Learn how to a build a cloud-first strategyRegister Now


DSN-less connection to MS Access DB via PHP - security problem

Posted on 2004-04-30
Medium Priority
Last Modified: 2013-12-12
Top 'o the morning' to you (or afternoon (or well past midnight - we do work in IT after all)),

THE SITUATION: I'm connecting to a MS Access DB, via PHP, using a DSN-less connection (only DSN-less connections are allowed with my ISP).  The Access DB is set up to have two users, Admin (for updating stock, etc), and 'website', a read-only user with no privileges to speak of - the web pages should ONLY be able to read data from the DB, NOT make ANY changes WHATSOEVER. The code below is the only method I've got to work with my deeply unhelpful ISP (they run php v4.3.4), and believe me, I've tried EVERY possible method of DSN-less connection.

<code follows...>

$db_connection = new COM("ADODB.Connection");

$db_connstr = "DRIVER={Microsoft Access Driver (*.mdb)}; DBQ=". realpath("../database.mdb") ." ;DefaultDir=". realpath("../");
$rs = $db_connection->execute("SELECT this, and_that FROM some_table");
$rs_fld0 = $rs->Fields(0);
$rs_fld1 = $rs->Fields(1);
while (!$rs->EOF) {

/* do some stuff with the results to make it look nice on screen */
/* but as an example... */

  print "$rs_fld0->value $rs_fld1->value\n";

  $rs->MoveNext(); /* updates fields! */

<end code>

This is taken from an example in php.net and I haven't changed it to any great degree.  It works just fine.  The problem is...

THE PROBLEM:  The code above does not give any scope for a username and password for connecting to this DB.  What's more, despite the fact that I've set up this DB to have only two users (opening it 'manually' requires a user ID and password), the code above connects to the DB without a user ID or password being supplied.  I changed the SQL statement from a SELECT statement to a DROP TABLE statement (just to check) and it deleted the table - again, the code supplies no user ID or password.  This is obviously unacceptable.

THE SOLUTION (please!): At the mo, I've just made the DB file read only for all users on the server, but my client needs to be able to update it fairly often, and while he's got enough computer savvy to ftp a new version to the server, it'd be a pain for him to have to CHMOD the file every time he does this.  Furthermore, in future the website might be upgraded to provide users with more functionality, and then I'll want to be able to update fields, etc.  I need some code that'll connect to the DB, but require a username and password, not with a security risk like the above.

Many thanks in advance (and, indeed, for reading this rather long question!),

Question by:garethdart24
  • 3

Assisted Solution

jkna_gunn earned 585 total points
ID: 10958216
i use the inbuilt functions of php not the COM objects

so odbc_connect($dsn,$username,$password);

if you dont want to use that then maybe you will need to add this to your dsn string

Author Comment

ID: 10958346
Believe me, I'd love to use odbc_connect etc (as I originally did when developing the site) but my ISP only allows DSN-less connections, and only using COM and ADODB as in the example (odbc DSN-less connections don't work - that was the first method I tried).  I asked them to register the DB as a system DSN, but due to 'security considerations' they only allow DSN-less connections.  If I hadn't stumped up for a year's hosting, I'd use a different ISP.

I could add a UID and PWD value to my dsn string, but the fact remains that without these there, the code still connects to the DB, and although I'm not keeping state secrets in this database, my gut feeling is that this is a security risk and I want to change it.

Many thanks for your suggestions, though.

Accepted Solution

mokelly1 earned 600 total points
ID: 10963365
I think what you are looking for is here.


I use this dns-less connection to a nonsecure access database but there is a place for me to put the userid and password.

My code looks like this:

$db = &ADONewConnection("ado_access");
$access = 'YOURPATH';
$myDSN =  'PROVIDER=Microsoft.Jet.OLEDB.4.0;' . 'DATA SOURCE=' . $access . ';';      
if (@$db->PConnect($myDSN, "", "", ""))
   print "ADO version=".$db->_connectionID->version."<br>";

Hope this helps.  Good Luck! - Mo

Author Comment

ID: 10970948
I'll try that and see if it works.



Author Comment

ID: 10993000
Thanks guys,

I've split the points because:

a) The first answer is what I'm doing at the moment as a stop-gap solution

b) I'm going to b*tch at my ISP until they agree to implement ADODB in such a way as to allow secure connections along the lines of the second answer



Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Part of the Global Positioning System A geocode (https://developers.google.com/maps/documentation/geocoding/) is the major subset of a GPS coordinate (http://en.wikipedia.org/wiki/Global_Positioning_System), the other parts being the altitude and t…
Password hashing is better than message digests or encryption, and you should be using it instead of message digests or encryption.  Find out why and how in this article, which supplements the original article on PHP Client Registration, Login, Logo…
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
The viewer will learn how to dynamically set the form action using jQuery.
Suggested Courses
Course of the Month21 days, 6 hours left to enroll

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question