Re: [PHP] How can I secure database passwords used by PHP webpages

2005-03-02 Thread Richard Lynch
Rob Tanner wrote: > We're a four year college. Some maintainers are faculty, some are > staff and some are work-study (students) and centrally we have little > say over who can and can't. You can put super crucial username/passwords into httpd.conf or root-readable files that get included into ht

RE: [PHP] How can I secure database passwords used by PHP webpages

2005-03-02 Thread Chris W. Parker
Dan Tappin on Wednesday, March 02, 2005 7:32 AM said: > The best way is to not store the password at all. > > Store a hash of the password like this: > > INSERT INTO users SET pass = MD5('password'); > > Now not knowing how you authenticate those passwords this mi

Re: [PHP] How can I secure database passwords used by PHP webpages

2005-03-02 Thread Dan Tappin
The best way is to not store the password at all. Store a hash of the password like this: INSERT INTO users SET pass = MD5('password'); Now not knowing how you authenticate those passwords this might not work. If it's an internal web page via PHP all you do is MD5 the user's supplied password and

Re: [PHP] How can I secure database passwords used by PHP

2005-03-02 Thread Jason Barnett
>> >>Who are these "other webpage maintainers" and why do they have access >>to your PHP source code? This isn't a PHP issue. The MySQL password >>has to be in a file as plain text; there's no getting around that (as >>recently discussed on here). Your issue is controlling access to the >>machine a

Re: [PHP] How can I secure database passwords used by PHP webpages

2005-03-01 Thread Rob Tanner
John, We're a four-year college. Some maintainers are faculty, some are staff and some are work-study (students) and centrally we have little say over who can and can't. We use webdav but people inevitably share passwords (policies against doing such notwithstanding) and that's a problem we can

Re: [PHP] How can I secure database passwords used by PHP webpages

2005-03-01 Thread John Holmes
Rob Tanner wrote: We have a number of PHP webpages that access one of several MySQL databases and while the PHP files that contain the passwords cannot be accessed via the web, we are becoming increasingly concerned over the possibility of other webpage maintainers viewing those files. How have ot