So DNA Lounge has an online store, where we sell tickets to all of our events (we sell a lot of those), and a tiny amount of physical merch (like, a handful of shipments a month).
The store is a giant pile of PHP code that started out as the online store for Unspun Records in like 1997 or something. John and I have been beating on this pile of shit ever since, and we've made it pretty secure, but it's still a pile of shit and every time I have to touch it, part of me dies inside.
But we operate our own store because giving a percentage of your sales to someone else just to process checkouts for you is a sucker move.
It's a pile of shit, but it's our pile of shit.
It doesn't do all kinds of jQuery alpha-fades and slide things around on you, like you uppity kids enjoy so much these days, but it works and it's easy to understand.
But wouldn't it be nice if we had the option to save all of that for you, and not make you enter your card and addresses every time? Yeah, it would. Fun fact: internally, Amazon used to refer to the "one click checkout" button as "The Money Vacuum".
So, you know what I don't want to do? Write a login and user management system. Because it needs, at a bare minimum to be useful in this modern world: create/edit saved CC, shipping and billing addresses, email; verify email addresses any time they change; change passwords; emailed password reset tokens; login throttling; log in with Facebook; prompt for all the extra info that Facebook doesn't provide; oh, and the knowledge that the Facebook API gets rewritten from scratch every two years.
I mean, none of that is rocket surgery, but man, I really just don't wanna.
So about a year ago, someone suggested "PHP-Login" as something that might be relatively small and easy to integrate with our existing pile of shit. I looked at it for a minute, and the feature list sounded pretty nice, but the thought of digging through someone else's PHP code and deciding if I thought it was secure enough to trust my own store with it sounded really unpleasant, so I left it on my todo list and ignored it for another year.
Well the other day I came back to it for a second look, and guess what? In true Open Sores style, since the last time I looked at this project, it has been rewritten from scratch! You didn't see that coming, did you? Yeah. You did. You really did. So now it's called "Huge", which is about the least confidence-inspiring name imaginable.
So I'm reading through the README, hoping against hope that what I read will let me convince myself that this sounds like something I could trust, and these are the gems that jump out at me from that reading:
It is littered with smilies. I know I'm just an unfrozen caveman, but that's like dotting your eyes with hearts on a resumé.
With a straight face, and no emoticon, this piece of security software suggests that you install it by doing
"wget | sudo sh".
I'm just gonna leave this here:
A real documentation is in the making. Until then, please have a look at the code and use your IDE's code completion features to get an idea how things work, it's quite obvious when you look at the controller files, the model files and how data is shown in the view files. A big sorry that there's no documentation yet, but time is rare :)
Hopefully a real grammar is also making. Smiley not smiley.
Also: "There's no reason to complain (!) about free open-source software."
So I don't mean to bust on this guy too much, because he's being honest about what this project is: it's someone's Learning Experience. There's nothing wrong with that. Everyone's got to learn somehow, and writing things is the only way to do it. But that makes it a toy, not a product.
And that means the answer to the question of, should anyone use this in production, with actual money on the line, is: "are you insane?"
As learning experiences go, I know I'd trust my learning experience more than someone else's, but like I said, wow, I just really don't wanna. I know it would make my business better, but actually doing the work sounds about as pleasant as a root canal.
I guess what I'm saying here is, everything is terrible.