mephit has asked for the wisdom of the Perl Monks concerning the following question:

Greetings, monks.

I think I remember reading somewhere a long time ago, that, when using a database in a CGI script, instead of putting one's database login info directly in the CGI script, one should put it in a separate file and include it or otherwise make the information available to the CGI script. If I could remember where I read this, I would go and read it again to make sure it said what I think it said, but I don't, so I'm asking you folks. Is there any advantage to doing this? Thanks.

--

Mephit -- There are 10 kinds of people: those that understand binary, and those that don't.

Re: Possible CGI/database security issue?
by Jenda (Abbot) on May 20, 2002 at 21:59 UTC

    There is one more reason. It's always better to keep the settings in a separate file. Not only can you access them easily from several separate scripts, but you also do not have to modify the scripts themselves whenever something changes.

    Imagine you use the same scripts on several machines. If you have the settings inline, you have to be very careful each time you update or fix the code. On the other hand, if you keep the settings separate, you can upload the new version to all servers and be done with it.

      Jenda@Krynicky.cz

Re: Possible CGI/database security issue?
by BazB (Priest) on May 20, 2002 at 20:37 UTC

    If the permissions of your CGI script get minced in some way, the whole world might have read access to the source code, and to your db passwords.

    Put your db passwords in a file outside of your webroot, and at least if the permissions are wrong, it's likely to 'only' be other users of the machine that will get to see your passwords, not everyone with a web browser.

    Cheers.

    BazB

Re: Possible CGI/database security issue?
by particle (Vicar) on May 20, 2002 at 22:05 UTC
    by include, you probably mean do, or eval (i recommend the former.) there's an example at proper untainting and use of ref that will show you how i use my configuration files.

    ~Particle *accelerates*

Re: Possible CGI/database security issue?
by dsheroh (Monsignor) on May 21, 2002 at 15:18 UTC
    Another reason to separate out your database connection info (and my primary reason) is code distribution. If you release your code to outsiders (whether business partners or under a Free/Open Source license), do you really want to lose sleep wondering whether you remembered to remove the password for your private database each time? Do you want that information available in the CVS archive? Not likely...

    And then there's standardization. FHS says that all system-wide application configuration data belongs under /etc and I tend to agree with it. Life is so much easier for admins when everything puts its settings in /etc/appname (one config file) or /etc/appname/* (multiple config files).
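As an added example (not code from any of the posters above), here is how the approach in the replies fits together: the credentials live in a file outside the web root, as BazB describes, at the kind of /etc location dsheroh mentions, and the script loads it with `do` as particle suggests, checking the file's permissions before trusting it. The path /etc/myapp/db.conf, the key names and the `load_db_config` helper are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl ':mode';
use DBI;

# Assumed location, outside the web root, owned by the web server user, chmod 600.
my $CONFIG = '/etc/myapp/db.conf';

# The config file is plain Perl whose last expression is a hash reference, e.g.:
#   { dsn      => 'DBI:mysql:database=app;host=localhost',
#     user     => 'appuser',
#     password => 'PLACEHOLDER' }

sub load_db_config {
    my ($path) = @_;

    my @st = stat $path or die "Cannot stat $path: $!\n";
    my $mode = S_IMODE($st[2]);

    # Refuse a file that group or others can read: those bits are exactly what
    # would hand the password to every other account on the machine.
    die sprintf("%s is group/world accessible (mode %04o); chmod 600 it\n", $path, $mode)
        if $mode & 077;

    # 'do' compiles and runs the file in its own scope and returns its last value.
    # On failure it returns undef and sets $! (open error) or $@ (compile error).
    my $cfg = do $path;
    die "Cannot read $path: $!\n"  if !defined $cfg && $!;
    die "Cannot parse $path: $@\n" if !defined $cfg && $@;
    die "$path did not return a hash reference\n" unless ref $cfg eq 'HASH';

    for my $key (qw(dsn user password)) {
        die "$path is missing '$key'\n" unless defined $cfg->{$key};
    }
    return $cfg;
}

# The CGI script itself now contains no credentials at all.
my $cfg = load_db_config($CONFIG);
my $dbh = DBI->connect($cfg->{dsn}, $cfg->{user}, $cfg->{password},
                       { RaiseError => 1, PrintError => 0 })
    or die "connect failed: $DBI::errstr\n";
```

Because the path is absolute, `do` does not search @INC, so the loader does not pick up a stray db.conf from elsewhere on the include path.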