
Possible Duplicate:
How to safely store a password inside PHP code?

So this is the scenario: I have a C# program. It will send the serial number to my website (e.g. www.example.com/LicenseCheck.php). Let's say it sent 1234-1234-1234 as the serial.

The LicenseCheck.php will then connect to my MySQL:

```php
<?php
$username = "your_name";
$password = "your_password";
$hostname = "localhost";

//connection to the database
$dbhandle = mysql_connect($hostname, $username, $password)
  or die("Unable to connect to MySQL");
echo "Connected to MySQL<br>";
?>
```

Then it will do a "select" from the valid serial table, and if the license exists in the table then that means it's a valid serial.

Basically, what I'm trying to find is what would be a good way to approach this. I'm mostly worried about where to store the "Username" and "Password". Basically I will only have one user who will only have read permission.

I would like to hide the username and password as best as possible and would like to approach this in a secure way.

What do I mean by "Secure"? Just a way that would keep unauthorized users from getting into my database.

Thanks for all the help.

00101010 10101010
  • [`mysql_*` functions](http://php.net/manual/en/intro.mysql.php) are *old and deprecated*. Use [`MYSQLI`](http://php.net/manual/en/book.mysqli.php) or [PDO](http://php.net/manual/en/book.pdo.php) instead. – Jared Farrish Jan 19 '13 at 09:33
  • "Who" are you hiding the connection details from? If it's in a PHP block, it won't be sent in plaintext unless the page isn't parsed on request (where you don't have PHP properly configured). Are you actually asking how to secure your webserver? – Jared Farrish Jan 19 '13 at 09:39
  • Thanks for the info Jared. So are you saying if I login with PHP (using MySQLi) and I have my login information stored in that file, no one is going to be able to see it? If yes, then okay, my answer is solved. If no, then I wanted to know how to secure that info. "Who" am I hiding it from? People who are trying to take a look at it, because we don't want anyone to see all the valid serials, do we? – 00101010 10101010 Jan 19 '13 at 09:45
  • *If* it's parsed by PHP, PHP sends what's outputted to the buffer as the content for the request. The question is, *will* that ever fail? You're best off putting anything that should not be web-accessible directly by URI/URL *below* your web root directory, so someone can't just `http://www.yoursite.com/config.php` and by glitch or error receive the source PHP. But... That does not mean, just because they obtained your DB user/pass, that they can ad hoc query your DB. We're talking multiple steps, probably an intrusion and rogue code, not just hitting it with a URL in a browser. – Jared Farrish Jan 19 '13 at 09:49
  • Let me write up a short answer and hit a few points I think you need, seeing your use case (validating serials). Give me a minute. – Jared Farrish Jan 19 '13 at 09:51
  • Thanks, I'll be waiting for your answer. – 00101010 10101010 Jan 19 '13 at 10:54
  • @0010101010101010 - I haven't forgot you. Working on it, it's gotten a little long. How sophisticated is the client app itself? – Jared Farrish Jan 19 '13 at 11:12
  • Much appreciated (: What do you mean how sophisticated ? Like how does the validation check ? – 00101010 10101010 Jan 19 '13 at 11:41
  • You have an app of some kind which uses a serial number for some purpose, that needs to be checked. What kind of app (desktop?), what is the serial number meant to do, and what is the remote check meant to mean to the app? – Jared Farrish Jan 19 '13 at 11:47
  • Oh I see. Yes, it's a desktop app built in C#. It has a trial version but it will also have a full version which must be registered using the serial. Upon purchase of the full version, I will add the serial to the database. They will enter the serial on the trial version, and it will check with the database if the serial exists. If it does, then it will convert successfully to the full version. I'm not sure if this is the best way to handle this but I figured it's a start. – 00101010 10101010 Jan 19 '13 at 11:54
  • Ok, there's two downloads: HandyAppTrial, which has no serial subsystem, and HandyAppFull, which needs to be fed a serial number (from where?) and then registered to your server before it can be installed/run? (Note as well that *trial* denotes a period of use, whereas a demo might run indefinitely in its limited state.) – Jared Farrish Jan 19 '13 at 12:32
  • There is only one download, HandyAppFull, which will work fully for 30 days. Then it will need to be fed a serial (Help -> Registration), where a user will have the option to purchase a serial which will be e-mailed to them. They will enter that serial. If it is a valid serial, the program will continue to run as full. If it's invalid/the user did not purchase a serial, the program will not run until it's registered. – 00101010 10101010 Jan 19 '13 at 12:42
  • If you have the rep (I can't ever remember how much newish users need), let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/23014/discussion-between-jared-farrish-and-00101010-10101010) – Jared Farrish Jan 19 '13 at 12:42

2 Answers

mysql functions are no longer to be used. I'm going to give you a mysqli procedural approach to your solution. I'm also going to include a secure method of saving your password.

basic mysqli connection and querying:

```php
// Note the question marks: they are placeholders that are bound as data, so the
// values can never alter the query text itself (no SQL injection)
$queryString = "SELECT COUNT(*) FROM table WHERE userName = ? AND password = ?";
$DBH = mysqli_connect('localhost', 'user', 'pass');
mysqli_select_db($DBH, 'database');
$query = mysqli_prepare($DBH, $queryString);
// The type string 'ss' declares both bound values as strings
mysqli_stmt_bind_param($query, 'ss', $username, $passwordHASH);
mysqli_stmt_execute($query);
// Bind the single COUNT(*) column to $count and fetch the one result row
mysqli_stmt_bind_result($query, $count);
mysqli_stmt_fetch($query);
if ($count === 1) { // exactly one matching record
    //username and password match
}
else{
    //error builder etc
}
```

Now for your passwords I'd recommend using hash_hmac() to provide protection. When inserting your passwords into your database, ensure that they are hash_hmac()ed so that when you come to querying your database these are protected as such.

```php
$passwordHASH = hash_hmac('sha512', $hashThis, '&R4nD0m^');
```

So basically your query/fetch will return true if COUNT(*) returns 1, i.e. if username and password are equal to $username and $passwordHASH.

BUT having said all that, couldn't you use the mysql library (`#include <mysql.h>`) in C#?

bashleigh
  • I think you're confused by what the OP is asking. It's the relative *safety* of passwords in a source file. This is the MySQL user password, not an app password. – Jared Farrish Jan 19 '13 at 09:53
  • @JaredFarrish Right! I see what he's doing now. Wouldn't a C# API request to say a protected file on a server be a better idea? – bashleigh Jan 19 '13 at 09:56
  • what would that mean ? Connecting directly to my Database using my C# ? skipping the PHP file ? – 00101010 10101010 Jan 19 '13 at 10:00
  • @0010101010101010 - You could do that. I wouldn't recommend for a license validation doing that explicitly, but I know it's been done before. – Jared Farrish Jan 19 '13 at 10:03
  • Yea, I don't think I would want to do that either. – 00101010 10101010 Jan 19 '13 at 10:04
  • @0010101010101010 depends. I'm not brilliant at C# lol using the mysql library would mean that you could connect directly to a mysql server and database without using a php file. But an API connect might be a better solution. But I couldn't say how to build one in C or where to store the validation variables. – bashleigh Jan 19 '13 at 10:05
  • I mean I could encrypt the validation variables within the program but I think it'll be easier to crack it there lol – 00101010 10101010 Jan 19 '13 at 10:11
  • @0010101010101010 you could in fact build a php program that would return true if given the correct validators using cURL, which would grab a response from a file, but I wouldn't know how to request a response from C# – bashleigh Jan 19 '13 at 10:14

Take a look at the second bullet point of this answer. Essentially you will want to put your MySQL connection details in a config file that is outside of your document root (e.g. public_html/, etc.), and then require that file.

Will Sewell
  • (although this depends on your hosting arrangements) – Strawberry Jan 19 '13 at 09:39
  • Yes, I've looked at that before. I'm new to PHP/MySQL so would you be able to provide an example? If I define something like $Password in a file outside my document root, how will I read that info? – 00101010 10101010 Jan 19 '13 at 09:41
  • @0010101010101010 - Your server has a root "web" directory, oftentimes `htdocs` or `wwwroot`, which is (should be) within your site root. Put the `config.php` file in *site root*, and then use an absolute path to it, e.g., `/etc/yoursite.com/config.php` while `/etc/yoursite.com/wwwroot`. – Jared Farrish Jan 19 '13 at 09:46
  • Yes, put it into the directory above where you have your index.php file. – Will Sewell Jan 19 '13 at 09:57
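Putting the two answers together, here is what the serial check script itself could look like: the credentials are loaded from a config file outside the document root (the second answer), and the lookup is a prepared mysqli statement that returns nothing to the client except "valid" or "invalid" (the first answer, applied to a serial instead of a username/password). This is an added example, not code from the asker or either answerer. It assumes the directory layout from Jared Farrish's comment (`/etc/yoursite.com/wwwroot` as web root, `/etc/yoursite.com/config.php` one level above it), a table named `valid_serials` with a column `serial`, a MySQL user `license_ro` that has only SELECT on that table, and the NNNN-NNNN-NNNN serial format from the question; all of those names are assumptions.

```php
<?php
// Added example (not the original poster's or the answerers' code).
// Assumed layout: this file is /etc/yoursite.com/wwwroot/LicenseCheck.php and
// the credentials live in /etc/yoursite.com/config.php, which the web server
// never serves. That config file is assumed to contain only:
//
//   <?php
//   return ['host' => 'localhost', 'user' => 'license_ro',
//           'pass' => 'change-me', 'db'   => 'licenses'];
//
// The MySQL user license_ro is assumed to hold only SELECT on valid_serials,
// so even a leaked password cannot add or delete serials.

declare(strict_types=1);

// Resolve the config path relative to this script, not to anything in the
// request, and refuse to run if it is missing rather than fall back to
// credentials written into this web-accessible file.
$configPath = dirname(__DIR__) . '/config.php';
if (!is_readable($configPath)) {
    http_response_code(500);
    exit('configuration error');
}
$cfg = require $configPath;

// Accept the serial only via POST and only in the expected shape
// (NNNN-NNNN-NNNN); anything else is rejected before it touches the database.
$serial = $_POST['serial'] ?? '';
if (!preg_match('/^\d{4}-\d{4}-\d{4}$/', $serial)) {
    http_response_code(400);
    exit('invalid');
}

// Make mysqli throw exceptions so a failure cannot silently fall through
// to "valid", and so no MySQL error text is ever echoed to the client.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
try {
    $db = new mysqli($cfg['host'], $cfg['user'], $cfg['pass'], $cfg['db']);
    // A prepared statement binds the serial as data: it can never change the
    // query text, so the lookup is not injectable.
    $stmt = $db->prepare('SELECT 1 FROM valid_serials WHERE serial = ? LIMIT 1');
    $stmt->bind_param('s', $serial);
    $stmt->execute();
    $stmt->store_result();
    $valid = ($stmt->num_rows === 1);
    $stmt->close();
    $db->close();
} catch (mysqli_sql_exception $e) {
    // Log the real error server-side only; a stack trace in the response
    // would hand the client the host, user and schema names.
    error_log('LicenseCheck: ' . $e->getMessage());
    http_response_code(500);
    exit('error');
}

header('Content-Type: text/plain');
echo $valid ? 'valid' : 'invalid';
```

The C# client posts `serial=1234-1234-1234` to this URL (over HTTPS, so the serial and the answer cannot be altered in transit) and gets back a single word. Nothing about the database reaches the client, the script never prints the connection status the way the question's snippet does, and if the web server ever mis-serves `LicenseCheck.php` as plain text the attacker still only sees the path of the config file, not its contents.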