
Forum Moderators: coopster & jatar k


Security Help

8:14 am on Aug 24, 2005 (gmt 0)

New User

10+ Year Member

joined:June 2, 2005
posts:9
votes: 0


Hi,

I'm developing an e-commerce site with PHP and MySQL and need some advice as to whether I've got my head around security. I was wondering if I've done enough and if there is anything I've missed.

Session Security...

Here's my biggest worry and what I've done to try to combat it.

On every new page a new session id is generated through

session_regenerate_id();

The old session is destroyed and all data is copied to the new session.

When a user logs in they are SSL secured and are SSL secured until they logout (or leave the site).

In my mind this will stop session hijacking, as if the hacker manages to get the session ID before the user logs on it will be useless, as it will change on the next click (being the log-in click). When the user logs in the hacker will then need to contend with 128-bit encryption on all headers to get the session ID. Is this enough?

I'm still a little worried about the security and am wondering if there is anything more I can do to secure the site.

Passwords are stored as an MD5 hash with a 2-character salt.

The userid is stored in the session when they login to use in any SQL scripts.

I've read that storing the session ID and UserId in a table and referencing it that way is a good thing to do? If I change the session ID each time then I'd be forever reaching for my database.

Thanks if anyone can offer advice...

8:40 am on Aug 24, 2005 (gmt 0)

New User

joined:Feb 2, 2005
posts:24
votes: 0


You should worry about server security and PHP security.

SSL and "smart" session handling will not help much against 'man in the middle' attacks. So I suggest paying a lot of attention to securing the server and PHP variable/input/error handling.

9:15 am on Aug 24, 2005 (gmt 0)

New User

10+ Year Member

joined:June 2, 2005
posts:9
votes: 0


Thanks for the reply....

Are you talking about SQL injection and input validation? That is something that, I must admit, is a bit lax at the moment. I have a DB class but I need a SQL injection checker function in there, methinks.

Does anyone have a nice function that will do this?

9:36 am on Aug 24, 2005 (gmt 0)

New User

joined:Feb 2, 2005
posts:24
votes: 0


Yes.

You will avoid SQL injection if you validate and prepare user input before using it in queries. Some nice classes for that can be found in PHP PEAR [pear.php.com], Hotscripts [hotscripts.com] and so on. For example, the PEAR DB class automatically prepares all variables passed to the query against SQL injection.
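As an added illustration of the two points raised in this thread (prepared statements against SQL injection, and regenerating the session id at login), here is a small PHP example that is not from any poster or from PEAR DB. It uses PDO with a placeholder DSN, credentials and `users` table, and password_hash()/password_verify() in place of the salted MD5 scheme the original poster describes; those two functions were added in PHP 5.5, well after this thread.

```php
<?php
// Added example, not from the thread. DSN, credentials and the `users`
// table (columns id, username, password) are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=shop', 'shop_user', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepare in MySQL
]);

// Vulnerable: the username is spliced straight into the SQL text, so a
// single quote in the value ends the string literal and whatever follows
// is parsed as SQL instead of being treated as data.
function findUserUnsafe(PDO $pdo, string $username): ?array {
    $sql = "SELECT id, password FROM users WHERE username = '$username'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Hardened: the query shape is fixed at prepare time and the value is
// bound separately, so the input can never change the statement's structure.
function findUserSafe(PDO $pdo, string $username): ?array {
    $stmt = $pdo->prepare('SELECT id, password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Registration: store a salted, slow hash rather than MD5 + 2-char salt.
function createUser(PDO $pdo, string $username, string $password): void {
    $stmt = $pdo->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// Login: verify the password, then regenerate the session id so that any id
// observed before authentication no longer maps to the logged-in session,
// and keep the user id in the session for later (prepared) queries.
function login(PDO $pdo, string $username, string $password): bool {
    $user = findUserSafe($pdo, $username);
    if ($user === null || !password_verify($password, $user['password'])) {
        return false;
    }
    session_regenerate_id(true); // true: delete the old session data
    $_SESSION['userid'] = (int) $user['id'];
    return true;
}
```

Regenerating once at login (and on logout) rather than on every page avoids the per-click database lookups the original poster was worried about, while still discarding any pre-authentication session id.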
