#1
Junior Member, Devshed Newbie (0 - 499 posts)
Join Date: Jul 2001 | Posts: 22 | Rep Power: 0

Online transactions

Other than a merchant account, an SSL certificate registered with the proper authority, such as Verisign, and a credit card gateway to process the card, are there any other security issues I should be aware of before setting up a site to handle online transactions?

Thanks
#2
Apprentice Deity, Devshed Loyal (3000 - 3499 posts)
Join Date: Jul 1999 | Location: Niagara Falls (On the wrong side of the gorge) | Posts: 3,237 | Rep Power: 19

Don't store credit card details.
#3
Slacker, Devshed Newbie (0 - 499 posts)
Join Date: Feb 2001 | Location: Sweden | Posts: 76 | Rep Power: 14

Make sure your scripts are secure....
#4
Contributing User, Devshed Newbie (0 - 499 posts)
Join Date: Jul 2002 | Posts: 95 | Rep Power: 12

How do you make sure your scripts are secure? Are there common things to check for? And also, how safe is your host?

C:\DOS C:\DOS\RUN RUN\DOS\RUN
http://www.dandland.com
#5
Slacker, Devshed Newbie (0 - 499 posts)
Join Date: Feb 2001 | Location: Sweden | Posts: 76 | Rep Power: 14

Well, the most important thing is to make sure users can't throw any data they want into whatever forms you use. An easy example is the zip code. If you accept anything, I can write "dshsdfh" if I want. Now, many restrict it to just numbers, which is a step in the right direction. But, since zip codes are the same all the time, you can specify that you won't accept a zip code looking like "11 211 2 2", in other words, non-standard. It's both a security hazard and a hassle for your database, which you want free of errors.

Another good idea is to make sure people use the correct letters when writing their names or whatever. If you don't, someone might send some funny characters like " 0 1 ' # % | & or ; and so on that might break your script... and worse, if used "properly" it can be used to execute commands on the server.

Oh, and never save important data in plaintext in your database... encrypt it.

Another thing that I do when I program is to never have passwords in my scripts. I put them in a file outside the web structure, and sometimes, when security is really, really important, I encrypt the file as well. Encrypting the file does hit the server hard if you have many hits on it though, so this is a judgement call on the necessity, but I would always opt for a paranoid view in matters like that.

If you are a non-programmer and have just ordered the script from someone, you can either hire another firm to check the code for security issues... or you can just hope that the firm did a good job. Any serious programmer should have programmed these checks for something as important as credit card details though, so if you've hired a good firm, you should (hopefully) be secure.

Then, as for the servers, the same goes there... if you aren't a security expert, you can either hire people that are, or trust that you have a good sysadmin/web host admin.
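The checks the post above describes, as an added example that is not part of the original thread or the poster's code. Python is an assumption (the thread names no language), as are the field names, the US-style ZIP pattern, the JSON credential file and the /etc/shop/db.json-style location the temp directory stands in for. It shows the three points in order: allowlist validation of a zip code and a name, why a stray `;` in an unvalidated field runs a second command on the server once the value reaches a shell (and why handing the program an argv list instead does not), and loading database credentials from a file outside the web root that is refused if other users can read it.

```python
import json
import os
import re
import subprocess
import tempfile
from pathlib import Path

# 1. Allowlist validation: accept only the shape each field should have.
# US-style ZIP, 5 digits or ZIP+4 (assumed address format; adjust per market).
ZIP_RE = re.compile(r"^\d{5}(?:-\d{4})?$")
# Names: runs of letters (any script) joined by single spaces, apostrophes or
# hyphens.  Characters such as ; | & # % 0 1 cannot match at all.
NAME_RE = re.compile(r"^[^\W\d_]+(?:[ '\-][^\W\d_]+)*$")
MAX_NAME_LEN = 80


def validate_order(fields):
    """Return {field: reason} for every field that fails; {} means all OK."""
    errors = {}
    zipcode = fields.get("zip", "").strip()
    if not ZIP_RE.fullmatch(zipcode):
        errors["zip"] = "expected 12345 or 12345-6789"
    name = fields.get("name", "").strip()
    if len(name) > MAX_NAME_LEN or not NAME_RE.fullmatch(name):
        errors["name"] = "letters, spaces, apostrophes and hyphens only"
    return errors


# 2. What an unvalidated ';' does once the value reaches a shell.
def greet_via_shell(name):
    """VULNERABLE: the field is spliced into a command line run by /bin/sh."""
    out = subprocess.run("echo Hello " + name, shell=True,
                         capture_output=True, text=True)
    return out.stdout


def greet_via_argv(name):
    """Safe: argv list, no shell, so ';' '|' '&' are just bytes in one arg."""
    out = subprocess.run(["echo", "Hello", name],
                         capture_output=True, text=True)
    return out.stdout


# 3. Credentials live in a file outside the document root, not in the script.
def load_db_credentials(path):
    """Load JSON credentials from PATH; refuse a file other users can read."""
    p = Path(path)
    mode = p.stat().st_mode & 0o777
    if mode & 0o077:
        raise PermissionError(f"{p} is mode {mode:o}; chmod 600 it first")
    return json.loads(p.read_text())


def credential_roundtrip(mode):
    """Write a constructed credential file with MODE (e.g. 0o600) in a temp
    dir standing in for /etc/shop/, then load it.  Returns the dict, or the
    string 'refused' if the permission check rejected the file."""
    with tempfile.TemporaryDirectory() as d:
        cred = Path(d, "db.json")
        cred.write_text('{"user": "shop", "password": "s3cret"}')  # sample only
        os.chmod(cred, mode)
        try:
            return load_db_credentials(cred)
        except PermissionError:
            return "refused"


if __name__ == "__main__":
    print(validate_order({"zip": "11 211 2 2", "name": "Bob'; DROP TABLE orders;--"}))
    print(validate_order({"zip": "90210", "name": "Anne-Marie O'Neil"}))
    print(repr(greet_via_shell("x; echo PWNED")))   # second command ran
    print(repr(greet_via_argv("x; echo PWNED")))    # one literal argument
    print(credential_roundtrip(0o644), credential_roundtrip(0o600))
```

The allowlist patterns are the point: rather than enumerating bad characters (the post's list is only a sample), each regex states what a valid value looks like, so anything else, including encodings the blocklist never thought of, is rejected. The permission check on the credential file is what makes "outside the web structure" hold up on a shared host, where other accounts on the same machine can otherwise read any world-readable file.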
#6
Slacker, Devshed Newbie (0 - 499 posts)
Join Date: Feb 2001 | Location: Sweden | Posts: 76 | Rep Power: 14

Good sticky about this:

[Everyone] Must read Security Notes
