Storing a mysql password


BelowZero

I need to find a way to store a password for connection to a remote database. I'm writing a program that will create a database on whatever server the user is using. Obviously, they will have to provide their username and password in order to create the database and have access to it. I need my program to get the information once (when they use the setup utility), then be able to store it so they can automatically connect to the database whenever my program is used. I plan on using a PHP file for storage and include() to gain access to the info. I just don't have an idea for getting the information into the PHP file in the first place.

 

Thanks for any ideas!

 

Link to comment
Share on other sites

Accept the root username and password.

 

Create yourself a database and a user unique to your application.

 

Discard the root credentials.

 

Proceed with the standard username for your application (and a random password hopefully).

Link to comment
Share on other sites
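The four steps in the post above, as an added PHP sketch using PDO (not code from the thread). The function name `provisionAppAccount()`, the privilege list and the `localhost` host part are assumptions, and running it needs a reachable MySQL server.

```php
<?php
// Added example (not from the thread): use the admin login once to create a
// dedicated database and a least-privilege account, then drop the admin login.
// provisionAppAccount(), the grant list and the 'localhost' host are assumptions.

function provisionAppAccount(string $host, string $adminUser, string $adminPass,
                             string $dbName, string $appUser): array
{
    // Identifiers cannot be bound as parameters, so allow only a strict pattern.
    foreach ([$dbName, $appUser] as $name) {
        if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $name)) {
            throw new InvalidArgumentException("Invalid identifier: $name");
        }
    }

    $pdo = new PDO("mysql:host=$host;charset=utf8mb4", $adminUser, $adminPass,
                   [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

    // Random password from the CSPRNG; hex output needs no escaping in SQL.
    $appPass = bin2hex(random_bytes(24));
    $account = $pdo->quote($appUser) . "@'localhost'";

    $pdo->exec("CREATE DATABASE IF NOT EXISTS `$dbName`");
    $pdo->exec("CREATE USER $account IDENTIFIED BY " . $pdo->quote($appPass));
    // Grant only what the application needs, and only on its own database.
    $pdo->exec("GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, INDEX
                ON `$dbName`.* TO $account");

    // Discard the admin session; the caller must not persist $adminPass.
    $pdo = null;

    // Only these application credentials are written to the config file.
    return ['server' => $host, 'database' => $dbName,
            'username' => $appUser, 'password' => $appPass];
}
```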

I would also suggest that if you are storing passwords that you need to retrieve later, you should be encrypting them (not hashing) to provide some level of security.

 

Normally, when storing user passwords for authentication purposes you would "hash" them, which is also referred to as a one-way encryption. Theoretically, a hashed value cannot be unhashed to get the original value. There are many conversations on this and the best practices and the risks, so I don't want this to devolve into one of those discussions. With a hashed value, no one should ever be able to retrieve the user's password (not even the admin).

 

But, since you need the passwords in order to authenticate into a database you will need the original value. So, you need a way to encrypt and decrypt.

Link to comment
Share on other sites

I would also suggest that if you are storing passwords that you need to retrieve later, you should be encrypting them (not hashing) to provide some level of security.

 

Normally, when storing user passwords for authentication purposes you would "hash" them, which is also referred to as a one-way encryption. Theoretically, a hashed value cannot be unhashed to get the original value. There are many conversations on this and the best practices and the risks, so I don't want this to devolve into one of those discussions. With a hashed value, no one should ever be able to retrieve the user's password (not even the admin).

 

But, since you need the passwords in order to authenticate into a database you will need the original value. So, you need a way to encrypt and decrypt.

 

Maybe I'm wrong, but I think he is talking about the database credentials. You don't really need to encrypt those, because if they have access to the file in the first place they also have the means to decrypt it.

Link to comment
Share on other sites

Right, the credentials don't need to be encrypted if they're right there in the file.  If you're storing the credentials to OTHER services in the database, encrypt them there, but db passwords should always be plaintext.

 

I disagree, he is storing database credentials provided by users to their databases. Granted, if a malicious user obtained the credentials and the source code for encrypting/decrypting them, then it is a trivial task to get the values. Once you ask the user for information, any information, you need to be a good steward of their information and provide appropriate security measures based upon the risks if the information is exposed. Many sites store CC information which they will need to use in plain text for future purchases by the user, and they damn well better be encrypting that information and only decrypting it when they need to use it. I see no reason to not do the same for protecting the credentials submitted by users which could compromise their databases.

 

But, this is not my application, so I have no stake in it or the consequences if any information is leaked. This is just my opinion.

Link to comment
Share on other sites

Hmm, I guess I read his post wrong. It seems a little vague to me. I read it as he was making an installer for an application which stores the credentials in a file.

 

EDIT: But once again, if you are storing them in a file then it doesn't matter if you encrypt them or not, unless you keep the encryption key off-site. If they have access to the file system to download the file where they are, they also have access to the encryption algorithm and the key.

Link to comment
Share on other sites

I took it the way scoot took it.  There are two scenarios:

 

1)  he's writing a software package that will be installed "locally" on the customer's webserver.  It needs to accept creds to the user's database, make itself a new user, then discard the user's creds and store its own in plaintext in a file.

 

2)  He's writing an application on HIS server which will remotely connect to someone else's database and perform actions.  In this case, remote creds need to be encrypted in the database, and preferably have a database that's not accessible to the outside world except through the webserver.

Link to comment
Share on other sites
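For scenario 2, where the original password has to be recoverable, an added sketch (not code from the thread) of reversible, authenticated encryption with PHP's sodium extension. The environment variable `APP_CRED_KEY` and the function names are assumptions; the point raised earlier in the thread still holds, so the key has to live somewhere other than the database or file that holds the ciphertext.

```php
<?php
// Added example, not from the thread. Needs PHP 7.2+ with the sodium extension.
// APP_CRED_KEY is a hypothetical environment variable set outside the web root.

function loadKey(): string
{
    $key = base64_decode((string) getenv('APP_CRED_KEY'), true);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('APP_CRED_KEY is missing or has the wrong length');
    }
    return $key;
}

function encryptCredential(string $plaintext, string $key): string
{
    // A fresh random nonce per value; it is not secret and is stored alongside.
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($plaintext, $nonce, $key));
}

function decryptCredential(string $stored, string $key): string
{
    $raw = base64_decode($stored, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        throw new RuntimeException('Stored value is not a valid ciphertext');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open(
        substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), $nonce, $key);
    if ($plain === false) {
        // Authenticated encryption: a wrong key or a modified row is detected.
        throw new RuntimeException('Decryption failed: wrong key or altered data');
    }
    return $plain;
}

// Constructed demo values; a real deployment would call loadKey() instead.
$key    = sodium_crypto_secretbox_keygen();
$stored = encryptCredential('constructed-remote-db-password', $key);
echo "column value: $stored\n";
echo "round trip ok: ", var_export(
    decryptCredential($stored, $key) === 'constructed-remote-db-password', true), "\n";
```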

Ah, I see. Well, when I read this

I need to find a way to store a password for connection to a remote database.

I took it as meaning the database was remote/external to his application (that he is hosting) - i.e. the user's database. If it was to just set up the database connection when the user is setting up the application (application and DB) on their servers I would not have used the word "Remote" because the DB server could very well be on the same machine. Ah well, doesn't really matter if the OP doesn't respond.

Link to comment
Share on other sites

No, I'm still here. Just had to be out of town for a while.

 

 

1)  he's writing a software package that will be installed "locally" on the customer's webserver.  It needs to accept creds to the user's database, make itself a new user, then discard the user's creds and store its own in plaintext in a file.

 

This is what I'm trying to do.

 

The program will be installed on the user's webserver. After that I will have no need for the creds, but they will still need to be stored in a way that the new user will have access to their database without having to re-enter the password every time it connects.

 

I will try file-put-contents and see how that works. Thanks for the advice and the lively conversation.

Link to comment
Share on other sites

Typically you will have an "install" script that must be run before the application can be used. Usually, among other things, that install script will ask for the MySQL credentials. Then they will be saved to a file (using file_put_contents()) which your main application includes.

Link to comment
Share on other sites

Thanks scootstah.

 

Would this be the proper syntax to use?

(Variables coming from the setup page)


$server = $_POST["server"];
$username = $_POST["username"];
$password = $_POST["password"];

file_put_contents("/test/databasedata.php",$server);
file_put_contents("/test/databasedata.php",$username);
file_put_contents("/test/databasedata.php",$password);

Thanks.

Link to comment
Share on other sites

No. You'd need something like this:

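<?php

$server = $_POST["server"];
$username = $_POST["username"];
$password = $_POST["password"];

// var_export() emits each value as a correctly escaped PHP string literal,
// so a quote or backslash in the input cannot break out of the generated code.
$data = "<?php\n\n"
    . "\$server = " . var_export($server, true) . ";\n"
    . "\$username = " . var_export($username, true) . ";\n"
    . "\$password = " . var_export($password, true) . ";\n";

file_put_contents("/test/databasedata.php", $data);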

Link to comment
Share on other sites

No. You'd need something like this:

 

Or skip all the \n nonsense and use heredoc:

 

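<?php

// var_export() returns each value as an escaped, quoted PHP string literal,
// so the heredoc below does not add its own quotes around the values.
$server = var_export($_POST["server"], true);
$username = var_export($_POST["username"], true);
$password = var_export($_POST["password"], true);

// The opening identifier must be followed directly by a newline (no trailing space).
$data = <<<DATA
<?php

\$server = $server;
\$username = $username;
\$password = $password;
DATA;

file_put_contents("/test/databasedata.php", $data);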

Link to comment
Share on other sites

New problem...

 

It appears that all the connection data is being stored properly, but now I can't connect to the database.

My databasedata file holds:

$server = localhost;

$username = somename;

$password = somepassword;

 

and I am including this into the opendatabase file

include("databasedata.php");
$con = mysql_connect("$server","$username","password");

 

and I end up with this message: (actual username and password changed)

 

< $server = localhost; $username = somename; $password = somepassword; ?>

Warning: mysql_connect() [function.mysql-connect]: Access denied for user 'somename'@'localhost' (using password: YES) in /var/www/html/test/opendatabase.php on line 4

Could not connect: Access denied for user 'somename'@'localhost' (using password: YES)

 

I'm thinking maybe it's a problem with where or where not quotes are being included?

Or could it be something else? Thanks.

Link to comment
Share on other sites

Well, now there's a new problem...

 

It appears that my login info is being stored correctly. I have a "databasedata" file that contains:

$server = localhost;

$username = somename;

$password = somepasswork;

 

I include that file into my opendatabase file:

include("databasedata.php");
$con = mysql_connect("$server","$username","password");

 

When I try to connect I get this message: (actual username and password changed)

 

< $server = localhost; $username = somename; $password = somepassword; ?>

Warning: mysql_connect() [function.mysql-connect]: Access denied for user 'somename'@'localhost' (using password: YES) in /var/www/html/test/opendatabase.php on line 4

Could not connect: Access denied for user 'somename'@'localhost' (using password: YES)

 

Could there be a problem with where or where not quotes are being used?

Or could it be another problem? Thanks.

Link to comment
Share on other sites

another problem...

This code is putting the data into the "databasedata.php" file just fine to begin with, but after a while the file is getting overwritten.

Instead of $server = "localhost"; it is overwritten to $server="";. It overwrites every variable.

I am using include() to call the file. Obviously the file gets called whenever I need to connect to the database for updates.

It works fine for a while, then suddenly I can no longer connect.

Not sure where to turn next...

<?php

//--Creates a file to store Login Information--\\
$data = <<<DATA
<?php
\$server = "$server";
\$username = "$username";
\$password = "$password";
?>
DATA;

file_put_contents("databasedata.php", $data);

?>

Thanks.

Link to comment
Share on other sites
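An added example (not code from the thread) of a config writer for the `file_put_contents()` approach discussed above, which also guards against the overwrite described in the last post. It assumes, without the thread confirming it, that the empty values come from the writer running again without form data; `writeDbConfig()` and the "PHP file that returns an array" layout are likewise assumptions.

```php
<?php
// Added example (not from the thread). writeDbConfig() and the file layout
// (a PHP file that returns an array) are assumptions.

function writeDbConfig(string $path, array $input): void
{
    $config = [];
    foreach (['server', 'username', 'password'] as $field) {
        $value = $input[$field] ?? null;
        // Refuse missing, empty or non-string values, so a later request without
        // form data cannot replace good settings with empty strings.
        if (!is_string($value) || $value === '') {
            throw new InvalidArgumentException("Missing field: $field");
        }
        $config[$field] = $value;
    }

    // var_export() escapes quotes and backslashes, so input cannot inject code.
    $php = "<?php\nreturn " . var_export($config, true) . ";\n";

    // Write a temp file in the same directory, then rename it into place:
    // a concurrent include() never sees a half-written file.
    $tmp = tempnam(dirname($path), 'cfg');
    if ($tmp === false || file_put_contents($tmp, $php, LOCK_EX) === false) {
        throw new RuntimeException('Could not write temporary config file');
    }
    chmod($tmp, 0600);  // readable only by the account PHP runs as
    if (!rename($tmp, $path)) {
        unlink($tmp);
        throw new RuntimeException("Could not replace $path");
    }
}

// Constructed input: a password containing quotes, a backslash and PHP syntax.
$path     = sys_get_temp_dir() . '/databasedata.php';
$password = "pa'ss\\word'; echo 'x";
writeDbConfig($path, ['server' => 'localhost', 'username' => 'app',
                      'password' => $password]);
$db = include $path;   // include returns the array; no globals are defined
echo "round trip ok: ", var_export($db['password'] === $password, true), "\n";

try {   // A second run with no form data is rejected and the file is kept.
    writeDbConfig($path, ['server' => '', 'username' => '', 'password' => '']);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The setup script should also live outside the paths that normal requests reach, or be removed after installation, so that it cannot be triggered again.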
