With all the benefits of e-commerce there are dangers such as identity theft for consumers and cyber attacks on websites. Site owners need take preventative measures. Wellman presents some security procedures and scripts for PHP driven sites.
if (empty($password)) { die("No Password specified");}
if ((strlen($password) < 5) || (strlen($password) > 15))
{ die("Password too long/short");}
?>
<?php
$host="";
$uname="root";
$pass="";
$database="nameofyourdatabase";
$connection= mysql_connect($host,$uname,$pass)
or die("Database connection failed! <br>")
$result=mysql_select_db($database)
or die("Database could not be selected");
$query = "SELECT password from login where customerid="" .$customerid ." ' ";
$result = mysql_query($query);
if($row=mysql_fetch_array($result))
{
if(!(md5($password) == $row["password"]))
{
die("Wrong Password!");
}
}
else
{
die("User does not exist!!"); }
?>
This script will first check that a password has been entered, and then that it is more than 5 characters long but less than 15. A password with less than 5 digits would be too insecure, and a password of more than 15 characters would take longer to generate a hash for and would take up more storage space. The stored hash that matches the username is extracted from the database, and a new hash is generated from the password that has been supplied. If the two match, the user is authenticated; if not, an appropriate error message is displayed.
You will not be able to use this form of encryption if you are storing information securely that you will need to able to use yourself such as customer addresses and credit card information. Fortunately, PHP provides programmers with a set of functions to encrypt and decrypt data via the mcrypt library. This form of encryption is not completely secure, but it is fairly powerful. Please note that in order to use the mcrypt-related functions, the library must be installed on your system and PHP must have been compiled with mcrypt support. The following section of code gives a basic example of this type of encryption and subsequent decryption:
This type of encryption, known as Symmetric Encryption, relies on the key value remaining a secret. This can lead to problems as the key value must be saved somewhere that the server has access to; thus, if someone takes control of your server, they could potentially locate your key and then decrypt your data.
Some of your security controls will need to be implemented at server rather than application level. This includes tasks such as authorization, basically lists of actions specified visitors are able to perform. These are commonly referred to as ACL's (Access Control Lists). Logging of suspicious activity is something that is sometimes defined in your server set up and is often a default setting. Logging can also be achieved via software, or functions can be written to scan log files and turn the results into html for viewing in a browser. Again, monitoring of the server is usually done via software solutions. There is a plethora of server monitoring software available that cover everything from checking that URL's are working to error notification and site diagnostics.
Conclusion
I hope this article has given you an overview of some basic site security procedures, and has hopefully given you something to think about when setting up an e-commerce site. Obviously I haven't covered every scenario and security procedure available.
