#1
  1. No Profile Picture
    Easy Prowler
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jun 2001
    Posts
    16
    Rep Power
    0

    secure connection to MySQL


    I need some explanation: should I encrypt data, if:

    1) MySQL server is on the same machine as HTTP server (IP: localhost);
    2) I transfer data to/from MySQL server located on other machine?

    If yes, what must I do?
    (I'll be thankful for any example)

    For example: my script has received some confidential information (through an SSL session) and is to put it into the database (this information doesn't have to be stored in encrypted form).

    One more thing: what about logging in to the DB (username and password)? Can anybody see them if the connection isn't encrypted?


    What else should I know to have this connection really safe?
  2. #2
  3. Modding: Oracle MsSQL Firebird
    Devshed Supreme Being (6500+ posts)

    Join Date
    Jun 2001
    Location
    Outside US
    Posts
    8,527
    Rep Power
    539
    OK, all right, I'm not an expert, but common sense suggests I say:
    First of all you should do a search through those forums: php, mysql and security, just to read something and clear (or mess up more) your ideas.
    Then you should do a security assessment on your business.
    I mean, ask yourself what kind of data you are collecting, what does the law say about what you are doing, how the owners of data could be hurt in case of ... and how their lawyers can strike back at you and so on ....
    Then do another assessment on your system, i.e. can the box be stolen (physically), can the operating system be hacked, security holes in applications ...
  4. #3
  5. No Profile Picture
    Easy Prowler
    Devshed Newbie (0 - 499 posts)

    Of course you're right. But security & system assessment (the way you have described it) is the deep background of my question.

    I've also searched DevShed Forums. Maybe I'm inattentive or impatient, but I've hardly found anything interesting.

    I suppose my issue is a part of a wider field: server-to-server connection and is a good occasion to present some important notes concerning this topic.
  6. #4
  7. Modding: Oracle MsSQL Firebird
    Devshed Supreme Being (6500+ posts)

    The php - mysql communication, if they are on the same server, is secure as long as no one gets into your system, that's why you need an assessment.
    It's not the deep background; it's a must to avoid wasting time and to obtain some real security. Without it you risk doing like those guys who buy an antivirus and then do not update the virus definitions, or worse, choose the wrong time interval to check for updates (!!!) ...
  8. #5
  9. No Profile Picture
    Easy Prowler
    Devshed Newbie (0 - 499 posts)

    Your remarks are really important, but just in your latest reply I've found a partial answer to my problem:
    The php - mysql communication, if they are on the same server, is secure as long as no one gets into your system (...).
    The second option is still open.
  10. #6
  11. No Profile Picture
    Apprentice Deity
    Devshed Loyal (3000 - 3499 posts)

    Join Date
    Jul 1999
    Location
    Niagara Falls (On the wrong side of the gorge)
    Posts
    3,237
    Rep Power
    19
    As to your second configuration (web server and MySQL server on separate machines): it depends...

    Seriously, if the machines are behind the same switch then it should not be necessary to have a secure (encrypted) connection since no packets passing between the two will be sent beyond the switch. This does assume that you have complete control over any other devices connected to the same switch.

    However, should the two machines be connecting via the internet, then a secure connection would be necessary for transferring sensitive data.
  12. #7
  13. No Profile Picture
    Easy Prowler
    Devshed Newbie (0 - 499 posts)

    Thanks for answering, rod k.

    Let me follow the second option. How do I make (in detail) a secure connection between an Apache+PHP server and a MySQL server (different locations, firewall impossible)?

    I know there's CURL available in PHP. But I have no idea how to use it with MySQL functions. And that's not the best idea for people who use Python instead of PHP...

    Or maybe the secure connection should be part of Apache's work?
  14. #8
  15. No Profile Picture
    Easy Prowler
    Devshed Newbie (0 - 499 posts)

  16. #9
  17. No Profile Picture
    Apprentice Deity
    Devshed Loyal (3000 - 3499 posts)

    Another option is to use IPSec between the two servers.
  18. #10
  19. No Profile Picture
    Easy Prowler
    Devshed Newbie (0 - 499 posts)

    rod K, could you write something more about IPSec?
  20. #11
  21. No Profile Picture
    Apprentice Deity
    Devshed Loyal (3000 - 3499 posts)

    Well, I could, but it wouldn't be very useful as I haven't much experience with it. The thing to do would be to check the docs of your OS, as it is a kernel option and has to be set at compile time for *nixes. If you are using an MS OS there are several commercial options that you can use. PGPnet comes to mind...
  22. #12
  23. No Profile Picture
    Junior Member
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2001
    Location
    ny
    Posts
    15
    Rep Power
    0

    machines on the same switch


    You shouldn’t rely on a switch to provide security for your network. The intent behind a switch is to optimize network bandwidth, not security. It is true that most common packet sniffers will not work across switches, but there are several tools around that will, and depending on the type of switch you have there are varying degrees of difficulty for an attacker to make these tools work.

    There are some good articles online to this effect; if you look, try Google.
    Last edited by jondoor; February 23rd, 2002 at 10:05 AM.
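
An added example, not code from any poster in this thread: it turns the cases discussed above (same machine, same switch, across the internet) into a connection policy that allows plaintext only when traffic never leaves the host and requires verified TLS otherwise, following the point in #12 that a switch is not a security boundary. The function names and sample hosts are hypothetical, and it assumes the database server has TLS enabled and the driver accepts a standard `ssl.SSLContext`.

```python
import ipaddress
import ssl


def is_local_endpoint(host):
    """True only when traffic to `host` never leaves this machine."""
    if host.startswith("/"):              # Unix socket path
        return True
    if host.lower() == "localhost":
        return True
    try:
        # IP literal: 127.0.0.0/8 and ::1 are loopback
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return False                      # any other name is treated as remote


def tls_context_for(host, ca_file=None):
    """Return None for a local endpoint, else a verifying TLS context.

    A LAN address behind the same switch is treated exactly like an
    internet address: the switch is not trusted to keep traffic private.
    """
    if is_local_endpoint(host):
        return None
    ctx = ssl.create_default_context(cafile=ca_file)   # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def describe(host):
    """Human-readable policy decision for one endpoint."""
    ctx = tls_context_for(host)
    return f"{host}: " + ("plaintext allowed (local)" if ctx is None
                          else "TLS required, server certificate verified")


if __name__ == "__main__":
    # Constructed sample endpoints covering the thread's three cases.
    for h in ("localhost", "/var/run/mysqld/mysqld.sock",
              "192.168.1.20", "db.example.net"):
        print(describe(h))
```

Pass the returned context to the database driver's TLS option and refuse to connect if the driver cannot use it, so that login credentials and query data are never sent in the clear to a remote server.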
