
allow_url_fopen


dotkpay


Hello,

I am writing a script that is supposed to connect to a remote database without having the credentials (host, user & password) written in the code itself.

There are two ideas I picked up from the net, and the first is to enable allow_url_fopen in the remote server's php.ini and then have a file with the database credentials that I can fopen with this script, read from it, and then connect to the database on that same server.

But I am afraid this might be a security gap, since anyone with that file's address will be able to read from it and connect to the database.

Is the allow_url_fopen method really secure?

The other means is CURL but I am not sure it will work well with my current structure.

Please advise me on the best means to connect to this database.

Thanks in advance.

Link to comment
Share on other sites

Because the application will be run as a compiled executable on users' desktops.

Decoding the script from an exe format back to the source is next to impossible, but a very skilled hacker can decode only a small part of it, most probably the part with the credentials, and gain access to the remote database.

It would work to store the credentials locally if the application is to be hosted on a web server as well, but it's potentially hazardous in a desktop environment.

Link to comment
Share on other sites

If you want to have a remote file with the details, it will have to be encrypted and then decrypted by your app after download. The method you use to download it (curl vs allow_url_fopen) makes no difference, as both are just a simple HTTP request.

IMO, you're probably better off just embedding it into the source directly.

 

Link to comment
Share on other sites
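The encrypt-before-publishing approach from the reply above, as an added PHP example that is not part of the thread. It assumes PHP 7.2+ with the bundled sodium extension; the function names, the host, user and password, and the in-memory key are constructed for illustration. The decryption key has to ship inside the application, so it needs the same protection as the credentials themselves.

```php
<?php
// Added example: authenticated encryption of a remote credentials file.

// Server side (run once): encrypt the credentials before the file is published.
function seal_credentials(array $creds, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = sodium_crypto_secretbox(json_encode($creds), $nonce, $key);
    return base64_encode($nonce . $box); // the nonce is not secret; ship it with the ciphertext
}

// Client side: decrypt and authenticate whatever the HTTP request returned.
function open_credentials(string $blob, string $key): array
{
    $raw = base64_decode($blob, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        throw new RuntimeException('credentials file is malformed');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($plain === false) { // wrong key, or the file was modified in transit
        throw new RuntimeException('credentials file failed authentication');
    }
    $creds = json_decode($plain, true);
    sodium_memzero($plain); // wipe the plaintext buffer once parsed
    if (!is_array($creds)) {
        throw new RuntimeException('credentials file has unexpected content');
    }
    return $creds;
}

// Constructed sample values; in a real deployment the key is generated once
// and embedded in the application (assumption).
$key       = sodium_crypto_secretbox_keygen();
$published = seal_credentials(
    ['host' => 'db.example.com', 'user' => 'app_user', 'password' => 'constructed-sample'],
    $key
);

// In the application, $published would be the body of the HTTP response,
// fetched with either allow_url_fopen or curl; decryption is identical.
$creds = open_credentials($published, $key);
echo 'host: ', $creds['host'], PHP_EOL;

// A file altered by anyone without the key is rejected rather than parsed.
$raw = base64_decode($published, true);
$raw[strlen($raw) - 1] = $raw[strlen($raw) - 1] ^ "\x01";
try {
    open_credentials(base64_encode($raw), $key);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```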
