I have a lesser-known, but very interesting way of hiding a username and password from prying eyes, using only DBI, MySQL and Apache.

There are a few short steps to the process, but it is well worth it.

  1. Configure your httpd.conf

    Go into your Apache httpd.conf, add the following lines, and restart the web server:

    SetEnv DBI_DSN DBI:mysql:db_name;mysql_read_default_file=/etc/my.cnf

    This will set the DBI_DSN environment variable for all your CGI scripts, globally. The value inside the DBI_DSN variable is used if you do not pass in the first argument to DBI::connect. Any code where you create a DBI handle can now become:

    my $dbh = DBI->connect;

  2. Set your DBI handle attributes

    Before we move on, we will need to make sure of one thing: How do we set any of DBI's attributes? A common method of doing this is:

    my $dbh = DBI->connect( $dsn, $username, $password, { RaiseError => 1, ChopBlanks => 1, Taint => 1 } );

    It is actually possible to include your database handle attributes inside the DBI_DSN, like so:

    DBI:mysql(RaiseError=>1,ChopBlanks=>1,Taint=>1):db_name;mysql_read_default_file=/etc/my.cnf

    Before we go on, you may want to go back and tweak your DBI_DSN inside the httpd.conf using this knowledge.

  3. mysql_read_default_file

    You'll notice that in the DBI_DSN there is an attribute called mysql_read_default_file. This tells MySQL the location of the my.cnf configuration file that you'd like to use. The standard name for a MySQL configuration file is my.cnf.

  4. Make your own my.cnf

    Here is a sample /etc/my.cnf MySQL configuration file:

    [client]
    user=my_username
    password=my_password

    Inside this file you simply specify the username and password to connect to the database. Make sure you chmod 400 this file, preferably as root, to ensure that no one else can read it.

That's it, that's all there is to it. In all future CGI scripts don't supply any arguments to DBI::connect, and MySQL will use the defaults you have configured. By utilizing several interesting features of DBI, MySQL and Apache you have now centralized your database and user management, as well as providing a secure storage method for your usernames and passwords.


In reply to (dkubb) Re: (2) Hiding passwords using DBI's DBI_DSN by dkubb
in thread Hiding DBI Passwords? by Coplan
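
The following is an added example, not code from the original post: a pre-connect check that extracts the mysql_read_default_file path from a DBI_DSN (with or without the attribute block from step 2) and reports whether the option file is exposed to group/other or unreadable by the running process. The function names defaults_file_from_dsn and option_file_problems are hypothetical, and the demo uses a constructed temporary file as a stand-in for /etc/my.cnf.

```perl
#!/usr/bin/perl
# Added example, not code from the original post.
use strict;
use warnings;
use Fcntl qw(:mode);
use File::Temp qw(tempfile);

# Extract the mysql_read_default_file path from a DBI DSN, skipping the
# optional "(Attr=>1,...)" block that may follow the driver name.
sub defaults_file_from_dsn {
    my ($dsn) = @_;
    return undef unless defined $dsn
        && $dsn =~ /^dbi:\w*(?:\([^)]*\))?:(.*)$/is;
    my $rest = $1;
    for my $pair (split /;/, $rest) {
        my ($key, $value) = split /=/, $pair, 2;
        return $value if defined $value && $key eq 'mysql_read_default_file';
    }
    return undef;
}

# Return a list of reasons the option file should not be trusted (empty = OK).
sub option_file_problems {
    my ($path) = @_;
    my @st = stat($path) or return ("cannot stat $path: $!");
    my $mode = $st[2];
    my @problems;
    push @problems, "$path is not a regular file" unless S_ISREG($mode);
    push @problems, sprintf('%s has mode %04o; group/other bits must be clear',
        $path, S_IMODE($mode)) if $mode & (S_IRWXG | S_IRWXO);
    push @problems, "$path is not readable by uid $>" unless -r $path;
    return @problems;
}

# Constructed demo: a temporary stand-in for /etc/my.cnf, checked at two modes.
my ($fh, $cnf) = tempfile(UNLINK => 1);
print {$fh} "[client]\nuser=my_username\npassword=my_password\n";
close $fh;
my $dsn  = "DBI:mysql(RaiseError=>1,ChopBlanks=>1,Taint=>1):db_name;mysql_read_default_file=$cnf";
my $file = defaults_file_from_dsn($dsn) or die "no option file in DSN\n";
for my $perm (0644, 0400) {
    chmod $perm, $cnf or die "chmod $cnf: $!";
    my @problems = option_file_problems($file);
    printf "%04o: %s\n", $perm, @problems ? join('; ', @problems) : 'ok';
}
```

In a CGI script the same two functions can be called on $ENV{DBI_DSN} before DBI->connect, dying if the problem list is non-empty. The readability check uses the effective uid of the process, so it also reports an option file that the web server's user cannot open.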
