[olug] protecting MySQL password on multi-user system

Trent Melcher trent at wispair.net
Thu Apr 27 02:32:33 UTC 2006


OK, is the web_root directory under your home directory?  Is it your web
directory, and yours only?  If so, then you could try it this way.

Put a .htaccess file into your web_root directory, add these 2 values

SetEnv DBUSER mysqluser
SetEnv DBPASS mysqlpass

PHP will get these variables passed in the $_SERVER superglobal as
$_SERVER['DBUSER'] and $_SERVER['DBPASS'].

Then add this to your php code.

$handle = mysql_connect('localhost', $_SERVER['DBUSER'], $_SERVER['DBPASS'])
    or die(mysql_error());

If this Multi-User system has everyone using the same web_root directory,
then there really isn't a good way to lock it down so nobody else can use
your password file.



Trent


-----Original Message-----
From: olug-bounces at olug.org [mailto:olug-bounces at olug.org] On Behalf Of Eric P
Sent: Wednesday, April 26, 2006 7:49 PM
To: Omaha Linux User Group
Subject: Re: [olug] protecting MySQL password on multi-user system

Check the thread subject.  It's a multi-user system.  I have user perms
only.

Eric
Trent Melcher wrote:
> If you have the ability, you could use the apache configuration file to
> store the password. (Apache reads its main config files as root.)
> 
> Example:
> 
> Add this to your httpd.conf
> 
> <Directory /var/www/html/mydatabase> 
>    php_value mysql.default_user fred 
>    php_value mysql.default_password secret 
>    php_value mysql.default_host server.example.com 
> </Directory> 
> 
> Then all you need in your PHP code is 
> 
> $handle = mysql_connect() or die(mysql_error()); 
> 
> Your configuration will only be picked up by scripts running in the named
> directory and subs...in this case /var/www/html/mydatabase, virtualhosts can
> be done the same way.  Then you can lock down that directory by using a
> .htaccess file and only those folks with the proper credentials can execute
> scripts from that location.   This also assumes that mysql is NOT running in
> safe_mode.
> 
> Trent  
> 
> 
> -----Original Message-----
> From: olug-bounces at olug.org [mailto:olug-bounces at olug.org] On Behalf Of Eric P
> Sent: Monday, April 24, 2006 9:38 PM
> To: Omaha Linux User Group
> Subject: [olug] protecting MySQL password on multi-user system
> 
> I'm on a multi-user Linux system running PHP and MySQL.
> 
> Whenever I do an SQL query, I include a file just under the web root w/the
> MySQL username and password.
> 
> Even though it's under the web root, I have to keep this file's permission
> at 644 permissions, or else I get 'permission denied'.
> 
> Am I missing something here?  I definitely don't want this file readable by
> 'other'.
> 
> Any advice for the correct approach to this would be greatly appreciated!
> 
> Eric Pierce
> _______________________________________________
_______________________________________________
OLUG mailing list
OLUG at olug.org
http://lists.olug.org/mailman/listinfo/olug
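
Added example, not part of the original thread: a shell audit for a web root that uses the SetEnv approach from the message above. It reports files that set DBPASS and have the "other" read bit set, and PHP scripts that call phpinfo(), whose output lists $_SERVER values. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). DBPASS is the variable name used in
# the message; the web root path is passed as an argument.

# Files that set DBPASS with SetEnv and have the "other" read bit set.
# (-i because Apache directive names are case-insensitive.)
world_readable_secrets() {
    find "$1" -type f -perm -004 -exec \
        grep -liE '^[[:space:]]*SetEnv[[:space:]]+DBPASS[[:space:]]' {} + \
        2>/dev/null || true
}

# PHP scripts calling phpinfo(), whose output lists $_SERVER values.
phpinfo_scripts() {
    find "$1" -type f -name '*.php' -exec \
        grep -lE 'phpinfo[[:space:]]*\(' {} + 2>/dev/null || true
}

# Print findings; return 1 if anything was found, 0 if the tree is clean.
audit_webroot() {
    secrets=$(world_readable_secrets "$1")
    dumps=$(phpinfo_scripts "$1")
    status=0
    if [ -n "$secrets" ]; then
        printf 'SetEnv DBPASS readable by other:\n%s\n' "$secrets"
        status=1
    fi
    if [ -n "$dumps" ]; then
        printf 'phpinfo() call (prints $_SERVER):\n%s\n' "$dumps"
        status=1
    fi
    return "$status"
}

# Constructed sample tree: build it, audit it, remove it.
demo=$(mktemp -d)
printf 'SetEnv DBUSER mysqluser\nSetEnv DBPASS mysqlpass\n' > "$demo/.htaccess"
chmod 644 "$demo/.htaccess"
printf '<?php phpinfo(); ?>\n' > "$demo/info.php"
audit_webroot "$demo" || true
rm -rf "$demo"
```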



