Securing MySQL password on ISP Server

"Bill" <cyberdad@earthlink.com> wrote:
>
>I would like to secure the password for my website database by putting the
>username and password in a small file containing only the DBI connect
>statements that specify the userid and password ( for the db not the
>account ). So far I have the security afforded by account login access
but
>I would like to further protect the database by hiding the password file
>or
>making it unavailable to intruders while still having the password useable
>
>by the website's .cgi files. Can anyone suggest a way to do this.
>Thanks, Bill

Hello, Bill!
You can develope simple application server that performs only subset of
operation with database. For example if you want to insert some messages
to table you can develope special cgi-script on special web-server (in same
security area as MySQL-server - for ex. in DMZ) which will insert some data
to tables.
Usernames and passwords (DBI) must be located only on your separated server.

When you recieve authentication string from user (in HTTP header) you
can redirect it to your special server via local interface. CGI-script on
secured web-server checks userid/password, translates it to appropriate
DBI connect string and performs operation.

Nikolay Stanchenko,
Internet Security Brainbench MVP