Also, be VERY careful what things you have running in TMS WebCore - make sure to turn off debug build when you ship the pages to an end user. If you do not do that or accidentally include the .map file you will expose all of your Delphi source code to end users. Five minutes later your system will be pwned by hackers.
I would make sure as much as possible is dealt with server side and only the bare minimum UI-related stuff is handled client side.
You could also consider WebStencils for some parts since it’s rendered server-side, whereas TMS WebCore (which I am a big fan of) is entirely running in the browser as unobfuscated minified JavaScript. For a payment app this is a vulnerability you need to consider and mitigate where possible.
Be VERY diligent about using HTTPS everywhere and look for CORS to prevent MITM attacks as well as making sure all user-entered inputs are sanitized to prevent SQL injection and other exploits.
Thanks Ian, I do most of that stuff anyway. But I must admit, I could use WebStencils for some bits. Have to play with it one day. At the moment, my inclination is to fall to PHP, just because it's familiar and I now have a mass of functions and pages in my library.
I always use Beyond Compare to transfer files - so the map files never go to the server, because it is masked off. I am using auto-versioning in TMS WebCore. And it doesn't delete the previous js or map files. I realised a few days ago, I had several 10s of Gigs of map files as they are not visible in any of my Beyond Compare sessions.
None of the DB stuff (except for edit and list) is via SQL across the net. It's always end-points executing stored procedures/functions with parameterized queries (on top of my routine to sanitise the user input). Later, I will replace the edit and list with stored procedures as well. I just have to finish off some stuff so that the Client can start using the system.
They are already getting bookings for fire and they really want to start using the system. They do at least 18 types of bookings. I have finished forms for 5 of them. But the forms are so complicated to code and to look nice, being in the "air-space". More complicated than I have ever done before for CRUD style stuff. And hopefully, my stuff doesn't look computerized. It seems like a long time ago, when I read "Why software sucks and what you can do about it", my brain flipped and I started thinking of UI from the user perspective.
The feedback from the client was that it looks really nice, so it's a good start.
I haven't attacked it with OWASP yet, but it's on my list.
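A pre-deployment check for the map-file problem discussed above, added here as an example (it is not code from the thread or from TMS). It scans a WebCore output folder for .map files and for .js files that still carry a sourceMappingURL comment, which is what a debug build leaves behind even when the .map itself was masked off the transfer. The folder and file names are constructed for the demo.

```shell
#!/bin/sh
# Pre-deployment check for a TMS WebCore output folder: fails if any .map
# file is present, or if any .js file still carries a
# //# sourceMappingURL= comment (a sign the debug build is still on).
# Usage: check_webcore_deploy /path/to/deploy/folder
check_webcore_deploy() {
    dir="$1"
    status=0
    # 1. Map files themselves: these contain the original Pascal source.
    maps=$(find "$dir" -type f -name '*.map')
    if [ -n "$maps" ]; then
        echo "FAIL: source map files found under $dir:" >&2
        echo "$maps" >&2
        status=1
    fi
    # 2. JS files that still point at a map. Even when the .map was masked
    #    off the transfer, this comment shows a debug build was shipped.
    refs=$(find "$dir" -type f -name '*.js' -exec grep -l 'sourceMappingURL=' {} + 2>/dev/null || true)
    if [ -n "$refs" ]; then
        echo "FAIL: .js files still reference a source map:" >&2
        echo "$refs" >&2
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: $dir is clean"
    return "$status"
}

# Constructed demo folders (not real TMS WebCore output) so the script
# runs offline: one clean release folder and one that shipped a debug build.
DEMO_ROOT=$(mktemp -d)
DEMO_GOOD="$DEMO_ROOT/release"; DEMO_BAD="$DEMO_ROOT/debug"
mkdir -p "$DEMO_GOOD" "$DEMO_BAD"
printf 'var a=1;\n' > "$DEMO_GOOD/Project1.js"
printf 'var a=1;\n//# sourceMappingURL=Project1.js.map\n' > "$DEMO_BAD/Project1.js"
printf '{"version":3,"sources":["Unit1.pas"]}\n' > "$DEMO_BAD/Project1.js.map"

check_webcore_deploy "$DEMO_GOOD"   # prints OK, returns 0
check_webcore_deploy "$DEMO_BAD"    # prints two FAIL lines, returns 1
```

Run it against the folder Beyond Compare syncs to the server before each transfer; a non-zero exit means something from the debug build is about to ship.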
Thanks, I looked at it, it hadn't been updated for a year and the note said that the author had only implemented what he needed. I wasn't looking forward to extending or even debugging someone else's code.
So, I got Claude to draft it up. It probably pilfered this one and others from other languages. I got it to do:
A core generic class/interface for payments
A class, based on that, for Stripe
An integration unit to the XData REST server
A Test unit
  to test basic functionality with no connection
  to test full functionality in the Stripe sandbox
That's working. I understand the code and have refactored it to my style - that is almost no comments. The names of the identifiers and procedures are the comment.
It took 4 hours, so still about 4 times faster than if I had typed it all in. Mind you it had a few doozies of bugs. I told it how I had fixed them. I forgot to say, don't alter the code.
So it fixed the code, then explained to me what the fix was and said it had fixed MY code.
It gets into a rut sometimes, which is surprising. Because, at that point, in essence, it's no better than my Eliza code (Fortran) on a Teletypewriter for Open Day at Uni (in the 70s), where the visitors thought there was a person at the other end. I enhanced it immensely for my 4 kids, around 2004 with linked lists (Pascal) and all the information I knew about them, including their friends' details. It kept them busy for hours.
I tell it “I already told you that doesn’t work”. One interchange later, it tells me the same thing. So I inform it again and one interchange later it says the same thing. Once I got so frustrated, I told it “If it was a person, I would smack it on the head”. And because of that rut, it misses the simplest of things.
Anyway. Today I wrote a segment all on my own just to confirm that I am benefitting from using Claude. I would have achieved more with Claude.
Because of the time taken to type it all in.
Because it's very good at writing test code for a new class. It's more exhaustive than I would have the patience to write.