Security for an auction site

Post by malcolmboston »

I am currently building an auction site and am seriously thinking about the security I should employ.

I have a few questions.

1) Obviously I will be behind an SSL environment for the site, but is it only needed for logging in and when inputting / sending sensitive information such as payment details, or should I put the whole site behind SSL?

2) For cookies, would you recommend a checksum for each cookie which is validated against a database? This way I wouldn't need to store the password in the cookie and could validate against the checksum and username combo.

3) Sessions: is there anything I should do out of the ordinary?

4) URLs: I currently use URLs like this: "item.php?id=3243"
Should I be doing it another way, as I see sites like MSN (high security sites) utilise a much longer gobbledygook string?

I think that's it, any replies would be great.

Mal

Post by feyd »

  1. I can go either way on this. It's sometimes annoying switching between secure and unsecure modes (just make sure all the page content and images don't ask the browser to switch states on the pages).
  2. I'm a fan of rolling checksums. Each page query gets a new checksum, different from the last, and the ones before it.
  3. Nothing out of the ordinary I can really think of. Protect everything from a possible register globals change. Do a lot of intense testing for SQL injection and the like.
  4. I think that's generally fine, however there is an upper limit to that number. Depending on if you recycle the IDs (probably not) you may want to consider a numbering that has a much larger range... like UUIDs or something.

As I said in IM a while ago, until you become big enough to have your own transaction servers and things, I'd avoid storing any sensitive information on the server itself. Unless your host has seriously good security, in which case, you may want to consult them for help securing it up more... :)
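
The rolling, database-validated cookie token from point 2 of both posts, as an added example that is not part of either post. The in-memory `$store` array stands in for a database table, and the function names `issueToken` and `rotateToken` are hypothetical.

```php
<?php
declare(strict_types=1);

// Assumption: this array stands in for a database table keyed by username.
$store = [];

/** Issue a fresh random token and keep only its hash on the server side. */
function issueToken(array &$store, string $username, int $ttl = 1800): string
{
    $token = bin2hex(random_bytes(32));       // 256 bits from the CSPRNG
    $store[$username] = [
        'hash'    => hash('sha256', $token),  // a leaked row cannot be replayed as a cookie
        'expires' => time() + $ttl,
    ];
    return $token;                            // cookie carries username + token, never the password
}

/** Validate username + token; on success return the next token, otherwise null. */
function rotateToken(array &$store, string $username, string $presented): ?string
{
    $row = $store[$username] ?? null;
    if ($row === null || $row['expires'] < time()) {
        unset($store[$username]);             // unknown or expired: nothing to accept
        return null;
    }
    // Constant-time comparison of the stored hash with the hash of the cookie value.
    if (!hash_equals($row['hash'], hash('sha256', $presented))) {
        unset($store[$username]);             // wrong or already-used token: end the login
        return null;
    }
    return issueToken($store, $username);     // "rolling": every valid request gets a new token
}

// Constructed walk-through of three requests for a sample user.
$first  = issueToken($store, 'mal');              // set at login
$second = rotateToken($store, 'mal', $first);     // next page view: accepted and rotated
$replay = rotateToken($store, 'mal', $first);     // old token presented again: rejected, login revoked
$after  = rotateToken($store, 'mal', $second);    // the revoked login no longer validates

var_dump($second !== null && $second !== $first, $replay, $after);
```

Rotating on every request means that two requests sent in parallel with the same cookie will cause the second to fail, so a site that loads pages concurrently needs to allow for that.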