Hackers still targeting ecommerce websites

Discussion in 'Ecommerce Forum' started by dotcomdude, Sep 12, 2018.

  1. dotcomdude
    I'd say these are the 5 I see most often (and I'm not a developer):
    • Not properly sanitising input data
    • Not hashing passwords
    • Not validating parameters in URLs
    • Not securing form input
    • Using clear text in cookies
     
    Posted: Sep 14, 2018 By: dotcomdude Member since: Jul 27, 2018
    #21
  2. Steven001
    Things like using prepared statements or better yet, PDO.
    Also, not that it should even be required to mention these days, but I have seen some people still using the old MySQL prefix instead of MySQLi. There's heaps of other stuff that could be mentioned. Cookies are another one - only secure cookies should be used these days - if you don't have an SSL you shouldn't be using cookies.
     
    Posted: Sep 14, 2018 By: Steven001 Member since: Aug 1, 2018
    #22
  3. Inva
    It's SQL programming techniques which protect and not PHP ones. SQL does not need PHP to begin with. Btw none of the things mentioned above helps against SQL injection except prepared statements :) The most common protection is to escape the input string and place it around hard coded quotes. In any case, there is no absolute or guaranteed protection.

    PDO is a bad choice 99,99% of the time. Its reason for being is to be an abstraction layer between the application and database, enabling the same code to work with multiple database systems without change. The drivers for PDO are not written by the database developer, so usually they are of poorer quality and have fewer features. And since the vast majority of applications will never change database system to begin with, using PDO simply makes no sense most of the time.

    The majority of the time a custom coding developer will be much more knowledgeable than a WP developer or some such, as the knowledge entry barrier to be a "WP developer" is much lower compared to a "custom developer".
     
    Posted: Sep 14, 2018 By: Inva Member since: Aug 10, 2018
    #23
  4. Steven001
    SQL is just a database while PHP is the language that communicates with that database. PHP is where the security is as it's the single point of access to all SQL databases and tables within.

    Prepared statements are just the beginning, combining them with PDO and so hiding your critical extension data to the database and table through a shorthand coding function is way better than directly referencing the connecting protocols from a file... making include db.php at the application level defunct. This is great for security.
     
    Posted: Sep 15, 2018 By: Steven001 Member since: Aug 1, 2018
    #24
  5. Inva
    I believe you have some things wrong sir. SQL is not a database, it's a language (Simple Query Language). The database is MySQL (or another). PHP simply sends the SQL commands which you write to the database. "The security" is not in PHP in any way. Good security is multi layered. In PHP you should do validation and escaping. But that alone is not enough. Without putting those single quotes around the value in SQL, you have an injection vulnerability. So you did everything right in PHP but are still vulnerable.

    Regarding what you said about PDO, I didn't understand it and it made no sense to me :) PDO does not improve security in any way.
     
    Posted: Sep 15, 2018 By: Inva Member since: Aug 10, 2018
    #25
  6. Steven001
    You can call MySQL a language if you like but most people regard it as a database system with PHP being the language which communicates with it. Another popular system would be the combination of Microsoft's .NET database system and the C# language - same principle.

    Without good security in PHP a site is vulnerable to attack so I completely disagree with your statement. Writing good quality, secure PHP is critical to mitigating hacks and so if you're trying to tell me that prepared statements don't improve security you may as well be telling me the sun shines at night!

    I agree that "Good security is multi layered" but it's not a particularly revealing statement and doesn't help anyone understand where to start with security.
    Here are a few security musts I am willing to share :)

    • .htaccess - all non-https pages 301 to https version, hide PHP version, set content security policy, set XSS protection, turn off indexes - there's much more than this.
    • PHP - prepared statements, strip tags, mysqli_real_escape_string, PDO database connection, https cookies only - a small sample.
    • MySQL accounts - connect using privilege-limited accounts for the type of task; search is the most hacked input on a website, so remove privileges to just allow SELECT and SHOW VIEW because that's all you need.
     
    Posted: Sep 15, 2018 By: Steven001 Member since: Aug 1, 2018
    #26
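A runnable illustration of the point argued in #25 and #26 (escaping alone is not enough; quoting or, better, a prepared statement is what closes the hole). This is an added example, not code from the thread; it uses Python's sqlite3 in place of PHP/MySQL so it runs offline, with a constructed products table and a stand-in for mysqli_real_escape_string that doubles quote characters as SQL does.

```python
import sqlite3

# Constructed sample data, not from the thread.
PRODUCTS = [(1, "Widget", 9.99), (2, "Gadget", 19.99), (3, "Gizmo", 4.50)]


def make_db():
    """Create an in-memory database with the sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    return conn


def escape(value):
    """Stand-in for mysqli_real_escape_string: neutralise quote characters.

    SQLite escapes a quote as '' rather than \\', but the lesson is the same:
    escaping only matters if the value ends up inside quotes."""
    return value.replace("'", "''")


def lookup_escaped_unquoted(conn, user_id):
    # Escaped but NOT wrapped in quotes: a value such as "2 OR 1=1"
    # contains no quote character, so escaping changes nothing and the
    # OR becomes part of the query.
    sql = "SELECT id, name FROM products WHERE id = " + escape(user_id)
    return conn.execute(sql).fetchall()


def lookup_escaped_quoted(conn, user_id):
    # Escaped AND quoted: whatever the user sends is one string literal.
    sql = "SELECT id, name FROM products WHERE id = '" + escape(user_id) + "'"
    return conn.execute(sql).fetchall()


def lookup_prepared(conn, user_id):
    # Prepared/parameterised statement: the value never becomes SQL text,
    # so neither quoting nor escaping is left to the developer.
    return conn.execute("SELECT id, name FROM products WHERE id = ?", (user_id,)).fetchall()
```

Running the three lookups with the input `2 OR 1=1` shows the unquoted version returning every row while the quoted and prepared versions return nothing, which is exactly the gap #25 describes.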
  7. monicajenner66
    My friend had an eCommerce website in the past. He downloaded a free ecommerce template to upload to his hosting. Two months after the website launched, some officials came to him and arrested him without telling him the reason for the arrest. After some time they revealed that some hackers had edited the code in his free downloaded theme, and they were stealing money through his website; that's why they caught him.
     
    Posted: Mar 7, 2019 By: monicajenner66 Member since: Mar 7, 2019
    #27
  8. 1977
    Out of interest how does Shopify square up to hackers compared to the likes of Magento?

    As a side note, I've recently worked with a well known American audit & SEO "expert" and one of the first things he did was to advise me to block countries like Russia, Ukraine etc. because of the sheer number of attacks that come from them, including on one of my old sites.
     
    Posted: Mar 7, 2019 By: 1977 Member since: May 10, 2012
    #28
  9. fisicx
    I don’t believe a word of this.
     
    Posted: Mar 7, 2019 By: fisicx Member since: Sep 12, 2006
    #29
  10. NickGrogan
    But it's on the internet, it must be true.
     
    Posted: Mar 7, 2019 By: NickGrogan Member since: Nov 15, 2012
    #30
  11. monicajenner66
    Pardon my English, but that was a story of my friend. He faced a big problem due to hackers; that's why I answered in this thread.
     
    Posted: Mar 7, 2019 By: monicajenner66 Member since: Mar 7, 2019
    #31