Re: Securing PHP scripts - Mailing list pgsql-php

From Cody Phanekham
Subject Re: Securing PHP scripts
Date
Msg-id D4E7ED5EA9163C4089B0D9FF73B1FC4B6450C6@sydmxs04.salmat.com.au
Whole thread Raw
In response to Securing PHP scripts  ("Cody Phanekham" <Cody.Phanekham@salmat.com.au>)
Responses Re: Securing PHP scripts
Re: Securing PHP scripts
Re: Securing PHP scripts
Re: Securing PHP scripts
List pgsql-php
I should of mentioned that the server is a dedicated PHP / PostgreSQL server, therefore no other user would have access
toit. 

My only concern is *if* the server gets compromised, then the attacker would have access to the DB without too much
effort.

> -----Original Message-----
> From: brew@theMode.com [mailto:brew@theMode.com]
> Sent: Tuesday, 19 August 2003 12:55
> To: pgsql-php@postgresql.org
> Subject: Re: [PHP] Securing PHP scripts
>
>
>
> Cody.....
>
> > Now to connect to the DB via PHP, I have the password hard
> coded (which is in clear text).
> >
> > Here is my question: Is there a way around storing the
> password in clear text?
>
> But no user can ever read that clear text, right?  They
> should only get
> the PHP script output which normally wouldn't contain the
> user name and
> password.....
>
> There can be a danger of other users on the machine being able see the
> clear text password if it's a shared machine and if they are
> able to read
> the script, though!
>
> Of course that didn't answer your question...... maybe
> somebody else knows
> a way around storing it in clear text.
>
> BTW, for the best security you should be sure and run PHP with
> register_globals off in the php.ini config file, read about it at
>
> http://us4.php.net/register_globals
>
> Sorry if I'm telling you a bunch of stuff you already know
> anyway.......
>
> brew
>
>
>
>
>
>
> ---------------------------(end of
> broadcast)---------------------------
> TIP 2: you can get off all lists at once with the unregister command
>     (send "unregister YourEmailAddressHere" to
> majordomo@postgresql.org)
>


*************************************************************************************
This e-mail, including any attachments to it, may contain confidential and/or personal information.
If you have received this e-mail in error, you must not copy, distribute, or disclose it, use or take any action
based on the information contained within it.

Please notify the sender immediately by return e-mail of the error and then delete the original e-mail.

The information contained within this e-mail may be solely the opinion of the sender and may not necessarily
reflect the position, beliefs or opinions of Salmat on any issue.

This email has been swept for the presence of computer viruses known to Salmat's anti-virus systems.

For more information, visit our website at  www.salmat.com.au.
*************************************************************************************


pgsql-php by date:

Previous
From: "Luke Woollard"
Date:
Subject: Re: Securing PHP scripts
Next
From: Gerd Terlutter
Date:
Subject: Re: Authentication Failure with pg_pconnect