Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

DSN-less connection to MS Access DB via PHP - security problem

Posted on 2004-04-30
5
40,064 Views
Last Modified: 2013-12-12
Top 'o the morning' to you (or afternoon (or well past midnight - we do work in IT after all)),

THE SITUATION: I'm connecting to a MS Access DB, via PHP, using a DSN-less connection (only DSN-less connections are allowed with my ISP).  The Access DB is set up to have two users, Admin (for updating stock, etc), and 'website', a read-only user with no privileges to speak of - the web pages should ONLY be able to read data from the DB, NOT make ANY changes WHATSOEVER. The code below is the only method I've got to work with my deeply unhelpful ISP (they run php v4.3.4), and believe me, I've tried EVERY possible method of DSN-less connection.

<code follows...>

$db_connection = new COM("ADODB.Connection");

$db_connstr = "DRIVER={Microsoft Access Driver (*.mdb)}; DBQ=". realpath("../database.mdb") ." ;DefaultDir=". realpath("../");
$db_connection->open($db_connstr);
$rs = $db_connection->execute("SELECT this, and_that FROM some_table");
$rs_fld0 = $rs->Fields(0);
$rs_fld1 = $rs->Fields(1);
while (!$rs->EOF) {

/* do some stuff with the results to make it look nice on screen */
/* but as an example... */

  print "$rs_fld0->value $rs_fld1->value\n";

  $rs->MoveNext(); /* updates fields! */
}
$rs->Close();
$db_connection->Close();

<end code>

This is taken from an example in php.net and I haven't changed it to any great degree.  It works just fine.  The problem is...

THE PROBLEM:  The code above does not give any scope for a username and password for connecting to this DB.  What's more, despite the fact that I've set up this DB to have only two users (opening it 'manually' requires a user ID and password), the code above connects to the DB without a user ID or password being supplied.  I changed the SQL statement from a SELECT statement to a DROP TABLE statement (just to check) and it deleted the table - again, the code supplies no user ID or password.  This is obviously unacceptable.

THE SOLUTION (please!): At the mo, I've just made the DB file read only for all users on the server, but my client needs to be able to update it fairly often, and while he's got enough computer savvy to ftp a new version to the server, it'd be a pain for him to have to CHMOD the file every time he does this.  Furthermore, in future the website might be upgraded to provide users with more functionality, and then I'll want to be able to update fields, etc.  I need some code that'll connect to the DB, but require a username and password, not with a security risk like the above.

Many thanks in advance (and, indeed, for reading this rather long question!),

garethdart24
0
Comment
Question by:garethdart24
  • 3
5 Comments
 
LVL 6

Assisted Solution

by:jkna_gunn
jkna_gunn earned 195 total points
ID: 10958216
i use the inbuilt functions of php not the COM objects

so odbc_connect($dsn,$username,$password);

if you dont want to use that then maybe you will need to add this to your dsn string
Uid=test;Pwd=test123;
0
 
LVL 1

Author Comment

by:garethdart24
ID: 10958346
Believe me, I'd love to use odbc_connect etc (as I originally did when developing the site) but my ISP only allows DSN-less connections, and only using COM and ADODB as in the example (odbc DSN-less connections don't work - that was the first method I tried).  I asked them to register the DB as a system DSN, but due to 'security considerations' they only allow DSN-less connections.  If I hadn't stumped up for a year's hosting, I'd use a different ISP.

I could add a UID and PWD value to my dsn string, but the fact remains that without these there, the code still connects to the DB, and although I'm not keeping state secrets in this database, my gut feeling is that this is a security risk and I want to change it.

Many thanks for your suggestions, though.
0
 
LVL 5

Accepted Solution

by:
mokelly1 earned 200 total points
ID: 10963365
I think what you are looking for is here.

http://www.databasejournal.com/features/php/article.php/2222651

I use this dns-less connection to a nonsecure access database but there is a place for me to put the userid and password.

My code looks like this:

include("ADOdb/Adodb.inc.php");
$db = &ADONewConnection("ado_access");
$access = 'YOURPATH';
$myDSN =  'PROVIDER=Microsoft.Jet.OLEDB.4.0;' . 'DATA SOURCE=' . $access . ';';      
if (@$db->PConnect($myDSN, "", "", ""))
{
   print "ADO version=".$db->_connectionID->version."<br>";
}

Hope this helps.  Good Luck! - Mo
0
 
LVL 1

Author Comment

by:garethdart24
ID: 10970948
I'll try that and see if it works.

Thanks,

Gareth
0
 
LVL 1

Author Comment

by:garethdart24
ID: 10993000
Thanks guys,

I've split the points because:

a) The first answer is what I'm doing at the moment as a stop-gap solution

b) I'm going to b*tch at my ISP until they agree to implement ADODB in such a way as to allow secure connections along the lines of the second answer

Cheers,

Gareth
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Password hashing is better than message digests or encryption, and you should be using it instead of message digests or encryption.  Find out why and how in this article, which supplements the original article on PHP Client Registration, Login, Logo…
Nothing in an HTTP request can be trusted, including HTTP headers and form data.  A form token is a tool that can be used to guard against request forgeries (CSRF).  This article shows an improved approach to form tokens, making it more difficult to…
The viewer will learn how to dynamically set the form action using jQuery.
This tutorial will teach you the core code needed to finalize the addition of a watermark to your image. The viewer will use a small PHP class to learn and create a watermark.

808 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question