Posted by CJ Llewellyn on 05/13/05 01:20
On Thu, 12 May 2005 13:01:37 -0700, Pat A wrote:
> We have a dilemma. We are storing our database password in an include
> file that resides outside of the web root. The password is in plain
> text. So, no one can get that password because it can't be served up
> by the web server. So far, so good.
>
> The customer wants all of our passwords encrypted. So, how do I go
> about securely encrypting that password? If I use mcrypt, I have to
> store a key and an IV somewhere...and if those are in clear text, I
> might as well just store the password in clear text. That is to say, I
> could encrypt the password with a given key and IV, and then hard code
> that key and IV into my app and put the encrypted password into the
> database. But, there's really no security in that.
The only way to avoid storing the password on the server is for the user
to supply it on each request he/she makes to the application.
You could use the database's own authentication system to regulate access.
Start by having a low privileged user name & password that has read only
access to the tables used to generate public content.
Then for each operator of the system create users with higher levels of
access.
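The separation described in the reply above, carried out with PDO as an added example that is not part of the thread: it assumes MySQL, a database named `site` with a table `articles`, a read-only account `web_public`, and one database account per operator created with the GRANTs sketched in the comment.

```php
<?php
// Added example (not the poster's code). Assumed one-time setup by the DBA:
//   CREATE USER 'web_public'@'localhost' IDENTIFIED BY '...';
//   GRANT SELECT ON site.articles TO 'web_public'@'localhost';
//   CREATE USER 'alice'@'localhost' IDENTIFIED BY '...';
//   GRANT SELECT, INSERT, UPDATE ON site.articles TO 'alice'@'localhost';
// Only the web_public password is stored on the web server (in an include outside
// the web root). An operator's password arrives with each request (HTTP Basic
// auth, which must run over TLS) and is used only to open that operator's connection.

const DSN = 'mysql:host=localhost;dbname=site;charset=utf8mb4';

// Read-only connection for anonymous visitors: this account can do nothing but SELECT,
// so disclosure of its password does not give write access to anything.
function publicConnection(): PDO
{
    return new PDO(DSN, 'web_public', 'public-account-password', [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
}

// Connection for an operator, opened with the credentials the operator just supplied.
// The database itself verifies the password and enforces that operator's own GRANTs.
function operatorConnection(): ?PDO
{
    if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
        header('WWW-Authenticate: Basic realm="Operators"');
        http_response_code(401);
        return null;
    }
    // Restrict the account name to a conservative character set; the password is passed
    // as a connection argument, never interpolated into SQL text.
    if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $_SERVER['PHP_AUTH_USER'])) {
        http_response_code(401);
        return null;
    }
    try {
        return new PDO(DSN, $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'], [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        ]);
    } catch (PDOException $e) {
        http_response_code(401); // the database rejected the credentials
        return null;
    }
}

// Usage on an admin page: public pages would call publicConnection() instead.
$db = operatorConnection();
if ($db === null) {
    exit;
}
$stmt = $db->prepare('UPDATE articles SET title = ? WHERE id = ?');
$stmt->execute([$_POST['title'] ?? '', (int) ($_POST['id'] ?? 0)]);
```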