Furry sites, even quite large ones that fans rely on, are typically run on a technical basis by one or maybe two people on a shoestring budget, often as a spare-time project. In fan commerce, the website is typically not the product itself, and may have been a one-off contract. Both of these situations are conducive to flawed coding and use of outdated technology.
There are exceptions, obviously; Bad Dragon is responsible for so many sites that they have a professional admin team - but even there, the programming of a fan site is done by site staff, who may not be qualified to write secure applications.
I know enough to doubt my own abilities when writing secure code, so I tend to punt to widely-developed application frameworks such as Drupal and MediaWiki, while trying to maintain standards on the administration side. Beware any site festooned with "tested for security" badges.