Certain hosts like DreamHost offer features that allow some cross-user file sharing. For PHP programmers using MySQL, you could have an include file ‘buried’ in a separate user with the MySQL database password. So if a PHP script insertion happens, the hacker cannot ‘see’ the password. The assumption for this to work is that the MySQL connect call has the password in it directly and not in a variable, and NOT in a GLOBAL variable. WordPress puts the password in a global variable in wp-config.php, then wp-includes/wp-db.php uses it to open the database. If wp-config were written in a way to both have the password and connect to the database, then this code could be isolated and put in a place that was secure with an include statement. Right now all a hacker needs to do after a script insertion is echo DB_PASSWORD and s/he’s good to go!

So in a perfect universe WordPress would create an include file with configurable links to place it wherever we want, and all DB passwords would be in variables that don’t survive the reach of the include.
The topic ‘Allow better database password protection’ is closed to new replies.
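The scoping idea from the post, as an added example (not code from the post or from WordPress): the password is loaded inside a function from a file outside the web root, handed to the connect call, and discarded, so no global constant or variable carries it. The path `/home/dbsecrets/db-secrets.php` and the helper names are assumptions.

```php
<?php
// Added example, not WordPress code. Contrasts the global-constant pattern the
// post criticises with a connect helper whose password never leaves local scope.

// Pattern being avoided: the secret is a global constant, so any PHP running in
// the same process can simply `echo DB_PASSWORD;`.
// define('DB_PASSWORD', 'example-secret');

/**
 * Open the database using credentials read from a file outside the web root.
 * The file (path is an assumption) is expected to contain only:
 *   <?php return ['host' => 'localhost', 'user' => 'app', 'pass' => '…', 'name' => 'appdb'];
 * and should be readable by the web user but not writable by it.
 */
function db_connect(string $secretsFile = '/home/dbsecrets/db-secrets.php'): mysqli
{
    // `require` with a returned array keeps the values in this function's scope only.
    $cfg = require $secretsFile;

    // mysqli throws mysqli_sql_exception on failure in PHP 8.1+, so no silent fallback.
    $link = new mysqli($cfg['host'], $cfg['user'], $cfg['pass'], $cfg['name']);

    // Drop the credentials explicitly; only the connection handle escapes.
    unset($cfg);
    return $link;
}

/**
 * Self-check for the property the post asks for: after connecting, the password
 * must not be discoverable through a constant or a global variable.
 * Returns a list of findings; empty means the check passed.
 */
function db_secret_leak_check(): array
{
    $findings = [];
    if (defined('DB_PASSWORD')) {
        $findings[] = 'DB_PASSWORD constant is defined and readable process-wide';
    }
    foreach (['DB_PASSWORD', 'db_password', 'cfg'] as $name) {
        if (array_key_exists($name, $GLOBALS)) {
            $findings[] = "global \$$name exists";
        }
    }
    return $findings;
}

$db = db_connect();
foreach (db_secret_leak_check() as $finding) {
    error_log('credential exposure: ' . $finding);
}
```

This only removes casual disclosure of the secret through a constant or global; an attacker who can already execute PHP as the web user can still call `db_connect()` or read the secrets file if the file permissions allow it, which is why the post relies on the file being owned by a separate account.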