Rick, thanks again for your insights.

You are, of course, correct that we would not redesign our software without a significant and deep assessment of benefits and costs (money, time, resources, etc.). Most of the PHP, MySQL, and related code has been developed in house. I probably coded 10-15% myself. The intent of my comment was simply to indicate that we do not blindly accept that there is no better option than what we are doing. If there are strong arguments to support considering making a switch, I would not exclude that possibility without reviewing the pros and cons simply because we have a large legacy investment. I consider your response (below) to fall into the 'cons' (to switching) category and will definitely compare your PHP security recommendations against what we currently are and are not doing.

Thanks,

Dr. Larry Ozeran
President, Clinical Informatics, Inc.
(530) 671-9244

On 6/2/2016 07:02, Rick Moen wrote:
Quoting Dr. Larry Ozeran (loze...@clinicalinformatics.com):

Since we are serving data that can change every few minutes, we
can't move to static pages. Since we are providing that data to
users from multiple originating sources, we pretty much have to be
internet-facing. We have put security procedures in place, but I
know that security is more an ongoing process than an endpoint and
there is always more that will need to be done. If there is a better
way to meet the needs of users other than MySQL+PHP, I am always
open to new ideas.

Meaning no criticism, I notice in looking upthread
(http://lists.lugod.org/pipermail/vox-tech/2016-May/017013.html) that
you mention only that your use-case involves PHP-served pages, but not
what drives that particular choice of software.

Sometimes, a local site uses PHP because it runs developed software
resting on the PHP interpreter, e.g. Wordpress, MediaWiki, etc.
Other times, that choice resulted from 'Data for each page must be
pulled on a per-visit basis from MySQL, therefore some HTTP-invoked
process must do a SQL query and assemble page contents and we happened
to use PHP to do that because our Web guy knew how to do that.'  And
I'm sure there are other scenarios -- but dynamic is not synonymous with
PHP in any event.

Irrespective of how you arrived at that choice, obviously you would not
lightly decide to rearchitect.

A number of guides to tightening PHP security to reduce risk exist and
may be useful.  My own modest effort, last updated when PHP5 was new, is
here:  'PHP Security' on http://linuxmafia.com/kb/Web/ .

_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech