Home arrow Security arrow Page 4 - Lock Down Your Website

One Way Hash - Security

With all the benefits of e-commerce there are dangers such as identity theft for consumers and cyber attacks on websites. Site owners need take preventative measures. Wellman presents some security procedures and scripts for PHP driven sites.

TABLE OF CONTENTS:
  1. Lock Down Your Website
  2. Popular Cyber Attacks
  3. Preventative Measures
  4. One Way Hash
By: Dan Wellman
Rating: starstarstarstarstar / 75
June 01, 2004

print this article
SEARCH DEV SHED

TOOLS YOU CAN USE

advertisement

The following code can be used:

<?php

if (empty($password)) { die("No Password specified");}

if ((strlen($password) < 5) || (strlen($password) > 15))

{ die("Password too long/short");}

?>

<?php

$host="";

$uname="root";

$pass="";

$database="nameofyourdatabase";

$connection= mysql_connect($host,$uname,$pass)

or die("Database connection failed! <br>")

$result=mysql_select_db($database)

or die("Database could not be selected");

$query = "SELECT password from login where customerid="" .$customerid ." ' ";

$result = mysql_query($query);

if($row=mysql_fetch_array($result))

{

if(!(md5($password) == $row["password"]))

{

die("Wrong Password!");

}

}

else

{

die("User does not exist!!"); }

?>

This script will first check that a password has been entered, and then that it is more than 5 characters long but less than 15. A password with less than 5 digits would be too insecure, and a password of more than 15 characters would take longer to generate a hash for and would take up more storage space. The stored hash that matches the username is extracted from the database, and a new hash is generated from the password that has been supplied. If the two match, the user is authenticated; if not, an appropriate error message is displayed. 

You will not be able to use this form of encryption if you are storing information securely that you will need to able to use yourself such as customer addresses and credit card information. Fortunately, PHP provides programmers with a set of functions to encrypt and decrypt data via the mcrypt library. This form of encryption is not completely secure, but it is fairly powerful. Please note that in order to use the mcrypt-related functions, the library must be installed on your system and PHP must have been compiled with mcrypt support. The following section of code gives a basic example of this type of encryption and subsequent decryption:

<?php

$key_value = "KEYVALUE";

$plain_text = "PLAINTEXT";

$encrypted_text = mcrypt_ecb(MCRYPT_DES, $key_value, $plain_text, MCRYPT_ENCRYPT);

echo ("<p><b> Text after encryption  :  </b>");

echo ( $encrypted_text );

$decrypted_text = mcrypt_ecb(MCRYPT_DES, $key_value, $encrypted_text, MCRYPT_DECRYPT);


echo ("<p><b> Text after decryption  :  </b>");

echo ( $decrypted_text );

?>

This type of encryption, known as Symmetric Encryption, relies on the key value remaining a secret. This can lead to problems as the key value must be saved somewhere that the server has access to; thus, if someone takes control of your server, they could potentially locate your key and then decrypt your data. 

Some of your security controls will need to be implemented at server rather than application level. This includes tasks such as authorization, basically lists of actions specified visitors are able to perform. These are commonly referred to as ACL's (Access Control Lists). Logging of suspicious activity is something that is sometimes defined in your server set up and is often a default setting. Logging can also be achieved via software, or functions can be written to scan log files and turn the results into html for viewing in a browser. Again, monitoring of the server is usually done via software solutions. There is a plethora of server monitoring software available that cover everything from checking that URL's are working to error notification and site diagnostics.

Conclusion

I hope this article has given you an overview of some basic site security procedures, and has hopefully given you something to think about when setting up an e-commerce site. Obviously I haven't covered every scenario and security procedure available.



 
 
>>> More Security Articles          >>> More By Dan Wellman
 

blog comments powered by Disqus
escort Bursa Bursa escort Antalya eskort
   

SECURITY ARTICLES

- Secure Your Business for Data Privacy Day
- Google Testing Security Fob Password Alterna...
- Security News Highlights Concerns
- Going to Extremes for Data Security
- Skipfish Website Vulnerability Scanner
- Critical Microsoft Visual Studio Security Pa...
- US Faces Tech Security Expert Deficit
- LAN Reconnaissance
- An Epilogue to Cryptography
- A Sequel to Cryptography
- An Introduction to Cryptography
- Security Overview
- Network Security Assessment
- Firewalls
- What’s behind the curtain? Part II

Developer Shed Affiliates

 


Dev Shed Tutorial Topics: