Say, I want to have code and db backups? Where should I store them so that if a hacker hacked my site and have access to php and mysql I could restore them. Local server does not fit. Considering third-party services (DB, Google drive) a hacker would have success to them in case he hackes a server. If you could suggest where to store third-party API credential so that a hacker could not access them I would appreciate that.
But beside that is there a way to make and store backups by a server in a safe place (so that hacker could not get them)? As I see the only way is to make backups by outer services: from another server. I could do it from my computer. But it is a wrong solution. After I finished a project I should not have access to it. And in general It is not the best solution to rely on my computer at all.
I could not find anything worth in the internet. Is there a way to securely manage backups only from a (one) working server?
Related
Long time reader first time asker, if my question is silly or missing info or miss titled lemme know and I'll fix it.
Okay, so I'm working at a community center for the next 8 weeks as a tech help assistant, I'm also a CS student.
They have a web application that is quite old running locally on an iis server (version 7). It's for keeping track of their members, events and registration It's written in asp.net and is using and Access database. They also have a wordpress website (php, mysql, apache) for advertising events and sharing information about what's going on in the community.
What they would like is to link their wordpress to the local application. I've been racking my brain about if this is even possible or not. I'm leaning towards not possible because the local application and shouldn't be outward facing as it has sensitive data on it and was not designed to be secure in the face of would-be hackers.
The only solution that I could think of is create a "walled off" section of the computer hosting the local application. Also an outward facing port that accepts incoming data from the wordpress site that is then passed onto the access database as an update (increasing a counter for the amount of people registered to a program). It needs to be possible for a file to have some kind of global (from the web) executable permissions and have all the other files on the localhost computer locked down from this global permission.
We would also need to be able to get 2 boolean values from the local app for the wordpress site. This is for if the program/camp/whatever is full and if the update was unsuccessful in the event of something going wrong. I'm just not sure if something like that is even possible and where to start with that. The most important thing is that it's secure.
If a secure API could work I have time to create something like that.
I don't have enough time to upgrade their local system to make it safe enough to be online because I have to run tech help sessions. I know that is the most realistic option.
Thanks very much
What they would like is to link their wordpress to the local
application. I've been racking my brain about if this is even possible
or not. I'm leaning towards not possible because the local application
and shouldn't be outward facing as it has sensitive data on it and was
not designed to be secure in the face of would-be hackers.
I think you've hit the nail on the head right there. It looks like you have a decent understanding of the situation but not of their internal app. The fact is that it's hard to scope something like this without getting in and getting details. Step 1 would be to see if you can talk to whoever it is that built the thing and get their feedback. It might be secure enough to expose some sort of connection.
Really there's not enough information here to determine a good answer, and you should be wary of anyone that says it's secure. There are a ton of factors that go into web security.
You might be able to throw together a basic RESTful API with authentication to send only to the wordpress site's IP. But if it's sharing the IP that information can be consumed by third parties so you'll have to decide if that is an okay risk.
I wouldn't try and expose everything and partition with apache. A basic RESTful API with authentication would be best at first glance IMO. That way you only show consumable data and limit what can be used.
Current scenario :
There is a webservice (build in php/mysql). User filled data is stored on a remote server.
Issue is user has extremely bad internet connection, webservice is down most of the time. Is there a way to store data locally and sync it when internet is available?
Please note, user might not have database installed on his machine also there is no localserver to work with.
Even if user had some type of RDBMS installed on the box, you probably wouldn't have any way to communicate with it. You can use the HTML 5 Storage API, but it will not solve the connection issues.
And since localStorage (which you probably would use) is available directly only from JavaScript, you would have to make a complicated and fully functional JS application to utilize it.
Note: based on your profile, I would estimate that your JavaScript skills would not be adequate for such task.
If your target audience is mobile users, then you have another alternative: create a native application.
You would still be able to use HTML for the interface (using built in web browser components). But it also would let you have SQLite DB and file storage available on the mobile device, where you can cache the necessary data.
look at the features in HTML 5 for local storage
Typically I would go with IndexDB and then push the local data to the server once the connection is back
http://diveintohtml5.info/storage.html - Should give you a brief about the features and implementation.
I'm making an web application, it's a kind of online shop using PHP, jQuery, AJAX and JavaScript.
I want to launch my site on only one PC on local host. How should I set my site so that it only runs on my single PC?
Even if anybody copy my code files and database files to his/her own PC it should not run on their PC. How to do this?
The one way I know is by using the IP address. but I not quite sure about this method works or not.
If someone gains access to your source code then there is nothing that you can do to stop them.
When hosting it on your own you can prevent external access but beyond that there is nothing you can do.
You can use an encoder script to encrypt your source code, and some of these come with an ability to lock down to MAC address. I think they are all commercial solutions, though; start with IonCube and SourceGuardian. Zend might have something as well.
I would imagine each of these solutions would have comprehensive tutorials on their respective sites. Your workflow is basically to check out a copy of your source code from version control, and encode that folder as part of your build process.
Technically, encrypted code can be reverse-engineered, since the encryption key is built into the code. However, it is a lot of work for someone to do so, and even if they decode it, they won't have your comments or your meaningful variable/method/class names.
Make sure no one gains access to that PC (where your application resides). Only in that case you can protect your application from being run by unauthorized person. Once you take this security measure then you can easily disable your application from being accessed from any other LAN computers by using your IP. This is how professional servers works so should you.
You can change the webserver binding to localhost 127.0.0.1 only.
Alternative way you can create a filter rule that the server only accepts remote from localhost/127.0.0.1
With apache you can do this by .htaccess or directory/server rules.
When you want to share that code, you need to encrypt it with zend-guard or equal tools. there is also some licence management inside it, where you can bind licences to machines.
I am making a web application and i want it to be secure, so i ll be using SSL and, will hash passwords. But my server is managed by a different company and it's a shared hosting server, they have direct access to database. I want to prevent any possible loss of sensitive information so i am thinking about encrypting all the data in the database.
Is this a good way to keep data secure?
are there any other ways to protect data in database?
I am using PHP, MYSQL, Apache, and Linux
please provide details. also if am thinking in the wrong direction pls tell that too.
Thanks in advance
This is not a big privacy issue
The internet is composed of some few websites / web applications using self hosted solutions with fully personal servers (owned and operated in their own NOC).
Everyone else is using some form or another of shared, virtualized, semi-private, semi-dedicated, collocated hosting. In every case the hosting company has full access to everything, they have physical access to the servers -- no amount of protection can help you there.
Shared hosting might be the easiest to access from the hosting company's perspective. But that's not relevant, their policies should prevent them from operating in bad faith because if they wouldn't it wouldn't really matter if it was the easiest or the hardest to access it would only matter how interesting the data you have is to them (or some random employee of theirs).
Finding a solution to the above non-issue
Some approaches might use:
Mounting an encrypted filesystem as a folder and setting up MySQL to use that folder to store its data;
MySQL encryption functions to encrypt the data in a particular cell or column;
a library on top of SQLite that had an encryption feature which would encrypt the entire database file;
On the other hand if your PHP files would be on the same server and the database decryption password would be stored inside your PHP files, any "intruder" could find it and use it if they wanted it.
You'd have to store the password on a different server or obtain it from the user in order to not have it present inside the local PHP files. This would obviously still be available at runtime; if the "intruder" is a programmer he will be able to retrieve it fairly easily.
So I am developing some software in php and mysql. The clients web application is hosted on their server but basically I want an easy way to turn their site off if they don't pay. I wanted to be able to host a say config file on my server that has maybe an array of data that says how long their subscription is good for, what they have access to etc. I obviously don't want to save this information directly on their server because they could manipulate the config to have whatever they want. Their are a number of other things I would be using this for but for the most part these are the most important parts. Also if there is a better way I am always open to any suggestions.
Thanks in advance!