Thanks, Brad!
Yes, I hardcode the database log-on info into the script. I've a single module that does the connection. All my modules reside outside of the web directory (/usr/home/mysite/mymodules). I figured that if anybody gets to the script, he's probably good enough to do anything he desires.
I followed that node you pointed. I'm trying to understand your password encryption/decryption code. So you're suggesting I should encrypt the log-on info and place it somewhere below the web directory, like /usr/home/mysite/secret? | [reply] |
The bottom line is that you can only protect yourself from the outside world. If a user has an account on the
same shared system as you, that person can read any file that is "available" for the Web because of chmod. So,
all things being equal, i could just pop on over to your cgi-bin dir and read your script with a text editor. There
is the username, there is the password. Even if you place the username and password in another file in a directory
that cannot be accessed by the web, i can still read it, because it has to be chmod'ed appropriately. By encrypting
the username and password, i can no longer simply view the file and glean the goods, but, as jayrom pointed out
in that thread, i can read the code that decrypts the goods, and therefore i can decrypt the goods myself.
FWIW, i think it is better to find a group of friends, if possible, and pool in on a hosted box. That way, you
have a lot more trust among the users of that system. Someone can still forget to lock the door, though ... oh
yeah. A read-only database user is nice too. If you don't need to write to the database, then connect to
the database with a user that cannot write to it -- if you have the means to set such an account up, of course.
Again, more reasons to get your own box, at least one where you have root access. :)
| [reply] |
| [reply] |
| [reply] |