December 17th, 2001, 08:08 AM
secure connection to MySQL
I need some explanation: should I encrypt data, if:
1) the MySQL server is on the same machine as the HTTP server (IP: localhost);
2) I transfer data to/from a MySQL server located on another machine?
If yes, what must I do?
(I'll be thankful for any example.)
For example: my script has received some confidential information (through an SSL session) and is to put it into a database (this information doesn't have to be stored in encrypted form).
One more thing: what about logging in to the DB (username and password)? Can anybody see them if the connection isn't encrypted?
What else should I know to make this connection really safe?
December 17th, 2001, 08:26 AM
OK, all right, I'm not an expert but common sense suggests I say:
First of all you should do a search through those forums: PHP, MySQL and security, just to read something and clear up (or mess up more) your ideas.
Then you should do a security assessment on your business.
I mean, ask yourself what kind of data you are collecting, what the law says about what you are doing, how the owners of the data could be hurt in case of ... and how their lawyers could strike back at you and so on ....
Then do another assessment on your system, i.e. can the box be stolen (physically), can the operating system be hacked, security holes in applications ...
December 17th, 2001, 09:36 AM
Of course you're right. But security & system assessment (the way you have described it) is the deep background of my question.
I've also searched the DevShed Forums. Maybe I'm inattentive or impatient, but I've hardly found anything interesting.
I suppose my issue is part of a wider field: server-to-server connections, and is a good occasion to present some important notes concerning this topic.
December 17th, 2001, 09:55 AM
The PHP - MySQL communication, if they are on the same server, is secure as long as no one gets into your system; that's why you need an assessment.
It's not the deep background, it's a must to avoid wasting time and to obtain some real security, without the risk of doing like those guys who buy an antivirus and then do not update virus definitions, or worse, choose the wrong time interval to check for updates (!!!) ...
December 17th, 2001, 10:37 AM
Your remarks are really important, but only in your latest reply have I found a partial answer to my problem:
The second option is still open.
January 19th, 2002, 06:47 AM
As to your second configuration (web server and MySQL server on separate machines): it depends....
Seriously, if the machines are behind the same switch then it should not be necessary to have a secure (encrypted) connection since no packets passing between the two will be sent beyond the switch. This does assume that you have complete control over any other devices connected to the same switch.
However, should the two machines be connecting via the internet, then a secure connection would be necessary for transferring sensitive data.
January 21st, 2002, 03:17 AM
Thanks for answering, rod k.
Let me follow the second option. How do I make (in detail) a secure connection between an Apache+PHP server and a MySQL server (different locations, firewall impossible)?
I know there's cURL available in PHP. But I have no idea how to use it with MySQL functions. And that's not the best idea for people who use Python instead of PHP...
Or maybe the secure connection should be Apache's job?
February 22nd, 2002, 05:38 AM
February 22nd, 2002, 08:26 AM
Another option is to use IPSec between the two servers.
February 22nd, 2002, 08:35 AM
rod K, could you write something more about IPSec?
February 22nd, 2002, 08:39 AM
Well, I could but it wouldn't be very useful as I haven't much experience with it. The thing to do would be to check the docs of your OS as it is a kernel option and has to be set at compile time for *nixes. If you are using an MS OS there are several commercial options that you can use. PGPnet comes to mind...
February 23rd, 2002, 09:59 AM
machines on the same switch
You shouldn't rely on a switch to provide security for your network. The intent behind a switch is to optimize network bandwidth, not security. It is true that most common packet sniffers will not work across switches, but there are several tools around that will, and depending on the type of switch you have there are varying degrees of difficulty for an attacker to make these tools work.
There are some good articles online to this effect, if you look try google.
Last edited by jondoor; February 23rd, 2002 at 10:05 AM.
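An added example, not part of the thread above and not code from any of its posters, that makes concrete the question asked at the top ("can anybody see the username and password if the connection isn't encrypted?") and jondoor's point that a sniffer can be placed on the path between the two machines. It decodes a constructed capture of an unencrypted MySQL session using the 4.1+ client/server protocol (mysql_native_password, which postdates the thread). On the wire the username, the database name and every query are plain text; the password is not sent in clear but as a 20-byte scramble computed from the password and a salt the server sent, also in clear, in its greeting, so a captured login can be brute-forced offline with a wordlist. The salt, user, password, query and wordlist below are all constructed for the example.

```python
import hashlib
import struct

# Capability bits from the MySQL client/server protocol (4.1+ handshake).
CLIENT_CONNECT_WITH_DB = 0x00000008
CLIENT_PROTOCOL_41 = 0x00000200
CLIENT_SECURE_CONNECTION = 0x00008000


def native_password_scramble(password: bytes, salt: bytes) -> bytes:
    """mysql_native_password: SHA1(pw) XOR SHA1(salt + SHA1(SHA1(pw)))."""
    stage1 = hashlib.sha1(password).digest()
    stage2 = hashlib.sha1(stage1).digest()
    mixed = hashlib.sha1(salt + stage2).digest()
    return bytes(a ^ b for a, b in zip(stage1, mixed))


def frame(seq: int, payload: bytes) -> bytes:
    """Wrap a payload in the MySQL packet header: 3-byte length, 1-byte sequence number."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


def build_handshake_response(user: bytes, password: bytes, salt: bytes, db: bytes) -> bytes:
    """Client login packet as sent without TLS: user and db in clear, password scrambled."""
    caps = CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION | CLIENT_CONNECT_WITH_DB
    auth = native_password_scramble(password, salt)
    # capability flags, max packet size, charset, 23 reserved bytes
    payload = struct.pack("<IIB", caps, 16777216, 33) + b"\x00" * 23
    payload += user + b"\x00" + bytes([len(auth)]) + auth + db + b"\x00"
    return frame(1, payload)


def build_query(sql: bytes) -> bytes:
    """COM_QUERY packet: a single 0x03 command byte followed by the SQL text."""
    return frame(0, b"\x03" + sql)


def split_packets(stream: bytes) -> list:
    """Split a captured byte stream into (sequence, payload) pairs."""
    packets, pos = [], 0
    while pos + 4 <= len(stream):
        length = int.from_bytes(stream[pos:pos + 3], "little")
        packets.append((stream[pos + 3], stream[pos + 4:pos + 4 + length]))
        pos += 4 + length
    return packets


def decode_handshake_response(payload: bytes) -> dict:
    """Recover user, database and the 20-byte auth response from a login packet."""
    caps = struct.unpack_from("<I", payload, 0)[0]
    pos = 32  # 4 caps + 4 max packet + 1 charset + 23 reserved
    end = payload.index(b"\x00", pos)
    user, pos = payload[pos:end], end + 1
    n = payload[pos]
    auth, pos = payload[pos + 1:pos + 1 + n], pos + 1 + n
    db = None
    if caps & CLIENT_CONNECT_WITH_DB:
        db = payload[pos:payload.index(b"\x00", pos)].decode()
    return {"user": user.decode(), "auth_response": auth, "database": db}


def decode_query(payload: bytes):
    """Return the SQL text of a COM_QUERY packet, or None if the packet is not a query."""
    return payload[1:].decode() if payload and payload[0] == 0x03 else None


def crack_scramble(auth: bytes, salt: bytes, wordlist):
    """Offline dictionary attack on a captured scramble; the salt came from the clear-text greeting."""
    for candidate in wordlist:
        if native_password_scramble(candidate, salt) == auth:
            return candidate.decode()
    return None


def sniff_demo() -> dict:
    """Constructed capture of one login and one INSERT, decoded as a passive sniffer would."""
    salt = b"ABCDEFGHIJKLMNOPQRST"  # constructed 20-byte server salt
    capture = (build_handshake_response(b"webapp", b"hunter2", salt, b"orders")
               + build_query(b"INSERT INTO cards (pan) VALUES ('4111111111111111')"))
    packets = split_packets(capture)
    login = decode_handshake_response(packets[0][1])
    query = decode_query(packets[1][1])
    wordlist = [b"password", b"letmein", b"hunter2", b"changeme"]  # constructed
    return {
        "user": login["user"],
        "database": login["database"],
        "query": query,
        "recovered_password": crack_scramble(login["auth_response"], salt, wordlist),
    }


if __name__ == "__main__":
    for key, value in sniff_demo().items():
        print(f"{key}: {value}")
```

The point for the thread's second configuration: anything an attacker can see on the path between the web server and the MySQL server (a shared switch, as jondoor notes, or the internet) gives them the queries, the results and enough to attack the login, so the link itself has to be protected, either at the transport layer (IPsec between the two hosts, as rod k suggests) or by enabling MySQL's own SSL/TLS support on the server and client and granting the application account with REQUIRE SSL so an unencrypted login is refused.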