[pmwiki-users] Keeping MySQL passwords safe

Patrick Ogay lists at basel-inside.ch
Fri Apr 11 03:18:09 CDT 2008


One problem might be that the db user has too many rights
(administration, create tables, delete tables...)
Usually you can create a db user with just the rights needed (access the
table needed).

Certainly you can include the db stuff from a place which is not web
accessible.

For security reasons, usually the db servers are only accessible via
localhost, otherwise everybody in the world can access your db with the
users.

Patrick Ogay
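The pattern Patrick describes (credentials in a file outside the web-accessible tree, a db user with only the rights it needs, db server reachable only on localhost) can be made a little more robust by having config.php refuse to load a credentials file that is in the wrong place or has the wrong permissions. The following is an added example, not code from the UpdateForm recipe or from anyone in this thread; the paths /var/www/html and /home/site/private/dbinclude.php and the function name load_db_credentials are assumptions.

```php
<?php
// Added example (not part of the UpdateForm recipe or of this thread).
// Assumed layout: the web root is /var/www/html and the credentials
// live in /home/site/private/dbinclude.php, outside the web root.
//
// --- assumed contents of /home/site/private/dbinclude.php ---
//   <?php
//   define('DB_SERVER', 'localhost');   // db reachable only on localhost
//   define('DB_NAME',   'my_database');
//   define('DB_USER',   'my_username'); // user granted only what the recipe needs
//   define('DB_PASS',   'my_password');
//
// --- in local/config.php (or updateform.php) ---

/**
 * Load the DB_* constants from $file, but only if the file is
 * outside the document root and not readable by "other".
 */
function load_db_credentials($file, $docroot)
{
    $real = realpath($file);
    if ($real === false) {
        die('db credentials file not found');
    }

    // 1. The web server must never be able to serve this file, so
    //    refuse anything that resolves to a path under the document root
    //    (realpath() also follows symlinks, so a link into the tree fails too).
    $root = realpath($docroot);
    if ($root !== false && strpos($real, rtrim($root, '/') . '/') === 0) {
        die('db credentials must live outside the document root');
    }

    // 2. The PHP process has to read it, but nobody else on the box should:
    //    refuse world-readable files. Mode 0600 (owned by the web server
    //    user) or 0640 with the web server's group is the usual choice.
    $mode = fileperms($real) & 0777;
    if ($mode & 0004) {
        die(sprintf('db credentials file is world-readable (mode %04o)', $mode));
    }

    // include and require do the same job here; require_once just makes a
    // second include from another script harmless.
    require_once $real;

    foreach (array('DB_SERVER', 'DB_NAME', 'DB_USER', 'DB_PASS') as $c) {
        if (!defined($c)) {
            die("$c is not defined in the credentials file");
        }
    }
}

$docroot = isset($_SERVER['DOCUMENT_ROOT']) ? $_SERVER['DOCUMENT_ROOT'] : '/var/www/html';
load_db_credentials('/home/site/private/dbinclude.php', $docroot);
```

On the database side, the matching step is to create my_username with only the privileges the recipe needs on the one table, for example `GRANT SELECT, INSERT, UPDATE ON my_database.my_table TO 'my_username'@'localhost' IDENTIFIED BY 'my_password';`, and to keep `bind-address = 127.0.0.1` under `[mysqld]` in my.cnf so the server is not reachable from outside the host. The permission check above does not help on shared hosting where every customer's PHP runs as the same system user; there the file owner model is the limit, and the restricted GRANT is what bounds the damage.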


Ben Stallings wrote:

>Julius wrote,
>  
>
>>While installing the UpdateForm recipe (for interfacing with a mysql
>>database), I bumped
>>into a security issue. On
>>http://www.pmwiki.org/wiki/Cookbook/UpdateForm is says:
>>
>> 3. Define (either in the script or in config.php) the constants
>>DB_SERVER, DB_NAME, DB_USER,
>> and DB_PASS to match your database, like so:
>>
>>  define ('DB_SERVER', 'db1.example.com');
>>  define ('DB_NAME', 'my_database');
>>  define ('DB_USER', 'my_username');
>>  define ('DB_PASS', 'my_password');
>>
>>But I prefer to not store these inside my web/doc root.
>>What is the best option to do this then?
>>
>>Should I best put
>>
>>require_once("../dbinclude.php");
>>
>>in /local/config.php or in updateform.php ?
>>where dbinclude.php is:
>><?php include("/home/path_to_dbase_access_variables_stuff.php"); ?>
>>
>>or will the require_once cause trouble and should I use the include directly?
>>    
>>
>
>Hi, Julius.  Require and include do basically the same thing, so there's 
>no need to require a file that does nothing but include another file; 
>you might as well do it in one step.
>
>However, I question whether what you're suggesting will do any good, 
>since the file with the passwords in it has to be readable by the Web 
>server in order to be included by PHP, and as I understand it, that 
>means it will also readable by anyone who has access to your Web 
>document root directory.  I haven't tried it, though, so I may be 
>mistaken.  Let me know what you find out!
>
>Ben Stallings
>Interdependent Web
>
>_______________________________________________
>pmwiki-users mailing list
>pmwiki-users at pmichaud.com
>http://www.pmichaud.com/mailman/listinfo/pmwiki-users
>




