BelowZero Posted March 15, 2012

I need to find a way to store a password for connection to a remote database. I'm writing a program that will create a database on whatever server the user is using. Obviously, they will have to provide their username and password in order to create the database and have access to it. I need my program to get the information once (when they use the setup utility), then be able to store it so they can automatically connect to the database whenever my program is used. I plan on using a php file for storage and include() to gain access to the info. I just don't have an idea for getting the information into the php file in the first place. Thanks for any ideas!

ManiacDan Posted March 15, 2012

Accept the root username and password. Create yourself a database and a user unique to your application. Discard the root credentials. Proceed with the standard username for your application (and a random password hopefully).

scootstah Posted March 15, 2012

> I just don't have an idea for getting the information into the php file in the first place.

You would use file_put_contents for that.

Psycho Posted March 15, 2012

I would also suggest that if you are storing passwords that you need to retrieve later, you should be encrypting them (not hashing) to provide some level of security. Normally, when storing user passwords for authentication purposes you would "hash" them, which is also referred to as a one-way encryption. Theoretically, a hashed value cannot be unhashed to get the original value. There are many conversations on this and the best practices and the risks, so I don't want this to devolve into one of those discussions. With a hashed value, no one should ever be able to retrieve the user's password (not even the admin). But, since you need the passwords in order to authenticate into a database you will need the original value. So, you need a way to encrypt and decrypt.

scootstah Posted March 15, 2012

> I would also suggest that if you are storing passwords that you need to retrieve later, you should be encrypting them (not hashing) to provide some level of security. Normally, when storing user passwords for authentication purposes you would "hash" them, which is also referred to as a one-way encryption. Theoretically, a hashed value cannot be unhashed to get the original value. There are many conversations on this and the best practices and the risks, so I don't want this to devolve into one of those discussions. With a hashed value, no one should ever be able to retrieve the user's password (not even the admin). But, since you need the passwords in order to authenticate into a database you will need the original value. So, you need a way to encrypt and decrypt.

Maybe I'm wrong, but I think he is talking about the database credentials. You don't really need to encrypt those, because if they have access to the file in the first place they also have the means to decrypt it.

ManiacDan Posted March 15, 2012

Right, the credentials don't need to be encrypted if they're right there in the file. If you're storing the credentials to OTHER services in the database, encrypt them there, but db passwords should always be plaintext.

Psycho Posted March 15, 2012

> Right, the credentials don't need to be encrypted if they're right there in the file. If you're storing the credentials to OTHER services in the database, encrypt them there, but db passwords should always be plaintext.

I disagree, he is storing database credentials provided by users to their databases. Granted, if a malicious user obtained the credentials and the source code for encrypting/decrypting them, then it is a trivial task to get the values. Once you ask the user for information, any information, you need to be a good steward of their information and provide appropriate security measures based upon the risks if the information is exposed. Many sites store CC information which they will need to use in plain text for future purchases by the user, and they damn well better be encrypting that information and only decrypting it when they need to use it. I see no reason to not do the same for protecting the credentials submitted by users which could compromise their databases.

But, this is not my application, so I have no stake in it or the consequences if any information is leaked. This is just my opinion.

scootstah Posted March 15, 2012

Hmm, I guess I read his post wrong. It seems a little vague to me. I read it as he was making an installer for an application which stores the credentials in a file.

EDIT: But once again, if you are storing them in a file then it doesn't matter if you encrypt them or not, unless you keep the encryption key off-site. If they have access to the file system to download the file where they are, they also have access to the encryption algorithm and the key.

ManiacDan Posted March 15, 2012

I took it the way scoot took it. There are two scenarios:

1) He's writing a software package that will be installed "locally" on the customer's webserver. It needs to accept creds to the user's database, make itself a new user, then discard the user's creds and store its own in plaintext in a file.

2) He's writing an application on HIS server which will remotely connect to someone else's database and perform actions. In this case, remote creds need to be encrypted in the database, and preferably have a database that's not accessible to the outside world except through the webserver.

Psycho Posted March 15, 2012

Ah, I see. Well, when I read this

> I need to find a way to store a password for connection to a remote database.

I took it as meaning the database was remote/external to his application (that he is hosting) - i.e. the user's database. If it was to just set up the database connection when the user is setting up the application (application and DB) on their servers I would not have used the word "Remote" because the DB server could very well be on the same machine.

Ah well, doesn't really matter if the OP doesn't respond.

ManiacDan Posted March 15, 2012

But then he has a configuration utility and it's just a big mess. Either way, he appears to be gone, we've laid out the two scenarios and given him the file-put-contents solution.

BelowZero (Author) Posted March 16, 2012

No, I'm still here. Just had to be out of town for a while.

> 1) he's writing a software package that will be installed "locally" on the customer's webserver. It needs to accept creds to the user's database, make itself a new user, then discard the user's creds and store its own in plaintext in a file.

This is what I'm trying to do. The program will be installed on the user's webserver. After that I will have no need for the creds, but they will still need to be stored in a way that the new user will have access to their database without having to re-enter the password every time it connects.

I will try file-put-contents and see how that works. Thanks for the advice and the lively conversation.

scootstah Posted March 16, 2012

Typically you will have an "install" script that must be run before the application can be used. Usually, among other things, that install script will ask for the MySQL credentials. Then they will be saved to a file (using file_put_contents()) which your main application includes.

BelowZero (Author) Posted March 16, 2012

Thanks scootstah. Would this be the proper syntax to use? (Variables coming from the setup page)

```php
$server = $_POST["server"];
$username = $_POST["username"];
$password = $_POST["password"];

file_put_contents("/test/databasedata.php",$server);
file_put_contents("/test/databasedata.php",$username);
file_put_contents("/test/databasedata.php",$password);
```

Thanks.

scootstah Posted March 16, 2012

No. You'd need something like this:

```php
<?php
// var_export() returns each value as a quoted, escaped PHP string literal,
// so a quote in a submitted value cannot break the generated file.
$server   = var_export($_POST["server"], true);
$username = var_export($_POST["username"], true);
$password = var_export($_POST["password"], true);

$data = "<?php\n\n\$server = $server;\n\$username = $username;\n\$password = $password;\n";

file_put_contents("/test/databasedata.php", $data);
```

premiso Posted March 16, 2012

> No. You'd need something like this:

Or skip all the \n nonsense and use heredoc:

```php
<?php
// var_export() returns each value as a quoted, escaped PHP string literal,
// so a quote in a submitted value cannot break the generated file.
$server   = var_export($_POST["server"], true);
$username = var_export($_POST["username"], true);
$password = var_export($_POST["password"], true);

$data = <<<DATA
<?php
\$server = $server;
\$username = $username;
\$password = $password;
DATA;

file_put_contents("/test/databasedata.php", $data);
```

BelowZero (Author) Posted March 16, 2012

Whew...Thanks everyone! It is now saving my info as needed. Appreciate your help.

BelowZero (Author) Posted March 16, 2012

New problem... It appears that all the connection data is being stored properly, but now I can't connect to the database. My databasedata file holds:

```
$server = localhost;
$username = somename;
$password = somepassword;
```

and I am including this into the opendatabase file

```php
include("databasedata.php");
$con = mysql_connect("$server","$username","password");
```

and I end up with this message: (actual username and password changed)

```
< $server = localhost; $username = somename; $password = somepassword; ?>
Warning: mysql_connect() [function.mysql-connect]: Access denied for user 'somename'@'localhost' (using password: YES) in /var/www/html/test/opendatabase.php on line 4
Could not connect: Access denied for user 'somename'@'localhost' (using password: YES)
```

I'm thinking maybe it's a problem with where or where not quotes are being included? Or could it be something else? Thanks.

BelowZero (Author) Posted March 16, 2012

Well, now there's a new problem... It appears that my login info is being stored correctly. I have a "databasedata" file that contains:

```
$server = localhost;
$username = somename;
$password = somepassword;
```

I include that file into my opendatabase file:

```php
include("databasedata.php");
$con = mysql_connect("$server","$username","password");
```

When I try to connect I get this message: (actual username and password changed)

```
< $server = localhost; $username = somename; $password = somepassword; ?>
Warning: mysql_connect() [function.mysql-connect]: Access denied for user 'somename'@'localhost' (using password: YES) in /var/www/html/test/opendatabase.php on line 4
Could not connect: Access denied for user 'somename'@'localhost' (using password: YES)
```

Could there be a problem with where or where not quotes are being used? Or could it be another problem? Thanks.

scootstah Posted March 16, 2012

You don't need the quotes. Just do

```php
$con = mysql_connect($server,$username,$password);
```

BelowZero (Author) Posted March 16, 2012

Duh...shoulda seen that. Works great now. Thanks!

BelowZero (Author) Posted March 21, 2012

Another problem... This code is putting the data into the "databasedata.php" file just fine to begin with, but after a while the file is getting overwritten. Instead of $server = "localhost"; it is overwritten to $server="";. It overwrites every variable. I am using include() to call the file. Obviously the file gets called whenever I need to connect to the database for updates. It works fine for a while, then suddenly I can no longer connect. Not sure where to turn next...

```php
<?php
//--Creates a file to store Login Information--\\
$data = <<<DATA
<?php
\$server = "$server";
\$username = "$username";
\$password = "$password";
?>
DATA;
file_put_contents("databasedata.php", $data);
?>
```

Thanks.

scootstah Posted March 21, 2012

There's nothing wrong with that code. You are not calling that later are you?

BelowZero (Author) Posted March 21, 2012

No, it only gets called once. I'm currently checking the code to make sure.

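An added example, not code from the thread: an install-time writer for the databasedata.php file discussed above, covering both the file_put_contents step and the later report of the file being overwritten with empty values. It serializes the values with var_export() so a quote or backslash in a password cannot change the generated PHP, rejects empty input, and opens the file in mode 'x' so a later run cannot replace an existing config. The function name write_db_config, the temp path and the sample credentials are assumptions.

```php
<?php
// Added example, not code from the thread. write_db_config(), the temp
// path and the sample credentials are hypothetical / constructed.
function write_db_config(string $path, array $creds): void
{
    // Reject missing or empty fields, so a request that arrives without the
    // setup form data can never produce a file full of empty strings.
    foreach (['server', 'username', 'password'] as $key) {
        if (!isset($creds[$key]) || !is_string($creds[$key]) || $creds[$key] === '') {
            throw new InvalidArgumentException("missing value: $key");
        }
    }
    // var_export() emits a valid PHP literal and escapes quotes and
    // backslashes, so a value cannot break out of its string.
    $php = "<?php\nreturn " . var_export([
        'server'   => $creds['server'],
        'username' => $creds['username'],
        'password' => $creds['password'],
    ], true) . ";\n";

    // Mode 'x' fails if the file already exists: the installer writes once.
    // The temporary umask creates the file readable by its owner only.
    $old = umask(0077);
    $fh  = @fopen($path, 'x');
    umask($old);
    if ($fh === false) {
        throw new RuntimeException("config exists or is not writable: $path");
    }
    fwrite($fh, $php);
    fclose($fh);
}

// Constructed demo input; in the installer these come from the setup form.
$path  = sys_get_temp_dir() . '/databasedata_' . uniqid() . '.php';
$creds = ['server' => 'localhost', 'username' => 'appuser',
          'password' => "it's\\a'secret"];
write_db_config($path, $creds);
$cfg = include $path;            // the generated file returns an array
var_dump($cfg === $creds);       // values round-trip unchanged

try {                            // a call with empty values is refused
    write_db_config($path, ['server' => '', 'username' => '', 'password' => '']);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
unlink($path);
```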