Hi
I was wondering, what are the main fundamental security features which should be in place on a php website? I have an e-commerce site, and the security measures i use are:
1. SSL
2. Any data from user is cleansed with mysql_real_escape_string()
3. MD5 used to encrypt passwords
Am I missing anything? Is this enough? With database tables, do I only need to encrypt password fields? Are all other fields ok as they are?
Cheers
Mark
Securing an e-commerce website
-
Zander1983
- Forum Newbie
- Posts: 20
- Joined: Mon Mar 21, 2011 2:26 pm
Re: Securing an e-commerce website
That's pretty much the basics (besides using common sense of course), however:

Zander1983 wrote:
> 3. MD5 used to encrypt passwords

see point 1 of these security guidelines.
- flying_circus
- Forum Regular
- Posts: 732
- Joined: Wed Mar 05, 2008 10:23 pm
- Location: Sunriver, OR
Re: Securing an e-commerce website
Zander1983 wrote:
> 2. Any data from user is cleansed with mysql_real_escape_string()

If you have the ability, you should migrate to the mysqli (MySQL Improved) extension.
- social_experiment
- DevNet Master
- Posts: 2793
- Joined: Sun Feb 15, 2009 11:08 am
- Location: .za
Re: Securing an e-commerce website
If you are using an existing CMS with a component such as Virtuemart make sure that it is setup correctly and look out for updates that will fix existing vulnerabilities.
Zander1983 wrote:
> With database tables, do I only need to encrypt password fields? Are all other fields ok as they are?

If you do have an e-commerce site it is probably a good idea to encrypt details such as credit card numbers if they are stored in the database. Encryption is not the same as hashing, which is what you are doing with passwords.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
- flying_circus
- Forum Regular
- Posts: 732
- Joined: Wed Mar 05, 2008 10:23 pm
- Location: Sunriver, OR
Re: Securing an e-commerce website
social_experiment wrote:
> If you do have an e-commerce site it is probably a good idea to encrypt details such as credit card numbers if they are stored in the database.

It's never a good idea to store credit card numbers in the database. Receive them from a secure form post, hand them over to your payment processor, and forget about them.
Re: Securing an e-commerce website
If you are doing any credit card handling on your site (where the info is collected and/or stored on your server), you need to make sure you are following PCI compliance rules https://www.pcisecuritystandards.org/merchants/ (yeah, get ready for a lot of reading)
When in doubt when it comes to card info, outsource it to a place that deals with it daily. On my site, I offer 3rd party cc processing like PayPal. While I could write my own (did several for a past employer), I don't want to have to lock down my server as much as required.
-Greg
-
Zander1983
- Forum Newbie
- Posts: 20
- Joined: Mon Mar 21, 2011 2:26 pm
Re: Securing an e-commerce website
Thanks for this advice. Greg, I'm also using PayPal to take care of payments so I will not need to save credit card details. Regarding hashing, sounds like MD5 is no good. I'll look into using a different one.
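As an added example (not code from the thread or any poster): the md5() plus escape-and-interpolate pattern the opening post describes, beside a hardened PHP version that uses password_hash()/password_verify() with mysqli prepared statements and upgrades legacy md5 rows on their first successful login. The users table with username/pw_hash columns, and mysqli_real_escape_string() standing in for the old mysql_ extension in the weak version, are assumptions.

```php
<?php
declare(strict_types=1);
// Weak: what the thread's opening post describes. md5() is a fast, unsalted
// digest, and escaping-then-interpolating still builds the query from strings.
function weak_login(mysqli $db, string $user, string $pass): bool
{
    $u = mysqli_real_escape_string($db, $user);
    $h = md5($pass);
    $res = $db->query("SELECT 1 FROM users WHERE username='$u' AND pw_hash='$h'");
    return $res !== false && $res->num_rows === 1;
}

// Hardened: salted, slow, versioned hash plus a parameterised query.
// Table `users` with columns username/pw_hash is an assumed schema.
function register(mysqli $db, string $user, string $pass): bool
{
    $hash = password_hash($pass, PASSWORD_DEFAULT); // bcrypt, random salt embedded
    $stmt = $db->prepare('INSERT INTO users (username, pw_hash) VALUES (?, ?)');
    $stmt->bind_param('ss', $user, $hash);
    return $stmt->execute();
}

function login(mysqli $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE username = ?');
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $stmt->bind_result($stored);
    $found = $stmt->fetch();
    $stmt->close();
    if (!$found) {
        return false;
    }
    // Rows left over from the md5 era are 32 lowercase hex characters.
    $legacy = preg_match('/^[0-9a-f]{32}$/', $stored) === 1;
    $ok = $legacy ? hash_equals($stored, md5($pass)) : password_verify($pass, $stored);
    if (!$ok) {
        return false;
    }
    // Upgrade legacy rows on their first successful login; also rehash modern
    // rows whenever PASSWORD_DEFAULT's algorithm or cost has moved on.
    if ($legacy || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $new = password_hash($pass, PASSWORD_DEFAULT);
        $up = $db->prepare('UPDATE users SET pw_hash = ? WHERE username = ?');
        $up->bind_param('ss', $new, $user);
        $up->execute();
    }
    return true;
}
```

Once every account has logged in at least once, the legacy branch can be removed; rows that never log in again should be expired rather than kept as md5 digests.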
- social_experiment
- DevNet Master
- Posts: 2793
- Joined: Sun Feb 15, 2009 11:08 am
- Location: .za
Re: Securing an e-commerce website
flying_circus wrote:
> It's never a good idea to store credit card numbers in the database. Receive them from a secure form post, hand them over to your payment processor, and forget about them.

Yeah, just in case the OP was storing them, but it seems they aren't.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering