in reply to Protecting your DBI user/password in scripts?

I'm wondering what people here use to obscure the username/password they use in their perl scripts to connect to a DB?

If you're really paranoid, don't connect to the database from logic on the web server tier. Instead, connect from middleware that lives on a separate box. Admittedly, this isn't for everyone.

If you're stuck with a one- or two-tier configuration, you have a couple of options. The simple one is to have your script read a username/password from a path that isn't visible to the web server. This works until your box gets hacked.

Another option, available if you're running a two-tier configuration and have some control over the database box, is to use DBI::Proxy and DBD::ProxyServer to the actual database connect to the web server box.


Re^2: Protecting your DBI user/password in scripts?
by Aristotle (Chancellor) on Sep 12, 2002 at 20:34 UTC
    In fact, using a DBI proxy living on a different machine is an excellent suggestion: you can restrict the SQL queries the proxy will accept and forward to the real database. That means far more granular control over what can be submitted from the webserver tier: you could f.ex restrict scripts on the webserver to a single, fixed SELECT query or maybe only certain UPDATE queries. Now even if someone cracks the webserver and gains the script's login data, he can't do any more than the script is allowed to. Your restrictions will need some thought to not allow circumvention, of course.

    Makeshifts last the longest.
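The query whitelisting Aristotle describes maps onto the `sql` section of a DBI::ProxyServer configuration. The file below is an added illustration, not code from the thread or from the DBI distribution; the network address, port, account name, query keys and SQL text are all assumptions.

```perl
# Hypothetical /etc/dbiproxy.conf for the database box, started with
#   dbiproxy --configfile /etc/dbiproxy.conf
# A DBI::ProxyServer config is a Perl file that returns one hash ref.
{
    'localport' => '3334',
    'mode'      => 'fork',
    'user'      => 'nobody',    # drop privileges after binding the port
    'group'     => 'nobody',
    'facility'  => 'daemon',    # syslog facility for connection logging
    'clients'   => [
        {
            # Accept connections only from the web server's address
            # (assumed 192.168.10.5); 'mask' is a regex on the peer address.
            'mask'   => '^192\.168\.10\.5$',
            'accept' => 1,
            # ... and only for the low-privilege account the scripts use.
            'users'  => [ 'webapp' ],
            # When an 'sql' section is present, the client may only
            # prepare() one of these keys; the server substitutes the fixed
            # statement and rejects any other text. A cracked web server
            # that steals the script's login gets exactly these two queries,
            # with nothing but the bind values under the attacker's control.
            'sql'    => {
                'product_by_id'   => 'SELECT name, price FROM products WHERE id = ?',
                'bump_view_count' => 'UPDATE products SET views = views + 1 WHERE id = ?',
            },
        },
        # Default deny for every other source address.
        { 'mask' => '.*', 'accept' => 0 },
    ],
}
```

On the web tier the script then connects with a DSN such as `dbi:Proxy:hostname=dbhost;port=3334;dsn=dbi:mysql:shop` (names assumed) and calls `$dbh->prepare('product_by_id')` rather than sending SQL text. Keep the real-database credentials on the proxy box only, so the web tier never holds a login that could be used outside the whitelist.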