Securing an e-commerce website

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!


Zander1983
Forum Newbie
Posts: 20
Joined: Mon Mar 21, 2011 2:26 pm

Securing an e-commerce website

Post by Zander1983 »

Hi
I was wondering, what are the main fundamental security features which should be in place on a php website? I have an e-commerce site, and the security measures i use are:

1. SSL
2. Any data from user is cleansed with mysql_real_escape_string()
3. MD5 used to encrypt passwords

Am I missing anything? Is this enough? With database tables, do I only need to encrypt password fields? Are all other fields ok as they are?

Cheers
Mark
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: Securing an e-commerce website

Post by Apollo »

That's pretty much the basics (besides using common sense of course), however:
Zander1983 wrote:3. MD5 used to encrypt passwords
see point 1 of these security guidelines.
flying_circus
Forum Regular
Posts: 732
Joined: Wed Mar 05, 2008 10:23 pm
Location: Sunriver, OR

Re: Securing an e-commerce website

Post by flying_circus »

Zander1983 wrote:2. Any data from user is cleansed with mysql_real_escape_string()
If you have the ability, you should migrate to the mysqli (MySQL Improved) extension.
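An added example (not code from any poster in this thread) showing the two fixes raised above in one place: Apollo's point about not using MD5 for passwords, and flying_circus's point about moving to mysqli. It assumes PHP 7.1 or newer, a `users` table with `id`, `email` and `password_hash` columns, and placeholder connection credentials.

```php
<?php
// Added example: prepared statements with mysqli replace mysql_real_escape_string(),
// and password_hash()/password_verify() replace MD5 for stored passwords.
// Assumed schema: users(id INT AUTO_INCREMENT, email VARCHAR, password_hash VARCHAR(255)).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // make driver errors throw

function register_user(mysqli $db, string $email, string $password): bool
{
    // Salted, deliberately slow hash (bcrypt by default); never store md5($password).
    $hash = password_hash($password, PASSWORD_DEFAULT);

    // Prepared statement: the user's input is bound as data, never spliced into SQL text.
    $stmt = $db->prepare('INSERT INTO users (email, password_hash) VALUES (?, ?)');
    $stmt->bind_param('ss', $email, $hash);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

function login_user(mysqli $db, string $email, string $password): ?int
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE email = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->bind_result($id, $hash);
    $found = $stmt->fetch();
    $stmt->close();

    // Fails closed on an unknown email; password_verify() compares in constant time.
    if (!$found || !password_verify($password, $hash)) {
        return null;
    }

    // Re-hash on login if the default algorithm or cost has been raised since storage.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $new = password_hash($password, PASSWORD_DEFAULT);
        $upd = $db->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
        $upd->bind_param('si', $new, $id);
        $upd->execute();
        $upd->close();
    }
    return $id;
}

// Placeholder credentials; replace with your own.
$db = new mysqli('localhost', 'shop_user', 'shop_pass', 'shop');
$db->set_charset('utf8mb4'); // connection charset must match the data for binding to be safe
register_user($db, 'mark@example.com', 'correct horse battery staple');
var_dump(login_user($db, 'mark@example.com', 'correct horse battery staple'));
```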
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: Securing an e-commerce website

Post by social_experiment »

If you are using an existing CMS with a component such as Virtuemart make sure that it is setup correctly and look out for updates that will fix existing vulnerabilities.
Zander1983 wrote:With database tables, do I only need to encrypt password fields? Are all other fields ok as they are?
If you do have an e-commerce site it is probably a good idea to encrypt details such as credit card numbers if they are stored in the database. Encryption is not the same as hashing, which is what you are doing with passwords.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
flying_circus
Forum Regular
Posts: 732
Joined: Wed Mar 05, 2008 10:23 pm
Location: Sunriver, OR

Re: Securing an e-commerce website

Post by flying_circus »

social_experiment wrote:If you do have an e-commerce site it is probably a good idea to encrypt details such as credit card numbers if they are stored in the database.
It's never a good idea to store credit card numbers in the database. Receive them from a secure form post, hand them over to your payment processor, and forget about them.
twinedev
Forum Regular
Posts: 984
Joined: Tue Sep 28, 2010 11:41 am
Location: Columbus, Ohio

Re: Securing an e-commerce website

Post by twinedev »

If you are doing any credit card handling on your site (where the info is collected and/or stored on your server), you need to make sure you are following PCI compliance rules: https://www.pcisecuritystandards.org/merchants/ (yeah, get ready for a lot of reading)

When in doubt when it comes to card info, outsource it to a place that deals with it daily. On my site, I offer 3rd party cc processing like PayPal. While I could write my own (did several for a past employer), I don't want to have to lock down my server as much as required.

-Greg
Zander1983
Forum Newbie
Posts: 20
Joined: Mon Mar 21, 2011 2:26 pm

Re: Securing an e-commerce website

Post by Zander1983 »

Thanks for this advice. Greg, I'm also using PayPal to take care of payments, so I will not need to save credit card details. Regarding hashing, sounds like MD5 is no good. I'll look into using a different one.
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: Securing an e-commerce website

Post by social_experiment »

flying_circus wrote:It's never a good idea to store credit card numbers in the database. Receive them from a secure form post, hand them over to your payment processor, and forget about them.
Yeah, just in case the OP was storing them but it seems they aren't.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering