
Secure way to connect to MySQL database



KeineAhnung
29th March 2015, 09:46
Hi there,

In the next release of my app I would like to use an existing MySQL DB to get and modify data. What is the right way to do that so that the DB username and password, as well as the username and password of the user using the app, are not exposed?
I've been reading a bit about connecting to a MySQL DB, but most posts were quite old and stated that it is a bit bumpy to connect with SSL. Is there an up-to-date example on how to do this?
Is it a security risk to hard code the DB username and password into the code?

Thanks!

ChrisW67
29th March 2015, 22:37
You should be able to configure an SSL connection to MySQL with
QSqlDatabase::setConnectOptions("CLIENT_SSL=1");
Your MySQL client must have been built for SSL and your server must be configured to accept or require SSL. This will protect the user name and password in transit over the network.

Yes it is a risk to embed a database user name and password in your executable. You can obscure it but you must assume it is available to a determined attacker.

KeineAhnung
29th March 2015, 22:55
Hi Chris,

here (https://forum.qt.io/topic/46689/how-to-connect-to-a-mysql-database-using-ssl) it says that QSqlDatabase::setConnectOptions("CLIENT_SSL=1"); is not doing the trick. Was this hack included?

If hardcoding the login information for the DB is a possible vulnerability, what would be a secure way to communicate with the DB? Would it be better to talk to a PHP script via a URL with the user's username, password (for login) and the request, to get an XML file back?

Best

Lesiok
30th March 2015, 08:38
Hardcoding connection parameters in code is not good. You can't easily change these parameters.
Save the connection parameters (address, login, password) in an encrypted ini file.

ChrisW67
30th March 2015, 13:49
No "hack" should be required to get SSL to work if the server is issuing a valid certificate signed by a CA the client-side OpenSSL library is aware of. If the server is using a self-signed certificate then that certificate must be manually installed where the SSL library will find it (or try QSslConfiguration; I am not sure if this has global effects).

Sending a client certificate is a whole different problem. It is not worth the effort... It does not make the connection more secure.
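The two points ChrisW67 makes in this thread (the server, not just the client, must be configured to require SSL, and an embedded database password must be assumed recoverable) are both enforced on the MySQL server side. The following is an added example, not code from any poster: it creates a dedicated account for the app that is refused unless the connection is encrypted, limits that account to the tables the app actually touches so a leaked password does less damage, and shows the status query a client can run to confirm that its session really is encrypted (which is the check to run when CLIENT_SSL=1 appears not to work). The database name, table names and password are placeholders I made up.

```sql
-- Assumed names: database appdb, tables items and audit_log (placeholders).
-- MySQL 5.7+ syntax; on 5.6 put REQUIRE SSL on the GRANT statement instead.

-- A dedicated, low-privilege account for the application. REQUIRE SSL makes
-- the server reject any login from this account over a plaintext connection,
-- so a client that silently falls back to no TLS cannot send the password
-- in the clear.
CREATE USER 'app_client'@'%'
  IDENTIFIED BY 'CHANGE-ME-placeholder-password'
  REQUIRE SSL;

-- Least privilege: only the operations the app needs, only on the tables it
-- needs. No GRANT OPTION, no access to other schemas, no DDL. If the password
-- is ever extracted from the executable, this is all it can do.
GRANT SELECT, UPDATE ON appdb.items     TO 'app_client'@'%';
GRANT INSERT         ON appdb.audit_log TO 'app_client'@'%';

-- Confirm the account's privileges and that the SSL requirement is recorded
-- (ssl_type shows 'ANY' for REQUIRE SSL).
SHOW GRANTS FOR 'app_client'@'%';
SELECT user, host, ssl_type FROM mysql.user WHERE user = 'app_client';

-- Server-side prerequisite: the server must have been started with a
-- certificate and key (ssl-cert / ssl-key in my.cnf). 'YES' means it can
-- accept encrypted connections.
SHOW VARIABLES LIKE 'have_ssl';

-- Client-side check, run from the application's own session after
-- connecting: a non-empty cipher name means this session is encrypted; an
-- empty value means the CLIENT_SSL option did not take effect.
SHOW SESSION STATUS LIKE 'Ssl_cipher';
```

Running the last statement from the app's session (for example through a QSqlQuery right after QSqlDatabase::open() succeeds) gives a direct answer to the question raised above about whether CLIENT_SSL=1 actually does anything. Combined with REQUIRE SSL on the account, it also turns a silent fallback to plaintext into a visible login failure rather than a quiet credential leak.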