First, what you're doing is about as secure as you can get with a standard shared server. If your hosting provider does a good job of isolating the users from each other, then it's fairly reliable as long as your code is secure. If it's not, consider whether the data you're protecting is valuable enough to pay for more isolated hosting, either with a higher-quality shared host that uses suEXEC and chroot, or with a private server or virtual private server. As others have mentioned, ideally you'd want to use a dedicated user account for the parts that have to read the database, so that security flaws in other parts won't compromise the password. Think in terms of minimizing the exposure of the data, and isolating the parts that need access to it.
Second, make sure your code is secure. Use taint mode, and carefully review your code with an eye towards how somebody could compromise it.
Third, one possibility is to use Oracle usernames/passwords as the system logins, so the user simply authenticates to the database on login. That way no password has to be stored on the system at all. I did this for a recent project, and was quite happy with the results.
In reply to Re: Securing the database password for web applications
by sgifford
in thread Securing the database password for web applications
by Anonymous Monk
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |