[nycphp-talk] Where to store credentials and/or keys
Aaron Fischer
agfische at email.smith.edu
Mon Aug 14 14:03:06 EDT 2006
Greetings listers (or is it listies?),
Following up on recent emails re. taking steps to secure code and data,
I have a new question.
One issue is regarding where to store MySQL database credentials
(uname, pwd). The other is where to store an encryption/decryption key.
My situation also deals with operating in a shared hosting environment
of sorts.
One solution recommended is to store code such as database credentials
in a folder that is outside of the document root on the web server.
Additionally, ask for the server admin to set permissions which will
only allow access by my user account.
However, I am not sure if that protects it from php executing on that
directory. For example, if someone exploits another part of the server
and gains the ability to access areas of the website by utilizing php
code to traverse the file system and open documents, could they access
that directory?
It seems like the answer is yes and therefore this solution has holes in it.
Comments appreciated on implementing this tactic and/or suggestion for
alternative solutions.
I now have security books from Shiflett and Snyder/Southwell on my desk
and have been going through them, but frankly I'm a bit jumbled with all
the new topics so am hoping for some friendly pointers in the right
direction. Looming deadlines are producing some anxiety as well. Sigh.
Thanks.
-Aaron
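Added example (editor's code, not from Aaron's post or any reply on the list). It shows the "outside the document root" tactic in PHP for both the database credentials and the encryption key, with the checks that make the tactic meaningful: the file must not be fetchable over HTTP, must be owned by the uid PHP is actually running as, and must not be group- or world-readable. The paths (/home/aaron/private, /home/aaron/public_html), the file names and the array keys are hypothetical. The uid check is also where the worry in the post shows up concretely: on a host where every account's PHP runs as the same web-server user (classic mod_php), a file that user can read is readable by every tenant's scripts, and this loader will either reject the file or, if you chown it to the web-server user, stop protecting you. The tactic only isolates tenants when PHP runs as your own account (suexec, suPHP, or a per-account php-fpm pool).

```php
<?php
declare(strict_types=1);

// Example code added by the editor; not part of the original post.
// Assumed (hypothetical) layout:
//   /home/aaron/public_html        document root, served by the web server
//   /home/aaron/private            owned by aaron, mode 0700, never served
//   /home/aaron/private/db.php     mode 0600, contents:
//       <?php return ['host' => 'localhost', 'user' => 'appuser',
//                     'pass' => 'change-me', 'name' => 'appdb'];
//   /home/aaron/private/app.key    mode 0600, exactly 32 raw key bytes

/**
 * Refuse to use $path unless it is (a) outside $docRoot, so it can never be
 * fetched over HTTP, (b) owned by the uid PHP is executing as, and
 * (c) not readable by group or others.  Returns the canonical path.
 */
function assertPrivateFile(string $path, string $docRoot): string
{
    $real = realpath($path);
    if ($real === false || !is_file($real)) {
        throw new RuntimeException("not a regular file: $path");
    }

    // (a) reject anything under the document root, even via symlink
    $rootReal = realpath($docRoot);
    if ($rootReal !== false) {
        $prefix = rtrim($rootReal, '/') . '/';
        if (strncmp($real, $prefix, strlen($prefix)) === 0) {
            throw new RuntimeException("$real is inside the document root");
        }
    }

    $st = stat($real);
    if ($st === false) {
        throw new RuntimeException("stat failed for $real");
    }

    // (b) ownership. Only meaningful when PHP runs as the account's own uid
    // (suexec, suPHP, per-account php-fpm pool). Under a shared web-server
    // user every tenant's scripts run as that uid, so this check cannot
    // separate your code from theirs.
    if (function_exists('posix_geteuid') && $st['uid'] !== posix_geteuid()) {
        throw new RuntimeException("$real is not owned by the uid PHP runs as");
    }

    // (c) mode 0600 or 0400: no group/other bits at all
    if (($st['mode'] & 0077) !== 0) {
        throw new RuntimeException(sprintf(
            '%s is group/world accessible (mode %o); chmod 600 it',
            $real, $st['mode'] & 0777
        ));
    }
    return $real;
}

/** Load database credentials from a PHP file that returns an array. */
function loadDbCredentials(string $path, string $docRoot): array
{
    $creds = require assertPrivateFile($path, $docRoot);
    if (!is_array($creds)) {
        throw new RuntimeException("credentials file must return an array");
    }
    foreach (['host', 'user', 'pass', 'name'] as $k) {
        if (!isset($creds[$k]) || !is_string($creds[$k])) {
            throw new RuntimeException("credentials file is missing '$k'");
        }
    }
    return $creds;
}

/** Load a raw encryption key of exactly $len bytes from a private file. */
function loadKey(string $path, string $docRoot, int $len = 32): string
{
    $key = file_get_contents(assertPrivateFile($path, $docRoot));
    if ($key === false || strlen($key) !== $len) {
        throw new RuntimeException("key file must contain exactly $len bytes");
    }
    return $key;
}

// Usage with the hypothetical paths above.
$docRoot = $_SERVER['DOCUMENT_ROOT'] ?? '/home/aaron/public_html';
$creds   = loadDbCredentials('/home/aaron/private/db.php', $docRoot);
$db      = new mysqli($creds['host'], $creds['user'], $creds['pass'], $creds['name']);
$key     = loadKey('/home/aaron/private/app.key', $docRoot);
```

Failing loudly is deliberate: a credentials file that is world-readable or sitting under public_html should stop the application at startup rather than be used quietly. The loader does not, and cannot, protect the key or password from code that already runs as the same uid; that is a property of how the host runs PHP, which is the question to put to the server admin.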