I have been so interested in PHP security lately. I have been trying to figure out whether it is possible to hide the database password from the server admin.
You know, normally you would write
mysql_connect("host", "username", "password");
Problem:
1. Admin can access whatever file you placed the above in.
Earlier I read that you can use SetEnv to create something like $_SERVER['NNTP_PASS']
misc_config.cnf
SetEnv NNTP_LOGIN "login"
SetEnv NNTP_PASS "passwd"
SetEnv NNTP_SERVER "1.2.3.4"
httpd.conf
<VirtualHost 1.2.3.4>
Include "misc_config.cnf"
</VirtualHost>
echo $_SERVER['NNTP_LOGIN']; // login
echo $_SERVER['NNTP_PASS']; // passwd
echo $_SERVER['NNTP_SERVER']; // 1.2.3.4
Problems
1. I don't have access to httpd.conf (I am on shared hosting)
2. Admin can have access to misc_config.cnf
Please I need help, thanks.
Hide Database Password from the Server Admin
- akuji36
- Forum Contributor
- Posts: 190
- Joined: Tue Oct 14, 2008 9:53 am
- Location: Hartford, Connecticut
Re: Hide Database Password from the Server Admin
Hello
I believe you must give up total control on shared hosting.
If you would like total control (passwords and file access)
you must run your own host from your own machine (localhost)
or a remote server from which you have admin rights.
The administrator has control over everything that happens on his
server. As one of his many users you cannot hide anything from
the administrator.
thanks
Rod

Re: Hide Database Password from the Server Admin
How about obfuscation? Do you think it will help?
Re: Hide Database Password from the Server Admin
cygital wrote: How about obfuscation? Do you think it will help?
No, for plenty of reasons.
For one, if all else fails, the admin might even be (secretly) running an extra specially modified PHP version which logs the parameters of the mysql_connect function whenever you call it.
Bottom line: anything your server can do, the server's admin can do as well.
Re: Hide Database Password from the Server Admin
Thanks for your reply. So, I have no choice but to trust my server admin.
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: Hide Database Password from the Server Admin
If the user has write access to anywhere on the file system, he should be able to get your password.
Never hire admins you can't trust. A foundation can't be based on suspicion.