SSL & PHP or JAVA
I have been asked by a friend to make a database for them, but I was thinking about the best method of creating a frontend for it. The database needs to be scalable and easily accessible; at first I thought about a MySQL database with a PHP frontend. This was until a friend told me that JAVA would provide more security. Security is important as it will be implemented into a school, to store marks etc. Now JAVA may provide more security than PHP, but if I used the PHP over an SSL link would this be secure enough? I would obviously implement a login system so only people with correct access should be able to access it, but others may be able to view the data across the connection. Which would be better for this?
Any views welcome.
Cheers in advance.
If you have security concerns in the front-end at all, you probably have the wrong architectural idea to begin with anyway.
In my opinion, the back-end should be secure enough in itself to not have to worry about the front-end, except of course if it's about people being able to listen to network traffic, but if that's the concern, then, yes, SSL would certainly solve that.
For example, if you implement the security and logons directly in MySQL, then the PHP front-end wouldn't even have to concern itself with security, after all. It would just be an interface.
Yes, MySQL will be OK with PHP and SSL.
Set up an Apache server with MySQL. Set decent usernames and passwords for MySQL, then disable the network listener on MySQL.
Activate SSL. Set up a firewall to block all network access but SSL. (FTP won't work so you'll have to transfer on a floppy or something.)
Then use mod_auth_mysql with Apache to provide basic authentication, but over SSL.
PHP will do the rest.
It is quite difficult to implement custom security code across an entire system - you always end up forgetting something or people don't log out so the cookies are still there etc.
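The "disable the network listener" step in the post above can be verified from the server's configuration file. The following is an added example, not part of any post in this thread: it assumes the standard `skip-networking` and `bind-address` options in the `[mysqld]` section, and the function names and sample configurations are constructed for illustration.

```python
# Added example: classify how a MySQL server is exposed, from my.cnf text.
# Only the [mysqld] section is read; !include directives are not followed.

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
FALSE_VALUES = {"0", "off", "false", "no"}

def mysqld_options(cnf_text):
    """Return the options of the [mysqld] section as a dict (last value wins)."""
    opts, section = {}, None
    for raw in cnf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;!":
            continue  # blank line, comment, or include directive
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "mysqld":
            continue
        key, _, value = line.partition("=")
        # MySQL treats '-' and '_' in option names as equivalent.
        key = key.strip().lower().replace("_", "-")
        opts[key] = value.split("#", 1)[0].strip().strip("'\"")
    return opts

def listener_exposure(cnf_text):
    """Return 'socket-only', 'loopback' or 'network'."""
    opts = mysqld_options(cnf_text)
    skip = opts.get("skip-networking")
    if skip is not None and skip.lower() not in FALSE_VALUES:
        return "socket-only"  # no TCP listener; local socket connections only
    # With no bind-address set, the server listens on all interfaces.
    bind = opts.get("bind-address", "*")
    addresses = {a.strip().lower() for a in bind.split(",")}
    return "loopback" if addresses <= LOOPBACK else "network"

# Constructed sample configurations (not taken from the thread).
DEFAULT_CNF = "[client]\nport=3306\n[mysqld]\ndatadir=/var/lib/mysql\n"
LOOPBACK_CNF = "[mysqld]\nbind_address = 127.0.0.1  # web server is local\n"
HARDENED_CNF = "[mysqld]\nskip-networking\nsocket=/var/run/mysqld/mysqld.sock\n"

if __name__ == "__main__":
    for name, cnf in [("default", DEFAULT_CNF), ("loopback", LOOPBACK_CNF),
                      ("hardened", HARDENED_CNF)]:
        print(f"{name}: {listener_exposure(cnf)}")
```

With PHP and MySQL on the same machine, either "socket-only" or "loopback" keeps the database port off the network; "network" means the firewall is the only thing standing between the database and other hosts.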
This seems to convince me about the security a bit, but with the source code being on the server, there will be some sort of connection details for the MySQL database in this source code. Is there any way of connecting to the database, but locking down the relevant database until a successful login? This is because the database will be used to store grades etc., and will eventually be accessible over the internet. Obviously you don't want ANYONE and EVERYONE getting access to grades etc.
Thanks for the help so far, but if anyone could shed some light on this, it would be great.
Yes, the username / password for MySQL is stored in the code. But if there are no crappy weak logins on the server then no one can see the code. PHP is interpreted on the web server and only static HTML is transmitted to the client. There is no way anyone can see the un or pwds from that code.
Also, we are not talking about bank details here. We are talking about school grades.
If a kid wants to know stuff badly enough, they'll walk into the server room and nick the entire box.
Yeah, I guess that's a fair enough point, but then if a parent was to see that their child was performing averagely compared to the rest of the class, they may go on an unnecessary rant and rave as to why their child is 'underperforming'. But never mind.
I have a mate who says SLOX 4 schools exists, so may solve the problem.