Quoting Dr. Larry Ozeran (loze...@clinicalinformatics.com):

> Since we are serving data that can change every few minutes, we
> can't move to static pages. Since we are providing that data to
> users from multiple originating sources, we pretty much have to be
> internet-facing. We have put security procedures in place, but I
> know that security is more an ongoing process than an endpoint and
> there is always more that will need to be done. If there is a better
> way to meet the needs of users other than MySQL+PHP, I am always
> open to new ideas.

Meaning no criticism, I notice in looking upthread (http://lists.lugod.org/pipermail/vox-tech/2016-May/017013.html) that you mention only that your use-case involves PHP-served pages, but not what drives that particular choice of software. Sometimes, a local site uses PHP because it runs developed software resting on the PHP interpreter, e.g. Wordpress, MediaWiki, etc. Other times, that choice resulted from 'Data for each page must be pulled on a per-visit basis from MySQL, therefore some HTTP-invoked process must do a SQL query and assemble page contents and we happened to use PHP to do that because our Web guy knew how to do that.' And I'm sure there are other scenarios -- but dynamic is not synonymous with PHP in any event.

Irrespective of how you arrived at that choice, obviously you would not lightly decide to rearchitect. A number of guides to tightening PHP security to reduce risk exist and may be useful. My own modest effort, last updated when PHP5 was new, is here: 'PHP Security' on http://linuxmafia.com/kb/Web/ .