Hi All!

So, I have a shared windows host with IIS 7 with godaddy, so that I can use MSSQL/TSQL (which, as I understand it, is not available with Linux).

However, my server configuration education was with Linux, and focused on the wonderful all encompassing .htaccess file to configure environment variables, webroot, includes default folder, etc...

Is there is a simple way to do this with godaddy's set up? If not, what are my alternatives to protect passwords from web access, and preventing other very simple security vulnerabilities with IIS? How can I set environment variables that are free from prying eyes that I Can store password salt and other sensitive info that is meant to be private?

Am I just using IIS incorrectly in how I set this up? Or is the beliefe that php is secure enough that it doesn't need a webroot that is held in another file?

Any suggestions?

Thanks,

Ryan

Recommended Answers

All 7 Replies

You really should direct your query to GoDaddy support staff as you are not configuring a local IIS server and must utilize their own online configuration tools. Server Side code via PHP, ASP.net or similar can be used for secure access however secure .hta access is not possible on IIS. Both PHP and ASP can be securely utilized with MSSQL.

I did call them, and they weren't terribly helpful.

I was hoping for a more clear answer than the "help" they gave which was a link to domain forwarding, which didn't help with environ globals.

Am I being paranoid in that I want my db password/etc.. stored separately from the web root?

MSSQL db passwords are not stored in the webroot. They are stored in the SQL server itself. If your code has been implemented properly no one can access your stored db connection credentials.
You can also create a secured local ODBC connection to a remote server and utilize Microsoft's MSSQL remote administration/management console if you so desire.

so a connection to the DB with PHP on a windows server is integrated? So I Can just access the db/table without any user/pass being passed through the mysqli api?

The credentials are transmitted from IIS/PHP to MSSQL via TCP.

My own website is one such example -http://www.site-smith.com/

Ahh.. so it was a fundamental misunderstanding of how the connection process works.

Thanks for clearing that up.. That makes things easy.

Now for figuring out how to salt passwords with a hidden variable.. or just time to learn a new method for password hashing... have any advice on that?

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.