Solved

DSN-less connection to MS Access DB via PHP - security problem

Posted on 2004-04-30
Last Modified: 2013-12-12
Top 'o the morning' to you (or afternoon (or well past midnight - we do work in IT after all)),

THE SITUATION: I'm connecting to an MS Access DB, via PHP, using a DSN-less connection (only DSN-less connections are allowed with my ISP).  The Access DB is set up to have two users, Admin (for updating stock, etc), and 'website', a read-only user with no privileges to speak of - the web pages should ONLY be able to read data from the DB, NOT make ANY changes WHATSOEVER. The code below is the only method I've got to work with my deeply unhelpful ISP (they run php v4.3.4), and believe me, I've tried EVERY possible method of DSN-less connection.

<code follows...>

$db_connection = new COM("ADODB.Connection");

$db_connstr = "DRIVER={Microsoft Access Driver (*.mdb)}; DBQ=". realpath("../database.mdb") ." ;DefaultDir=". realpath("../");
$db_connection->open($db_connstr);
$rs = $db_connection->execute("SELECT this, and_that FROM some_table");
$rs_fld0 = $rs->Fields(0);
$rs_fld1 = $rs->Fields(1);
while (!$rs->EOF) {

/* do some stuff with the results to make it look nice on screen */
/* but as an example... */

  print "$rs_fld0->value $rs_fld1->value\n";

  $rs->MoveNext(); /* updates fields! */
}
$rs->Close();
$db_connection->Close();

<end code>

This is taken from an example in php.net and I haven't changed it to any great degree.  It works just fine.  The problem is...

THE PROBLEM:  The code above does not give any scope for a username and password for connecting to this DB.  What's more, despite the fact that I've set up this DB to have only two users (opening it 'manually' requires a user ID and password), the code above connects to the DB without a user ID or password being supplied.  I changed the SQL statement from a SELECT statement to a DROP TABLE statement (just to check) and it deleted the table - again, the code supplies no user ID or password.  This is obviously unacceptable.

THE SOLUTION (please!): At the mo, I've just made the DB file read only for all users on the server, but my client needs to be able to update it fairly often, and while he's got enough computer savvy to ftp a new version to the server, it'd be a pain for him to have to CHMOD the file every time he does this.  Furthermore, in future the website might be upgraded to provide users with more functionality, and then I'll want to be able to update fields, etc.  I need some code that'll connect to the DB, but require a username and password, not with a security risk like the above.

Many thanks in advance (and, indeed, for reading this rather long question!),

garethdart24

Assisted Solution

by:jkna_gunn
jkna_gunn earned 195 total points
I use the inbuilt functions of PHP, not the COM objects

so odbc_connect($dsn,$username,$password);

If you don't want to use that, then maybe you will need to add this to your DSN string:
Uid=test;Pwd=test123;

Author Comment

by:garethdart24
Believe me, I'd love to use odbc_connect etc (as I originally did when developing the site) but my ISP only allows DSN-less connections, and only using COM and ADODB as in the example (odbc DSN-less connections don't work - that was the first method I tried).  I asked them to register the DB as a system DSN, but due to 'security considerations' they only allow DSN-less connections.  If I hadn't stumped up for a year's hosting, I'd use a different ISP.

I could add a UID and PWD value to my dsn string, but the fact remains that without these there, the code still connects to the DB, and although I'm not keeping state secrets in this database, my gut feeling is that this is a security risk and I want to change it.

Many thanks for your suggestions, though.

Accepted Solution

by:mokelly1
mokelly1 earned 200 total points
I think what you are looking for is here.

http://www.databasejournal.com/features/php/article.php/2222651

I use this DSN-less connection to a nonsecure Access database, but there is a place for me to put the userid and password.

My code looks like this:

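include("ADOdb/Adodb.inc.php");               // ADOdb library for PHP
$db = &ADONewConnection("ado_access");        // ADO driver for MS Access
$access = 'YOURPATH';                         // full path to the .mdb file
$myDSN =  'PROVIDER=Microsoft.Jet.OLEDB.4.0;' . 'DATA SOURCE=' . $access . ';';
// PConnect arguments after the DSN: user ID, password, database name (all empty here)
if (@$db->PConnect($myDSN, "", "", ""))
{
   print "ADO version=".$db->_connectionID->version."<br>";
}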

Hope this helps.  Good Luck! - Mo
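
The credentialed DSN-less connection discussed in the answers above, as an added example that is not part of the original thread: it puts Uid/Pwd into the ODBC string from the question and then checks that the 'website' account really is refused a write. Assumptions: PHP 5 or later on Windows with the COM extension, a workgroup (.mdw) file holding the Access accounts, and the path and environment variable names shown, all of which are hypothetical.

```php
<?php
// Added example, not code from the thread. Assumes PHP 5+ on Windows with the
// COM extension; the .mdw path and the environment variable are hypothetical.

// Build a DSN-less ODBC string that names the account explicitly.
function access_connstr($mdb, $user, $pass, $mdw = null)
{
    foreach (array($mdb, $user, $pass, $mdw) as $v) {
        // Reject non-strings (realpath()/getenv() return false on failure)
        // and characters that could add extra keywords to the string.
        if ($v !== null && (!is_string($v) || preg_match('/[;{}]/', $v))) {
            throw new InvalidArgumentException('bad connection string value');
        }
    }
    $s = 'DRIVER={Microsoft Access Driver (*.mdb)};DBQ=' . $mdb . ';';
    if ($mdw !== null) {
        $s .= 'SystemDB=' . $mdw . ';';   // workgroup file that holds the accounts
    }
    return $s . 'Uid=' . $user . ';Pwd=' . $pass . ';';
}

// Return true only if the connected account is refused a schema change.
function is_read_only($conn)
{
    try {
        $conn->Execute('CREATE TABLE zz_priv_probe (id INTEGER)');
    } catch (com_exception $e) {
        return true;                      // write failed: expected for 'website'
    }
    $conn->Execute('DROP TABLE zz_priv_probe'); // write succeeded: clean up
    return false;
}

$connstr = access_connstr(
    realpath('../database.mdb'),
    'website',                            // read-only account from the question
    getenv('ACCESS_WEBSITE_PWD'),         // hypothetical; keeps the password out of the source
    realpath('../secure.mdw')             // hypothetical workgroup file path
);
$conn = new COM('ADODB.Connection');
$conn->Open($connstr);
if (!is_read_only($conn)) {
    $conn->Close();
    die('website account can modify the database; refusing to continue');
}
```

Running the same probe over a connection string with no Uid/Pwd shows whether the database still accepts the default login; if that connection opens and the probe returns false, the permissions inside the database are what need tightening, not the connection code.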

Author Comment

by:garethdart24
I'll try that and see if it works.

Thanks,

Gareth

Author Comment

by:garethdart24
Thanks guys,

I've split the points because:

a) The first answer is what I'm doing at the moment as a stop-gap solution

b) I'm going to b*tch at my ISP until they agree to implement ADODB in such a way as to allow secure connections along the lines of the second answer

Cheers,

Gareth