Don
Thanks for your response. The issue I have is that the password for our
database is stored either in the ODBC registry or within our ASP page as
plain text. One option I have is to encrypt the password in the database
connection string and have a function with a key in an external file that
can unlock it.
The problem remains though - that if the web server is hacked, the hacker
can still navigate their way to the file containing the key to unlock the
password.
Does that make any sense?
Cheers
Neil
On Fri, Nov 20, 2009 at 3:18 PM, Don Cohen <don-mysql8y@stripped> wrote:
> Tompkins Neil writes:
> > I wondered if anyone else had any thoughts on this issue?
> > >> Following my previous email. I've now configured my database connection
> > >> using an ODBC DNSLESS SSL connection. However the problem still remains,
> I'm not sure what dnsless means (that you allow only certain ip
> addresses?) or what difference it makes.
>
> > >> the
> > >> password is stored in the ASP file in plain text. Does anyone have any
> > >> recommendations on how to overcome this issue?
> Is the issue that you're worried that your web server will serve the
> contents of the asp file? And I gather that you want the file to
> access the DB without the user having to supply a password.
> I'll just guess that asp files are similar to php files.
> One thing you could do is have that file read the password from
> another file that is in some place where the web server does not look.
>
> > > Secure the access to the ASP-source file.
> > > You *could* encrypt it but then you have to store the key for it somewhere
> > > the ASP can access and ..... Catch 22.
>