pablo...

i fail to see how your suggestion is much more secure than placing the
user/passwd information in a file that's outside the web access space, and
then including the file.

in either case, the user wouldn't be able to read the include file. 

-bruce


-----Original Message-----
From: Pablo Gosse [mailto:[EMAIL PROTECTED]
Sent: Friday, November 04, 2005 3:16 PM
To: php-general@lists.php.net
Subject: RE: [PHP] protect password?


[snip]
Some functions need you to provide username and password, for instance
odbc_connect.  Even though the username/password just has minimum access
privileges to the resource, putting it there in clear text in a script
gives me heartburn.  How do people handle username/password in such kind of
cases?  I'm sure there must be some way to store critical information in
some encrypted format but it's still readable to scripts for authentication
purpose.  But don't know how.  Any ideas or pointer would be greatly
appreciated.
[/snip]

Some time ago Chris Shiflett provided a nice suggestion on how to make
your passwords more secure.  It's still not rock solid, but far better
than storing them in clear text.

The methodology I present below (which Chris presented originally)
assumes Apache as your web server.  Though I've recently gotten into IIS
administration I'm not sure of how you would specifically do this under
IIS.

Create a file outside of your webroot, and in it use SetEnv declarations
to set a username and password as environment vars.

SetEnv dbuser username
SetEnv dbpass password

Chown this file such that it is only readable by root, and then
(assuming you're on a shared host) have it included in your virtual host
block of the server config file.  If you're on a dedicated box include
it in the configuration section for the site in question.

Then when the server is restarted you will be able to access the
username and password via $_SERVER['dbuser'] and $_SERVER['dbpass'] in
your scripts.

As the first response to your post, not exactly what you were looking
for, but much more secure than plain text or even simple include files.

HTH.

Cheers,
Pablo

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
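
An added example, not part of either message: a shell check for the SetEnv file described in the thread. It verifies that the file sits outside the webroot, is owned by root with no group/other access, and sets both names the scripts read from $_SERVER. The function name audit_env_file and its arguments are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the thread): audit the SetEnv credentials file.
# Arguments: <env-file> <webroot> [expected-owner-uid, default 0 = root]
# Returns 0 when every check passes, 1 on a finding, 2 on bad input.
audit_env_file() {
    file=$1 webroot=$2 want_uid=${3:-0} rc=0
    [ -f "$file" ] && [ -d "$webroot" ] || { echo "usage error" >&2; return 2; }

    # Resolve physical paths so symlinks or ../ cannot hide the location.
    fdir=$(cd "$(dirname "$file")" && pwd -P) || return 2
    root=$(cd "$webroot" && pwd -P) || return 2
    case "$fdir/" in
        "$root"/*) echo "FAIL: $file is inside the webroot"; rc=1 ;;
    esac

    # ls -ldn prints the mode string and the numeric owner. Columns 5-10 of
    # the mode are the group and other bits, which must all be unset.
    meta=$(ls -ldn "$file")
    perms=$(printf '%s\n' "$meta" | cut -c5-10)
    uid=$(printf '%s\n' "$meta" | awk '{print $3}')
    [ "$perms" = "------" ] || { echo "FAIL: group/other access ($perms)"; rc=1; }
    [ "$uid" = "$want_uid" ] || { echo "FAIL: owner uid $uid, expected $want_uid"; rc=1; }

    # The names set here must match what the scripts read from $_SERVER.
    for name in dbuser dbpass; do
        grep -Eq "^[[:space:]]*SetEnv[[:space:]]+$name[[:space:]]+[^[:space:]]" "$file" ||
            { echo "FAIL: no SetEnv for $name"; rc=1; }
    done
    return $rc
}
```

Run it as root so it can read the file, passing your own file and webroot paths. Values set with SetEnv also appear in phpinfo() output and in any dump of $_SERVER, so keep such pages off production hosts.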
