Stut wrote:
> Roberto Mansfield wrote:
>> Bastien Koert wrote:
>>> store your password/access credentials outside the web root and use php
>>> to read the data in.
>>
>> This is good for web attacks, but I'm thinking of an account break in
>> where someone is accessing files directly on the server.
>
> I suggest you think about this for a second before you start designing
> with a really pointless obfuscation system. Say someone is accessing
> files directly on the server... if they can get at the file that
> contains the password then they can also get at the PHP code that will
> de-obfuscate it. Spend your time locking the doors rather than putting
> 5-minute obstacles in the path.

Yes, I have thought about this. We've spent time locking the doors. There are many layers in place. As I said, this is not the only type of security being considered. But if a new exploit comes out and someone does gain unauthorized access to the file system, I'd rather not hand them a plaintext password.

So is anyone doing anything to protect plain text passwords in the filesystem?

Thanks,
Roberto

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
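
The suggestion quoted at the top of this message (credentials stored outside the web root and read in by PHP), as an added example that is not part of the thread: a loader that refuses a credential file located under the web root or accessible beyond its owner and group. The function name, file names, INI keys and the permission policy are assumptions, and POSIX file modes are assumed.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not from the thread): load DB credentials from an INI file.
function load_db_credentials(string $path, string $docRoot): array
{
    $real = realpath($path);
    if ($real === false || !is_file($real)) {
        throw new RuntimeException('credential file not found');
    }
    // Refuse a file the web server could serve directly.
    $root = realpath($docRoot);
    if ($root !== false && strpos($real, rtrim($root, '/') . '/') === 0) {
        throw new RuntimeException('credential file is inside the web root');
    }
    // Assumed policy: no group write, no access at all for "other" (0600 or 0640 pass).
    $mode = fileperms($real) & 0777;
    if (($mode & 0027) !== 0) {
        throw new RuntimeException(sprintf('credential file mode %04o is too permissive', $mode));
    }
    // RAW mode keeps password characters from being interpreted by the INI parser.
    $cfg = parse_ini_file($real, false, INI_SCANNER_RAW);
    if ($cfg === false) {
        throw new RuntimeException('credential file is not valid INI');
    }
    foreach (['host', 'user', 'password'] as $key) {
        if (!isset($cfg[$key])) {
            throw new RuntimeException("missing key: $key");
        }
    }
    return $cfg;
}

// Demo on constructed files in a temporary directory.
$base = sys_get_temp_dir() . '/creds_demo_' . bin2hex(random_bytes(4));
mkdir("$base/htdocs", 0700, true);
mkdir("$base/private", 0700, true);
$ini = "host=localhost\nuser=app\npassword=constructed-sample\n";
$cases = ['private/db.ini' => 0600, 'htdocs/db.ini' => 0600, 'private/loose.ini' => 0644];
foreach ($cases as $file => $mode) {
    file_put_contents("$base/$file", $ini);
    chmod("$base/$file", $mode);
    try {
        $cfg = load_db_credentials("$base/$file", "$base/htdocs");
        echo "$file: loaded credentials for user {$cfg['user']}\n";
    } catch (RuntimeException $e) {
        echo "$file: rejected ({$e->getMessage()})\n";
    }
}
```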