database programming security - MySQL

  1. #1 database programming security

    Hello,

    This question has come up numerous times in my career, and I was
    hoping some of you out there might have some additional insight.
    Essentially, where should the username and password for a database be
    kept for an external program that accesses it?

    For example, let's say I have a compiled C or C++ program. Is it okay
    to put the username and password in a #define? What's a common
    solution for web apps that need to access a database?

    I have no good solution for the compile program. As for the web app,
    I've been using a password file kept out of the web server's root. I
    have no idea whether or not that is even remotely secure.

    I appreciate your input on this topic,
    Mick Charles Beaver

    myheartinamerica Guest

  2. #2 Re: database programming security

    >This question has come up numerous times in my career, and I was 

    It often turns out that there is no good answer, especially for
    a shared web server leased from a host.

    I got energetic and put an ENCRYPTED password in the program. But,
    the program has to be able to decrypt it. This protects against
    running strings(1) on the executable, but not much else. A breakpoint
    set on the call to mysql_connect(), or a tricked-up libmysqlclient,
    would reveal it.

    A password file kept out of the web server's document root is pretty
    good on a non-shared web server against web threats. Now, can
    people actually log in (not via web server) to that host? That's
    another threat. How about FTP?

    If it's a shared web server, you have the problem that other people's
    PHP (or Perl or Ruby or whatever) scripts can read the password
    just like your PHP scripts.

    Gordon Guest

  3. #3 Re: database programming security

    On May 15, 7:26 pm, org (Gordon Burditt) wrote: 
    >
    > It often turns out that there is no good answer, especially for
    > a shared web server leased from a host.

    >
    > I got energetic and put an ENCRYPTED password in the program. But,
    > the program has to be able to decrypt it. This protects against
    > running strings(1) on the executable, but not much else. A breakpoint
    > set on the call to mysql_connect(), or a tricked-up libmysqlclient,
    > would reveal it.

    >
    > A password file kept out of the web server's document root is pretty
    > good on a non-shared web server against web threats. Now, can
    > people actually log in (not via web server) to that host? That's
    > another threat. How about FTP?
    >
    > If it's a shared web server, you have the problem that other people's
    > PHP (or Perl or Ruby or whatever) scripts can read the password
    > just like your PHP scripts.

    Put your password in a secure place and do use encryption, and disable all
    the services that seem to be unused. Call your file from another
    directory that has your password and user in it.

    kwan Guest

  4. #4 Re: database programming security

    On 15 May 2007 17:51:54 -0700, kwan wrote:
    [..]
    >
    > Put your password in a secure place and do use encryption, and disable all
    > the services that seem to be unused. Call your file from another
    > directory that has your password and user in it.

    Additionally, make a whole lot of user IDs and passwords. Sort out
    privileges of those IDs according to reasonable function, and be as
    paranoid about it as you can be. There's no reason, for example, that
    a web script needs to READ a credit card number from a table. That can
    happen from a different process running elsewhere away from the web
    space, under an ID that does have authority to select from the table
    in question.

    --
    8. After I kidnap the beautiful princess, we will be married immediately in a
    quiet civil ceremony, not a lavish spectacle in three weeks' time during
    which the final phase of my plan will be carried out.
    --Peter Anspach's list of things to do as an Evil Overlord
    Peter Guest
