http://qs321.pair.com?node_id=918531


in reply to Mysql-CGI Security Question

This is a fairly common question, and an excellent one.

The short answer is, there is not a good solution to this problem. Your script has to run as the user, therefore the user has to be able to see the password. Try to make sure the file containing the password is as restrictive in read permissions as possible.

There is only one other semi-viable option. Use a custom DBD::Proxy based service which uses the password (which is different from the databases password) AND checksums the passed in sql based on IP address, or optionally uses named sql queries. However, this option only restricts what they can run to the dictionary of available queries. It doesn't stop somebody else from running those same queries.

my @a=qw(random brilliant braindead); print $a[rand(@a)];