Originally Posted by Ace.....
Is it possible to set up a dbase that is not accessible to any two-bit hacker?
What's the current status on dbase security on typical hosted site solutions?
I'm using the global service GoDaddy, primarily cos it was cheap, and the domain name acquisition was all linked in.
I chose the linux offering, and I believe they run all the latest software versions, and do offer TLS/SSL at additional cost.
Was this one of those 'cheap' servers that you had in mind?
GoDaddy is the prime example of what I was talking about; they have been breached several times. I know from personal experience.
The dbase itself is not the issue; MySQL patches up any problems before they get out of hand. It's the PHP that gives away the keys to the kingdom. I can't tell you how many PHP snippets I've seen posted in forums that simply concat `$_GET['someParam']` into the SQL statement. A chain is only as strong as its weakest link.
You can ramp up security on any plan or server. If on a server you don't trust, host the DB on another, non-public site and use POST to talk from your public server to the safe server's DB. That gives you an extra layer of protection, because if your public site is compromised, all it can do is request the pre-set actions you defined in the private server's HTTP interface, which hopefully won't include "drop table users"...
I think that getting the password and user list off of the site is good all around. It reduces the site's legal liability significantly in most jurisdictional situations. It puts security in the hands of security experts instead of busy site developers. Finally, it's just easier for the user to click a few OAuth2 (or whatever) buttons, with remembered values, than to have to type in names, passwords, or email accounts.
Easier UX equals better security and fewer post-it notes on the sides of monitors.
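One concrete instance of the weak link the reply describes, as an added example (not code from the thread or from any poster): the concatenated query beside its prepared-statement form. It uses an in-memory SQLite database through PDO so it runs on its own; the `users` table, its sample rows and the `lookupUser*` function names are assumptions, and for a hosted MySQL site you would swap in your own DSN.

```php
<?php
// Added example, not from the thread. In-memory SQLite via PDO so it runs stand-alone;
// replace the DSN with your MySQL one in practice (and there also set
// PDO::ATTR_EMULATE_PREPARES => false so the server does the preparing).

function openSampleDb(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    // Constructed sample rows; one name contains a quote on purpose.
    $db->exec("INSERT INTO users (name) VALUES ('alice'), ('O''Brien')");
    return $db;
}

// The pattern the reply warns about: request input spliced into the SQL text.
// The value becomes part of the statement, so any quote in it changes the query.
function lookupUserUnsafe(PDO $db, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: the SQL text is fixed and the value travels separately as a
// bound parameter, so the database never parses it as part of the statement.
function lookupUserSafe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = openSampleDb();
// Request input when served over HTTP; the awkward sample name when run from the CLI.
$name = $_GET['name'] ?? "O'Brien";

try {
    lookupUserUnsafe($db, $name);
} catch (PDOException $e) {
    // A legitimate name with a quote already breaks the concatenated query:
    // a syntax error instead of a match, which is the same flaw an attacker abuses.
    echo "unsafe lookup failed: ", $e->getMessage(), "\n";
}

foreach (lookupUserSafe($db, $name) as $row) {
    echo "safe lookup matched id=", $row['id'], " name=", $row['name'], "\n";
}
```

Run from the CLI, the unsafe lookup reports a syntax error while the safe one returns the `O'Brien` row, which is the behaviour you want before any request ever reaches the database.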