[nycphp-talk] MSSql , IIS Encrypted Connection String
Gary Mort
bz-gmort at beezifies.com
Wed Sep 5 11:31:57 EDT 2007
Bill P. wrote:
> Hi Gary,
>
> I have been reading through these articles and it really does make it
> seem very secure, but the plaintext connection is still being sent
> over to the sql machine, as you stated, right?
> I cannot seem to find any info on how to send an encrypted string to
> the db and have the db machine decrypt it properly before making the
> connection.

Erm, no, what I was saying is that, according to the doc, the
encrypted connection string was being decrypted by the client before
being used to connect. Basically, whether or not the connection string
is encrypted in the file is irrelevant to how it is used between
systems. As for the connection itself, that occurs in whatever manner
you connect. I am not familiar enough with MSSQL to say how that is
done.

I will note that the documentation included at least one "secure"
mechanism. Between Windows machines, you can use NTLM security - which
is Microsoft's preferred method of doing connections and encrypts the
password before sending it (all Microsoft servers and clients seem to
support NTLM. I know that Internet Explorer connecting to an IIS server
will default to trying an NTLM logon first).

If you want to encrypt the connection string, the simplest answer is to
encrypt the whole session, i.e. set up a VPN between the web server and
the database server and send all connections through the VPN. Outside
of that, you need to do some work learning how the connection is
actually done and what is involved. For example, when making a DB2
connection from a client to a server, you use a DB2 client installed on
the client itself. So PHP merely connects to the local DB2 client,
passes it the connection info, and the client will connect to the server
- and thus you can configure the DB2 client to use encrypted
connections, or encrypt the password.

Does MSSQL follow the same pattern? Do you have MSSQL-specific client
code installed on the web server?
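
The two layers discussed in this message, as an added example that is not part of the original post: a connection string encrypted at rest is decrypted on the web server before use, while encryption in transit is a separate driver setting. It assumes PHP 7.1+ with the openssl extension and Microsoft's sqlsrv driver; AES-256-GCM stands in for whatever scheme the referenced documentation uses, and the host name, credentials and key are constructed.

```php
<?php
// Added example. All hosts, credentials and keys below are constructed.

// At rest: the config file holds only this AES-256-GCM blob (iv | tag | ciphertext).
function seal_conn_string(string $plain, string $key): string {
    $iv = random_bytes(12);
    $ct = openssl_encrypt($plain, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    return base64_encode($iv . $tag . $ct);
}

// The web server (the database client) decrypts the blob before connecting.
function open_conn_string(string $blob, string $key): string {
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) < 28) {
        throw new RuntimeException('malformed connection-string blob');
    }
    $plain = openssl_decrypt(substr($raw, 28), 'aes-256-gcm', $key,
        OPENSSL_RAW_DATA, substr($raw, 0, 12), substr($raw, 12, 16));
    if ($plain === false) {
        throw new RuntimeException('blob failed authentication (wrong key or tampered)');
    }
    return $plain;
}

// Split "Key=Value;Key=Value" into an associative array.
function parse_conn_string(string $s): array {
    $out = [];
    foreach (array_filter(explode(';', $s)) as $pair) {
        [$k, $v] = array_map('trim', explode('=', $pair, 2) + [1 => '']);
        $out[$k] = $v;
    }
    return $out;
}

// In transit: a separate setting on the driver. "Encrypt" and
// "TrustServerCertificate" are sqlsrv connection options.
function sqlsrv_options(array $kv): array {
    return ['Database' => $kv['Database'], 'UID' => $kv['UID'], 'PWD' => $kv['PWD'],
            'Encrypt' => true, 'TrustServerCertificate' => false];
}

$key    = random_bytes(32); // assumption: really loaded from an OS-protected key store
$stored = seal_conn_string('Server=db.example.internal;Database=app;UID=webapp;PWD=constructed-pw', $key);
$kv     = parse_conn_string(open_conn_string($stored, $key));

echo "on disk:          $stored\n";
echo "handed to driver: Server={$kv['Server']};UID={$kv['UID']};PWD={$kv['PWD']}\n";
// Whether the session is TLS-protected is decided by the options below (and the
// server's own settings), not by how the string was stored:
// $conn = sqlsrv_connect($kv['Server'], sqlsrv_options($kv));
```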