At 07:20 PM 09/04/2001 +0100, yahoo wrote:
>Hi all,
>I'd like to find out people's opinion on the following.
>
>If you have a perl cgi script which accesses a database, are there any
>security issues with having the DBI connection details in the perl script
>(rather than, say, an external file not in the document root - is this
>better?)?

My general policy regarding things like this is, the more paranoid you are,
the better :)

Having password information embedded in a publicly accessible document such
as a CGI script is playing with fire, as far as I'm concerned. There may be
a time when you least expect it when someone (or you) screws up the
webserver config, and accidentally allows cgi-scripts to be sent out as
plaintext documents. Ouch.

That's why for all of my Perl and PHP scripts, I "include" the database
server connection details using an include file which is saved outside of
the webserver root. Of course, this isn't 100% secure, since anyone who has
local filesystem access to the server can still get at the information, but
then again, if someone has achieved that level of access, you have bigger
problems than worrying about your DBI include files and CGI scripts ;)

Aloha,
mel


--
mel matsuoka                    Hawaiian Image Productions
Chief Executive Alphageek              (vox)1.808.531.5474
[EMAIL PROTECTED]                  (fax)1.808.526.4040
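
The include-file approach described in the reply above, as an added example that is not part of the original message. The `load_db_config` helper, the `db.conf` name and its `key = value` layout are hypothetical, and the refusal of world-accessible files is an extra check beyond what the message describes; temporary directories stand in for the document root and the private directory.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Cwd qw(realpath);
use File::Temp qw(tempdir);
use Fcntl qw(:mode);

# Load "key = value" connection settings, refusing files in unsafe places.
sub load_db_config {
    my ($path, $docroot) = @_;
    my $real = realpath($path)    or die "cannot resolve $path\n";
    my $root = realpath($docroot) or die "cannot resolve $docroot\n";

    # A config file under the document root can be served if the CGI setup breaks.
    die "$real is inside document root $root\n"
        if index("$real/", "$root/") == 0;

    open my $fh, '<', $real or die "cannot open $real: $!\n";
    my @st = stat($fh) or die "cannot stat $real: $!\n";
    # Refuse files that any local account can read, write or execute.
    die sprintf("%s has mode %04o, world access not allowed\n", $real, $st[2] & 07777)
        if $st[2] & S_IRWXO;

    my %cfg;
    while (my $line = <$fh>) {
        next if $line =~ /^\s*(?:#|$)/;          # skip comments and blank lines
        $cfg{$1} = $2 if $line =~ /^\s*(\w+)\s*=\s*(.*?)\s*$/;
    }
    close $fh;
    for my $key (qw(dsn user password)) {
        die "missing '$key' in $real\n" unless defined $cfg{$key};
    }
    return \%cfg;
}

# Constructed demo layout: htdocs/ is the document root, private/ sits beside it.
my $base = tempdir(CLEANUP => 1);
mkdir "$base/htdocs"  or die "mkdir: $!\n";
mkdir "$base/private" or die "mkdir: $!\n";
my $conf = "$base/private/db.conf";
open my $out, '>', $conf or die "cannot write $conf: $!\n";
print $out "dsn = dbi:mysql:database=example\nuser = webapp\npassword = constructed-secret\n";
close $out;
chmod 0600, $conf or die "chmod: $!\n";

my $cfg = load_db_config($conf, "$base/htdocs");
print "loaded settings for user $cfg->{user}\n";
# In the CGI script: DBI->connect(@{$cfg}{qw(dsn user password)}, { RaiseError => 1 });
```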
