Jump to content

Keeping My Connection Info Safe

verdrm

By verdrm
in PHP Coding Help

 Share

Recommended Posts

verdrm Regular Member

verdrm

Posted
Posted

I am working on a CMS for use with my clients' websites. Although I host the CMS system on my server, their websites are hosted with other providers. I have setup my CMS system to provide a hash value which corresponds with their CMS account, and I place that hash value on their PHP files so that only posts from their accounts show up on their pages (ex. News posts, Announcements, etc.). The problem is that I have to add my server's MySQL connection info to their web pages and I can't be sure that they are the only ones able to view that data (other employees, friends, etc.).

 

Can anyone think of an alternative to placing the data directly on the web pages? Is there another way to still 'connect' the pages to the MySQL database without exposing my connection info?

Link to comment
Share on other sites
verdrm Regular Member

verdrm

Posted
  • Author
Posted

I was thinking about require_once 'filename' but I'm not sure if that works only because the file would not be on their web server. I guess I could try. The only problem with requiring a file from my remote web server is that they can in-turn see where that file is, and if the wrong person saw what variables I was collecting from it they could still obtain the db connect information. Does that make sense?

 

Any other thoughts?

Link to comment
Share on other sites
verdrm Regular Member

verdrm

Posted
  • Author
Posted

That's true, they can't actually see my connection info, but see what the previous posters are saying is incorrect. Even though the people who I give the files to cannot see my connection info, they still can see in my PHP files what 'information' I am requesting. They could just write a script echoing $username, $password, $host, etc. and see the information. I need a way for my PHP files to still interact with MySQL without a user at their end finding my connection info.

 

To sum that up:

 

If I add to index.php on their end " require_once 'domain.com/dbconnect.php' ", and then request in that file $host, $username, etc. they could just write another line echoing that info (echo $host;).

 

I guess my scenario just isn't possible yet? Could I encrypt my connection info and then decrypt it on their side? If so, how would I do that without those users being able to see my decryption method?

 

Link to comment
Share on other sites
corbin Regular Member

corbin

Posted
Posted

Without extending MySQL, (this is pretty close minded in a way), to put it simply, if you make the connection on their side, they will know your information.

 

You could make it post the data to a page on your site and then back to their site, or you could simply use curl or something like that (even straight headers if you needed to do minimal stuff), and then your script would handle inserting data.  You would need to make sure to authenticate their script so that if someone found your server's script they couldn't do anything.

 

There might be a better way, but that's all I can think of.

Link to comment
Share on other sites
teng84 Member

teng84

Posted
Posted

heres my question for you and i guess this might also an answer

 

how can they wirte an script on your domain etc.. server script cant be changed in clients side

once the browser runs it will interpret your code as printed html so theres no way they can add a script echoing just what you say. if your problem is applicable then all sites are in danger i guess and i believe this also use kthe most common and effective way of defining connectin which turns out as your problem.

 

but if they can open your page (your script) what ever hashing you do i believe its useless

Link to comment
Share on other sites
verdrm Regular Member

verdrm

Posted
  • Author
Posted

teng84,

 

They aren't writing a script on my domain or server. They could write a script on their server because they would have scripts of mine with connection info to my MySQL server. I'm just trying to be mindful of possible security threats -- I realize that either way they can see on their end how their scripts interact with MySQL on my end.

Link to comment
Share on other sites
deadonarrival Member

deadonarrival

Posted
Posted

It's not ideal, but to add an extra layer of security you could "hide" a salt, or encryption, in the scripts.

 

IE you have a dbconnect file

$user = "myusername";

$password = "mypass"; (can be anything)

$host....

etc.

 

Then somewhere else in the script, hash this, md5 would do.

$password = md5($password);

 

The md5'd version being the actual password to your server.

 

If nothing else it makes a casual "oh look, password information" user go "eh?" and maybe assume you know something they dont and give up.

 

Another idea might be to add other things...

$password = $user.$password; could help... and use that as your db password

 

They aren't the kind of thing that would put off a determined nasty person... but most people won't trawl through your code looking for where you edit the password, they'll just assume they're doing something wrong and give up.

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.