A better way to use mssql_pconnect

Hello. I’m a PHP dev working in PHP 5.2.9 (I know, and it won’t be upgraded anytime soon). We use a very simple way to connect to the database, something like this:

$conectionObject = mssql_pconnect("[servername]", "[user]", "[password]");

I’ve been asked to use a safer way to connect to the DB. They don’t like the user/password just plainly written in the code, so I’m looking for safer ways to connect (maybe send the password by encryption or something?) without changing the code too much. We have a lot of these old PHP systems and we’re not dropping the mssql_pconnect method; we simply need a way to use it without plainly writing the DB password in the code.

Any help would be much appreciated!

Standard safety mechanism is to write the credentials in a file above the webroot, that way only the engine (and anyone with file access to the system) can read them.

Other than that, understand that anything you do to obfuscate the password must, naturally, be reversible by the code; and the method for reversing it must be written into the code. So… basically once you get to the level of “There’s someone inside our machine”, you’ve got bigger problems than “they can read our database password”.

2 Likes
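
The "credentials in a file above the webroot" approach from the answer above, as an added example that is not part of the original thread and is written to run on PHP 5.2. The file path, the INI key names and the function name `db_pconnect_from_file` are assumptions made for illustration.

```php
<?php
// Added example (not from the thread). Path, INI keys and function name are assumptions.
// Constructed sample of /var/www/private/db.ini, with the webroot at /var/www/html:
//   server   = "SQLHOST01"
//   user     = "app_user"
//   password = "example-only"
define('DB_CREDENTIALS_FILE', '/var/www/private/db.ini');

function db_pconnect_from_file($path)
{
    $real = realpath($path);
    if ($real === false || !is_readable($real)) {
        trigger_error('DB credentials file missing or unreadable', E_USER_WARNING);
        return false;
    }

    // Fail closed if the file has ended up inside the document root,
    // where a server misconfiguration could serve it as plain text.
    if (!empty($_SERVER['DOCUMENT_ROOT'])) {
        $root = realpath($_SERVER['DOCUMENT_ROOT']);
        if ($root !== false && strpos($real, $root . DIRECTORY_SEPARATOR) === 0) {
            trigger_error('DB credentials file is inside the webroot', E_USER_WARNING);
            return false;
        }
    }

    // POSIX only: reject a world-readable file (mode should be 0640 or tighter).
    if (DIRECTORY_SEPARATOR === '/' && (fileperms($real) & 0004)) {
        trigger_error('DB credentials file is world-readable', E_USER_WARNING);
        return false;
    }

    $cfg = parse_ini_file($real);
    if (!is_array($cfg)
        || !isset($cfg['server'], $cfg['user'], $cfg['password'])) {
        trigger_error('DB credentials file is incomplete', E_USER_WARNING);
        return false;
    }

    // Same call the existing systems already use; only the source of the values changes.
    return mssql_pconnect($cfg['server'], $cfg['user'], $cfg['password']);
}

// Replaces the hard-coded call in each script.
$conectionObject = db_pconnect_from_file(DB_CREDENTIALS_FILE);
```

Keeping the loader in one shared include means each legacy script changes by a single line, and the credentials file can be left out of version control and owned by the web server's service account.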
