FBDSC Security

From FreeBert Wiki

Security

There are a few areas to consider when looking at security. First, you want to protect against SQL injection attacks; that is the goal of the cleanvalue() PHP function (located near the bottom of the Local_Settings.php file). Second, there is the security and validity of the data being posted to add items to the cart. Finally, there is the concern of restricting access to the admin section.
The very best method to avoid fraud is to have a public 'shipping terms' policy that reserves the right to refuse and refund any order. Simply review each order manually; if you find one you believe to be fraudulent, refund the order and ban the customer account.
Note: Many if not all of the security concerns listed below are standard concerns for any PHP or SQL enabled website. They are listed below for your information:

SQL Injection Attacks

Any page that takes user input and passes it to a database query is potentially vulnerable to an SQL injection attack. To reduce the chance of SQL injection, all inputs passed via POST and GET are run through the cleanvalue() function, which strips the input of characters commonly used in injection attacks (such as single quotes, double quotes and the pipe symbol). Strict input validation is the best defense against SQL injection attacks. If you would like to extend or alter the cleanvalue() function, it is located near the bottom of the Local_Settings.php file.

Add To Cart Vulnerability

Adding items to the cart is done by posting variables from the add-to-cart buttons to your shopping cart. It is possible to forge such a post from another website, thus adding falsified information to the cart (such as lower prices). There are a few workarounds that provide better security, but most if not all require adding code to both the add-to-cart buttons and the shopping cart itself.
If you want more automated protection, consider integrating one or more of the suggestions below into your site and cart:

Turing / Captcha Test

Commonly used on many websites, captcha tests are intended to keep unwanted and automated posts off your website. They typically display a box with images of letters and/or numbers, often skewed or otherwise altered to make reading by machines difficult or impossible. The user is prompted to correctly type in the string of letters and/or numbers before the post is allowed. The idea here would be to add a captcha test to each add-to-cart button.
Pros: Captcha tests help to ensure that your users are human and are sending add-to-cart posts from your own website.
Cons: Many if not most available captcha tests have already been 'beaten' by hacker-scripters. There are programs that can successfully read those altered strings of letters and numbers, defeating the whole point of having the test. Likewise, depending on how the captcha code works, it may still be possible for a hacker to send a post from another website that fools the captcha code.
Finally, the captcha test adds one more step for your customer to work through before adding items to the cart. If a customer has a hard time completing the captcha, they may lose interest in your item and abandon their purchase attempt.

Limiting Info Sent in Add-To-Cart Post

Another technique for securing add-to-cart posts is to NOT post all the item data in the add-to-cart post. Instead, you could create a custom step in the add-to-cart process that takes as input only the serialnum and quantity of the item in question. That step then connects to your items database, looks up the item by its serialnum, reads the correct title, price, etc. directly from the database, and passes THAT data to the add-to-cart function.
Pros: This goes a long way toward avoiding the problem of altered or falsified data being posted to the add-to-cart function.
Cons: This technique may slow down the add-to-cart process, especially when adding multiple items to the cart at once (batch add-to-cart).
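The following is an added example of the lookup step described above, written for this page and not part of FBDSC or its Local_Settings.php. It assumes an items table with serialnum, title and price columns, a serial number format of letters, digits and hyphens, and that the pdo_sqlite extension is available; the catalogue rows are constructed inline so it runs offline. It also shows the SQL injection section's point in a stronger form: the lookup binds the serial number as a query parameter instead of relying on character stripping.

```php
<?php
declare(strict_types=1);

// Constructed sample catalogue standing in for the shop's items database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (serialnum TEXT PRIMARY KEY, title TEXT, price REAL)');
$db->exec("INSERT INTO items VALUES ('SN-1001', 'Widget', 19.99), ('SN-1002', 'Gadget', 49.50)");

// Builds the cart line from the only two fields the client is allowed to send.
// Title and price are read from the database, never from the POST body, so a
// forged post cannot lower the price. Returns null when the post is rejected.
function buildCartItem(PDO $db, array $post): ?array
{
    $serialnum = $post['serialnum'] ?? '';
    // Strict validation: accept only the serial number pattern the shop uses (assumed pattern).
    if (!preg_match('/^[A-Z0-9-]{1,32}$/', $serialnum)) {
        return null;
    }
    // Quantity must be a whole number inside a sane range (limits assumed).
    $quantity = filter_var($post['quantity'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 99]]);
    if ($quantity === false) {
        return null;
    }
    // Bound parameter: the serial number is data to the query, not SQL text.
    $stmt = $db->prepare('SELECT title, price FROM items WHERE serialnum = :sn');
    $stmt->execute([':sn' => $serialnum]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null; // unknown item: refuse rather than trust anything the client sent
    }
    return [
        'serialnum' => $serialnum,
        'title'     => $row['title'],
        'price'     => (float) $row['price'],
        'quantity'  => $quantity,
    ];
}

// Constructed posts: a forged one carrying its own price and title (both ignored),
// one with a quote character in the serial number, and one with a bad quantity.
var_dump(buildCartItem($db, ['serialnum' => 'SN-1001', 'quantity' => '2', 'price' => '0.01', 'title' => 'x']));
var_dump(buildCartItem($db, ['serialnum' => "SN-1001' OR '1'='1", 'quantity' => '1']));
var_dump(buildCartItem($db, ['serialnum' => 'SN-1001', 'quantity' => '0']));
```

For a batch add-to-cart, the same prepared statement can be reused for each serialnum in a loop, which keeps the extra cost to one indexed lookup per line.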
