School of Information Systems

Implementing Secure Transactions with PHP and MySQL

Security is an essential part of any transaction that takes place over the internet. Customers will lose his/her faith in e-business if its security is compromised. There are several important things that need to be concerned regarding the security in e-transaction such as :

  1. Confidentiality − Information should not be accessible to an unauthorized person. It should not be intercepted during the transmission.
  2. Integrity − Information should not be altered during its transmission over the network. So the output will show the same result as expected.
  3. Availability − Information should be available wherever and whenever required within a time limit specified.
  4. Authenticity − There should be a mechanism to authenticate a user before giving him/her an access to the required information.
  5. Non-Repudiability − It is the protection against the denial of order or denial of payment. Once a sender sends a message, the sender should not be able to deny sending the message. Similarly, the recipient of message should not be able to deny the receipt.
  6. Encryption − Information should be encrypted and decrypted only by an authorized user.
  7. Auditability − Data should be recorded in such a way that it can be audited for integrity requirements.

Implementing security with PHP and MySQl

            Implementing security in the e-transactions can be start by implementing security steps in the PHP and MySQL Server. These are the basic steps for implementing secure transactions in PHP and MySQL

  • Identifying Visitors

The Web  servers can find out many information regarding the computers and networks that connect to them, However A web browser usually identifies itself telling the server what browser, browser version, and operating system a user is running. You can often determine what resolution and color depth visitors’ screens are set to and how large their web browser windows are by using JavaScript.

Dr Aleksej Heinze, co-director of the Centre for Digital Business at Salford University’s business school, says you should concentrate on gleaning information about the “three Vs” when you view your site’s statistics. These are: the volume of visitors – how many people visit your site; the value of visitors – what do they spend; and visibility – how visible is your brand for search engines, social media networks and other sources of traffic?

In these cases, we need to concentrate about the volumes of the customers, the higher the value the riskier, because your server need to maintain those transactions and at the same keeping a secure system for those customers.

  • Implementing Access Control

Simple access control is not difficult to implement. By inserting a code on your web server, access control will be granted to several users based on their responsibilities. Implementing access control is needed to ensure authenticity for the transactions. There are several ways to implement access control such as : email authentication, phone authentication, card swipe authentication, fingerprints, etc.

  • Using basic authentication in PHP

Authentication facilities are built into HTTP. Scripts or web servers can request authentication from a web browser. The web browser is then responsible for displaying a dialog box or similar device to obtain required information from the user. Although the web server requests new authentication details for every user request, the web browser does not need to request the user’s details for every page. The browser generally stores these details for as long as the user has a browser window open and automatically resends them to the web server as required without user interaction, although this will increase the risk if another person use the browser without the user’s concern.

  • Implementing Secure Transactions with PHP

Providing secure transactions using the Internet is a matter of examining the flow of information in your system and ensuring that, at each point, your information is secure. In the context of network security, there are no absolutes. No system is ever going to be impenetrable. By secure, we mean that the level of effort required to compromise a system or transmission is high compared to the value of the information involved

These are the illustration of data flow in the e-transactions :

  • Using Secure Sockets Layer (SSL)

The Secure Sockets Layer protocol suite was originally designed by Netscape to facilitate secure communication between web servers and web browsers. It has since been adopted as the unofficial standard method for browsers and servers to exchange sensitive information.

To be able to create an SSL connection a web server requires an SSL Certificate. When you choose to activate SSL on your web server you will be prompted to complete a number of questions about the identity of your website and your company. Your web server then creates two cryptographic keys – a Private Key and a Public Key.

The complexities of the SSL protocol remain invisible to your customers. Instead their browsers provide them with a key indicator to let them know they are currently protected by an SSL encrypted session – the lock icon in the lower right-hand corner, clicking on the lock icon displays your SSL Certificate and the details about it. All SSL Certificates are issued to either companies or legally accountable individuals.

Typically an SSL Certificate will contain your domain name, your company name, your address, your city, your state and your country. It will also contain the expiration date of the Certificate and details of the Certification Authority responsible for the issuance of the Certificate. When a browser connects to a secure site it will retrieve the site’s SSL Certificate and check that it has not expired, it has been issued by a Certification Authority the browser trusts, and that it is being used by the website for which it has been issued. If it fails on any one of these checks the browser will display a warning to the end user letting them know that the site is not secured by SSL.

Alvia Shanardi Wijaya