Re: How to secure database password? (was Re: Perl/DBI newbie: password storage / security question)

2003-11-27 Thread Todd Farmer
I've written a custom module (say "dbConnect.PM") where the password is
hard-coded and is a return value from a function (e.g., "get_password()").
This module is not located in a publicly-accessible folder (i.e., not in
htdocs or cgi-bin).  My scripts in the cgi-bin call this custom module's
function which returns the password, which the scripts then use to connect
to the database.

An additional security (and maintenance) benefit to this implementation is
that the password is stored in a single location, rather than peppered
throughout my scripts.  This makes regular updates of the database password
fast and simple.

I continue to ask the same questions you are asking, though.  If anybody has
better ideas or sees limitations with this solution, I'd love to hear.

Todd F.

- Original Message - 
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, September 17, 2003 12:04 AM
Subject: How to secure database password? (was Re: Perl/DBI newbie: password
storage / security question)


> Hello,
>
> Many thanks to R. Joseph Newton, Motherofperls, essential quint and Chuck
> Fox for answering my questions, however it is still not what I was asking
> about. My previous posts were long and maybe unclear so I'll try to get
> straight to the point this time, adding more details at the bottom of my
> post.
>
> It is actually an extremely common situation: There is a CGI script
> written in Perl. It is a frontend to an SQL database.
>
> The script has to connect to the database so it has to send a password. I
> need that password to be secure. I am not interested in security through
> obscurity. There are other websites on the web server and other users on the
> system.
>
> My solution was using SUID wrappers giving my script an EUID of a system
> user having only one purpose: being the only member of the only group having
> read privilege to a file storing the database password. The disadvantage of
> this solution is the large number of system users and groups (a few for every
> website/database) and corresponding database accounts (with the minimum set
> of privileges each).
>
> I am quite new to Perl and particularly new to database programming, so
> I'd like to ask how all of you Perl gurus are solving that common problem of
> database password security. Is there any better solution than mine?
>
> This problem is simple and common, but if there is any better place to ask
> these questions, I'd be grateful for pointing me there.
>
> I have tried my best to find any related information on the Web and
> Usenet archives, only to fail miserably. I will not believe that any sane
> person has passwords hardcoded into the script itself on any production
> system, like it is suggested in every example of using DBI (which, as I
> assume, is done only for the sake of the example's simplicity).
>
> For more details of my original questions and reasoning see:
>
> Date: Sat, 13 Sep 2003 05:09:58 -0500 (EST)
> Message-Id: <[EMAIL PROTECTED]>
> http://www.mail-archive.com/beginners%40perl.org/msg46845.html
>
> Date: Sat, 13 Sep 2003 21:25:55 -0500 (EST)
> Message-Id: <[EMAIL PROTECTED]>
> http://www.mail-archive.com/beginners%40perl.org/msg46856.html
>
> I was trying to be very clear this time, moving the most important
> information to the top of my message, so everyone could know what I mean
> before getting lost in the details of my own reasoning. And now some
> details:
>
> Joseph, I was asking about database password, not password database, but
> speaking about the latter, I would never use a self-made custom hashing
> algorithm you suggested, nor would I buy any third-party RSA encryption
> application for that matter.[1] Also, it is not true that the hashing
> algorithm is any more secure as a compiled object.[2]
>
> Quint, I was not wondering whether to use RDBMS or flat files, but there
> are ways to make working with flat files equally convenient.[3] Of course I
> use HTTPS for client connections, so the users' passwords are safe in
> transit.[1] I use CPAN modules for everything I can and I make sure my own
> scripts themselves are written with security in mind.[4]
>
> Quint, you say that the argument against flat files is that they have to
> be writable by the httpd process EUID, but then you propose embedding the
> RDBMS password in the script or module instead (readable by the server
> process), which essentially makes the whole database world-writable (as
> anyone with read access to the script or module, like everyone exploiting
> any other CGI script on the system, can gain full access to the database),
> which is absolutely unacceptable for any multiuser system connected to the
> Internet.
>
> Chuck, your solutions of storing the password in another database,[5] or
> moving the password outside the script[6] don't solve the problem, but only
> move it to someplace else, where it is still unsolved, not improving the
> security at all.
>
> Zedgar.
> 
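
Todd's single-module approach and Zedgar's restricted-file approach, combined in an added example. This is my code, not Todd's dbConnect.PM or anything from the thread: a module installed outside htdocs and cgi-bin reads the password from a file that only the script's effective user may read, refuses to use the file if it is group- or world-accessible or owned by someone else, and hands the CGI scripts a DBI handle rather than the password itself. The module name, the file path, the DSN and the account name are assumptions.

```perl
package DbConnect;   # hypothetical module name; lives in DbConnect.pm outside the web root
# Added example, not Todd's dbConnect.PM or any code from the thread.
# Assumptions: the password sits in /etc/myapp/db.pw (hypothetical path),
# owned by the user the CGI runs as, mode 0400, never under htdocs/cgi-bin.
use strict;
use warnings;
use DBI;
use Fcntl ':mode';

my $PW_FILE = '/etc/myapp/db.pw';                        # hypothetical
my $DSN     = 'DBI:mysql:database=news;host=localhost';  # hypothetical
my $DB_USER = 'news_app';                                # hypothetical least-privilege account

# Returns the password or dies. Refuses to read the file when its
# permissions would let any other account on the machine read it too,
# so a chmod mistake fails loudly instead of silently leaking the secret.
sub get_password {
    my @st = stat($PW_FILE) or die "cannot stat $PW_FILE: $!\n";
    my ($mode, $uid) = @st[2, 4];
    die "$PW_FILE is not a regular file\n" unless S_ISREG($mode);
    die sprintf("%s is group/world accessible (mode %04o); chmod 0400 it\n",
                $PW_FILE, $mode & 07777)
        if $mode & (S_IRWXG | S_IRWXO);
    die "$PW_FILE is owned by uid $uid, not by effective uid $>\n"
        unless $uid == $>;
    open my $fh, '<', $PW_FILE or die "cannot open $PW_FILE: $!\n";
    my $pw = <$fh>;
    close $fh;
    die "$PW_FILE is empty\n" unless defined $pw && length $pw;
    chomp $pw;
    return $pw;
}

# Scripts in cgi-bin call this and receive a handle; they never see the
# password, so rotating it means editing one file, not every script.
sub connect_db {
    my $dbh = DBI->connect($DSN, $DB_USER, get_password(),
                           { RaiseError => 1, PrintError => 0, AutoCommit => 1 })
        or die "connect failed: $DBI::errstr\n";
    return $dbh;
}

1;
```

A script in cgi-bin would then do "use lib '/usr/local/lib/myapp'; use DbConnect; my $dbh = DbConnect::connect_db();" (the lib path is another assumption). The mode and owner checks only catch misconfiguration: any other script running under the same effective user, which on a shared server means every other CGI under the httpd account, can still call get_password or read the file directly. That is exactly the gap Zedgar closes with a dedicated user per site and an SUID wrapper; the module above does not replace that, it only keeps the secret in one place and out of the document tree.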

Re: Storing Form Data without submitting it.

2003-11-27 Thread Andrew Gaffney
Bob Showalter wrote:
Andrew Gaffney wrote:

I believe there is an HTTP status code that tells the browser that
the form was successfully submitted, but not to go anywhere. I don't
know what it is off the top of my head, but I think it would work in
this case. 


Would that be 204 No Content?

http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.2.5

I've never used that before. I wonder if the various browsers behave
properly when they get that?
I'd hope they would. It is part of the HTTP protocol. A script should just need to do:


print "HTTP/1.1 204 No Content\r\n\r\n";
to make it work, I believe. I'm not that good with CGI.pm yet, so I can't remember the 
official CGI.pm way of returning something besides '200 OK'. Anyone else?

--
Andrew Gaffney
--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
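
Andrew's 204 idea in CGI.pm terms, as an added example (my code, not anything posted in the thread). It handles both a normal submit and a timer-driven "autosave" submit of the same form: the autosave case answers 204 No Content so the browser keeps the form on screen. A normal (non-nph) CGI script does not print the "HTTP/1.1 ..." status line itself; it emits a "Status:" header and the web server builds the status line, which is what CGI.pm's -status option produces. The draft directory and the field names are assumptions.

```perl
#!/usr/bin/perl
# Added example, not code from the thread. Handles both a normal submit and a
# background "autosave" submit of the same form. Draft directory and field
# names are assumptions.
use strict;
use warnings;
use CGI;

my $DRAFT_DIR = '/var/lib/myapp/drafts';   # hypothetical, outside the web root

# Writes the article text to a per-article file. The id becomes part of a
# path, so it is checked to be digits only before anything touches the disk.
sub save_draft {
    my ($id, $body) = @_;
    return 0 unless defined $id && $id =~ /\A\d+\z/;
    return 0 unless defined $body;
    open my $fh, '>', "$DRAFT_DIR/$id.txt" or return 0;
    print {$fh} $body;
    close $fh or return 0;
    return 1;
}

my $q     = CGI->new;
my $saved = save_draft(scalar $q->param('id'), scalar $q->param('body'));

if (defined $q->param('autosave')) {
    # Timer-driven save: 204 tells the browser the request succeeded but
    # gives it nothing to render, so the form stays on screen. CGI.pm turns
    # -status into a "Status:" header; a non-nph script must not print the
    # "HTTP/1.1 ..." line itself. -type => '' suppresses Content-Type,
    # which a body-less 204 does not need.
    print $q->header(-status => '204 No Content', -type => '');
} else {
    # Ordinary submit: answer with a page as usual.
    print $q->header(-type => 'text/html; charset=UTF-8'),
          $q->start_html(-title => 'Article'),
          $q->p($saved ? 'Article saved.' : 'Nothing saved: missing or bad id/body.'),
          $q->end_html;
}
```

The scalar in front of each param call matters: in list context param can return an empty list, which would shift the following argument into the wrong position. The 204 branch still saves the draft first; the status code only changes what the browser does afterwards.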


Re: beginners-cgi Digest 26 Nov 2003 17:53:12 -0000 Issue 497

2003-11-27 Thread Andrew Gaffney
Dominique Okpara wrote:
http://www.geocities.com/geniusdoms/TheGenius

[EMAIL PROTECTED] wrote:
beginners-cgi Digest 26 Nov 2003 17:53:12 - Issue 497
Topics (messages 10148 through 10155):

Re: extracting email addys.
10148 by: John Horner
Storing Form Data without submitting it.
10149 by: Marcus Willemsen
10151 by: Wiggins d Anconia
10153 by: Andrew Gaffney
10154 by: Bob Showalter
Redirecting to a different url with cgi
10150 by: Ash Singh
10152 by: Wiggins d Anconia
CGI Redirection
10155 by: Ash Singh
Are you actually replying to something? If you are, trim out all the other messages that 
have absolutely nothing to do with what you are replying to.

--
Andrew Gaffney


Re: beginners-cgi Digest 26 Nov 2003 17:53:12 -0000 Issue 497

2003-11-27 Thread Dominique Okpara
http://www.geocities.com/geniusdoms/TheGenius

[EMAIL PROTECTED] wrote:
beginners-cgi Digest 26 Nov 2003 17:53:12 - Issue 497

Topics (messages 10148 through 10155):

Re: extracting email addys.
10148 by: John Horner

Storing Form Data without submitting it.
10149 by: Marcus Willemsen
10151 by: Wiggins d Anconia
10153 by: Andrew Gaffney
10154 by: Bob Showalter

Redirecting to a different url with cgi
10150 by: Ash Singh
10152 by: Wiggins d Anconia

CGI Redirection
10155 by: Ash Singh

--


> ATTACHMENT part 2 message/rfc822 
Date: Tue, 25 Nov 2003 07:32:59 +1100
To: "Silent Zed" , 
From: John Horner 
Subject: RE: extracting email addys.

Here's my position on this.

Randal is a very respected member of the Perl community, but in this 
case I think his response was a bit extreme, especially as it didn't 
spell out *why* he was so annoyed.

First of all, what's "The FAQ"? Perl, and the various versions of 
Perl, have a lot of different FAQs.

In this case, Randal was referring to the general Perl FAQ, 
sub-section "How do I check a valid mail address?"

http://www.perldoc.com/perl5.8.0/pod/perlfaq9.html

which is, somewhat confusingly, not in the regex FAQ, is about 
checking the *validity* of addresses, and starts with a blunt 
statement that it's impossible.

The whole thing is pretty much in the context of "I've been given an 
address -- how do I tell if it's valid?", and it does indeed address 
serious issues, which not many people know about, because email 
addresses can take a number of different and obscure forms and still 
be valid.

However, Sara didn't want to check the validity of email addresses. 
All the addresses she wanted to fix were valid, known to her, and 
presumably in one of the more normal forms, as in 
[EMAIL PROTECTED] -- if Sara had said "I want to match email 
addresses in the form '[EMAIL PROTECTED]' and replace the '@' 
symbol", then I submit that the solutions would have been just fine.

Randal's right, people should read the FAQ. Everyone go and read it 
right now. But the FAQ entry he mentioned doesn't directly address 
the problem at hand, and the solution promised would almost certainly 
have sufficed.

I wish someone had answered more like this:



The following regex [regex] will find most normal 
'[EMAIL PROTECTED]' email addresses -- but please, if you 
haven't, read the FAQ, [address] because this is *not* a regex that 
will match every valid email address.

--

jh
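
The answer John wishes someone had given, written out as an added example (my code, not John's or anyone else's from the thread): a pattern for the "most normal" local@domain.tld shape, next to the FAQ's caveat that it is not a validity test, plus the '@' rewrite that the original question was about. All addresses in the list are constructed for the example; three of them are valid addresses that the simple pattern rejects.

```perl
#!/usr/bin/perl
# Added example, not code from John's message: a "most normal addresses"
# pattern next to the FAQ's caveat that it is not a validity check.
# All addresses below are constructed for the example.
use strict;
use warnings;

# Matches local@domain.tld with the usual characters. Anchored with \A and \z
# rather than ^ and $, because $ would also accept a trailing newline
# (for instance an address read from <STDIN> without chomp).
my $simple = qr/\A[\w.+-]+\@[\w-]+(?:\.[\w-]+)+\z/;

sub matches_simple {
    my ($addr) = @_;
    return $addr =~ $simple ? 1 : 0;
}

# The rewrite the original question was about: swap the '@' in an address
# that is already known to be good, no validation involved.
sub obfuscate {
    my ($addr) = @_;
    (my $out = $addr) =~ s/\@/ [at] /;
    return $out;
}

my @samples = (
    'user@example.com',                 # the ordinary form
    'first.last+tag@news.example.org',  # dots and a plus tag, still ordinary
    '"quoted local"@example.com',       # valid per RFC 2822, quoted local part
    'user@localhost',                   # valid, host without a dot
    'user@[192.0.2.1]',                 # valid, domain literal
    "user\@example.com\n",              # ordinary form with a trailing newline
    'not an address',                   # plainly not an address
);

for my $addr (@samples) {
    (my $shown = $addr) =~ s/\n/\\n/g;
    printf "%-34s %s\n", $shown, matches_simple($addr) ? 'matched' : 'not matched';
}
print obfuscate('user@example.com'), "\n";
```

The quoted local part, the dotless host and the domain literal are the kind of forms the FAQ entry has in mind: rejecting them is fine when you are rewriting addresses you already know, and wrong when you are deciding whether to accept an address from a user.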


> ATTACHMENT part 3 message/rfc822 
Subject: Storing Form Data without submitting it.
Date: Wed, 26 Nov 2003 15:14:53 +0100
From: "Marcus Willemsen" 
To: 

Hi everybody,

I'm not sure this is the right list to ask this kind of question but I don't know 
where else. We are using html forms to insert and update news articles (texts) stored 
in a mysql database. Every so often one of our journalists forgets to press the submit 
button or his computer crashes and everything written so far is lost. Is it possible 
to build something like an "autosave" function that submits the form data 
automatically every couple of minutes and updates the database entry?
Any hints where to look up this kind of thing?

Thanks Marcus


Marcus Willemsen
Online Editorial Office
Juve Verlag GmbH
Sachsenring 6
50677 Köln
++49 (0)221 91 38 80 16
www.juve.de


Managing Directors: Dr. Astrid Gerber, Dr. Aled W. Griffiths
Registered office: Köln
Amtsgericht Köln (Cologne District Court) HRB 29593, place of jurisdiction: Köln
Bank details: Stadtsparkasse Köln, sort code (BLZ) 37050198, account no. 4772281




> ATTACHMENT part 4 message/rfc822 
Date: Wed, 26 Nov 2003 07:28:27 -0700
From: "Wiggins d Anconia" 
To: "Marcus Willemsen" , 
Subject: Re: Storing Form Data without submitting it.



> 
> Hi everybody,
> 
> I'm not sure this is the right list to ask this kind of question but
> I don't know where else. We are using html forms to insert and update
> news articles (texts) stored in a mysql database. Every so often one of
> our journalists forgets to press the submit button or his computer
> crashes and everything written so far is lost. Is it possible to build
> something like an "autosave" function that submits the form data
> automatically every couple of minutes and updates the database entry?
> Any hints where to look up this kind of thing?
> 

It is sort of the right place :-)... Because this is a client side
action (at least what triggers it) you are probably going to want to
look to JavaScript. I believe you can set up timers in JavaScript that
will trigger actions; that will be the hard part. The easy part is that the
action that is triggered is just a standard submit of the form; then the
server side script would just store the info and reprint the form with
the fields filled in the same, which I am assuming you can do.

As a suggestion I would add (at least) two features,

1) a