问题
I am working on a C++ project that needs to access database for reading its input.
So far, we used a default username(postgres) and a 'fixed clear text' password stored , along with many other settings, in a xml based configuration file.
Now what I need is to hide password from users when I supply the configuration file.
FYI: the development area is linux, database is postgresql. we would like to give users the config file to connect to database and use it without knowing the password
I will appreciate if you suggest a quick and easy reference.(a small reading material will also be great)
thank you
回答1:
You cannot prevent a ill-intentioned user from obtaining this password one way or another if you ship him the program containing it in any form.
But there are two potential solutions:
The user and password that ship with the program have a read-only access to the database;
The program don't connect directly to the database. It requests the data to a server application that can not only fetch this data from the actual database without need to give the user any password, but also can do the proper security checks to ensure this user is accessing only data he is meant to etc.
回答2:
You can have another "hardcoded" password, used to encrypt the password in the config file. So you write the encrypted database password (db_password) to the config file, and then, when you need to access a database, you decrypt the db_password with your hardcoded password. Of course, it is still possible to recover your password using decompiler for example, but it will not be easy.
回答3:
We use MD5 to encipher the password in the config file.
来源:https://stackoverflow.com/questions/15962527/how-to-hide-database-password-in-config-file