Hi All,

Thanks for all the answers received :-)

I understand now that, if someone can read the md5 hash, he/she can connect. I will check the certificate stuff later.

What I will do for the time being will be to:

- move the php connection file out of the web root
- change the privileges so that only root can read it
- pass the phpsec security guide to the php developers :-)

Simon, I read your post regarding the use of a C program and I would be interested in having some more details, as we started thinking about implementing something similar.

Our idea is to 'obfuscate' the password in some way and then process the value to get back to the plain text password. E.g. let's assume our password is 'cabernet'. We could e.g. encrypt the password in some way (using a two-way algorithm) so that the resulting output can't be directly used to connect to Oracle. If F is the encryption function we compute:

F(cabernet) = tenrebac

(in this case F is the reverse string function)

In order to perform the connection to Oracle, the php code would then apply the reverse function.

If someone 'steals' the connection file, he can't use the password unless he reverse engineers the code as well, to find out what the function F is.

We could get an extra bit of security by encoding the reverse F function in a compiled C program.

This is not secure at all, since getting hold of the code gives the secret key as well, but it's (probably) the best we can do.

Thanks again for all the interesting answers :-)

Have a nice day all,

Gaël

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
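
The first two steps of the plan above (connection file outside the web root, readable only by its owner) can be checked with a small shell audit. This is an added example, not part of the original message; the function name `check_cred_file`, the file name `connect.inc` and the directory layout are assumptions constructed for illustration.

```shell
# check_cred_file FILE WEBROOT [OWNER_UID]
# Returns 0 when FILE is a regular file outside WEBROOT, owned by OWNER_UID
# (default 0 = root) and has no group/other permission bits; 1 otherwise.
# Note: the process that opens the file must run as that owner to read it.
check_cred_file() {
    file=$1 webroot=$2 want_uid=${3:-0} rc=0

    if [ ! -f "$file" ] || [ -L "$file" ]; then
        echo "FAIL: $file is not a regular file (missing or symlink)"
        return 1
    fi
    [ -d "$webroot" ] || { echo "FAIL: web root $webroot not found"; return 1; }

    # Resolve symlinked directories so a path that leads into the web root
    # through a link is still caught.
    real_file=$(cd "$(dirname "$file")" && pwd -P)/$(basename "$file")
    real_root=$(cd "$webroot" && pwd -P)
    case $real_file in
        "$real_root"/*) echo "FAIL: $real_file is inside web root"; rc=1 ;;
    esac

    # Numeric owner is the third field of ls -n; no name lookup needed.
    owner_uid=$(ls -ldn "$file" | awk '{print $3}')
    [ "$owner_uid" = "$want_uid" ] ||
        { echo "FAIL: owner uid $owner_uid, expected $want_uid"; rc=1; }

    # Any of the six group/other bits gives access to someone else.
    loose=$(find "$file" -prune \( -perm -040 -o -perm -020 -o -perm -010 \
                                 -o -perm -004 -o -perm -002 -o -perm -001 \))
    [ -z "$loose" ] || { echo "FAIL: group/other permissions set on $file"; rc=1; }

    [ "$rc" -eq 0 ] && echo "OK: $file"
    return "$rc"
}

# Constructed demo layout: one file left in the web root, one moved out.
demo=$(mktemp -d)
mkdir "$demo/htdocs" "$demo/private"
echo 'constructed placeholder' > "$demo/htdocs/connect.inc"
echo 'constructed placeholder' > "$demo/private/connect.inc"
chmod 644 "$demo/htdocs/connect.inc"
chmod 600 "$demo/private/connect.inc"
check_cred_file "$demo/htdocs/connect.inc"  "$demo/htdocs" "$(id -u)" || true
check_cred_file "$demo/private/connect.inc" "$demo/htdocs" "$(id -u)" || true
rm -rf "$demo"
```

The demo passes the current user's uid so it runs without root; on a real host, omit the third argument to require root ownership as in the plan.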