In the previous article I analyzed the relationship between a PHP & MySQL server and a generic client using an Internet browser.
I emphasized the possibility for PHP programs not to leave processing residues or logs on the client, except for the usual traces recorded by the browser and possibly by cookies, which have now become the fashion for guaranteeing the uniqueness of the connection.
This feature allows PHP to manage the whole issue of security and privacy at home, i.e. on the server, in a relatively simple and rational way.
The implementation of server-client security in a PHP & MySQL environment can be divided into three sections: access from the client to the server with username/password, the opening of a unique session for each individual client, and security in data processing and in referring the data to the specific client.
1. Access from the client to the server
The critical point, however, remains access to the user program residing on the server, which invariably involves sending the user key/password pair over the network from one's own device (PC or mobile phone).
With VPN (Virtual Network Protocol) connections, which use more or less complex encodings and double-key encryption, resistance to interception on the network remains high; the weak point is instead the fraudulent copying of the keys as they are typed, or the insertion of “mirror” software on the user device that can recover those keys before they are encrypted, obviously without the user’s knowledge.
This last violation can be produced by other malicious programs, often not intercepted by antivirus software. It should always be borne in mind that an antivirus is only updated after a new virus has been released, so this gap can only be closed by greater attention on the part of the user.
The use of VPN channels is an excellent guarantee against the interception of messages on the network, but this technology is not always available and sometimes requires the purchase of software packages to be installed on your device.
In what follows I will deal with security only on standard Internet connections, especially since not even a sophisticated “sniffer”¹ can decode a sequence of VPN messages in “real time”².
Internet systems generally work on the “on demand” principle, i.e. the initiative is taken by the user, who requests a service from the server through their device.
¹ “Sniffer” is the jargon name for a network analyzer capable of reading data in transit and storing it for subsequent analysis.
² Real time indicates the period during which the content of a piece of information remains valid; after that it becomes unusable for the intended purposes.
At first sight this may seem quite simple, but it is not, because the first network device involved is the Modem (MODulator – DEModulator) with which the device connects to the Internet.
The Modem is to all intents and purposes a Router: not only does it extract the IP messages (Internet Protocol, e.g. 220.127.116.11, a client in Prague) addressed to it from the primary network (e.g. ADSL or fiber optic), it also manages internal memory blocks in which it writes the messages addressed to the user devices connected to it via WiFi (formerly High Fidelity, now Wireless) or directly via RJ45 Ethernet LAN cables.
The Modem address is the unique IP with which the server receives and transmits data to one of the clients connected and in session; it is the Router component of the Modem that keeps track of which device is interested in that data, adding the session number.
This IP changes every time the Modem is reset: about 30 seconds after restart it begins the connection sequence to the server by sending a series of “I’m alive” messages. Once these are received by the addressed server and the old connection has been cancelled (which generally happens at timeout, after about 180 seconds), a new network buffer is opened on the server and therefore another IP is assigned to the client modem.
Understanding this sequence is important for security purposes because access to a program residing on the server must NOT send data to other clients and must keep each client session compartmentalized, bearing in mind that an ordinary Modem can also have 4 devices connected and that cell phones have an internal Modem and an independent WiFi connection.
The issue of session separation is also important in relation to the use of the MySQL database or others. In effect, access to the tables can be simultaneous and some unfortunate conditions may occur, for example: a shared table remains locked, or the extracted data belongs to a query generated by another user.
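As an added example (not code from the original article), this is one way to keep each client session compartmentalized on the server in PHP: the session cookie is hardened, a fresh session id is issued once the username/password pair has been verified, and every data query is bound to the user id held server-side in the session, so the server never returns another client’s rows. The table names, the `app`/`secret` database credentials and the `password_hash` column are assumptions; `session_set_cookie_params` with an array argument needs PHP 7.3 or later.

```php
<?php
// Added example, not the article's own code. Assumed schema:
// users(id, username, password_hash), documents(id, owner_id, title).
declare(strict_types=1);

// Cookie flags: the session id is sent only over HTTPS, is invisible to
// client-side scripts, and is not attached to cross-site requests.
session_set_cookie_params([
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);
session_start();

// 'app' / 'secret' are placeholder credentials for this example.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
]);

// Check the username/password pair sent by the client against the stored
// hash; on success issue a new session id so an id obtained before login
// cannot be reused to enter this session.
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);              // new id, old session file deleted
    $_SESSION = ['user_id' => (int) $row['id']];
    return true;
}

// Every data query is scoped by the user id stored in the server-side
// session, never by a value supplied by the client, so one client's
// result set cannot contain rows belonging to another client's session.
function ownDocuments(PDO $pdo): array
{
    if (!isset($_SESSION['user_id'])) {
        http_response_code(401);              // no valid session for this client
        return [];
    }
    $stmt = $pdo->prepare('SELECT id, title FROM documents WHERE owner_id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```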
I will analyze these conditions in the next article.