PHP ODBC Security Concern

I would like to create a form to submit trouble tickets to a SQL Server 2008 database.  I've used odbc_connect in PHP before to do simple INSERT INTO statements. This time however I want to validate data before I insert. Which brings me to my security concern.

I embed a user/pass in the odbc_connect. This user has insert only rights on the SQL table. So worst case if it is compromised it would only be allowed to insert data. Now I need to also give it read ability to some semi-sensitive tables.

So question one. Can the PHP source be read and the user/pass compromised? My research says no as long as the server is properly secured and no public domain has rights.

If that is true then is there any worry about embedding the password in the PHP code?

Gary commented:
Yep, you have to pass it somehow and the only way is in the php code - at some point you have to include the user/pass.
The only way it can be read is if someone has direct access to the server either thru a console or ftp.
Barring something going drastically wrong with the server where php is no longer processed then no one can see the php code.

bhieb (Author) commented:
So I guess my last question would be: is this how it is normally done? When you/others need to process database data in PHP, do you just embed the user/pass into the odbc_connect?

Dave Baldwin (Fixer of Problems) commented:
I agree with Gary123, the username and password have to be in the PHP SQL connect code at some point.  It is in the hundreds of PHP and SQL files that I have written.

bhieb (Author) commented:
Thanks, since this is my first PHP/SQL read, I just wanted to be sure.
Question has a verified solution.
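
The failure mode named in the thread (a server that stops processing PHP and serves the source as text) is commonly limited by reading the user/pass from a file outside the document root, and the validate-then-insert step from the question can use ODBC parameter binding. This is an added example, not code from any poster; the path `/etc/tickets/db.ini`, the table `dbo.Tickets`, its columns and the field limits are assumptions.

```php
<?php
// Added example. Assumed names: /etc/tickets/db.ini, dbo.Tickets(email, subject, body).
// db.ini sits outside the web root, readable only by the web server user:
//   dsn=TicketsDSN / user=ticket_writer / pass=...
function load_db_config(string $path): array
{
    // INI_SCANNER_RAW keeps special characters in the password as written.
    $cfg = parse_ini_file($path, false, INI_SCANNER_RAW);
    if ($cfg === false || !isset($cfg['dsn'], $cfg['user'], $cfg['pass'])) {
        throw new RuntimeException('database configuration missing or incomplete');
    }
    return $cfg;
}

// Validate before touching the database. Returns [clean values, error list].
function validate_ticket(array $in): array
{
    $clean = ['email' => '', 'subject' => '', 'body' => ''];
    foreach ($clean as $key => $unused) {
        $clean[$key] = trim((string)($in[$key] ?? ''));
    }
    $errors = [];
    if (filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) { $errors[] = 'email'; }
    if ($clean['subject'] === '' || strlen($clean['subject']) > 200)  { $errors[] = 'subject'; }
    if ($clean['body'] === '' || strlen($clean['body']) > 4000)       { $errors[] = 'body'; }
    // The PHP manual documents that odbc_execute() treats a parameter wrapped in
    // single quotes as a file name to read, so such values are rejected here.
    foreach ($clean as $key => $value) {
        if (preg_match("/^'.*'\$/s", $value)) { $errors[] = $key . ' (quoted)'; }
    }
    return [$clean, $errors];
}

function insert_ticket(array $cfg, array $clean): void
{
    $conn = odbc_connect($cfg['dsn'], $cfg['user'], $cfg['pass']);
    if ($conn === false) { throw new RuntimeException('database connection failed'); }
    // Placeholders keep user input out of the SQL text.
    $stmt = odbc_prepare($conn, 'INSERT INTO dbo.Tickets (email, subject, body) VALUES (?, ?, ?)');
    $ok = $stmt !== false && odbc_execute($stmt, array_values($clean));
    if (!$ok) { error_log(odbc_errormsg($conn)); } // log details, do not echo them
    odbc_close($conn);
    if (!$ok) { throw new RuntimeException('ticket insert failed'); }
}

// Constructed sample input; the second value set fails validation.
[$clean, $errors] = validate_ticket(['email' => 'user@example.com', 'subject' => 'Printer', 'body' => 'Jammed']);
[$bad, $badErrors] = validate_ticket(['email' => 'nope', 'subject' => "'/etc/passwd'", 'body' => '']);
// With a real DSN: if (!$errors) { insert_ticket(load_db_config('/etc/tickets/db.ini'), $clean); }
```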