Security issues within websites

Nixon

Hey all,

I am currently developing a Guitar Classifieds website. It is only my second major project, my first one being a fairly complicated site for an online game (http://outlink.coolfreepage.com). Now, the difference between my first project and my second is that my classifieds will be taking in money from REAL people. This means, customer satisfaction, SECURITY and a perfectly working website. The customer satisfaction and the working website I can just about manage, but I have never had to deal with security issues before. I am not going to be storing credit card details (whew!) so my databases just have address telephone numbers ect... I was just wondering how secure I should make it and how I would do it. I have login scripts and as I said a classified section. My login script just compromises of check a username and password against a database and storing it in a session. Is there anything I need to considor, for example people putting code into my login box, but would strip_code() sort this for me? I know this is a very long post (got a bit carried away) but I would appreciate ANY information from people with currently up and running websites.

Thank You.

drawmack

prevent against sql insertion attacks, make sure you don't leave any silly backdoors laying around where the hacker can bypass the log in script.

Other then that, do a full scale security test of the system running the code and make your code just a bit more secure then that and you'll be okay.

Nixon

So any specific security issues that usually get people?

superwormy

As secure as you feel is neccessary. We dont' know what / who you're storing information about / for so we can't really say. How pissed would your customers be if you leaked their phone numbers?

SQL interjection atttacks

register_globals issues

allowing blank passwords

using easy-to-guess passwords for database

leaving .inc files in www accessible places

leaving password files in www accessible places

relying on IP addresses, HTTP_USER_AGENTs, etc.

using sessions / logins that never ever expire

its nice also sometimes to use sleep() or something similar to lengthen the time it takes to allow a login. Slows down brute force attacks

you might also consider something like:


if ($username_tried_to_login_fourty_times_in_last_ten_minutes)
{

lock_this_account ();

}

Weedpacket

checkthisout