Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Connect to ODBC without pw in Code 1

Status
Not open for further replies.

kaeserea

Programmer
Feb 26, 2003
164
DE
Dear all,

I use odbc_connect() to connect to a MS SQL database. Of course with that function I have to provide the password as a parameter. Now our company policy says, I should not have the password in code anymore.

Can anybody help? I have a windows server 2012 R2 with IIS and I already have a odbc connection to that MS SQL database established within the control panel. A system DSN, 64 bit, ODBC Driver 13 for SQL Server. (see attachment for a screenshot) So I thought I could maybe use that with the PHP, because the password is already in that system DSN and I would not have to type it into the PHP Code. Does anybody know how to do it?

Best wishes
Eva
 
 https://files.engineering.com/getfile.aspx?folder=a2267baa-8dd2-4adc-ba23-0381c131f4b4&file=odbc_system_dsn.png
To achive this the username & password must be stored somewhre thet the application can read them @ run time
For anything else the obvious place woud be the database[sad]

One option is for them to be stored in a file( out side of the web root!), preferably encrypted that the application can open & read.
I am sure there must be other solutions available & probably more secure.





Do things on the cheap & it will cost you dear
 
kaeserea said:
our company policy says, I should not have the password in code

Your company is nuts. Passwords need to be stored somewhere.

kaeserea said:
I already have a odbc connection to that MS SQL database established within the control panel

That password is stored in code as well. You just don't know where to find it yet.

Your systems should be set up so that even if a password is exposed, your private data is not. That means locking down your database server so that it only accepts connections for that user from a specific IP address (configured via firewall and/or the user account settings).

Useful reading:
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top