Welcor wrote: >From: "Artovil" <artovil@ARCANEREALMS.ORG> >> If any of you guys are interested in what we've done with MySQL at Arcane >> Realms, among other things, you are welcome to visit our snippet >> archive. If any of you gurus out there (you know who you are, and yes, >> especially you Peter, George, and Daniel) would want to check it for >memory >> leaks, serious bugs, and just flaws in coding, please do so, since I am >not >> a very good C programmer after all. I just do it for the hell of it, >> memory or no memory. ;) >> >Well, I'm neither Peter, George nor Daniel, but I checked out the link >and I noticed this in the my_sql section: > >/* snip */ >/* MySQL database settings */ >#define MYSQL_HOST "localhost" // database server name >#define MYSQL_DB "YOUR_DATABASE" // database name >#define MYSQL_USERID "YOUR_USERNAME" // database user id >#define MYSQL_PASSWD "YOUR_PASSWORD" // userid password >/* snip */ > >Is it just me being paranoid, or is this a bit unsafe ? >My approach would be quite different, encrypting the password, >and storing it in encrypted form in a file on disk. If the >file didn't exist (ie. first time the mud is run), it will >query for username and password, verify that they work, and >write them, encrypted, to a file, much the same way >mud passwords are stored when using ASCII pfiles. If it did >exist, load the file, parse the user name and password, and >decrypt it, _then_ log on to the database. > >This would prevent someone with read rights to either your >source files (or your binary) from breaking into your database, >since neither place would have a clear text password in them. > >Welcor True. If you want, you are welcome to code this function. Otherwise I guess I can give it a try, but reading/writing files is not my best side, to tell you the truth. But, if someone really wanted to hack my database, they would have done it a long time ago, besides, the MySQL server does not accept connections from the outside, so they'd have to be localhost, and that means either having hacked root (which is virtually impossible without detection on a larger host) or gotten hold of my password (not very likely even if they were running ettercap on my local network they'd have to "decrypt" it from the intercepted SSH traffic, no biggie, but...). So, if they're already logged in, it doesn't matter. But I see what you mean, will be kind of hard to keep this in the public CVS, won't it? I didn't think about that. Kind regards, /Torgny -- -- +---------------------------------------------------------------+ | FAQ: http://qsilver.queensu.ca/~fletchra/Circle/list-faq.html | | Archives: http://post.queensu.ca/listserv/wwwarch/circle.html | | Newbie List: http://groups.yahoo.com/group/circle-newbies/ | +---------------------------------------------------------------+
This archive was generated by hypermail 2b30 : 06/25/03 PDT