Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

how to secure my credintials while connecting using pdo

Posted on 2007-11-22
6
Medium Priority
?
267 Views
Last Modified: 2008-05-02
hi all,

this is  a snippet of pdo database example using mysql I got from a book

attached as snippet to this message

and this is a paragraph of the same book:

In the database connection examples we just saw, I included my access credentials
within the DSN, or in the $user and $pass variables, but I did so for illustration
purposes only. This is not standard—or appropriate—practice, since this inform­
ation can by misused by malicious parties to access your database.

now my question is how can I make that example secured as much as I can?
what is the most secure way to pass my credintials to the dsn?

can you please send me an example to illustrate the details or point me to a link that do that ?

thanks in advance
best regards
HG

<?php
$dsn = 'mysql:host=localhost;dbname=world;';
$user = 'user';
$password = 'secret';
try
{
  $dbh = new PDO($dsn, $user, $password);
}
catch (PDOException $e)
{
  echo 'Connection failed: ' . $e->getMessage();
}
?>

Open in new window

0
Comment
Question by:shang3000
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 

Author Comment

by:shang3000
ID: 20334137
sorry for typos here is the pragraph in readable format:
In the database connection examples we just saw, I included my access credentials
within the DSN, or in the $user and $pass variables, but I did so for illustration
purposes only. This is not standard or appropriate practice since this information can be  misused by malicious parties to access your database.
0
 
LVL 49

Expert Comment

by:Roonaan
ID: 20342281
There are several ways.

Some people prefer having the mysql user and mysql pwd in your php environment by setting them in vhost conf or similar places. Others just put the user and passwd in a file that is only accessible to your webserver user and is outside of the webroot.
A third option is to have your end user type in the actual username/password. This is a situation only appropriate to tools with few users.

-r-
0
 

Author Comment

by:shang3000
ID: 20342352
hi Roonaan,
thanks for reply,
can you please give me more details about each method
if there is any links, articles, books that would be great
best regards
HG
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 49

Expert Comment

by:Roonaan
ID: 20342738
The second method is just putting a credentials.php somewhere outside your webroot. Then include it like: require '/path/to/config/outside/webroot/credentials.php';

The third is by having a authentication form, where the username and password are validated by seeing if you are able to connect to your database using those credentials.

The first mode I have personally not installed. If i recall correctly, you can use apache configuration files to set some "constants", which can be read from php using getenv.

0
 

Author Comment

by:shang3000
ID: 20342764
hi roonaan,
thanks again for reply,

1.
>>>The second method is just putting a credentials.php somewhere outside your webroot. Then
>>>include it like: require '/path/to/config/outside/webroot/credentials.php';
I think I'm getting this one
does this code work fine (please correct me if I'm wrong)
 require (/../pwd.php);

2.
>>>The third is by having a authentication form, where the username and password are validated
>>>by seeing if you are able to connect to your database using those credentials.
this one Is not clear for me would you please give me an example to distinguish the difference between this method and the others

3.
>>>The first mode I have personally not installed. If i recall correctly, you can use apache
>>> configuration files to set some "constants", which can be read from php using getenv.
can you guid me where to get a sample of code for that I didn't use this metho befor

4. what about encryption/decryption  and how can work with it in that issue

please help me in those points and that would be greate and if you can guide me to links or articles or books that talk about that  I'd be thankful for you

best regards
HG
0
 
LVL 49

Accepted Solution

by:
Roonaan earned 2000 total points
ID: 20342823
The second method will not store the mysql login anywhere, but realy on your end-user to input correct mysql login credentials. You then use the credentials entered by the end user for your mysql connection.                

Encryption/decryption would make sense if you wouldn't have to enter the encryption key inside your php script. If you can encrypt your php itself using ioncube or similar tools, then that would be an option.

You can find quite some articles on mysql/php security from google.
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Since pre-biblical times, humans have sought ways to keep secrets, and share the secrets selectively.  This article explores the ways PHP can be used to hide and encrypt information.
Originally, this post was published on Monitis Blog, you can check it here . In business circles, we sometimes hear that today is the “age of the customer.” And so it is. Thanks to the enormous advances over the past few years in consumer techno…
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.
Suggested Courses

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question