Encript Mysql

guest

would it be possible to have an md5 hash of a connection to the mysql database
i got this script

$username = "username";
$password = "pass";
$host = "www.google.com";
$database = "protected";

mysql_connect($host,$username,$password) or die("Error connecting to Database!");
mysql_select_db($database) or die("Cannot select database!");

and what i would like to do would be like

$username = "14c4b06b824ec593239362517f538b29";
$password = "1a1dc91c907325c69271ddf0c944bc72";
$host = "0a137b375cc3881a70e186ce2172c8d1";
$database = "2d07fad78478d88ebafdc581a91696bf";

so that the php would then unencript it when it does the connect part

Ravenous

I don't totally understand what you mean, but MD5 is a one-way hash. There's no decrypting it. So that's out. There are other algorithms that are reversible, though.

However, what's the point? If someone compromises the source code, they'll have the encrypted values as well as the function needed to decrypt them. They'll still get the info needed. I would suggest spend your time hardening your box in other fashions.

guest

well i was thinking somthing like the passwords of usernames on usermanagment scripts... what im trying to do is to encript the pass lets say someone finds a way to open a file with another php script on my servers, is there anyway to stop that, and what im thinking is encripting it but idk if its possible?

Ravenous

Yes, I guess it would be possible. For instance:

$username = "14c4b06b824ec593239362517f538b29";
$password = "1a1dc91c907325c69271ddf0c944bc72";
$host = "0a137b375cc3881a70e186ce2172c8d1";
$database = "2d07fad78478d88ebafdc581a91696bf";

mysql_connect(mcrypt_decrypt($host,$key,$foo), mcrypt_decrypt($username,$key,$foo), mcrypt_decrypt($password,$key,$foo)) or die("Error connecting to Database!");
mysql_select_db($database) or die("Cannot select database!");

If someone compromised this code, they would know the function needed to reverse the encryption as well as the key. You will have accomplished nothing.

bretticus

Well, I have no idea on the topology of netowrk where the scripts are that you want to protect, however, here are some SIMPLE suggestions that might suffice for the more likely scenario that your admin turns off FileInfo in AllowOverride. Thus, your config to make .html files PHP parseable in your .htaccess file suddenly doesn't work exposing your code for the whole Internet:

Declare and set your database connections either in a class or procedural script that you include from a php files that is not accessible via virtual path of any Website. This is probably far more effective than exposing your decryption routine right in the source php script.
If you host your own Website (your servers), throw in an extra network adapter (if you don't already have one free) and plug your database and your Webserver into a non-routable ip range, so even if outside eyes see your credentials somehow (scenario at the top of this post pehaps), they would not be able to connect to your database anyway. AND you should have a firewall that is blocking outside requests to SQL ports anyway.

Of course if a malicious user gains elevated access to your web server (enough to write PHP scripts even), they can do basically anything you can do with PHP on your server.

bretticus

Oh, and if you really need to have encryption of PHP files for security on remote systems (or you need to protect your intellectual property), you can look into Zend Encoder. It's pricey though!