Skip to main content
Code Review

Return to Question

deleted 158 characters in body; edited title
Source Link
Jamal
Jamal
  • 35.2k
  • 13
  • 134
  • 238

Security Script for a multi- what can I do to have more security hereuser webapp database connection

I have the following (Working fine)working script which I use for my database connection for a multiusermulti-user webapp. I use a different database for the login, this script is called only after the user is successfully logged in. The login uses PDO.

I would like to know what I can do to

  • make this more secure

  • harder to fail

     include('.dbinc.cred.inc.php');

 try {
 $dbh = new PDO('mysql:host=' . HOST_ONE . ';dbname=' . DB_ONE . '', USER_ONE, PASS_ONE);

 $statement = $dbh->prepare("SELECT user_db, user_db_pass, user_db_user, user_name FROM databases WHERE user_name = :name");
 $statement->execute(array('name' => $_SESSION['user_name']));

 foreach ($statement as $row) {
    $user_db = $row['user_db'];
    $user_db_user = $row['user_db_user'];
    $user_db_pass = $row['user_db_pass'];
 }

 }
   catch (PDOException $e) {
 print "Error!: " . $e->getMessage() . "<br/>";
 die();
 }
 $dbh = null;

 $sql = new mysqli (HOST_ONE,$user_db_user, $user_db_pass,$user_db);
 $sql -> set_charset ( 'utf8' );
 if ($sql->connect_errno)
 {echo "<script language=JavaScript>location.href='#ajax/account_setup.php';</script> ";}

include('.dbinc.cred.inc.php');

try {
$dbh = new PDO('mysql:host=' . HOST_ONE . ';dbname=' . DB_ONE . '', USER_ONE, PASS_ONE);

$statement = $dbh->prepare("SELECT user_db, user_db_pass, user_db_user, user_name FROM databases WHERE user_name = :name");
$statement->execute(array('name' => $_SESSION['user_name']));

foreach ($statement as $row) {
   $user_db = $row['user_db'];
   $user_db_user = $row['user_db_user'];
   $user_db_pass = $row['user_db_pass'];
}

}
  catch (PDOException $e) {
print "Error!: " . $e->getMessage() . "<br/>";
die();
}
$dbh = null;

$sql = new mysqli (HOST_ONE,$user_db_user, $user_db_pass,$user_db);
$sql -> set_charset ( 'utf8' );
if ($sql->connect_errno)
{echo "<script language=JavaScript>location.href='#ajax/account_setup.php';</script> ";}

Is it better to do this in 2 files, one for the user check, then define HOST_TWOHOST_TWO and so on and include the first file in the second?

Why am I using PDO and then mysqliMySQLi?

  I do this (weird) thing because the whole app uses mysqli_ at the moment and I'm rewriting everything to PDO atm. But actually I need the mysqliMySQLi connection, though.

Thank you very much for reading and your help!

Security - what can I do to have more security here

I have the following (Working fine) script which I use for my database connection for a multiuser webapp. I use a different database for the login, this script is called only after the user is successfully logged in. The login uses PDO.

I would like to know what I can do to

  • make this more secure

  • harder to fail

     include('.dbinc.cred.inc.php');

 try {
 $dbh = new PDO('mysql:host=' . HOST_ONE . ';dbname=' . DB_ONE . '', USER_ONE, PASS_ONE);

 $statement = $dbh->prepare("SELECT user_db, user_db_pass, user_db_user, user_name FROM databases WHERE user_name = :name");
 $statement->execute(array('name' => $_SESSION['user_name']));

 foreach ($statement as $row) {
    $user_db = $row['user_db'];
    $user_db_user = $row['user_db_user'];
    $user_db_pass = $row['user_db_pass'];
 }

 }
   catch (PDOException $e) {
 print "Error!: " . $e->getMessage() . "<br/>";
 die();
 }
 $dbh = null;

 $sql = new mysqli (HOST_ONE,$user_db_user, $user_db_pass,$user_db);
 $sql -> set_charset ( 'utf8' );
 if ($sql->connect_errno)
 {echo "<script language=JavaScript>location.href='#ajax/account_setup.php';</script> ";}

Is it better to do this in 2 files, one for the user check, then define HOST_TWO and so on and include the first file in the second?

Why am I using PDO and then mysqli?

  I do this (weird) thing because the whole app uses mysqli_ at the moment and I'm rewriting everything to PDO atm. But actually I need the mysqli connection, though.

Thank you very much for reading and your help!

Script for a multi-user webapp database connection

I have the following working script which I use for my database connection for a multi-user webapp. I use a different database for the login, this script is called only after the user is successfully logged in. The login uses PDO.

I would like to know what I can do to

  • make this more secure

  • harder to fail

include('.dbinc.cred.inc.php');

try {
$dbh = new PDO('mysql:host=' . HOST_ONE . ';dbname=' . DB_ONE . '', USER_ONE, PASS_ONE);

$statement = $dbh->prepare("SELECT user_db, user_db_pass, user_db_user, user_name FROM databases WHERE user_name = :name");
$statement->execute(array('name' => $_SESSION['user_name']));

foreach ($statement as $row) {
   $user_db = $row['user_db'];
   $user_db_user = $row['user_db_user'];
   $user_db_pass = $row['user_db_pass'];
}

}
  catch (PDOException $e) {
print "Error!: " . $e->getMessage() . "<br/>";
die();
}
$dbh = null;

$sql = new mysqli (HOST_ONE,$user_db_user, $user_db_pass,$user_db);
$sql -> set_charset ( 'utf8' );
if ($sql->connect_errno)
{echo "<script language=JavaScript>location.href='#ajax/account_setup.php';</script> ";}

Is it better to do this in 2 files, one for the user check, then define HOST_TWO and so on and include the first file in the second?

Why am I using PDO and then MySQLi? I do this (weird) thing because the whole app uses mysqli_ at the moment and I'm rewriting everything to PDO atm. But actually I need the MySQLi connection, though.

Source Link
baao
baao
  • 123
  • 6

Security - what can I do to have more security here

I have the following (Working fine) script which I use for my database connection for a multiuser webapp. I use a different database for the login, this script is called only after the user is successfully logged in. The login uses PDO.

I would like to know what I can do to

  • make this more secure

  • harder to fail

     include('.dbinc.cred.inc.php');

 try {
 $dbh = new PDO('mysql:host=' . HOST_ONE . ';dbname=' . DB_ONE . '', USER_ONE, PASS_ONE);

 $statement = $dbh->prepare("SELECT user_db, user_db_pass, user_db_user, user_name FROM databases WHERE user_name = :name");
 $statement->execute(array('name' => $_SESSION['user_name']));

 foreach ($statement as $row) {
    $user_db = $row['user_db'];
    $user_db_user = $row['user_db_user'];
    $user_db_pass = $row['user_db_pass'];
 }

 }
   catch (PDOException $e) {
 print "Error!: " . $e->getMessage() . "<br/>";
 die();
 }
 $dbh = null;

 $sql = new mysqli (HOST_ONE,$user_db_user, $user_db_pass,$user_db);
 $sql -> set_charset ( 'utf8' );
 if ($sql->connect_errno)
 {echo "<script language=JavaScript>location.href='#ajax/account_setup.php';</script> ";}

Is it better to do this in 2 files, one for the user check, then define HOST_TWO and so on and include the first file in the second?

Why am I using PDO and then mysqli?

I do this (weird) thing because the whole app uses mysqli_ at the moment and I'm rewriting everything to PDO atm. But actually I need the mysqli connection, though.

Thank you very much for reading and your help!