This question stems from a job interview I had. The interviewer asked me about a website I had built.
I was fresh out of school and was still doing a lot of things wrong because I didn’t know any better and
had no one to ask. When I laid out the website for my interviewer on the whiteboard he was surprised that
I didn’t use a web service to access my database. He suggested that this was not secure
but didn’t go into detail. They thought had never occurred
to me to do this as a security measure and I thought I was wrong for not doing it. My code was all one one page.
No MVC, my php connections and all my php/mysql select, inserts, etc were all written in php on the same file
as my html / javascript and everything else (wrong for various reasons but not the topic at the moment).
My page was protected by https and I thought that was enough. Also looking back on it he may not
have known my database was on the localhost. The confusion in the question steams from my lack of knowledge
at the time and now.
So the real question (I guess) should be, did I need to have a webservice like Soap acting
as an in between my database to make my site secure(even though it was a localhost)? My assumption being that
the soap server would do all of the mysql statements and return the values I was interested in. Or alternatively the SAOP Sever would
get the Mysql database to execute mysq functions and the values (which would I think add real security value).
I thought that because I was using server side php and https that I would be secure
(other than things like a mysql injection but I had other things to account for that like mysql_real_escape_string()
and some other stuff).
In Short
My question is would using soap to separate things between the main page file and the file that
actually did the php mysql select statements on a localhost add any security value vs https. Couldn’t I just get the php to
connect and then use the Mysql server to execute some mysql functions with the pages protected with https ? Wouldn’t that be secure ?
Aside from me not using an MVC model can you offer some sage advice on the https vs SOAP?
I am trying to do some self-study in php. I am working in another language now mainly writing scripts.
I have a really passion for php and I want to learn but don’t know where to reliably turn.
Thanks
You are mixing the concepts of protecting access to your database, and protecting access to your web service.
You must follow best-practices to protect your database, no matter what web service architecture you use (prevent SQL injection, certainly don’t expose credentials, physically separate the DB from the web service server via a firewall, etc.).
If your web service is not meant to be available to the general public, you must separately control access to the web service. Both SOAP and REST provide solid mechanisms to do just that.
SOAP itself does not protect access to files on the server. It provides a mechanism to protect access to the web service.
UPDATE
It is a silly notion to require a web service between a website and a database for “security” purposes. A web service should be thought of as an alternative interface for accessing functionality, not as a security layer.
In fact, unless you hide your web service from the public, hackers will just attack the web service rather than (or in addition to) the website. If you do hide it from public view, you have invested quite a bit of Engineering effort for zero benefit.
From an architectural perspective it is wise to separate data access from the user interface (whether or not the layers run on the same or different machines). In the ASP.Net world, the Repository and Unit of Work patterns are quite common. I’m not sure which patterns are commonly used in PHP. Creating a separate web service for only for DB isolation is certainly not such a pattern.