This entry was posted on Tuesday, July 18th, 2006 at 3:30 am and is filed under Web Templates, Articles & Tutorials.
Ecommerce is booming! I’ve been talking about webpage templates, particularly ecommerce templates, recently, including osCommerce, PHP, Zen Cart templates and CRELoaded templates. Lots of ecommerce websites start up every day. And sure, there are busts every day, but there are thousands of successful ecommerce sites out there besides Amazon and eBay.
Any system of money flow attracts criminal attention. Aside from theft of your identity, a hacker can steal the identities of your customers. So let’s talk about security for a minute. Here’s an idea that might help your security.
The best method of hack prevention involves making entries in your robots.txt file so that search engines cannot index login pages, user administration systems, and the admin backend. This is one way to keep a system page out of a search engine's index:
User-agent: *
Disallow: /admin/
Disallow: /contact/
Disallow: /client_section/
Disallow: /login.php
# etc.
This keeps any search engine that pays attention to the robots.txt file from indexing those pages, which will help keep hackers out. Note that it only affects crawlers that honour the file; it does not restrict access by itself, so the listed paths still need their own authentication.
A word about hacking: SQL injection is one of the most common attacks against dynamic websites, and it can take down even major sites. It’s the most basic trick in the hacker’s book. Example: your login form. Most coders name their form fields the same as their database columns, which reveals a lot about your underlying structure.
With a few basic queries the hacker can then walk straight into your admin system. How can you avoid this? Treat all incoming data from the user as a potential attack and clean it up. You can write a signature and pattern-matching algorithm, but that is easy to get around. The best way to protect yourself is to clean fields that you know should not contain SQL keywords:
SELECT, OR, AND, INSERT, CREATE, DELETE, FROM, WHERE, LIKE, EXEC, SP_, XP_, SQL, ROWSET, OPEN, BEGIN, END, DECLARE
and clean out symbols as well:
; -- + ' ( ) = > < @
A simple call to the cleaning function takes out the bad stuff, and you’re left with clean input.
Also, SQL injection is not limited to forms. Clean your GET, POST, and COOKIE variables, and pass as little through the URL as possible.
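Added example, not code from the post: the keyword and symbol stripping described above, written in Python and applied to a dict of GET/POST/COOKIE values, next to a login lookup that uses a parameterized query (the standard defence, which the post does not mention) against a constructed in-memory sqlite3 users table. The function names, the sample users and the hash strings are all made up for the demo.

```python
import hmac
import re
import sqlite3

# Keywords and symbols the post says to strip from fields that should never hold SQL.
SQL_KEYWORDS = ["SELECT", "OR", "AND", "INSERT", "CREATE", "DELETE", "FROM", "WHERE", "LIKE",
                "EXEC", "SP_", "XP_", "SQL", "ROWSET", "OPEN", "BEGIN", "END", "DECLARE"]
SQL_SYMBOLS = ["--", ";", "+", "'", "(", ")", "=", ">", "<", "@"]


def clean_field(value: str) -> str:
    """Keyword/symbol stripping as the post describes: whole words, case-insensitive."""
    for kw in SQL_KEYWORDS:
        # SP_ and XP_ are procedure-name prefixes, so only their start is anchored.
        tail = "" if kw.endswith("_") else r"(?![A-Za-z0-9_])"
        pattern = r"(?<![A-Za-z0-9_])" + re.escape(kw) + tail
        value = re.sub(pattern, "", value, flags=re.IGNORECASE)
    for sym in SQL_SYMBOLS:
        value = value.replace(sym, "")
    return " ".join(value.split())


def clean_request(params: dict) -> dict:
    """Apply clean_field to every GET/POST/COOKIE value, as the post recommends."""
    return {name: clean_field(raw) for name, raw in params.items()}


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table for the demo; not a real shop schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users (username, password_hash) VALUES (?, ?)",
                     [("alice", "hash-alice"), ("o'brien", "hash-obrien")])
    return conn


def find_user(conn: sqlite3.Connection, username: str, password_hash: str):
    """Parameterized lookup: the driver binds the value, so input is never parsed as SQL.

    Returns the user id on a match, or None. The caller hashes the submitted password
    (hash scheme is out of scope here) and the comparison is constant-time."""
    row = conn.execute("SELECT id, password_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is not None and hmac.compare_digest(row[1], password_hash):
        return row[0]
    return None
```

Note that the stripping also mangles legitimate values such as O'Brien, while the parameterized lookup returns that user intact.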
Keepin’ On Keepin’ On,
Arthur Browning