mme Posted October 2, 2010

Hi, I am currently working on an Invoice System using PHP and MySQL. However, I was just wondering if the system I am using is secure enough. The client gets a link like this: mysite.com/?customerid=b3e470c55aad30eb38ee52eec1d8cb52 Each client has a unique "id". I also have an ID for the administrative back-end. I do clean the GET variable before querying the database, though. Do I need to secure this with anything else, or is this enough? This is my first time creating anything with PHP and MySQL together. Thanks, mme
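The question turns on what the value in the URL actually is. The following is an added example, not mme's code and not from the original thread. It assumes, purely for illustration, that a 32-hex token might be derived from a small sequential customer id (the post does not say how the token is built), and it uses an in-memory SQLite database with an assumed customers table so it runs offline with PHP 7.1+ and the pdo_sqlite extension. It shows two things: a token that is a hash of a predictable id can be enumerated by anyone, and a lookup that binds the token as a parameter in a prepared statement, which is the actual defence for the database query whether or not the GET variable is "cleaned" first.

```php
<?php
// Added example (not the original poster's code): why a 32-hex token derived
// from a predictable customer id is guessable, and what to use instead.
// Uses an in-memory SQLite database so it runs offline; the schema and
// column names are assumptions, not the poster's. Requires pdo_sqlite.

declare(strict_types=1);

// --- Part 1: an md5 of a small sequential id is enumerable -------------------
// Assumption for illustration only: the token is md5((string)$customerId).
function enumerateMd5Token(string $token, int $maxId = 100000): ?int
{
    for ($id = 1; $id <= $maxId; $id++) {
        if (hash_equals($token, md5((string)$id))) {
            return $id;           // recovered the customer id from the "secret"
        }
    }
    return null;
}

// --- Part 2: an unguessable random token, stored and looked up safely --------
function newCustomerToken(): string
{
    // 16 random bytes = 128 bits of entropy; hex encoding keeps it URL-safe.
    return bin2hex(random_bytes(16));
}

function setupDatabase(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE customers (
        id INTEGER PRIMARY KEY,
        email TEXT NOT NULL,
        token TEXT NOT NULL UNIQUE
    )');
    return $db;
}

function addCustomer(PDO $db, string $email): string
{
    $token = newCustomerToken();
    $stmt = $db->prepare('INSERT INTO customers (email, token) VALUES (:email, :token)');
    $stmt->execute([':email' => $email, ':token' => $token]);
    return $token;
}

// The lookup the page script would run for ?customerid=<token>. The bound
// parameter is what prevents SQL injection; the shape check is just an early
// reject for anything that cannot be a token.
function findCustomerByToken(PDO $db, string $token): ?array
{
    if (!preg_match('/\A[0-9a-f]{32}\z/', $token)) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, email FROM customers WHERE token = :token');
    $stmt->execute([':token' => $token]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- Demonstration -----------------------------------------------------------
$guessable = md5('4172');                         // a token built from id 4172
printf("md5-of-id token %s recovers id %s\n",
    $guessable, var_export(enumerateMd5Token($guessable), true));

$db = setupDatabase();
$token = addCustomer($db, 'alice@example.com');   // constructed sample customer
printf("random token %s -> %s\n", $token, json_encode(findCustomerByToken($db, $token)));
printf("random token, enumeration result: %s\n",
    var_export(enumerateMd5Token($token), true));

// A classic injection payload is harmless: it fails the shape check, and even
// without that check it would be bound as data, not spliced into the SQL.
var_dump(findCustomerByToken($db, "' OR '1'='1"));
```

The point of the first half is that hashing does not add secrecy to a value that is itself guessable; the attacker just hashes the same candidates. The random token in the second half has no structure to enumerate, so the only attack left is a brute force over 2^128 values, and the prepared statement keeps the token lookup safe regardless of what arrives in the query string.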
JTallis Posted October 2, 2010

I imagine that's an ID that's been encrypted, right? That would be more secure than it just being the actual ID. Eventually, after so many invoices, people will be able to type in a random ID and it'll bring up someone's invoice. You don't want that. If it's encrypted, that's better; maybe add in the customer's email address too. So for guessers, it's not only just the invoice ID, they need the invoice customer's email too. If anyone gets through that, then .. it's just tough luck I guess. I'm not a master with invoices, but that's my throw-in for you.
mme (author) Posted October 2, 2010

Thanks for your quick reply. I have implemented the new changes, so now the customer ID is encrypted and their email address is required. Thanks, mme
JTallis Posted October 2, 2010

If you wanted to go slightly more secure, forget the email, and send an email to the customer containing a password. This password would need to be used to access the invoice. So the URL needs to contain an encrypted invoice ID, and the customer needs to input their password. The password would be in the invoice table in the database or whatever is containing the invoices, so you can check if it's a valid login. Sorry I didn't think of this beforehand.
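One way to build the flow JTallis describes, as an added example that is neither JTallis's nor mme's code: the invoice row keeps a random URL token and a per-invoice password, the password is emailed to the customer once, and only its hash is stored. The invoices table, column names, the password format, the mysite.example link and the mail text are assumptions made here for illustration. The example also goes a step beyond the thread by counting failed attempts per invoice, since a short emailed password is only as strong as the limit on guessing it. It runs offline with PHP 7.1+ and pdo_sqlite.

```php
<?php
// Added example (not JTallis's or the poster's code): a per-invoice password
// that is e-mailed to the customer and stored only as a hash. Schema, column
// names, URL and mail text are assumptions for illustration. Requires pdo_sqlite.

declare(strict_types=1);

const MAX_ATTEMPTS = 5;   // lock the invoice after this many bad passwords

function setupInvoices(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE invoices (
        id INTEGER PRIMARY KEY,
        token TEXT NOT NULL UNIQUE,      -- the value carried in the URL
        email TEXT NOT NULL,
        password_hash TEXT NOT NULL,     -- never the password itself
        failed_attempts INTEGER NOT NULL DEFAULT 0
    )');
    return $db;
}

// Create the invoice, hash the password and return the plaintext once so it
// can be mailed; it is not kept anywhere else.
function createInvoice(PDO $db, string $email): array
{
    $token = bin2hex(random_bytes(16));
    // 12 random bytes -> 16 URL-safe base64 characters the customer can paste.
    $password = rtrim(strtr(base64_encode(random_bytes(12)), '+/', '-_'), '=');
    $stmt = $db->prepare(
        'INSERT INTO invoices (token, email, password_hash) VALUES (:t, :e, :h)'
    );
    $stmt->execute([
        ':t' => $token,
        ':e' => $email,
        ':h' => password_hash($password, PASSWORD_DEFAULT),
    ]);
    return ['token' => $token, 'password' => $password];
}

// Build the notification text. Sending it is left to mail() or a mailer
// library; link and password travel in the same message here.
function buildInvoiceMail(string $email, string $token, string $password): string
{
    return "To: $email\n"
         . "Subject: Your invoice\n\n"
         . "View it at https://mysite.example/?invoice=$token\n"
         . "Password: $password\n";
}

// The check the invoice page runs: look the row up by token only, then compare
// the submitted password with the stored hash. A wrong password bumps the
// counter; once it reaches MAX_ATTEMPTS the invoice stays locked until an
// administrator resets the counter.
function openInvoice(PDO $db, string $token, string $password): ?array
{
    $stmt = $db->prepare(
        'SELECT id, email, password_hash, failed_attempts FROM invoices WHERE token = :t'
    );
    $stmt->execute([':t' => $token]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int)$row['failed_attempts'] >= MAX_ATTEMPTS) {
        return null;
    }
    if (!password_verify($password, $row['password_hash'])) {
        $db->prepare('UPDATE invoices SET failed_attempts = failed_attempts + 1 WHERE id = :id')
           ->execute([':id' => $row['id']]);
        return null;
    }
    // Upgrade the stored hash transparently if PHP's default has moved on.
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $db->prepare('UPDATE invoices SET password_hash = :h WHERE id = :id')
           ->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }
    return ['id' => $row['id'], 'email' => $row['email']];
}

// --- Demonstration with a constructed customer ------------------------------
$db = setupInvoices();
['token' => $token, 'password' => $password] = createInvoice($db, 'alice@example.com');
echo buildInvoiceMail('alice@example.com', $token, $password), "\n";

var_dump(openInvoice($db, $token, $password) !== null);          // correct password
var_dump(openInvoice($db, $token, 'wrong-password') !== null);   // wrong password
for ($i = 0; $i < MAX_ATTEMPTS; $i++) {
    openInvoice($db, $token, 'still-wrong');                     // exhaust the attempts
}
var_dump(openInvoice($db, $token, $password) !== null);          // correct password, but locked
```

Two caveats a practitioner would want stated. Storing the password in the invoice table as plaintext, which the post's wording allows, means a single SQL injection or database backup leak exposes every customer's password; storing only a password_hash() result keeps that from happening, and password_verify() does the comparison. And because the link and the password go out in the same email, this scheme stops someone who merely guesses or finds the URL, not someone who can read the customer's mailbox; sending the two in separate messages, or letting the customer set their own password on first visit, closes that gap if it matters.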
mme (author) Posted October 3, 2010

Thanks for all your help. I have now done both, email and a password. Thanks, mme