config.php dbPass in plain text?

[yrglx]

Situtation: website has been running for years without problems. We are implementing changes and setup a "dev" subdomain to be able to compare old and new.

What went wrong: the hoster makes it possible to change the MySQL dbUser password. Which I accidentally did. Now the new password is not the same as the one defined in the config.php file under "$config->dbPass = ..." and the CMS cannot access the DB anymore. Nothing is working anymore!

Assumptions: in config.php under "$config->dbPass = " the string saved is the salted hashed password, i.e. "myFreaking$difficultPassword" would be saved as f.ex. "jfeime7??6$$3!2". Is that right?

What I need to be able to do: how can I generate that salted hashed password from the plain text password I entered on the host's webinterface for the dbUser?

Or: do I just need to set "$config->dbPass" to the plain text password I entered on the hoster's webinterface to change de dbUser Password?

[cstevensjr]

7 minutes ago, yrglx said:

Or: do I just need to set "$config->dbPass" to the plain text password I entered on the hoster's webinterface to change de dbUser Password?

Please give that a try.

[yrglx]

9 minutes ago, cstevensjr said:

Please give that a try.

It worked, thanks!

But isn't that a security issue?

[cstevensjr]

You will need to work that situation out with your hosting provider.  Under normal circumstances, the application configuration file (config.php) is not accessible to the outside world.

Good luck.

[dragan]

@yrglx check out the docs: https://processwire.com/docs/security/file-permissions/#securing-your-site-config.php-file

 

[yrglx]

6 minutes ago, dragan said:

@yrglx check out the docs: https://processwire.com/docs/security/file-permissions/#securing-your-site-config.php-file

 

thanx. That helps.