Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Obfuscating database name at login
08-03-2013, 01:22 AM, (This post was last modified: 08-03-2013, 01:23 AM by icedlava.)
#1
Obfuscating database name at login
Hello everyone,

I have not committed this code yet as I need feedback on 3 questions below. First some background:

I have completed some first draft of this code which prevents the database name being displayed at login and instead displays the chosen company name to select at the login box (if this selection option is chosen).

There were a few ways to implement this and I chose to try and minimize page load time, and integrate any necessary variables in the existing config.php which is in any case included.

An alternative path would be to use a small include file in each directory of the company to hold the required variable however this requires more loading time at each page load.

Some benefits of the method chosen:
1. Database is totally obfuscated for security and not able to be seen from the login
2. Only configured databases will display in the Login, so for example if the weberpdemo, which has a companies directory, was not installed it will not display in the login box selector (which could lead to error).
3. A little more user friendly to see the Company name rather than database name.

Files touched in this work include:
* ConnectDB.inc
* Login.php
* install/index.php
* config.php

Other related files updated/affected:
* Z_MakeNewCompany.php

Questions:
1. Are there any other files that may be affected as the $_POST var captured in the login form now is an integer, not a database name. Also, CompanyName is really company name not a database name.

2. How best to do the upgrade? I have at the moment made some provision for the files to consider old installations without the new variables in config.php however this basically adds the old code in the files mentioned as well as the new. This needs to be done unless the existing installs are either updated manually or through some script to run to add the simple array lines holding database name and company name at the end of the config.php file.

3. Do we want this as it is now - or can someone suggest improvement or another method?

Thanks in advance for your attention and feedback on this!

Cheers,


Reply
08-03-2013, 07:13 PM,
#2
RE: Obfuscating database name at login
I have committed the code now for review.

1. I used the method which appends info to the config.php file, rather than my original that used a small file in each company directory. The former method that I settled on reduces code and page load given ConnectDB etc are used frequently on every page. There are also some other small benefits.

2. I have, for now, included code to ensure some backward compatibility for those without updated config.php files. If this code is kept as is, I will also do an upgrade script to update the config.php file once the final code is agreed.

Any comments appreciated, thanks to those received via email.

Best regards!
Reply
08-06-2013, 08:59 AM,
#3
RE: Obfuscating database name at login
Looks good... how to handle the upgrade is interesting though as we don't have the company names in the install already. Perhaps we have to list the company directories and just call the company name the database name for upgrades. Can't see how to do this?
Phil Daintree
webERP Admin
Logic Works Ltd
http://www.logicworks.co.nz
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)