MySQL Security

Posted by JimL (JimL), 22 January 2004
I'm developing a system which uses PHP to read from and update a MySQL database.

Because some of the data is sensitive I want one table to be read-only (so malicious users cannot change any of the information).

However, one table I want to use as a log, and so must be read/write.

Am I correct in thinking that the second table need only to be read/write to the user account within which the PHP application runs?

Cheers,  Jim

Posted by admin (Graham Ellis), 22 January 2004
You're using PHP on a web server to access the MySQL tables. The PHP scripts won't be visible to users of your system - only to the people who have other access (such as FTP or ssh) to the document directory on your web server; those scripts might well include the MySQL password, but - provided that you set up the PHP properly - that code will never get out to the user's browser.

I think that just a single simple login account to the MySQL will suffice, but it will need to be protected with a good password. You might also consider allowing access to the MySQL through this account only from the web server, so that (even if they discovered the password), users on other systems couldn't get it ... but it would restrict you except when you were logged in to a shell session on the server.

Final note - the security will only be as strong as the security of the worst protected account that can get at the database(s). In other words, if there happened to be a MySQL root account with lots of global privileges and a password that lots of people knew, then whatever you do any of these people could come in through the back door ... and remember that a thief will always look for the easiest entry, and preferably one where he expects he won't be seen.

Posted by JimL (JimL), 23 January 2004
Hi Graham,

As far as the code, I'll stick to your guidelines and do all the PHP first, and build up the HTML I want to send in a variable. Then I'll just send it all out at the end in one go.

As far as the MySQL database is concerned, I'll check with the server administrators to ensure they put it in a secure place.

Cheers,  Jim
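
The setup discussed in this thread (one application account, one read-only table, one log table, access limited to the web server) written out as MySQL statements. This is an added example, not part of the original posts: the database `appdb`, the tables `customer_data` and `audit_log`, the account `webapp`, the address `192.0.2.10` and the password are all hypothetical placeholders, and the syntax is that of current MySQL releases (`CREATE USER` followed by `GRANT`).

```sql
-- Constructed schema for the example; all names are hypothetical.
CREATE DATABASE IF NOT EXISTS appdb;
CREATE TABLE IF NOT EXISTS appdb.customer_data (
  id     INT PRIMARY KEY,
  detail VARCHAR(255) NOT NULL
);
CREATE TABLE IF NOT EXISTS appdb.audit_log (
  id        INT AUTO_INCREMENT PRIMARY KEY,
  logged_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
  message   VARCHAR(255) NOT NULL
);

-- One account for the PHP application, usable only from the web server.
-- 192.0.2.10 is a documentation address; the password is a placeholder.
CREATE USER 'webapp'@'192.0.2.10'
  IDENTIFIED BY 'REPLACE_WITH_LONG_RANDOM_PASSWORD';

-- Sensitive table: read only. No INSERT, UPDATE or DELETE is granted.
GRANT SELECT ON appdb.customer_data TO 'webapp'@'192.0.2.10';

-- Log table: read and append.
-- Add UPDATE only if the application really has to edit existing entries.
GRANT SELECT, INSERT ON appdb.audit_log TO 'webapp'@'192.0.2.10';

-- Confirm exactly what the application account holds.
SHOW GRANTS FOR 'webapp'@'192.0.2.10';

-- Audit every other account that could still change the data.
-- 1. Global write or administrative privileges:
SELECT User, Host, Update_priv, Delete_priv, Grant_priv, Super_priv
FROM mysql.user
WHERE 'Y' IN (Update_priv, Delete_priv, Grant_priv, Super_priv);

-- 2. Database-level write privileges (Db may hold a wildcard pattern):
SELECT User, Host, Db, Update_priv, Delete_priv
FROM mysql.db
WHERE 'appdb' LIKE Db AND 'Y' IN (Update_priv, Delete_priv);

-- 3. Table-level grants inside the database:
SELECT User, Host, Table_name, Table_priv
FROM mysql.tables_priv
WHERE Db = 'appdb';
```

Any account returned by the three audit queries can modify the "read-only" table regardless of how tightly `webapp` is restricted.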



This page is a thread posted to the opentalk forum at www.opentalk.org.uk and archived here for reference.