> I am getting started on a project on PHP that requires very very high
> levels of security. I cannot give you exact details but the basics are
> that it deals with credit cards.
>
> I want some advice and tips from experts on the following
> The server will be Red Hat Linux 7.3
>
> 1) The site will have to take very high traffic and possibly thousands of
> transactions per hour
> -> Which is the best free db to use (I am guessing MySQL)

Investigate PostgreSQL as well - it's also free, and implements some SQL
niceties such as subselects that do not exist in MySQL. It's slightly more
obtuse than MySQL (similar in some ways to Oracle, from my limited
experience), but if you're doing credit card transactions, you are going to
want to use the commit/rollback features.

> 2) I store the db password and login info in a database.inc.php file. Is
> there any way I can prevent a person from getting the db pass even after
> he gets this file?

A few methods: place the file outside of your docroot, ensure that it's not
publicly available through any other means (secure that server well), set
your DB access variables in httpd.conf or .htaccess, and then prevent Apache
from serving /those/.

> 3) Does anyone know a book that focuses on writing secure code.

O'Reilly has a few. Have it audited by someone else. Watch out for SQL
injection.

> 5) How do I know the code that I am writing and my server is safe. Are
> there any services out there that would help me evaluate this.

Hire an auditor, keep your featureset down. Use SSL. Read up on known
methods of session hijacking. (php.net/session mentions some)

Consider using one of the BSD variants in favor of Linux - I think NetBSD
(?) is the one known for lock-tight security settings out of the box, but
I'm not entirely sure. Find someone experienced with BSD, and have them set
it up for you.

---------------------------------------------------------------------
michal migurski- contact info and pgp key:
sf/ca            http://mike.teczno.com/contact.html

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
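As an added illustration of three of the points made in the reply above (keeping the database credentials out of the document root and reading them from the Apache environment, binding query parameters so that untrusted input cannot become SQL, and wrapping the card debit in a commit/rollback transaction), here is example PHP that is not part of the original thread or the poster's project. It uses PDO, which postdates the PHP 4 era of the thread; the environment variable names, the `accounts` and `transactions` tables and their columns, and the `connect()` and `charge()` functions are all assumptions made for this example.

```php
<?php
// Added example, not from the original thread. Assumes the Apache config
// below lives in httpd.conf (never inside the document root), so the
// password is in a file Apache cannot be asked to serve:
//
//   SetEnv CC_DB_DSN  "pgsql:host=localhost;dbname=payments"
//   SetEnv CC_DB_USER "payments_app"
//   SetEnv CC_DB_PASS "change-me"
//
// Variable, table and column names are assumptions for this example.

declare(strict_types=1);

function connect(): PDO
{
    $dsn  = getenv('CC_DB_DSN');
    $user = getenv('CC_DB_USER');
    $pass = getenv('CC_DB_PASS');
    if ($dsn === false || $user === false || $pass === false) {
        // Fail closed: never fall back to a hard-coded password.
        throw new RuntimeException('database credentials not configured');
    }
    return new PDO($dsn, $user, $pass, [
        // Throw on error so a failed statement cannot be silently ignored.
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Real server-side prepares, not client-side string interpolation.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

/**
 * Debit $amountCents from an account and record the transaction,
 * atomically: both rows change or neither does.
 */
function charge(PDO $db, int $accountId, int $amountCents, string $reference): int
{
    if ($amountCents <= 0) {
        throw new InvalidArgumentException('amount must be positive');
    }

    $db->beginTransaction();
    try {
        // Lock the row so two concurrent charges cannot both read the same balance.
        $sel = $db->prepare('SELECT balance_cents FROM accounts WHERE id = :id FOR UPDATE');
        $sel->execute([':id' => $accountId]);
        $balance = $sel->fetchColumn();
        if ($balance === false) {
            throw new RuntimeException('no such account');
        }
        if ((int) $balance < $amountCents) {
            throw new RuntimeException('insufficient funds');
        }

        $upd = $db->prepare('UPDATE accounts SET balance_cents = balance_cents - :amt WHERE id = :id');
        $upd->execute([':amt' => $amountCents, ':id' => $accountId]);

        // $reference is bound as a parameter: a value such as
        // "x'; DROP TABLE accounts; --" is stored as that literal string
        // and is never parsed as SQL.
        $ins = $db->prepare(
            'INSERT INTO transactions (account_id, amount_cents, reference) VALUES (:id, :amt, :ref)'
        );
        $ins->execute([':id' => $accountId, ':amt' => $amountCents, ':ref' => $reference]);

        $txId = (int) $db->lastInsertId();
        $db->commit();
        return $txId;
    } catch (Throwable $e) {
        // Any failure after beginTransaction() (insufficient funds, a failed
        // INSERT, a lost connection) undoes the debit as well.
        $db->rollBack();
        throw $e;
    }
}

// Usage, only when run directly from the command line:
if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    $db = connect();
    echo charge($db, 42, 1999, 'order-1001'), "\n";
}
```

The `SELECT ... FOR UPDATE` and the `lastInsertId()` call assume PostgreSQL (or MySQL with InnoDB), which is the engine the reply recommends for exactly this commit/rollback reason; on a table engine without transactions the `rollBack()` would silently leave the debit in place.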