PHP and MySQL SSL Security

  • paradiselost
    Member
    • Apr 2004
    • 31

    PHP and MySQL SSL Security

    Hello,

    I'm wanting to store some potentially sensitive information in a mysql database (not credit card numbers). I know that I can secure the transmission to the server with SSL, but what happens between apache/php and mysql? Is that connection secure? Since Dathorn has shared servers I don't really want to put this information here if the data is secure all the way to the server, but exposed in cleartext from php to mysql and back.

    Does anyone know about this?

    Thanks,

    James
    --
    ** DEVTRENCH **
    --
    James Ehly
  • ZYV
    Senior Member
    • Sep 2005
    • 315

    #2
    As far as I know, the IPC on Linux basically works through sockets. In a nutshell, a socket is a kind of special file which you can read and write to communicate with another running process. On one hand, I do not think that there are any special security measures taken to scramble or encrypt the communication going through those sockets, but on the other hand, as far as I know you have to possess root privileges to be able to eavesdrop on this communication.

    So unless the server you are on is badly hacked (the attacker gained root privileges) this kind of communication is secure. But if it's hacked you don't even need to eavesdrop anyway, because if you are root you can access any database directly.

    I think that Andrew can correct me if I'm wrong and elaborate on this issue.


    • Elite
      Senior Member
      • Apr 2004
      • 168

      #3
      Maybe look at encrypting the sensitive info in the database?? - then even if someone gets access to the db you're still protected


      • ZYV
        Senior Member
        • Sep 2005
        • 315

        #4
        This makes no sense, because in order to encrypt the data before populating the database you still need your private key to be stored in your directory on Dathorn's server. So if someone manages to hijack the access to your database, he can obtain your private key as well and decrypt the said data.


        • paradiselost
          Member
          • Apr 2004
          • 31

          #5
          Originally posted by Elite
          Maybe look at encrypting the sensitive info in the database?? - then even if someone gets access to the db you're still protected
          Yes, encrypting data in the database is a must. But what I want to know is if the data is secure in transmission to MySQL. If you can't tell, I'm paranoid.

          Originally posted by ZYV
          This makes no sense, because in order to encrypt the data before populating the database you still need your private key to be stored in your directory on Dathorn's server
          Actually, if you encrypt with GPG you can use the public key to encrypt and use the private key offline to decrypt.

          @ZYV Thanks for your explanation of sockets. That's the kind of thing I'm looking for. Are there any other Linux gurus on these forums that can confirm this?

          Thanks,

          James
          --
          ** DEVTRENCH **
          --
          James Ehly


          • ZYV
            Senior Member
            • Sep 2005
            • 315

            #6
            Originally posted by paradiselost
            Actually, if you encrypt with GPG you can use the public key to encrypt and use the private key offline to decrypt.
            OK, you're right, I thought that you would need to access this data from the website after it is written into the database. If that's not the case, then encrypting it with the public key is definitely a good idea.

            Originally posted by paradiselost
            @ZYV Thanks for your explanation of sockets. That's the kind of thing I'm looking for. Are there any other Linux gurus on these forums that can confirm this?
            You may wish to check out those links:




            and so on.
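
The public-key approach agreed on in posts #5 and #6, as an added example that is not part of the original thread: it uses sealed boxes from PHP's bundled sodium extension as a stand-in for GPG, and the function names `encryptForStorage` and `decryptOffline` are hypothetical.

```php
<?php
// Added example: write-only encryption for a shared host. The web server holds
// only a public key, so neither the PHP-to-MySQL socket nor the database
// files ever carry a value the server itself could decrypt.
declare(strict_types=1);

// OFFLINE, once: generate the key pair. Only the public half is deployed.
// (Both halves are created here only so the script runs stand-alone.)
$offlineKeypair  = sodium_crypto_box_keypair();
$serverPublicKey = sodium_crypto_box_publickey($offlineKeypair);

// ON THE WEB SERVER: encrypt a field before it is handed to MySQL.
function encryptForStorage(string $plaintext, string $publicKey): string
{
    // Sealed boxes use an ephemeral sender key, so the output is randomized.
    return base64_encode(sodium_crypto_box_seal($plaintext, $publicKey));
}

// OFFLINE: decrypt an exported column value with the full key pair.
function decryptOffline(string $stored, string $keypair): ?string
{
    $raw = base64_decode($stored, true);
    if ($raw === false) {
        return null; // not valid base64
    }
    $plain = sodium_crypto_box_seal_open($raw, $keypair);
    return $plain === false ? null : $plain; // null: wrong key or altered data
}

$note = 'constructed sample value: account note #1'; // constructed input
$a = encryptForStorage($note, $serverPublicKey);
$b = encryptForStorage($note, $serverPublicKey);

// Same plaintext, different ciphertexts: the column cannot be matched with
// WHERE or de-duplicated, and must fit 48 extra bytes before base64 encoding.
var_dump($a !== $b);
var_dump(strlen(base64_decode($a)) === strlen($note) + SODIUM_CRYPTO_BOX_SEALBYTES);

// A party holding the database and the server's files has only the public
// key; a key pair they generate themselves does not open the stored value.
$otherKeypair = sodium_crypto_box_keypair();
var_dump(decryptOffline($a, $otherKeypair) === null);

// The offline key pair recovers the original value.
var_dump(decryptOffline($a, $offlineKeypair) === $note);
```

As post #6 points out, this only fits data the website never needs to read back; anything the site must display again requires a key on the server.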


            • paradiselost
              Member
              • Apr 2004
              • 31

              #7
              Thanks for the links!
              --
              ** DEVTRENCH **
              --
              James Ehly
