MySQL for Bank Code

wow that was way too long… rewrite:

I’m hacking together some bank code that’s going to be managing deposits & withdrawals coming from some third party accounting service via HTTP post data.

It’s going to be somewhat high traffic, privy to malevolent users, and there will undoubtedly be numerous hack attempts on the system. Also, this isn’t going to be my money, and it’s more money than I could afford to lose out of my pocket if something goes wrong.

Two things I’ve been told are 1) “check your post headers”, and 2) “lock your table”. I’m not sure how to do either of these, but I can probably find out. Anything else I should know, or traps people have fallen into with this type of thing? I need to have it robust in case a deposit is sent & my server is down or times out (I think I can handle that with some basic code inside the 3rd party site by processing a refund as soon as I’m certain the deposit timed out). Thanks in advance!

// What do you mean by “RL”? Hang on, lemme check Wikipedia…

The only suggestion I have is that you make sure you set up your tables as InnoDB, so you can use transactions in your SQL, that way you can “rollback” the whole transaction if something isn’t right:

start transaction;
-- both updates succeed together or neither is applied
update balances set amount = ( amount + 100 ) where account_id = 1;
update balances set amount = ( amount - 100 ) where account_id = 2;
commit; -- or "rollback;" if a check fails before this point

As for checking POST headers, it sounds like you need to read up on SQL injection: you need to escape and sanitize whatever input you receive before passing it to the database.

Another thing to do is keep a log of all transactions, preferably on another system entirely so that if (ok, WHEN) you’re hacked, you have records of who did what when and can replay transactions into your DB.

Backup often, preferably where a compromise won’t be able to get to the data.

PLEASE rethink using shared hosting for managing other people’s money. Please, please, please - someone’s gonna get screwed, and it’s probably you.

Wholly - Use promo code WhollyMindless for full 97$ credit until 12/11/07.
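The transaction-plus-parameterized-query pattern described in the reply above, as an added example that is not from this thread. It uses Python's sqlite3 with a constructed in-memory table (BEGIN IMMEDIATE stands in for the InnoDB row lock you would take with SELECT ... FOR UPDATE), and the ledger table is the transaction log the reply suggests keeping.

```python
import sqlite3

def setup():
    """Constructed in-memory ledger; isolation_level=None means we issue BEGIN/COMMIT ourselves."""
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.executescript("""
        CREATE TABLE balances(account_id INTEGER PRIMARY KEY,
                              amount INTEGER NOT NULL CHECK (amount >= 0));
        CREATE TABLE ledger(id INTEGER PRIMARY KEY, src INTEGER, dst INTEGER,
                            amount INTEGER, status TEXT);
        INSERT INTO balances VALUES (1, 500), (2, 100);
    """)
    return conn

def transfer(conn, src, dst, amount):
    """Move `amount` from src to dst atomically. Returns True on success, False if rejected."""
    if not isinstance(amount, int) or amount <= 0:
        raise ValueError("amount must be a positive integer")
    conn.execute("BEGIN IMMEDIATE")  # take the write lock before reading the balance
    try:
        # Parameterized queries: every value is bound as data, never spliced into the SQL text,
        # so a hostile account_id such as "1 OR 1=1" simply matches no row.
        row = conn.execute("SELECT amount FROM balances WHERE account_id = ?", (src,)).fetchone()
        if row is None or row[0] < amount:
            conn.execute("INSERT INTO ledger(src, dst, amount, status) VALUES (?, ?, ?, 'rejected')",
                         (src, dst, amount))
            conn.execute("COMMIT")  # keep the rejection in the log, balances untouched
            return False
        conn.execute("UPDATE balances SET amount = amount - ? WHERE account_id = ?", (amount, src))
        cur = conn.execute("UPDATE balances SET amount = amount + ? WHERE account_id = ?", (amount, dst))
        if cur.rowcount != 1:
            raise LookupError("destination account does not exist")
        conn.execute("INSERT INTO ledger(src, dst, amount, status) VALUES (?, ?, ?, 'ok')",
                     (src, dst, amount))
        conn.execute("COMMIT")
        return True
    except Exception:
        conn.execute("ROLLBACK")  # nothing from this transfer persists, including the debit
        raise

def balance(conn, account_id):
    return conn.execute("SELECT amount FROM balances WHERE account_id = ?", (account_id,)).fetchone()[0]

def ledger_rows(conn):
    return conn.execute("SELECT src, dst, amount, status FROM ledger ORDER BY id").fetchall()
```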

This. ↑

This. ↑ Say it again, Brother! This. ↑