0

My username and password to access the MySQL database are currently located in a config file at the root level. I include the config file whenever I need access. Doesn't seem safe to me.

What can I do to protect the username and password? Thanks.

TimNguyenBSM

1 Answer

4

That password has to be stored somewhere in order for it to work. Even if you encrypted that password and someone accessed your config file, they could log in with that encrypted password. You can do the following 4 things to start with.

  1. Do not run your script as root; create a new username and assign only the required database permissions to it. Do not save your root password in your config.
  2. Allow access to your MySQL only from localhost; do not allow remote access.
  3. Review http://dev.mysql.com/doc/refman/5.1/en/password-hashing.html
  4. Do not store your config file in your web-accessible folders. Doing this, you will add some additional security, and unless your server itself is compromised, it will not be easy to get to that file using only HTTP.

However, none of these guarantee foolproof security; they just make it harder for someone to get there.

Hanky Panky
  • Thanks for the answer. I have come to the conclusion this is a difficult problem to solve for because "That password has to be stored somewhere in order for it to work." I will try a combination of your answer and the link provided by Thilo. – TimNguyenBSM Apr 23 '13 at 18:13
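A check for points 1, 2 and 4 of the answer above, as an added example that is not part of the original answer or comment: it audits a database config file for placement inside the web root, world-accessible permissions, a root login, and a non-local host. The INI layout with a `[mysql]` section, the key names, the account name `app_rw` and all paths are assumptions made for the example.

```python
import configparser
import stat
import tempfile
from pathlib import Path

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

def audit_db_config(config_path, web_root):
    """Return findings for a DB config file (assumed INI with a [mysql] section)."""
    findings = []
    cfg = Path(config_path).resolve()
    root = Path(web_root).resolve()
    # Point 4: the file must not sit anywhere under the web-accessible folder.
    if root in cfg.parents:
        findings.append("config file is inside the web root")
    # Credentials should never be readable or writable by "other" users.
    mode = stat.S_IMODE(cfg.stat().st_mode)
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append(f"config file is world-accessible (mode {mode:o})")
    # interpolation=None so a '%' in a password is not treated as a template.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read(cfg)
    db = parser["mysql"]
    # Point 1: the application must not connect as MySQL root.
    if db.get("user", "").strip().lower() == "root":
        findings.append("application connects as MySQL root")
    # Point 2, client side only: the server must also refuse remote logins.
    if db.get("host", "localhost").strip() not in LOCAL_HOSTS:
        findings.append("database host is not local")
    return findings

def demo():
    """Audit two constructed configs: a weak one in the web root, a hardened one outside."""
    with tempfile.TemporaryDirectory() as tmp:
        web_root = Path(tmp, "public_html")
        private = Path(tmp, "private")
        web_root.mkdir()
        private.mkdir()
        weak = web_root / "config.ini"
        weak.write_text("[mysql]\nhost = db.example.com\nuser = root\npassword = constructed%pw\n")
        weak.chmod(0o644)
        good = private / "config.ini"
        good.write_text("[mysql]\nhost = localhost\nuser = app_rw\npassword = constructed%pw\n")
        good.chmod(0o600)
        return audit_db_config(weak, web_root), audit_db_config(good, web_root)

if __name__ == "__main__":
    for result in demo():
        print(result or "no findings")
```
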