Security for sql database log-in


#1

I’ve been studying php and sql and have learned how to make a database; a table of hypothetical users in the database; add (user) entries to the table; hash the passwords; edit entries …
I’ve got a working log-in php script which matches the hashed passwords in the database against hashed versions of the passwords entered by “users” (actually me while doing testing).

So far, so good, not that this hasn’t taken a long time working through a book and various web sources.

But the way this is set up currently, this requires the user to know the hostname etc. details enabling a connection to the database in mysql.
In order for a real user to log in, his/her credentials have to be compared to what is in the database. I don’t want the users knowing how to connect to the sql database themselves; nor do I want the hostname etc. needed to connect to it permanently part of any php file. I assume that would be too vulnerable to hacking. So how does one set this up so a user can log in without their having the info needed to connect to the database?

Does one in fact go ahead and put the database connection variables in a php script which the user can run?? Seems risky. How ELSE can a casual (non-admin) user cause his/her password to get compared to what is stored in the database in mysql?

THANKS!
Priscilla


#2

This is exactly what a CMS like WordPress does. As long as that information is in a .php script, it should be secure. (There are always loopholes, like database injection, which is why you make sure to sanitize your inputs.)

You are using mysqli functions to connect to the database, right?

http://php.net/manual/en/class.mysqli.php


#3

Thank you. Embedding the database connection credentials in a php script makes it much less complicated.

As for sanitizing, I use html_entities (to see what has been input) and “strip_tags” to clean.
I’ve tested those against html and they seem to work well for that. I haven’t tried odd characters like ’ / @ $ and such with them.
Should I also add the “escape_string” (whatever its exact name is) function?

sqli? I am hosted at Dreamhost and only see mysql available; it does not seem to be an option for sqli.

Priscilla


#4

mysql is the database type

mysqli is the class for accessing a mysql database.
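To tie together the points in #2, #3 and #4 (credentials living in a php file, "sanitizing" against injection, and what the mysqli class actually is), here is an added example of a log-in check written with mysqli prepared statements. It is not code from this thread or from Larry Ullman's book; the file path, the `users` table with `username` and `password_hash` columns, and the config array layout are assumptions, and it needs PHP 5.5+ for password_verify().

```php
<?php
// Added example: log-in check using the mysqli class with a prepared statement.
// Assumptions (not from the thread): db_config.php sits OUTSIDE the web root and
// returns an array; table `users` has columns `username` and `password_hash`,
// where password_hash was produced by password_hash($pw, PASSWORD_DEFAULT).
declare(strict_types=1);

// The web server never serves files above the document root, so the hostname,
// user and password are only readable by PHP itself, not by visitors.
$config = require __DIR__ . '/../private/db_config.php';
// db_config.php (assumed contents):
//   <?php return ['host' => 'mysql.example.invalid', 'user' => 'app',
//                 'pass' => 'CHANGE-ME', 'db' => 'site'];

// Throw exceptions on errors instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli($config['host'], $config['user'], $config['pass'], $config['db']);
$db->set_charset('utf8mb4');

/**
 * Return true when $username/$password match a stored row.
 * Form values are bound as parameters, never concatenated into the SQL text,
 * so real_escape_string(), strip_tags() and htmlentities() are not needed here.
 * htmlentities() still belongs where you ECHO user data into a page (XSS),
 * which is a separate problem from SQL injection.
 */
function login_ok(mysqli $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $username);   // 's' = bind as string
    $stmt->execute();
    $hash = null;
    $stmt->bind_result($hash);
    $found = (bool) $stmt->fetch();
    $stmt->close();

    // password_verify() re-hashes the submitted password with the stored salt
    // and compares in constant time; no plaintext password is ever stored.
    return $found && password_verify($password, $hash);
}

// Usage: take the raw form values; the binding above makes quotes and
// odd characters (' / @ $ ...) harmless to the query.
$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';
if (login_ok($db, $username, $password)) {
    session_start();
    session_regenerate_id(true);          // new session id after log-in
    $_SESSION['user'] = $username;
    echo 'Logged in as ' . htmlentities($username, ENT_QUOTES, 'UTF-8');
} else {
    echo 'Invalid username or password';   // same message for either failure
}
```

With the old mysql_* functions there is no parameter binding, which is why escaping every value mattered there; with mysqli (or PDO) prepared statements the separation of query and data is done by the driver.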


#5

The book I have been learning from does not mention mysqli. [“PHP for the Web” by Larry Ullman; 4th edition, 2011]
So I don’t know anything about mysqli. I have only the slightest familiarity with object-oriented programming so classes are only a vague concept to me.
I am using php (running on dreamhost) to access and alter the database (a table I created inside the database) (where database is also running on Dreamhost)

I COULD use the web-based “phpMyAdmin” provided by Dreamhost to do probably anything I want to my database table much quicker,
but I enjoy learning and exploring so I only use the phpMyAdmin to check the results I am getting from my php files.

I think I saw that the version of php I access at Dreamhost might be a 4.0 or not up to 5.3 so it might not even work with sqli.


#6

I’ve read that book. Larry Ullman is a good writer. You should check out his website and look into his newsletter. (Which reminds me I haven’t gotten it for a while. Gotta check on that.)

This is a great way to learn! You can also set up a localhost server and try it out that way. I do a lot of my development in localhost before going live with it.

AFAIK, the earliest version of PHP that DreamHost currently offers is 5.3. I’m not sure what is at 4.0 right now.


#7

Nothing. PHP 4 was completely removed from all of our servers years ago; it’s long obsolete.

Perhaps HamGal was looking at the version number for something else? I honestly can’t think of anything offhand that’d be at a 4.x version right now, though, other than a few web applications like WordPress.


#8

I missed seeing these last few replies. I guess I thought I would get emails notifying me when there were new replies.

Thank you all for your comments. The php version was only something from my memory. I hadn’t checked that for accuracy. I discovered that I DID install a microsoft sql of some kind several weeks ago, though I honestly do not recall doing it and I certainly didn’t play around with it. I wonder if it happened along with the installation of something else, like IP camera software; NetcamStudio or BlueIris. Anyway I found out pretty much by accident that this local sql server was RUNNING on my desktop. Surprised the heck out of me. I’m sure all this has you thinking my brains have already passed on.

Thanks for the encouragement about my study methods; ie Larry Ullman’s book, etc. You mentioned his website and actually I had also gone to his website - and in fact - WAIT A MINUTE! - MAYBE that is when and where the idea and execution for installing a local sql package came from. That is seeming familiar now. Yes. Something must have robbed my attention away immediately after the installation and then I never got back to it. I can only play and study like that (with the php etc) day after day for so long before the rest of reality starts pounding down the walls to get my attention. Now I’m fully immersed in writing reports and getting my website more current. No time for play/study for a while.

Thanks Andrew and Kjodle!

Priscilla