Thread: PHP and MySQL SSL Security

  1. #1
    Member paradiselost's Avatar
    Join Date
    Apr 2004
    Location
    Lincoln, NE
    Posts
    31

    PHP and MySQL SSL Security

    Hello,

    I'm wanting to store some potentially sensitive information in a mysql database (not credit card numbers). I know that I can secure the transmission to the server with SSL, but what happens between apache/php and mysql? Is that connection secure? Since Dathorn has shared servers I don't really want to put this information here if the data is secure all the way to the server, but exposed in cleartext from php to mysql and back.

    Does anyone know about this?

    Thanks,

    James
    --
    ** DEVTRENCH **
    --
    James Ehly

  2. #2
    Senior Member
    Join Date
    Sep 2005
    Location
    Russia, Nizhny Novgorod
    Posts
    315

    As far as I know, the IPC on Linux basically works through sockets. In a nutshell, a socket is a kind of special file which you can read and write to communicate with another running process. On one hand I do not think that there are any special security measures taken to scramble or encrypt the communication going through those sockets, but on the other hand, as far as I know you have to possess root privileges to be able to eavesdrop on this communication.

    So unless the server you are on is badly hacked (the attacker gained root privileges) this kind of communication is secure. But if it's hacked you don't even need to eavesdrop anyway, because if you are root you can access any database directly.

    I think that Andrew can correct me if I'm wrong and elaborate on this issue.
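
The point made above (a local Unix socket versus a TCP link that needs TLS) can be checked from the PHP side. The following is an added example and not code from anyone in this thread: it opens a mysqli connection, uses the Unix socket when the host is "localhost" (the MySQL client special-cases that name), requires TLS with CA verification when the host is anything else, and then reads back from the server which transport and cipher the session actually uses. The host name, credentials, database and CA bundle path are placeholders.

```php
<?php
// Added example, not from the thread. Shows how a PHP script can tell whether
// its MySQL connection runs over the local Unix socket or over TCP, and how to
// require TLS (with server certificate verification) in the TCP case.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Open a connection. "localhost" makes the MySQL client library use the Unix
 * domain socket; any other host name forces TCP, and for TCP we insist on TLS
 * so the traffic does not cross the network in cleartext.
 */
function connect(string $host, string $user, string $pass, string $db, ?string $caFile = null): mysqli
{
    $link = mysqli_init();
    if ($host !== 'localhost') {
        // $caFile is an assumed path to the CA bundle the server cert chains to.
        // Passing it lets the client verify the server certificate; do NOT add
        // MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT, which would disable that check.
        $link->ssl_set(null, null, $caFile, null, null);
        $link->real_connect($host, $user, $pass, $db, 3306, null, MYSQLI_CLIENT_SSL);
    } else {
        $link->real_connect('localhost', $user, $pass, $db);
    }
    return $link;
}

/** Describe the transport of a live connection as the server sees it. */
function describe_transport(mysqli $link): array
{
    // host_info reads e.g. "Localhost via UNIX socket" or "db.example.com via TCP/IP".
    $viaSocket = str_contains($link->host_info, 'UNIX socket');

    // Ssl_cipher is an empty string unless the session was negotiated over TLS.
    $row    = $link->query("SHOW SESSION STATUS LIKE 'Ssl_cipher'")->fetch_assoc();
    $cipher = $row['Value'] ?? '';

    return [
        'host_info'   => $link->host_info,
        'unix_socket' => $viaSocket,
        'tls'         => $cipher !== '',
        'cipher'      => $cipher,
    ];
}

// Placeholder credentials; replace with your own.
$link = connect('localhost', 'app_user', 'app_password', 'app_db');
$info = describe_transport($link);

printf("%s; unix socket: %s; TLS: %s\n",
    $info['host_info'],
    $info['unix_socket'] ? 'yes' : 'no',
    $info['tls'] ? $info['cipher'] : 'no');

// Defensive check: never send sensitive rows over a cleartext TCP link.
if (!$info['unix_socket'] && !$info['tls']) {
    throw new RuntimeException('refusing to use an unencrypted TCP connection to MySQL');
}
```

On a shared host the socket file itself is the thing to look at: its path is set by the MySQL server's socket option, and only the file's permissions (plus the MySQL account password) stand between other local users and the connection, which is why the root-only caveat in the post above matters.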

  3. #3
    Senior Member
    Join Date
    Apr 2004
    Location
    Manchester, UK
    Posts
    168

    Maybe look at encrypting the sensitive info in the database?? - then even if someone gets access to the db you're still protected

  4. #4
    Senior Member
    Join Date
    Sep 2005
    Location
    Russia, Nizhny Novgorod
    Posts
    315

    This makes no sense, because in order to encrypt the data before populating the database you still need your private key to be stored in your directory on Dathorn's server. So if someone manages to hijack the access to your database, he can obtain your private key as well and decrypt the said data.

  5. #5
    Member paradiselost's Avatar
    Join Date
    Apr 2004
    Location
    Lincoln, NE
    Posts
    31

    Quote Originally Posted by Elite
    Maybe look at encrypting the sensitive info in the database?? - then even if someone gets access to the db you're still protected
    Yes, encrypting data in the database is a must. But what I want to know is if the data is secure in transmission to mysql. If you can't tell I'm paranoid.

    Quote Originally Posted by ZYV
    This makes no sense, because in order to encrypt the data before populating the database you still need your private key to be stored in your directory on Dathorn's server
    Actually, if you encrypt with GPG you can use the public key to encrypt and use the private key offline to decrypt.

    @ZYV Thanks for your explanation of sockets. That's the kind of thing I'm looking for. Are there any other Linux gurus on these forums that can confirm this?

    Thanks,

    James
    --
    ** DEVTRENCH **
    --
    James Ehly
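
The public-key scheme described in the post above (web server holds only the public key, the private key stays offline) can be shown with PHP's bundled sodium extension. This is an added example and not code from the thread; the thread talks about GPG, and the gnupg PECL extension would give the same write-only behaviour with a GPG key, but sealed boxes need no external binary and demonstrate the same property. The sample plaintext is constructed.

```php
<?php
// Added example, not from the thread. The web tier can only seal values with
// the public key; opening them requires the secret key, which never lives on
// the shared server. Uses libsodium sealed boxes (PHP 7.2+), not GPG.
declare(strict_types=1);

/** Run once, offline. Only the 'public' half is copied to the web server. */
function generate_keypair(): array
{
    $kp = sodium_crypto_box_keypair();
    return [
        'public' => sodium_crypto_box_publickey($kp),
        'secret' => sodium_crypto_box_secretkey($kp),
    ];
}

/** On the web server: seal a value with the public key before it is stored. */
function seal_for_storage(string $plaintext, string $publicKey): string
{
    $sealed = sodium_crypto_box_seal($plaintext, $publicKey);
    sodium_memzero($plaintext);          // wipe the cleartext copy we hold
    return base64_encode($sealed);       // suitable for a TEXT/VARCHAR column
}

/** Offline, with the secret key: open a value read back from the database. */
function open_from_storage(string $stored, string $publicKey, string $secretKey): string
{
    $kp    = sodium_crypto_box_keypair_from_secretkey_and_publickey($secretKey, $publicKey);
    $plain = sodium_crypto_box_seal_open(base64_decode($stored, true), $kp);
    if ($plain === false) {
        throw new RuntimeException('ciphertext rejected (wrong key or tampered)');
    }
    return $plain;
}

// Constructed demo; in practice the two halves run on different machines.
$keys   = generate_keypair();
$stored = seal_for_storage('constructed sample: account note 42', $keys['public']);
// $stored is what you bind into an INSERT via a prepared statement.
echo open_from_storage($stored, $keys['public'], $keys['secret']), "\n";
```

Two caveats worth knowing when choosing this design: sealed boxes (and GPG public-key encryption) protect confidentiality only, so anyone holding the public key, including an attacker who compromised the web server, can write a validly sealed row, and decryption does not prove who wrote it; and the web application can never read these values back, which is exactly the trade ZYV describes in the next post.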

  6. #6
    Senior Member
    Join Date
    Sep 2005
    Location
    Russia, Nizhny Novgorod
    Posts
    315

    Quote Originally Posted by paradiselost
    Actually, if you encrypt with GPG you can use the public key to encrypt and use the private key offline to decrypt.
    OK, you're right, I thought that you would need to access this data from the website after it is written into the database. If that's not the case, then encrypting it with the public key is definitely a good idea.

    Quote Originally Posted by paradiselost
    @ZYV Thanks for your explanation of sockets. That's the kind of thing I'm looking for. Are there any other Linux gurus on these forums that can confirm this?
    You may wish to check out those links:

    http://en.wikipedia.org/wiki/Unix_domain_socket
    http://beej.us/guide/bgipc/output/ht.../unixsock.html

    and so on.

  7. #7
    Member paradiselost's Avatar
    Join Date
    Apr 2004
    Location
    Lincoln, NE
    Posts
    31

    Thanks for the links!
    --
    ** DEVTRENCH **
    --
    James Ehly
