Oxwall security | Forum

Atul V
Atul V May 26 '16
Hello All,


I have just discovered Oxwall as part of my quest for a starting point for creating a private social network for a rather publicity-shy bunch of professionals. I like most of what I see and I am planning to download it and try it out for myself. However, in the meantime I am hoping that someone here might be able to provide quick answers to the following:


a. As far as I can tell Oxwall uses a MySQL backend. Is it, or can it be, fully encrypted so that in the event of the DB falling into the wrong hands you are not handing over the keys to the kingdom?

b. Does Oxwall allow for, or can it be re-engineered to allow for, two factor authentication?


I am a pretty decent PHP & MySQL developer so I can handle such and other issues myself.  I am curious to know how good the support community out here is.


Thanks in advance.

dave Leader
dave May 26 '16
Hi Atul and welcome to Oxwall :)


Regarding your questions,


Ross, our team member for the forums, will have to chime in on these as he would have a better idea, but I can at least offer my thoughts to you.


A. I have never tried to encrypt the backend with something like ionCube. But my initial guess is that the updates from Oxwall might fail and also the cron might have an issue with it as well as the plugins. I am not saying it can't be done but it might be an interesting integration challenge. But of course Ross will know much better than me.


B. This is def something for Ross to answer, I would not know where to start on that one.


Regarding support - If you are in the USA as I am, then they work when we sleep. I am a night owl so I am up with them. The support here is fair, you will see if you poke around that questions get answered. There may be times you may have to wait a bit, but we also have volunteers such as myself and other community members that like to help people.


Even though they may not know the answer, they will try to help and learn together because they know that working together everyone wins.   We also have some Oxwall veterans around that will help as well. 


Like all entities on the web Oxwall faces many of the same challenges. The team is small but they do a pretty fair job considering their size and what they have to do. People come and people go as with all communities and that includes staff members and community members.  And it is times like these that really show the dedication and devotion of other community members that love this software.  


As you know being a developer yourself all things have issues and just when you get something pretty perfect someone deprecates something or times change, needs change, and we have to start all over again. :)


I find that most of the issues either have to do with very very large sites as in 10-20 thousand members at times or sites that have a funky setup. I very rarely have an issue with the software myself. But for those (and forgive me here as I am really rusty on these things) those that have Xampp, wamp, Windows installs, or some other really funky setup that push the bounds of the software are the ones I notice with most of the issues.


I find that if you are going to run this on a Linux, Apache, cPanel setup then you should have very little issue. And of course that is what I am used to and feel comfortable with as well so that could be a big reason for that. Also because now that I'm over 50+ I want everything automated so I don't have to think too much :)


I think if you give Oxwall a real chance you will learn to love it as many of us do. Also in time when you feel comfortable we always need more good honest plugin developers that will support their products. There are plenty of people on here to help you with that too when you feel ready :)


Again welcome to Oxwall, hope you'll stick around a while :)



The Forum post is edited by dave May 26 '16
Darryl B Leader
Darryl B May 26 '16
Dave answered most, but there is a plugin in the store for two factor authentication. There are a couple more for SMS verification.

https://developers.oxwall.com/store/item/861
dave Leader
dave May 26 '16
Good find DB :)
Atul V
Atul V May 26 '16
Thank you, Dave & Darryl. It is good to know that two factor authentication can be taken care of so easily. Perhaps my other question was less clear:


What I meant was: does Oxwall by default encrypt everything that goes into the database? If not, does its architecture use a nice clean DB access layer that would allow me to engineer such encryption myself by simply replacing that layer?


There are those who would argue at this point that database encryption entails a performance hit. While that is true, for the job I presently have at hand that is not an issue. The particular group of professionals to whose needs I am catering here have very deep pockets so throwing more server firepower to absorb the performance hit is not an issue.


Naturally, there is an issue with file uploads - there are those who will argue that if the system is compromised unencrypted files can be snooped upon before they reach the server.  The solution I would implement at that end would be to subject them to encryption before they leave the user's browser.  If OxWall has a good plugin architecture - and from what I have seen it does - this should not be too difficult.


Finally, Dave - even if I wanted to encrypt the entire codebase (which I don't think is required) I would not go down the route of IonCube which I feel does little more than offer the perception of security since it is so easy to reverse the code obfuscation that it performs.  


The weak link in an interpreted language like PHP is the fact that anyone who can grab the server side code has immediate access to the database - just grep around to find out where PDO is being used to get a database connection and you are in business.  The solution I have tended to implement to suppress this issue in recent years is to perform all DB operations in a PHP plugin written in Zephir.


Thank you once again for the answers.  If anyone has a contribution to make to the issue of database encryption I would be most grateful.

The Forum post is edited by Atul V May 26 '16
ross Team
ross May 30 '16
We do not encrypt everything that goes into database. 

However this can be implemented. 

Our devs say this can be done via ow_database class in ow_core/database.php file

Atul V
Atul V May 31 '16
Thanks, Ross.  I checked out ow_core/database.php.  I can see that encryption would be relatively easy to implement.  The thing that I am really starting to like about OxWall... - whenever I see the code I find myself thinking "that is the way I would write it".  Rewriting database.php and even moving it to a PHP extension written in Zephir should not be too difficult.  
ross Team
ross Jun 1 '16
Great, we would really appreciate it if you share your findings and the end result. I believe our community members will find it very useful.
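
As an added illustration of the approach discussed in this thread (encrypting selected fields inside the database access layer), the following example is not part of the original posts and is not Oxwall's code. `EncryptingDb`, the `demo_msg` table and its schema map are hypothetical names, and an in-memory SQLite database stands in for MySQL.

```php
<?php
// Hypothetical wrapper (PHP 8+, ext-sodium, PDO), not Oxwall's ow_database class. $schema: table => [column => encrypt?]
final class EncryptingDb
{
    private const N = SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES;
    public function __construct(private PDO $pdo, private string $key, private array $schema) {}

    public function insert(string $table, array $row): int
    {
        // The schema map doubles as an allow-list, because identifiers cannot be bound as parameters.
        $cols = $this->schema[$table] ?? throw new InvalidArgumentException("unknown table $table");
        if (array_diff_key($row, $cols)) throw new InvalidArgumentException('unknown column');
        foreach ($row as $c => $v) {             // AAD binds each ciphertext to its table.column
            if ($cols[$c] && $v !== null) $row[$c] = $this->seal((string) $v, "$table.$c");
        }
        $sql = "INSERT INTO $table (" . implode(',', array_keys($row)) . ') VALUES (' . rtrim(str_repeat('?,', count($row)), ',') . ')';
        $this->pdo->prepare($sql)->execute(array_values($row));
        return (int) $this->pdo->lastInsertId();
    }

    public function find(string $table, int $id): ?array
    {
        $cols = $this->schema[$table] ?? throw new InvalidArgumentException("unknown table $table");
        $st = $this->pdo->prepare("SELECT * FROM $table WHERE id = ?");
        $st->execute([$id]);
        if (($row = $st->fetch(PDO::FETCH_ASSOC)) === false) return null;
        foreach ($row as $c => $v) {
            if (($cols[$c] ?? false) && $v !== null) $row[$c] = $this->open($v, "$table.$c");
        }
        return $row;
    }

    private function seal(string $plain, string $aad): string
    {
        $n = random_bytes(self::N);              // fresh random nonce per value, stored in front of the ciphertext
        return base64_encode($n . sodium_crypto_aead_xchacha20poly1305_ietf_encrypt($plain, $aad, $n, $this->key));
    }
    private function open(string $stored, string $aad): string
    {
        $raw = (string) base64_decode($stored, true);
        $plain = strlen($raw) > self::N ? sodium_crypto_aead_xchacha20poly1305_ietf_decrypt(
            substr($raw, self::N), $aad, substr($raw, 0, self::N), $this->key) : false;
        return $plain !== false ? $plain : throw new RuntimeException("decrypt failed for $aad");
    }
}
// Constructed demo; a real deployment loads the key from the environment or a KMS, never from the code base.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE demo_msg (id INTEGER PRIMARY KEY, sender TEXT, body TEXT)');
$db = new EncryptingDb($pdo, sodium_crypto_aead_xchacha20poly1305_ietf_keygen(), ['demo_msg' => ['sender' => false, 'body' => true]]);
$id = $db->insert('demo_msg', ['sender' => 'alice', 'body' => 'meet at 9']);
echo $pdo->query('SELECT body FROM demo_msg')->fetchColumn(), "\n", $db->find('demo_msg', $id)['body'], "\n";
```

The first line printed is what someone holding only a database dump would see, the second is what the application reads back. Encrypted columns can no longer be filtered, sorted or indexed in SQL, and the protection holds only while the key is kept apart from both the database and the PHP source.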