(no subject)

[chhotii]

Astonishingly, for the first time ever I am writing CGI scripts for web pages that will be accessible from off-campus. (Catching up on those mid-1990's technical skills...) Of course I am using mysql for all server-side data handling, so each script starts off with:

$dbh = DBI->connect("dbi:mysql:SleepCog:localhost", 'cgi', 'MyFavoritePassword') ||
die "cannot open database: $!";

Um. See the 3rd argument in the call to DBI->connect()? That's the database password for the database user named cgi. This seems wrong, somehow, to have a password hard-coded into scripts, but offhand I'm not seeing other options. What's the right way to do this?

Comments

[ron_newman]

I'd put that password variable in its own file, and include that from each script. That way if you change the password, you only have to change it in one place.

[ceo]

The standard solution appears to be to store the password in the MySQL config file (or another file) and make sure it has 0600 permissions.

[istemi.livejournal.com]

Another approach is setting it as an environment variable and making the script read from it. Keeps you from accidentally saving your password in version control and makes it easier to have test and production environments.

I don't recognize that language so can't point to an example.

[achinhibitor.livejournal.com]

Assuming your language can read files (it looks like Perl), you could put the password in a file, and each script could open the file and read it.

An environment variable might be more convenient, but beware that environment variables can be displayed by ps, so they're not secure relative to other processes on the same system.