The only way to protect the password is to not store it on the system at all, and require it to be typed in everytime it is needed. There is no mechanism to secure the password from everybody and still allow your script to access it in a way that allows it to authenticate against another system (your database in this case). The closest you can get is to restrict it to only be readable to any users that have permission to run the script that needs the password.
Now, that having been said, there are a couple of things you can do to make it easier to protect your passwords. Moving them out of the script itself is the first step. secondly, you need to place the strictest permissions possible on the file that does contain the password (remember that your script will need to be able to read it, so it needs to still be accessible by the user that your scripts are executed by - usually the same as what the webserver runs as).
Since you are using MySQL, I would recommend using a MySQL config file to hold the password for you and then provide that config file in the DSN you pass to DBI. Here is some psuedocode to illustrate this technique:
Then in the my.cnf file you can place the following:$dsn = "DBI:mysql:test;mysql_read_default_file=/var/lib/mysql/my.cnf"; $dbh = DBI->connect($dsn);
[client] user="username" password="my_password"
Make sure to remember to chown and chmod this file so that it is secure from 'most' prying eyes...
- Cees
In reply to Re: Handling Passwords Securely
by cees
in thread Handling Passwords Securely
by cymon
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |