473,322 Members | 1,352 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,322 software developers and data experts.

How to avoid exposing connectstring?



I'm using a MySQL database from within some Perl and PHP cgi's.
To make the connection, I have to supply the username/password
in the connection string. This info is readable for anyone that
can view my code, e.g. all other users that can access the
webserver box directly. This because the cgi-program has to be
readable for the user that's used by Apache.

How can I avoid this? I can't have my own webserver, regrettably,
other developers have access to this machine. Is there perhaps an
Apache option that I can use to avoid public exposure of the
connectstring?

I have set up the database server so it only accepts connections
from the webserver box, but that doesn't help with the above
problem.

Any pointers?

James

Jul 17 '05 #1
4 1984
James Henson wrote:

I'm using a MySQL database from within some Perl and PHP cgi's.
To make the connection, I have to supply the username/password
in the connection string. This info is readable for anyone that
can view my code, e.g. all other users that can access the
webserver box directly. This because the cgi-program has to be
readable for the user that's used by Apache.

How can I avoid this? I can't have my own webserver, regrettably,
other developers have access to this machine. Is there perhaps an
Apache option that I can use to avoid public exposure of the
connectstring?

I have set up the database server so it only accepts connections
from the webserver box, but that doesn't help with the above
problem.

Any pointers?


In httpd.conf, add this in your VirtualHost directive...

SetEnv SQL_HOST=localhost
SetEnv SQL_PASS=password
SetEnv SQL_USER=user

Then, make sure httpd.conf is chmod 600 and chown root.root

Now, in your scripts, access these variables via
<?php
$host=$_SERVER['SQL_HOST'];
$user=$_SERVER['SQL_USER'];
$pass=$_SERVER['SQL_PASS'];
?>

I'm not sure how to go about it in perl, but it will likely be an
environment variable.

If the host won't chmod and chown httpd.conf, you have create a separate
file with the parameters in it, chmod 600, chown root.root that file
instead, and use an include in the VirtualHost directive.

Since it is in your VirtualHost directive, it is only valid for requests
to your domain name, and only the root user will be able to read the
file with the user and password.

--
Justin Koivisto - sp**@koivi.com
PHP POSTERS: Please use comp.lang.php for PHP related questions,
alt.php* groups are not recommended.

Jul 17 '05 #2
James Henson wrote:

I'm using a MySQL database from within some Perl and PHP cgi's.
To make the connection, I have to supply the username/password
in the connection string. This info is readable for anyone that
can view my code, e.g. all other users that can access the
webserver box directly. This because the cgi-program has to be
readable for the user that's used by Apache.

How can I avoid this? I can't have my own webserver, regrettably,
other developers have access to this machine. Is there perhaps an
Apache option that I can use to avoid public exposure of the
connectstring?

I have set up the database server so it only accepts connections
from the webserver box, but that doesn't help with the above
problem.


I really don't think this is possible. It's easy to protect such things
from external (ie web) users, but anyone who has access to a prompt and
enough rights to read any files the webserver can will be able to read
your file.

Why don't you trust your (I assume) colleagues? Someone must have the
root password and full access to the box so there's nowhere to hide.

Jul 17 '05 #3
Kevin Thorpe wrote:
Why don't you trust your (I assume) colleagues? Someone must have the
root password and full access to the box so there's nowhere to hide.


The application gets installed on a customers server. As there are
several other vendors apps at this server, I try to minimize
potential mishaps. It won't be the first time I lose a database
because of 'curious' developers. I'm not worried about the admin,
because she is employed by the customer (not third-party).

As someone said:
"Trust your neighbour, but don't forget to lock your door."

James

Jul 17 '05 #4
On Fri, 31 Oct 2003 16:08:16 +0100, James Henson wrote:
...snip... other developers have access to this machine. Is there
perhaps an Apache option that I can use to avoid public exposure of the
connectstring? ...snip...

James


Others have addressed the tech already, so I'll not.

Sounds as if you need to have a direct talk with some of your fellow
developers. Speak to your admin first, and see if that works. I had
similar issues in the last web shop I was at --- noobs who ended up
playing in my files and databases so they could "learn". Unfortunately,
It took them trashing a finished customer site before my boss opened her
ears. Fortunately, I had everything, including the database, copied safely
into some non-accessible directories on my development machine.

So backup, talk to your boss, then, if necessary, talk to the children.

Luck,
Chuck Kinney
Jul 17 '05 #5

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

2
by: Bo Brunsgaard | last post by:
I have a problem trying to run SQL*Loader after migrating to Oracle 9. It used to run with no hicups on Oracle 8i, and I'm at my wits' end. Any help? I'm trying to run SQL*Loader from a command...
4
by: Peter Hemmingsen | last post by:
Hi, I have a dotnet object (implemented in mc++ and used in c#) which have a property called "Info". The Info property is also a dotnet object (implemented in mc++). In the constructor of the...
8
by: Dave A | last post by:
I have a class called 'PrimaryKey' that represents the primary key of a table. PrimaryKeys can only be created and the class only implements .ToString(). The PrimaryKey class internally stores...
44
by: shuisheng | last post by:
Dear All, Assume there are three classes where CA has members of class CA1 and CA2 as follows. To make the public functions of CA1 and CA2 can work on the members a1 and a2 in a CA object, I...
2
by: Neil Cerutti | last post by:
I'm using doctest for the first time, and boy is it cool. But I'm nervous about exposing library internals in the docstring. def glk_cancel_char_event(win): """ Cancel a pending request for...
4
by: =?Utf-8?B?QkogU2FmZGll?= | last post by:
We have a class that has a public property that is of type List<T>. FXCop generates a DoNotExposeGenericLists error, indicating "System.Collections.Generic.List<Tis a generic collection designed...
4
by: =?Utf-8?B?Y2hyaXNjYXA=?= | last post by:
I tried searching the forums for this already and didn't find anything. I want to expose functionality from a vb6 COM component via a WCF service. I am trying to evaluate if exposing this...
1
by: bantunks | last post by:
Hello, I am trying to figure out the advantages and disadvantages of exposing interfaces through Opaque data types in C. I have figured/found out the following two advantages 1. Higher level of...
0
by: rehman | last post by:
Hi, I added reference to COM Component Microsoft ADO Ext. 2.8 for DDL and Security which added a wrapper DLL Interop.ADOX.dll in project references in a web application to create MS Access...
0
by: DolphinDB | last post by:
Tired of spending countless mintues downsampling your data? Look no further! In this article, you’ll learn how to efficiently downsample 6.48 billion high-frequency records to 61 million...
0
by: ryjfgjl | last post by:
ExcelToDatabase: batch import excel into database automatically...
0
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, we are pleased to welcome back...
1
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, we are pleased to welcome back...
0
by: Vimpel783 | last post by:
Hello! Guys, I found this code on the Internet, but I need to modify it a little. It works well, the problem is this: Data is sent from only one cell, in this case B5, but it is necessary that data...
0
by: ArrayDB | last post by:
The error message I've encountered is; ERROR:root:Error generating model response: exception: access violation writing 0x0000000000005140, which seems to be indicative of an access violation...
1
by: Shællîpôpï 09 | last post by:
If u are using a keypad phone, how do u turn on JavaScript, to access features like WhatsApp, Facebook, Instagram....
0
by: Faith0G | last post by:
I am starting a new it consulting business and it's been a while since I setup a new website. Is wordpress still the best web based software for hosting a 5 page website? The webpages will be...
0
isladogs
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 3 Apr 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome former...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.