Re: How to avoid exposing connectstring?

James Henson wrote:
> I'm using a MySQL database from within some Perl and PHP cgi's.
> To make the connection, I have to supply the username/password
> in the connection string. This info is readable for anyone that
> can view my code, e.g. all other users that can access the
> webserver box directly. This because the cgi-program has to be
> readable for the user that's used by Apache.
>
> How can I avoid this? I can't have my own webserver, regrettably,
> other developers have access to this machine. Is there perhaps an
> Apache option that I can use to avoid public exposure of the
> connectstring?
>
> I have set up the database server so it only accepts connections
> from the webserver box, but that doesn't help with the above
> problem.
>
> Any pointers?

This was Followup to comp.lang.php, but I thought that some of you in
this group may be curious about it as well...

In httpd.conf, add this in your VirtualHost directive...

SetEnv SQL_HOST=localhost
SetEnv SQL_PASS=password
SetEnv SQL_USER=user

Then, make sure httpd.conf is chmod 600 and chown root.root

Now, in your scripts, access these variables via
<?php
$host=$_SERVER['SQL_HOST'];
$user=$_SERVER['SQL_USER'];
$pass=$_SERVER['SQL_PASS'];
?>

I'm not sure how to go about it in perl, but it will likely be an
environment variable.

If the host won't chmod and chown httpd.conf, you have create a separate
file with the parameters in it, chmod 600, chown root.root that file
instead, and use an include in the VirtualHost directive.

Since it is in your VirtualHost directive, it is only valid for requests
to your domain name, and only the root user will be able to read the
file with the user and password.

--
Justin Koivisto - spam@koivi.com
PHP POSTERS: Please use comp.lang.php for PHP related questions,
alt.php* groups are not recommended.