Ticket #36255

faq how to hide db-password from php script?

: 2016-04-15 15:15 Last Update: 2016-04-21 13:43

Reporter:
Owner:
(None)
Status:
Open
Component:
Milestone:
(None)
Priority:
5 - Medium
Severity:
5 - Medium
Resolution:
None
File:
None

Details

I am creating a PHP web-app/web-service with MySQL database access that should become open source.

Currently I have to put 2 PHP variables, $dbuser=... and $dbpassword=..., into the script to connect to the OSDN database,

so everybody who gets the source code for the script will know my osdn-username/osdn password.

What is the OSDN preferred way to handle this issue?

Since I do not have the permission to create database users like

CREATE USER 'fdRatingUser'@'somehost.osdn.jp' IDENTIFIED BY '*******'; GRANT SELECT ON fdappratingserv.knownApp TO 'fdRatingUser'@'somehost.osdn.jp'

I cannot add an additional database user that does not have my osdn-login credentials.

My proposal to solve this issue:

Every project gets two database users: one project-db-admin user that can create/modify tables and one additional project-db-webuser that can receive grants from the project-db-admin user.

It would be nice if this issue is documented in https://osdn.jp/projects/docs-en/wiki/ProjectWebDB_FAQ

Note: I cannot assign this ticket to a component because the component names are in Japanese and I do not speak Japanese.

Ticket History (2/2 Histories)

2016-04-15 15:15 Updated by: klaus3b
  • New Ticket "faq how to hide db-password from php script?" created
2016-04-21 13:43 Updated by: ishikawa
  • Type Update from Feature Requests to Support Request
  • Component Update from (None) to その他 (Other)
Comment

Reply to klaus3b

I am creating a PHP web-app/web-service with MySQL database access that should become open source. Currently I have to put 2 PHP variables, $dbuser=... and $dbpassword=..., into the script to connect to the OSDN database, so everybody who gets the source code for the script will know my osdn-username/osdn password. What is the OSDN preferred way to handle this issue?

You would set the correct permissions on this kind of file to hide it (make it unreadable) from non-project members.

For example, for project 'foo' and target file 'bar':

  • The http daemon running on the project web server will execute the script as user: foo.p, group: foo, so the web script should be readable by user foo.p or group foo. The script file should have user foo.p read permission or group foo read permission.
  • The file owner can read and write the file.
  • Other people should not be able to read the file 'bar'.

In this situation you can change the permissions of the file bar as below:

 chmod 640 bar
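
The permission check from the reply above, as an added example that is not part of the ticket or of OSDN's documentation: it flags a credentials file that accounts outside the owner and group can access, and shows that chmod 640 clears the finding. The file name dbconfig.php, the scratch directory and the placeholder credentials are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example. File and directory names are hypothetical; contents are constructed.

# Print a file's permission bits in octal (GNU stat, then BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Verdict on a credentials file: returns 0 only when "other" has no access,
# 1 when the file is exposed, 2 when it does not exist.
check_secret_perms() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "MISSING $f"
        return 2
    fi
    mode=$(file_mode "$f")
    other=${mode#"${mode%?}"}      # last octal digit = permissions for "other"
    if [ "$other" != "0" ]; then   # an unreadable mode also lands here (fail closed)
        echo "EXPOSED mode=$mode $f"
        return 1
    fi
    echo "OK mode=$mode $f"
}

# Walk through the ticket's case on a scratch file: 644 is flagged, 640 passes.
demo() {
    dir=$(mktemp -d) || return 1
    secret="$dir/dbconfig.php"
    printf '%s\n' '<?php $dbuser = "CHANGE_ME"; $dbpassword = "CHANGE_ME";' > "$secret"
    chmod 644 "$secret"            # common default: readable by every account
    before=0
    check_secret_perms "$secret" || before=$?
    chmod 640 "$secret"            # owner rw, group r, other none
    after=0
    check_secret_perms "$secret" || after=$?
    rm -rf "$dir"
    [ "$before" -eq 1 ] && [ "$after" -eq 0 ]
}

demo
```

On the project web server the file's group would also need to be the project group (foo in the reply's example) for the group read bit to serve the http daemon.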

Attachment File List

No attachments
