Securing your mySQL passwords
One of the biggest problems with shared servers and PHP (in my opinion) is how to secure your mySQL passwords.
If the server is poorly configured, all the other users on the server could gain access to your mySQL passwords with a simple CGI application (no, it's not enough to set open_basedir). But there is a way to make it a bit more secure: so secure that the hacker needs root access to find them, and if the hacker has root access you are doomed anyway. It requires that you have access to the Apache configuration, or some goodwill from your ISP.
Apache enables you to store environment variables using the SetEnv directive. Let's look at an example:
SetEnv mySQL_USER username
SetEnv mySQL_PASS somePassword
If you place this inside your vhost, the environment variables mySQL_USER and mySQL_PASS will be set to username and somePassword for all requests inside this vhost.
The variables will be available in the superglobal array $_SERVER:
echo $_SERVER['mySQL_USER']."<br />\n";
echo $_SERVER['mySQL_PASS']."<br />\n";
But everything has a downside, and this method does too. Let's say the phpinfo() function is called in one of your scripts: this will print the whole $_SERVER array, including your mySQL passwords.
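To check a code base for the downside described above, here is an added example (not part of the original post) in Python that flags PHP code which would print the SetEnv credentials. The names find_leaks, strip_comments and RULES, and the list of dump functions, are assumptions of this example, and the matching is a regex heuristic, not a PHP parser.

```python
import re

# Patterns for PHP code that would print the credentials set with SetEnv.
# The function list is this example's assumption; extend it for your code base.
RULES = [
    ("phpinfo() prints all of $_SERVER",
     re.compile(r"\bphpinfo\s*\(", re.I)),
    ("dump of a whole superglobal",
     re.compile(r"\b(?:print_r|var_dump|var_export)\s*\(\s*\$(?:_SERVER|GLOBALS)\b(?!\s*\[)", re.I)),
    ("credential variable written to output",
     re.compile(r"\b(?:echo|print)\b[^;]*\$_SERVER\s*\[\s*['\"]mySQL_(?:USER|PASS)['\"]")),
]

# String literals are matched first so that "//" or "#" inside them is not
# mistaken for a comment; comments are then blanked, keeping line numbers.
TOKEN = re.compile(
    r"'(?:\\.|[^'\\])*'|\"(?:\\.|[^\"\\])*\"|/\*.*?\*/|(?://|#(?!\[))[^\n]*",
    re.S)

def strip_comments(src):
    def repl(m):
        text = m.group(0)
        return text if text[0] in "'\"" else "\n" * text.count("\n")
    return TOKEN.sub(repl, src)

def find_leaks(src):
    """Return sorted (line_number, reason) pairs for one PHP source string."""
    code = strip_comments(src)
    hits = []
    for reason, pattern in RULES:
        for m in pattern.finditer(code):
            hits.append((code.count("\n", 0, m.start()) + 1, reason))
    return sorted(hits)

# Constructed sample input, not taken from a real application.
SAMPLE = '''<?php
// phpinfo(); was removed from this page
$db = mysqli_connect('localhost', $_SERVER['mySQL_USER'], $_SERVER['mySQL_PASS']);
$home = "http://example.com/"; if (isset($_GET['debug'])) { phpinfo(); }
/* var_dump($_SERVER); */
print_r($_SERVER);
echo $_SERVER['mySQL_PASS']."<br />\\n";
echo $_SERVER['REQUEST_URI'];
'''

if __name__ == "__main__":
    for line, reason in find_leaks(SAMPLE):
        print(f"line {line}: {reason}")
```

Passing the credentials to the connect call (line 3 of the sample) is not reported; only code that would send them to the page is.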