Part III: E-commerce and Security
Chapter 15: Implementing Secure Transactions with PHP and MySQL

[Figure: Our data -> Data packets -> Compressed data -> Message Authentication Code -> Encrypted packets -> TCP packets]
Figure: SSL breaks up, compresses, hashes, and encrypts data before sending it.

One thing you might notice from the diagram is that the TCP header is added after the data is encrypted. This means that the routing information could still be tampered with, and although snoopers cannot tell what information we are exchanging, they can see who is exchanging it.

The reason that SSL compresses before it encrypts is that, although most network traffic can be (and often is) compressed before being transmitted across a network, encrypted data does not compress well. Compression schemes rely on identifying repetition or patterns within data; encryption turns data into an effectively random arrangement of bits, so applying a compression algorithm afterwards is usually pointless. It would be unfortunate if SSL, which was designed to increase network security, had the side effect of dramatically increasing network traffic. One caveat for today's reader: compressing before encrypting lets the ciphertext length leak information about the plaintext, which is the basis of the CRIME attack on TLS compression, and TLS 1.3 removes compression from the protocol entirely.

Although SSL is relatively complex, users and developers are shielded from most of what occurs, because its external interfaces mimic existing protocols.

In the relatively near future, SSL is likely to be replaced by TLS (Transport Layer Security), but at the time of writing TLS is a draft standard and not supported by any servers or browsers. (TLS 1.0 was subsequently published as RFC 2246 in 1999.) TLS is intended to be a truly open standard, rather than a standard defined by one organization and made available to others. It is based directly on SSL but contains improvements intended to overcome weaknesses of SSL.

Screening User Input

One of the principles of building a safe Web application is that you should never trust user input.
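The SSL record pipeline described above (fragment, compress, MAC, encrypt, with the transport header left in the clear) is easier to reason about as a small model. The following Python is an added example written for this edition; it is not code from the book and not SSL's real record format or ciphers. The 3-byte record header, the HMAC-SHA256 tag, the SHA-256 counter-mode keystream standing in for a real cipher, the function names (`protect`, `unprotect`, `send`, `receive`, `verifies`), the fixed keys and the sample HTTP request are all constructed for illustration; a real implementation negotiates keys in the handshake and uses a proper cipher.

```python
"""Toy model of the SSL record layer: fragment -> compress -> MAC -> encrypt.

Added example, not code from the book. The cipher is a SHA-256 keystream
(not an SSL cipher); the record format and keys are assumptions made for
illustration only.
"""
import hashlib
import hmac
import struct
import zlib

MAX_FRAGMENT = 2 ** 14          # SSL/TLS limit a record's plaintext to 2^14 bytes
RECORD_TYPE = 23                # "application data" content type in SSL/TLS
TAG_LEN = 32                    # HMAC-SHA256 tag (SSL itself used MD5/SHA-1 MACs)

# Constructed keys for the example; a real handshake negotiates these.
MAC_KEY = b"example-mac-key-not-for-real-use"
ENC_KEY = b"example-enc-key-not-for-real-use"


def fragment(data: bytes, size: int = MAX_FRAGMENT) -> list:
    """Step 1: split application data into record-sized pieces."""
    return [data[i:i + size] for i in range(0, len(data), size)] or [b""]


def keystream(key: bytes, seq: int, length: int) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode) so the example needs only
    the standard library. Not a real cipher; never use it as one."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack(">QQ", seq, block)).digest()
        block += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def protect(plain: bytes, seq: int, mac_key=MAC_KEY, enc_key=ENC_KEY) -> bytes:
    """Steps 2-4 for one fragment: compress, append MAC, encrypt.
    Returns a record whose 3-byte header (type, length) stays in the clear,
    just as the TCP header does in the figure."""
    compressed = zlib.compress(plain)                            # 2. compress
    mac_input = struct.pack(">QBH", seq, RECORD_TYPE, len(compressed)) + compressed
    tag = hmac.new(mac_key, mac_input, hashlib.sha256).digest()  # 3. MAC (covers seq no.)
    body = compressed + tag
    sealed = xor(body, keystream(enc_key, seq, len(body)))       # 4. encrypt
    return struct.pack(">BH", RECORD_TYPE, len(sealed)) + sealed


def unprotect(record: bytes, seq: int, mac_key=MAC_KEY, enc_key=ENC_KEY) -> bytes:
    """Reverse the pipeline; reject the record unless the MAC verifies."""
    if len(record) < 3:
        raise ValueError("malformed record")
    rtype, length = struct.unpack(">BH", record[:3])
    sealed = record[3:3 + length]
    if rtype != RECORD_TYPE or len(sealed) != length or length < TAG_LEN:
        raise ValueError("malformed record")
    body = xor(sealed, keystream(enc_key, seq, len(sealed)))
    compressed, tag = body[:-TAG_LEN], body[-TAG_LEN:]
    mac_input = struct.pack(">QBH", seq, RECORD_TYPE, len(compressed)) + compressed
    expected = hmac.new(mac_key, mac_input, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad MAC: record was modified or replayed")
    return zlib.decompress(compressed)


def send(data: bytes) -> list:
    """Sender side of the whole pipeline: fragment, then protect each record."""
    return [protect(piece, seq) for seq, piece in enumerate(fragment(data))]


def receive(records) -> bytes:
    return b"".join(unprotect(rec, seq) for seq, rec in enumerate(records))


def verifies(records, seq_offset: int = 0) -> bool:
    """True if every record authenticates. A non-zero seq_offset simulates an
    attacker replaying the records at a different point in the stream."""
    try:
        for seq, rec in enumerate(records):
            unprotect(rec, seq + seq_offset)
        return True
    except ValueError:
        return False


def flip_byte(record: bytes, index: int) -> bytes:
    """Corrupt one byte of a record, as an on-path attacker might."""
    out = bytearray(record)
    out[index] ^= 0x01
    return bytes(out)


def compressed_size(data: bytes) -> int:
    return len(zlib.compress(data))


# Constructed sample traffic: a very repetitive HTTP request, about 19 KB.
SAMPLE = b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n" * 400

if __name__ == "__main__":
    wire = b"".join(send(SAMPLE))
    print("plaintext:", len(SAMPLE), "bytes; zlib alone:", compressed_size(SAMPLE))
    print("on the wire (compress, then encrypt):", len(wire), "bytes")
    print("zlib applied to the ciphertext instead:", compressed_size(wire), "bytes")
```

Running it shows the point of the text: zlib shrinks the repetitive plaintext by more than an order of magnitude, while the same zlib call on the ciphertext produces output slightly larger than its input. It also shows why the MAC covers the sequence number: a flipped byte or a replayed record fails `verifies`, even though the receiver cannot see what was changed.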
Always screen user data before putting it in a file or database, or before passing it through a system execution command. We've talked in