I have taken over the website duties at work. I am still learning PHP
and MySQL. I want to have a form where the user enters some financial
info and it is stored in a database. It, obviously, needs to be
secure. I know how to make the input form secure. But what about
retrieving the data? I was thinking I would use a password-protected
secure form for that. Is that enough? What if I happen to view the
records using PhpMyAdmin? Does that constitute an insecure
transmission? Any other thoughts regarding the security of a setup
like this would also be greatly appreciated.
Thanks,
Peter
On 23 Oct 2005 06:25:40 -0700, "peter" <pl*****@yahoo.com> wrote:
> I have taken over the website duties at work. I am still learning PHP and MySQL. I want to have a form where the user enters some financial info and it is stored in a database. It, obviously, needs to be secure. I know how to make the input form secure. But what about retrieving the data? I was thinking I would use a password-protected secure form for that. Is that enough? What if I happen to view the records using PhpMyAdmin? Does that constitute an insecure transmission? Any other thoughts regarding the security of a setup like this would also be greatly appreciated.
Use your PHP skills to write a secure form and access the MySQL
database that way. Put it on an SSL-protected port for added
security.
I've added the new comp.databases.mysql group so you can get answers
to the mysql questions there.
--
gburnore at DataBasix dot Com
---------------------------------------------------------------------------
How you look depends on where you go.
---------------------------------------------------------------------------
Gary L. Burnore
Official .sig, Accept no substitutes.
Black Helicopter Repair Services, Ltd. | Official Proof of Purchase
===========================================================================
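An added example, not code from the thread, of the kind of retrieval page Gary describes: served only over HTTPS, behind a password login, and reading the stored records with a prepared statement. The table and column names (`submissions`, `account_no`, `amount`), the login page path `/login.php` and the database credentials are assumptions made for illustration.

```php
<?php
// Added example (not from the thread): a retrieval page that refuses plaintext
// HTTP, requires a logged-in session, and reads records with a prepared statement.
// Assumed for illustration: table `submissions`, login page /login.php, and
// placeholder database credentials.

declare(strict_types=1);

// 1. Never serve financial data over plain HTTP. This assumes PHP itself sees the
//    TLS connection; behind a TLS-terminating proxy you would check
//    X-Forwarded-Proto instead.
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    http_response_code(403);
    exit('This page is only available over HTTPS.');
}
header('Strict-Transport-Security: max-age=31536000');
header('Cache-Control: no-store'); // keep records out of browser and proxy caches

// 2. Cookie hardening must be set before session_start(): the session cookie is
//    only sent over HTTPS, is invisible to page scripts, and is not sent cross-site.
session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Strict']);
session_start();

// 3. Authentication: /login.php is assumed to set $_SESSION['user_id'] only after
//    password_verify() succeeds against a stored password_hash() value.
if (!isset($_SESSION['user_id'])) {
    header('Location: /login.php');
    exit;
}

// 4. Retrieval with a prepared statement: the search term is bound as data and
//    never becomes part of the SQL text, so it cannot alter the query.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on errors
$db = new mysqli('localhost', 'app', 'app-password', 'finance'); // placeholders

$account = $_GET['account'] ?? '';
$stmt = $db->prepare(
    'SELECT id, submitted_at, amount FROM submissions WHERE account_no = ? ORDER BY submitted_at DESC'
);
$stmt->bind_param('s', $account);
$stmt->execute();
$result = $stmt->get_result();

header('Content-Type: text/html; charset=utf-8');
echo '<table>';
while ($row = $result->fetch_assoc()) {
    // Escape on output so a value stored by a user cannot inject markup or script
    // into the administrator's browser when the records are viewed.
    printf(
        '<tr><td>%d</td><td>%s</td><td>%s</td></tr>',
        (int) $row['id'],
        htmlspecialchars((string) $row['submitted_at'], ENT_QUOTES, 'UTF-8'),
        htmlspecialchars((string) $row['amount'], ENT_QUOTES, 'UTF-8')
    );
}
echo '</table>';
```

The HTTPS check at the top protects the browser-to-web-server link only; it says nothing about how the web server reaches MySQL, which is a separate connection.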
> I have taken over the website duties at work. I am still learning PHP and MySQL. I want to have a form where the user enters some financial info and it is stored in a database. It, obviously, needs to be secure. I know how to make the input form secure. But what about retrieving the data? I was thinking I would use a password-protected secure form for that. Is that enough? What if I happen to view the
You need to worry about two different connections, independently:
- The web-server-to-browser connection. https and good authentication
are good enough for this.
- The database-to-web-server connection. MySQL can use SSL for the
database connection. Use of https on the web server does NOT protect
the database connection.
If the database-to-web-server connection is LOCAL (both on the same
server), is security really an issue? If you don't trust the people
who can use shell logins into the box, you probably have much worse
problems than snooping localhost, like cracking MySQL directly.

If the database-to-web-server connection goes over your local LAN only,
security may not be an issue if you have good physical security and
few employees who don't have access to the info anyway.

If the database-to-web-server connection is over the Internet, you have a
problem. Use SSL or SSH tunnels for the MySQL connection.
> records using PhpMyAdmin?
If PhpMyAdmin is not set up on a secure (https) web server, it's insecure.
If the database connection to the web server goes over the Internet and
it's not encrypted, it's insecure.
> Does that constitute an insecure transmission? Any other thoughts regarding the security of a setup like this would also be greatly appreciated.
Gordon L. Burditt
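An added example, not code from Gordon's post, of the second connection he describes: the web server opening its MySQL session over TLS from PHP with the server certificate verified against a CA, followed by the check a practitioner wants before sending financial data, which is to ask the server whether the session really is encrypted. On older client and server combinations a client that merely asks for SSL can end up on a plaintext session if the server has no TLS configured, so the code refuses to continue unless a cipher is in use. The CA bundle path, host name, user and database are assumptions.

```php
<?php
// Added example (not from the thread): open the web-server-to-MySQL link over TLS
// and refuse to proceed unless the session is actually encrypted.
// Assumed for illustration: a CA bundle at /etc/ssl/mysql/ca.pem, host
// db.example.internal, and placeholder user/database names.

declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of returning false

function connect_encrypted(string $host, string $user, string $pass, string $db): mysqli
{
    $m = mysqli_init();
    if ($m === false) {
        throw new RuntimeException('mysqli_init failed');
    }

    // Verify the server's certificate against our CA. Without this a
    // man-in-the-middle can present any certificate and still get an
    // "encrypted" session with us.
    $m->options(MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, true);
    $m->ssl_set(null, null, '/etc/ssl/mysql/ca.pem', null, null);
    $m->real_connect($host, $user, $pass, $db, 3306, null, MYSQLI_CLIENT_SSL);

    // Belt and braces: ask the server which cipher this session negotiated.
    // An empty Ssl_cipher means the connection is running in plaintext.
    $row = $m->query("SHOW SESSION STATUS LIKE 'Ssl_cipher'")->fetch_assoc();
    if ($row === null || $row['Value'] === '') {
        $m->close();
        throw new RuntimeException('MySQL session is not encrypted; refusing to send financial data');
    }
    return $m;
}

// Usage: the caller gets either an encrypted handle or an exception, never a
// silently plaintext connection.
$db = connect_encrypted('db.example.internal', 'app', 'app-password', 'finance');
$stmt = $db->prepare('INSERT INTO submissions (account_no, amount) VALUES (?, ?)');
$account = '12345';
$amount  = '199.00';
$stmt->bind_param('ss', $account, $amount);
$stmt->execute();
```

Pair this with a MySQL account that the server itself restricts, for example created with `REQUIRE SSL`, so that a plaintext login from that user is rejected even if the application code is ever misconfigured. When the host is `localhost`, as in Peter's later reply, PHP's mysqli uses the local Unix socket rather than TCP, and this TLS setup is not what protects the link; the question then becomes who else has access to the machine.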
In article <11**********************@f14g2000cwb.googlegroups.com>,
"peter" <pl*****@yahoo.com> wrote:
> I have taken over the website duties at work. I am still learning PHP and MySQL. I want to have a form where the user enters some financial info and it is stored in a database. It, obviously, needs to be secure. I know how to make the input form secure. But what about retrieving the data? I was thinking I would use a password-protected secure form for that. Is that enough? What if I happen to view the records using PhpMyAdmin? Does that constitute an insecure transmission? Any other thoughts regarding the security of a setup like this would also be greatly appreciated.
> Thanks,
> Peter

http://shiflett.org/articles
has great articles on PHP and security issues. Specific to your
question, there's
http://shiflett.org/articles/security-corner-jul2004
http://shiflett.org/articles/security-corner-apr2004
--
DeeDee, don't press that button! DeeDee! NO! Dee...
Both the database and the server are hosted, if that is the right term.
So I'm not sure what to make of it.
Peter
>Both the database and the server are hosted, if that is the right term. So I'm not sure what to make of it.
So what argument do you pass to mysql_connect() or mysqli_connect()
for the host name of the database? "localhost"? If so, they're
on the same server. If not, and it's a host name, do the web server
and the database server have IP addresses in the same class C
(first 3 octets the same)? If so, they may well be on the same
LAN, which is a lot safer than having it go across the Internet.
In any case, with a hosted setup, you're stuck trusting the
administration of either the web server or the database server. If
they steal credit card numbers from your site, you're stuck, and
there's not much you can do but find another host.
Gordon L. Burditt
Thank you for taking the time to answer my questions. I do use
"localhost". So my main concern is trusting the hosting company? That
and the security of the transmission when I retrieve the data?
Peter
>Thank you for taking the time to answer my questions. I do use "localhost".
Then you don't really have to worry much about the link between
the web server and the database: they're on the same machine.
That's pretty hard to sniff, and if they can sniff it, they
can probably crack the database directly anyway.
You still have to worry about the link between the web server
and the browser (use https and authentication). I think you've
dealt with that.
You still have to worry about more direct access to either the web
server or the database server (which in your case are the same
machine). This includes such things as admins on those servers,
someone breaking in and stealing the hard disk containing the
database, corporate takeovers of the hosting company by someone
unethical (they own the hard disk with your database now), logging
code (viruses) inserted into the web server, etc. With a hosting
company you're pretty much stuck with trusting them after making
your best choice of a host. If you do your own hosting, deal with
your physical security and trusting your employees.
> So my main concern is trusting the hosting company? That and the security of the transmission when I retrieve the data?
Gordon L. Burditt
Ok, Gordon, I have a much better understanding of what I need to do.
Thank you. Thank you Michael and Gary also.
Peter