kiss-o-matic Posted November 6, 2007

So, what's the standard here? I realize that my site right now is probably not optimal. I have a PHP file I include which connects to my database (and stores the database passwords). Back on a provider, they were attacked and Perl was stopped. So, when someone accessed the site, it just displayed the code, in all its glory. As nothing is perfect, I assume that can happen now.

So, considering you need a password to actually get to the database, I'm interested in hearing of secure methods to store the DB password. I guess if you refuse connections from remote machines in MySQL that's a start. Renaming the phpMyAdmin link would be next.

Thoughts?

Cheers

teng84 Posted November 6, 2007

Make all your code as .php or define them as constants and put them in one page (PHP page).

toplay Posted November 6, 2007

> Make all your code as .php or define them as constants and put them in one page (PHP page).

That won't fix the issue that kiss-o-matic reported about what happened with the Perl script. That could happen in PHP too.

You could Zend encode/guard your scripts: http://www.zend.com/products/zend_guard

FYI - You can use md5() for saving user passwords in a table.

kiss-o-matic Posted November 6, 2007

Thanks. So Zend Guard basically makes executables out of your PHP scripts? I'm not so worried about people seeing the code, or the database structure. It's mainly the passwords.

> FYI - You can use md5() for saving user passwords in a table.

I md5() users' passwords, but not the passwords in the MySQL table (the ones I'm worried about).

I guess it's much more likely in this situation. If Apache dies, you shouldn't be able to see *anything* on the box. Can Apache spontaneously lose PHP support? Perl obviously runs on its own, so is far easier to break while leaving Apache running fine. So, I guess when you think of it the odds are somewhat slim.
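
As an added example (not code from any poster in this thread): one way to handle the failure described in the opening post, where a stopped interpreter makes the server send script source as text, is to load the credentials from a file kept outside the document root and refuse any other layout. The `db.ini` file name, its keys, the `public_html` directory and the `load_db_credentials()` helper are assumptions made for illustration.

```php
<?php
// Added example; file layout and INI key names are assumptions, not from the thread.
// Loads DB credentials only from a file the web server cannot serve as text.
function load_db_credentials(string $iniPath, string $docRoot): array
{
    $real = realpath($iniPath);
    $root = realpath($docRoot);
    if ($real === false || $root === false) {
        throw new RuntimeException('credentials file or document root not found');
    }
    // Refuse a file that sits under the document root.
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) === 0) {
        throw new RuntimeException('credentials file is inside the document root');
    }
    // Refuse a file other local accounts can read (POSIX permissions assumed).
    $mode = fileperms($real) & 0777;
    if ($mode & 0007) {
        throw new RuntimeException(sprintf('mode %04o is world-accessible', $mode));
    }
    $cfg = parse_ini_file($real, false, INI_SCANNER_RAW);
    if ($cfg === false) {
        throw new RuntimeException('credentials file is not valid INI');
    }
    foreach (['host', 'name', 'user', 'pass'] as $key) {
        if (!isset($cfg[$key]) || $cfg[$key] === '') {
            throw new RuntimeException("missing key: $key");
        }
    }
    return $cfg;
}

// Constructed demo: a temp directory stands in for the hosting account layout.
$base = sys_get_temp_dir() . '/dbcred_demo_' . getmypid();
mkdir("$base/public_html", 0755, true);
$ini = "host = localhost\nname = appdb\nuser = app_rw\npass = constructed-sample\n";
foreach (["$base/db.ini", "$base/public_html/db.ini"] as $path) {
    file_put_contents($path, $ini);
    chmod($path, 0640);
    try {
        $c = load_db_credentials($path, "$base/public_html");
        echo "$path: loaded for user {$c['user']}\n";
    } catch (RuntimeException $e) {
        echo "$path: refused ({$e->getMessage()})\n";
    }
    unlink($path);
}
rmdir("$base/public_html");
rmdir($base);
```

The included connection script can stay under the web root; if its source is ever served as text, it reveals only the path to the credentials file, not the password.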