Is it safe to keep database password and username in config database file in live site
#13

[eluser]Andrew Hull[/eluser]
I think you will find Joshua Logsdon gets his point across a lot more clearly ... without the personal abuse. Flame Off, Brain On.

My point, for what little it is worth, is that while that particular security issue (Nginx 0.7.64 etc) might not affect you, the next one may, but by then it is too late to put the genie back in the bottle, password stolen, damage done.

For example http://www.securegoose.org/2009/11/tls-r...y-cve.html
Patched here http://nginx.org/download/patch.cve-2009-3555.txt

This does relate to Nginx 0.7.64 (but not to directly access .php code) and potentially allows a man in the middle attacker to steal passwords. Once a useful password has been obtained, the hacker may be able to crawl all over the web root, and in the process collect all of the PHP files, in one of which is your database password and user name.

cat * | grep password

Couple this with the tendency we all have, but would never admit to, namely to use the same password for many things, and chaos will ensue. Black hat on at a jaunty angle, job done.

Yorick, I don't expect you to agree, 'cos you are taking this all personally, rather than considering it logically. However, while Yorick is off upgrading his web server, a bit of advice for the rest of you: always keep any passwords at the very least hashed, and out of the web root.

Some of us old trolls have been doing this web thing for a very long time, sometimes we even get paid for it.

Now I am off for a quick douche, and then I think I'll go ask Rambo and the rest of the trolls to help me count my Karma points. ;¬)
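
An added example, not part of the original post: a defender's audit for the "out of the web root" advice above, run before someone else runs the `cat * | grep password` sweep for you. The key names matched and the script name `audit.sh` are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): audit a web root for embedded credentials.
# Key names matched (password, passwd, db_pass) are assumptions; extend as needed.

# audit_webroot ROOT
# Prints the path of every text file under ROOT that contains a non-empty
# password-style assignment. Only file names are printed, never the matching
# line, so the audit output does not leak the secret. Returns 1 if any file hits.
audit_webroot() {
    local root="$1" hits
    local pattern="(password|passwd|db_pass)['\"]?\]?[[:space:]]*(=>|=|:)[[:space:]]*['\"]?[^'\"[:space:];]"
    hits=$(grep -rIlEi -- "$pattern" "$root" 2>/dev/null | sort)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# is_under_webroot FILE ROOT
# Returns 0 if FILE's directory resolves (symlinks followed) to ROOT or below,
# 1 if it is outside, 2 if either path cannot be resolved.
is_under_webroot() {
    local file_dir root
    file_dir=$(cd "$(dirname "$1")" 2>/dev/null && pwd -P) || return 2
    root=$(cd "$2" 2>/dev/null && pwd -P) || return 2
    case "$file_dir/" in
        "$root"/*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Usage: ./audit.sh /path/to/webroot
if [ "$#" -gt 0 ]; then
    audit_webroot "$1"
fi
```

A non-zero exit from `audit_webroot` makes it usable as a deployment gate; `is_under_webroot` confirms that a relocated config file really did leave the document root and is not reachable through a symlink.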


Messages In This Thread
Is it safe to keep database password and username in config database file in live site - by El Forum - 01-24-2010, 08:37 AM


