
Perl Hiding Username/Password


newbie01 perl

Feb 10, 2010, 6:04:16 PM
to begi...@perl.org
Hi all,

Can anyone please advise how I can change the following code to work where
the <username> and <correct_pass> are not exposed?
The script is run via crontab and can also be run manually; at the moment I am
reading these values from some sort of delimited file.

The worry is someone getting access to the script and then putting in some
print commands to expose the username and password information.
Just thinking in advance before it happens. The original script is a UNIX
script but I thought there may be a Perl module that will mask
the password where there is none of the same thing for UNIX scripts.

#!/usr/bin/perl

use DBI;

......
......

my $dbh = DBI->connect('dbi:Oracle:host=localhost;sid=test;port=1521',
                       '<username>', '<correct_pass>')
    or die "connect failed: $DBI::errstr\n";
# Set the date format for this session
my $sth = $dbh->prepare("alter session set nls_date_format = 'DD-MON-YYYY HH24:MI:SS'");
$sth->execute();
# Reuse the statement handle for the query
$sth = $dbh->prepare("select 'Today is ' || sysdate from dual");
$sth->execute();
while (my ($sysdate) = $sth->fetchrow_array()) {
    print $sysdate, "\n";
}
$sth->finish();

exit 0;

Any feedback will be very much appreciated. Thanks in advance

Jeff Peng

Feb 10, 2010, 9:34:29 PM
to newbie01 perl, begi...@perl.org
On Thu, Feb 11, 2010 at 7:04 AM, newbie01 perl <newbie...@gmail.com> wrote:

> The worry is someone getting access to the script and then putting in some
> print commands to expose the username and password information.

Could take a look at:

perldoc -q 'hide the source'

--
Jeff Peng
Email: jeff...@netzero.net
Skype: compuperson

Philip Potter

Feb 11, 2010, 4:37:38 AM
to newbie01 perl, begi...@perl.org

What is your threat model? i.e. what kind of attacker are you trying to
protect yourself from?

You can prevent casual attacks by following some of the suggestions in
perldoc -q "hide the source".

There is no way to do what you ask in such a way that a determined
attacker will not be able to get your password. If this is a problem,
you need to redesign your system.

If you want to make sure the only way a user can access the database
is through your perl script, you'll need to do something to enforce
that, such as storing the script on a different server and giving it a
web interface, and making the database invisible to everything but the
server the script is hosted on. [This might work but it's not
necessarily a good idea.]

Phil

newbie01 perl

Feb 11, 2010, 3:56:54 PM
to Philip Potter, begi...@perl.org
Hi all,

Thanks to everyone who has given their input ...

At the very least, I hope to be able to make the password "cryptic" in some
way, not super-duper hiding the stuff.

Anyway, at the moment, I create a password word that is accessed by the
script and is read only and readable by the owner of the script ...

On Thu, Feb 11, 2010 at 10:37 PM, Philip Potter
<philip....@gmail.com> wrote:
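
The arrangement described in the last message (credentials kept in a file readable only by the script's owner), as an added example that is not part of the original thread: the loader refuses to use the file unless it is a regular file owned by the effective user with no group or other permission bits. The function name `load_db_credentials` and the one-line `username:password` format are assumptions; the returned pair would replace the literals in the `DBI->connect` call.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(:mode);

# Return (user, pass) only if the file is a regular file owned by the
# effective user and carries no group/other permission bits.
# Assumed file format (hypothetical): a single line "username:password".
sub load_db_credentials {
    my ($path) = @_;

    # Open first, then stat the handle, so the checks apply to the file
    # that is actually read rather than to whatever the path names later.
    open(my $fh, '<', $path) or die "cannot open $path: $!\n";
    my @st = stat($fh) or die "cannot stat $path: $!\n";
    my ($mode, $uid) = @st[2, 4];

    die "$path is not a regular file\n" unless S_ISREG($mode);
    die "$path is not owned by the effective user\n" unless $uid == $>;
    die sprintf("%s has mode %04o; expected 0600 or 0400\n",
                $path, S_IMODE($mode))
        if S_IMODE($mode) & 0077;

    my $line = <$fh>;
    close($fh);
    die "$path is empty\n" unless defined $line;
    chomp $line;

    # Split on the first colon only, so the password may contain colons.
    my ($user, $pass) = split /:/, $line, 2;
    die "$path: expected username:password\n"
        unless defined($pass) && length($user) && length($pass);
    return ($user, $pass);
}

# Self-check against a constructed file when run directly (no database).
unless (caller) {
    require File::Temp;
    my ($tfh, $tmp) = File::Temp::tempfile(UNLINK => 1);
    print {$tfh} "scott:ti:ger\n";    # constructed sample values
    close($tfh);
    chmod 0644, $tmp or die "chmod: $!\n";
    my @creds = eval { load_db_credentials($tmp) };
    print "0644: ", (@creds ? "accepted\n" : "rejected: $@");
    chmod 0600, $tmp or die "chmod: $!\n";
    my ($u, $p) = load_db_credentials($tmp);
    print "0600: user=$u, password length=", length($p), "\n";
}
```

This limits who can read the credentials at rest; anyone who can run or edit the script as its owner can still obtain them, which is the limit Philip Potter's reply describes.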
