View Full Version : mysql_connect security issue
Learning
02-23-2006, 04:52 PM
Hi, (I'll try this again, this time in the right forum :nervous:)
Please forgive my newbie question, but is using mysql_connect from vb to insert info into a second database a security risk?
Is using the database name, user name and password safe from those viewing the forum?
Thanks,
still Larning.
Is this question too difficult, or too retarded?
Xenon
02-24-2006, 12:05 PM
hmm, actually i don't really understand where there should be an issue.
vb makes a connecten to a db, but that is totally isolated from a second connection, so if you write your scripts carefully, a second db connection is no security risk
Learning
02-24-2006, 03:11 PM
Thank you for replying Xenon.
I simply do not know much about database connections, so am unsure as to the correct way of connecting 2 databases.
Would the following constitute a safe connection?
//connecting to second database
$dbtest = @mysql_connect("host","name","pass",true) or die ("no connection possible");
mysql_select_db("database",$dbtest) or die ("no db");
$a = mysql_query("
SELECT something
FROM " . TABLE_PREFIX . "sometable
");
while ($row = mysql_fetch_assoc($a))
{
foreach ($row as $field_name => $field_value)
echo $field_name . " : " .$field_value;
}
mysql_close($dbtest);
This must not be a very exciting topic to most people but I would like to know whether I am doing it right. Since this code and related password are in a PHP file, I assume no one visiting my site (viewing the results from that php file) can actualy view the code itself.
Thanks in advance.
Xenon
02-24-2006, 03:16 PM
from what i see, there is no security problem in the code, just two things to think about:
1) vb3.5 allows a second connection set up from within config.php afaik, which could make things a bit easier for you
2) are you sure you need TABLE_PREFIX in your query, as you are connecting to a second db, no the vb one, that could produce an error.
as for the security again: yep that's ok, as noone could directly view into the php files and see the pw :)
filburt1
02-24-2006, 03:43 PM
It's only a security risk if injection is possible such that the username/password/database/server/query can be read/altered. As for performance, that depends on how MySQL is set up.
Paul M
02-24-2006, 03:54 PM
1) vb3.5 allows a second connection set up from within config.php afaik, which could make things a bit easier for youThe dual server settings in vb don't work like he wants, you can have a read server and a write server, but you have to set-up replication from the write server to the read server.
Learning
02-24-2006, 09:01 PM
This is great stuff.
Thanks guys, I do appreciate your replies and info.
At least Im on the right track and my learning curve can now continue / expand.
Cheers.
Xenon
02-26-2006, 09:12 PM
The dual server settings in vb don't work like he wants, you can have a read server and a write server, but you have to set-up replication from the write server to the read server.
seem si have to look at that feature again.
couldn't test it as locally i just have one and never saw a need for it ;)
vBulletin® v3.8.12 by vBS, Copyright ©2000-2024, vBulletin Solutions Inc.