Is there a generally acknowledged Best Practice way of hiding the username and password in a script which needs to access a database? Or, indeed, any other resource?
I was just noticing how the Movable Type people do it (see point 8, "Set your SQL database password").
Most of their information goes in a ".cfg" config file. But the username and password go in a separate file, which has the CGI extension, only without a shebang line. So even though everyone knows where it is, you can't execute it or view it, so you can steal the details.
Is this normal? What are they protecting against by going to all that trouble as opposed to just putting it in the script? Or in the config file? After all, as long as the config doesn't have a "Content-type: whatever\n\n" somewhere, I can't see that either.
Nobody says perl looks like line-noise any more
kids today don't know what line-noise IS ...
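As an added example (not part of the original post and not Movable Type's code), here is one way a Perl script can load its database login from a separate file while refusing a file that sits under the web server's document root or is readable by group or other. The helper name `load_db_credentials`, the `DBUser`/`DBPassword` line format, the paths and the sample values are all assumptions made for the illustration, and the mode check assumes a POSIX filesystem.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Cwd qw(realpath);
use File::Temp qw(tempdir);

# Hypothetical helper: read "Key value" lines from a credentials file,
# refusing files the web server could serve or other local users could read.
sub load_db_credentials {
    my ($path, $docroot) = @_;
    my $real = realpath($path)    or die "cannot resolve $path\n";
    my $root = realpath($docroot) or die "cannot resolve $docroot\n";
    die "$real is inside the document root $root\n"
        if index("$real/", "$root/") == 0;

    open my $fh, '<', $real or die "cannot open $real: $!\n";
    my @st = stat $fh or die "cannot stat $real: $!\n";
    die sprintf("%s has mode %04o; expected 0600 or stricter\n",
                $real, $st[2] & 07777)
        if $st[2] & 0077;                       # any group/other permission bit

    my %cred;
    while (my $line = <$fh>) {
        next if $line =~ /^\s*(?:#|$)/;         # skip comments and blank lines
        my ($key, $value) = $line =~ /^\s*(\w+)\s+(.*?)\s*$/
            or die "malformed line $. in $real\n";
        $cred{$key} = $value;
    }
    close $fh;
    for my $need (qw(DBUser DBPassword)) {
        die "$need missing from $real\n" unless defined $cred{$need};
    }
    return \%cred;
}

# Constructed demo: a throwaway directory stands in for the site layout.
my $base = tempdir(CLEANUP => 1);
mkdir "$base/htdocs" or die "mkdir: $!\n";
my @files = ("$base/htdocs/db.cgi", "$base/db.conf");
for my $file (@files) {
    open my $out, '>', $file or die "write $file: $!\n";
    print {$out} "DBUser melody\nDBPassword constructed-sample\n";
    close $out;
    chmod 0600, $file or die "chmod $file: $!\n";
}
for my $file (@files) {
    my $cred = eval { load_db_credentials($file, "$base/htdocs") };
    print $cred ? "accepted $file (user $cred->{DBUser})\n" : "rejected: $@";
}
```

The copy under `htdocs` is rejected even with mode 0600, because whether it stays hidden there depends on how the web server is configured to handle that extension; the copy outside the document root is accepted.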