mme, posted October 2, 2010 (https://forums.phpfreaks.com/topic/215009-security/):

Hi, I am currently working on an Invoice System using PHP and MySQL. However, I was just wondering if the system I am using is secure enough. The client gets a link like this: mysite.com/?customerid=b3e470c55aad30eb38ee52eec1d8cb52. Each client has a unique "id". I also have an ID for the administrative back-end. I do clean the GET variable before querying the database, though. Do I need to secure this with anything else, or is this enough? This is my first time creating anything with PHP and MySQL together. Thanks, mme
JTallis, posted October 2, 2010:

I imagine that's an ID that's been encrypted, right? That would be more secure than it just being the actual ID. Eventually, after so many invoices, people will be able to type in a random ID and it'll bring up someone's invoice. You don't want that. If it's encrypted, that's better; maybe add in the customer's email address too. So for guessers, it's not only just the invoice ID, they need the invoice customer's email too. If anyone gets through that, then .. it's just tough luck I guess. I'm not a master with invoices, but that's my throw-in for you.
mme (author), posted October 2, 2010:

Thanks for your quick reply. I have implemented the new changes, so now the customer ID is encrypted and their email address is required. Thanks, mme
JTallis, posted October 2, 2010:

If you wanted to go slightly more secure, forget the email, and send an email to the customer containing a password. This password would need to be used to access the invoice. So the URL needs to contain an encrypted invoice ID, and the customer needs to input their password. The password would be in the invoice table in the database, or whatever is containing the invoices, so you can check if it's a valid login. Sorry I didn't think of this beforehand.
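The scheme discussed in the two replies above (an unguessable value in the link, plus an emailed password checked against the invoice table), written out as an added example that is not code from either poster. It assumes a PDO connection `$pdo` and an `invoices` table with columns `id`, `token_hash`, `customer_email` and `password_hash` (all assumed names). It uses a random token rather than an "encrypted ID", because an encrypted sequential ID is only as unguessable as the key and scheme protecting it, while a random token has nothing to derive it from.

```php
<?php
// Added example (not the poster's code). Assumed schema:
//   invoices(id, token_hash, customer_email, password_hash)
declare(strict_types=1);

// Called when an invoice is created. Returns [link token, emailed password];
// only hashes of both are stored, so a leaked database does not leak the link.
function issueInvoiceCredentials(PDO $pdo, int $invoiceId): array
{
    $token    = bin2hex(random_bytes(32));   // 256 bits: not guessable by enumeration
    $password = bin2hex(random_bytes(8));    // one-time password sent by email
    $stmt = $pdo->prepare(
        'UPDATE invoices SET token_hash = :t, password_hash = :p WHERE id = :id'
    );
    $stmt->execute([
        ':t'  => hash('sha256', $token),
        ':p'  => password_hash($password, PASSWORD_DEFAULT),
        ':id' => $invoiceId,
    ]);
    return [$token, $password];
}

// Called when the customer opens the link and submits email + password.
// Returns the invoice row, or null on any failure (no hint about which check failed).
function openInvoice(PDO $pdo, string $token, string $email, string $password): ?array
{
    // Prepared statement: the GET value is bound, never spliced into the SQL text,
    // which is the real protection behind "cleaning" the variable.
    $stmt = $pdo->prepare('SELECT * FROM invoices WHERE token_hash = :t LIMIT 1');
    $stmt->execute([':t' => hash('sha256', $token)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    // Constant-time comparison of the email, bcrypt verification of the password.
    $emailOk = hash_equals(strtolower($row['customer_email']), strtolower(trim($email)));
    $passOk  = password_verify($password, $row['password_hash']);
    return ($emailOk && $passOk) ? $row : null;
}

// Request handling sketch (token from the link, email and password from the form):
// $row = openInvoice($pdo, (string)($_GET['customerid'] ?? ''),
//                    (string)($_POST['email'] ?? ''), (string)($_POST['password'] ?? ''));
// if ($row === null) { http_response_code(403); exit('Invoice not found'); }
```

Rate-limit failed attempts on the lookup endpoint as well; with the token in the URL and the password in the form, the remaining risk is online guessing of the short emailed password.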
mme (author), posted October 3, 2010:

Thanks for all your help, I have now done both, email and a password. Thanks, mme