Ecommerce security issues
When designing an ecommerce website you should pay close attention to security and to how resistant your site is to attack attempts.
Website security is a very broad subject. Here we touch on two of the most important issues:
- SQL injections
SQL injection is the name for a general class of attacks that can allow nefarious users to retrieve data, alter server settings, or even take over your server if you're not careful. SQL injection is not a SQL Server problem, but a problem with improperly written applications.
Here is how it works. Assume you have a getproduct.php script that shows product information when you pass it a productID parameter:
<?php
/* ... database connection section ... */
/* Vulnerable: the raw $_GET["productID"] value is concatenated into the query without any check */
$q = mysql_query("SELECT * FROM `PRODUCT` WHERE productID=".$_GET["productID"])
or die (mysql_error());
$row = mysql_fetch_row($q);
...
?>
Running getproduct.php?productID=5 fetches the product whose productID equals 5 and shows its information.
But what happens if you run getproduct.php as getproduct.php?productID=5;show tables; or getproduct.php?productID=5;delete from some_important_table; ? In this case the outcome is limited only by the imagination and skills of the attacker who has found such a vulnerability in your application.
How do you protect yourself from SQL injections? The answer is proper data validation. Before executing a SQL query you must make sure it is safe to execute: check the input data and transform it to a safe form if required.
For example, where an input variable is expected to be an integer, do not hesitate to add the following line before running the SQL query:
$input_variable = (int) $input_variable;
For transforming string data you can use the mysql_escape_string() function:
$input_variable = mysql_escape_string( $input_variable );
When dealing with string data, transform it to a safe form while taking into account the magic_quotes_gpc and magic_quotes_runtime values defined in the PHP settings on your server. Be careful with escape symbols such as ' and ".
- Cross-site scripting (XSS)
Cross-site scripting (XSS) is a type of security exploit in which information from one context, where it is not trusted, is inserted into another context, where it is trusted. From the trusted context, an attack can be launched.
Here is an example. When placing an order, a customer enters the following string into the `Name` field of the checkout form:
Hack <script>window.alert('You`ve been hacked!');</script> attempt!
After the order is saved to the database, the administrator reviews the order in the back end. When viewing the order details, the administrator sees only Hack attempt! in the `Customer name` field, plus an alert window, because the browser executed the embedded script.
Such a technique allows an attacker to capture various data, including cookies.
Preventing XSS is rather easy. You merely need to transform data to a safe form before outputting it, namely replace all potentially insecure symbols. I encourage you to always replace < and > with &lt; and &gt; accordingly.
It is all that simple.
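The two fixes above, pulled together in one hardened version of getproduct.php. This is an added example, not code from the original article: it uses PDO prepared statements and htmlspecialchars() as the modern counterparts of the (int) cast, mysql_escape_string() and the manual &lt;/&gt; replacement described in the text. The DSN, credentials, the PRODUCT(productID, name) table and the `q` search parameter are assumed placeholders.

```php
<?php
// Added example, not from the original article. Assumed: a PRODUCT table
// with columns productID (INT) and name (VARCHAR); DSN and credentials are
// placeholders.

// 1. Integer input: validate instead of trusting $_GET directly.
//    filter_input() returns false for non-integers and null when absent.
$productID = filter_input(INPUT_GET, 'productID', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1],
]);
if ($productID === false || $productID === null) {
    http_response_code(400);
    exit('Invalid productID');
}

// 2. Never concatenate input into the query text; bind it as a parameter.
//    Disabling emulated prepares makes the server itself do the binding.
$pdo = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$stmt = $pdo->prepare('SELECT productID, name FROM PRODUCT WHERE productID = :id');
$stmt->execute([':id' => $productID]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// 3. String input (an optional search term) takes the same route: bound as
//    a parameter, so no mysql_escape_string()-style escaping is needed and
//    magic_quotes settings no longer matter for the query.
$term   = (string) ($_GET['q'] ?? '');
$search = $pdo->prepare('SELECT productID, name FROM PRODUCT WHERE name LIKE :pat');
$search->execute([':pat' => '%' . $term . '%']);
$matches = $search->fetchAll(PDO::FETCH_ASSOC);

// 4. Output: encode <, >, &, " and ' before a value reaches the HTML page, so a
//    name such as "Hack <script>...</script> attempt!" is shown literally.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$name = $row ? $row['name'] : 'No such product';
?>
<h1><?= h($name) ?></h1>
<p>Search term: <?= h($term) ?> (<?= count($matches) ?> matches)</p>
<ul>
<?php foreach ($matches as $m): ?>
  <li><?= h($m['name']) ?></li>
<?php endforeach; ?>
</ul>
```

The same h() helper should wrap every stored value the back end prints, including the `Customer name` field from the order example.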
The vulnerabilities described above and the approaches to fixing them are a must. Make data validation and proper sanitization a rule when designing web applications. This is very important!