[pmwiki-users] Keeping MySQL passwords safe

Julius jultus at gmail.com
Fri Apr 11 06:30:26 CDT 2008

By the way, GREAT work on the UpdateForm recipe, Ben!
I'm so thankful, this together with pmwiki saves me
days of work and is exactly what I need.

Patrick Ogay wrote:

> One problem might be that the db user has too many rights
> (administration, create tables, delete tables...)
> Usually you can create a db user with just the rights needed (access to the
> table needed).

I will, as far as possible.
In this particular situation a lot of (experimenting) students,
scientists and researchers have access to the same database server,
and because of that much of what I use is open to the world as well.

> Certainly you can include the db stuff from a place which is not web
> accessible.

Actually, the most secure solution for my situation turns out to be
putting the DB access data in a very strictly htpasswd-protected folder
outside of the pmwiki root, together with a referer requirement in .htaccess
(which has local reasons: it prevents some cross-script access):

RewriteEngine On
# Requests for .php/.htm* files whose Referer is not our own host go to index.php
RewriteCond %{HTTP_REFERER} !^http://public-server-address-accessing-database-php/.*$ [NC]
RewriteRule \.(php|htm.*)$ /index.php [L]

and I'm using an include:

>>> <?php include("/home/passwd_protected_folder/path_to_dbase_access_variables_stuff.php"); ?>

>> However, I question whether what you're suggesting will do any good,
>> since the file with the passwords in it has to be readable by the Web
>> server in order to be included by PHP, and as I understand it, that
>> means it will also be readable by anyone who has access to your Web
>> document root directory.  I haven't tried it, though, so I may be
>> mistaken.  Let me know what you find out!

I've put


in /local/config.php and it works fine. The reason I've not linked to the file directly
is that others need access to it too (not from the pmwiki folder).

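The thread settles on keeping the credentials file outside the web root and pulling it in with an include. Below is an added example of how a config.php can do that defensively; it is not code from the thread, from pmwiki or from the UpdateForm recipe. Before including the file it checks that the path is not a symlink, that it resolves to somewhere outside DOCUMENT_ROOT (so the web server can never serve it, htpasswd or not), and that it is not world-readable (so other shell or FTP accounts on the shared server cannot read it directly). The paths, database name, table name and MySQL user are hypothetical, and the GRANT in the comment is the least-privilege user Patrick suggests.

```php
<?php
declare(strict_types=1);

// Added example (not from the pmwiki thread): load MySQL credentials from a
// file outside the web root and refuse to start if the file looks exposed.
// All paths, the database, table and user names below are hypothetical.

/**
 * Load credentials from a PHP file that ends in `return [...]`, e.g.
 *
 *   <?php
 *   return [
 *       'dsn'  => 'mysql:host=localhost;dbname=wikidb;charset=utf8mb4',
 *       'user' => 'wikiapp',   // MySQL user limited to one table, created with
 *                              // GRANT SELECT, INSERT, UPDATE ON wikidb.forms
 *                              //   TO 'wikiapp'@'localhost';
 *       'pass' => 'secret',
 *   ];
 *
 * Suggested file mode on a shared host: 0640, owned by you, group = the
 * web server's group, so PHP can read it but other accounts cannot.
 */
function load_db_credentials(string $file, string $docRoot): array
{
    // A symlink planted in a writable directory could swap the file for another.
    if (is_link($file)) {
        throw new RuntimeException("credentials file must not be a symlink: $file");
    }
    $real = realpath($file);
    if ($real === false || !is_file($real)) {
        throw new RuntimeException("credentials file not found: $file");
    }
    // Anything under the document root can be fetched over HTTP if the
    // PHP handler is ever misconfigured; require the file to live outside it.
    $root = realpath($docRoot);
    if ($root !== false && strpos($real, rtrim($root, '/') . '/') === 0) {
        throw new RuntimeException("credentials file $real is inside the document root $root");
    }
    // World-readable means every local account on the server can cat it.
    $mode = fileperms($real) & 0777;
    if (($mode & 0004) !== 0) {
        throw new RuntimeException(sprintf('credentials file %s is world-readable (mode %04o)', $real, $mode));
    }
    $creds = require $real;
    foreach (['dsn', 'user', 'pass'] as $key) {
        if (!is_array($creds) || !isset($creds[$key]) || !is_string($creds[$key])) {
            throw new RuntimeException("credentials file is missing '$key'");
        }
    }
    return $creds;
}

/** Open a PDO connection that throws on error and uses real prepared statements. */
function connect_db(array $creds): PDO
{
    return new PDO($creds['dsn'], $creds['user'], $creds['pass'], [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Usage from local/config.php (hypothetical path outside the web root):
$creds = load_db_credentials('/home/wikiowner/private/db_access.php', $_SERVER['DOCUMENT_ROOT']);
$db    = connect_db($creds);
unset($creds);   // do not leave the password in a global for other code to find
$stmt  = $db->prepare('SELECT id, name FROM forms WHERE id = :id');
$stmt->execute([':id' => 1]);
```

Two caveats that the thread's setup does not cover. The htpasswd protection and the Referer rule only govern HTTP requests: the Referer header is sent by the client and can be set to anything, so it stops casual cross-site requests, not a deliberate one. And the file still has to be readable by whatever user PHP runs as; on a shared server where every account's PHP runs under the same web-server user (mod_php), any other account's script can include or read the file regardless of where it sits or what mode it has. That is the case Ben's objection points at, and the only real fix is running PHP as your own account (suEXEC, suPHP or a per-user PHP-FPM pool) together with the 0640 mode above. The database-side control, a user granted rights on one table only, limits the damage if the password does leak.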