ultra-simple MySQL / PHP question
Grant2
03-22-2004, 07:03 PM
I know absolutely nothing about MySQL beyond the fact that I apparently need it for one extremely simple purpose. I'm hoping to avoid having to pick through lengthy tutorials to figure out how to accomplish the following tasks:
1) by whatever means is appropriate, permanently and securely store a piece of information (e.g., an encryption key) in a newly created MySQL data base that will reside in my directory tree on a commercially hosted web site.
2) put a line or two in my PHP script to retrieve the above value
Can someone point me to a step-by-step tutorial that addresses the above two tasks with a minimum of extraneous information?
Thanks!
wyndom
03-22-2004, 07:59 PM
http://www.spoono.com/php/tutorials/tutorial.php?id=20
try that, it's not that hard, but if you are unfamiliar with php and databases, you may struggle at first.
Grant2
03-22-2004, 08:25 PM
OK, I think the above page makes clear how you pull info *out* of an MySQL data base using PHP - thanks!
That leaves the question of how you get it *into* a (previously non-existent) data base in the first place, especially when you're dealing with a remote web server on which you have no access to a command line other than FTP-type commands.
Grant2,
Are you sure you need a db ?
Db's are ideal if you frequently need to store, manipulate, delete, select, filter (big) amounts of data (typically relatively small pieces of data).
If you just 'permanently' want to store data and then read it, then you can just as well store it in a file. Especially if it's only one or just a few dozen values.
Grant2
03-22-2004, 08:49 PM
I'm going by the recommendations from a credit card gateway that I'm using for an online ordering page. I assume the reason they recommend putting the encryption key into a MySQL database is for added security, so that simply gaining access to the cgi-bin directory of my web hierarchy wouldn't be enough to gain access to that key.
wyndom
03-22-2004, 08:55 PM
http://www.spoono.com/php/tutorials/tutorial.php?id=14
you will use an INSERT statement to get data into a database.
Here is one on encrypting passwords
http://www.spoono.com/php/tutorials/tutorial.php?id=26
Originally posted by Grant2
I'm going by the recommendations from a credit card gateway that I'm using for an online ordering page. I assume the reason they recommend putting the encryption key into a MySQL database is for added security, so that simply gaining access to the cgi-bin directory of my web hierarchy wouldn't be enough to gain access to that key.
:confused: You can simply put the file in a directory above the webroot so they would need access to your server. And you just give it a .php extension just to be sure it would get parsed if it ever got accessible from the web.
The file where you store the key is just as secure as the file that holds your db username and pwd.
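The file-outside-the-webroot approach raf describes above, as an added example that is not part of the original thread. The directory layout, the function name `load_gateway_secrets` and the array keys are hypothetical, and the permission check assumes a POSIX host where PHP runs as the file's owner.

```php
<?php
// Added example, not from the thread. Hypothetical layout:
//   <account home>/private/gateway-secrets.php   secrets file, outside the web root
//   <account home>/public_html/order.php         script that needs the secrets
// The secrets file holds only a PHP "return [...]" statement, so if it is ever
// served by the web server it is parsed as PHP and prints nothing.

function load_gateway_secrets(string $secretsFile, string $webRoot): array
{
    $file = realpath($secretsFile);
    $root = realpath($webRoot);
    if ($file === false || $root === false) {
        throw new RuntimeException('Secrets file or web root not found');
    }
    // Refuse a secrets file that lives inside the web root.
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strpos($file, $prefix) === 0) {
        throw new RuntimeException('Secrets file must be outside the web root');
    }
    // Refuse a file that other local accounts can read or write
    // (assumes PHP runs as the file's owner; POSIX permissions).
    clearstatcache(true, $file);
    $perms = fileperms($file);
    if ($perms === false || ($perms & 0077) !== 0) {
        throw new RuntimeException('Secrets file is group- or world-accessible');
    }
    $secrets = require $file;
    foreach (['gateway_password', 'transaction_key'] as $name) {
        if (!is_array($secrets) || !isset($secrets[$name]) || $secrets[$name] === '') {
            throw new RuntimeException("Missing secret: $name");
        }
    }
    return $secrets;
}

// Constructed demo: build a throwaway layout under the system temp directory.
$base = sys_get_temp_dir() . '/secrets-demo-' . bin2hex(random_bytes(4));
mkdir("$base/public_html", 0700, true);
mkdir("$base/private", 0700);
$demoFile = "$base/private/gateway-secrets.php";
file_put_contents($demoFile,
    "<?php return ['gateway_password' => 'demo-pass', 'transaction_key' => 'demo-key'];\n");
chmod($demoFile, 0600);
$secrets = load_gateway_secrets($demoFile, "$base/public_html");
echo 'Loaded secrets: ', implode(', ', array_keys($secrets)), "\n"; // names only, never values
```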
wyndom
03-22-2004, 09:43 PM
is this just one piece of information, or multiple pieces of info?
Grant2
03-22-2004, 09:44 PM
If I understand your comment, I think it would require ME to have access to the directory above webroot. I don't. It's a commercial web hosting service, and my only access to the server is by way of ftp to/from the top level (and below) of my web tree.
I don't think the main concern is about web access to the encryption key. Rather, if anyone having root privileges on the server could access my encryption key, they could theoretically misuse it to submit credit card transactions.
My assumption was that by having a password protected MySQL data base that contains the encryption key, someone on the local host who gains access to my web hierarchy would still need to crack the password to my MySQL data base in order to retrieve the encryption key.
But as I said, I'm a novice to MySQL, so I don't know whether this assumption makes sense or not.
Grant2
03-22-2004, 09:48 PM
Originally posted by wyndom
is this just one piece of information, or multiple pieces of info?
Well, two, actually. A password to the gateway and a transaction key used to generate a unique fingerprint in the web form submitted to the gateway.
In theory, I could also use the MySQL data base to store records connected with the orders, but I don't intend to do this, for now at least.
Grant2
03-22-2004, 09:55 PM
Originally posted by raf
The file where you store the key is just as secure as the file that holds your db username and pwd.
I guess I missed this point the first time I read it: what you're saying is that, since my php script needs to access the MySQL data base, and since it therefore must contain the password to the data base, anybody on the local host getting into my web hierarchy and reading the php script can also extract the data from the data base. Is this correct?
If so, then I honestly don't know why the gateway people tell their clients to stick the gateway password and transaction key into a MySQL data base.
I'm now TOTALLY confused.
:confused:
Originally posted by Grant2
I guess I missed this point the first time I read it: what you're saying is that, since my php script needs to access the MySQL data base, and since it therefore must contain the password to the data base, anybody on the local host getting into my web hierarchy and reading the php script can also extract the data from the data base. Is this correct?
That is correct
Originally posted by Grant2
If so, then I honestly don't know why the gateway people tell their clients to stick the gateway password and transaction key into a MySQL data base.
I'm now TOTALLY confused.
:confused:
Ask them to explain to you why that would be safer.
Probably because you can restrict the server from where the account has access (for instance only the 'localhost'). But that isn't really enough to keep a skilled/determined hacker out ...
Don't get me wrong, I don't have anything against using db's. But if it's only to store these two data, then there really is no point.
What sort of host is that, that you can not create a folder outside the web-root?
Grant2
03-23-2004, 12:04 AM
Originally posted by raf
What sort of host is that, that you can not create a folder outside the web-root?
As I said, it's a commercial web hosting service (easyspace.com). They provide their customers with ftp access to the directory hierarchy that serves the customer's web pages, so that web docs and other files can be up-/downloaded, but they don't offer ssh or telnet access to the host. The ftp access is restricted to the web root (and below) for the customer's domain.