Hi,

I'm a little paranoid about my programming. I'm about to take on a project that consists of a membership area that members must pay a subscription fee to view. I'm thinking about using a third-party credit card billing company, and once a user signs up, it has a script that will update the members database to tell my web application that he/she signed up.

Now since this will deal with money, there are always potential hackers who would want to eliminate competition or even receive free service. That's just my thinking... you can call it paranoia. But the thing is, I'm confident that I can do the programming, but it's how well I can do it. How would I know if it's secure enough? That leads to my question: are there private companies that check how secure an application is and then tell you the loopholes you must fix? Or can I do this myself? I'm assuming I'll need to read lots of hacking books and then see if those hacking tricks apply to my web application.

Basically I've got most security features checked off my list:

- tainting
- ssl
- warnings
- use strict
- form checking every inputted variable
- cgi.pm to disallow uploads and to have a certain max length to avoid DOS
- mysql queries using placeholders and/or having = '$taint_input'
- mysql user passwords using md5
- session management using md5 session code (cgi::session)
- mysql is password protected (password is not shown in any perl scripts)
The real downer is this is on a win2k system. Is Apache more secure? I may recommend that the company I'm working for move it to an Apache server. But the mysql database is located somewhere other than the web server machine (I heard this was better).

Any recommendations of articles or books to read about security for membership-type sites would be really nice.

Thank you all,
perleager

Edited by Arunbear: Changed title from 'Paranoia', as per Monastery guidelines


In reply to Paranoid about web application security by perleager
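As an added illustration (not code from the original post or its author), here is how several items on the checklist above fit together in one Perl CGI script: taint mode with an allow-list untaint, CGI.pm's upload and POST-size limits, a CGI::Session tied to the MySQL handle, and a DBI placeholder query for the subscription check. The database name, host, table, column names and the `DB_PASSWORD` environment variable are assumptions chosen for the example.

```perl
#!/usr/bin/perl -T
# Added example (not from the original post): a minimal member-area
# check combining items from the poster's security checklist.
use strict;
use warnings;
use CGI qw(:standard);
use CGI::Session;
use DBI;

# Under -T, data from the request is tainted and cannot reach unsafe
# operations until it has been validated; clean up %ENV first.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# CGI.pm limits: refuse file uploads and cap the request body so a
# client cannot tie up the process with an oversized POST.
$CGI::DISABLE_UPLOADS = 1;
$CGI::POST_MAX        = 64 * 1024;

my $q = CGI->new;

# Assumed placeholder for the credentials: they come from server
# configuration, never from the script source itself.
my $dbh = DBI->connect('DBI:mysql:database=members;host=db.internal',
                       'webapp', $ENV{DB_PASSWORD},
                       { RaiseError => 1, PrintError => 0 });

# Session id is read from the cookie/query carried by $q; session
# data lives in MySQL through the same handle.
my $session = CGI::Session->new('driver:mysql', $q, { Handle => $dbh })
    or die CGI::Session->errstr;

# Untaint with an allow-list pattern: anything that does not match
# the expected username shape is rejected outright.
my ($username) = ($session->param('username') || '')
    =~ /\A([A-Za-z0-9_]{3,32})\z/
    or die "no valid login in session\n";

# Placeholder query: the value travels separately from the SQL text,
# so it is never parsed as part of the statement. Interpolating
# "... WHERE username = '$username'" would instead rely entirely on
# the validation above to keep quotes out of the query.
my $sth = $dbh->prepare(
    'SELECT 1 FROM subscriptions WHERE username = ? AND expires > NOW()');
$sth->execute($username);
my ($active) = $sth->fetchrow_array;

print $q->header(-type => 'text/html', -charset => 'UTF-8');
print $active ? '<p>Welcome to the members area.</p>'
              : '<p>Your subscription is not active.</p>';
```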
