
How to protect a Yii app's connection string?

I'm hosting a Yii app on a shared host with some of my friends, and I keep the database on a private MySQL server. As you know, the database info can be found very easily in protected\config\main.php by another host owner (my friends and more):

'db'=>array(
     'connectionString' => 'mysql:host=211.113.2.45;dbname=FamilyBook',
     'emulatePrepare' => true,
     'username' => 'root',
     'password' => 'xcute445',
     'charset' => 'utf8',
),

Is there any solution to conceal connection information such as the MySQL server IP, username, and password?

Can the MySQL server provide an RSA mechanism to protect the database info?

For example, anyone can see the values below but cannot understand or use them:

'db'=>array(
     'connectionString' => '57bf064b2166366a5ea61109006b8d5c',
     'emulatePrepare' => true,
     'username' => '63a9f0ea7bb98050796b649e85481845',
     'password' => 'e04ccf211208f8c97e4a36e584926e60',
     'charset' => 'utf8',
), // values from the MD5 function, example only
Davuz asked Jun 20 '12 09:06


1 Answer

No, you cannot conceal the credentials from someone who has access to your source as long as you are using native MySQL authentication. That's because your code needs to pass the credentials as cleartext¹ to the server, so it needs to be able to "decrypt" them before connecting. Someone who has access to your source can follow the same procedure and decrypt them as well.

You could secure your system by relying on some type of PAM authentication instead of user-supplied credentials, but Yii does not support such.


¹note: This is not actually true. The client passes a hash to the server, but it needs to have access to the original password in order to hash it. This means that for the purposes of this discussion it makes no difference (it would make a difference for someone who is listening on the network).

Jon answered Oct 31 '22 15:10
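
An added example (not part of the original answer, and not Yii or MySQL code) of the challenge-response the footnote refers to, assuming the `mysql_native_password` scheme; the function names and sample values are constructed for illustration. It shows why a config holding only an MD5 digest, as proposed in the question, cannot log in: the client has to derive its reply from the real password, so whatever the config stores must be usable by anyone who can read it.

```python
import hashlib
import hmac
import os


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def server_stored_hash(password: str) -> bytes:
    """What the server keeps for the account: SHA1(SHA1(password))."""
    return sha1(sha1(password.encode()))


def client_token(secret_from_config: str, nonce: bytes) -> bytes:
    """Client reply: SHA1(pw) XOR SHA1(nonce + SHA1(SHA1(pw)))."""
    stage1 = sha1(secret_from_config.encode())
    return xor(stage1, sha1(nonce + sha1(stage1)))


def server_verify(stored: bytes, nonce: bytes, token: bytes) -> bool:
    """Server recovers SHA1(pw) from the token and re-hashes it."""
    candidate = xor(token, sha1(nonce + stored))
    return hmac.compare_digest(sha1(candidate), stored)


def login(config_value: str, real_password: str) -> bool:
    """One simplified handshake with a fresh 20-byte nonce per connection."""
    nonce = os.urandom(20)
    stored = server_stored_hash(real_password)
    return server_verify(stored, nonce, client_token(config_value, nonce))


# Constructed sample values, not taken from the page.
REAL_PASSWORD = "example-db-password"
MD5_IN_CONFIG = hashlib.md5(REAL_PASSWORD.encode()).hexdigest()

if __name__ == "__main__":
    print("cleartext in config:", login(REAL_PASSWORD, REAL_PASSWORD))
    print("MD5 digest in config:", login(MD5_IN_CONFIG, REAL_PASSWORD))
```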