the user’s browser sending a request through the Internet to the Web server. If the page is a
PHP script, the Web server will delegate processing the page to the PHP engine.
The PHP script might read or write data to disk. It might also include() or require() other
PHP or HTML files. It will also send SQL queries to the MySQL daemon and receive
responses. The MySQL engine is responsible for reading and writing its own data on disk.
This system has three main parts:
• The user’s machine
• The Internet
• Your system
We will look at security considerations for each separately, but obviously the user’s machine
and the Internet are largely out of your control.
The User’s Machine
From our point of view, the user’s machine is running a Web browser. We have no control over
other factors such as how securely the machine is set up. We need to bear in mind that the
machine might be very insecure or even a shared terminal at a library, school, or café.
Many different browsers are available, each having slightly different capabilities. If we only
consider recent versions of the most popular two browsers, most of the differences between
them only affect how HTML will be rendered and displayed, but there are security or
functionality issues that we need to consider.
You should note that some people will disable features that they consider a security or privacy
risk, such as Java, cookies, or JavaScript. If you use these features, you should either test that
your application degrades gracefully for people without these features, or consider providing a
less feature-rich interface that allows these people to use your site.
Users outside the United States and Canada might have Web browsers that only support 40-bit
encryption. Although the U.S. Government changed the law in January 2000 to allow export of
strong encryption (to non-embargoed countries) and 128-bit versions are now available to most
users, some of them will not have upgraded. Unless you are making guarantees of security to
users in the text of your site, this need not concern you overly as a Web developer. SSL will
automatically negotiate for you to enable your server and the user’s browser to communicate at
the most secure level that they both understand.
We cannot be sure that we are dealing with a Web browser connecting to our site through our
intended interface. Requests to our site might be coming from another site stealing images or
content, or from a person using software such as cURL to bypass safety measures.
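Because a request might not come from the intended form at all, every check the form performs has to be repeated on the server. The following is an added example, not code from the book; the field names, the limits, and the price table are assumptions, and it is written for PHP 7 or later.

```php
<?php
// Constructed price table (assumption); a real application would read it from MySQL.
const PRICES = ['widget' => 9.95, 'gadget' => 24.50];

// Validate an order as if nothing on the client side had checked it.
function validate_order(array $input): array
{
    $errors = [];

    // The form may offer only known items in a <select>; a hand-built request need not.
    $item = $input['item'] ?? '';
    if (!is_string($item) || !array_key_exists($item, PRICES)) {
        $errors[] = 'unknown item';
    }

    // Range-check the quantity here even if the form already limits it.
    $qty = filter_var($input['quantity'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 10]]);
    if ($qty === false) {
        $errors[] = 'quantity must be a whole number from 1 to 10';
    }

    // filter_var() also rejects non-scalar input such as email[]=x.
    $email = filter_var($input['email'] ?? null, FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors[] = 'invalid e-mail address';
    }

    if ($errors) {
        return ['ok' => false, 'errors' => $errors];
    }

    // The price comes from the server-side table; a "price" field in the request is ignored.
    return ['ok' => true, 'item' => $item, 'quantity' => $qty, 'email' => $email,
            'total' => round(PRICES[$item] * $qty, 2)];
}

// Constructed requests: one as the form would send it, one built by hand.
$from_form  = ['item' => 'widget', 'quantity' => '2', 'email' => 'pat@example.com'];
$hand_built = ['item' => 'widget', 'quantity' => '-5', 'email' => ['x'], 'price' => '0.01'];

foreach ([$from_form, $hand_built] as $request) {
    echo json_encode(validate_order($request)), "\n";
}
```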
Implementing Secure Transactions with PHP and MySQL (Chapter 15)










