-1

I need to put a batch file I've designed on a number of clients' computers which automatically connects to my web server, activates a PHP file, and downloads a CSV of their newly joined members for import.

The problem is, this batch must contain the username and password to my server, which is obviously a terrible security risk, especially with personal details contained within the same MySQL database.

Is it possible to completely secure batch files so that they cannot be edited/read (or enough to stand up legally), or can anyone suggest a more secure way for me to implement this?

Many thanks in advance, Ian

notidaho
  • I would put the CSV file in a public dir of your web server, so no credentials are needed and no private information is compromised. And you may protect the CSV from a casual download by securing it in a zip file with a password. – PA. May 25 '11 at 09:54
  • PA - I mean the CSV will contain personal details of new members who have joined my clients' gyms/leisure centres - it's an online signup I'm trying to create. I'm not sure how to password protect a zip file to restrict download? – notidaho May 25 '11 at 23:15

2 Answers

1

If you have to do this via FTP and a batch file, then create another account for your downloads. Look up chroot as a method to restrict what can be downloaded.

You should not be using the same password for FTP and MySQL.

The best way of doing this would be to use something other than a batch file to download the CSV; a simple application in another language would allow the user to enter individual account details, which would allow you to control access properly.


EDIT:

Create a CSV File for a user in PHP

What’s the simplest way to call Http POST url using Delphi?

Downloading a file with HTTP in Delphi

Colin Pickard
  • Colin - I don't know if I have to do this via FTP and a batch file, it's just the only way I can think of :P I suppose I could try to build a simple Delphi app where they can't see the server password, but my Delphi skills are limited. I have a basic 1&1 package and I don't think I can create multiple login accounts, so my clients will be using the same password. I presume this nullifies the chroot option? My clients do have logins for an area of my site though... could the batch use these to access a PHP file, which contains the hidden database connection details and generates the CSV? Thanks – notidaho May 25 '11 at 23:25
  • Apologies Colin, I just realised you mean multiple FTP accounts for my clients... I believe this is possible with 1&1 hosting. In this case I can look into this chroot option to limit them only to the directory containing their CSV files. I still need to secure the CSVs or generate them only momentarily though, so my question still applies there. Cheers – notidaho May 25 '11 at 23:33
  • "My clients do have logins for an area of the site": that's the correct way to protect access to some of the public files. Just create a new set of credentials for every user granted access to the file. – PA. May 26 '11 at 05:28
  • The login grants them access to a clients_area to manage the membership types they offer to new members. Sort of like a store, except the people buying the memberships have their details saved in the database/CSV. I don't know how I'd use that login to allow them restricted-access download of only one file. Can you elaborate? I think creating an FTP account for each client should work just fine, as I can make the root directory for a given client /client_store so they can't access other clients' files. This is providing I can figure out how to secure that CSV from casual download... – notidaho May 26 '11 at 09:01
  • In your clients' area, just have a PHP script that returns your CSV, then make your simple Delphi app with a login screen, have the customers enter their login and use that login to download the CSV via HTTP. No need for FTP, no need for you to manage an extra set of accounts, and secure - even more so if you set up HTTPS. – Colin Pickard May 26 '11 at 10:26
  • Hey, thanks for the help. The 'client area' of my site is just a few PHP pages which require that the session is set after checking the posted user/password in the database. I need the download process to be automatic (maybe daily), so any login info must be stored on the client's PC. How can you 'post' the username & password to a PHP file via an app using HTTP? Also, what do you mean by "return the CSV"? You mean produce it from the database so that the app can download it? Or you mean it could actually download it to the client? Sorry, I know I'm being slow :) – notidaho May 26 '11 at 21:47
  • @user765659 yeah, you can create a CSV file in PHP, just select your values from the database and set the correct headers. Then in your Delphi app, prompt the user for username and password when they first run it, save that locally, then at intervals use those to log in with HTTP POST and download. I've added links to my answer explaining how to do those things. – Colin Pickard May 27 '11 at 08:57
  • I'm steering away from the Delphi option as my programming skills aren't there yet. I've created a PHP file which, when opened, emails the relevant client with a list of their new members. Is it possible to open/activate this PHP through my batch file when it downloads the members CSV? I've tried just opening the file but it doesn't seem to work. Many thanks – notidaho Jun 07 '11 at 15:33
  • @user765659 I'm not sure exactly what you mean there, probably best to start a new question and describe exactly what you're trying to do. – Colin Pickard Jun 08 '11 at 08:35
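The server side of the design discussed in this answer and its comments, as an added example that is not code from the question, the answer or the linked posts: a client-area PHP script that accepts one client's own credentials by HTTP POST over HTTPS, verifies them against a stored password hash, and streams only that client's new-member rows as CSV, so the database password never leaves the server and a leaked batch file exposes only one client's login. The table names (`clients`, `members`), column names, DSN and `DB_PASSWORD_PLACEHOLDER` are assumptions.

```php
<?php
// Added example, not code from the question or answers: a client-area endpoint that
// authenticates one client with its own credentials (HTTP POST) and streams only that
// client's new-member rows as CSV. Table and column names are assumptions.
declare(strict_types=1);

// The CSV carries personal data and the request carries a password: refuse plain HTTP.
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    http_response_code(403);
    exit('HTTPS required');
}
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('POST only');
}
$username = (string) ($_POST['username'] ?? '');
$password = (string) ($_POST['password'] ?? '');
// The database password lives only here on the server, never in the batch file.
$pdo = new PDO('mysql:host=localhost;dbname=members;charset=utf8mb4',
    'app_user', 'DB_PASSWORD_PLACEHOLDER', [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

// One credential per client; the password_hash column holds password_hash() output.
$stmt = $pdo->prepare('SELECT id, password_hash FROM clients WHERE username = ?');
$stmt->execute([$username]);
$client = $stmt->fetch(PDO::FETCH_ASSOC);
// Verify against a freshly computed hash when the user is unknown so that the
// response time does not reveal which usernames exist.
$hash = $client ? $client['password_hash'] : password_hash('unknown-user', PASSWORD_DEFAULT);
if (!password_verify($password, $hash) || $client === false) {
    http_response_code(401);
    exit('Invalid credentials');
}

// Scope the export by the id from the verified row, never by a value the client sends.
$rows = $pdo->prepare('SELECT joined_at, first_name, last_name, email
                       FROM members WHERE client_id = ? AND joined_at >= CURDATE() - INTERVAL 1 DAY');
$rows->execute([$client['id']]);

header('Content-Type: text/csv; charset=utf-8');
header('Content-Disposition: attachment; filename="new_members.csv"');
header('Cache-Control: no-store'); // keep personal data out of proxy and browser caches
$out = fopen('php://output', 'w');
fputcsv($out, ['joined_at', 'first_name', 'last_name', 'email']);
while ($row = $rows->fetch(PDO::FETCH_NUM)) {
    // Neutralise spreadsheet formula injection: a cell starting with = + - @ would
    // otherwise be evaluated when the client opens the file in Excel.
    $safe = array_map(fn($v) => preg_match('/^[=+\-@]/', (string) $v) ? "'" . $v : $v, $row);
    fputcsv($out, $safe);
}
fclose($out);
```

The client side then only needs to POST its own username and password to this script (for example with a command-line HTTP client scheduled daily), and revoking one client's access is a single row change rather than a password rotation for everyone.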
0

Switch to SFTP if you can and use a client certificate. That's pretty much how Unix folks in an SSH world would do it.

Alternative two would be to invest in a custom app or pay for a commercial app that would hide the credentials for you.

ftexperts