Encrypting Mysql Database Password

Jun 22 2009, 07:12 PM | Post #1
Professional Squeeze | Posts: 1,330 | Joined: 13-February 08 | From: Borneo

My question is HOW?

How do I HIDE/ENCRYPT my MySQL Database Password so that I am the only one in this world who knows it and is able to access the database and do stuff inside? If I use the method below, someone else can dig out the database password and gain access to my database. Is there any way of solving an issue like this? Thanks.

CODE
<%
'//1. Define Constant Value
Const DB_SERVER = "localhost"
Const DB_NAME = "database_name"
Const DB_USER = "root"
Const DB_PASS = "mysql_password"

'//2. Database Connection
Dim Conn, ConnectionString
ConnectionString = "DRIVER={MySQL ODBC 3.51 Driver}; SERVER=" & DB_SERVER & "; DATABASE=" & DB_NAME & "; OPTION=4; UID=" & DB_USER & "; PASSWORD=" & DB_PASS & ";"
Set Conn = Server.CreateObject("ADODB.Connection")
Conn.Open(ConnectionString)
%>

Jun 23 2009, 04:17 AM | Post #2
Professional Squeeze | Posts: 1,267 | Joined: 15-February 08 | From: UK

If possible, put the mySQL connection details in one file only, and place that file somewhere above the level of the web root. This means the file will be completely inaccessible to anyone browsing over the web. Of course, if they knew your FTP login details, they could still access it (and everything else).

It's a good practice to put all your back-end files above the web root (PHP scripts, etc.). Only front-end stuff (HTML, CSS, javascript, images...) belongs at (or below) the level of the web root. Of course, your HTML documents may contain small amounts of PHP, and that's fine.

You then use includes to...er, include this file in your pages. To make this work, you need to know the full directory path on the server. For example, it might be something like: /home/yoursite/bin/mySQLconnect.php (if you placed the connection file in the bin directory).

Better yet, make a database object. You can then keep all the code for connecting to the database encapsulated in (and private to) this object, so that when you want to connect to the database, you just write something like this:

CODE
$db->connect();

This is the approach used by PHP frameworks (of course, the database object lives in a file above the web root).

You can also encrypt the database password. I'm a bit shaky on the theory here, but a simple method is to generate an md5 hash of your password. Instead of storing the raw password in your file, you store the hash. In your database connection function/method, you decode the hash. Let's say your password was "my-weak-password". In PHP, for example, you would generate a hash by running md5("my-weak-password"). You then take the output (say, "f13jhvg0be8r32lfdgu9") and store it as your password ($db-password). In your connection function/method, instead of supplying the argument "$db-password", you supply the argument "base64_decode($db-password)". You can make this encryption much more secure by adding a salt.

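The layout described in post #2, as an added example that is not part of the original thread: one credentials file kept outside the web root, loaded by full path into a database object. The function and class names, the temporary paths and the credentials are assumptions made up for the demonstration, and the permission check applies to Unix-like hosts only.

```php
<?php
// Added example, not code from the thread. load_db_config(), Database and the
// paths and credentials below are hypothetical, constructed for this demo.
function load_db_config(string $configPath, string $docRoot): array
{
    $real = realpath($configPath);
    $root = realpath($docRoot);
    if ($real === false || $root === false) {
        throw new RuntimeException('config file or web root not found');
    }
    // Refuse a file that sits where the web server serves content from.
    if (strpos($real, $root . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException('config file is inside the web root');
    }
    // On Unix-like hosts, refuse a file that every local account can read.
    clearstatcache();
    if (DIRECTORY_SEPARATOR === '/' && (fileperms($real) & 0004)) {
        throw new RuntimeException('config file is world-readable');
    }
    return require $real; // the config file returns an array
}

final class Database
{
    private $cfg; // credentials stay private to this object
    public function __construct(array $cfg) { $this->cfg = $cfg; }
    public function connect(): PDO
    {
        $dsn = "mysql:host={$this->cfg['host']};dbname={$this->cfg['name']}";
        return new PDO($dsn, $this->cfg['user'], $this->cfg['pass']);
    }
}

// Demo on a throwaway directory tree; no database server is contacted.
$base = sys_get_temp_dir() . '/dbcfg_demo_' . getmypid();
mkdir("$base/www", 0755, true);
mkdir("$base/private", 0700, true);
$body = "<?php return ['host' => 'localhost', 'name' => 'database_name',"
      . " 'user' => 'app_user', 'pass' => 'constructed-password'];";
foreach (["$base/www/db.php", "$base/private/db.php"] as $file) {
    file_put_contents($file, $body);
    chmod($file, 0600);
    try {
        $db = new Database(load_db_config($file, "$base/www"));
        echo "accepted: $file\n"; // $db->connect() would open the connection
    } catch (RuntimeException $e) {
        echo "rejected: $file ({$e->getMessage()})\n";
    }
}
```

The file mode only restricts accounts other than the file's owner, so the copy outside the web root must also be owned by the account the web server runs as.
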
Jun 23 2009, 04:41 AM | Post #3
Professional Squeeze | Posts: 1,330 | Joined: 13-February 08 | From: Borneo

Hai Mike!

Thanks for the long info. Well, actually I am talking about this locally. I mean, I have a localhost web-based system in the company I am working for. All the IT staff have access to every PHP page in the www root. So, somewhere in that file is the page that stores my MySQL database password, where I have defined the PHP variable. What I want to do is to encrypt that password so that others don't have a clue what password to use to access the MySQL database. Is it possible?

Jun 23 2009, 06:11 AM | Post #4
Professional Squeeze | Posts: 1,267 | Joined: 15-February 08 | From: UK

QUOTE
Well, actually I am talking about this locally. I mean, I have a localhost web-based system in the company I am working for. All the IT staff have access to every PHP page in the www root.

Do they have access to directories *above* the www root? If they don't have access, you can just put the file higher up.

QUOTE
So, somewhere in that file is the page that stores my MySQL database password, where I have defined the PHP variable. What I want to do is to encrypt that password so that others don't have a clue what password to use to access the MySQL database.

Well, you can always encrypt the password, as I mentioned. However, if they have access to the entire source code, then I think they could just run the base64_decode function themselves to reverse the hash. In principle, I think, you cannot properly encrypt something if they have access to the entire source code (including the values of all stored passwords, salts, and so on). Your only method of security is then "security through obscurity" -- making the source code so difficult to fathom that they fail to reverse-engineer it.

Jun 23 2009, 07:55 PM | Post #5
Professional Squeeze | Posts: 1,330 | Joined: 13-February 08 | From: Borneo

Yes, they do have full access to the entire source code.

LOL, I just thought that there was a direct tip for this issue. Anyhow... I'll see what I can do with your "security through obscurity" tips! Thanks anyway....

Jul 10 2009, 03:19 PM | Post #6
Rapid Squeezer | Posts: 114 | Joined: 15-February 08 | From: Ottawa, Canada

Sorry, some corrections needed here:

QUOTE
You can also encrypt the database password. I'm a bit shaky on the theory here, but a simple method is to generate an md5 hash of your password. Instead of storing the raw password in your file, you store the hash. In your database connection function/method, you decode the hash. Let's say your password was "my-weak-password". In PHP, for example, you would generate a hash by running md5("my-weak-password"). You then take the output (say, "f13jhvg0be8r32lfdgu9") and store it as your password ($db-password). In your connection function/method, instead of supplying the argument "$db-password", you supply the argument "base64_decode($db-password)". You can make this encryption much more secure by adding a salt.

A hash (such as MD5) is a one-way operation. It is impossible to undo a hash (I won't say decrypt, because hashing is NOT encrypting). Passwords are often stored hashed, but rather than undoing the hashing to check the password, the user-supplied password is hashed using the same algorithm (e.g. MD5) and the hashed values are compared. Using a salt does make a hash more secure because it helps protect against bulk hash dictionary attacks.

Next, Base64 is neither hashing nor encrypting. It's encoding. All the bits are lined up, and then taken 6 at a time. 6 bits mean 64 possibilities. Those 64 possibilities are each represented by 1 "safe"/printable character. Base64 is used to turn something binary that normally can't be safely represented in a string format (such as an image file) into a series of characters that can be safely represented in a string format. That's Base64 encoding. Base64 decoding does the exact reverse (i.e. from 6 bit possibilities, back to the 8 bit bytes).

Properly encrypting something requires a key. Some encryption methods use the same key to encrypt and decrypt, others use key pairs (one key encrypts, only the other can decrypt). But in either case, if you encrypt your password, you then have to worry about how to protect the key that decrypts the password. It becomes a never-ending cycle.

As Mike says, your best bet is keeping the password in one location, above the web root, and obscuring it if you like.

This post has been edited by christopher: Jul 10 2009, 03:22 PM
--------------------
Blog: annoyed.ca | Web Site Hosting: www.bluephyre.com

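The distinction drawn in post #6, as an added example that is not part of the original thread: Base64 built by hand from 6-bit groups and compared with PHP's base64_encode(), next to md5() and a salted password hash. b64_by_hand() and show() are hypothetical helpers, and password_hash()/password_verify() stand in for the MD5 comparison the post describes.

```php
<?php
// Added example, not code from the thread. b64_by_hand() is a hypothetical
// helper; the password is the sample value used in the thread.

// Base64 as described above: line the bits up, take them 6 at a time, and
// map each 6-bit value (0..63) to one printable character.
function b64_by_hand(string $data): string
{
    if ($data === '') {
        return '';
    }
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
    $bits = '';
    foreach (str_split($data) as $byte) {
        $bits .= str_pad(decbin(ord($byte)), 8, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 6) as $chunk) {
        // The last chunk may be short; fill it with zero bits on the right.
        $out .= $alphabet[bindec(str_pad($chunk, 6, '0'))];
    }
    // '=' pads the output to a multiple of four characters.
    return str_pad($out, (int) (ceil(strlen($out) / 4) * 4), '=');
}

function show(string $label, bool $result): void
{
    echo $label, ': ', var_export($result, true), "\n";
}

$password = 'my-weak-password';
$encoded  = base64_encode($password);

// Encoding: no key, so anyone who can read the source can reverse it.
show('hand-built Base64 equals base64_encode()', b64_by_hand($password) === $encoded);
show('base64_decode() returns the password', base64_decode($encoded) === $password);

// Hashing: one-way. Decoding the MD5 hex string does not give the password
// back, so a stored hash cannot be handed to the MySQL connection call.
$hash = md5($password);
show('base64_decode(md5()) returns the password', base64_decode($hash) === $password);

// What a hash is for: hash the supplied password again and compare.
// password_hash() (used here in place of MD5) adds a random salt itself.
$stored = password_hash($password, PASSWORD_DEFAULT);
show('correct password verifies', password_verify('my-weak-password', $stored));
show('wrong password verifies', password_verify('wrong-guess', $stored));
```
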
Jul 13 2009, 02:12 AM | Post #7
Rapid Squeezer | Posts: 442 | Joined: 14-February 08 | From: Düsseldorf, Germany

if you're trying to obscure the password in your source code, then base64decode/encode would be one solution. just remember that because it's a decode/encode people can still get at the password if they are determined enough, but at least the password isn't stored as clear-text. This is more a method of "keeping honest people honest"

--------------------
an uncomfortably attractive blend of sort of perverted but surprisingly sweet.
aggregated @ Re-Unleashed I also tumble, tweet & flick

Jul 13 2009, 02:42 AM | Post #8
Professional Squeeze | Posts: 1,330 | Joined: 13-February 08 | From: Borneo

Can you show me an example, mate?

Appreciate it, thanks.

Jul 14 2009, 05:30 AM | Post #9
Rapid Squeezer | Posts: 442 | Joined: 14-February 08 | From: Düsseldorf, Germany

make yourself a simple php script:

CODE
<?php
// print the Base64-encoded form of the password
echo(base64_encode('your_password'));
?>

the output will be some random string like "ADssf(7234"

then instead of a clear-text password in your database connection you can write:

CODE
// decode the stored string back to the password at connection time
$password = base64_decode('ADssf(7234');

--------------------
an uncomfortably attractive blend of sort of perverted but surprisingly sweet.
aggregated @ Re-Unleashed I also tumble, tweet & flick

Jul 14 2009, 07:02 PM | Post #10
Professional Squeeze | Posts: 1,330 | Joined: 13-February 08 | From: Borneo

Ahhh, great!

I might use that in my page. Thanks mate!