Re: How can I secure database passwords used by PHP webpages

Rob Tanner wrote:
> We're a four year college.  Some maintainers are faculty, some are
> staff and some are work-study (students) and centrally we have little
> say over who can and can't.

You can put super crucial username/passwords into httpd.conf or
root-readable files that get included into httpd.conf.

Other than that, the basic rule to remember is:
If PHP can read the password, so can anybody with a login.

If that's not acceptable for that password, you have very few options:

Move it to httpd.conf
Get rid of that user

Maybe you need to re-structure your server and its access levels to
reflect reality.

You probably trust faculty/staff more than students in terms of
intentional abuse.

Though naivete and ignorance might go the other way 'round. :-)

You *could* run two pools of Apache servers, with two different configs,
and two different PHP users, and give different User/Group settings in the
two different httpd.conf files to separate your faculty/staff from your
students.

Though it might be cheaper to just buy a stock Linux box and move all the
students to that box -- where you simply accept the fact that students are
going to mess it up more than the faculty/staff box.

At any rate, the problem is simply not solvable by PHP, and, when you get
right down to it, not even in the PHP realm.

Whatever trust level you have or don't have, the database passwords being
readable by untrusted users who have logins is lower on the problem stack
than a zillion other nasty things they can do if they have a login and you
don't trust them.

Fixing the passwords may well have looked like the easiest one to tackle,
but it's not that easy at all, and you won't improve your general security
health level even if it *was* something easy to fix, as the perpetrators
would simply turn aside from db access and do more... interesting...
things with their logins.

PS Finding a perpetrator and penalizing them harshly and publicly may wake
up some students to the risks of what they are doing.  Or not...  Worth
considering.

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
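As an added example (not code from the original post), this is one way to do what the reply describes: keep the credential in a root-readable file that httpd.conf includes, so no ordinary login can read it. The file paths, directory name and variable names are assumptions.

```apache
# --- /etc/httpd/conf/httpd.conf (assumed path) ---
# httpd reads its configuration as root at startup, before switching to the
# unprivileged User/Group below, so the included file can be root-only.
User apache
Group apache

# Keep the credential outside DocumentRoot and out of any maintainer-writable
# directory. Never in .htaccess: that is readable by whoever can read the scripts.
Include /etc/httpd/conf/db-credentials.conf

# --- /etc/httpd/conf/db-credentials.conf (assumed path) ---
# Owned root:root, mode 0600, so shell logins cannot open it while httpd can.
# Scoping SetEnv to one directory means only scripts served from there receive
# the value (PHP sees it as $_SERVER['DB_PASSWORD']); other document trees do not.
<Directory "/var/www/trusted-app">
    SetEnv DB_USER     app_user
    SetEnv DB_PASSWORD CHANGE-ME-placeholder
</Directory>
```

Every script served from that directory (and phpinfo()) can still read the value, which is the reply's point: the file protects against shell logins, not against other scripts running in the same Apache pool, so the per-trust-level pools mentioned above are what actually limit exposure.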