Massimo, I too am concerned about the security of my DB password from prying eyes. I understand that the database connection URL uses localhost, as in

    db=SQLDB('mysql://username:[EMAIL PROTECTED]:3306/mydatabase')

When I upload to a shared webhosting server, to connect to the DB I am using my domain, as in

    db=SQLDB('mysql://username:[EMAIL PROTECTED]:3306/mydatabase')

Is this secure? It does make me wonder if I am sending this information in the clear. :-/

On Oct 15, 8:50 pm, mdipierro <[EMAIL PROTECTED]> wrote:
> In a typical production setting you would have a web server exposed to
> the internet and a secure local network. The connection with the
> database should go only over the local network. ssh will protect you
> from employees snooping around (and stealing database password) but
> will make the database connection more of a bottleneck. Neither ssh nor
> password will protect you in case somebody hacks into the web server
> and acquires the credentials of the web server. If your web app can
> access the DB, the attacker can too. To some extent one can also
> configure the db engine to accept only connections from certain IPs
> and limit the roles of the user associated to the web app.
>
> This is why it is very important to try to prevent vulnerabilities in web
> apps.
>
> Massimo
>
> On Oct 15, 5:50 pm, achipa <[EMAIL PROTECTED]> wrote:
>
> > Depends on why he needs to hide the connection parameters in the first
> > place...
>
> > Yarko: you can always do mysql over ssh. Not for the faint at heart,
> > but it IS passwordless and secure.
>
> > On Oct 15, 9:44 pm, yarko <[EMAIL PROTECTED]> wrote:
>
> > > I think the issue is: if the db server is on the same box, and the
> > > box is secure, then that's a limited issue;
> > > If the db server is across a network, then nothing web2py (or
> > > anything else connecting) can help, without the support of the db -
> > > this practically means you find an alternate way of authenticating on
> > > the db.
>
> > > On Oct 15, 2:05 pm, mdipierro <[EMAIL PROTECTED]> wrote:
>
> > > > Not that I know of.
>
> > > > On Oct 15, 11:42 am, Pai <[EMAIL PROTECTED]> wrote:
>
> > > > > Is there a way to hide password in the connection-string?
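
An added example, not part of the thread and not web2py code: one way to keep the password out of the model source and to notice when the database host is not on loopback or a private network, which is the case the top post asks about. The INI layout, the file path and both function names are assumptions made for this example; as noted in the thread, this does not help once the web server itself is compromised.

```python
import configparser
import ipaddress
import os
import stat

def link_is_local(host):
    """True only when host is 'localhost' or a loopback/private IP literal."""
    if host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a domain name: cannot be assumed to stay on the LAN
    return ip.is_loopback or ip.is_private

def load_db_uri(path):
    """Return (uri, local) from an INI file that only its owner may access."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError("%s is accessible to group/other; chmod 600 it" % path)
    cfg = configparser.ConfigParser(interpolation=None)  # '%' in a password is literal
    cfg.read(path)
    s = cfg["mysql"]  # hypothetical section name
    user, password, host = s["user"], s["password"], s["host"]
    port, name = s.getint("port", fallback=3306), s["database"]
    # Conservative assumption: the URI is split on these characters and is not
    # percent-decoded, so refuse values that would make it ambiguous.
    for field in (user, password):
        if any(c in field for c in "@:/"):
            raise ValueError("user/password must not contain '@', ':' or '/'")
    uri = "mysql://%s:%s@%s:%d/%s" % (user, password, host, port, name)
    return uri, link_is_local(host)

# In a model file (hypothetical path, kept outside the application tree):
#   uri, local = load_db_uri("/home/me/private/db.ini")
#   db = SQLDB(uri)   # if not local, the link crosses a network you do not control
```
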