Today’s topic is kind of short, but a very important one. If you are not living under a rock, then you know about Sony’s problem with their Playstation online services getting hacked and being down for some time. A new concern now is that this has exposed the credit card numbers of the membership. Something that can definitely cost some good will and trust. However, Sony is a major corporation, and can recover from this. Can your business, if something like this were to happen?
I still see multiple instances of applications (And not just PHP applications) where carelessness has overtaken common sense. The web is no longer just a set of reading materials. It is now more than that with interactive applications and a flow of data that travels in all directions. So why is it that a huge problem is a lack of security for this interaction? The biggest thing I still see is with forms. Multiple sites ask to sign up for something, like a list, and email notification, account to get in to the site, etc. And one of the most powerful things today is information. And this does not mean just credit cards and government identification numbers. These can include names, emails, addresses, cities, passwords, secret phrases for confirmation, etc. Harvesting this can lead to identity fraud, selling to spam lists, etc. Secure your forms! It does not take much time, and can pay off, especially for the small businesses who will not have the money or name recognition of the larger corporations.
Easier said than done, I suspect some are saying. Well, yes and no. This should not be an after thought it should be first. In the PHP language, functions exist to help in this. Some ideas for securing forms: mysql_real_escape_string, pg_escape_string. In fact, if you are using PHP, then make sure to understand the different options available for your database.
That is not all though. You should also use a parametrized approach for inserts and updates. A quick example of this:
$sql = "UPDATE sometable SET somefield = ? WHERE value=?"; $parameters = array($_POST['data1'], $_POST['data2']); $dbo->query($sql, $parameters);
Now that was not too hard was it? However, security is not something to pass over. You should understand what data you are collecting, and validate the data, and then securely save the data. Validating it can be as easy as making sure it is an integer value, email, certain number of characters. Items like that can go a long way to verify what you are getting is what you need, and will not harm your application. For example, if a form had a field for first name, last name, country, email address, you can safely validate those fields. First name, last name should only be characters. Those fields should not have special characters, numbers, etc. Email address should be validated against a regular formed email address. You can even go one step further to verify it is a valid email address and exists somewhere out in the cloud.
Big lesson though, secure the data. Secure your application. Do not let a shortcut become your Sony Playstation meltdown.