Reputation: 18046
unix password service for storing plain-text password in php web application?
Is there a unix service, or at least one I could cobble together, for storing a plaintext password for a PHP web application?
In composing this question, I found that c# provides a service for storing passwords in an encrypted format.
I have to store plain-text passwords because the application is connecting to various ftp servers. Not all of these servers are configured to use public keys. The two vectors I'm looking to protect against are database dumps and someone getting the plaintext password from a file on the filesystem.
I was wondering if there is some way that the server OS itself can store an encrypted string for the user that the app is running under -- apache, www-data or whomever. I understand that such a system is still vulnerable to someone getting the access to those accounts, or uploading malicious PHP scripts, but I feel that with our current practices, those are acceptable risks. I am just looking not to store the plaintext password in the db or on the filesystem.
Upvotes: 2
Views: 735
Answers (1)
Reputation: 976
From your question I assume you are using Apache. The Apache config files should only be readable by root, so any information stored here should be pretty safe. If someone get root access they probably would be able to extract the password somehow anyway.
You can use Apaches SetEnv to set an environment variable:
SetEnv mySQL_PASS somePassword
This will be available for PHP using the $_SERVER superglobal.
echo $_SERVER['mySQL_PASS'];
Upvotes: 1
Related Questions
- Encrypting Passwords
- Handle Plaintext Passwords... Safely
- Stored passwords in plaintext?
- Secure PHP password entry possible?
- What's the most secure way to encrypt a password using PHP without a database
- Secure password storage
- Secure password encryption/decryption of strings in PHP
- PHP security - password and credentials management?
- Simple password protection in PHP
- encrypting password using php