
PHP Security


c_pattle


I'm building an e-commerce website using PHP and MySQL and I'm a bit worried about security issues. The website is going to be handling personal information so I want to make sure that it's secure and that no-one can get hold of it. I don't really have any idea about any security issues or problems that I could run into, and if perhaps you could point me in the direction of some tutorials that would be really great. Also if anyone here has been in the same situation, what did you do to make your site as secure as possible?

Thanks for any help.


One thing you could do is to use mysql_real_escape_string in your database queries to prevent any injection attacks. For example, instead of:

// Vulnerable version: $id and $status are concatenated straight into the SQL,
// so whatever the user typed becomes part of the query text.
$qry = "Select * from table where id = " . $id . " and status = '" . $status . "'";
$res = mysql_query($qry);

You could use:

// Escaped version. Two things to note: escaping only protects values that sit
// inside quotes, so the unquoted id must be forced to an integer (%d) rather
// than escaped as a string; and the mysql_* functions were removed in PHP 7,
// where PDO or MySQLi prepared statements take their place.
$qry = sprintf("Select * from table where id = %d and status = '%s'",
    (int) $id,
    mysql_real_escape_string($status));
$res = mysql_query($qry);

This will strip out any special characters that may be used to try an injection attack such as apostrophe, minus etc.

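As an added example that is not part of mattspriggs28's post: the same id/status lookup written with a PDO prepared statement. The values travel to MySQL separately from the SQL text, so no escaping step is needed and the unquoted integer column is covered as well (escaping on its own only protects values that sit inside quotes). The connection string, credentials, table name and sample inputs are assumptions.

```php
<?php
// Added example, not code from the thread. Connection details are assumed;
// replace them with your own.
$pdo = new PDO(
    'mysql:host=localhost;dbname=shop;charset=utf8mb4',
    'shop_user',
    'secret',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]
);

/**
 * Fetch the rows matching an id and a status. $id is validated as a
 * non-negative integer before it reaches the query; $status is bound as
 * a string. Neither value is ever spliced into the SQL text.
 */
function findByIdAndStatus(PDO $pdo, $id, string $status): array
{
    // Reject anything that is not a plain integer up front.
    if (filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]) === false) {
        throw new InvalidArgumentException('id must be a non-negative integer');
    }

    // `table` is a reserved word in MySQL, hence the backticks.
    $stmt = $pdo->prepare(
        'SELECT * FROM `table` WHERE id = :id AND status = :status'
    );
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->bindValue(':status', $status, PDO::PARAM_STR);
    $stmt->execute();

    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs standing in for form values.
$rows = findByIdAndStatus($pdo, '42', 'active');
echo count($rows), " row(s)\n";

// A value that is not a plain integer is refused before any SQL runs,
// whereas the concatenated query in the post above would have executed it.
try {
    findByIdAndStatus($pdo, '42abc', 'active');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

With ATTR_EMULATE_PREPARES off, the placeholders are bound by the server, so the driver never has to produce an escaped SQL string at all; the charset in the DSN still matters because it is what the client library uses when it does escape.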

Just as an extension to mattspriggs28's post - the main thing to know is never trust any data given to your website by the user. That data can be tampered with by the user and, if you're not careful, could cause havoc with your app. Running user supplied parameters through mysql_real_escape_string() like mattspriggs said is a good idea as it helps prevent the 'havoc' by escaping any characters that could modify the SQL query into something unplanned.


I would also avoid printing any user input directly back to the screen, without first stripping it of its HTML tags. For a really simple example, say you have the user search for an item in a catalog, then consider the resulting code:

<?php
// Vulnerable: $_POST['searchTarget'] is echoed back unmodified, so any HTML
// or script it contains reaches the browser as markup.
echo 'Search results for' , $_POST['searchTarget'] , '<br/>';
foreach ($searchResults as $result) {
    // code to print results to screen
}
?>

What if the user had input something like this into the searchTarget field?: <script type="text/javascript"> *insert malicious script here* </script>

You should use something along the lines of htmlentities() or strip_tags() to get rid of any HTML tags.

// user inputs <strong>Hello</strong>
echo 'Search results for' , htmlentities($_POST['searchTarget']) , '<br/>'; // outputs &lt;strong&gt;Hello&lt;/strong&gt;, which the browser displays as the text "<strong>Hello</strong>"
echo 'Search results for' , strip_tags($_POST['searchTarget']) , '<br/>'; // outputs Hello (the tags are removed)

It's also a good idea to get rid of the "/" character in any strings the user inputs, as this is often used for directory navigation:

// str_replace() returns the cleaned string rather than modifying its
// argument, so the result has to be assigned
$userInput = str_replace('/', '', $_POST['userInput']);

These practices will help protect your site from scripting attacks.

-jm

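As an added example, not jm's code: two helpers covering the points in this post. The first encodes output with htmlspecialchars() using ENT_QUOTES, so the value is also safe inside a quoted attribute, where strip_tags() on its own is not enough. The second replaces stripping "/" with a whitelist check on the filename and a realpath() comparison against the intended directory. The function names, base directory and sample inputs are constructed.

```php
<?php
// Added example, not code from the thread.

/**
 * Encode a string for insertion into HTML text or a double-quoted attribute.
 * ENT_QUOTES also encodes single quotes; the charset must match the page's.
 */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Reduce a user-supplied name to a single path component and confirm the
 * resolved path still lies inside $baseDir. Returns null when the name is
 * unusable or the file does not exist. Only characters on the whitelist
 * are accepted, which is safer than removing one known-bad character.
 */
function safeFilePath(string $baseDir, string $userName): ?string
{
    $name = basename($userName);                    // drops any directory part
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    if (!preg_match('/^[A-Za-z0-9._-]+$/', $name)) { // whitelist, not blacklist
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $resolved = realpath($base . DIRECTORY_SEPARATOR . $name);
    // realpath() follows symlinks, so the prefix check covers those too.
    if ($resolved === false || strpos($resolved, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                                // missing, or outside base
    }
    return $resolved;
}

// Constructed input standing in for $_POST['searchTarget'].
$searchTarget = '<strong>Hello</strong> & "friends"';

echo 'Search results for ', e($searchTarget), '<br/>', "\n";
// Sent to the browser as:
//   Search results for &lt;strong&gt;Hello&lt;/strong&gt; &amp; &quot;friends&quot;<br/>
// which displays as the literal text the user typed.

echo 'Search results for ', strip_tags($searchTarget), '<br/>', "\n";
// strip_tags() removes the tags but leaves & and " untouched:
//   Search results for Hello & "friends"<br/>
// so it is not a substitute for encoding once the value lands in an attribute.

// The same value echoed back into a form field: encode, never just strip.
echo '<input type="text" name="searchTarget" value="', e($searchTarget), '">', "\n";

// Constructed filename inputs against an assumed download directory.
$downloads = __DIR__ . '/downloads';
var_dump(safeFilePath($downloads, 'catalog.pdf'));          // path, if the file exists
var_dump(safeFilePath($downloads, '../../etc/passwd'));     // NULL: basename() + whitelist
var_dump(safeFilePath($downloads, 'report.pdf/../secret')); // NULL: not a single component
```

The whitelist deliberately excludes "/" and "\" both, and rejects "." and "..", so no replacement of individual characters is needed; removing one character from a blacklist leaves every other encoding of the same idea untouched.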

> It's also a good idea to get rid of the "/" character in any strings the user inputs, as this is often used for directory navigation
> str_replace('/', '', $_POST['userInput']);
> These practices will help protect your site from scripting attacks.

Could you not just use stripslashes() to remove slashes ;)
