
What are some practices I should use in a product registration system I'm building? I likely can't stop all malicious hacking, but I'd like to slow them down a great deal. (Note, I know only PHP.) I'm talking about things like encrypting traffic, testing the encryption from hacking like a man-in-the-middle attack, etc. The other concern I have is that this needs to work on most PHP5-based web hosting environments, which may not have mcrypt installed.

Volomike
  • Make your own encryption algorithm! – Jeffrey Sweeney Mar 22 '12 at 19:39
  • These all seem like general security questions, what kind of unique challenges might a product registration system have over any other kind of web application? – aceinthehole Mar 22 '12 at 19:43
  • The top few answers to [this question](http://programmers.stackexchange.com/questions/46716/what-should-every-programmer-know-about-web-development) have some really good information about security best practices that you can and should apply to any web application. – CFL_Jeff Mar 23 '12 at 12:13
  • PHP is the least secure language runtime out there, and the field of encryption is one of the hardest to get right without a PhD in advanced mathematics. Hosting environment without mcrypt? Really? How secure could that possibly be in other areas! This is asking how to protect the Hope Diamond with wet toilet paper stored in a cardboard box out on the street in New York City with a big sign that says "Hope Diamond" on the side in 15 different languages! –  Jun 30 '12 at 12:24

1 Answer

To encrypt traffic and prevent MITM attacks you need to require SSL to access your app and get a certificate from a certification company (i.e. Verisign). This isn't done through code, though; it's configured on the hosting server.

Other security measures you need to take are to parameterize everything you put in a SQL statement to prevent SQL injection. You will also need to ensure a user is authorized to view every page, so incrementing some id in the URL doesn't result in showing unauthorized information. You also need to use a salted hash to store user passwords, and properly hash or encrypt other sensitive information in the database appropriately. Do not store old passwords. Make sure that security patches are applied in a timely manner, and ensure your code is not susceptible to newly discovered vulnerabilities when they are revealed. Limit access as much as possible, separate duties as much as possible.

That's all the basic security stuff off the top of my head.

Ryathal
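The answer above is a checklist rather than code, so here is what its points look like in PHP for a small registration/licensing app. This is an added example, not code from the original question or answer. It assumes a PDO connection to MySQL, a `licenses(id, user_id, key_code)` table, a `users(id, email, password_hash)` table, a configured `APP_HOST` constant, and PHP 5.5 or later for `password_hash()`/`password_verify()` (on 5.3.7 to 5.4 the ircmaxell/password_compat polyfill provides the same functions). None of it needs mcrypt.

```php
<?php
// Added example, not from the original answer. Assumed schema:
//   licenses(id, user_id, key_code)   users(id, email, password_hash)
// APP_HOST is an assumed constant holding the canonical hostname.

function connect($dsn, $user, $pass)
{
    return new PDO($dsn, $user, $pass, array(
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Real server-side prepares: bound values never become part of the SQL text.
        PDO::ATTR_EMULATE_PREPARES => false,
    ));
}

// 1. Parameterized SQL. The injectable form the answer warns against, for contrast:
//      $pdo->query("SELECT * FROM licenses WHERE id = " . $_GET['id']);
function fetchLicense(PDO $pdo, $licenseId)
{
    $stmt = $pdo->prepare('SELECT id, user_id, key_code FROM licenses WHERE id = :id');
    $stmt->bindValue(':id', (int) $licenseId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 2. Per-page authorization. The row must belong to the logged-in user, so changing
//    ?id=41 to ?id=42 in the URL yields "not found" instead of someone else's key.
//    "Missing" and "not yours" get the same answer, so valid ids cannot be enumerated.
function fetchLicenseForUser(PDO $pdo, $licenseId, $currentUserId)
{
    $row = fetchLicense($pdo, $licenseId);
    if ($row === null || (int) $row['user_id'] !== (int) $currentUserId) {
        return null;
    }
    return $row;
}

// 3. Salted password hashing. password_hash() draws a fresh random salt per user and
//    stores it inside the bcrypt string, so there is no separate salt column and no
//    reason to keep old password hashes around.
function registerUser(PDO $pdo, $email, $password)
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (email, password_hash) VALUES (:email, :hash)');
    $stmt->execute(array(':email' => $email, ':hash' => $hash));
    return (int) $pdo->lastInsertId();
}

// Returns the user id on success, null on failure.
function login(PDO $pdo, $email, $password)
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE email = :email');
    $stmt->execute(array(':email' => $email));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    // Transparently upgrade the stored hash when the default cost or algorithm changes.
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = :hash WHERE id = :id');
        $upd->execute(array(
            ':hash' => password_hash($password, PASSWORD_DEFAULT),
            ':id'   => (int) $row['id'],
        ));
    }
    return (int) $row['id'];
}

// 4. TLS is configured on the host, as the answer says; this is only an application-level
//    backstop: bounce plain-HTTP requests to HTTPS and tell browsers to stay there.
//    The redirect uses the configured APP_HOST rather than the client-supplied Host header.
function requireHttps()
{
    $secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    if (!$secure) {
        header('Location: https://' . APP_HOST . $_SERVER['REQUEST_URI'], true, 301);
        exit;
    }
    header('Strict-Transport-Security: max-age=31536000');
}
```

Typical page flow: call `requireHttps()` first, resolve the session's user id, then `fetchLicenseForUser($pdo, $_GET['id'], $userId)` and treat `null` as a 404. PDO has shipped with PHP since 5.1, so this runs on the shared PHP5 hosts mentioned in the question without mcrypt; the one real version constraint is `password_hash()`, hence the polyfill note above.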