Actually, it depends. The data is only as secure as its container. In the case of the flat file, your container would be the directory structure, the privileges around it, and ultimately the security of the host server. If someone was able to compromise the server and get root access, they would be able to circumvent any file restrictions or database permissions you have set up anyway. Also, I do know there have, at least in the past, been several severe security issues with mySQL that allowed a remote user to execute code on the server as the user mysql was running as. Unknowingly, most people have mysqlds running as root and have experienced some kind of false sense of security thanks to the 'safe_mysqld' command name.

My setup has mysqld running chroot jailed in /usr/local/mysql as the user mysql. mysql is the owner of /usr/local/mysql/data and is the only one (besides root) with read access to the database. It's also not necessary for my database to be accessible from anything but the box it's running on. As a result I have configured mysql to run on 127.0.0.1:3306 rather than the default 0.0.0.0:3306. I have also taken into account the security of the server. I run only the processes I need to be running, have recompiled a kernel with security as a main concern, and monitor network traffic, the file system, and kernel calls.

Of course, even with all those precautions, someone can still circumvent them, but they'd need a good reason. Whether you store it in a database or a flat file, the password will ultimately get stored in a flat file that anyone with root access can read. If it's necessary to store the password somewhere, you need to make an assessment of the amount of security you need. Needless to say, you should never store a root or privileged user password in a flat file or a database! Local user account passwords should be guarded pretty strictly as well. Application user passwords need to be stored somewhere and should be stored encrypted wherever you decide to store them. Make sure you use taint checking, warnings, strict, and limit the number of system() calls in your code. Also, take some time to account for "the dumbest user in the world" and do some basic checking of ANY variables someone other than you has a chance to modify. Oh yeah, and %ENV=(); doesn't hurt either.

-brad..

In reply to Re: OT ~ Security: Why is Root More Secure Than mySQL? by reyjrar
in thread OT ~ Security: Why is a file outside the web root more secure than mySQL? by jerrygarciuh
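The Perl-side advice in the post above (taint checking, strict, warnings, an emptied %ENV, checking any variable someone else can modify, and keeping the application password in a file outside the web root that only the owning user can read) put together in one script. This is an added example and is not code from the poster or the thread; the PATH value, the username pattern, the 0600/owner check and the constructed password file are assumptions for the demonstration. The script must be started with taint mode on, e.g. `perl -T script.pl`, otherwise Perl stops with "Too late for -T option".

```perl
#!/usr/bin/perl -T
# Added example (not from the original thread). Run as: perl -T script.pl
use strict;
use warnings;
use Fcntl qw(:mode);            # S_IMODE, S_IRWXG, S_IRWXO
use File::Temp qw(tempfile);

# 1. Wipe the inherited environment, then set only what child processes
#    would need. Under -T, system()/exec() refuse to run at all while PATH
#    is tainted or unset. (Assumption: adjust the PATH for your host.)
%ENV = ();
$ENV{PATH} = '/bin:/usr/bin';

# 2. Untaint a value that someone other than you can modify. Taint mode will
#    not let a tainted string reach system(), a piped open, unlink, etc. until
#    it has been extracted through a regex capture that spells out exactly
#    what is allowed. Anything that does not match is rejected, not "cleaned".
sub untaint_username {
    my ($raw) = @_;
    return unless defined $raw;
    return $1 if $raw =~ /\A([a-z][a-z0-9_]{0,31})\z/;   # assumed policy
    return;
}

# 3. Read an application password from a file outside the web root, but only
#    if no one except the owner (and root) can read it. As the post says, this
#    is a precondition, not a guarantee: root can always read the file.
sub read_secret {
    my ($path) = @_;
    my @st = stat $path or die "cannot stat $path: $!";
    my $mode = S_IMODE($st[2]);
    die sprintf("%s is readable by group/other (mode %04o)\n", $path, $mode)
        if $mode & (S_IRWXG | S_IRWXO);
    die "$path is not owned by the effective user\n" unless $st[4] == $>;
    open my $fh, '<', $path or die "cannot open $path: $!";
    my $secret = <$fh>;
    close $fh;
    chomp $secret if defined $secret;
    return $secret;
    # The secret would then go into something like
    # DBI->connect('DBI:mysql:database=app;host=127.0.0.1;port=3306', $user, $secret)
    # so the connection only ever targets the loopback listener.
}

# --- demonstration on constructed input ---
my ($tfh, $path) = tempfile();          # File::Temp creates this 0600
print {$tfh} "s3cret-app-password\n";   # constructed sample secret
close $tfh;

print "0600 file accepted: ", read_secret($path), "\n";

chmod 0644, $path;                      # simulate a careless install
eval { read_secret($path) };
print "0644 file rejected: $@";

for my $in ('webuser', 'web; rm -rf /', '../etc/passwd') {
    my $clean = untaint_username($in);
    printf "%-18s -> %s\n", "'$in'", defined $clean ? "ok '$clean'" : 'rejected';
}
unlink $path;
```

The point of the regex in untaint_username is that it is an allow-list, not a blocklist: the shell metacharacters and the path traversal are refused because they are not letters, digits or underscores, not because the code knows about them. Keeping system() calls to a minimum matters for the same reason; every one of them is a place where a value you forgot to untaint could reach a shell.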
