-
Dec 6th, 2006, 05:04 AM
#1
Thread Starter
Frenzied Member
My SQL - connection string
Is it possible by any chance that somehow we set something in the settings of MySQL such that all clients wishing to connect to it shall need to provide a password, and an encrypted one at that?
For instance:
Instead of having a password = test, I would need to specify the encrypted password?
Just to avoid storing the actual password in some of the application page or ini file or property file or whatever.
-
Dec 6th, 2006, 05:22 AM
#2
Re: My SQL - connection string
Well ... you can certainly prompt the user for the database password, but would you rather entrust your db password to the server's hard disk or to your users and the wild of the internet? (The password would have to be transmitted with every request, e.g. by putting it into a cookie. Or you store it in a session, but PHP sometimes writes session data to disk.)
All the buzzt
 CornedBee
"Writing specifications is like writing a novel. Writing code is like writing poetry."
- Anonymous, published by Raymond Chen
Don't PM me with your problems, I scan most of the forums daily. If you do PM me, I will not answer your question.
-
Dec 6th, 2006, 01:07 PM
#3
Re: My SQL - connection string
I think she means she is running some kind of server and wants people who make connections to her database to have to use the following to actually connect:
PHP Code:
mysql_connect("123.234.123.234", "username", md5("password"));
Although MySQL doesn't use md5 for its passwords (I believe it uses the built-in password() function), I don't see how you plan on doing this, and I don't even think it can be done. I mean, first of all, any password you enter into mysql_connect() will be encrypted, and if you have an already encrypted password and are passing that into the field, then it will encrypt it again, which will make it wrong. Do you see what I'm trying to say?
The password has to be entered in the code somewhere. To make your connection script safe from possibly being broken into on the webserver, you could always put it in a directory below the webserver. If your web directory was C:/webstuff/this_username/public_html, you could store the MySQL connection strings in the "this_username" folder, giving only that user access to that file, and it won't be available on the internet, either. You will just have to call it with a relative path from whatever script you're running. I.e., if the script that wanted to connect to the MySQL database was in /public_html/dir/dir/, you would need to use include() and include a relative path, e.g.: ./../../../mysql.inc.php.
Also, one big thing to mention is that if you're building an application that uses MySQL (like a VB application, or whatever, since I think you said this didn't really have anything to do with PHP? I could be wrong, but this is a good general rule anyway), and the application is just for browsing the database, make sure that the user it is using to browse the database only has read privileges for the database (ie: select only), so that if that account is ever compromised they can't run delete, update, insert, drop or truncate commands, which would potentially corrupt or destroy any or all of your data.
I hope that made sense.
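An added example, not part of the original post: a small Python check for the file-placement advice in post #3, verifying that a credentials file sits outside the web root and is accessible only to its owner. The function names, the finding strings and the temporary directory layout are constructed for illustration, and the permission test assumes POSIX mode bits.

```python
import os
import stat
import tempfile
from pathlib import Path


def audit_credentials_file(cred_path, web_root):
    """Return a list of findings for a DB credentials file; empty means OK."""
    cred = Path(cred_path).resolve()  # collapses ../ segments and symlinks
    root = Path(web_root).resolve()
    if not cred.is_file():
        return ["not-a-regular-file"]

    findings = []
    # A file under the document root can be served to anyone if the server
    # ever stops executing it (handler misconfiguration, backup copy, etc.).
    if root in cred.parents:
        findings.append("inside-web-root")
    # Only the owning account should have any access (POSIX mode bits).
    mode = stat.S_IMODE(cred.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("group-or-other-access")
    return findings


def demo():
    """Build a constructed layout mirroring the post and audit three paths."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp) / "this_username"
        script_dir = home / "public_html" / "dir" / "dir"
        script_dir.mkdir(parents=True)
        exposed = home / "public_html" / "mysql.inc.php"
        private = home / "mysql.inc.php"
        for path, mode in ((exposed, 0o644), (private, 0o600)):
            path.write_text("<?php /* constructed placeholder, no real secret */")
            os.chmod(path, mode)
        web_root = home / "public_html"
        return {
            "exposed": audit_credentials_file(exposed, web_root),
            "private": audit_credentials_file(private, web_root),
            # the relative include path from the post, seen from the script
            "relative": audit_credentials_file(
                script_dir / ".." / ".." / ".." / "mysql.inc.php", web_root),
        }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "OK")
```

Run against a real deployment, an empty list for the credentials file is the result to aim for; the check says nothing about the database account's privileges, which still need to be limited as the post describes.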
-
Dec 6th, 2006, 01:25 PM
#4
Re: My SQL - connection string
MySQL does hash passwords internally; however, whether the password is encrypted in transfer or not depends on whether you use some form of connection encryption between the database server and application, such as SSL.
If you are running the database server locally as a backend to a web application then there is no need to encrypt the connection as users do not connect directly to the database.
On the other hand if users do connect remotely to the database server then it is a very good idea to require SSL. Or, set it to only accept local connections and force remote users to connect through some kind of encrypted tunnel.
The web service method is superior to either of those vulnerability-prone solutions, however.