Ticket #36255

faq how to hide db-password from php script?

Open Date: 2016-04-15 15:15 Last Update: 2016-04-21 13:43

Reporter:
Owner: (None)
Status: Open
Component:
MileStone: (None)
Priority: 5 - Medium
Severity: 5 - Medium
Resolution: None
File: None

Details

I am creating a PHP web-app/web-service with MySQL database access that should become open source.

Currently I have to put 2 PHP variables, $dbuser=... and $dbpassword=..., into the script to connect to the OSDN database

so everybody who gets the source code for the script will know my OSDN username/OSDN password.

What is the OSDN preferred way to handle this issue?

Since I do not have the permission to create database users like

 CREATE USER 'fdRatingUser'@'somehost.osdn.jp' IDENTIFIED BY '*******';
 GRANT SELECT ON fdappratingserv.knownApp TO 'fdRatingUser'@'somehost.osdn.jp';

I cannot add an additional database user that does not have my OSDN login credentials.

My proposal to solve this issue:

Every project gets two database users: one project-db-admin user that can create/modify tables and one additional project-db-webuser that can receive grants from the project-db-admin user.

It would be nice if this issue is documented in https://osdn.jp/projects/docs-en/wiki/ProjectWebDB_FAQ

Note: I cannot assign this ticket to a component because the component names are in Japanese and I do not speak Japanese.

Ticket History (2/2 Histories)

2016-04-15 15:15 Updated by: klaus3b
  • New Ticket "faq how to hide db-password from php script?" created
2016-04-21 13:43 Updated by: ishikawa
  • Component Update from (None) to その他 (Other)
  • Type Update from Feature Requests to Support Request
Comment

Reply to klaus3b

I am creating a PHP web-app/web-service with MySQL database access that should become open source. Currently I have to put 2 PHP variables, $dbuser=... and $dbpassword=..., into the script to connect to the OSDN database so everybody who gets the source code for the script will know my OSDN username/OSDN password. What is the OSDN preferred way to handle this issue?

You would set the correct permissions on this kind of file to hide it (make it unreadable) from non-project members.

For example, for project 'foo', target file 'bar':

  • The HTTP daemon running on the project web server will execute the script as user foo.p, group foo, so the web script should be readable by user foo.p or group foo. The script file should have user foo.p read permission or group foo read permission.
  • The file owner can read and write the file.
  • Other people should not be able to read the file 'bar'.

In this situation you can change the permissions of the file bar as below:

 chmod 640 bar
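
One way to check the advice in the reply above across a whole web directory, as an added example that is not part of the original ticket or of OSDN's tooling: it finds PHP files that assign $dbpassword and are still readable by "other", then applies the 640 mode. The function names and the demo files are hypothetical and the sample data is constructed.

```shell
#!/bin/sh
# Mode 640 = owner read/write, group read, other nothing. On the setup the
# reply describes, the web server reads the file through user foo.p / group foo.

# other_can_read FILE -> exit 0 if the "other" read bit is set.
other_can_read() {
    # ls -ld prints e.g. "-rw-r--r--"; character 8 is the other-read bit.
    [ "$(ls -ld -- "$1" | cut -c8)" = "r" ]
}

# list_exposed DIR -> print PHP files that assign $dbpassword and that
# users outside the owner and group can read.
list_exposed() {
    find "$1" -type f -name '*.php' | while IFS= read -r f; do
        if grep -q '\$dbpassword[[:space:]]*=' "$f" && other_can_read "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# lock_down DIR -> chmod 640 every exposed file and report each change.
lock_down() {
    list_exposed "$1" | while IFS= read -r f; do
        chmod 640 -- "$f" && printf 'fixed %s\n' "$f"
    done
}

# Demo on constructed files in a temporary directory (not real OSDN paths).
demo() {
    d=$(mktemp -d)
    printf '<?php $dbuser="u"; $dbpassword="example-only";\n' > "$d/bar.php"
    printf '<?php echo "hello";\n' > "$d/index.php"
    chmod 644 "$d/bar.php" "$d/index.php"
    lock_down "$d"      # reports bar.php only
    ls -l "$d"          # bar.php is now -rw-r-----, index.php unchanged
    rm -rf "$d"
}
demo
```

Only files that contain a credential assignment are tightened; pages without secrets keep their existing mode.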

Attachment File List

No attachments
