
secure database


powmonkey
4-18-07, 07:14 PM
If I want to have a form's data sent to a secure database, how do I go about doing this?

YvetteKuhns
4-20-07, 06:40 PM
Try this free open source PHP form processing script that stores data in MySQL database (http://www.formtools.org/) or search hotscripts.com for another form processing script that you may like.

powmonkey
4-23-07, 03:22 PM
Thank you for your response, Yvette. I have already created the form using phpFormGenerator, I just didn't know if the DBs on Powweb are secure; some of the info on the form is sensitive data (credit card info), and I want to make sure there will be no security issues.

YvetteKuhns
4-23-07, 04:30 PM
Are your php forms protected? You don't want anyone to be able to view your database login information. PowWeb doesn't allow anyone to remotely connect to a database, either. That means better security.

powmonkey
4-23-07, 05:16 PM
define "protected"
:D

YvetteKuhns
4-23-07, 06:32 PM
Some guy with a helmet, a suit of armor and a sword says, "Halt, who goes there?". If you don't know the secret password, off with your head! :D

phpFormGenerator will create your database for you. You need to define your $hostname, $username, $password variables and your database name in the admin folder. Be sure your scripts are chmod to 755 and not 777 for better security.

If you used the phpFormGenerator and opted not to create a database, you may need to start a NEW form which is basically a copy of the old form, but your database will be created.

I didn't use this script. If the database option is chosen, I believe the email notice sent will ask you to login to the database admin to view the form submissions. That is how it should be.
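The advice above to keep scripts at 755 rather than 777 can be checked from a script as well as from an FTP client. The following is an added example, not code from the thread, from phpFormGenerator or from PowWeb: it walks a directory tree and lists every file or directory whose mode grants write access to "other" (the 777 case). The root path is whatever you pass on the command line; the default of the script's own directory is an assumption for the demo.

```php
<?php
// Added example: audit a directory tree for world-writable files and folders.
// Assumption: $root is the document root of the site (e.g. public_html).

/**
 * Return the last three octal digits of a path's mode, e.g. "644" or "755".
 */
function octalMode(string $path): string
{
    return substr(sprintf('%o', fileperms($path)), -3);
}

/**
 * Recursively collect entries that are writable by everyone.
 * Returns [path => mode] for each offending file or directory.
 */
function findWorldWritable(string $root): array
{
    $bad = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    // Check the root itself, then everything beneath it.
    $paths = [$root];
    foreach ($it as $path => $_) {
        $paths[] = $path;
    }
    foreach ($paths as $path) {
        // Octal 0002 is the "other" write bit; set means anyone on the host can modify it.
        if (fileperms($path) & 0002) {
            $bad[$path] = octalMode($path);
        }
    }
    return $bad;
}

// Usage: php audit-perms.php /path/to/public_html
$root = $argv[1] ?? __DIR__;
$offenders = findWorldWritable($root);
if ($offenders === []) {
    echo "No world-writable files or directories under $root\n";
} else {
    foreach ($offenders as $path => $mode) {
        echo "$mode  $path\n";
    }
    echo count($offenders) . " entries to tighten (755 for directories, 644 for PHP files, 755 for CGI)\n";
}
```

Run it once from a shell on the host (or as a one-off page you delete afterwards) and fix anything it lists with the FTP client's CHMOD dialog as described later in the thread; nothing under a web root normally needs the world-write bit.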

powmonkey
4-23-07, 07:39 PM
Ahhhh... I was looking for the guy with the helmet.... he definitely would have been easier to spot than something in the coding!

OK, so I do have the hostname/username/password variables in the admin folder. How do I check that my scripts are chmod to 755 and not 777?

Also, does this ensure that when the form data is sent, that it is encrypted? Or is this another realm of security I got to figure out?

YvetteKuhns
4-24-07, 08:18 AM
Ahhhh... I was looking for the guy with the helmet.... he definitely would have been easier to spot than something in the coding!

I agree. There is no such thing as secure as long as your information is accessible via Internet. But there are methods to increase security.

How do I check that my scripts are chmod to 755 and not 777?

Use an FTP program such as FileZilla, highlight/select a folder or file on the web server, right-click and select File Attributes. If using CuteFTP or another program, you may select CHMOD. PHP scripts are usually set to 644. CGI/Perl scripts are usually set to 755. Directories (folders) are usually set to 755.

Also, does this ensure that when the form data is sent, that it is encrypted?

Many people don't encrypt an entire database. In fact, some people rely on the admin login into the secure server to access the database and don't encrypt anything. Some people just encrypt passwords. Logging into the admin section of your website using the secure URL is weak security, but better than logging into your webmail that is not on the secure URL.

There are different methods of encryption. One is called MCrypt (http://mcrypt.sourceforge.net/) and is explained in an article (http://www.informit.com/articles/article.asp?p=712187&seqNum=5&rl=1) for better understanding. Another is called DeGPG (http://www.geckotribe.com/degpg/README.degpg.html) that uses GPG and Perl with your MySQL database.

One script (http://secure-password-store.l-m-photonics-ltd.qarchive.org/) encrypts the login to the database, but it also allows you to import or export your database in plain or encrypted format. Encrypted data is also referred to as cipher text.

PHP encryption for the common man (http://www-128.ibm.com/developerworks/opensource/library/os-php-encrypt/) will explain the options I listed. There are more resources below the article.

Remember that whatever data is encrypted must be decrypted. You wouldn't share personal data, so that should be encrypted. You may want to allow visitors to search articles on your website, so you would not encrypt articles stored in a database.
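The posts above describe encrypting only the sensitive fields, keeping searchable ones in the clear, and keeping the database login out of reach of visitors. The following is an added example, not code from the thread, phpFormGenerator or PowWeb, and it uses PHP's bundled sodium extension (PHP 7.2 and later) in place of the MCrypt library mentioned above, which has since been removed from PHP. The key file path, the in-memory SQLite table standing in for MySQL, and the form values are all assumptions for the demo; as the later replies in this thread say, card numbers should not be stored at all, so the encrypted field here is a phone number.

```php
<?php
// Added example: encrypt one form field before it is stored, decrypt it for the admin view.
// Assumptions: sodium extension available; key kept in a file outside the web root
// (a temp path is used here only so the demo runs anywhere); SQLite stands in for MySQL.

/**
 * Load the 32-byte secret key, creating it on first use.
 * A key outside the document root cannot be fetched by a web request.
 */
function loadKey(string $file): string
{
    if (is_file($file)) {
        return file_get_contents($file);
    }
    $key = sodium_crypto_secretbox_keygen();
    file_put_contents($file, $key);
    chmod($file, 0600); // owner read/write only, in the spirit of the 755-not-777 advice
    return $key;
}

/**
 * Encrypt one field. A fresh random nonce is prepended so two identical
 * plaintexts never produce the same stored value.
 */
function encryptField(string $plain, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($plain, $nonce, $key));
}

/**
 * Reverse encryptField(); returns null if the stored value was altered
 * or was encrypted under a different key (the MAC check fails).
 */
function decryptField(string $stored, string $key): ?string
{
    $raw = base64_decode($stored, true);
    $minLen = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $minLen) {
        return null;
    }
    $nonce  = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain  = sodium_crypto_secretbox_open($cipher, $nonce, $key);
    return $plain === false ? null : $plain;
}

// --- demonstration ---
$key = loadKey(sys_get_temp_dir() . '/form-secret.key'); // real deployments: a path outside public_html
$db  = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE submissions (id INTEGER PRIMARY KEY, name TEXT, phone_enc TEXT)');

// Constructed form input; a real handler would read these from $_POST.
$name  = 'Jane Example';
$phone = '555-0100';

// Prepared statement: values are bound as parameters, never concatenated into the SQL.
$ins = $db->prepare('INSERT INTO submissions (name, phone_enc) VALUES (:name, :phone)');
$ins->execute([':name' => $name, ':phone' => encryptField($phone, $key)]);

// Admin-side view: the searchable field stays plain, the sensitive one is decrypted on demand.
$row = $db->query('SELECT name, phone_enc FROM submissions')->fetch(PDO::FETCH_ASSOC);
echo 'stored as: ' . $row['phone_enc'] . "\n";
echo $row['name'] . ': ' . decryptField($row['phone_enc'], $key) . "\n";

// Tampering with the stored value makes decryption fail closed rather than return garbage.
$tampered = substr_replace($row['phone_enc'], 'A', 5, 1);
echo 'tampered decrypts to: ' . var_export(decryptField($tampered, $key), true) . "\n";
```

The secretbox construction authenticates the ciphertext, so a modified row yields null instead of a corrupted plaintext. Whoever can read the key file can decrypt everything, which is why it lives outside the document root with owner-only permissions, and why the database login itself still needs the same protection the thread describes.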

dmacminn
5-3-07, 06:58 PM
Regardless of the security used, you should really use a payment processor instead of database security for handling financial transactions. I would have to offer that storing people's credit card numbers on a web-accessible system is to be avoided wherever possible. At most they should cache a cookie on their side that they authenticate using an SSL connection.

As always ...

YvetteKuhns
5-3-07, 08:10 PM
some of the info on the form is sensitive data (credit card info)

Regardless of the security used, you should really use a payment processor instead of a database security for handling financial transactions--- I would have to offer that storing peoples' Credit Card numbers on a web accessible system is to be avoided wherever possible.

I should have mentioned that credit card info and social security numbers should never be stored online, yet some people still do that. I have discussed this in other threads - see e-commerce or other stuff I posted.

Are you passing the credit card number to an online payment processor or are you storing the numbers to process in-house via telephone? I suspect the latter is what you are doing. (sigh)