
Preventative Measures - Security

With all the benefits of e-commerce there are dangers such as identity theft for consumers and cyber attacks on websites. Site owners need to take preventative measures. Wellman presents some security procedures and scripts for PHP-driven sites.

By: Dan Wellman
June 01, 2004


If you are running (or planning to run) a PHP driven e-commerce store, you must account for the following security features:

  • An authentication system that allows users to log into your site
  • Routines that allow only properly authenticated users to access or update sensitive information
  • Data encryption to securely store highly sensitive information such as credit card numbers
  • Logging routines that record usage information to allow analysts to detect possibly malicious patterns of use
  • Monitoring software that alerts administrators to malicious behavior in real-time
  • Encrypted connections for transmitting sensitive information

To begin with, never use the GET method for sending sensitive information; always use POST, which encloses the information in the body of the HTTP request rather than in the URL query string. The POST method is not necessarily more secure; it just doesn't display the information for all to see. Using the GET method to send a username and password to the PHP engine would be like posting a $100 bill in a transparent envelope.

To build an authentication system, you will need to implement several things: a form in which users register a username and password, and another form to sign in to the site; a database table that stores the usernames and associated passwords, with a secure way of storing this information; and PHP scripts that enter new information into the table and check the table when a user tries to sign in.

I won't go into the HTML side of things here, but a simple PHP script to enter a new username and password into the table could be as follows:

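<?php
// Connection settings: replace with your own values.
$host = "";
$uname = "root";
$pass = "";
$database = "nameofyourdatabase";
$tablename = "nameofyourtable";

// mysqli replaces the mysql_* functions, which were removed in PHP 7.
$connection = mysqli_connect($host, $uname, $pass)
    or die("Database connection failed! <br> ");
mysqli_select_db($connection, $database)
    or die("Database could not be selected");

// Form field names are assumed here; match them to your registration form.
$customerid = isset($_POST['customerid']) ? $_POST['customerid'] : '';
$password   = isset($_POST['password']) ? $_POST['password'] : '';
$confirm    = isset($_POST['confirm']) ? $_POST['confirm'] : '';

// Reject an empty password or a confirmation that does not match.
if ($password === '' || $password !== $confirm) {
    die("Password missing or passwords do not match.<br>");
}

// Bind the values as parameters so user input never becomes part of the SQL text.
$hash = md5($password);
$stmt = mysqli_prepare($connection, "INSERT INTO $tablename VALUES (?, ?)");
if (!$stmt
    || !mysqli_stmt_bind_param($stmt, "ss", $customerid, $hash)
    || !mysqli_stmt_execute($stmt)) {
    die(" Query could not be executed.<br>");
}
?>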

The above code checks that the password field is not empty and that the password and confirm password are the same. The information is then written to the table, with the password stored as an MD5 hash using the md5() function. This type of hash is known as a one-way hash and is useful for storing passwords because you'll never need to know what the visitor's password is. You then also need a PHP script to check the username and password when visitors sign in.
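
A registration and sign-in check along the lines described above, as an added example that is not the article's own code: it swaps md5() for PHP's password_hash() and password_verify(), because a fast, unsalted digest such as MD5 is cheap to brute-force if the table leaks, and it upgrades rows already stored as MD5 at the next successful sign-in. The customers table, the function names and the in-memory SQLite database are assumptions made so the script runs on its own.

```php
<?php
// Added example (not from the article). Table and function names are assumptions;
// an in-memory SQLite database stands in for MySQL so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE customers (customerid TEXT PRIMARY KEY, pwhash TEXT NOT NULL)');

function register_user(PDO $db, string $id, string $password, string $confirm): bool
{
    // The checks the article describes: non-empty password, matching confirmation.
    if ($id === '' || $password === '' || $password !== $confirm) {
        return false;
    }
    // password_hash() salts each password and uses a deliberately slow algorithm.
    $stmt = $db->prepare('INSERT INTO customers (customerid, pwhash) VALUES (?, ?)');
    return $stmt->execute([$id, password_hash($password, PASSWORD_DEFAULT)]);
}

function check_login(PDO $db, string $id, string $password): bool
{
    $stmt = $db->prepare('SELECT pwhash FROM customers WHERE customerid = ?');
    $stmt->execute([$id]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false;                       // unknown user
    }
    // Rows written by an md5()-based script hold a 32-character hex digest.
    $legacy = (bool) preg_match('/^[0-9a-f]{32}$/', $stored);
    $ok = $legacy ? hash_equals($stored, md5($password))
                  : password_verify($password, $stored);
    // Upgrade legacy or outdated hashes once the correct password is known.
    if ($ok && ($legacy || password_needs_rehash($stored, PASSWORD_DEFAULT))) {
        $up = $db->prepare('UPDATE customers SET pwhash = ? WHERE customerid = ?');
        $up->execute([password_hash($password, PASSWORD_DEFAULT), $id]);
    }
    return $ok;
}

// Constructed sample data: one new registration and one legacy MD5 row.
register_user($db, 'alice', 'correct horse', 'correct horse');
$db->prepare('INSERT INTO customers VALUES (?, ?)')->execute(['bob', md5('hunter2')]);

var_dump(register_user($db, 'carol', 'abc', 'abd'));   // confirmation mismatch
var_dump(check_login($db, 'alice', 'correct horse'));  // hash written by password_hash()
var_dump(check_login($db, 'alice', 'wrong password')); // same user, wrong password
var_dump(check_login($db, 'bob', 'hunter2'));          // legacy MD5 row, rehashed on success
```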



 
 