I'm trying to make a secure connection with my database
I wrote the following code:
<?php
// form filled?
if (isset($_POST['submit'])) {
    $user = 'gebruiker';
    $pass = 'gebruiker';
    $db = new mysqli('localhost', $user, $pass, 'forum');
    if (mysqli_connect_errno()) {
        echo 'database doesnt work';
        file_put_contents('MySQLiErrors.txt', date('[Y-m-d H:i:s]') . mysqli_connect_error() . "\r\n", FILE_APPEND);
        exit();
    } else {
        // start the session before either branch below writes to $_SESSION
        session_start();
        $username = $_POST['username'];
        $userspassword = $_POST['password'];
        // salt built from the first 4 characters of the password itself (substr needs the string as its first argument)
        $salt = strrev($userspassword . substr($userspassword, 0, 4));
        $password = hash('sha512', $userspassword . $salt);
        $statement = $db->prepare("SELECT id,username FROM user WHERE username = ? AND password = ?");
        $statement->bind_param("ss", $username, $password);
        $statement->execute();
        $result = $statement->get_result();
        $statement->close();
        $count = $result->num_rows;
        if ($count > 0) {
            $_SESSION["username"] = $username;
            header("Location: forum.php");
        } else {
            $_SESSION['Error'] = "Invalid username or password";
        }
    }
    $db->close();
}
I also read something about SSL connections on php.net but I don't have any idea how to implement this in this case.
http://php.net/manual/en/mysqli.ssl-set.php
My code is running on Fedora 21 and it works fine, but the next thing I want is a secure connection using SSL.
Default SSL Configuration in MySQL
By default, MySQL server always installs and enables SSL configuration. However, it is not enforced that clients connect using SSL. Clients can choose to connect with or without SSL as the server allows both types of connections.
By default, MySQL is configured to only allow connections from the local system. If you want to connect to a MySQL server from a remote system, it is recommended to secure it with SSL/TLS. Enabling SSL/TLS will encrypt the data being sent to and from the database.
MySQL client programs support an --ssl-mode option that enables you to specify the security state of the connection to the server. The --ssl-mode option comprises the capabilities of the client-side --ssl and --ssl-verify-server-cert options.
You do NOT need the client certificate and private key and in most cases you do NOT want MySQL server to verify the client certificate.
The client, however, MUST verify the server certificate using the CA certificate to prevent MITM.
<?php
$mysqli = mysqli_init();
// verify the server certificate against the CA bundle (this is what stops MITM)
$mysqli->options(MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, true);
// no client key or certificate; only the CA bundle that signed the server certificate
$mysqli->ssl_set(NULL, NULL, "/etc/ssl/certs/ca-bundle.crt", NULL, NULL);
if (!$mysqli->real_connect('hostname', 'user', 'password', 'database')) {
    die('Connect error: ' . mysqli_connect_error());
}
$mysqli->close();
?>
<?php
$con = mysqli_init();
if (!$con) {
    die("mysqli_init failed");
}
// arguments: client key, client certificate, CA certificate, CA path, cipher list
// (the server certificate is only checked if MYSQLI_OPT_SSL_VERIFY_SERVER_CERT is also set)
mysqli_ssl_set($con, "key.pem", "cert.pem", "cacert.pem", NULL, NULL);
if (!mysqli_real_connect($con, "localhost", "my_user", "my_password", "my_db")) {
    die("Connect Error: " . mysqli_connect_error());
}
// Some queries...
mysqli_close($con);
?>
For mysqli_real_connect use
<?php
ini_set('error_reporting', E_ALL);
ini_set('display_errors', '1');
error_reporting(E_ALL | E_STRICT);
$db = mysqli_init();
// verify the server certificate against the CA file given to ssl_set
mysqli_options($db, MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, true);
$db->ssl_set('/etc/mysql/ssl/client-key.pem', '/etc/mysql/ssl/client-cert.pem', '/etc/mysql/ssl/ca-cert.pem', NULL, NULL);
// MYSQLI_CLIENT_SSL requests an SSL connection; mysqli_real_connect returns a bool, not a link
$link = mysqli_real_connect($db, 'ip', 'user', 'pass', 'db', 3306, NULL, MYSQLI_CLIENT_SSL);
if (!$link) {
    die('Connect error (' . mysqli_connect_errno() . '): ' . mysqli_connect_error() . "\n");
} else {
    $res = $db->query('SHOW TABLES;');
    print_r($res->fetch_all()); // print the table names, not the result object
    $db->close();
}
?>
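The answers above show the two pieces separately (verify the server certificate with a CA, request SSL on connect) but neither checks afterwards that the session really is encrypted. The following is an added example, not code from the question or from any of the answers: a helper that fails closed unless the server certificate chains to the given CA and the negotiated session reports a cipher. It assumes PHP 8 with mysqlnd; the host name, credentials and CA bundle path are placeholders.

```php
<?php
// Added example (not from the original question or answers): open a mysqli
// connection that only succeeds over a verified TLS session.
// Host, credentials and CA path below are placeholders, not from the page.

declare(strict_types=1);

function connectVerifiedTls(
    string $host,
    string $user,
    string $pass,
    string $dbname,
    string $caFile = '/etc/ssl/certs/ca-bundle.crt', // placeholder CA bundle path
    int $port = 3306
): mysqli {
    // Throw on any mysqli error instead of returning false silently.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

    $db = mysqli_init();
    if ($db === false) {
        throw new RuntimeException('mysqli_init() failed');
    }

    // Verify the server certificate against the CA; this is what blocks MITM.
    $db->options(MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, true);

    // No client key/cert: only the CA file is needed to verify the server.
    $db->ssl_set(null, null, $caFile, null, null);

    // MYSQLI_CLIENT_SSL requests TLS for the connection rather than letting
    // the client silently use plaintext.
    $db->real_connect($host, $user, $pass, $dbname, $port, null, MYSQLI_CLIENT_SSL);

    // Belt and braces: ask the server which cipher this session negotiated.
    // An empty Ssl_cipher value means the connection is not encrypted.
    $row = $db->query("SHOW SESSION STATUS LIKE 'Ssl_cipher'")->fetch_assoc();
    if ($row === null || $row['Value'] === '') {
        $db->close();
        throw new RuntimeException('connection is not TLS-encrypted');
    }

    return $db;
}

try {
    // placeholder host and credentials
    $db = connectVerifiedTls('db.example.internal', 'gebruiker', 'gebruiker', 'forum');
    echo "TLS OK\n";
    $db->close();
} catch (mysqli_sql_exception | RuntimeException $e) {
    // Log the reason server-side; do not echo certificate details to the end user.
    error_log('[db] ' . $e->getMessage());
    http_response_code(500);
    echo "database unavailable\n";
}
```

With MYSQLI_REPORT_STRICT enabled, a certificate that does not chain to the CA, a host that speaks plaintext only, or an expired certificate all surface as an exception rather than as a connection that quietly succeeded without TLS; the Ssl_cipher check is there so the helper cannot return a plaintext session even if a driver or server option ever downgrades the connection.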