Thread: Online database question (not related to Avatar)

  1. #1

    Thread Starter
    Next Of Kin baja_yu's Avatar
    Join Date
    Aug 2002
    Location
    /dev/root
    Posts
    5,989

    Online database question (not related to Avatar)

    Hi guys. I have a serious question that I didn't know where else to place on the forum.

    I haven't worked much with DBs or PHP/ASP, but I'm interested if there's a way to prevent your data from being ripped, most easily by someone at the company hosting your website.

    Since the DB is publicly searchable and such, there's no real way of preventing someone from scraping it, and regarding hosting I guess the only way is having your own server physically inaccessible to others. And what when a part of the DB holds info like user accounts?

    Or there's maybe a much much simpler way that I, as a noob, am not aware of.

    So anyone with any ideas or thoughts, feel free to post. I'm not looking for anything specific.

  2. #2
    I'm about to be a PowerPoster! mendhak's Avatar
    Join Date
    Feb 2002
    Location
    Ulaan Baator GooGoo: Frog
    Posts
    38,170

    Re: Online database question (not related to Avatar)

    General Dev is what you want.

  3. #3
    PowerPoster dilettante's Avatar
    Join Date
    Feb 2006
    Posts
    24,487

    Re: Online database question (not related to Avatar)

    Seems to me this is a kind of tough thing to accomplish using outside hosting.

    User accounts, or at least their passwords, can be somewhat protected by using a one-way crypto hash like MD5 or something "harder." Check elsewhere for details, but I think the general idea is that a logon from a client sends you the user ID and a hash created based on a "salt" value, the user ID, and the password. Your server code takes the submitted hash and a different "salt" string, then hashes this again to create a second hash. You look up the user record in the DB by user ID, and match the second hash against the hash stored in the DB. The user's actual password is never sent over the wire or stored in the DB.

    These second-level hashes are set when the user account is defined and upon password changes. The same general approach is followed of course.


    That sort of technique is useless for much besides validating user input like logons of course. You could use some form of encrypted database or even encrypt the data in individual fields... but your server-side code would need the encryption key. This means anybody at the hosting company (or anyone who can get hold of your source stored there) could easily crack it wide open.

    I suppose when it comes right down to it external hosting just isn't the best place to keep your plans for world domination.

  4. #4

    Thread Starter
    Next Of Kin baja_yu's Avatar
    Join Date
    Aug 2002
    Location
    /dev/root
    Posts
    5,989

    Re: Online database question (not related to Avatar)

    Thanks dilettante for your reply. I was thinking about the same approach for passwords, but like you said, if I encrypt the data, the webpage scripts would have to hold the key for decryption so that doesn't work. One way would be to have the page files and the database on different servers/hosting companies (so no person has access to both) if that's possible at all, but would be too much hassle.

    Since the data is only sensitive locally (protection against local competitors), it would probably be best/enough to host everything in a different country.

    Thanks again for your suggestions.

  5. #5
    PowerPoster techgnome's Avatar
    Join Date
    May 2002
    Posts
    34,687

    Re: Online database question (not related to Avatar)

    Don't encrypt... hash... make it one-way.... when a user then logs in, the password they entered gets hashed and compared to the stored hash. That way you don't decrypt anything, and even if someone sneaks a peek at the data, the passwords are useless.

    "Since the DB is publicly searchable and such" -- that's news to me... mine isn't... it sits behind a firewall, so it can only be gotten at from inside the network.

    If the data is THAT sensitive... store it yourself on your own servers.

    -tg
    * I don't respond to private (PM) requests for help. It's not conducive to the general learning of others.*
    * I also don't respond to friend requests. Save a few bits and don't bother. I'll just end up rejecting anyways.*
    * How to get EFFECTIVE help: The Hitchhiker's Guide to Getting Help at VBF - Removing eels from your hovercraft *
    * How to Use Parameters * Create Disconnected ADO Recordset Clones * Set your VB6 ActiveX Compatibility * Get rid of those pesky VB Line Numbers * I swear I saved my data, where'd it run off to??? *
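
The hash-and-compare logon check described in posts #3 and #5, as an added example that is not code from any poster in this thread. It sets the unsalted MD5 row beside a per-user salted PBKDF2-HMAC-SHA256 row (PBKDF2 is swapped in here as the "harder" hash); the function names, record layout, iteration count and sample accounts are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def weak_record(password: str) -> str:
    """Unsalted MD5: identical passwords always produce identical rows."""
    return hashlib.md5(password.encode()).hexdigest()


def make_record(password: str) -> dict:
    """Run at account creation and on every password change."""
    salt = os.urandom(16)  # fresh random salt per user, stored beside the hash
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}


def verify(password: str, record: dict) -> bool:
    """Re-hash the submitted password with the stored salt, then compare."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode(),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def demo() -> dict:
    # Constructed sample accounts: two users who picked the same password.
    users = {"alice": "correct horse", "bob": "correct horse"}
    table = {name: make_record(pw) for name, pw in users.items()}
    return {
        "weak_rows_match": weak_record(users["alice"]) == weak_record(users["bob"]),
        "salted_rows_match": table["alice"]["hash"] == table["bob"]["hash"],
        "good_login": verify("correct horse", table["alice"]),
        "bad_login": verify("wrong horse", table["alice"]),
        "password_in_row": "correct horse" in str(table["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Someone at the hosting company who copies this table gets only salts and digests; any other column the site must read back in clear is still exposed, as post #3 points out.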

  6. #6
    PowerPoster Nightwalker83's Avatar
    Join Date
    Dec 2001
    Location
    Adelaide, Australia
    Posts
    13,344

    Re: Online database question (not related to Avatar)

    @ baja vu,

    I was thinking the same thing! I have hosted my websites on free web hosts and notice that they change your websites and add their own code to them without permission. I haven't noticed whether my php scripts for my database have been compromised though.

    Also, about user accounts, I know that phpmyadmin allows you to add information to the users table and create your own users and passwords. However, for on-line hosts this method is disabled.
    when you quote a post could you please do it via the "Reply With Quote" button or if it multiple post click the "''+" button then "Reply With Quote" button.
    If this thread is finished with please mark it "Resolved" by selecting "Mark thread resolved" from the "Thread tools" drop-down menu.
    https://get.cryptobrowser.site/30/4111672

  7. #7

    Thread Starter
    Next Of Kin baja_yu's Avatar
    Join Date
    Aug 2002
    Location
    /dev/root
    Posts
    5,989

    Re: Online database question (not related to Avatar)

    @techgnome, the data isn't that strictly confident. For example, a database that Wikipedia has of its articles. Visitors need to see data from it, I know it can be scraped, but I want at least to prevent someone from just simply copying it. Since the data will only be locally relevant, I don't think a host from another country would be interested in it.

    @Nightwalker83, I will be using a paid host of course. Nowadays it's cheap enough that anyone can afford it. Using a free host is just not worth the hassle.

  8. #8
    PowerPoster Nightwalker83's Avatar
    Join Date
    Dec 2001
    Location
    Adelaide, Australia
    Posts
    13,344

    Re: Online database question (not related to Avatar)

    Quote Originally Posted by baja_yu View Post
    @Nightwalker83, I will be using a paid host of course. Nowadays it's cheap enough that anyone can afford it. Using a free host is just not worth the hassle.
    Well, I would think that you get what you paid for! The more you pay the better the security and honesty on the host would be. That being said I paid $31.62 USD for 3 months hosting.