On Wed, Apr 22, 2009 at 10:25 AM, Jan G.B. <ro0ot.w00t@xxxxxxxxxxxxxx> wrote:
> 2009/4/21 Per Jessen <per@xxxxxxxxxxxx>:
>> Jan G.B. wrote:
>>
>>> A web application that uses an external db server would be quite ...
>>> uhm... slow! Anyone did this, yet? ;)
>>
>> Certainly, and it's not slow. It depends entirely on your connection to
>> the public internet.
>>
>
> As we're speaking of the internet, it also depends on the route and so
> it depends on servers which are not underlying your administration (in
> most cases at least).
> Having several servers with gigabit internet access also might be more
> expensive than a cat6 patch cable and a gigabit nic. So this setup
> would be just mad.
>
> Regards
>

There are definitely other ways to make the communication secure, whether you route it through a local subnet, configure a totally private network using secondary NICs, encrypt the connection, host both on the same machine and use a local loopback address, etc. If you've done one or more of these things to secure the pathway between the web server and the database, and if you know that no one is going to come behind you and reconfigure things, then you can probably rest fairly comfortably passing unhashed/unencrypted values to MySQL all you want.

I only made the suggestion as a matter of defensive programming, since not everyone developing with PHP knows and/or has control over how PHP and MySQL communicate. For many sites, a developer writing an app has no idea whether the web server and database are on the same physical machine, let alone how the two services communicate. What's more, in some of these environments, what is true today could change tomorrow. (The issue of query logs is another good point, too.) All I'm saying is if you hash/encrypt the value in PHP rather than passing it off to MySQL in open text, you don't have to worry about whether the connection is (or becomes) sniffable.
For that matter, if you're going to bring up performance, I know many DBAs who would argue this as a performance issue as well.

Andrew
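
The point made in the reply above, as an added example that is not part of the original thread: hashing in PHP keeps the plaintext out of the statement text, so neither the connection nor a query log ever carries it. The `users` table, the sample credentials and the in-memory SQLite database standing in for MySQL are assumptions, and `password_hash()`/`password_verify()` (PHP 5.5+) postdate the thread.

```php
<?php
// Added example, not from the thread. Assumed: the `users` table, the sample
// credentials, and in-memory SQLite standing in for MySQL so it runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');

// Hashing delegated to the database: the plaintext is part of the statement
// text, so it crosses the connection and lands in any query log.
// Built only to inspect what would be sent; never executed.
function weakStatement(PDO $db, string $name, string $password): string {
    return 'INSERT INTO users VALUES (' . $db->quote($name)
         . ', SHA1(' . $db->quote($password) . '))';
}

// Hashing in PHP: only the salted hash is bound to the statement.
function register(PDO $db, array &$wire, string $name, string $password): void {
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $sql  = 'INSERT INTO users (name, pw_hash) VALUES (?, ?)';
    $db->prepare($sql)->execute([$name, $hash]);
    $wire[] = [$sql, $name, $hash];          // record what was sent
}

// A salted hash cannot be matched in a WHERE clause, so the row is fetched by
// name and the comparison happens in PHP; the password is never sent at all.
function login(PDO $db, array &$wire, string $name, string $password): bool {
    $sql  = 'SELECT pw_hash FROM users WHERE name = ?';
    $stmt = $db->prepare($sql);
    $stmt->execute([$name]);
    $wire[] = [$sql, $name];
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

$wire     = [];                              // everything handed to the database
$password = 'correct horse battery staple';  // constructed sample value
$weak     = weakStatement($db, 'alice', $password);

register($db, $wire, 'alice', $password);
$okGood = login($db, $wire, 'alice', $password);
$okBad  = login($db, $wire, 'alice', 'not the password');
$sent   = json_encode($wire);

printf("login with correct password: %s\n", $okGood ? 'accepted' : 'rejected');
printf("login with wrong password:   %s\n", $okBad ? 'accepted' : 'rejected');
printf("plaintext in DB-side hashing statement: %s\n",
       strpos($weak, $password) !== false ? 'yes' : 'no');
printf("plaintext in PHP-side hashing traffic:  %s\n",
       strpos($sent, $password) !== false ? 'yes' : 'no');
```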