Re: Using encrypted passwords

symbulos partners wrote:
> Dear friends,
>
> is it possible to use encrypted passwords in php files, for connecting to a
> database?
>
> We do not like too much the idea of the password being in clear text.
>
> Example
> $link = mysql_connect('localhost', 'mysql_user', 'mysql_password');
>
> 'mysql_password' should be encrypted

What do you think you gain by having the password encrypted there?

Please take us, step by step, through the algorithm by which this stops a
Bad Guy.

Because, basically, it would *NOT* do any good at all to encrypt it there.

In other words:
If the PHP script can 'read' that password to connect, and the Bad Guy can
read that password to connect, then what format that password is in is
irrelevant.

Whether your password looks like 'password' or
'DEE834KRMF88733JJFDYF6DE6WEY34FJVUEY7347' I can still copy and paste it
into my PHP script or command line and connect to MySQL, once I get to
that point.

If it bothers you that the password is there, then you need to make damn
sure the Bad Guys can't *read* that password.

If you can't reassure yourself of that, consider some other authentication
method or some other method of storing the password that you can protect.

Encrypting a string is not a magic bullet that makes it "Secure".

You're not looking at the Big Picture of how you can be attacked -- or at
least not understanding how this piece of the puzzle fits in, or you would
already know that encrypting the string here won't do anything useful.

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
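One way to act on the reply's advice to keep the password where others cannot read it, as an added example that is not part of the original post: a loader that refuses a credentials file if it sits under the document root or is readable by group or others. The function name, INI keys and paths are hypothetical, and POSIX file permissions are assumed.

```php
<?php
declare(strict_types=1);

// Added example. Function name, INI keys and paths are hypothetical; assumes POSIX permissions.
function load_db_credentials(string $path, string $docRoot): array
{
    $real = realpath($path);
    $root = realpath($docRoot);
    if ($real === false || $root === false) {
        throw new RuntimeException('credentials file or document root not found');
    }
    // A server that ever serves PHP source or static files must not reach this file.
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) === 0) {
        throw new RuntimeException('credentials file is inside the document root');
    }
    // Owner-only access: no group or other bits, so other local accounts cannot read it.
    $perms = fileperms($real);
    if ($perms === false || ($perms & 0077) !== 0) {
        throw new RuntimeException('credentials file is readable by group or others');
    }
    $cfg = parse_ini_file($real, false, INI_SCANNER_RAW);
    if ($cfg === false || !isset($cfg['host'], $cfg['user'], $cfg['pass'])) {
        throw new RuntimeException('credentials file is missing host, user or pass');
    }
    return $cfg;
}

// Constructed demo: a temporary directory stands in for the real layout.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dbcred_demo_' . getmypid();
mkdir($base . '/htdocs', 0700, true);
$ini = $base . '/db.ini';   // sibling of the document root, not under it
file_put_contents($ini, "host = localhost\nuser = mysql_user\npass = mysql_password\n");

chmod($ini, 0644);          // weak: world-readable
try {
    load_db_credentials($ini, $base . '/htdocs');
} catch (RuntimeException $e) {
    echo "refused: {$e->getMessage()}\n";
}

chmod($ini, 0600);          // corrected: owner only
clearstatcache();           // fileperms() results are cached per path
$cfg = load_db_credentials($ini, $base . '/htdocs');
echo "loaded credentials for {$cfg['user']}@{$cfg['host']}\n";
// $cfg would then go to mysqli or PDO in place of the literals in the connect call.

unlink($ini);
rmdir($base . '/htdocs');
rmdir($base);
```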

