  1. #1
    Join Date
    Sep 2011
    Posts
    5

    Unanswered: Payday Loan website created with MySQL.

    I've recently paid for a website to be created for a payday loan company.

    The database is being built using MySQL instead of MS Access as I requested.

    I requested MS Access as I have minor knowledge of it and could pull reports and queries as I see fit.

    My fear right now is that the database appears to be ALL online with no offline capabilities, in that I need to log on to look at data. I'm very nervous that going with MySQL may leave my site to be easily hacked vs. MS Access.

    I have no knowledge of MySQL at all so I'm looking for advice and help in this matter.

    Any info to help would be greatly appreciated.

  2. #2
    Join Date
    Mar 2003
    Location
    The Bottom of The Barrel
    Posts
    6,102
    Provided Answers: 1
    Ask for a way to copy the data locally if that's your concern. Whether or not you have a local copy of the data does not influence how easy it is to hack your site, only how easy it is to recover if you do lose everything.

    I strongly suggest you work with your provider to establish a comprehensive approach to securing your assets. Now. The fact that you appear to be thinking about security for a financial services website after the fact is... troubling.
    oh yeah... documentation... I have heard of that.


  3. #3
    Join Date
    Sep 2011
    Posts
    5
    Actually, security has always been my concern. So much so that I feel I need a second company to look over the coding to ensure there has been no 'back door' added for them to log on.

    As for hackers I was informed that if I get an SSL certificate for the site this will greatly reduce the risk.

    Is it possible with MySQL to have it so that in order to log in as admin you must carry a certain IP address or something to that effect, to make it so I am the only one able to log into the admin side (where all the financial data is kept)?

  4. #4
    Join Date
    Feb 2004
    Location
    In front of the computer
    Posts
    15,579
    Provided Answers: 54
    If it is used correctly, an SSL certificate adds an obstacle for hackers. Unless a site is designed "cradle to grave" with security in mind, adding security in any form as an afterthought is probably only going to be a nuisance to an experienced hacker.

    If you control every part of the hardware that runs every part of your web site (from the database through the application server and the web server to the router that connects the whole conglomeration to "the Internet") then you have a good shot at controlling security. If you don't have physical control of those pieces, and especially if those are contracted via a party that you don't trust absolutely, then trying to add security seems futile to me.

    My guess is that your web site is hosted on servers owned by a third party. If that is the case, then the administrators and probably the tech support people for the hosting company have access to every bit of code and data on their servers and there is NOTHING that you can do to change that. As a corollary to that, any hacker that can get control of your host has complete control of your data, code, and site.

    -PatP
    In theory, theory and practice are identical. In practice, theory and practice are unrelated.

  5. #5
    Join Date
    Sep 2011
    Posts
    5
    Will I find this problem with any DB I go with? The reason why I wanted to go with a DB such as Access is because I was under the impression I could have the front end (user inputs data) sent to the back end Access DB that is on my PC. Having the database on my PC gives me complete control and keeps it safe from hackers. Or is that not right at all?

  6. #6
    Join Date
    Feb 2004
    Location
    In front of the computer
    Posts
    15,579
    Provided Answers: 54
    The problems that I cited have to do with hosting and application design in general. The choice of database, programming language, etc. can mitigate or increase the basic risk with a given platform, but only to a limited extent.

    Placing the database on another machine (yours) that is accessible via the Internet does nothing to improve the security of the web site and actually exposes your own PC to much more risk.

    -PatP

  7. #7
    Join Date
    Sep 2011
    Posts
    5
    When you speak of the SSL certificate being used correctly, is that something on my end that needs to be done correctly, or on the host/server's end to set it up correctly?

  8. #8
    Join Date
    Feb 2004
    Location
    In front of the computer
    Posts
    15,579
    Provided Answers: 54
    The SSL configuration is done completely on the host side; the client (even you as a super-user) configuration only uses the SSL certificate that is installed on the host.

    Based on the questions that you've got and the level of geek needed to resolve them, you need a consultant instead of a conversation on the internet. You need someone to do a "cradle to grave" analysis of your setup to find any gaps in security and then provide you with a remediation plan for those gaps. This really isn't something that you (or any end user) can do; the risk is too great.

    -PatP

  9. #9
    Join Date
    Sep 2011
    Posts
    5
    Last I knew, besides the security problems that you are concerned with, Access was very limited on the number of concurrent connections that can be made to the DB at once. So if you are making a website, each user running a query at each point in time would be using a connection. I think the limit was something like 10, so that might be another reason not to go with Access...

    Also, from the security standpoint, you could run your application on one server and possibly run the DB on a MySQL server either within your secured network or somewhere that is more trusted than a shared host. That still isn't 100% secure because you do need to store your database connection credentials somewhere on the application server and, like the previous post said, anyone from your hosting company could get the credentials from the file and then still log into the DB server.

    I think you can limit to certain IPs but that wouldn't help much because people at your ISP would have access to log in from the IP that they own, and you would need to give access to that IP, otherwise your PHP/ASP etc. would not be able to log into the DB itself and your scripts would not work. The above scenario is sort of like you explained about running it on your own PC.

    I do know there are also some limitations to MySQL that have to do with once the DBs get large, so depending on how large you get these tables you might want to go with MSSQL, but maybe that has been fixed since the latest version of MySQL.
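
Added example, not part of any post in this thread: how the IP restriction asked about in #3 and mentioned in #9 is expressed in MySQL, where an account is the pair `'user'@'host'`. It assumes MySQL 5.7 or later; the account names, the `loans` schema, the passwords and the IP addresses (documentation ranges) are placeholders.

```sql
-- Added example. Every name, password and address here is a placeholder.

-- 1. Application account: accepted only from the web/application server's
--    address, only over TLS, and only with the privileges the site needs.
CREATE USER 'loan_app'@'192.0.2.10'
  IDENTIFIED BY 'REPLACE_WITH_LONG_RANDOM_PASSWORD_1'
  REQUIRE SSL;
GRANT SELECT, INSERT, UPDATE ON loans.* TO 'loan_app'@'192.0.2.10';

-- 2. Reporting account for the owner: read-only, accepted only from the
--    office's static address, only over TLS.
CREATE USER 'owner_reports'@'203.0.113.25'
  IDENTIFIED BY 'REPLACE_WITH_LONG_RANDOM_PASSWORD_2'
  REQUIRE SSL;
GRANT SELECT ON loans.* TO 'owner_reports'@'203.0.113.25';

-- 3. Audit: list accounts that can connect from any host, or that are
--    not required to use TLS. Each row is an account to tighten or drop.
SELECT user, host, ssl_type
FROM mysql.user
WHERE host IN ('%', '')
   OR ssl_type = '';

-- 4. Confirm what each restricted account is actually allowed to do.
SHOW GRANTS FOR 'loan_app'@'192.0.2.10';
SHOW GRANTS FOR 'owner_reports'@'203.0.113.25';
```

The host part limits where a stolen password can be used from; as post #9 points out, it does not stop anyone who can read the credentials on the application server itself, because that server's address has to be allowed.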
