[dev] Suckless e-commerce script proposal

From: Joseph Graham <joseph_AT_xylon.me.uk>
Date: Thu, 22 Sep 2016 12:14:11 +0100

Hey all,

I would like some feedback on some ideas I have for a script to make a very
simple, but very secure, e-commerce website. Maybe it can be "slecommerce".

The principle is: most of the website is static. Static index pages. Static
item description pages. The item description pages link to a CGI script* with
an ID for the product in a query string. So for example
/cgi-bin/order?item=burgundy_shoes_23

The cgi script has a very simple text database containing:
id
name
price
stock count

Script takes the user through three steps:
1. filling out their details (simple question asked to check for human)
2. confirming that their details are correct
3. telling them that their order has been placed and giving them
   payment details to pay by bank transfer

At stage three the user's data is saved on the server and the stock count info
is updated.

Because payment is by bank transfer user's data does not contain any financial
information, just address, name and email etc. However for privacy perhaps
user's data can be encrypted with asymmetric encryption before writing to disk?

Script always checks stock immediately when called. If no stock, tells user and
doesn't let them give any info.

Advantages of this design:
-One CGI script, everything else static.
-Entire site requires no cookies or javascript.
-Secure because user does not have to give any financial info, and shop's bank
details are given over SSL.

Limitations of this design:
-Can only buy one item at a time, no shopping basket. For shopping basket we
would need cookies.
-Payment by bank transfer.
-Stock control is updated before payment received, so on non-payment sysadmin
must manually update stock-control.
-If an item is out of stock, the user will not know until they try to buy it
(because item description pages are static)

Propose python3 for the script because it has excellent unicode handling, and good
templating and RSA libraries available.

I should mention I already made a shop that works like this[1]. Script is 407
LOC of python3, plus the jinja2 templating engine[2] and cryptography
library[3] for asymmetric encryption of user's data. Also sends emails. On this
site the stock control is binary because there is only one of each item, so I
was able to use UNIX file rename as an atomic stock control operation. Works
fine even in eLinks. I haven't published the code of this implementation yet.

Tell me what ya think, guys!

*or self-serving HTTP script
[1] https://www.freedcomputer.uk
[2] http://jinja.pocoo.org/
[3] https://cryptography.io/en/latest/

-Joseph Graham

P.S. I haven't really introduced myself here before. Hi everyone!
Received on Thu Sep 22 2016 - 13:14:11 CEST
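The two parts of the proposal that carry the security load are the handling of the item id taken from the query string and the stock update that happens at step three. The following is an added example (not Joseph's unpublished script) of how that core could look in python3 with only the standard library: the item id is validated against a fixed alphabet before it is used as a lookup key, and the check-and-decrement of the stock count runs under an exclusive flock with a write-to-temp-and-rename, which generalises the rename-as-atomic-flag trick from the one-of-each shop to real counts. The database format (`id|name|price|stock`, one line per item), the lock file next to it, and the sample items are assumptions made for the example.

```python
"""Core of a one-script order handler (added example, not the author's code).
Assumed text database layout, one item per line:  id|name|price_pence|stock
A lock file is kept next to the database so concurrent CGI processes serialise."""
import fcntl
import os
import re
import tempfile
from urllib.parse import parse_qs

# The id is a lookup key and may end up in templates or file names, so only a
# short, fixed alphabet is accepted (assumption: ids look like "burgundy_shoes_23").
ITEM_ID_RE = re.compile(r"^[a-z0-9_]{1,64}$")


def item_id_from_query(query_string):
    """Return the validated item id, or None for anything that does not fit."""
    values = parse_qs(query_string, keep_blank_values=False).get("item", [])
    if len(values) != 1 or not ITEM_ID_RE.fullmatch(values[0]):
        return None
    return values[0]


def load_db(path):
    """Parse the flat text database into {id: (name, price_pence, stock)}."""
    items = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.rstrip("\n")
            if not line or line.startswith("#"):
                continue
            item_id, name, price, stock = line.split("|")
            items[item_id] = (name, int(price), int(stock))
    return items


def save_db(path, items):
    """Write a temp file in the same directory, fsync it, then rename it over
    the old database: readers see either the old or the new file, never a
    half-written one (rename is atomic on POSIX)."""
    dirname = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=dirname, prefix=".db-")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        for item_id, (name, price, stock) in items.items():
            fh.write(f"{item_id}|{name}|{price}|{stock}\n")
        fh.flush()
        os.fsync(fh.fileno())
    os.replace(tmp, path)


def reserve_one(db_path, item_id):
    """Take one unit of stock if any is left.

    Returns (ok, item); item is (name, price, remaining) or None if the id is
    unknown. Check and decrement happen under an exclusive flock so two CGI
    processes cannot both sell the last unit. The lock is released when the
    lock file object is closed at the end of the with block."""
    with open(db_path + ".lock", "w") as lock:
        fcntl.flock(lock.fileno(), fcntl.LOCK_EX)
        items = load_db(db_path)
        if item_id not in items:
            return False, None
        name, price, stock = items[item_id]
        if stock <= 0:
            return False, (name, price, 0)
        items[item_id] = (name, price, stock - 1)
        save_db(db_path, items)
        return True, items[item_id]


def demo():
    """Constructed sample database and requests; returns the outcome of each."""
    with tempfile.TemporaryDirectory() as d:
        db = os.path.join(d, "items.txt")
        with open(db, "w", encoding="utf-8") as fh:
            fh.write("# id|name|price_pence|stock\n")
            fh.write("burgundy_shoes_23|Burgundy shoes, size 23|4999|1\n")
            fh.write("blue_hat|Blue hat|1500|0\n")
        results = []
        for qs in ("item=burgundy_shoes_23", "item=burgundy_shoes_23",
                   "item=blue_hat", "item=../etc/passwd", "item=x&item=y"):
            item_id = item_id_from_query(qs)
            if item_id is None:
                results.append("rejected")
                continue
            ok, item = reserve_one(db, item_id)
            results.append("ordered" if ok else ("out_of_stock" if item else "unknown"))
        return results


if __name__ == "__main__":
    print(demo())  # ['ordered', 'out_of_stock', 'out_of_stock', 'rejected', 'rejected']
```

The second request for the shoes fails because the first one took the only unit, which is the behaviour the proposal wants at step three; the traversal-looking id and the duplicated parameter are refused before any file is touched. Since stock is decremented before payment arrives, the sysadmin's manual correction on non-payment is simply editing the count back up in the text file, as the post already notes.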

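On the question of encrypting the customer's details with asymmetric encryption before writing them to disk: a practical detail is that RSA-OAEP can only seal a payload smaller than the key size (under 200 bytes for a 2048-bit key), and a name plus postal address plus email can exceed that. The usual answer is hybrid encryption: encrypt the record with a fresh AES-GCM key and wrap only that key with RSA. The following is an added example, not the author's code, using the cryptography library the post cites; the blob layout, the associated-data label and the sample order are assumptions. The web server would hold only the public key; the private key stays with the shop owner offline.

```python
"""Seal an order record so only the shop owner's private key can read it
(added example, not the author's code). Hybrid scheme: AES-256-GCM for the
record, RSA-OAEP(SHA-256) for the one-off data key."""
import json
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)
# Assumed label, bound into the GCM tag so a blob cannot be passed off as
# something other than a version-1 order record.
ASSOCIATED_DATA = b"slecommerce-order-v1"


def seal_order(public_key, order):
    """Return bytes laid out as: 2-byte wrapped-key length | wrapped key |
    12-byte nonce | ciphertext+tag (assumed layout for this example)."""
    plaintext = json.dumps(order, sort_keys=True).encode("utf-8")
    data_key = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)
    ciphertext = AESGCM(data_key).encrypt(nonce, plaintext, ASSOCIATED_DATA)
    wrapped = public_key.encrypt(data_key, OAEP)
    return len(wrapped).to_bytes(2, "big") + wrapped + nonce + ciphertext


def open_order(private_key, blob):
    """Inverse of seal_order. Any modification of the blob makes either the
    OAEP unwrap or the GCM tag check fail, so garbage is never returned."""
    n = int.from_bytes(blob[:2], "big")
    wrapped, nonce, ciphertext = blob[2:2 + n], blob[2 + n:14 + n], blob[14 + n:]
    data_key = private_key.decrypt(wrapped, OAEP)
    plaintext = AESGCM(data_key).decrypt(nonce, ciphertext, ASSOCIATED_DATA)
    return json.loads(plaintext.decode("utf-8"))


def roundtrip_demo():
    """Constructed order. Returns (record survived the round trip,
    tampering with the stored blob was detected)."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    # The CGI script would load this PEM from disk; only the public half is there.
    public_pem = private_key.public_key().public_bytes(
        serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo)
    public_key = serialization.load_pem_public_key(public_pem)

    order = {"item": "burgundy_shoes_23", "name": "A. Customer",
             "address": "1 Example Street, Exampletown", "email": "a@example.invalid"}
    blob = seal_order(public_key, order)
    recovered = open_order(private_key, blob)

    # Flip one byte of the stored blob (lands in the GCM tag) and confirm the
    # owner's decryption step refuses it instead of returning altered data.
    tampered = bytearray(blob)
    tampered[-1] ^= 0x01
    try:
        open_order(private_key, bytes(tampered))
        tamper_detected = False
    except (InvalidTag, ValueError):
        tamper_detected = True
    return recovered == order, tamper_detected


if __name__ == "__main__":
    print(roundtrip_demo())  # (True, True)
```

Because every order gets its own data key and nonce, two identical orders produce unrelated blobs, and losing the private key loses every stored order, so the owner's key backup is part of the design rather than an afterthought.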