I am developing an internet site which calls .PHP scripts to inject data right into a MySQL database.
Because there's no security on these .PHP scripts, anybody on the planet could run them over the internet when they understood the correct parameter names and inject data into our database.
I understand hardly any about security so I am searching for a strategy to secure these "web services".
I have read that using SSL might be what you want but I am unsure.
If anybody might make a recommendation and point me to some tutorial or website regarding how to implement i could be greatly appreciative.
We're using Apache web server incidentally in the event that matters.
SSL won't solve the issue alone. If a person can hit
http://yoursite.com/service.php, they are able to also hit
https://yoursite.com/service.php. SSL simple guarantees the actual data groing through the wire is encoded. But an encoded injection request will have a similar effect like a standard unencrypted one - you will still have data injected in to the database.
The thing you need is really a password system of some kind. A simplistic minimal system would need a secret word to become sent together with each request, and then any request without that word will get declined/overlooked. however, then you've to help keep this secret word secret, and absolutely nothing on the internet stays secret for very lengthy.
Next is setting a particular answer to each approved user of the service. Nothing would avoid the customers from discussing their key with other people, however there is a per-user key that you could find and pummelled the one who DID share their key.
Past that, you should use HTTP level authentication, combined with per-user access secrets, that ought to prevent casual poking in the API. With no http-level password, the API script isn't even invoked, as well as when it's, the correct API key should be present too.