PDA

View Full Version : mysql_connect security issue


Learning
02-23-2006, 04:52 PM
Hi, (I'll try this again, this time in the right forum :nervous:)

Please forgive my newbie question, but is using mysql_connect from vb to insert info into a second database a security risk?

Is using the database name, user name and password safe from those viewing the forum?

Thanks,
still Larning.

Is this question too difficult, or too retarded?

Xenon
02-24-2006, 12:05 PM
hmm, actually i don't really understand where there should be an issue.

vb makes a connecten to a db, but that is totally isolated from a second connection, so if you write your scripts carefully, a second db connection is no security risk

Learning
02-24-2006, 03:11 PM
Thank you for replying Xenon.

I simply do not know much about database connections, so am unsure as to the correct way of connecting 2 databases.

Would the following constitute a safe connection?

//connecting to second database
$dbtest = @mysql_connect("host","name","pass",true) or die ("no connection possible");
mysql_select_db("database",$dbtest) or die ("no db");
$a = mysql_query("
SELECT something
FROM " . TABLE_PREFIX . "sometable
");
while ($row = mysql_fetch_assoc($a))
{
foreach ($row as $field_name => $field_value)
echo $field_name . " : " .$field_value;
}

mysql_close($dbtest);

This must not be a very exciting topic to most people but I would like to know whether I am doing it right. Since this code and related password are in a PHP file, I assume no one visiting my site (viewing the results from that php file) can actualy view the code itself.

Thanks in advance.

Xenon
02-24-2006, 03:16 PM
from what i see, there is no security problem in the code, just two things to think about:

1) vb3.5 allows a second connection set up from within config.php afaik, which could make things a bit easier for you
2) are you sure you need TABLE_PREFIX in your query, as you are connecting to a second db, no the vb one, that could produce an error.

as for the security again: yep that's ok, as noone could directly view into the php files and see the pw :)

filburt1
02-24-2006, 03:43 PM
It's only a security risk if injection is possible such that the username/password/database/server/query can be read/altered. As for performance, that depends on how MySQL is set up.

Paul M
02-24-2006, 03:54 PM
1) vb3.5 allows a second connection set up from within config.php afaik, which could make things a bit easier for youThe dual server settings in vb don't work like he wants, you can have a read server and a write server, but you have to set-up replication from the write server to the read server.

Learning
02-24-2006, 09:01 PM
This is great stuff.
Thanks guys, I do appreciate your replies and info.
At least I’m on the right track and my learning curve can now continue / expand.
Cheers.

Xenon
02-26-2006, 09:12 PM
The dual server settings in vb don't work like he wants, you can have a read server and a write server, but you have to set-up replication from the write server to the read server.


seem si have to look at that feature again.
couldn't test it as locally i just have one and never saw a need for it ;)