simple SQL secure connection

Raffie_s

Hello guys,

got a question:
I was searching arount in these forums here about how to connect to a SQL database.
There are so manny large complex scripts here.
what should I do?
this is my situation:

I have created a username and password in phpmyadmin for the SQL database.

in one of my php forms you see a line:
$db = mysql_pconnect('localhost');
I now that when I want to use a username and password I need to use the code:
$db = mysql_pconnect('localhost','test','test');

but I want a html or a php form that lets the user enter they're username and password so the line would be:
$db = mysql_pconnect('localhost','$loginname','$pas');

because phpmyadmin can handle the security stuff like those rights , ya know what I mean right?

anny simple clues??

PhiSYS

header('WWW-Authenticate: Negotiate');
header('WWW-Authenticate: NTLM', false);

Check the HEADER function manual

Yo may also POST a HTML FORM with username and password fields and read with $POST['username'] and $POST['password']

Sxooter

generally, whether or not your database connection uses ssl or something like it is determined by the server more so than the client. In postgresql you set an entry in pg_hba.conf that says whether you want / need / require ssl to connect. Look for somthing similar in mysql's setup files.

Raffie_s

Thanks guys,

I've used the $_POST technique.
it works perfect!

PhiSYS

This does NOT mean the $_POST is secure (unless using SSL).
Generally is a bad idea to transfer the database's user and password, this is just good for MySQL interfaces as phpMyAdmin.

Better program your own (or grab a open source) user management system storing users in a table.

Then use defines or variables in a .php file (never text, html or others; and always between <? ?>) with host, user, pass and database

<?
$DB_HOST = "localhost";
$DB_USER = "user";
$DB_PASS = "pass";
$DB_USE = "database";
?>

then include() this file where you mysql_connect

Of course this configuration file should have privileges denying web users to watch or download the source code.