Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

web technologies + security concerns

  • 14-08-2008 11:21am
    #1
    Registered Users, Registered Users 2 Posts: 648 ✭✭✭


    hi,

    im in the feasibility study period for a big website - it would involve 10's of thousands of users from schools and universities - the unis would have lots of sensitive info (not credit card info) just purchasing stats etc etc

    - what are the secuirty concerns i need to address here - and what are the tech solutions ? https authentication, ssl cert


    - is php+mysql the best solution considering there would be tables with several million records over time
    what are the big sites running ? anyone every come across some articles discussing building websites for large user bases ?

    tnx


Comments

  • Registered Users, Registered Users 2 Posts: 7,740 ✭✭✭mneylon


    How many concurrent users?

    You'll probably need to google articles related to scaling :)


  • Registered Users, Registered Users 2 Posts: 2,413 ✭✭✭Stab*City


    i have built large multi-lingual sites which get 1000's of hits a day.. my weapons of choice are asp.net, CSS & XML front ends with a sql back end database.. most of these sites are hosted on our own servers.. which is an advantage.. an ssl connection is vital if the information is sensitive.. as for scaling we never have any problems as all of the above are very robust and can handle large amounts of data with ease.. hope this helps.. would you be doing all the work yourself or are you planning to outsource some of it.. reason im asking is it sounds like alot of work for one person..


  • Registered Users, Registered Users 2 Posts: 7,740 ✭✭✭mneylon


    Stab*City wrote: »
    as for scaling we never have any problems as all of the above are very robust and can handle large amounts of data with ease..

    huh?

    Just because the technology might be able to handle large quantities of data does not mean that choosing it will negate issues

    If you don't plan to scale you will hit brickwalls and bottlenecks


  • Registered Users, Registered Users 2 Posts: 2,793 ✭✭✭oeb


    As blacknight says scaling is one of the main issues. Any site of that size is likley going to need to run on multiple servers.

    With regard to security, there are a number of place a website can be attacked.

    Through your code
    This is typicially down to security holes you do not close properly (SQL injection, session hijacking, forgetting to check if a person is logged in, not hashing passwords etc) This can be avoided by getting someone who knows what they are doing to write the system, and by following it up with penetration testing. There are companies who specialise in this.

    Through your platform
    This is down to things such as holes that may be discovered in the technoligys you are using. For example, a bug may appear in your database software, or due to an unpatched security hole in your operating system. This can be rectified by either keeping all your systems up to date with the latest security patches, or by paying someone else to do it. Most hosting providers offer some form of managed hosting that includes security updates. I'm sure if you speak to them directly they will be happy to advise you. Once again there are companies who specialise in auditing and testing this, just make sure you check with your hosting provider before he assumes it's under attack by actual hackers =)

    Through your users
    This relates to things like unsafe password management (For example a school official having his name or the name of his school as the password, or an official who keeps his password written on a sticky note attached to his monitor). This also covers attacks at the users side (Trojans, keyloggers etc). TBH, there is not a whole lot that can be done with this. You can force people to use longer passwords with letters+numbers, you can force users to change their passwords on a regular basis and you can also do things like monitor logins (What IP they come from etc) and flagging them for your attention. That fleshy thing in front of the keyboard is often the weakest link in any well written system. About all you can do here is educate and cover yourself in your terms and conditions.

    Through the communication
    This relates to information that may be 'Sniffed' between your user and your server. This can be done by packet monitoring. There are plenty of ways to help protect you against this. For example SSL is a quick and easy method, and there are several code related methods too (For example Challenge-Response Authentication).


    Other precautions can of course be taken (For example encrypting the information in the databases, requiring a second (different) password to access sensitive information etc). It might be worth noticing that alot of things that will increase the security of your application are likely to make your software more hardware dependant.

    For example, an LAMP server serving out web pages pulling the info from the database will be able to support more concurrant users than one that also has to pass that database info through mcrypt, or even one that is serving all the pages through SSL!

    Hope this was of some help, let me know if you have any questions.


  • Registered Users, Registered Users 2 Posts: 2,413 ✭✭✭Stab*City


    blacknight wrote: »
    huh?

    Just because the technology might be able to handle large quantities of data does not mean that choosing it will negate issues

    If you don't plan to scale you will hit brickwalls and bottlenecks

    i think by choosing these technologies as opposed to php & mysql you would negate alot of issues.. obviously the software alone cant solve every problem that may arise from a site of the intended size.. but good tools will no doubt ease the fallout..

    i wasnt telling anybody that my way is best i was just telling what i use in hope that it may help the OP.. all the technologies i mentioned are v v scalable..


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 2,793 ✭✭✭oeb


    Stab*City wrote: »
    i think by choosing these technologies as opposed to php & mysql you would negate alot of issues.. obviously the software alone cant solve every problem that may arise from a site of the intended size.. but good tools will no doubt ease the fallout..

    i wasnt telling anybody that my way is best i was just telling what i use in hope that it may help the OP..

    These days a LAMP server is more than capable of maniging huge amounts of traffic, and is generally cheaper to run too. I have many sites with thousands and thousands of uniques per day running from LAMP, and I have plenty of high traffic high intensity web applications running on the same.


  • Registered Users, Registered Users 2 Posts: 7,740 ✭✭✭mneylon


    Stab*City wrote: »
    i think by choosing these technologies as opposed to php & mysql you would negate alot of issues.. obviously the software alone cant solve every problem that may arise from a site of the intended size.. but good tools will no doubt ease the fallout..

    i wasnt telling anybody that my way is best i was just telling what i use in hope that it may help the OP.. all the technologies i mentioned are v v scalable..
    I'm sorry, but that's absolute rubbish.

    Php + MySQL (and other OSS technologies) power some of the biggest sites and services online.

    M$ technologies might market themselves as coming with all sorts of extra "bling", but the reality is that the technology itself isn't the key deciding factor. The quality of the code and deployment is.

    Now you may feel comfortable using M$ technology and that is fine, but bluntly stating that they will scale and scale better than a LAMP solution is just not realistic

    if you want to go down the entire proprietary vs OSS route and had talked about Oracle, then maybe ...


  • Registered Users, Registered Users 2 Posts: 2,413 ✭✭✭Stab*City


    oeb wrote: »
    These days a LAMP server is more than capable of maniging huge amounts of traffic, and is generally cheaper to run too. I have many sites with thousands and thousands of uniques per day running from LAMP, and I have plenty of high traffic high intensity web applications running on the same.

    Likewise.


  • Registered Users, Registered Users 2 Posts: 2,413 ✭✭✭Stab*City


    blacknight wrote: »
    I'm sorry, but that's absolute rubbish.

    Php + MySQL (and other OSS technologies) power some of the biggest sites and services online.

    as does the tools i mentioned
    blacknight wrote: »
    M$ technologies might market themselves as coming with all sorts of extra "bling", but the reality is that the technology itself isn't the key deciding factor. The quality of the code and deployment is.

    exactly.. the marketing over at MS had very little to do with my selection.. the .net class libraries in my book are far superior to php functions even with addtional libraries tacked on.. plus they are much more organised.. the .net framework was built to handle many forms of code.. the web forms system built into .net has nothing in php to rival it.. then lets not forget ado.net as well for that solid database connection.. but your right its all about the code.. with good code it is half the hassle of php to get a good front end built on.. also .net is much faster.. all .net apps are compiled as oppossed to php witch need to be interperted .. to achieve the same speed using php additional software must be running on the server again adding to running costs..
    blacknight wrote: »
    Now you may feel comfortable using M$ technology and that is fine, but bluntly stating that they will scale and scale better than a LAMP solution is just not realistic
    php is just a scripting language as oppossed to .net which uses object orientated languages which give more control and useability..


  • Closed Accounts Posts: 35 dkell


    Here's a list of readings on Web Scalability - some interesting stuff...


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 2,793 ✭✭✭oeb


    Stab*City wrote: »
    as does the tools i mentioned



    exactly.. the marketing over at MS had very little to do with my selection.. the .net class libraries in my book are far superior to php functions even with addtional libraries tacked on.. plus they are much more organised.. the .net framework was built to handle many forms of code.. the web forms system built into .net has nothing in php to rival it.. then lets not forget ado.net as well for that solid database connection.. but your right its all about the code.. with good code it is half the hassle of php to get a good front end built on.. also .net is much faster.. all .net apps are compiled as oppossed to php witch need to be interperted .. to achieve the same speed using php additional software must be running on the server again adding to running costs..


    php is just a scripting language as oppossed to .net which uses object orientated languages which give more control and useability..


    Christ man, at least research what you are talking about.

    Both systems are compareable speedwise and capeability wise. Development platform is pretty much only dependant on personal prefrence. Both platforms are proven in very very large scale applications, both have minor advantages and disadvantages over each other. The OP did not ask for a language war, he asked for advice on security.

    For the record, read up on things like Zend, Cake, Pear, PHP 5 (And the upcoming 5.3).

    And here was me always under the impression that the comparable thing to an ASP 'web form' was any PHP page.

    And sure, to speed up PHP you might require additional software, this does not change the facts relating to the difference in footprint and software costing to set up the platform in the first place.

    Lets just leave it with the fact that all platforms, weather you want to go with Java, ColdFusion, .NET or PHP have been proven in the field. Base your decision based on the skillset of your developers and what they are capably of doing in their language of choice. There is no good or bad platform, there is only good and bad developers.


  • Registered Users, Registered Users 2 Posts: 2,413 ✭✭✭Stab*City


    oeb wrote: »
    Christ man, at least research what you are talking about.

    Both systems are compareable speedwise and capeability wise. Development platform is pretty much only dependant on personal prefrence. Both platforms are proven in very very large scale applications, both have minor advantages and disadvantages over each other. The OP did not ask for a language war, he asked for advice on security.

    For the record, read up on things like Zend, Cake, Pear, PHP 5 (And the upcoming 5.3).

    And here was me always under the impression that the comparable thing to an ASP 'web form' was any PHP page.

    And sure, to speed up PHP you might require additional software, this does not change the facts relating to the difference in footprint and software costing to set up the platform in the first place.

    Lets just leave it with the fact that all platforms, weather you want to go with Java, ColdFusion, .NET or PHP have been proven in the field. Base your decision based on the skillset of your developers and what they are capably of doing in their language of choice. There is no good or bad platform, there is only good and bad developers.

    how can a pre compiled application be the same speed as a php app that needs to be interpreted at runtime?? for the record i have read plenty about these php extensions.. and i have researched all of what i have said.. and i have givin reasons as to why i think what i do.. i have gave reasons why i think .net is better.. im not trying to twist anyones arm..


  • Registered Users, Registered Users 2 Posts: 2,413 ✭✭✭Stab*City


    oeb wrote: »
    The OP did not ask for a language war, he asked for advice on security.
    so why add fuel to the fire.


  • Registered Users, Registered Users 2 Posts: 2,413 ✭✭✭Stab*City


    is php+mysql the best solution considering there would be tables with several million records over time
    what are the big sites running ? anyone every come across some articles discussing building websites for large user bases ? tnx

    oeb maybe if u actually read the OP..


  • Registered Users, Registered Users 2 Posts: 2,919 ✭✭✭Bob the Builder


    blacknight wrote: »
    huh?

    Just because the technology might be able to handle large quantities of data does not mean that choosing it will negate issues

    If you don't plan to scale you will hit brickwalls and bottlenecks

    *cough* O2 Ireland *cough*

    Scaling, Performance/Speed and Downtime are the two biggest things in my unexperienced squeaky opinion.

    You want to access the information quickly, without errors, and downtime. You want to be able to expand easily without jeopardizing your existing structure. Customers/Users want to be able to have control, and yet not enough control to mess up the server.

    The Backend structures have to be consistent and easy to handle, especially when plugging programming languages in. Also, the bigger the situation on your hands, the more streamlined the database should be.

    For example, compare Google, with an ordinary small scale workplace where they collaborate. Google has a reputation for high performance, high control, large infrastructure, simple interface.

    Of course, I haven't a clue, but if I was doing it in the morning, that would be some of my primary concerns.


  • Registered Users, Registered Users 2 Posts: 648 ✭✭✭ChicoMendez


    thanks lads -

    some very interesting discussions above- they have given be a good idea of the area to research

    thanks oeb - that was a good post on areas to address

    thanks dkell - good bedtime reading there

    tnx


Advertisement