It is exactly the same thing with a PHP script.

If someone has an account on that server, they can log in and read the PHP
file.

Teddy,
Teddy's Center: http://teddy.fcc.ro/
Email: [EMAIL PROTECTED]

----- Original Message -----
From: "Brent Bailey" <[EMAIL PROTECTED]>
To: "Benjamin Pflugmann" <[EMAIL PROTECTED]>
Cc: "Octavian Rasnita" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Thursday, December 26, 2002 4:26 PM
Subject: Re: Hiding the password


I would try using PHP to have your page connect to the MySQL database. The
code gets parsed first, then is loaded into the browser, so the user & pass
for the database is never seen. I would use something like:

$db = mysql_connect("localhost", "mysql-user", "mysql-user-password");
 mysql_select_db("whatever-database-name",$db);


Brent

Benjamin Pflugmann wrote:

> Hello.
>
> On Wed 2002-12-25 at 13:15:58 +0200, [EMAIL PROTECTED] wrote:
> > Hi all,
> >
> > I want to make a CGI program in Perl that queries a MySQL database, and
> > the problem is that I need to write the password for the database in the
> > program and this password can be seen by any user that has an account on
> > that server.
> >
> > I need to give 755 permissions to CGI scripts because they need to be
> > executed by the web server account, and not by my account.
> >
> > Do you have any tips for hiding the password,
>
> Not really. Wherever you put it, the web server account has to be able
> to access it, so the problem stays. Even if you could arrange that
> only the web server account can read it (e.g. by changing the owner of
> a file containing the password), every user with permission to create
> CGI scripts can still write a script to read the data.
>
> > or accessing MySQL from CGI scripts is not secure at all?
>
> Well, it is as secure as the server is set up. E.g. one can set up
> Apache so that it executes CGIs as the user to whom the script
> belongs. I know this has its own problems... it was only intended as
> example that it is a question of the server configuration.
>
> The "best" way is always a compromise and depends on how the server is
> used. If the server configuration is not in your hands, I don't think
> there is much you can do, except asking the admin which way she suggests.
>
> HTH,
>
>         Benjamin.
>
> --
> [EMAIL PROTECTED]
>
> ---------------------------------------------------------------------
> Before posting, please check:
>    http://www.mysql.com/manual.php   (the manual)
>    http://lists.mysql.com/           (the list archive)
>
> To request this thread, e-mail <[EMAIL PROTECTED]>
> To unsubscribe, e-mail <[EMAIL PROTECTED]>
> Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php

--
Brent Bailey CCNA
High Speed Data Services
MetroCast Cablevision
603-332-8629 ext:242
[EMAIL PROTECTED]
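
Added example, not part of the original thread or written by any of its participants: a Perl loader that keeps the MySQL password out of the 755 script and refuses a credentials file that other local accounts could read. It assumes the server runs each CGI as the script's owner (the Apache setup mentioned in the thread); the function name, file path and key=value file format are hypothetical.

```perl
#!/usr/bin/perl
# Added example: read DB credentials from a separate file, checked before use.
# Assumption: the CGI runs as the file's owner, so mode 0600 is sufficient.
use strict;
use warnings;
use Fcntl qw(:mode);

sub load_db_credentials {
    my ($path) = @_;

    # Open first, then stat the handle, so the checks apply to the file we read.
    open(my $fh, '<', $path) or die "cannot open $path: $!\n";
    my @st = stat($fh) or die "cannot stat $path: $!\n";
    my ($mode, $uid) = @st[2, 4];

    die "$path is not a regular file\n" unless S_ISREG($mode);
    die "$path is not owned by the effective uid $>\n" unless $uid == $>;
    # Any group/other permission bit lets another account reach the password.
    die sprintf("%s has mode %04o, expected 0600 or stricter\n",
                $path, $mode & 07777)
        if $mode & (S_IRWXG | S_IRWXO);

    my %cred;
    while (my $line = <$fh>) {
        next if $line =~ /^\s*(?:#|$)/;    # skip comments and blank lines
        $cred{$1} = $2 if $line =~ /^\s*(\w+)\s*=\s*(.*?)\s*$/;
    }
    close($fh);

    for my $key (qw(user password database)) {
        die "$path: missing '$key'\n" unless defined $cred{$key};
    }
    return \%cred;    # hand these to DBI->connect in the CGI
}

# Constructed usage: pass the path of a file kept outside the web root.
unless (caller) {
    my $path = shift @ARGV or die "usage: $0 /path/to/db.conf\n";
    my $cred = load_db_credentials($path);
    print "credentials loaded for MySQL user '$cred->{user}'\n";
}
```

Where CGIs run under one shared web server account, the ownership check fails by design, and the limitation described in the thread still applies: any user who can create CGI scripts can read whatever that account can read.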




