need to learn about secure web programming

[KBTibbs]

Hi.

I'm a junior in college working toward a degree in CS, but I've never done any web development before. As it's Jr. year, we need to start working on whipping up our proposals for senior projects. I've been in contact with a friend at a company (that I have a good shot at getting a job at after graduation) about possible things I could do that would 1) be my project, and 2) be useful to them.

They are looking at secure web development (users entering CC numbers and such into the database, as well as web served reports for clients).

Needless to say, dealing with CC #'s is a little daunting (what if I screw up and they get stolen, etc.). So, I want to spend this summer working on this, so I can show up and not be a complete idiot.

So, do any of you know of some good books on SSL (or anything else related) or maybe even a backend product that I could research/decide if I want to use?

Thanks a bunch,

KBTibbs

 

[n0cmonkey]

Maybe.
OpenSSL

Apache (the most popular web server in the world) uses OpenSSL, and probably has a module for it in the default install. I'm not sure how much work you'd really have to do with it instead of just the web programming...

 

[kamper]

For the most part, as a programmer, you don't worry about ssl. It'd better damn well be there when you go online with cc payment but it doesn't change your job much. That first book n0c linked looks pretty good, although it's getting a bit old.
What you do have to worry about is a security framework that does things like authentication within your application. .NET and j2ee both provide a lot of stuff for you and it helps to know how to use it (although that may be a bit of a jump if you haven't done any enterprise work before). Most of that stuff will apply to any enterprise-style app, not just web apps.

Some specific things I'd tips I'd give for programming for the web specifically:
-never ever trust input from the client
-validate every parameter that comes in
-don't rely on any functionality that runs on the client-side, like javascript for example (you use javascript to make your app run more smoothly but a client that changes what your javascript does should never be able to trick the server)

Here's the classic example of not validating client input. Let's say you have a login form and it sends back parameters called username and password. Your job is to use these to query the database and validate the user. Assuming you've already grabbed the parameters into appropriately named strings, you write your query:

sql = "select * from user where username = '" + username + "' and password = '" + password + "';";

I can now log into your system without a password, possibly without a valid username because you made assumptions about what I (the client) would or wouldn't pass back. See the hole?

 

[KBTibbs]

What about PHP? Would it be appropriate for the task?

 

[notfred]

Originally posted by: KBTibbs
What about PHP? Would it be appropriate for the task?

It's irrelevent to using SSL encryption. Once the data gets from the browser to the webserver, it's decrypted before your PHP application gets a hold of it.