Secure MySQL connection from PHP script? 1

[DPisarev]

Hi all,

I'm wondering how secure data transmissions are between the web server and the MySQL database if one uses the regular mysql_connect() method?

Since, as I suspect, this default PHP implementation of a database connection is not secure, what alternatives are available?

I need to write a server-side script that will talk to a DB that resides on a separate server via a secure channel. Can PHP do this, or should I use JSP?

Thanks in advance,
Dmitri.

 

[ericbrunson]

secure" meaning encrypted?

 

[DPisarev]

Yes, secure = encrypted, at the very least.

 

[ericbrunson]

http://www.zend.com/manual/ref.mysql.php

According to this doc, if you're running PHP >4.3.0 and the mysql client has been compiled with SSL support, it is available.

 

[DPisarev]

Thanks, Eric.

However, I'm wondering if anyone has ever used such encryption in real life? It seems to me that most websites these days don't use it, wouldn't you say?

Dmitri.

 

[ericbrunson]

Most web sites don't use SSL, but we're not talking about HTTP over SSL, you're talking about mysql over SSL. I don't think most developers use that, either. I don't because my db traffic goes over a switched network on RFC 1918 subnet, so I don't worry about encrypting it.

 

[DPisarev]

Is it MySQL that lacks SSL support or PHP? If it's the latter, then I guess I should go for JSP?

Thanks in advance,
Dmitri.

 

[ericbrunson]

Neither lack SSL. Most people just don't bother with it.

 

[DPisarev]

Are there any function calls in PHP one can use to programmatically ensure SSL is used?

 

[ericbrunson]

I don't know.

 

[DPisarev]

Hmm. Well, thanks anyway for the pointers you've given, Eric.

Does anyone else know how to encrypt PHP-to-MySQL traffic, in real life terms?

Dmitri.

 

[medic]

DPisarev,

Are there any function calls in PHP one can use to programmatically ensure SSL is used?

You don't have to do it in PHP. In IIS, for example, you can designate which virtual folders you want SSL access required. You can also do this on the client-side scripting by checking the value of window.location.protocol object property.

 

[lgarner]

I think you're mixing http via SSL vs. MySQL via SSL. Yes, you can ensure that SSL is used with PHP. This way, you know that the end user is using "

https://yourwebsite".

For PHP communicating with MySQL, I don't think so. You write the PHP code, so you know how you're comunicating between the web server and the database server. The end user doesn't talk to your database server.

 

[ingresman]

You could create a set of web services and access via SSL (HTTPS) to the remote mysql box(which will have a web server on it but only for this work).
Also interesting comment

Can PHP do this, or should I use JSP?

I would assume that JSP would use JDBC to access mysql and so use the same underlying protocol?
Final one, any implications on using certificates (and hence cost) to do this kind of stuff?

 

[ericbrunson]

PHP can use an SSL connection to a remote database, I posted the link to the MySQL manual page above. For that link you could generate your own cert, since you're the only one who has to trust it.

 

[ingresman]

fair enough if you host the box, some isp's would prefer "real" certs i'd guess

 

[ericbrunson]

Yeah, for something externally facing, but for securing your own internal traffic why pay verisign to certify to you that you are who you claim to be?

 

[DPisarev]

Thanks for the link, Eric. Now I believe it is indeed what I was looking for.