Forum Moderators: coopster
I've worked with PHP abit and just recently I've done some mySQL work for classes and I have a better feel for it now than before. I'm thinking of redoing my db that used to be on a flat file to mySQL. I've worked with mySQL syntax and some php, but nothing with each other. I looked up simple tutorials that showed you how to connect to mySQL db with small functions/etc. Here is snippet of something simple:
<?php
mysql_connect("localhost", "admin", "1admin") or die(mysql_error());
echo "Connected to MySQL<br />";
?>
This database that I'm writing will have a limited priv. that is only acquired through localhost and no ext. connections. I wanted to someone have it read from a file with encrypted login/pass. I know there are some md5 encryption out there and I already created the conversion of the login/pass to md5 hash. I'm not sure if that is the best way to do it. Both our workers and students will be able to access the diff. php db pages and the pages must store the login/pass. I was hoping someone could direct me on the best way to implement this workorder database with php and mySQL and any security hints or snippets of code or tutorial would help me. Only recently have I worked with PHP and mySQL. I'm still new in both areas, but I'm more familiar with it now than few months before. Thank you for your time.
include '/share/dir/dir/dbData.incl.php';
mysql_connect($nmHost, $nmUser, $txPassword) or die(mysql_error()); (note i havent checked the order of params there)
where dbData.incl.php is something like:
$nmHost = "localhost";
$nmUser = "admin";
$txPassword = '1admin';
I hope this makes sense - basically, remove the data from the publically readable area of the webserver.
The file still needs to be world-readable for the webserver to be able to read it (or you could get extra clever and make the file's group the same as the webserver) but it is placed in a directory that cannot be viewed from the web.
HIH!
dbcfg.php
---------
$db = array(
'hostname' => 'localhost',
'username' => 'testuser',
'password' => 'blahblah',
'database' => 'mydata',
);
functions.php
-------------
function dbconn() {
if(!include_once('/path/to/dbcfg.php')) {
die('Error include file...');
}
if (!$link = mysql_connect($db['hostname'],$db['username'],['password'])) {
die('Error connecting...');
}
if (!mysql_select_db($db)) {
die('Error selecting...');
}
return $link;
}
file.php
--------
include('/path/to/functions.php');
$link = dbconn();
That's a very simplified version, but it shows the idea. You want the db config outside of the web root and then optionally, include the file via a function like above to keep the config's variable scope unavailable outside of the function.
For encrypting other username/password for user accounts, etc. An MD5 comparison on the password is sufficient.
$db = array(
'hostname' => 'localhost',
'username' => 'testuser',
'password' => 'blahblah',
'database' => 'mydata',
);
Could be written as :
$db = array(
'hostname' => 'md5 hash',
'username' => 'md5 hash',
'password' => 'md5 hash',
'database' => 'md5 hash',
);
Also after the admin account has been setup to check the system. I wanted to create a user profile setup where I add users and I want their information hashed. Is there a simple command that allows the values to be hashed and sent to the mySQL db. Thanks for your time once again.
Login.php -> Calls connect.php that knows how to access the database to check if the registered user is in the system
Connect.php -> has the code that actually connects to the db to check for a connection.
For security reason, I know you don't want to put the connection code with the login/pass open to the public. So I wanted to have Connect.php be an included function in Login.php, for more security, I wanted to know if I had an md5 hash of the login/pass in Connect.php. Would Login.php be able to translate it and connect to the database. I just didn't want the generic mySQL connection be seen publicly, if someone had access to the server. Thank you for your time.
If you have FTP access one level above your web root directory, then simply store the database connection info there, unencrypted. Then it's not readable from a web browser.
If it's not stored outside of the web root, no amount of encryption or hashing will protect it unless you specifically deny web access to that type of file via .htaccess or URLScan for IIS. Then you can still include it but it will not be served via the web server. And of course for that method, you wouldn't need to hash/encrypt it.
User Accounts:
When you create/add/whatever a user account, store their username, but md5() the password before storing it. Then, when you need to compare it, md5() the submitted password before the comparison. This will automatically make it case sensitive, by the way.
Hope that helps :)
