Lock Down Your Website - Preventative Measures (Page 3 of 4 )
If you are running (or planning to run) a PHP driven e-commerce store, you must account for the following security features:
- An authentication system that allows users to log into your site
- Routines that allow only properly authenticated users to access or update sensitive information
- Data encryption to securely store highly sensitive information such as credit card numbers
- Logging routines that record usage information to allow analysts to detect possibly malicious patterns of use
- Monitoring software that alerts administrators to malicious behavior in real-time
- Encrypted connections for transmitting sensitive information
To begin with, never use the GET method for sending sensitive information, always use POST to enclose the information in the HTTP header rather that the URL query string. The POST method is not necessarily more secure; it just doesn't display the information for all to see. Using the GET method to send a username and password to the PHP engine would be like posting a $100 bill in a transparent envelope.
In order to allow an authentication system, several things will need to be implemented: a form in which the user can register their username and password, and another form to sign into the site; a table in your database to store the usernames and associated passwords of users, and a secure way of storing this information; and PHP scripts that enter new information into the table and checks the table when a user tries to sign in.
I won't go into the html side of things here, but a simple PHP script to enter a new username and password into the table could be as follows:
<?php
$host=" ";
$uname= "root";
$pass=" ";
$database="nameofyourdatabase";
$tablename="nameofyourtable";
$connection= mysql_connect ($host, $uname, $pass)
or die ("Database connection failed! <br> ");
$result=mysql_select_db ($database)
or die ("Database could not be selected");
$query = "INSERT INTO nameofyourtable VALUES (' ".$customerid." ',' ".md5 ($password)." ') ";
if (!$query)
{
die(" Query could not be executed.<br>");
}
?>
The above code checks that the password field is not empty and that the password and confirm password are the same. The information is then written to the table and the password is stored as an MD5 hash using the md5() function. You then also need a PHP script to check the username and password when visitors sign in. This type of hash is known as a one way hash and is useful as a way of storing passwords because you'll never need to know what the visitor's password is.
Next: One Way Hash >>
More Security Articles
More By Dan Wellman
