Just finished my first shopping cart

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

CGA_bot
Forum Newbie
Posts: 4
Joined: Sat Apr 10, 2010 7:02 pm

Just finished my first shopping cart

Post by CGA_bot »

I just finished coding my first MySQL / PHP project. It's a shopping cart for a website I designed for a client. I'm concerned about security because I'm fairly ignorant on the subject. I'm trying to do research but there seems to be a ton of information to take in. What do you guys do when you're done coding something to test it for vulnerabilities?

The only precaution I've taken so far is that the website has an ssl certificate and always runs in https. The forms in the checkout portion have some javascript validation, but I don't know if that matters. A bot can just turn off js right?

Is there a checklist of things I should be checking?

Thanks in advance. :)
timWebUK
Forum Contributor
Posts: 239
Joined: Thu Oct 29, 2009 6:48 am
Location: UK

Re: Just finished my first shopping cart

Post by timWebUK »

Ensure that all validation is carried out server-side as well as client-side. As you stated, Javascript can easily be disabled, bypassing any checks you have in place.
CGA_bot
Forum Newbie
Posts: 4
Joined: Sat Apr 10, 2010 7:02 pm

Re: Just finished my first shopping cart

Post by CGA_bot »

So, is that it? And my database is safe?
timWebUK
Forum Contributor
Posts: 239
Joined: Thu Oct 29, 2009 6:48 am
Location: UK

Re: Just finished my first shopping cart

Post by timWebUK »

Well, you haven't posted any code so we can't tell. But if we assume the validation you have is validating and escaping all user input and encoding any output, then yes, your database is safe.

All TSL/SSL does is encrypt the connection so that your packets cannot be intercepted and read. (For passwords, usernames and any other sensitive bits of information.)

Security is a huge subject and cannot simply be covered by a checklist, just keep reading and reading about it all! You'll pick up new techniques and if you get stuck, post on here, I'm sure someone can help if you're specific.
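To make the advice above concrete, here is an added example (not code posted by anyone in this thread) of a PHP checkout handler that repeats the validation server-side, queries MySQL through prepared statements, and HTML-encodes what it echoes back; the `products` table, its columns and the connection details are assumptions.

```php
<?php
// Added example, not code from this thread: the server-side checks that
// back up the browser-side JavaScript on a checkout form.
// Hypothetical schema: table `products` with columns id, name, price_cents.
declare(strict_types=1);
function validateCartItem(array $post): array
{
    $errors = [];
    // Quantity: whole number in a sane range; the client's value is never trusted.
    $qty = filter_var($post['qty'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 99]]);
    if ($qty === false) {
        $errors[] = 'Quantity must be a whole number between 1 and 99.';
    }
    // Product id: positive integer. The price is looked up from the database,
    // so a tampered hidden "price" field in the form is simply ignored.
    $productId = filter_var($post['product_id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($productId === false) {
        $errors[] = 'Unknown product.';
    }
    return ['errors' => $errors, 'qty' => $qty, 'product_id' => $productId];
}
function loadProduct(PDO $pdo, int $productId): ?array
{
    // Prepared statement: the id is bound as a parameter, never concatenated
    // into the SQL string, so the database only ever sees it as data.
    $stmt = $pdo->prepare('SELECT id, name, price_cents FROM products WHERE id = :id');
    $stmt->execute([':id' => $productId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function escapeHtml(string $text): string
{
    // Output encoding: anything echoed back into the page is HTML-escaped.
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Placeholder connection details; real credentials belong outside the web root.
$pdo = new PDO('mysql:host=localhost;dbname=shop', 'shop_user', 'PLACEHOLDER_PASSWORD',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
$input = validateCartItem($_POST);
$product = $input['errors'] === [] ? loadProduct($pdo, $input['product_id']) : null;
if ($product === null) {
    http_response_code(400);
    echo '<p>' . escapeHtml(implode(' ', $input['errors']) ?: 'Unknown product.') . '</p>';
    exit;
}
$lineTotal = $product['price_cents'] * $input['qty'];
echo '<p>' . escapeHtml($product['name']) . ' x ' . $input['qty'] . ' = ' . $lineTotal . ' cents</p>';
```

The same pattern applies to every field the checkout accepts: validate it again on the server, bind it as a parameter, and encode it on the way out.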
CGA_bot
Forum Newbie
Posts: 4
Joined: Sat Apr 10, 2010 7:02 pm

Re: Just finished my first shopping cart

Post by CGA_bot »

Thanks. :) The website is live now and I found a pretty good checklist to cover the major areas of attack used by "hackers".

Here's the list I was using:
http://www.codingforums.com/showthread.php?t=176717
There's a lot of good stuff linked in that thread.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Just finished my first shopping cart

Post by kaisellgren »

Security is a huge topic as you have noticed. It takes time to understand most of it. However, to get you started, take a look at here.
timWebUK wrote:All TSL/SSL does is encrypt...
Nitpicking, it's TLS and not TSL. :wink:
timWebUK
Forum Contributor
Posts: 239
Joined: Thu Oct 29, 2009 6:48 am
Location: UK

Re: Just finished my first shopping cart

Post by timWebUK »

kaisellgren wrote:
timWebUK wrote:All TSL/SSL does is encrypt...
Nitpicking, it's TLS and not TSL. :wink:
Woops! Thanks, haha.