Creating a secure members area

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

mameha
Forum Newbie
Posts: 13
Joined: Thu Aug 24, 2006 1:36 am

Creating a secure members area

Post by mameha »

I'm having some political problems at work.

My company already has a big local website in the home country which I have nothing to do with - that site is 100% HTML static and has no login area etc.

Now I've been brought in to make an international version (from scratch, nothing is shared with the local site) for several overseas countries. I want to make a members system to provide more sensitive info only to members, and also to provide extra services to big corporate customers. In future I want to also extend this to add extra services to distributors. So it would be a level 0-10 access level type system. Higher management and the big boss are all into this idea.

Problem is the guys who make the local website, and their mates the general 'System dept.' people, are very against the members area and are throwing words like 'customer privacy' at me and basically saying we will get hacked and the customer data leaked and we will get sued / lose customers etc etc.

My counter argument is that there are tons of websites using a members area, so it can't be illegal and it's not impossible to make it secure. However, due to this pressure I have removed the members area for now. They control the server so I have no SSH access and can only secure things 'my side' in the PHP code. I've done obvious stuff like clean up inputs with mysql_real_escape_string, htmlentities, addslashes, and there's some basic protection against XSS. One guy in their team said I should be using an open source CMS rather than writing my own code.

So I want to hear your opinions on how to provide such a members area securely with PHP / MySQL. Also, I'd like to know if this kind of thing is better done with JSP/Tomcat (I've used this in the past and am kind of looking for an excuse to go back to it).
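As an added example (not code from the original post or from any project mentioned in it), here is the shape a practitioner would give such a members area in PHP. It uses PDO prepared statements so user input never reaches the SQL text, password_hash()/password_verify() so the database holds only slow salted hashes, an integer access level kept server-side in the session, and htmlspecialchars() on everything echoed into HTML. The level thresholds, the table layout and the sample users are assumptions; the in-memory SQLite database exists only so the script runs stand-alone from the command line, and in a real deployment the DSN would point at MySQL and `$session` would be `$_SESSION` after `session_start()`.

```php
<?php
declare(strict_types=1);
// Added example, not code from the original post. A minimal members area
// with integer access levels (0-10) as the poster describes. Uses an
// in-memory SQLite database so it runs stand-alone from the CLI; in
// production the DSN would point at MySQL and $session would be $_SESSION.

const LEVEL_MEMBER    = 1;   // assumed thresholds for the 0-10 scheme
const LEVEL_CORPORATE = 5;

function db(): PDO {
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('sqlite::memory:');
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $pdo->exec('CREATE TABLE users (
            id       INTEGER PRIMARY KEY,
            username TEXT UNIQUE NOT NULL,
            pwhash   TEXT NOT NULL,
            level    INTEGER NOT NULL DEFAULT 0)');
    }
    return $pdo;
}

// Store a salted, slow hash of the password, never the password itself.
function registerUser(string $username, string $password, int $level): void {
    $stmt = db()->prepare(
        'INSERT INTO users (username, pwhash, level) VALUES (:u, :h, :l)');
    $stmt->execute([
        ':u' => $username,
        ':h' => password_hash($password, PASSWORD_DEFAULT),
        ':l' => max(0, min(10, $level)),   // clamp to the 0-10 range
    ]);
}

// Parameterised query: the username is bound as data, so no escaping
// function is involved at all. Returns true and fills $session on success.
function login(string $username, string $password, array &$session): bool {
    $stmt = db()->prepare(
        'SELECT id, pwhash, level FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pwhash'])) {
        return false;   // same result for unknown user and wrong password
    }
    // In a web request call session_regenerate_id(true) here, so a session
    // id chosen before login (fixation) is never promoted to a logged-in one.
    $session = ['uid' => (int) $row['id'], 'level' => (int) $row['level']];
    return true;
}

// Server-side gate for every protected page. The level comes from the
// session that login() filled, never from a form field or cookie value.
function hasLevel(array $session, int $required): bool {
    return isset($session['level']) && $session['level'] >= $required;
}

// Output escaping for anything echoed into HTML (the XSS side of the problem).
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// --- demonstration with constructed sample data ---
registerUser('alice', 'correct horse battery staple', LEVEL_CORPORATE);
registerUser('bob',   'hunter2', LEVEL_MEMBER);

$attempts = [
    ['alice', 'correct horse battery staple'],
    ['bob',   'wrong'],
    ["x' OR '1'='1", 'anything'],   // injection attempt; bound as plain data
];
foreach ($attempts as [$u, $p]) {
    $s  = [];
    $ok = login($u, $p, $s);
    printf("login %-16s %s\n", h($u),
        $ok ? 'ok (level ' . $s['level'] . ')' : 'denied');
}

$session = [];
login('alice', 'correct horse battery staple', $session);
printf("alice corporate area: %s\n",
    hasLevel($session, LEVEL_CORPORATE) ? 'allowed' : 'denied');
login('bob', 'hunter2', $session);
printf("bob corporate area:   %s\n",
    hasLevel($session, LEVEL_CORPORATE) ? 'allowed' : 'denied');
echo h('<script>alert(1)</script>'), "\n";
```

The three things to check on any real deployment of this pattern are that the hash column is wide enough for password_hash() output (it grows over time as PASSWORD_DEFAULT changes), that the session cookie is marked HttpOnly and Secure and the site is served over HTTPS, and that every protected page calls the level check itself rather than relying on links being hidden in the navigation.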
gunman
Forum Newbie
Posts: 10
Joined: Fri Aug 26, 2005 12:07 pm

Post by gunman »

What you would use for such an area depends also on how much sensitive data you would show in the area. There is no such phrase as absolute security these days. I prefer to work with my own scripts, but also do not forget to check what my colleagues all around the world have achieved. If you are not sure of your capabilities I would recommend you use some ready-made application.

Success
phait
Forum Commoner
Posts: 46
Joined: Wed Apr 07, 2004 4:41 am
Location: watford / leicester, UK

Post by phait »

hi,
why are you posting an identical thread? You already started this discussion here:
viewtopic.php?t=60650

if you wanted to bump it why not just do so in the original post?

cheers,
phait
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

This should have been locked. :?

Thanks for bringing that up phait.