DSN-less connection to MS Access DB via PHP - security problem

Posted on 2004-04-30
Medium Priority
Last Modified: 2013-12-12
Top 'o the morning' to you (or afternoon (or well past midnight - we do work in IT after all)),

THE SITUATION: I'm connecting to a MS Access DB, via PHP, using a DSN-less connection (only DSN-less connections are allowed with my ISP).  The Access DB is set up to have two users, Admin (for updating stock, etc), and 'website', a read-only user with no privileges to speak of - the web pages should ONLY be able to read data from the DB, NOT make ANY changes WHATSOEVER. The code below is the only method I've got to work with my deeply unhelpful ISP (they run php v4.3.4), and believe me, I've tried EVERY possible method of DSN-less connection.

<code follows...>

$db_connection = new COM("ADODB.Connection");

$db_connstr = "DRIVER={Microsoft Access Driver (*.mdb)}; DBQ=". realpath("../database.mdb") ." ;DefaultDir=". realpath("../");
$rs = $db_connection->execute("SELECT this, and_that FROM some_table");
$rs_fld0 = $rs->Fields(0);
$rs_fld1 = $rs->Fields(1);
while (!$rs->EOF) {

/* do some stuff with the results to make it look nice on screen */
/* but as an example... */

  print "$rs_fld0->value $rs_fld1->value\n";

  $rs->MoveNext(); /* updates fields! */

<end code>

This is taken from an example in php.net and I haven't changed it to any great degree.  It works just fine.  The problem is...

THE PROBLEM:  The code above does not give any scope for a username and password for connecting to this DB.  What's more, despite the fact that I've set up this DB to have only two users (opening it 'manually' requires a user ID and password), the code above connects to the DB without a user ID or password being supplied.  I changed the SQL statement from a SELECT statement to a DROP TABLE statement (just to check) and it deleted the table - again, the code supplies no user ID or password.  This is obviously unacceptable.

THE SOLUTION (please!): At the mo, I've just made the DB file read only for all users on the server, but my client needs to be able to update it fairly often, and while he's got enough computer savvy to ftp a new version to the server, it'd be a pain for him to have to CHMOD the file every time he does this.  Furthermore, in future the website might be upgraded to provide users with more functionality, and then I'll want to be able to update fields, etc.  I need some code that'll connect to the DB, but require a username and password, not with a security risk like the above.

Many thanks in advance (and, indeed, for reading this rather long question!),

Question by:garethdart24
  • 3

Assisted Solution

jkna_gunn earned 585 total points
ID: 10958216
i use the inbuilt functions of php not the COM objects

so odbc_connect($dsn,$username,$password);

if you dont want to use that then maybe you will need to add this to your dsn string

Author Comment

ID: 10958346
Believe me, I'd love to use odbc_connect etc (as I originally did when developing the site) but my ISP only allows DSN-less connections, and only using COM and ADODB as in the example (odbc DSN-less connections don't work - that was the first method I tried).  I asked them to register the DB as a system DSN, but due to 'security considerations' they only allow DSN-less connections.  If I hadn't stumped up for a year's hosting, I'd use a different ISP.

I could add a UID and PWD value to my dsn string, but the fact remains that without these there, the code still connects to the DB, and although I'm not keeping state secrets in this database, my gut feeling is that this is a security risk and I want to change it.

Many thanks for your suggestions, though.

Accepted Solution

mokelly1 earned 600 total points
ID: 10963365
I think what you are looking for is here.


I use this dns-less connection to a nonsecure access database but there is a place for me to put the userid and password.

My code looks like this:

$db = &ADONewConnection("ado_access");
$access = 'YOURPATH';
$myDSN =  'PROVIDER=Microsoft.Jet.OLEDB.4.0;' . 'DATA SOURCE=' . $access . ';';      
if (@$db->PConnect($myDSN, "", "", ""))
   print "ADO version=".$db->_connectionID->version."<br>";

Hope this helps.  Good Luck! - Mo

Author Comment

ID: 10970948
I'll try that and see if it works.



Author Comment

ID: 10993000
Thanks guys,

I've split the points because:

a) The first answer is what I'm doing at the moment as a stop-gap solution

b) I'm going to b*tch at my ISP until they agree to implement ADODB in such a way as to allow secure connections along the lines of the second answer



Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Nothing in an HTTP request can be trusted, including HTTP headers and form data.  A form token is a tool that can be used to guard against request forgeries (CSRF).  This article shows an improved approach to form tokens, making it more difficult to…
Originally, this post was published on Monitis Blog, you can check it here . In business circles, we sometimes hear that today is the “age of the customer.” And so it is. Thanks to the enormous advances over the past few years in consumer techno…
The viewer will learn how to count occurrences of each item in an array.
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…
Suggested Courses

588 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question