Creating a secure members area
Posted: Tue Dec 12, 2006 12:14 am
I'm having some political problems at work.
My company already has a big local website in the home country which I have nothing to do with - that site is 100% HTML static and has no login area etc.
Now I've been brought in to make an international version (from scratch, nothing is shared with the local site) for several overseas countries. I want to make a members system to provide more sensitive info only to members, and also to provide extra services to big corporate customers. In future I want to also increase this to add extra services to distributors. So it would be a level 0-10 access level type system. Higher management and the big boss are all into this idea.
Problem is the guys who make the local website, and their mates the general 'System dept.' people, are very against the members area and are throwing words like 'customer privacy' at me and basically saying we will get hacked and the customer data leaked and we will get sued / lose customers etc etc.
My counter argument is that there are tons of websites using a members area, so it can't be illegal and it's not impossible to make it secure. However, due to this pressure I have removed the members area for now. They control the server so I have no SSH access and can only secure things 'my side' in the PHP code. I've done obvious stuff like clean up inputs with mysql_real_escape_string, htmlentities, addslashes, and there's some basic protection against XSS. One guy in their team said I should be using an open source CMS rather than writing my own code.
So I want to hear your opinions on how to provide such a members area securely with PHP / MySQL. Also, I'd like to know if this kind of thing is better done with JSP/Tomcat (I've used this in the past and am kind of looking for an excuse to go back to it).
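The post describes protecting a hand-written PHP/MySQL members area by escaping inputs (mysql_real_escape_string, htmlentities, addslashes) and checking a 0-10 access level. The following is an added example, not the poster's code, of how the same members area looks when the data access, password storage and level checks are done with the mechanisms that make most of that input escaping unnecessary: PDO prepared statements (the query text and the data never mix, so no escaping of SQL values is needed), password_hash/password_verify for credentials, and a server-side session that carries the access level. It assumes PHP 7.3 or later, a `members` table with the columns shown in the comment, a DSN and credentials supplied through the environment, and that the site is served over HTTPS; all of those are assumptions, not facts from the thread.

```php
<?php
// Added example (not the poster's code): a minimal members area with
// prepared statements, hashed passwords and session-based access levels 0-10.
// Assumed schema:
//   CREATE TABLE members (
//     id            INT AUTO_INCREMENT PRIMARY KEY,
//     email         VARCHAR(255) NOT NULL UNIQUE,
//     password_hash VARCHAR(255) NOT NULL,
//     access_level  TINYINT      NOT NULL DEFAULT 0
//   );
declare(strict_types=1);

function db(): PDO {
    static $pdo = null;
    if ($pdo === null) {
        // DSN, user and password are assumed to come from the environment
        $pdo = new PDO(
            getenv('INTL_DB_DSN') ?: 'mysql:host=localhost;dbname=intl_site;charset=utf8mb4',
            getenv('INTL_DB_USER') ?: 'intl_app',
            getenv('INTL_DB_PASSWORD') ?: '',
            [
                PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
                PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepares
                PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
            ]
        );
    }
    return $pdo;
}

function start_session(): void {
    if (session_status() === PHP_SESSION_NONE) {
        session_set_cookie_params([
            'httponly' => true,   // JavaScript cannot read the cookie, limiting XSS impact
            'secure'   => true,   // cookie only travels over HTTPS
            'samesite' => 'Lax',  // basic CSRF mitigation for state-changing requests
        ]);
        session_start();
    }
}

function register(string $email, string $password, int $level = 0): void {
    if ($level < 0 || $level > 10) {
        throw new InvalidArgumentException('access level must be 0-10');
    }
    // Bound parameters are sent separately from the SQL text, so no
    // mysql_real_escape_string/addslashes is needed on the values.
    $stmt = db()->prepare(
        'INSERT INTO members (email, password_hash, access_level) VALUES (?, ?, ?)'
    );
    $stmt->execute([$email, password_hash($password, PASSWORD_DEFAULT), $level]);
}

function login(string $email, string $password): bool {
    start_session();
    $stmt = db()->prepare(
        'SELECT id, email, password_hash, access_level FROM members WHERE email = ?'
    );
    $stmt->execute([$email]);
    $row = $stmt->fetch();
    // Verify against a throwaway hash when the account does not exist so that
    // a missing user and a wrong password take roughly the same time.
    $hash = $row['password_hash'] ?? password_hash('no-such-user', PASSWORD_DEFAULT);
    if ($row === false || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);  // fresh id on privilege change defeats session fixation
    $_SESSION['member_id']    = (int) $row['id'];
    $_SESSION['email']        = $row['email'];
    $_SESSION['access_level'] = (int) $row['access_level'];
    return true;
}

// Gate a page on a minimum level; call this before any output.
function require_level(int $min): void {
    start_session();
    if (($_SESSION['access_level'] ?? -1) < $min) {
        http_response_code(403);
        exit('Forbidden');
    }
}

function logout(): void {
    start_session();
    $_SESSION = [];
    session_destroy();
}

// Escape on output, not on input: the database keeps the raw value and
// every HTML context gets it encoded at the moment it is rendered.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Usage on a page reserved for corporate customers (level 5 and above):
//   require_level(5);
//   echo '<p>Welcome, ' . h($_SESSION['email']) . '</p>';
```

Two design points are worth noting against the thread. First, the poster's concern that they can only secure things "my side" still holds: the session data and the database credentials live on the server the other team controls, so server hardening, TLS, and backups of the members table remain their responsibility regardless of how the PHP is written. Second, escaping on output with htmlspecialchars rather than running htmlentities/addslashes on input is what keeps the stored data usable across HTML, JSON and e-mail contexts without double-encoding.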