I am developing a small application that is going to serve as viewer (sort of dashboard) for a web application that uses MySQL as back end database. The application will only be doing SELECT’s, no INSERT’s or UPDATE’s or anything that changes the data. I know that the preferred way to architect this application would be to create a web service that has access to the database and then have the client app call the web service. This way you can really secure you MySQL database allowing only localhost access.
On the other hand, having a web service raises the complexity and resources needed for the application a lot. I not only have to write the process twice, I have to write two sets of test suites plus integration tests, and since the client is written in .net c# and the back end in php I have to develop some kind of interchange format and keep switching between two languages and IDEs throughout the development process.
I am probably going to write the service, but what I wanted to know is what the experience out there has been? Am I crazy just to consider accessing MySQL directly from a client or the fine engineers at Oracle have done a decent job securing their database, at least for users with only read rights.
If you use direct access to your mysql database just to select tables, you will need users that only have the right permission access to ensure the access security.
But you need to keep in mind that if you open the database port for external access, any security failure from your database will be exposed.
If you need other rules for example an specificity select that only select the group access from an user, you will need to write procedures in your database that read parans, and keep in mind that if some user exploit your application, he will be able to pass other parans for consulting your database.
No only oracle or mysql, all databases have lot of security options to give external access, but to use for complex applications is even more difficult than make a service layer to ensure the security access.
And you don't have crypt communication in the direct SQL query consulting as default.
Just make sure the user it accsesses the database from doesn't have permission to do anything it doesn't need to do such as drop tables.
a user with read only rights should do the trick
Related
Current scenario :
There is a webservice (build in php/mysql). User filled data is stored on a remote server.
Issue is user has extremely bad internet connection, webservice is down most of the time. Is there a way to store data locally and sync it when internet is available?
Please note, user might not have database installed on his machine also there is no localserver to work with.
Even if user had some type of RDBMS installed on the box, you probably wouldn't have any way to communicate with it. You can use the HTML 5 Storage API, but it will not solve the connection issues.
And since localStorage (which you probably would use) is available directly only from JavaScript, you would have to make a complicated and fully functional JS application to utilize it.
Note: based on your profile, I would estimate that your JavaScript skills would not be adequate for such task.
If your target audience is mobile users, then you have another alternative: create a native application.
You would still be able to use HTML for the interface (using built in web browser components). But it also would let you have SQLite DB and file storage available on the mobile device, where you can cache the necessary data.
look at the features in HTML 5 for local storage
Typically I would go with IndexDB and then push the local data to the server once the connection is back
http://diveintohtml5.info/storage.html - Should give you a brief about the features and implementation.
I am making a web application and i want it to be secure, so i ll be using SSL and, will hash passwords. But my server is managed by a different company and it's a shared hosting server, they have direct access to database. I want to prevent any possible loss of sensitive information so i am thinking about encrypting all the data in the database.
Is this a good way to keep data secure?
are there any other ways to protect data in database?
I am using PHP, MYSQL, Apache, and Linux
please provide details. also if am thinking in the wrong direction pls tell that too.
Thanks in advance
This is not a big privacy issue
The internet is composed of some few websites / web applications using self hosted solutions with fully personal servers (owned and operated in their own NOC).
Everyone else is using some form or another of shared, virtualized, semi-private, semi-dedicated, collocated hosting. In every case the hosting company has full access to everything, they have physical access to the servers -- no amount of protection can help you there.
Shared hosting might be the easiest to access from the hosting company's perspective. But that's not relevant, their policies should prevent them from operating in bad faith because if they wouldn't it wouldn't really matter if it was the easiest or the hardest to access it would only matter how interesting the data you have is to them (or some random employee of theirs).
Finding a solution to the above non-issue
Some approaches might use:
Mounting an encrypted filesystem as a folder and setting up MySQL to use that folder to store its data;
MySQL encryption functions to encrypt the data in a particular cell or column;
a library on top of SQLite that had an encryption feature which would encrypt the entire database file;
On the other hand if your PHP files would be on the same server and the database decryption password would be stored inside your PHP files, any "intruder" could find it and use it if they wanted it.
You'd have to store the password on a different server or obtain it from the user in order to not have it present inside the local PHP files. This would obviously still be available at runtime; if the "intruder" is a programmer he will be able to retrieve it fairly easily.
I am working on an Android application that will allow users to gain access to certain sets of files and then sync them with their device for offline use. Thus, when they first download my app, they will have no account or files, they will have to create an account, then enter an access code to gain access to certain file directories for download.
I have the majority of UI of the app completed, and it now needs to be 'plugged in' to a backend. I am a little familiar with PHP as I have done a few dynamic websites, so I am familiar with working with phpmyadmin, but I really want to make this backend schema well made and able to handle business.
I don't know where to start to design the relational databases and all the other factors I may have not even thought about yet. Does anyone have any good references, tutorials, anything that may help me take this next step?
if you want to learn about data base modeling, these websites can give you a good start example2 example3
or do you wish to learn about SQL coding?
I am considering a way of taking an existing php and mysql application that was developed for use in-house (and thus has a single database with nothing built in in terms of multi-tenancy).
I figured that it's possible and maybe in some way better to run each client of their own database. What I want to know is how best to handle the login of a user given the credentials supplied could be in any one of the databases and in some cases possibly multiple databases.
I had thought along the lines of iterating through each database and checking for valid credentials. If the credentials exist in multiples then return a list that the user chooses from, or if it exists only once then just logging in.
Is that a valid solution? Will it start to perform badly IF the application was to expand to have thousands of users across hundreds of databases?
I recommend installing a different instance of the app for each client, with their own database.
Each client should be given their own url to access the app, instead of having them all access in from 1 location, but pointing to multiple databases.
This will adress a few problems that you might encounter if you run all your clients from 1 location (multiple databases)
What happend if the different client has accounts with the same name? Which account will take precedence?
What happens if the client want to take over the app and host it seperately from the rest of the clients. How can you easily seperate out this client into a sepetare installation?
Another point to note, connecting and disconnecting to databases are expensive. If you have to do so 100 times when the user logs in to find out which database that user is in. It might bogg down the system or your database server.
I am currently working on 2 web servers, One Coldfusion and the other PHP.
Right now, the Coldfusion server is my main server where users log in to access restricted data.
However, I have also begun using a PHP server and want to make it transparent for users to access a specific page on that server - that server requires log in information as well.
I do not want the users to log in twice.
Is there a way to accomplish this ?
Thx
UPDATE: Working in an Intranet environment, so I can't use any public solution.
UPDATE: Reason I am asking for this is because we are moving from a MSQL / Coldfusion environment (Initial server) to a PHP / ORACLE (new server). So I have 2 user tables as well (although they contain mostly the same information).
I am trying to faze out the use of our initial server in favor of our new server transparently to the user and thus I have to work in parallel for the time being.
Most single-sign-on solutions work a bit like this...
Main system authenticates use
User opts initiates a need to move to system 2
Main system authenticates the user with system 2 in the background
System 2 supplies a random, long and disposable token to Main system
Main system redirects the user, with the token, to system 2
System 2 checks the token (and other factors such as IP address) to validate the session
System 2 disposes of the token to ensure it can't be replayed
You would want to ensure that the transmission channels had some security on, especially where Main system and system 2 are talking to each other. You would want that to be a secure transport.
Store sessions in a database, and share them between the two apps.
You could use xml-rpc to get user data and log the user into the other site when they have a login cookie for the first one and vice versa.
Php manual page for XML-rpc
Here is what I have done, in running my own game server, had users on sql server, and on mysql, and wanted to integrate them both.
I made sure that if a user was created on 1 system, was also created on the other.
So you can modify code in both applications, to automatically create a user in other system if it is created on here.
Depending if both servers share a domain, can you do cross-domain sessions or cookies...But my best guess is to store and retreive data...
Or..
as a person logins/registers record their current ip address, on both servers, then check if this person was on the other server within 2-5 minutes, if so, use the ip address to identify them....
This system is tricky because timing is important, so your not leaving a huge hole in your security....But for short term, going between servers, this is simplest solution, in my own opinion.
Good Luck.
If you are on an intranet, you can actually sniff out the network username of the user from the PC they are logged into the network on using PHP. This assumes that:
You are using IIS to host your PHP application.
Your users are using Windows.
Check the section "2.2 Enabling Support for Detecting Usernames" here.
After that, all you need to do is investigate if the same is possible from Coldfusion, and you have the basis of an SSO solution based on the network usernames.
How about implementing an OpenID solution, much like the one apparent on StackOverflow?
You may benefit from dropping a shared object on the client machine via Flash or Flex. This object could then be read from ColdFusion/PHP/Python on servers that otherwise had no connection to each other or access to a common database.
Here is a simple example from the Adobe Docs
Maintain local persistence. This is
the simplest way to use a shared
object, and does not require Flash
Media Server. For example, you can
call SharedObject.getLocal() to create
a shared object in an application,
such as a calculator with memory. When
the user closes the calculator, Flash
Player saves the last value in a
shared object on the user's computer.
The next time the calculator is run,
it contains the values it had
previously. Alternatively, if you set
the shared object's properties to null
before the calculator application is
closed, the next time the application
runs, it opens without any values.
Another example of maintaining local
persistence is tracking user
preferences or other data for a
complex website, such as a record of
which articles a user read on a news
site. Tracking this information allows
you to display articles that have
already been read differently from
new, unread articles. Storing this
information on the user's computer
reduces server load.
Full Information: http://livedocs.adobe.com/flex/3/langref/flash/net/SharedObject.html