
Thread: PHP SQL Tunnel?

  1. #1
    Banned.


    PHP SQL Tunnel?

    So I got a recent job where I need to connect a program to a SQL server, and I was looking to do it via a PHP tunnel to avoid people sniffing the SQL password and whatnot. The problem is that they can sniff the tunnel and still fuck up my shit pretty bad. I'm currently using just a simple PHP page with a get function to query the server, although, obviously, that's horribly insecure. I also wrote a simple encryption algorithm which obscures what the program is doing, but still, simple enough to sniff out and just shoot the command back at the server, and considering the encryption is mostly server sided as I don't have a VB6 equivalent, it makes things rather hard. This is the code I'm using.

    Just a simple test to see if this works:
    PHP Code:
    <?php
        include("encrypt.php");
        
        $text = "SHOW TABLES";
        $ck = "thisshitis4realnukka";
        
        // Round-trip self-test of the encrypt()/decrypt() helpers from encrypt.php.
        $encrypted_string = encrypt($text,$ck);
        
        $decrypted_string = decrypt($encrypted_string,$ck);
        
        echo "<b>Encryption Results:</b><br>Encrypted the following string: $text<br>Encrypted Value: $encrypted_string<br>Decrypted Value: $decrypted_string";
        

            // Keep the connection handle so it can be closed at the end.
            $link = mysql_connect("localhost", "username", "password") or die(mysql_error());
            mysql_select_db("Databasename") or die(mysql_error());
            echo '<br>Connected!';
            

    // The GET parameter is decrypted and run as SQL exactly as received.
    $strGet = str_replace("キ", "'", $_GET['idk']);
    $query = decrypt($strGet,$ck);
    $result = mysql_query($query) or die('[ Error: ' .mysql_error() .' ]');

    // Dump every row of the result as an HTML table.
    echo "<table>\n";
    while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) {
        echo "\t<tr>\n";
        foreach ($row as $value) {
            echo "\t\t<td>$value</td>\n";
        }
        echo "\t</tr>\n";
    }
    echo "</table>\n";


    mysql_free_result($result);
    mysql_close($link);
    ?>
    While it does work, if they just take my encrypted string and send it back it would still execute the command.

    I use winsock on the VB6 end and just parse the data that is gotten.

    Any ideas? I was thinking of editing the request packet so that it had an encrypted string in it, but even then, a simple sniffer would get that.

    Sorry, not so good with problems like this. Hope you understood my problem. Been up for a long time trying to get this working. 6 Red Bulls and 3 Starbucks espressos later, still stuck on the same problem.

    Thanks!
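
The replay problem described in the post above, shown as an added example that is not part of the original thread or the poster's code: each request carries a timestamp and a one-time nonce under an HMAC, and the client sends an operation name that the server maps to fixed SQL instead of sending SQL text. The names `SHARED_KEY`, `ALLOWED_OPS`, `sign_request()` and `verify_request()` are hypothetical, and the in-memory `$seen` array stands in for a persistent nonce store. This covers replay and tampering only; keeping the traffic unreadable on the wire is the job of TLS.

```php
<?php
// Added example, not the poster's code. SHARED_KEY, ALLOWED_OPS, sign_request()
// and verify_request() are hypothetical names; the requests are constructed.
const SHARED_KEY = 'constructed-demo-key';
const MAX_SKEW   = 30; // seconds a signed request stays valid
// The client names an operation; the SQL text itself never leaves the server.
const ALLOWED_OPS = ['list_tables' => 'SHOW TABLES'];

// Client side: bind operation, timestamp and random nonce under one MAC.
function sign_request(string $op, int $ts, string $nonce): array
{
    $mac = hash_hmac('sha256', "$op|$ts|$nonce", SHARED_KEY);
    return ['op' => $op, 'ts' => $ts, 'nonce' => $nonce, 'mac' => $mac];
}

// Server side: returns the SQL to run, or null when the request is rejected.
// $seen stands in for a persistent nonce store (assumption for this demo).
function verify_request(array $req, array &$seen, int $now): ?string
{
    foreach (['op', 'ts', 'nonce', 'mac'] as $k) {
        if (!isset($req[$k]) || !is_scalar($req[$k])) {
            return null;                         // malformed request
        }
    }
    [$op, $ts, $nonce] = [(string) $req['op'], (string) $req['ts'], (string) $req['nonce']];
    $expected = hash_hmac('sha256', "$op|$ts|$nonce", SHARED_KEY);
    if (!hash_equals($expected, (string) $req['mac'])) {
        return null;                             // forged or altered in transit
    }
    if (abs($now - (int) $ts) > MAX_SKEW) {
        return null;                             // captured request sent too late
    }
    if (isset($seen[$nonce])) {
        return null;                             // same request sent twice
    }
    $seen[$nonce] = $now;
    return ALLOWED_OPS[$op] ?? null;             // unknown operations are refused
}

$seen = [];
$now  = time();
$req  = sign_request('list_tables', $now, bin2hex(random_bytes(16)));
var_dump(verify_request($req, $seen, $now));        // first delivery
var_dump(verify_request($req, $seen, $now + 1));    // identical bytes replayed
var_dump(verify_request($req, $seen, $now + 60));   // replayed after the window
$forged = ['op' => 'drop_all'] + $req;              // operation swapped, MAC kept
var_dump(verify_request($forged, $seen, $now));
```

Nonces only need to be remembered for `MAX_SKEW` seconds, since anything older is already refused by the timestamp check.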

  2. #2
    Banned.


    Solved the problem by biting the bullet and rewriting the VB app to do encryption on its end with a random key that it passes to the server. What a pain in the arse that was, Jesus Christ.

  3. #3
    The Wang

    Someone get this man a beer.
