Re: Security concerns...

transpar3nt wrote:
Hello all, first time poster, long time reader. I have been studying
PHP and web development for a while now but have never taken on a paid
project with it until now. I have been asked by a dermatology clinic
to redesign their website with a portion that allows the patient to
create an account with the site and enter their personal information
so it is ready for the doctors to access when the patient arrives for
a check up.

My concern is that this requires some pretty sensitive information
being submitted and stored in our database. We plan to use SSL for
that whole segment of the site and MD5'd passwords and salted
encryption for the data, but I was wondering if you guys had any
suggestions on how I may take security to the next level with the
resources at hand (PHP/MySQL back-end, Network Solutions is the host).
Speaking of NS, the doctors asked that I cut cost as best I can and NS
has a free shared SSL cert. available that would just use a different
URL (under their fixed IP domain). Would that be a viable low-cost
solution, or is there a security concern with a shared certificate?

My last question is about PDF. When the customer enters their patient
history, etc. into the site the doctors would like it to generate a
PDF file with all their info so all the patient has to do is print it
out and bring it in all nice and pretty. I know full well how to pull
that off with ColdFusion, but I was hoping there would be an easy
solution with PHP to do the same thing. All I can find so far is very
in-depth and complex work-arounds.

Thanks for any help that you may provide!!!

- Keith
casperghosty at gmail , com


Keith,

If you're in the U.S., you are correct to be worried about security. Before starting on anything dealing with the medical profession, you need to research HIPAA regulations and ensure you follow them.

And BTW - I would never collect any of this information on anything but an in-house host. You need physical security of the host, also.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@xxxxxxxxxxxxx
==================
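The storage plan in Keith's post (MD5'd passwords, salted encryption of the patient data) is the part a reviewer would push back on; below is an added PHP example, not code from either poster, showing the shape that replaces it: `password_hash`/`password_verify` instead of MD5, and libsodium authenticated encryption for the stored patient fields. The environment variable name `PATIENT_DATA_KEY`, the table layout in the comment and the sample record are assumptions.

```php
<?php
// Added example, not from the thread: password storage and field encryption
// for a PHP/MySQL patient-intake form. Needs PHP >= 7.2 (password_hash and the
// bundled sodium extension). Assumes the key arrives via an environment
// variable and is never stored in the database or under the web root.
declare(strict_types=1);

// Salted, deliberately slow password hash; MD5 is neither.
function hashPassword(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT);
}
function checkPassword(string $password, string $storedHash): bool {
    return password_verify($password, $storedHash);
}

// 32-byte data key, hex-encoded in PATIENT_DATA_KEY (assumed variable name).
function loadDataKey(): string {
    $hex = getenv('PATIENT_DATA_KEY');
    if ($hex === false || strlen($hex) !== 2 * SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('PATIENT_DATA_KEY missing or wrong length');
    }
    return sodium_hex2bin($hex);
}

// Authenticated encryption of one field; the random nonce is stored with it.
function encryptField(string $plaintext, string $key): string {
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($plaintext, $nonce, $key));
}
function decryptField(string $encoded, string $key): string {
    $raw = base64_decode($encoded, true);
    if ($raw === false || strlen($raw) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        throw new RuntimeException('malformed ciphertext');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open(substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('ciphertext failed authentication (tampered or wrong key)');
    }
    return $plain;
}

// Constructed sample record; the real insert would use a prepared statement:
// INSERT INTO patients (email, pw_hash, history_enc) VALUES (?, ?, ?)
$key = loadDataKey();
$pwHash = hashPassword('correct horse battery staple');
$historyEnc = encryptField('constructed sample: eczema, penicillin allergy', $key);
var_dump(checkPassword('correct horse battery staple', $pwHash));
var_dump(decryptField($historyEnc, $key));
```

Encrypting fields this way protects a database dump or backup, but not a compromised web host that holds the key in its environment, which is the point behind the in-house hosting advice above.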
