I have a web application written in Perl using PostgreSQL.

When accessing the PostgreSQL database I need to supply both username and password. In order to have the password available for unattended start-ups of the system I need to have that password embedded in my application or in a configuration file or as an environment variable configured in Apache.

In either case I have to have the password in clear text format somewhere.

How is it done in real web sites?

+6  A: 

The most secure way to do it is to have a configuration file, and put that outside the public folders.

Tor Valamo
+2  A: 

You can "trust" your Web server's IP (or the localhost, if it's the same node) in your PostgreSQL's pg_hba.conf, and use no password at all. At least, I don't think it's less secure than storing the database password somewhere in the file system of your Web server.

Of course, you can try encrypting and obfuscating the password somehow. But this security through obscurity is not really a barrier for someone who has managed to get into your Web server, especially when all the Perl source code is there to read.

Ivan Krechetov
+1  A: 

You can store the password in ~/.pgpass (for the web server user, of course). This is obviously not safe in shared hosting where the same user is used for many different websites, but if you have a dedicated setup it often works very well. See http://www.postgresql.org/docs/current/static/libpq-pgpass.html.

The important thing is to store it outside the general web tree.

Magnus Hagander
+4  A: 
  • Make sure the password is somewhere the web server is never going to serve. If possible put it outside the webroot; if that's not possible,
  • Make sure the file containing the password is readable only by the user the web server runs as, and not writeable by anyone
  • Rotate it regularly, to minimise the impact if it does somehow leak
  • Make sure that the database user you're using has minimal permissions. E.g., for a WordPress installation, create an account just for WordPress to use, and give it access only to the databases it actually needs
  • Configure the database to only accept connections from the web server, to minimize the impact of a leak by preventing the attacker from being able to use that password from just any old random node on the net
James Polley
+1, good list, but you forgot one: Configure the database to only accept connections from the web server, to minimize the impact of a leak by preventing the attacker from being able to use that password from just any old random node on the net.
Dave Sherohman
Yes, that seemed too obvious to be worth mentioning - but then, so do all the others in some ways. I've set my post to community wiki and added your suggestion :)
James Polley
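
A deploy-time check for the file-placement items of the checklist above (outside the webroot, owned by the web server account, readable only by it and writable by no one), as an added example that is not part of any answer on this page. It assumes GNU coreutils (`stat -c`, `realpath`); the function name `check_secret_file` and the paths in the usage comment are hypothetical.

```sh
#!/bin/sh
# Added example. Assumes GNU coreutils (stat -c, realpath).
# check_secret_file FILE WEBROOT OWNER   (hypothetical helper; OWNER = user name or numeric uid)
# Prints one line per finding. Returns 0 if clean, 1 on findings, 2 if paths cannot be resolved.
check_secret_file() {
    csf_rc=0
    [ -f "$1" ] || { echo "not a regular file: $1"; return 2; }
    # Resolve symlinks so the file is judged by where it really lives.
    csf_real=$(realpath -- "$1") || return 2
    csf_root=$(realpath -- "$2") || return 2

    # 1. Must not sit under the directory the web server serves.
    case "$csf_real" in
        "$csf_root"/*) echo "inside webroot: $csf_real"; csf_rc=1 ;;
    esac

    # 2. Must be owned by the account the web server runs as.
    csf_name=$(stat -c '%U' -- "$csf_real")
    csf_uid=$(stat -c '%u' -- "$csf_real")
    if [ "$3" != "$csf_name" ] && [ "$3" != "$csf_uid" ]; then
        echo "owner is $csf_name ($csf_uid), expected $3"; csf_rc=1
    fi

    # 3. Readable by the owner only and writable by no one: mode exactly 400.
    csf_mode=$(stat -c '%a' -- "$csf_real")
    [ "$csf_mode" = "400" ] || { echo "mode is $csf_mode, expected 400"; csf_rc=1; }

    return "$csf_rc"
}

# Stand-alone use: sh check.sh /path/to/db.conf /path/to/webroot www-data   (constructed values)
if [ "$#" -eq 3 ]; then check_secret_file "$@"; fi
```

Running it from the deployment script or a cron job catches a credentials file that drifts back to a permissive mode or gets copied into the served tree.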
A: 

Use a firewall IP:port filter at the PostgreSQL server and limit access to only the IPs of your web server.

this. __curious_geek