  1. #26
    Join Date: May 2013 | Location: USA | Posts: 931
    Quote Originally Posted by Steven View Post
    Some scripts try to hide things like encryption keys and salts ( which should not be static anyway ) in the code... well I can usually sniff that out with xdebug without ever decompiling the code.. so that is pretty moot.
    I agree and you'd be surprised how many application frameworks out there will, for example, use the same salt on every password and store that salt in a plaintext config file. Almost defeats the entire purpose of salting!
    ▄▀▄ Brian Harrison, Lead Engineer - Reprise Hosting (AS62838)
    ▄▀▄ Deals on cheap dedicated server hosting. IPMI included! Unmetered bandwidth.
    ▄▀▄ Website migration, 24/7/365 support, basic server setup, 15 day money back.
    ▄▀▄ Looking for DEALS on self-managed cheap VPS hosting? Visit VPSHostingDEAL.com

  2. #27
    Join Date: Mar 2003 | Location: California USA | Posts: 13,681
    Most importantly the code needs to use zero functions that are being deprecated currently/in the near future ... that means for example mysql_* == NOPE
    Needs to support php 5.4 out of the box as the default requirement as people need to be moving off php 5.3.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  3. #28
    Join Date: Jan 2010 | Location: USA | Posts: 2,173
    Quote Originally Posted by BrianHarrison View Post
    I agree and you'd be surprised how many application frameworks out there will, for example, use the same salt on every password and store that salt in a plaintext config file. Almost defeats the entire purpose of salting!
    Exactly. I am so sick of seeing people either not using salt or using one static salt for all of their passwords. If coders don't use a different salt for each password, then there is almost no point in hashing the passwords in the first place. Hashing without a different salt for each password is vulnerable to rainbow tables. Coders definitely need to store a different, long, random salt for each password, either in a separate salt field or within the encrypted password field. (like PBKDF2)
    No Support Linux Hosting Bargain cPanel Hosting Experts Only
    We IGNORE the support questions, and pass the SAVINGS on to YOU!
    We also ignore questions about VPS Hosting
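
The per-password salting described in the post above, shown next to the shared config-file salt it criticises. This is an added example, not part of the original thread: the function names, the `$`-separated storage format, the iteration count and the sample values are all assumptions, and it targets PHP 7.1 or later.

```php
<?php
// Added example: shared static salt vs. a unique random salt per password.
// All names, the storage format and the work factor are assumptions.

const PBKDF2_ALGO = 'sha256';
const PBKDF2_ITERATIONS = 100000; // assumed work factor; tune to your hardware
const SALT_BYTES = 16;

// WEAK: one salt read from a config file and reused for every account.
// Equal passwords give equal hashes, so one precomputed table built for
// this salt covers the whole user table.
function hash_with_static_salt(string $password, string $configSalt): string
{
    return hash_pbkdf2(PBKDF2_ALGO, $password, $configSalt, PBKDF2_ITERATIONS);
}

// BETTER: a fresh random salt per password, kept inside the password field
// itself as: pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>
function hash_with_unique_salt(string $password): string
{
    $salt = random_bytes(SALT_BYTES);
    $hash = hash_pbkdf2(PBKDF2_ALGO, $password, $salt, PBKDF2_ITERATIONS);
    return implode('$', ['pbkdf2_' . PBKDF2_ALGO, PBKDF2_ITERATIONS, bin2hex($salt), $hash]);
}

// Re-derive the hash using the salt and iteration count stored with it.
function verify_password(string $password, string $stored): bool
{
    $parts = explode('$', $stored);
    if (count($parts) !== 4 || $parts[0] !== 'pbkdf2_' . PBKDF2_ALGO) {
        return false; // unknown or malformed record
    }
    [, $iterations, $saltHex, $expected] = $parts;
    if (!ctype_digit($iterations) || (int) $iterations < 1
        || !ctype_xdigit($saltHex) || strlen($saltHex) % 2 !== 0) {
        return false;
    }
    $actual = hash_pbkdf2(PBKDF2_ALGO, $password, hex2bin($saltHex), (int) $iterations);
    return hash_equals($expected, $actual); // constant-time comparison
}

// Constructed sample data: two accounts that happen to share a password.
$configSalt = 'static-salt-from-config'; // constructed value
$samePassword = 'correct horse battery'; // constructed value

$aliceStatic = hash_with_static_salt($samePassword, $configSalt);
$bobStatic   = hash_with_static_salt($samePassword, $configSalt);
echo 'static salt, hashes equal: ';
var_dump($aliceStatic === $bobStatic);

$aliceUnique = hash_with_unique_salt($samePassword);
$bobUnique   = hash_with_unique_salt($samePassword);
echo 'unique salts, hashes equal: ';
var_dump($aliceUnique === $bobUnique);

echo 'correct password verifies: ';
var_dump(verify_password($samePassword, $aliceUnique));
echo 'wrong password verifies: ';
var_dump(verify_password('not the password', $aliceUnique));
```

On PHP 5.5 and later, the built-in `password_hash()` and `password_verify()` generate a random salt per password and embed it in the returned string in the same way.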

  4. #29
    Join Date: Jan 2010 | Location: USA | Posts: 2,173
    Quote Originally Posted by twhiting9275 View Post
    It adds a bit of protection, and keeps every prying eye out. I'm not saying it's the end all and be all of everything, of course it's not, but it does add that layer of protection, even if breakable.
    Encoding the source (with IonCube for example) does not add any layer of security and it does not keep prying eyes out. Hackers have tools for quickly decoding IonCube. It only takes them a few seconds to get to the source code. Encoding the source code does not keep any of those prying eyes out. The only eyeballs that it keeps out are the law abiding coders that would be willing to help improve the code. Encoding the source keeps the helpful people out but lets the harmful people in. It is the opposite of what you want to happen.

    Open source lets everybody in. If there are a lot of helpful people in the community, an open source project can get a lot better a lot more quickly than any closed source alternative. If you are scared that open sourcing the code will make it less secure, then your code is not good enough to use online anyway. Hiding the source code does not increase the security of that code.

  5. #30
    Join Date: Mar 2002 | Location: London & Kent, UK | Posts: 394
    Quote Originally Posted by NoSupportLinuxHostin View Post
    Open source lets everybody in. If there are a lot of helpful people in the community, an open source project can get a lot better a lot more quickly than any closed source alternative.
    This is largely true, but no matter how promising an opensource project may get, if it lacks funding it can still end up on the opensource graveyard of good ideas so that everyone ends up losing out, not to mention the in-fighting, forks, transient commitment etc. that can eat away at an opensource project like a disease; you may be aware of the significant troubles and legal issues surrounding the Joomla project some years back.

    If a product is developed and released by a real but possibly fledgling company who have bills and staff to pay, revenue protection is essential so that they'll still be around in 6 months time and able quite literally to keep the lights on. Releasing as opensource is a great way to get community buy-in in terms of enthusiasm and ideas, but poses a real challenge to get buy-in with hard cash to actually fund the project for the long term. Selling high-priced support contracts once a product gets sufficiently developed and adopted by industry is one strategy, but a high risk one, and surviving until that time should it ever be reached could be impossible.

    In general and if managed correctly, protecting at least portions of code, even if reluctantly at the risk of going against the idealistic opensource visions of some, is a far more sure-fire way of locking in project revenue early; it can establish the viability of a project, and ensure that development professionals can be procured to develop, maintain and support the product indefinitely going forwards. Most end users aren't going to be bothered if a project isn't opensource and will be happy to take that trade if it ensures that they'll have support, product updates and bug fixes, and a product that'll still be around in 10 years time.

    Quote Originally Posted by NoSupportLinuxHostin View Post
    Encoding the source (with IonCube for example) does not add any layer of security and it does not keep prying eyes out. Hackers have tools for quickly decoding IonCube. It only takes them a few seconds to get to the source code. Encoding the source code does not keep any of those prying eyes out.
    Not entirely accurate, but it's certainly the case that total protection through hardware or software mechanisms is never attainable, and there's an ever present possibility of reverse engineering to any solution. The realistic goal is to make reverse engineering as time consuming, challenging and expensive as possible. With ionCube today, encoding for PHP 5.4 and using obfuscation defeats current decompilation sites that we've seen, with ionCube Bespoke Solutions offering further security opportunities over the off the shelf products. New releases from vendors such as ourselves and Zend also tend to introduce new security features, keeping or moving ahead of the reverse engineers.

    Tools such as ionCube are primarily about code protection though, and by default should do nothing to change the behaviour of an application; if an application has five code injection flaws, after encoding it will still have five code injection flaws. If a provider isn't confident in their ability to minimise security risks from the outset and responsibly handle their resolution when remaining ones do get discovered, then perhaps they *should* release as opensource to let others do the work for them. Code protection can be effective in stopping security flaws being introduced though by a 3rd party, such as when a hacker breaks into a website and slips in a compromise undetected, and there may be features that can be actively used by the application developer in their program to enhance security, but not passively. In short, there's no magic bullet to improving the inherent security of an application, nor substitute for good design through experience and education.
    Real-time intrusion protection and error reporting for PHP sites ioncube24.com
    Software protection for website owners and PHP developers ionCube PHP Encoder

  6. #31
    Join Date: Apr 2013 | Posts: 170
    Quote Originally Posted by phpa View Post
    Protection for PHP scripts - ionCube PHP Encoder
    Create Web Application Installers - ionCube Package Foundry
    And when will you release ioncube loaders for PHP 5.5.x? PHP 5.5.0 was released 20-Jun-2013, and has now reached version 5.5.4 - but still you have not released any compatible ioncube loaders.

    Also it does not seem like you care about all people waiting for PHP 5.5.x compatible loaders: http://forum.ioncube.com/viewtopic.php?t=4051

    I am now considering to stop supporting ioncube loaders on our shared hosting servers because of this. We want to upgrade to PHP 5.5.x now, but are not able to because of missing ioncube loaders. I am starting to mislike your company.

    You do understand that the new development cycle of PHP, is to release a new major PHP version every 12 months? So, we will then have this waiting game every year, waiting for you to take it serious and release loaders. Waiting, and waiting and WAITING!

  7. #32
    Join Date: Sep 2002 | Location: Top Secret | Posts: 14,135
    Quote Originally Posted by about: View Post
    And when will you release ioncube loaders for PHP 5.5.x? PHP 5.5.0 was released 20-Jun-2013, and has now reached version 5.5.4 - but still you have not released any compatible ioncube loaders.
    Get used to it. Ioncube loaders are always way behind. Expect them sometime next year.

    You'd think that all the public criticism about them not actually, you know, using the betas to get their program ready would have sunk in by now, but nope, typically 6-12 months later.
    Tom Whiting, WHMCS Guru extraordinaire
    Linux problems? WHMCS Problems? Give me a shout
    Check out my WHMCS Addons

  8. #33
    Join Date: Nov 2000 | Location: localhost | Posts: 3,771

    You do understand that the new development cycle of PHP, is to release a new major PHP version every 12 months? So, we will then have this waiting game every year, waiting for you to take it serious and release loaders. Waiting, and waiting and WAITING!
    Perhaps it is the vendors that release code ioncubed that you should direct your frustration at? It is a sad state of affairs in the PHP ecosystem that authors of simple CRUD applications (written in a retarded way no less) worry that people will steal their precious work (I mention that in a double edge sword manner). Then again you even get some people that say they wouldn't trust a billing system that is open source..
    MattF - Since the start..

  9. #34
    Join Date: Sep 2002 | Location: Top Secret | Posts: 14,135
    Quote Originally Posted by MattF View Post
    Perhaps it is the vendors that release code ioncubed that you should direct your frustration at?
    It's not the vendor's fault that ioncube can't do their jobs in a timely fashion.

  10. #35
    Join Date: May 2008 | Location: Tampa, Florida | Posts: 185
    There are a couple of major turn offs, in my opinion, when it comes to WHMCS which lead me to not use it at all.

    Those turn offs being:

    1: It takes a good amount of time to setup. I'm a super busy woman between running my business in the hosting industry, now having an at home day care business with my best friend, going to school, helping clients, spending time with my hubby and family - I have a very hectic life so it would be great to have something that was a bit less time consuming to setup. I think, for me, the best way to do that is to have well laid out step by step in order documentation that I could easily follow. WHMCS' documentation is well everywhere, scattered instructions are the worst and that drives me personally insane.

    2: Security! I read about security issues they have almost as if they are having a hack every single week it seems and that is just a major issue, not to mention a huge headache if something were to happen like for those who actually had to turn off their billing areas. That is just a major turn off. Sure, of course, I would prefer that sales be missed from having the billing area down than having it up and people getting their confidential information leaked all over the internet but I think my point is the fact that it shouldn't happen in the first place. If it takes them to hire professionals to audit their coding on a daily/weekly/monthly basis, then that should be done.

    3: Lack of support. They either give you a very vague answer or just don't answer at all. As someone who takes giving support to customers very seriously because frankly without your customers, you are nothing so they deserve to be answered when they need your help.

    Of course, all my opinion and the specific reasons as to why I don't use WHMCS any more and haven't in years.
    Last edited by HostcrateCEO; 10-09-2013 at 10:45 AM.
    Hostcrate.com - Shoutcast Streams & Web Hosting
    █ Custom Streams Available - Contact me - We're in Second Life Too!
    Real Quality - Real Support - Real Affordable since 2008!

  11. #36
    Join Date: Oct 2009 | Posts: 590
    Billing is different than other applications. It's very difficult to have one commercial billing application that works for almost everyone. The tradeoff is that it has a LOT of features most people will never use. Also tends to be difficult to set up.

    The alternative is to have a custom billing application made.

    Those are really the only 2 options for most people nowadays. There have been some attempts at an open source billing application but so far they haven't gotten much traction and may never be anywhere near as good as the commercial alternatives.

  12. #37
    Join Date: Jun 2003 | Location: Sheffield | Posts: 810
    Quote Originally Posted by HostcrateCEO View Post
    3: They either give you a very vague answer or just don't answer at all. As someone who takes giving support to customers very seriously because frankly without your customers, you are nothing so they deserve to be answered when they need your help.
    Hi,
    I'm sorry to hear you say that, I had a look at your account and can't see anywhere you expressed dissatisfaction with the responses we gave in any of the tickets you opened. In fact one of your responses was:

    Thank you. That worked. I appreciate the fast and accurate response
    If you would be so kind as to PM your ticket IDs and feedback to me, I'd be very interested in seeing how we can improve in future in your eyes.
    WHMCS
    The Complete Client Management, Billing & Support System
    Documentation | Help Guides

  13. #38
    Join Date: Sep 2002 | Location: Top Secret | Posts: 14,135
    Quote Originally Posted by HostcrateCEO View Post
    1: It takes a good amount of time to setup.
    Hire someone to do it? There's plenty of us who are familiar with setting it up that can have it done for you.

    I know, not really the answer you want to hear, but let's face it, setting something like this up is never, ever going to be 'point and click'.

    Quote Originally Posted by HostcrateCEO View Post
    2: Security!
    This is the main reason that most should be moving away from this, I agree wholeheartedly.

    Quote Originally Posted by HostcrateCEO View Post
    3: Lack of support.
    WHMCS used to have the best support on the planet. I used to be able to open a ticket, know it would be answered and resolved within a few hours and move on confidently.

    Any more, it's just the opposite. It's become far too 'corporate', far, far too structured. Now, it's all about
    • Open ticket
    • Wait 12+ hours for response
    • Wait weeks (possibly months) for resolution



    Take a look at this thread for example. Client wasn't even able to collect his funds because WHMCS, et al., refused to properly fix his install.. Instead? Wait a few months until our next release (currently in beta) is out.

    #2 and #3 are reasons that I started this discussion, hoping to get somewhat of a list of realistic needs that people wanted from a billing client in order for them to switch from the current king of the hill, maybe inspire someone to put something together.

  14. #39
    I would definitely like to see AJAX checkouts where users are easily able to checkout on one page.
    Webuzo - Multi user control panel supporting Apache, NGinx, MySQL, MariaDB, Percona, LiteSpeed, Varnish, WordPress, etc.
    Virtualizor - VPS Control Panel supporting OpenVZ, Xen, KVM and has 200+ OS Templates
    Softaculous - Auto Installer with 400+ scripts for Webuzo, cPanel, DirectAdmin, InterWorx, Plesk, etc.

  15. #40
    Join Date: Sep 2002 | Location: Top Secret | Posts: 14,135
    Quote Originally Posted by alons View Post
    I would definitely like to see AJAX checkouts where users are easily able to checkout on one page.
    Yeah, that would be a developer's nightmare, I'm sure.
    Ajax is not the end all and be all of everything. Like all things, moderation is required. I could see this being just ugly and a pain to work with

  16. #41
    Join Date: Mar 2003 | Location: California USA | Posts: 13,681
    Quote Originally Posted by twhiting9275 View Post
    Yeah, that would be a developer's nightmare, I'm sure.
    Ajax is not the end all and be all of everything. Like all things, moderation is required. I could see this being just ugly and a pain to work with
    I don't know, I am seeing more and more developers that prefer ajax to not having it.

  17. #42
    If the alternative was somehow more graphically pleasing then I would switch, making the gateway log load faster would be nice too! Also financials, if it were cheaper that wouldn't hurt either.

  18. #43
    Join Date: Feb 2008 | Location: Houston, Texas, USA | Posts: 3,262
    Writing software from scratch is extremely difficult and is overwhelming. You have to realize that you're probably in it for at least a couple of years before you start seeing some cash flow.

    My advice is to start by building a front end to WHMCS by leveraging their API. Then start by methodically replacing each API call with your own code (don't copy/paste code please). You'll be able to prioritize your work and track progress. The work will be all cut out for you.

    By the time you've implemented all API calls, you'll have something to show people here. One clear advantage to this approach is you might be able to gain market share by pushing your app as a drop in replacement (running in front of WHMCS). You position yourself by fixing bugs ahead of WHMCS and even push new features. At least until you're off the API and then you're in full control.
    UNIXy - Fully Managed Servers and Clusters - Established in 2006
    Server Management - Unlimited Servers. Unlimited Requests. One Plan!
    cPanel Varnish Plugin -- Seamless SSL Caching (Let's Encrypt, AutoSSL, etc)
    Slow Site or Server? Unable to handle traffic? Same day performance fix: joe@unixy

  19. #44
    Join Date: Apr 2012 | Location: Toronto, Canada | Posts: 501
    Quote Originally Posted by WHMCS-John View Post
    Hi,
    I'm sorry to hear you say that, I had a look at your account and can't see anywhere you expressed dissatisfaction with the responses we gave in any of the tickets you opened. In fact one of your responses was:



    If you would be so kind as to PM your ticket IDs and feedback to me, I'd be very interested in seeing how we can improve in future in your eyes.
    Something tells me John that posting private responses from customers is breaking some laws. Many forums frown on even posting PMs publicly never mind PRIVATE customer tickets.
    Doesn't matter if it's a full or partial quote. You shouldn't be copying ANY customer tickets/info and posting it in public forums.

    May want to rethink reposting ANYTHING customers say privately via your support system.

  20. #45
    Join Date: Nov 2004 | Location: Finland | Posts: 536
    For our needs I would need at least the following:

    Overview / High level descriptions:
    * Helldesk: At the very minimum of comparative quality to WHMCS
    * Invoicing has to be pretty much the same as on WHMCS - that thing actually works nicely for us
    * Decent product management (WHMCS lacks in so many areas)
    * Decent server management (WHMCS one is unusable for us, due to the sheer volume of servers we have)
    * Easily customized customer registration & data fields (dynamic to begin with, quite simple actually)
    * Proper modifications support, overrides, modules and hooks everywhere: So upgrading would actually be an option
    * Display only multi currency, can display other currencies, but all payments are actually handled in main currency option
    * Auto-accept, auto setup product actually can be configured to auto-accept the order as well (we are wasting so many hours clicking accept!)
    * Proper search all around, with include & exclude filters
    * Working, proper reports


    Some more detailed:

    Payments/Invoicing/Transactioning:
    * Following payment modules: Paypal, Bitpay, Checkout.fi, Manual
    * Regional/Country specific payment modules
    * Paypal payment module has to have configuration for the subscription/one time, allowing more time for customer to choose etc.
    * Full transactions list and management of transactions
    * Automatic VIES VAT check, customer VAT displayed on invoice (by default)

    Management features:
    * Ability to hide old products from everywhere but from a special management page
    * Ability to hide old servers from everywhere (or even delete)
    * No need to tie in user to specific server

    Marketing/Sales:
    * Robust, flexible affiliate system (WHMCS is rather limited)
    * Mass mailing system which is actually efficient (and doesn't have the WHMCS bugs, once we mailed service account details of one customer to almost all in the ongoing mailing due to WHMCS bug... Yea.... Since then we never handle any account stuff while doing a mail out, not even tickets!!)
    * Coupons, Specials

    Code, Architecture:
    * Decent software architecture - not overtly abstracted, not too little
    * Smarty templating - actually using it, and using it sanely
    * Smarty debug mode which works (certain types of views can make smarty debug unusable)
    * API: All that is accessible via browser, is also automatically in API, actually easy to do with proper software architecture
    * All variables, table names, etc. sensibly named, camelCase preferred, non abbreviated except from the most usual which are used in the spoken language
    * Proper database partitioning
    * Properly optimized database
    * Good module and modifications documentation
    * Sane module architecture


    If certain features would actually be usable in WHMCS, we would def use it, and enter more data into the system than we currently do. Currently unusable features include such as server listings (and thus their monitoring as well), products are encumbered to the point we want to avoid adding new ones (even with just 100+ it's a bit of pain in the ass, and as this grows annually as new services replace old ones ...)

    There are as many ways to use software as there are users, so I can understand why certain things don't work for us in WHMCS, but usually these could be fixed, even rather simply.

    With proper software architecture and design doing polishing like that, adding new features etc. becomes much much much easier as well than monolithic, dinosaur age, preschool code WHMCS uses.

    If I had time I would be working myself to make a better system - but as it is, my time is better spent elsewhere.
    Shame as lately I've wanted to get back to coding, and I have lots of experience and skill in that area, but when I have time to code, it's better spent working on our backend stuff.
    Pulsed Media: Dedicated Servers and Seedboxes
