Site security from competition

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Bill H
DevNet Resident
Posts: 1136
Joined: Sat Jun 01, 2002 10:16 am
Location: San Diego CA

Post by Bill H »

I realize this question is pretty vague, but in a general sense...

Given I have a customer database in a MySQL db on a shared server, accessed by a system of PHP scripts. The scripts require logging in and each script is protected by requiring the presence of a $_SESSION var created by the login. How secure is my information against being accessed by one of my competitors? (i.e. so they can find out who I'm selling to?)

Any guidance you can provide will be appreciated.
Buddha443556
Forum Regular
Posts: 873
Joined: Fri Mar 19, 2004 1:51 pm

Post by Buddha443556 »

You're on a shared server; expect no privacy. No matter how tight your scripts are coded, it doesn't change the fact you're on a shared server.

If I may ask, what are you selling?
Bill H
DevNet Resident
Posts: 1136
Joined: Sat Jun 01, 2002 10:16 am
Location: San Diego CA

Post by Bill H »

My client is in the "mystery shopping" business. Not very high profile, and competition is not very sophisticated, so I'm not sure how concerned they need to be. Trade off would be to install IIS, PHP and MySQL on their office system, but they've gotten spoiled by the ability to work from home as easily as from their office. And I know they don't want the risk of opening up remote access to their office system.
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Try a dedicated server or colocation. Usually, it's a lot better than hosting it from your basement (no fear of being slashdotted either).
Buddha443556
Forum Regular
Posts: 873
Joined: Fri Mar 19, 2004 1:51 pm

Post by Buddha443556 »

Bill H wrote: Not very high profile...
They have to be high profile enough to do business, which is pretty high profile.
Bill H wrote: ... and competition is not very sophisticated ...
Never underestimate the competition. Since they're "secret shoppers" you may want to add their customer's competition to the threat list.
Bill H wrote: Trade off would be to install IIS, PHP and MySQL on their office system, but they've gotten spoiled by the ability to work from home as easily as from their office. And I know they don't want the risk of opening up remote access to their office system.
If they're accessing the internet from their office system then they already have opened up remote access to their office system.

Having made those points ...

It's really the customer's decision; you just have to make sure they understand their options and the associated risks and benefits. If they are comfortable with the internet setup then what can you do to reduce the risk even further?

And as Ambush Commander said...
Try a dedicated server or colocation. Usually, it's a lot better than hosting it from your basement (no fear of being slashdotted either).
... which would lessen the risk.