ID:               29281
 Comment by:       abodeman at yahoo dot com
 Reported By:      n4rf at chello dot nl
 Status:           Open
 Bug Type:         Feature/Change Request
 Operating System: Irrelevant
 PHP Version:      Irrelevant
 New Comment:

The problem then becomes protecting the MD5 passwords from l33t
h4xx0rs. Nothing is changed.


Previous Comments:
------------------------------------------------------------------------

[2004-07-20 14:27:34] n4rf at chello dot nl

Description:
------------
This isn't really a bug report, but I searched PHP.net and couldn't find
anything to report this, so I might just report it here.

It's about the security to make a database connection. When you normally
make a MySQL database connection, the login and password can be found
(most likely) in the database config file which you include on every
page. When some l33t h4xx0rs hack the webhosting company where you host
your website, they can find your login and password in the db config
file which makes hacking easy.

Maybe something can be done like the example below and can be included in
the next versions of PHP. My idea is to make a database connection
using md5 encrypted passwords. This way nobody can understand the
login, password and database name when they have owned the database
config file. Please check my example below.

Note: This idea is not possible when MySQL does not cooperate with
PHP.net to make this idea work. MySQL should also make a feature which
allows to store md5 encrypted passwords to the config file where the
logins and passwords get stored. This is just an idea, hope it's
possible.. Didn't figure the idea all out but I think the people of
PHP.net and MySQL.com are smart enough to work it out. I'll also post
this message at mysql.com. I hope I brought a good idea instead of a
stupid one.. :)

Reproduce code:
---------------
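<?php
// Proposed usage: md5() hashes are passed in place of the real credentials.
$host = "localhost";
$login = md5('login_name');
$pass = md5('login_password');
$dbname = md5('database_name');

// Select the database over a new connection; @ suppresses PHP's own warnings.
if (!@mysql_select_db($dbname, @mysql_connect($host, $login, $pass)))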
{
   echo "<html><head><title>db error</title></head><body>
   <h1>Database connection failed</h1>\n\n";
   echo "Could not establish a connection to the database.";
   exit();
}
?>



------------------------------------------------------------------------
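
The point made in the new comment, as an added example that is not part of the original report or of PHP or MySQL: if the server accepts the MD5 value as the login secret, the value in the config file is itself the credential. The `serverAuthenticate()` function, the account table and the sample login and password are hypothetical and constructed for illustration.

```php
<?php
// Toy model of the proposal (hypothetical; not a real MySQL or PHP API):
// the server stores md5(password) and the client sends md5(password).

// Server side: account table holding only hashes (constructed sample account).
$serverAccounts = [
    md5('webapp') => md5('s3cret-db-pass'),
];

// Hypothetical server check: compare what the client sent with the stored value.
function serverAuthenticate(array $accounts, string $sentLogin, string $sentPass): bool
{
    return isset($accounts[$sentLogin])
        && hash_equals($accounts[$sentLogin], $sentPass);
}

// What the application's db config file would contain under the proposal.
$configFile = [
    'login' => md5('webapp'),
    'pass'  => md5('s3cret-db-pass'),
];

// The application reads its config file and connects.
$appOk = serverAuthenticate($serverAccounts, $configFile['login'], $configFile['pass']);

// Any other reader of the same file sends the same two strings. The plaintext
// is never needed, so the hash has simply become the password.
$copied = $configFile;
$readerOk = serverAuthenticate($serverAccounts, $copied['login'], $copied['pass']);

// The plaintext itself is not what the server expects in this scheme.
$plaintextOk = serverAuthenticate($serverAccounts, 'webapp', 's3cret-db-pass');

printf("application using config file: %s\n", $appOk ? 'accepted' : 'rejected');
printf("other reader of config file:   %s\n", $readerOk ? 'accepted' : 'rejected');
printf("plaintext login and password:  %s\n", $plaintextOk ? 'accepted' : 'rejected');
```
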


-- 
Edit this bug report at http://bugs.php.net/?id=29281&edit=1