Aaron, posted March 12, 2003

Hi! I am currently volunteering at a non-profit organization that wants to convert its MS Access database to a web database application. I would like to use PHP/MySQL to do this, since these are what I am most familiar with, but I know that probably the most practical thing to do is use ASP and keep using the current MS Access database. My biggest concern right now is security: I have practically no experience with security, and this database contains personal information like Social Security Numbers. If security were not much of a concern, then I would definitely go ahead with PHP/MySQL. If we go ASP/Access, there is another volunteer who I will work with, who uses ASP/Access and DOES know about security (he has his own web development company). He will address all security concerns so all I have to do is basically use ASP to make the application. That said, I still want to use PHP/MySQL! So I just want to ask: what do I need to know about security? Since the information will be stored in a MySQL database, am I right to assume that the security of this information is basically out of my control, and is in the hands of the TCH servers (if we do use PHP/MySQL, we will definitely open a TCH account)? Secondly, what do I need to know about SSL? The users will need to add/update information in the database through forms on the website, and I know that I need SSL to make sure the passing of this information is secure. I apologize if I am asking too much; I normally just research online and learn everything by myself. But because this is not a personal project and a whole organization is affected, I just wanted to ask people who have more experience with security concerns. In addition, we need to decide what route we will take asap. Any help/advice would be greatly appreciated! Aaron Romero romero-online.com
KevinW, posted March 12, 2003

Perhaps the first question is: what problem(s) do they want to solve by making their database available via the web? Most secured databases are never put on a public web site; rather they sit on a separate server behind a firewall. The Internet web site would use custom code to display the forms to users on their web browsers, and to then send requests to this database server (for queries, updates, etc.). In other words, if the published web site is violated, there is no data there to steal. Whether you wish to use Access/SQL or MySQL/PHP, you have similar security issues to address. -kw
Aaron (author), posted March 12, 2003

Thanks for replying! The reason why they want to "go online" is they want some parts of the database accessible to the public. Currently, they have potential volunteers submit applications by mail, but they would like the ability to let them apply online. Second, they also want to give volunteers, donors, and others the ability to update their contact information online. Finally, they want the ability to access the database while "on the road." I realize that the same security issues will be present no matter what route we take. I guess I should present my dilemma this way: I can either a. use PHP/MySQL and learn about security, or b. use ASP/Access and learn ASP. Thus, my question is, how much do I need to learn about security? If it's not that much, then I will definitely go with the former. You also raise a point I have not even considered: setting up their own database server. I think this is quite possible because they have a T1 connection. Before opening an account with TCH, I hosted my website on my laptop (I had a cable connection then) and it sufficed for a while ... I guess this would be kind of like the same thing? If we do this, is a firewall all we need? Thanks again for your help! Aaron
Lianna, posted March 13, 2003

Sidenote, Aaron: ASP will only work on Windows OS based servers, not UNIX/Linux. Just another thing to consider. Lianna
chuckmalani, posted March 14, 2003

Also be careful (and I don't know every detail about this), but if you have PHP scripts on a shared server, anyone who has access to the server can view your scripts. So based on that, if you needed to log into a MySQL DB from a PHP interface, those DB passwords could potentially be compromised. There is something about running PHP on the server in "Safe Mode", but I also do not really know what this is. Thankfully, I do not have sensitive private data in my DBs and in my scripts, so I have not had to explore this yet. Hope this helps, and if anyone knows more specifics, I'd love to know them, or a good resource to read up on it. chuck
Ayman_, posted March 14, 2003

Here is a most awesome read on MySQL Security: http://www.net-security.org/article_out.php?id=226
borfast, posted March 14, 2003

Well, the first thing I can tell you to learn about security is: don't use an Access database! Actually, don't use IIS, either... OK, don't start a flame war here about how good or bad MS products are, ok? Seriously, now. About the PHP scripts being visible to every user on the server: that only happens if the server is not configured properly. TCH's servers don't allow me to see any files that don't belong to me, whether I use FTP or CPanel to browse the filesystem. So you don't need to worry about that; your passwords would be secure in a PHP script. Well, at least as secure as anything on a webserver can be. As for the rest of your problem, a good approach would be, as kweilbacher already said, to keep the database server behind a firewall, not available to the outside, and create your scripts (on the TCH server) to access the database through a 'proxy' or something... or you can also configure your database server to allow only your webserver to access the database, though this poses a security risk...
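One concrete way to set up the last option borfast mentions (the database server accepting connections only from the web server) is to bind each MySQL account to the web server's address and grant it only what its form needs, so a compromised public site cannot read the Social Security Numbers. This is an added example, not code from the thread; the database name, table and column names and the web server address 192.0.2.10 are all constructed assumptions.

```sql
-- Added example (not from the thread). Assumed names: database orgdb,
-- tables applications and contacts, web server at 192.0.2.10 (constructed).
-- The MySQL server should also listen only on an address the firewall
-- restricts to the web server (bind-address in my.cnf).

-- Account used by the public "apply online" form: it may only add rows.
CREATE USER 'apply_form'@'192.0.2.10' IDENTIFIED BY 'CHANGE-ME-long-random-password';
GRANT INSERT ON orgdb.applications TO 'apply_form'@'192.0.2.10';

-- Account used by logged-in volunteers/donors updating their contact details.
-- Column-level grants: it can read and change contact fields but never the
-- ssn column, even if the web application is tricked into asking for it.
CREATE USER 'contact_update'@'192.0.2.10' IDENTIFIED BY 'CHANGE-ME-another-password';
GRANT SELECT (id, name, email, phone), UPDATE (name, email, phone)
  ON orgdb.contacts TO 'contact_update'@'192.0.2.10';

-- No account is created with '%' (any host) or 'localhost' for the web code,
-- so a connection from anywhere other than the web server is refused.

-- Check the result: each account lists exactly the privileges granted above.
SHOW GRANTS FOR 'apply_form'@'192.0.2.10';
SHOW GRANTS FOR 'contact_update'@'192.0.2.10';
```

Staff work that needs the full record (including the ssn column) should use a separate account that is not reachable from the public web server at all.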
KevinW, posted March 14, 2003

SPitwad ... Good link. I've added the link to the TCH Help Web Site's PHP/MySQL page. -kw