You could use Turck to convert the file to byte code. Not exactly
state of the art security as Turck does not have any encryption
itself, but definitely a better option than plain text.

- Sid


On Fri, 2 Jul 2004 22:32:24 -0400 (EDT), Michal Migurski
<[EMAIL PROTECTED]> wrote:
> > I realize the key needs to be stored somewhere which is part of the
> > problem of how to make it a bit more secure.  I just don't feel safe if
> > a password is in a flat file in clear text.  Ideally the database should
> > support something like an ssh style public/private Key auth where the
> > private Key is stored internally to the database.
> 
> Where would you store the passphrase to the key? This is a losing battle -
> at some point, anonymous requests from the outside world are going to have
> to result in some kind of access to the database.
> 
> I think you'd be better off accepting the inherent security tradeoffs as a
> known variable, and working from there: write your code so it's not
> vulnerable to SQL injection or other attacks, limit the access permissions
> of the database user, put the file containing the password someplace where
> the webserver won't divulge its content (apache config or .htaccess is a
> personal favorite of mine), and (important!) back up your DB regularly so
> that you can recover from attacks cleanly.
> 
> -mike.
> 
> ---------------------------------------------------------------------
> michal migurski- contact info and pgp key:
> sf/ca            http://mike.teczno.com/contact.html
> 
> 
> 
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
> 
>
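
The measures listed in the quoted message (credentials kept where the web server will not serve them, a limited database user, queries safe from SQL injection) can be sketched in PHP as follows. This is an added example, not code from anyone in the thread. The path /etc/myapp/db.ini, the ini keys dsn/user/pass and the users table are assumptions.

```php
<?php
// Added example: CRED_FILE, the ini keys and the users table are hypothetical.
// The file is assumed to be owned by the web server user with mode 0600 or 0640.
const CRED_FILE = '/etc/myapp/db.ini';

function load_db_credentials(string $path): array
{
    $real = realpath($path);
    if ($real === false) {
        throw new RuntimeException('credentials file not found');
    }
    // Refuse a file the web server could hand out as static content.
    $docroot = $_SERVER['DOCUMENT_ROOT'] ?? '';
    if ($docroot !== '' && ($root = realpath($docroot)) !== false
        && strpos($real, rtrim($root, '/') . '/') === 0) {
        throw new RuntimeException('credentials file is inside the document root');
    }
    // Refuse a file that "other" users can read, write or execute.
    $perms = fileperms($real);
    if ($perms === false || ($perms & 0007) !== 0) {
        throw new RuntimeException('credentials file is accessible to other users');
    }
    // Raw mode keeps special characters in the password from being interpreted.
    $cfg = parse_ini_file($real, false, INI_SCANNER_RAW);
    if ($cfg === false || !isset($cfg['dsn'], $cfg['user'], $cfg['pass'])) {
        throw new RuntimeException('credentials file is missing dsn, user or pass');
    }
    return $cfg;
}

function find_user(PDO $db, string $email): ?array
{
    // Bound parameter: request data never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT id, email FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The account named in the file is assumed to hold only the privileges the
// application needs on its own tables (no DROP, GRANT or FILE).
$cfg = load_db_credentials(CRED_FILE);
$db = new PDO($cfg['dsn'], $cfg['user'], $cfg['pass'], [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use server-side prepared statements
]);
```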
