WebApp Sec mailing list archives
RE: MYSQL and PHP
From: "Wall, Kevin" <Kevin.Wall () qwest com>
Date: Thu, 18 May 2006 00:35:29 -0500
For Windows, I'd say that using DPAPI is the way to go, using the IIS_USERxxx or similar user's credentials to do the encryption.

Michael Howard...are you out there? Doesn't Microsoft recommend using DPAPI (which if I'm not mistaken is not part of the .NET 2.0 Framework)?

---
Kevin W. Wall
Qwest Information Technology, Inc.
Kevin.Wall () qwest com
Phone: 614.215.4788

"The reason you have people breaking into your software all over the place is because your software sucks..."
-- Former whitehouse cybersecurity advisor, Richard Clarke, at eWeek Security Summit

-----Original Message-----
From: bugtraq () cgisecurity net [mailto:bugtraq () cgisecurity net]
Sent: Tuesday, May 16, 2006 10:30 AM
To: Gerald Quakenbush
Cc: John Madden; webappsec () securityfocus com
Subject: Re: MYSQL and PHP

Windows provides a way in ASP.NET to store the user/pass encrypted in the registry and simply referencing it in your web.config allows it to automagically work.

I'm curious what solutions for php exist to allow encrypted storage of sql login credentials so we can avoid the whole storage in cleartext on the filesystem?

- zeno
http://www.cgisecurity.com/ Web Security news, and More
http://www.cgisecurity.com/index.rss [RSS Feed]

--
This communication is the property of Qwest and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments.
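As an added illustration of the DPAPI approach discussed in this message (not code from the thread or from Microsoft), the PowerShell below protects a database connection string under the current account with the .NET ProtectedData class and reads it back. The connection string, file path and entropy label are constructed sample values, and Windows PowerShell 5.1 is assumed.

```powershell
# Added example: DPAPI-protected storage of a DB connection string.
# Run as the account the web application runs under; with CurrentUser scope
# only that account, on that machine, can decrypt the blob.
Add-Type -AssemblyName System.Security

$scope    = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
# Constructed sample values (assumptions, not from the thread):
$plain    = 'Server=db.example.internal;Uid=webapp;Pwd=CONSTRUCTED-SAMPLE;'
$blobPath = Join-Path $env:TEMP 'db-cred.dpapi'
# Optional entropy: an application-specific label bound to the blob.
# It is not a secret; it only keeps other code running as the same
# account from decrypting the blob without knowing the label.
$entropy  = [Text.Encoding]::UTF8.GetBytes('webapp-db-v1')

function Protect-Secret([string]$Text) {
    $bytes = [Text.Encoding]::UTF8.GetBytes($Text)
    try     { [Security.Cryptography.ProtectedData]::Protect($bytes, $entropy, $scope) }
    finally { [Array]::Clear($bytes, 0, $bytes.Length) }   # wipe plaintext buffer
}

function Unprotect-Secret([byte[]]$Blob, [byte[]]$Entropy = $entropy) {
    $bytes = [Security.Cryptography.ProtectedData]::Unprotect($Blob, $Entropy, $scope)
    try     { [Text.Encoding]::UTF8.GetString($bytes) }
    finally { [Array]::Clear($bytes, 0, $bytes.Length) }
}

# Encrypt once at deployment time and store only the opaque blob on disk.
[byte[]]$blob = Protect-Secret $plain
[IO.File]::WriteAllBytes($blobPath, $blob)

# At application start: read the blob and recover the connection string.
$recovered = Unprotect-Secret ([IO.File]::ReadAllBytes($blobPath))
if ($recovered -ne $plain) { throw 'Round trip failed' }

# A caller with the wrong entropy (or a different account) cannot decrypt.
try {
    Unprotect-Secret $blob ([Text.Encoding]::UTF8.GetBytes('wrong-label')) | Out-Null
    throw 'Unexpected: decryption succeeded with wrong entropy'
} catch [System.Security.Cryptography.CryptographicException] {
    Write-Output 'Decryption refused for wrong entropy, as expected.'
}

Remove-Item $blobPath
```

CurrentUser scope needs the account's profile to be loaded, which is not always the case for service and application pool identities; LocalMachine scope avoids that but lets any process on the host decrypt the blob.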