How to open database with Perl CGI securely?

slimjimscot

Programmer
Dec 6, 2003
4
GB
Hi,

I'm writing a Perl CGI script to send a newsletter to e-mail addresses stored in a MySQL database. I have my script stored in a cgi-bin directory and I have a web form that I write a message into and it POSTs the results to the cgi.

I can access the MySQL database ok using the DBI interface, e.g.

$dbh = DBI->connect('DBI:mysql:dbasename', 'dbaseuser', 'password', { RaiseError => 1 });

I would rather not have the account name and password visible in this file - as the cgi-bin directory is in the web directory (i.e. open to the web world). I tried storing the account details in another file, opening it, and putting the account details into variables - but the DBI interface doesn't seem to resolve variables (i.e. replacing the account names in the script line above with variables).

Does anyone have any ideas how I use a CGI to access a database via Perl, but without revealing the actual database account details in the script?

Does Perl have some type of 'include' facility like PHP - where you can store the part of the script that opens the database in a file somewhere else, and just include at the appropriate place in the CGI script?

I hope that all makes sense.

I've not done a lot of Perl scripting - so I apologise if this is a stupid question with an obvious answer.

Thanks,
Jim
 
In Perl, anything in single quotes is not interpreted; this is not a DBI issue.

So your:

$dbh = DBI->connect('DBI:mysql:dbasename', 'dbaseuser', 'password', { RaiseError => 1 });

Should be

$dbh = DBI->connect("DBI:mysql:dbasename", "$dbaseuser", "$password", { RaiseError => 1 });

Double quotes will interpret.

Since you are using variables you can eliminate the quotes altogether.

If this doesn't work check the variables you are including, they may not be importing properly from your other files.

The way I handle this usually is to only access the database from a library that lives outside of the webspace. I also tend to have files like Config.pm that I create to hold these configuration variables.

This is all just 'tips', the two things to try are

1) Eliminate single quotes since variables will not interpret in them and

2) Check to make sure your database variable importation is occurring correctly.
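
The approach suggested above (settings held in a file outside the webspace, then passed to DBI as plain variables), as an added example that is not code from any poster in this thread. It assumes a POSIX host; the key=value file format, the names load_db_config and connect_args, and all sample values are constructed for illustration, and DBI itself is not loaded so the demo runs without a database.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempfile);

# Read key=value settings from a file kept outside the web root.
# Refuse the file if group or other have any access to it.
sub load_db_config {
    my ($path) = @_;
    my @st = stat($path) or die "cannot stat $path: $!\n";
    my $mode = $st[2] & 07777;
    die sprintf("%s has mode %04o; expected 0600 or stricter\n", $path, $mode)
        if $mode & 0077;
    open(my $fh, '<', $path) or die "cannot open $path: $!\n";
    my %cfg;
    while (my $line = <$fh>) {
        next if $line =~ /^\s*(?:#|$)/;    # skip comments and blank lines
        my ($k, $v) = $line =~ /^\s*(\w+)\s*=\s*(.*?)\s*$/
            or die "bad line $. in $path\n";    # never echo the line itself
        $cfg{$k} = $v;
    }
    close $fh;
    for my $need (qw(database user password)) {
        die "missing '$need' in $path\n" unless defined $cfg{$need};
    }
    return \%cfg;
}

# Build the DBI->connect argument list from variables.
# The DSN needs double quotes to interpolate; user and password need no quotes.
sub connect_args {
    my ($cfg) = @_;
    return ("DBI:mysql:$cfg->{database}", $cfg->{user}, $cfg->{password},
            { RaiseError => 1 });
}

# Constructed demo: a temp file stands in for the real out-of-webspace file.
my ($fh, $path) = tempfile(UNLINK => 1);
print $fh "# constructed sample values\n",
          "database = dbasename\nuser = dbaseuser\npassword = example-only\n";
close $fh;

chmod 0644, $path;                       # world-readable: must be refused
eval { load_db_config($path) };
print "0644 rejected: $@";

chmod 0600, $path;                       # owner-only: accepted
my ($dsn, $user) = connect_args(load_db_config($path));
print "0600 accepted: dsn=$dsn user=$user\n";
# In the CGI script: my $dbh = DBI->connect(connect_args(load_db_config($real_path)));
```

The file must be readable by the account the web server runs the CGI under, so on shared hosting that account has to own it for the 0600 check to pass.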
 
Oh and yes, oddly enough Perl's 'include' works like this:

include 'filename';

:) Try it, you'll love it.
 
Thanks, that's it working now. I had been trying to insert the database name using a variable - which didn't work; I hadn't got as far as using variables for the user and password, because I thought it wouldn't work.

Fantastic - thanks for your help.

And thanks for the include tip - I couldn't find any documentation about it.

All the best,
Jim
 
Incidentally, you're probably worrying unnecessarily. Although the cgi-bin directory is in your web space, any requests to the server for files in that directory will cause them to be executed, not served up like a normal HTML page. AFAIK there's no way to "view source" on a CGI script.

-- Chris Hunt
 