shang3000
asked on
how to secure my credentials while connecting using PDO
hi all,
this is a snippet of a PDO database example using MySQL that I got from a book,
attached as a snippet to this message
and this is a paragraph of the same book:
In the database connection examples we just saw, I included my access credentials
within the DSN, or in the $user and $pass variables, but I did so for illustration
purposes only. This is not standard—or appropriate—practice, since this information
can be misused by malicious parties to access your database.
now my question is how can I make that example as secure as I can?
what is the most secure way to pass my credentials to the DSN?
can you please send me an example to illustrate the details or point me to a link that does that?
thanks in advance
best regards
HG
<?php
// Book example: credentials are hard-coded here for illustration only.
$dsn = 'mysql:host=localhost;dbname=world;';
$user = 'user';
$password = 'secret';

try {
    // Open the connection; PDO throws PDOException if the login fails.
    $dbh = new PDO($dsn, $user, $password);
} catch (PDOException $e) {
    // The message can contain the host and user name, so it is shown here
    // only because this is a teaching example.
    echo 'Connection failed: ' . $e->getMessage();
}
?>
There are several ways.
Some people prefer having the MySQL user and MySQL password in your PHP environment by setting them in the vhost conf or similar places. Others just put the user and password in a file that is only accessible to your webserver user and is outside of the webroot.
A third option is to have your end user type in the actual username/password. This is only appropriate for tools with few users.
-r-
ASKER
hi Roonaan,
thanks for the reply,
can you please give me more details about each method?
if there are any links, articles, or books, that would be great
best regards
HG
The second method is just putting a credentials.php somewhere outside your webroot. Then include it like: require '/path/to/config/outside/webroot/credentials.php';
The third is by having an authentication form, where the username and password are validated by seeing if you are able to connect to your database using those credentials.
The first mode I have personally not installed. If I recall correctly, you can use Apache configuration files to set some "constants", which can be read from PHP using getenv.
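The three approaches in the reply above, written out as an added example (this is not code from the thread or from the book the asker quotes). The file name credentials.php, the directory layout, the DB_DSN/DB_USER/DB_PASS variable names and the login-form field names are all assumptions made for the example.

```php
<?php
// Added example, not from the thread or the book. Three ways to keep the
// database credentials out of application code:
//   1. set in the web server environment and read with getenv()
//   2. kept in a PHP file outside the web root and pulled in with require
//   3. not stored at all: the visitor's own account is tried against the database
declare(strict_types=1);

// Assumed layout: this script is in the web root, credentials.php one
// directory above it, so the web server never serves the file itself.
const CREDENTIALS_FILE = __DIR__ . '/../config/credentials.php';

// DSN used for approach 3; it names the server and database only, not a login.
const VISITOR_DSN = 'mysql:host=localhost;dbname=world;charset=utf8mb4';

// Approaches 1 and 2. Returns ['dsn' => ..., 'user' => ..., 'pass' => ...].
function loadDbConfig(): array
{
    // Approach 1: values set by the web server, e.g. in the Apache vhost:
    //   SetEnv DB_DSN  "mysql:host=localhost;dbname=world;charset=utf8mb4"
    //   SetEnv DB_USER "user"
    //   SetEnv DB_PASS "secret"
    $dsn  = getenv('DB_DSN');
    $user = getenv('DB_USER');
    $pass = getenv('DB_PASS');
    if ($dsn !== false && $user !== false && $pass !== false) {
        return ['dsn' => $dsn, 'user' => $user, 'pass' => $pass];
    }

    // Approach 2: a PHP file outside the web root that returns an array.
    // Constructed example of what credentials.php contains:
    //   <?php
    //   return [
    //       'dsn'  => 'mysql:host=localhost;dbname=world;charset=utf8mb4',
    //       'user' => 'user',
    //       'pass' => 'secret',
    //   ];
    // Make it readable by the web server account only (e.g. mode 0400).
    if (!is_readable(CREDENTIALS_FILE)) {
        throw new RuntimeException('Database credentials are not configured');
    }
    $config = require CREDENTIALS_FILE;
    if (!is_array($config)) {
        throw new RuntimeException('Credentials file must return an array');
    }
    foreach (['dsn', 'user', 'pass'] as $key) {
        if (!isset($config[$key]) || !is_string($config[$key])) {
            throw new RuntimeException("Credentials file is missing '$key'");
        }
    }
    return $config;
}

// Open the connection with exceptions on every database error, so a
// failed login or query never passes silently.
function connect(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// Approach 3: the visitor types a database username and password into a
// form; a successful connection is the authentication. Returns null when
// the database rejects the login.
function connectAsVisitor(string $user, string $pass): ?PDO
{
    try {
        return connect(VISITOR_DSN, $user, $pass);
    } catch (PDOException $e) {
        // Log server-side only; the message can name the host and the user.
        error_log('Login as ' . $user . ' rejected: ' . $e->getMessage());
        return null;
    }
}

// Approach 1 or 2 in use. PDOException extends RuntimeException, so the
// config errors and the connection errors are caught in one place.
try {
    $cfg = loadDbConfig();
    $dbh = connect($cfg['dsn'], $cfg['user'], $cfg['pass']);
} catch (RuntimeException $e) {
    error_log('Connection failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Database connection failed.');
}

// Approach 3 in use, for a POSTed login form with fields "user" and "pass".
if (isset($_POST['user'], $_POST['pass'])) {
    $visitorDb = connectAsVisitor((string) $_POST['user'], (string) $_POST['pass']);
    if ($visitorDb === null) {
        http_response_code(401);
        exit('Login failed.');
    }
}
```

Two points worth knowing when picking between these. require takes a quoted string path; building it from __DIR__ makes it absolute, so the include does not depend on the working directory PHP happens to run in. SetEnv values are visible to getenv() when PHP runs inside Apache (mod_php); under PHP-FPM the equivalent is an env[...] line in the pool configuration. Either way the values also appear in phpinfo() output and in $_SERVER, so a reachable phpinfo page would expose them.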
ASKER
hi roonaan,
thanks again for the reply,
1.
>>>The second method is just putting a credentials.php somewhere outside your webroot. Then
>>>include it like: require '/path/to/config/outside/webroot/credentials.php';
I think I'm getting this one
does this code work fine (please correct me if I'm wrong)
require (/../pwd.php);
2.
>>>The third is by having an authentication form, where the username and password are validated
>>>by seeing if you are able to connect to your database using those credentials.
this one is not clear to me; would you please give me an example to show the difference between this method and the others
3.
>>>The first mode I have personally not installed. If I recall correctly, you can use Apache
>>>configuration files to set some "constants", which can be read from PHP using getenv.
can you guide me where to get a sample of code for that? I didn't use this method before
4. what about encryption/decryption and how can I work with it for this issue
please help me with those points, that would be great, and if you can guide me to links or articles or books that talk about that I'd be thankful to you
best regards
HG
ASKER
In the database connection examples we just saw, I included my access credentials
within the DSN, or in the $user and $pass variables, but I did so for illustration
purposes only. This is not standard or appropriate practice since this information can be misused by malicious parties to access your database.