Encrypted MySQL password in settings.php

Started by buddha, February 17, 2004, 09:54:19 PM

buddha

With YaBBSE, the password to access your MySQL database is in plain text form in the settings.php file, which means that with webspace shared with others, other people can know your database password etc.

I'm a complete novice at all this, but I'm assuming that this is a bad thing? If so, would it be feasible to have this password stored in encrypted form in settings.php, or whatever the equivalent is in SMF?

Just a thought anyhow...

[Unknown]

You can't really encrypt it, because unless it's reversible that would just end up meaning you couldn't connect to the MySQL server...

-[Unknown]

Chris Cromer

Well you could always base64_encode(); it. Then in the source have it base64_decode(); the password.

It won't stop people from being able to get the password, but it will make sure it isn't just plain text.

Personally I think this should be more of a mod rather than built in though.
Chris Cromer

"I was here, here I was, was I here, sure I was" - The little voice in my head.

dschwab9

I think I'd be more concerned about the fact that others on your server can see your files - That definitely should not be possible.  If the server is properly secured, no one should be able to read that file, so the password being plain text should not be a big issue.

Chris Cromer

Well reading is one thing, but if they could write to them, then there would be some very serious problems. ;D

Although having a shared server that allows people to read other people's files is pretty stupid as well. But I have seen stupider... a shared database for different sites. I saw a site that had phpmyadmin installed and could access all the other db's for the other hosted sites. And then some of those people hosted on it were surprised when their boards got hacked by someone else hosted on the server. ::)

Spaceman-Spiff

Quote from: Chris Cromer on February 18, 2004, 04:54:59 PM
I saw a site that had phpmyadmin installed and could access all the other db's for the other hosted sites. And then some of those people hosted on it were surprised when their boards got hacked by someone else hosted on the server. ::)

I had that in my old host
but I can only see the other databases and can't access them

dschwab9

Quote from: Chris Cromer on February 18, 2004, 04:54:59 PM
But I have seen stupider... a shared database for different sites. I saw a site that had phpmyadmin installed and could access all the other db's for the other hosted sites.

SCARY!  :-X

adonettos

I apologize for bringing this up again, but I had this question myself today.

Is it in any way possible for someone to see the DB password in Settings.php which is clearly in plaintext format?
If yes, is there a way to fix this? A mod perhaps?

If there's no way out of this, I only need to know so that I at least use a password I never use anywhere else..

Arantor

No, there isn't.

Because however you encrypt it, you only have to decrypt it straight away to actually use it, and that usually means another password... which will have to be in plain text...

You can obfuscate it and make it less immediately obvious to someone looking at the code but it's not really worth the effort.
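
The point made earlier in the thread, that who can read or write the settings file matters more than how the password is written inside it, can be checked directly. The script below is an added example, not part of the thread or of SMF; it assumes PHP runs as the account owner (for example under suEXEC or a per-user PHP-FPM pool) so that mode 600 still lets the forum read the file, and the temporary Settings.php it creates is constructed sample data.

```shell
#!/bin/sh
# Added example: report which permission bits expose a config file that holds
# a database password to other accounts on a shared host.

# Prints one line per finding.
# Returns 0 if only the owner has access, 1 if group/other bits are set,
# 2 if the file does not exist.
audit_secret_file() {
    f=$1
    problems=0
    if [ ! -f "$f" ]; then
        echo "MISSING: $f"
        return 2
    fi
    # find -perm -NNN matches when every bit in NNN is set on the file.
    for check in 004:WORLD-READABLE 002:WORLD-WRITABLE \
                 040:GROUP-READABLE 020:GROUP-WRITABLE; do
        bit=${check%%:*}
        label=${check#*:}
        if [ -n "$(find "$f" -prune -perm "-$bit")" ]; then
            echo "$label: $f"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# Demonstration on a constructed file (no real credentials).
demo=$(mktemp -d)
printf '%s\n' '<?php // constructed sample, no real credentials' > "$demo/Settings.php"

chmod 644 "$demo/Settings.php"      # common default: every local user can read it
audit_secret_file "$demo/Settings.php" || echo "-> tighten permissions"

chmod 600 "$demo/Settings.php"      # owner-only
audit_secret_file "$demo/Settings.php" && echo "OK: owner-only access"

rm -rf "$demo"
```

If the web server runs as a separate shared user rather than as the account owner, mode 600 will stop the forum from reading its own settings, and the isolation has to come from the host's configuration instead.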
