How to get Mysql password for connection using getenv()


0

I currently use the standard connection form to get the data from MySQL, but I know that getenv() is used for greater safety; however, I do not know how to use it to retrieve the password for the connection to my database.

Below is how my connection with MySQL is made:

<?php
$con = mysqli_connect("localhost", "root", "", "guaraparivirtual");
?>
  • The use of getenv and putenv won’t make it any safer, I don’t know who told you, but this is very relative.

  • @Guilhermenascimento What is the location and way to assign the password of my database safely?

  • 1

    It’s not a matter of location, it’s a matter of understanding that something is "relative". I can come and tell you that the plane is the safest form of transport in the world and yet there is a very serious plane accident; there are many factors to take into account, and there is no ready-made magic formula where you only have to do something. Right now I’m running out of time to explain the security issue, but I’ll tell you this: between using putenv and an array with the navigation data you will not have much difference.

  • It is easier to create a separate file with the user and password and make the connection there, and then use a PHP file encryption tool like PHP Lockit; then just include the encrypted file via include/require in your other files that require the connection.

2 answers

3

There’s no point in using putenv. If you’re gonna do this, you might as well throw it all in one array or object, something like:

config.php

the return is recognized in the include

<?php

return (object) array(
    'host' => 'localhost',
    'user' => 'root',
    'pass' => 'meupassword',
    'db'   => 'meubanco',
);

php page.

$config = require 'config.php';

$con = new mysqli($config->host, $config->user, $config->pass, $config->db);

The issue of security

Maybe that story you heard about getenv being safer refers to setting up such data outside the .php, in the environment variables to be more exact. I will not get into the merits of that discussion, because it does not make much sense: the variables will be accessible to any application anyway. Either way, using an array/object or using environment variables, you can be as safe as you are insecure. If your server has some "evil application", it can steal your passwords wherever they are; it won’t matter. If your server is insecure, then the problem is not in your PHP files but on your server.

Now if your fear is someone getting access to the .php, using putenv won’t solve anything.

In short, if your fear is that some user on the internet will somehow access the password, using getenv is not the solution; it is impossible for a visitor to have access to this data unless you have exposed it with echo, print, print_r or some very badly done debugger (it is highly recommended to turn off debuggers on the production server).
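As an added example (not code from either answer), here is a sketch of the setup this answer refers to: the values live in environment variables defined outside the .php files, and the connection code avoids the exposure paths named above (echo, print_r, debug output). The variable names DB_HOST, DB_USER, DB_PASS and DB_NAME and the functions loadDbConfig() and connectDb() are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added example. DB_HOST, DB_USER, DB_PASS and DB_NAME are assumed names,
// set outside PHP (web server or process manager config), not via putenv().

/** Read the four settings from the environment; fail closed if one is unset. */
function loadDbConfig(): array
{
    $config = [];
    foreach (['DB_HOST', 'DB_USER', 'DB_PASS', 'DB_NAME'] as $name) {
        $value = getenv($name);
        if ($value === false) {
            // Only the name goes into the message, never a value.
            throw new RuntimeException("Missing environment variable: $name");
        }
        $config[$name] = $value;
    }
    return $config;
}

/** Connect without letting connection details reach the visitor. */
function connectDb(array $config): mysqli
{
    // Production setting: errors go to the server log, not into the page.
    ini_set('display_errors', '0');
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    try {
        return new mysqli(
            $config['DB_HOST'],
            $config['DB_USER'],
            $config['DB_PASS'],
            $config['DB_NAME']
        );
    } catch (mysqli_sql_exception $e) {
        // Log the error code only; stack traces can include call arguments.
        error_log('Database connection failed, code ' . $e->getCode());
        throw new RuntimeException('Database unavailable');
    }
}

try {
    $con = connectDb(loadDbConfig());
} catch (RuntimeException $e) {
    http_response_code(500);
    exit('Service temporarily unavailable.');
}
```

This keeps the password out of the source tree and out of page output; it does not protect the values from anyone who can already read files or the process environment on the server.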

1

Hey, you gotta do something like this.

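// Set the environment variables for this request (host, user, password)
putenv("host=localhost");
putenv("user=root");
putenv("pass= ");

// Read them back with getenv()
$db_host=getenv("host");
$db_user=getenv("user");
$db_pass=getenv("pass");
$db_name="tese";

// Pass the database name as well so the connection selects it
$con = new mysqli($db_host, $db_user, $db_pass, $db_name);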

I hope I’ve helped

  • What good would getenv('') do? Wouldn’t it be easier to just leave it empty? $db_pass = ''

  • Yes ;) but that was in case you had a password and hadn’t put it here

  • @Brnper Sorry for my lack of knowledge. But, what is the use in passing the information on getenv() or declare directly as I did?

  • @Gladison don’t worry. Every day we learn new things. getenv() will look for environment variables. The advantage of using getenv() is that variables in PHP are case-sensitive; with getenv() it will search without worrying about uppercase or lowercase letters, since it will all be the same for getenv(). An example is this: with $_SERVER['Path'] you need to write PATH, otherwise PHP cannot find it; with getenv('path') it already works. I hope you understand.

  • @Brnper So what’s the difference of using $senha = '1234' and getenv() with regard to security? If I have to fully assign the password to the getenv().

  • @Gladison as far as security is concerned, very little. getenv() and putenv() are used to pass server variables without being worried about rewriting them or knowing them. For example, you use putenv() and put a given input as a variable; in another segment of the code you can use getenv("put the name") and work with that data without knowing what it is, so it is safer. I hope I made myself clear to you

  • @Brnper Now I understand! But the code you gave me above is giving error Warning: mysqli_connect(): (HY000/1044): Access denied for user ''@'localhost' to database 'guaraparivirtual' in C:\xampp\htdocs\guaraparivirtual\conexao.php on line 7 line 7 is this $con = mysqli_connect($db_host, $db_user, $db_pass, $db_name);

  • @Gladison I had an error in the post that I overlooked, but I have already corrected it

  • @Gladison have you solved your problem yet?

  • @Brnper I did it! Thank you so much for your help. Awesome.

  • @Gladison you’re welcome ;) just be sure to rate my answer later as the answer to your question

  • 3

    Using getenv has absolutely nothing to do with PHP being case-insensitive or not. What happens is that by using environment variables, sensitive data is not present in the body of the code. This only facilitates code distribution. No security is added. Using getenv together with putenv may not make sense. If someone can access the server and read its source code, they will also be able to access the environment variables; that is, it does not solve the security problem, only the distribution of the code, like posting it on GitHub, for example.

  • 1

    But getenv() has this advantage over $SERVER, since getenv() does not require sensitive

  • And in fact if the result of putenv is associated with an input, after once filled, through the source code the user can in no way know the pass.

  • 1

    But if you have access to the source code, you also have access to the environment variables. Nothing changes in security matters. Using putenv associated with an input makes no sense. Being case-insensitive is no advantage, and I did not understand what the relationship of $SERVER with the question is.

  • $SERVER is one of the other ways to search for environment variables, right? And I didn’t realize how with access to the source code it’s possible to access the environment variables?
