  1. #1
    icky_thump (SitePoint Enthusiast; joined Nov 2007; St. Louis, MO, USA)

    Online Job Application Form that feeds database

    Hey all,

    My HR dept. is asking if they can have a job application form be built that would feed into a database.
    My concern with this is with regards to security. I know you have to script properly to avoid injections and whatever techniques hackers might use.

    From a bigger picture though, do we have to have certain certification in place for handling sensitive info?
    Social Security Numbers is the first thing that comes to mind.

    Handling sensitive info is new to me, so I'm muddling through it all right now reading HITECH certification and if that applies or whatever else we have to do to get and maintain compliance.

    Any feedback is appreciated.
    Thanks!
    Pandora can't go back into the box - he only comes out.

  2. #2
    dklynn (Certified Ethical Hacker; joined Feb 2002; Auckland)
    i_t,

    SQL injection attacks are relatively easy to thwart if you understand that you MUST run data through your equivalent of mysqli_real_escape_string and then test the string for expected content (validation of input before touching the database).

    A secure server certificate is not required (but may make applicants feel safer) but a Privacy Policy statement (and internal controls to enforce it) is a must.

    Regards,

    DK
    David K. Lynn - Data Koncepts is a long-time WebHostingBuzz (US/UK)
    Client and (unpaid) WHB Ambassador
    mod_rewrite Tutorial Article (setup, config, test & write
    mod_rewrite regex w/sample code) and Code Generator
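As an added example (not code from DK's post or from SitePoint), here is the "validate for expected content before touching the database" step in Python with sqlite3, using bound parameters in place of mysqli_real_escape_string so the database never interprets form values as SQL. The application records are constructed; the field rules are illustrative assumptions.

```python
import re
import sqlite3

# Constructed job-application submissions: two well-formed (one with a legitimate
# apostrophe), one smuggling SQL syntax through the name field, one malformed SSN.
APPLICATIONS = [
    {"name": "Jane Doe", "email": "jane@example.com", "ssn": "123-45-6789"},
    {"name": "Conan O'Brien", "email": "conan@example.com", "ssn": "234-56-7890"},
    {"name": "Bob'); DROP TABLE applications; --", "email": "bob@example.com", "ssn": "987-65-4321"},
    {"name": "Eve Short", "email": "eve@example.com", "ssn": "12-345-678"},
]

# "Expected content" rules (assumed for this example), checked before any SQL runs.
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z .'-]{0,79}$")

def validate(app):
    """Return the names of fields that fail validation; an empty list means accept."""
    bad = []
    if not NAME_RE.match(app["name"]):
        bad.append("name")
    if not EMAIL_RE.match(app["email"]):
        bad.append("email")
    if not SSN_RE.match(app["ssn"]):
        bad.append("ssn")
    return bad

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE applications (id INTEGER PRIMARY KEY, name TEXT, email TEXT, ssn TEXT)")
    return conn

def store(conn, app):
    """Insert with bound parameters: the values travel as data, never as SQL text."""
    conn.execute("INSERT INTO applications (name, email, ssn) VALUES (?, ?, ?)",
                 (app["name"], app["email"], app["ssn"]))
    conn.commit()

def process(apps):
    """Validate each submission, store the good ones, and report what was rejected."""
    conn = open_db()
    rejected = {}
    for app in apps:
        problems = validate(app)
        if problems:
            rejected[app["email"]] = problems
            continue
        store(conn, app)
    stored = [row[0] for row in conn.execute("SELECT name FROM applications ORDER BY id")]
    return stored, rejected
```

Note that "Conan O'Brien" is stored with its apostrophe intact, because the parameter binding, not string escaping, keeps the quote from reaching the SQL parser.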

  3. #3
    icky_thump (SitePoint Enthusiast; joined Nov 2007; St. Louis, MO, USA)
    Hey thanks DK! Appreciate your feedback!

    The guy who hosts all my sites went on and on about HITECH. He said that he spent about 6 hours researching it a while back and decided against it as it was such a major ordeal to get and stay certified.

    I have no knowledge in this area so I thought I'd find some knowledge on here.

    Basically, he tells his customers that he won't handle SSN, credit cards and health records passing through or being stored on his servers as he could end up getting in big trouble because of HITECH certification.

  4. #4
    dklynn (Certified Ethical Hacker; joined Feb 2002; Auckland)
    i_t,

    Sounds like a lot of BS to me. IMHO, find a good host and use your own Secure Server certificate. THEN be sure that you handle sensitive information with some pretty good encryption, i.e., seeds which can identify you as the owner of the data so that only you can read it.

    Regards,

    DK

  5. #5
    SitePoint Addict (joined Apr 2009)
    If you are dealing with sensitive user personal information on a website, be very, very careful. If your site has any kind of breach that exposes any personal data, the penalties will be severe. And if it turns out you didn't do some security stuff that you should have done, the penalty could be more than just $. Listen to the guy that hosts your websites is my recommendation.
    Doug G
    =====
    "If you ain't the lead dog, the view is always the same" - Anon

