When I was graduating from FAST-NU, I designed a web based system in PHP/MySQL for collecting data for Yearbook of our batch. Each student of our batch was given a username and password using which s/he could enter the personal data, make comments about friends, give nicknames and other such features.
At that time there was no server in our university available on which it could be deployed and the only place to host it was a Windows based machine in the labs on which all files in wwwroot folder were readable to anyone logged into the machine. But it did not mater as the MySQL database was secure and I did not mind anyone getting my PHP code. The only problem was that the password to MySQL had to be stored in a PHP config file and it could be read by anyone. I knew one naughty junior was already looking forward to the deployment of the application and I did not want to take any risk. On the other hand I wanted to get it deployed ASAP as well.
I thought about encrypting the password but the key had to be stored at a world readable place. I thought about many other possibilities but found loopholes in each of them. Finally I came up with a clever scheme. After applying it my config file looked like this:
$db_host = “localhost”;
$db_user = “yearbook”;
$db_pass = “********”;
Two days later the kid showed up looking a bit frustrated. He said “How the hell did you mask your password in a PHP file? I have looked all over web and I couldn’t find any info about password masking in PHP or any other text file”.
With a smug look I replied “I rewrote the NTFS to do that”. He went away looking a bit angry as well as disappointed.
I wish the poor chap had thought about the possibility of using eights asterisks as my password.
