
I'm doing a website project in PHP, front/back-end from scratch, which will require secure database connections. I've set up my MySQL database with XAMPP, and have gotten an understanding of how to avoid SQL injection. As of now, when a user signs up to my website, I send them an auto-generated email with a link containing a GET request. This GET request contains non-sensitive information to validate the user to the database, which I have managed successfully.

Now, I've learned that to increase security, I should use SSL/TLS encryption on all communications between server/client and this is where I'm confused. AFAIK PHP offers mysqli_ssl_set to establish an encrypted connection to MySQL. And MySQL can be configured to force only SSL/TLS connections (Please alert me if I'm wrong).

How do I make sure that my information sent to the client is SSL encrypted? I'm planning on moving my project to a hosting service. Will they provide the correct certificates needed to encrypt my information to the world wide web? On which subject do I need to further develop my understanding of these concepts?

Dharman
siph
  • This is more about using HTTPS and redirecting HTTP. – Nigel Ren Feb 26 '22 at 16:51
  • @NigelRen Can you elaborate please? – siph Feb 26 '22 at 16:55
  • Probably https://stackoverflow.com/questions/2621706/good-guide-for-web-app-security is relevant. – Nigel Ren Feb 26 '22 at 16:59
  • `https` is doing what you need; mainly on paid hosting you need just a few clicks to make an `https` subdomain (they will generate the certificates and all the stuff needed). – Traian GEICU Feb 26 '22 at 17:31
  • https://dev.mysql.com/doc/refman/8.0/en/using-encrypted-connections.html You should also use a framework (eg Symfony) so you cover some grounds automatically as frameworks stick to best practices – Chinmay Feb 26 '22 at 18:08
  • SSL/TLS is a way to secure a connection. A user connects to your web server over HTTP, and it is recommended to secure that connection by using TLS. Users _don't_ connect to the database, your code does. If the database and web server are on the same server, you (probably) don't need TLS for that connection. If the database is elsewhere, it depends on whether you trust the underlying transport. – Chris Haas Feb 26 '22 at 18:44
  • Thanks everyone for good input. @ChrisHaas In general, can I count on my hosting provider to handle that encryption? – siph Feb 26 '22 at 19:45
  • Don't count on your host for anything. Some hosts (where some is all/many/most/none) don't really know anything necessarily about programming; many are just selling CPU, memory and disk space. There are great hosts out there, too. Just don't rely on them until you know you can trust them. Unless you manually tell PHP to connect to MySQL using encryption, the default is to not encrypt. But, like I said, if you are local, it probably isn't an issue. – Chris Haas Feb 27 '22 at 02:43
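The two halves the comments describe, as an added example that is not part of the question or any comment: forcing the PHP-to-MySQL hop onto TLS with `mysqli_ssl_set`/`MYSQLI_CLIENT_SSL` and verifying the server certificate, then checking from the server side that the session really is encrypted, and, separately, pushing the browser onto HTTPS with a redirect, HSTS and Secure cookies. Everything concrete here is assumed for illustration: the host `db.example.internal`, the CA file path, the environment variable names, and the hypothetical helper names `connectEncrypted`, `assertTlsSession` and `enforceHttps`.

```php
<?php
// Added example; not code from the question. Assumes a MySQL server at
// db.example.internal with TLS enabled, a CA bundle at the path below, and
// credentials in the DB_USER / DB_PASS / DB_NAME environment variables.
declare(strict_types=1);

// Make mysqli throw exceptions instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Open a mysqli connection that refuses to fall back to plaintext and
 * verifies the server's certificate against the given CA file.
 */
function connectEncrypted(string $host, string $user, string $pass, string $db, string $caFile): mysqli
{
    $conn = mysqli_init();
    if ($conn === false) {
        throw new RuntimeException('mysqli_init failed');
    }
    // Without server-cert verification TLS still encrypts, but anyone who can
    // intercept the connection could present their own certificate.
    $conn->options(MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, true);
    // No client key/cert (server-side auth only); the CA file is what matters.
    // ssl_set() must be called before real_connect().
    $conn->ssl_set(null, null, $caFile, null, null);
    // MYSQLI_CLIENT_SSL makes the handshake fail rather than downgrade.
    $conn->real_connect($host, $user, $pass, $db, 3306, null, MYSQLI_CLIENT_SSL);
    $conn->set_charset('utf8mb4');
    return $conn;
}

/** Ask the server which cipher this session negotiated; empty means plaintext. */
function assertTlsSession(mysqli $conn): string
{
    $row = $conn->query("SHOW SESSION STATUS LIKE 'Ssl_cipher'")->fetch_assoc();
    if (empty($row['Value'])) {
        throw new RuntimeException('Connection to MySQL is NOT encrypted');
    }
    return $row['Value'];
}

/**
 * Browser side: redirect plain HTTP to HTTPS, send HSTS once on HTTPS, and
 * make sure the session cookie is never sent over plaintext.
 * Call this before any output and before session_start().
 */
function enforceHttps(): void
{
    // Behind a reverse proxy $_SERVER['HTTPS'] may be unset; only trust
    // X-Forwarded-Proto if you know the proxy sets it and strips client copies.
    $isHttps = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
        || (int) ($_SERVER['SERVER_PORT'] ?? 0) === 443;
    if (!$isHttps) {
        $target = 'https://' . $_SERVER['HTTP_HOST'] . ($_SERVER['REQUEST_URI'] ?? '/');
        header('Location: ' . $target, true, 301);
        exit;
    }
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
    session_set_cookie_params([
        'secure'   => true,   // cookie only over HTTPS
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

enforceHttps();
$db = connectEncrypted(
    'db.example.internal',
    getenv('DB_USER') ?: '',
    getenv('DB_PASS') ?: '',
    getenv('DB_NAME') ?: '',
    '/etc/ssl/certs/mysql-ca.pem'
);
echo 'MySQL session cipher: ' . assertTlsSession($db) . PHP_EOL;
```

The server-side counterpart to the `MYSQLI_CLIENT_SSL` flag is to have MySQL refuse plaintext altogether, either globally with `require_secure_transport=ON` in the `[mysqld]` section of my.cnf, or per account with `ALTER USER 'app'@'%' REQUIRE SSL`; with both sides configured, a misconfigured client fails loudly instead of silently falling back. The `Ssl_cipher` check is the cheap way to confirm, from PHP itself, that the connection the hosting provider gave you is actually encrypted rather than taking that on faith.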
