MySQL connection security using PDO, am I doing it right?

0

Is it safe to connect to MySQL using only the form below?

<?php

// Returns a PDO connection, or null if the connection could not be opened.
function conectar() {

        $server = "localhost";
        $dbname = "banco";
        $dbuser = "usuario";
        $dbpass = "senha";

        // Initialised so the function never returns an undefined variable.
        $con = null;

        try {

                $con = new PDO("mysql:host=$server;dbname=$dbname", $dbuser, $dbpass);

        } catch (PDOException $e) {

                // $con stays null here; callers must check for it before use.
                echo "ERRO GERADO" . $e->getMessage();
        }

        return $con;

}

?>

Can I use it just like this in my applications, or should I take some more care?


1 answer

4

The security problem is not in the connection, it is in general use. The biggest problem most applications have directly related to the database is SQL injection, so it is in the query that the danger lives.

There is a huge number of security issues that may affect the database but are not in the database itself. I’d say over 90% of the sites out there are vulnerable. Security is a serious, difficult subject that goes far beyond the basic programming knowledge most people have. I have 35 years of experience and I am bad at security. There are those with barely 35 days who think they can make something secure. The one who drowns is the one who thinks he can swim, not the one who knows nothing.

Obviously a password exposed like this is insecure; you should never have a password exposed like this. The correct thing is to always have the user type the password and then carry and handle it safely, which involves too much to discuss here. But almost no one does this. In some cases you cannot demand this; it may be that a user does not log in in order to access the database. Encryption would help a little in these cases.

Of course, a password exposed this way is only compromised if someone else gets into the server, so this insecurity comes from another insecurity. It can happen through an outside intrusion, through local access, which is relatively easy, or even because you carelessly let someone have access.

You need to ask yourself why you are using PDO. If you think it is safe, you are mistaken. It gives no security. It serves to abstract access to different databases, which no one does, so it’s usually just a useless layer for almost every case where it’s used.

  • So I don’t have to worry about the connection itself, but about the operations that use it, right?

  • It’s not that you don’t have to worry, but it’s hard for it to cause trouble. I’ve seen someone who left this part insecure, but he was a "genius" :)
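To show where the danger the answer points at actually lives, here is an added example (not code from the question or the answer): the same lookup written once as a concatenated query and once as a prepared statement, run against an in-memory SQLite database so it needs no MySQL server. It also shows the connection reading its credentials from the environment rather than from a literal in the source, as the answer recommends against. The conectar_demo function, the usuarios table and its rows, the hostile input string and the DB_DSN/DB_USER/DB_PASS environment variables are all constructed for this example; it assumes PHP 8 with the pdo_sqlite extension.

```php
<?php
// Added example, not from the question or the answer. Runs against an
// in-memory SQLite database; set DB_DSN/DB_USER/DB_PASS to point it at MySQL.
declare(strict_types=1);

function conectar_demo(): PDO {
    // Assumption: credentials are supplied by the environment (web server
    // config or a file outside the document root), not hard-coded here.
    $dsn  = getenv('DB_DSN')  ?: 'sqlite::memory:';
    $user = getenv('DB_USER') ?: null;
    $pass = getenv('DB_PASS') ?: null;

    $opts = [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // fail loudly, never echo details to the client
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ];
    if (str_starts_with($dsn, 'mysql:')) {
        // Use real server-side prepares on MySQL instead of client-side emulation.
        $opts[PDO::ATTR_EMULATE_PREPARES] = false;
    }
    return new PDO($dsn, $user, $pass, $opts);
}

// Constructed sample data for the demo.
function popular(PDO $con): void {
    $con->exec('CREATE TABLE usuarios (id INTEGER PRIMARY KEY, nome TEXT, senha TEXT)');
    $con->exec("INSERT INTO usuarios (nome, senha) VALUES ('alice', 's3cr3t'), ('bob', 'hunter2')");
}

// VULNERABLE: the user-supplied name is pasted into the SQL text, so the input
// can change the shape of the query, not just the value being compared.
function buscar_inseguro(PDO $con, string $nome): array {
    $sql = "SELECT nome FROM usuarios WHERE nome = '$nome'";
    return $con->query($sql)->fetchAll();
}

// SAFE: the SQL text is fixed; the value travels separately as a bound parameter.
function buscar_seguro(PDO $con, string $nome): array {
    $stmt = $con->prepare('SELECT nome FROM usuarios WHERE nome = :nome');
    $stmt->execute([':nome' => $nome]);
    return $stmt->fetchAll();
}

$con = conectar_demo();
popular($con);

$entrada  = "' OR '1'='1";                          // constructed hostile input
$inseguro = count(buscar_inseguro($con, $entrada)); // 2 rows: the WHERE clause was rewritten
$seguro   = count(buscar_seguro($con, $entrada));   // 0 rows: nobody has that literal name

printf("concatenated query returned %d rows, prepared statement returned %d\n", $inseguro, $seguro);
```

Note that PDO only helps when the query is actually prepared with placeholders; buscar_inseguro goes through PDO too and is still injectable, which is exactly the answer's point that PDO by itself "gives no security".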
