This is a discussion on Security of MySQL Userid/Password in Apache CGI-BIN within the MySQL Database forums, part of the Database Forums category.
I'm writing some 'C' compiled Apache CGI-BINs which interact with MySQL via the 'C' API (platform: Linux).

Where should I put the MySQL userid/password so that it is the most secure?

Possibilities:

a) Compile them into the CGI-BIN (and I'm assuming that there is no way for a web user to actually get the data in the executable--they can only run it, right?).

b) Keep them in a separate file which is read by the CGI-BIN.

Any thoughts about what is the best way and any security concerns?

Thanks.
------------------------------------------------------------
David T. Ashley (dta@e3ft.com)
http://www.e3ft.com (Consulting Home Page)
http://www.dtashley.com (Personal Home Page)
http://gpl.e3ft.com (GPL Publications and Projects)
David T. Ashley wrote:
> I'm writing some 'C' compiled Apache CGI-BINs which interact with MySQL via
> the 'C' API (platform: Linux).
>
> Where should I put the MySQL userid/password so that it is the most secure?
>
> Possibilities:
>
> a) Compile them into the CGI-BIN (and I'm assuming that there is no way for
> a web user to actually get the data in the executable--they can only run it,
> right?).
>
> b) Keep them in a separate file which is read by the CGI-BIN.
>
> Any thoughts about what is the best way and any security concerns?
>
> Thanks.
> ------------------------------------------------------------
> David T. Ashley (dta@e3ft.com)
> http://www.e3ft.com (Consulting Home Page)
> http://www.dtashley.com (Personal Home Page)
> http://gpl.e3ft.com (GPL Publications and Projects)

Compiling them into the executable would definitely keep it away from prying eyes - but you would want to make it extra-strong (lots of case/numbers/meta-characters) to minimize hackers' attempts to crack the password.

I tend to stay away from CGI due to some other inherent risks involved with some of the "provided" scripts like upload.cgi and Count.cgi. Therefore I almost always disable cgi and use other methods. But, YMMV.

You could use an encode/decode mechanism such that you can change the password on a somewhat regular basis - but I would store it in a file outside the web server directory tree (but give it the proper ownership etc...). This would minimize the exposure.

One thing to mitigate risks is to have the database server on another server where the ports used are not internet-facing - so there can be no direct connection from the internet to your MySQL server ports.

The other thing I do on MY web server is that it runs OpenVMS w/Apache. The only system at Defcon 9 not hacked - then they changed the rules such that the ONLY OS you could run was some flavor of the Linux kernel.

--
Michael Austin
Database Consultant
Domain Registration and Linux/Windows Web Hosting Reseller
http://www.spacelots.com
"David T. Ashley" <dta@e3ft.com> wrote in
news:w6GdndSuesoIzzTYnZ2dnUVZ_qunnZ2d@giganews.com:
> Where should I put the MySQL userid/password so that it is the most
> secure?

OUTSIDE of the web space.