security stuffs in making a website?

[Udon]

i have a project, and we need to make a website like ebay. its just for reporting and stuff and we don't necessarily need to make it operational. i just want to tell them that is secure and stuff. like using paypal and how to make chatting secure. any ideas?

[Discord]

Are you asking us to sum up the entire university course in "Information-Systems Security" in one post? Making a website like ebay takes a lot of work of a large number of people, most of which being diploma specialists.

Who are you doing the project for anyway?

[Baloki]

Are you asking us to sum up the entire university course in "Information-Systems Security" in one post?

I can sum that up in one post, lik the interwez is full of hackers lulz, use Linux.

Making a website like ebay takes a lot of work of a large number of people, most of which being diploma specialists.

Not really, theres alot of Open Source shopping systems out there now that are free to use, to make it the size of e-bay however is a different matter.


In response to the initial post, research the components you need and figure out how to integrate them together, also try and make sure your server is secure and use SSL or SSI or whatever it's called along with https. For futher reading I would recommend Google or a good library.

[o_O]

I can sum that up in one post, lik the interwez is full of hackers lulz, use Linux.

:}

It really depends how in-depth you want to get.

• Demonstrate that your site is protected from attacks like SQL injection by escaping quotes and slashes in your input.
• Restrict permissions to stuff that shouldn't be public.
• Javascript injection can be circumvented by encrypting sensitive data that needs to be passed via POST or GET.
• Use SSL.
• Make your PHP scripts is safe by not defining variable names from user input.
• Turn register_globals, magic_quotes_gpc on and make use of escape slashesm etc.
• Use session control in an encrypted URL or cookie.
• Restrict forms calling your script to only those in your domain - prevents people making their own forms and using them on your script.
• Avoid file uploads if you can.

I'm sure you can think of more. PHP can do it all for you.

[Renmiri]

Bottom line: Get help from someone who has done it before. There is no way you will learn all you need to know here in this thread.

[o_O]

There are quite a few web security papers and seminar transcripts available which explain everything in detail, but unless you know/learn PHP, the mechanics of HTTP requests, DOM and SSL protocols you probably won't understand them. As Renmiri said though, it would be almost impossible to glean a full understanding of these things from here.

If you aren't that far along yet, chances are you don't need to elaborate that much, but if you are I definitely recommend reading a few papers.

[Baloki]

If you aren't that far along yet, chances are you don't need to elaborate that much, but if you are I definitely recommend reading a few papers.

Or even a few techie blogs, as they'll point out interesting things they've noticed/found out.