Hi!

Perhaps gurus can comment on what I'm suggesting here - if the database is
set up so that only "localhost" can access it, then you can use a php or
PERL script to allow people from elsewhere to cruise in and make queries as
your script allows.  As long as your script is set up to be secure (for
example, not to allow special characters like ~ or &^$, etc.) then unless
they break into your server they can't do anything you don't want them to.

In other words, it doesn't matter if the id and password for the database
are known (and you can't really hide it on the Internet) because as long as
the server's identity is different from the domains cruising in, they are
constrained by your php script (or PERL script).

It may be helpful to do something like this:


include($DOCUMENT_ROOT.'/include/database.php');

so that the id and password are stored in another folder.  However,
sophisticated users will still be able to track the id and password down . . .

Certainly I'd appreciate comments on this by people in the know, because it
is an issue that so many people face . . .

Cheers!

-warren




----- Original Message -----
From: "Octavian Rasnita" <[EMAIL PROTECTED]>
To: "Benjamin Pflugmann" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Saturday, January 04, 2003 8:47 AM
Subject: Re: Hiding the password


> Well, I guess the best solution would be to use a Windows server.
>
> Teddy,
> Teddy's Center: http://teddy.fcc.ro/
> Email: [EMAIL PROTECTED]
>
> ----- Original Message -----
> From: "Benjamin Pflugmann" <[EMAIL PROTECTED]>
> To: "Octavian Rasnita" <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Wednesday, December 25, 2002 8:39 PM
> Subject: Re: Hiding the password
>
>
> Hello.
>
> On Wed 2002-12-25 at 13:15:58 +0200, [EMAIL PROTECTED] wrote:
> > Hi all,
> >
> > I want to make a CGI program in Perl that queries a MySQL database, and the
> > problem is that I need to write the password for the database in the program
> > and this password can be seen by any user that has an account on that
> > server.
> >
> > I need to give 755 permissions to CGI scripts because they need to be
> > executed by the web server account, and not by my account.
> >
> > Do you have any tips for hiding the password,
>
> Not really. Wherever you put it, the web server account has to be able
> to access it, so the problem stays. Even if you could arrange that
> only the web server account can read it (e.g. by changing the owner of
> a file containing the password), every user with permission to create
> CGI scripts can still write a script to read the data.
>
> > or accessing MySQL from CGI scripts is not secure at all?
>
> Well, it is as secure as the server is set up. E.g. one can set up
> Apache so that it executes CGIs as the user to whom the script
> belongs. I know this has its own problems... it was only intended as
> an example that it is a question of the server configuration.
>
> The "best" way is always a compromise and depends on how the server is
> used. If the server configuration is not in your hands, I don't think there
> is much you can do, except asking the admin which way she suggests.
>
> HTH,
>
> Benjamin.
>
> --
> [EMAIL PROTECTED]
>
>
>
> ---------------------------------------------------------------------
> Before posting, please check:
>    http://www.mysql.com/manual.php   (the manual)
>    http://lists.mysql.com/           (the list archive)
>
> To request this thread, e-mail <[EMAIL PROTECTED]>
> To unsubscribe, e-mail <[EMAIL PROTECTED]>
> Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
>
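
As an added illustration (not code from any poster in this thread), this shell function checks the two properties the messages above discuss for a file holding the database password: whether it sits under the web document root, and whether every local account can read it. The helper name and all paths are assumptions; as Benjamin's reply notes, a clean result does not stop other users' CGI scripts that run as the web server account from reading the file.

```shell
#!/bin/sh
# Added example: audit one credentials file. All paths below are constructed.

# check_cred_file FILE DOCROOT   (hypothetical helper name)
# Prints one finding per line. Returns 0 = clean, 1 = findings, 2 = cannot check.
check_cred_file() {
    file=$1; docroot=$2; findings=0
    [ -f "$file" ] || { echo "missing: $file"; return 2; }

    # Resolve both directories so ../ and symlinks cannot hide the real location.
    dir=$(cd "$(dirname "$file")" && pwd -P) || return 2
    root=$(cd "$docroot" && pwd -P) || return 2

    # Under the document root, the file is served as plain text as soon as
    # the script handler for its extension is disabled or misconfigured.
    case "$dir/" in
        "$root"/*) echo "inside-docroot: $file"; findings=1 ;;
    esac

    # "Other" read bit set: any account on the server can read the password.
    if [ -n "$(find "$file" -prune -perm -004)" ]; then
        echo "world-readable: $file"; findings=1
    fi
    # "Other" write bit set: any account can swap in its own connection settings.
    if [ -n "$(find "$file" -prune -perm -002)" ]; then
        echo "world-writable: $file"; findings=1
    fi
    return "$findings"
}

# Constructed layout: one copy under the docroot (mode 644), one outside it
# (mode 640, assuming the file's group is the web server's group).
demo=$(mktemp -d)
mkdir -p "$demo/htdocs/include" "$demo/private"
echo '<?php /* constructed placeholder, no real credentials */' \
    > "$demo/htdocs/include/database.php"
cp "$demo/htdocs/include/database.php" "$demo/private/database.php"
chmod 644 "$demo/htdocs/include/database.php"
chmod 640 "$demo/private/database.php"

check_cred_file "$demo/htdocs/include/database.php" "$demo/htdocs"
check_cred_file "$demo/private/database.php" "$demo/htdocs" \
    && echo "clean: $demo/private/database.php"
rm -rf "$demo"
```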

