PHP ODBC Security Concern

I would like to create a form to submit trouble tickets to a SQL Server 2008 database.  I've used odbc_connect in PHP before to do simple INSERT INTO statements. This time however I want to validate data before I insert. Which brings me to my security concern.

I embed a user/pass in the odbc_connect. This user has insert only rights on the SQL table. So worst case if it is compromised it would only be allowed to insert data. Now I need to also give it read ability to some semi-sensitive tables.

So question one. Can the PHP source be read and the user/pass compromised? My research says no as long as the server is properly secured and no public domain has rights.

If that is true then is there any worry about embedding the password in the PHP code?
bhieb Asked:

Gary Commented:
The only way it can be read is if someone has direct access to the server either thru a console or FTP.
Barring something going drastically wrong with the server where PHP is no longer processed, no one can see the PHP code.
0
bhieb Author Commented:
So I guess my last question would be: is this how it is normally done? When you/others need to process database data in PHP, do you just embed the user/pass into the odbc_connect?
0
Gary Commented:
Yep, you have to pass it somehow and the only way is in the PHP code - at some point you have to include the user/pass.
0

Dave Baldwin (Fixer of Problems) Commented:
I agree with Gary123, the username and password have to be in the PHP SQL connect code at some point. It is in the hundreds of PHP and SQL files that I have written.
0
bhieb Author Commented:
Thanks, since this is my first PHP/SQL read, I just wanted to be sure.
0
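
An added example, not code from any participant in this thread: one common way to keep the odbc_connect credentials out of the web-served .php files, so they stay unreadable even if the server stops processing PHP, combined with input validation and a parameterized INSERT. The config path, INI keys, DSN, table and column names are assumptions.

```php
<?php
// Assumed path outside the web root; constructed contents: dsn=TicketDSN, user=ticket_writer, pass=placeholder
const DB_CONFIG = '/etc/ticketapp/db.ini';

function load_db_config(string $path): array
{
    $cfg = parse_ini_file($path, false, INI_SCANNER_RAW);
    if ($cfg === false || !isset($cfg['dsn'], $cfg['user'], $cfg['pass'])) {
        throw new RuntimeException('Database configuration missing or incomplete');
    }
    return $cfg;
}

// Validate before touching the database; returns values in placeholder order.
function validate_ticket(array $in): array
{
    $email   = filter_var($in['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $subject = trim((string) ($in['subject'] ?? ''));
    $body    = trim((string) ($in['body'] ?? ''));
    if ($email === false || $subject === '' || strlen($subject) > 200
        || $body === '' || strlen($body) > 4000) {
        throw new InvalidArgumentException('Invalid ticket data');
    }
    // The PHP manual notes that odbc_execute() treats a parameter wrapped in
    // single quotes as a file name to read, so refuse such values outright.
    foreach ([$subject, $body] as $v) {
        if ($v[0] === "'" && substr($v, -1) === "'") {
            throw new InvalidArgumentException('Invalid ticket data');
        }
    }
    return [$email, $subject, $body];
}

function insert_ticket(array $post): void
{
    $params = validate_ticket($post);
    $cfg    = load_db_config(DB_CONFIG);
    $conn   = odbc_connect($cfg['dsn'], $cfg['user'], $cfg['pass']);
    if ($conn === false) {
        throw new RuntimeException('Database connection failed');
    }
    $stmt = odbc_prepare($conn, 'INSERT INTO tickets (email, subject, body) VALUES (?, ?, ?)');
    $ok   = $stmt !== false && odbc_execute($stmt, $params);
    odbc_close($conn);
    if (!$ok) {
        throw new RuntimeException('Insert failed');
    }
}
```

Call `insert_ticket($_POST)` from the form handler, catch the exceptions there, and show the user only a generic error so driver messages and connection details are not echoed to the browser.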