Phemur has asked for the wisdom of the Perl Monks concerning the following question:

I'm working on a small Perl/CGI script that will query a database of daily updates and generate a web page with it (essentially a blog). But I'm not sure how to deal with security.

My site is hosted remotely by a hosting service, and I don't have access to the MySQL database to change permissions (either mine or someone else's). As is customary, to access the database, I have to pass a user ID and password. But I only have one user ID/password for my database. How do I authenticate my query? I obviously can't give that user ID/password to everyone, and hard coding it in the script goes against every secure computing principle (even if the script is secured).

I'd prefer references to this, if anyone has any, but straight answers are just as good.

Nat

Replies are listed 'Best First'.
Re: MySQL CGI Security
by Zaxo (Archbishop) on Oct 06, 2002 at 00:26 UTC

    That's a poor situation, but pretty common. If you have suEXEC in effect, you can use filesystem permissions to guard the keys. Make a small private connection sub as I show below, give it 0600 permissions in a directory outside webspace. The user/pass pair is hidden in a closure from the rest of the program.

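    ### file Myconnection.pl
    use DBI;

    {
        # The credentials exist only inside this block; myconnect() closes over them.
        my $dsn  = 'whatever';
        my $user = 'joe';
        my $pass = 'joe';
        my $opts = { RaiseError => 1, AutoCommit => 0, };

        sub myconnect () {
            DBI->connect($dsn, $user, $pass, $opts);
        }
    }

    1;    # conventional true return value for a file loaded with require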

    Usage:

    use lib '/home/user/lib/perl5'; # or wherever
    require 'Myconnection.pl';      # load the file by name; found via @INC
    my $dbh = myconnect();

    Without suEXEC, you will lack the filesystem protection, making this scheme much less viable.

    After Compline,
    Zaxo

Re: MySQL CGI Security
by dws (Chancellor) on Oct 06, 2002 at 00:17 UTC
    As is customary, to access the database, I have to pass a user ID and password. But I only have one user ID/password for my database. How do I authenticate my query? I obviously can't give that user ID/password to everyone, and hard coding it in the script goes against every secure computing principle (even if the script is secured).

    Don't give your database ID/password to anyone. Put the pair in a text file that isn't visible through the web server (either by putting it in your home directory, or using the appropriate Apache directives in a .htaccess), and have your CGI scripts get the ID/password from this file.
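
The two replies above combine naturally: keep the pair in a text file outside the web server's view, and refuse to use it unless it is owned by the running user with 0600-style permissions. The following is an added example, not code from the thread; the helper name `load_db_credentials`, the `key=value` file format and the sample DSN are assumptions.

```perl
use strict;
use warnings;
use Fcntl qw(:mode);
use File::Temp qw(tempdir);

# Hypothetical helper: read key=value credentials from a file kept outside
# the web root, refusing files that another account could read or write.
sub load_db_credentials {
    my ($path) = @_;
    open my $fh, '<', $path or die "cannot open credentials file: $!\n";
    # stat the open handle, not the path, so the check and the read use the same file
    my @st = stat $fh or die "cannot stat credentials file: $!\n";
    die "credentials file is not a regular file\n" unless S_ISREG($st[2]);
    die "credentials file is not owned by the running user\n" unless $st[4] == $>;
    die sprintf("credentials file mode %04o is too open, want 0600\n", $st[2] & 07777)
        if $st[2] & (S_IRWXG | S_IRWXO);
    my %cred;
    while (my $line = <$fh>) {
        next if $line =~ /^\s*(?:#|$)/;    # skip comments and blank lines
        $line =~ /^\s*(\w+)\s*=\s*(.*?)\s*$/
            or die "malformed line $. in credentials file\n";
        $cred{$1} = $2;
    }
    close $fh;
    for my $key (qw(dsn user pass)) {
        die "credentials file is missing '$key'\n" unless defined $cred{$key};
    }
    return \%cred;
}

# Constructed sample: a temporary directory stands in for a path outside webspace.
my $dir  = tempdir(CLEANUP => 1);
my $file = "$dir/db.conf";
open my $out, '>', $file or die "cannot write sample file: $!\n";
print {$out} "# constructed sample values\n",
    "dsn=DBI:mysql:database=blog;host=localhost\n",
    "user=joe\npass=joe\n";
close $out;

chmod 0644, $file or die "chmod failed: $!\n";
eval { load_db_credentials($file) };
print "0644: rejected: $@";

chmod 0600, $file or die "chmod failed: $!\n";
my $cred = load_db_credentials($file);
print "0600: loaded credentials for user '$cred->{user}'\n";
# A CGI script would then call:
#   DBI->connect(@{$cred}{qw(dsn user pass)}, { RaiseError => 1 });
```

As Zaxo notes, the ownership and mode checks only help when the CGI runs under your own account (suEXEC); if it runs as the shared web server user, the file has to be readable by that user and the check on the owner will fail.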

Re: MySQL CGI Security
by BUU (Prior) on Oct 06, 2002 at 01:27 UTC
    Why is it so bad to hardcode the name/pw in the script?
      Why is it so bad to hardcode the name/pw in the script?

      In part, this advice is a remnant from days past, when certain web servers (*cough* IIS *cough*) fell victim to exploits that would let wily h4x0rz look at the source of your ASP scripts or CGIs. Now, this advice protects you if you accidentally mess up your .htaccess, or hand the script off to someone else forgetting to remove your password.

        Just like the Tompkins County Green Party did. Ehem. It's just a good idea to keep your secrets out of your code base anyway - it lets you alter your secrets without worrying about code maintenance. Consider this an extension of the practice of separation of concerns.

        __SIG__
        printf "You are here %08x\n", unpack "L!", unpack "P4", pack "L!", B::svref_2object(sub{})->OUTSIDE