[pmwiki-users] Keeping MySQL passwords safe

Julius jultus at gmail.com
Fri Apr 11 06:30:26 CDT 2008


By the way, GREAT work on the UpdateForm recipe, Ben!
I'm so thankful, this together with pmwiki saves me
days of work and is exactly what I need.

Patrick Ogay wrote:

> One problem might be that the db user has too many rights
> (administration, create tables, delete tables...)
> Usually you can create a db user with just the rights needed (access the
> table needed).

I will, as far as possible.
In this particular situation a lot of (experimenting) students,
scientists and researchers have access to the same database server,
and because of that much of what I use is open to the world as well.

> Certainly you can include the db stuff from a place which is not web
> accessible.

Actually, the most secure solution for my situation turns out to be
putting the DB access data in a very strict htpasswd protected folder
outside of the pmwiki root, with also a referer requirement in .htaccess
(which has local reasons, preventing some cross-script access);

# Referer is sent by the client and can be omitted or forged, so this only deters casual cross-site loads.
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://public-server-address-accessing-database-php/.*$ [NC]
RewriteRule \.(php|htm.*)$ /index.php [L]

and I'm using an include;

>>> <?php include("/home/passwd_protected_folder/path_to_dbase_access_variables_stuff.php"); ?>

>> However, I question whether what you're suggesting will do any good, 
>> since the file with the passwords in it has to be readable by the Web 
>> server in order to be included by PHP, and as I understand it, that 
>> means it will also be readable by anyone who has access to your Web 
>> document root directory.  I haven't tried it, though, so I may be 
>> mistaken.  Let me know what you find out!

I've put

  require_once("../file_with_include_in_it.php");

in /local/config.php and it works fine. The reason I've not linked to the file directly
is that others need access to it too (not from the pmwiki folder).
-- 
Julius
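The check the thread keeps circling back to is whether the credentials file is really out of reach: htpasswd and RewriteCond only govern what Apache serves over HTTP, while a PHP include reads the file straight from disk under the web server's account, so what actually limits readers is the file's location and its permission bits. Below is an added example (not code from the thread or from PmWiki) that verifies exactly that for a credentials file like the one /local/config.php would require_once. All paths and the www-data account name are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: verify that a DB-credentials file sits
# outside the web document root and grants no read access to group or other.
# Paths below are assumptions chosen to mirror the layout described above.

# Print the physical location of a path (resolves symlinks in the directory part).
physical_path() {
    dir=$(cd "$(dirname "$1")" 2>/dev/null && pwd -P) || return 1
    printf '%s/%s\n' "$dir" "$(basename "$1")"
}

# Succeed (0) when file $1 is not located anywhere under directory $2.
outside_docroot() {
    realfile=$(physical_path "$1") || return 1
    realroot=$(cd "$2" 2>/dev/null && pwd -P) || return 1
    case "$realfile" in
        "$realroot"/*) return 1 ;;
    esac
    return 0
}

# Succeed (0) when the group and other permission bits are all clear.
owner_only() {
    perms=$(ls -ld "$1" | cut -c5-10)   # columns 5-10 of ls -l are the group+other bits
    if [ "$perms" = "------" ]; then
        return 0
    fi
    return 1
}

# Combined check: the file exists, is outside the docroot, and is readable by its owner only.
check_db_secret() {
    secret=$1; docroot=$2
    [ -f "$secret" ] || { echo "missing: $secret" >&2; return 1; }
    outside_docroot "$secret" "$docroot" || { echo "inside docroot: $secret" >&2; return 1; }
    owner_only "$secret" || { echo "group/world readable: $secret" >&2; return 1; }
    return 0
}

# Copy a credentials file into place with a safe mode. The account PHP runs as
# must own it; as root you would add '-o www-data' style ownership afterwards
# (www-data is an assumed account name, it differs between distributions).
install_db_secret() {
    src=$1; dst=$2
    (
        umask 077            # never let the new file be group/world readable, even briefly
        mkdir -p "$(dirname "$dst")" && cp "$src" "$dst" && chmod 0400 "$dst"
    )
}

# Usage (assumed paths):
#   install_db_secret ./db_access.php /home/passwd_protected_folder/db_access.php
#   check_db_secret /home/passwd_protected_folder/db_access.php /var/www/pmwiki && echo OK
```

Note what this does and does not prove: a file that passes is unreadable to other login accounts on the shared server, but any PHP script running under the same web server account (including other users' scripts on a shared host) can still include it. If the host does not isolate accounts (suEXEC, PHP-FPM pools, or similar), moving the file out of the document root narrows the audience but does not eliminate that reader.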