Re: Securing PHP scripts - Mailing list pgsql-php
From | Cody Phanekham |
---|---|
Subject | Re: Securing PHP scripts |
Date | |
Msg-id | D4E7ED5EA9163C4089B0D9FF73B1FC4B6450C6@sydmxs04.salmat.com.au Whole thread Raw |
In response to | Securing PHP scripts ("Cody Phanekham" <Cody.Phanekham@salmat.com.au>) |
Responses |
Re: Securing PHP scripts
Re: Securing PHP scripts Re: Securing PHP scripts Re: Securing PHP scripts |
List | pgsql-php |
I should of mentioned that the server is a dedicated PHP / PostgreSQL server, therefore no other user would have access toit. My only concern is *if* the server gets compromised, then the attacker would have access to the DB without too much effort. > -----Original Message----- > From: brew@theMode.com [mailto:brew@theMode.com] > Sent: Tuesday, 19 August 2003 12:55 > To: pgsql-php@postgresql.org > Subject: Re: [PHP] Securing PHP scripts > > > > Cody..... > > > Now to connect to the DB via PHP, I have the password hard > coded (which is in clear text). > > > > Here is my question: Is there a way around storing the > password in clear text? > > But no user can ever read that clear text, right? They > should only get > the PHP script output which normally wouldn't contain the > user name and > password..... > > There can be a danger of other users on the machine being able see the > clear text password if it's a shared machine and if they are > able to read > the script, though! > > Of course that didn't answer your question...... maybe > somebody else knows > a way around storing it in clear text. > > BTW, for the best security you should be sure and run PHP with > register_globals off in the php.ini config file, read about it at > > http://us4.php.net/register_globals > > Sorry if I'm telling you a bunch of stuff you already know > anyway....... > > brew > > > > > > > ---------------------------(end of > broadcast)--------------------------- > TIP 2: you can get off all lists at once with the unregister command > (send "unregister YourEmailAddressHere" to > majordomo@postgresql.org) > ************************************************************************************* This e-mail, including any attachments to it, may contain confidential and/or personal information. If you have received this e-mail in error, you must not copy, distribute, or disclose it, use or take any action based on the information contained within it. Please notify the sender immediately by return e-mail of the error and then delete the original e-mail. The information contained within this e-mail may be solely the opinion of the sender and may not necessarily reflect the position, beliefs or opinions of Salmat on any issue. This email has been swept for the presence of computer viruses known to Salmat's anti-virus systems. For more information, visit our website at www.salmat.com.au. *************************************************************************************