PHP Database Connection Encryption

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

jgonzalez
Forum Newbie
Posts: 1
Joined: Thu Aug 26, 2010 11:10 am

PHP Database Connection Encryption

Post by jgonzalez »

Hello,

I need to encrypt the MySQL database connection. I would love to have the actual information off the web root; however, I do not know if this is possible.

Does anyone know of a good way to securely do this?

Thanks.
bradbury
Forum Commoner
Posts: 40
Joined: Wed Aug 25, 2010 11:21 am
Location: Eugene, OR

Re: PHP Database Connection Encryption

Post by bradbury »

Why are you trying to encrypt the connection to your db? What I would do is just create a class that does all the connection functions and then you can call those functions, which cannot be accessed by anyone else if the permissions are set correctly.
Also, running an encryption on a connection is possible, but it would drastically slow down the connection time and there would be a much greater possibility of errors.
timWebUK
Forum Contributor
Posts: 239
Joined: Thu Oct 29, 2009 6:48 am
Location: UK

Re: PHP Database Connection Encryption

Post by timWebUK »

Is the database stored on the same server as web data?

When you are making your PHP calls, is the PHP on the same server as the database? If so, there is not really much need for encryption.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: PHP Database Connection Encryption

Post by kaisellgren »

An encrypted connection is needed when the database is accessible from the outside of your network. Usually encrypted connections are not necessary. Most setups that have the database in a separate server are in some intranet network and thus not accessible from the Internet.

For a PHP application, I have never seen a real-life need for encrypted database connections. For desktop software, it's the opposite. I use HeidiSQL (a desktop MySQL tool, I highly recommend it) to handle database-related tasks from the desktop remotely and therefore it is a must to encrypt the connection.

Refer to the MySQL documentation on how to set up MySQL SSL-ready. As for PHP, I don't know how to initiate an encrypted connection using PDO, but the native mysql and mysqli extensions offer those capabilities. Look for mysql_connect() or mysqli_ssl_set().
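The two points raised in this thread, keeping the connection details outside the web root and opening an encrypted connection with the mysqli SSL call named in the last post, shown together as an added example that is not code from any of the posts. The config path, its array keys, the host name and the function name `open_encrypted_db()` are assumptions made for illustration.

```php
<?php
// Added example (not from the thread). Assumed layout:
//   /etc/myapp/db.php       PHP file that returns an array with the keys
//                           host, user, pass, name, ca; stored outside the
//                           web root and readable only by the PHP user
//   /etc/myapp/mysql-ca.pem CA certificate that signed the MySQL server cert
// All paths and key names are hypothetical placeholders.

function open_encrypted_db(string $configPath): mysqli
{
    // The file sits outside the document root, so the web server can never
    // serve it as text even if PHP handling is misconfigured.
    $cfg = require $configPath;
    foreach (['host', 'user', 'pass', 'name', 'ca'] as $key) {
        if (!is_array($cfg) || empty($cfg[$key])) {
            throw new RuntimeException("missing config key: $key");
        }
    }

    // Throw exceptions instead of emitting warnings that could leak details.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

    $db = mysqli_init();
    // Only the CA is set: the client authenticates the server; no client
    // certificate is used in this example.
    $db->ssl_set(null, null, $cfg['ca'], null, null);
    $db->real_connect(
        $cfg['host'], $cfg['user'], $cfg['pass'], $cfg['name'],
        3306, null, MYSQLI_CLIENT_SSL
    );

    // Fail closed: confirm the session really negotiated a cipher rather
    // than trusting that the flag was honoured.
    $row = $db->query("SHOW SESSION STATUS LIKE 'Ssl_cipher'")->fetch_assoc();
    if (empty($row['Value'])) {
        $db->close();
        throw new RuntimeException('database session is not encrypted');
    }
    return $db;
}

// Usage (placeholder path):
// $db = open_encrypted_db('/etc/myapp/db.php');
```

On the server side, creating the application account with `REQUIRE SSL` makes MySQL refuse unencrypted logins for that user, so a misconfigured client cannot silently fall back to plaintext.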