From:             n4rf at chello dot nl
Operating system: Irrelevant
PHP version:      Irrelevant
PHP Bug Type:     MySQL related
Bug description:  feature for mysql_select_db() and mysql_connect()

Description:
------------
This isn't really a bug report, but I searched PHP.net and couldn't find
anything to report this, so I might just report it here.

It's about the security of making a database connection. When you normally
make a MySQL database connection, the login and password can be found (most
likely) in the database config file which you include on every page. When
some l33t h4xx0rs hack the webhosting company where you host your website,
they can find your login and password in the db config file, which makes
hacking easy.

Maybe something can be done like the example below and can be included in the
next versions of PHP. My idea is to make a database connection using md5
encrypted passwords. This way nobody can understand the login, password
and database name when they have owned the database config file. Please
check my example below.

Note: This idea is not possible when MySQL does not cooperate with PHP.net
to make this idea work. MySQL should also make a feature which allows storing
md5 encrypted passwords in the config file where the logins and
passwords get stored. This is just an idea, hope it's possible.. Didn't
figure the idea all out but I think the people of PHP.net and MySQL.com are
smart enough to work it out. I'll also post this message at mysql.com. I
hope I brought a good idea instead of a stupid one.. :)

Reproduce code:
---------------
<?php
$host = "localhost";
// Proposed feature: pass md5 values instead of the plain credentials.
$login = md5('login_name');
$pass = md5('login_password');
$dbname = md5('database_name');

// Connect and select the database; @ suppresses PHP warnings on failure.
if (!@mysql_select_db($dbname, @mysql_connect($host, $login, $pass)))
{
   echo "<html><head><title>db error</title></head><body>
   <h1>Database connection failed</h1>\n\n";
   echo "Could not establish a connection to the database.";
   exit();
}
?>


-- 
Edit bug report at http://bugs.php.net/?id=29281&edit=1
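
The scheme proposed in the report, modelled as an added example (not code from the report, PHP or MySQL): when the server accepts the md5 values directly, the strings in the config file are themselves the working credentials. `proposed_server_auth()` and the in-memory account table are hypothetical stand-ins for the server side, and the credentials are the placeholder strings from the report.

```php
<?php
// Added illustration; not code from the bug report or from PHP/MySQL.
// Hypothetical model of the proposal: the server stores md5 values and the
// client's db config file holds the same md5 values.

// Constructed sample account, stored server-side as md5 values (assumption).
$serverAccounts = [
    md5('login_name') => md5('login_password'),
];

// Hypothetical server-side check under the proposal: whatever the client
// sends is compared directly with the stored md5 values.
function proposed_server_auth(array $accounts, string $login, string $pass): bool
{
    return isset($accounts[$login]) && hash_equals($accounts[$login], $pass);
}

// What the db config file would contain under the proposal.
$configFile = [
    'host'  => 'localhost',
    'login' => md5('login_name'),
    'pass'  => md5('login_password'),
];

// The legitimate application connects with the values from the config file.
$app = proposed_server_auth($serverAccounts, $configFile['login'], $configFile['pass']);

// A third party who reads the file holds exactly the same two strings, so the
// same check passes without knowing 'login_name' or 'login_password'.
$copied = $configFile; // contents of the config file as read by someone else
$reader = proposed_server_auth($serverAccounts, $copied['login'], $copied['pass']);

// The original plaintext no longer authenticates: the md5 value has simply
// taken over the role of the password.
$plain = proposed_server_auth($serverAccounts, 'login_name', 'login_password');

var_dump($app, $reader, $plain);
```

What limits exposure of a config file is who can read it (location outside the web root, file permissions, a database account with minimal privileges), not the encoding of the values stored in it.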