wise ... lol

      James
  • Profile picture of the author designfuschion
    I've got the download links for delavo. At first a little confused but eventually realised i had to enter a domain name for hosting.

    Does it matter what domain it's on? I really want to just get it installed and take a look. I don't have digital products to launch or sell, so that means I don't have any relevant domains.
    I was thinking of putting delavo on a subdomain or in a folder of 1 of my domains
    eg.
    hub.domain.com or domain.com/hub
    (borrowing the OP term hub)
    I have 3 domains i was thinking of installing it to..designfuschion.com(personal) /devfresh.com (future products/blog site)or rockyourplr.com ( this won't be main product)

    So if i registered it with hub.designfuschion.com -only those who i give link to would know there is even hub.designfuschion.com right?

    I don't particularly want to register a domain just to see if delavo is for me.
    If I understand correctly, the first domain wouldn't matter too much if it handles more than 1 domain.
    Signature

    Wordpress Install service. PM me for rates and packages or what you need and we can work something out.


    • Profile picture of the author dlwalsh
      You can install Delavo on a subdomain or even in a folder of a domain. I have my test version of Delavo installed in a folder on my consult site like this: myconsultsite.com/Delavo.

      But you could install as you said on hub.mysite.com. But if you install like this, hub.mysite.com is the domain that must be associated with your license, not mysite.com

      Donna
  • Profile picture of the author Devan Koshal
    I've been looking through Delavo, powerful software, but there are a few things that worry me.

    For one, sensitive customer details are not being encrypted in the database. The admin's password is not encrypted in the database, not even with the basic md5 hash.

    So if the database is breached, the customers' details can be stolen or the hacker gets direct access to your admin details with no real effort. Everything is in plain view.

    just something to look out for.
    • Profile picture of the author TheRichJerksNet
      Originally Posted by Devan Koshal View Post

      I've been looking through Delavo, powerful software, but there are a few things that worry me.

      For one, sensitive customer details are not being encrypted in the database. The admin's password is not encrypted in the database, not even with the basic md5 hash.

      So if the database is breached, the customers' details can be stolen or the hacker gets direct access to your admin details with no real effort. Everything is in plain view.

      just something to look out for.
      Devan,
      I do not have nor do I own Delavo but I have been a website developer for over 15 years so let me give you my input...

      MD5'ing an admin password is one of the stupidest things a site developer can do. MD5 for one means nothing in the database because a hacker can still get access to your admin if they get access to the database. 2nd MD5 slows down the way the database processes and when that happens it slows down the site. Slap 20,000+ members on a site at once with MD5 and don't you see many of them drop your membership in a minute.

      If you are on a proper host then you have nothing to worry about. Now nothing is 100% secured and anything can be hacked. Point is though it is your responsibility to make sure you have a secure server. It is the developer's responsibility that he/she developed a secure script.

      I am sure John has security on his script as I see no reason why he wouldn't...

      James
      • Profile picture of the author Devan Koshal
        Hashing & salting user passwords, whether it be using md5, sha1 or sha512, is a proven technique for protecting user passwords. It's used in a lot of applications including WordPress, and similar methods are implemented by Amazon & eBay.

        It's bad practice to store passwords in the database unhashed or unencrypted.

        md5 alone is not as effective as it used to be, but salting the password then hashing the password is much more effective. Using this method for only logins does not slow down the software dramatically. Using PHP to hash and salt the password beforehand does not put any extra load on the database as it's all done before the string is sent to the database. I don't mean use the functions built in to the database to hash the password, if that's what you thought I meant.

        There probably are security settings built into Delavo, but looking at the database structure that is what I saw.
        • Profile picture of the author TheRichJerksNet
          Originally Posted by Devan Koshal View Post

          Hashing & salting user passwords, whether it be using md5, sha1 or sha512, is a proven technique for protecting user passwords. It's used in a lot of applications including WordPress, and similar methods are implemented by Amazon & eBay.

          It's bad practice to store passwords in the database unhashed or unencrypted.

          md5 alone is not as effective as it used to be, but salting the password then hashing the password is much more effective. Using this method for only logins does not slow down the software dramatically. Using PHP to hash and salt the password beforehand does not put any extra load on the database as it's all done before the string is sent to the database. I don't mean use the functions built in to the database to hash the password, if that's what you thought I meant.

          There probably are security settings built into Delavo, but looking at the database structure that is what I saw.
          You are missing the entire point .. MD5 is trash I do not care how you look at it. Some places are using "Salt" to block auto submission software not to protect any passwords.

          This is the point though - If the hacker has access to your database then it does not matter what you have encrypted because they can do many things within your database and you never even know it. They could even run a log script to track everything going on in your system, and you would never know it..

          You need to secure your site and secure access to your database not the passwords.

          James
    • Profile picture of the author Tom B
      Banned
      Originally Posted by Devan Koshal View Post

      I've been looking through Delavo, powerful software, but there are a few things that worry me.

      For one, sensitive customer details are not being encrypted in the database. The admin's password is not encrypted in the database, not even with the basic md5 hash.

      So if the database is breached, the customers' details can be stolen or the hacker gets direct access to your admin details with no real effort. Everything is in plain view.

      just something to look out for.
      If the person has access to the database, then why would they care what passwords are in there? Passwords give access and it would seem they would already have access without the passwords.

      Now if it was credit card details that are in plain site then I would agree.
  • Profile picture of the author dlwalsh
    People on the Fantasos forum have stated that they have tried to hack Fantasos. No one has succeeded. Delavo is built on Fantasos engine so I am positive it is as secure as Fantasos.

    Just recently someone tried to steal one of my products by hitting the back browser in the Payment gate. Delavo denied access to the downloads. Then the person was stupid enough to ask me for the Product saying my system didn't give them access. Well, duh.

    Donna
  • Profile picture of the author Devan Koshal
    It's still best practice to hash all passwords, and that's what I was on about by encrypting users' sensitive details. If the database is fully breached the details are in plain view.

    even if the hacker only pulls one table from the database if that table contains users passwords, the hacker has access to the sensitive data via the application.
    • Profile picture of the author TheRichJerksNet
      Originally Posted by Devan Koshal View Post

      It's still best practice to hash all passwords, and that's what I was on about by encrypting users' sensitive details. If the database is fully breached the details are in plain view.

      even if the hacker only pulls one table from the database if that table contains users passwords, the hacker has access to the sensitive data via the application.
      If a hacker pulls one table then he will have access to the entire database.. Please understand I have built over 10,000+ custom websites for clients. I build all my sites from the ground up (I do not use open source code to build sites) and every single site has security built in, so I fully understand what I talk about when it comes to security.

      It is your responsibility to have a secured host so no hackers even get that far. Please do not try to put this responsibility off on a developer. I fully disagree with the encryption of passwords because it does not mean anything.

      There are many things you can do besides have a secure host and that is to install extra security measures, such as Bad-Bot Killer which is a product I developed that blocks bots from your server... Well over 1,000 customers use this script on their server as well as me.

      Something else that you may not have considered. Let's say you have a database with encrypted passwords and a year later you outgrow your site and you have 50,000+ members and you decide you want a custom script built. Well there is a problem, your database must be integrated in with this new script which requires scripts to be built to transfer the information from one database built by one developer to another database built by a different developer.

      The problem is because the passwords are encrypted, all passwords must be reset to a default one and all members would have to log in to the new system to change their passwords. The problem here is all default passwords would have to be the same. This could cause problems if someone figures out everyone's password is the same.

      So you see, not only is encrypting passwords useless but it could cause you problems later down the road. The above is just one example.

      James
      • Profile picture of the author stevenh512
        Originally Posted by TheRichJerksNet View Post

        If a hacker pulls one table then he will have access to the entire database..
        Exactly.. you can't get access to just one table, if you can access the one table you can access the whole database.

        It is your responsibility to have a secured host so no hackers even get that far. Please do not try to put this responsibility off on a developer.
        But at the same time, there have been known security vulnerabilities in quite a few web scripts (opensource or proprietary) that have caused a lot of trouble recently. While you have a responsibility to have a secure host, the developer has a responsibility to write secure software too, especially in the case where you can not modify the software yourself to fix any security vulnerabilities you find because the developer hasn't provided editable source code (for example, a script with heavily obfuscated source code or an IonCube or Zend encoded script).

        such as Bad-Bot Killer which is a product I developed that blocks bots from your server
        I don't know specifically about Bad-Bot Killer since I've never used it, but there are a number of different scripts that block certain bots, IPs of known hackers and forum spammers, etc. I'm assuming Bad-Bot Killer is something along those lines. Always a good idea to have something like that as an extra line of defense.

        The problem is because the passwords are encrypted, all passwords must be reset to a default one and all members would have to log in to the new system to change their passwords. The problem here is all default passwords would have to be the same. This could cause problems if someone figures out everyone's password is the same.
        Not necessarily. That's one way to handle it, for sure, but considering that most PHP scripts use one of 3 methods (MD5, SHA1 or the much-hated crypt() function) it wouldn't be too hard to let your new developer know what hash or encryption algorithm the old script was using to hash the passwords. Even failing that, it would be trivial to write a small script that generates a random password for each user, emails it to that user and hashes it with the new script's hash algorithm to store it in the database.

        But there is one thing to keep in mind when you're thinking about encrypting passwords in the database. How many of us use SSL on our login pages (or any page where a user might enter or change their password)? What good does it do to encrypt the password in the database when that password is always sent "in the clear" from the user to the server every time they log in?
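stevenh512's point above, that hashed passwords can move to a new script without a shared default password, sketched as an added example (not code from the thread or from any product named in it): the old hashes are imported unchanged and each one is upgraded the first time its owner logs in. The unsalted-MD5 legacy format, the `scheme` field, the in-memory `$users` array and the function name are assumptions made for illustration.

```php
<?php
// Constructed sample: an in-memory stand-in for the users table imported
// from the old script, assumed to have stored unsalted MD5 hex digests.
$users = [
    'alice' => ['hash' => md5('correct horse'), 'scheme' => 'md5'],
];

/**
 * Check a login against whichever scheme the stored hash uses, and upgrade
 * the stored hash to password_hash() on the first successful login.
 * $users is taken by reference so the upgraded hash is kept (hypothetical
 * storage; a real application would issue an UPDATE instead).
 */
function login_and_upgrade(array &$users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        return false;
    }
    $row = $users[$name];

    if ($row['scheme'] === 'md5') {
        // Legacy check: constant-time comparison against the old digest.
        $ok = hash_equals($row['hash'], md5($password));
    } else {
        $ok = password_verify($password, $row['hash']);
    }
    if (!$ok) {
        return false;
    }

    // The plaintext is only available at login, so this is where to rehash.
    if ($row['scheme'] === 'md5'
        || password_needs_rehash($row['hash'], PASSWORD_DEFAULT)) {
        $users[$name] = [
            'hash'   => password_hash($password, PASSWORD_DEFAULT),
            'scheme' => 'native',
        ];
    }
    return true;
}

// Constructed walk-through: a wrong password, then the right one twice.
var_dump(login_and_upgrade($users, 'alice', 'wrong'));
var_dump(login_and_upgrade($users, 'alice', 'correct horse'));
var_dump($users['alice']['scheme']);
var_dump(login_and_upgrade($users, 'alice', 'correct horse'));
```

Accounts that never log in again keep their legacy hash, so a migration like this usually sets a cutoff date after which remaining legacy rows are forced through a per-user reset email.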
        • Profile picture of the author TheRichJerksNet
          Originally Posted by stevenh512 View Post

          But at the same time, there have been known security vulnerabilities in quite a few web scripts (opensource or proprietary) that have caused a lot of trouble recently. While you have a responsibility to have a secure host, the developer has a responsibility to write secure software too, especially in the case where you can not modify the software yourself to fix any security vulnerabilities you find because the developer hasn't provided editable source code (for example, a script with heavily obfuscated source code or an IonCube or Zend encoded script).

          I don't know specifically about Bad-Bot Killer since I've never used it, but there are a number of different scripts that block certain bots, IPs of known hackers and forum spammers, etc. I'm assuming Bad-Bot Killer is something along those lines. Always a good idea to have something like that as an extra line of defense.
          This I agree with and that is the exact reason I do NOT use open source code. Sure I have been known to use a free html editor and even buy a license for one. AP uses a full licensed HTML Editor. As far as the sites coding and functions, I build it all from scratch. I secure my scripts as much as humanly possible.

          When using open source and trying to tie this together and that together from different developers, it causes security issues that many may not even realize until it is too late. The same goes for that free ajax code and etc many use.. Again I build all my own and always will because I care about the product I put out and I care about my customers.

          BadBot-Killer (depending upon which version you have) has ip/country blocking, badbot blocking, tracking, and stats... I developed it so it could be used on any php enabled website.

          As far as modifying the software yourself, you must understand a developer spends 2, 3, 6 months on a project to build a script. They sure as heck do not want anybody and everybody just getting it and selling it on DP or eBay ... This would kill all sales for the developer, so the developer just wasted months of their time just for some warez user to give away or sell a script they never paid for.

          Personally speaking for myself I fully support the scripts I have built and if any bugs found I fix them..

          James
          • Profile picture of the author stevenh512
            Originally Posted by TheRichJerksNet View Post

            As far as modifying the software yourself, you must understand a developer spends 2, 3, 6 months on a project to build a script. They sure as heck do not want anybody and everybody just getting it and selling it on DP or eBay ... This would kill all sales for the developer, so the developer just wasted months of their time just for some warez user to give away or sell a script they never paid for.
            In general I like to be able to modify my scripts, or at least write my own code that "plugs into" them to give them whatever custom functionality I might want or need.. but that being said.. as long as the script is actually secure (not just "security through obscurity"), well supported by its author and easy/flexible enough for me to work with I have absolutely no problem with the idea of source obfuscation or Zend/IonCube encoding.

            For example, DLGuard is one of my all-time favorite scripts. It comes IonCube encoded (and before that, Sam was using another encoding scheme). I absolutely love it, Sam does a great job of supporting his customers and he makes it easy for me to plug in whatever "extras" I need. DELAVO comes with mostly obfuscated source code, I don't mind because I know John supports his software and his customers, and there may not be too many ways to "plug into" it right now but I hear there's an API plugin on the way and even though there's no documentation for it (and probably never will be.. lol) in theory you could write your own plugins. In those cases I have absolutely no need to modify the actual script myself, I can plug in the functionality I need because they were designed with a good API in mind (and if not, I can always go to straight database queries.. lol), and I know if there's any kind of a security issue Sam or John will be on top of it.
            • Profile picture of the author Devan Koshal
              Not all attacks on a database result in full access to the database where the hacker can edit data. Most attacks that get the database are ones where the hacker cannot edit the data, only view it. In that case, if some data can only be decrypted using the application and the hacker has the password in plain text, they have access to the application, which would allow them to edit data and decrypt encrypted data.

              I've built ecommerce stores, email marketing applications and CRMs and CMSs from the ground up in PHP over the past 7 years.

              In the case of an email marketing app the user can't do much damage in the database, since I've encrypted the email addresses and hashed the password, but if he had access to the software, by finding out the password, he could view all the emails in plain text as they would be decrypted and even send spam emails from the server.

              The full access to the application can have more damage than access just to the database.
          • Profile picture of the author Tyrus Antas
            Originally Posted by TheRichJerksNet View Post

            This I agree with and that is the exact reason I do NOT use open source code.
            Bullshit. Security through obscurity is not security. Do you really think your little script will be secure against vulnerabilities because very few people use it? Once the code is out there it will be as vulnerable as everything else.

            In fact, it will probably be worse since very few people will be looking at the code and therefore is more likely to be insecure.

            PS: do you ever participate in this forum in a way that is not self-promotional?

            Tyrus
        • Profile picture of the author Devan Koshal
          Originally Posted by stevenh512 View Post

          But there is one thing to keep in mind when you're thinking about encrypting passwords in the database. How many of us use SSL on our login pages (or any page where a user might enter or change their password)? What good does it do to encrypt the password in the database when that password is always sent "in the clear" from the user to the server every time they log in?
          Very true, but it is possible to use JavaScript to hash the password before sending it over the browser; it turns up hashed in the HTTP headers.
  • Profile picture of the author TheRichJerksNet
    I have made many useful posts and not self promotion - I have also helped many out without asking for anything in return ... Read the title of this thread and the replies..

    FACT: My scripts are secured as I build security into the code, I said nothing about security through obscurity - DO NOT take what I said out of context and post a small line of what I said. You have no idea of the sites I have built and created and if you did, you would not make the rude uncalled for remarks you just did.

    I find it offensive that you come in here using bad language just to ruin a good discussion..

    I love how you assume I have "very few" people that use the scripts I build .lol Now that was funny ...

    James
  • Profile picture of the author SharynP
    Customer view point, having been thru PayPal over 100,000 times, for over 7 years, I have a fair idea of the experience.

    I used to make note of the scripts used to order through.
    Fantasos(r) and Delavo(tm) were by far the most streamlined and reliable.

    And why in recent years I use it. The only times I had a problem, was when the owner had made a mistake in setup, which I could see what it was by then, and email them on the exact problem.

    As far as encryption, it is a funny point, I don't trust many that are encrypted, but, from a solid organization I do.

    As a consumer, the advice I would give is to use a good solid script, and, have links or menus on your sales pages, indicating that the site has substance behind it.

    Credibility on the net is as deep as your screen, visuals, substance, evidence of support etc. will give this. The sales page format is almost like a "turnoff" to "mainstream" consumers, and, if you want to stop feeding off each other, like gamblers around a card table, to see who wins the pot, then, this is what should happen.

    Also the names of your products reek fear to "mainstream", we know what "viral product" is, but, others think it's pirated and contains a virus. "Time Bombs" was a recent name for a WP Plugin, hmmmm, made me wonder if it would blow up my site, and it was encrypted, so I did not install it.

    Just my 2 bits worth, as a well seasoned customer, and one who has thrown her cards in.

    Shaz