> The original question was concerning that if someone somehow had access to
> the file which stored the connections details then they would be able to
> use it to connect to the mysql server. Now if someone somehow had access
> to your key then it's game over for you. Unless you password protected
> your key which -- would be extremely impractical.

Well, considering that ultimate security is arguably impossible, one needs to ride a fine line between impractical and safe. You have a good point though, in that PHP has to have access to the private key in order to encrypt the information, and we're already assuming the php script lives in an insecure environment, so in that case, it's no more secure than the original plaintext solution.

The developer needs to set up a situation where the connection details are secured and only the php process can access them even if the php script itself is compromised. This is tough as if someone compromises the script contents itself, they could very likely have access to change it, and therefore have access to the php process as well.

I think about as safe as you can get is by putting the connection data out of the served directory, somewhere that's not directly accessible, and concentrate on system integrity. (security wise) This of course was the suggestion of several others initially.

-Micah

--
PHP Database Mailing List (http://www.php.net/)
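Added example, not part of the original post: one way to enforce the "out of the served directory" advice at load time, by refusing a credentials file that sits under the document root or is readable by other local users. The function name `load_db_config`, the INI key names and the demo paths are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical loader (added example): returns the connection details only if
// the file is outside the served directory and private to its owner.
function load_db_config(string $configPath, string $docRoot): array
{
    $real = realpath($configPath);
    $root = realpath($docRoot);
    if ($real === false || $root === false) {
        throw new RuntimeException('config file or document root not found');
    }
    // Anything under the document root could be served as plain text if the
    // PHP handler is ever misconfigured, so refuse it outright.
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) === 0) {
        throw new RuntimeException('config file is inside the served directory');
    }
    // POSIX permission bits: no access for group or other (0600 or 0400).
    $perms = fileperms($real);
    if ($perms === false || ($perms & 0077) !== 0) {
        throw new RuntimeException('config file is accessible to group/other');
    }
    // INI_SCANNER_RAW keeps values literal (no "on"/"null" conversion).
    $cfg = parse_ini_file($real, false, INI_SCANNER_RAW);
    if ($cfg === false) {
        throw new RuntimeException('config file is not valid INI');
    }
    foreach (['host', 'user', 'password', 'dbname'] as $key) {
        if (!isset($cfg[$key])) {
            throw new RuntimeException("missing key: $key");
        }
    }
    return $cfg;
}

// Demo on constructed data when run from the command line.
if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    $base = sys_get_temp_dir() . '/dbcfg_demo_' . getmypid();
    mkdir("$base/htdocs", 0700, true);          // stand-in for the docroot
    $ini = "host=localhost\nuser=app\npassword=example-only\ndbname=shop\n";
    file_put_contents("$base/db.ini", $ini);    // constructed sample values
    chmod("$base/db.ini", 0600);
    $cfg = load_db_config("$base/db.ini", "$base/htdocs");
    echo "loaded config for user {$cfg['user']}\n";
}
```

This covers accidental serving of the file and reads by other local accounts; as the post says, it does not help once someone can change the script or run code as the PHP process.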