Hi Everyone,
I'm trying to make a secure connection via PHP's mysql_connect() to a remote MySQL database. I'm really surprised and a little frightened by the lack of documentation on this, which I would think would be a common task. If anybody knows of any tutorials about making a secure connection via PHP's mysql_connect() to a remote MySQL database, it would be immensely helpful. I've searched for MYSQL_CLIENT_SSL usage information but have found very little. I do have an SSL installed on the MySQL server.

Many thanks!

    Thanks dalecosp. That documentation appears to be for setting up MySQL to handle SSL. My remote MySQL server is already configured for SSL. I'm talking specifically about the PHP code to make this secure connection. For example, the below code connects, but how do I verify that it is indeed a secure connection?

    <?php
    $flags = "MYSQL_CLIENT_SSL";
    $hostname = "myhost.com:3306";
    $conn = @mysql_connect($hostname, 'mylogin', '*********', $flags);
    $db = "mydatabase";
    @mysql_select_db($db, $conn);
    // if connection fails echo error
    if (!$conn) {
        $sqlError = mysql_error();
        echo $sqlError;
        exit();
    } else {
        echo "connected";
        @mysql_close($conn);
        //do something
    }
    ?>

      Two problems I see:

      1. You're using the '@' error suppressor. Don't use this (ever, IMHO).

      2. The flag MYSQL_CLIENT_SSL (or just about any 'flag' for PHP functions/etc.) is supposed to be a constant, not a string.

        Oops - make that three problems; you're passing the $flags parameter in the wrong spot (check the manual page for [man]mysql_connect[/man] to see where that parameter should go).

          Thanks bradgrafelman. Can you explain why one shouldn't use @ to suppress errors? Wouldn't that keep server information from potentially being displayed on an error? Also, do you know of a way to determine if the optional flag (which I made a constant) is actually working?

            agent_404;10982441 wrote:

            Can you explain why one shouldn't use @ to suppress errors?

            I'd love to! The '@' error suppressor does nothing to help you and everything to hinder you as a programmer.

            If you're using it in your development environment, it's simply going to hide errors in code that you're writing/debugging. This means you'll be unaware of any problems PHP might be trying to make you aware of and thus prevents you from addressing these problems before uploading your code to your production environment.

            If you're using it in your production environment, it's simply going to hide errors in code that is being executed to handle real, live requests. If something breaks or goes wrong, you'll never know about it because the error information that PHP would have logged (since we all know that error logging should always be enabled in production environments... right??? 😉) will instead be thrown away (a.k.a. "suppressed").

            Long story short: I can't think of one good reason why to use it, and I've just listed a few reasons why not to use it. Therefore, I never use it.

            agent_404;10982441 wrote:

            Wouldn't that keep server information from potentially being displayed on an error?

            Indeed, which is very bad (as I explained above).

            If you're relying on using it to hide error information from the end user... well, that's just bad design on your part. You should instead disable display_errors (something you shouldn't have enabled in your production environment anyway... right??? 😉) and instead enable log_errors. Assuming you've done that, the only person you'd be hiding the error info from is yourself - the programmer in charge of fixing said errors.

            agent_404;10982441 wrote:

            Also, do you know of a way to determine if the optional flag (which I made a constant) is actually working?

            I glanced at the MySQL docs briefly but couldn't find what I was looking for. I'm almost positive that MySQL will set a session/connection variable to indicate whether or not you're connected via SSL (assuming the server supports it, which you've indicated that it does).

            However, note that this user-contributed note in the PHP manual suggests that SSL support may or may not work with the 'mysql' extension. At any rate, note that the mysql extension itself is rather outdated; you should probably look into using [man]MySQLi[/man] (or [man]PDO[/man]) instead.

              Thanks again, bradgrafelman. I will try mysqli_connect and continue to try and determine if MYSQLI_CLIENT_SSL is working.

                agent_404;10982438 wrote:

                Thanks dalecosp. That documentation appears to be for setting up MySQL to handle SSL. My remote MySQL server is already configured for SSL. I'm talking specifically about the PHP code to make this secure connection.

                Given. Again, I'm not criticizing. Skimming the docs in the chapter I linked to provides a link to the MySQL C API and its function mysql_ssl_set. Searching for the equivalent on php.net doesn't yield anything in Mysql, but, as Brad notes, it does in the mysqli class, and it didn't take too much effort to find this in the PHP manual: mysqli_ssl_set

                So, The Friendly Manual is still our friend 😃
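
Added example, not code from any poster in this thread: one way to open the connection with mysqli over SSL/TLS and then confirm it is encrypted by reading the session's `Ssl_cipher` status variable, which is empty on an unencrypted connection. The host, user, database name, CA file path and the `DB_PASSWORD` environment variable are constructed placeholders, and `tls_cipher()` and `connect_tls()` are hypothetical helper names.

```php
<?php
// Added example: every host, credential and path below is a constructed placeholder.
// Make mysqli throw exceptions so failures are handled and logged, not hidden with '@'.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/** Return the cipher negotiated for this session, or null if it is not encrypted. */
function tls_cipher(mysqli $db): ?string
{
    $row = $db->query("SHOW SESSION STATUS LIKE 'Ssl_cipher'")->fetch_assoc();
    $cipher = $row['Value'] ?? '';
    return $cipher !== '' ? $cipher : null;
}

/** Connect with MYSQLI_CLIENT_SSL and refuse to return an unencrypted session. */
function connect_tls(string $host, string $user, string $pass, string $dbname, string $caFile): mysqli
{
    $db = mysqli_init();
    // Only the CA certificate is supplied; no client key or certificate is assumed.
    $db->ssl_set(null, null, $caFile, null, null);
    // Ask the client library to validate the server certificate against that CA.
    $db->options(MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, true);
    // The flag is a constant passed as the last argument, not a string.
    $db->real_connect($host, $user, $pass, $dbname, 3306, null, MYSQLI_CLIENT_SSL);

    if (tls_cipher($db) === null) {
        $db->close();
        throw new RuntimeException('MySQL session is not encrypted');
    }
    return $db;
}

try {
    $db = connect_tls('db.example.com', 'app_user', getenv('DB_PASSWORD') ?: '',
                      'mydatabase', '/path/to/ca.pem');
    // With display_errors off and log_errors on, this goes to the log, not the page.
    error_log('MySQL TLS cipher: ' . tls_cipher($db));
    $db->close();
} catch (Throwable $e) {
    error_log('MySQL connection failed: ' . $e->getMessage());
    http_response_code(500);
    exit;
}
```

To have the server itself reject unencrypted logins for an account, the account can be created or altered with `REQUIRE SSL` on the MySQL side.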
