-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Le Jeudi 12 Juin 2003 16:31, Sallee, Helen a écrit :
> Hi, I'm new to PHP and need to know how I can completely hide Oracle
> database password used in OCILogon call. Since all .php pages can be read
> by www user, if the userid and password are coded in the .php page, they
> anyone can fopen this file and view the contents (right?) - this presents a
> security problem. So how can I have a database connection which is secure?
> Or am I missing something in here? The code below is what I have.
>
> <?php
> putenv("TWO_TASK=ORCL2");
> putenv("ORACLE_HOME=/u01/home/oracle/product/9.2.0");
> $conn = OCILogon("USER1","USER1PASS");
> $query = OCIParse($conn,"select * from state");
> OCIExecute($query);
> ?>
>
> Thank you
Just put the good permission and uid/gid ton your script for solve your
problem.
for example php un suexec/cgi mode with apache patched for suexec, User toto
group users, with a 705 chmod... You can also more secure the environnement
with a kernel patche like grsecurity and access lists.
friendly,
- --
Christophe Casalegno | Digital Network | UIN : 153305055
http://www.digital-network.net | http://www.speed-connect.com
http://www.securite-reseaux.com | http://www.dnsi.info
Security engineer network/systems | Intrusion tests specialist.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQE+6IzU0mOixX2DR8IRAnGHAJ47Dk50xAzeoTn7CxH31FpHvUC3xgCeMXqB
KAcM5gm3dvq/9l2Y6Iss3UI=
=fiK4
-----END PGP SIGNATURE-----
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
