May 7th, 2003, 02:32 PM
database security, what to choose?
I am creating a dynamic web site for my final year project. It is supposed to be capable of selling cds and concert tickets on the web and give out information on venues and artists. The database that i chose to use was oracle 8i and php to display the info. This was due to the fact that i already had a little experience with this and my department doesn't support any other database for use on the web.
The problem that i now have is that the department want me to put in my report why i chose oracle/php over msaccess/asp. At least a 1000 words! I have no experience with msaccess or asp and so it has been hard. Obviously i have been reading lots of books, but most of these just say how both work, not whats good and bad.
The questions i have are,
which combination is the most secure, or easy to secure?
Are there any known holes not plugged?
Also any personal opinions on which you think is best please let me know, i need to look at this from every aspect, not only a security point of view.
May 7th, 2003, 02:40 PM
i like your idea, it's quite good.
Firstly, look at encrypting data for sales, then see if you can get this e-Signature program.
As for Oracle, hopefully other members can tell you about it, sorry i can't
May 7th, 2003, 03:09 PM
The fact that access isn't a true relational DB, and has no security would be a good start, Then add to that the limite on concurant useres in acces and you should have a good report. Include a cost analyisis between tools (visual studio expensive, PHP cheep and runs faster). To get the same preformance out of a MS product that you got from Orical/PHP you would need SQL Server 2000, Visual studieo, and probably site server or application center.
Who is more trustworthy then all of the gurus or Buddha’s?
May 7th, 2003, 04:50 PM
Despite their rhetoric, Oracle doesn't have a good very good security record.
Your best bet is to ensure that external users cannot access the database, even if they know all the passwords to it. You would be well advised to use a firewall.
Also ensure that all the many oracle default accounts are secure with a password. This includes "system" *and* "sys" (A mistake people often make is to secure only the more-often-used "system"). There are also some more default accounts ("scott", perhaps).
May 7th, 2003, 05:49 PM
One important point often neglected by (web) developpers is to NOT use the SA (mssql) or admin? (oracle) account (or for that matter any default admin account for the database you're using) for the web app login to the database. Instead create a new account with only the required permissions on the required tables for the web app. If a table shouldn't be modified by the web app for any web user, then revoke the web app's database user modify rights for that table.
This gives more depth to your security if someone were to find a whole in web app, (sql injection for example)... not to mention dangerous administrative stored procedures (plenty of them in mssql) that the sa account can execute...
Another thing considered to be safer is to only use stored procedures to manipulate the database, and not give any rights on the table themselves. This restricts what can and can't be done to the data. Of course since it is rather restrictive, it isn't always practical to do but it's in the toolbox...
Credit travels up, blame travels down -- The Boss
May 7th, 2003, 08:35 PM
Thanks for your help guys, I'm sure i can pull together a 1000 words now.
If anyone else has any ideas though don't hesitate to put them in.
May 7th, 2003, 08:42 PM
When discussing asp vs php, you could look at availabilty of hosting sites as one point, I had a lot of trouble finding somewhere that would host asp pages.
Also you could mention scalablility, when discusing why you ruled out access. I seem to remember trying to use access for something like a full outer join query or something like that and it failing. I just remember it not being conistent with msSQL server.
I agree with ammo about the stored proceedures, make sure the users don't inject SQL commands into any input to your interface that can reach the DB as part of a command.
When looking at holes not plugged, you could include some kind of response time analysis of the develeopers of the various systems to holes and how frequently these holes appear. I suspect it may support your choice .
May 8th, 2003, 10:57 AM
IMHO postgreSQL is the way to go..
works great with php ..
Has a (quite) good security rep.. And has more options then MySQL..
and the best part.. It's FREE !!
ASCII stupid question, get a stupid ANSI.
When in Russia, pet a PETSCII.
Get your ass over to SLAYRadio
the best station for C64 Remixes !