How do I even begin?


RoxyBoo
12-01-2008, 04:51 AM
Hi,

My web programming experience hasn't been too long. It will be 2 years this December since I first started. Before that I programmed in VB and Matlab, no C++, some FORTRAN though.
I am making my first online store (PHP+AJAX) and I feel pretty proud of myself. I finished the backend, I completed the navigational part of the frontend, and I am not worried that I can't finish it.

What worries me are the security issues and ESPECIALLY how in the world do I make clients pay with credit cards? Does the site owner even get to see the number, or does it go straight to a bank? If I were to attempt to do this myself, how would I even start? I took some cryptography classes in college but I don't remember any of it. Any suggestions are welcome. I do not live in an English-speaking country, so I can't redirect customers to something in English.

As for non-credit card security, how do I know when it is secure? I prevent MySQL injection, I understand hash functions and base encoders (though I don't know when to pick one over the other), and I use them for username and password protection. What else should I be studying?

I'm sorry if this message is a little long and not a very interesting topic for the coffee lounge; since I didn't know exactly what to ask, I thought I'd post it here, but I am very curious what you experts have to say about how I should proceed. I mean, at least to me it is very interesting :)
Thanks.

debiguana
12-01-2008, 10:23 AM
What worries me are the security issues and ESPECIALLY how in the world do I make clients pay with credit cards? Does the site owner even get to see the number, or does it go straight to a bank? If I were to attempt to do this myself, how would I even start? I took some cryptography classes in college but I don't remember any of it. Any suggestions are welcome. I do not live in an English-speaking country, so I can't redirect customers to something in English.


The standard practice is to not store credit card numbers in the database if at all possible (and if you must, encrypt them with some strong encryption). Store the last 4 digits and the type (Visa, Mastercard, etc.).

For handling the credit card transactions, check out authorize.net - they're a pretty easy processor to work with and their rates are reasonable. You submit the credit card information over an SSL-encrypted channel, and they return whether the transaction was successful or not.


As for non-credit card security, how do I know when it is secure? I prevent MySQL injection, I understand hash functions and base encoders (though I don't know when to pick one over the other), and I use them for username and password protection. What else should I be studying?

This is one of those open-ended problems. There will always be someone out there who can figure a way through whatever security you have set up. The thing is to make it inefficient to do so (i.e., they pick on easier targets). Securing username and password data, requiring strong passwords, and requiring SSL for logins and credit-card data are all a good start. Also, don't just store a simple "authenticated=1, username=foo" type variable in the session cookie - that makes your login pretty well useless.

For the most part, web security is about common sense.

-Doug
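The points in Doug's reply (keep only the card brand and last four digits, hash rather than encode passwords, parameterize queries, and keep the login state on the server instead of in a client-side cookie flag), written out as a small PHP module. This is an added example, not code from the thread or from authorize.net; it assumes PHP 5.5 or later for password_hash(), a PDO connection, and hypothetical users/orders tables. The card number 4111 1111 1111 1111 is the widely used test number, not a real card, and the full number is never written to the database:

```php
<?php
// Added example (not from the thread): defensive patterns for a PHP store.
// Assumes PHP >= 5.5 (password_hash) and PDO; table/column names are hypothetical.
declare(strict_types=1);

// --- Card data: keep only what you need to show the customer -----------------

// Luhn checksum: catches mistyped numbers before anything is sent to the processor.
function luhn_valid(string $pan): bool
{
    $digits = array_reverse(str_split(preg_replace('/\D/', '', $pan)));
    if (count($digits) < 12) {
        return false;
    }
    $sum = 0;
    foreach ($digits as $i => $d) {
        $n = (int) $d;
        if ($i % 2 === 1) {          // double every second digit from the right
            $n = $n > 4 ? $n * 2 - 9 : $n * 2;
        }
        $sum += $n;
    }
    return $sum % 10 === 0;
}

// Reduce a full card number to the two fields worth persisting: brand and last
// four digits. The full number goes to the processor over TLS and is not stored.
function card_summary(string $pan): array
{
    $pan    = preg_replace('/\D/', '', $pan);
    $first4 = (int) substr($pan, 0, 4);
    if ($pan !== '' && $pan[0] === '4') {
        $brand = 'visa';
    } elseif (preg_match('/^5[1-5]/', $pan) || ($first4 >= 2221 && $first4 <= 2720)) {
        $brand = 'mastercard';
    } else {
        $brand = 'other';
    }
    return ['brand' => $brand, 'last4' => substr($pan, -4)];
}

// --- Passwords: hash, never encode -------------------------------------------
// base64 is reversible, so it protects nothing; password_hash() applies a salted,
// deliberately slow hash (bcrypt by default) and password_verify() checks it.
function hash_password(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT);
}

// Returns the user id on success, null otherwise. The username is bound as a
// parameter, not spliced into the SQL text, so it cannot alter the query.
function login(PDO $db, string $username, string $plain): ?int
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($plain, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

// Login state lives server side in $_SESSION; the browser only holds an opaque
// session id. Regenerating the id at login stops session fixation.
function establish_session(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

function current_user_id(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

// --- Demo with an in-memory SQLite database (constructed sample data) ---------
if (PHP_SAPI === 'cli') {
    session_start();                          // before any output
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
    $db->exec('CREATE TABLE orders (id INTEGER PRIMARY KEY, user_id INTEGER, card_brand TEXT, card_last4 TEXT)');
    $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
       ->execute(['roxy', hash_password('correct horse battery staple')]);

    $results = [
        'injection attempt' => login($db, "roxy' OR '1'='1", 'anything'),   // null
        'wrong password'    => login($db, 'roxy', 'wrong'),                   // null
        'correct password'  => login($db, 'roxy', 'correct horse battery staple'), // 1
    ];
    establish_session($results['correct password']);

    $card = '4111 1111 1111 1111';            // test number, not a real card
    if (luhn_valid($card)) {
        $s = card_summary($card);              // ['brand' => 'visa', 'last4' => '1111']
        $db->prepare('INSERT INTO orders (user_id, card_brand, card_last4) VALUES (?, ?, ?)')
           ->execute([current_user_id(), $s['brand'], $s['last4']]);
    }
    print_r($results);
    print_r($db->query('SELECT * FROM orders')->fetchAll(PDO::FETCH_ASSOC));
}
```

Run it with `php store_security.php`; the two failed logins come back null, the third returns the user id, and the orders table ends up holding only `visa` and `1111`. The same split applies in a real store: everything the processor needs travels over the SSL channel Doug mentions and is discarded once the authorization response comes back, while what the database keeps is enough to show the customer which card was charged and nothing more.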