ID:               29281
 User updated by:  n4rf at chello dot nl
 Reported By:      n4rf at chello dot nl
 Status:           Wont fix
 Bug Type:         Feature/Change Request
 Operating System: Irrelevant
 PHP Version:      Irrelevant
 New Comment:

That is true.. But they didn't resolve the real passwords so they
can't hax anything else with the same password.. The password 'always'
remains hidden. And they can't connect to the database through
phpmyadmin, mascon or some other db management program. They first have
to put some DROP sql queries in some programming language to do some
harm. And maybe the haxxor doesn't know anything about SQL and
programming. Who knows. What my point is, it is somewhat safer, not
completely safe yet but some :)


Previous Comments:
------------------------------------------------------------------------

[2004-07-21 08:24:09] [EMAIL PROTECTED]

What he means is that the haxors can now use the MD5'ed password to
connect to your database and read its contents...  so he is right,
nothing changed.

------------------------------------------------------------------------

[2004-07-21 01:05:13] n4rf at chello dot nl

You didn't think before posting your reply. MD5 cannot be decrypted
easily. In fact, when somebody sees an md5 password, he would think
twice before trying to force it. The thing which did change is that a
person cannot just see the plain text login and password and he
cannot gain access within a time limit of minimum 72 hours.

------------------------------------------------------------------------

[2004-07-20 23:51:48] abodeman at yahoo dot com

The problem then becomes protecting the MD5 passwords from l33t
h4xx0rs. Nothing is changed.

------------------------------------------------------------------------

[2004-07-20 14:27:34] n4rf at chello dot nl

Description:
------------
This isn't really a bug report, but I searched PHP.net and couldn't find
anything to report this, so I might just report it here.

It's about the security of making a database connection. When you normally
make a MySQL database connection, the login and password can be found
(most likely) in the database config file which you include on every
page. When some l33t h4xx0rs hack the webhosting company where you host
your website, they can find your login and password in the db config
file which makes hacking easy.

Maybe something can be done like the example below and can be included in
the next versions of PHP. My idea is to make a database connection
using md5 encrypted passwords. This way nobody can understand the
login, password and database name when they have owned the database
config file. Please check my example below.

Note: This idea is not possible when MySQL does not cooperate with
PHP.net to make this idea work. MySQL should also make a feature which
allows storing md5 encrypted passwords in the config file where the
logins and passwords get stored. This is just an idea, hope it's
possible.. Didn't figure the idea all out but I think the people of
PHP.net and MySQL.com are smart enough to work it out. I'll also post
this message at mysql.com. I hope I brought a good idea instead of a
stupid one.. :)

Reproduce code:
---------------
<?php
// Proposed usage: pass MD5 digests instead of the plain-text values.
$host = "localhost";
$login = md5('login_name');
$pass = md5('login_password');
$dbname = md5('database_name');

if (!@mysql_select_db($dbname, @mysql_connect($host, $login, $pass)))
{
   echo "<html><head><title>db error</title></head><body>
   <h1>Database connection failed</h1>\n\n";
   echo "Could not establish a connection to the database.";
   exit();
}
?>



------------------------------------------------------------------------
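
The objection raised in the replies above (the stored MD5 value itself becomes the login secret), shown as an added example that is not part of the original report or of PHP/MySQL. The `server_login` function, the account table and the credentials are hypothetical and constructed for illustration; no real database is contacted.

```php
<?php
// Added illustration of the proposal discussed above; names are hypothetical.

// Constructed account table of a toy server that implements the proposal:
// it stores md5(login) => md5(password) and accepts the digests as-is.
$accounts = [md5('login_name') => md5('login_password')];

// Server-side check under the proposed scheme: the client sends digests.
function server_login(array $accounts, string $login, string $secret): bool
{
    return isset($accounts[$login]) && hash_equals($accounts[$login], $secret);
}

// What the proposed db config file would hold: digests, not plain text.
$config = [
    'login' => md5('login_name'),
    'pass'  => md5('login_password'),
];

// The legitimate application connects with the values from its config file.
$app = server_login($accounts, $config['login'], $config['pass']);

// Anyone who can read the config file holds the same two strings. The
// plain-text password stays unknown, but it is not needed: presenting
// the stored digests is indistinguishable from the application's login.
$copied = $config;
$reader = server_login($accounts, $copied['login'], $copied['pass']);

// The original plain-text values are no longer what the server checks,
// so under this scheme the digest is the credential that needs protecting.
$plain = server_login($accounts, 'login_name', 'login_password');

var_dump($app, $reader, $plain);
```

Hashing hides the plain-text value, which matters if the same password is reused elsewhere, but access to this database depends only on who can read the config file.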

