Help with databases?

If someone has access to the php code the only thing you can really do is encrypt or obfusicate the code.

Thank you kdavies!

Thank you for responding. I was pretty sure there is a way to do this.

OK, so now my question is, how do I encrypt or obfusicate the code?

Greg

Has anyone heard of or used a software program called "sourcecop".
No I am anot the owner or an affiliate btw.
Greg

Hello,

In terms of front-end display, you can use cURL in PHP to grab data from remote servers and process that data on your local server. The user would not know as it happens behind the PHP code, on another sever (if you decide to grab from remote servers).

In terms of back-end processing, if someone has access to your PHP code then they will see an address you're calling from cURL, but will not have access to said remote data as they would the PHP file they've accessed to read said local PHP code.

I hope this makes sense, I'm sure it is hazy because we don't have all the details of what you're trying to do. I hope this helps get you started.

I use cURL to grab "file.php?variable=1234543121" files which are dynamic and create directories based on their titles "/title_of_directory_is_dynamic_variable".

cURL is your friend.

quicklynx,

Thank you for your input.

Can you also recommend a resource for me to learn more about cURL?

I am assuming it is a programming language of some sort, like php?

If it helps, here is what I am attempting:

1. wp plugin is installed.
2. user enters data into different fields.
3. plugin deposits into DataBase on another server
4. widget is installed
5. plugin goes to server (DB) and fetches user information AND other users information to display in the widget dynamically

Does that help?

I would like to encrypt, hide, the php script for the plugin so people cannot see direct access to the server when I use the mysql_connect (un/pw) function.

Would the whole plug-in have to be written in cURL?

Thank you for helping a (plugin writing newb)!

I look forward to any advice or direction you can point me.

Greg

cURL is not a programming language, but a way of accessing web resources.
More info: PHP: cURL - Manual
but even using curl, it's not going to help. You will still need to put the url somewhere.

The best way to get round this is to use some sort of xml-rpc call. I'm not 100% sure what you are aiming to achieve, but you should be able to use an xml call to get the data ok. There are standard ways to make sure that someone won't have access to your actual server, just the info on it.

If you're exchanging data with an external server then somewhere in your code you'll need to have the servers address and some login credentials, either in clear text or encrypted.

I would do this as an API type of design, it's how I look at most stuff anyways these days. Essentially you build an API around your database and only expose the functions necessary for your application. Even though the user has all the API login credentials he/she is limited to the functions exposed by the API. The database itself remains isolated and protected.

Just my take on it!

Bill

Thank you all for the input!
I really have alot to look into, but this is huge for me to go right into the correct direction.
If anyone has any other advice, I am all ears!

Thank You All Again!

Is there a simple way for me to implement this? a program perhaps? a service?

Any input is helpful and appreciated.

Greg

Bill, James, and anyone else recommending an API or XML-RPC type system are 100% correct. Do not ever embed your actual database account information into a script that you plan to distribute... that is a recipe for disaster.

Here's something you can do:

1. Create a PHP script on your server that accepts requests from your distributed script, accesses the database, gets the information, and returns it. It will also check to make sure your user's "API key" or account is valid.

2. Give users of your plugin some sort of account or "API Key" that is unique to them. They will enter this in the options for your plug-in.

3. Write the plugin to access the PHP script on your server, receive the information it returns, and parse it in whatever way is necessary for your plugin to use it.

This sort of setup allows you to control access - even if you're planning on making this plugin free, you'll be able to monitor individual's usage of the plugin, request or demand payment for upgrade, shut off abusers of your service, and more.

Any intermediate PHP programmer (or ASP programmer if you're on a windows server) can set something like this up pretty quickly... it's not too in-depth.

This is pretty much what quicklynx said, but breaking it out into steps may make what you're looking for a bit more clear.

Respectfully,
Marc

awesome, ok, the light is getting a little brighter and coming a little more into focus.

thank you!

I am starting to feel better.

I was going to start asking later about a "key" to authenticate users. Is there a resource I can go to to learn more about setting up an API key?

What about it being randomly generated when installed?

Is there a way to automate that process, as I would not realistically be able to manually generate and maintain that many keys.

thanks for the input.

Greg

yes. that makes sense. I have purchased and use products that do that. That does seem safe and makes more sense.

thank you for the comment.

ok. this is making more and more sense. thank you for the direction pointer.
I am going to delve more into this.
You really saved me hours of wasted time.
Thanks Marc...thanks Everyone for all your input.

I hope this thread helps others as well.

Greg

Hi,

There is one other way though
You could actually create very generic PHP code that has an API key (some sort of a programming password (which is called a hash) of 32 random letters and numbers)

and then make sure your plugin simply needs to POST with cURL to your main server
where you have the database. and only allowed people (who talked to you to get a working key) can actually access the data. but the data will be masked that way
since you will build the file that receives the POST or GET requests and that file will reply back with the data needed in either JSON or XML back.

that way , you only show people the end data and what they really just need , is to get an API key for this service of yours.
which you can also make a page for to generate an API key for.

or you could simply do all that without needing an API key and then your database details will still be protected :-)

Anyway I unfolded all the ways I know to mask this

Thanks to ALL!

This has been very helpful for me.

Worth the war room membership here alone.

Thank you.

Greg