Hi All,
Currently I have a php based system with the db is hidden from outside world and only accessible locally after the vpn. The issue now I need to create a web based registration which will stay on another different server but I need to insert those data into the backend db. The problem now I only allow local ip of the web server to allow access to the db. How to secure this registration form data insertion which sits on a different server?

If you save informations from the web server that is behind the vpn, what is the purpose of the other server?
Or you want to synchronize data? I mean update db with informations already stored in the other server?

Hi Keefaz,
Ok let me explain.

1. First there the website which is purely html and static content. In it there is a registration form and user will key in their personal particulars and submit for verification which must be inserted into the db.

2. There is application site where there is a login page with user name and password which will be generated after user is verified. This web server will have both public and local ip. Thus I have enable that its local ip to be accessible to the db which will be also accessible locally only.

I still find this confusing. Please describe each host and their IP addresses and services separately and clearly.

Here is what I think you have said:

So this is a web server with static content to which information is submitted in an HTML form.

Let's call it HOST1 at IPADDR1.

"The db" would appear to refer to the database on another host described below...

Here you seem to describe a separate host with two IP addresses, one public and one local (via VPN).

Let's call it HOST2 with IPPUBLIC and IPLOCAL.

"The DB" appears to reside on HOST2, but you indicate that it, the DB, is only accessible locally via IPLOCAL, but not via IPPUBLIC.

Your question seems to be how to submit form data to HOST1 and have it inserted to DB on HOST2, is that right?

If not, please try to describe your setup more clearly and precisely.

Or, maybe, "local IP" is just 127.0.0.1 ??
Isn't it typical for the access to a database on a web server to be limited to localhost...at least that's the way I've always configured them.

Form on HOST1 calls script on HOST2 which updates the database...
Since the script is running on HOST2, it is "local" to the database.

Not sure where/how the "verification" is supposed to happen, tho. Is that a manual (human) process?

We definitely need more information.

But after posting form, the page is served by HOST2, so why not use HOST2 in the first place?

1 members found this post helpful.

Hi Keefaz,
I know I can use this method <form method="POST" action="http://HOST2/script_name.php"> that is from HOST1. The issue is HOST1 does not have a local ip so the db is not allowed to accept any external ip connections. I am thinking to run the form on HOST2 itself. Meaning from HOST1 when user click for the form it will bring to HOST2. Is it possible not to show the ip of the HOST2. Yes once they have filled the form the verification is by human process.

You said that HOST2 has both public and local ip, so no reason to hide public ip (local ip is still hidden)

Another solution is to use network library like curl to pass post variables from HOST1 to HOST2 and vice versa, it will get complicated, HOST1 will need server side scripting engine (PHP...), but it's doable.

Not sure, what you mean with that

If the script is run on HOST2, then it will be local to the db, yes? That it is called from HOST1 shouldn't matter.
That ^^ is the answer to your original question, right?

But, tell us the process flow from the HOST1 input form through verification and database update, please. I feel we don't have the entire picture.

1 members found this post helpful.

@OP: You have begun to use the imagined HOST# terminology I used as an example above, but without confirming whether it was correct or explaining your actual system requirements.

This leaves us all still guessing about what you are actually trying to accomplish. As stated by others, we still do not have the complete picture.

Please see the Site FAQ and links it provides for asking a complete well formed question and responding to those trying to help.

Perhaps you could describe the process as seen by the visitors, when submitting their data and when logging in after verification, including what URL they visit in each case. Then describe it from the admin perspective, how they first receive the personal data, how they process it into a verified state and make use of it, and what access they have to each machine at each step.

1 members found this post helpful.

Hi Keefaz,
Yes looks like I need to run on HOST2 itself ready because curl will get complicated too.
What I meant by this is that once the user register it will go into the db then the administrator will need to verify the details.

Hi Scasey,
Yes I think it will need HOST2 cause only HOST2 has the access to the db. The entire picture is like this I have a website and in it I have a registration form which I need to capture the details and store it into a db. So that the entire picture hope I am clearer now ?

Hi Astrogreek,
Ok let me explain in details

1. HOST1.
Is a pure website and in it there is a registration form. I need to capture this details and store into the db. User will key in their details and the admin will then approve. Upon approval email it sent with the user name and also default password to the registered user.

2. HOST2.
This is where application is residing. User can key in their login details and get into it to use the application.

I hope I am clearer now ?

Maybe HOST1 could be configured to send a create account request email to the admin and uppon approval, user log in HOST2?
HOST1 will still need some scripting engine to send the email

Or do both in HOST2 as it is application ready so scripting engine is already set

Hi Keefaz,
Yes looks like I will do on HOST2 cause only it has the db access HOST1 does not have it because when user register their details goes into the db first then only admin picks from the db and do the approval.