Hi All,

Thanks for all the answers received :-)

I understand now that, if someone can read the md5
hash, he/she can connect.

I will check later the certificate stuff. What I will
do for time being will be to:
- move the php connection file out of the web root
- change the privileges so that only root can read it
- pass the phpsec security guide to the php developers

Simon, I read your post regarding the use of a C
program and I would be interested in having some more
details as we started thinking about implementing
something similar.
Our idea is to 'obfuscate' the password in some way
and then process the value to get back to the plain
text password.
E.g. let's assume our password is 'cabernet'. We could
e.g. encrypt the password in some way (using a two-way
algorithm) so that the resulting
output can't be directly used to connect to Oracle. If
F is the encryption function we compute:
F(cabernet) = tenrebac
(in this case F is the reverse string function)

In order to perform the connection to Oracle, the php
code would then apply the reverse function.
If someone 'steals' the connection file, he can't use
the password unless he reverse engineers the code as
well, to find out what the function F is.
We could get an extra bit of security by encoding the
reverse F function in a compiled C program.
This is not secure at all, since getting hold of the
code gives the secret key as well, but it's (probably)
the best we can do.

Thanks again for all the interesting answers :-)

Have a nice day all,

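As an added illustration of the two file-handling steps above (moving the connection file out of the web root and restricting who can read it), here is a small loader in PHP. It is example code written for this page, not code from the original post or from any PHP or Oracle project, and it assumes a hypothetical layout: the web root is /var/www/html, the credentials live in /etc/myapp/db.conf.php, and that file is owned by and readable only by the account the PHP interpreter runs as (mode 0400). The loader refuses to use a credentials file that is still under the document root or that group/other can read, so a permissions regression shows up as a logged error rather than a silently exposed password.

```php
<?php
// Added example, not part of the original post. Assumed layout (hypothetical):
//   /var/www/html/           <- document root served by the web server
//   /etc/myapp/db.conf.php   <- outside the web root, mode 0400, owned by the
//                               account PHP runs as
// Constructed sample contents of /etc/myapp/db.conf.php (it only returns an
// array and never echoes anything, so it cannot leak via the web server):
//   <?php return ['user' => 'app', 'pass' => 'cabernet', 'dsn' => 'oci:dbname=ORCL'];

function load_db_config(string $path): array
{
    $real = realpath($path);
    if ($real === false) {
        throw new RuntimeException('DB config not found');
    }

    // Refuse a config that still lives under the document root.
    $docroot = realpath($_SERVER['DOCUMENT_ROOT'] ?? '/var/www/html');
    if ($docroot !== false && strpos($real, $docroot . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException('DB config must live outside the web root');
    }

    // Refuse a config that group or others can read (any of the 0077 bits set).
    $perms = fileperms($real);
    if ($perms === false || ($perms & 0077) !== 0) {
        throw new RuntimeException('DB config is readable by group/other');
    }

    // The file returns an array; validate the keys we depend on.
    $cfg = include $real;
    if (!is_array($cfg)) {
        throw new RuntimeException('DB config did not return an array');
    }
    foreach (['user', 'pass', 'dsn'] as $key) {
        if (!isset($cfg[$key]) || !is_string($cfg[$key])) {
            throw new RuntimeException("DB config missing '$key'");
        }
    }
    return $cfg;
}

// Usage from a script under the web root:
try {
    $cfg = load_db_config('/etc/myapp/db.conf.php');
    $pdo = new PDO($cfg['dsn'], $cfg['user'], $cfg['pass']);
    unset($cfg); // drop the credentials from scope once connected
} catch (RuntimeException $e) {
    // Log, never echo: the message may contain filesystem paths.
    error_log($e->getMessage());
    http_response_code(500);
    exit;
}
```

The checks run on every request and cost one realpath() and one stat(); the point is that the web code treats "credentials file in the wrong place or too open" as a hard failure instead of something that is only noticed in an audit.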

PHP Database Mailing List (http://www.php.net/)