Creating a secure members area

Posted: Tue Dec 12, 2006 12:14 am
by mameha
I'm having some political problems at work.

My company already has a big local website in the home country which I have nothing to do with - that site is 100% static HTML and has no login area etc.

Now I've been brought in to make an international version (from scratch, nothing is shared with the local site) for several overseas countries. I want to make a members system to provide more sensitive info only to members, and also to provide extra services to big corporate customers. In future I want to also extend this to add extra services to distributors. So it would be a level 0-10 access level type system. Higher management and the big boss are all into this idea.

Problem is the guys who make the local website, and their mates the general 'System dept.' people, are very against the members area and are throwing words like 'customer privacy' at me and basically saying we will get hacked and the customer data leaked and we will get sued / lose customers etc etc.

My counter argument is that there are tons of websites using a members area, so it can't be illegal and it's not impossible to make it secure. However, due to this pressure I have removed the members area for now. They control the server, so I have no SSH access and can only secure things 'my side' in the PHP code. I've done obvious stuff like cleaning up inputs with mysql_real_escape_string, htmlentities, addslashes, and there's some basic protection against XSS. One guy in their team said I should be using an open source CMS rather than writing my own code.

So I want to hear your opinions on how to provide such a members area securely with PHP / MySQL. Also, I'd like to know if this kind of thing is better done with JSP/Tomcat (I've used this in the past and am kind of looking for an excuse to go back to it).
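
For the PHP / MySQL approach the post asks about, an added example (not mameha's code or the company's) showing bound parameters in place of mysql_real_escape_string/addslashes, password hashing, and the 0-10 level check; the SQLite DSN, table and column names are assumptions so it runs offline.

```php
<?php
// Added example, not the poster's or the site's code: a minimal members gate
// with the 0-10 access-level scheme from the post. PDO with in-memory SQLite
// keeps it runnable offline; the DSN, table and column names are assumptions.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE members (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL, level INTEGER NOT NULL)');

// Registration stores a salted hash, never the password itself.
function registerMember(PDO $db, string $user, string $password, int $level): void
{
    $stmt = $db->prepare('INSERT INTO members (username, pw_hash, level) VALUES (?, ?, ?)');
    $stmt->execute([$user, password_hash($password, PASSWORD_DEFAULT), $level]);
}

// Authentication: the bound parameter does the job mysql_real_escape_string
// and addslashes were doing; quote characters in $user cannot change the query.
function authenticate(PDO $db, string $user, string $password): ?int
{
    $stmt = $db->prepare('SELECT pw_hash, level FROM members WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pw_hash'])) {
        return null; // same response for unknown user and wrong password
    }
    return (int) $row['level'];
}

// Authorization is a separate step: each page declares the minimum level it needs.
function canView(?int $memberLevel, int $required): bool
{
    return $memberLevel !== null && $memberLevel >= $required;
}

// Constructed sample accounts: a distributor (level 3) and a corporate customer (level 7).
registerMember($db, "o'brien", 'correct horse battery staple', 3);
registerMember($db, 'bigcorp_admin', 'another long passphrase', 7);

// A username containing a quote is stored and looked up as plain data.
$level = authenticate($db, "o'brien", 'correct horse battery staple');
var_dump(authenticate($db, "o'brien", 'wrong password'));
var_dump(canView($level, 7)); // corporate-only page
var_dump(canView($level, 2)); // distributor page

// XSS side: escape on output with htmlentities, not on the way into the database.
echo 'Welcome, ' . htmlentities("o'brien", ENT_QUOTES, 'UTF-8') . "\n";
```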

Posted: Mon Dec 18, 2006 3:17 am
by gunman
What you would use for such an area also depends on how much sensitive data you would show in the area. There is no such thing as absolute security these days. I prefer to work with my own scripts, but I also do not forget to check what my colleagues all around the world have achieved. If you are not sure of your capabilities, I would recommend you use some ready-made application.

Success

Posted: Mon Dec 18, 2006 11:25 am
by phait
Hi,
why are you posting an identical thread? You already started this discussion here:
viewtopic.php?t=60650

If you wanted to bump it, why not just do so in the original post?

cheers,
phait

Posted: Mon Dec 18, 2006 11:28 am
by feyd
This should have been locked. :?

Thanks for bringing that up phait.