-5

We are doing a PHP project with simple user signup, sign-in, and account page. We are also collecting PayPal, email id, bank account name, and account number to pay money for them.

I read a lot of Google links saying that hackers will hack mainly to get credit card details, for sending free emails, etc. As we dont save any credit card information, do we still need to worry too much about security? Do we need to worry about code quality, SSL or server related security?

We are using PDO and saving passwords in MD5 format.

Anders
  • 64,406
  • 24
  • 178
  • 215
USer345738380
  • 93
  • 5
  • 3
    Hackers will hack your site, just to have a PHP shell running on your site enslaving it to a bot net, doing illegal things with your server. MD5 is pathetic for password hashing, use bcrypt at least. Yes, you absolutely need to be concerned about security. – Alexander O'Mara Oct 28 '16 at 12:51
  • @AlexanderO'Mara okay, than we will go with `bcrypt` or `PASSWORD_DEFAULT` or do you suggest `argon2` ? , also i am beginner in php.... – USer345738380 Oct 28 '16 at 12:55
  • also is hackers hack one site at a time , or they will hack multiple sites at once, how actually it work ? @AlexanderO'Mara – USer345738380 Oct 28 '16 at 13:23
  • 3
    "Hackers" will do everything and anything, some will do single site, others will do multi sites, some do it for fun, others to grow their skills, others for money, others out of malice, some will only run php exploits, others linux, others sql, others everything, some will only use known attacks, others will have found some themselves, some will be humans attacking you specifically, others (most) will just be a program trying everything on everyone. "hackers" are as diverse as anything, there is no 1 way or reason "hackers" do what they do. – Topher Brink Oct 28 '16 at 13:39
  • If your site accepts PayPal, I assume you also store some personal information about people. Hackers like getting any information they can, so they can do stuff like sell the info or send spam (and a whole lot more). As soon as the site is accessible by people on the internet, you need to secure it as best you can. This includes SSL, penetration testing, using something better than MD5 (such as bcrypt) and preferably getting an independent security consultant to have a look. [here](https://www.troyhunt.com/tag/security/) are some interesting security articles by Troy Hunt. – Cas Oct 28 '16 at 13:56
  • @TopherBrink That's fantastic information, thanks a lot...... – USer345738380 Nov 02 '16 at 05:14
  • @cascer1 as you said, i will take some security measures..... thanks a lot...... – USer345738380 Nov 02 '16 at 05:14

3 Answers3

4

To answer your question: NO, hackers have a lot of reasons to attack a site. Credit card information is only one of those.

Having recently completed a PHP project myself, we made sure to use the following tactics in order to secure our site: (note that we did not store credit card information)

  • Get a valid SSL certificate, redirect all insecure requests to https and enable HSTS
  • Validate ALL user input. I don't care whether it's a username or a comment or an IP address header. EVERYTHING needs to be validated before it touches your processing code.
    • PHP has some useful filters for validating and sanitizing a lot of different data
    • Do not depend on client-side validation. Malicious users can very easily bypass this.
  • Use a WAF with the OWASP ModSecurity core rule set
    • While a WAF helps stop a lot of common attacks, it should only be used on top of a well-designed program. Your site should be safe from these attacks without using a WAF.
  • Make sure cookies are httponly and secure
  • Use parameterized queries when dealing with user input. PDO can't protect you if you simply stick a string of user input in your query and then pass it over.
    • Ideally, you should also use parameterized queries whenever you send any data to the database. AFAIK it doesn't noticeably affect performance and it might save you against SQL injections.
  • Ask an independent security tester to have a look at your site. They might see problems you didn't notice
  • NEVER copy-paste code without understanding what it does. You can only properly secure your code if you know where the potential issues are.
  • Don't store anything that you don't have to. The more you keep, the higher-value your data is to others

Other than that, I've become quite a bit more security-aware after reading security blogs (I think Troy Hunt has an excellent blog) and following a half-year long ethical hacking course.

There are obviously many more ways of securing your website, but this is everything I could think of at the time of writing.

Cas
  • 156
  • 3
3

Hackers hack for many reasons - to use your site to mask other activities, to gain personal information, to find lists of email/passwords they can use elsewhere, to make statements, to find information about banking information, to find other personal information, just for fun...

If you do not pay attention to security, you will be hacked. If you do not follow best practices, you will be hacked. You absolutely should not use MD5 - use a password hashing algorithm designed specifically for the purpose - MD5 is broken, use PBKDF2 or similar. You need to care about the OWASP Top Ten - SQL Injection in particular.

From the sounds of it, you need to either spend a lot of time educating yourself - start at the OWASP site - or you need to hire a security expert.

crovers
  • 6,311
  • 1
  • 19
  • 29
  • we almost done our project using googles code, looks like need to do lot of refactoring , we will try that... – USer345738380 Oct 28 '16 at 13:01
  • 1
    "googles code"?!?!? what do you mean by this? do you mean you just searched and copy pasted? – Topher Brink Oct 28 '16 at 13:04
  • @TopherBrink yes, i almost done the same..... – USer345738380 Oct 28 '16 at 13:06
  • @TopherBrink i heard most of developers dont write code, they just copy-paste form google..... also i needed to finish project soon, so i just used google..... – USer345738380 Oct 28 '16 at 13:09
  • also is hackers hack one site at a time , or they will hack multiple sites at once, how actually it work ? @AlexanderO'Mara – USer345738380 Oct 28 '16 at 13:24
  • There are a huge variety of people who 'hack' sites - the motivations, the techniques and the methods vary widely. Most will start with automated attacks using tools like OWASP ZAP - these can be run against many, many sites at once. Technologies like Web Application Firewalls can help, but not prevent these automated attacks. Hackers may also use other sites they have hacked to automatically scan for other vulnerable sites. Particularly vulnerable devices have been known to be hacked with 5-10 minutes of coming online. Be careful out there. – crovers Oct 28 '16 at 13:29
  • 2
    copying and pasting is a VERY bad way to program. Most developers do look things up and use the examples given but this is when they don't know how to do something. Most of the time they use the examples given as inspiration on how to do things. But most of the code is hand written from memory. – Topher Brink Oct 28 '16 at 13:50
  • 1
    @USer345738380 looming deadlines and lack of experience are not an excuse for poor basic coding when you are collecting things like bank details and connecting to people's PayPal. You are setting yourself up to have all your users' bank accounts drained by hackers. I think it's time to back away from this project until you are more confident in your ability to tackle this level of project. – schroeder Oct 28 '16 at 17:32
  • @schroeder Thanks a lot , i ll take some security measures.... – USer345738380 Nov 02 '16 at 05:25
3

No.

You need to do a risk assessment. There are a variety of different methodologies out there, but in general they will all include the following steps.

  1. What value does your website provide?
  2. Who has an interest/motivation to degrade that value?
    1. hackers may choose to hack your site to prove they can.
    2. hackers may choose to hack your site to provide services to others (you've put a server on the internet - the hacker could delete your site and run his own site from your server; I'm aware of cases of pornography sites that are hosted by unwitting people).
    3. Hackers may choose to hack your site to gain access to data that is valuable (that can be credit card number, but can also be other information.
    4. Hackers may choose to hack your site because there is an advantage to degrading the integrity of the information on your site. (altering, limiting, etc.) If the information you provide is of value, then there is generally some value in corrupting that information. Competitors may want to increase their relative value by diminishing your value.
    5. Hackers may choose to hack your site because they can gain an advantage by decreasing your availability. (The whole movie "The Sting" was based on this).
    6. Who else provides services/goods/value that is in competition with yours? Who will be damaged by the services/goods/value you provide?
  3. If you wanted to damage the value of your website, what would you do?

At this point you're getting at the real risk. You may wish to examine the Microsoft STRIDE model, the NIST 800-37 model, OCTAVE, FAIR, or a dozen other models to help you to understand the risks/vulnerabilities.

You may wish to google "hackers" - that will give you a broader, better picture of hacker behavior than the simple model you propose.

MCW
  • 2,572
  • 1
  • 15
  • 26