Does the CGI-script need to be world-readable, or just world-executable?
All my perl CGI scripts are set up that way, so while anyone can run it,
only I can read the source code....
----- Original Message -----
From: "Benjamin Pflugmann" <[EMAIL PROTECTED]>
To: "Brent Bailey" <[EMAIL PROTECTED]>
Cc: "Octavian Rasnita" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Thursday, December 26, 2002 9:38 AM
Subject: Re: Hiding the password
> Hello.
>
> On Thu 2002-12-26 at 09:26:09 -0500, [EMAIL PROTECTED]
wrote:
> > i would try using php to have you page connect to the mysql database..
The code gets parsed
> > first then is loaded into the browser...so the user & pass for the
database is never seen.. i
> > would use something like:
> >
> > $db = mysql_connect("localhost", "mysql-user", "mysql-user-password");
> > mysql_select_db("whatever-database-name",$db);
>
> Huh? How does this differ from the original problem with Perl? The
> script has to be world-readable in order to allow the web server
> account to read it in[1] and therefore anyone with shell access or access
> to write CGI scripts can read it.
>
> Bye,
>
> Benjamin
>
>
> [1] in the scenary presented by the original poster.
>
>
> [...]
> > > On Wed 2002-12-25 at 13:15:58 +0200, [EMAIL PROTECTED] wrote:
> > > > Hi all,
> > > >
> > > > I want to make a CGI program in Perl that queries a MySQL database,
and the
> > > > problem is that I need to write the password for the database in the
program
> > > > and this password can be seen by any user that has an account on
that
> > > > server.
> > > >
> > > > I need to gave 755 permissions to CGI scripts because they need to
be
> > > > executed by the web server account, and not by my account.
> > > >
> > > > Do you have any tips for hiding the password,
> > >
> > > Not really. Whereever you put it, the web server account has be able
> > > to access it, so the problem stays. Even if you could arrange that
> > > only the web server account can read it (e.g. by changing the owner of
> > > a file containing the password), every user with permission to create
> > > CGI scripts can still write a script to read the data.
> [...]
>
> --
> [EMAIL PROTECTED]
>
> ---------------------------------------------------------------------
> Before posting, please check:
> http://www.mysql.com/manual.php (the manual)
> http://lists.mysql.com/ (the list archive)
>
> To request this thread, e-mail <[EMAIL PROTECTED]>
> To unsubscribe, e-mail
<[EMAIL PROTECTED]>
> Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
---------------------------------------------------------------------
Before posting, please check:
http://www.mysql.com/manual.php (the manual)
http://lists.mysql.com/ (the list archive)
To request this thread, e-mail <[EMAIL PROTECTED]>
To unsubscribe, e-mail <[EMAIL PROTECTED]>
Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
