From owner-freebsd-questions@FreeBSD.ORG Tue Sep 7 06:50:13 2004 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C9E5916A4CE for ; Tue, 7 Sep 2004 06:50:13 +0000 (GMT) Received: from skutsje.san.webweaving.org (skutsje.san.webweaving.org [209.132.96.45]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9DB6343D39 for ; Tue, 7 Sep 2004 06:50:13 +0000 (GMT) (envelope-from dirkx@webweaving.org) Received: from skutsje.san.webweaving.org (localhost [127.0.0.1]) i876cAIc049657 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 6 Sep 2004 23:38:10 -0700 (PDT) (envelope-from dirkx@webweaving.org) Received: from localhost (dirkx@localhost)i876cAHJ049654; Mon, 6 Sep 2004 23:38:10 -0700 (PDT) (envelope-from dirkx@webweaving.org) X-Authentication-Warning: skutsje.san.webweaving.org: dirkx owned process doing -bs Date: Mon, 6 Sep 2004 23:38:10 -0700 (PDT) From: Dirk-Willem van Gulik X-X-Sender: dirkx@skutsje.san.webweaving.org To: FreeBSD Mail Lists In-Reply-To: <32b19d296fd997fbb8e7d362d85321ef@untoldfaith.com> Message-ID: <20040906233205.H1926@skutsje.san.webweaving.org> References: <32b19d296fd997fbb8e7d362d85321ef@untoldfaith.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII cc: Questions Subject: Re: Update Databases from Webserver X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 07 Sep 2004 06:50:13 -0000 On Mon, 6 Sep 2004, FreeBSD Mail Lists wrote: > I would like to see how other people are updating backend databases > (postgresql on FreeBSD, internal network) from a webserver (apache,php > on FreeBSD, dmz network) through a firewall. Pretty much what I am > trying to learn is how to take private information (credit card numbers, > etc.) and write it to a backend database without leaving any huge holes > for hacking. Should this be done or am I barking up the wrong tree, > should there be an intermediary step? I have been trying to find > information books/web that gives a real nuts and bolts way of trying to > do this stuff and am not having a lot of luck. Any pointers books or > sites would be appreciated. First thing to consider - do you -have- to store things like credit card numbers ? Most clearing houses can be negotiated with on-line; during the transaction and all you need to capture is an authorization ack. That already makes things a lot safer. Secondly - carefully consider what you need to have on your webserver; do you really have to store a name/address there long term; or is a login and some preferences enough ? Thirdly consider making the flow a one way street: using things like a PGP email with just the public key on the web server; i.e. shunt any private information into an encrypted email - send it to your systems in-house; and only have the decryption key behind the firewall; and thus only keeping the bare essentials on your server. Dw