in reply to Re: Re: Secure ways to use DBI?
in thread Secure ways to use DBI?

I use ssh (F-secure) to call a (bash/SQL*plus) script that reside on the database server.

The question you need to ask yourself is this: "If some wiley hax0r where to gain control of the web server, how difficult would it be for them to get my database password?"

If they see before them a script that uses ssh, can they then use that script to get the password? If so, you haven't gained yourself much.

Now if this is all done from a middle tier that the wiley hax0r can't get to, that's another matter.

Whether what you describe is a "middle-tier process" I don't know. Perhaps.

Update: What this scheme seems to protect against is losing the password to a sniffer. That works only if you're then using some secure, database-dependent login mechanism, or are using ssh-tunneling to talk to the database.