On Wed, Apr 22, 2009 at 10:25 AM, Jan G.B. <ro0ot.w...@googlemail.com> wrote:
> 2009/4/21 Per Jessen <p...@computer.org>:
>> Jan G.B. wrote:
>>> A web application that uses an external db server would be quite ...
>>> uhm... slow! Anyone did this, yet? ;)
>> Certainly, and it's not slow. It depends entirely on your connection to
>> the public internet.
> As we're speaking of the internet, it also depends on the route and so
> it depends on servers which are not underlying your administration (in
> most cases at least).
> Having several servers with gigabit internet access also might be more
> expensive than a cat6 patch cable and a gigabit nic. So this setup
> would be just mad.
There are definitely other ways to make the communication secure,
whether you route it through an local subnet, configure a totally
private network using secondary NICs, encrypt the connection, host
both on the same machine and use a local loopback address, etc. If
you've done one or more of these things to secure the pathway between
the web server and the database, and if you know that no one is going
to come behind you and reconfigure things, then you can probably rest
fairly comfortably passing unhashed/unencrypted values to MySQL all
I only made the suggestion as a matter of defensive programming, since
not everyone developing with PHP knows and/or has control over how PHP
and MySQL communicate. For many sites, a developer writing an app has
no idea whether the web server and database are on the same physical
machine, let alone how the two services communicate. What's more, in
some of these environments, what is true today could change tomorrow.
(The issue of query logs is another good point, too.) All I'm saying
is if you hash/encrypt the value in PHP rather than passing it off to
MySQL in open text, you don't have to worry about whether the
connection is (or becomes) sniffable.
For that matter if you're going to bring up performance, I know many
DBAs who would argue this as performance issue as well.
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php