  1. #1
    New Coder
    Join Date
    Aug 2010
    Location
    Philippines
    Posts
    15
    Thanks
    6
    Thanked 0 Times in 0 Posts

    Help on security!

    Good day to all,

    First, my purpose is to share my database connection with someone (on another server), but I want to restrict them from modifying it. It is just for viewing data, not for modifying.

    Code:
    /* This is my PHP file that I wanted to share, wherein the database connection can be found.
    Its name, for example, is conn.php */
    
    // host, user and password are separate arguments
    mysql_connect('localhost', 'root', 'rootpassword');
    mysql_select_db('db_database');

    Now I have my conn.php containing the sensitive part of my database, including a password. This is the PHP file from another server that I want to share my conn.php with.

    Code:
    /* This is my PHP file from another server that will use my conn.php.
    Its name, for example, is client.php */
    
    include 'http://www.mysite.com/conn.php';
    
    $viewrecord = mysql_query("select * from record where id = 'myname'");
    
    while ($result = mysql_fetch_array($viewrecord))
    {
       echo $result['name'];
    }

    Now we have settled the connection, and the client can now view the records from table record.
    What I'm afraid of is: what if client.php did something like:

    Code:
    include 'http://www.mysite.com/conn.php';
    
    $name = "I will";
    $age = "destroy the hell";
    $address = "out of your database hahaha";
    
    mysql_query("update record set name = '$name', age = '$age', address = '$address' where id = 'myname'");

    Man, that will be the worst day of my database if he did something like that. Please advise me on some security techniques.

    Thanks!

  • #2
    New Coder
    Join Date
    May 2006
    Location
    Pennsylvania, USA
    Posts
    31
    Thanks
    0
    Thanked 4 Times in 4 Posts
    Create a new DB user for your client, and give them access to READ your database only.

    Then any INSERT, UPDATE and DELETE commands will be ignored.

    In addition, including your config PHP from a remote site will not work, as it uses "localhost" for the hostname; you'll need to get the DNS name/IP address of your SQL server and use that. In addition, some hosts only allow connections to the database from inside their datacenters, so they may not be able to connect like that.

    In that case, you'll need to create some sort of gateway.

  • Users who have thanked xanderman for this post:

    lexjoshua (08-25-2010)
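
The read-only account suggested in the reply above, sketched in MySQL as an added example that is not part of the original thread. The account name `record_viewer`, the client address `203.0.113.10` and the password placeholder are assumptions; the database and table names are the ones from the first post.

```sql
-- Added example: hypothetical account name, constructed client address,
-- placeholder password. Run as an administrative user on the MySQL server
-- that hosts db_database.

-- 1. A dedicated account for the client, bound to the client server's
--    address. The client never receives the root credentials from conn.php.
CREATE USER 'record_viewer'@'203.0.113.10'
    IDENTIFIED BY '<long-random-password>';

-- 2. Read access to the one table the client needs, and nothing else.
GRANT SELECT ON db_database.record TO 'record_viewer'@'203.0.113.10';

-- 3. Verify: the only privileges listed should be USAGE and SELECT on record.
SHOW GRANTS FOR 'record_viewer'@'203.0.113.10';

-- 4. Connected as record_viewer, a read works:
SELECT name FROM db_database.record WHERE id = 'myname';

-- ...while a write is refused by the server with
-- ERROR 1142 (42000): UPDATE command denied to user ... for table 'record'
UPDATE db_database.record SET name = 'x' WHERE id = 'myname';
```

The client's own script then connects with this account and the database server's DNS name or IP address instead of `localhost`, as the reply points out.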

  • #3
    New Coder
    Join Date
    Aug 2010
    Location
    Philippines
    Posts
    15
    Thanks
    6
    Thanked 0 Times in 0 Posts
    I'll try it. Thanks!

