At 20:41 14-02-2001 -0500, sachin shetty wrote:
>Hello
>
>I am accessing a mysql database through a CGI script, but wouldn't like to
>give the passwords in the script.

Your web account probably contains two types of directories: Those accessible
via the web and those that are not.

As a rule, you should never place the password in a script inside a directory
accessible via the web, but you should be able to place it in a subdirectory
of your home directory (the one not accessible via the web).

Suppose your home directory is something like /usr/home/sachin (assuming
a Unix based server). Create a subdirectory, say /usr/home/sachin/bin.
Place your script in that subdirectory, e.g. /usr/home/sachin/bin/myscript .

Then place a shell script into your web directory, e.g. myscript.cgi,
which looks like this:

#! /usr/home/sachin/bin/myscript

Just one line. In case your server administrator makes a mistake and the
script becomes accessible from the web, all people will see is the path
to your script, but will not be able to get the script itself via the
web.

Of course, it is still possible that someone may break into the server
via telnet and such, but it is less likely (and shows a major security
flaw with the system). For that reason, ideally, "myscript" should actually
be a program, that is written in C or some other compiled language, storing
the password encrypted and decrypting it when running. That way, even
a hex dump of the script will not reveal the password.

A dedicated cracker may still disassemble the code, and things like that.
There is really nothing you can do to stop a dedicated cracker entirely
(though you can slow him down). But most security breaches are not done
by dedicated crackers. The technique I described above will stop the
majority of crackers. It will certainly stop anyone from getting your
password via the web alone.

Adam
--- 
Whiz Kid Technomagic - brand name computers for less.
See http://www.whizkidtech.net/pcwarehouse/ for details.

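The layout Adam describes, worked through as an added example (this is not code from the original thread): the credentials and the real script live outside the web tree, and the only file under the web directory is a wrapper that contains no secret. Assumptions: the home directory is a temporary directory standing in for /usr/home/sachin, the web directory is called public_html, the password is a constructed sample, and a stand-in for the mysql client is used so the example runs offline. Two deviations from the post are deliberate: the wrapper is a /bin/sh script that exec's the real script, because a "#!" line that points at another script is not honoured on every Unix, and the password is read by the mysql client from a mode 0600 options file via its --defaults-extra-file option rather than being stored in the script, so it never appears in a script body or on a command line.

```shell
#!/bin/sh
# Added example (not from the original post). Keeps MySQL credentials out
# of the web-accessible tree; the web-facing CGI contains no secret.
set -u

# Build the layout under "$1", a directory standing in for /usr/home/sachin
# (hypothetical layout: public_html/ is the web tree, bin/ and etc/ are not).
setup_layout() {
    home="$1"
    mkdir -p "$home/public_html" "$home/bin" "$home/etc"

    # Credentials file outside the web tree, owner-readable only.
    # The password below is a constructed sample value.
    cat > "$home/etc/mysql.cnf" <<'EOF'
[client]
user=sachin
password=constructed-sample-password
EOF
    chmod 600 "$home/etc/mysql.cnf"

    # The real script, also outside the web tree. The mysql client reads
    # the password itself from the options file, so it is never placed
    # in argv. MYSQL is overridable so a stand-in client can be used offline.
    cat > "$home/bin/myscript" <<EOF
#!/bin/sh
MYSQL="\${MYSQL:-mysql}"
exec "\$MYSQL" --defaults-extra-file="$home/etc/mysql.cnf" -e 'SELECT 1'
EOF
    chmod 700 "$home/bin/myscript"

    # The only file in the web tree: a wrapper holding just the path
    # to the real script. If the server ever serves it as text, that
    # path is all a visitor learns.
    cat > "$home/public_html/myscript.cgi" <<EOF
#!/bin/sh
exec "$home/bin/myscript"
EOF
    chmod 755 "$home/public_html/myscript.cgi"
}

# Return 0 if no file under the web tree contains the string "$2".
web_tree_is_clean() {
    ! grep -rq "$2" "$1/public_html"
}

# Return 0 if the credentials file is readable by neither group nor others.
cred_file_is_private() {
    [ -z "$(find "$1/etc/mysql.cnf" \( -perm -040 -o -perm -004 \) -print)" ]
}

# Run the web-facing wrapper with a stand-in client (hypothetical) that
# only echoes its arguments, to show what reaches the client's command line.
run_wrapper() {
    home="$1"
    cat > "$home/bin/fake-mysql" <<'EOF'
#!/bin/sh
echo "$@"
EOF
    chmod 755 "$home/bin/fake-mysql"
    MYSQL="$home/bin/fake-mysql" "$home/public_html/myscript.cgi"
}

# Stand-alone demo: build the layout in a temp dir and run the checks.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    setup_layout "$tmp"
    web_tree_is_clean "$tmp" constructed-sample-password && echo "web tree: no password"
    cred_file_is_private "$tmp" && echo "credentials file: owner-only"
    echo "client argv: $(run_wrapper "$tmp")"
    rm -rf "$tmp"
fi
```

Run it as "sh example.sh demo". The checks are the two things worth verifying on a real account: grep the web tree for the password to confirm nothing served by the web server contains it, and confirm the options file is not group- or world-readable, since on a shared host other local users are the more likely reader of a stray 0644 file than a remote attacker.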