For a few months now, I have had a dilemma. I want to make a project that will access a database. As the db will be accessed by many computers, not all in the same physical building, the db must be on a server. In my profession, we use some servers for mail, hosting, etc. Those servers, running Linux (RedHat x64), offer db hosting that can be accessed only by php and edited by phpmyadmin, no other way. So, in my case, there are two solutions:
1) make a php project that will access the db and do all the work (authentication, show data, forms for input, etc).
2) make a PB app which will communicate with a web service that will do read/write from/to the db.
In both cases, security is needed. The server supports TLS but pages are shown via http, not https. So my php files will have no security. On the other hand, the web service needs to run 24/7. I don't have the right to do it. I don't know how to do it. I have tried to contact the server staff with no success. I prefer the second one as it is easier to make the client and the web service (I don't know how to connect with TLS but I know how to use AES, even QAES, which was posted in Tips and tricks a few weeks ago, with PB's native network commands).
So, if you were me, what would you do?
(If I were me, I would change planet to find peace of mind.)
						Let me tell you my dilemma
- doctorized
- Addict 
- Posts: 882
- Joined: Fri Mar 27, 2009 9:41 am
- Location: Athens, Greece
Re: Let me tell you my dilemma
A friend gave me good advice. Have a php file in the web service role to do the db job for PB clients. I am thinking of this: php needs db name and password to access the db. Also the user needs authentication. So, the PB client makes a string like:
dbname="...."|dbpass="..."|username="...."|userpass="..."|query="....."
That string will be AES encrypted and then passed through Base64 to become text. I add the initial string's CRC code (for validity) at the end of the Base64 and send it to the php. The php file will decrypt the string and use it to run the query. If db name and password are wrong or username and password are wrong then no query execution.
There is a disadvantage in this solution. Db name and password must be known to the client. I am thinking of storing them in a pre-encrypted Base64 string with AES (different key) and some other XOR procedures that I have. If someone downloads the php file, these strings will be useless without my app.
So, what do you think?
Re: Let me tell you my dilemma
Maybe u can use a unique UserId instead of Password and Username.
						Re: Let me tell you my dilemma
dbname and dbpass should already be known on the server (via config file in a secured folder).
Only a username and a password are needed .... (make an account table in your database for this)
so all the db stuff is done with php and pb is only to send the requests.
Re: Let me tell you my dilemma
One other idea:
replace the libmariadb and lib with the one from:
https://mariadb.com/download-confirmati ... 11.57%20MB
Then set up your server for a TLS connection.
This dll is compiled with secure connections enabled.
This means that, if it is possible, the connection is done via TLS.
I cannot try it at the moment.
- doctorized
Re: Let me tell you my dilemma
Bisonte wrote:
> dbname and dbpass should already be known on the server (via config file in a secured folder).
> Only a username and a password are needed .... (make an account table in your database for this)
Before entering phpmyadmin the db managing system tells me the db name and password. Without them the php cannot connect.
Bisonte wrote:
> so all the db stuff is done with php and pb is only to send the requests.
Exactly!
infratec wrote:
> One other idea:
> replace the libmariadb and lib with the one from:
> https://mariadb.com/download-confirmati ... 11.57%20MB
> Then set up your server for a TLS connection.
> This dll is compiled with secure connections enabled.
> This means that, if it is possible, the connection is done via TLS.
> I cannot try it at the moment.
I don't have hands on the server, I am just a user, not admin. Can I still install it on Linux? The server has cURL, can it be useful?
EDIT: the server supports TLS, I've seen it in Filezilla when it connects to upload files.
Mijikai wrote:
> Maybe u can use a unique UserId instead of Password and Username.
How will the user authenticate? Create a hash with the credentials and save it to the db?
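The server-side design suggested in the thread (database credentials kept on the server, an account table, PB only sending requests) and the closing question about storing a hash, as an added example that is not code from any poster: the PHP endpoint checks the user with password_hash/password_verify and runs only server-defined prepared statements selected by an action name, so neither the db password nor SQL text comes from the client. The accounts and items tables, the action names and the in-memory SQLite database are assumptions for illustration, and it assumes the endpoint is reached over HTTPS, since over plain http the user's password would travel in clear.

```php
<?php
// Added example; table, column and action names are assumptions.
// DB credentials stay server-side; in-memory SQLite stands in for the real DB.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE accounts (username TEXT PRIMARY KEY, pass_hash TEXT NOT NULL)');
$pdo->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, owner TEXT, label TEXT)');

// Store only a salted, slow hash of the password, never the password itself.
function create_account(PDO $pdo, string $user, string $pass): void {
    $st = $pdo->prepare('INSERT INTO accounts (username, pass_hash) VALUES (?, ?)');
    $st->execute([$user, password_hash($pass, PASSWORD_DEFAULT)]);
}
function authenticate(PDO $pdo, string $user, string $pass): bool {
    $st = $pdo->prepare('SELECT pass_hash FROM accounts WHERE username = ?');
    $st->execute([$user]);
    $hash = $st->fetchColumn();
    return is_string($hash) && password_verify($pass, $hash);
}

// The client names an action; the SQL text exists only on the server.
const ACTIONS = [
    'add_item'   => ['INSERT INTO items (owner, label) VALUES (:user, :label)', ['label']],
    'list_items' => ['SELECT id, label FROM items WHERE owner = :user', []],
];

function handle_request(PDO $pdo, array $req): array {
    $req = array_filter($req, 'is_string');   // ignore non-string fields
    if (!authenticate($pdo, $req['username'] ?? '', $req['userpass'] ?? '')) {
        return ['ok' => false, 'error' => 'auth'];
    }
    [$sql, $fields] = ACTIONS[$req['action'] ?? ''] ?? [null, []];
    if ($sql === null) {
        return ['ok' => false, 'error' => 'unknown action'];
    }
    $params = [':user' => $req['username']];  // rows are scoped to the caller
    foreach ($fields as $f) {
        $params[":$f"] = $req[$f] ?? '';
    }
    $st = $pdo->prepare($sql);
    $st->execute($params);
    return ['ok' => true, 'rows' => $st->columnCount() ? $st->fetchAll(PDO::FETCH_ASSOC) : []];
}

// Constructed requests standing in for what the PB client would POST.
create_account($pdo, 'alice', 'correct horse');
$login = ['username' => 'alice', 'userpass' => 'correct horse'];
handle_request($pdo, $login + ['action' => 'add_item', 'label' => 'first']);
echo json_encode(handle_request($pdo, $login + ['action' => 'list_items'])), "\n";
echo json_encode(handle_request($pdo, ['username' => 'alice', 'userpass' => 'x', 'action' => 'list_items'])), "\n";
```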



