I have an application which exports an entire database in .sql format using PHP code, but that .sql file is easily accessible to others. I don't want others to access that file. So how can I prevent that? I mean, how do I password protect this exported file? And I don't want to use any third-party software like WinZip, etc. I want to do this through coding. I want the security to be of a high level. Here is the code that exports the .sql file using PHP:

<?php 
    //ENTER THE RELEVANT INFO BELOW
    $mysqlUserName      = "root";
    $mysqlPassword      = "";
    $mysqlHostName      = "localhost";
    $DbName             = "";
    $backup_name        = "mybackup.sql";
    $tables             = array("table1","table2");

   //or add 5th parameter(array) of specific tables:    array("mytable1","mytable2","mytable3") for multiple tables

    Export_Database($mysqlHostName,$mysqlUserName,$mysqlPassword,$DbName,  $tables, $backup_name );

    function Export_Database($mysqlHostName,$mysqlUserName,$mysqlPassword,$DbName,  $tables, $backup_name )
    {
        $mysqli = new mysqli($mysqlHostName,$mysqlUserName,$mysqlPassword,$DbName); 
        $mysqli->select_db($DbName); 
        $mysqli->query("SET NAMES 'utf8'");

        $queryTables    = $mysqli->query('SHOW TABLES'); 
        while($row = $queryTables->fetch_row()) 
        { 
            $target_tables[] = $row[0]; 

        } 


        if($tables !== false) 
        { 
            $target_tables = array_intersect( $target_tables, $tables); 

        }
        foreach($target_tables as $table)
        {
            $result         =   $mysqli->query('SELECT * FROM '.$table);  
            $fields_amount  =   $result->field_count;  
            $rows_num       =   $mysqli->affected_rows;     
            $res            =   $mysqli->query('SHOW CREATE TABLE '.$table); 
            $TableMLine     =   $res->fetch_row();
            $content        = (!isset($content) ?  '' : $content) . "\n\n".$TableMLine[1].";\n\n";

            for ($i = 0, $st_counter = 0; $i < $fields_amount;   $i++, $st_counter=0) 
            {
                while($row = $result->fetch_row())  
                { // at the start (and after every 100 rows):
                    if ($st_counter%100 == 0 || $st_counter == 0 )  
                    {
                            $content .= "\nINSERT INTO ".$table." VALUES";
                    }
                    $content .= "\n(";
                    for($j=0; $j<$fields_amount; $j++)  
                    { 
                        if (isset($row[$j]))
                        {
                            // escape only non-NULL values; addslashes(null) is deprecated since PHP 8.1
                            $row[$j] = str_replace("\n","\\n", addslashes($row[$j]) );
                            $content .= '"'.$row[$j].'"' ;
                        }
                        else
                        {
                            $content .= '""';
                        }
                        if ($j<($fields_amount-1))
                        {
                                $content.= ',';
                        }      
                    }
                    $content .=")";
                    // after every 100 rows [or at the last row] ... p.s. but should be inserted 1 cycle earlier
                    if ( (($st_counter+1)%100==0 && $st_counter!=0) || $st_counter+1==$rows_num) 
                    {   
                        $content .= ";";
                    } 
                    else 
                    {
                        $content .= ",";
                    } 
                    $st_counter=$st_counter+1;
                }
            } $content .="\n\n\n";
        }
        //$backup_name = $backup_name ? $backup_name : $name."___(".date('H-i-s')."_".date('d-m-Y').")__rand".rand(1,11111111).".sql";
        // fall back to the database name; $name was never defined in this function
        $backup_name = $backup_name ? $backup_name : $DbName.".sql";
        header('Content-Type: application/octet-stream');   
        header("Content-Transfer-Encoding: Binary"); 
        header("Content-disposition: attachment; filename=\"".$backup_name."\"");  
        echo $content; 
    }
?>

Thanks in advance.

payal_suthar
  • It is not possible to password protect an .sql file without some kind of third-party tool like WinZip, or saving it to an encrypted folder. – mister martin Jul 01 '16 at 14:18
  • My main issue is that I don't want others to have access to that file; only I should be able to access that file. Then, if it is possible to do this by saving it inside an encrypted folder, please guide me on how do I do that through coding in PHP or by making changes in the above code. @mistermartin – payal_suthar Jul 01 '16 at 14:24
  • Then place that file outside the public area. If you password protect this file, then it will be asking for a username and password each time it loads. – Funk Forty Niner Jul 01 '16 at 14:25
  • Sidenote: make sure to add a space before your `@` when pinging someone. Otherwise, they won't get the notification. – Funk Forty Niner Jul 01 '16 at 14:27
  • That is fine with me if it asks for username and password every time. Please guide me on how do I do this or how do I implement this in my above code. But I don't want to take any risk with this because it is a matter of high security, and placing that file outside the public area does not reduce the risk to a great extent. @Fred-ii- – payal_suthar Jul 01 '16 at 14:30
  • I have checked the .htaccess solutions; I don't have any idea how I would implement that in my code. @Fred-ii- – payal_suthar Jul 01 '16 at 14:32

1 Answer

Don't store private data in a publicly accessible folder.

See deny direct access to a folder and file by htaccess (if you are using Apache) or store it outside the document root.

Shira
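
Added example, not part of the original answer or the asker's code: one way to keep the export private using PHP alone, assuming PHP 7.2 or later with the bundled sodium extension. The function names and the output path are hypothetical; in a deployment the path would point outside the document root, as the answer advises.

```php
<?php
// Added example; function names and paths are assumptions, not from the page.
function derive_key(string $password, string $salt): string
{
    // Argon2id is deliberately slow, which makes offline password guessing costly.
    return sodium_crypto_pwhash(SODIUM_CRYPTO_SECRETBOX_KEYBYTES, $password, $salt,
        SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE, SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE);
}

function encrypt_dump(string $sql, string $password): string
{
    $salt  = random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES);
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $key   = derive_key($password, $salt);
    $box   = sodium_crypto_secretbox($sql, $nonce, $key); // encrypts and authenticates
    sodium_memzero($key);
    return $salt . $nonce . $box; // salt and nonce are not secret
}

function decrypt_dump(string $blob, string $password): string
{
    $s = SODIUM_CRYPTO_PWHASH_SALTBYTES;
    $n = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;
    if (strlen($blob) < $s + $n + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        throw new RuntimeException('file too short to be an encrypted dump');
    }
    $key = derive_key($password, substr($blob, 0, $s));
    $sql = sodium_crypto_secretbox_open(substr($blob, $s + $n), substr($blob, $s, $n), $key);
    sodium_memzero($key);
    if ($sql === false) {
        throw new RuntimeException('wrong password or modified file');
    }
    return $sql;
}

function save_private(string $path, string $blob): void
{
    $old = umask(0077); // a newly created file gets mode 0600 (owner only)
    $ok  = file_put_contents($path, $blob, LOCK_EX);
    umask($old);
    if ($ok === false) {
        throw new RuntimeException("cannot write $path");
    }
}

// Constructed sample standing in for $content built by the export function.
$sql  = "CREATE TABLE t (id INT);\nINSERT INTO t VALUES (\"1\");\n";
$blob = encrypt_dump($sql, 'constructed-passphrase');
save_private(sys_get_temp_dir() . '/mybackup.sql.enc', $blob); // temp dir used only for the demo
var_dump(decrypt_dump($blob, 'constructed-passphrase') === $sql);
```

In the export script, `$content` would be passed to `encrypt_dump()` and the result written or sent in place of the plain dump; the password should come from outside the source file, not be hard-coded as it is in this demo.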