Larry Ullman's Book Forums

Johnny

Posts posted by Johnny

  1. Thanks guys, I've figured out all of my issues except for my 4th question regarding:

     

    Changing MySQL so that it is only accessible from localhost or 127.0.0.1. Afterward, being able to change options --skip-name-resolve and --skip-networking.

     

    I've contacted my host's technical support, but they seemed clueless as to what I was talking about...

     

    Do I change this setting simply by using the sql.safe_mode in my php.ini file?... or is this something different?  Also, I'm assuming that my hosting company's default setting would be the safer setting, but I'd still like to make sure.

  2. I'm using WAMP server, so I restarted the server by rebooting my computer.  The session data is still being stored in the old /tmp folder.

     

    Also, I'm using this line in the php.ini file:

     

    disable_functions = system,exec,register_globals,phpinfo

     

    but when I test it by calling phpinfo() on one of my test pages, it still echoes out the PHP info.

     

    It's as if any changes I'm making to the php.ini file are being ignored...

     

    Any idea what I have to do to have my changes I make to the php.ini file actually make a difference?

  3. I've contacted my hosting company, but their technical support says code-writing/scripting is outside the scope of their support.  I do have a general php.ini file to start with though.

     

    Anyway, I've done some research and have come a little further.

     

    In the php.ini file if I change this line:

     

    session.save_path = "/tmp"

     

    to:

     

    session.save_path = "/private"

     

    Surfing the website still ends up saving the sessions in the original "/tmp" folder.  However, when I add these two lines of code on every PHP file that uses sessions:

     

    session_save_path('../private');
    ini_set('session.gc_probability', 1);

     

    It works.

     

    So, why wouldn't the php.ini alteration change the directory that the session is saved in?  This alteration would have been a much easier fix than the second method (since I have to add the code to many many files).
     

  4. I have various questions, inspired by the book “Effortless E-Commerce With PHP and MySQL”, regarding website security.

     

     

    Question #1

     

    On page 34, it discusses using the open_basedir setting.

    How is this achieved exactly?

    ... I am assuming this is something you write into a php.ini file, but there was not a php.ini file in the downloadable example scripts. What would the code in the php.ini file look like exactly?

     

     

    Question #2

     

    On page 35, it discusses changing a setting to disable register_globals.

    How is this achieved exactly?

     

     

    Question #3

     

    On page 36, it discusses changing the sessions directory.

    First, is this referring to this kind of session? :

     

    $_SESSION['myName'] = "Johnny";

     

    Second, how is this done? Do I get this directory changed by talking to the tech support peeps at my hosting company?

     

     

    Question #4

     

    On page 36, it discusses changing MySQL so that it is only accessible from localhost or 127.0.0.1. Afterward, being able to change options --skip-name-resolve and --skip-networking.

    How is this done? Is all of this done via the hosting company's c-panel or working with the hosting company's tech support?

     

     

    Thank you for getting me pushed in the right direction.
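Question #4 above, and the follow-up in post 1, ask how MySQL gets restricted to localhost and what --skip-networking and --skip-name-resolve do. Those are server options: they live in my.cnf (my.ini on Windows) under [mysqld] and need a MySQL restart, so on shared hosting only the provider can set them, and nothing in php.ini (sql.safe_mode included, which only affects the old mysql extension's connection arguments) changes them. What a site owner can do from PHP is check what the server is actually exposing. The script below is an added example for this thread, not code from the book or from the posts; the account name, password and the 'mysql' database in the connect call are placeholders, and it assumes PHP 7 or later with the mysqli extension.

```php
<?php
// mysql_exposure_check.php - an added example for this thread, not code from the
// book or the posts. It reports whether the MySQL server is listening on the
// network and which accounts could log in from a remote host.
//
// The server side lives in my.cnf / my.ini under [mysqld] (restart MySQL after
// editing; on shared hosting only the provider can change this):
//
//   [mysqld]
//   bind-address      = 127.0.0.1   # TCP listener on loopback only
//   skip-networking                 # no TCP listener at all: local clients use the
//                                   # Unix socket (Windows: named pipe, enable-named-pipe)
//   skip-name-resolve               # never reverse-resolve client IPs; grant to IP
//                                   # addresses (or 'localhost'), not host names

declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // every MySQL error becomes an exception

/** Server variables that show whether it is reachable over the network. */
const NETWORK_VARIABLES = ['skip_networking', 'skip_name_resolve', 'bind_address'];

/** Current values of NETWORK_VARIABLES, keyed by name (some are missing on very old servers). */
function fetch_network_settings(mysqli $db): array
{
    $list   = "'" . implode("','", NETWORK_VARIABLES) . "'";
    $result = $db->query("SHOW GLOBAL VARIABLES WHERE Variable_name IN ($list)");
    $vars   = [];
    while ($row = $result->fetch_assoc()) {
        $vars[$row['Variable_name']] = $row['Value'];
    }
    return $vars;
}

/** Accounts whose Host part admits connections from somewhere other than this machine. */
function fetch_remote_accounts(mysqli $db): array
{
    try {
        // Needs SELECT on mysql.user, which a shared-hosting account usually lacks;
        // report that instead of silently returning "no remote accounts".
        $result = $db->query(
            "SELECT User, Host FROM mysql.user WHERE Host NOT IN ('localhost', '127.0.0.1', '::1')"
        );
    } catch (mysqli_sql_exception $e) {
        return ['(cannot read mysql.user: ' . $e->getMessage() . ')'];
    }
    $accounts = [];
    while ($row = $result->fetch_assoc()) {
        $accounts[] = "'{$row['User']}'@'{$row['Host']}'";
    }
    return $accounts;
}

/** Findings derived from the two queries; an empty array means the server is local-only. */
function audit_mysql_exposure(array $vars, array $accounts): array
{
    $findings = [];
    $skipNet  = ($vars['skip_networking'] ?? 'OFF') === 'ON';
    $bind     = $vars['bind_address'] ?? '*';   // unknown: assume it listens everywhere
    if (!$skipNet && !in_array($bind, ['127.0.0.1', '::1', 'localhost'], true)) {
        $findings[] = "TCP listener bound to '$bind'; set bind-address = 127.0.0.1 or skip-networking";
    }
    if (($vars['skip_name_resolve'] ?? 'OFF') !== 'ON') {
        $findings[] = 'skip-name-resolve is off: host-name grants depend on DNS answers the server does not control';
    }
    foreach ($accounts as $account) {
        $findings[] = "$account may connect from a remote host; restrict its Host to localhost";
    }
    return $findings;
}

// Usage. Credentials are placeholders for the example; prefer a read-only account.
// Host 'localhost' makes mysqli use the socket / named pipe, so the script keeps
// working after skip-networking is enabled; '127.0.0.1' would force TCP and then fail.
try {
    $db = new mysqli('localhost', 'audit_user', 'CHANGE_ME', 'mysql');
} catch (mysqli_sql_exception $e) {
    fwrite(STDERR, "connect failed: {$e->getMessage()}\n");
    exit(1);
}
$vars     = fetch_network_settings($db);
$accounts = fetch_remote_accounts($db);
print_r($vars);
foreach (audit_mysql_exposure($vars, $accounts) as $finding) {
    echo "FINDING: $finding\n";
}
```

Run it from the command line on the web host (php mysql_exposure_check.php). A clean result is skip_networking ON (or bind_address 127.0.0.1), skip_name_resolve ON and no accounts listed; if the mysql.user query is refused, that line tells you the provider, not you, holds the grants, which is the same conversation as getting the [mysqld] options changed.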

  5. Thank you for your input guys!

     

    I understand that doing the security myself would be best (if I knew PHP and MySQL as well as Larry Ullman), but as I mentioned, I don't know it well enough to be comfortable with that.

     

    Are there any "website security test suites" that anyone can recommend and trusts?  I'd hate to come across some security test suite that just takes my money, then installs viruses into my website or something.  I think it's safe to assume there are bad guys out there who try to do malicious things such as that...

  6. I'm still a little fuzzy on how to become PCI Compliant.

     

    Does this sound right?:

     

    1.  I build my website

     

    2.  I get my website hosted

     

    3.  I call up some PCI-Compliance company and tell them I want my site to be PCI Compliant

     

    4.  The company analyzes my website's code, and analyzes my hosting situation

     

    5.  They give me a "thumbs up" or a "thumbs down" (in which case they tell me what I need to change to get a "thumbs up").

     

    Thanks :)

  7. I really like your book!

     

    I wish I knew PHP & MySQL as well as you do!

     

    Anyway, I intend to have an e-commerce site going someday and security is of course something I'm paranoid about.  I don't trust myself with handling all the security because I'd never feel peace of mind.

     

    Are there companies who test the security of your website for you?  You know... who try to mess things up, look for holes, try to get the information you're protecting, etc., then report to you what needs to be changed.

     

    You'd have to trust these companies of course...

     

    Thanks

  8. Hi All

     

    I'm on page 41 (in Security Fundamentals).

     

    Referring to:

    "For sensitive data being stored, but not stored in a database, change your sessions directory, and use the Web root directory's parent folder (see Figure 2.5)."

     

    Could someone elaborate on what this means?  I'm not sure what a sessions directory is.

     

    When it refers to "sessions", is it talking about session variables that we can create?... like if I wanted to store the logged-in users first name in $_SESSION['userFirstName']?

     

    Is temporarily storing potentially sensitive data in session variables not secure?

     

    I'm pretty new at this, so please use plenty of layman's terms :)

     

    Thank you so much.
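Posts 2, 3 and 8 above all turn on the same two things: which php.ini PHP is actually reading (edits to a file PHP never loads are silently ignored, which also explains a disable_functions line that has no effect), and where session files end up (the "sessions directory" in the book is the folder where PHP writes the server-side file behind $_SESSION, and the advice is to keep it outside the web root). The script below is an added diagnostic for this thread, not code from the book or from the posts. It assumes PHP 7 or later, that the web root is the directory the script lives in, and that a writable 'private' directory exists beside that root; both paths are placeholders to adjust.

```php
<?php
// php_hardening_check.php - an added diagnostic for this thread, not code from
// the book or from the posts above. Run it from the CLI (php php_hardening_check.php)
// or once from the browser, then delete it: it reveals configuration details.

declare(strict_types=1);

/**
 * The php.ini PHP actually loaded, plus the effective values of the settings
 * discussed in the thread. If 'loaded_ini' is not the file you have been
 * editing, no edit to that file can ever take effect. disable_functions and
 * register_globals are php.ini-only directives; ini_set() cannot change them.
 */
function collect_hardening_state(): array
{
    $disabled = array_filter(array_map('trim', explode(',', (string) ini_get('disable_functions'))));

    return [
        'loaded_ini'        => php_ini_loaded_file() ?: '(none: PHP is running on built-in defaults)',
        'scanned_ini'       => php_ini_scanned_files() ?: '',
        'disable_functions' => array_values($disabled),
        // register_globals was removed in PHP 5.4; there ini_get() returns false, i.e. "off".
        'register_globals'  => filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN),
        'open_basedir'      => (string) ini_get('open_basedir'),
        'session_save_path' => (string) ini_get('session.save_path'),
    ];
}

/**
 * Human-readable findings; an empty array means every check passed.
 * $webRoot is the directory the web server serves (the document root).
 */
function audit_hardening(array $state, string $webRoot): array
{
    $findings = [];

    foreach (['system', 'exec', 'passthru', 'shell_exec', 'phpinfo'] as $fn) {
        if (!in_array($fn, $state['disable_functions'], true)) {
            $findings[] = "$fn() is callable; add it to disable_functions in {$state['loaded_ini']}";
        }
    }
    // register_globals is a directive, not a function: a name that is not a
    // function in disable_functions is ignored. It needs register_globals = Off.
    if ($state['register_globals']) {
        $findings[] = 'register_globals is On; set register_globals = Off in php.ini';
    }
    // open_basedir must include the session directory too, or session_start() fails.
    if ($state['open_basedir'] === '') {
        $findings[] = 'open_basedir is unset; set it to the web root plus the session directory';
    }

    $sep      = DIRECTORY_SEPARATOR;
    $savePath = $state['session_save_path'];
    $realSave = $savePath !== '' ? (realpath($savePath) ?: $savePath) : '';
    $realRoot = rtrim(realpath($webRoot) ?: $webRoot, '/\\');
    if ($realSave === '') {
        $findings[] = 'session.save_path is empty: sessions go to the system temp directory, shared with every other site on the host';
    } elseif (strpos($realSave . $sep, $realRoot . $sep) === 0) {
        $findings[] = "session files live under the web root ($realSave); move them outside it";
    }
    return $findings;
}

/**
 * Runtime fallback for hosts where php.ini cannot be changed. Must run before
 * session_start() on every request (so put it in a file every page includes).
 * Returns the save path now in effect.
 */
function harden_session_storage(string $privateDir): string
{
    if (!is_dir($privateDir) || !is_writable($privateDir)) {
        throw new RuntimeException("$privateDir must exist and be writable by the web server user");
    }
    // Pass an absolute path: a relative '../private' is resolved against the
    // current working directory, which can differ between requests and the CLI.
    session_save_path($privateDir);
    // Some distributions ship session.gc_probability = 0 and clean the default
    // directory from cron; that job never sees a custom directory, so let PHP's
    // own garbage collector run (here on 1 request in 100).
    ini_set('session.gc_probability', '1');
    ini_set('session.gc_divisor', '100');
    // Cookie settings worth changing at the same time.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.cookie_httponly', '1');
    return session_save_path();
}

// Usage. Both paths are assumptions for the example: adjust them to the real layout.
$webRoot    = __DIR__;                        // directory the web server serves
$privateDir = dirname(__DIR__) . '/private';  // sibling of the web root, not inside it

// harden_session_storage($privateDir); // enable once the directory exists

$state = collect_hardening_state();
foreach ($state as $key => $value) {
    printf("%-18s %s\n", $key, is_array($value) ? implode(',', $value) : var_export($value, true));
}
foreach (audit_hardening($state, $webRoot) as $finding) {
    echo "FINDING: $finding\n";
}
```

Read 'loaded_ini' first: on a stack that ships more than one php.ini, or where the web server module and the command-line php read different files, it is the only reliable way to know which file to edit, and the web server must be restarted after the edit. Once that file is right, the session directory belongs in php.ini; harden_session_storage() is for the case in post 3, where per-file session_save_path() calls are the only option, and it centralises them in one include instead of every page.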

     
