July 18th, 2003, 06:59 PM
database and php security
I am a web hosting reseller and I have a possible client asking about security for his data stored in a MySql database and accessed by php. This data will be from a small county government and will only contain public documents.
Each domain on my host gets its own database but no control over the database installation so I really don't know - besides the version - what I'm looking at.
I know to use phpinfo file to get that info. I know that the databases are all accessed via localhost, php 4.2.3 is operating in safe mode and the mysql version is 3.23.39.
What else can I tell about the possible security problems with this system by looking at the info file?
Secondly, I use a wide variety of php open source code on this server and I have no earthly idea how safe this stuff is. I am no programmer but I'm learning fast how to work with already made files.
Please, some words of advice!
July 19th, 2003, 10:19 AM
You can restrict access to the MySQL server to either localhosts or from the webservers. If it is possible I would recommend using ssl to run your scripts.
July 20th, 2003, 04:27 PM
Okay, localhost is what is happening. I can to go to ssl as well when accessing and using the admin functions. Anybody else got words of wisdom? Thank you, Victor
July 27th, 2003, 01:03 AM
What are you looking for?
Both PHP and MySQL can be upgraded to more recent (and probably more secure) versions, as you are not running the latest stable version of either.
Probably not a great deal. The security of each aspect of your system would need to be analysed by a professional in order to highlight areas of weakness.
Since PHP runs with the privileges of the web server, this limits the amount of damage it can do to the amount of damage that the "nobody" user can do - however this depends very much on what this user can do with regards to reading and writing files. For example, users can overwrite each other's files via PHP if their permissions are 777.