Plain text database password in the config.php file

Phil Bass

Aug 9, 2025, 8:06:00 AM
to Easy!Appointments - Support Group
The main E!A config.php file contains a plain text password for connecting to the database. This feels like a security weakness. Is there any way to avoid it?

Alex Tselegidis

Aug 11, 2025, 6:36:12 AM
to Easy!Appointments - Support Group
Hello! 

Thanks for reporting this detail. 

That is actually a common practice, as in configuring the application parameters in a configuration file.

This value is never displayed or included in any response. 

Feel free to write with more info to in...@easyappointments.org in case you have discovered any potential security case.

Alex Tselegidis, Easy!Appointments Creator

Phil Bass

Aug 11, 2025, 8:20:28 AM
to Easy!Appointments - Support Group
Thanks, Alex.

I wasn't querying the use of a config file. It just seems risky storing passwords unencrypted, and I was wondering if there is any way round this. For example, on a Unix system, the MariaDB server I have can use a Unix socket authentication method, which doesn't need a password. Can E!A be configured to use that? (It doesn't look like it, judging by the contents of the main config.php file.) Alternatively, it may be possible to restrict the file permissions on the config.php file so that it can only be read by the web server (Apache in my case). Or would that interfere with something else that E!A does?

If anyone here can give definite answers to those subsidiary questions, that would be great. Otherwise, I'll have to experiment.
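
The file-permission idea raised in the post above, as an added example that is not part of the original thread or of Easy!Appointments: a shell function that reports who can read a file such as config.php. GNU `stat` is assumed, and the file path and web server group name are supplied by the caller.

```shell
#!/bin/sh
# Added example: audit who can read a config file that stores a DB password.
# Assumes GNU stat (Linux). File path and group name are caller-supplied.

# audit_config_perms FILE WEB_GROUP
# Returns 0 if only the owner and WEB_GROUP can read FILE, 1 on findings,
# 2 if FILE cannot be inspected.
audit_config_perms() {
    file=$1
    web_group=$2
    rc=0
    [ -f "$file" ] || { echo "not a regular file: $file"; return 2; }
    info=$(stat -c '%a %U %G' "$file") || return 2
    set -- $info                       # mode owner group
    mode=$1 owner=$2 group=$3
    other=$(( mode % 10 ))             # last octal digit: everyone else
    grp=$(( (mode / 10) % 10 ))        # second-to-last digit: group
    echo "$file: mode=$mode owner=$owner group=$group"
    if [ "$other" -ne 0 ]; then
        echo "FINDING: accessible to all local users (other bits = $other)"
        rc=1
    fi
    if [ $(( grp & 2 )) -ne 0 ]; then
        echo "FINDING: group '$group' can modify the file"
        rc=1
    fi
    if [ $(( grp & 4 )) -ne 0 ] && [ "$group" != "$web_group" ]; then
        echo "FINDING: readable by group '$group', expected '$web_group'"
        rc=1
    fi
    return "$rc"
}

# Demo on a constructed temporary file, not a real installation.
demo=$(mktemp)
chmod 644 "$demo"
audit_config_perms "$demo" "$(stat -c %G "$demo")" || echo "exit status: $?"
chmod 640 "$demo"
audit_config_perms "$demo" "$(stat -c %G "$demo")" && echo "no findings"
rm -f "$demo"
```

The function only inspects the file itself; the permissions of its parent directories and any backup copies of the file need the same review.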