
Just finished my first shopping cart

Posted: Mon May 10, 2010 11:28 pm
by CGA_bot
I just finished coding my first MySQL/PHP project. It's a shopping cart for a website I designed for a client. I'm concerned about security because I'm fairly ignorant on the subject. I'm trying to do research, but there seems to be a ton of information to take in. What do you guys do when you're done coding something to test it for vulnerabilities?

The only precaution I've taken so far is that the website has an SSL certificate and always runs over HTTPS. The forms in the checkout portion have some JavaScript validation, but I don't know if that matters. A bot can just turn off JS, right?

Is there a checklist of things I should be checking?

Thanks in advance. :)

Re: Just finished my first shopping cart

Posted: Tue May 11, 2010 4:52 am
by timWebUK
Ensure that all validation is carried out server-side as well as client-side. As you stated, JavaScript can easily be disabled, bypassing any checks you have in place.

Re: Just finished my first shopping cart

Posted: Tue May 11, 2010 1:46 pm
by CGA_bot
So, is that it? And my database is safe?

Re: Just finished my first shopping cart

Posted: Thu May 13, 2010 4:05 am
by timWebUK
Well, you haven't posted any code so we can't tell. But if we assume the validation you have is validating and escaping all user input and encoding any output, then yes, your database is safe.

All TSL/SSL does is encrypt the connection so that your packets cannot be intercepted and read. (For passwords, usernames and any other sensitive bits of information.)

Security is a huge subject and cannot simply be covered by a checklist, just keep reading and reading about it all! You'll pick up new techniques and if you get stuck, post on here, I'm sure someone can help if you're specific.
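A worked illustration of the three things timWebUK describes (validate server-side, escape or parameterize database input, encode output), written as an added example for this thread; it is not code from the original post or from CGA_bot's cart. It assumes a hypothetical `cart_items` table with `session_id`, `product_id` and `quantity` columns, a `products` table with `id` and `name`, and placeholder PDO credentials.

```php
<?php
// Added example: server-side handling of a checkout form POST. The checks the
// cart's JavaScript already does are repeated here, because a client can
// simply disable JS and submit whatever it likes.
session_start();

// Hypothetical PDO connection; host, database and credentials are placeholders.
$db = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

// 1. Validate: accept only the exact shape each field should have.
//    filter_input() returns false when a filter fails and null when the field
//    is missing; both are falsy, and 0 is not a valid id or quantity anyway.
$productId = filter_input(INPUT_POST, 'product_id', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]);
$quantity  = filter_input(INPUT_POST, 'quantity', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1, 'max_range' => 99]]);
$email     = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);

if (!$productId || !$quantity || !$email) {
    http_response_code(400);
    exit('Invalid form submission.');
}

// 2. Database: bind values as parameters instead of concatenating them into
//    the SQL string, so user input can never change the structure of the query.
$stmt = $db->prepare(
    'INSERT INTO cart_items (session_id, product_id, quantity) VALUES (:sid, :pid, :qty)'
);
$stmt->execute([
    ':sid' => session_id(),
    ':pid' => $productId,
    ':qty' => $quantity,
]);

// 3. Output: HTML-encode anything echoed back to the page, including values
//    that passed validation and values read from the database, so browsers
//    render them as text rather than as markup.
$lookup = $db->prepare('SELECT name FROM products WHERE id = :pid');
$lookup->execute([':pid' => $productId]);
$productName = (string) $lookup->fetchColumn();

echo 'Added ' . htmlspecialchars((string) $quantity, ENT_QUOTES, 'UTF-8')
   . ' x '    . htmlspecialchars($productName, ENT_QUOTES, 'UTF-8')
   . ' for '  . htmlspecialchars($email, ENT_QUOTES, 'UTF-8');
```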

Re: Just finished my first shopping cart

Posted: Thu May 13, 2010 2:58 pm
by CGA_bot
Thanks. :) The website is live now and I found a pretty good checklist to cover the major areas of attack used by "hackers".

Here's the list I was using:
http://www.codingforums.com/showthread.php?t=176717
There's a lot of good stuff linked in that thread.

Re: Just finished my first shopping cart

Posted: Sun May 16, 2010 12:58 pm
by kaisellgren
Security is a huge topic, as you have noticed. It takes time to understand most of it. However, to get you started, take a look here.
timWebUK wrote: All TSL/SSL does is encrypt...
Nitpicking, it's TLS and not TSL. :wink:

Re: Just finished my first shopping cart

Posted: Mon May 17, 2010 5:13 am
by timWebUK
kaisellgren wrote:
timWebUK wrote: All TSL/SSL does is encrypt...
Nitpicking, it's TLS and not TSL. :wink:
Whoops! Thanks, haha.