Securing a web based PHP MySQL frontend?

Toggle sidebar Toggle sidebar
quadomatic

quadomatic

Senior member
May 13, 2007
993
0
76
I do a lot of database work with MySQL at my job. A fair bit involves making frontends for manipulating data in MySQL databases. They're particularly fond of MS Access.

Having little experience with MS Access myself, I find building the frontend using MS Access over an ODBC connection very tedious. It seems like I could write most of the data entry and reporting features in PHP much easier, and it would probably be easier for employees to use.

However, my boss feels averse to this due to security issues, since a PHP document stored on a server would be less secure.

I was wondering if any of you know how one would go about setting up a secure web server with PHP support, accessible only via the local network. If this could be done, would it be fine to use PHP over Access?

Thanks
 
Markbnj

Markbnj

Elite Member <br>Moderator Emeritus
Moderator
Sep 16, 2005
15,682
14
81
www.markbetz.net
I guess I'm missing something. With Access don't you have to propagate the database credentials out to every installed copy of the client? With a web-based portal the credentials would be stored in one place, i.e. the config of the php app, and yes it's possible to make those secure through directory permissions and other means.
 
quadomatic

quadomatic

Senior member
May 13, 2007
993
0
76
Our Access frontends connect to a MySQL database being served from elsewhere. The credentials aren't stored in the .mdb files themselves, but in the MySQL ODBC Driver. Credentials are managed in the PC's control panel.

And I probably shouldn't have said "web based" in the title. I more meant a local server only available to the building's LAN.
 
Nothinman

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
However, my boss feels averse to this due to security issues, since a PHP document stored on a server would be less secure.
Click to expand...

Why would it be less secure?

The file has to be stored somewhere and in the web server case it's still on a server and still protected by whatever permissions you have implemented on it. Whether you access the file via HTTP or CIFS is irrelevant. If anything it would probably be better since you won't have credentials stored on every PC.

Now, if your PHP app does stupid things with regards to security that's a whole different story.
 
GaryJohnson

GaryJohnson

Senior member
Jun 2, 2006
940
0
0
It should be trivial to setup a firewall rule to block anything other than requests on port 80/443 from anything other than local IPs.
 
Nothinman

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
GaryJohnson said:
It should be trivial to setup a firewall rule to block anything other than requests on port 80/443 from anything other than local IPs.
Click to expand...

As long as you're not doing something stupid like have all of your internal hosts using public IPs, that shouldn't be necessary because the border firewall won't have a static setup on it unless you explicitly do that.
 
Markbnj

Markbnj

Elite Member <br>Moderator Emeritus
Moderator
Sep 16, 2005
15,682
14
81
www.markbetz.net
quadomatic said:
Our Access frontends connect to a MySQL database being served from elsewhere. The credentials aren't stored in the .mdb files themselves, but in the MySQL ODBC Driver. Credentials are managed in the PC's control panel.

And I probably shouldn't have said "web based" in the title. I more meant a local server only available to the building's LAN.
Click to expand...

Yeah that's my point, and I think Nothinman's as well. I don't care what file the creds are stored in. The bottom line that your boss seems unaware of is that the credentials are configured into every client, as opposed to being stored in a single web server configuration file that can be strongly secured. The web client architecture is inherently more secure than a fat client architecture. Either can be made more or less secure through care or the lack of it, but there are more opportunities for human error to release data into the wild in the fat client scenaro.
 
quadomatic

quadomatic

Senior member
May 13, 2007
993
0
76
I talked to my boss more about it this morning. I think his real concern is actually that faculty want to be able to create their own queries and such. It's possible that in designing the frontend in Access (or in PHP), I will leave out queries that faculty want.

If the frontend is in Access, it's easy for faculty to make their own queries.
 
Nothinman

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
Well that's a whole other can of worms and pretty much kills any data security you might try to implement. All you need is one bad UPDATE query and all your data's gone.
 
U

uclabachelor

Senior member
Nov 9, 2009
448
0
71
quadomatic said:
I talked to my boss more about it this morning. I think his real concern is actually that faculty want to be able to create their own queries and such. It's possible that in designing the frontend in Access (or in PHP), I will leave out queries that faculty want.

If the frontend is in Access, it's easy for faculty to make their own queries.
Click to expand...

You have a boss that's concerned about security, yet allows users to create their own queries? Ironic.
 
You must log in or register to reply here.

TRENDING THREADS

COMPANY
RESOURCES
FOLLOW
Top Bottom