PHP mysql_connect security

If the web server and the database server are on different hosts, is it possible for a hacker to sniff packets or use some other method to get the database username / password when using mysql_connect in PHP code?

+4
2 answers

Yes, mysql_connect() can be sniffed. The password is "scrambled", but this will not stop the attacker. All requests are transmitted over the wire in plain text, and an authenticated session can be captured if you sniff TCP sequence identifiers.

You should use full transport layer encryption, which is possible using the MYSQL_CLIENT_SSL flag if you are concerned about this attack. If you are establishing a mysql connection over the Internet or otherwise an untrusted network, this is necessary. This is not necessary if you are connecting through localhost.

+5
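
To confirm from a packet capture that a web host really asks for TLS before it logs in, this added example (not part of the original answers) classifies the first client packet of a MySQL 4.1+ connection: MYSQL_CLIENT_SSL turns on the CLIENT_SSL capability bit (0x0800), and a client using it sends a 32-byte SSLRequest instead of a login that carries the user name and scrambled password. The function name, the sample packets and the user name `webapp` are constructed for illustration, and the parser assumes the length-prefixed 4.1 authentication response.

```python
import struct

CLIENT_PROTOCOL_41 = 0x00000200
CLIENT_SSL = 0x00000800          # the bit MYSQL_CLIENT_SSL (2048) turns on
CLIENT_SECURE_CONNECTION = 0x00008000


def inspect_client_login(packet: bytes) -> dict:
    """Classify the first client packet of a MySQL connection (protocol 4.1+)."""
    if len(packet) < 4:
        raise ValueError("missing 4-byte packet header")
    length = int.from_bytes(packet[:3], "little")   # 3-byte length, 1-byte seq
    payload = packet[4:4 + length]
    if length < 32 or len(payload) != length:
        raise ValueError("truncated or not a protocol 4.1 login packet")
    caps, _max_packet, _charset = struct.unpack_from("<IIB", payload)
    if not caps & CLIENT_PROTOCOL_41:
        raise ValueError("pre-4.1 login packet, not handled here")
    body = payload[32:]                              # after 23 filler bytes
    if caps & CLIENT_SSL and not body:
        # SSLRequest: nothing but capabilities; the login follows inside TLS.
        return {"tls_requested": True, "username": None, "auth_len": None}
    end = body.find(b"\x00")
    if end < 0 or end + 1 >= len(body):
        raise ValueError("malformed login body")
    return {
        "tls_requested": False,
        "username": body[:end].decode("utf-8", "replace"),  # sent in the clear
        "auth_len": body[end + 1],   # length of the scramble, not the password
    }


# Constructed sample packets (not captured traffic).
def _packet(caps: int, body: bytes = b"") -> bytes:
    payload = struct.pack("<IIB", caps, 1 << 24, 33) + bytes(23) + body
    return len(payload).to_bytes(3, "little") + b"\x01" + payload


BASE = CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION
SAMPLE_TLS = _packet(BASE | CLIENT_SSL)
SAMPLE_PLAIN = _packet(BASE, b"webapp\x00" + bytes([20]) + bytes(range(20)))

if __name__ == "__main__":
    for name, pkt in (("tls", SAMPLE_TLS), ("plain", SAMPLE_PLAIN)):
        print(name, inspect_client_login(pkt))
```

A `tls_requested` value of `False` on traffic between the web host and the database host means the login and every later query cross the network unencrypted.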

I think a hacker can sniff packets if he has some kind of access to the web server or db server, or at least to the local network where one of these servers is located, in which case you have more problems. But if the web server is on webhost.com, the db is on dbhost.com, and the hacker tries to sniff from outside, he can't do much.

0