is PHP safe for a noob?

Hello!

I’ve got a site with a shopping cart that I’ve purchased. I’m using WordPress to post products, descriptions, etc. I’m finding that WordPress is kind of clunky and restrictive. I’ve used Expression Engine in the past and preferred it, and I’m considering going back.

However, I also have a little bit of experience with HTML and PHP, and what I need to build for a site is fairly simple. I’m tempted to just build it myself and pass information on to my shopping cart, especially because what I want to build is really simple and I think the site would run a lot faster.

My primary concern with building the site myself using PHP is security. The shopping cart and content management systems I’ve used in the past tend to have security updates about things I know nothing of. Also, due to my job, I don’t have time to keep track of web security issues.

Would security issues be a reason to not build my own site and use software such as Expression Engine or WordPress?

Thanks!

Jon

PHP

4 Comment(s)

@developerguru Oct 20, 2011 — Yes, security is an issue for your shopping cart.

You are saying that you do not have time to take care of these issues, so it will be better if you hire someone to do that part.

I mean to say: create the site by yourself and hire someone for the payment gateway integration, so that security won't be a problem on your site.

@jon68-2 (author) Oct 25, 2011 — Thanks!

According to the shopping cart developer, I just need to post PHP data to the index page of the cart along with a product number, so it won't be a very complicated integration. All the sign-in and credit card stuff happens in the shopping cart itself, and the shopping cart vendor handles that for me.

Thanks!

@eval_BadCode_ Oct 26, 2011 — Yes. Your one big security concern (unless you are also hosting the site yourself) should be data plane attacks moving into the control plane. Typically this is done through a string (sometimes binary data, very rarely float or double), or by not typing data (PHP does NOT type data). SQL injection is an example, but not the only attack.

You may have to be explicit and say:

$item_no = (int) $_POST['item_no'];

Not just this, but then you must also make a backup plan: what if item_no does not exist? For example, (int) will turn "-500" into -500, but most likely all of the item_no values are unsigned (positive) integers. If the cart handles this, then you've made a good purchase; if not, then you have a bit more work to do.

I'm not sure what your relationship with the person who sold the cart is, but it might be worth a little bit more money to ask them to come back and audit your cart after you make changes. There are some things you can do to assist them with this; the most amazing of which is so simple and effective.

There's a program called "tree" which you have likely seen before.
[CODE]
├── classes
│   ├── AbstractDataParser.php
│   ├── buttonWidget.php
│   ├── dialogWidget.php
│   ├── FileUpload.php
│   ├── Route.php
│   ├── tabsWidget.php
│   ├── tpl
│   │   ├── button.tpl.php
│   │   ├── datepicker.tpl.php
│   │   ├── dialog.tpl.php
│   │   ├── generic-js.tpl.php
│   │   ├── generic.tpl.php
│   │   └── tabs.tpl.php
│   ├── UnauthorizedAccessException.php
│   ├── UserEdit.php
│   ├── User.php
│   ├── VistaDataCustodian.php
│   ├── VistaDataParser.php
│   └── widgetAbstract.php
├── css
│   ├── dot-luv
│   │   ├── images
│   │   │   ├── ui-bg_diagonals-thick_15_0b3e6f_40x40.png
│   │   │   ├── ui-bg_dots-medium_30_0b58a2_4x4.png
│   │   │   └── ui-icons_ffffff_256x240.png
│   │   └── jquery-ui-1.8.13.custom.css
│   └── reportc.css
├── EditUsers.php

and so on
[/CODE]


The syntax is: tree -H baseurl.com > tree.html

Now if you view tree.html using a browser, it will show a link to every file on your site (some of which may not be accessible, for good reasons).

It's amazingly simple, yet catches so, so, so many stupid mistakes: why did I leave that development file in the production site (*COUGH* American Express)? Why doesn't this folder have a [deny from all] in a .htaccess file? And so on.

Edit:

"""Would security issues be a reason to not build my own site and use software such as Expression Engine or Wordpress?"""

I always find WordPress sites vulnerable... which is unfortunate. Sometimes it takes me 12 hours to find a vulnerability, and sometimes it's just a crummy little reflective XSS attack, but that can escalate so fast and get out of control with a little bit of social engineering (tricking you into visiting a tinyurl/asdf123 type URL).
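The item_no handling the comment above describes, written out as an added example (this is not code from the original post or from any cart vendor). It assumes the cart is reached by POSTing an item_no field to its index page, and the catalogue of valid product numbers is constructed here for illustration. A bare (int) cast turns "-500" into -500 and a missing field into 0, so the example instead requires an unsigned integer in a sane range and then checks it against a list of products the site actually sells:

```php
<?php
// Added example, not part of the original post or the purchased cart.
// Assumptions: the cart accepts a POSTed item_no; KNOWN_ITEMS is a
// constructed, hypothetical catalogue standing in for the real product list.

declare(strict_types=1);

/** Constructed catalogue: product number => name (hypothetical data). */
const KNOWN_ITEMS = [101 => 'Widget', 102 => 'Gadget', 250 => 'Gizmo'];

/**
 * Return the validated product number, or null if the request is not
 * something we are willing to forward to the cart.
 */
function validated_item_no(array $post): ?int
{
    // Field absent, or sent as an array (item_no[]=1): refuse rather than cast.
    if (!isset($post['item_no']) || !is_string($post['item_no'])) {
        return null;
    }

    // FILTER_VALIDATE_INT rejects "12abc", "1e3" and "0x1A" (no hex flag);
    // min_range => 1 rejects 0 and every negative value such as "-500".
    $n = filter_var($post['item_no'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 999999],
    ]);
    if ($n === false) {
        return null;
    }

    // Well-formed is not the same as real: only forward products we sell.
    return array_key_exists($n, KNOWN_ITEMS) ? $n : null;
}

/**
 * Build the data that will be posted to the cart. Every value is typed here,
 * so nothing the visitor typed reaches the cart as an arbitrary string.
 * Returns null when the request should be answered with an error page instead.
 */
function cart_payload(array $post): ?array
{
    $n = validated_item_no($post);
    if ($n === null) {
        return null;
    }
    return ['item_no' => $n, 'qty' => 1];
}

// Demo on constructed inputs; in the real handler this would be $_POST.
$samples = [
    ['item_no' => '102'],      // valid: forwarded as int 102
    ['item_no' => '-500'],     // negative: rejected
    ['item_no' => '101abc'],   // trailing junk: rejected
    ['item_no' => '999'],      // well-formed but not in the catalogue: rejected
    [],                        // field missing: rejected, not cast to 0
];
foreach ($samples as $sample) {
    var_dump(cart_payload($sample));
}
```

The split into two functions is deliberate: validated_item_no is the only place that touches untrusted input, so it is the one function the cart vendor needs to audit after the change, and the "missing field" and "negative number" cases the comment warns about are both handled there rather than relying on the cart to catch them.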

@SecarBlue Oct 27, 2011 — Forget about WordPress, it has security gaps!