odbc connect using username and password of dsn or application context

[kaeserea]

Hello!

Due to security standards I'm no longer allowed to write the username and password for an odbc connection down in a php file (odbc_connect($dsn, "myUsername", "myPassword").

I was told that I should use either of the following options:

1.) the odbc dsn connection on the server (which is a win200 server). Because her the username and the password are already installed but cannot be read by anyone looking at it.

2.) Using an application pool where my application runs. Here I can run the application within a certain context. I.e. I can state under which username and password the application runs.

So far so good. My problem now is that the function odbc_connect() needs username and password. You cannot go without them. I already tried empty password, username. Doesn't work.

Does anybody know how I can use one of the above methods with php?

Regards
Eva

 

[jpadie]

i think 1 should work fine. feed the function with empty strings for username and password.

method 2 i don't think is quite as straightforward. i'd guess it's not the application so much as the security credentials with which the script runs. i think this only works if your database server is set up to use ntlm security.

i'm not sure i get the security concern though. so long as you place the file with the connection params outside the web root (and include it with php when necessary) where is the security concern?

 

[kaeserea]

Hi jpadie,

empty username and password doesn't work unfortunately.

Well about the thought why it is a security problem... I won't go into this because I think the same as you, yet our standard doesn't allow me to do this. So no chance to discuss it. I simply have to apply it....

Regards,
Eva