Package: mysql-server
Version: 5.0.32-7etch1
Severity: important

There is an obvious need for scripts to securely access mysql.  Using a
command-line parameter for a password is known to be insecure and documented
as such in mysql(1).

A simple solution to this problem is to offer another command-line parameter
(maybe -P) that specifies the name of a file which contains a password.

So if I want to allow a PHP script to connect to MySQL I would create a
file that is only readable by the www-data user which contains the password
and the script could call "mysql -u www-data -P /etc/apache2/password-file".


-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-xen-686
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)

Versions of packages mysql-server depends on:
ii  mysql-server-5.0           5.0.32-7etch1 mysql database server binaries

mysql-server recommends no packages.

-- no debconf information


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Reply via email to