I'm developing an e-commerce site with PHP and MySQL and need some advice as to whether I've got my head around security. I was wondering if I've done enough and if there was anything I've missed.
Here's my biggest worry and what I've done to try to combat it.
On every new page a new session id is generated through
The old session is destroyed and all data is copied to the new session.
When a user logs in they are SSL secured and are SSL secured until they logout (or leave the site).
In my mind this will stop session hijacking, as if the hacker manages to get the session ID before the user logs on it will be useless, as it will change on the next click (being the log in click). When the user logs in the hacker will then need to contend with 128-bit crypt on all headers to get the session ID. Is this enough?
I'm still a little worried about the security and am wondering if there is anything more I can do to secure the site.
Passwords are stored as an MD5 hash with a 2 character salt.
The userid is stored in the session when they log in, to use in any SQL scripts.
I've read that storing the session ID and UserId in a table and referencing it that way is a good thing to do? If I change the session ID each time then I'd be forever reaching out to my database.
Thanks if anyone can offer advice...
joined:Feb 2, 2005
SSL and "smart" session handling will not help much against 'man in the middle' attacks. So I suggest paying a lot of attention to securing the server and PHP variable/input/error handling.
Are you talking about SQL Injection and input validation? That is something that, I must admit, is a bit lax at the moment. I have a DB class but I need a SQL Injection checker function in there, methinks.
Does anyone have a nice function that will do this?
joined:Feb 2, 2005
You will avoid SQL injection if you validate and prepare user input before using it in queries. Some nice classes for that can be found in PHP PEAR [pear.php.com], hotscripts [hotscripts.com] and so on. For example, the PEAR DB class automatically prepares all variables passed to the query against SQL injection.
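As an added illustration of the prepared-query advice above and of the per-page session regeneration in the first post (example code, not from anyone in this thread): the session-stored userid is bound as a query parameter rather than spliced into SQL text, and PHP's own session_regenerate_id() replaces the hand-rolled copy of session data at login. The DSN, credentials and the `orders` table are hypothetical placeholders.

```php
<?php
// Added example; assumes PDO with the pdo_mysql driver and a table
// orders(id, user_id, total). All names below are placeholders.
declare(strict_types=1);

function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=shop;charset=utf8mb4', // placeholder DSN
        'shop_user',                                         // placeholder user
        'change-me',                                         // placeholder password
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            // Server-side prepares: bound values are never part of the SQL string.
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );
}

// The pattern the thread warns about: request data and $_SESSION values are
// concatenated into SQL, so anything reaching $orderId is interpreted as SQL.
function fetchOrderUnsafe(PDO $pdo, string $orderId): array
{
    $sql = "SELECT id, total FROM orders WHERE id = '$orderId'"
         . " AND user_id = {$_SESSION['userid']}";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: placeholders are compiled first, values are sent separately,
// and the userid from the session is bound like any other parameter.
function fetchOrder(PDO $pdo, int $userId, string $orderId): array
{
    $stmt = $pdo->prepare(
        'SELECT id, total FROM orders WHERE id = :id AND user_id = :uid'
    );
    $stmt->execute([':id' => $orderId, ':uid' => $userId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Login step: PHP regenerates the id and deletes the old session data itself,
// so there is no need to copy $_SESSION by hand on every page.
function loginUser(int $userId): void
{
    session_regenerate_id(true);   // true = destroy the old session storage
    $_SESSION['userid'] = $userId;
}

session_start();
loginUser(42);                                   // constructed sample user
$rows = fetchOrder(connect(), (int) $_SESSION['userid'], $_GET['order'] ?? '');
```

The PEAR DB class mentioned above exposes the same prepare/execute split with `?` placeholders, so the same separation of SQL text from data applies there.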