hiding database passwords

Anon

Hi,
Can anyone recomend a good way to make it very difficult for another user to read database passwords in php scripts?

In a virtual hosting environment, anyone with an account on the ISP's server can easily write a perl cgi script to read php source.

Obfuscation may help, but is there a better way? The Zend encoder is too expensive, and my ISP does not use the Optimizer anyway.

Thanks.

angulion

Have in Apaches config for the virtual host following lines if you have mysql:
php_value mysql.default_user "username"
php_value mysql.default_password "password"

if some other DB you could use Apaches
SetEnv DBUser username
SetEnv DBPasswd password
and then in your script get them with:
$username = getenv("DBUser");
$password = getenv("DBPasswd");

Anon

Yes I am using mysql, and what you suggest works in a .htaccess file, but another user will still be able to read the .htaccess file I think.

My host uses plesk to setup the database and I'd hoped that it would have set the values for me in the main Apache config files, but no, it doesn't.

At least, using the .htaccess file gets the passwords out of the php scripts, which is an improvement.

Thanks, Ian

angulion

You could ask to get .htaccess set to -rw-rw---- and own you, and some group that apache belongs to. alternativly apache's user as owner and some group that you & chosen ppl belong to but not all users. ?