We help IT Professionals succeed at work.

question about hiding database user name and password in secure directory

healingtao
healingtao asked
on
266 Views
Last Modified: 2012-05-04
I have the following code that inserts data to my sql database:

my @fields_to_store = qw/ firstname lastname /;

### get the values from the form.
### $cgi is the CGI query object
my $cgi = $script->cgi_object();
my @values = map { $cgi->param($_) || undef } @fields_to_store;

### build the sql string
my $sql = 'insert into client_info (' .
          join(', ', @fields_to_store) .
          ') values (' .
          join(', ', ('?') x scalar(@fields_to_store)) .
          ')';

### connect to the database and perform the query
### wrapped in an 'eval' block to catch errors gracefully
eval {
     use DBI;
     my $db = DBI->connect('dbi:mysql:mydbname','myuserid','mypassword') or die $DBI::errstr;
     print STDERR $sql;
     $db->do($sql, undef, @values) or die $DBI::errstr;
     $db->disconnect;
};

if($@) {
     ### something went wrong with the insert
     ### $@ contains the error message
     ### do whatever you need to report the error here
       print "<pre>There was an error inserting into the database: $@</pre>";
}

I would like to extract the whole eval section(or just DBI->connect) , put it into a new file and store it in a secure directory on my hosting site
since I want to hide user name and password. I was easily able to do this with PHP. How can I do it with perl?

Thanks
Comment
Watch Question

Lee WadwellProject Architect
CERTIFIED EXPERT

Commented:
Not exactly what you were asking...but I do this in a slightly different manner.  I just have a simple script that I keep secured that will return the username and passwork when called.  This program you need ensure that only you have read/write and execute priviledge.

Program to return values is a simple as...for sake of this example I will call "get_password.pl".
#!/usr/local/bin/perl
print "username/password";
exit 0;

In the main program I can get the username and password by...
($username, $password) = split(/\//, qx(get_password.pl));

then just use the variable as needed (actually my prog is a little more complex - to handle multiple usernames and passwords for multiple environments and databases).

Author

Commented:
I like your idea. It's probably even better than my original proposal.
But since I'm kind of new with perl, can you show me how to do it in my context.
I guess it would be something like this:

Program to return values I will call "get_dbinfo.pl". and I'll move it to secure directory
#!/usr/local/bin/perl
print "my_dbname/my_username/my_password";
exit 0;

Then in my main program
($my_dbname, $my_username, $my_password) = split(/\//, qx(get_dbinfo.pl));


eval {
     use DBI;
     my $db = DBI->connect('dbi:mysql:$my_dbname','$my_username','$my_password') or die $DBI::errstr;
     print STDERR $sql;
     $db->do($sql, undef, @values) or die $DBI::errstr;
     $db->disconnect;
};


Is this the correct syntax?
Lee WadwellProject Architect
CERTIFIED EXPERT

Commented:
Yes it looks OK to me...You could do the call and split inside the eval block if you wish.  Also you may need to do a "my ($my_dbname, ...etc".

Just one thing...if the get_dbinfo.pl is not in your path, you may need to tell perl where to find it by fully pathing it - or changing your path.

Commented:
There is no need to hide the user account info in a perl script. Also, calling shell commands within perl is slow.

A better solution would be to create a file that is readable only by the system account that runs the script which calls the DB (If run from apache, the user will be nobody).

dbinfo:
someName:somePass

Then:

# chown nobody dbinfo
# chmod 400 dbinfo

And then in your script, write a function which reads the file and returns the username and password.

Author

Commented:
I've tried to create a new file called connect.pl and moved it to secure directory
contents are :

#!/usr/bin/perl
print "dbname/username/password";
exit 0;

In the main file I have the following

my ($dbname, $username, $password) = split(/\//, qx(connect.pl));

### connect to the database and perform the query
### wrapped in an 'eval' block to catch errors gracefully
eval {
     use DBI;
     my $db = DBI->connect('dbi:mysql:$dbname','$username','$password') or die $DBI::errstr;
     print STDERR $sql;
     $db->do($sql, undef, @values) or die $DBI::errstr;
     $db->disconnect;
};

But it never inserts to database and shows the following error
DBI-connect($dbname) failed: Access denied for user: '$username@localhost'

Not sure why this is happening. Any ideas?
Lee WadwellProject Architect
CERTIFIED EXPERT

Commented:
is the error showing $username (ie that exact string) or the real username?

if its the exact string...try removing the single quotes...ie use

my $db = DBI->connect('dbi:mysql:$dbname',$username,$password) or die $DBI::errstr;

Author

Commented:
It actually shows $username (ie that exact string) not the real username.
I tried removing quotes, no difference, same error.

for testing purpose I put connect.pl in the same directory with the main file that is using it.
Is the path still needs to be used?  because I just did the following
my ($dbname, $username, $password) = split(/\//, qx(connect.pl));

Author

Commented:
Keep in mind that when I hard code the actual user name and password in the connect method, everything works. The problem is not with username/password
Project Architect
CERTIFIED EXPERT
Commented:
This one is on us!
(Get your first solution completely free - no credit card required)
UNLOCK SOLUTION

Gain unlimited access to on-demand training courses with an Experts Exchange subscription.

Get Access
Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Empower Your Career
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE

Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

  • Troubleshooting
  • Research
  • Professional Opinions
Unlock the solution to this question.
Join our community and discover your potential

Experts Exchange is the only place where you can interact directly with leading experts in the technology field. Become a member today and access the collective knowledge of thousands of technology experts.

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.