[snip] Some functions need you to provide username and password, for instance odbc_connect. Even though the username/password just has minimum access privileges to the resource, putting it there in clear text in a script gives me heartburn. How do people handle username/password in such kind of cases? I'm sure there must be some way to store critical information in some encrypted format but it's still readable to scripts for authentication purpose. But don't know how. Any ideas or pointer would be greatly appreciated. [/snip] Some time ago Chris Shifflet provided a nice suggestion on how to make your passwords more secure. It's still not rock solid, but far better than storing them in clear text. The methodology I present below (which Chris presented originally) assumes Apache as your web server. Though I've recently gotten into IIS administration I'm not sure of how you would specifically do this under IIS. Create a file outside of your webroot, and in it use SetEnv declarations to set a username and password as environment vars. SetEnv dbname username SetEnv dbpass password Chown this file such that it is only readable by root, and then (assuming you're on a shared host) have it included in your virtual host block of the server config file. If you're on a dedicated box include it in the configuration section for the site in question. Then when the server is restarted you will be able to access the username and password via $_SERVER['dbuser'] and $_SERVER['dbpass'] in your scripts. As the first response to your post, not exactly what you were looking for, but much more secure than plain text or even simple include files. HTH. Cheers, Pablo -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
