Remove passwords from database.yml in rails 2.3.8 application?


Robert Nicholson

Nov 1, 2015, 7:31:38 PM
to Ruby on Rails: Talk
We have a 2.3.8 application that has hard coded passwords in the database.yml file.

If we were to use erb to bring these in from a file outside, where in the initialization steps
do I load the file to populate the variable I wish to interpolate?

When I tried to do so in config/environment.rb, the erb usage said the variable I was trying to interpolate was not defined.

Trying something similar to what is advocated here

http://rubyrobot.github.io/blog/2014/04/08/secure-rails-deployment-and-passwords-best-practices/

Tamara Temple

Nov 1, 2015, 10:32:25 PM
to rubyonra...@googlegroups.com
Generally, in projects I've worked on, these variables come from the
environment:

production:
  # ...
  username: <%= ENV['DB_USER'] %>
  password: <%= ENV['DB_PASS'] %>


The actual environment variables would be up to you and your team, of
course.


--
Tamara Temple
tam...@gmail.com
http://www.tamouse.org
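
Added example, not part of any post in this thread: a plain-Ruby sketch of loading secrets from a file outside the application into ENV before an ENV-based database.yml like the one above is rendered. It assumes database.yml is passed through ERB with no binding and that the loader runs before the Rails initializer reads the file (for instance at the top of config/environment.rb); `load_secrets`, the KEY=VALUE file format and all sample values are hypothetical.

```ruby
require 'erb'
require 'yaml'
require 'tempfile'

# Constructed template; ENV.fetch raises KeyError rather than render an empty password.
DATABASE_YML = <<-YML
production:
  adapter: mysql
  username: <%= ENV.fetch('DB_USER') %>
  password: <%= ENV.fetch('DB_PASS') %>
YML

# Hypothetical helper: export KEY=VALUE lines from a file kept outside the
# application tree into ENV. Refuses files accessible by group or others.
def load_secrets(path, env = ENV)
  open_bits = File.stat(path).mode & 0o077
  raise SecurityError, "#{path} is group/other accessible" unless open_bits.zero?
  File.readlines(path).each do |line|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split('=', 2)
    raise ArgumentError, "malformed line in #{path}" if value.nil?
    env[key.strip] = value.strip
  end
  env
end

# No binding is passed to ERB#result, so the template sees process-wide
# state such as ENV but not the locals of the file that loaded the secrets.
def render_database_config(template = DATABASE_YML)
  YAML.load(ERB.new(template).result)
end

# A local variable is invisible to the template, so this returns false.
def local_visible_to_template?
  db_pass = 'local-only' # constructed value
  ERB.new('<%= db_pass %>').result
  true
rescue NameError
  false
end

if __FILE__ == $PROGRAM_NAME
  Tempfile.create('db_secrets') do |f| # constructed secrets file, mode 0600
    File.write(f.path, "# constructed sample\nDB_USER=app\nDB_PASS=s3cr3t\n")
    load_secrets(f.path)
  end
  puts render_database_config['production']['username'], local_visible_to_template?
end
```

Values containing YAML-special characters such as `:` or `#` need quoting in the template.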

Colin Law

Nov 2, 2015, 3:20:13 AM
to Ruby on Rails: Talk
On 2 November 2015 at 00:31, Robert Nicholson
<robert.n...@gmail.com> wrote:
> We have a 2.3.8 application that has hard coded passwords in the database.yml file.
>
> If we were to use erb to bring these in from a file outside, where in the initialization steps
> do I load the file to populate the variable I wish to interpolate?

Just as important is to upgrade to a recent version of Rails. 2.3.8
went out of support ages ago and undoubtedly has a number of security
holes.

Colin