hash database password in config.php??

1 month 4 days ago #180596 by ritapas
Hello,
I'm being asked about our limesurvey mysql db owner's password, which is in clear text in the config.php file.
Is there any way to hide or hash it?

1 month 4 days ago #180598 by LouisGac
where will you store the encryption key of that password?
The following user(s) said Thank You: DenisChenu

1 month 4 days ago #180603 by DenisChenu
If you know a FLOSS system where the DB password can be set hashed: please give a link.

Otherwise: you can set the password differently in config.php

Using $_ENV : secure.php.net/manual/fr/reserved.variables.environment.php
Using file_get_contents("/var/myconfig/ldpassword.txt")

etc …

Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand (or search sondages pro).
An error happened? Before making a new topic: remember the Debug mode.
The following user(s) said Thank You: ritapas
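
The two alternatives suggested in the post above (an environment variable, or a file read with file_get_contents), as an added example that is not part of the original thread and is not LimeSurvey code. The helper name load_db_password and the variable name LIMESURVEY_DB_PASSWORD are hypothetical, and the password file is assumed to sit outside the web root.

```php
<?php
// Added example, not LimeSurvey code. Helper and env variable names are hypothetical.

/**
 * Return the DB password from the environment, or from a file outside the web root.
 * Fails closed: throws instead of returning an empty password.
 */
function load_db_password(
    string $envName = 'LIMESURVEY_DB_PASSWORD',      // hypothetical variable name
    string $file = '/var/myconfig/ldpassword.txt'    // path taken from the post above
): string {
    // getenv() is used because $_ENV stays empty unless variables_order contains "E".
    $fromEnv = getenv($envName);
    if (is_string($fromEnv) && $fromEnv !== '') {
        return $fromEnv;
    }

    if (!is_file($file) || !is_readable($file)) {
        throw new RuntimeException("DB password not set in {$envName} and {$file} is not readable");
    }

    // Refuse a secret file that users outside the owner and group can access
    // (for example use mode 0640 with owner root and the web server's group).
    $perms = fileperms($file) & 0777;
    if ($perms & 0007) {
        throw new RuntimeException(sprintf('%s has mode %04o; remove access for "other"', $file, $perms));
    }

    $raw = file_get_contents($file);
    if ($raw === false) {
        throw new RuntimeException("Could not read {$file}");
    }

    // Editors and `echo` append a newline; strip line endings only, not spaces.
    $password = rtrim($raw, "\r\n");
    if ($password === '') {
        throw new RuntimeException("{$file} is empty");
    }
    return $password;
}

// Assumed usage in config.php, in the 'password' entry of the 'db' component:
//     'password' => load_db_password(),
```

This keeps the password out of copies of config.php that end up in backups or version control. It does not change what someone who can already run code as the web server user is able to read.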

1 month 4 days ago #180605 by ritapas
@LouisGac I wish I knew: maybe prompting the root user for it and then storing it in memory? I'm afraid I'm obviously no security expert, I'm just wondering if somebody else has had the same problem and solved it.

@Denis if the example about FLOSS software is related to the fact that it comes "free", you are absolutely right. I wish more people would be able to tell the difference between "free" and "no pay" :(
The only example that comes to my mind is the linux shadow password system!
But, maybe a limesurvey (paid) professional has developed some plugin I could ask to buy, one never knows.

I'll investigate the alternative ways you are showing.

1 month 4 days ago #180606 by DenisChenu

ritapas wrote: @Denis if the example about FLOSS software is related to the fact that it comes "free", you are absolutely right. I wish more people would be able to tell the difference between "free" and "no pay" :(

No,

It's about having some code sample :) if possible in PHP. Then we can get inspiration or even copy/paste.

About the Linux shadow password: no, we can't use it. We can crypt the user password (the user has to enter the password, and then we test if it is the same): we do it for user passwords like a Linux box does it for user passwords.

The following user(s) said Thank You: ritapas

1 month 4 days ago #180609 by ritapas

DenisChenu wrote: No,

It's about having some code sample :) if possible in PHP. Then we can get inspiration or even copy/paste.

The only example I've found uses Google services, and personally I would not like that.
Indeed I think you might already know about this:
deliciousbrains.com/php-encryption-methods/

I like the idea of having an external service, though, but in our own network.

1 month 4 days ago #180614 by DenisChenu
Using password_hash: this is done to validate that an existing (unencrypted) password is the same as an encrypted password.
Secret Key Encryption: this needs the readable private key to decrypt: where do you store this key? In config.php? Then don't encrypt your password …

1 month 4 days ago #180621 by holch
While it might seem strange to see the password without encryption in the config.php, if someone unauthorized has access to your config.php, then you have far bigger problems than your password being leaked. This person can do basically anything with your installation anyway, I guess.

I'm not a LimeSurvey GmbH member. I answer at the LimeSurvey forum in my spare time. No support via private message.
The following user(s) said Thank You: DenisChenu, LouisGac, ritapas

1 month 3 days ago #180647 by ritapas
Quite a good point!
