Specifications
One specific thing to consider when installing PHP is that it is generally more secure, as well
as much more efficient, to install PHP as a SAPI module for your Web server than to run it via
the CGI interface.
The primary thing you need to worry about is what your own scripts do or don’t do.
What potentially sensitive data does our application transmit to the user over the Internet?
What sensitive data do we ask users to transmit to us? If we are transmitting information that
should be a private transaction between us and our users or that should be difficult for an intermediary to modify, we should consider using SSL.
We have already talked about using SSL between the user’s computer and the server. You
should also think about the situation where you are transmitting data from one component of
your system to another over a network. A typical example arises when your MySQL database
resides on a different machine from your Web server. PHP will connect to your MySQL server
via TCP/IP, and this connection will be unencrypted. If these machines are both on a private
local area network, you need to ensure that network is secure. If the machines are communicating via the Internet, your system will probably run slowly, and you need to treat this connection in the same way as other connections over the Internet.
PHP has no native way of making this connection via SSL. The fopen() command supports
HTTP but not HTTPS. You can, however, use SSL via the cURL library. We will look at the
use of cURL in Chapter 17.
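The remark above reflects the PHP of the book's time; the mysqli extension in current PHP can carry the PHP-to-MySQL link over TLS. The following is an added example, not the book's code: the hostname, credentials and CA file path are placeholders, and the server is assumed to have TLS enabled.

```php
<?php
// Added example (not from the book): open the PHP -> MySQL link over TLS and
// refuse to use it unless the server actually negotiated a cipher.
// Hostname, credentials and CA path below are assumptions; substitute your own.

function connectMysqlOverTls(string $host, string $user, string $password,
                             string $db, string $caFile): mysqli
{
    // Turn connection and query failures into exceptions instead of warnings.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $link = mysqli_init();

    // Trust only our own CA bundle for the server certificate. Client key and
    // certificate are null because the server is not requiring client certs here.
    $link->ssl_set(null, null, $caFile, null, null);

    // MYSQLI_CLIENT_SSL requests TLS for the handshake. Without this flag the
    // link is made in cleartext, which is the situation the text warns about.
    $link->real_connect($host, $user, $password, $db, 3306, null, MYSQLI_CLIENT_SSL);

    // Belt and braces: ask the server which cipher protects this session. An
    // empty value means no encryption, so close the link rather than use it.
    $row = $link->query("SHOW SESSION STATUS LIKE 'Ssl_cipher'")->fetch_assoc();
    if (empty($row['Value'])) {
        $link->close();
        throw new RuntimeException('MySQL connection is not encrypted; refusing to continue');
    }
    return $link;
}

// Usage (placeholder host, credentials and CA path):
$db = connectMysqlOverTls('db.internal.example', 'webapp', 'REPLACE_ME',
                          'shop', '/etc/ssl/certs/internal-ca.pem');
echo "Connected to MySQL over TLS\n";
```

The same check is worth running from a monitoring script, since a misconfigured server that silently drops TLS would otherwise leave the database traffic exposed on the network.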
It is important that when our users think they are dealing with us, they are dealing with us.
Registering for a digital certificate will protect our visitors from spoofing (someone else impersonating our site), allow us to use SSL without users seeing a warning message, and provide an
air of respectability to our online venture.
Do our scripts carefully check the data that users enter?
Are we careful about storing information securely?
We will answer these questions in the next few sections of this chapter.
Using Secure Sockets Layer (SSL)
The Secure Sockets Layer protocol suite was originally designed by Netscape to facilitate
secure communication between Web servers and Web browsers. It has since been adopted as
the unofficial standard method for browsers and servers to exchange sensitive information.
Both SSL version 2 and version 3 are well supported. Most Web servers either include SSL
functionality, or can accept it as an add-on module. Internet Explorer and Netscape Navigator
have both supported SSL from version 3.
Part III: E-commerce and Security, page 332