
Securing an e-commerce website

Posted: Wed Jun 15, 2011 4:21 pm
by Zander1983
Hi
I was wondering, what are the main fundamental security features which should be in place on a PHP website? I have an e-commerce site, and the security measures I use are:

1. SSL
2. Any data from user is cleansed with mysql_real_escape_string()
3. MD5 used to encrypt passwords

Am I missing anything? Is this enough? With database tables, do I only need to encrypt password fields? Are all other fields ok as they are?

Cheers
Mark

Re: Securing an e-commerce website

Posted: Thu Jun 16, 2011 11:04 am
by Apollo
That's pretty much the basics (besides using common sense of course), however:
Zander1983 wrote: 3. MD5 used to encrypt passwords
see point 1 of these security guidelines.
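Added example, not part of Apollo's post or of the guidelines it links to: what replacing MD5 with a real password hash looks like in PHP. It uses password_hash and password_verify, which arrived in PHP 5.5 after this thread was written. The sample password, the bcrypt cost, and the assumption that legacy rows hold a bare 32-hex-character MD5 digest are all mine.

```php
<?php
// Added example, not from the thread: replacing MD5 with a proper
// password hash in PHP (password_hash/password_verify, PHP >= 5.5).
// The sample password and the cost value are assumptions.
declare(strict_types=1);

const BCRYPT_COST = 12;   // assumption: tune so one hash takes roughly 250 ms on your server

// MD5 is fast, unsalted and deterministic: every user with the same
// password gets the same digest, and a precomputed table breaks it.
function legacy_md5(string $plain): string
{
    return md5($plain);
}

// bcrypt: random per-user salt and a configurable work factor; salt and
// cost are embedded in the returned string. Caveat: bcrypt only reads
// the first 72 bytes of the password.
function store_password(string $plain): string
{
    return password_hash($plain, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// Login check; password_verify compares in constant time.
function check_password(string $plain, string $stored): bool
{
    return password_verify($plain, $stored);
}

// Transparent migration on login. Assumption: legacy rows hold a bare
// 32-hex-character MD5 digest, new rows hold a password_hash() string.
// $save receives the new hash to write back to the user's row.
function verify_and_upgrade(string $plain, string $stored, callable $save): bool
{
    if (preg_match('/^[0-9a-f]{32}$/', $stored) === 1) {
        if (!hash_equals($stored, legacy_md5($plain))) {
            return false;
        }
        $save(store_password($plain));   // accepted once, then replaced with bcrypt
        return true;
    }
    if (!password_verify($plain, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $save(store_password($plain));   // cost was raised since this row was written
    }
    return true;
}

// Demonstration with a constructed password.
$hashA = store_password('hunter2');
$hashB = store_password('hunter2');
var_dump($hashA !== $hashB);                   // random salt: one password, two different strings
var_dump(check_password('hunter2', $hashA));   // correct password
var_dump(check_password('Hunter2', $hashA));   // wrong case, must be rejected

// A user whose row still holds an MD5 digest is upgraded on the next login.
$row = legacy_md5('hunter2');
$ok  = verify_and_upgrade('hunter2', $row, function (string $new) use (&$row): void {
    $row = $new;
});
var_dump($ok, password_get_info($row)['algoName']);   // the row now carries a bcrypt hash
```

The migration path matters for an existing site: you cannot rehash MD5 digests in bulk because you do not have the plaintexts, so each row is converted the next time its owner logs in, and any row still holding an MD5 digest after a grace period should be forced through a password reset.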

Re: Securing an e-commerce website

Posted: Thu Jun 16, 2011 11:40 am
by flying_circus
Zander1983 wrote: 2. Any data from user is cleansed with mysql_real_escape_string()
If you have the ability, you should migrate to the mysqli (MySQL Improved) extension.
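Added example, not code from the thread: the escape-and-interpolate pattern Zander1983 describes, next to the prepared-statement form that the mysqli extension provides. The database name and credentials, and an orders table with id, customer_id and total columns, are assumptions; it needs a MySQL server to run and is meant to be called as a web script with a customer_id query parameter.

```php
<?php
// Added example, not from the thread: escaping versus a prepared statement
// with mysqli. Assumptions: a local MySQL server, database and user "shop",
// and an orders table with columns id, customer_id, total.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);   // throw instead of returning false
$db = new mysqli('localhost', 'shop', 'secret', 'shop');       // assumed credentials
$db->set_charset('utf8mb4');   // escaping is only correct for the connection's charset

// The approach from the original post: escape, then interpolate.
// real_escape_string only protects a value that sits inside quotes; in an
// unquoted numeric context it changes nothing, so an input of "1 OR 1=1"
// still rewrites the WHERE clause and returns every customer's orders.
function orders_escaped(mysqli $db, string $customerId): array
{
    $safe = $db->real_escape_string($customerId);
    $sql  = "SELECT id, total FROM orders WHERE customer_id = $safe";
    return $db->query($sql)->fetch_all(MYSQLI_ASSOC);
}

// Prepared statement: the query text goes to the server first, the value
// is bound afterwards and is never parsed as SQL. Binding as 'i' also
// enforces the integer type.
function orders_prepared(mysqli $db, int $customerId): array
{
    $stmt = $db->prepare('SELECT id, total FROM orders WHERE customer_id = ?');
    $stmt->bind_param('i', $customerId);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);   // get_result needs the mysqlnd driver
}

// Validate before the value reaches either function.
function customer_id_from_request(array $query): int
{
    $id = filter_var($query['customer_id'] ?? '', FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        exit('invalid customer id');
    }
    return $id;
}

$customerId = customer_id_from_request($_GET);
foreach (orders_prepared($db, $customerId) as $order) {
    // Escaping on the way out is the other half of "cleansing": it is
    // what stops stored data from becoming script in the page (XSS).
    echo htmlspecialchars((string) $order['id'], ENT_QUOTES, 'UTF-8'), "\t",
         htmlspecialchars((string) $order['total'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

The point of the contrast is that escaping is a property of one string in one quoting context, while a prepared statement separates code from data for the whole query; PDO with prepared statements gives the same guarantee if you would rather not tie the code to MySQL.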

Re: Securing an e-commerce website

Posted: Thu Jun 16, 2011 12:02 pm
by social_experiment
If you are using an existing CMS with a component such as Virtuemart make sure that it is set up correctly and look out for updates that will fix existing vulnerabilities.
Zander1983 wrote: With database tables, do I only need to encrypt password fields? Are all other fields ok as they are?
If you do have an e-commerce site it is probably a good idea to encrypt details such as credit card numbers if they are stored in the database. Encryption is not the same as hashing which is what you are doing with passwords.
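Added example illustrating the distinction social_experiment draws, not code from the post: hashing is one-way and is what passwords need; encryption is reversible with a key and is what you use for data you must read back. It uses the libsodium functions bundled with PHP 7.2 and later. The key, the sample value (the well-known Visa test number) and the tampering step are constructed for the example; whether a card number should be stored at all is a separate question that the next reply answers.

```php
<?php
// Added example, not from the thread: hashing versus encryption, using the
// libsodium functions shipped with PHP >= 7.2. Key and sample value are
// constructed here; in practice the key lives outside the database.
declare(strict_types=1);

// Hashing is one-way: a value can be checked against it, never recovered.
// Right for passwords; useless for data you must read later, and weak for
// low-entropy data such as a card number, which an attacker can enumerate.
function hash_for_verification(string $value): string
{
    return password_hash($value, PASSWORD_DEFAULT);
}

// Encryption is reversible with the key. secretbox is XSalsa20-Poly1305,
// an authenticated cipher, so a modified ciphertext is rejected rather
// than decrypted to garbage.
function encrypt_field(string $plaintext, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);   // unique per message
    $box   = sodium_crypto_secretbox($plaintext, $nonce, $key);
    return base64_encode($nonce . $box);   // nonce is stored alongside the ciphertext
}

function decrypt_field(string $stored, string $key): string
{
    $raw    = base64_decode($stored, true);
    $minLen = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $minLen) {
        throw new RuntimeException('malformed ciphertext');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('decryption failed: wrong key or tampered data');
    }
    return $plain;
}

$key = sodium_crypto_secretbox_keygen();   // 32 random bytes; never store next to the data

$pan = '4111 1111 1111 1111';   // constructed sample: the standard Visa test number

// One-way: nothing turns $hashed back into $pan, only password_verify() can check a guess.
$hashed = hash_for_verification($pan);
var_dump(password_verify($pan, $hashed));

// Reversible with the key: the stored blob alone reveals nothing.
$stored = encrypt_field($pan, $key);
var_dump(decrypt_field($stored, $key) === $pan);

// Authentication: flipping one byte of the stored blob is detected.
$raw = base64_decode($stored);
$pos = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + 2;
$raw[$pos] = chr(ord($raw[$pos]) ^ 0x01);
try {
    decrypt_field(base64_encode($raw), $key);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}

sodium_memzero($key);
```

The practical consequence for the question asked: fields the application only ever compares (passwords) are hashed, fields it has to display or forward (addresses, order details) are stored in clear or encrypted with a key the web server reads from outside the database, and nothing gains anything from being "hashed" if it has a small enough value space to brute-force.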

Re: Securing an e-commerce website

Posted: Thu Jun 16, 2011 12:25 pm
by flying_circus
social_experiment wrote: If you do have an e-commerce site it is probably a good idea to encrypt details such as credit card numbers if they are stored in the database.
It's never a good idea to store credit card numbers in the database. Receive them from a secure form post, hand them over to your payment processor, and forget about them.

Re: Securing an e-commerce website

Posted: Thu Jun 16, 2011 12:27 pm
by twinedev
If you are doing any credit card handling on your site (where the info is collected and/or stored on your server), you need to make sure you are following PCI compliance rules https://www.pcisecuritystandards.org/merchants/ (yeah, get ready for a lot of reading)

When in doubt when it comes to card info, outsource it to a place that deals with it daily. On my site, I offer 3rd party cc processing like PayPal. While I could write my own (did several for past employer), I don't want to have to lock down my server as much as required.

-Greg

Re: Securing an e-commerce website

Posted: Thu Jun 16, 2011 4:49 pm
by Zander1983
Thanks for this advice. Greg, I'm also using PayPal to take care of payments so I will not need to save credit card details. Regarding hashing, sounds like MD5 is no good. I'll look into using a different one.

Re: Securing an e-commerce website

Posted: Fri Jun 17, 2011 5:30 pm
by social_experiment
flying_circus wrote: It's never a good idea to store credit card numbers in the database. Receive them from a secure form post, hand them over to your payment processor, and forget about them.
Yeah, just in case the OP was storing them but it seems they aren't.