#1
Currently we store user/pass in a plain PHP file, but we want to have a better method to protect the MySQL login authentication by hiding the real user name & password.

Are there any suggested solutions?

Thanks.
|
#2
howa wrote:
> currently we store user/pass in a plain php file, but we want to have a
> better method to protect the MySQL login authentication by hiding the
> real user name & password

Hiding it from whom? By putting it in a plain php file, you are hiding it from all except those who can access the php file. So who else do you wish to hide it from? The solution depends on this.
|
#4
Captain Paralytic wrote:
> howa wrote:
>
> > currently we store user/pass in a plain php file, but we want to have a
> > better method to protect the MySQL login authentication by hiding the
> > real user name & password
>
> Hiding it from whom? By putting it in a plain php file, you are hiding
> it from all except those who can access the php file. So who else do
> you wish to hide it from. The solution depends on this.

Okay, let's consider it is a Perl script running on the server. Any advice?

i.e. sometimes you don't even want root to know the password to the remote database...
|
#6
"howa" wrote:
> Captain Paralytic wrote:
>
>> howa wrote:
>>
>> > currently we store user/pass in a plain php file, but we want to have a
>> > better method to protect the MySQL login authentication by hiding the
>> > real user name & password

If you are using PHP you should put database account information in a PHP include file and store that *outside* the webserver's document root.

>> Hiding it from whom? By putting it in a plain php file, you are hiding
>> it from all except those who can access the php file. So who else do
>> you wish to hide it from. The solution depends on this.
>
> okay, let consider it is a Perl script, running on the server, any
> advice?
>
> i.e. sometimes, you even don't want the root to know the password to
> the remote Database...

This is not possible. The password must either be given interactively or in a file. If it's in a file, root can always get a copy of that file and use it (even if the password itself is encrypted).

There are multiple possibilities to store the password in a file:

- write it in the source (possibly obscured)
- write it in a MySQL option file (i.e. ~/.my.cnf)
- use an SSL certificate, no password but REQUIRE X509 ... in GRANT

XL
--
Axel Schwenke, Support Engineer, MySQL AB

Online User Manual: http://dev.mysql.com/doc/refman/5.0/en/
MySQL User Forums: http://forums.mysql.com/
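
A check for the file-based options listed in the post above, as an added example that is not part of the original thread: a shell function that reports whether a credentials file sits under the web server's document root or is accessible beyond its owner. The function name, finding labels, paths and file contents are made up for illustration; as the replies in this thread point out, none of this hides anything from root.

```sh
#!/bin/sh
# Added example: audit the location and permissions of a DB credentials file.
# check_cred_file FILE DOCROOT  (hypothetical helper, not a MySQL/PHP tool)
# Prints "OK" and returns 0, or prints the findings and returns 1.
check_cred_file() {
    file=$1; docroot=$2; findings=""

    [ -f "$file" ] || { echo "MISSING"; return 1; }

    # Resolve symlinked directories so the comparison uses real locations.
    real_dir=$(cd "$(dirname "$file")" && pwd -P) || return 1
    real_root=$(cd "$docroot" && pwd -P) || return 1
    case "$real_dir/" in
        "$real_root"/*) findings="$findings INSIDE_DOCROOT" ;;
    esac

    # Mode string from ls, e.g. "-rw-r--r--": char 6 is group write,
    # chars 8-10 are the permissions for everyone else.
    mode=$(ls -ld "$file" | cut -c1-10)
    other=$(printf '%s' "$mode" | cut -c8-10)
    gwrite=$(printf '%s' "$mode" | cut -c6)
    [ "$other" = "---" ] || findings="$findings WORLD_ACCESS"
    [ "$gwrite" = "-" ] || findings="$findings GROUP_WRITE"

    if [ -z "$findings" ]; then echo "OK"; return 0; fi
    echo "${findings# }"; return 1
}

# Constructed layout for demonstration: dummy files, placeholder contents.
demo=$(mktemp -d)
mkdir -p "$demo/htdocs/inc" "$demo/private"
echo '<?php /* placeholder */' > "$demo/htdocs/inc/db.php"
chmod 644 "$demo/htdocs/inc/db.php"
printf '[client]\nuser=app\npassword=placeholder\n' > "$demo/private/my.cnf"
chmod 600 "$demo/private/my.cnf"

check_cred_file "$demo/htdocs/inc/db.php" "$demo/htdocs" || true
check_cred_file "$demo/private/my.cnf" "$demo/htdocs"
```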
|
#8
>> > currently we store user/pass in a plain php file, but we want to have a
>> > better method to protect the MySQL login authentication by hiding the
>> > real user name & password
>>
>> Hiding it from whom? By putting it in a plain php file, you are hiding
>> it from all except those who can access the php file. So who else do
>> you wish to hide it from. The solution depends on this.
>
>okay, let consider it is a Perl script, running on the server, any
>advice?
>
>i.e. sometimes, you even don't want the root to know the password to
>the remote Database...

If your script can know the password, so can root. If you encrypt the password, your script also has to have the key to decrypt it. If it isn't necessary to decrypt it, then it *IS* the password. Some people have attempted this anyway (see Pay TV vendors with their descrambler boxes) but they get hacked in spite of supposedly "tamperproof" hardware.
|
#10
Gordon Burditt wrote:
> >> > currently we store user/pass in a plain php file, but we want to have a
> >> > better method to protect the MySQL login authentication by hiding the
> >> > real user name & password
> >>
> >> Hiding it from whom? By putting it in a plain php file, you are hiding
> >> it from all except those who can access the php file. So who else do
> >> you wish to hide it from. The solution depends on this.
> >
> >okay, let consider it is a Perl script, running on the server, any
> >advice?
> >
> >i.e. sometimes, you even don't want the root to know the password to
> >the remote Database...
>
> If your script can know the password, so can root. If you encrypt
> the password, your script also has to have the key to decrypt it.
> If it isn't necessary to decrypt it, then it *IS* the password.
> Some people have attempted this anyway (see Pay TV vendors with
> their descrambler boxes) but they get hacked in spite of supposedly
> "tamperproof" hardware.

Consider some applications like e-banking systems: how do they protect your data from being modified by the `root` account?