James Henson wrote:
I'm using a MySQL database from within some Perl and PHP cgi's.
To make the connection, I have to supply the username/password
in the connection string. This info is readable for anyone that
can view my code, e.g. all other users that can access the
webserver box directly. This because the cgi-program has to be
readable for the user that's used by Apache.
How can I avoid this? I can't have my own webserver, regrettably,
other developers have access to this machine. Is there perhaps an
Apache option that I can use to avoid public exposure of the
connectstring?
I have set up the database server so it only accepts connections
from the webserver box, but that doesn't help with the above
problem.
Any pointers?
In httpd.conf, add this in your VirtualHost directive...
SetEnv SQL_HOST=localhost
SetEnv SQL_PASS=password
SetEnv SQL_USER=user
Then, make sure httpd.conf is chmod 600 and chown root.root
Now, in your scripts, access these variables via
<?php
$host=$_SERVER['SQL_HOST'];
$user=$_SERVER['SQL_USER'];
$pass=$_SERVER['SQL_PASS'];
?>
I'm not sure how to go about it in perl, but it will likely be an
environment variable.
If the host won't chmod and chown httpd.conf, you have create a separate
file with the parameters in it, chmod 600, chown root.root that file
instead, and use an include in the VirtualHost directive.
Since it is in your VirtualHost directive, it is only valid for requests
to your domain name, and only the root user will be able to read the
file with the user and password.
--
Justin Koivisto -
sp**@koivi.com
PHP POSTERS: Please use comp.lang.php for PHP related questions,
alt.php* groups are not recommended.